Contents

Introduction to FTP ............................................................................3

Uses of FTP ...................................................................................................... 3
Working of FTP ................................................................................................ 3
Penetration Testing on FTP ................................................................3
Anonymous Login ............................................................................................ 5
Disable FTP_banner ...........................................................................7
Switch Port for FTP Service .................................................................9
Sniffing FTP Login Credential ............................................................ 10
Use SSL Certificate against Sniffing ................................................... 12
Stop FTP Brute_Force Attack with Fail2ban ...................................... 18
Restrict IP to connect FTP ................................................................. 19
Conclusion ....................................................................................... 22

Page 2 of 22
Introduction to FTP
FTP is a file transfer protocol, used to transfer files between a network using TCP/IP connections via Port
20/21. It is basically a client-server protocol. As it works on TCP, it requires two communication channels
between client and server: a command channel and a data channel. The command channel is for
controlling the conversation between client and server, whereas the data connection is initiated by the
server to transfer data.

Uses of FTP

 An FTP site is a web site where users can easily upload or download specific files.
 FTP by mail allows users without access to the Internet to access and copy files using anonymous
FTP by sending an email message to [email protected] and putting the word help in the
body of the text.
 FTP Explorer is an FTP client based on Windows 95 file manager (Windows 95 Explorer).
 An FTP server is a dedicated computer which provides FTP service. This invites hackers and
necessitates security hardware or software such as utilizing usernames, passwords, and file
access control.
 An FTP client is a computer application which accesses an FTP server. While doing so, users should
block incoming FTP connection attempts using passive mode and should check for viruses on all
downloaded files.

Working of FTP
FTP works just like HTTP and SMB protocols. When the FTP server is configured on a network, then a
specific folder is defined as a shared folder in order to share files. Users can access this file server via FTP.
FTP is often authenticated by a sign-in protocol. However, an FTP server may be configured to accept
anonymous login credentials as well. But now, it’s mostly FTP with SSL/TLS.

When transferring files through FTP, the user’s machine is called the "local host machine" and is
connected to the internet. Another machine is called the remote host, which has FTP running on it and is
also connected to the internet. Now, in order to transfer the files, the local host machine connects to the
remote host’s IP. Then the user must enter the username and password. FTP always provides a GUI which
makes file transfer user-friendly. Here, you can transfer files by the drag-and-drop method. Otherwise,
you can simply use FTP commands for the desired transfer.

Penetration Testing on FTP

Requirements:

 FTP server: Ubuntu

 Attacking machine: Kali
 Client machine: Windows

Page 3 of 22
Installation of FTP

Installation FTP is quite easy. To install FTP, open the terminal in ubuntu as root user and type:

apt install vsftpd

Once FTP is installed use nmap to confirm and to do so, type the following command:

nmap -p21 192.168.1.102

As you can see that FTP is working on port 21.

Page 4 of 22
Anonymous Login
As I have mentioned before, FTP credentials can be set to anonymous and this is often found on many FTP
servers. FTP users may authenticate themselves with a clear-text sign-in protocol, normally in the form
of a username and password, but can connect anonymously if the server is configured to allow it. So, let’s
see how it will be done by first configuring it to be anonymous. Use nano or another text editor to open
vsftpd.conf.Find the "anonymous_enable=NO" statement as shown in the image below.

Change NO to YES to enable anonymous as shown here:

Now let’s check it from nmap by using the following command:

Page 5 of 22
 nmap -A -p21 192.168.1.102

As the result shown by nmap, you can see that port 21 is open and you some details about it to like its
version. Now, let’s try and log in FTP using anonymous as our credentials. Now, let’s try and login:

ftp 192.168.1.102

Enter anonymous as username and password as shown in the image below as you will find you in the ftp
server.

Page 6 of 22
Disable FTP_banner
Now if you scan ftp from nmap you will its version:

nmap -sV -p21 192.168.1.102

Page 7 of 22
As this visibility of the version can leave you vulnerable to various exploits, let's now learn how you will
protect yourself by hiding the banner of FTP. For this, again open the vsftpd.conf file using any desired
text editor.

Find the line "ftpd_banner=welcome to blah FTP service" in the conf file.From this statement, remove the
# symbol as shown in the image below:

Now if you scan again with nmap, it will hide the banner. Try it by using the following command:

nmap -sV -p21 192.168.1.102

Page 8 of 22
Switch Port for FTP Service
Like this, you can add another security layer by changing the port of ftp. You can start the service of FTP
on any port you like. Here, we have shifted the FTP port to 5000. Find the line "listen_port=21" in the ftp
conf file to do this.Change the port number to 5000, or any other number as you desire, as shown in the
image below:

Save the file and restart the FTP service. If you scan from nmap, you will find the port is now at 5000.
Applying such a layer of security helps to confuse attackers.

nmap -p- 192.168.1.102

Page 9 of 22
Sniffing FTP Login Credential
By default, the traffic sent to and received from FTP is not encrypted. An attacker can use sniffing tools to
intercept data packets travelling between a server and a client in a network in order to obtain credentials.
then use them for unauthorised access. As we have discussed above, FTP users may authenticate
themselves with a clear-text sign-in protocol for username and password.

ftp 192.168.1.102 5000

Page 10 of 22
Similarly, if we capture TCP packet through Wireshark for sniffing FTP credential. So, now try and log in
to ftp using the following commands:

Give the username and password.

Capture the traffic using Wireshark. Now, in Wireshark, if you follow the TCP stream of the packet, you
can see the login credentials in clear text as shown in the following image:

Page 11 of 22
Use SSL Certificate against Sniffing
So, let's add another security layer to this for the above-mentioned problem.The solution to this is to
create an SSL certificate. This encrypted data packet travels between server and client networks.
SSL stands for Secure Sockets Layer, the protocol which provides secure, encrypted communications
between server and client.

Although an attacker can sniff network data packet but will be not able to read fetched information
because entire data will show in the form of ciphertext.

Here, administrations need to generate their own SSL certificate for secure authentication. Make a
directory where the SSL certificate keys will be stored.

Use the following command to create a certificate:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/certificates/vsftpd.pem
-out /etc/ssl/certificates/vsftpd.pem

Page 12 of 22
Once the above command is executed, open the vsftpd.conf file to change the default settings by adding
a few lines at the end of the file. The following are the lines to be added:

rsa_cert_file=/etc/ssl/certificates/vsftpd.pem
rsa_private_key_file=/etc/ssl/certificates/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

Page 13 of 22
Now let’s ensure whether we can connect to FTP server.

Protocol to: FTP

Encryption To: TSL/SSL Explicit encryption
Hostname: IP of the FTP Server
Port: 21
Username and Password: raj: 123

Page 14 of 22
Now the server will send the certificate to an authorized user click on yes to store certificate and continue
the encrypted connecting.

Page 15 of 22
Now, when you will establish the connection of FTP as shown in the image below:

Page 16 of 22
All the traffic that is sent and received is encrypted, which you can check through Wireshark. It is also
shown below:

Page 17 of 22
Stop FTP Brute_Force Attack with Fail2ban
Hydra is often the tool of choice for bruteforce. It can perform rapid dictionary attacks against more
than 50 protocols, including telnet, FTP, HTTP, HTTPS, SMB, several databases, and much more. Now, to
bruteforce our FTP server, we need to choose a word list. As with any dictionary attack, the wordlist is
key.

Run the following command to execute bruteforce:

hydra -L user -P pass 192.168.1.102 ftp

Page 18 of 22
As you can see, using hydra, we have logged in credentials and so a bruteforce attack is successful. But we
can protect our FTP server and important files. To be secure against brute force, you can use the
fail2ban tool. For a detailed guide on the fail2ban tool, read our other article here.

sudo fail2ban-client status vsftpd

Once you have limited the bruteforce attack through fail2ban, You can try and use hydra again, but you
will get a negative result, as shown in the image below:

Restrict IP to connect FTP

Another security layer that you can apply is blocking all other IPs but allowing your trusted ones. Now
open hosts.allow file from inside /etc to allow the valid user to connect with the server securely through

Page 19 of 22
a specific IP. At the end of the text file, enter the specific IP to whom you want to give permission to
establish a connection as shown in the given image.

It is quite important that the admin restrict all IPs other than the allowed IP (192.168.0.106) to protect
the network from being connected by an unknown IP.

Open /etc/hosts.deny and specify a list of hosts whom you want to deny access to the system.

Now open configure file of vsftpd and add following lines:

# TCP Wrappers
tcp_wrappers=Yes

Page 20 of 22
Now, if you connect to ftp from an allowed IP address, you will be logged in, as shown in the image below:

But it will block other IPs as shown below:

Page 21 of 22
Conclusion
FTP was discovered around four decades earlier. And since then, there have been substantial changes as
it has developed a lot over time. These changes have been related to encryption standards and file
transfer functionality.

Page 22 of 22
 JOIN OUR
TRAINING PROGRAMS
H ERE
CLICK BEGINNER

Bug Bounty Network Security

Ethical Hacking Essentials

Network Pentest
Wireless Pentest

ADVANCED

Burp Suite Pro Web Pro Computer

Services-API Infrastructure VAPT Forensics

Advanced CTF
Android Pentest Metasploit

EXPERT

Red Team Operation

Privilege Escalation
APT’s - MITRE Attack Tactics
Windows
Active Directory Attack
Linux
MSSQL Security Assessment

www.ignitetechnologies.in