Question

During a penetration test, I need to enumerate users and shared files on an FTP server without causing harm or raising alarms. What are the safest methods or tools to perform FTP enumeration, and how can I ensure that my actions remain ethical and within scope?

Examples of FTP commands or enumeration tools like ftp or nmap would be valuable.

Answer 1

Methods for FTP User and Share Enumeration

Certain methods and tools can be used to safely and efficiently enumerate FTP users and shares. Here are a few ways to accomplish this:

1. Preliminary Scanning with Nmap

Use Nmap to identify if the FTP service is running and gather basic information about the server.

nmap -p 21 -sV --script ftp-anon,ftp-syst <target-ip>

• ftp-anon: Checks for anonymous login capabilities.
• ftp-syst: Retrieves the system type and software version.

Example Output:

21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed
| ftp-syst:
|   STAT: FTP server status:
|      User: anonymous
|      Files: 10
|_     Directories: 2

2. Manual Enumeration Using the ftp Command

The built-in ftp client allows manual interaction with the server to explore its capabilities.

Connect to the server:

ftp <target-ip>

Log in with credentials (or anonymously if allowed):

Name (<target-ip>:user): anonymous
Password: <any email address>

Enumerate files and directories:

ls

Change directories to inspect shares:

cd <directory_name>
ls

3. Testing for Anonymous Login

Some FTP servers allow anonymous login, which can be leveraged to explore shared files.

Using Nmap:

nmap -p 21 --script ftp-anon <target-ip>

Using ftp:

ftp <target-ip>
# Log in with:
# Username: anonymous
# Password: <any email address>
ls

4. Enumerating Users with Brute-Force or Username Validation

Some FTP servers reveal valid usernames based on error messages or successful authentication attempts.

Using Hydra:

Hydra can test for valid usernames and passwords, but ensure you have authorization before attempting brute-force.

hydra -l <username-list> -P <password-list> ftp://<target-ip>

Replace <username-list> and <password-list> with files containing potential usernames and passwords.

Using Medusa:

Medusa can also perform user enumeration:

medusa -h <target-ip> -u <username> -P <password-list> -M ftp

5. Automated Enumeration Tools

Several tools automate FTP enumeration while remaining minimally intrusive:

Netcat (nc)

Quickly check for banner information:

nc <target-ip> 21

Example Output:

220 ProFTPD 1.3.5a Server ready

Metasploit Framework

Start Metasploit:

msfconsole

Use the auxiliary/scanner/ftp/ftp_version module to identify server details:

use auxiliary/scanner/ftp/ftp_version
set RHOSTS <target-ip>
run

Enum4linux: Though primarily for SMB, it can sometimes reveal FTP-related shares if integrated with directory services.

6. Reading FTP Configurations or Public Shares

If you have read access to the FTP root directory:

Look for common configuration files, e.g., ftpusers, ftphosts, or .conf files.

Download files for review:

get <file-name>