Now, as you probably already know, File Transfer Protocol, or FTP, is used for the transfer of files between a client and a server using port 21.

Poorly configured FTP servers can be a good foothold. So you can run some MSF modules to enumerate FTP servers and gain some important information, such as the software version, banner info and all that.

Aside from this, FTP servers authenticate users with a clear-text sign-in mechanism. Moreover, they can sometimes allow anonymous login.

So why don't we enumerate an FTP service? Let's have a look and see which hosts have FTP services. All right, so both of them have.

But sometimes administrators use different ports for the services, so let's try a search with the -s parameter. And just like that, you can find all the FTP servers that the db_nmap command discovered. And yeah, as you see here, there's an active service running on 2121.

And then you'll get this list if you search for FTP auxiliaries. And I'll just use these ones here.

use auxiliary/scanner/ftp/ftp_version, then show options. I think it's set. So let's run the module. And there's a result. Now, you can do the same process for every FTP port.

But here's an important point: if you get the version, look for vulnerabilities on the Internet or somewhere else. So what I'll do is copy it and then search Google, or whatever your favorite search engine is. And you see this FTP has a vulnerability for this particular version, and even Metasploit has a module for this. So make a note of that, because you will use it later.

Oh, and by the way, this is a lab environment, remember, but the logic is 100 percent the same as in any real penetration test.

So I'll use another module: ftp_login. Show options, and here are the variables. So I'm going to allow blank passwords, and username as password. And here I'll set USERPASS_FILE to my FTP dictionary file. I'll create this list from the same address that I did for my high school.

All right. Run the module. And I think you'll probably find one pair, so make a note of that too.

Now, one more module. Some FTP servers allow anonymous logins. So when you perform a vulnerability scan, you probably are going to get this finding. But you can quickly check to see if any of the discovered FTP services allow anonymous access. That's why this module is so handy.

So, show options. OK, so I'll need to configure nothing, so I'll just run the module. And the result comes up pretty quickly, so, yeah, you can connect to this FTP service on Metasploitable anonymously.

So now that we've got the hang of that, let's enumerate some other services.