What are the methods for enumerating FTP users and shares securely

0 votes
During a penetration test, I need to enumerate users and shared files on an FTP server without causing harm or raising alarms. What are the safest methods or tools to perform FTP enumeration, and how can I ensure that my actions remain ethical and within scope?

Examples of FTP commands or enumeration tools like ftp or nmap would be valuable.
Nov 15 in Cyber Security & Ethical Hacking by Anupam
• 5,390 points
53 views

1 answer to this question.

0 votes

Methods for FTP User and Share Enumeration

Certain methods and tools can be used to safely and efficiently enumerate FTP users and shares. Here are a few ways to accomplish this:

1. Preliminary Scanning with Nmap

Use Nmap to identify if the FTP service is running and gather basic information about the server.

nmap -p 21 -sV --script ftp-anon,ftp-syst <target-ip>
  • ftp-anon: Checks for anonymous login capabilities.
  • ftp-syst: Retrieves the system type and software version.

Example Output:

21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed
| ftp-syst:
|   STAT: FTP server status:
|      User: anonymous
|      Files: 10
|_     Directories: 2

2. Manual Enumeration Using the ftp Command

The built-in ftp client allows manual interaction with the server to explore its capabilities.

Connect to the server:

ftp <target-ip>

Log in with credentials (or anonymously if allowed):

Name (<target-ip>:user): anonymous
Password: <any email address>

Enumerate files and directories:

ls

Change directories to inspect shares:

cd <directory_name>
ls

3. Testing for Anonymous Login

Some FTP servers allow anonymous login, which can be leveraged to explore shared files.

Using Nmap:

nmap -p 21 --script ftp-anon <target-ip>

Using ftp:

ftp <target-ip>
# Log in with:
# Username: anonymous
# Password: <any email address>
ls

4. Enumerating Users with Brute-Force or Username Validation

Some FTP servers reveal valid usernames based on error messages or successful authentication attempts.

Using Hydra:

Hydra can test for valid usernames and passwords, but ensure you have authorization before attempting brute-force.

hydra -l <username-list> -P <password-list> ftp://<target-ip>

Replace <username-list> and <password-list> with files containing potential usernames and passwords.

Using Medusa:

Medusa can also perform user enumeration:

medusa -h <target-ip> -u <username> -P <password-list> -M ftp

5. Automated Enumeration Tools

Several tools automate FTP enumeration while remaining minimally intrusive:

Netcat (nc)

Quickly check for banner information:

nc <target-ip> 21

Example Output:

220 ProFTPD 1.3.5a Server ready

Metasploit Framework

Start Metasploit:

msfconsole

Use the auxiliary/scanner/ftp/ftp_version module to identify server details:

use auxiliary/scanner/ftp/ftp_version
set RHOSTS <target-ip>
run

Enum4linux: Though primarily for SMB, it can sometimes reveal FTP-related shares if integrated with directory services.

6. Reading FTP Configurations or Public Shares

If you have read access to the FTP root directory:

Look for common configuration files, e.g., ftpusers, ftphosts, or .conf files.

Download files for review:

get <file-name>
answered Nov 20 by CaLLmeDaDDY
• 6,540 points

Related Questions In Cyber Security & Ethical Hacking

0 votes
1 answer

What are the comand used for troubleshooting DHCP issues?

The most common command used to troubleshoot ...READ MORE

answered Mar 23, 2019 in Cyber Security & Ethical Hacking by Priyaj
• 58,020 points
1,112 views
+1 vote
1 answer

How do you decrypt a ROT13 encryption on the terminal itself?

Yes, it's possible to decrypt a ROT13 ...READ MORE

answered Oct 17 in Cyber Security & Ethical Hacking by CaLLmeDaDDY
• 6,540 points
114 views
+1 vote
1 answer
+1 vote
1 answer
+1 vote
1 answer
+1 vote
1 answer
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP