# 第四十二课:攻击FTP服务 在办公区的内网中,充斥着大量的 ftp 文件服务器。其中不乏有部分敏感文件,也许有你需要的密码文件,也许有任务中的目标文件等。本季从讲述内网ftp服务器的发现以及常用的相关模块。 **靶机介绍:** * 靶机一:Windows 2003 | 192.168.1.115 * 靶机二:Debian | 192.168.1.5 msf 内置 search 模块,在实战中,为了更快速的找到对应模块,它提供了 type 参数(未来会具体讲到模块参数),以 ftp 模块为例。 ```bash msf > search type:auxiliary ftp Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- auxiliary/admin/cisco/vpn_3000_ftp_bypass 2006-08-23 normal Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access auxiliary/admin/officescan/tmlisten_traversal normal TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access auxiliary/admin/tftp/tftp_transfer_util normal TFTP File Transfer Utility auxiliary/dos/scada/d20_tftp_overflow 2012-01-19 normal General Electric D20ME TFTP Server Buffer Overflow DoS auxiliary/dos/windows/ftp/filezilla_admin_user 2005-11-07 normal FileZilla FTP Server Admin Interface Denial of Service ...... ``` ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrATY7JILnsrfXHi%2F9f4d6fb344a6812126526c03dc4cdb2e.jpg?generation=1551060436656861\&alt=media) ## auxiliary/scanner/ftp/ftp\_version ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrAVQV_iSWOJ9riu%2Fafc593576266cfa54f2dcd0eeefcfa81.jpg?generation=1551060458652604\&alt=media) ## auxiliary/scanner/ftp/ftp\_login ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrAXe-4K9rd8UenJ%2F6d172564dfc97a31f39366bedca0baf9.jpg?generation=1551060434584261\&alt=media) ## auxiliary/scanner/ftp/anonymous ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrAZobBE_crMB5Qy%2F956d2d88181d499ab543583448d60aa9.jpg?generation=1551060451505506\&alt=media) 当然 msf 也内置了 nmap,来内网大量发现 FTP 存活主机,参数与使用与 nmap 一致。 ```bash msf auxiliary(scanner/ftp/anonymous) > db_nmap -sS -T4 -p21 192.168.1.115 ``` ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrAaDs1Gt0keJkxn%2F79c9ed79b71ccc537313c6b1bbd2d477.jpg?generation=1551060431596397\&alt=media) msf 更多针对了 ftpd。\ ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrAcgMPWGAJQHlTL%2Ff96780563285d4c96f6acefa51214740.jpg?generation=1551060447256980\&alt=media) ## ftp本地模糊测试辅助模块: ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrAesil053vC-P3v%2F7cf2c4df632790edc7b4af6042f58388.jpg?generation=1551060434751998\&alt=media) ## auxiliary/fuzzers/ftp/ftp\_pre\_post ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrAg_n2BIcJGprbG%2F20cdea228c480bc89f22f69987d877df.jpg?generation=1551060431570846\&alt=media) 关于 ftp 的本地 fuzzer,更推荐的是本地fuzz,msf 做辅助 poc。\ ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrAiEy2Qife7n7qV%2Fd19bd4335259bd091a4ab4e9e6ba3fe5.jpg?generation=1551060459475697\&alt=media) ![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwrAkETnptJYN0GKI%2F06293311884d5469f50199e889ede3f6.jpg?generation=1551060436801580\&alt=media) 关于后期利用,poc编写,在未来的季中会继续讲述。 > Micropoor