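# Lesson 42: Attacking FTP Services

Office intranets are full of FTP file servers. Many of them hold sensitive files: perhaps the password file you need, perhaps the target file for your engagement. This lesson covers discovering FTP servers on the internal network and the commonly used related modules.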

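**Target machines:**

* Target 1: Windows 2003 | 192.168.1.115
* Target 2: Debian | 192.168.1.5

msf has a built-in search command. To find the right module faster in practice, it provides a type parameter (module parameters will be covered in detail later). Taking the ftp modules as an example: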

```bash
msf > search type:auxiliary ftp

Matching Modules
 ================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/cisco/vpn_3000_ftp_bypass 2006-08-23 normal Cisco VPN Concentrator 3000 FTP Unauthorized Administrative Access
auxiliary/admin/officescan/tmlisten_traversal normal TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access
auxiliary/admin/tftp/tftp_transfer_util normal TFTP File Transfer Utility
auxiliary/dos/scada/d20_tftp_overflow 2012-01-19 normal General Electric D20ME TFTP Server Buffer Overflow DoS
auxiliary/dos/windows/ftp/filezilla_admin_user 2005-11-07 normal FileZilla FTP Server Admin Interface Denial of Service
......
```

![](/files/-LZJwrATY7JILnsrfXHi)

## auxiliary/scanner/ftp/ftp\_version

![](/files/-LZJwrAVQV_iSWOJ9riu)

## auxiliary/scanner/ftp/ftp\_login

![](/files/-LZJwrAXe-4K9rd8UenJ)

## auxiliary/scanner/ftp/anonymous

![](/files/-LZJwrAZobBE_crMB5Qy)

msf also has nmap built in, for discovering live FTP hosts across the internal network in bulk. Its parameters and usage are the same as nmap's.

```bash
msf auxiliary(scanner/ftp/anonymous) > db_nmap -sS -T4 -p21 192.168.1.115
```

![](/files/-LZJwrAaDs1Gt0keJkxn)
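
Seen from the defender's side, the three scanner modules above leave distinct traces in the FTP server's log: connections with no login (banner grabs), anonymous logins, and bursts of failed logins. The following is an added example, not part of the original lesson, that summarizes those patterns per source address; the vsftpd-style log format, the sample lines, the source addresses and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in vsftpd log style (assumed format; adapt LINE_RE to your FTP daemon).
SAMPLE_LOG = """\
Mon Mar  4 10:12:01 2019 [pid 2310] CONNECT: Client "192.168.1.50"
Mon Mar  4 10:12:02 2019 [pid 2312] CONNECT: Client "192.168.1.50"
Mon Mar  4 10:12:02 2019 [pid 2311] [ftp] OK LOGIN: Client "192.168.1.50", anon password "mozilla@example.com"
Mon Mar  4 10:12:05 2019 [pid 2314] CONNECT: Client "192.168.1.50"
Mon Mar  4 10:12:06 2019 [pid 2313] [admin] FAIL LOGIN: Client "192.168.1.50"
Mon Mar  4 10:12:07 2019 [pid 2316] CONNECT: Client "192.168.1.50"
Mon Mar  4 10:12:08 2019 [pid 2315] [root] FAIL LOGIN: Client "192.168.1.50"
Mon Mar  4 10:12:09 2019 [pid 2318] CONNECT: Client "192.168.1.50"
Mon Mar  4 10:12:10 2019 [pid 2317] [test] FAIL LOGIN: Client "192.168.1.50"
Mon Mar  4 11:30:00 2019 [pid 2400] CONNECT: Client "192.168.1.20"
Mon Mar  4 11:30:03 2019 [pid 2399] [alice] OK LOGIN: Client "192.168.1.20"
"""
LINE_RE = re.compile(r'\[pid \d+\] (?:\[(?P<user>[^\]\n]+)\] )?'
                     r'(?P<event>CONNECT|OK LOGIN|FAIL LOGIN): Client "(?P<ip>[^"\n]+)"')
ANON_USERS = {"anonymous", "ftp"}

def summarize(log_text):
    """Count connects, anonymous logins, failed and successful logins per client IP."""
    stats = defaultdict(Counter)
    for m in LINE_RE.finditer(log_text):
        if m["event"] == "CONNECT":
            kind = "connects"
        elif (m["user"] or "").lower() in ANON_USERS:
            kind = "anon"
        else:
            kind = "fails" if m["event"] == "FAIL LOGIN" else "ok"
        stats[m["ip"]][kind] += 1
    return stats

def findings(log_text, fail_threshold=3):
    """Map each client IP to the scan-like patterns seen from it (sorted tag list)."""
    result = {}
    for ip, s in summarize(log_text).items():
        checks = {
            "anonymous-login": s["anon"] > 0,
            "connect-without-login": s["connects"] > s["anon"] + s["fails"] + s["ok"],
            "credential-guessing": s["fails"] >= fail_threshold,
        }
        if any(checks.values()):
            result[ip] = sorted(tag for tag, hit in checks.items() if hit)
    return result

if __name__ == "__main__":
    print(findings(SAMPLE_LOG))
```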

Most of msf's FTP modules are aimed at ftpd.\
![](/files/-LZJwrAcgMPWGAJQHlTL)

## Auxiliary modules for local FTP fuzzing:

![](/files/-LZJwrAesil053vC-P3v)

## auxiliary/fuzzers/ftp/ftp\_pre\_post

![](/files/-LZJwrAg_n2BIcJGprbG)

For FTP fuzzing, the recommended approach is to fuzz locally and use msf as an aid for the PoC.\
![](/files/-LZJwrAiEy2Qife7n7qV)

![](/files/-LZJwrAkETnptJYN0GKI)

Follow-up exploitation and PoC writing will be covered in later lessons.

> Micropoor


