FTP Hacking

Docs that have proven to be a staple in understanding computer/network security. This is not an inclusive forum and nothing ipublished will tell you how to 0wn someone, these docs will help you understand how you got 0wnd.
Post Reply
User avatar
Posts: 1688
Joined: Sun Jul 07, 2002 10:02 am
Location: any given

FTP Hacking

Post by weazy » Fri May 30, 2003 7:25 pm


What Is FTP and What Is It Good For?

* What does the acronym FTP stands for?
* What can I do with FTPs anyway? What are they good for anyway?

------FTP Commands------

* How to use FTP with raw FTP commands
* How to use FTP with a GUI (Graphical User Interface) / text client(5)

------FTP Hacking------

* Finding out information about your target and finding security holes using that info
* Example FTP-related security holes
The Stupid Bug Corner
* An "elite" bug
Newbies Corner
* What is a protocol
* What is a port
* What is a mirror site
* What is a path (complete path + relative path)
* What is a client program and what is a server program
* How to find information about remote hosts
* What is a daemon
* What is root
* What is a core dump
* What is a DoS attack
* What is DUN
* What is an ISP
* What is flaming
Other Tutorials
* FTP Hacking.
* Overclocking.
* Ad and Spam Blocking.
* Sendmail.
* Phreaking.
* Advanced Phreaking.
* Phreaking II.
* IRC Warfare.
* Windows Registry.
* Info Gathering.
* Proxy/Wingate/SOCKS.
* Offline Windows Security.
* ICQ Security.


What Is FTP and What Is It Good For?

The word FTP (see footnote 1 below) stands for File Transfer Protocol(1).
FTP servers will let you to both download (retrieve a file from the server) and upload (send a file to the server) files from the server with great ease (if you
have permission to do so). You browse through a remote FTP site the same way you browse through your own computer's files and directories (of course,
you don't have read and/or write access to every file on the system, and some files you can't even see).

FTP Commands

The following are several basic FTP commands. To communicate with FTP daemons(7), connect to port(2) 21 and then use the following commands (see footnote 2 below) to communicate with the FTP server:
cd change directory (on the server)
lcd change local directory (when sending a file, the path(4) of the specified file will be the path you specify on lcd)
dir,ls directory listing
binary change mode to binary transfer
get retrieve a file
mget retrieve many files
put send a file
mput send many files
pwd print working directory on the server


For thousands of computer-related acronyms and abbreviations head to blacksun.box.sk and download the file called acros.txt from the projects page.

If you don't feel like typing stupid commands, there are lots of FTP clients(5) who will do all the work for you, but fortunately some will still show you all the commands they use so you'll be able to learn new commands.

You can download FTP clients for every Operating System from TUCOWS. Simply go to the nearest TUCOWS mirror site(3) or go directly to http://blacksun.box.sk/www.tucows.com. FTP Hacking

Since there are so many FTP holes for so many FTP server programs and so many Operating Systems, I decided that the best way it simply to explain to you how to find information about security holes by yourself.
I will also introduce several interesting FTP security holes near the end of this section.
To find FTP exploits, try searching the following websites (or join the BugTraq mailing list at http://blacksun.box.sk/www.securityfocus.com):
CERT (Computer Emergency Response Team) - http://cert.org/
X-Force Search (simplest) - http://www.iss.net/cgi-bin/xforce/xforce_index.pl
Packet Storm - packetstorm.genocide2600.com
BugTraq Archives - http://www.securityfocus.com/level2/bot ... ?go=search
Fyodor's Exploit World - http://www.insecure.org/sploits.html
Spikeman's Denial Of Service Website (for DoS(9) attacks against FTP servers) - http://www.genocide2600.com/~spikeman/
RootShell - http://www.rootshell.com/
Slashdot - http://www.slashdot.org/
Data - http://www.hideaway.net/data.html
(Please report all dead links to barakirs@netvision.net.il)

Note: one might think that the above sites are considered illegal, since they feature explanations about security holes and how to exploit them.
Well, screw one. These things are called "advisories" and they allow you to find holes on your own PC and fix them. Whether you use this information to secure yourself or hack others is your own choice. It's the difference between legitimate and illegal.

After you get to one of the following search sites (I recommend the BugTraq Archives) search for the keywords you want. For example: you find out(5) that your target is using this OS with this FTP server and this Webserver program etc'. Try combining all of those pieces of information and I'm sure you'll find the holes that fit you the most. You can also try searching holes on your own computer. Speaking about holes, we will explain about many security holes on the upcoming Sendmail tutorial (see blacksun.box.sk). Now, for several selected FTP holes.

Selected FTP Holes

The following FTP holes aren't new or extraordinary or incredibly fantastic or anything of that sort of matter. They're just good for learning. I picked some interesting FTP holes and written a small explanation about them just to get the newbies started. Note: the sites I got these from aren't "evil hacking sites". These explanations are called advisories and they are meant to be used by people who want to fix bugs on their systems. Whether you use them for that purpose or others is none of our business.

Some FTP daemons allows a premature PASV command, which can cause some FTP daemons to crash with a core dump(9). FTP core dumps can be used to salvage encrypted passwords, bypassing any shadow password scheme. It is not known exactly which servers are immune to this and which are not, and the only workaround right now is to get a newer FTP server program. Also see http://www.genocide2600.com/~spikeman/bisonware3.html for a DoS(9) attack against BisonWare FTP Server 3.5 similar to this hole.

FTP Bounce Attack (too long, see http://www.netspace.org/cgi-bin/wa?A2=i ... aq&P=R1425 (From BugTraq))

Local bug in FTP Daemon (too long, see http://www.netspace.org/cgi-bin/wa?A2=i ... aq&P=R1345 (From BugTraq))

(Quotes in partfrom BugTraq) Impact: Anybody from outside can shutdown your pc ftp server. And if u are under win3.1 the system will crash.

Program: WinQVT/NET
Version: All versions.. 16 and 32 bits
Solution.. dont use it or upgrade
Exploit: Just Send a OOB (Out of Band) to port 21,
Exploit for dummies: Take any winnuke, start it, and when u find a "139" change it to "21" instead.
OK, I know this is stupid....... :P. But maybe somebody will need it.. who knows...
Note: A patched version of NT 4.0 isn't vulnerable to this running MS's FTP server. I haven't had a chance to test an unpatched server, but IIRC, I did check the FTP port when the OOB problem was first reported and it didn't cause a crash.
I would suspect that this could be a DOS/Win problem in general, and might not be specific to the WinQVT package.
I hope this helped you learn how to find holes. There will be much more examples in the Sendmail tutorial. The Stupid Bug Corner

I found this on an "elite" website made by a bunch of "elite" "hackers".
They said that in order to "hack an FTP" you need to connect to it and send the following commands:
quote user ftp
quote cwd ~root
quote pass ftp
Basically, what the so-called hacker is trying to do here is to enter a username to get into the system, change the user to root(7) and then enter a password for the username.
This only works on VERY badly-configured FTP servers (the author mentioned that "this doesn't work on every FTP server". Well, I've got news for you - this doesn't work. Period. Unless you're talking about some 5 years old boy who just got a computer and clicked on some buttons and accidently set up an FTP server).

Appendix A: the SYST command

Entering the SYST command while connected to an FTP server often reveals valuable information on a system, such as the OS, which version and information about the FTP server.
Get access to an FTP server somehow (by using a username and a password you know or by using anonymous login - login: anonymous password:your-email-address@your.isp. You could also enter someone else's Email address, the server doesn't actually verifies the address you send or anything) and then type the SYST command.

Newbies Corner

Protocol - a set of rules and regulations, similar to a language. When two computers know the same protocol, they can use it to communicate with each other.

Port - (for the more technical explanation of what ports are, see the end of this explanation) ports are like holes that enable things (data, in this case) to come in or out of them. There are physical ports and software ports on your computer. Physical ports are those slots on the back of your computer, your monitor etc'. Now, software ports are used when connecting to other computers. For example: I just bought a new computer and I want to turn it into a webserver (I want to enable people to access selecetd web pages, pictures, cgi and java scripts or applets, programs etc' that are located on my computer). In order for that to happen, I need to install a webserver software. The webserver software opens a port on my computer and names it port 80. Then it listens to incoming connections on that port. When someone starts his Internet browser (Netscape, Lynx, Microsoft Explorer etc') and surfs to my website, his browser connects to my computer on port 80 and then sends HTTP commands that my webserver program can understand into it. My webserver program quickly picks up the incoming data and then sends it back into a port that the surfer's browser opened on the surfer's computer. The browser will listen on that port and wait for the data (the HTML page, the picture, the program etc') to come in through it. There are different ports for different services (we'll get to that) so data won't mix up. Imagine your browser getting data your FTP client was supposed to get. I hope you got the main idea of what a port is. Now, there are three kinds of ports: well-known ports, registered ports and dynamic/private ports. The well known ports are those from 0 through 1023. These are default ports for several services (a webserver is a service because it listens for connections from remote computers and then sends something back). For example: the default port for webservers is 80. Else, how would your browser know which port he has to access? Now, the registered ports are those from 1024 through 49151. These ports are reserved for several programs. For example: ICQ (http://blacksun.box.sk/www.icq.com) reserves a port and listens to incoming messages on it. The dynamic and/or private ports are those from 49152 through 65535, and can be used by anyone for any given purpose. "Techy Explanation" - To grant simultaneous access to the TCP module, TCP provides a user interface called a port. Ports are used by the kernel to identify network processes. These are strictly transport layer entities (that is to say that IP could care less about them). Together with an IP address, a TCP port provides provides an endpoint for network communications. In fact, at any given moment *all* Internet connections can be described by 4 numbers: the source IP address and source port and the destination IP address and destination port. Servers are bound to 'well-known' ports so that they may be located on a standard port on different systems. For example, the telnet daemon sits on TCP port 23, the FTP daemon sits on TCP port 21, the rlogin daemon sits on TCP port 513 etc'.

Important note about well-known ports: services (daemons waiting for incoming connections that serve people in some way) on these ports can be only ran by root, so inferior users won't start messing up with important ports.

Mirror site - a website which is an exact copy of the original website which is hosted by a different server. Mirror sites can be used to speed up downloads/uploads. For example: instead of downloading/uploading from/to the main tucows webserver, located somewhere distantly from my home, I can simply do it from one of their Israeli mirrors (mirror site located in Israel, my country) and that way the downloads/uploads would go faster.

Path - UNIX example: if a file is located at /etc/passwd, the file's path would be /etc. DOS/Windows example: if a file is located at c:\windows\win.exe, the file's path would be c:\windows. There are two kinds of paths: a complete path and a relative path. Complete path on DOS/Windows: if the file is located on c:\program files\quickview plus\ then this is the file's complete path. Complete path on UNIX: if the file is located at /usr/local/sbin then this is the file's complete path. Relative path on DOS/Windows: if the current directory (the directory you are on at the moment) is c:\windows and the target file is located at c:\windows\temp then the relative path to this file is temp. Relative path on UNIX: if the current directory is /usr/nobody and the file is located at /usr/nobody/public_html/cgi-bin then the file's relative path is public_html/cgi-bin.

Client / Server programs - A client program is a program that uses a resource offered by another program/computer. A server program is a program that supplies resources to client programs. Example: Client=Netscape Navigator. Server=Apache version 1.6.6 (a webserver, meaning a program that lets people who use Internet browsers to download specific web pages, pictures, files etc' from the computer it is installed on).

How to find out information about remote hosts - the best way to find out information is too look at daemon(6) banners. Daemon banners are small pieces of information some daemons return when connected to in order for the remote machine (the one connecting to the daemon) to know how to interact with them better. Try connecting to port 80 (webserver) and sending some commands like get and then looking at the banner. You may also try Sendmail (see next tutorial) on port 25, Telnet on port 23, FTP on port 21 or whatever you can come up with.

Daemon - a program that listens for incoming connections from remote machines on a specified port(2) and interacts with them.

Root - also referred as superuser, because his permissions are endless. His UID (User ID number, an identification number and user on a UNIX system has) and GID (Group ID. You can create groups and give them several permissions. For example: everyone from the accounting department can read and execute all the files on this directory, etc') are always 0 (except on very altered boxes). Once you are root, you can do practically anything on a system. Core Dump - when a program crashes it dumps all the core (all the info it handles that isn't saved on disk, meaning all of the program's stuff that are on the RAM chip) into a temporary file.

DoS - Denial of Service. A nuke in dummies language. Some kind of an attack that causes the target computer to deny some/all kinds of services to the users of that computer (including remote users). For example: Winnuke (also known as OOB), the simplest DoS in the world. (Taken from Spikeman's DoS site) This denial of service program affects Windows clients by sending an "Out of Band" exception message to port 139, which does not know how to handle it. This is a standard listening port on Windows operating systems. Users of Win 3.11, Win95, and Win NT are vulnerable to this attack. This program is basically a nuisance program, but it is being widely circulated over the internet now. It has become a bother in chatrooms and on IRC. By using your IP# and sending OOB data to port 139, malicious users can disconnect you from the net, often leaving you with low resources and the blue tinted screen. Some of you may have been victims already. If this happens to you on Win 95, you will see a Windows fatal error message similar to the following: Fatal exception 0E at 0028: in VxD MSTCP(01) + 000041AE. This was called from 0028: in VxD NDIS(01) + 00000D7C. Rebooting the comp should return it to normal state. Patches ("fixes") For WinNuke (OOB)

Additional Information on WinNuke
http://support.microsoft.com/support/kb ... 8/7/47.asp

Windows 95 Patches

http://support.microsoft.com/download/s ... ipup11.exe
http://support.microsoft.com/download/s ... ipup20.exe (for Winsock 2.0*)
Please read notes referring to 95 patches before installing.
Which version of Winsock do you have on your Windows 95 PC?
http://premium.microsoft.com/support/kb ... 7/7/19.asp
Windows NT 4.0 Patch
http://support.microsoft.com/support/kb ... 3/4/78.asp
Please read notes referring to Windows NT patches before installing.

More info on DoS attacks can be found at Spikeman's DoS site: http://www.genocide2600.com/~spikeman/main.html

* I do not know it it will work on newer versions of Winsock, so you'd better downgrade to Winsock 1.1 (the version that comes with Windows 95) by going to Control Panel, Network and removing TCP/IP and Dial Up Adapter(11) and then readding them (click add, choose protocol and in the company frame choose Microsoft and you'll find TCP/IP. For DUN do the same but choose adapter instead of protocol).
After you finish downgrading reupgrade to Winsock 2.0, apply the patch (Vipup20.exe) and then upgrade to newer versions of Winsock.

Flames - the action of flaming someone (send him angry mail about things he has done, opinions he has etc' which you do not agree with).

DUN - Dial Up Adapter. Basically it's the Windows program that dials to your ISP(12).

ISP - Internet Service Provider. A company that provides Internet services, such as Internet connectivity, web hosting, Email services etc'.

Distro - Distribution. Since UNIX is not a registered patent, trademark, copyrighted or whatever there are many distributions (software packages) of it. Every distro has it's own advantages and disadvantages (example: Redhat is the best for beginners).

Next Tutorials The next tutorial will be about Sendmail, the buggiest daemon on earth - what is Sendmail, Sendmail commands, how to hack through Sendmail, how to send completely untracable mail, a newbies corner (what is a daemon, how to trace mail etc') and much much more. If this tutorial scores 7 points out of 10, then the Sendmail tutorial with score 12. First of all, it's gonna be veery looong and it'll have lots of side tips and thorough explanations about security holes and tips and tricks and tons of cool stuff I havn't thought of yet. Besides, I did this tutorial in a rush 'cause I didn't have much time to work on it*, but summer vacation is coming up so I'll have plenty of time to work on the Sendmail tutorial. The 3rd tutorial will be probably about UNIX Shell Programming. I don't wanna give away any details right now, and besides - I'm not so sure about this title. Maybe I'll change it to an "All you wanted to know about IRC wars and never had the guts to ask" tutorial. Who knows. I'll set up a electronic poll soon so you'll be able to vote on that subject or suggest other titles (subscribe to the mailing list and you'll be notified when it's ready. To subscribe, go to blacksun.box.sk and go to the Mailing List page). For more information, head down to blacksun.box.sk. Don't forget to drop us a line!

* Just installed Redhat 6.0. Yeah, yeah, I know, it's not exactly the best Linux distro(10) out there (I'm trying not to offend all of you Redhat users out there), but I wanted to see how it looks and everything. I gotta tell you, the installation is EEE-ZZZ comparing to other distros, and it's great for beginners.

Note: before I'll release the Sendmail tutorial I will send out some mini-tutorials, such as "Buffer Overflows", "Overclocking", "RM Networks" etc'.

Other Tutorials

RM Networks Hacking.
Ad and Spam Blocking.
Sendmail (creating fake mails and hacking servers that run Sendmail).
Get them all at blacksun.box.sk, or join the mailing list at blacksunresearch.listbot.com.


BugTraq Archives - http://www.securityfocus.com/level2/bot ... ?go=search
RootShell - http://www.rootshell.com/
Fyodor's Exploit World - http://www.insecure.org/sploits.html
Packet Storm - http://packetstorm.harvard.edu/
X-Force Search (simplest) - http://www.iss.net/cgi-bin/xforce/xforce_index.pl
Slashdot - http://www.slashdot.org/
Spikeman's Denial Of Service Website - http://www.genocide2600.com/~spikeman/
PC Magazine - http://www.pcmagazine.com/

Other Tutorials

* FTP Hacking.
* Overclocking.
* Ad and Spam Blocking.
* Sendmail.
* Phreaking.
* Advanced Phreaking.
* Phreaking II.
* IRC Warfare.
* Windows Registry.
* Info Gathering.
* Proxy/Wingate/SOCKS.
* Offline Windows Security.
* ICQ Security.
--The Devil is in the Details--

Post Reply