FTP Enumeration to Exploitation (vsFTPd 2.3.4)
Overview
This document presents a complete penetration testing walkthrough against a vulnerable system (Metasploitable). The objective is to demonstrate how an attacker can progress from basic reconnaissance to full system compromise and data exfiltration by combining multiple weaknesses.
Unlike isolated vulnerabilities, real-world attacks rely on chaining:
- Misconfigurations
- Weak authentication
- Outdated software
This walkthrough follows a structured methodology:
- Reconnaissance and service discovery
- Service-specific enumeration (FTP)
- Misconfiguration analysis
- Credential testing
- Vulnerability identification
- Exploitation
- Post-exploitation
- Data exfiltration
Target Information
- Target IP: 192.168.29.157
- Environment: Metasploitable (intentionally vulnerable Linux system)
- Primary Focus: FTP service (Port 21)
1. Reconnaissance and Service Discovery
The first phase aims to identify all externally exposed services and understand the system’s attack surface.
Explanation
- -sS: SYN scan (stealth scan for identifying open ports)
- -T3: Balanced timing for reliability and speed
- -sV: Service version detection
Findings
- 21/tcp → FTP (vsFTPd 2.3.4)
- 22/tcp → SSH
- 80/tcp → HTTP
- 139/445 → SMB
- Additional services (databases, RPC, etc.)
Analysis
The system exposes multiple services, indicating poor hardening. A large attack surface increases the likelihood of exploitable weaknesses.
From a prioritization perspective:
- Services with known vulnerabilities are targeted first
- FTP stands out due to version disclosure
2. FTP Enumeration
2.1 Version Detection
Result
Analysis
Version detection is critical because:
- It allows mapping the service to known vulnerabilities
- Public exploit databases often index vulnerabilities by version
The version identified (vsFTPd 2.3.4) is known to contain a backdoor vulnerability that allows remote command execution.
2.2 Anonymous Login Check
Result
Explanation
- FTP servers sometimes allow anonymous access for public file sharing
- In secure environments, this is usually restricted or disabled
Security Impact
- Unauthorized users can access the service
- Potential exposure of sensitive files
- May allow file upload/download depending on configuration
3. Manual FTP Verification
Automated scans must always be validated manually.
Login using:
Observations
- Authentication successful
- Directory listing shows no files
- Navigation to other directories is restricted
Interpretation
This indicates:
- Anonymous access is enabled
- Permissions are limited (likely read-only or sandboxed)
Important Concept
Access does not always equal exploitability. Even when login is possible, permissions determine the actual impact.
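The distinction above (access versus actual impact) can be checked directly in the server's configuration. The following is an added example, not part of the original walkthrough: it parses a vsftpd.conf (assumed standard key=value format; the sample config is constructed) and classifies the anonymous exposure as read-only or writable.

```python
# Added example (not from the walkthrough): audit a vsftpd.conf for the
# anonymous-access settings discussed above. Sample config is constructed.

# Per vsftpd.conf(5), anonymous_enable defaults to YES when the key is absent;
# the write-related keys default to NO.
DEFAULTS = {"anonymous_enable": "YES"}
ANON_WRITE_FLAGS = ("anon_upload_enable", "anon_mkdir_write_enable",
                    "anon_other_write_enable")

def parse_vsftpd_conf(text):
    """Return {key: VALUE} from vsftpd.conf text, skipping comments and blanks."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip().upper()
    return conf

def classify_anonymous_access(conf):
    """Access is not exploitability (section 3): the write flags decide impact."""
    if conf.get("anonymous_enable") != "YES":
        return "disabled"
    if conf.get("write_enable") == "YES" and any(
            conf.get(f) == "YES" for f in ANON_WRITE_FLAGS):
        return "anonymous-write"
    return "anonymous-read-only"

def audit(text):
    """Return (access level, list of findings) for one vsftpd.conf."""
    conf = parse_vsftpd_conf(text)
    level = classify_anonymous_access(conf)
    findings = []
    if level != "disabled":
        findings.append("anonymous_enable=YES: unauthenticated users can log in")
    if level == "anonymous-write":
        findings.append("anonymous write access: untrusted uploads are possible")
    if conf.get("local_enable") == "YES" and conf.get("chroot_local_user") != "YES":
        findings.append("local users are not chrooted: whole filesystem is browsable")
    return level, findings

# Constructed sample resembling the lab's permissive setup (not the real file).
SAMPLE_CONF = """\
# vsftpd.conf (constructed)
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=NO
"""
```

Running audit(SAMPLE_CONF) yields the read-only level seen in section 3, together with the findings a hardening review would raise.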
4. Credential Bruteforce
To test authentication strength, credential brute-forcing is performed.
nmap --script ftp-brute \
--script-args userdb=/usr/share/wordlists/metasploit/unix_users.txt,passdb=/usr/share/wordlists/rockyou.txt \
-p 21 192.168.29.157
Explanation
- Uses username and password wordlists
- Attempts login combinations against the FTP service
Results
- ftp:ftp
- user:user
- postgres:postgres
Analysis
These credentials indicate:
- Default or weak passwords
- Poor credential management
Security Risk
- Unauthorized access
- Potential privilege escalation
- Reuse of credentials across services
5. Vulnerability Identification
At this stage, multiple findings are correlated:
| Finding | Type | Impact |
|---|---|---|
| Anonymous login | Misconfiguration | Unauthorized access |
| Weak credentials | Authentication flaw | Easy compromise |
| vsFTPd 2.3.4 | Software vulnerability | Remote code execution |
Key Insight
Each issue alone may not be critical. However, when combined, they significantly increase the attack impact.
This is a fundamental principle in penetration testing:
The overall risk to a system is determined by how its vulnerabilities interact, not just by the individual flaws.
6. Exploitation
The identified vulnerability (vsFTPd 2.3.4 backdoor) is exploited using Metasploit.
Step 1: Start Metasploit
Step 2: Search for Exploit
Step 3: Select Module
Step 4: Configure Target
Step 5: Execute Exploit
Result
- Backdoor connection established
- Remote shell obtained
Explanation
The vulnerability introduces a hidden backdoor in the FTP service that opens a shell when triggered, allowing attackers to execute commands remotely.
7. Post-Exploitation
Once access is obtained, the system is explored to assess impact.
Key Directories
- /etc → Contains configuration files and potential credential data
- /home → User directories and personal files
- /root → Administrative data
Analysis
Access to these directories indicates:
- High-level privileges
- Full system compromise
Post-exploitation focuses on:
- Data discovery
- Privilege escalation (if needed)
- Persistence (not covered in this lab)
8. Data Exfiltration
The final stage is extracting sensitive data.
Identified file:
Download:
Explanation
Data exfiltration involves transferring files from the compromised system to the attacker’s system.
Real-World Targets
- Credentials and password files
- Databases
- Internal documents
- Configuration files
Importance
This step represents the primary objective of most attacks:
Access is only valuable if data can be extracted.
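From the defender's side, the chain described in sections 2.2, 4 and 8 leaves a recognisable trail in vsftpd's own log. The following is an added example, not part of the original walkthrough: it parses constructed vsftpd log lines (format assumed from vsftpd_log_file output) and raises alerts for an anonymous login, a burst of failed logins followed by a success, and a download by a client already flagged.

```python
# Added example (not from the walkthrough): vsftpd log detection for the
# anonymous login, brute-force burst and download stages. Log lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of a vsftpd log line (vsftpd_log_file, not xferlog format), e.g.
#   Mon Jan 15 10:01:00 2024 [pid 102] [ftp] FAIL LOGIN: Client "192.168.29.10"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] (?:\[(?P<user>[^\]]*)\] )?'
    r'(?P<event>CONNECT|OK LOGIN|FAIL LOGIN|OK DOWNLOAD): Client "(?P<client>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)", (?P<bytes>\d+) bytes)?')

def parse_line(line):
    m = LINE_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
        return ev

def detect(lines, max_failures=3, window=timedelta(seconds=60)):
    """Return alert strings in the order the evidence appears in the log."""
    failures = defaultdict(list)      # client -> recent FAIL LOGIN timestamps
    flagged, bruteforced, alerts = set(), set(), []
    for ev in filter(None, map(parse_line, lines)):
        c, event = ev["client"], ev["event"]
        if event == "FAIL LOGIN":
            recent = [t for t in failures[c] if ev["ts"] - t <= window] + [ev["ts"]]
            failures[c] = recent
            if len(recent) == max_failures:          # alert once per burst
                alerts.append(f"brute force: {c} failed {max_failures} logins in {window.seconds}s")
                bruteforced.add(c); flagged.add(c)
        elif event == "OK LOGIN" and ev["user"] == "anonymous":
            alerts.append(f"anonymous login from {c}")
            flagged.add(c)
        elif event == "OK LOGIN" and c in bruteforced:
            alerts.append(f"credential guessed: {c} logged in as {ev['user']} after burst")
        elif event == "OK DOWNLOAD" and c in flagged:
            alerts.append(f"exfiltration: {c} downloaded {ev['path']} ({ev['bytes']} bytes)")
    return alerts

# Constructed sample log (not captured from the lab).
SAMPLE_LOG = """\
Mon Jan 15 10:00:02 2024 [pid 101] [anonymous] OK LOGIN: Client "192.168.29.10"
Mon Jan 15 10:01:00 2024 [pid 102] [ftp] FAIL LOGIN: Client "192.168.29.10"
Mon Jan 15 10:01:01 2024 [pid 103] [user] FAIL LOGIN: Client "192.168.29.10"
Mon Jan 15 10:01:02 2024 [pid 104] [guest] FAIL LOGIN: Client "192.168.29.10"
Mon Jan 15 10:01:05 2024 [pid 105] [postgres] OK LOGIN: Client "192.168.29.10"
Mon Jan 15 10:02:00 2024 [pid 105] [postgres] OK DOWNLOAD: Client "192.168.29.10", "/etc/passwd", 1581 bytes, 12.00Kbyte/sec
""".splitlines()
```

detect(SAMPLE_LOG) returns four alerts, one per stage of the chain; the threshold and window are starting points to tune against a real server's baseline.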
9. Key Concepts and Learnings
- Enumeration is the foundation of penetration testing
- Version detection enables targeted exploitation
- Misconfigurations often provide initial entry points
- Weak credentials significantly increase attack success
- Exploitation is a transition phase, not the final goal
- Data exfiltration defines the real impact of a compromise
10. Conclusion
This walkthrough demonstrates a realistic attack chain:
- Discover exposed services
- Identify weak configurations
- Correlate vulnerabilities
- Exploit known weaknesses
- Gain system access
- Extract sensitive data
It highlights how multiple small issues can be combined to achieve full system compromise.
Understanding this process is essential for:
- Penetration testers (offensive security)
- System administrators (defensive security)
Disclaimer
This content is intended for educational purposes only. All activities were performed in a controlled lab environment. Unauthorized testing on real systems is illegal.