FTP [21]

Introduction
  1. One of the oldest protocols

  2. Operates on the application layer of the OSI model, alongside HTTP and POP

  3. TFTP - Trivial File Transfer Protocol

    1. Less secure than FTP as it does not feature authentication

  4. FTP can be vulnerable because it transmits data in cleartext, which can be sniffed

vsFTPd - Default Linux FTP Server

Default FTP on Linux (vsftpd)

One of the most used FTP servers on Linux-based distributions is vsFTPd. The default configuration of vsFTPd can be found in /etc/vsftpd.conf.

  1. You can install it on Linux with the following command:

z3tssu@htb[/htb]$ sudo apt install vsftpd 
Configuration File
z3tssu@htb[/htb]$ cat /etc/vsftpd.conf | grep -v "#"

FTP Users
z3tssu@htb[/htb]$ cat /etc/ftpusers

guest
john
kevin

In addition, there is a file called /etc/ftpusers that we also need to pay attention to, as this file is used to deny certain users access to the FTP service. In this example, the users guest, john, and kevin are not permitted to log in to the FTP service, even if they exist on the Linux system.

Dangerous Settings

There are many different security-related settings we can make on each FTP server. These can have various purposes, such as testing connections through the firewalls, testing routes, and authentication mechanisms. One of these authentication mechanisms is the anonymous user. This is often used to allow everyone on the internal network to share files and data without accessing each other's computers. With vsFTPd, the optional settings that can be added to the configuration file for the anonymous login look like this:
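An added example, not part of the original notes: a shell audit that reports anonymous-login settings in a vsftpd configuration and checks a user against an /etc/ftpusers-style deny list. The option names and built-in defaults are taken from the vsftpd.conf man page rather than from this page, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: flag anonymous-access settings in a vsftpd configuration.
# Built-in defaults below are the ones given in the vsftpd.conf man page.

# Effective value of option $2 in file $1; $3 is the built-in default.
# Assumption: if an option is repeated, the last assignment wins.
# TRUE and 1 are treated as YES so those spellings are not missed.
vsftpd_opt() {
    val=$(grep -E "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    printf '%s\n' "${val:-$3}" | tr '[:lower:]' '[:upper:]' |
        sed -e 's/^TRUE$/YES/' -e 's/^1$/YES/'
}

# Print one FINDING line per risky setting; return 1 if anything was found.
audit_vsftpd() {
    conf=$1
    # An absent anonymous_enable falls back to the built-in default, YES.
    if [ "$(vsftpd_opt "$conf" anonymous_enable YES)" != YES ]; then
        return 0
    fi
    echo "FINDING: anonymous_enable=YES (anonymous login permitted)"
    if [ "$(vsftpd_opt "$conf" no_anon_password NO)" = YES ]; then
        echo "FINDING: no_anon_password=YES (anonymous login without password prompt)"
    fi
    # Anonymous write options only take effect when write_enable is YES too.
    if [ "$(vsftpd_opt "$conf" write_enable NO)" = YES ]; then
        for opt in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if [ "$(vsftpd_opt "$conf" "$opt" NO)" = YES ]; then
                echo "FINDING: $opt=YES (anonymous users can write to the server)"
            fi
        done
    fi
    return 1
}

# Return 0 if user $1 is listed in deny file $2 (one name per line, as in
# /etc/ftpusers; comment lines are ignored).
ftp_denied() {
    grep -v '^[[:space:]]*#' "$2" 2>/dev/null | grep -qxF -- "$1"
}

# Constructed sample files, so the example runs without a real server.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf '%s\n' 'listen=NO' '# anonymous_enable=NO' 'write_enable=YES' \
    'anon_upload_enable=YES' 'no_anon_password=yes' > "$sample_dir/vsftpd.conf"
printf '%s\n' '# denied users' 'guest' 'john' 'kevin' > "$sample_dir/ftpusers"

audit_vsftpd "$sample_dir/vsftpd.conf" || echo "review the settings above"
ftp_denied john "$sample_dir/ftpusers" && echo "john is denied FTP login"
```

The sample configuration only has anonymous_enable commented out, so the audit still reports anonymous login because the built-in default applies.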
