Exploit Proftpd


Neomi Bensch

Aug 3, 2024, 5:03:37 PM8/3/24
to forholance

These tools are widely used by penetration testers, network administrators, and threat actors alike. The first tool is Nmap, short for Network Mapper. For network admins, Nmap helps to find networked computers, discover open ports, available services, and detect known vulnerabilities on their network. Once a list of services is discovered, they can be exploited.

This is part of the reconnaissance or scanning phase, where the threat actor wants to learn as much about the target system as they can. Because this is a demonstration, we are not going to be quiet about our attack and will do nothing to conceal our intentions. We will use the -sV option, which reports the current version of any services that are running. This is a noisy scan that should be picked up by most intrusion detection systems or SIEMs.

The results from this command reveal a lot about our target system. Each open port is vulnerable to a potential attack. In our simulated attack, we are going to concentrate on the ftp service running the proftpd 1.3.3c software on Port 21.

The proftpd 1.3.3c software was patched over 10 years ago but serves as a good example of how a vulnerable piece of software can be exploited. It is highly unlikely to still be running as an unpatched service.

We could use Google to learn more about the vulnerabilities in the proftpd 1.3.3c server, or we can use the next tool in our toolbox, Metasploit, and use its built-in database to find known vulnerabilities.

Metasploit comes with an extensive database and technical details of over 180,000 vulnerabilities and 4000 exploits. These are all searchable with the search command from the Metasploit command line. We are going to use this database to find proftpd 1.3.3c vulnerabilities and known exploits.

Now we need to make some site-specific configuration settings. The first is the IP address of the target machine. Set the remote host IP address with the RHOSTS option. This is the same IP address we used during our Nmap scan earlier and the machine that is running the proftpd 1.3.3c server.

Once we have a proper shell we can move through the system as root, having full access to the Linux environment. This is where the system is most vulnerable. As root we can install rootkits, malware, ransomware, and exfiltrate data.

Data exfiltration is when a threat actor performs the unauthorized copying, transfer, or retrieval of data from a computer or server. As root, we have full access to the computer and can do anything we want including data exfiltration.

The Linux /etc/passwd file contains a list of system users; combined with the /etc/shadow file, which contains the hashed passwords, these two files can be attacked to reveal username/password combinations for lateral movement through the network.

We exfiltrated /etc/passwd and /etc/shadow to our local machine. There is no reason that we could not also exfiltrate databases, customer information, stored credit cards, or company-sensitive information out of the network to a remote location as we did with the password files.

Cracking the hashed passwords is beyond the scope of this walkthrough, but if you can crack the passwords, an attacker can use the same credentials to pivot to other machines across the network. John the Ripper and Hashcat are two well-known password cracking tools that can quickly reveal username/password combinations.

This module exploits the SITE CPFR/CPTO mod_copy commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. The copy commands are executed with the rights of the ProFTPD service, which by default runs under the privileges of the 'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website directory, PHP remote code execution is made possible.

The Exploit Database is maintained by OffSec, an information security training company that provides various Information Security Certifications as well as high end penetration testing services. The Exploit Database is a non-profit project that is provided as a public service by OffSec.

The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Our aim is to serve the most comprehensive collection of exploits gathered through direct submissions, mailing lists, as well as other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.

The Google Hacking Database (GHDB) is a categorized index of Internet search engine queries designed to uncover interesting, and usually sensitive, information made publicly available on the Internet. In most cases, this information was never meant to be made public but due to any number of factors this information was linked in a web document that was crawled by a search engine that subsequently followed that link and indexed the sensitive information.

After nearly a decade of hard work by the community, Johnny turned the GHDB over to OffSec in November 2010, and it is now maintained as an extension of the Exploit Database. Today, the GHDB includes searches for other online search engines such as Bing, and other online repositories like GitHub, producing different, yet equally valuable results.

I am shocked. I am running Ubuntu 14.04, with automatic security upgrades.
Also I ran updates and upgrades almost weekly, so the system should be updated. But the most up-to-date proftpd package in Ubuntu 14.04 is the insecure, dangerous version!!
I thought my system would be safe on an up-to-date Ubuntu 14.04 LTS. Well, I was wrong.

Tests for the presence of the ProFTPD 1.3.3c backdoor reported as BID 45150. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the ftp-proftpd-backdoor.cmd script argument.

On Sunday, the 28th of November 2010 around 20:00 UTC the main distribution server of the ProFTPD project was compromised. The attackers most likely used an unpatched security issue in the FTP daemon to gain access to the server and used their privileges to replace the source files for ProFTPD 1.3.3c with a version which contained a backdoor. The unauthorized modification of the source code was noticed by Daniel Austin and relayed to the ProFTPD project by Jeroen Geilman on Wednesday, December 1 and fixed shortly afterwards.

The fact that the server acted as the main FTP site for the ProFTPD project (ftp.proftpd.org) as well as the rsync distribution server (rsync.proftpd.org) for all ProFTPD mirror servers means that anyone who downloaded ProFTPD 1.3.3c from one of the official mirrors from 2010-11-28 to 2010-12-02 will most likely be affected by the problem.

Users are strongly advised to check systems running the affected code for security compromises and compile/run a known good version of the code. To verify the integrity of the source files, use the GPG signatures available on the FTP servers as well as on the ProFTPD homepage at:

All downloads of ProFTPD-1.3.3c on the official website between 2010-11-28 and 2010-12-02 are potentially compromised versions. You are advised to check that your version is not compromised using the tools provided below.

In this article we are going to learn how to configure ProFTPD service in a CentOS machine. After that we will conduct penetration testing to evaluate the security of FTP service and then we will also learn the countermeasures for vulnerabilities.

The commands used were (without the hash sign) (ProFTPD, 2011):

# cd /usr/local/src
# wget -c ' -1.3.3a.tar.bz2'

[2] For compilation of the source code, development libraries and compilers need to be installed on the CentOS machine. They were installed using the following command (ProFTPD, 2013):

# yum -y groupinstall 'Development tools'

[3] The ProFTPD server runs as a non-privileged user on the Linux system for security reasons. A group called ftpd was created and then a user called ftpd was also created that belonged to the ftpd group. The following commands were used:

[4] Once the user and group ftpd were added, the next step was to compile the source code of the ProFTPD server to produce the ProFTPD binary, which supports FTP (File Transfer Protocol). The following commands were used to achieve this (ProFTPD, 2011):

[6] The main configuration file of the ProFTPD server, called proftpd.conf, which is located in /etc, was edited using the vi editor. The final configuration file looked like the following. The configuration is heavily commented (comments start with the # sign) for explanation:

The same file has the configuration directive, starting with and ending with , and all the directives inside it were commented out (by putting a hash sign in front of the configuration) to disable anonymous FTP service on the ProFTPD server.

The final configuration file only allows local Linux accounts/users (users defined in /etc/passwd) and chroots (restricts) them to their home directory so that they cannot break out of that directory. [7] Since the ProFTPD daemon is configured to support local Linux accounts and to chroot each user to his/her home directory, a new user called prithak with password password was added to the Linux system for testing. The following commands were used:

# useradd prithak
# passwd prithak (enter password prithak twice)

Similarly, another user called Daniel was also added to the system. Finally, now we have the following users on the system:
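To check that a proftpd.conf actually enforces what the article describes (daemon running as the unprivileged ftpd account, local users chrooted to their home directory, anonymous FTP disabled), here is a small configuration auditor. It is an added example, not code from the article or the ProFTPD project; the two embedded configs are constructed samples, and the parser only handles the directive and <Section> syntax shown on the page.

```python
import re

# Constructed sample configs for the audit (not the article's real proftpd.conf).
WEAK_CONF = """
ServerName   "FTP"
ServerType   standalone
Port         21
User         root
Group        root
# DefaultRoot is missing, so users can leave their home directory
<Anonymous ~ftp>
  User   ftp
  Group  ftp
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
"""

HARDENED_CONF = """
ServerName   "FTP"
ServerType   standalone
Port         21
# run as the unprivileged ftpd user and group created for the daemon
User         ftpd
Group        ftpd
# chroot every local user to their home directory
DefaultRoot  ~
RequireValidShell on
# anonymous block commented out, so ProFTPD never parses it
#<Anonymous ~ftp>
#  User ftp
#</Anonymous>
"""

SECTION_OPEN = re.compile(r"^<(\w+)(?:\s+(.*?))?>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")


def parse_conf(text):
    """Return (top-level directives, opened section names). Comment lines are
    skipped, which is exactly why a commented-out <Anonymous> block is inert."""
    stack, top, sections = [], {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := SECTION_OPEN.match(line):
            stack.append(m.group(1))
            sections.append(m.group(1).lower())
        elif m := SECTION_CLOSE.match(line):
            if not stack or stack[-1] != m.group(1):
                raise ValueError(f"unbalanced section: {line}")
            stack.pop()
        elif not stack:  # directives inside a section do not apply globally
            name, _, value = line.partition(" ")
            top.setdefault(name.lower(), value.strip())
    return top, sections


def audit(text):
    """List the weaknesses the article's hardened config is meant to remove."""
    top, sections = parse_conf(text)
    findings = []
    if top.get("defaultroot", "").split()[:1] != ["~"]:
        findings.append("no 'DefaultRoot ~': local users are not chrooted to $HOME")
    for key in ("user", "group"):
        if top.get(key, "root") == "root":
            findings.append(f"'{key}' must name an unprivileged account, not root")
    if "anonymous" in sections:
        findings.append("active <Anonymous> section: anonymous FTP is enabled")
    return findings
```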

[8] The ProFTPD server (192.168.79.135) was started in debugging mode and was accessed from the Windows machine (192.168.79.1) using the built-in Windows ftp command. The user prithak (having password prithak) was able to successfully log into the ProFTPD server, and at the same time the ProFTPD server produced debugging logs on the standard output to confirm the details of the login. proftpd was started using the following command line options:

proftpd -n -d 4 -c /etc/proftpd.conf --ipv4

The options are as follows:
