Showing posts with label metasploit. Show all posts

Wednesday, 10 December 2014

FTP Authentication Attack with Metasploit

 

Name       : FTP Authentication Scanner
Module     : auxiliary/scanner/ftp/ftp_login
Version    : 14976
License    : Metasploit Framework License (BSD)
Rank       : Normal

Provided by: todb <todb@metasploit.com>

Description:
 
This module will test FTP logins on a range of machines and report
successful logins. If you have loaded a database plugin and
connected to a database this module will record successful logins
and hosts so you can track your access.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0502

Example of a successful login (anonymous user with READ access)

msf > use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > set rhosts External-IP
rhosts => External-IP

msf auxiliary(ftp_login) > run
[*] External-IP:21 - Starting FTP login sweep
[*] Connecting to FTP server External-IP:21...
[*] Connected to target FTP server.
[*] External-IP:21 - FTP Banner: '220 Microsoft FTP Service\x0a\x0a'
[*] External-IP:21 FTP - Attempting FTP login for 'anonymous':'chrome@example.com'
[+] External-IP:21 - Successful FTP login for 'anonymous':'chrome@example.com'
[*] External-IP:21 - User 'anonymous' has READ access
[*] Successful authentication with read access on External-IP will not be reported
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Example of a successful login with READ/WRITE access

msf auxiliary(ftp_login) > run
[*] External-IP:21 - Starting FTP login sweep
[*] Connecting to FTP server External-IP:21...
[*] Connected to target FTP server.
[*] External-IP:21 - FTP Banner: '220 Microsoft FTP Service\x0a\x0a'
[*] External-IP:21 FTP - Attempting FTP login for 'anonymous':'chrome@example.com'
[+] External-IP:21 - Successful FTP login for 'anonymous':'chrome@example.com'
[*] External-IP:21 - User 'anonymous' has READ/WRITE access
[*] Successful authentication with write access on External-IP will not be reported
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Example of an unsuccessful login

msf auxiliary(ftp_login) > run
[*] External-IP:21 - Starting FTP login sweep
[*] Connecting to FTP server External-IP:21...
[*] Connected to target FTP server.
[*] External-IP:21 - FTP Banner: '220 Microsoft FTP Service\x0a\x0a'
[*] External-IP:21 FTP - Attempting FTP login for 'anonymous':'IEUser@'
[*] External-IP:21 FTP - Failed FTP login for 'anonymous':'IEUser@'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
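The three runs above differ only in two lines: whether the login succeeded, and whether the account was granted READ or READ/WRITE access. When the sweep covers a range of hosts, those lines are what goes into the findings report. The script below is an added example, not code from the original post or from the Metasploit project; it parses the ftp_login output format shown above (hyphen or en-dash accepted, since blog copies often convert the dash) into per-host findings and rates them, treating anonymous write access as the most serious case. The log lines are constructed from the post's output with placeholder addresses.

```python
"""Triage Metasploit ftp_login console output into rated findings (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the post's three runs, on three placeholder hosts.
SAMPLE_LOG = """\
[*] 10.0.0.5:21 - Starting FTP login sweep
[*] 10.0.0.5:21 - FTP Banner: '220 Microsoft FTP Service\\x0d\\x0a'
[*] 10.0.0.5:21 FTP - Attempting FTP login for 'anonymous':'chrome@example.com'
[+] 10.0.0.5:21 - Successful FTP login for 'anonymous':'chrome@example.com'
[*] 10.0.0.5:21 - User 'anonymous' has READ access
[*] 10.0.0.6:21 - Starting FTP login sweep
[+] 10.0.0.6:21 - Successful FTP login for 'anonymous':'chrome@example.com'
[*] 10.0.0.6:21 - User 'anonymous' has READ/WRITE access
[*] 10.0.0.7:21 - Starting FTP login sweep
[*] 10.0.0.7:21 FTP - Attempting FTP login for 'anonymous':'IEUser@'
[*] 10.0.0.7:21 FTP - Failed FTP login for 'anonymous':'IEUser@'
[*] Scanned 3 of 3 hosts (100% complete)
"""

HOST = r"(?P<host>[\w.-]+):(?P<port>\d+)"
CREDS = r"'(?P<user>[^']*)':'(?P<password>[^']*)'"
SUCCESS = re.compile(rf"^\[\+\] {HOST} [-\u2013] Successful FTP login for {CREDS}$")
ACCESS = re.compile(rf"^\[\*\] {HOST} [-\u2013] User '(?P<user>[^']*)' has (?P<access>READ/WRITE|READ) access$")
FAILED = re.compile(rf"^\[\*\] {HOST} FTP [-\u2013] Failed FTP login for {CREDS}$")


@dataclass
class Finding:
    host: str
    port: int
    user: str
    password: str
    access: Optional[str] = None  # "READ", "READ/WRITE", or None if the module did not say

    @property
    def severity(self) -> str:
        """Anonymous write access lets anyone plant files; anonymous read leaks them;
        any other accepted credential means a guessable password."""
        if self.user.lower() == "anonymous":
            return "high" if self.access == "READ/WRITE" else "medium"
        return "high"


def parse_ftp_login_log(text: str) -> Dict[str, object]:
    """Collect one Finding per (host, port, user) that logged in, plus the failure count."""
    findings: Dict[Tuple[str, int, str], Finding] = {}
    failed = 0
    for raw in text.splitlines():
        line = raw.strip()
        m = SUCCESS.match(line)
        if m:
            key = (m["host"], int(m["port"]), m["user"])
            findings[key] = Finding(m["host"], int(m["port"]), m["user"], m["password"])
            continue
        m = ACCESS.match(line)
        if m:
            key = (m["host"], int(m["port"]), m["user"])
            if key in findings:  # the access line always follows its login line
                findings[key].access = m["access"]
            continue
        if FAILED.match(line):
            failed += 1
    return {"findings": list(findings.values()), "failed_attempts": failed}


def summarize(result: Dict[str, object]) -> List[str]:
    """One report line per finding, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = sorted(result["findings"], key=lambda f: (order[f.severity], f.host))
    return [f"{f.severity.upper():6} {f.host}:{f.port} user={f.user!r} access={f.access or 'unknown'}"
            for f in rows]


if __name__ == "__main__":
    parsed = parse_ftp_login_log(SAMPLE_LOG)
    print("\n".join(summarize(parsed)))
    print(f"failed attempts: {parsed['failed_attempts']}")
```

Feed it a saved msfconsole spool file (`spool /path/to/file` before `run`) and the output is a list you can hand to the host owners; the fix on the Microsoft FTP Service side is to disable anonymous authentication or, where anonymous download is intended, to make sure the virtual directory has no write permission.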


If you don't want to use Metasploit but want to see the same results, you can use nmap with its ftp-anon script:

root@bt:~# nmap -sV -sC -p 21 remote-ip
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2010-06-02 02:04 BST
Nmap scan report for remote-ip
Host is up (0.00053s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_2010-06-02 02:04 61440 nc.exe
MAC Address: 00:02:03:04:05:06 (Micky Systems)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds

Monday, 8 December 2014

Most famous Metasploit auxiliary modules: top 10

At Rapid7, we often get asked what the top 10 Metasploit modules are. This is a hard question to answer: what does "top" mean anyway? Is it a personal opinion, or what is being used in the industry? Because many Metasploit users work in highly sensitive environments, and because we respect our users' privacy, the product doesn't send any usage reports back to us.

We may have found a way to answer the question anyway: we looked at our metasploit.com web server stats, specifically which exploit and module pages in the Metasploit Auxiliary and Exploit Database were viewed the most. Here they are, annotated with Tod Beardsley's excellent comments:

  1. MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020): This is the 2012 RDP Bug, where it was implied -- but never proven in public -- that a pre-auth bug in RDP can allow for remote code execution. This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution. So far, nobody’s gotten RCE yet (in public), but the Metasploit module provides the most clues.
  2. Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067): A four year old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. It’s also got a great pile of language pack targets. All of Metasploit’s exploits provide US English targeted shellcode, a few might provide Chinese, Spanish, French, or other popular languages; this one has targets in pretty much every language you’ve ever heard of. This exploit is also not ancient, so it’s reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it.
  3. Microsoft Server Service NetpwPathCanonicalize Overflow (CVE-2006-3439, MSB-MS06-040): A six year old vulnerability that’s notable in that there’s no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice.
  4. Microsoft RPC DCOM Interface Overflow (CVE-2003-0352, MSB-MS03-026): A nine year old vulnerability that used to be the de-facto standard exploit for Windows machines -- this is the RPC DCom bug, and it affects ancient NT machines. It was most notable in that it was used by the Blaster and Nachi worms to transit networks. It’s now pretty much a case study in stack buffer overflows in Windows, so it’s got a lot of historical value. If memory serves, this was the most reliable exploit in Metasploit v2.
  5. Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop (CVE-2010-0017, MSB-MS10-006): Not sure why this module is popular -- it’s a client side DoS. Historically, it’s a neat DoS, since it demos a bug in Windows 7’s kernel, but all the module does is crash Windows 7 clients after you get a user to connect to you.
  6. Adobe PDF Embedded EXE Social Engineering (CVE-2010-1240): This module exploits CVE-2010-1240 in Adobe Reader. The idea is that you can embed and execute a Meterpreter PE Executable in a PDF, and when the user opens the PDF, surprise shells! Since it’s on this list, it’s probably the most popular social engineering-style module.
  7. Apache mod_isapi <= 2.2.14 Dangling Pointer (CVE-2010-0425): Although this is an exploit in Apache, don’t be fooled! It’s only exploitable on Windows (so that knocks out the biggest chunk of Apache installs at the time of this module’s release), and it’s only a DoS. Again, kind of a mystery as to why it’s so popular.
  8. Java AtomicReferenceArray Type Violation Vulnerability (CVE-2012-0507): This was initially discovered in the wild as a Java 0-day, and this module represented the fevered work of sinn3r and Juan Vazquez, who turned out the first reliable public cross-platform exploit for the bug. The blog post "CVE-2012-0507 - Java Strikes Again" shows a screenshot of Meterpreter sessions on Windows, Ubuntu, and OSX systems. In fact, this may be the first publicly demonstrable Java exploit that Just Works against all three platforms for the vulnerable versions of Java -- no extra configuration or fingerprinting is needed.
  9. Microsoft Windows Authenticated User Code Execution (CVE-1999-0504): The PSExec module is a utility module -- given an SMB username and password with sufficient privileges on the target machine, the user can get a shell. It’s not sexy, but it’s super handy for testing payloads and setup. Even though it’s a lowly #9, I’d bet it’s the most-used module in classroom and test environments.
  10. Microsoft Plug and Play Service Overflow (CVE-2005-1983, MSB-MS05-039): This exploits the Plug and Play service on Windows 2000. This is the exploit that MS06-040 replaced, though until MS06-040, this was the most reliable exploit around for Windows 2000. The Zotob worm used it. Note that while the exploit isn’t 100% reliable, failed attempts had a tendency to trigger a reboot of the target, so the next attempt would be 100% successful. In other words, for some people, the reboot-on-failure is really more of a feature than a bug.

Let us know if you find this ranking interesting so we can continue sharing it in the future. We're excited to see how this list will look next month, and what the major changes will be!

Friday, 21 November 2014

Top 31 Metasploit Auxiliary Scanner Tutorials - Kali Linux

 

CASE 1:

This module queries the FrontPage Server Extensions and determines whether anonymous access is allowed.
use auxiliary/scanner/http/frontpage_login
set rhosts IP_Address
set rport 80
run

[*] http://IP_Address/ may not support FrontPage Server Extensions
[*] Scanned 1 of 1 hosts (100% complete)


CASE 2:


This module identifies the existence of possible copies of a specific file in a given path
use auxiliary/scanner/http/backup_file
set rhosts IP_Address
run


CASE 3:


use auxiliary/scanner/http/http_version
set rhosts IP_Address
run

[*] IP_Address:80 Microsoft-IIS/8.0 ( Powered by ASP.NET )
[*] Scanned 1 of 1 hosts (100% complete)

CASE 4:

Discover active pcAnywhere services through TCP
use auxiliary/scanner/pcanywhere/pcanywhere_udp
set rhosts IP_Address
run


CASE 5:


This module is based on et's HTTP Directory Scanner module,
with one exception. Where authentication is required, it
attempts to bypass authentication using the WebDAV IIS6
Unicode vulnerability discovered by Kingcope.

use auxiliary/scanner/http/dir_webdav_unicode_bypass
set rhosts IP_Address
run

[*] Using code '404' as not found.
[*] Found protected folder http://IP_Address:80/Rpc/ 401 (IP_Address)
[*]     Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.

CASE 6:

This module identifies the existence of files in a given
directory path named as the same name of the directory.

use auxiliary/scanner/http/file_same_name_dir
set rhosts IP_Address
run

[-] Blank or default PATH set.

CASE 7:

This module attempts to authenticate to an HTTP service.
use auxiliary/scanner/http/http_login
set rhosts IP_Address
run

[-] http://IP_Address:80 No URI found that asks for HTTP authentication

CASE 8:

Collect any leaked internal IPs by requesting commonly redirected locs from IIS.
use auxiliary/scanner/http/iis_internal_ip
set rhosts IP_Address
run

CASE 9:

Simplified version of MS09-020 IIS6 WebDAV Unicode Auth
Bypass scanner. It attempts to bypass authentication using
the WebDAV IIS6 Unicode vulnerability discovered by Kingcope.

use auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
set rhosts IP_Address
run


CASE 10:


Checks if an HTTP proxy is open. False positives are avoided
by verifying the HTTP return code and matching a pattern.

use auxiliary/scanner/http/open_proxy
set rhosts IP_Address
run


CASE 11:

Display available HTTP options for each system
use auxiliary/scanner/http/options
set rhosts IP_Address
run

[*] IP_Address allows OPTIONS, TRACE, GET, HEAD, POST methods
[*] IP_Address:80 – TRACE method allowed.
[*] Scanned 1 of 1 hosts (100% complete)

CASE 12:

This module identifies files in the first parent directory
with same name as the given directory path.
Example: Test /backup/files/ will look for the following files /backup/files.ext .

use auxiliary/scanner/http/prev_dir_same_name_file
set rhosts IP_Address
run

[-] Blank or default PATH set.
[*] Scanned 1 of 1 hosts (100% complete)

CASE 13:

This module identifies the existence of additional files by
modifying the extension of an existing file.

use auxiliary/scanner/http/replace_ext
set rhosts IP_Address
run

[*] Using code '404' as not found for .bak files.
[*] Using code '404' as not found for .txt files.
[*] Using code '404' as not found for .tmp files.
[*] Using code '404' as not found for .old files.
[*] Using code '404' as not found for .htm files.
[*] Using code '404' as not found for .ini files.
[*] Using code '404' as not found for .cfg files.
[*] Using code '404' as not found for .html files.
[*] Using code '404' as not found for .php files.
[*] Using code '404' as not found for .temp files.
[*] Using code '404' as not found for .tmp files.
[*] Using code '404' as not found for .java files.
[*] Using code '404' as not found for .doc files.
[*] Using code '404' as not found for .log files.
[*] Using code '404' as not found for .xml files.
[*] Scanned 1 of 1 hosts (100% complete)

CASE 14:

Scrape defined data from a specific web page based on a
regular expression.

use auxiliary/scanner/http/scraper
set rhosts IP_Address
run

[*] [IP Address] / [Microsoft Internet Information Services 8]
[*] Scanned 1 of 1 hosts (100% complete)

CASE 15:

This module launches a sqlmap session. sqlmap is an automatic SQL
injection tool developed in Python. Its goal is to detect and
take advantage of SQL injection vulnerabilities in web applications.
Once it detects one or more SQL injections on the target host,
the user can choose among a variety of options to perform an
extensive back-end database management system fingerprint,
retrieve the DBMS session user and database, enumerate users,
password hashes, privileges and databases, dump entire or
user-specified DBMS tables/columns, run their own SQL SELECT
statement, read specific files on the file system and much more.

use auxiliary/scanner/http/sqlmap
set rhosts IP_Address
run

CASE 16:

This module tests for authentication bypass using different HTTP verbs.
use auxiliary/scanner/http/verb_auth_bypass
set rhosts IP_Address
run

[*] [IP_Address] Authentication not required. / 200
[*] Scanned 1 of 1 hosts (100% complete)


CASE 17:


Identify valid users through the finger service using a
variety of tricks.

use auxiliary/scanner/finger/finger_users
set rhosts IP_Address
run

[*] IP_Address:79 No users found.
[*] Scanned 1 of 1 hosts (100% complete)

CASE 18:

Detect anonymous (read/write) FTP server access.
use auxiliary/scanner/ftp/anonymous
set rhosts IP_Address
run

[*] IP_Address:21 Anonymous READ (220 Microsoft FTP Service)
[*] Scanned 1 of 1 hosts (100% complete)

CASE 19:

This module will test FTP logins on a range of machines and
report successful logins. If you have loaded a database plugin
and connected to a database this module will record successful
logins and hosts so you can track your access.

use auxiliary/scanner/ftp/ftp_login
set rhosts IP_Address
run

[*] IP_Address:21 - Starting FTP login sweep
[*] Connecting to FTP server IP_Address:21...
[*] Connected to target FTP server.
[*] IP_Address:21 - FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
[*] IP_Address:21 FTP - Attempting FTP login for 'anonymous':'IEUser@'
[+] IP_Address:21 - Successful FTP login for 'anonymous':'IEUser@'
[*] IP_Address:21 - User 'anonymous' has READ access
[*] Successful authentication with read access on IP_Address will not be reported
[*] Scanned 1 of 1 hosts (100% complete)

CASE 20:

use auxiliary/scanner/http/webdav_scanner
set rhosts IP_Address
run

[*] IP_Address (Microsoft-IIS/8.0) WebDAV disabled.
[*] Scanned 1 of 1 hosts (100% complete)

CASE 21:


use auxiliary/scanner/http/webdav_internal_ip
set rhosts IP_Address
run

CASE 22:

use auxiliary/scanner/http/webdav_website_content
set rhosts IP_Address
run

CASE 23:


For more on WebDAV, myexploit recommends
http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html

CASE 24:

use auxiliary/scanner/http/dir_scanner
set rhosts IP_Address
run

[*] Detecting error code
[*] Using code '404' as not found for IP_Address
[*] Found http://IP_Address:80/Rpc/ 404 (IP_Address)
[*] Found http://IP_Address:80/aspnet_client/ 404 (IP_Address)
[*] Found http://IP_Address:80/rpc/ 404 (IP_Address)
[*] Scanned 1 of 1 hosts (100% complete)

CASE 25:

use auxiliary/scanner/http/ssl
set rhosts IP_Address
run

[*] IP_Address:443 Subject: /CN=WIN8SERVER
[*] IP_Address:443 Issuer: /CN=WIN8SERVER
[*] IP_Address:443 Signature Alg: sha1WithRSAEncryption
[+] Certificate contains no CA Issuers extension… possible self signed certificate
[+] Certificate Subject and Issuer match… possible self signed certificate
[*] IP_Address:443 has common name WIN8SERVER
[*] Scanned 1 of 1 hosts (100% complete)
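The two "possible self signed certificate" lines come from two independent heuristics: the certificate carries no CA Issuers URI, and its Subject equals its Issuer. Neither proves anything on its own, but together they are a strong hint, and on a production host they should be followed by the checks the scanner does not do: does the name match the host, and is the certificate inside its validity window? The script below is an added example, not code from the original post or from Metasploit. It applies all four checks to the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, so the same function can be pointed at a live server; the two certificates here are constructed inline, one mirroring the WIN8SERVER output above and one a normal CA-issued certificate.

```python
"""Self-signed and sanity checks on a getpeercert()-style certificate dict (added example)."""
import ssl
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed: what getpeercert() would return for the self-signed host in the post.
# ssl adds the "caIssuers" key only when the Authority Information Access extension
# carries a CA Issuers URI, so its absence here is the first heuristic firing.
SELF_SIGNED = {
    "subject": ((("commonName", "WIN8SERVER"),),),
    "issuer": ((("commonName", "WIN8SERVER"),),),
    "notBefore": "Nov 20 00:00:00 2014 GMT",
    "notAfter": "Nov 20 00:00:00 2015 GMT",
}

# Constructed: a certificate issued by a CA, with a CA Issuers URI and SAN entries.
CA_ISSUED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example CA"),),
        (("commonName", "Example Issuing CA"),),
    ),
    "caIssuers": ("http://ca.example.com/issuing.crt",),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan 01 00:00:00 2014 GMT",
    "notAfter": "Jan 01 00:00:00 2016 GMT",
}


def name_to_dict(rdns) -> Dict[str, str]:
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def dns_names(cert) -> List[str]:
    """Names the certificate is valid for: SAN DNS entries if present, else the CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    cn = name_to_dict(cert["subject"]).get("commonName")
    return [cn] if cn else []


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; a leading '*.' matches exactly one DNS label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def assess_cert(cert, expected_host: str, now: Optional[datetime] = None) -> List[str]:
    """Return the problems found; an empty list means no check fired."""
    now = now or datetime.now(timezone.utc)
    issues: List[str] = []
    subject, issuer = name_to_dict(cert["subject"]), name_to_dict(cert["issuer"])
    # The two heuristics the Metasploit ssl scanner reports as "possible self signed".
    if "caIssuers" not in cert:
        issues.append("no CA Issuers extension: possible self-signed certificate")
    if subject == issuer:
        issues.append("subject and issuer match: possible self-signed certificate")
    # The checks a defender adds: name binding and validity window.
    if not any(name_matches(name, expected_host) for name in dns_names(cert)):
        issues.append(f"certificate is not valid for host '{expected_host}'")
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        issues.append("certificate is not yet valid")
    elif now > not_after:
        issues.append("certificate has expired")
    return issues


def demo_results() -> Dict[str, List[str]]:
    """Evaluate both constructed certificates as of fixed dates so the result is reproducible."""
    as_of = datetime(2015, 1, 1, tzinfo=timezone.utc)
    later = datetime(2016, 1, 1, tzinfo=timezone.utc)
    return {
        "self_signed": assess_cert(SELF_SIGNED, "win8server", as_of),
        "ca_issued": assess_cert(CA_ISSUED, "www.example.com", as_of),
        "ca_issued_wrong_host": assess_cert(CA_ISSUED, "mail.example.com", as_of),
        "self_signed_expired": assess_cert(SELF_SIGNED, "win8server", later),
    }


if __name__ == "__main__":
    for label, issues in demo_results().items():
        print(f"{label}: {issues or 'no issues'}")
```

Against a live host, `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()` yields the same dictionary shape, but only after the default context has already accepted the chain; to inspect a self-signed certificate you must use a context with `check_hostname = False` and `verify_mode = ssl.CERT_NONE`, and then this function is the only validation that runs, which is exactly why it checks the host name and dates itself.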

CASE 26:


The "mssql_ping" module queries a host or range of hosts on
UDP port 1434 to determine the listening TCP port of any
MSSQL server, if available. MSSQL randomizes the TCP port
that it listens on so this is a very valuable module in
the Framework.

use auxiliary/scanner/mssql/mssql_ping
set rhosts IP_Address
run

CASE 27:

The SMTP Enumeration module will connect to a given mail server and use a wordlist to enumerate users that are present on the remote system.
use auxiliary/scanner/smtp/smtp_enum
set rhosts IP_Address
run

CASE 28:

use auxiliary/scanner/smtp/smtp_version
set rhosts IP_Address
run

CASE 29:


The "snmp_enum" module performs detailed enumeration of a
host or range of hosts via SNMP similar to the
standalone tools snmpenum and snmpcheck.

use auxiliary/scanner/snmp/snmp_enum
set rhosts IP_Address
run

CASE 30:


The endpoint_mapper module queries the EndPoint Mapper
service of a remote system to determine what services are
available. In the information gathering stage, this can
provide some very valuable information.

use auxiliary/scanner/dcerpc/endpoint_mapper
set rhosts IP-Address
set THREADS 55
run

[*] Connecting to the endpoint mapper service…
[*] b85afe70-a6d5-4259-822e-2c84da1ddb0d v1.0 TCP (49152) IP-Address
[*] a500d4c6-0dd1-4543-bc0c-d5f93486eaf8 v1.0 LRPC (LRPC-c9b26c881cadc33e19)
[*] 87f226c3-ec14-4325-8a99-6a46348418af v1.0 LRPC (WMsgKRpc01E39F1E2)
[*] 12e65dd8-887f-41ef-91bf-8d816c42c2e7 v1.0 LRPC (WMsgKRpc01E39F1E2) [Secure Desktop LRPC interface]
[*] 541b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC-f46a818864cada72bb)
[*] 541b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC-f46a818864cada72bb)
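Raw endpoint_mapper output mixes interfaces that are reachable from the network (the TCP entry on port 49152) with LRPC registrations that only processes on the same machine can reach, and it repeats entries, as the last two lines above show. The script below is an added example, not code from the original post or from Metasploit; it parses the line format shown above into records, drops duplicates, and separates the network-exposed interfaces, which is the subset worth comparing against the host's expected role and firewall rules. The sample lines are constructed from the post's output with a placeholder address.

```python
"""Turn endpoint_mapper output into a deduplicated RPC interface inventory (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the post's output, with a placeholder host address.
SAMPLE_OUTPUT = """\
[*] Connecting to the endpoint mapper service...
[*] b85afe70-a6d5-4259-822e-2c84da1ddb0d v1.0 TCP (49152) 10.0.0.5
[*] a500d4c6-0dd1-4543-bc0c-d5f93486eaf8 v1.0 LRPC (LRPC-c9b26c881cadc33e19)
[*] 87f226c3-ec14-4325-8a99-6a46348418af v1.0 LRPC (WMsgKRpc01E39F1E2)
[*] 12e65dd8-887f-41ef-91bf-8d816c42c2e7 v1.0 LRPC (WMsgKRpc01E39F1E2) [Secure Desktop LRPC interface]
[*] 541b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC-f46a818864cada72bb)
[*] 541b0ce0-c70b-1067-b317-00dd010662da v1.0 LRPC (LRPC-f46a818864cada72bb)
"""

# "[*] <uuid> v<version> <protocol> (<endpoint>) [<host>] [[<annotation>]]"
LINE = re.compile(
    r"^\[\*\] (?P<uuid>[0-9a-fA-F-]{36}) v(?P<version>[\d.]+) (?P<protocol>\w+) "
    r"\((?P<endpoint>[^)]*)\)(?: (?P<host>[\w.:-]+))?(?: \[(?P<annotation>[^\]]*)\])?$"
)


@dataclass(frozen=True)
class Endpoint:
    uuid: str
    version: str
    protocol: str            # TCP, UDP, LRPC, ...
    endpoint: str            # port number for TCP/UDP, pipe or LRPC name otherwise
    host: Optional[str]      # only printed by the module for network endpoints
    annotation: Optional[str]

    @property
    def network_reachable(self) -> bool:
        """LRPC endpoints are reachable only by processes on the same machine."""
        return self.protocol.upper() != "LRPC"


def parse_endpoint_mapper(text: str) -> List[Endpoint]:
    """Parse module output in order; an identical registration is reported once."""
    seen = set()
    endpoints: List[Endpoint] = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # status lines such as "Connecting to the endpoint mapper service..."
        ep = Endpoint(m["uuid"].lower(), m["version"], m["protocol"],
                      m["endpoint"], m["host"], m["annotation"])
        if ep not in seen:
            seen.add(ep)
            endpoints.append(ep)
    return endpoints


def by_interface(endpoints: List[Endpoint]) -> Dict[str, List[Endpoint]]:
    """Group registrations by interface UUID (one interface may have several endpoints)."""
    groups: Dict[str, List[Endpoint]] = defaultdict(list)
    for ep in endpoints:
        groups[ep.uuid].append(ep)
    return dict(groups)


def network_exposed(endpoints: List[Endpoint]) -> List[Endpoint]:
    """The subset a remote client can reach, i.e. what a firewall review should cover."""
    return [ep for ep in endpoints if ep.network_reachable]


if __name__ == "__main__":
    inventory = parse_endpoint_mapper(SAMPLE_OUTPUT)
    print(f"{len(inventory)} unique registrations across {len(by_interface(inventory))} interfaces")
    for ep in network_exposed(inventory):
        print(f"network: {ep.uuid} v{ep.version} {ep.protocol}/{ep.endpoint} on {ep.host}")
```

Dynamic RPC endpoints such as the port 49152 entry move between reboots, so the useful identity to track over time is the interface UUID and version, not the port; on Windows the endpoint mapper itself listens on TCP 135, and blocking that port at the perimeter removes the enumeration, although not the underlying services.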

CASE 31:

The dcerpc/hidden scanner connects to a given range of IP
addresses and tries to locate any RPC services that are not
listed in the Endpoint Mapper, and determines whether
anonymous access to the service is allowed.

use auxiliary/scanner/dcerpc/hidden
set rhosts IP_Address
run
