1
00:00:07,130 --> 00:00:09,910
- [Man] Now let's go over how to exploit

2
00:00:09,910 --> 00:00:14,910
FTP real vulnerabilities and FTP insecure implementations.

3
00:00:15,530 --> 00:00:18,850
The legacy FTP protocol doesn't even encrypt

4
00:00:18,850 --> 00:00:21,410
or perform any type of integrity validation.

5
00:00:21,410 --> 00:00:24,200
So it is recommended that you actually use

6
00:00:24,200 --> 00:00:25,850
a more secure alternative like the

7
00:00:25,850 --> 00:00:27,500
File Transfer Protocol Secure,

8
00:00:27,500 --> 00:00:31,520
or FTPS, or the Secure File Transfer Protocol,

9
00:00:31,520 --> 00:00:34,090
otherwise known as SFTP.

10
00:00:34,090 --> 00:00:36,400
Now the SFTP and FTPS protocols,

11
00:00:36,400 --> 00:00:39,130
they do use encryption to protect data,

12
00:00:39,130 --> 00:00:42,070
however some implementations use

13
00:00:42,070 --> 00:00:44,040
very weak encryption ciphers

14
00:00:44,040 --> 00:00:49,040
or encryption algorithms like Blowfish and the DES protocol.

15
00:00:50,180 --> 00:00:52,850
You should definitely use stronger algorithms

16
00:00:52,850 --> 00:00:55,053
like AES, for example.

17
00:00:56,220 --> 00:01:01,080
Now also, SFTP and FTP servers use hashing algorithms

18
00:01:01,080 --> 00:01:05,970
to verify the integrity of the file transmission.

19
00:01:05,970 --> 00:01:07,090
Another thing that I want to highlight

20
00:01:07,090 --> 00:01:10,570
is that actually secure FTP uses SSH

21
00:01:10,570 --> 00:01:15,570
and FTPS is basically using FTP over TLS.

22
00:01:17,270 --> 00:01:19,470
Now in the past, a lot of people actually configured the

23
00:01:19,470 --> 00:01:24,470
SMTP servers to enable anonymous user authentication.
24
00:01:24,720 --> 00:01:26,220
And in this case actually, an attacker

25
00:01:26,220 --> 00:01:28,700
definitely can use that to store

26
00:01:28,700 --> 00:01:30,770
unwanted files in your server,

27
00:01:30,770 --> 00:01:34,100
or potentially also steal information

28
00:01:34,100 --> 00:01:37,390
that people may actually put in those directories.

29
00:01:37,390 --> 00:01:39,920
For example, let's say you're an attacker

30
00:01:39,920 --> 00:01:41,450
who compromises a system

31
00:01:41,450 --> 00:01:43,960
and then extracts sensitive information,

32
00:01:43,960 --> 00:01:46,480
then you can actually store that information

33
00:01:46,480 --> 00:01:50,610
in an FTP server that is configured for

34
00:01:50,610 --> 00:01:52,520
anonymous user authentication,

35
00:01:52,520 --> 00:01:55,450
and then you can use that as a stepping stone

36
00:01:55,450 --> 00:01:59,330
to then even export that data somewhere else,

37
00:01:59,330 --> 00:02:02,130
or maybe actually you're hosting malware, right?

38
00:02:02,130 --> 00:02:05,503
And then malware can be propagated that way as well.

39
00:02:06,630 --> 00:02:09,880
Now here I'm actually using Nmap to determine the type

40
00:02:09,880 --> 00:02:12,900
or version of an SFTP server,

41
00:02:12,900 --> 00:02:16,890
and of course you can actually see it on the screen.

42
00:02:16,890 --> 00:02:19,090
You can also use Metasploit

43
00:02:19,090 --> 00:02:22,040
and use the auxiliary/scanner/ftp/anonymous module

44
00:02:22,040 --> 00:02:26,500
to actually just basically try to see if the server

45
00:02:26,500 --> 00:02:30,663
is configured for anonymous login.
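Added example, not part of the video or the narrator's material: the two checks the narrator runs with Nmap (version from the banner) and Metasploit's auxiliary/scanner/ftp/anonymous (does the server accept an anonymous login?) done with the Python standard library. A minimal fake FTP server is embedded so the check runs offline; its "vsFTPd" banner and reply strings are constructed for the example and were not captured from any real system. `check_ftp_anonymous()` can be pointed at a real host and port you are authorised to test.

```python
"""Banner grab plus anonymous-login check for an FTP server (added example).

Anonymous FTP conventionally uses the user 'anonymous' with an e-mail
address as the password. A 5xx reply to USER or PASS means the login was
refused, which ftplib surfaces as error_perm.
"""
import re
import socket
import threading
from ftplib import FTP, error_perm

# Constructed sample banner (hypothetical; not captured from a real server).
FAKE_BANNER = "220 (vsFTPd 3.0.3)"


def check_ftp_anonymous(host, port, timeout=5.0):
    """Return (banner, anonymous_allowed) for the FTP service at host:port."""
    ftp = FTP()
    banner = ftp.connect(host, port, timeout=timeout)  # the 220 greeting
    try:
        ftp.login("anonymous", "anonymous@example.com")
        allowed = True
    except error_perm:          # 530 Login incorrect (or similar)
        allowed = False
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()
    return banner, allowed


def version_from_banner(banner):
    """Rough software/version guess from the 220 greeting, in the spirit of
    nmap -sV: strip the reply code and the parentheses vsftpd wraps around
    its version string."""
    text = re.sub(r"^220[ -]", "", banner).strip()
    m = re.match(r"^\((.*)\)$", text)
    return m.group(1) if m else text


def _serve_one(conn, allow_anonymous):
    """Fake server: handles only USER, PASS and QUIT, mimicking vsftpd replies."""
    def reply(line):
        conn.sendall((line + "\r\n").encode())

    user = None
    reply(FAKE_BANNER)
    with conn, conn.makefile("rb") as lines:
        for raw in lines:
            parts = raw.decode(errors="replace").strip().split(" ", 1)
            verb = parts[0].upper()
            arg = parts[1] if len(parts) > 1 else ""
            if verb == "USER":
                user = arg.lower()
                reply("331 Please specify the password.")
            elif verb == "PASS":
                if allow_anonymous and user in ("anonymous", "ftp"):
                    reply("230 Login successful.")
                else:
                    reply("530 Login incorrect.")
            elif verb == "QUIT":
                reply("221 Goodbye.")
                break
            else:
                reply("530 Please login with USER and PASS.")


def start_fake_ftp_server(allow_anonymous):
    """Listen on 127.0.0.1 on a free port; returns (listening_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:     # listening socket was closed
                return
            threading.Thread(target=_serve_one, args=(conn, allow_anonymous),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def scan_fake_server(allow_anonymous):
    """Start a fake server with the given policy, scan it, tear it down.
    Returns (version_guess, anonymous_allowed)."""
    srv, port = start_fake_ftp_server(allow_anonymous)
    try:
        banner, allowed = check_ftp_anonymous("127.0.0.1", port)
    finally:
        srv.close()
    return version_from_banner(banner), allowed


if __name__ == "__main__":
    for policy in (True, False):
        version, allowed = scan_fake_server(policy)
        print(f"{version}: anonymous login {'ALLOWED' if allowed else 'refused'}")
```

The banner-based version guess is only as trustworthy as the banner: administrators can change it, so treat it as a hint, as Nmap does, and confirm with the login behaviour rather than the greeting alone.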