FTP scan -STATS-

For those who are interested in my stats and findings after a nice big scan of FTP port 21.

I scanned in groups of 50.000 Dutch IPs with NMap.
I used -T5 to speed things up, so it may have missed some
FTP servers with a slow response.

scan command/the script I used

#!/bin/bash
# $1 : infile (without .txt) output is infile + _p21.gnmap/nmap/xml
sudo nmap -v -r -iL "$1".txt -Pn -T5 -sV --version-all -n -p 21 -oA ~/workingdir/output/p21/"$1"_p21 --script=ftp-anon,banner,ftp-proftpd-backdoor,ftp-vsftpd-backdoor --open -sS

Of course you can use your own script for this. But this one suited me best at the moment.
For this I scanned 105 IP lists of 5000, which gives me a total of 5.250.000 IPs.

Not once did I get a hit from the 2 nmap scripts which check for a backdoored FTP version.

so
num ip’s : 5.250.000 (list)
uniq IP’s w/o port 21 : 41.412 (list)

Top 5 ip groups (list)
6963     145.216
3442     145.217
1642       83.162
1194     212.204
996        86.109

backdoored : 0
Found Service Info : 142 *not much(-T5 is fastscan with not enough waiting time)

Top 5
85 Service Info: OS: Unix
27 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
4 Service Info: Device: firewall
3 Service Info: Device: broadband router
2 Service Info: OS: VxWorks; CPE: cpe:/o:windriver:vxworks

FTP anonymous access : 1765* successful logins with user:anonymous pass:anon@

Also, the scan did a banner grab (a short one because of the T5 option of NMap, and a lot of banners weren't grabbed because of the script waiting time)
Banner grabbed : 20457 (almost 50% of the open ports found)

Return codes top 3
20190 220
62 530
46 550

ProFTPD : 5308 (1/4 of all the banners)

Top 5 versions
621 ProFTPD 1.3.1 Server
368 ProFTPD 1.3.3c Server
355 ProFTPD 1.3.2e Server
240 ProFTPD 1.3.3e Server
141 ProFTPD 1.3.3a Server

vsFTPD : 1653

Top 5 versions
907 (vsFTPd 2.0.5)
205 (vsFTPd 2.0.7)
122 (vsFTPd 2.3.2)
119 (vsFTPd 2.2.2)
68 (vsFTPd 2.0.1)

FileZilla : 710

Top 5 versions
168 FileZilla Server version 0.9.37 beta
142 FileZilla Server version 0.9.39 beta
83 FileZilla Server version 0.9.40 beta
72 FileZilla Server version 0.9.34 beta
41 FileZilla Server version 0.9.33 beta

VxWorks : 99

Top 5 versions
69 VxWorks (VxWorks5.4.2) FTP server ready
17 Tornado-vxWorks (VxWorks5.4.2) FTP server ready
9 VxWorks (5.4.2) FTP server ready
2 VxWorks (VxWorks5.5.1) FTP server ready
1 VxWorks FTP server (VxWorks 5.4.2) ready.

NASFTP : 359
Turbo : 350
277 Turbo station 2.x 1.3.2e Server
73 Turbo station 2.x 1.3.1rc2 Server
3.x Server : 9
Serv-U : 139
Top 5 versions
  29   v6.4
  16   v6.0
  14   v11.1
  11   v6.2
    8   v6.3

FTP Server ready. : 2469

Some other statistics
NAS found : 615
Microsoft FTP Service : 1805
FritzBox : 86
‘welcome’ in banner : 3116
‘ready’ in banner : 8792
service not available : 33
Cisco : 23
P2612HW : 62 *ZyXEL Router
camera’s : 47 *39 AXIS
DreamBox : 197
Moxa FTP : 13
DSL Router : 30
DiskStation : 255
Check Point Firewall : 119
TCAdmin : 40
Winsock ready… : 93
Gene6 : 54
spftp : 38
ucftpd : 20
FTP-Uploadserver : 61
WAR-FTPD : 7
BulletProof FTP : 27
Titan FTP : 14
zFTPServer : 20
Cerberus : 22
Rumpus : 37
JD FTP : 33
Card AOS : 68
pd-admin : 6
Welcome to the CS network : 25 ? so many
Netwerkschijf : 7 *dutch for “disk drive”
Inactivity timer text : 72
Connection refused, unknown IP address : 59
IP in banner : 3859

Why do I make stats?
They can be handy with pentesting!
For example, knowing that the word ‘welcome’ isn’t often used (+/- 25%)
and that ‘ready’ doesn’t reach 50% shows that a scanner based on return strings
isn’t the best idea.
Or you can see that the most-used FTP servers don’t run the latest
version: 1.3.1 for ProFTPD and 2.0.5 for vsFTPd, and googling around brings up
a lot of exploits based on these versions.
Serv-U 6.4 is most used, and a lot of exploits are on the net
(Dir traversal, BoF’s, Auth. bypass).
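
The point about return strings, as an added example that is not part of the original post: it classifies FTP banners by the reply code and by product patterns instead of by the words ‘welcome’ or ‘ready’, and counts how many greetings a keyword match would have covered. The sample banners are constructed, and the function names and patterns are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample banners (not from the post's data set).
SAMPLE_BANNERS = [
    "220 ProFTPD 1.3.1 Server (Debian) [192.0.2.10]",
    "220 (vsFTPd 2.0.5)",
    "220-FileZilla Server version 0.9.37 beta\r\n220 Please log in",
    "220 Microsoft FTP Service",
    "220 FTP Server ready.",
    "220 Welcome to example FTP",
    "530 Connection refused, unknown IP address.",
]

# An FTP reply line: 3-digit code, then "-" (more lines follow) or " " (last line).
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")
# Hypothetical product patterns; extend for the servers in your own inventory.
PRODUCTS = [
    ("ProFTPD", re.compile(r"ProFTPD (\d[\w.]*)")),
    ("vsFTPd", re.compile(r"vsFTPd (\d[\w.]*)")),
    ("FileZilla", re.compile(r"FileZilla Server version (\d[\w.]*)")),
    ("Microsoft FTP", re.compile(r"Microsoft FTP Service()")),
]

def parse_banner(raw):
    """Return (reply_code, joined_text); code is None if no reply line parses."""
    code, parts = None, []
    for line in raw.splitlines():
        m = REPLY.match(line)
        if m and code is None:
            code = m.group(1)
        parts.append(m.group(3) if m else line.strip())
    return code, " ".join(p for p in parts if p)

def classify(raw):
    """Return (reply_code, product, version); version is None when not advertised."""
    code, text = parse_banner(raw)
    for name, rx in PRODUCTS:
        m = rx.search(text)
        if m:
            return code, name, m.group(1) or None
    return code, "unknown", None

def summarize(banners):
    rows = [classify(b) for b in banners]
    return {
        "codes": Counter(c for c, _, _ in rows),
        "products": Counter(p for _, p, _ in rows),
        "greeting_220": sum(1 for c, _, _ in rows if c == "220"),
        "keyword_hits": sum(1 for b in banners if re.search(r"welcome|ready", b, re.I)),
    }
```

On the constructed sample, six of the seven banners are 220 greetings, but only two of them contain ‘welcome’ or ‘ready’.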

oh.. the total scan time was just over 120 hours. 😀
I have the datafiles for sharing if you want them
(ip list, scan results, etc. contact me if you want them for your own research).

One thought on “FTP scan -STATS-”

  1. Nice one bro 120 hours is too much of time
    I would be really happy if you share some data not all of course i need it for pentesting.
    I am still learning pentesting so live examples may be great to exploit them.
