NetSec

Ramblings of a NetSec addict

Fuzz FTP Commands

Peleus

This Peach pit assumes the FTP conversation follows this sequence:

‘Receive Banner’ > ‘Send Anonymous Login’ > ‘Receive OK, Request Password’ > ‘Send Password’ > ‘Receive OK’ > ‘Send Command’ > ‘Receive Response’

To run the pit on its own, use the command below, substituting the FTP verb you want to fuzz for the ###Command to Fuzz### placeholder (the -DCOMMAND define fills in ##COMMAND## inside the pit). I've also written a Python wrapper (further down) that calls Peach once per command from a list, which automates the process further.

peach -DCOMMAND=###Command to Fuzz### ftp_command_fuzz.xml

<Peach>
 
    <!-- DATA SECTION -->
 
    <DataModel name="LoginAnon">
        <String value="USER " mutable="false" token="true"/>
        <String value="anonymous" mutable="false" token="true"/>
        <String value="\r\n" mutable="false" token="true"/>
    </DataModel>
 
    <DataModel name="PasswordAnon">
        <String value="PASS " mutable="false" token="true"/>    
        <String value="anonymous" mutable="false" token="true"/>
        <String value="\r\n" mutable="false" token="true"/>
    </DataModel>
 
    <DataModel name="Command">
        <String value="##COMMAND## " mutable="false" token="true"/>
        <!--Command To Fuzz -->
        <String value=""/>
        <String value="\r\n" mutable="false" token="true"/>
    </DataModel>
 
    <DataModel name="Response">
        <String value=""/>
    </DataModel>
 
    <!-- STATE SECTION -->
 
    <StateModel name="CommandFuzzing" initialState="PreAuth">
        <State name="PreAuth">
            <Action type="input">
                <DataModel ref="Response"/>
            </Action>
            <Action type="output">
                <DataModel ref="LoginAnon"/>
            </Action>
            <Action type="input">
                <DataModel ref="Response"/>
            </Action>
            <Action type="output">
                <DataModel ref="PasswordAnon"/>
            </Action>
            <Action type="input">
                <DataModel ref="Response"/>
            </Action>
            <Action type="changeState" ref="AuthorizedAnon"/>
        </State>
 
        <State name="AuthorizedAnon">
            <Action type="output">
                <DataModel ref="Command"/>
            </Action>
            <Action type="input">
                <DataModel ref="Response"/>
            </Action>
        </State>
    </StateModel> 
 
    <!-- AGENT SECTION -->
 
    <Agent name="LocalAgent">
        <Monitor name="Debugger" class="WindowsDebugger">
            <!-- Binary to fuzz path -->
            <!-- ### TO EDIT ### -->
            <Param name="CommandLine" value=" < Enter Path to Fuzzed Server > "/>
        </Monitor>
    </Agent>
 
    <!-- TEST SECTION -->
 
    <Test name="Default">
        <Agent ref="LocalAgent"/>
        <StateModel ref="CommandFuzzing"/>
        <Publisher class="TcpClient">
            <Param name="Host" value="127.0.0.1"/>
            <Param name="Port" value="21"/>
        </Publisher>
 
        <Logger class="File">
            <Param name="Path" value="Logs" />
        </Logger>
 
        <Strategy class="Sequential"/>
    </Test>
</Peach>
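To make the assumed exchange concrete, here is an added Python example, not part of the original pit or wrapper, that replays the same PreAuth / AuthorizedAnon sequence over a plain socket and parses the three-digit reply codes, which the pit's Response model (a bare String) never checks. The in-process FTP stub, its canned replies, the multi-line banner and the 'A' * 600 payload are all constructed for the example; the 220/331/230 codes it expects are the standard RFC 959 replies for banner, USER and PASS.

```python
import re
import socket
import threading

# --- Constructed FTP server stub (sample target, not a real FTP daemon) ---
# Canned replies so the stub answers exactly the exchange the pit assumes.
STUB_BANNER = b"220-stub FTP\r\n220 ready\r\n"   # multi-line banner on purpose
STUB_REPLIES = {
    b"USER": b"331 Please specify the password.\r\n",
    b"PASS": b"230 Login successful.\r\n",
    b"PWD":  b'257 "/"\r\n',
    b"NOOP": b"200 NOOP ok.\r\n",
}


def _serve_one(conn):
    """Answer one client until it sends QUIT or disconnects."""
    conn.settimeout(5)
    conn.sendall(STUB_BANNER)
    buf = b""
    try:
        while True:
            data = conn.recv(4096)
            if not data:
                return
            buf += data
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                verb = line.split(b" ", 1)[0].upper()
                if verb == b"QUIT":
                    conn.sendall(b"221 Goodbye.\r\n")
                    return
                conn.sendall(STUB_REPLIES.get(verb, b"500 Unknown command.\r\n"))
    except OSError:            # client reset or timed out: just drop it
        return


def _stub_server(listener, stop):
    """Accept clients one at a time until stop is set."""
    listener.settimeout(0.1)
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        with conn:
            _serve_one(conn)


# --- Client side: the pit's state model as plain socket code ---
REPLY_END = re.compile(rb"^\d{3} ")   # final line of a reply: code, space, text


def read_reply(sock):
    """Read one complete FTP reply (single or multi-line) and return its code.
    Returns None if the server closed the connection mid-reply, which for a
    fuzzer is the interesting case."""
    buf = b""
    while True:
        data = sock.recv(4096)
        if not data:
            return None
        buf += data
        for line in buf.split(b"\r\n")[:-1]:   # last element is incomplete
            if REPLY_END.match(line):
                return int(line[:3])


def fuzz_command(host, port, command, payload, timeout=2.0):
    """Replay the pit's PreAuth state, then send one fuzzed command:
    banner > USER anonymous > PASS anonymous > <command> <payload>.
    Returns the reply codes seen; None in the list marks a dropped connection."""
    codes = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        codes.append(read_reply(s))            # banner, expect 220
        s.sendall(b"USER anonymous\r\n")
        codes.append(read_reply(s))            # expect 331
        s.sendall(b"PASS anonymous\r\n")
        codes.append(read_reply(s))            # expect 230
        if codes[-1] != 230:
            # The pit never checks this reply; fuzzing an unauthenticated
            # session would exercise the wrong state, so stop and report it.
            return codes
        try:
            s.sendall(command.encode("ascii") + b" " + payload + b"\r\n")
            codes.append(read_reply(s))
        except OSError:                        # reset / timeout: target likely died
            codes.append(None)
        try:
            s.sendall(b"QUIT\r\n")
        except OSError:
            pass
    return codes


def demo(commands, payload=b"A" * 600):
    """Start the stub on a free loopback port, push every command through the
    full login sequence, stop the stub and return {command: reply codes}."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]
    stop = threading.Event()
    worker = threading.Thread(target=_stub_server, args=(listener, stop), daemon=True)
    worker.start()
    try:
        return {c: fuzz_command("127.0.0.1", port, c, payload) for c in commands}
    finally:
        stop.set()
        worker.join()
        listener.close()


if __name__ == "__main__":
    for cmd, codes in demo(["PWD", "NOOP", "XYZ"]).items():
        print(cmd, codes)
```

Against a real target, point fuzz_command at the server instead of the stub and treat a None in the returned list (connection dropped after the fuzzed command) as the signal to go and look at the debugger; the pit relies on the WindowsDebugger monitor for the same information.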

This is the Python wrapper I used. Place it in any directory together with a text file ‘list_of_commands.txt’ containing the commands you wish to fuzz, one per line. Each line starts a complete Peach session with that verb substituted into the pit.

import os
import subprocess

peach_dir = r'C:\Program Files\Peach'
peach_exe = os.path.join(peach_dir, 'peach.exe')
pit_path = os.path.join(peach_dir, 'Pits', 'ftp_command_fuzz.xml')

# Open list of commands to enumerate (one FTP verb per line, blank lines skipped) #
with open('list_of_commands.txt', 'r') as f:
    commands = [line.strip() for line in f if line.strip()]

# Run one full Peach session per command; -DCOMMAND fills ##COMMAND## in the pit.
# No shell=True: the argument list goes straight to peach.exe, so a command
# containing shell metacharacters cannot break out of the call.
for command in commands:
    subprocess.call([peach_exe, '-DCOMMAND=' + command, pit_path])

You can download each of these files here:
Peach Pit: ftp_command_fuzz.xml
Python Wrapper: ftp_command_wrapper.py
Sample List of Commands: list_of_commands.txt

Filed Under: FTP Tagged With: commands, ftp, fuzz, peach, pit

Copyright © 2022 · Genesis Sample on Genesis Framework · WordPress