NSE: ftp-anon

We all know that leaving the anonymous/anonymous credentials enabled on an FTP server is poor security. That said, it is conceivable that an admin chose this configuration deliberately and has measures in place to prohibit lateral movement.

When doing a pentest there are a number of ways to check the FTP service of a target. A quick port scan or a poke with netcat can tell you some valuable information.

Let's look at NSE and do some recon.




Above is a successful run of the NSE script ftp-anon.

It is run with: # nmap -sV -sC [target ip] -p21

We are using the version detection switch (-sV) and the default script switch (-sC).

It is important to note that if the server allows anonymous logins, the script will also list the root directory and tell us which of its files are writable.
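As an added example that is not part of the original post: a small Python parser for the ftp-anon section of nmap's normal output, so a defender auditing their own FTP hosts can triage many scan reports at once. The sample report text below is constructed, not a real scan; the "[NSE: writeable]" suffix is the tag ftp-anon appends to entries the anonymous user can write to.

```python
import re

# Constructed sample of "nmap -sV -sC -p21" output for a host that allows
# anonymous login and exposes one writable directory (not a real scan).
SAMPLE_ANON = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 ftp      ftp          4096 Jun 01  2020 pub
|_drwxrwxrwx    2 ftp      ftp          4096 Jun 01  2020 upload [NSE: writeable]
"""

# Constructed sample where the port is filtered and ftp-anon prints nothing.
SAMPLE_FILTERED = """\
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
"""

PORT_RE = re.compile(r"^21/tcp\s+(\w+)\s+ftp(?:\s+(.*))?$")
PERM_RE = re.compile(r"[-dl][rwxsStT-]{9}")
WRITE_TAG = "[NSE: writeable]"


def parse_ftp_anon(report: str) -> dict:
    """Extract port state, banner, anonymous-login result and listing."""
    result = {"state": None, "version": None, "anon_allowed": False,
              "entries": [], "writable": []}
    for raw in report.splitlines():
        m = PORT_RE.match(raw)
        if m:
            result["state"], result["version"] = m.group(1), m.group(2)
            continue
        if not raw.startswith("|"):
            continue                      # not an NSE script line
        body = raw.lstrip("|_ ").rstrip() # drop the "| " / "|_" prefix
        if body.startswith("ftp-anon:"):
            result["anon_allowed"] = "login allowed" in body
            continue
        fields = body.split(None, 8)      # perms + 7 columns + name
        if len(fields) < 9 or not PERM_RE.fullmatch(fields[0]):
            continue
        name = fields[8]
        writable = name.endswith(WRITE_TAG)
        if writable:
            name = name[: -len(WRITE_TAG)].rstrip()
        result["entries"].append(name)
        if writable:
            result["writable"].append(name)
    return result


def assess(parsed: dict) -> str:
    """Triage label: no-anon, anon-read-only or anon-writable."""
    if not parsed["anon_allowed"]:
        return "no-anon"
    return "anon-writable" if parsed["writable"] else "anon-read-only"
```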

Let's take a look at a machine with an open port and FTP service running on it.


Look at what happens between the first (netcat) and the third (NSE) scan. Netcat returns with an "open" state. If one were to do a regular nmap scan of this machine at this point it would return with an "open" state as well. When reviewing the third scan with NSE, it actually comes back with "filtered." This tells us that the FTP service does not have anonymous/anonymous set.

This gives you some valuable information for your pentest. In the second image we know that the target is using marginally more security, at least by having some sort of authentication in place.

Next steps would be capitalizing on some social engineering and brute forcing the password. ;)

Make sure you have been given permission to perform pentests. 
