Use an Auxiliary Scanner for FTP Enumeration in Metasploit

Introduction

In this lab, you will learn the basics of using the Metasploit Framework for information gathering. Specifically, you will focus on FTP (File Transfer Protocol) enumeration using an auxiliary scanner module.

Metasploit is a widely used penetration testing framework that simplifies security testing. It contains a large collection of tools, exploits, and modules. Auxiliary modules are a key component: they handle tasks such as scanning, fuzzing, and reconnaissance, which do not involve direct exploitation.

FTP enumeration is the process of gathering information about an FTP service, such as its version, configuration, and whether it allows anonymous access. This information is crucial for identifying potential vulnerabilities. We will use the ftp_version auxiliary module to scan a target and identify the running FTP server software.

By the end of this lab, you will be familiar with the basic workflow of finding, configuring, and running a Metasploit module.

Search for the ftp_version auxiliary module

In this step, you will launch the Metasploit Framework console and search for a suitable module for FTP version scanning. The Metasploit console is the primary interface for interacting with the framework.

First, open a terminal and start the Metasploit console. We use the -q flag for a "quiet" start, which suppresses the banner for a cleaner interface.

msfconsole -q

Once you are inside the msfconsole prompt, you can use the search command to find modules. We are looking for a module that can identify the version of an FTP server. A good keyword to search for is ftp_version.

Type the following command into the msfconsole prompt:

search ftp_version

You will see a list of matching modules. The one we are interested in is an auxiliary scanner.

msf6 > search ftp_version

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  auxiliary/scanner/ftp/ftp_version                          normal  No     FTP Version Scanner
   1  exploit/windows/ftp/ftpshell_version_bof  2010-05-12       good    No     FTPShell 6.70 (Windows 7) Version Stack Buffer Overflow

The output shows the auxiliary/scanner/ftp/ftp_version module, which is exactly what we need for our task.

Select the ftp_version module

In this step, you will select the module you found in the previous step. After identifying a suitable module with the search command, you need to load it into the framework's context to configure and run it.

The command to select a module is use, followed by the full name of the module from the search results.

Based on the previous step's output, use the following command to select the FTP version scanner:

use auxiliary/scanner/ftp/ftp_version

After you execute this command, you will notice that the msfconsole prompt changes. It now includes the name of the selected module, indicating that you are working within its context.

msf6 > use auxiliary/scanner/ftp/ftp_version
msf6 auxiliary(scanner/ftp/ftp_version) >

This new prompt confirms that the ftp_version module is now active and ready for configuration.

Set the RHOSTS option to the target IP

In this step, you will configure the selected module. Most Metasploit modules require you to set specific options before they can be run. For scanner modules, the most common option is RHOSTS, which stands for "Remote Hosts". This option tells the module which target(s) to scan.

Our lab environment has an FTP server running on the same machine (localhost). The IP address for localhost is 127.0.0.1.

To set an option in Metasploit, you use the set command, followed by the option name and its value.

Set the RHOSTS option to our target IP address:

set RHOSTS 127.0.0.1

Metasploit will confirm the change by echoing the new setting back to you.

msf6 auxiliary(scanner/ftp/ftp_version) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1

Now the module knows which target to scan.

View and understand module options with show options

In this step, you will learn how to view and verify the configuration of a module. Before executing a module, it's always a good practice to review all its options to ensure everything is set correctly.

The show options command displays all the configurable parameters for the currently active module.

Run the following command to see the options for the ftp_version scanner:

show options

This will display a table with details about each option.

msf6 auxiliary(scanner/ftp/ftp_version) > show options

Module options (auxiliary/scanner/ftp/ftp_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   127.0.0.1        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    21               yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)

Let's break down the columns:

  • Name: The name of the option (e.g., RHOSTS).
  • Current Setting: The value currently assigned to the option. You can see 127.0.0.1 is set for RHOSTS.
  • Required: Indicates if the option must be set for the module to run (yes or no).
  • Description: A brief explanation of what the option does.

By reviewing this output, you can confirm that the required RHOSTS option is correctly set to our target. The other required options, RPORT and THREADS, already have default values that are suitable for our scan.

Execute the module with the run command

In this step, you will execute the module to perform the scan. Once you have selected a module and configured all the required options, you are ready to launch it.

The command to execute an auxiliary module is run. (For exploit modules, you can use either run or exploit.)

Now, execute the scanner:

run

The module will connect to the target FTP server on the specified port and attempt to retrieve its version banner. The output will show the results of the scan.

msf6 auxiliary(scanner/ftp/ftp_version) > run

[+] 127.0.0.1:21      - FTP Banner: 220 (vsFTPd 3.0.5)
[*] 127.0.0.1:21      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The output [+] 127.0.0.1:21 - FTP Banner: 220 (vsFTPd 3.0.5) is the key piece of information. It confirms that an FTP server is running on the target and tells us its software and version: vsFTPd 3.0.5. This is a successful enumeration.
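
What the run step does on the wire, written out as an added Ruby example (it is not Metasploit's module code and not part of the original lab): it reads the 220 greeting, including multi-line replies, and reports whether a product name and version are disclosed, which is the check an administrator would run against their own server. The helper names and the loopback stand-in server are assumptions made for this example.

```ruby
require 'socket'
require 'timeout'

# Read the FTP greeting from host:port. RFC 959 replies may span several
# lines: "220-" marks a continuation, "220 " (code + space) the last line.
def read_ftp_greeting(host, port = 21, wait = 5)
  lines = []
  Timeout.timeout(wait) do
    Socket.tcp(host, port, connect_timeout: wait) do |sock|
      while (line = sock.gets)
        lines << line.chomp
        break if lines.last =~ /\A\d{3}( |\z)/
      end
    end
  end
  lines
rescue Timeout::Error, SystemCallError, SocketError
  [] # closed or filtered port, or a service that never greets
end

# Classify what the greeting discloses about the server software.
# Heuristic: the first "name version" pair found in the greeting text.
def assess_greeting(lines)
  return { status: :no_banner } unless lines.last.to_s.start_with?('220')
  text = lines.map { |l| l.sub(/\A220[- ]?/, '') }.join(' ').strip
  m = text.match(%r{([A-Za-z][\w.-]*)[ /]v?(\d+(?:\.\d+)+)})
  return { status: :generic, banner: text } unless m
  { status: :version_disclosed, product: m[1], version: m[2], banner: text }
end

# Constructed stand-in for an FTP service: sends the given greeting once on
# an ephemeral loopback port and returns that port number.
def serve_greeting_once(greeting_lines)
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  Thread.new do
    client = server.accept
    greeting_lines.each { |l| client.write("#{l}\r\n") }
    client.close
    server.close
  end
  port
end

# Demo: the banner from the lab output, served by the local stand-in.
port = serve_greeting_once(['220 (vsFTPd 3.0.5)'])
p assess_greeting(read_ftp_greeting('127.0.0.1', port))
```

On vsftpd the greeting text can be overridden with the ftpd_banner option in vsftpd.conf; with a banner that carries no version string, the same check reports generic instead of version_disclosed.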

Summary

In this lab, you have successfully performed a basic FTP enumeration using the Metasploit Framework. You have learned the fundamental workflow for using an auxiliary module, which is a core skill for any Metasploit user.

You have practiced the following key commands and concepts:

  • Starting the Metasploit console with msfconsole.
  • Finding modules with the search command.
  • Selecting a module for use with the use command.
  • Configuring module options, such as RHOSTS, with the set command.
  • Verifying the module's configuration with show options.
  • Executing the module to perform its task with the run command.

This process of searching, selecting, configuring, and running is applicable to thousands of modules within Metasploit, making it a foundational technique for penetration testing and security analysis.