Skip to content

ftp_login: Various improvements#21379

Draft
g0tmi1k wants to merge 18 commits into
rapid7:masterfrom
g0tmi1k:ftp_login
Draft

ftp_login: Various improvements#21379
g0tmi1k wants to merge 18 commits into
rapid7:masterfrom
g0tmi1k:ftp_login

Conversation

@g0tmi1k

@g0tmi1k g0tmi1k commented Apr 26, 2026

Copy link
Copy Markdown
Contributor

Related issue: #21096

This PR covers (a lot!):

  • Convert the module to use run_scanner(), and print_brute()
  • Able to be more verbose (gives proof/reasoning of action, show FTP banner, check user input), and clean up output
  • Use dead code - previously wasn't checking for FTP permission (CHECK_ACCESS/test_ftp_access())
  • Re-work how anonymous access is checked (as well as blank)
  • Update workspace more (via report_vuln()/report_service()/report_note())
  • Refresh module metadata
  • Able to enum the target more (EXTENDED_CHECKS/STORE_LOOT)
  • Update docs & scanner specs
          current  name     hosts  services  vulns  creds  loots  notes
          -------  ----     -----  --------  -----  -----  -----  -----
Before -> *        default  1      1         0      1      0      0
After  -> *        default  1      2         1      2      1      2

Target is metasploitable 2.

Before

  • ANONYMOUS_LOGIN -> [-] 10.0.0.10:21 - 10.0.0.10:21 - LOGIN FAILED: : (Incorrect: ) (incorrect)
  • CHECK_ACCESS -> [+] 10.0.0.10:21 - 10.0.0.10:21 - Login Successful: msfadmin:msfadmin (doesn't say about permissions)
$ ./msfconsole -q -x 'db_status; workspace -D;
setg VERBOSE true;
use auxiliary/scanner/ftp/ftp_login;
set RHOSTS 10.0.0.10;
set USERNAME msfadmin;
set PASSWORD incorrect;
set ANONYMOUS_LOGIN true;
set STOP_ON_SUCCESS false;
set USER_AS_PASS true;'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 10.0.0.10
USERNAME => msfadmin
PASSWORD => incorrect
ANONYMOUS_LOGIN => true
STOP_ON_SUCCESS => false
USER_AS_PASS => true
msf auxiliary(scanner/ftp/ftp_login) > run
[*] 10.0.0.10:21          - 10.0.0.10:21 - Starting FTP login sweep
[-] 10.0.0.10:21          - 10.0.0.10:21 - LOGIN FAILED: : (Incorrect: )
[-] 10.0.0.10:21          - 10.0.0.10:21 - LOGIN FAILED: msfadmin:incorrect (Incorrect: )
[+] 10.0.0.10:21          - 10.0.0.10:21 - Login Successful: msfadmin:msfadmin
[*] 10.0.0.10:21          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ftp/ftp_login) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         0      1      0      0

msf auxiliary(scanner/ftp/ftp_login) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10

msf auxiliary(scanner/ftp/ftp_login) > services
Services
========

host       port  proto  name  state  info  resource  parents
----       ----  -----  ----  -----  ----  --------  -------
10.0.0.10  21    tcp    ftp   open         {}

msf auxiliary(scanner/ftp/ftp_login) > creds
Credentials
===========

id   host       origin     service       public    private   realm  private_type  JtR Format  cracked_password
--   ----       ------     -------       ------    -------   -----  ------------  ----------  ----------------
466  10.0.0.10  10.0.0.10  21/tcp (ftp)  msfadmin  msfadmin         Password

msf auxiliary(scanner/ftp/ftp_login) >

After

  • Can see FTP banner
  • Enum the target more
  • Much more in the workspace
  • Output format is more like ssh_login
  • ANONYMOUS_LOGIN -> [+] 10.0.0.10:21 - Login Successful: anonymous:mozilla@example.com (Read-only) (correct & permissions)
  • CHECK_ACCESS -> [+] 10.0.0.10:21 - Login Successful: msfadmin:msfadmin (Read/Write) (says about permissions)
$ ./msfconsole -q -x 'db_status; workspace -D;
setg VERBOSE true;
use auxiliary/scanner/ftp/ftp_login;
set RHOSTS 10.0.0.10;
set USERNAME msfadmin;
set PASSWORD incorrect;
set ANONYMOUS_LOGIN true;
set CHECK_ACCESS true;
set STOP_ON_SUCCESS false;
set USER_AS_PASS true;'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 10.0.0.10
USERNAME => msfadmin
PASSWORD => incorrect
ANONYMOUS_LOGIN => true
CHECK_ACCESS => true
STOP_ON_SUCCESS => false
USER_AS_PASS => true
msf auxiliary(scanner/ftp/ftp_login) > run
[*] 10.0.0.10:21          - Starting FTP login sweep
[*] 10.0.0.10:21          - FTP Banner: vsFTPd 2.3.4
[*] 10.0.0.10:21          - Checking read/write access
[*] 10.0.0.10:21          - Getting FTP root directory contents
[*] 10.0.0.10:21          - Directory listing: (empty)
[+] 10.0.0.10:21          - Login Successful: anonymous:mozilla@example.com (Read-only)
[-] 10.0.0.10:21          - Failed: msfadmin:incorrect (Incorrect: 530 Login incorrect.)
[*] 10.0.0.10:21          - Checking read/write access
[*] 10.0.0.10:21          - Getting FTP root directory contents
[*] 10.0.0.10:21          - Directory listing:
[*] 10.0.0.10:21          -   drwxr-xr-x    6 1000     1000         4096 Apr 28  2010 vulnerable
[+] 10.0.0.10:21          - Directory listing stored to: /home/kali/.msf4/loot/20260521114501_default_10.0.0.10_ftp.dir_listing_343949.txt
[+] 10.0.0.10:21          - Login Successful: msfadmin:msfadmin (Read/Write)
[*] 10.0.0.10:21          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ftp/ftp_login) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      2         1      2      1      2

msf auxiliary(scanner/ftp/ftp_login) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Unknown                    device

msf auxiliary(scanner/ftp/ftp_login) > services
Services
========

host       port  proto  name  state  info          resource  parents
----       ----  -----  ----  -----  ----          --------  -------
10.0.0.10  21    tcp    tcp   open                 {}
10.0.0.10  21    tcp    ftp   open   vsFTPd 2.3.4  {}        tcp (21/tcp)

msf auxiliary(scanner/ftp/ftp_login) > vulns

Vulnerabilities
===============

Timestamp                Host       Service       Resource  Name                  References
---------                ----       -------       --------  ----                  ----------
2026-05-21 10:44:58 UTC  10.0.0.10  ftp (21/tcp)  {}        Weak FTP Credentials  CVE-1999-0502,ATT&CK-T1021,ATT&CK-T1110.001

msf auxiliary(scanner/ftp/ftp_login) > creds
Credentials
===========

id   host       origin     service       public     private              realm  private_type  JtR Format  cracked_password
--   ----       ------     -------       ------     -------              -----  ------------  ----------  ----------------
471  10.0.0.10  10.0.0.10  21/tcp (ftp)  anonymous  mozilla@example.com         Password
472  10.0.0.10  10.0.0.10  21/tcp (ftp)  msfadmin   msfadmin                    Password

msf auxiliary(scanner/ftp/ftp_login) > loot

Loot
====

host       service  type             name              content     info                                path
----       -------  ----             ----              -------     ----                                ----
10.0.0.10           ftp.dir_listing  ftp_msfadmin.txt  text/plain  FTP directory listing for msfadmin  /home/kali/.msf4/loot/20260521114501_default_10.0.0.10_ftp.dir_listing_343949.txt

msf auxiliary(scanner/ftp/ftp_login) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type        Data
 ----                     ----       -------  ----  --------  ----        ----
 2026-05-21 10:44:58 UTC  10.0.0.10  tcp      21    tcp       ftp.banner  {:banner=>"220 (vsFTPd 2.3.4)"}
 2026-05-21 10:44:58 UTC  10.0.0.10  tcp      21    tcp       ftp.cpe     {:cpe=>"cpe:/a:vsftpd_project:vsftpd:2.3.4"}

msf auxiliary(scanner/ftp/ftp_login) >

@g0tmi1k g0tmi1k changed the title ftp_login ftp_login: Test access & Improve anonymous_creds Apr 26, 2026
@g0tmi1k g0tmi1k force-pushed the ftp_login branch 7 times, most recently from 6a872ad to 441041f Compare April 30, 2026 13:00
@g0tmi1k g0tmi1k changed the title ftp_login: Test access & Improve anonymous_creds ftp_login: Various improvements May 4, 2026
@g0tmi1k g0tmi1k force-pushed the ftp_login branch 9 times, most recently from 5ab5c52 to 38bb8a8 Compare May 5, 2026 17:46
@g0tmi1k

g0tmi1k commented May 5, 2026

Copy link
Copy Markdown
Contributor Author

This now needs #21380 to be merged ahead of time.

@g0tmi1k g0tmi1k force-pushed the ftp_login branch 6 times, most recently from 44235ba to c564610 Compare May 6, 2026 14:03
@cdelafuente-r7 cdelafuente-r7 self-assigned this May 6, 2026
@cdelafuente-r7 cdelafuente-r7 added the rn-enhancement release notes enhancement label May 6, 2026
@cdelafuente-r7 cdelafuente-r7 moved this from Todo to In Progress in Metasploit Kanban May 6, 2026
@g0tmi1k g0tmi1k requested a review from cdelafuente-r7 May 29, 2026 13:55
@g0tmi1k

g0tmi1k commented May 29, 2026

Copy link
Copy Markdown
Contributor Author

(As always) Thanks @cdelafuente-r7! Think all feedback has been addressed - I've re-dropped report_vuln(). If it should be added back in, it can.

@g0tmi1k

g0tmi1k commented Jun 16, 2026

Copy link
Copy Markdown
Contributor Author

Fixed the conflict.

@cdelafuente-r7 cdelafuente-r7 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @g0tmi1k , I left a couple of comments.

Comment thread documentation/modules/auxiliary/scanner/ftp/ftp_login.md Outdated
Comment thread modules/auxiliary/scanner/ftp/ftp_login.rb Outdated
@g0tmi1k g0tmi1k force-pushed the ftp_login branch 2 times, most recently from 0f0e81a to 8ac3ac8 Compare June 23, 2026 16:41
@g0tmi1k

g0tmi1k commented Jun 23, 2026

Copy link
Copy Markdown
Contributor Author

Hey hey hey there @cdelafuente-r7 - thanks for once again reviewing this!

I believe I've acted on your feedback.
I also have fixed up the merge conflict too.

@cdelafuente-r7

Copy link
Copy Markdown
Contributor

Hi @g0tmi1k, the FTP mixin PR has been merge and this PR can now be rebased and tested. Please, if everything works as expected, move it from Draft to Ready to Review. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

rn-enhancement release notes enhancement

Projects

Status: Waiting on Contributor

Development

Successfully merging this pull request may close these issues.

4 participants