The Pen Tester's Framework: ftpmap

It's true, FTP isn't something that you think of first when conducting an assessment. We look at web servers. FTP is something that people used in the 90s, right?

Well, no. As it turns out, a lot of organizations use FTP to move files from app to app, from partner to partner, from location to location. Legacy apps exist, and they are a large percentage of the vulnerable applications out there. FTP is a reality that everyone checking security needs to consider.

ftpmap "scans remote FTP servers to identify what software and what versions they are running" according to the man file. It's certainly something that should be in your 'hey let's look at this server' test group. So let's give it a try.

Interestingly, it wasn't installed! The configuration file was there, but there is no ftpmap directory in the vulnerability-analysis directory for the compiled code. So, well, I'll just do it manually!

sudo git clone https://github.com/Hypsurus/ftpmap.git
cd ftpmap
sudo ./configure
sudo make
sudo make install

Waaaiiit a minute. Error city. This shouldn't be happening! Guess that's why the PTF didn't put it on my system - something weird is missing:

CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/bash /pentest/vulnerability-analysis/ftpmap/missing aclocal-1.15 
/pentest/vulnerability-analysis/ftpmap/missing: line 81: aclocal-1.15: command not found
WARNING: 'aclocal-1.15' is missing on your system.
         You should only need it if you modified 'acinclude.m4' or
         'configure.ac' or m4 files included by 'configure.ac'.
         The 'aclocal' program is part of the GNU Automake package:
         <http://www.gnu.org/software/automake>
         It also requires GNU Autoconf, GNU m4 and Perl in order to run:
         <http://www.gnu.org/software/autoconf>
         <http://www.gnu.org/software/m4/>
         <http://www.perl.org/>
make: *** [aclocal.m4] Error 127

Well, crap. A quick run of apt-get shows that I have the latest version of automake, so there must be something subtle wrong. Aah well, I don't see THAT many FTP sites out there ...
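
The `aclocal-1.15` in the error output is the automake API version recorded in the shipped `configure` script, and the `missing` wrapper fails when the installed automake is a different release. The following check is an added example, not part of the original post or the ftpmap project; its function names are hypothetical:

```sh
#!/bin/sh
# Added example (not from the original post): explain an "aclocal-X.Y is
# missing" build failure by comparing the automake API version recorded in a
# shipped configure script with the automake that is installed.
# All function names here are hypothetical.

# Print the API version recorded in a generated configure script,
# e.g. the line  am__api_version='1.15'  yields 1.15.
baked_api_version() {
    sed -n 's/^am__api_version=[^0-9]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Reduce a full release number (1.16.5) to its API version (1.16).
api_of() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print the installed automake release, or fail if automake is absent.
installed_version() {
    command -v automake >/dev/null 2>&1 || return 1
    automake --version | sed -n '1s/.* \([0-9][0-9.]*\)$/\1/p'
}

# diagnose <configure-script> [automake-release]
# The optional second argument overrides detection of the installed release.
diagnose() {
    baked=$(baked_api_version "$1")
    have=$2
    [ -n "$have" ] || have=$(installed_version) || have=
    have=$(api_of "$have")
    if [ -z "$baked" ] || [ -z "$have" ]; then
        echo "unknown"
    elif [ "$baked" = "$have" ]; then
        echo "match"
    else
        echo "mismatch: configure expects aclocal-$baked, installed automake is $have; regenerate with 'autoreconf -fi'"
    fi
}

# Stand-alone use: run from the top of the cloned source tree.
if [ -f ./configure ]; then
    diagnose ./configure
fi
```

On a mismatch, `autoreconf -fi` rebuilds `aclocal.m4`, `configure` and the `Makefile.in` files with the installed autotools before `./configure` and `make` are run again.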



Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
