Detecting vulnerabilities in FTP service

If we run the ftp-anon script against port 21 on our target machine, we can find out whether the FTP service allows anonymous authentication, that is, logging in without supplying a username and password. In this case, we see that such authentication is possible on the FTP server:

In the following script, we run the scan asynchronously so that it can be executed against a given port while other scripts run in parallel; when one of the scripts finishes, the defined callback function is executed. In this case, we run the scripts defined for the FTP service, and each time a script returns a response the callbackFTP function is called, which gives us more information about that service.

You can find the following code in the file NmapScannerAsync_FTP.py:

#!/usr/bin/env python
# -*- encoding: utf-8 -*-

import argparse
import nmap  # python-nmap


def callbackFTP(host, result):
    """Called by PortScannerAsync each time a script scan of a host finishes."""
    try:
        script = result['scan'][host]['tcp'][21]['script']
        print("Command line: " + result['nmap']['command_line'])
        for key, value in script.items():
            print('Script {0} --> {1}'.format(key, value))
    except KeyError:
        # Key is not present: port closed, host down, or the script produced no output
        pass


class NmapScannerAsyncFTP:

    def __init__(self):
        self.nmsync = nmap.PortScanner()
        self.nmasync = nmap.PortScannerAsync()

    def scanning(self):
        # Block until the asynchronous scan has finished
        while self.nmasync.still_scanning():
            self.nmasync.wait(5)

This is the method of the NmapScannerAsyncFTP class that checks the port passed as a parameter and launches the Nmap scripts related to FTP asynchronously:

    def nmapScanAsync(self, hostname, port):
        try:
            print("Checking port " + port + " ..........")
            # Synchronous scan first, to learn the state of the port
            self.nmsync.scan(hostname, port)
            self.state = self.nmsync[hostname]['tcp'][int(port)]['state']
            print(" [+] " + hostname + " tcp/" + port + " " + self.state)

            # FTP
            if (port == '21') and self.state == 'open':
                print('Checking ftp port with nmap scripts......')
                # scripts for ftp:21 open; each one runs as its own async scan
                # and callbackFTP is invoked with its result
                print('Checking ftp-anon.nse .....')
                self.nmasync.scan(hostname, arguments="-A -sV -p21 --script ftp-anon.nse", callback=callbackFTP)
                self.scanning()
                print('Checking ftp-bounce.nse .....')
                self.nmasync.scan(hostname, arguments="-A -sV -p21 --script ftp-bounce.nse", callback=callbackFTP)
                self.scanning()
                print('Checking ftp-brute.nse .....')
                self.nmasync.scan(hostname, arguments="-A -sV -p21 --script ftp-brute.nse", callback=callbackFTP)
                self.scanning()
                print('Checking ftp-libopie.nse .....')
                self.nmasync.scan(hostname, arguments="-A -sV -p21 --script ftp-libopie.nse", callback=callbackFTP)
                self.scanning()
                print('Checking ftp-proftpd-backdoor.nse .....')
                self.nmasync.scan(hostname, arguments="-A -sV -p21 --script ftp-proftpd-backdoor.nse", callback=callbackFTP)
                self.scanning()
                print('Checking ftp-vsftpd-backdoor.nse .....')
                self.nmasync.scan(hostname, arguments="-A -sV -p21 --script ftp-vsftpd-backdoor.nse", callback=callbackFTP)
                self.scanning()

        except Exception as e:
            print(str(e))
            print("Error to connect with " + hostname + " for port scanning")

This is our main program, which requests the target and ports as parameters and calls the nmapScanAsync(ip, port) method for each port:

if __name__ == "__main__":

    parser = argparse.ArgumentParser(description='Nmap scanner async')
    # Main arguments
    parser.add_argument("-target", dest="target", help="target IP / domain", required=True)
    parser.add_argument("-ports", dest="ports", help="Please, specify the target port(s) separated by comma [80,8080 by default]", default="80,8080")

    parsed_args = parser.parse_args()

    port_list = parsed_args.ports.split(',')

    ip = parsed_args.target

    for port in port_list:
        NmapScannerAsyncFTP().nmapScanAsync(ip, port)

Now, we are going to execute NmapScannerAsync_FTP.py with the target and ports parameters.

In this case, we scan the FTP port (21) and can see that each of the scripts defined for this port is executed, returning information that we can use in a later attack or exploitation process.

We can obtain information about vulnerable FTP services by executing the previous script:

python NmapScannerAsync_FTP.py -target 192.168.56.101 -ports 21
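The callback above only prints whatever the scripts return, so it helps to see the shape of the python-nmap result dictionary it walks and how the raw NSE output can be turned into something a defender can triage. The following is an added example, not code from the book or from python-nmap: SAMPLE_RESULT is a constructed dictionary in the shape nmap.PortScanner() and PortScannerAsync() return (not a real scan), the severity heuristics in classify_ftp_findings are my own and key on the phrases those scripts normally print (an assumption), and run_ftp_scripts generalises the six repeated scan()/scanning() pairs into a loop over a list, taking the scanner as a parameter so that a fake can stand in for nmap.

```python
#!/usr/bin/env python3
"""Added example (not from the book): parse python-nmap style results for the
FTP scripts the scanner launches and turn them into defender-oriented findings.
SAMPLE_RESULT is constructed to mimic python-nmap output; it is not a real scan."""

# The NSE scripts the page's nmapScanAsync launches one by one against tcp/21.
FTP_SCRIPTS = [
    "ftp-anon", "ftp-bounce", "ftp-brute", "ftp-libopie",
    "ftp-proftpd-backdoor", "ftp-vsftpd-backdoor",
]

# Constructed sample in the shape nmap.PortScanner()/PortScannerAsync() return.
SAMPLE_RESULT = {
    "nmap": {"command_line": "nmap -oX - -A -sV -p21 --script ftp-anon.nse 192.0.2.10"},
    "scan": {
        "192.0.2.10": {
            "tcp": {
                21: {
                    "state": "open", "name": "ftp",
                    "product": "vsftpd", "version": "2.3.4",
                    "script": {
                        "ftp-anon": "Anonymous FTP login allowed (FTP code 230)\n"
                                    "-rw-r--r-- 1 0 0 42 Jan 01 00:00 readme.txt",
                        "ftp-bounce": "bounce working!",
                        "ftp-vsftpd-backdoor": "\n  VULNERABLE:\n  vsFTPd backdoor\n"
                                               "    State: VULNERABLE (Exploitable)",
                    },
                }
            }
        }
    },
}


def nmap_arguments(script):
    """Build the argument string the page passes to PortScannerAsync.scan()."""
    if script not in FTP_SCRIPTS:
        raise ValueError("unknown FTP script: " + script)
    return "-A -sV -p21 --script " + script + ".nse"


def extract_ftp_scripts(result, host):
    """Return {script_name: output} for tcp/21 of host, or {} when the key path
    is absent (closed port, host down, script produced no output). This is the
    same KeyError case the page's callbackFTP silently ignores."""
    try:
        return dict(result["scan"][host]["tcp"][21]["script"])
    except KeyError:
        return {}


def classify_ftp_findings(scripts):
    """Map raw NSE output to (script, severity, summary) tuples.
    The matched phrases are the wording these scripts normally print
    (assumption); anything unrecognised is reported as 'info'."""
    findings = []
    for name, output in scripts.items():
        text = output.lower()
        if name == "ftp-anon" and "anonymous ftp login allowed" in text:
            findings.append((name, "high", "anonymous login enabled"))
        elif name == "ftp-bounce" and "bounce working" in text:
            findings.append((name, "medium", "server relays PORT connections to third parties"))
        elif name == "ftp-brute" and "valid credentials" in text:
            findings.append((name, "high", "weak credentials accepted"))
        elif name.endswith("-backdoor") and "vulnerable" in text and "not vulnerable" not in text:
            findings.append((name, "critical", "backdoored server build reported"))
        else:
            first_line = output.strip().splitlines()[0] if output.strip() else ""
            findings.append((name, "info", first_line))
    return findings


def run_ftp_scripts(nmasync, hostname, callback, poll_seconds=5):
    """Launch every FTP script as its own asynchronous scan and wait for each
    to finish, like the page's nmapScanAsync but driven by FTP_SCRIPTS.
    nmasync is any object with the scan()/still_scanning()/wait() methods of
    nmap.PortScannerAsync, so a fake can stand in for tests. Returns the
    argument strings that were launched, in order."""
    launched = []
    for script in FTP_SCRIPTS:
        args = nmap_arguments(script)
        nmasync.scan(hostname, arguments=args, callback=callback)
        while nmasync.still_scanning():
            nmasync.wait(poll_seconds)
        launched.append(args)
    return launched


if __name__ == "__main__":
    # Offline demonstration on the constructed sample result
    for script, severity, summary in classify_ftp_findings(
            extract_ftp_scripts(SAMPLE_RESULT, "192.0.2.10")):
        print("[{0}] {1}: {2}".format(severity.upper(), script, summary))
```

Two details matter for anyone reusing the page's callback: the port key under 'tcp' is the integer 21, not the string '21' that argparse hands you, and the 'script' key is simply missing when a script has nothing to report, which is why catching KeyError is the right way to treat "no finding" rather than a failure.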
