Anonymous Logins For Pentesters
Anonymous Logins For Pentesters
Anonymous Logins For Pentesters
Introduction.......................................................................................3
Setting up Anonymous FTP .................................................................3
Attacking Anonymous FTP ..................................................................8
Setting up Anonymous SMB ............................................................. 10
Attacking Anonymous SMB .............................................................. 13
Conclusion ....................................................................................... 14
Page 2 of 14
Introduction
Anonymous Logins are a feature that allows the user to set up a service that is accessible by any user. It
doesn’t need specific credentials to access that resource. Various servers that wish to host data that
should be accessible to a wide range of users via anonymous logins. In real life, while performing network
penetration testing, a tester should be able to identify the anonymous service and test it. We will also be
looking behind the scenes at how these anonymous services are setup on our local target machine running
Ubuntu. We will be learning about the FTP service and the SMB service.
Each service that is installed on a Linux machine has a configuration file that can be used to tweak
options and settings for that particular service. By default, anonymous login is disabled on the vsftpd.
We will need to edit the /etc/vsftpd.conf configuration file in order to enable the anonymous login
functionality. We edit the configuration file with nano, but you can use any editor of your choice, such
as vi or sublime.We go through all of the other options and comments until we get to the
"anonymous_enabled=NO" option, which is shown in the image below.
Page 3 of 14
To enable Anonymous Login on the machine, change the "anonymous_enabled=NO" option to
"anonymous_enabled=YES."Refer to the screenshot below.
Page 4 of 14
Just enabling the Anonymous login or installing a service is not enough to get it working. We want a fully
functional FTP service. To do this, we need to be able to share files using FTP, and since we have enabled
anonymous login, we should be able to download the files from the Ubuntu machine using anonymous
access. The FTP service requires a directory whose contents can be shared over the network. We create a
directory in the /var directory. We named the directory after the pub. We also need to change the
ownership of the directory in order to make it suitable for sharing data. After creating and changing
ownership, we move into the directory and create a file with the message "Welcome to Hacking Articles"
in it. We named the text file note.txt.
mkdir -p /var/ftp/pub
sudo chown nobody:nogroup /var/ftp/pub
cd /var/ftp/pub
echo "Welcome to Hacking Articles" > note.txt
Page 5 of 14
Back to the vsftpd.conf file that we were editing, we need to add a specific configuration to make the
anonymous login functional. We add the directory that we just created in the configurations, and then we
add the no_anon_password option that will stop prompting for a password. Another option we added is
the hide_ids option. When queried, it will revert to the ftp: ftp combination., we need to add the range of
ports that can be used for passive FTP.
Page 6 of 14
This completes all the configurations that we require to setup an FTP service with anonymous login
enabled on an Ubuntu machine. All that is required is to restart the vsftpd service in order to put the new
configurations into effect. Now we will refer to our Kali Linux machine, i.e., the attacker machine.
Page 7 of 14
nano /etc/vsftpd.conf
service vsftpd restart
nmap -A 192.168.1.46
Page 8 of 14
Now that it has been confirmed that the FTP service is running with Anonymous Login enabled, let’s try
to access the service. To do this, we will connect to the FTP service by providing the IP address of the
machine. Because we don't have any user credentials and anonymous login is enabled, we'll enter
"Anonymous" in the Name field and be logged in. We can run the directory listing command ls to find out
the files that are shared over FTP. We see that there is a text file by the name of note.txt. We can transfer
the text file using the get command as depicted below. After the transfer, we can read the text file to
confirm that we have successfully gained the data from the file that was created on the Ubuntu machine.
ftp 192.168.1.46
Anonymous
ls
cd pub
ls
get note.txt
bye
cat note.txt
Page 9 of 14
Setting up Anonymous SMB
The next service that can be set up with anonymous access is the SMB service. As it was originally designed
for Windows systems, we need to install the samba service on our Ubuntu machine. As with the vsftpd,
we used apt to install the samba service, as shown below.
Page 10 of 14
Like all services that are installed on any Linux machine, Samba also has a configuration file that is located
inside the /etc directory. Since we are trying to setup the service with anonymous login, we are going to
add some additional configurations as compared to the basic installation of samba.
cd /etc/samba/
We are using the nano editor, but you can basically use any editor of your choice. Moving down to the
file, we add the following configurations, such as the directory that should be used for sharing the files.
We are making the /var/www directory for this purpose. We need to give it proper permissions, such as
browsable and public, so that it can be accessed by anonymous login.
Page 11 of 14
The next thing that we need to do is create a file that can be used to test the ability of file transfer using
SMB. We created a text file called file.txt and filled it with the message "Welcome To Ignite
Technologies". You will need to restart the service in order to make the configurations active.
cd /var/www
ls
cat file.txt
Page 12 of 14
Attacking Anonymous SMB
As we did with the FTP service, it is also possible to check if the service is running on the target machine
using the nmap scan. Although we are not going to demonstrate it here. We are going to proceed with
the assumption that the service is up and running on the target machine. We connect to the service using
smbclient. It is quite clear from the image below that we didn’t provide a user or password combination
to connect to the service since anonymous login is enabled. We then enumerated the shares and found
the file.txt shared. We transferred the file to the local Kali Linux machine and confirmed that the SMB
Anonymous Login service is active and working.
smbclient -L //192.168.1.46
smbclient //192.168.1.46/shares
cat file.txt
Page 13 of 14
Conclusion
Anonymous logins are quite common in real-life environments and in the Capture the Flags challenges as
well. As an attacker, it is important to understand how it works and what kind of setup is required to
enable the anonymous login. Most of all, it is important to know how to interact with this kind of access.
Page 14 of 14
JOIN OUR
TRAINING PROGRAMS
H ERE
CLICK BEGINNER
Network Pentest
Wireless Pentest
ADVANCED
Advanced CTF
Android Pentest Metasploit
EXPERT
Privilege Escalation
APT’s - MITRE Attack Tactics
Windows
Active Directory Attack
Linux
MSSQL Security Assessment
www.ignitetechnologies.in