FTP
Nmap discovered an FTP server on the target, port 21
The running service is Microsoft ftpd
Null Session
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/algernon]
└─$ ftp ftp@$IP
Connected to 192.168.236.65.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>
Anonymous authentication successful
ftp> put test
local: test remote: test
229 Entering Extended Passive Mode (|||50023|)
550 Access is denied.
No write access
ftp> ls
229 Entering Extended Passive Mode (|||49846|)
150 Opening ASCII mode data connection.
04-29-20 10:31PM <DIR> ImapRetrieval
03-22-25 05:40AM <DIR> Logs
04-29-20 10:31PM <DIR> PopRetrieval
03-22-25 05:40AM <DIR> Spool
226 Transfer complete.
Listing the FTP server reveals 4 directories that appear to be related to a mail service
ftp> cd Logs
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49922|)
125 Data connection already open; Transfer starting.
01-30-25 12:49AM 273 2025.01.29-delivery.log.zip
01-30-25 12:49AM 350 2025.01.29-imapLog.log.zip
01-30-25 12:49AM 348 2025.01.29-popLog.log.zip
01-30-25 12:49AM 382 2025.01.29-smtpLog.log.zip
01-30-25 12:49AM 413 2025.01.29-xmppLog.log.zip
03-22-25 05:40AM 46 2025.03.22-activation.log
03-22-25 05:40AM 42 2025.03.22-delivery.log
03-22-25 05:40AM 340 2025.03.22-maintenance.log
226 Transfer complete.
Logs is the only directory that has files in it
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/algernon/ftp]
└─$ wget -q -m ftp://ftp:ftp@$IP ; cd 192.168.236.65
┌──(kali㉿kali)-[~/…/PG_PRACTICE/algernon/ftp/192.168.236.65]
└─$ tree
.
├── ImapRetrieval
├── Logs
│ ├── 2025.01.29-delivery.log.zip
│ ├── 2025.01.29-imapLog.log.zip
│ ├── 2025.01.29-popLog.log.zip
│ ├── 2025.01.29-smtpLog.log.zip
│ ├── 2025.01.29-xmppLog.log.zip
│ ├── 2025.03.22-activation.log
│ ├── 2025.03.22-delivery.log
│ └── 2025.03.22-maintenance.log
├── PopRetrieval
└── Spool
├── Drop
├── SubSpool0
├── SubSpool1
├── SubSpool2
├── SubSpool3
├── SubSpool4
├── SubSpool5
├── SubSpool6
├── SubSpool7
├── SubSpool8
└── SubSpool9
16 directories, 8 files
Downloading them all
Logs
┌──(kali㉿kali)-[~/…/algernon/ftp/192.168.236.65/Logs]
└─$ ll
total 44K
4.0K drwxrwxr-x 2 kali kali 4.0K Mar 22 14:13 .
4.0K drwxrwxr-x 6 kali kali 4.0K Mar 22 14:09 ..
4.0K -rw-rw-r-- 1 kali kali 532 Mar 22 14:09 .listing
4.0K -rw-rw-r-- 1 kali kali 46 Mar 22 05:40 2025.03.22-activation.log
4.0K -rw-rw-r-- 1 kali kali 42 Mar 22 05:40 2025.03.22-delivery.log
4.0K -rw-rw-r-- 1 kali kali 340 Mar 22 05:40 2025.03.22-maintenance.log
4.0K -rw-rw-r-- 1 kali kali 273 Jan 30 00:49 2025.01.29-delivery.log.zip
4.0K -rw-rw-r-- 1 kali kali 350 Jan 30 00:49 2025.01.29-imapLog.log.zip
4.0K -rw-rw-r-- 1 kali kali 348 Jan 30 00:49 2025.01.29-popLog.log.zip
4.0K -rw-rw-r-- 1 kali kali 382 Jan 30 00:49 2025.01.29-smtpLog.log.zip
4.0K -rw-rw-r-- 1 kali kali 413 Jan 30 00:49 2025.01.29-xmppLog.log.zip
Logs appear to be divided into 2 different times: 2025.01.29 and 2025.03.22
2025.01.29
┌──(kali㉿kali)-[~/…/algernon/ftp/192.168.236.65/Logs]
└─$ cat 2025.03.22-activation.log
05:40:18.414 Daily activation check started.
┌──(kali㉿kali)-[~/…/algernon/ftp/192.168.236.65/Logs]
└─$ cat 2025.03.22-delivery.log
05:40:11.883 Updating ClamAV database...
┌──(kali㉿kali)-[~/…/algernon/ftp/192.168.236.65/Logs]
└─$ cat 2025.03.22-maintenance.log
05:40:18.414 Compressed c:\SmarterMail\Logs\2025.01.29-delivery.log
05:40:18.414 Compressed c:\SmarterMail\Logs\2025.01.29-imapLog.log
05:40:18.414 Compressed c:\SmarterMail\Logs\2025.01.29-popLog.log
05:40:18.414 Compressed c:\SmarterMail\Logs\2025.01.29-smtpLog.log
05:40:18.414 Compressed c:\SmarterMail\Logs\2025.01.29-xmppLog.log
Based on the logs alone, it would appear that the target system might be armed with ClamAV, and that SmarterMail is being used
2025.03.22
┌──(kali㉿kali)-[~/…/algernon/ftp/192.168.236.65/Logs]
└─$ ls *.zip | xargs -n1 unzip
Archive: 2025.01.29-delivery.log.zip
inflating: 2025.01.29-delivery.log
Archive: 2025.01.29-imapLog.log.zip
inflating: 2025.01.29-imapLog.log
Archive: 2025.01.29-popLog.log.zip
inflating: 2025.01.29-popLog.log
Archive: 2025.01.29-smtpLog.log.zip
inflating: 2025.01.29-smtpLog.log
Archive: 2025.01.29-xmppLog.log.zip
inflating: 2025.01.29-xmppLog.log
Extracting content
┌──(kali㉿kali)-[~/…/algernon/ftp/192.168.236.65/Logs]
└─$ cat 2025.01.29-delivery.log
23:49:20.003 Delivery server started at 1/29/2025 11:49:20 PM
23:49:20.018 Updating ClamAV database...
23:49:42.924 Updating the ClamAV database has completed successfully
┌──(kali㉿kali)-[~/…/algernon/ftp/192.168.236.65/Logs]
└─$ cat 2025.01.29-imapLog.log
23:49:20.003 System.Net.Sockets.SocketException (0x80004005): The requested address is not valid in its context
at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.Sockets.Socket.Bind(EndPoint localEP)
at MailService.TcpServerLib.Common.PooledTcpServer.StartListening(IPEndPoint ipEndPoint)
┌──(kali㉿kali)-[~/…/algernon/ftp/192.168.236.65/Logs]
└─$ cat 2025.01.29-popLog.log
23:49:20.003 System.Net.Sockets.SocketException (0x80004005): The requested address is not valid in its context
at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.Sockets.Socket.Bind(EndPoint localEP)
at MailService.TcpServerLib.Common.PooledTcpServer.StartListening(IPEndPoint ipEndPoint)
┌──(kali㉿kali)-[~/…/algernon/ftp/192.168.236.65/Logs]
└─$ cat 2025.01.29-smtpLog.log
23:49:19.940 smtp started at 1/29/2025 11:49:19 PM
23:49:19.987 System.Net.Sockets.SocketException (0x80004005): The requested address is not valid in its context
at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.Sockets.Socket.Bind(EndPoint localEP)
at MailService.TcpServerLib.Common.PooledTcpServer.StartListening(IPEndPoint ipEndPoint)
┌──(kali㉿kali)-[~/…/algernon/ftp/192.168.236.65/Logs]
└─$ cat 2025.01.29-xmppLog.log
23:49:20.065 xmpp Started at 1/29/2025 11:49:20 PM
23:49:20.081 Could not start listening on 192.168.120.110:5222 - System.Net.Sockets.SocketException (0x80004005): The requested address is not valid in its context
at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.Sockets.Socket.Bind(EndPoint localEP)
at MailService.Protocols.XMPP.Core.XmppServer.StartListening(IPEndPoint ipEndPoint)
N/A
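The manual review above can be repeated over any mirrored log directory. The following is an added example, not part of the original notes: a small Python triage that reports what such logs disclose to an anonymous FTP reader (install paths, bind endpoints, .NET stack frames, product names). The sample lines are copied from the output above; the function names and pattern names are assumptions of this example.

```python
import re
from collections import defaultdict

# Log lines copied from the session output above (sample input for this example).
SAMPLE = r"""05:40:18.414 Compressed c:\SmarterMail\Logs\2025.01.29-delivery.log
23:49:20.018 Updating ClamAV database...
23:49:20.081 Could not start listening on 192.168.120.110:5222 - System.Net.Sockets.SocketException (0x80004005): The requested address is not valid in its context
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)
   at MailService.Protocols.XMPP.Core.XmppServer.StartListening(IPEndPoint ipEndPoint)
"""

# Pattern names are this example's own; each one flags a kind of detail
# that a world-readable log hands to an unauthenticated reader.
PATTERNS = {
    "windows_path": re.compile(r"\b[a-zA-Z]:\\[^\s\"']+"),
    "endpoint": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}\b"),
    "stack_frame": re.compile(r"^\s*at\s+([\w.]+)\("),
    "product": re.compile(r"\b(ClamAV|SmarterMail)\b"),
}


def triage(text):
    """Return {category: sorted unique matches} for the given log text."""
    found = defaultdict(set)
    for line in text.splitlines():
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                # Use the capture group when the pattern defines one.
                found[name].add(m.group(1) if rx.groups else m.group(0))
    return {k: sorted(v) for k, v in found.items()}


def install_roots(paths):
    """Collapse file paths to their top-level directory (e.g. c:\\SmarterMail)."""
    return sorted({"\\".join(p.split("\\")[:2]) for p in paths})


if __name__ == "__main__":
    report = triage(SAMPLE)
    for category, values in report.items():
        print(category, values)
    print("install roots:", install_roots(report.get("windows_path", [])))
```

Each category that comes back non-empty is a detail the FTP share should not expose; on the server side the fix is to disable anonymous access or move the FTP root off the mail server's data directory.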