Metasploit has an inbuilt module – ftp_version – designed specifically to scan for File Transfer Protocol (FTP) services on a network.
Let’s see how it performs against my Virtual Hacking Lab:
msf > use scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(ftp_version) > set THREADS 255
THREADS => 255
msf auxiliary(ftp_version) > run
Output:
192.168.1.79:21 FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
So, the FTP service has been identified, but does it allow anonymous login?
msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(anonymous) > set Threads 50
Threads => 50
msf auxiliary(anonymous) > run
Output:
192.168.1.79:21 Anonymous READ (220 Microsoft FTP Service)
Yep, Metasploit has detected the FTP service can be read by anyone. I was expecting Metasploit to identify anonymous write access also, but for some reason it didn’t pick this up.
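To audit the same two things on a server you administer (the banner, and whether anonymous access is read-only or read/write), here is an added example that is not part of the original post and is not Metasploit's code. The names audit_anonymous_ftp and mock_ftp_server, the "audit-probe" directory and the mock server's replies are all constructed for illustration, and testing write access by creating and removing a directory is this example's own assumption about how to check it.

```python
import ftplib
import socket
import threading


def mock_ftp_server(allow_write):
    """Constructed one-shot stand-in for a lab FTP server; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    replies = {  # constructed replies, not captured from a real server
        "USER": "331 Anonymous access allowed, send identity as password.",
        "PASS": "230 User logged in.",
        "MKD": '257 "probe" created.' if allow_write else "550 Access is denied.",
        "RMD": "250 RMD command successful.",
        "QUIT": "221 Goodbye.",
    }

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 Microsoft FTP Service\r\n")
            for raw in lines:
                verb = raw.decode().split()[0].upper()
                reply = replies.get(verb, "502 Command not implemented.")
                conn.sendall(reply.encode() + b"\r\n")
                if verb == "QUIT":
                    break
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def audit_anonymous_ftp(host, port=21, timeout=5):
    """Return (banner, access); access is 'none', 'read' or 'read/write'."""
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=timeout)
        banner = ftp.getwelcome()
        try:
            ftp.login()  # ftplib defaults to user "anonymous"
        except ftplib.error_perm:
            return banner, "none"
        try:
            ftp.mkd("audit-probe")  # write test: create a directory...
            ftp.rmd("audit-probe")  # ...and remove it again
            return banner, "read/write"
        except ftplib.error_perm:
            return banner, "read"
```

Calling audit_anonymous_ftp("127.0.0.1", mock_ftp_server(False)) runs the check against the local mock; pass True to see the read/write result.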