Pentest Copilot: FTP Exploitation Flow from Directory Enumeration to Secret Extraction

Step 1: Initialization and Secret Metadata Extraction

Pentest Copilot starts by reading valid FTP credentials from an existing Secret entity. This entity contains metadata such as:

• Target IP address (192.168.29.145)

• Username (admin)

• Protocol (ftp)

• Port (21)

• Agent ID

This ensures all actions are authenticated and logged against the correct source.

Video (0:00–0:15): Initialization and credential metadata extraction.

Step 2: FTP Directory Enumeration

The agent runs JOB_COM_NETEXEC_FTP_LISTING, recursively enumerating all directories and files available on the server. This produces a tree structure showing file paths, sizes, permissions, and timestamps.

Video (0:16–0:30): FTP directory enumeration in progress.

Step 3: Filtering Relevant Files

Not every file is interesting. The agent applies might_contain_secret(filename), scoring filenames against patterns like .env, .json, .config, .pem, and _secret.txt. This narrows down files that are most likely to contain sensitive information.

Video (0:31–0:45): Filtering files with potential secrets.

Step 4: Downloading Files

Suspicious files are downloaded locally using JOB_FUNC_DOWNLOAD_FILE. Each download is logged with a checksum and file path for reproducibility.

Video (0:46–1:00): Downloading suspicious files.

Step 5: Uploading and Extracting Secrets

Downloaded files are uploaded to an SMB staging area with upload_to_smb. Pentest Copilot then runs JOB_FUNC_EXTRACT_SECRETS_FROM_FILE, parsing files for sensitive data such as API tokens, GitHub PATs, JWTs, and database passwords.

Example from the run:

1{
2  "description": "Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.",
3  "file_path": "/tmp/tmpbxc5i67s/1746723925_VAIB1_secret.txt",
4  "line_number": 68
5}
6
7

Video (1:01–1:15): Extracting secrets from suspicious files.

Step 6: Creating File Entity

For each downloaded file, a File entity is created in the exploit graph with:

• file_path (e.g., /mnt/share/dumps/1746723925_VAIB1_secret.txt)

• file_type = "FTP File"

• confidence_level = 0.8

Video (1:16–1:25): File entity creation.

Step 7: Creating Secret Entity

Extracted secrets are normalized into Secret entities, enriched with identifiers:

• IP address (192.168.29.145)

• Username (admin)

• Protocol (ftp)

• File path (/tmp/.../secret.txt)

• ENV_KEY, ENV_SECRET values

• Metadata (line numbers, description, context)

Example Secret:

1{
2  "secret": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
3  "type": "JWT",
4  "source_file": "/tmp/tmpbxc5i67s/1746723925_VAIB1_secret.txt"
5}
6
7

Video (1:26–1:40): Secret entity creation.

Step 8: Creating Vulnerability Entity

Each discovered secret generates a Vulnerability entity documenting the risk.

• Title: Sensitive File Found on FTP Server

• Type: Information Disclosure

• Severity: HIGH (CVSS 7.8)

• Tags: FTP, File Disclosure, Sensitive Data Exposure

• Metadata: File path, extracted secret, CVE references if relevant

Video (1:41–1:55): Vulnerability entity creation.

Step 9: Linking Entities in the Exploit Graph

Finally, Pentest Copilot links all entities into a traceable chain:

File → Secret → Vulnerability

The exploit graph now shows how FTP access led to the discovery of secrets and documented vulnerabilities. This context is critical for defenders to prioritize fixes.

Video (1:56–end): Entity linkage in the graph.

Why This Matters

• Evidence-backed: Every finding is tied to a file, a secret, and a vulnerability node.

• Provenance preserved: Analysts can see exactly which file produced which secret.

• Reduced noise: Filename filtering narrows focus to high-probability files.

• Graph-based context: Shows defenders how FTP misconfigurations lead to real exposure.

Top 5 Frequently Asked Questions

1. Why target FTP if it’s considered outdated?
FTP remains common in enterprise file transfers and backups. Its lack of encryption and access controls makes it valuable for attackers.

2. How does Pentest Copilot know a file contains secrets?
It uses heuristics (might_contain_secret) combined with content-based scanning for tokens, passwords, API keys, and cloud credentials.

3. Are downloaded files safe for analysts to handle?
Yes. Files are hashed, logged, and stored in a staging area. Secrets are extracted automatically, reducing the need for manual file handling.

4. What kinds of secrets can it detect?
GitHub PATs, AWS/GCP/Azure keys, JWT tokens, database passwords, TLS private keys, and API tokens are all supported out of the box.

5. How should defenders mitigate FTP exposures?

• Replace FTP with SFTP/FTPS.

• Restrict access to least-privilege accounts.

• Audit directories regularly for sensitive files.

• Monitor for token leaks and rotate credentials frequently.

References

• RFC 959 – File Transfer Protocol

• MITRE ATT&CK – Exfiltration Over Alternative Protocol (T1048)

• OWASP – Secure File Transfer Guidelines