wireghoul / dotdotpwn

DotDotPwn - The Directory Traversal Fuzzer
http://dotdotpwn.blogspot.com/
GNU General Public License v3.0

FTP blank password specification #33

Closed tomasestacio closed 2 weeks ago

tomasestacio commented 2 weeks ago

I want to use the tool in a scenario where I need to first authenticate to an FTP server with a username and a blank password (just pressing ENTER). However, with this tool I'm not being able to specify that.

wireghoul commented 2 weeks ago

This is a very unusual edge case, the default password is set for when people forget to supply one and follows the password convention for anonymous accounts. Here are some things you might consider:

1) Set a password for the account and use a password
2) Supply a space as a password -P ' ', the FTP protocol parser on the server may not consider this a password value.
3) Supply enter as the password value -P $(echo -e "\r\n"), which shouldn't impact fuzzing due to the FTP protocol handling of empty lines
4) Temporarily change the code to default to a blank password: https://github.com/wireghoul/dotdotpwn/blob/master/dotdotpwn.pl#L136
5) Use a mitm tool or tunneling tool like stunnel to rewrite the traffic to remove the password

The reason why -P '' won't work has to do with how the program parses command line arguments and how perl handles truthy and falsey values, where an empty string is seen as a false value, setting the default value as the flag is considered missing.

Given the above options, the behaviour of perl, and how rare it is to find a case like this, I don't intend to make any changes to the code for this and I'm closing this ticket.
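An added illustration of the truthiness point made in the thread (example code written here, not dotdotpwn's own source): a `||` default swallows -P '' because an empty string is false in Perl, while the defined-or operator `//` only falls back when the option is actually absent. The Getopt::Long parse and the placeholder default value are assumptions, not the project's real option handling.

```perl
#!/usr/bin/perl
# Added example: why -P '' collapses to the default under a truthiness check,
# and how a defined-or check keeps an intentionally blank password.
# The `|| $DEFAULT` pattern below is an assumed illustration, not dotdotpwn's code.
use strict;
use warnings;
use Getopt::Long qw(GetOptionsFromArray);

my $DEFAULT_PASS = 'anon@example.invalid';   # constructed placeholder default

# Parse an argument list the way a -P <string> option would be read.
# Returns undef when -P was not given, and '' when -P '' was given.
sub parse_pass {
    my @argv = @_;
    my $pass;
    GetOptionsFromArray(\@argv, 'P=s' => \$pass) or die "bad options\n";
    return $pass;
}

# Truthiness default: both undef and '' are false, so a deliberately
# blank password is replaced by the default as if -P were missing.
sub pass_truthy  { my $p = shift; return $p || $DEFAULT_PASS; }

# Defined-or default (Perl 5.10+): only a missing option falls back,
# so '' survives and a blank password can be sent to the server.
sub pass_defined { my $p = shift; return $p // $DEFAULT_PASS; }

for my $case ( [], ['-P', ''], ['-P', ' '], ['-P', 'secret'] ) {
    my $p = parse_pass(@$case);
    printf "%-14s truthy=%-24s defined-or=%s\n",
        (@$case ? "-P '$case->[1]'" : '(no -P)'),
        "'" . pass_truthy($p)  . "'",
        "'" . pass_defined($p) . "'";
}
```

The ' ' case shows why the maintainer's second suggestion works under either check: a single space is a non-empty, non-zero string and therefore true.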