# FTP Pentesting Notes

## Protocol Overview

### Basic Information

* **Port** : TCP 21 (control), TCP 20 (data)
* **Protocol Type** : Clear-text, application layer
* **Purpose** : File transfer between client and server
* **Security** : Minimal built-in security, data transmitted in cleartext

### Connection Types

1. **Active FTP**
   * Client opens port > 1023
   * Server connects back from port 20
   * Issues with firewalls and NAT
2. **Passive FTP**
   * Client initiates all connections
   * Server provides data port > 1023
   * Better for firewalled environments
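In passive mode the client has to trust the data endpoint the server advertises in its `227` reply. The following parser is an added example (not part of the original notes) that decodes the RFC 959 `h1,h2,h3,h4,p1,p2` form and refuses a reply that points at a host other than the control-connection peer; sample replies are constructed, and the `control_host` parameter is an assumption of this example.

```python
import ipaddress
import re

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\D*(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv(reply: str, control_host: str) -> tuple[str, int]:
    """Return (host, port) of the data endpoint advertised in a 227 reply.

    A server may advertise any address in the 227 reply, so a client that
    connects there blindly can be redirected to a third host. This parser
    refuses a host that differs from the control-connection peer. IPv6
    servers use EPSV instead of PASV and are out of scope here.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of byte range")
    host = ".".join(str(o) for o in fields[:4])
    port = fields[4] * 256 + fields[5]  # port is sent as two decimal bytes
    if port < 1024:
        raise ValueError(f"server offered privileged data port {port}")
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_host):
        raise ValueError(f"PASV host {host} differs from control peer {control_host}")
    return host, port


def pasv_is_safe(reply: str, control_host: str) -> bool:
    """True if the reply parses and points back at the control peer."""
    try:
        parse_pasv(reply, control_host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed replies, not captured from any real server.
    print(parse_pasv("227 Entering Passive Mode (10,0,0,5,195,80).", "10.0.0.5"))
    print(pasv_is_safe("227 Entering Passive Mode (203,0,113,9,195,80).", "10.0.0.5"))
```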

## Initial Enumeration

### Port Scanning

```bash
# Basic Nmap scan
nmap -p21 -sV <target>

# Aggressive scan with scripts
nmap -p21 -sV -sC -A <target>

# All FTP scripts
nmap -p21 --script ftp-* <target>
```

### Banner Grabbing

```bash
# Using netcat
nc -vn <target> 21

# Using telnet
telnet <target> 21

# Using FTP
ftp -vn <target>
```

## Anonymous Access

### Testing Anonymous Login

```bash
# Method 1: Direct FTP
ftp <target>
Username: anonymous
Password: anonymous

# Method 2: cURL
curl ftp://anonymous:anonymous@<target>/

# Method 3: Browser
ftp://anonymous:anonymous@<target>/
```

### Automated Anonymous Check

```bash
# Using Nmap
nmap -p21 --script ftp-anon <target>

# Using Metasploit
use auxiliary/scanner/ftp/anonymous
```

## Brute Force Attacks

### Using Hydra

```bash
# Basic authentication
hydra -l user -P passwords.txt ftp://<target>

# Using known username list
hydra -L users.txt -P passwords.txt ftp://<target>

# Specific port
hydra -l user -P passwords.txt -s 21 <target> ftp
```

### Using Medusa

```bash
medusa -h <target> -u user -P passwords.txt -M ftp
```

### Using Ncrack

```bash
ncrack -U users.txt -P passwords.txt ftp://<target>
```
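A defender-side counterpart to the brute-force tools above, added here as an example and not part of the original notes: it runs a simple threshold rule over constructed `vsftpd.log` lines (`FAIL LOGIN` corresponds to a `530` reply, `OK LOGIN` to `230`) and additionally flags a source that logs in successfully right after a burst of failures. The log lines, the threshold and the alert wording are assumptions of this example.

```python
import re
from collections import defaultdict

# vsftpd.log login records (format as written by vsftpd's default logger)
LOG_RE = re.compile(r'^(?P<ts>.{24}) \[pid \d+\] \[(?P<user>[^\]]*)\] '
                    r'(?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

# Constructed sample log, not taken from any real server.
CONSTRUCTED_LOG = """\
Thu Mar 14 10:00:01 2024 [pid 2101] [admin] FAIL LOGIN: Client "10.0.0.7"
Thu Mar 14 10:00:02 2024 [pid 2102] [admin] FAIL LOGIN: Client "10.0.0.7"
Thu Mar 14 10:00:02 2024 [pid 2103] [root] FAIL LOGIN: Client "10.0.0.7"
Thu Mar 14 10:00:03 2024 [pid 2104] [ftp] FAIL LOGIN: Client "10.0.0.7"
Thu Mar 14 10:00:04 2024 [pid 2105] [admin] OK LOGIN: Client "10.0.0.7"
Thu Mar 14 10:05:00 2024 [pid 2110] [alice] OK LOGIN: Client "10.0.0.9"
Thu Mar 14 10:06:00 2024 [pid 2111] [alice] FAIL LOGIN: Client "10.0.0.9"
"""


def analyze(log_text: str, threshold: int = 3) -> list:
    """Return alerts: one when a client reaches `threshold` failed logins,
    and one when a client succeeds after already crossing that threshold."""
    fails = defaultdict(int)        # source IP -> failed login count
    users = defaultdict(set)        # source IP -> usernames attempted
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # not a login record (e.g. transfer lines)
        ip, user, result = m["ip"], m["user"], m["result"]
        if result == "FAIL":
            fails[ip] += 1
            users[ip].add(user)
            if fails[ip] == threshold:   # alert once, when the threshold is hit
                alerts.append(f"BRUTE {ip}: {threshold} failed logins "
                              f"across {len(users[ip])} usernames")
        elif fails[ip] >= threshold:     # success after a burst of failures
            alerts.append(f"COMPROMISE? {ip}: login as {user!r} "
                          f"after {fails[ip]} failures")
    return alerts


if __name__ == "__main__":
    for alert in analyze(CONSTRUCTED_LOG):
        print(alert)
```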

## Common NSE Scripts

```bash
# Run all FTP scripts
nmap --script ftp-* -p 21 <target>

# Important individual scripts
nmap -p21 --script ftp-anon <target>        # Anonymous access
nmap -p21 --script ftp-brute <target>       # Brute force
nmap -p21 --script ftp-syst <target>        # System info
nmap -p21 --script ftp-proftpd-backdoor <target>  # ProFTPD backdoor
nmap -p21 --script ftp-vsftpd-backdoor <target>   # VSFTPD backdoor
nmap -p21 --script ftp-vuln* <target>       # Vulnerabilities
```

## File Operations

### Downloading Files

```bash
# Using FTP
ftp> get file.txt
ftp> mget *.txt

# Using wget (mirror recursively; force active mode if the server's PASV fails)
wget -m --no-passive-ftp ftp://anonymous:anonymous@<target>/

# Using cURL
curl -O ftp://anonymous:anonymous@<target>/file.txt
```

### Uploading Files

```bash
# Using FTP
ftp> put local.txt
ftp> mput *.txt

# Using cURL
curl -T local.txt ftp://user:pass@<target>/
```

## TFTP Operations (UDP/69)

```bash
# Connect
tftp <target>

# Commands
> connect
> get file.txt
> put file.txt
> status
> verbose
> quit
```

## Advanced Techniques

### FTP Bounce Attack

```bash
# Check for bounce
nmap -Pn -p21 --script ftp-bounce <target>

# Manual test: send a raw PORT command (RFC 959 h1,h2,h3,h4,p1,p2 form,
# port = p1*256 + p2); a 200 reply means the server accepted a third-party address
ftp> quote PORT <h1>,<h2>,<h3>,<h4>,<p1>,<p2>
```

### FTPS (FTP over SSL/TLS)

```bash
# Test SSL/TLS (explicit FTPS: AUTH TLS on the control port)
openssl s_client -connect <target>:21 -starttls ftp

# Connect using lftp, then enable TLS from the lftp prompt
lftp -u <username>,<password> -p 21 <target>
lftp> set ssl:verify-certificate no   # testing only: disables certificate validation
lftp> set ftp:ssl-force true
```

## Configuration Files

### Server Configuration

* **VSFTPD** : `/etc/vsftpd.conf`
* **ProFTPD** : `/etc/proftpd/proftpd.conf`
* **Pure-FTPd** : `/etc/pure-ftpd/pure-ftpd.conf`
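When one of these configuration files turns up during an engagement (or in a hardening review), the settings worth checking first are the ones behind the findings listed later on this page: anonymous access, anonymous write, missing chroot and cleartext logins. The following audit is an added example, not part of the original notes or of vsftpd itself; the two sample configurations are constructed, and the defaults applied for absent options follow the `vsftpd.conf` man page (distribution packages may ship different values).

```python
# Constructed sample configs (not taken from any real host).
WEAK_CONF = """\
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chroot_local_user=NO
ssl_enable=NO
"""
HARDENED_CONF = """\
anonymous_enable=NO
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
"""

# option -> (vsftpd default when absent, expected value, finding text).
# Defaults follow the vsftpd.conf man page; distro packages may differ.
RULES = {
    "anonymous_enable": ("YES", "NO", "anonymous login permitted"),
    "anon_upload_enable": ("NO", "NO", "anonymous users may upload"),
    "anon_mkdir_write_enable": ("NO", "NO", "anonymous users may create directories"),
    "chroot_local_user": ("NO", "YES", "local users not confined to their home"),
    "ssl_enable": ("NO", "YES", "credentials and data travel in cleartext"),
    "force_local_logins_ssl": ("YES", "YES", "plaintext logins still accepted"),
}


def parse_conf(text: str) -> dict:
    """Parse vsftpd's key=value format, ignoring blanks and # comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip().upper()
    return opts


def audit(text: str) -> list:
    """Return one finding string per rule the configuration violates."""
    opts = parse_conf(text)
    findings = []
    for opt, (default, expected, msg) in RULES.items():
        if opt.startswith("force_local") and opts.get("ssl_enable", "NO") != "YES":
            continue  # already covered by the ssl_enable finding
        actual = opts.get(opt, default)
        if actual != expected:
            findings.append(f"{opt}={actual}: {msg}")
    return findings
```

Note that an empty file is not a clean result: with the man-page defaults, `audit("")` still reports anonymous login, missing chroot and cleartext.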

### User Restrictions

* **Denied Users** : `/etc/ftpusers`
* **User List** : `/etc/vsftpd.user_list`

## Common Vulnerabilities

1. **Anonymous Access** :
   * Default enabled
   * Weak configuration
   * Public read/write access
2. **Version-specific** :
   * vsftpd 2.3.4 backdoor
   * ProFTPD vulnerabilities
   * Buffer overflows
3. **Configuration Issues** :
   * Clear-text credentials
   * Weak file permissions
   * Directory traversal
   * FTP bounce enabled

## Post Exploitation

### Information Gathering

* List all accessible directories
* Check for sensitive files
* Examine file permissions
* Look for configuration files
* Search for user information

### Privilege Escalation

* Check upload directories for execute permissions
* Look for writable configuration files
* Test for directory traversal
* Search for sensitive data in FTP home directories

## Common FTP Response Codes

| Code | Meaning                    |
| ---- | -------------------------- |
| 230  | Login successful           |
| 530  | Login incorrect            |
| 331  | Username OK, need password |
| 221  | Goodbye                    |
| 500  | Syntax error               |
| 550  | File unavailable           |

## Best Practices for Pentesting

1. **Initial Reconnaissance** :
   * Identify FTP service version
   * Check for anonymous access
   * Banner grab for information
   * Test default credentials
2. **Deep Enumeration** :
   * Run vulnerability scans
   * Test authentication methods
   * Check file permissions
   * Look for sensitive data
   * Test upload capabilities
3. **Documentation** :
   * Record all findings
   * Note server configuration
   * Document vulnerabilities
   * Save evidence for reporting
4. **Risk Assessment** :
   * Evaluate impact of findings
   * Consider data sensitivity
   * Assess exploitation potential
   * Recommend mitigations
