FTP Pentesting Notes

Protocol Overview

Basic Information

Port : TCP 21 (control), TCP 20 (data)
Protocol Type : Clear-text, application layer
Purpose : File transfer between client and server
Security : Minimal built-in security, data transmitted in cleartext

Connection Types

Active FTP
- Client opens port > 1023
- Server connects back from port 20
- Issues with firewalls and NAT
Passive FTP
- Client initiates all connections
- Server provides data port > 1023
- Better for firewalled environments

Initial Enumeration

Port Scanning

# Basic Nmap scan
nmap -p21 -sV <target>

# Aggressive scan with scripts
nmap -p21 -sV -sC -A <target>

# All FTP scripts
nmap -p21 --script ftp-* <target>

Banner Grabbing

# Using netcat
nc -vn <target> 21

# Using telnet
telnet <target> 21

# Using FTP
ftp -vn <target>

Anonymous Access

# Method 1: Direct FTP
ftp <target>
Username: anonymous
Password: anonymous

# Method 2: cURL
curl ftp://anonymous:anonymous@<target>/

# Method 3: Browser
ftp://anonymous:anonymous@<target>/

Automated Anonymous Check

# Using Nmap
nmap -p21 --script ftp-anon <target>

# Using Metasploit
use auxiliary/scanner/ftp/anonymous

Brute Force Attacks

Using Hydra

# Basic authentication
hydra -l user -P passwords.txt ftp://<target>

# Using known username list
hydra -L users.txt -P passwords.txt ftp://<target>

# Specific port
hydra -l user -P passwords.txt -s 21 <target> ftp

Using Medusa

medusa -h <target> -u user -P passwords.txt -M ftp

Using Ncrack

ncrack -U users.txt -P passwords.txt ftp://<target>

Common NSE Scripts

# Run all FTP scripts
nmap --script ftp-* -p 21 <target>

# Important individual scripts
nmap -p21 --script ftp-anon <target>        # Anonymous access
nmap -p21 --script ftp-brute <target>       # Brute force
nmap -p21 --script ftp-syst <target>        # System info
nmap -p21 --script ftp-proftpd-backdoor <target>  # ProFTPD backdoor
nmap -p21 --script ftp-vsftpd-backdoor <target>   # VSFTPD backdoor
nmap -p21 --script ftp-vuln* <target>       # Vulnerabilities

File Operations

Downloading Files

# Using FTP
ftp> get file.txt
ftp> mget *.txt

# Using wget
wget -m --no-passive ftp://anonymous:anonymous@<target>/

# Using cURL
curl -O ftp://anonymous:anonymous@<target>/file.txt

Uploading Files

# Using FTP
ftp> put local.txt
ftp> mput *.txt

# Using cURL
curl -T local.txt ftp://user:pass@<target>/

TFTP Operations (UDP/69)

# Connect
tftp <target>

# Commands
> connect
> get file.txt
> put file.txt
> status
> verbose
> quit

Advanced Techniques

FTP Bounce Attack

# Check for bounce
nmap -Pn -p21 --script ftp-bounce <target>

# Manual test
ftp> PORT <target>,port1,port2

FTPS (FTP over SSL/TLS)

# Test SSL/TLS
openssl s_client -connect <target>:21 -starttls ftp

# Connect using lftp
lftp -u username,password -p 21 target
set ssl:verify-certificate no
set ftp:ssl-force true

Configuration Files

Server Configuration

VSFTPD : /etc/vsftpd.conf
ProFTPD : /etc/proftpd/proftpd.conf
Pure-FTPd : /etc/pure-ftpd/pure-ftpd.conf

User Restrictions

Denied Users : /etc/ftpusers
User List : /etc/vsftpd.user_list

Common Vulnerabilities

Anonymous Access :
- Default enabled
- Weak configuration
- Public read/write access
Version-specific :
- vsftpd 2.3.4 backdoor
- ProFTPD vulnerabilities
- Buffer overflows
Configuration Issues :
- Clear-text credentials
- Weak file permissions
- Directory traversal
- FTP bounce enabled

Post Exploitation

Information Gathering

List all accessible directories
Check for sensitive files
Examine file permissions
Look for configuration files
Search for user information

Privilege Escalation

Check upload directories for execute permissions
Look for writable configuration files
Test for directory traversal
Search for sensitive data in FTP home directories

Common FTP Response Codes

Code

Meaning

230

530

331

Username OK, need password

221

Goodbye

500

Syntax error

550

File unavailable

Best Practices for Pentesting

Initial Reconnaissance :
- Identify FTP service version
- Check for anonymous access
- Banner grab for information
- Test default credentials
Deep Enumeration :
- Run vulnerability scans
- Test authentication methods
- Check file permissions
- Look for sensitive data
- Test upload capabilities
Documentation :
- Record all findings
- Note server configuration
- Document vulnerabilities
- Save evidence for reporting
Risk Assessment :
- Evaluate impact of findings
- Consider data sensitivity
- Assess exploitation potential
- Recommend mitigations

PreviousFootprinting - Enumeration and Information Gathering Notes NextSMB Pentesting Notes

Last updated 1 year ago

hashtagProtocol Overview

hashtagBasic Information

hashtagConnection Types

hashtagInitial Enumeration

hashtagPort Scanning

hashtagBanner Grabbing

hashtagAnonymous Access

hashtagTesting Anonymous Login

hashtagAutomated Anonymous Check

hashtagBrute Force Attacks

hashtagUsing Hydra

hashtagUsing Medusa

hashtagUsing Ncrack

hashtagCommon NSE Scripts

hashtagFile Operations

hashtagDownloading Files

hashtagUploading Files

hashtagTFTP Operations (UDP/69)

hashtagAdvanced Techniques

hashtagFTP Bounce Attack

hashtagFTPS (FTP over SSL/TLS)

hashtagConfiguration Files

hashtagServer Configuration

hashtagUser Restrictions

hashtagCommon Vulnerabilities

hashtagPost Exploitation

hashtagInformation Gathering

hashtagPrivilege Escalation

hashtagCommon FTP Response Codes

hashtagBest Practices for Pentesting

Protocol Overview

Basic Information

Connection Types

Initial Enumeration

Port Scanning

Banner Grabbing

Anonymous Access

Testing Anonymous Login

Automated Anonymous Check

Brute Force Attacks

Using Hydra

Using Medusa

Using Ncrack

Common NSE Scripts

File Operations

Downloading Files

Uploading Files

TFTP Operations (UDP/69)

Advanced Techniques

FTP Bounce Attack

FTPS (FTP over SSL/TLS)

Configuration Files

Server Configuration

User Restrictions

Common Vulnerabilities

Post Exploitation

Information Gathering

Privilege Escalation

Common FTP Response Codes

Best Practices for Pentesting