FTP Pentesting Notes

Protocol Overview

Basic Information

  • Port : TCP 21 (control), TCP 20 (data)

  • Protocol Type : Clear-text, application layer

  • Purpose : File transfer between client and server

  • Security : Minimal built-in security, data transmitted in cleartext

Connection Types

  1. Active FTP

    • Client opens port > 1023

    • Server connects back from port 20

    • Issues with firewalls and NAT

  2. Passive FTP

    • Client initiates all connections

    • Server provides data port > 1023

    • Better for firewalled environments

Initial Enumeration

Port Scanning

# Basic Nmap scan
nmap -p21 -sV <target>

# Aggressive scan with scripts
nmap -p21 -sV -sC -A <target>

# All FTP scripts
nmap -p21 --script ftp-* <target>
# Using netcat
nc -vn <target> 21

# Using telnet
telnet <target> 21

# Using FTP
ftp -vn <target>

Anonymous Access

Testing Anonymous Login

# Method 1: Direct FTP
ftp <target>
Username: anonymous
Password: anonymous

# Method 2: cURL
curl ftp://anonymous:anonymous@<target>/

# Method 3: Browser
ftp://anonymous:anonymous@<target>/

Automated Anonymous Check

# Using Nmap
nmap -p21 --script ftp-anon <target>

# Using Metasploit
use auxiliary/scanner/ftp/anonymous

Brute Force Attacks

Using Hydra

# Basic authentication
hydra -l user -P passwords.txt ftp://<target>

# Using known username list
hydra -L users.txt -P passwords.txt ftp://<target>

# Specific port
hydra -l user -P passwords.txt -s 21 <target> ftp

Using Medusa

medusa -h <target> -u user -P passwords.txt -M ftp

Using Ncrack

ncrack -U users.txt -P passwords.txt ftp://<target>

Common NSE Scripts

# Run all FTP scripts
nmap --script ftp-* -p 21 <target>

# Important individual scripts
nmap -p21 --script ftp-anon <target>        # Anonymous access
nmap -p21 --script ftp-brute <target>       # Brute force
nmap -p21 --script ftp-syst <target>        # System info
nmap -p21 --script ftp-proftpd-backdoor <target>  # ProFTPD backdoor
nmap -p21 --script ftp-vsftpd-backdoor <target>   # VSFTPD backdoor
nmap -p21 --script ftp-vuln* <target>       # Vulnerabilities

File Operations

Downloading Files

# Using FTP
ftp> get file.txt
ftp> mget *.txt

# Using wget
wget -m --no-passive ftp://anonymous:anonymous@<target>/

# Using cURL
curl -O ftp://anonymous:anonymous@<target>/file.txt

Uploading Files

# Using FTP
ftp> put local.txt
ftp> mput *.txt

# Using cURL
curl -T local.txt ftp://user:pass@<target>/

TFTP Operations (UDP/69)

# Connect
tftp <target>

# Commands
> connect
> get file.txt
> put file.txt
> status
> verbose
> quit

Advanced Techniques

FTP Bounce Attack

# Check for bounce
nmap -Pn -p21 --script ftp-bounce <target>

# Manual test
ftp> PORT <target>,port1,port2

FTPS (FTP over SSL/TLS)

# Test SSL/TLS
openssl s_client -connect <target>:21 -starttls ftp

# Connect using lftp
lftp -u username,password -p 21 target
set ssl:verify-certificate no
set ftp:ssl-force true

Configuration Files

Server Configuration

  • VSFTPD : /etc/vsftpd.conf

  • ProFTPD : /etc/proftpd/proftpd.conf

  • Pure-FTPd : /etc/pure-ftpd/pure-ftpd.conf

User Restrictions

  • Denied Users : /etc/ftpusers

  • User List : /etc/vsftpd.user_list

Common Vulnerabilities

  1. Anonymous Access :

    • Default enabled

    • Weak configuration

    • Public read/write access

  2. Version-specific :

    • vsftpd 2.3.4 backdoor

    • ProFTPD vulnerabilities

    • Buffer overflows

  3. Configuration Issues :

    • Clear-text credentials

    • Weak file permissions

    • Directory traversal

    • FTP bounce enabled

Post Exploitation

Information Gathering

  • List all accessible directories

  • Check for sensitive files

  • Examine file permissions

  • Look for configuration files

  • Search for user information

Privilege Escalation

  • Check upload directories for execute permissions

  • Look for writable configuration files

  • Test for directory traversal

  • Search for sensitive data in FTP home directories

Common FTP Response Codes

Code
Meaning

230

Login successful

530

Login incorrect

331

Username OK, need password

221

Goodbye

500

Syntax error

550

File unavailable

Best Practices for Pentesting

  1. Initial Reconnaissance :

    • Identify FTP service version

    • Check for anonymous access

    • Banner grab for information

    • Test default credentials

  2. Deep Enumeration :

    • Run vulnerability scans

    • Test authentication methods

    • Check file permissions

    • Look for sensitive data

    • Test upload capabilities

  3. Documentation :

    • Record all findings

    • Note server configuration

    • Document vulnerabilities

    • Save evidence for reporting

  4. Risk Assessment :

    • Evaluate impact of findings

    • Consider data sensitivity

    • Assess exploitation potential

    • Recommend mitigations

PreviousFootprinting - Enumeration and Information Gathering NotesNextSMB Pentesting Notes

Last updated