
FTP - 21

The File Transfer Protocol (FTP) is a standard protocol for transferring files across a computer network between a server and a client. It is a plain-text protocol that uses 0x0d 0x0a (CRLF) as its newline sequence, so you sometimes need to connect using telnet or nc -C.

  • Default port: 21

Enumeration

ftp 10.10.10.10 # Connect to the FTP server
ftp> status # Overview of the FTP server's settings
ftp> debug # Displays more information
ftp> trace # Displays more information
ftp> ls -R # Recursive listing
ftp> get file.txt # Download a file
ftp> put newfile.txt # Upload a file
ftp> mget file.txt file2.txt file3.txt # Download multiple files
ftp> mput newfile.txt newfile1.txt newfile2.txt # Upload multiple files

wget -m --no-passive ftp://username:password@10.10.10.10 # Download everything

ls /usr/share/nmap/scripts/ | grep ftp
ftp-anon.nse
ftp-bounce.nse
ftp-brute.nse
ftp-libopie.nse
ftp-proftpd-backdoor.nse
ftp-syst.nse
ftp-vsftpd-backdoor.nse
ftp-vuln-cve2010-4221.nse
tftp-enum.nse
tftp-version.nse

Bruteforce Credentials

We can use medusa or hydra to bruteforce this protocol.

Hydra

Medusa

FTP Bounce Attack

We can use the FTP bounce attack to enumerate an internal network. Nmap has a feature to perform this attack easily:

nmap -Pn -v -n -p80 -b username:password@10.10.10.10 192.168.1.34
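
On the server side, a bounce scan like the one above shows up as PORT (or EPRT) commands that name an address other than the client's own, often with a low port. The following is an added example, not part of the original page, that flags such commands in a command log; the log layout, sample lines and function names are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample log (assumed layout): "<time> <client-ip> <FTP command>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 USER username
2024-05-01T10:00:02Z 198.51.100.7 PORT 198,51,100,7,195,80
2024-05-01T10:00:03Z 198.51.100.7 PORT 192,168,1,34,0,80
2024-05-01T10:00:04Z 198.51.100.7 EPRT |1|192.168.1.35|22|
2024-05-01T10:00:05Z 198.51.100.7 PORT 198,51,100,7,0,25
2024-05-01T10:00:06Z 198.51.100.7 PORT 1,2,3
"""

PORT_RE = re.compile(r"PORT ((?:\d{1,3},){5}\d{1,3})$", re.I)
EPRT_RE = re.compile(r"EPRT \|[12]\|([^|]+)\|(\d{1,5})\|$", re.I)

def parse_target(command):
    """Return (ip, port) named by a PORT or EPRT command, else None."""
    try:
        if m := PORT_RE.match(command):
            n = [int(x) for x in m.group(1).split(",")]
            if max(n) > 255:
                return None
            return ipaddress.ip_address(".".join(map(str, n[:4]))), n[4] * 256 + n[5]
        if m := EPRT_RE.match(command):
            return ipaddress.ip_address(m.group(1)), int(m.group(2))
    except ValueError:
        pass
    return None

def find_bounce_attempts(log_text):
    """Flag data-connection requests aimed at a third party or a low port."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        target = parse_target(parts[2].strip()) if len(parts) == 3 else None
        if target is None:
            continue
        ip, port = target
        reasons = []
        if ip != ipaddress.ip_address(parts[1]):
            reasons.append("address differs from client")
        if port < 1024:
            reasons.append("port below 1024")
        if reasons:
            findings.append((parts[0], str(ip), port, reasons))
    return findings

if __name__ == "__main__":
    print(*find_bounce_attempts(SAMPLE_LOG), sep="\n")
```

A server that rejects both conditions outright, instead of only logging them, cannot be used as the relay in the nmap command shown above.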