Overview
The File Transfer Protocol (FTP) is a common protocol that is used across all operating systems to aid in remote file transfers between a client and server. FTP is a plaintext protocol, meaning that communication between a client and server are not encrypted. There is a secure version of FTP called SFTP that operates over the SSH port 22.
A number of different FTP application exist that provide added functionality in addition to the native FTP tool, some of those commonly encountered are:
- FileZilla
- CyberDuck
- WinSCP
- FireFTP
Apart from individual application vulnerabilities that can be exploited to gain file or remote access to a host machine, there are a number of actions that can be taken to enumerate objects.
Reconnaissance
Port Scanning and Enumeration
Nmap has various scripts that can be run against the different versions, running a generic initial scan and including the -sC or -A flag will automatically scan with default scripts such as ftp-syst, and ftp-anon.
| Nmap Script | Description |
|---|---|
| ftp-syst | Sends FTP SYST and STAT commands, returning the result |
| ftp-anon | Checks if an FTP server allows anonymous logins. |
To run all FTP scripts against a target (noisy), the below Nmap command can be used:
1
sudo nmap -sC --script ftp-* -p 21 %IP%
Output
The following is the output provided by running a standard scan on target 10.10.10.10. Note that NSE scripts identify that Anonymous login is allowed (status code 230 - Login Successful), the FTP version is vsftpd 3.0.3, and two files were identified being hosted.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
sudo nmap -A 10.10.10.10
...
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
|_-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.10.9
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
Connecting to a Remote FTP Server
In some cases, anonymous login to a remote FTP server will be allowed, enabling access to particular files or shared directories without authentication. In such cases, a common list of credentials are:
| Username | Password |
|---|---|
| anonymous | |
| anonymous | anonymous |
| ftp | ftp |
1
2
3
4
5
6
7
ftp 10.10.10.10
# List all files, including those hidden
ls -a
# Download a file
mget allowed.userlist