The File Transfer Protocol (FTP) is a standard protocol for file transfer between a server and client over a network. It is a plain-text protocol that uses 0x0d 0x0a (CRLF) as the newline sequence, so a manual connection sometimes has to be made with telnet or nc -C, which send CRLF line endings.
Default Port: 21
Enumeration
Banner Grabbing
nc -vn <IP> 21
openssl s_client -connect crossfit.htb:21 -starttls ftp # Get cert if any
Nmap Scan
sudo nmap -sV -p21 -sC -A 10.10.10.10
nmap --script ftp-* -p 21 <IP> # All FTP scripts including anon check
HELP and FEAT Commands
HELP # List supported commands
FEAT # List server features (AUTH TLS, MLST, UTF8, etc.)
STAT # Server info (version, configs, status)
Anonymous Login
ftp <IP>
> anonymous
> anonymous # or empty password
> ls -a # List all files including hidden
> binary # Set binary transfer mode
> ascii # Set ASCII transfer mode
> bye # Exit
Default credentials to try:
anonymous : anonymous
anonymous : (empty)
ftp : ftp
Connect with STARTTLS
lftp
lftp :~> set ftp:ssl-force true
lftp :~> set ssl:verify-certificate no
lftp :~> connect 10.10.10.208
lftp 10.10.10.208:~> login username Password
Brute Force
hydra -t 1 -l <Username> -P <Big_Passwordlist> -vV <IP> ftp
Download All Files
wget -m ftp://anonymous:<PASSWORD>@<IP> # Download all
wget -m --no-passive ftp://anonymous:<PASSWORD>@<IP>
# With special characters in credentials
wget -r --user="USERNAME" --password="PASSWORD" ftp://server.com/
FTP Commands Reference
| Command | Description |
|---|---|
| USER username | Send username |
| PASS password | Send password |
| PORT 127,0,0,1,0,80 | Tell server to connect back to IP:port |
| EPRT \|2\|127.0.0.1\|80\| | PORT with IPv6 support |
| LIST | List current directory |
| LIST -R | Recursive list |
| RETR /path/file | Download a file |
| STOR /path/file | Upload and overwrite a file |
| APPE /path/file | Upload and append to file |
| REST 6 | Resume from byte offset |
| TYPE i | Set binary transfer |
| PASV | Open passive connection |
FTP Bounce Attack
Some FTP servers allow the PORT command, enabling port scanning through the FTP server:
# Scan ports through FTP bounce
nmap -b <FTP_user>:<FTP_pass>@<FTP_IP> <Target_IP>
# Manual technique:
# 1. Upload a request file to the vulnerable FTP server
# 2. Use REST X to skip unwanted bytes
# 3. Use PORT to connect to target
# 4. Use RETR to send the saved request
Browser Connection
If a web application sends user-controlled data directly to an FTP server, you can inject double URL-encoded %250d%250a bytes to make the FTP server perform arbitrary actions.
FileZilla Server Vulnerability
FileZilla often binds an Administrative service on port 14147. If you can tunnel to this port from your machine, you can connect with a blank password and create new FTP users.
FTP Root Mapped to Webroot (XAMPP)
XAMPP/ProFTPD often maps FTP root to /opt/lampp/htdocs. Weak credentials on service accounts like daemon allow uploading a PHP web shell directly into the webroot.
Config Files
/etc/vsftpd.conf
/etc/proftpd.conf
/etc/ftpusers
/etc/ftp.conf
Dangerous vsftpd Settings
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
local_enable=YES
write_enable=YES
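An added example (not from the original page): a small Python audit that reads a vsftpd.conf and reports which of the settings listed above are explicitly enabled, and whether together they give anonymous users write access. The function names and the sample config are constructed for illustration. It assumes a later line overrides an earlier one, treats YES/TRUE/1 as true, and looks only at options set in the file, not at compiled-in defaults.

```python
# Added example: flag the vsftpd.conf settings this page lists as dangerous.
DANGEROUS = ("anonymous_enable", "anon_upload_enable",
             "anon_mkdir_write_enable", "local_enable", "write_enable")
TRUTHY = {"YES", "TRUE", "1"}  # assumption: spellings treated as boolean true

# Constructed sample config (not taken from a real server).
SAMPLE = """\
# constructed sample
anonymous_enable=NO
listen=YES
local_enable=YES
write_enable=YES
#anon_upload_enable=YES
anonymous_enable=YES
anon_mkdir_write_enable=yes
"""


def parse_vsftpd_conf(text):
    """Return {option: value}; a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit(text):
    """List dangerous options that are explicitly enabled, plus combined risk."""
    settings = parse_vsftpd_conf(text)
    enabled = [k for k in DANGEROUS if settings.get(k, "").upper() in TRUTHY]
    findings = [f"{k}={settings[k]}" for k in enabled]
    anon_write = {"anon_upload_enable", "anon_mkdir_write_enable"} & set(enabled)
    if anon_write and {"anonymous_enable", "write_enable"} <= set(enabled):
        findings.append("anonymous users can write: " + ", ".join(sorted(anon_write)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("[!]", finding)
```

To check a real server, pass the contents of /etc/vsftpd.conf to audit() instead of SAMPLE.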
Shodan Queries