# FTP ## ABOUT **File Transfer Protocol** is a standard communication **protocol** used for the transfer of computer files from a server to a client on a computer network. **FTP** is built on a **client–server** model, and by default is using **port 21.** In **active FTP**, the client connects to the server’s command port (usually port 21) and tells the server which port it opened for data. The server then initiates the data connection back to the client’s specified port. This can cause issues if the client is behind a firewall or NAT that blocks incoming connections. In **passive FTP**, the client connects to the server’s command port and requests passive mode. The server then opens a random port and tells the client to connect to it for data transfer. This allows the client to initiate both connections, making it more firewall-friendly. ## COMMANDS | Command | Description | | ---------------------------------------- | ------------------------------------------------------------------ | | `USER` | specifies the user to log in as. | | `PASS` | sends the password for the user attempting to log in. | | `PORT` | when in active mode, this will change the data port used. | | `PASV` | switches the connection to the server from active mode to passive. | | `LIST` | displays a list of the files in the current directory. | | `CWD` | will change the current working directory to one specified. | | `PWD` | prints out the directory you are currently working in. | | `SIZE` | will return the size of a file specified. | | `RETR` | retrieves the file from the FTP server. | | `QUIT` | ends the session. | ## USAGE #### Connect ```bash ftp 13.13.13.13 ``` #### Commands ```bash get or mput - download a file or files put or mput - upload a file or files status - more info about server ls cd - moving in directories ``` ## TFTP **vsFTPd** is one of the most used FTP servers on Linux-based distributions. The default configuration of vsFTPd can be found in **/etc/vsftpd.conf**. Users, for which access to FTP server is forbidden could be found at **`/etc/ftpusers`** file ## Dangerous Config Settings * **`anonymous_enable=YES`** - Allowing anonymous login? * **`anon_upload_enable=YES`** - Allowing anonymous to upload files? * **`anon_mkdir_write_enable=YES`** - Allowing anonymous to create new directories? * **`no_anon_password=YES`** - Do not ask anonymous for password? * **`anon_root=/home/username/ftp`** - Directory for anonymous. * **`write_enable=YES`** - Allow the usage of FTP commands ## Bruteforcing We could do a FTP server **bruteforcing** or **password** spraying with **Medusa** ```bash medusa -u v17 -P /usr/share/wordlists/rockyou.txt -h 13.13.13.13 -M ftp ``` **Options:** * **`-u`** for username and **`-U`** for list * **`-p`** for password and **`-P`** for list * **`-h`** for host * **`-M`** for protocol ## FTP Bounce Attack We are using a **ftp** **`PORT`** command to trick **ftp server** into running command and getting information from device other than **ftp server**. As example we could use this to **scan the network** through **ftp**. You could look here for more explanation[ **\[LINK\]**](https://www.geeksforgeeks.org/what-is-ftp-bounce-attack/)**.** For making ftp bounce attack nmap scan we could use **`-b`** option: ```bash nmap -Pn -v -n -p80 -b v17:amogus@13.13.13.13 69.69.69.69 Where 13.13.13.13 is ftp server ``` ## Tips2Hack 1. Try to use anonymous login, config allows that, you could lurk for some juicy info. For this just use **anonymous** as login name, and left password empty. 2. If config allows, you could lurk even faster through directories with recursive listing **`ls -R`** 3. To download a file you need to use **`get`** command and to upload you need **`put`** and also you could use **`status`** to get more info about server and FTP state 4. To **download** **all** **files** you need to use ```bash wget -m --no-passive ftp://anonymous:anonymous@13.13.13.13 ``` 5. Check all available nmap ftp scripts: ```bash find / -type f -name ftp* 2>/dev/null | grep scripts ```