FTP

ABOUT

File Transfer Protocol (FTP) is a standard communication protocol used to transfer computer files from a server to a client on a computer network. FTP is built on a client–server model and by default uses port 21.

In active FTP, the client connects to the server’s command port (usually port 21) and tells the server which port it opened for data. The server then initiates the data connection back to the client’s specified port. This can cause issues if the client is behind a firewall or NAT that blocks incoming connections.

In passive FTP, the client connects to the server’s command port and requests passive mode. The server then opens a random port and tells the client to connect to it for data transfer. This allows the client to initiate both connections, making it more firewall-friendly.

COMMANDS

Command - Description

USER - specifies the user to log in as.
PASS - sends the password for the user attempting to log in.
PORT - when in active mode, this will change the data port used.
PASV - switches the connection to the server from active mode to passive.
LIST - displays a list of the files in the current directory.
CWD - will change the current working directory to one specified.
PWD - prints out the directory you are currently working in.
SIZE - will return the size of a file specified.
RETR - retrieves the file from the FTP server.
QUIT - ends the session.

USAGE

Connect

ftp 13.13.13.13

Commands

get or mget - download a file or files
put or mput - upload a file or files
status - more info about server
ls, cd - list and move between directories

TFTP

vsFTPd is one of the most used FTP servers on Linux-based distributions. The default configuration of vsFTPd can be found in /etc/vsftpd.conf. Users for whom access to the FTP server is forbidden are listed in the /etc/ftpusers file.

Dangerous Config Settings

  • anonymous_enable=YES - Allowing anonymous login?

  • anon_upload_enable=YES - Allowing anonymous to upload files?

  • anon_mkdir_write_enable=YES - Allowing anonymous to create new directories?

  • no_anon_password=YES - Do not ask anonymous for password?

  • anon_root=/home/username/ftp - Directory for anonymous.

  • write_enable=YES - Allow the usage of FTP commands that change the filesystem

Bruteforcing

We can brute-force or password-spray an FTP server with Medusa:

medusa -u v17 -P /usr/share/wordlists/rockyou.txt -h 13.13.13.13 -M ftp 

Options:

  • -u for username and -U for list

  • -p for password and -P for list

  • -h for host

  • -M for protocol

FTP Bounce Attack

The attack uses the FTP PORT command to trick the FTP server into running commands against, and getting information from, a device other than the FTP server itself. For example, this can be used to scan the network through the FTP server. To run an FTP bounce scan with nmap, use the -b option:

nmap -Pn -v -n -p80 -b v17:amogus@13.13.13.13 69.69.69.69
where 13.13.13.13 is the FTP server.
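From the server operator's side, a bounce attempt is visible on the control channel as a PORT command whose address is not the client's own. The following is an added example, not code from the original page: it decodes the PORT argument (h1,h2,h3,h4,p1,p2 per RFC 959) and flags third-party addresses and ports below 1024, the checks RFC 2577 recommends. The event tuples and verdict names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: (client IP seen on the control connection, command line).
SAMPLE_EVENTS = [
    ("198.51.100.7", "USER v17"),
    ("198.51.100.7", "PORT 198,51,100,7,195,80"),  # own address, port 50000
    ("198.51.100.7", "PORT 10,0,0,5,0,80"),        # third-party host, port 80
    ("198.51.100.7", "PORT 198,51,100,7,0,22"),    # own address, port 22
    ("198.51.100.7", "PORT 10,0,0,999,0,80"),      # octet out of range
]


def parse_port(line):
    """Return (IPv4Address, port) for a PORT command, None for other commands.

    Raises ValueError if the command is PORT but the argument is malformed.
    """
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        return None
    parts = arg.strip().split(",")
    if len(parts) != 6 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("malformed PORT argument")
    nums = [int(p) for p in parts]
    # Four address octets, then the port as high byte and low byte.
    return ipaddress.IPv4Address(bytes(nums[:4])), nums[4] * 256 + nums[5]


def check_event(peer_ip, line):
    """Classify one command as 'ok', 'bounce', 'low-port' or 'malformed'."""
    try:
        parsed = parse_port(line)
    except ValueError:
        return "malformed"
    if parsed is None:
        return "ok"            # not a PORT command
    ip, port = parsed
    if ip != ipaddress.IPv4Address(peer_ip):
        return "bounce"        # data connection aimed at a host other than the client
    if port < 1024:
        return "low-port"      # data connection aimed at a well-known service port
    return "ok"


def scan(events):
    """Return (peer, command, verdict) for every event that is not 'ok'."""
    verdicts = [(peer, cmd, check_event(peer, cmd)) for peer, cmd in events]
    return [v for v in verdicts if v[2] != "ok"]
```

Only the IPv4 PORT command is handled here; EPRT would need its own parser.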

Tips2Hack

  1. Try anonymous login; if the config allows it, you can lurk for some juicy info. To do this, use anonymous as the login name and leave the password empty.

  2. If the config allows it, you can lurk even faster through directories with a recursive listing: ls -R

  3. To download a file, use the get command; to upload, use put. You can also use status to get more info about the server and FTP state.

  4. To download all files, use:

wget -m --no-passive ftp://anonymous:anonymous@13.13.13.13

  5. Check all available nmap ftp scripts:

find / -type f -name 'ftp*' 2>/dev/null | grep scripts
