Pentesting FTP
Identification
Many different types of FTP server
Nmap scan results
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
Before connecting, ensure that the directory you are in (on your local machine) is writable, or else you will not be able to download anything off the remote FTP server.
FTP Anonymous Login
ftp <ip>
username: anonymous
password: <enter>
If successful, it will let you know you successfully logged in and might tell you the OS.
230 User logged in.
Remote system type is Windows_NT.
Attempt to download and also place files.
Start with attempting to just place a text file with some words
If the file name has spaces, be sure to escape the space character
#anonymous login allowed
02-28-22 07:36PM <DIR> Nadine
02-28-22 07:37PM <DIR> Nathan
ftp> cd Nadine
ftp> get Confidential.txt
ftp> cd Nathan
ftp> get Notes\ to\ do.txt
Brute Force
Good wordlist for FTP brute forcing: https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt
Automated Scanning
Anon login and bounce FTP checks are performed by default by nmap with the -sC option, or:
nmap --script ftp-* -p 21 <ip>
Passive FTP
If a client machine has a firewall up, then Active FTP will create issues
If you find that you can successfully connect but cannot ls or run other ftp commands, run the commands below.
Connect like normal to the ftp server.
Once connected have your first command be:
passv
#or
passive
This will switch the FTP client-server connection to passive mode and allow you to operate as normal.
Downloading Files
To download one file use:
get filename.txt
To download everything in a specific directory use:
mget *
Put Files
To upload a file to the ftp server use:
put filename.txt
#or
mput filename.txt
Other Considerations
If there is also a web server, it is possible that the same directories accessible on the ftp server are hosted on the web server
For example, if on the ftp server there is a directory called scripts, attempt to see if there is a directory on the web server called scripts. This will allow for an easy web shell upload, which can then be executed via the web server.
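The defender's view of the upload scenario above, as an added example that is not part of the original page: it scans an FTP server log for completed uploads made in anonymous sessions and marks those with a server-side script extension. The log layout, field names (including session) and sample records are constructed assumptions, so adapt them to the log your server writes.

```python
# Constructed sample log; the column layout is an assumption, so match
# the names below to the #Fields header your FTP server actually writes.
SAMPLE_LOG = """\
#Fields: date time c-ip session cs-method cs-uri-stem sc-status
2022-03-01 10:00:01 192.0.2.10 s1 USER anonymous 331
2022-03-01 10:00:02 192.0.2.10 s1 PASS - 230
2022-03-01 10:00:09 192.0.2.10 s1 STOR /scripts/test.aspx 226
2022-03-01 10:02:00 198.51.100.7 s2 USER backup 331
2022-03-01 10:02:01 198.51.100.7 s2 PASS - 230
2022-03-01 10:02:04 198.51.100.7 s2 STOR /backup/db.zip 226
2022-03-01 10:03:00 203.0.113.5 s3 USER anonymous 331
2022-03-01 10:03:01 203.0.113.5 s3 PASS - 530
2022-03-01 10:03:02 203.0.113.5 s3 STOR /scripts/x.txt 530
"""

ANON_USERS = {"anonymous", "ftp"}            # logins treated as anonymous
SCRIPT_EXTS = (".asp", ".aspx", ".php", ".jsp")  # executable by a web server

def parse(log_text):
    """Yield one dict per record, taking column names from the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip malformed records
                yield dict(zip(fields, values))

def find_anonymous_uploads(log_text):
    """Return completed STORs from sessions that logged in anonymously."""
    pending, anonymous, findings = {}, set(), []
    for rec in parse(log_text):
        sid, method, status = rec["session"], rec["cs-method"].upper(), rec["sc-status"]
        if method == "USER":                 # remember the name until PASS succeeds
            pending[sid] = rec["cs-uri-stem"].lower()
            anonymous.discard(sid)
        elif method == "PASS" and status == "230" and pending.get(sid) in ANON_USERS:
            anonymous.add(sid)               # 230 = user logged in
        elif method == "STOR" and status in ("226", "250") and sid in anonymous:
            path = rec["cs-uri-stem"]
            findings.append({"time": f'{rec["date"]} {rec["time"]}', "client": rec["c-ip"],
                             "path": path, "script": path.lower().endswith(SCRIPT_EXTS)})
    return findings

if __name__ == "__main__":
    for finding in find_anonymous_uploads(SAMPLE_LOG):
        print(finding)
```

A finding with script set to True on a path that is also served by the web server is the case to investigate first; disabling anonymous write access removes the condition entirely.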