Pentesting FTP

Identification

  • Many different types of FTP server

  • Nmap scan results 

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd

  • Before connecting ensure that the directory you are in (on your local machine is writable, or else you will not be able to download anything off the remote ftp server

FTP Anonymous Login

ftp <ip>
username: anomyous
password: <enter>

  • If successful it will let you know you successfully logged in and might tell you the OS

230 User logged in.
Remote system type is Windows_NT.

  • Attempt to download and also place files.

  • Start with attempting to just place a text file with some words

  • If the file name has spaces, be sure to escape the space character 

#anonymous login allowed
02-28-22  07:36PM       <DIR>          Nadine
02-28-22  07:37PM       <DIR>          Nathan
ftp> cd Nadine
ftp> get Confidential.txt
ftp> cd Nathan
ftp> get Notes\ to\ do.txt

Brute Force

Good wordlist for FTP brute https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt

Automated Scanning

Anon login and bounce FTP checks are perform by default by nmap with -sC option or:

nmap --script ftp-* -p 21 <ip>

Passive FTP

  • If a client machine has a firewall up, then Active FTP will create issues

  • If you find that you can successfully connect but cannot ls or run other ftp commands, ensure to run below commands

  • Connect like normal to the ftp server

  • Once connected have your first command be:

passv
#or
passive

  • This will switch the FTP client server connection to passive move and allow you to operate as normal.

Downloading Files

  • To download one file use:

get filename.txt

  • To download everything in a specific directory use:

mget *

Put Files

  • To upload a file to the ftp server use:

put filename.txt 
#or 
mput filename.txt

Other Considerations

  • If there is also a web server, it is possible that the same directories accessible on the ftp server are hosted on the web server

  • For example if on the ftp server there is a directory called scripts, attempt to see if there is a directory on the web server called scripts.

  • This will allow for an easy web shell upload, which can then be executed via the web server.

PreviousPentesting KerberosNextPentesting Email

Last updated