Pentesting FTP

Identification

Many different types of FTP server
Nmap scan results

PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd

Before connecting ensure that the directory you are in (on your local machine is writable, or else you will not be able to download anything off the remote ftp server

ftp <ip>
username: anomyous
password: <enter>

If successful it will let you know you successfully logged in and might tell you the OS

230 User logged in.
Remote system type is Windows_NT.

Attempt to download and also place files.
Start with attempting to just place a text file with some words
If the file name has spaces, be sure to escape the space character

#anonymous login allowed
02-28-22  07:36PM       <DIR>          Nadine
02-28-22  07:37PM       <DIR>          Nathan
ftp> cd Nadine
ftp> get Confidential.txt
ftp> cd Nathan
ftp> get Notes\ to\ do.txt

Brute Force

Good wordlist for FTP brute https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt

Automated Scanning

Anon login and bounce FTP checks are perform by default by nmap with -sC option or:

nmap --script ftp-* -p 21 <ip>
nmap -p 21 --script ftp-brute.nse 10.11.1.31
ftp-anon.nse
ftp-bounce.nse
ftp-brute.nse
ftp-libopie.nse
ftp-proftpd-backdoor.nse
ftp-syst.nse
ftp-vsftpd-backdoor.nse
ftp-vuln-cve2010-4221.nse

Passive FTP

If a client machine has a firewall up, then Active FTP will create issues
If you find that you can successfully connect but cannot ls or run other ftp commands, ensure to run below commands
Connect like normal to the ftp server
Once connected have your first command be:

passv
#or
passive

This will switch the FTP client server connection to passive move and allow you to operate as normal.

Downloading Files

To download one file use:

get filename.txt

To download everything in a specific directory use:

mget *

Put Files

To upload a file to the ftp server use:

put filename.txt 
#or 
mput filename.txt

Other Considerations

If there is also a web server, it is possible that the same directories accessible on the ftp server are hosted on the web server
For example if on the ftp server there is a directory called scripts, attempt to see if there is a directory on the web server called scripts.
This will allow for an easy web shell upload, which can then be executed via the web server.

FTP Tricks

Recursive Listing

ls -R

cat a file without downloading it

get <FILENAME> -

Get SSL certificate from the target FTP server

openssl s_client -connect $host:21 -starttls ftp

Download all avaiable files from an FTP server

wget -m --no-passive ftp://anonymous:anonymous@$host 
wget -m --no-passive ftp://ceil:qwer1234@$host:2121

PreviousPentesting Kerberos NextPentesting Email

Last updated 3 months ago

hashtagIdentification

hashtagFTP Anonymous Login

hashtagBrute Force

hashtagAutomated Scanning

hashtagPassive FTP

hashtagDownloading Files

hashtagPut Files

hashtagOther Considerations

hashtagFTP Tricks

Identification

FTP Anonymous Login

Brute Force

Automated Scanning

Passive FTP

Downloading Files

Put Files

Other Considerations

FTP Tricks