# Pentesting TFTP

**Port:** UDP 69

TFTP (Trivial File Transfer Protocol) is a simple UDP-based file transfer protocol with no authentication. It is often used for network device configs, PXE boot files, and similar purposes.

***

## Discovery

```bash
# UDP scan
nmap -sU -p 69 $ip

# Service version
nmap -sU -p 69 -sV $ip
```

***

## Enumeration with Nmap Scripts

### File Enumeration

```bash
# Enumerate common files (default wordlist)
nmap -sU -p 69 --script=tftp-enum $ip
```

**Output:**

```
69/udp open  tftp
| tftp-enum: 
|_  ciscortr.cfg
```

### Version Detection

```bash
nmap -sU -p 69 --script=tftp-version $ip
```

### Custom Wordlist

```bash
nmap -sU -p 69 --script=tftp-enum --script-args tftp-enum.filelist=/path/to/wordlist.txt $ip
```

### Common Files to Check

```
# Network devices
ciscortr.cfg
running-config
startup-config
router.cfg
switch.cfg

# Boot files
pxelinux.0
pxelinux.cfg/default
boot.cfg

# Other
test.txt
config.txt
backup.cfg
```

***

## Manual Interaction

### TFTP Client

```bash
# Connect and get file
tftp $ip -c get filename.cfg

# Interactive mode
tftp $ip
tftp> get ciscortr.cfg
tftp> quit
```

### Netcat (Raw)

```bash
# Read request (opcode 01): opcode, filename, NUL, mode, NUL
echo -e "\x00\x01filename\x00octet\x00" | nc -u $ip 69

# Test with timeout
timeout 2 bash -c "echo -e '\x00\x01test.txt\x00octet\x00' | nc -u $ip 69" | xxd

# Note: per RFC 1350 the server replies from a new source port (its transfer ID),
# so a connected UDP socket such as nc -u may show nothing even when the server
# answered; confirm with the tftp client if the raw probe stays silent.
```

### TFTP Opcodes

| Opcode | Operation           |
| ------ | ------------------- |
| 01     | Read Request (RRQ)  |
| 02     | Write Request (WRQ) |
| 03     | Data                |
| 04     | Acknowledgment      |
| 05     | Error               |
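The request layout sent by the netcat probe above and the opcodes in this table, worked into a small parser plus detection logic that flags write requests and reads of the config filenames listed earlier. This is an added example, not code from the original page; the sample payloads are constructed, not captured traffic.

```python
import struct

# TFTP opcodes from RFC 1350 (same values as the table above)
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
# Config filenames from the list above; a read of one of these is worth an alert
SENSITIVE = {"ciscortr.cfg", "running-config", "startup-config",
             "router.cfg", "switch.cfg", "backup.cfg"}

def parse_tftp(payload: bytes) -> dict:
    """Decode one TFTP UDP payload into a dict describing the packet."""
    if len(payload) < 4:
        raise ValueError("payload too short for a TFTP packet")
    (op,) = struct.unpack("!H", payload[:2])
    kind = OPCODES.get(op, "UNKNOWN")
    if kind in ("RRQ", "WRQ"):
        # Layout: opcode | filename | 0 | mode | 0 (what the nc example sends)
        fields = payload[2:].split(b"\x00")
        if len(fields) < 3:
            raise ValueError("malformed request: missing NUL terminators")
        return {"op": kind, "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    (num,) = struct.unpack("!H", payload[2:4])  # block number or error code
    if kind == "DATA":
        # A data block shorter than 512 bytes marks the end of the transfer
        return {"op": kind, "block": num, "len": len(payload) - 4,
                "last": len(payload) - 4 < 512}
    if kind == "ACK":
        return {"op": kind, "block": num}
    if kind == "ERROR":
        msg = payload[4:].split(b"\x00")[0].decode("ascii", "replace")
        return {"op": kind, "code": num, "message": msg}
    return {"op": kind, "raw_opcode": op}

def alerts_for(payload: bytes) -> list:
    """Detection findings for one packet; an empty list means nothing notable."""
    pkt = parse_tftp(payload)
    found = []
    if pkt["op"] == "WRQ":   # any accepted write means the server is writable
        found.append(f"write request for {pkt['filename']!r}")
    if pkt["op"] == "RRQ" and pkt["filename"] in SENSITIVE:
        found.append(f"read of device config {pkt['filename']!r}")
    return found

SAMPLES = [  # constructed sample payloads, not captured traffic
    b"\x00\x01ciscortr.cfg\x00octet\x00",    # RRQ for a router config
    b"\x00\x02shell.php\x00octet\x00",       # WRQ (upload attempt)
    b"\x00\x03\x00\x01hostname R1\n",        # DATA block 1, short => final block
    b"\x00\x05\x00\x01File not found\x00",   # ERROR code 1
]
```

Feeding `SAMPLES` through `alerts_for` yields one finding for the config read and one for the upload, and nothing for the data and error packets.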

***

## File Upload (If Writable)

```bash
# Upload file
tftp $ip -c put localfile.txt remotefile.txt

# Interactive
tftp $ip
tftp> put shell.php
```

### Exploitation

If the TFTP root is writable and the same directory is also served by a web server:

1. Upload webshell
2. Access via HTTP

***

## Metasploit

```bash
# TFTP enumeration
use auxiliary/scanner/tftp/tftpbrute
set RHOSTS $ip
run

# TFTP server (for exfil)
use auxiliary/server/tftp
set TFTPROOT /tmp
run
```

***

## Config File Analysis

Network device configs often contain:

* Usernames/passwords (sometimes plaintext or Type 7)
* SNMP community strings
* VPN pre-shared keys
* Network topology info
* Domain names/hostnames

### Cisco Password Cracking

See [Hashcat - Network Device Hashes](https://book.ice-wzl.xyz/tool-guides/hashcat#network-device-hashes-cisco) for Cisco Type 5/7/8/9 cracking.

***

## Common TFTP Software

| Software        | Notes           |
| --------------- | --------------- |
| atftpd          | Linux, common   |
| tftpd-hpa       | Linux           |
| Netkit tftpd    | Linux           |
| SolarWinds TFTP | Windows         |
| Cisco TFTP      | Network devices |
