Pentesting TFTP

Port: UDP 69

TFTP (Trivial File Transfer Protocol) is a simple file transfer protocol with no authentication. Often used for network device configs, PXE boot, etc.

Discovery

# UDP scan
nmap -sU -p 69 $ip

# Service version
nmap -sU -p 69 -sV $ip

Enumeration with Nmap Scripts

File Enumeration

# Enumerate common files (default wordlist)
nmap -sU -p 69 --script=tftp-enum $ip

Output:

69/udp open  tftp
| tftp-enum: 
|_  ciscortr.cfg

Version Detection

nmap -sU -p 69 --script=tftp-version $ip

Custom Wordlist

nmap -sU -p 69 --script=tftp-enum --script-args tftp-enum.filelist=/path/to/wordlist.txt $ip

Common Files to Check

# Network devices
ciscortr.cfg
running-config
startup-config
router.cfg
switch.cfg

# Boot files
pxelinux.0
pxelinux.cfg/default
boot.cfg

# Other
test.txt
config.txt
backup.cfg

Manual Interaction

TFTP Client

# Connect and get file
tftp $ip -c get filename.cfg

# Interactive mode
tftp $ip
tftp> get ciscortr.cfg
tftp> quit

Netcat (Raw)

# Read request (opcode 01)
echo -e "\x00\x01filename\x00octet\x00" | nc -u $ip 69

# Test with timeout
timeout 2 bash -c "echo -e '\x00\x01test.txt\x00octet\x00' | nc -u $ip 69" | xxd

TFTP Opcodes

Opcode

Operation

Read Request (RRQ)

Write Request (WRQ)

Data

Acknowledgment

Error

File Upload (If Writable)

# Upload file
tftp $ip -c put localfile.txt remotefile.txt

# Interactive
tftp $ip
tftp> put shell.php

Exploitation

If TFTP is writable and serves web directory:

Upload webshell
Access via HTTP

Metasploit

# TFTP enumeration
use auxiliary/scanner/tftp/tftpbrute
set RHOSTS $ip
run

# TFTP server (for exfil)
use auxiliary/server/tftp
set TFTPROOT /tmp
run

Config File Analysis

Network device configs often contain:

Usernames/passwords (sometimes plaintext or Type 7)
SNMP community strings
VPN pre-shared keys
Network topology info
Domain names/hostnames

Cisco Type 7 Password Decryption

# Online tool
https://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/358-cisco-type7-password-crack.html

# Python
pip install cisco-type7
cisco-type7 decrypt "0822455D0A16"

Common TFTP Software

Software

Notes

atftpd

Linux, common

tftpd-hpa

Linux

Netkit tftpd

Linux

SolarWinds TFTP

Windows

Cisco TFTP

Network devices

PreviousPentesting SNMP NextPentesting IPsec/IKE

Last updated 3 days ago

hashtagDiscovery

hashtagEnumeration with Nmap Scripts

hashtagFile Enumeration

hashtagVersion Detection

hashtagCustom Wordlist

hashtagCommon Files to Check

hashtagManual Interaction

hashtagTFTP Client

hashtagNetcat (Raw)

hashtagTFTP Opcodes

hashtagFile Upload (If Writable)

hashtagExploitation

hashtagMetasploit

hashtagConfig File Analysis

hashtagCisco Type 7 Password Decryption

hashtagCommon TFTP Software