# Pentesting TFTP

**Port:** UDP 69

TFTP (Trivial File Transfer Protocol) is a simple file transfer protocol with no authentication. It is often used for network device configs, PXE boot, etc.

***

## Discovery

```bash
# UDP scan
nmap -sU -p 69 $ip

# Service version
nmap -sU -p 69 -sV $ip
```

***

## Enumeration with Nmap Scripts

### File Enumeration

```bash
# Enumerate common files (default wordlist)
nmap -sU -p 69 --script=tftp-enum $ip
```

**Output:**

```
69/udp open  tftp
| tftp-enum: 
|_  ciscortr.cfg
```

### Version Detection

```bash
nmap -sU -p 69 --script=tftp-version $ip
```

### Custom Wordlist

```bash
nmap -sU -p 69 --script=tftp-enum --script-args tftp-enum.filelist=/path/to/wordlist.txt $ip
```

### Common Files to Check

```
# Network devices
ciscortr.cfg
running-config
startup-config
router.cfg
switch.cfg

# Boot files
pxelinux.0
pxelinux.cfg/default
boot.cfg

# Other
test.txt
config.txt
backup.cfg
```

***

## Manual Interaction

### TFTP Client

```bash
# Connect and get file
tftp $ip -c get filename.cfg

# Interactive mode
tftp $ip
tftp> get ciscortr.cfg
tftp> quit
```

### Netcat (Raw)

```bash
# Read request (opcode 01); printf avoids the trailing newline that echo appends
printf '\x00\x01filename\x00octet\x00' | nc -u $ip 69

# Test with timeout
timeout 2 bash -c "printf '\x00\x01test.txt\x00octet\x00' | nc -u $ip 69" | xxd
```

### TFTP Opcodes

| Opcode | Operation           |
| ------ | ------------------- |
| 01     | Read Request (RRQ)  |
| 02     | Write Request (WRQ) |
| 03     | Data                |
| 04     | Acknowledgment      |
| 05     | Error               |

***

## File Upload (If Writable)

```bash
# Upload file
tftp $ip -c put localfile.txt remotefile.txt

# Interactive
tftp $ip
tftp> put shell.php
```

### Exploitation

If TFTP is writable and serves a web directory:

1. Upload a webshell
2. Access it via HTTP

***

## Metasploit

```bash
# TFTP enumeration
use auxiliary/scanner/tftp/tftpbrute
set RHOSTS $ip
run

# TFTP server (for exfil)
use auxiliary/server/tftp
set TFTPROOT /tmp
run
```

***

## Config File Analysis

Network device configs often contain:

* Usernames/passwords (sometimes plaintext or Type 7)
* SNMP community strings
* VPN pre-shared keys
* Network topology info
* Domain names/hostnames

### Cisco Password Cracking

See [Hashcat - Network Device Hashes](/tool-guides/hashcat.md#network-device-hashes-cisco) for Cisco Type 5/7/8/9 cracking.

***

## Common TFTP Software

| Software        | Notes           |
| --------------- | --------------- |
| atftpd          | Linux, common   |
| tftpd-hpa       | Linux           |
| Netkit tftpd    | Linux           |
| SolarWinds TFTP | Windows         |
| Cisco TFTP      | Network devices |

