FTP
FTP Security & Exploitation Guide
1. About FTP
File Transfer Protocol (FTP) is a standard communication protocol used to transfer files between a client and server over a network.
Operates on a client–server model.
By default, uses TCP port 21 for control connections.
Data transfers can occur over separate dynamic ports (active/passive modes).
Often replaced with more secure alternatives such as SFTP (SSH File Transfer Protocol) or FTPS (FTP Secure over TLS).
2. Basic Usage
Connecting to an FTP Server
ftp 192.0.2.10
Common Commands
get <file> # Download a file
mget * # Download multiple files
put <file> # Upload a file
mput * # Upload multiple files
ls # List directory contents
cd <dir> # Change directory
status # Show connection/server info
bye # Exit FTP session
3. FTP on Linux (vsFTPd Example)
vsFTPd (Very Secure FTP Daemon) is one of the most widely used FTP servers on Linux.
Default configuration file:
/etc/vsftpd.conf
Users denied access are typically listed in:
/etc/ftpusers
4. Dangerous Configuration Settings
Certain misconfigurations in vsftpd.conf
can make FTP highly insecure:
anonymous_enable=YES
→ Allows anonymous login.anon_upload_enable=YES
→ Allows anonymous users to upload files.anon_mkdir_write_enable=YES
→ Allows anonymous users to create directories.no_anon_password=YES
→ Anonymous login without a password.anon_root=/home/username/ftp
→ Directory assigned to anonymous users.write_enable=YES
→ Enables write access for users.
5. Brute-Forcing FTP
FTP credentials can often be cracked through brute force or password spraying.
Using Medusa
medusa -u rio -P /usr/share/wordlists/rockyou.txt -h 192.0.2.10 -M ftp
6. FTP Bounce Attack
An FTP Bounce Attack abuses the PORT
command to instruct an FTP server to connect to another system on behalf of the attacker.
Example with Nmap
nmap -Pn -v -n -p80 -b rio@192.0.2.10 198.51.100.25
# 192.0.2.10 = FTP server
# 198.51.100.25 = target host being scanned
7. Tips & Tricks for Exploiting FTP
Anonymous Login: Try
anonymous
as username with an empty password.Recursive Listing: If allowed, use
ls -R
to quickly explore directories.Mirror Entire Directory:
wget -m --no-passive ftp://anonymous:anonymous@192.0.2.10
Nmap NSE Scripts:
nmap --script ftp* -p21 192.0.2.10
Banner Grabbing:
nmap -sV -p21 192.0.2.10 nc 192.0.2.10 21
8. Beyond FTP – TFTP
Trivial File Transfer Protocol (TFTP):
Uses UDP port 69.
No authentication, extremely insecure.
Often found in embedded systems, PXE boot, and IoT devices.
Tools:
tftp
client, Metasploit modules.
Last updated