FTP

FTP Security & Exploitation Guide

1. About FTP

File Transfer Protocol (FTP) is a standard communication protocol used to transfer files between a client and server over a network.

  • Operates on a client–server model.

  • By default, uses TCP port 21 for control connections.

  • Data transfers can occur over separate dynamic ports (active/passive modes).

  • Often replaced with more secure alternatives such as SFTP (SSH File Transfer Protocol) or FTPS (FTP Secure over TLS).


2. Basic Usage

Connecting to an FTP Server

ftp 192.0.2.10

Common Commands

get <file>     # Download a file
mget *         # Download multiple files
put <file>     # Upload a file
mput *         # Upload multiple files
ls             # List directory contents
cd <dir>       # Change directory
status         # Show connection/server info
bye            # Exit FTP session

3. FTP on Linux (vsFTPd Example)

vsFTPd (Very Secure FTP Daemon) is one of the most widely used FTP servers on Linux.

  • Default configuration file: /etc/vsftpd.conf

  • Users denied access are typically listed in: /etc/ftpusers


4. Dangerous Configuration Settings

Certain misconfigurations in vsftpd.conf can make FTP highly insecure:

  • anonymous_enable=YES → Allows anonymous login.

  • anon_upload_enable=YES → Allows anonymous users to upload files.

  • anon_mkdir_write_enable=YES → Allows anonymous users to create directories.

  • no_anon_password=YES → Anonymous login without a password.

  • anon_root=/home/username/ftp → Directory assigned to anonymous users.

  • write_enable=YES → Enables write access for users.


5. Brute-Forcing FTP

FTP credentials can often be cracked through brute force or password spraying.

Using Medusa

medusa -u rio -P /usr/share/wordlists/rockyou.txt -h 192.0.2.10 -M ftp 

6. FTP Bounce Attack

An FTP Bounce Attack abuses the PORT command to instruct an FTP server to connect to another system on behalf of the attacker.

Example with Nmap

nmap -Pn -v -n -p80 -b rio@192.0.2.10 198.51.100.25
# 192.0.2.10 = FTP server
# 198.51.100.25 = target host being scanned

7. Tips & Tricks for Exploiting FTP

  1. Anonymous Login: Try anonymous as username with an empty password.

  2. Recursive Listing: If allowed, use ls -R to quickly explore directories.

  3. Mirror Entire Directory:

    wget -m --no-passive ftp://anonymous:anonymous@192.0.2.10
  4. Nmap NSE Scripts:

    nmap --script ftp* -p21 192.0.2.10
  5. Banner Grabbing:

    nmap -sV -p21 192.0.2.10
    nc 192.0.2.10 21

8. Beyond FTP – TFTP

Trivial File Transfer Protocol (TFTP):

  • Uses UDP port 69.

  • No authentication, extremely insecure.

  • Often found in embedded systems, PXE boot, and IoT devices.

  • Tools: tftp client, Metasploit modules.


Last updated