21 - FTP

Introduction

Port: 21 (TCP)

The File Transfer Protocol (FTP) is a standard network protocol used for transferring files. There are various ways of exploiting the service:

Anonymous Authentication
Directory Path Traversal: An attacker could create or remove files outside the FTP root folder.
Brute Force Attack
Buffer Overflow: There are FTP services that are vulnerable to Buffer overflows.

Enumeration

You can use Nmap to enumerate an FTP server.

sudo nmap -sC -sV --script="ftp* and not brute" -p21 -n <TARGET>

If anonymous login is enabled, you can retrieve files as anonymous with a random password.

nmap --script=ftp-anon <TARGET>
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--   1 1170     924            31 Mar 28  2001 .banner
| d--x--x--x   2 root     root         1024 Jan 14  2002 bin
| d--x--x--x   2 root     root         1024 Aug 10  1999 etc
| drwxr-srwt   2 1170     924          2048 Jul 19 18:48 incoming [NSE: writeable]
| d--x--x--x   2 root     root         1024 Jan 14  2002 lib
| drwxr-sr-x   2 1170     924          1024 Aug  5  2004 pub
|_Only 6 shown. Use --script-args ftp-anon.maxlist=-1 to see all.

Upload/Download binaries

If binary mode is not enabled, your binary files will not upload or download correctly. Thus, you need to type:

binary on

Recursive download

If you want to download every file from an FTP service, you can use wget.

wget -r -m [ --no-passive | --passive-ftp ] ftp://anonymous:password@<TARGET>

mget is also an alternative, but it shall not always work.

prompt off
mget -R <Remote_folder> <Local_folder>

Error: Address already in use

We need to enable passive mode:

pass

References

Pentesting | Exploiting FTP

Last updated 3 years ago

hashtagIntroduction

hashtagEnumeration

hashtagAnonymous login

hashtagUpload/Download binaries

hashtagRecursive download

hashtagError: Address already in use

hashtagReferences