# 21 - FTP

## Introduction

**Port**: 21 (TCP)

The **File Transfer Protocol** (FTP) is a standard network protocol used for transferring files. There are various ways of exploiting the service:

* **Anonymous Authentication**
* **Directory Path Traversal**: An attacker could create or remove files outside the FTP root folder.
* **Brute Force Attack**
* **Buffer Overflow**: There are FTP services that are vulnerable to Buffer overflows.

## Enumeration

You can use Nmap to enumerate an FTP server.

```bash
sudo nmap -sC -sV --script="ftp* and not brute" -p21 -n <TARGET>
```

## Anonymous login

If **anonymous** login is enabled, you can retrieve files as anonymous with a random password.

```bash
nmap --script=ftp-anon <TARGET>
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--   1 1170     924            31 Mar 28  2001 .banner
| d--x--x--x   2 root     root         1024 Jan 14  2002 bin
| d--x--x--x   2 root     root         1024 Aug 10  1999 etc
| drwxr-srwt   2 1170     924          2048 Jul 19 18:48 incoming [NSE: writeable]
| d--x--x--x   2 root     root         1024 Jan 14  2002 lib
| drwxr-sr-x   2 1170     924          1024 Aug  5  2004 pub
|_Only 6 shown. Use --script-args ftp-anon.maxlist=-1 to see all.
```

## Upload/Download binaries

If binary mode is **not** enabled, your binary files will not upload or download correctly. Thus, you need to type:

```
binary on
```

## Recursive download

If you want to download every file from an FTP service, you can use wget.

```
wget -r -m [ --no-passive | --passive-ftp ] ftp://anonymous:password@<TARGET>
```

mget is also an alternative, but it shall not always work.

```
prompt off
mget -R <Remote_folder> <Local_folder>
```

## Error: Address already in use

We need to enable passive mode:

```
pass
```

## References

* [Pentesting | Exploiting FTP](https://medium.com/@kubotortech/pentesting-exploiting-ftp-cba8ec81968e)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://the-pentesting-guide.marmeus.com/active/services/21-ftp.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.