Port 20/21 - FTP

The File Transfer Protocol (FTP) is a common protocol that is used across all operating systems to aid in remote file transfers between a client and server. FTP is a plaintext protocol, meaning that communication between a client and server is not encrypted. There is a secure version of FTP called SFTP that operates over the SSH port 22.

A number of different FTP applications exist that provide functionality beyond the native FTP tool. Some of those commonly encountered are:

  • FileZilla

  • CyberDuck

  • WinSCP

  • FireFTP

Apart from individual application vulnerabilities that can be exploited to gain file or remote access to a host machine, there are a number of actions that can be taken to enumerate objects.

Reconnaissance

Port Scanning and Enumeration

Nmap has various scripts that can be run against the different versions. Running a generic initial scan with the -sC or -A flag will automatically run the default scripts, such as ftp-syst and ftp-anon.

Nmap Script    Description
ftp-syst       Sends FTP SYST and STAT commands, returning the result.
ftp-anon       Checks if an FTP server allows anonymous logins.

To run all FTP scripts against a target (noisy), the below Nmap command can be used:

sudo nmap -sC --script "ftp-*" -p 21 %IP%

Output

The following is the output provided by running a standard scan on target 10.10.10.10. Note that the NSE scripts identify that anonymous login is allowed (status code 230 - Login Successful), that the FTP version is vsftpd 3.0.3, and that two files are being hosted.

Connecting to a Remote FTP Server

In some cases, anonymous login to a remote FTP server will be allowed, enabling access to particular files or shared directories without authentication. In such cases, commonly accepted credentials are:

Username
Password

anonymous

anonymous

anonymous

ftp

ftp
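On the server side, the anonymous-login and plaintext findings above map to a few vsftpd.conf options. The following is an added example, not part of the original page: a small Python audit of a vsftpd.conf body, assuming the defaults documented in the vsftpd.conf(5) man page; the function names and the sample configurations are constructed for illustration.

```python
# Added example (not from the original page): flag vsftpd.conf settings that
# produce the anonymous-login and plaintext findings described above.
# Defaults below are those documented in the vsftpd.conf(5) man page.
DEFAULTS = {"anonymous_enable": "YES", "anon_upload_enable": "NO",
            "write_enable": "NO", "ssl_enable": "NO"}
TRUTHY = {"YES", "TRUE", "1"}  # assumption: values vsftpd treats as enabled

def effective_settings(conf_text):
    """Overlay option=value lines on the defaults; later lines win."""
    settings = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def enabled(settings, key):
    """True when a boolean option is switched on."""
    return settings.get(key, "NO").upper() in TRUTHY

def audit(conf_text):
    """Return (finding_id, explanation) tuples for a vsftpd.conf body."""
    s = effective_settings(conf_text)
    findings = []
    if enabled(s, "anonymous_enable"):
        findings.append(("anon-login", "usernames 'anonymous' and 'ftp' are accepted as anonymous logins"))
        # Anonymous upload only takes effect when write_enable is also on.
        if enabled(s, "anon_upload_enable") and enabled(s, "write_enable"):
            findings.append(("anon-upload", "anonymous users can upload files"))
    if not enabled(s, "ssl_enable"):
        findings.append(("plaintext", "no TLS: credentials and file contents are sent unencrypted"))
    return findings

# Constructed sample configurations (not taken from any real host).
WEAK = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
"""
HARDENED = """\
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED), ("empty", "")):
        print(name, [fid for fid, _ in audit(conf)])
```

An empty configuration is audited as well because the documented defaults leave anonymous login on and TLS off.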
