# Port 20/21 - FTP The File Transfer Protocol (FTP) is a common protocol that is used across all operating systems to aid in remote file transfers between a client and server. FTP is a plaintext protocol, meaning that communication between a client and server are not encrypted. There is a secure version of FTP called SFTP that operates over the SSH port 22. A number of different FTP application exist that provide added functionality in addition to the native FTP tool, some of those commonly encountered are: * FileZilla * CyberDuck * WinSCP * FireFTP Apart from individual application vulnerabilities that can be exploited to gain file or remote access to a host machine, there are a number of actions that can be taken to enumerate objects. ## Reconnaissance ### Port Scanning and Enumeration Nmap has various scripts that can be run against the different versions, running a generic initial scan and including the `-sC` or `-A` flag will automatically scan with default scripts such as `ftp-syst`, and `ftp-anon`. | Nmap Script | Description | | ----------- | ------------------------------------------------------ | | ftp-syst | Sends FTP SYST and STAT commands, returning the result | | ftp-anon | Checks if an FTP server allows anonymous logins. | To run all FTP scripts against a target (noisy), the below Nmap command can be used: {% code overflow="wrap" %} ```bash sudo nmap -sC --script ftp-* -p 21 %IP% ``` {% endcode %} #### Output The following is the output provided by running a standard scan on target `10.10.10.10`. Note that NSE scripts identify that Anonymous login is allowed (status code 230 - Login Successful), the FTP version is `vsftpd 3.0.3`, and two files were identified being hosted. {% code overflow="wrap" %} ```bash sudo nmap -A 10.10.10.10 ... PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) | -rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist |_-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:10.10.10.9 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 2 | vsFTPd 3.0.3 - secure, fast, stable |_End of status ``` {% endcode %} ### Connecting to a Remote FTP Server In some cases, anonymous login to a remote FTP server will be allowed, enabling access to particular files or shared directories without authentication. In such cases, a common list of credentials are: | Username | Password | | --------- | --------- | | anonymous | | | anonymous | anonymous | | ftp | ftp | {% code overflow="wrap" %} ```bash ftp 10.10.10.10 # List all files, including those hidden ls -a # Download a file mget allowed.userlist ``` {% endcode %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://darkcybe.gitbook.io/darkcybe/offensive-security-operations/penetration-testing/techniques/technology-focused/network-protocols-and-services/port-20-21-ftp.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.