Port 20/21 - FTP

The File Transfer Protocol (FTP) is a common protocol that is used across all operating systems to aid in remote file transfers between a client and server. FTP is a plaintext protocol, meaning that communication between a client and server are not encrypted. There is a secure version of FTP called SFTP that operates over the SSH port 22.

A number of different FTP application exist that provide added functionality in addition to the native FTP tool, some of those commonly encountered are:

  • FileZilla

  • CyberDuck

  • WinSCP

  • FireFTP

Apart from individual application vulnerabilities that can be exploited to gain file or remote access to a host machine, there are a number of actions that can be taken to enumerate objects.

Reconnaissance

Port Scanning and Enumeration

Nmap has various scripts that can be run against the different versions, running a generic initial scan and including the -sC or -A flag will automatically scan with default scripts such as ftp-syst, and ftp-anon.

Nmap ScriptDescription

ftp-syst

Sends FTP SYST and STAT commands, returning the result

ftp-anon

Checks if an FTP server allows anonymous logins.

To run all FTP scripts against a target (noisy), the below Nmap command can be used:

sudo nmap -sC --script ftp-* -p 21 %IP%

Output

The following is the output provided by running a standard scan on target 10.10.10.10. Note that NSE scripts identify that Anonymous login is allowed (status code 230 - Login Successful), the FTP version is vsftpd 3.0.3, and two files were identified being hosted.

sudo nmap -A 10.10.10.10
...
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            33 Jun 08  2021 allowed.userlist
|_-rw-r--r--    1 ftp      ftp            62 Apr 20  2021 allowed.userlist.passwd
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.10.9
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status

Connecting to a Remote FTP Server

In some cases, anonymous login to a remote FTP server will be allowed, enabling access to particular files or shared directories without authentication. In such cases, a common list of credentials are:

UsernamePassword

anonymous

anonymous

anonymous

ftp

ftp

ftp 10.10.10.10

# List all files, including those hidden
ls -a

# Download a file
mget allowed.userlist
PreviousNetwork Protocols and ServicesNextPort 22 - SSH

Last updated