# FTP - Port 21


Penetration testing (pentesting) of **FTP (File Transfer Protocol)** involves assessing and exploiting vulnerabilities within an FTP server to gain unauthorized access or escalate privileges. To effectively pentest FTP services, you'll need to understand FTP operations, common misconfigurations, and weaknesses. Below is a comprehensive guide covering **enumeration, exploitation, and various tricks** you can use.

## **Understanding FTP Basics**

FTP is a protocol used to transfer files over a network. It operates on two primary ports:

* **Port 21 (Command)**: Handles the command/control connections.
* **Port 20 (Data)**: Used for data transfer in **Active Mode**.

## **Checklist for FTP Pentesting**

1. **Enumerate the FTP service**:
   * Use Nmap and banner grabbing. See [Service Discovery](#service-discovery).
   * Check for anonymous login. See [Anonymous Login](#anonymous-login).
   * Explore FTP directories.
2. **Test for common vulnerabilities**:
   * Brute force credentials. See [Brute Force Attack](#brute-force-attack).
   * Upload malicious files. See [Exploiting Weak Permissions](#exploiting-weak-permissions).
   * Look for directory traversal vulnerabilities. See [Directory Traversal Vulnerability](#directory-traversal-vulnerability).
3. **Search for known exploits**:
   * Identify software version. See [Vulnerable Software Versions](#vulnerable-software-versions).
   * Use exploit-db or Metasploit. See [Vulnerable Software Versions](#vulnerable-software-versions).
4. **Escalate privileges** (see [Escalation via FTP Misconfigurations](#escalation-via-ftp-misconfigurations)):
   * Search for sensitive files.
   * Use local exploits.
5. **Post-exploitation**:
   * Capture credentials.
   * Look for pivoting opportunities. See [Tunneling FTP Traffic](#tunneling-ftp-traffic).

## Common FTP Commands <a href="#common-ftp-commands" id="common-ftp-commands"></a>

<table data-full-width="false"><thead><tr><th>Command</th><th>Description</th><th>Usage</th></tr></thead><tbody><tr><td><code>lcd</code></td><td>Change local directory.</td><td><code>lcd /path/to/directory</code></td></tr><tr><td><code>cd</code></td><td>Change server directory.</td><td><code>cd /path/to/directory</code></td></tr><tr><td><code>ls</code></td><td>List server directory files.</td><td><code>ls</code></td></tr><tr><td><code>get</code></td><td>Download file from server.</td><td><code>get filename.txt</code></td></tr><tr><td><code>mget</code></td><td>Download multiple files.</td><td><code>mget *.txt</code></td></tr><tr><td><code>put</code></td><td>Upload file to server.</td><td><code>put filename.txt</code></td></tr><tr><td><code>mput</code></td><td>Upload multiple files.</td><td><code>mput *.txt</code></td></tr><tr><td><code>bin</code></td><td>Set binary transfer mode.</td><td><code>bin</code></td></tr><tr><td><code>ascii</code></td><td>Set ASCII transfer mode.</td><td><code>ascii</code></td></tr><tr><td><code>quit</code></td><td>Exit FTP client.</td><td><code>quit</code></td></tr></tbody></table>

### Download all files from FTP <a href="#download-all-files-from-ftp" id="download-all-files-from-ftp"></a>

```bash
wget -m ftp://anonymous:anonymous@Victim_IP
wget -m --no-passive ftp://anonymous:anonymous@Victim_IP
```

If your user/password has special characters:

```bash
wget -r --user="USERNAME" --password="PASSWORD" ftp://Victim_IP/
```

## **Enumeration of FTP**

### **Service Discovery**

The first step in penetration testing FTP is identifying if the service is running on the target machine. You can use network scanning tools like **Nmap** to detect FTP services.

```bash
nmap -p 21 -sV <target-ip>
```

* `-p 21` scans port 21 where FTP is typically running.
* `-sV` detects the version of the FTP service.

**Nmap Script for FTP Enumeration:** Nmap has several useful scripts for FTP enumeration:

```bash
nmap --script "ftp*" -p 21 <target-ip>
```

This command runs all FTP-related scripts against the target.

### **Anonymous Login**

FTP servers often allow anonymous login, which could lead to unauthorized access.

Test for anonymous login:

```bash
ftp <target-ip>
```

Try logging in with the username **`anonymous`** and an empty password or any random string. If successful, it means the server allows anonymous access, which can be used to browse, upload, and download files depending on permissions.

### **Banner Grabbing**

Banner grabbing helps identify the software version running on the server. Once identified, you can look for specific exploits related to that version.

```bash
telnet <target-ip> 21
```

Look for version information in the banner. **Netcat** can be used in the same way. Administrators can change or suppress the banner, so a generic greeting does not tell you the version either way:

```bash
nc -v <target-ip> 21
```

### **Directory Traversal Vulnerability**

FTP misconfigurations may allow you to navigate outside the intended directory. Try moving up directories using `cd ..`. If you can reach system files such as `/etc/passwd`, the session is not confined to the FTP root, which indicates a **directory traversal vulnerability**.

## **Exploitation**

Once you’ve gathered information from enumeration, the next step is exploitation. Below are some common FTP vulnerabilities that you can exploit.

### **Brute Force Attack**

If anonymous access is not allowed, you can attempt a brute force attack to guess the FTP credentials. **Hydra** is a popular tool for this:

```bash
hydra -l <username> -P /path/to/password/list.txt ftp://<target-ip>
```

* `-l` specifies the username.
* `-P` specifies the wordlist file.

Make sure to limit the number of attempts to avoid detection by the target.
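The defender's view of the guessing described above, as an added example that is not part of the original page: a detector over FTP login records that flags a burst of failures from one source, failures spread across several usernames, and a successful login after either. The log lines are constructed and follow the style of vsftpd's log file (an assumption); `detect`, `LINE_RE` and the thresholds are names and values chosen here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of vsftpd's log file (an assumption;
# adapt LINE_RE for other servers). Addresses are documentation ranges.
SAMPLE_LOG = """\
Tue Mar  5 10:00:01 2024 [pid 3121] [admin] FAIL LOGIN: Client "203.0.113.7"
Tue Mar  5 10:00:03 2024 [pid 3123] [admin] FAIL LOGIN: Client "203.0.113.7"
Tue Mar  5 10:00:05 2024 [pid 3125] [admin] FAIL LOGIN: Client "203.0.113.7"
Tue Mar  5 10:00:06 2024 [pid 3127] [alice] FAIL LOGIN: Client "192.0.2.10"
Tue Mar  5 10:00:07 2024 [pid 3129] [admin] FAIL LOGIN: Client "203.0.113.7"
Tue Mar  5 10:00:09 2024 [pid 3131] [admin] FAIL LOGIN: Client "203.0.113.7"
Tue Mar  5 10:00:20 2024 [pid 3133] [alice] OK LOGIN: Client "192.0.2.10"
Tue Mar  5 10:00:31 2024 [pid 3135] [admin] OK LOGIN: Client "203.0.113.7"
Tue Mar  5 10:20:00 2024 [pid 3200] [root] FAIL LOGIN: Client "198.51.100.23"
Tue Mar  5 10:40:00 2024 [pid 3260] [admin] FAIL LOGIN: Client "198.51.100.23"
Tue Mar  5 11:00:00 2024 [pid 3320] [backup] FAIL LOGIN: Client "198.51.100.23"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')


def detect(log_text, burst=5, window=timedelta(seconds=60), max_users=3):
    """Return {client_ip: set of reasons} for sources that look like guessing."""
    recent = defaultdict(deque)   # ip -> failure times inside the window
    users = defaultdict(set)      # ip -> usernames that failed from it
    alerts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        ip = m["ip"]
        if m["result"] == "OK":
            if ip in alerts:      # a guess may have worked: top priority
                alerts[ip].add("login-after-alert")
            continue
        users[ip].add(m["user"])
        recent[ip].append(ts)
        while ts - recent[ip][0] > window:
            recent[ip].popleft()
        if len(recent[ip]) >= burst:
            alerts[ip].add("burst")
        if len(users[ip]) >= max_users:   # also catches slow guessing
            alerts[ip].add("many-usernames")
    return dict(alerts)
```

Calling `detect(SAMPLE_LOG)` reports `burst` and `login-after-alert` for 203.0.113.7 and `many-usernames` for 198.51.100.23; 192.0.2.10, with one failure followed by a success, is not reported.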

### **Exploiting Weak Permissions**

If the FTP server allows you to upload files and execute them, you can upload malicious scripts or binaries (e.g., PHP, Python) to gain access to the system.

Steps:

1. Upload a **reverse shell** to the FTP server.
2. Set up a listener on your machine to catch the connection.
3. Execute the shell script from the FTP directory (if allowed).

For example, using **Netcat**:

```bash
nc -lvnp 4444
```

Upload a reverse shell script to the server and execute it to gain a connection.
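The server-side settings behind anonymous login, directory traversal and the upload case above, as an added example (not from the original page): an audit of a vsftpd configuration. Option names and defaults are those documented in vsftpd.conf(5); both sample configurations, the function names and the finding labels are constructed for illustration.

```python
# Defaults as documented in vsftpd.conf(5); packaged config files often
# override them. Only the options relevant to this page are modelled.
DEFAULTS = {"anonymous_enable": "YES", "local_enable": "NO", "write_enable": "NO",
            "anon_upload_enable": "NO", "chroot_local_user": "NO"}

# Constructed sample configurations.
WEAK = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
local_enable=YES
"""
HARDENED = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
"""


def parse_conf(text):
    """Overlay key=value lines on the documented defaults."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key] = value
    return conf


def audit(text):
    conf = parse_conf(text)
    on = lambda key: conf.get(key, "").upper() == "YES"
    findings = []
    if on("anonymous_enable"):
        findings.append("anonymous-login")           # Anonymous Login
        if on("write_enable") and on("anon_upload_enable"):
            findings.append("anonymous-upload")      # Exploiting Weak Permissions
    # chroot_list_enable can change which users are jailed; not evaluated here.
    if on("local_enable") and not on("chroot_local_user"):
        findings.append("local-users-not-chrooted")  # Directory Traversal
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED), ("empty", "")):
        print(name, audit(conf))
```

An empty file still yields `anonymous-login`, because the documented default for `anonymous_enable` is `YES`.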

### **Misconfigurations and Default Credentials**

Check if the FTP server is using default credentials. Many FTP services come with default usernames and passwords. Refer to lists of default credentials for popular FTP software like **ProFTPD**, **vsftpd**, or **FileZilla**.

### **Vulnerable Software Versions**

Once you have identified the software version of the FTP server, search for known vulnerabilities and exploits. **Exploit-DB** is a great resource for this. Look for CVEs related to the FTP server software and version.

For example, **vsftpd 2.3.4** has a famous backdoor vulnerability (CVE-2011-2523).

Search for available exploits:

```bash
searchsploit vsftpd 2.3.4
```

This lists the matching Exploit-DB entries, which point to potential exploit paths for that version.
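An added example (not part of the original page) for the banner-grabbing and version-lookup steps: it parses a captured `220` greeting, including multi-line greetings, extracts product and version for the servers this page names, and flags the vsftpd 2.3.4 / CVE-2011-2523 pair mentioned above. The banners are constructed samples, and the patterns and function names are chosen here.

```python
import re

# Version patterns for the servers this page names (an assumption about
# common banner wording; real banners can be edited or suppressed).
PATTERNS = [
    ("vsftpd", re.compile(r"vsftpd\s+(\d+(?:\.\d+)+)", re.I)),
    ("ProFTPD", re.compile(r"ProFTPD\s+(\d+(?:\.\d+)+[a-z]?)", re.I)),
    ("FileZilla Server",
     re.compile(r"FileZilla Server\s+(?:version\s+)?(\d+(?:\.\d+)+)", re.I)),
]
# Only the version/CVE pair stated on this page.
KNOWN_BAD = {("vsftpd", "2.3.4"): "CVE-2011-2523"}


def greeting_text(raw):
    """Join a single- or multi-line 220 greeting into one string."""
    parts = []
    for line in raw.decode("latin-1").splitlines():
        m = re.match(r"(\d{3})([ -])(.*)", line)
        if not m:                      # bare continuation line
            parts.append(line.strip())
            continue
        if m.group(1) != "220":
            break
        parts.append(m.group(3).strip())
        if m.group(2) == " ":          # "220 " (space) closes the reply
            break
    return " ".join(p for p in parts if p)


def fingerprint(raw):
    """Return product, version and any advisory known for that pair."""
    text = greeting_text(raw)
    for product, rx in PATTERNS:
        m = rx.search(text)
        if m:
            return {"product": product, "version": m.group(1),
                    "advisory": KNOWN_BAD.get((product, m.group(1)))}
    return {"product": None, "version": None, "advisory": None}


if __name__ == "__main__":
    # Constructed banners, not captured from real hosts.
    for banner in (b"220 (vsFTPd 2.3.4)\r\n",
                   b"220-Welcome\r\n220 ProFTPD 1.3.5 Server ready\r\n",
                   b"220 FTP server ready\r\n"):
        print(fingerprint(banner))
```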

## **Privilege Escalation and Post-Exploitation**

Once you gain access, the next step is privilege escalation, where you aim to increase your privileges on the system to become an administrator or root.

### **Escalation via FTP Misconfigurations**

If you can access sensitive system files like `/etc/passwd` through FTP, you may be able to escalate your privileges by modifying files, creating new users, or gathering valuable information like password hashes.

### **Using Local Exploits**

If the FTP service allows file uploads, you can upload local privilege escalation scripts to the server. Look for kernel exploits that match the target system’s version.

Example:

1. Upload a local exploit to the FTP server.
2. Use the exploit to elevate privileges once executed.

### **Capturing Credentials**

If the FTP server logs user activity, you might be able to retrieve **plaintext credentials** from log files. Search for logs related to authentication or session data.

Use **grep** to search for specific strings in log files:

```bash
grep -i "user" /var/log/auth.log
```

Look for stored passwords or session tokens that can be used for further access.

## **Bypassing Firewalls and Filters**

Some FTP servers are configured with firewalls or filters that prevent direct exploitation. Here are some techniques to bypass them:

### **Active vs Passive Mode**

FTP operates in two modes: Active and Passive. If one mode is blocked by a firewall, you can try switching modes.

* **Active Mode**: Client opens a port for the server to connect.
* **Passive Mode**: Server opens a port for the client to connect.

Use the `passive` command in FTP clients if the active mode is blocked.
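How the data connection is negotiated in each mode, as an added example (not from the original page): the parser below decodes the `h1,h2,h3,h4,p1,p2` tuple from a client `PORT` command (active) or a server `227` reply (passive) and reports which side connects to which address and port, which is the flow a firewall has to allow. The transcript lines and addresses are constructed, and the function names are chosen here.

```python
import re

TUPLE_RE = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def data_endpoint(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' or '227 ... (h1,h2,h3,h4,p1,p2)'."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        mode = "active"      # client listens, server connects to it
    elif line.startswith("227 "):
        mode = "passive"     # server listens, client connects to it
    else:
        return None
    m = TUPLE_RE.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        return None
    return {"mode": mode,
            "host": ".".join(str(n) for n in nums[:4]),
            "port": nums[4] * 256 + nums[5]}   # port = p1 * 256 + p2


def data_flows(transcript, client_ip, server_ip):
    """List the TCP connections a firewall must allow for the data channel."""
    flows = []
    for line in transcript:
        ep = data_endpoint(line)
        if ep is None:
            continue
        src, peer = ((server_ip, client_ip) if ep["mode"] == "active"
                     else (client_ip, server_ip))
        flows.append({"mode": ep["mode"], "src": src, "dst": ep["host"],
                      "dport": ep["port"],
                      # False: the advertised address is not the control-channel
                      # peer (NAT, or a data connection aimed at a third host)
                      "matches_peer": ep["host"] == peer})
    return flows


# Constructed control-channel lines (documentation address ranges).
SAMPLE = ["USER alice", "PORT 192,0,2,10,195,80",
          "227 Entering Passive Mode (198,51,100,5,234,96).",
          "PORT 10,0,0,5,4,1"]

if __name__ == "__main__":
    for flow in data_flows(SAMPLE, "192.0.2.10", "198.51.100.5"):
        print(flow)
```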

### **Tunneling FTP Traffic**

You can tunnel FTP traffic through **SSH** or use proxy servers to bypass firewalls. This is useful when dealing with secure environments.

Example of tunneling FTP through SSH:

```bash
ssh -L 2121:<target-ip>:21 user@<ssh-server-ip>
```

This command forwards your local port 2121 to the target server's port 21, allowing you to bypass network restrictions.

## **Tools for FTP Penetration Testing**

Here is a list of tools commonly used for FTP pentesting:

* **Nmap**: For port scanning and service enumeration.
* **Hydra**: For brute force attacks on FTP credentials.
* **Metasploit**: Contains modules for FTP exploitation.
* **Netcat**: For banner grabbing and reverse shells.
* **Searchsploit**: For finding available exploits.
* **Wireshark**: For capturing and analyzing FTP traffic.
* **Burp Suite**: Can be used to intercept FTP traffic if using proxies.


