FTP (21)
enumerationports
Summary
Always test anonymous login, then mirror readable files. Note the banner (vsftpd/ProFTPD versions) for known CVEs, and watch for upload rights into a webroot.
Walkthrough
FTP (port 21) is an easy early win.
Checklist
- Anonymous login —
ftp anonymous@<IP>with any password. Tons of boxes
leave this open.
- Loot readable files —
wget -rmirrors the whole tree locally so you can
grep offline.
- Brute force — if anonymous fails but you have a userlist, run
hydra. - Banner / version — note the server software; vsftpd 2.3.4 and old
ProFTPD builds have public RCEs.
Pivots
- If FTP shares the same filesystem as a webserver (e.g. you can write to
/var/www), upload a webshell and trigger it over HTTP.
- Use
binarymode before transferring executables.
Commands
bash
# Try anonymous login first ftp anonymous@<IP> # Password: anything
bash
# Mirror everything if anonymous read is allowed wget -r ftp://anonymous:anything@<IP>/
bash
# Brute force credentials hydra -L users.txt -P passwords.txt <IP> ftp