← Back to search

FTP (21)

enumerationports

Summary

Always test anonymous login, then mirror readable files. Note the banner (vsftpd/ProFTPD versions) for known CVEs, and watch for upload rights into a webroot.

Walkthrough

FTP (port 21) is an easy early win.

Checklist

  1. Anonymous loginftp anonymous@<IP> with any password. Tons of boxes

leave this open.

  1. Loot readable fileswget -r mirrors the whole tree locally so you can

grep offline.

  1. Brute force — if anonymous fails but you have a userlist, run hydra.
  2. Banner / version — note the server software; vsftpd 2.3.4 and old

ProFTPD builds have public RCEs.

Pivots

  • If FTP shares the same filesystem as a webserver (e.g. you can write to

/var/www), upload a webshell and trigger it over HTTP.

  • Use binary mode before transferring executables.

Commands

bash

# Try anonymous login first
ftp anonymous@<IP>
# Password: anything

bash

# Mirror everything if anonymous read is allowed
wget -r ftp://anonymous:anything@<IP>/

bash

# Brute force credentials
hydra -L users.txt -P passwords.txt <IP> ftp