FTP Enumeration Guide
Introduction
FTP is a network protocol used to transfer files from a server to a client over a network. FTP servers can be accessed either via the ftp command-line tool or via third-party applications such as FileZilla. This service runs on port 21 by default.
This guide will cover the main methods to enumerate an FTP server in order to find potential vulnerabilities or misconfigurations.
Identifying an FTP Server
Port scanning tools such as Nmap can be used to identify whether an FTP server is running on the target host:
nmap -p 21 X.X.X.X
The scan has identified that the remote server is running FTP on port 21.
Banner Grabbing
Services often have a banner that is displayed when establishing a connection, Banner Grabbing is a technique used to gain information about the services and its version. Netcat can be used for this task:
nc -nv X.X.X.X 21
The banner is disclosing the application used on port 21 as well as the version (vsFTPd 3.0.3)
Once the FTP service and version running on the server have been identified, common exploit databases such as Exploit DB can be used to identify any potential vulnerabilities:
In case of vsFTPd 2.3.2, for example, the only available exploit on Exploit DB was a denial of service, but unpatched FTP applications can often lead to vulnerabilities such as arbitrary file write/read, remote command execution and more.
Banner grabbing can also be performed using the -sV Nmap flag or through the auxiliary/scanner/ftp/ftp_version Metasploit module.
Anonymous Authentication
FTP has a way to allow remote users to authenticate without having the need to identify themselves to the server. If this feature is enabled on the FTP server, users will be able to authenticate using anonymous as the username and any password
Anonymous FTP is a common way to get access to a server in order to view or download files that are publicly available, although it can pose a security risk if the FTP server is exposing sensitive files or folders. The FTP command can be used to perform an authentication as follows:
ftp X.X.X.X
#provide anonymous as username
#provide any passowrd
Thrugh anonymous authentication, a connection was established to the remote server without the need of any credentials.
Anonymous authentications can also be performed using the Nmap ftp-anon script, the Metasploit auxiliary/scanner/ftp/anonymous module or through graphical user interfaces such as FileZilla.
Common Credentials
A few common passwords or usernames (if unknown) such as admin, administrator, root, ftpuser, test etc. should be tried if anonymous authentication is disabled on the remote FTP server. This is safer than bruteforcing and it should always be tried when possible.
In the example above, a connection was established by using a password of “test”.
An FTP authentication can also be performed using the auxiliary/scanner/ftp/ftp_login Metasploit module, graphical user interfaces such as FileZilla or by simply typing ftp://X.X.X.X/ in the URL bar of a browser.
Bruteforcing Credentials
A brute-force attack consists of an attacker submitting a number of passwords or usernames with the purpose of identifying the correct combination to access a given system.
Network cracking tools such as Hydra can be used to perform bruteforce attacks against online services such as FTP, HTTP, SMB etc. In this specific case it will be a dictionary attack, meaning hydra will use a list of usernames and passwords from a text file to perform the authentication attempts.
The following command can be used in Hydra to bruteforce FTP credentials:
hydra [-L users.txt or -l user_name] [-P pass.txt or -p password] -f [-S port] ftp://X.X.X.X
The command above has identified the password for the “ftpuser” user, by providing a list of usernames and passwords.
FTP servers credentials can also be bruteforced by using the Nmap ftp-brute script or the Metasploit auxiliary/scanner/ftp/ftp_version module.
Packet Sniffing
Packet sniffing is the practice of gathering, collecting, and logging some or all packets that pass through a computer network, regardless of how the packet is addressed.
Because data transmitted over FTP on port 21 is unencrypted, an attacker could intercept traffic on the network and identify the credentials being used to perform the authentication.
Wireshark is a widely popular network sniffing and packet analyzing tool that can be used to do exactly that. The main screen displays all of the traffic within the network (in this case a filter for port 21 has been applied):
The Follow→TCP Stream functionality can be used to inspect the actual traffic:
In this case Wireshark was able to capture the connection made on port 21 and display the clear-text credentials used to authenticate.
The dig command line tool which comes with Kali Linux can also be used to analyze network traffic.
Enumerating Files & Folders
Once an authentication has been performed successfully, steps should be performed in order to identify the following:
- Current working directory
- Whether FTP is granting access to directories being used by other services
- Files and folders the current user has access to read/write to
These enumeration steps are key in order to further exploit FTP. For example, if the FTP server grants access to a folder used by a web server, a malicious script can be uploaded and executed from a browser. Alternatively, if the current FTP user can access or modify certain files such as .bash_history, SSH keys, passwd/shadow etc. it could potentially grant remote access to the system.
Nmap Scripts
The Nmap Scripting Engine (NSE) allows users to write (and share) simple scripts (using the Lua programming language ) to automate a wide variety of networking tasks.
Nmap comes with several FTP-related scripts such as:
- ftp-anon – Checks if an FTP server allows anonymous logins.
- ftp-brute – Performs brute-force password auditing against FTP servers.
- ftp-bounce – Checks to see if an FTP server allows port scanning using the FTP bounce method.
When using Nmap, scripts can be specified using the –script flag as follows:
nmap -p 21 --script [script name] X.X.X.X
Nmap scripts can be very powerful and can help greatly in speeding up reconassaince. The -sC flag will perform all scripts deemed as safe by Nmap when doing a port scan.
Common FTP Commands
Below are some of the most common commands that can be used when communicating with an FTP server:
| Command | Description |
| ?/help | print local help information |
| append | Append to a file |
| ascii | set ascii transfer type |
| binary | Set Binary transfer type |
| bye/exit/quit | Terminate ftp session and exit |
| cd | Change remote working directory |
| chmod | Change file permissions of remote file |
| close/disconnect | Terminate FTP session |
| debug | toggle/set debugging mode |
| delete/mdelete (multiple) | delete remote file |
| dir/ls | list contents of remote directory |
| get/recv/mget (multiple) | receive file |
| mkdir | make directory on remote machine |
| passive | enter passive transfer mode |
| put/mput (multiple) | send one file |
| pwd | print working directory on remote machine |
| rename | rename file |
| rmdir | remove directory on remote machine |
| size | show size of remote file |
| type | set file transfer type |
| verbose | toggle verbose mode |
When an FTP connection can be established, either through anonymous login or via an authenticated user, the above commands can be useful for downloading, uploading, modifying and removing files.
Conclusion
FTP is a very common service when performing penetration testing, and although in most cases it does not pose a huge threat by itself, it can often help attackers in gaining remote system access by uploading or modifying sensitive files via FTP.
Anonymous authentication should be disabled unless absolutely necessary, strong passwords should be enforced, when practicable, SFTP should be used over FTP and the service used on the server side should be patched regularly.
