- Many different types of FTP server
- Nmap scan results
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
- Before connecting, ensure that the directory you are in (on your local machine) is writable, or else you will not be able to download anything off the remote ftp server
ftp <ip>
username: anonymous
password: <enter>
- If successful it will let you know you successfully logged in and might tell you the OS
230 User logged in.
Remote system type is Windows_NT.
- Attempt to download and also place files.
- Start with attempting to just place a text file with some words
- If the file name has spaces, be sure to escape the space character
#anonymous login allowed
02-28-22 07:36PM <DIR> Nadine
02-28-22 07:37PM <DIR> Nathan
ftp> cd Nadine
ftp> get Confidential.txt
ftp> cd Nathan
ftp> get Notes\ to\ do.txt
Good wordlist for FTP brute https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt
Anon login and bounce FTP checks are performed by default by nmap with the -sC option or:
nmap --script "ftp-*" -p 21 <ip>
- If a client machine has a firewall up, then Active FTP will create issues
- Connect like normal to the ftp server
- Once connected have your first command be:
passv
#or
passive
- This will switch the FTP client-server connection to passive mode and allow you to operate as normal.
- To download one file use:
get filename.txt
- To download everything in a specific directory use:
mget *
- To upload a file to the ftp server use:
put filename.txt
#or
mput filename.txt
- If there is also a web server, it is possible that the same directories accessible on the ftp server are hosted on the web server
- For example if on the ftp server there is a directory called scripts, attempt to see if there is a directory on the web server called scripts.
- This will allow for an easy web shell upload, which can then be executed via the web server.
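From the server owner's side, the anonymous login, download and upload activity described above shows up in the FTP log. The following is an added example, not part of the original notes: it assumes a W3C extended log with a "#Fields:" header, the log lines are constructed, and WEB_SHARED_DIRS is a hypothetical list of FTP paths that are also served over HTTP.

```python
# Added example: constructed log lines, not taken from a real server.
# Layout assumption: W3C extended format, columns named by the "#Fields:" header.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2022-03-01 10:00:01 10.0.0.5 - USER anonymous 331
2022-03-01 10:00:02 10.0.0.5 anonymous PASS *** 230
2022-03-01 10:00:05 10.0.0.5 anonymous RETR /Nadine/Confidential.txt 226
2022-03-01 10:00:09 10.0.0.5 anonymous STOR /scripts/test.txt 226
2022-03-01 10:00:12 10.0.0.5 anonymous STOR /Nathan/a.txt 550
2022-03-01 10:01:00 10.0.0.9 nathan STOR /scripts/deploy.txt 226
"""

ANON_USERS = {"anonymous", "ftp"}
WEB_SHARED_DIRS = ("/scripts/",)  # assumption: FTP paths also served over HTTP


def parse(log_text):
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):  # skip malformed or truncated lines
                rows.append(dict(zip(fields, parts)))
    return rows


def findings(rows):
    """Return (kind, client_ip, path) tuples for successful anonymous activity."""
    out = []
    for r in rows:
        if r["cs-username"].lower() not in ANON_USERS:
            continue
        if not r["sc-status"].startswith("2"):
            continue  # failed attempts (e.g. 550) are not findings here
        method, path = r["cs-method"].upper(), r["cs-uri-stem"]
        if method == "PASS":
            out.append(("anon-login", r["c-ip"], "-"))
        elif method == "RETR":
            out.append(("anon-download", r["c-ip"], path))
        elif method in ("STOR", "APPE", "STOU"):
            web = path.lower().startswith(WEB_SHARED_DIRS)
            out.append(("anon-upload-web-dir" if web else "anon-upload", r["c-ip"], path))
    return out


if __name__ == "__main__":
    for f in findings(parse(SAMPLE_LOG)):
        print(*f)
```

An "anon-upload-web-dir" finding is the one to act on first: disable anonymous write access, or move the web-served directory out of the FTP root.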