File Transfer Protocol (FTP)

File Transfer Protocol (FTP) is a widely used protocol to transfer files. It's mostly used externally, unlike SMB or NFS.

🐊️ Ports: 21 (TCP/control), and 20 (TCP/data)

🔥 FTP communications are not encrypted.

🔒 There is a secure version called FTPS (port 990, over SSL/TLS).

$ ftp IP # use current user username
$ ftp username@IP
$ ftp username@IP port # the port is a positional argument; -p selects passive mode
ftp> help

If username@IP doesn't work, you can manually connect:

$ ftp -n IP
ftp> user username
Password: xxx

FTP protocol internals

An FTP session starts with a login exchange on the control channel: USER with a username, then PASS with the password.

There are two modes in FTP: active and passive. The mode determines the port used to transfer data. In active mode, data is transferred via port 20, while in passive mode, a port higher than 1023 is used.

There are two channels in an FTP connection: a channel to send commands (also called control), and one to transfer data. There is also a transfer mode, which could be ASCII, or binary (default). You can enter type [a|i] or ascii|binary to switch.

Once in an FTP shell, here are some commands you may use:

ftp> pwd # path to the current folder
ftp> ls folder # list files
ftp> cd folder # move to folder
ftp> put /local/path /remote/dest # upload
ftp> get /remote/path /local/dest # download
ftp> less file # read file
ftp> exit # exit
ftp> bye # same

To download all files:

$ wget -m --no-passive-ftp ftp://username:password@IP

And to query information about the server:

ftp> syst # information about the system
ftp> stat # same, but there is the version+ftp client name
ftp> status # same as 'stat'

➡️ If put/get keep failing, try moving to the target folder first.


FTP Pentester notes ☠️

FTP may be used by hackers to find interesting files. Remember to check for hidden files. ⚠️

Enumeration

  • We can use nmap to run basic scripts
$ nmap -sC -sV -p 21 IP
  • We may be able to use FTP bounce to scan for ports
$ nmap [...] -b ftp:username:password@IP INTERNAL_IP

Foothold

  • Anonymous users may have been enabled. Try a blank password.
$ ftp anonymous@IP
  • The password may be weak and vulnerable to brute force.
$ hydra -L user.list -P password.list ftp://IP -V -f

Well-known CVEs

  • ProFTPD 1.3.5: users could move files from a non-mounted path to the mounted path. You could steal an id_rsa for instance.

  • vsFTPd 2.3.4: has a backdoor as per CVE-2011-2523.

  • CoreFTP 727: can use PUT to arbitrarily upload files


Random Notes

Simple FTP Server

You can use pyftpdlib:

$ sudo apt install python3-pyftpdlib
$ python3 -m pyftpdlib --port 21
$ python3 -m pyftpdlib --port 21 --write

You can use twisted 👻:

$ sudo pip3 install twisted
$ sudo python3 -m twisted ftp -p 21 -r .

👻 To-do 👻

Stuff that I found, but haven't read/used yet.

  • ftp -p (passive mode, may bypass some firewall)
  • tftp
  • configuration (/etc/vsftpd.conf, /etc/ftpusers=deny FTP access)
  • hide usernames (hide_ids=YES, use ftp:ftp)
  • nmap ftp-anon, ftp-syst