The File Transfer Protocol (FTP) is used to transfer computer files between a client and a server on a network. It usually runs as a server-side daemon listening on port 21.
FTP port 21 open
- Fingerprint server
- telnet ip_address 21 (Banner grab)
- Run command ftp ip_address
- Check for anonymous access
- ftp ip_address (Username: anonymous OR anon, Password: email@example.com)
- Password guessing
- Hydra brute force
- Examine configuration files
ftp-vulnerability-scan - Nmap can be leveraged to scan FTP services for known vulnerabilities. Example syntax:
nmap -sV -Pn -vv -p [PORT] --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 [IP]
ftp-default - Hydra can be utilized to check FTP services for default credentials.
hydra -s [PORT] -C ./wordlists/ftp-userpass-def.txt -u -f [IP] ftp
FTP users may authenticate with a clear-text sign-in protocol, normally a username and password, but can connect anonymously if the server is configured to allow it. If anonymous login is allowed, anyone can log in to the server. An attacker can easily check for anonymous login permission using the following Metasploit auxiliary module.
use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > set rhosts 192.168.0.106
msf auxiliary(anonymous) > exploit
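The anonymous-login and password-guessing checks described above both leave login records on the server. As an added example (not code from the original page), this Python script scans vsftpd-style log lines for accepted anonymous sessions, for sources with repeated failed logins, and for a successful login that follows such a run. The log layout, the constructed sample lines, the function name `analyze` and the threshold of five failures are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the style of vsftpd's log file (not taken from the page).
SAMPLE_LOG = '''\
Mon Mar  4 10:15:01 2024 [pid 2101] CONNECT: Client "192.168.0.50"
Mon Mar  4 10:15:02 2024 [pid 2100] [ftp] OK LOGIN: Client "192.168.0.50", anon password "email@example.com"
Mon Mar  4 10:20:11 2024 [pid 2110] [admin] FAIL LOGIN: Client "192.168.0.77"
Mon Mar  4 10:20:12 2024 [pid 2112] [root] FAIL LOGIN: Client "192.168.0.77"
Mon Mar  4 10:20:13 2024 [pid 2114] [ftpuser] FAIL LOGIN: Client "192.168.0.77"
Mon Mar  4 10:20:14 2024 [pid 2116] [admin] FAIL LOGIN: Client "192.168.0.77"
Mon Mar  4 10:20:15 2024 [pid 2118] [backup] FAIL LOGIN: Client "192.168.0.77"
Mon Mar  4 10:20:16 2024 [pid 2120] [backup] OK LOGIN: Client "192.168.0.77"
Mon Mar  4 11:02:40 2024 [pid 2130] [alice] FAIL LOGIN: Client "192.168.0.12"
Mon Mar  4 11:02:55 2024 [pid 2132] [alice] OK LOGIN: Client "192.168.0.12"
'''

# Assumed layout: [pid N] [user] OK|FAIL LOGIN: Client "ip"[, anon password "..."]
LOGIN_RE = re.compile(
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: '
    r'Client "(?P<ip>[^"]+)"(?P<anon>, anon password)?')

def analyze(log_text, fail_threshold=5):
    """Return anonymous logins, guessing sources, and logins that followed guessing."""
    anon, hits, fails, tried = [], [], Counter(), {}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # CONNECT, transfer and other non-login lines
        ip, user = m["ip"], m["user"]
        if m["result"] == "FAIL":
            fails[ip] += 1
            tried.setdefault(ip, set()).add(user)
        elif m["anon"]:
            anon.append(ip)  # anonymous session accepted by the server
        elif fails[ip] >= fail_threshold:
            hits.append((ip, user))  # success right after a guessing run
    guessing = {ip: (n, sorted(tried[ip]))
                for ip, n in fails.items() if n >= fail_threshold}
    return {"anonymous_logins": anon, "guessing": guessing,
            "success_after_guessing": hits}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

A single mistyped password followed by a success (the `alice` lines) stays below the threshold and is not reported.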