The File Transfer Protocol (FTP) is used to transfer computer files between a client and a server on a network. The service listens on port 21 and usually runs as a server-side daemon.

FTP port 21 open

  • Fingerprint server
    • telnet ip_address 21 (Banner grab)
    • Run command ftp ip_address
    • ftp@example.com
    • Check for anonymous access
      • ftp ip_address (Username: anonymous OR anon; Password: any@email.com)
  • Password guessing
    • Hydra brute force
    • medusa
    • Brutus
  • Examine configuration files
    • ftpusers
    • ftp.conf
    • proftpd.conf
  • MiTM
    • pasvagg.pl
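
The configuration files listed above decide whether anonymous and root logins are accepted. The following is an added example, not part of the original page: a Python audit of proftpd.conf and ftpusers text for those settings. The sample inputs are constructed, and the finding labels and the must_deny account list are this example's own assumptions.

```python
import re

# Constructed sample inputs; finding labels and must_deny are this example's choices.
SAMPLE_PROFTPD_CONF = """\
RootLogin on
UseFtpUsers off
<Anonymous ~ftp>
  User ftp
  UserAlias anonymous ftp
  <Limit READ>
    AllowAll
  </Limit>
</Anonymous>
"""
SAMPLE_FTPUSERS = "# accounts denied FTP login\ndaemon\nbin\n"

def _lines(text):
    """Yield config lines with '#' comments and blanks removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def audit_proftpd(conf):
    """Return findings for anonymous access, root login and ftpusers use."""
    findings, in_anon, in_write_limit, write_denied = [], False, False, False
    for line in _lines(conf):
        low = line.lower()
        if low.startswith("<anonymous"):
            in_anon, write_denied = True, False
        elif low == "</anonymous>":
            findings.append("anonymous-enabled")
            if not write_denied:
                findings.append("anonymous-write-not-denied")
            in_anon = False
        elif in_anon and re.match(r"<limit\b.*\bwrite\b", low):
            in_write_limit = True
        elif low == "</limit>":
            in_write_limit = False
        elif in_write_limit and low == "denyall":
            write_denied = True
        elif re.fullmatch(r"rootlogin\s+on", low):
            findings.append("root-login-allowed")
        elif re.fullmatch(r"useftpusers\s+off", low):
            findings.append("ftpusers-ignored")
    return findings

def missing_from_ftpusers(text, must_deny=("root", "daemon", "bin")):
    """ftpusers lists accounts that may NOT log in; return absent ones."""
    return [u for u in must_deny if u not in set(_lines(text))]
```

An empty result from both functions means no anonymous block, no root login override, and every account in must_deny is blocked by ftpusers.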

NMAP Query

ftp-vulnerability-scan - Nmap can be leveraged to scan FTP services for known vulnerabilities. Example syntax:

nmap -sV -Pn -vv -p [PORT] --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 [IP]  

HYDRA Query

ftp-default - Hydra can be utilized to check FTP services for default credentials.

hydra -s [PORT] -C ./wordlists/ftp-userpass-def.txt -u -f [IP] ftp  

METASPLOIT Actions

FTP users may authenticate with a clear-text sign-in protocol, normally a username and password, but can connect anonymously if the server is configured to allow it. If anonymous login is allowed, anyone can log in to the server. An attacker can easily check for anonymous login permission using the following Metasploit auxiliary module.

msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > set rhosts 192.168.0.106
msf auxiliary(anonymous) > exploit

FTP Enumeration PORT 21
