# FTP

**FTP (File Transfer Protocol)** is one of the oldest protocols still widely used for transferring files over a network. It operates over **TCP port 21** and allows clients to upload, download, or manage files on a remote server.

## How Does It Work?

* **Client connects** to an FTP server.
* Server authenticates the client (either with **credentials** or **anonymously**).
* Depending on permissions, the client can **list**, **upload**, **download**, **delete**, or **modify** files.

## Why Is FTP Still Used?

Despite being outdated and unencrypted, FTP is still used for:

* File distribution (software mirrors)
* Interfacing with legacy systems
* Automated backups and data exports

## Why Pentesters Love FTP

FTP is a goldmine for attackers and red teamers because:

* It often runs with **weak or default credentials**
* It is commonly **misconfigured**
* It may expose **sensitive files**, credentials, or even remote shells
* Traffic is often **unencrypted**, making it easy to sniff credentials with tools like Wireshark

{% hint style="success" %}
Make [SecLists](https://github.com/danielmiessler/SecLists) your FRIEND! 😍

You need to learn how to choose the right wordlist for whatever scenario you are in.
{% endhint %}

## FTP Misconfigurations

Misconfigurations in FTP servers are among the most common and dangerous security pitfalls. They often arise from default settings, poor understanding of access controls, or simply trying to make file sharing “easier” at the cost of security. In penetration testing, FTP misconfigurations are low-hanging fruit — a frequent entry point for an attacker.

### Lab Configuration Example (`/etc/vsftpd.conf`)

```bash
# Allow anonymous login (INSECURE)
anonymous_enable=YES
# Allow local user login
local_enable=YES
# Allow writing (uploading files)
write_enable=YES
# Allow anonymous users to upload (VERY INSECURE)
anon_upload_enable=YES
# Allow anonymous directory creation
anon_mkdir_write_enable=YES
```

### Why This Is Bad:

* **No authentication barrier:** Anyone can log in as "anonymous".
* **Writable upload directory:** Allows attackers to upload malicious files, web shells, or tools.
* **Directory traversal risks** if the user isn't jailed properly.
* **PII leakage:** Files like `creds.txt`, `flag.txt`, `payroll.csv` may be exposed.
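
An added example (not part of the original page or the vsftpd project): a small auditor that reads a `vsftpd.conf`, applies vsftpd's documented defaults for options that are absent, and reports the weaknesses listed above. `WEAK` and `HARDENED` are constructed samples, and the function names and finding strings are this example's own.

```python
import re

# vsftpd's compiled-in defaults (man vsftpd.conf); used when an option is absent.
DEFAULTS = {"anonymous_enable": True, "local_enable": False, "write_enable": False,
            "anon_upload_enable": False, "anon_mkdir_write_enable": False,
            "chroot_local_user": False, "ssl_enable": False}
BOOLS = {"YES": True, "TRUE": True, "1": True, "NO": False, "FALSE": False, "0": False}

def parse_conf(text):
    """Return (effective settings, malformed line numbers) for the audited options."""
    settings, malformed = dict(DEFAULTS), []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue                      # blank line or whole-line comment
        m = re.fullmatch(r"([a-z0-9_]+)=(.*)", line)
        if not m:
            malformed.append(n)           # e.g. spaces around '='
        elif m.group(1) in DEFAULTS:
            value = BOOLS.get(m.group(2).upper())
            if value is None:             # trailing space or inline comment
                malformed.append(n)
            else:
                settings[m.group(1)] = value
    return settings, malformed

def audit(text):
    """Return a list of finding strings for the effective configuration."""
    s, malformed = parse_conf(text)
    findings = [f"line {n}: not a clean option=value line" for n in malformed]
    if s["anonymous_enable"]:
        findings.append("anonymous login enabled")
        if s["write_enable"]:             # anonymous writes also need write_enable
            findings += [f"anonymous write via {o}" for o in
                         ("anon_upload_enable", "anon_mkdir_write_enable") if s[o]]
    if s["local_enable"] and not s["chroot_local_user"]:
        findings.append("local users not chrooted")
    if not s["ssl_enable"]:
        findings.append("plain-text control and data channels")
    return findings

# Constructed samples: the lab's weak settings and a tightened counterpart.
WEAK = ("anonymous_enable=YES\nlocal_enable=YES\nwrite_enable=YES\n"
        "anon_upload_enable=YES\nanon_mkdir_write_enable=YES\n")
HARDENED = ("anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\n"
            "chroot_local_user=YES\nssl_enable=YES\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED), ("empty", "")):
        print(name, audit(conf))
```

An empty file still reports anonymous login, because `anonymous_enable` defaults to `YES` when the line is missing; a line such as `anonymous_enable=NO  # off` is reported as malformed and leaves that default in force.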

***

## Nmap Scan

Below is an Nmap scan I ran against the lab environment we provide for FTP enumeration:

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap enumlikeapro.nca -T4 -sCV -p 21
</strong>..SNIP..
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rwxrwxrwx    1 0        0              32 May 10 06:38 creds.txt [NSE: writeable]
| drwxrwxrwx    2 0        0            4096 May 10 06:39 devops [NSE: writeable]
| drwxrwxrwx    4 0        0            4096 May 10 06:39 engineering [NSE: writeable]
| drwxrwxrwx    3 0        0            4096 May 10 06:39 finance [NSE: writeable]
| -rwxrwxrwx    1 0        0              33 May 10 06:35 flag.txt [NSE: writeable]
| drwxrwxrwx    3 0        0            4096 May 10 06:39 it [NSE: writeable]
| drwxrwxrwx    2 0        0            4096 May 10 06:39 legal [NSE: writeable]
|_drwxrwxrwx    2 65534    65534        4096 May 23 16:02 upload [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.10.76
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
Service Info: OS: Unix
</code></pre>

## Anonymous Login

**Anonymous login** is a feature of many FTP servers where users can log in without a username or password. By default, most servers accept the username `anonymous` and any string (even blank) as the password. Historically, this was used to allow public access to download software or documents — such as Linux ISO mirrors or public datasets.

However, when left enabled on sensitive or internal systems, **anonymous FTP is a critical security risk**.

In our intentionally vulnerable lab setup, we’ve configured the FTP server at `enumlikeapro.nca` to allow **anonymous access.**

This means **anyone** can connect to the FTP server and browse its contents. No password or user validation is required. Here’s how you can try it:

<pre class="language-bash"><code class="lang-bash"><strong>❯ ftp anonymous@enumlikeapro.nca
</strong>Connected to enumlikeapro.nca.
220 (vsFTPd 3.0.5)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 
</code></pre>

Once connected, you can explore the directory structure:

```bash
ftp> ls
229 Entering Extended Passive Mode (|||40010|)
150 Here comes the directory listing.
-rwxrwxrwx    1 0        0              32 May 10 06:38 creds.txt
drwxrwxrwx    2 0        0            4096 May 10 06:39 devops
drwxrwxrwx    4 0        0            4096 May 10 06:39 engineering
drwxrwxrwx    3 0        0            4096 May 10 06:39 finance
-rwxrwxrwx    1 0        0              33 May 10 06:35 flag.txt
drwxrwxrwx    3 0        0            4096 May 10 06:39 it
drwxrwxrwx    2 0        0            4096 May 10 06:39 legal
drwxrwxrwx    2 65534    65534        4096 May 23 16:02 upload
226 Directory send OK.
```

You’ll see that **sensitive files** like `creds.txt` and department folders (`engineering/`, `it/`, `legal/`) are exposed to the public. This demonstrates the real-world danger of anonymous login paired with poor directory permissions.

### Realistic Scenarios

Anonymous login becomes even more dangerous when:

* A developer accidentally uploads `.env` or `.conf` files with API keys
* `creds.txt` includes reused SSH or application passwords
* The FTP root is also the web root (e.g., `/var/www/html`), making uploaded scripts **publicly accessible**

## Basic FTP Commands

Once you connect to an FTP server, you enter an interactive shell where you can issue commands to list, download, upload, and navigate files and directories. These commands are very similar to those used in Unix-like systems — but with slight differences.

The following cheatsheet is for reference. Try the commands yourself; since you have already used Linux, it shouldn't be that big of a deal:

| Command         | Description                                 |
| --------------- | ------------------------------------------- |
| `ftp <host>`    | Connect to an FTP server                    |
| `ls` / `dir`    | List files and directories                  |
| `cd <dir>`      | Change directory                            |
| `get <file>`    | Download a file from the server             |
| `put <file>`    | Upload a file to the server                 |
| `mget <files>`  | Download multiple files (wildcards allowed) |
| `mput <files>`  | Upload multiple files                       |
| `pwd`           | Print working directory on the server       |
| `delete <file>` | Delete a file on the server (if allowed)    |
| `mkdir <dir>`   | Create a new directory on the server        |
| `rmdir <dir>`   | Remove a directory                          |
| `quit` / `bye`  | Exit the FTP session                        |
| `help`          | Show available FTP commands                 |

## Brute-Forcing FTP Credentials

When anonymous access is disabled or limited, attackers often pivot to **brute-forcing valid user credentials** — especially when `local_enable=YES` is set in the FTP configuration. This means any user account on the server (like `gita` or `hari`) can be targeted for login.

One of the most effective and commonly used tools for brute-forcing credentials is [**Hydra**](https://github.com/vanhauser-thc/thc-hydra). It supports parallelized login attempts and works against many services, including FTP.

Here’s how we can use Hydra to target the `gita` user on our lab’s FTP server:

<pre class="language-bash"><code class="lang-bash"><strong>❯ hydra -l gita -P EnumLikeAPro/passwords.txt ftp://enumlikeapro.nca -t 32
</strong>Hydra v9.5 (c) 2023 by van Hauser/THC &#x26; David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-23 22:12:53
[DATA] max 32 tasks per 1 server, overall 32 tasks, 52 login tries (l:1/p:52), ~2 tries per task
[DATA] attacking ftp://enumlikeapro.nca:21/
[21][ftp] host: enumlikeapro.nca   login: gita   password: REDACTED_PASSWORD
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-23 22:12:59
</code></pre>

If `EnumLikeAPro/passwords.txt` includes the correct password, Hydra will quickly find it.
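
The defender's view of the same run, as an added example that is not part of the original page: a sliding-window detector over vsftpd login log lines that flags a burst of failures from one client and a successful login that follows it. The log lines are constructed and assume vsftpd's native log format (not xferlog); the threshold, window and alert names are illustrative choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches lines such as:
#   Fri May 23 22:12:53 2025 [pid 100] [gita] FAIL LOGIN: Client "192.168.10.76"
LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<res>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, client_ip, user) tuples, in log order."""
    fails = defaultdict(deque)      # client IP -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                # CONNECT lines, transfers, anything else
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        q = fails[m["ip"]]
        while q and ts - q[0] > window:
            q.popleft()             # drop failures older than the window
        if m["res"] == "FAIL":
            q.append(ts)
            if len(q) >= threshold and m["ip"] not in flagged:
                flagged.add(m["ip"])
                alerts.append(("bruteforce", m["ip"], m["user"]))
        elif len(q) >= threshold:   # success right after a burst of failures
            alerts.append(("login-after-bruteforce", m["ip"], m["user"]))
            q.clear()
    return alerts

# Constructed sample: six rapid failures then a success from one client,
# and an ordinary mistyped password from another.
SAMPLE = ['Fri May 23 22:12:52 2025 [pid 99] CONNECT: Client "192.168.10.76"']
SAMPLE += [f'Fri May 23 22:12:{53 + i} 2025 [pid {100 + i}] [gita] '
           f'FAIL LOGIN: Client "192.168.10.76"' for i in range(6)]
SAMPLE += [
    'Fri May 23 22:12:59 2025 [pid 106] [gita] OK LOGIN: Client "192.168.10.76"',
    'Fri May 23 22:20:01 2025 [pid 300] [hari] FAIL LOGIN: Client "192.168.10.20"',
    'Fri May 23 22:20:09 2025 [pid 301] [hari] OK LOGIN: Client "192.168.10.20"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Failures are counted per client rather than per user, so the same logic also catches one source trying a few passwords against many accounts.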

### Credential Reuse Across Services

In many real-world scenarios, **users reuse passwords** across multiple services (e.g., FTP, SSH, databases). In our lab environment, we’ve intentionally configured things this way to teach this exact lesson.

After brute-forcing FTP for user `gita`, try logging into SSH using the same credentials:

```
ssh gita@enumlikeapro.nca
```

You’ll likely be greeted with a shell prompt — meaning your FTP brute force just **pivoted into full shell access** via SSH.

{% hint style="danger" %}
You already obtained a shell as gita in the SSH enumeration part, so you can skip this part.
{% endhint %}

## Shared Home Directories

Another important lab configuration we’ve made is that:

{% hint style="info" %}
🔐 The home directory used for FTP access is the **same** as the user's SSH home directory.
{% endhint %}

So if you upload a file via FTP to `/home/gita/upload/`, and then log in via SSH as `gita`, you’ll find the same file in that directory.

This mirrors many real-world misconfigurations where:

* FTP and SSH use the same user accounts
* Home directories are shared across services
* Files dropped via FTP can be used for **post-exploitation**, **data exfiltration**, or **command execution**

{% hint style="success" %}
🧠 **Note:** While we’ve set this up intentionally for demonstration, this isn’t always the case. In production environments, FTP may use a restricted chroot jail or a different directory tree. Always test and enumerate!
{% endhint %}


