FTP Enumeration Cheatsheet
Default Ports: 21 (control), 20 (data - active mode)
Banner Grabbing & Connection
nc -nv <ip> 21
telnet <ip> 21
ftp <ip>
openssl s_client -connect <ip>:21 -starttls ftp # FTPS
Anonymous Login
ftp <ip>
# Username: anonymous
# Password: anonymous (or leave blank)
# Via curl
curl -v ftp://<ip>/ --user anonymous:anonymous
curl -v ftp://<ip>/<path>/ --user anonymous:anonymous
FTP Commands (Once Connected)
USER <username> # Send username
PASS <password> # Send password
SYST # Display system type
STAT # Status / verbose file listing
LIST # List files (verbose)
NLST # Name list (simple)
PWD # Print working directory
CWD <dir> # Change directory
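GET <file> # Download file (client command; sent on the wire as RETR)
PUT <file> # Upload file (client command; sent on the wire as STOR)
MGET * # Download all files (client command)
BINARY # Switch to binary transfer mode (client command; sent as TYPE I)
ASCII # Switch to ASCII transfer mode (client command; sent as TYPE A)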
PASV # Enter passive mode
QUIT # Disconnect
Nmap FTP Scripts
nmap -p 21 --script ftp-anon <ip> # Check anonymous login
nmap -p 21 --script ftp-banner <ip> # Banner grab
nmap -p 21 --script ftp-brute <ip> # Brute force credentials
nmap -p 21 --script ftp-bounce <ip> # FTP bounce attack check
nmap -p 21 --script ftp-syst <ip> # SYST command response
nmap -p 21 --script ftp-vsftpd-backdoor <ip> # vsFTPd 2.3.4 backdoor check
nmap -p 21 -sV --script "ftp-*" <ip> # Run all FTP scripts (quoted so the shell does not expand the glob)
Brute Force
hydra -l <user> -P wordlist.txt ftp://<ip>
hydra -L users.txt -P wordlist.txt ftp://<ip>
medusa -u <user> -P wordlist.txt -h <ip> -M ftp
Bulk Download
# wget recursive mirror (active mode, passive FTP disabled)
wget -m --no-passive-ftp ftp://anonymous:anonymous@<ip>
# curl: fetch each entry in the top-level directory (not recursive)
curl -s --list-only ftp://<ip>/ --user anonymous:anonymous | \
while IFS= read -r f; do curl -s "ftp://<ip>/$f" --user anonymous:anonymous -O; done
Key Vulnerabilities
| Software | CVE | Description |
|---|---|---|
| vsFTPd 2.3.4 | CVE-2011-2523 | Backdoor shell on port 6200 |
| ProFTPd 1.3.5 | CVE-2015-3306 | mod_copy unauthenticated file copy |
| ProFTPd 1.3.3c | CVE-2010-4221 | Remote heap overflow |
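Added example (not part of the original cheatsheet): a small audit helper for your own servers that parses a saved control-channel capture, including RFC 959 multi-line replies, and flags a banner listed in the table above or an accepted anonymous login. The names `parse_replies`, `audit`, `KNOWN` and `SAMPLE` are hypothetical, and the capture is constructed.

```python
import re

# Software/version pairs and CVE ids copied from the table above.
KNOWN = {("vsftpd", "2.3.4"): "CVE-2011-2523",
         ("proftpd", "1.3.5"): "CVE-2015-3306",
         ("proftpd", "1.3.3c"): "CVE-2010-4221"}

# Constructed capture of an anonymous login attempt (not from a real host).
SAMPLE = ("220-Welcome\r\n"
          " maintenance window Sunday\r\n"
          "220 ProFTPD 1.3.5 Server (constructed) [192.0.2.10]\r\n"
          "331 Anonymous login ok, send your email address as password\r\n"
          "230 Anonymous access granted, restrictions apply\r\n")

def parse_replies(raw):
    """Split a capture into (code, text) replies. Per RFC 959 a multi-line
    reply opens with 'NNN-' and ends at the first line starting 'NNN '."""
    replies, code, buf = [], None, []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if code is None:
            m = re.match(r"(\d{3})([ -])(.*)", line)
            if not m:
                continue  # blank or non-reply line
            if m.group(2) == " ":
                replies.append((int(m.group(1)), m.group(3)))
            else:
                code, buf = m.group(1), [m.group(3)]
        elif line.startswith(code + " "):
            buf.append(line[4:])
            replies.append((int(code), "\n".join(buf)))
            code, buf = None, []
        else:
            buf.append(line)  # continuation line inside a multi-line reply
    return replies

def audit(raw):
    """Findings for one capture of an anonymous login attempt (assumed)."""
    replies = parse_replies(raw)
    banner = next((t for c, t in replies if c == 220), "")
    m = re.search(r"(vsftpd|proftpd)\s+([0-9][0-9a-z.]*)", banner, re.I)
    key = (m.group(1).lower(), m.group(2).lower().rstrip(".")) if m else None
    findings = [KNOWN[key]] if key in KNOWN else []
    # 230 = "User logged in": the server accepted the anonymous credentials.
    if any(c == 230 for c, _ in replies):
        findings.append("anonymous-login")
    return findings
```

A banner match only says the advertised version string is on the list; banners can be edited or hidden, so confirm against the installed package version.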