File Transfer Protocol: Runs on app layer of TCP/IP stack: Same as HTTP/POP

  • Connects through two channels: Client/server establishes control through port 21

    • Client sends cmds to server: Server returns status codes

    • Both participants can establish a data channel on port 20

Channel used exclusively for data transmission

  • If a connection is broken, it's resumed after it's re-established

connect # sets remote host, port for file xfers
get # xfers file/set of files from remot to local 
put # xfers file/set of files from local to remote
status # shows current status (ascii or bin), time-out val
verbose # displays additional info during file xfer

/etc/ftpusers # used to deny users access 

#anonymous Login
ftp> status
ftp> debug 
ftp> trace # packet tracing on

hide_ids=YES UID/GUID of the service will be overwritten

  • More difficult to ID which file rights are written/uploaded

  • Allows us to use LFI vulns to make hosts exec cmds: view, download, inspect

    • Attacks possible with logs, leading to RCE

ftp> get Notes.txt # download a file 
ftp > put testupload.txt # upload a file
wget -m --no-passive ftp://anon:anon@ #download all files

tree . # heirarchical file structure listed
    ├── Folder
       └── SubFolder
           ├── Text.txt 
           ├── WordFile.docx
           └── Presentation.pptx
    └── AnotherFile.txt
sudo nmap --script-updatedb

# nmap script trace (scan history against a service, with timeouts)
sudo nmap -sV -p21 -sC -A --script-trace

# if server runs tls/ssl openssl instead
openssl s_client -connect -starttls ftp

find / -type f -name ftp* 2>/dev/null | grep scripts # find nse scripts
ls /usr/share/nmap/scripts | grep ftp # find nse scripts


ftp-syst: executes STAT, which displays server status

# banner grab
nc -nv 21
telnet 21

Last updated