FTP Enum

FTP Enumeration

CheckList

Anonymous login
Check default credentials
Check version for exploit
Check for files upon login
Check for SSH keys or if you can access .ssh file
Try uploading shell if reflected in web server.
Brute force credentials

FTP nse scripts

nmap –script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.0.0.1

ftp 10.10.10.10 21

Connected to 10.10.10.10.
220 (vsFTPd 3.0.3)
Name (10.10.10.10:kali): anonymous
331 Please specify the password.
Password: whatever_password

Error "Program cannot be run in DOS mode"

Make sure that BINARY mode is enable so that you can transfer/execute files.

Example:
===================
ftp> binary
200 Type set to I.
ftp> put someexecutable.exe
local: someexecutable.exe remote: someexecutable.exe
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
371329 bytes sent in 1.30 secs (279.2892 kB/s)

See if you can upload on the target

Usually if you see some folder named pub the directory should be:
/var/ftp/pub/

It may also be a /var/www/html directory where you can upload a shell

Default creds

admin:admin
admin:password

PreviousCheckList NextSSH Enum

Last updated 3 years ago