
FTP Enumeration

#Overview

File Transfer Protocol (FTP) operates on TCP port 21 (command channel) with dynamic ports for data transfer (active mode: server connects to client from port 20; passive mode: client connects to server on negotiated port). Many FTP servers permit anonymous access (username: anonymous or ftp, password: anything), exposing files that may contain credentials, configuration details, source code, or internal documentation. FTP version enumeration also identifies vulnerable FTP server implementations.

#Prerequisites

  • Tools: ftp client (built-in), nmap (ftp-anon NSE), Hydra (credential brute-force)
  • Access Level: Network access to port 21
  • Default Anonymous Credentials: username anonymous or ftp, password any email (convention: anonymous@example.com)

#Detection & Enumeration

#Anonymous Login Testing

# nmap NSE check (fast; the script actively attempts an anonymous login)
nmap --script ftp-anon -p 21 10.10.10.161

# Manual anonymous login test
ftp 10.10.10.161
# Username: anonymous
# Password: anonymous@example.com

# One-liner anonymous test
# -n disables auto-login so the piped "user" command performs the login
printf 'user anonymous anything\nquit\n' | ftp -n 10.10.10.21

# Passive FTP with anonymous login and file listing
ftp -p 10.10.10.21

#File Enumeration and Download

# FTP client interactive session
ftp 10.10.10.161
Name: anonymous
Password: [anything]
ftp> ls -la          # list all files with details
ftp> ls -R           # recursive listing from current directory
ftp> get filename    # download a single file
ftp> mget *.txt      # download multiple files (interactive prompt)
ftp> prompt OFF      # turn off interactive prompting before mget
ftp> mget *          # download everything
ftp> binary          # set binary mode for executable/archive downloads
ftp> ascii           # set ASCII mode for text file downloads (default)
ftp> passive         # toggle passive mode (solve firewall issues)

# Non-interactive file download with wget
wget --user=anonymous --password=anything ftp://10.10.10.21/file.txt

# Download entire FTP directory recursively (--no-passive-ftp forces active mode)
wget -r --no-passive-ftp ftp://anonymous:anything@10.10.10.21/

#FTP Banner and Version Detection

# nc banner grab
nc -nv 10.10.10.161 21

# nmap service version detection
nmap -sV -p 21 10.10.10.161

# Banner examples:
# "220 ProFTPD 1.3.5 Server" --> check for ProFTPD exploits
# "220 vsFTPd 3.0.3" --> check for vsFTPd vulnerabilities

#Common Pitfalls

  • Active vs passive mode. Many modern firewalls block active FTP (the server initiates the data connection to the client). Use passive mode (the passive command in the ftp client, or the -p flag).
  • Binary vs ASCII mode. Executables, ZIP files, and images must be downloaded in binary mode or they will be corrupted. Always issue binary before downloading non-text files.
  • Some FTP servers allow anonymous login but confine the session to a chroot jail with limited visibility. List contents carefully before downloading.
  • FTP over TLS (FTPS, explicit TLS on port 21 with AUTH TLS) may require additional flags. The standard ftp client may not support it; use lftp instead: lftp -u anonymous,pass ftps://10.10.10.21.
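
The active/passive distinction is visible on the control channel, and decoding it tells a defender which data port a firewall rule or packet capture has to account for. The following is an added example, not part of the original module: it decodes PORT commands and 227/229 replies and notes a PORT address that is not the client itself, which is the FTP bounce pattern mentioned under OPSEC Considerations. The function names and sample lines are constructed for illustration.

```python
import re

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    m = HOSTPORT.search(text)
    n = [int(x) for x in m.groups()] if m else []
    if not n or max(n) > 255:
        return None
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def data_endpoint(line, client_ip, server_ip):
    """Return mode, data-channel address and review notes for one control line."""
    m = EPSV.search(line) if line.startswith("229") else None
    if m:  # EPSV reply carries the port only; the host is the server itself
        return {"mode": "passive", "ip": server_ip, "port": int(m.group(1)), "notes": []}
    active = line.upper().startswith("PORT ")
    if not (active or line.startswith("227")):
        return None
    ep = decode_hostport(line)
    if ep is None:
        return None
    ip, port = ep
    notes = []
    if active and ip != client_ip:          # server would dial a third host
        notes.append("PORT address is not the client (bounce pattern)")
    if active and port < 1024:
        notes.append("PORT names a privileged port")
    if not active and ip != server_ip:      # often NAT without address rewriting
        notes.append("227 advertises an address other than the server")
    return {"mode": "active" if active else "passive",
            "ip": ip, "port": port, "notes": notes}


# Constructed control-channel lines (client 10.10.14.5, server 10.10.10.21).
SAMPLE = [
    "PORT 10,10,14,5,200,21",
    "PORT 192,168,1,10,0,22",
    "227 Entering Passive Mode (10,10,10,21,195,80)",
    "229 Entering Extended Passive Mode (|||50000|)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", data_endpoint(line, "10.10.14.5", "10.10.10.21"))
```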

#OPSEC Considerations

  • FTP transmits credentials in cleartext. An anonymous login transmits the username "anonymous" and whatever password is supplied, visible to any packet capture.
  • FTP file transfers generate significant traffic if downloading large files or recursively downloading entire directories. Monitor for data volume anomalies.
  • A single FTP connection for anonymous access is less suspicious than repeated brute-force connections. Test once, note the result, and move on.
  • FTP bounce attacks (using PORT command to redirect data connections to a third host) are a legacy technique that modern FTP servers block by default. Attempting them is noisy and likely to fail.
  • FTP enumeration is not passive from a logging perspective: most FTP servers log connections and file access. A login with "anonymous" followed by ls and get of sensitive files creates a clear audit trail.
  • FTP is cleartext (no encryption). If you have credentials, anyone on the network path can capture them. Use FTPS or SFTP when available.
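
The audit trail and data-volume points above can be checked from the server side. The following is an added example, not part of the original module: it reads transfer records in the standard xferlog format (written by ProFTPD's TransferLog and by vsftpd with xferlog_std_format=YES) and reports, per client, anonymous downloads of sensitive-looking files, anonymous uploads, and download volume above a threshold. The file-name patterns, the threshold, and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed name patterns for backups, configuration files, keys and archives.
SENSITIVE = re.compile(r"backup|\.(bak|sql|conf|env|pem|key|tar|zip)\b", re.I)
VOLUME_LIMIT = 50 * 1024 * 1024  # assumed per-client byte threshold


def parse_xferlog(line):
    """Parse one xferlog record, indexing from both ends so a file name
    that contains spaces cannot shift the trailing columns."""
    f = line.split()
    if len(f) < 18 or not f[7].isdigit():
        return None
    return {"host": f[6], "size": int(f[7]), "file": " ".join(f[8:-9]),
            "direction": f[-7], "access": f[-6]}


def review(lines):
    """Return {client: [reasons]} for anonymous (access mode 'a') transfers."""
    findings, volume = defaultdict(list), defaultdict(int)
    for rec in map(parse_xferlog, lines):
        if rec is None or rec["access"] != "a":
            continue
        if rec["direction"] == "i":    # incoming: anonymous write access works
            findings[rec["host"]].append("anonymous upload: " + rec["file"])
        elif rec["direction"] == "o":  # outgoing: file retrieved by the client
            volume[rec["host"]] += rec["size"]
            if SENSITIVE.search(rec["file"]):
                findings[rec["host"]].append("sensitive-looking download: " + rec["file"])
    for host, total in volume.items():
        if total > VOLUME_LIMIT:
            findings[host].append(f"{total} bytes downloaded, above threshold")
    return dict(findings)


# Constructed xferlog-format records, not taken from a real server.
SAMPLE = """\
Mon Jan  6 10:15:02 2025 1 10.10.14.5 2048 /pub/readme.txt a _ o a anonymous@example.com ftp 0 * c
Mon Jan  6 10:15:09 2025 4 10.10.14.5 73400320 /pub/backup/site_backup.zip b _ o a anonymous@example.com ftp 0 * c
Mon Jan  6 10:16:40 2025 1 10.10.14.5 312 /pub/incoming/upload.bin b _ i a anonymous@example.com ftp 0 * c
Mon Jan  6 11:02:11 2025 2 10.10.20.7 5120 /home/alice/report.pdf b _ o r alice ftp 0 * c
Mon Jan  6 11:30:00 2025 1 10.10.30.9 900 /pub/readme.txt a _ o a guest@example.com ftp 0 * c
""".splitlines()

if __name__ == "__main__":
    for host, reasons in review(SAMPLE).items():
        print(host, reasons)
```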

#Post-Exploitation Value

  • Anonymous FTP access frequently exposes backup files, configuration archives, and source code containing database credentials, API keys, or internal documentation.
  • Write access to FTP directories (less common with anonymous) allows dropping webshells or other malicious files if the FTP directory is served by a web server.
  • FTP version information guides vulnerability research. ProFTPD 1.3.5 had a known RCE (CVE-2015-3306); vsFTPd 2.3.4 had a backdoor (CVE-2011-2523).
  • Downloaded files may reveal internal hostnames, IP addressing schemes, and software inventories useful for lateral movement.

#Cross-References

#Tool References

| Tool | Description | Link |
|---|---|---|
| ftp | Standard FTP client | Built into all OSes |
| lftp | Sophisticated FTP/FTPS/HTTP client | Built into most Linux distros |
| nmap (ftp-anon, ftp-brute) | NSE scripts for FTP enumeration | Built into nmap |
| wget | File download with FTP support | Built into most Linux distros |

#Source Machines

  • FTP enumeration with anonymous access is a common initial foothold vector. Check for ftp-anon in nmap script output before dismissing port 21. While none of the sampled HTB machines in this guide relied primarily on FTP, real-world engagements frequently encounter misconfigured FTP servers with anonymous access to sensitive directories.