Pentesting FTP
Identification
Many different types of FTP server
Nmap scan results
Before connecting, ensure that the directory you are in (on your local machine) is writable, or else you will not be able to download anything off the remote FTP server
FTP Anonymous Login
If successful it will let you know you successfully logged in and might tell you the OS
Attempt to download and also place files.
Start with attempting to just place a text file with some words
If the file name has spaces, be sure to escape the space character
Brute Force
Good wordlist for FTP brute forcing: https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt
Automated Scanning
Anon login and bounce FTP checks are performed by default by nmap with the -sC option or:
Passive FTP
If a client machine has a firewall up, then Active FTP will create issues
If you find that you can successfully connect but cannot ls or run other FTP commands, run the commands below
Connect as normal to the FTP server
Once connected have your first command be:
This will switch the FTP client-server connection to passive mode and allow you to operate as normal.
Downloading Files
To download one file use:
To download everything in a specific directory use:
Put Files
To upload a file to the ftp server use:
Other Considerations
If there is also a web server, it is possible that the same directories accessible on the ftp server are hosted on the web server
For example, if on the FTP server there is a directory called scripts, attempt to see if there is a directory on the web server called scripts. This will allow for an easy web shell upload, which can then be executed via the web server.
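The defender's view of the scenario above, as an added example that is not part of the original page: a parser for xferlog-format transfer logs (the format written by wu-ftpd and available in vsftpd and ProFTPD) that flags completed anonymous uploads and script uploads into a directory shared with the web server. The WEB_SHARED_DIRS path, the extension list and the sample log lines are constructed assumptions.

```python
import re

# Assumption: directory that is writable over FTP and also served by the web server.
WEB_SHARED_DIRS = ("/var/www/html/scripts/",)
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|aspx?|jspx?|cgi|pl)$", re.IGNORECASE)

# Constructed sample log lines (documentation IP ranges), not taken from a real server.
SAMPLE = [
    "Mon Jan  6 10:01:12 2025 1 203.0.113.7 18 /var/ftp/pub/test.txt b _ i a ? ftp 0 * c",
    "Mon Jan  6 10:03:40 2025 1 203.0.113.7 512 /var/www/html/scripts/up load.php b _ i a ? ftp 0 * c",
    "Mon Jan  6 10:05:02 2025 2 198.51.100.4 90210 /var/ftp/pub/report.pdf b _ o r alice ftp 0 * c",
    "Mon Jan  6 10:06:00 2025 1 203.0.113.7 0 /var/www/html/scripts/x.php b _ i a ? ftp 0 * i",
]

def parse_xferlog(line):
    """Parse one xferlog line into a dict, or return None if it is malformed."""
    tok = line.split()
    # 5 date tokens + transfer-time, host, size + filename (>=1) + 9 trailing fields
    if len(tok) < 18:
        return None
    tail = tok[-9:]
    return {
        "time": " ".join(tok[:5]),
        "host": tok[6],
        "path": " ".join(tok[8:-9]),  # taken between fixed head and tail, so spaces survive
        "direction": tail[2],         # i = incoming (upload), o = outgoing (download)
        "access": tail[3],            # a = anonymous, g = guest, r = real user
        "status": tail[8],            # c = complete, i = incomplete
    }

def findings(lines):
    """Return (reason, record) pairs for completed uploads that deserve review."""
    out = []
    for line in lines:
        rec = parse_xferlog(line)
        if rec is None or rec["direction"] != "i" or rec["status"] != "c":
            continue
        in_web = rec["path"].startswith(WEB_SHARED_DIRS)
        if in_web and SCRIPT_EXT.search(rec["path"]):
            out.append(("script-upload-to-web-dir", rec))
        elif rec["access"] == "a":
            out.append(("anonymous-upload", rec))
    return out

if __name__ == "__main__":
    for reason, rec in findings(SAMPLE):
        print(reason, rec["time"], rec["host"], rec["path"])
```

Any hit on a shared directory also points at the underlying fix: the FTP-writable path should not be one the web server will execute scripts from.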