Cheat sheet and tricks for the File Transfer Protocol (FTP).
FTP is insecure: the username, the password and the file contents all cross the network in clear text, so anyone who can capture the control connection (TCP/21) can read the credentials straight out of the stream. See Telnet for other clear-text protocols.
Nmap scripts
IP=x.x.x.x
WL=/usr/share/wordlists/rockyou.txt
USERS=/usr/share/seclists/Usernames/top-usernames-shortlist.txt
# List the FTP NSE scripts shipped with nmap
ls -la /usr/share/nmap/scripts/ftp*
# Run every ftp-* script except the brute-forcer (anonymous login, bounce, banner and version checks, ...)
nmap -Pn --script "ftp* and not brute" -p 21 $IP -oA nmap-ftp
# Password guessing with a short user list; noisy, and can lock accounts out
nmap -Pn --script ftp-brute -p 21 $IP --script-args userdb=${USERS},passdb=$WL -oA nmap-ftp-brute
Directory Traversal
See this exploit for common paths.
dir ./../../../../../../../../
FileZilla
filezilla
Download all files locally and search for interesting information.
grep -Ril "flag" .
grep -Ri "password" .
grep -Ri "key" .
grep -Ri "sessionkey" .
grep -Ri "admin" .
FTP Client
If a transfer hangs right after “Entering Passive Mode” (the data port the server announced is filtered between you and it), toggle passive mode off by typing passive (most clients also accept the abbreviation pass) at the ftp> prompt once logged in; the next transfer then uses active mode, where the server connects back to a port on your machine.
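As an added example (not part of the original cheat sheet), the clear-text and passive-mode points above in code: a parser that walks a captured FTP control-channel conversation and pulls out each USER/PASS pair together with whether the server accepted it, plus the data-channel endpoints negotiated with PASV (server reply 227) and PORT (client command). The session embedded below is constructed, and the C:/S: prefixes marking each direction are an assumed labelling of the reassembled TCP/21 stream, not a format any capture tool emits by default.

```python
#!/usr/bin/env python3
"""Recover clear-text FTP credentials and data-channel endpoints from a captured
control session (added example; the session below is constructed, not a real capture)."""
import json
import re

# Assumed labelling: each line of the reassembled TCP/21 stream prefixed with
# "C:" (client -> server) or "S:" (server -> client).
SAMPLE_SESSION = """\
S: 220 (vsFTPd 3.0.3)
C: USER admin
S: 331 Please specify the password.
C: PASS admin
S: 530 Login incorrect.
C: USER anonymous
S: 331 Please specify the password.
C: PASS anonymous@example.com
S: 230 Login successful.
C: TYPE I
S: 200 Switching to Binary mode.
C: PASV
S: 227 Entering Passive Mode (10,0,0,5,195,149).
C: RETR backup.tar.gz
S: 150 Opening BINARY mode data connection for backup.tar.gz (1024 bytes).
S: 226 Transfer complete.
C: PORT 10,0,0,9,4,1
S: 200 PORT command successful. Consider using PASV.
C: LIST
S: 150 Here comes the directory listing.
S: 226 Directory send OK.
C: QUIT
S: 221 Goodbye.
"""

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")            # 227 reply
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)  # client command


def decode_endpoint(parts):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2), the encoding PASV and PORT share."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in parts)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_session(text):
    """Return credentials (user, password, login_ok), data channels (mode, host, port)
    and requested transfers (verb, filename) in the order they appear."""
    creds, channels, transfers = [], [], []
    user = password = None
    for line in text.splitlines():
        side, sep, msg = line.partition(":")
        if not sep:
            continue
        side, msg = side.strip().upper(), msg.strip()
        if side == "C":
            verb, _, arg = msg.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user, password = arg, None
            elif verb == "PASS":
                password = arg                 # sent in the clear, one line after USER
            elif verb in ("RETR", "STOR"):
                transfers.append((verb, arg))
            elif verb == "PORT":
                m = PORT_RE.match(msg)
                if m:
                    channels.append(("PORT", *decode_endpoint(m.groups())))
        elif side == "S":
            code = msg[:3]
            if code in ("230", "530") and user is not None:
                creds.append((user, password, code == "230"))
                user = password = None
            elif code == "227":
                m = PASV_RE.search(msg)
                if m:
                    channels.append(("PASV", *decode_endpoint(m.groups())))
    return {"credentials": creds, "data_channels": channels, "transfers": transfers}


def failed_logins(result):
    """Count of rejected USER/PASS pairs; a burst of these from one source is a brute-force signal."""
    return sum(1 for _, _, ok in result["credentials"] if not ok)


if __name__ == "__main__":
    print(json.dumps(parse_session(SAMPLE_SESSION), indent=2))
```

The same port arithmetic (p1*256+p2) is what you need when a capture shows a PASV reply but the data connection never appears: compute the port and check whether anything between client and server filters it.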
Installation
sudo apt install ftp
Connect to ftp server (port 21)
ftp $IP
ftp anonymous@${IP}
ftp anonymous@${IP} 21
# Anonymous (guest)
ftp $IP
Name: anonymous
Password: (anonymous servers conventionally accept an e-mail address as the password; try anonymous, or just press Enter without providing one)
Login
user myuser1
Help / Display available commands
help
Prints the names of the files and subdirectories in the current directory on the remote computer
ls
Try to escape the chrooted environment
ls ../../../../../../..//etc
Change directory
cd directory
cd ..
File transfer – ASCII mode
This changes to ascii mode for transferring text files.
ascii
File transfer – Binary mode
This command changes to binary mode for transferring all files that are not text files
binary
File transfer – Download files
If there already is a file on the local computer with the same name, it will be overwritten.
This downloads the file passwd from the remote computer to the local computer.
get <file on FTP server> <file on client machine>
get /etc/passwd /home/kali/passwd
# Downloads all files that end with ".jpg"
mget *.jpg
File transfer – Upload files
If there already is a file on the remote computer with the same name, it will be overwritten.
Uploads the file test.txt from the local computer to the remote computer.
put <file on client machine> <file on FTP server>
put /home/kali/test.txt test.txt
# Uploads all the files that end with ".jpg"
mput *.jpg
Delete files
# Deletes all files that end with ".jpg"
mdelete *.jpg
Interactive mode
Toggles interactive prompting. With prompting off, mget, mput and mdelete act on every matching file without asking for confirmation per file.
prompt
Exit the ftp client
quit
Non-interactive mode – Windows
Windows ftp.exe reads its commands from a file given with the -s: switch. The two lines after open answer the username and password prompts; for an anonymous login use anonymous as the username and an e-mail address such as ftp@ftp.com as the password. The password sits in the file in clear text, so remove the file afterwards.
ftp.txt
open x.x.x.x 21
username
password
dir
bye
Run FTP commands from ftp.txt
type ftp.txt
ftp -s:ftp.txt
Non-interactive mode – Linux
The Linux ftp client has no “-s” option, so feed it the commands from a here-document in a shell script. -n disables auto-login (no .netrc lookup and no interactive prompt), and quote USER / quote PASS send the login commands verbatim. Anything inside the here-document is sent to the client as a command, so keep comments outside it; the password is stored in the script in clear text.
ftp.sh
#!/bin/bash
# -n: no auto-login, the USER/PASS lines inside the here-document do the login
ftp -n x.x.x.x <<END_SCRIPT
quote USER myusername
quote PASS mypassword
prompt
dir
bye
END_SCRIPT
chmod u+x ftp.sh
./ftp.sh
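The non-interactive script above and the “download everything and grep it” workflow from the FileZilla section, combined into one added Python example (not code from the original page) that uses only the standard library's ftplib: it mirrors the server recursively, then searches the local copy for the same keywords as the grep commands. The ftp-loot destination folder, the command-line arguments and the anonymous@ default password are assumptions. One detail the shell one-liners skip: file names come from the server, so a hostile server can hand back “../” entries in a listing; safe_join refuses anything that would land outside the destination directory.

```python
#!/usr/bin/env python3
"""Non-interactive FTP mirror plus keyword search (added example, standard library only)."""
import ftplib
import re
import sys
import tempfile
from pathlib import Path

# Same keywords as the grep commands in the FileZilla section
KEYWORDS = ("flag", "password", "key", "sessionkey", "admin")


def safe_join(dest, remote_name):
    """Map a server-supplied name onto a path strictly inside dest.
    Listings are attacker-controlled data: a hostile server can return '../x'
    or absolute names, and a naive mirror would write them outside dest."""
    dest = Path(dest).resolve()
    name = remote_name.replace("\\", "/").lstrip("/")
    target = (dest / name).resolve()
    if target != dest and dest not in target.parents:
        raise ValueError(f"refusing to write outside {dest}: {remote_name!r}")
    return target


def mirror(ftp, remote_dir, dest, seen=None):
    """Recursively download remote_dir into dest. Uses NLST and a trial CWD to
    tell directories from files, which also works on servers without MLSD."""
    seen = set() if seen is None else seen
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    ftp.cwd(remote_dir)
    here = ftp.pwd()                      # absolute path, used to return after recursion
    if here in seen:                      # symlink loops would otherwise recurse forever
        return
    seen.add(here)
    for name in ftp.nlst():
        base = name.rsplit("/", 1)[-1]
        if base in (".", ".."):
            continue
        local = safe_join(dest, base)
        try:
            ftp.cwd(name)                 # only succeeds for directories
        except ftplib.error_perm:
            try:
                with open(local, "wb") as fh:
                    ftp.retrbinary(f"RETR {name}", fh.write)
            except ftplib.error_perm as exc:   # unreadable file: report and move on
                print(f"skip {here}/{name}: {exc}", file=sys.stderr)
            continue
        ftp.cwd(here)
        mirror(ftp, name, local, seen)
        ftp.cwd(here)


def grep_tree(root, keywords=KEYWORDS):
    """Case-insensitive keyword search over every file under root, the
    equivalent of `grep -Ri` on the downloaded tree. Returns (path, line no, line)."""
    root = Path(root)
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.I)
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with open(path, "rb") as fh:
            for lineno, raw in enumerate(fh, 1):
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if pattern.search(line):
                    hits.append((str(path.relative_to(root)), lineno, line))
    return hits


def make_demo_tree():
    """Constructed sample of a downloaded tree, so grep_tree can be exercised offline."""
    root = Path(tempfile.mkdtemp(prefix="ftp-demo-"))
    (root / "notes.txt").write_text("db PASSWORD=hunter2\nnothing interesting here\n")
    (root / "conf").mkdir()
    (root / "conf" / "app.ini").write_text("AdminUser=root\n")
    return root


if __name__ == "__main__":
    # Usage: ./ftp_mirror.py HOST [USER [PASSWORD]]   (defaults to anonymous login)
    host = sys.argv[1]
    user = sys.argv[2] if len(sys.argv) > 2 else "anonymous"
    password = sys.argv[3] if len(sys.argv) > 3 else "anonymous@"
    dest = Path("ftp-loot") / host                 # assumed destination folder
    with ftplib.FTP(host, timeout=30) as ftp:
        ftp.login(user, password)                  # USER/PASS cross the wire in clear text
        ftp.set_pasv(True)                         # set False if the server's data ports are filtered
        mirror(ftp, "/", dest)
    for rel, lineno, line in grep_tree(dest):
        print(f"{rel}:{lineno}: {line}")
```

The trial-CWD trick costs one round trip per entry but avoids parsing LIST output, whose format differs between servers; on big trees prefer MLSD where the server supports it.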
FTP Server
Python
pip install pyftpdlib
Using the anonymous user
# Serves the current directory. -w also lets anonymous clients write to it, so anyone who can reach the port can upload.
# Port 21 is privileged, hence sudo; use a port above 1024 (e.g. -p 2121) to run unprivileged.
sudo python -m pyftpdlib -p 21 -w
ftp anonymous@x.x.x.x
ftp.py – authenticated
#!/usr/bin/env python3
from pyftpdlib.authorizers import DummyAuthorizer
from pyftpdlib.handlers import FTPHandler
from pyftpdlib.servers import FTPServer

# Virtual user confined to /home/ftpuser; "elradfmwMT" grants every pyftpdlib permission flag (read, write, delete, rename, ...)
authorizer = DummyAuthorizer()
authorizer.add_user("ftpuser", "<PASSWORD>", "/home/ftpuser", perm="elradfmwMT")
handler = FTPHandler
handler.authorizer = authorizer
# 127.0.0.1 only accepts local clients; bind 0.0.0.0 to serve a remote target
server = FTPServer(("127.0.0.1", 21), handler)
server.serve_forever()
sudo mkdir /home/ftpuser
sudo groupadd ftpgroup
# /etc is deliberately not a valid shell, so the account cannot log in interactively
sudo useradd -g ftpgroup -d /home/ftpuser -s /etc ftpuser
sudo chown ftpuser: /home/ftpuser
chmod u+x ftp.py
# root is needed to bind port 21
sudo ./ftp.py
ftp ftpuser@127.0.0.1
<PASSWORD>
Pure-FTPd
Installation
sudo apt install pure-ftpd
Configuration
Create an unprivileged system account to own the files (/etc is intentionally not a shell, so it cannot log in), create a virtual FTP user mapped onto it, enable the PureDB authentication backend, then restart.
sudo groupadd ftpgroup
sudo useradd -g ftpgroup -d /dev/null -s /etc ftpuser
sudo mkdir -p /ftphome
sudo chown -R ftpuser:ftpgroup /ftphome/
# Prompts for the virtual user's password
sudo pure-pw useradd pureuser -u ftpuser -d /ftphome
# Compiles the password file into the PureDB database the daemon reads
sudo pure-pw mkdb
cd /etc/pure-ftpd/auth/
sudo ln -s ../conf/PureDB 60pdb
Uncomment this line in /etc/pure-ftpd/pure-ftpd.conf (on Debian-based installs the wrapper instead reads one setting per file under /etc/pure-ftpd/conf/, which is where the auth/ symlink above points)
UnixAuthentication yes
sudo systemctl restart pure-ftpd