# FTP | 21

## 01. Common Enumeration

<pre class="language-bash"><code class="lang-bash">## ------------------| Nmap scans
find / -type f -name 'ftp*' 2>/dev/null | grep scripts    ### Locate the FTP NSE scripts (quote the glob so the shell does not expand it first)
nmap --script ftp-anon -p 21 $IP                 ### Anonymous login allowed? Also lists what the anonymous user can see
nmap --script ftp-bounce -p 21 $IP               ### FTP bounce: will the server PORT to a third host?
nmap --script ftp-vsftpd-backdoor -p 21 $IP      ### vsftpd 2.3.4 backdoor check
nmap --script ftp-vuln-cve2010-4221 -p 21 $IP    ### ProFTPD Telnet IAC overflow check (1.3.3c and earlier)
nmap --script ftp-libopie -p 21 $IP              ### libopie OPIE authentication overflow check
nmap --script ftp-brute -p 21 $IP                ### Password brute force: noisy and slow, run it last

## ------------------| Vulnerable versions (match against the banner / nmap -sV)
ProFTPD 1.3.3c Backdoor (trojaned source tarball; "HELP ACIDBITCHEZ" gives a root shell)
ProFTPD 1.3.5 mod_copy Command Execution (unauthenticated SITE CPFR / SITE CPTO)
vsftpd 2.3.4 Backdoor Command Execution (USER containing ":)" opens a shell on 6200/tcp)

## ------------------| Anonymous Login
anonymous:anonymous            ### Any password is accepted; by convention an e-mail address

## ------------------| Not Allowed Users
/etc/ftpusers                  ### Users denied FTP login (vsftpd honours it through PAM's pam_listfile; root is normally listed)

## ------------------| Login
ftp://&#x3C;username>:'&#x3C;password>'@&#x3C;hostIP>

## ------------------| Service Interaction
nc -nv &#x3C;hostIP> 21        ### NetCat
telnet &#x3C;hostIP> 21        ### Telnet
openssl s_client -connect &#x3C;hostIP>:21 -starttls ftp     ### OpenSSL

## ------------------| Download all files at once
wget -m --user=username --password=password ftp://&#x3C;hostIP>
wget -m --no-passive-ftp ftp://anonymous:anonymous@&#x3C;hostIP>     ### Active mode: the server must be able to connect back to you

## ------------------| SSL/TLS encryption for the control channel
### 550 SSL/TLS required on the control channel   -> the server enforces FTPS (AUTH TLS) before login
sudo apt install lftp
lftp -u &#x3C;username>,'&#x3C;password>' &#x3C;IP>
set ftp:ssl-force true            ### Inside the lftp prompt: never fall back to cleartext on the control channel
set ftp:ssl-protect-data true     ### Also encrypt the data channel (PROT P)
set ssl:verify-certificate false  ### Accept self-signed certs. This also accepts an attacker's cert, so only against lab targets
dir

## ------------------| Common Commands
USER &#x3C;username>    ### Send username to log in.
PASS &#x3C;password>    ### Send password for login.
QUIT               ### Close the FTP session.
HELP               ### Show help for commands.
NOOP               ### Do nothing (used to keep the connection alive).
PWD                ### Print the current working directory.
CWD &#x3C;dir>          ### Change working directory.
CDUP               ### Move to parent directory.
MKD &#x3C;dir>          ### Make a new directory.
RMD &#x3C;dir>          ### Remove a directory.
LIST               ### List files in the current directory (result comes back over the data connection).
LIST -R            ### Recursive listing (raw command; `ls -R` in the ftp client). vsftpd only honours it with ls_recurse_enable=YES.
NLST               ### List bare file names in the current directory.
TYPE A             ### Set transfer mode to ASCII (line endings are rewritten; only for text files).
TYPE I             ### Set transfer mode to Binary (Image). Send this before RETR/STOR of anything that is not plain text.
RETR &#x3C;file>        ### Download a file (raw protocol command; you must set up the data connection yourself).
get  &#x3C;file>        ### The same from the `ftp` client, which handles the data connection for you.
STOR &#x3C;file>        ### Upload a file (raw protocol command).
put  &#x3C;file>        ### The same from the `ftp` client.
APPE &#x3C;file>        ### Append to a file on the server.
DELE &#x3C;file>        ### Delete a file on the server.
RNFR &#x3C;file>        ### Specify the file to be renamed.
RNTO &#x3C;newname>     ### Specify the new name for a file.
PORT h1,h2,h3,h4,p1,p2   ### Active mode: tell the server where to connect for data (port = p1*256+p2). Pointing it at a third host is the FTP bounce attack.
PASV               ### Passive mode: the server opens a port and returns it in the same h1,h2,h3,h4,p1,p2 form.
SYST               ### Show operating system type of server.
STAT               ### Show connection status, or a file/directory listing, on the control channel (no data connection needed).
SIZE &#x3C;file>        ### Show size of a file.
FEAT               ### List the extensions the server supports (AUTH TLS, MLSD, UTF8, ...) as a multi-line 211 reply.

## ------------------| Configurations (/etc/vsftpd.conf)
listen=NO                      ### Run from `inetd` instead of standalone daemon.
hide_ids=YES                   ### Show "ftp" instead of user/group names in listings.
ssl_enable=NO                  ### ⚠️ No TLS: credentials and data cross the wire in cleartext.
listen_ipv6=YES                ### Enable listening on IPv6 interfaces.
local_enable=YES               ### Allow local system users to log in.
write_enable=YES               ### ⚠️ Enable file modification commands (upload, delete, rename, etc).
chown_uploads=YES              ### Change owner of anonymous uploads.
use_localtime=YES              ### Use local system time.
xferlog_enable=YES             ### Enable logging for uploads/downloads.
no_anon_password=YES           ### ⚠️ Skip password prompt for anonymous login.
anonymous_enable=YES           ### ⚠️ Enable anonymous login. 
dirmessage_enable=YES          ### Show directory messages on entry.
ls_recurse_enable=YES          ### Allow recursive directory listings.
chroot_local_user=YES          ### Jail local users in their home directories (chroot).
chroot_list_enable=YES         ### With chroot_local_user=YES the users in chroot_list_file are the ones NOT jailed; with =NO they are the only ones jailed.
anon_upload_enable=YES         ### ⚠️ Allow anonymous users to upload files (only effective with write_enable=YES).
chown_username=h4rithd         ### User to own anonymous uploads.
pam_service_name=vsftpd        ### PAM service name for authentication.
anon_root=/home/h4rithd/       ### ⚠️ Set home directory for anonymous users.
connect_from_port_20=YES       ### Active-mode data connections originate from server port 20.
anon_mkdir_write_enable=YES    ### ⚠️ Allow anonymous users to create directories (only effective with write_enable=YES).
secure_chroot_dir=/var/run/vsftpd/empty                        ### Secure empty directory for chroot jail.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem             ### Path to SSL certificate.
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key    ### Path to SSL private key.
</code></pre>
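The vsftpd.conf keys above only matter in combination: `anon_upload_enable` and `anon_mkdir_write_enable` do nothing unless `anonymous_enable` and `write_enable` are both YES, and `chroot_list_file` means the opposite thing depending on `chroot_local_user`. The following script is an added example (not from this page and not part of vsftpd) that parses a config and reports those combinations. The sample config inside it is constructed from the listing above with a few values changed so there is something to flag; the severity labels are my own, and the defaults used for missing keys are vsftpd's compiled-in ones.

```python
"""Audit a vsftpd.conf for the risky combinations described above.

Added example, not from the page or from vsftpd. Severity labels are
assumptions; the defaults used for missing keys are vsftpd's own."""

# Constructed sample: the page's listing with ssl_enable=NO kept and
# anonymous uploads switched on, i.e. close to the weakest case.
SAMPLE_CONF = """\
listen=NO
listen_ipv6=YES
anonymous_enable=YES
no_anon_password=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_root=/srv/ftp
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
ssl_enable=NO
xferlog_enable=YES
"""


def parse_vsftpd_conf(text):
    """Return {key: value}. Blank and '#' lines are skipped. vsftpd itself
    rejects spaces around '='; stripping here is only for tolerance."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_yes(conf, key, default="NO"):
    """Boolean keys are YES/NO, case-insensitive."""
    return conf.get(key, default).upper() == "YES"


def audit_vsftpd(conf):
    """Return [(severity, finding)] for settings that matter together."""
    findings = []
    anon = is_yes(conf, "anonymous_enable", "YES")   # vsftpd's default is YES
    write = is_yes(conf, "write_enable")
    local = is_yes(conf, "local_enable")
    tls = is_yes(conf, "ssl_enable")
    chroot = is_yes(conf, "chroot_local_user")

    if anon:
        msg = "anonymous login enabled"
        if is_yes(conf, "no_anon_password"):
            msg += " (no password prompt)"
        findings.append(("MEDIUM", msg))
        # anon_upload/anon_mkdir are dead settings unless write_enable=YES
        if write and is_yes(conf, "anon_upload_enable"):
            target = conf.get("anon_root", "the ftp user's home")
            findings.append(("HIGH", "anonymous STOR allowed into " + target))
        if write and is_yes(conf, "anon_mkdir_write_enable"):
            findings.append(("HIGH", "anonymous MKD allowed"))
    if local and not tls:
        findings.append(("HIGH", "local user passwords cross the wire in cleartext (ssl_enable=NO)"))
    if local and not chroot:
        findings.append(("MEDIUM", "local users are not chrooted and can browse the whole filesystem"))
    if chroot and is_yes(conf, "chroot_list_enable"):
        # Inverted semantics: with chroot_local_user=YES the list is the exemption list
        listed = conf.get("chroot_list_file", "/etc/vsftpd.chroot_list")
        findings.append(("INFO", "users in %s are EXEMPT from the chroot" % listed))
    return findings


if __name__ == "__main__":
    for severity, finding in audit_vsftpd(parse_vsftpd_conf(SAMPLE_CONF)):
        print("[%s] %s" % (severity, finding))
```

Run it as-is to see the constructed sample flagged; point `parse_vsftpd_conf` at the contents of a real `/etc/vsftpd.conf` to audit a box you have shell on. Checking combinations rather than single keys is the point: `anon_upload_enable=YES` on its own is harmless until someone later flips `write_enable`.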

* Enumerate users (wrap the `ftp` client in a local PHP page so wfuzz can diff the server's reply to `USER` for each candidate name).

```bash
# Create a PHP wrapper (change the IP address; the file must be named index.php).
# Each request feeds one candidate name to the ftp client's "Name:" prompt and
# returns whatever the server answered, so wfuzz can compare responses per username.
nano index.php
<?php
    // escapeshellarg() keeps wordlist entries with shell metacharacters from breaking the pipeline
    system("echo " . escapeshellarg($_REQUEST['username']) . " | timeout 2 ftp 10.10.10.197");
?>

# Then host it with PHP's built-in server (simple, but slow)
sudo php -S 127.0.0.1:80

# Or host it on apache2 (much faster than the above)
cp index.php /var/www/html/index.php
service apache2 start

# Then run wfuzz. Valid and invalid names only stand out if the server answers USER
# differently; once you know the size of the common (invalid) response, hide it with --hw/--hh
wfuzz -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt -u http://127.0.0.1/index.php?username=FUZZ
```
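The Service Interaction and Common Commands sections above, and the user-enumeration trick just shown, come down to the same thing: speak the control channel by hand and compare reply codes. The Python below is an added example, not code from this page, that implements such a client (including RFC 959 multi-line reply parsing, which `FEAT` exercises) and runs it against a constructed in-process server so it works offline. Everything about that server is assumed: it only knows `USER`, `PASS`, `FEAT` and `QUIT`, its user list is made up, and it is deliberately written to answer 331 for known names and 530 for unknown ones. vsftpd answers 331 to every `USER` by default, so that leak is a property of the target, which is why `enumerate_users` only reports names when the codes actually differ across candidates.

```python
"""Raw FTP control-channel client plus a constructed server to talk to.
Added example, not from the page. The server is a stand-in (assumed): it speaks
only USER/PASS/FEAT/QUIT and answers USER with 331 for known names and 530 for
unknown ones; vsftpd answers 331 to every USER by default, so that leak is a
property of the target, not of FTP."""
import socket
import socketserver
import threading


class ConstructedFtpHandler(socketserver.StreamRequestHandler):
    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("latin-1"))

    def handle(self):
        self.reply("220 Constructed FTP service ready.")
        user = None
        for raw in iter(self.rfile.readline, b""):        # one command per line
            verb, _, arg = raw.decode("latin-1").strip().partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
                self.reply("331 Please specify the password." if arg in self.server.known_users
                           else "530 Permission denied.")   # the constructed leak
            elif verb == "PASS":
                self.reply("230 Login successful." if user == "anonymous" else "530 Login incorrect.")
            elif verb == "FEAT":                            # multi-line: '211-' ... '211 End'
                self.reply("211-Features:\r\n UTF8\r\n PASV\r\n211 End")
            elif verb == "QUIT":
                self.reply("221 Goodbye.")
                return
            else:
                self.reply("502 Command not implemented.")


def start_server(known_users=("anonymous", "ftpuser")):
    """Serve on a free loopback port in a background thread (user list is made up)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), ConstructedFtpHandler)
    server.daemon_threads = True
    server.known_users = set(known_users)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


class RawFtp:
    """What `nc host 21` does by hand: send one line, parse one reply."""
    def __init__(self, host, port, timeout=5):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")
        self.banner = self.read_reply()

    def _line(self):
        raw = self.rfile.readline()
        if not raw:
            raise ConnectionError("server closed the control channel")
        return raw.decode("latin-1").rstrip("\r\n")

    def read_reply(self):
        """RFC 959: a first line 'xyz-...' continues until a line starting 'xyz '."""
        lines = [self._line()]
        code = lines[0][:3]
        while lines[0][3:4] == "-" and not lines[-1].startswith(code + " "):
            lines.append(self._line())
        return int(code), "\n".join(lines)

    def cmd(self, line):
        self.sock.sendall((line + "\r\n").encode("latin-1"))
        return self.read_reply()

    def close(self):
        try:
            self.cmd("QUIT")
        except OSError:
            pass
        self.sock.close()


def probe(host, port):
    """One session: banner, FEAT (exercises multi-line parsing) and an anonymous login."""
    ftp = RawFtp(host, port)
    try:
        code, text = ftp.cmd("FEAT")
        feats = [l.strip() for l in text.split("\n")[1:-1]] if code == 211 else []
        anon = (ftp.cmd("USER anonymous")[0] == 331
                and ftp.cmd("PASS anonymous@example.com")[0] == 230)
        return {"banner": ftp.banner[1], "features": feats, "anonymous": anon}
    finally:
        ftp.close()


def enumerate_users(host, port, candidates):
    """Fresh connection per name, record the USER reply code. Only a difference
    between candidates is evidence; the same code for every name means no leak."""
    codes = {}
    for name in candidates:
        ftp = RawFtp(host, port)
        try:
            codes[name] = ftp.cmd("USER " + name)[0]
        finally:
            ftp.close()
    if len(set(codes.values())) < 2:
        return []
    return sorted(n for n, c in codes.items() if c == 331)
```

To try it, call `start_server()` and pass the returned port to `probe("127.0.0.1", port)` and `enumerate_users("127.0.0.1", port, [...])`; against a real target, drop `start_server` and pass the host and 21. `RawFtp` is the same loop you run manually in `nc`, which is why the multi-line case matters: `FEAT` and many banners span several lines, and reading only the first one desynchronises every reply that follows.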

* Useful links
  * <https://vk9-sec.com/21-tcp-ftp-enumeration/>

