Notes





Ports
Default: 21 TCP
Alternative: 2121, 2100

Service Description
FTP (File Transfer Protocol) runs on TCP port 21 and provides unencrypted file transfer functionality. Data channels typically operate on TCP port 20 (active mode) or random high ports (passive mode). It is commonly used for file sharing and is often found on embedded devices, network appliances, and legacy systems.

FTP transmits data and credentials in plaintext. Avoid using it over untrusted networks.


Attacks


Anonymous Login Enabled
Access to the file system without credentials; commonly misconfigured.

Cleartext Credentials
Usernames and passwords sent in plain ASCII over the network.

Directory Traversal
Poorly secured FTP daemons may allow access outside the intended root via ../ sequences.

Write Access / Upload Exploits
Writable directories may allow for backdoor uploads, web shells, or abuse of script execution paths.


Tools & Exploits


Enumeration


nmap
Standard version and script probing.

nmap -sV -p21 --script ftp-anon,ftp-bounce,ftp-syst,ftp-vsftpd-backdoor <target>

ftp / lftp / ncftp
Command-line interaction with FTP service.

ftp <target>

hydra / medusa / ncrack
Bruteforce FTP credentials (if permitted).

hydra -l anonymous -P common.txt ftp://<target>

Exploitation or Post-Enum


Anonymous Login File Access

ftp
open <target>
Name: anonymous
Password: anonymous
ls

Disable Passive Mode & Enumerate

> passive
> dir -a

Upload Shell to Web Directory
If write access is allowed to a web server directory:

put shell.php

FTP Bounce Scan
Rare, legacy attack vector for port scanning via FTP servers.

nmap -b <username>:<pass>@<ftp-host> <target>

Manual Post-Access Enumeration
After gaining access, check for:

  • ls -la in all directories — find hidden files (e.g. .htaccess, .ssh, .bash_history)
  • Look for config files (*.conf, php.ini, web.config, .env) which may leak database creds
  • Try cd .. to escape chroot/jailed environments
  • Look for /www, /htdocs, /inetpub for potential web-exposed upload targets
  • Check for cronjobs, backup folders, or logs (/logs, /backup, /cron, /var/log)
  • get useful files for offline inspection

Abuse of Upload Permissions
If web shell isn’t viable, try:

  • Upload .htaccess to enable script execution
  • Place a malicious script with cron-like name hoping it’s picked up
  • Upload authorized_keys to .ssh/ if found and writable

Exfil Opportunities

  • Upload file receiver or place beacon scripts (e.g., curl back to attacker)
  • Drop reverse shell scripts in common execution paths if execution is feasible

wget FTP Fetching
Use wget to fetch files directly from an FTP server:

wget ftp://user:pass@target/file.txt -O loot.txt

curl FTP Fetching
Use curl in a similar fashion to retrieve files:

curl -u user:pass ftp://target/file.txt -o loot.txt

curl supports more control over headers and better scripting integration.

ncftpget / ncftpput
Useful in scripts or when automating pulls and pushes:

ncftpget -u user -p pass target /local/dir /remote/file
ncftpput -u user -p pass target /remote/dir /local/file

Edge Case Tricks

  • Use ftp:// inside proxy-aware tools or chained environments to bypass filtering or allow-listed domains
  • Abuse ftp:// support in web apps or config files to load payloads remotely
  • Use FTP in combination with LD_PRELOAD, cron or config poisoning if local system interaction is possible
  • Combine ftp upload + curl fetch for chained command injection/payload delivery

Wireshark Analysis Tips


Filters

tcp.port == 21
ftp

What to look for:

  • USER / PASS credentials
  • LIST / RETR / STOR commands
  • Unexpected file uploads or directory access
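
The checks listed above can be run automatically over exported control-channel requests. This is an added example, not part of the original notes; the tab-separated row format (client, command, argument), the sample addresses, the function name analyze and the extension list are assumptions.

```python
import re

# Constructed sample: tab-separated (client, command, argument) rows, the shape
# you get from exporting FTP requests on the control channel (tcp.port == 21).
SAMPLE = """\
10.0.0.5\tUSER\tanonymous
10.0.0.5\tPASS\tguest@example.com
10.0.0.5\tLIST\t-a
10.0.0.5\tCWD\t../../etc
10.0.0.5\tRETR\tpasswd
10.0.0.9\tUSER\tbackup
10.0.0.9\tPASS\tS3cret!
10.0.0.9\tSTOR\tupload.php
10.0.0.9\tSTOR\treport.csv
"""

# Uploads worth a second look: server-side script types, .htaccess, authorized_keys.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|jsp|aspx?|cgi|pl|sh)$|(^|/)\.htaccess$|authorized_keys$", re.I)
PATH_CMDS = {"CWD", "RETR", "STOR", "LIST", "NLST", "DELE", "MKD"}

def analyze(text):
    """Return a list of (client, finding, detail) tuples for one capture."""
    findings, user = [], {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2:
            continue  # skip malformed or empty rows
        client, cmd = parts[0], parts[1].upper()
        arg = parts[2] if len(parts) > 2 else ""
        if cmd == "USER":
            user[client] = arg  # remember the name until the matching PASS
        elif cmd == "PASS":
            name = user.get(client, "?")
            kind = "anonymous-login" if name.lower() in ("anonymous", "ftp") else "cleartext-credentials"
            findings.append((client, kind, name))  # never record the password itself
        if cmd in PATH_CMDS and ".." in arg.replace("\\", "/").split("/"):
            findings.append((client, "traversal-attempt", f"{cmd} {arg}"))
        if cmd == "STOR" and SCRIPT_EXT.search(arg):
            findings.append((client, "suspicious-upload", arg))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(*f, sep="  ")
```

Findings record the account name and the command, never the password, so the output can go into a ticket or SIEM without re-exposing the credential.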
