
01. FTP

1. Scanning for FTP Service and OS Detection using Nmap

Command:

nmap <IP Address> -p 21 -sV -O

Explanation:

  • nmap: Runs the Nmap network scanner.
  • <IP Address>: Target IP address of the system being scanned.
  • -p 21: Specifies scanning only port 21 (FTP service port).
  • -sV: Enables version detection to determine the software running on port 21.
  • -O: Enables OS detection to identify the operating system of the target.

Example:

nmap 192.168.1.10 -p 21 -sV -O

Output (example):

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
OS details: Linux 3.x - 4.x

2. Anonymous FTP Login Attempt

Command:

ftp <IP Address>

Explanation:

  • ftp <IP Address>: Connects to the FTP service on the target system.

When prompted for a username, try logging in with:

  • Username: anonymous
  • Password: (Leave it blank or use anonymous)

Example:

ftp 192.168.1.10

Output (if anonymous login is allowed):

Connected to 192.168.1.10.
220 (vsFTPd 3.0.3)
Name (192.168.1.10:user): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp>

If anonymous login is successful, you can list directories and download files.


3. FTP Brute-Force Attack using Hydra

Command:

hydra -L /usr/share/metasploit-framework/data/wordlists/common_user.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt <IP Address> ftp

Explanation:

  • hydra: Runs Hydra, a network login brute-forcing tool.
  • -L /path/to/userlist: Specifies the file containing possible usernames.
  • -P /path/to/passwordlist: Specifies the file containing possible passwords.
  • <IP Address>: Target IP address.
  • ftp: Specifies the FTP service for brute-forcing.

Example:

hydra -L /usr/share/metasploit-framework/data/wordlists/common_user.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.168.1.10 ftp

Output (example if successful login is found):

[21][ftp] host: 192.168.1.10   login: admin   password: 123456

4. Using Nmap FTP-Brute Script for Brute-Forcing

Command:

nmap <IP Address> --script ftp-brute --script-args userdb=/path/to/userlist,passdb=/path/to/passwordlist -p 21

Explanation:

  • --script ftp-brute: Runs the FTP brute-force script.
  • --script-args userdb=<path>,passdb=<path>: Specifies username and password lists.
  • -p 21: Targets FTP port.

Example:

nmap 192.168.1.10 --script ftp-brute --script-args userdb=/usr/share/wordlists/users.txt,passdb=/usr/share/wordlists/passwords.txt -p 21

Output (example if credentials are found):

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-brute:
|   Accounts:
|     admin:password123 => Valid credentials
|_  Statistics: Performed 1000 guesses in 30 seconds
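
The anonymous login in section 2 and the brute-force runs in sections 3 and 4 all leave login entries in the FTP server's log. The following Python is an added example (not part of the original page) that flags them from the defender's side. The log lines are constructed and modelled on vsftpd's log layout; the function names, the thresholds and the treatment of `ftp`/`anonymous` as anonymous accounts are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on vsftpd's log layout (assumption).
SAMPLE_LOG = """\
Mon Mar 11 10:00:01 2024 [pid 811] [root] FAIL LOGIN: Client "192.168.1.50"
Mon Mar 11 10:00:02 2024 [pid 812] [admin] FAIL LOGIN: Client "192.168.1.50"
Mon Mar 11 10:00:03 2024 [pid 813] [admin] FAIL LOGIN: Client "192.168.1.50"
Mon Mar 11 10:00:04 2024 [pid 814] [admin] FAIL LOGIN: Client "192.168.1.50"
Mon Mar 11 10:00:05 2024 [pid 815] [admin] FAIL LOGIN: Client "192.168.1.50"
Mon Mar 11 10:00:06 2024 [pid 816] [admin] OK LOGIN: Client "192.168.1.50"
Mon Mar 11 10:05:00 2024 [pid 820] [ftp] OK LOGIN: Client "192.168.1.77", anon password "?"
Mon Mar 11 10:07:00 2024 [pid 830] [alice] FAIL LOGIN: Client "192.168.1.20"
Mon Mar 11 10:07:09 2024 [pid 831] [alice] OK LOGIN: Client "192.168.1.20"
"""

ANON_USERS = {"ftp", "anonymous"}  # accounts treated as anonymous (assumption)
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def parse(log_text):
    """Yield (timestamp, user, result, client_ip) for each login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["user"], m["result"], m["ip"]

def analyse(log_text, max_fails=5, window=timedelta(seconds=60)):
    """Return findings as (kind, client_ip, user) in log order."""
    fails = defaultdict(list)  # client_ip -> failure timestamps inside the window
    findings = []
    for ts, user, result, ip in parse(log_text):
        recent = [t for t in fails[ip] if ts - t <= window]
        if result == "FAIL":
            recent.append(ts)
            if len(recent) == max_fails:  # report once when threshold is reached
                findings.append(("brute_force", ip, user))
        elif user in ANON_USERS:
            findings.append(("anonymous_login", ip, user))
        elif len(recent) >= max_fails:  # a guess succeeded: treat as compromise
            findings.append(("success_after_brute_force", ip, user))
        fails[ip] = recent
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

A single failed attempt followed by a success, as with the `alice` lines, stays below the threshold and is not reported.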