Skip to content

14. Nmap FTP Enumeration

1. Anonymous FTP Access Check

nmap -p 21 --script ftp-anon 192.168.1.1

Explanation:

  • -p 21: Scans port 21, the default port for FTP services.
  • --script ftp-anon: Executes the ftp-anon NSE script to check if anonymous FTP login is enabled on the target system.
  • 192.168.1.1: The target IP address.

Purpose:

  • Detects if the FTP server allows unauthorized login using the username anonymous.
  • Identifies accessible directories and files.

Example Output:

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (username: anonymous)
|_drwxr-xr-x   2 ftp      ftp          4096 Sep 01 12:00 pub

Interpretation:

  • Anonymous FTP login is enabled.
  • The pub directory is accessible for read/write operations.

2. FTP System Information Check

nmap -p 21 --script ftp-syst 192.168.1.1

Explanation:

  • -p 21: Targets the FTP service on port 21.
  • --script ftp-syst: Runs the ftp-syst NSE script to query the FTP server for its system type.
  • 192.168.1.1: The target IP address.

Purpose:

  • Determines the operating system and FTP software version running on the target server.
  • Useful for fingerprinting and identifying potential vulnerabilities.

Example Output:

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-syst: UNIX Type: L8

Interpretation:

  • The FTP server reports its system type as UNIX Type: L8. This indicates a UNIX-like operating system, often helpful for OS detection.

3. TFTP Enumeration

nmap -p 21 --script tftp-enum 192.168.1.1

Explanation:

  • -p 21: While port 21 is typically used for FTP, this command targets TFTP services running on non-standard ports. Adjust the port if needed.
  • --script tftp-enum: Executes the tftp-enum NSE script to enumerate readable and writable files on a TFTP server.
  • 192.168.1.1: The target IP address.

Purpose:

  • Identifies files and directories accessible via TFTP.
  • Highlights potential misconfigurations, such as unrestricted file access.

Example Output:

PORT   STATE SERVICE
21/tcp open  ftp
| tftp-enum:
|   Files:
|     config.cfg
|     backup.img
|_    firmware.bin

Interpretation:

  • The TFTP server has files such as config.cfg, backup.img, and firmware.bin available for reading or writing.
  • This could expose sensitive configuration or firmware files.

Summary of Scripts

Script Purpose Key Findings
ftp-anon Checks for anonymous FTP login. Determines if unauthorized access is allowed.
ftp-syst Retrieves system type and software information. Identifies OS and FTP software version.
tftp-enum Enumerates files accessible on a TFTP server. Finds readable or writable files, highlighting risks.

Usage Notes

  • Combine these scripts with other Nmap commands for comprehensive FTP/TFTP security assessments.
  • Adjust the target port if FTP or TFTP services are running on non-standard ports.
  • Use responsibly and ensure proper authorization for scanning the target.