Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

🏠 Back to Blog

FTP

FTP is a layer 7 application protocol and is one of the oldest protocols used on the internet. It is used for transferring files between a client and a server over a TCP/IP network. FTP operates on two separate channels: a command channel for sending commands and a data channel for transferring files.

How FTP Works

  • FTP uses a client-server architecture, where the client initiates a connection to the server. The client sends commands to the server over the command channel, and the server responds with status codes and messages. When a file transfer is initiated, a separate data channel is established for transferring the file.
  • FTP supports two modes of operation: active and passive. In active mode, the client opens a random port and sends the port number to the server, which then connects back to the client on that port for data transfer. In passive mode, the server opens a random port and sends the port number to the client, which then connects to the server on that port for data transfer. Passive mode is often used when the client is behind a firewall or NAT.
  • FTP uses tcp/21 for control (commands) and tcp/20 for data transfer in active mode. In passive mode, the data port is dynamically assigned by the server.
  • The FTP protocol supports a number of commands. However, not all implementations support all commands. With each command sent by the client, the server will respond with a status code (similar to HTTP). The status codes can be viewed here: https://en.wikipedia.org/wiki/List_of_FTP_server_return_codes
  • FTP transmits data in plaintext, which means that all data, including usernames and passwords, are sent unencrypted. This makes FTP vulnerable to eavesdropping.

Login

  • Upon connecting the FTP server, we will be prompted to provide a username and password (assuming anonymous auth is disabled). After providing the correct username/password combination, the FTP server will respond with a status code 230, along with the banner of the server (if one exists).
ftp> user rtn
331 Please specify the password.
Password:
230 Login successful.
  • After authenticating, one of the first things we can do is check the status of the server:
ftp> status

Connected to 10.129.14.136.
No proxy connection.
Connecting using address family: any.
Mode: stream; Type: binary; Form: non-print; Structure: file
Verbose: on; Bell: off; Prompting: on; Globbing: on
Store unique: off; Receive unique: off
Case: off; CR stripping: on
Quote control characters: on
Ntrans: off
Nmap: off
Hash mark printing: off; Use of PORT cmds: on
Tick counter printing: off

vsFTPd

  • vsFTPd (Very Secure FTP Daemon) is a popular open-source FTP server for Unix-like systems. It is known for its security features and performance. vsFTPd supports both active and passive modes of FTP and provides various configuration options to enhance security, such as SSL/TLS encryption, user authentication, and access control.
  • The default configuration for vsFTPd can typically be found at /etc/vsftpd.conf
  • /etc/ftpusers is a file that contains a list of users who are not allowed to log in to the FTP server. If a username is listed in this file, the user will be denied access to the FTP server, regardless of their password or other authentication methods.
rtn@ns1:~$ cat /etc/ftpusers
# /etc/ftpusers: list of users disallowed FTP access. See ftpusers(5).

root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
nobody

Footprinting FTP Services

nmap is an excellent tool for footprinting remote FTP servers. We can use its built-in scripting engine (and ready-made scripts) to help interrogate a potential FTP service.

  • First, we’ll want to update the nmap scripting database:
rnemeth@htb[/htb]$ sudo nmap --script-updatedb

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 13:49 CEST
NSE: Updating rule database.
NSE: Script Database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.28 seconds
  • nmap scripts are typically located in /usr/share/nmap/scripts/
  • Example run of nmap against an FTP server:
rnemeth@htb[/htb]$ sudo nmap -sV -p21 -sC -A 10.129.14.136

Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-16 18:12 CEST
Nmap scan report for 10.129.14.136
Host is up (0.00013s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rwxrwxrwx    1 ftp      ftp       8138592 Sep 16 17:24 Calendar.pptx [NSE: writeable]
| drwxrwxrwx    4 ftp      ftp          4096 Sep 16 17:57 Clients [NSE: writeable]
| drwxrwxrwx    2 ftp      ftp          4096 Sep 16 18:05 Documents [NSE: writeable]
| drwxrwxrwx    2 ftp      ftp          4096 Sep 16 17:24 Employees [NSE: writeable]
| -rwxrwxrwx    1 ftp      ftp            41 Sep 16 17:24 Important Notes.txt [NSE: writeable]
|_-rwxrwxrwx    1 ftp      ftp             0 Sep 15 14:57 testupload.txt [NSE: writeable]
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.4
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status