FTP
aka vsftpd, ProFTPD, pure-ftpd
File transfer on 21, in cleartext. Test anonymous login first; if the FTP root maps to a web root you can upload a shell, and old daemons carry famous backdoors.
Ports
| Port | Proto | Notes |
|---|---|---|
21 | tcp | FTP control channel |
Fingerprint
- 220 banner names the daemon and version
- nmap ftp-anon checks anonymous access
Key files
| Path | Holds | Sensitive |
|---|---|---|
served directory | configs, backups and source that leak creds | sensitive |
writable upload dir | webshell drop if it overlaps the web root |
Default / weak creds
anonymous / anonymous (or any password)
Service users
ftp
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2011-2523 | vsftpd 2.3.4 backdoor, smiley triggers a root shell on 6200 |
| CVE-2015-3306 | ProFTPD mod_copy unauthenticated file copy to web root |
Exploitation primitives
- Anonymous login to read/loot files
- Upload a webshell when the FTP root is the web root
- Version-specific backdoors (vsftpd 2.3.4) and mod_copy (SITE CPFR/CPTO)
Overview
FTP on 21 is cleartext and frequently allows anonymous access. Even read-only anonymous access often leaks config or source files, and a writable root that overlaps the web server is an instant webshell.
Enumeration
Try anonymous login:
ftp <TARGET>Nmap anon / syst scripts:
nmap -p21 --script ftp-anon,ftp-syst <TARGET>Mirror everything anonymously:
wget -m --no-passive ftp://anonymous:anon@<TARGET>/Hardening
Disable anonymous write, prefer FTPS/SFTP, and keep the daemon patched.
Seen on these machines 2
