TFTP
aka Trivial FTP
Trivial FTP on 69/udp, no authentication at all. Used for device configs, firmware and PXE, so it both leaks files and accepts uploads.
Ports
| Port | Proto | Notes |
|---|---|---|
| 69 | udp | TFTP, no auth |
Fingerprint
- nmap UDP scan shows 69 open
- No login prompt; you just get/put by filename
Key files
| Path | Holds | Sensitive |
|---|---|---|
| served directory | router/switch/VoIP configs and firmware | sensitive |
Service users
nobody, tftp
Exploitation primitives
- Download known config filenames (no auth, but you cannot list)
- Upload a file when the directory is writable (webshell / config overwrite)
Overview
TFTP on 69/udp has no auth and no directory listing, so it is all about known filenames. Network gear and VoIP phones drop their configs here, which often carry credentials.
Enumeration
Scan for it:
nmap -sU -p69 --script tftp-enum <TARGET>
Open a TFTP session:
tftp <TARGET>
Transfer
Download a known config:
tftp <TARGET> -c get running-config
Upload a file (if writable):
tftp <TARGET> -c put shell.php
Hardening
Restrict TFTP to the PXE/management VLAN, make it read-only, and never store secrets in served configs.
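To check the last two hardening points on a server you run, the sketch below audits a served directory for world-writable paths and for credential-bearing config lines. It is an added example, not part of the original page; the function names, the regex list and the sample files are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumed patterns (Cisco-style keywords plus generic key=value); extend per device.
SECRET_PATTERNS = [
    re.compile(r"^\s*enable (secret|password)\b", re.I),
    re.compile(r"^\s*username \S+ .*\b(password|secret)\b", re.I),
    re.compile(r"^\s*snmp-server community \S+", re.I),
    re.compile(r"\b(password|passwd|secret|psk)\s*[=:]\s*\S+", re.I),
]

def audit_tftp_root(root):
    """Return (kind, path, detail) findings; secrets are located, never echoed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        if mode & stat.S_IWOTH:  # world-writable: an unprivileged daemon can write here
            findings.append(("writable-dir", dirpath, oct(mode)))
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & stat.S_IWOTH:
                findings.append(("writable-file", path, oct(mode)))
            # Firmware images are binary, so ignore decode errors while scanning.
            with open(path, "r", errors="ignore") as fh:
                for lineno, line in enumerate(fh, 1):
                    if any(p.search(line) for p in SECRET_PATTERNS):
                        findings.append(("secret", path, f"line {lineno}"))
    return findings

def demo():
    """Audit a constructed served directory (sample data, not a real device config)."""
    root = tempfile.mkdtemp(prefix="tftproot-")
    cfg = os.path.join(root, "running-config")
    with open(cfg, "w") as fh:
        fh.write("hostname lab-sw1\nenable secret 5 CONSTRUCTED-HASH\n"
                 "snmp-server community CONSTRUCTED-STRING RO\ninterface Vlan10\n")
    os.chmod(cfg, 0o666)  # the weak setting: anyone can overwrite it
    boot = os.path.join(root, "boot.cfg")
    with open(boot, "w") as fh:
        fh.write("default install\ntimeout 5\n")
    os.chmod(boot, 0o644)  # not world-writable, no secrets: produces no findings
    return audit_tftp_root(root)

if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:14} {path} ({detail})")
```

Run it against the real served directory by calling `audit_tftp_root()` with that path; an empty result means no world-writable paths and no lines matching the assumed patterns.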