21 - FTP

When I see FTP Port Open:

  1. Try FTP Default creds - anonymous:anonymous / admin:admin

  2. Once you log in, type passive and binary to set the file transfer modes

  3. If anonymous login works -> create a payload, upload it and try visiting <IP>/exploit.asp

  4. FTP Login: ftp <username>@<IP>

  5. Banner Grabbing: nc -nv <IP> 21

  6. Grab Cert: openssl s_client -connect <IP>:21 -starttls ftp

  7. Download all the files in share: wget -m ftp://anonymous:anon@<IP>

  8. Download all: wget -m --no-passive ftp://:@<IP>

  9. Different port: ftp <IP> -P 3084

  10. Bruteforce: hydra [-L <users.txt> or -l <user_name>] [-P <pass.txt> or -p <password>] -f [-s <port>] ftp://<IP>

  11. If it's a Microsoft server -> Try asp, aspx payloads. Try staged/stageless, x32/x64 payloads.

  12. Check if we can overwrite stuff and upload files to make it work. Look at the permissions.

  13. Look for hidden files, go back to a directory if you find anything, and look for creds in DB Files.
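Seen from the server side, the steps above leave traces: repeated 530 replies during password guessing, a 230 reply for an anonymous login, and a STOR of a file the web server can execute. The following is an added example, not part of the original notes, that flags those three patterns; the log layout, the sample lines and the names `analyse` and `SAMPLE_LOG` are assumptions, so adapt the regex to your FTP server's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified layout (assumption, not a real server's format):
# <ISO time> <client IP> <user> <FTP command> <argument> <reply code>
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 admin PASS - 530
2024-05-01T10:00:02 203.0.113.7 admin PASS - 530
2024-05-01T10:00:03 203.0.113.7 root PASS - 530
2024-05-01T10:00:04 203.0.113.7 backup PASS - 530
2024-05-01T10:00:05 203.0.113.7 ftpuser PASS - 530
2024-05-01T10:02:10 198.51.100.9 anonymous PASS - 230
2024-05-01T10:02:30 198.51.100.9 anonymous STOR /wwwroot/exploit.asp 226
2024-05-01T10:05:00 192.0.2.20 alice PASS - 230
2024-05-01T10:05:20 192.0.2.20 alice STOR /docs/report.pdf 226
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
ANON_USERS = {"anonymous", "ftp"}
EXEC_EXT = (".asp", ".aspx", ".php", ".jsp")   # types a web server may execute

def analyse(log, max_failures=5, window=timedelta(minutes=1)):
    """Return (kind, client, detail) findings for the behaviours in the checklist."""
    findings, failures, flagged = [], defaultdict(list), set()
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                                # skip lines that do not parse
        ts, ip, user, cmd, arg, code = m.groups()
        when, cmd = datetime.fromisoformat(ts), cmd.upper()
        if cmd == "PASS" and code == "530":         # 530 = login rejected
            recent = [t for t in failures[ip] if when - t <= window] + [when]
            failures[ip] = recent
            if len(recent) >= max_failures and ip not in flagged:
                flagged.add(ip)
                findings.append(("bruteforce", ip, f"{len(recent)} failed logins"))
        elif cmd == "PASS" and code == "230" and user.lower() in ANON_USERS:
            findings.append(("anonymous-login", ip, user))      # 230 = logged in
        elif cmd == "STOR" and code == "226" and arg.lower().endswith(EXEC_EXT):
            findings.append(("executable-upload", ip, f"{user} stored {arg}"))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding, sep="\t")
```

An executable upload from a client that logged in anonymously is the combination to alert on first; disabling anonymous write access and keeping the FTP root outside the web root removes it.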
