Kashishtopi
  • whoami
    • Little bit more about me
  • OSCP Cheatsheet
    • Cheatsheet
      • Scanning
      • Ports
        • 80/443 - HTTP(s)
        • 139/445 - SMB
        • 21 - FTP
        • 53 - DNS
        • 22 - SSH
        • 389/636/3268 - LDAP
        • 161 - SNMP
        • 25 - SMTP
        • 3389 - RDP
        • 135/593 - RPC
        • 5985/5986 - Evil-winrm
        • 3306 - MYSQL
        • 1433 - MSSQL
      • Shells
        • TTY shells
      • File Transfers
      • Host Web Server
    • Attacks
      • WebShell
      • Password Cracking
        • Bruteforce
        • Hash Crack
        • Create Wordlist
      • File Uploads
        • HTML (.hta)
        • Macro
        • OLE
      • LFI / RFI
      • Shellshock
      • Github
      • SQLi
        • MYSQL
        • MSSQL
    • Linux PrivEsc
      • Automated
      • Methodology
      • Quick wins
      • Manual Enum
      • Kernel Exploits
      • SUID
      • Insecure File Perm
      • Password Loot
      • Restrict Shell Escape
      • Sudo
      • Docker
      • Cron Jobs
      • Device Drivers
      • Unmounted Drives
      • Capabilities
      • NFS Root Squashing
    • Windows PrivEsc
      • Kernel exploit
      • Manual
      • Quick Wins
      • Password loot
      • Run As
      • SE Privileges
      • Unquoted Service Path
      • Scheduled Tasks
      • AlwaysInstallElevated
      • Insecure File permission
      • Windows Subsystem
      • UAC Bypass
      • .ODT - Htdocs
      • Autoron
      • upnuphost
    • Active Directory
      • We got Users but no Pass?
      • Enumeration
      • Authentication
      • Pivoting
      • Lateral Movement
      • Hash Dumping
      • Persistence
Powered by GitBook
On this page

Was this helpful?

  1. OSCP Cheatsheet
  2. Cheatsheet
  3. Ports

21 - FTP

Previous139/445 - SMBNext53 - DNS

Last updated 1 year ago

Was this helpful?

When I see FTP Port Open:

  1. Try FTP Default creds - anonymous:anonymous / admin:admin

  2. Once you log in, type passive and binary for file transfer modes

  3. If anonymous login -> create a payload, upload and try visit <IP>/exploit.asp

  4. FTP Login: ftp <username>@<IP>

  5. Banner Grabbing: nc -nv <IP> 21

  6. Grab Cert: openssl s_client -connect <IP>:21 -starttls ftp

  7. Download all the files in share: wget -m ftp://anonymous:anon@<IP>

  8. Download all: wget -m --no-passive ftp://:@<IP>

  9. Different port: ftp <IP> -P 3084

  10. Bruteforce: hydra [-L <users.txt> or -l <user_name>] [-P <pass.txt> or -p ] -f [-S port] ftp://<IP>

  11. If it's a Microsoft server -> Try asp, aspx payloads. Try staged/stageless, x32/x64 payloads.

  12. Check if we can overwrite stuff and upload files to make it work. Look at the permissions.

  13. Look for hidden files, go back to a directory if you find anything, and look for creds in DB Files.

LogoFTP Enumeration Guide - StefLan's Security BlogStefLan's Security Blog
LogoSecLists/ftp-betterdefaultpasslist.txt at master · danielmiessler/SecListsGitHub