Cheatsheet
| Action | Command |
|---|---|
| NetExec | nxc ftp $ipscope -u '{username}' -p '{password}' -M {modules} |
| Noauth Login | ftp $ipscope |
| Get all no login available files | wget -m --no-passive ftp://anonymous:anonymous@$ipscope |
| Nmap FTP Enum | nmap $ipscope -sV -p21 -sC -A --script-trace |
| sFTP | openssl s_client -connect $ipscope:21 -starttls ftp |
| hydra | hydra -L {user list} -P/p {passwordlist/password} ftp://$ipscope |
File Transfer Protocol
Distinguish active and passive mode:
- Active: the client opens the control connection and tells the server which client-side port to use; the server then connects back to that port for the data transfer. Client-side firewalls often block this inbound connection, so passive mode is the most common.
- Passive: the server tells the client which port it chose, and the client establishes the data connection itself using this information, so the client's firewall does not block it.
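The two modes as they appear on the control channel, as an added example that is not part of the original cheatsheet: it decodes the RFC 959 `PORT` command (active) and `227` reply (passive) and reports which side opens the data connection. The sample lines and function names are constructed for illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by the PORT command and the 227 reply (RFC 959)
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")

def decode_hostport(fields):
    """Turn 'h1,h2,h3,h4,p1,p2' into (ip, port); port = p1 * 256 + p2."""
    nums = [int(n) for n in fields.split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: " + fields)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_endpoint(line):
    """Return (mode, ip, port) for a line that sets up a data channel, else None."""
    line = line.strip()
    m = PORT_RE.match(line)
    if m:  # client announces its own listening port -> active mode
        return ("active",) + decode_hostport(m.group(1))
    m = PASV_RE.match(line)
    if m:  # server announces the port it opened -> passive mode
        return ("passive",) + decode_hostport(m.group(1))
    return None

def who_connects(mode):
    """Direction of the data connection, which is what a firewall sees."""
    return "server -> client" if mode == "active" else "client -> server"

def trace(lines):
    """Summarise every data-channel setup found in a control-channel capture."""
    out = []
    for line in lines:
        ep = data_endpoint(line)
        if ep:
            out.append(ep + (who_connects(ep[0]),))
    return out

# Constructed control-channel lines (not captured from a real server).
SAMPLE = [
    "USER anonymous",
    "PORT 10,0,0,5,200,21",
    "227 Entering Passive Mode (10,0,0,20,195,80).",
]

if __name__ == "__main__":
    for mode, ip, port, direction in trace(SAMPLE):
        print(f"{mode:8} data endpoint {ip}:{port}  ({direction})")
```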
FTP Command List
| Type | Command | What it Does |
|---|---|---|
| Command | ! | Runs the specified command on the local computer |
| Command | ? | Displays descriptions for ftp commands |
| Command | append | Appends a local file to a file on the remote computer |
| Command | ascii | Sets the file transfer type to ASCII, the default |
| Command | bell | Toggles a bell to ring after each file transfer command is completed (default = OFF) |
| Command | binary | Sets the file transfer type to binary |
| Command | bye | Ends the FTP session and exits ftp |
| Command | cd | Changes the working directory on the remote computer |
| Command | close | Ends the FTP session and returns to the command interpreter |
| Command | debug | Toggles debugging (default = OFF) |
| Command | delete | Deletes a single file on a remote computer |
| Command | dir | Displays a list of a remote directory’s files and subdirectories |
| Command | disconnect | Disconnects from the remote computer, retaining the ftp prompt |
| Command | get | Copies a single remote file to the local computer |
| Command | glob | Toggles filename globbing (wildcard characters) (default = ON) |
| Command | hash | Toggles hash sign (#) printing for each data block transferred (default = OFF) |
| Command | help | Displays descriptions for ftp commands |
| Command | lcd | Changes the working directory on the local computer |
| Command | literal | Sends arguments, verbatim, to the remote FTP server |
| Command | ls | Displays an abbreviated list of a remote directory’s files and subdirectories |
| Command | mdelete | Deletes one or more files on a remote computer |
| Command | mdir | Displays a list of a remote directory’s files and subdirectories |
| Command | mget | Copies one or more remote files to the local computer |
| Command | mkdir | Creates a remote directory |
| Command | mls | Displays an abbreviated list of a remote directory’s files and subdirectories |
| Command | mput | Copies one or more local files to the remote computer |
| Command | open | Connects to the specified FTP server |
| Command | prompt | Toggles prompting (default = ON) |
| Command | put | Copies a single local file to the remote computer |
| Command | pwd | Displays the current directory on the remote computer (literally, “print working directory”) |
| Command | quit | Ends the FTP session with the remote computer and exits ftp (same as “bye”) |
| Command | quote | Sends arguments, verbatim, to the remote FTP server (same as “literal”) |
| Command | recv | Copies a remote file to the local computer |
| Command | remotehelp | Displays help for remote commands |
| Command | rename | Renames remote files |
| Command | rmdir | Deletes a remote directory |
| Command | send | Copies a local file to the remote computer (same as “put”) |
| Command | status | Displays the current status of FTP connections |
| Command | trace | Toggles packet tracing (default = OFF) |
| Command | type | Sets or displays the file transfer type (default = ASCII) |
| Command | user | Specifies a user to the remote computer |
| Command | verbose | Toggles verbose mode (default = ON) |
FTP Command Line
| Type | Command | What it Does |
|---|---|---|
| Command Line | -v | Suppresses verbose display of remote server responses. |
| Command Line | -n | Suppresses auto login |
| Command Line | -i | Turns off interactive prompting during multiple file transfers. |
| Command Line | -d | Enables debugging, displaying all ftp commands passed between the client and server. |
| Command Line | -g | Disables filename globbing, which permits the use of wildcard characters in local file and path names. |
| Command Line | -s:filename | Specifies a text file containing ftp commands; the commands will automatically run after ftp starts. No spaces are allowed in this parameter. Use this switch instead of redirection (>). |
| Command Line | -a | Use any local interface when binding data connection. |
| Command Line | -w:windowsize | Overrides the default transfer buffer size of 4096. |
| Command Line | -computer | Specifies the computer name or IP address of the remote computer to connect to. The computer, if specified, must be the last parameter on the line. |
TFTP
You are unlikely to see this protocol exposed, as it does not require authentication. However, once you have a foothold on the internal network, the chances of finding one increase, as there might be “public” shares inside the network.
| Commands | Description |
|---|---|
| connect | Sets the remote host, and optionally the port, for file transfers. |
| get | Transfers a file or set of files from the remote host to the local host. |
| put | Transfers a file or set of files from the local host onto the remote host. |
| quit | Exits tftp. |
| status | Shows the current status of tftp, including the current transfer mode (ascii or binary), connection status, time-out value, and so on. |
| verbose | Turns verbose mode, which displays additional information during file transfer, on or off. |
Different FTP servers
vsFTP
Mostly used on Linux distributions using FTP.
- Conf is located at /etc/vsftpd.conf
- Users can be found in /etc/ftpusers
Default settings :
| Setting | Description |
|---|---|
| listen=NO | Run from inetd or as a standalone daemon? |
| listen_ipv6=YES | Listen on IPv6? |
| anonymous_enable=NO | Enable Anonymous access? |
| local_enable=YES | Allow local users to login? |
| dirmessage_enable=YES | Display active directory messages when users go into certain directories? |
| use_localtime=YES | Use local time? |
| xferlog_enable=YES | Activate logging of uploads/downloads? |
| connect_from_port_20=YES | Connect from port 20? |
| secure_chroot_dir=/var/run/vsftpd/empty | Name of an empty directory |
| pam_service_name=vsftpd | This string is the name of the PAM service vsftpd will use. |
| rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem | The last three options specify the location of the RSA certificate to use for SSL encrypted connections. |
| rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key | |
| ssl_enable=NO | |
Dangerous Settings
Optional settings to look for in a misconfigured server:
| Setting | Description |
|---|---|
| anonymous_enable=YES | Allowing anonymous login? |
| anon_upload_enable=YES | Allowing anonymous to upload files? |
| anon_mkdir_write_enable=YES | Allowing anonymous to create new directories? |
| no_anon_password=YES | Do not ask anonymous for password? |
| anon_root=/home/username/ftp | Directory for anonymous. |
| write_enable=YES | Allow the usage of FTP commands: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE, and SITE? |
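A config audit for the settings in the table above, as an added example that is not part of the original cheatsheet or of vsftpd itself. It only evaluates options explicitly present in the file; the sample config, the function names and the set of values treated as "enabled" are assumptions made for illustration.

```python
# Options from the "Dangerous Settings" table and why each one matters.
RISKY = {
    "anonymous_enable": "anonymous login allowed",
    "anon_upload_enable": "anonymous users may upload files",
    "anon_mkdir_write_enable": "anonymous users may create directories",
    "no_anon_password": "anonymous login is not asked for a password",
    "write_enable": "STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE allowed",
}
TRUE_VALUES = {"YES", "TRUE", "1"}  # assumption: values read as "enabled"

def parse_conf(text):
    """Parse option=value lines; comments are skipped, later lines override."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key] = value
    return settings

def enabled(settings, key):
    return settings.get(key, "").upper() in TRUE_VALUES

def audit(text):
    """Return [(option, reason)] for every risky setting that is switched on."""
    s = parse_conf(text)
    findings = [(k, why) for k, why in RISKY.items() if enabled(s, k)]
    if enabled(s, "anonymous_enable"):
        if "anon_root" in s:
            findings.append(("anon_root", "anonymous directory is " + s["anon_root"]))
        # Anonymous upload/mkdir only take effect when write_enable is on too.
        if enabled(s, "write_enable") and (
            enabled(s, "anon_upload_enable") or enabled(s, "anon_mkdir_write_enable")
        ):
            findings.append(("anonymous-write", "anonymous users can write to the server"))
    return findings

# Constructed sample config (not taken from a real host).
SAMPLE_CONF = """\
listen=NO
anonymous_enable=NO
anonymous_enable=YES
write_enable=YES
anon_upload_enable=yes
#anon_mkdir_write_enable=YES
anon_root=/srv/ftp/pub
"""

if __name__ == "__main__":
    for option, reason in audit(SAMPLE_CONF):
        print(f"[!] {option}: {reason}")
```

To review a real server, pass the contents of /etc/vsftpd.conf to `audit()`.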