FTP Enumeration
Why FTP Still Matters
The File Transfer Protocol (FTP) is one of the oldest Internet protocols and remains common in legacy environments and internal networks. It operates at the application layer like HTTP and POP and typically relies on two channels:
- Control channel on TCP port 21 (commands and status codes)
- Data channel on TCP port 20 (file transfers)
If a transfer breaks, FTP can often resume once the connection is re‑established.
Active vs. Passive FTP
FTP supports two modes that affect firewall behavior:
- Active mode: The server initiates the data connection back to the client. This can fail when the client is behind a strict firewall.
- Passive mode: The server announces a port, and the client initiates the data connection. This is usually firewall‑friendly and is the most common default today.
Authentication & Clear‑Text Risk
FTP is clear‑text by default, meaning credentials and data can be sniffed if the network is exposed. Many servers require credentials, but some allow anonymous FTP, which can be convenient internally yet risky in practice. Anonymous access should be tightly restricted and monitored.
TFTP in a Nutshell
Trivial File Transfer Protocol (TFTP) is a stripped‑down alternative to FTP:
- Uses UDP (unreliable, requires app‑level recovery)
- No authentication
- Typically limited to shared, world‑readable/writable directories
Because of the minimal security model, TFTP should only be used in trusted local networks.
vsFTPd: Common Defaults to Know
On Linux, vsFTPd is a popular FTP server. Its main configuration file is typically located at /etc/vsftpd.conf. Key defaults often include:
- Local users can log in (local_enable=YES)
- Anonymous access disabled (anonymous_enable=NO)
- Logging enabled (xferlog_enable=YES)
- SSL disabled by default (ssl_enable=NO)
Another important file is /etc/ftpusers, which explicitly blocks specific users from using FTP.
Risky Configuration Patterns
Certain settings frequently lead to exposure:
- Anonymous login enabled
- Anonymous uploads enabled
- Write permissions in public directories
- Recursive listing enabled, revealing large directory trees
While some of these can be useful internally, they are common sources of data leakage and misconfiguration findings during audits.
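The patterns above can be checked statically against a vsftpd.conf during an audit. The following is an added example, not code from this post or from the vsFTPd project. It assumes that anon_upload_enable, anon_mkdir_write_enable and ls_recurse_enable are the directives behind the listed patterns, that a repeated directive keeps its last value, and that TRUE/1 should be read as YES; the sample configuration is constructed.

```python
# Added example: static audit of vsftpd.conf text (not vsFTPd project code).
TRUE, FALSE = {"YES", "TRUE", "1"}, {"NO", "FALSE", "0"}

# directive -> (risky value, finding text)
RULES = {
    "anonymous_enable": ("YES", "anonymous login enabled"),
    "anon_upload_enable": ("YES", "anonymous uploads enabled"),
    "anon_mkdir_write_enable": ("YES", "anonymous users can create directories"),
    "ls_recurse_enable": ("YES", "recursive listing enabled"),
    "ssl_enable": ("NO", "TLS disabled, credentials cross the wire in clear text"),
    "xferlog_enable": ("NO", "transfer logging disabled"),
}

def parse_vsftpd_conf(text):
    """Return {directive: value}; a repeated directive keeps its last value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip().upper()
        # Lenient boolean spelling so TRUE/1 cannot hide a risky setting.
        value = "YES" if value in TRUE else "NO" if value in FALSE else value
        settings[key.strip()] = value
    return settings

def audit(text):
    """Return sorted (directive, status, message) findings."""
    settings = parse_vsftpd_conf(text)
    findings = []
    for directive, (risky, message) in RULES.items():
        value = settings.get(directive)
        if value is None:
            # Absent: the built-in default applies; flag for review, do not guess.
            findings.append((directive, "UNSET", "not set, verify effective default"))
        elif value == risky:
            findings.append((directive, "RISK", message))
    return sorted(findings)

# Constructed sample configuration, for demonstration only.
SAMPLE = """\
local_enable=YES
anonymous_enable=YES
anon_upload_enable=YES
xferlog_enable=YES
ssl_enable=NO
"""

if __name__ == "__main__":
    for directive, status, message in audit(SAMPLE):
        print(f"{status:5} {directive}: {message}")
```

Directives reported as UNSET are not findings by themselves; they mark settings whose effective value depends on the installed build and should be confirmed on the host.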
Footprinting the Service (Safely)
A typical enumeration approach focuses on confirming the service, banner, and capabilities:
- Port scanning: FTP commonly runs on TCP 21
- Service detection: Identify server type/version
- Scripted checks: Look for anonymous access, server status, and exposed directories
Nmap’s scripting engine (NSE) includes scripts like ftp-anon and ftp-syst to automate these checks.
When TLS Is Enabled
If FTP uses TLS/SSL, you need a client that supports it (e.g., openssl s_client -starttls ftp). Certificates can reveal hostnames and organizational details that are useful for inventory and documentation.
Common FTP Commands
| Command | Description |
|---|---|
| `ftp <FQDN/IP>` | Interact with the FTP service on the target |
| `nc -nv <FQDN/IP> 21` | Interact with the FTP service on the target |
| `telnet <FQDN/IP> 21` | Interact with the FTP service on the target |
| `openssl s_client -connect <FQDN/IP>:21 -starttls ftp` | Interact with the FTP service on the target using encrypted connection |
| `wget -m --no-passive ftp://anonymous:anonymous@<target>` | Download all available files on the target FTP server |
Practical Takeaways
- Prefer SFTP/FTPS when possible; FTP clear‑text is a liability.
- If anonymous FTP is required, restrict access and monitor logs.
- Keep directory listings and write access tightly controlled.
- During enumeration, collect banner info, allowed methods, and directory visibility, then document findings clearly.
This post summarizes core FTP/TFTP behavior, common server configurations, and safe enumeration concepts for security assessments.