**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. It should enable people and organizations to have a better grip on threats and know how to protect themselves against them. Please use this information responsibly.**
The File Transfer Protocol (FTP) is a network protocol designed for transferring files between a client and server in a computer network.
How it works:
- Client-Server Model: FTP is based on a client-server architecture with the client initiating connections to upload or download files from the server.
- Separate Connections: FTP establishes two different connections as follows:
  - Control Connection: It manages commands and responses.
  - Data Connection: This handles file transfer itself.
- Authentication: Users are most commonly required to enter a username and password. However, some servers allow anonymous FTP access.
- Commands: Actions such as listing directories, changing directories, and transferring files are performed by clients sending commands to the server.
- Modes: There are two modes under which FTP operates, active mode and passive mode, that determine how the data connection is established.
- Transfer Types: ASCII for text files and binary for non-text files are among the various data types supported by FTP.
- Ports: By default, FTP uses port 21 for the control connection and port 20 for the data connection.
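As an added example (not part of the original article), the Python sketch below decodes the address field that negotiates the data connection: the client's PORT command in active mode and the server's 227 reply in passive mode, both encoded as h1,h2,h3,h4,p1,p2 (RFC 959). The function names and sample lines are constructed for illustration; the last function is the comparison a server makes when it refuses PORT commands that name a third host, which is the protection against FTP bounce.

```python
import ipaddress
import re

# Six comma-separated decimal bytes: h1,h2,h3,h4,p1,p2 (RFC 959).
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def decode_hostport(text):
    """Return (ip, port) from the host-port field of a PORT command or 227 reply."""
    match = _HOSTPORT.search(text)
    if match is None:
        raise ValueError(f"no host-port field in {text!r}")
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in {text!r}")
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return str(ip), nums[4] * 256 + nums[5]  # port = p1 * 256 + p2


def data_endpoint(line):
    """Classify one control-connection line and say who opens the data connection."""
    if line.upper().startswith("PORT "):
        ip, port = decode_hostport(line)
        return {"mode": "active", "connects": "server", "ip": ip, "port": port}
    if line.startswith("227"):
        ip, port = decode_hostport(line)
        return {"mode": "passive", "connects": "client", "ip": ip, "port": port}
    return None  # not a data-connection negotiation line


def port_targets_third_party(port_line, control_peer_ip):
    """True if an active-mode PORT names a host other than the control peer."""
    ip, _ = decode_hostport(port_line)
    return ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip)


# Constructed control-connection lines (not captured from a real server).
SAMPLE = [
    "PORT 192,168,162,128,195,80",
    "227 Entering Passive Mode (192,168,162,130,78,52).",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", data_endpoint(line))
```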
FTP enumeration involves probing an FTP server to gather information about its structure, configuration, and contents. This can reveal valuable details such as user accounts, directory listings, and potentially sensitive files.
Here’s a comprehensive guide on how to perform FTP enumeration using various tools and techniques.
Tools and Techniques for FTP Enumeration
1. Basic FTP Client Commands
FTP enumeration can start with basic FTP client commands. You can connect to and communicate with an FTP server using the built-in FTP client found in most operating systems.
Connecting to an FTP Server:
ftp <ftp_server>
Logging in Anonymously:
ftp> open <ftp_server>
Name (<ftp_server>:<username>): anonymous
Password: <any_password>
Listing Directories: This command lists the files and directories in the current directory.
ftp> ls
Downloading Files:
ftp> get <filename>
2. Using Nmap for FTP Enumeration
Nmap is an effective network scanning tool that comes with FTP enumeration scripts.
- Using Nmap Scripts for FTP Enumeration:
nmap --script "ftp*" -p 21 <target_ip>
This command runs various Nmap scripts that check for anonymous access, FTP bounce attacks, system information, and known vulnerabilities.
3. Using Metasploit Framework
Metasploit provides modules for FTP enumeration that can automate the process and find vulnerabilities.
Search for FTP Modules:
search ftp
Use the FTP Version Scanner:
use auxiliary/scanner/ftp/ftp_version
set RHOSTS <target_ip>
run
This module identifies the FTP server version.
Check for Anonymous Login:
use auxiliary/scanner/ftp/anonymous
set RHOSTS <target_ip>
run
This module checks if the FTP server allows anonymous login.
4. Using Hydra to Guess Login Credentials
Hydra is a powerful password-cracking tool. It performs dictionary attacks and brute-force attacks using the given lists of possible usernames and passwords.
Preparing Username and Password Lists
To perform the brute force attack, we will need lists of possible usernames and passwords. These lists can be custom-made or can be obtained from online repositories.
nano username.txt
nano password.txt
Running Hydra for FTP Enumeration
Once the lists are ready, we can start the enumeration process.
hydra -L username.txt -P password.txt 192.168.162.130 ftp
-L username.txt = Specifies the file containing the list of usernames
-P password.txt = Specifies the file containing the list of passwords
Hydra will attempt to log in using each username and password combination.
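On the server side, this kind of guessing shows up as a burst of failed logins from one client, often across several usernames. The following Python sketch is an added example, not part of the original article: it scans FTP server log text for that pattern. The log layout is assumed to be vsftpd-style, the sample lines are constructed, and the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Assumed vsftpd-style login line; other FTP daemons log differently.
LOGIN = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)

# Constructed sample log (not from a real server).
SAMPLE_LOG = """\
Mon Jun  3 10:15:01 2024 [pid 4101] CONNECT: Client "192.168.162.128"
Mon Jun  3 10:15:02 2024 [pid 4100] [admin] FAIL LOGIN: Client "192.168.162.128"
Mon Jun  3 10:15:03 2024 [pid 4104] [root] FAIL LOGIN: Client "192.168.162.128"
Mon Jun  3 10:15:03 2024 [pid 4106] [ftpuser] FAIL LOGIN: Client "192.168.162.128"
Mon Jun  3 10:15:04 2024 [pid 4108] [admin] FAIL LOGIN: Client "192.168.162.128"
Mon Jun  3 10:15:05 2024 [pid 4110] [ftpuser] OK LOGIN: Client "192.168.162.128"
Mon Jun  3 10:20:44 2024 [pid 4120] [alice] FAIL LOGIN: Client "192.168.162.50"
Mon Jun  3 10:20:51 2024 [pid 4120] [alice] OK LOGIN: Client "192.168.162.50"
"""


def summarize_logins(log_text):
    """Per client IP: failure count, usernames tried, logins that followed failures."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "ok_after_fail": []})
    for line in log_text.splitlines():
        m = LOGIN.search(line)
        if m is None:
            continue  # CONNECT, transfer and other non-login lines
        entry = stats[m["ip"]]
        entry["users"].add(m["user"])
        if m["result"] == "FAIL":
            entry["failures"] += 1
        elif entry["failures"]:
            entry["ok_after_fail"].append(m["user"])
    return dict(stats)


def flag_guessing(log_text, max_failures=3, max_users=2):
    """Return alerts for clients exceeding the failure or username-spread thresholds."""
    alerts = []
    for ip, s in sorted(summarize_logins(log_text).items()):
        if s["failures"] > max_failures or len(s["users"]) > max_users:
            alerts.append({"ip": ip, "failures": s["failures"],
                           "users": sorted(s["users"]),
                           "ok_after_fail": s["ok_after_fail"]})
    return alerts
```

A non-empty `ok_after_fail` list in an alert means a guess succeeded, so that account's password should be rotated and its session activity reviewed.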
5. Enumerating FTP by Packet Sniffing using Wireshark
Wireshark is a tool for analyzing network protocols and can be used in network analysis tasks like FTP enumeration.
Launch Wireshark with root privileges so that it can capture on all interfaces, and ensure that promiscuous mode is enabled.
Once Wireshark starts capturing, it will show many different kinds of packets. To see only the FTP packets, apply the ftp display filter.
Right-click on any FTP packet and follow the TCP stream.
Wireshark opens a new window showing the entire communication of that connection in a readable format.
In the new window, we can view the data sent by both the client and the server in the order in which it was transmitted.
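The stream is readable because plain FTP sends the whole control connection, login included, unencrypted. As an added example (not from the original article), the Python sketch below audits the text of a followed control stream and reports what an observer on the network can learn from it; the sample stream is constructed, and the function name and report fields are illustrative.

```python
# Constructed "Follow TCP Stream" text for an FTP control connection (not a real capture).
SAMPLE_STREAM = """\
220 (vsFTPd 3.0.3)
USER anonymous
331 Please specify the password.
PASS guest@example.com
230 Login successful.
SYST
215 UNIX Type: L8
QUIT
221 Goodbye.
"""


def audit_control_stream(stream_text):
    """Report what a passive observer learns from an FTP control stream."""
    report = {"banner": None, "tls_before_login": False, "user": None,
              "password_visible": False, "anonymous": False, "login_ok": False}
    last_cmd = None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[:3].isdigit() and line[3:4] in (" ", "-", ""):  # server reply
            code = line[:3]
            if code == "220" and report["banner"] is None:
                report["banner"] = line[4:]        # often discloses the server version
            elif code == "234" and last_cmd == "AUTH":
                report["tls_before_login"] = report["user"] is None
                break  # the rest of the stream is TLS records, not readable commands
            elif code == "230":
                report["login_ok"] = True
            continue
        verb, _, arg = line.partition(" ")                       # client command
        last_cmd = verb.upper()
        if last_cmd == "USER":
            report["user"] = arg
            report["anonymous"] = arg.lower() in ("anonymous", "ftp")
        elif last_cmd == "PASS":
            report["password_visible"] = True  # record the exposure, not the value
    return report
```

A report with `password_visible` set and `tls_before_login` unset identifies a service that should be moved to FTPS or SFTP.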
Conclusion
FTP enumeration is an essential cybersecurity technique that helps gather critical information about an FTP server’s configuration, structure, and accessible files in its directories. Cybersecurity professionals use tools such as basic FTP commands, Nmap, Metasploit, Hydra, and Wireshark to gain valuable insights. These provide insights into user accounts, directory listings, and access permissions and highlight any weaknesses in security, such as weak authentication, anonymous login permission, or unpatched vulnerabilities that could possibly be exploited by attackers. Through FTP enumeration, security teams may identify these risks to strengthen the security of the FTP service and possibly prevent unauthorized entry into the network.