FTP

Identification

# Base connection
ftp <IP>
> USER Anonymous
> PASS test

# It can be usefull to try passive mode
ftp -p <IP>
> USER Anonymous
> PASS test

# Using telnet
telnet <IP> 21
Anonymous
test
bin (binary mode, don\'t forget it before transfering exe file)
get / send

# FTP Web Access ?
# Try upload and execute through web access
ftp://IP

Bruteforce

hydra -L users.txt -P passwords.txt -t 3 -s 21 IP ftp

Mount remote FTP locally

sudo apt-get install curlftpfs
mkdir /mnt/my_ftp
curlftpfs ftp-user:ftp-pass@my-ftp-location.local /mnt/my_ftp/

# To allow other users
curlftpfs -o allow_other ftp-user:ftp-pass@my-ftp-location.local /mnt/my_ftp/

ftp-vulnerability-scan - Nmap can be leveraged to scan FTP services for known vulnerabilities.

Example Syntax:

nmap -sV -Pn -vv -p [PORT] --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 [IP]

ftp-default - Hydra can be utilized to check FTP services for default credentials.

Example Syntax:

hydra -s [PORT] -C ./wordlists/ftp-default-userpass.txt -u -f [IP] ftp