Enumeration

Banner Grabbing

telnet 10.10.10.10 21

Anonymous Access

ftp 10.10.10.10

Username: anonymous OR anon

Password: any

Bruteforce

Hydra

hydra -t 1 -l admin -P ~/password-list.txt -vV 10.10.10.10 ftp

Medusa

medusa -h 10.10.10.10 -u admin -P ~/password-list.txt -M ftp

MiTM

https://labs.p64cyber.com/passive-aggression-v1-0/null

FTP Fuzzing

A Metasploit module that will connect to an FTP server and perform pre and post-authentication fuzzing. – Suggested by @_tmap

use auxiliary/fuzzers/ftp/ftp_pre_post

Metasploit

Anonymous FTP Access Detection

Detect anonymous (read/write) FTP server access.

use auxiliary/scanner/ftp/anonymous

BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure

This module exploits a directory traversal vulnerability found in BisonWare BisonFTP server version 3.5. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command including file system traversal strings such as ‘..//.’

use auxiliary/scanner/ftp/bison_ftp_traversal

ColoradoFTP Server 1.3 Build 8 Directory Traversal Information Disclosure

use auxiliary/scanner/ftp/colorado_ftp_traversal

This module exploits a directory traversal vulnerability found in ColoradoFTP server version <= 1.3 Build 8. This vulnerability allows an attacker to download and upload arbitrary files from the server GET/PUT command including file system traversal strings starting with ‘\’. The server is written in Java and therefore platform independent, however this vulnerability is only exploitable on the Windows version.

Easy File Sharing FTP Server 3.6 Directory Traversal

use auxiliary/scanner/ftp/easy_file_sharing_ftp

This module exploits a directory traversal vulnerability found in Easy File Sharing FTP Server Version 3.6 and Earlier. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command that includes file system traversal strings such as ‘../’

Authentication Scanner

This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

use auxiliary/scanner/ftp/ftp_login

Version Scanner

Detect FTP Version.

use auxiliary/scanner/ftp/ftp_version

Konica Minolta FTP Utility 1.00 Directory Traversal Information Disclosure

This module exploits a directory traversal vulnerability found in Konica Minolta FTP Utility 1.0. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command that includes file system traversal strings such as ‘..//’

use auxiliary/scanner/ftp/konica_ftp_traversal

PCMan FTP Server 2.0.7 Directory Traversal Information Disclosure

This module exploits a directory traversal vulnerability found in PCMan FTP Server 2.0.7. This vulnerability allows an attacker to download arbitrary files from the server by crafting a RETR command that includes file system traversal strings such as ‘..//’

use auxiliary/scanner/ftp/pcman_ftp_traversal 

Titan FTP XCRC Directory Traversal Information Disclosure

This module exploits a directory traversal vulnerability in the XCRC command implemented in versions of Titan FTP up to and including 8.10.1125. By making sending multiple XCRC command, it is possible to disclose the contents of any file on the drive with a simple CRC “brute force” attack. Although the daemon runs with SYSTEM privileges, access is limited to files that reside on the same drive as the FTP server’s root directory.

use auxiliary/scanner/ftp/titanftp_xcrc_traversal

FTP Configuration Files

Nix

/etc/vsftpd/vsftpd.conf
/etc/apache2/mods-available/proxy_ftp.conf
apt-ftparchive.conf
ftp-archive.conf

Windows

ApplicationHost.config

Default Username/Passwords

anonymous:anonymous
root:rootpasswd
root:12hrs37
ftp:b1uRR3
admin:admin
localadmin:localadmin
admin:1234
apc:apc
admin:nas
Root:wago 
Admin:wago 
User:user 
Guest:guest 
ftp:ftp
admin:password
a:avery
admin:123456
adtec:none
admin:admin12345
none:dpstelecom
instrument:instrument
user:password
root:password
default:default
admin:default
nmt:1234
admin:Janitza
supervisor:supervisor
user1:pass1
avery:avery
IEIeMerge:eMerge
ADMIN:12345
beijer:beijer
Admin:admin
admin:1234
admin:1111
root:admin
se:1234
admin:stingray
device:apc
apc:apc
dm:ftp
dmftp:ftp
httpadmin:fhttpadmin
user:system
MELSEC:MELSEC
QNUDECPU:QNUDECPU
ftp_boot:ftp_boot
uploader:ZYPCOM
ftpuser:password
USER:USER
qbf77101:hexakisoctahedron
ntpupdate:ntpupdate
sysdiag:factorycast@schneider
wsupgrade:wsupgrade
pcfactory:pcfactory
loader:fwdownload
test:testingpw
webserver:webpages
fdrusers:sresurdf
nic2212:poiuypoiuy
user:user00
su:ko2003wa
MayGion:maygion.com
admin:9999
PlcmSpIp:PlcmSpIp

Searchsploit Results