FTP is a method to access and share files on the internet. The protocol is a way to communicate between computers on a TCP/IP network, FTP is a TCP based service exclusively and it is a client-server protocol where a client will communicate with a server.

"File Transfer Protocol," can transfer files between any computers that have an Inter communication, and also works between computers using totally different operating systems.

Anonymous FTP is a type of FTP that allows users to access files and other data without needing an ID or password.

  • Transferring files from a client computer to a server computer is called "uploading"
  • Transferring from a server to a client is "downloading"

How does it work

There are two distinct communication channels while establishing an FTP connection.

  • Port 21: The first one is called the command channel where it initiates the instruction and response.
  • Port 20: The other one is called a data channel, where the distribution of data happens. The confusion begins however, when we find that depending on the mode, the data port is not always on port 20.

Types of FTP communication

he FTP server may support Active or Passive connections or both. Most FTP client programs select passive connection mode by default because server administrators prefer it as a safety measure.  Firewalls generally block connections that are "initiated" from the outside.  Using passive mode, the FTP client (like Auto FTP Manager) is "reaching out" to the server to make the connection.  The firewall will allow these outgoing connections, meaning that no special adjustments to firewall settings are required.


Active FTP connection, the client opens a port and listens and the server actively connects to it.

command: client >1023 (to ->) server 21

data: client >1023 (<- to) server 20

  • In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21.
  • Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server.
  • The server will then connect back to the client's specified data port from its local data port, which is port 20.


From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:

  • FTP server's port 21 from anywhere (Client initiates connection)
  • FTP server's port 21 to ports > 1023 (Server responds to client's control port)
  • FTP server's port 20 to ports > 1023 (Server initiates data connection to client's data port)
  • FTP server's port 20 from ports > 1023 (Client sends ACKs to server's data port)

FTP Active vs. Passive Mode


Passive FTP connection, the server opens a port and listens (passively) and the client connects to it.  You must grant Auto FTP Manager access to the Internet and to choose the right type of FTP Connection Mode

command: client >1023 (to ->) server 21

data: client >1024 (to ->) server >1023

  • In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server.
  • When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command.
  • The result of this is that the server then opens a random unprivileged port (P > 1023) and sends P back to the client in response to the PASV command. The client then initiates the connection from port N+1 to port P on the server to transfer data.

From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:

  • FTP server's port 21 from anywhere (Client initiates connection)
  • FTP server's port 21 to ports > 1023 (Server responds to client's control port)
  • FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
  • FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)


FTP command table


DOS Command


Change user password on a site

Literal SITE PSWD oldpassword newpassword

"Literal" sends a command line to the remote FTP connection and executes the SITE PSWD command.

Connect to the specified FTP host on the specified port

open [host] [port]

For example, type:

open myftpsite.com 21

Navigate to a different directory on remote machine

cd [directory]

For example, type:

cd M:\InetPub\EFTRoot\MySite\Usr\jbug

Change to parent directory


Same as cd ..\

Changes directory on local machine

lcd [path]

For example, type lcd c:\temp.

Displays a list of files and folders in the current remote directory

dir [path]

ls [directory] [localfile]

For example, type:

dir M:\InetPub\EFTRoot\MySite\Usr\jbug


ls M:\InetPub\EFTRoot\MySite\Usr\jbug C:\temp\contents.txt

Creates a directory on the remote file system

mkdir [name]

For example, to create a folder into which you will upload your graphics files, type:

mkdir images

Copies a file from the local to the remote computer

put [filename.ext]

To upload the file with a different name, use

put oldfilename.ext newfilename.ext

Copies multiple files from the local to the remote computer

mput [files]

Puts multiple files; *.* puts all files; *.txt puts all .txt files, my_*.* puts all files that start with my_ with any extension.

Copies a file from the remote to the local computer

get [filename.ext]

For example, type:

get dog.jpg

Copies multiple files from the remote to the local computer

mget [files]

Gets multiple files; *.* gets all files; *.txt gets all .txt files, my_*.* gets all files that start with my_ with any extension.

Deletes a file

delete [filename.ext]

For example, type:

delete dog.jpg

Renames a file

rename [filename] [filename]

For example, to rename a picture of your dog, Pooh Bear, type:

rename dog.jpg PoohBear.jpg

Removes a directory on the remote computer

rmdir [name]

For example, type:

rmdir olddogpics

List current working directory


Use when you forget which directory you are in or if you want to copy the path

Close connection

bye (or quit)

Disconnect from remove FTP server

List of available commands or help for a specific command


help [command]

? [command]

help by itself lists available FTP commands; help [command] or ? [command] provides help for the specific command

Change transfer mode to ASCII


Used for HTML and text files

Change transfer mode to binary


Used for graphics, compressed files, audio clips, etc.

Displays current transfer mode (ASCII or binary)


Query the status of files, transfers in process, and other system information. The STAT command implemented on some FTP servers could allow a remote attacker to obtain sensitive information; therefore, it is disabled on some servers.

Enable/disable prompts


Use this command if you do not want to be prompted for each file transfer when transferring multiple files.



1. Basic enumeration scan

  • nmap -p 21 -A -sV -sC

2. Using NSE scripts

  • nmap -p 21 --script ftp-anon,ftp-bounce,ftp-brute,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221


1. Enumerate banner

  • use auxiliary/scanner/ftp/ftp_version
  • show options
  • set RHOSTS
  • exploit

Secure banner: Edit the config file located in /etc, in our case it is named vsftpd.conf, enable custom banner, by uncommenting the line:



Then restart the service and test again.

2. Brute force with Metasploit

  • use auxiliary/scanner/ftp/ftp_login
  • show options
  • set blank_passwords true
  • set RHOSTS
  • set USERNAME anonymous
  • exploit

You can set password, username lists, stop on success, etc.

3. Find the privileges of anonymous login

  • use auxiliary/scanner/ftp/anonymous
  • show options
  • set rhosts
  • exploit

Connect using FTP command

1. Once, the username & password are identified. Or if anonymous log in is enabled. Access the remote service

  • ftp
  • USER: anonymous
  • PASS: anonymous

2. Once authenticated, you are permitted to run commands depending on permissions of the user.

  • pwd
  • dir
  • get lol.pcap

3. Since, we have read permission we could download the file

  • ls -l lol.pcap


You can brute force log in using hydra

  • hydra -s 21 -C /usr/share/legion/wordlists/ftp-default-userpass.txt -u -f ftp

There are other methods to enumerate ftp like capturing network traffic, sometime ftp is sent over insecure networks.

Once, you get log in you can explore and navigate through the file system, read or even write files.

I captured traffic using Wireshark and I see the log in messages flowing through the network