Attackers often abuse FTP servers to steal information. The legacy FTP protocol doesn’t use encryption or perform any kind of integrity validation. Recommended practice dictates that you implement a more secure alternative, such as File Transfer Protocol Secure (FTPS) or Secure File Transfer Protocol (SFTP).
The SFTP and FTPS protocols use encryption to protect data; however, some implementations still offer weak ciphers (encryption algorithms) such as Blowfish and DES. You should use stronger algorithms, such as AES. Similarly, SFTP and FTPS servers use hashing algorithms to verify the integrity of file transmissions: SFTP runs over SSH, and FTPS is FTP over TLS. Best practice calls for disabling weak hashing algorithms such as MD5 or SHA-1 and using stronger algorithms in the SHA-2 family (such as SHA-256 or SHA-512).
In addition, FTP servers often enable anonymous user authentication, which an attacker may abuse to store unwanted files on your server, potentially as a staging point for exfiltration. For example, an attacker who compromises a system and extracts sensitive information can stage that information on any reachable FTP server that allows any user to connect with the anonymous account.
Using Nmap to scan an FTP server:

```plaintext
nmap -sV 172.16.20.136
```

To test for anonymous login on an FTP server by using Metasploit:

```plaintext
msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(scanner/ftp/anonymous) > set RHOSTS 172.16.20.136
RHOSTS => 172.16.20.136
msf auxiliary(scanner/ftp/anonymous) > exploit
[+] 172.16.20.136:21 - 172.16.20.136:21 - Anonymous READ (220 vsFTPd 3.0.3))
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

This output shows that the FTP server is configured to allow anonymous login. The mitigation in this example is to edit the FTP server configuration file to disable anonymous login. Here the server is running vsFTPd, so the configuration file is located at /etc/vsftpd.conf.
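The fix above is a configuration change, and the same file also carries the cipher and protocol settings discussed earlier and the idle-session timeout from the best-practice list. The following script is an added example, not part of the original page or of the vsftpd project, that audits a vsftpd.conf for anonymous login, missing or weak transport security, and an overlong idle timeout. Directive names and their defaults are taken from the vsftpd.conf(5) man page; the two sample configs, the 15-minute idle threshold and the weak-cipher heuristic are the example's own assumptions.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf text for anonymous login and weak
# transport settings. Directive names/defaults follow vsftpd.conf(5);
# sample configs, the idle threshold and the cipher heuristic are assumptions.

# Constructed sample: a permissive configuration (the "before").
WEAK_CONF='# constructed sample, not a real server config
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
local_enable=YES
write_enable=YES
ssl_enable=NO
idle_session_timeout=3600'

# Constructed sample: the corrected configuration (the "after").
HARDENED_CONF='# constructed sample, not a real server config
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
idle_session_timeout=300'

# Value of a directive in the config text (upper-cased), or the given default
# when the directive is not set.  $1 config text, $2 directive, $3 default
conf_get() {
    cv=$(printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" | tail -n 1 | tr 'a-z' 'A-Z')
    printf '%s\n' "${cv:-$3}"
}

# Print one line per finding; no output means the config passed every check.
audit_vsftpd() {
    cfg=$1
    if [ "$(conf_get "$cfg" anonymous_enable YES)" = YES ]; then
        echo "anonymous_enable=YES: anonymous login allowed (set anonymous_enable=NO)"
    fi
    if [ "$(conf_get "$cfg" anon_upload_enable NO)" = YES ]; then
        echo "anon_upload_enable=YES: anonymous users can store files (set anon_upload_enable=NO)"
    fi
    if [ "$(conf_get "$cfg" ssl_enable NO)" != YES ]; then
        echo "ssl_enable=NO: credentials and data travel in plaintext (set ssl_enable=YES)"
    else
        for d in ssl_sslv2 ssl_sslv3; do
            if [ "$(conf_get "$cfg" "$d" NO)" = YES ]; then
                echo "$d=YES: legacy SSL protocol enabled (set $d=NO)"
            fi
        done
        for d in force_local_logins_ssl force_local_data_ssl; do
            if [ "$(conf_get "$cfg" "$d" YES)" != YES ]; then
                echo "$d=NO: TLS is optional for local users (set $d=YES)"
            fi
        done
        # vsftpd's documented default cipher list is DES-CBC3-SHA (3DES).
        # Heuristic: flag a list whose non-negated entries name DES, RC4,
        # MD5, NULL or EXPORT suites; "HIGH:!aNULL" style negations pass.
        ciphers=$(conf_get "$cfg" ssl_ciphers DES-CBC3-SHA)
        if printf '%s' "$ciphers" | grep -Eq '(^|:)[^!:]*(DES|RC4|MD5|NULL|EXPORT)'; then
            echo "ssl_ciphers=$ciphers: weak cipher or hash in list (use e.g. ssl_ciphers=HIGH)"
        fi
    fi
    # Assumed policy: idle sessions must be dropped within 15 minutes.
    t=$(conf_get "$cfg" idle_session_timeout 300)
    if [ "$t" -gt 900 ]; then
        echo "idle_session_timeout=$t: idle sessions stay open too long (set 900 or less)"
    fi
}

# Number of findings for a config text.
finding_count() {
    audit_vsftpd "$1" | wc -l | tr -d ' '
}

echo "== permissive config =="; audit_vsftpd "$WEAK_CONF"
echo "== hardened config ==";   audit_vsftpd "$HARDENED_CONF"
echo "findings: $(finding_count "$WEAK_CONF") vs $(finding_count "$HARDENED_CONF")"
```

To audit a live server, pass the real file instead of a sample: `audit_vsftpd "$(cat /etc/vsftpd.conf)"`. Note that vsftpd applies its built-in default when a directive is absent, which is why the audit treats a missing anonymous_enable as YES rather than as safe.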
Best practices for mitigating FTP server abuse and attacks:
- Use strong passwords and multifactor authentication. A best practice is to use good credential management and strong passwords. When possible, use two-factor authentication for any critical service or server.
- Implement file and folder security, making sure that users have access to only the files they are entitled to access.
- Use encryption at rest – that is, encrypt all files stored on the FTP server.
- Lock down administration accounts. You should restrict administrator privileges to a limited number of users and require them to use multifactor authentication. In addition, do not use common administrator usernames such as root or admin.
- Keep the FTPS or SFTP server software up-to-date.
- Use the U.S. government's FIPS 140-2 validated encryption ciphers as general guidance on which encryption algorithms to use.
- Keep any back-end databases on a different server than the FTP server.
- Require re-authentication of inactive sessions.