# FTP

## Enumeration

The `Nmap` default scripts (`-sC`) include the [ftp-anon](https://nmap.org/nsedoc/scripts/ftp-anon.html) script, which checks whether an FTP server allows anonymous logins.

## **Anonymous Authentication**

<pre class="language-shell-session"><code class="lang-shell-session"><strong>$ ftp &#x3C;IP>
</strong>
Connected to 192.168.2.142.
220 (vsFTPd 2.3.4)
Name (192.168.2.142:kali): anonymous
</code></pre>

At the password prompt, enter an empty password.

## Protocol-Specific Attacks

### Bruteforcing

There are many different tools to perform a brute-forcing attack. Let us explore one of them, [Medusa](https://github.com/jmk-foofus/medusa).

With `Medusa`, we can use the option `-u` to specify a single user to target, or the option `-U` to provide a file with a list of usernames.

The option `-P` is for a file containing a list of passwords.

We use the option `-M` with the protocol we are targeting (FTP) and the option `-h` for the target hostname or IP address.

```bash
medusa -u fiona -P /usr/share/wordlists/rockyou.txt -h 10.129.203.7 -M ftp
```

{% hint style="info" %}
Although we may find services vulnerable to brute force, most applications today prevent these types of attacks. A more effective method is Password Spraying.
{% endhint %}

### **FTP Bounce Attack**

An FTP bounce attack is a network attack that uses FTP servers to deliver outbound traffic to another device on the network. The attacker uses a `PORT` command to trick the FTP connection into running commands and getting information from a device other than the intended server.

<figure><img src="https://251353229-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIo1z7P4Rl2BT9EibHkhc%2Fuploads%2FpKiAzimh2OAGesKBsJ2d%2Fftp_bounce_attack-1.webp?alt=media&#x26;token=48b9956b-bfe8-401e-9e45-550b3bae44af" alt=""><figcaption></figcaption></figure>

The `Nmap` `-b` flag can be used to perform an FTP bounce attack:

```bash
nmap -Pn -v -n -p80 -b anonymous:password@<FTP_IP> <INTERNAL_IP>
```

Modern FTP servers include protections that prevent this type of attack by default, but if these features are misconfigured, the server can become vulnerable to an FTP bounce attack.
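
The defensive side of the same mechanism, as an added example that is not part of the original page: the check below parses the argument of a `PORT` command and flags requests that point the data connection at a host other than the control-connection peer, or at a port below 1024. The function names, the two rules chosen, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# PORT argument per RFC 959: h1,h2,h3,h4,p1,p2 (six decimal octets)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(line):
    """Return (ip, port) from an FTP PORT command line, or None if it is not one."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {line!r}")
    ip = ipaddress.IPv4Address(".".join(map(str, octets[:4])))
    return ip, octets[4] * 256 + octets[5]  # port = p1 * 256 + p2


def bounce_findings(client_ip, line):
    """Reasons to refuse or alert on a PORT command (empty list means none)."""
    try:
        parsed = parse_port(line)
    except ValueError:
        return ["malformed PORT argument"]
    if parsed is None:
        return []
    ip, port = parsed
    findings = []
    if ip != ipaddress.IPv4Address(client_ip):
        findings.append(f"third-party data address {ip} (control peer is {client_ip})")
    if port < 1024:
        findings.append(f"privileged data port {port}")
    return findings


# Constructed sample: (control-connection peer, command received), not real traffic.
SAMPLE = [
    ("198.51.100.7", "USER anonymous"),
    ("198.51.100.7", "PORT 198,51,100,7,195,80"),  # own address, port 50000
    ("198.51.100.7", "PORT 10,0,0,5,0,80"),        # other host, port 80
    ("198.51.100.7", "PORT 198,51,100,7,0,22"),    # own address, port 22
]

if __name__ == "__main__":
    for peer, cmd in SAMPLE:
        for finding in bounce_findings(peer, cmd):
            print(f"{peer} {cmd!r}: {finding}")
```

The same two conditions can be applied to FTP server command logs or to decoded control-channel traffic from a network sensor.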
