Introduction
Welcome to this hands-on lab on network enumeration and file transfer protocol exploitation. In the field of cybersecurity, the first step to assessing a system's security is understanding what services it exposes to the network. This process is called enumeration.
In this lab, you will simulate the initial phases of a penetration test. You will start by confirming connectivity to a target machine. Then, you will use nmap, a powerful network scanning tool, to discover open ports and identify running services. Finally, you will exploit a misconfigured FTP service that allows anonymous access to retrieve a hidden flag. This exercise will provide you with fundamental skills in network reconnaissance and exploitation.
Upon completion, you will understand how to:
- Verify network connectivity using ping.
- Scan for open ports and services using nmap.
- Connect to an FTP service with anonymous access.
- Exploit a common misconfiguration to access files.
Let's begin.
Verify Connectivity to Target with Ping
In this step, you will begin the reconnaissance phase by verifying connectivity to the target system. The ping command is a fundamental network utility used to test if a host is reachable on an IP network. It sends ICMP Echo Request packets to the target and waits for ICMP Echo Reply packets.
Your environment has been pre-configured with a target system accessible via the hostname target.
Run the following command in the terminal to send four packets to the target and confirm it is online:
ping -c 4 target
You should see output similar to the following, indicating that the target is responding and the connection is stable. The exact IP address and time values may vary.
PING target (172.17.0.2) 56(84) bytes of data.
64 bytes from target (172.17.0.2): icmp_seq=1 ttl=64 time=0.086 ms
64 bytes from target (172.17.0.2): icmp_seq=2 ttl=64 time=0.064 ms
64 bytes from target (172.17.0.2): icmp_seq=3 ttl=64 time=0.063 ms
64 bytes from target (172.17.0.2): icmp_seq=4 ttl=64 time=0.064 ms
--- target ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3069ms
rtt min/avg/max/mdev = 0.063/0.069/0.086/0.010 ms
Once you see the successful replies, you can be confident that your machine can communicate with the target.
Scan Open Ports with Nmap
In this step, you will use nmap to perform a port scan on the target. Nmap (Network Mapper) is an essential tool for network discovery and security auditing. By scanning for open ports, you can identify which services are running on the target, which is a crucial step in finding potential vulnerabilities.
Execute the following command in your terminal to scan for open ports and detect service versions:
nmap -sV target
Nmap will now scan the target machine with version detection enabled. After a few moments, it will display a report of its findings. The output should look similar to this:
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-15 10:00 CST
Nmap scan report for target (172.17.0.2)
Host is up (0.00011s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
Observe the output carefully. Nmap has found that port 21/tcp is open and is running the ftp service with version vsftpd 3.0.5. This is our entry point for the next step.
Connect to Target via FTP
In this step, you will attempt to connect to the open FTP port you discovered. FTP (File Transfer Protocol) is a standard communication protocol used to transfer computer files between a server and a client. Its main vulnerability is that it can be misconfigured to allow anonymous access without proper authentication, and that is the misconfiguration we will exploit here.
Run the ftp command to connect to the target:
ftp target
You will be connected to the FTP service and prompted for a username.
Connected to target.
220 (vsFTPd 3.0.5)
Name (target:labex):
The system is asking for a login. A common misconfiguration in FTP services allows anonymous access. Type anonymous at the login prompt and press Enter. Since the service is configured to allow anonymous access without a password, you can press Enter again when prompted for a password.
Name (target:labex): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
If successful, you will be logged in and presented with an FTP prompt (ftp>). This indicates you have gained access to the FTP service.
ftp>
You are now connected to the FTP service and can interact with the remote filesystem.
Explore Target System and Locate Flag
In this step, having successfully gained access to the FTP service, your final task is to explore the available files and download the flag. This simulates the post-exploitation phase where an attacker looks for sensitive information.
You are currently connected to the FTP service. Use the ls command to list the files and directories in the current remote location.
ftp> ls
You should see a list of files. Look for a file named flag.txt.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 42 Sep 15 11:30 flag.txt
226 Directory send OK.
ftp>
Now that you've located the file, use the get command to download it to your local machine. This will transfer the file from the remote server to your current local directory.
ftp> get flag.txt
The file will be downloaded and you should see transfer status messages.
ftp> get flag.txt
local: flag.txt remote: flag.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for flag.txt (42 bytes).
226 Transfer complete.
42 bytes received in 0.00 secs (17.6 kB/s)
ftp>
Now exit the FTP session and view the downloaded file contents.
ftp> exit
Use the cat command to display the contents of the downloaded flag.txt file.
cat flag.txt
The terminal will display the flag value.
labex{d3adb33f_p0rt_sc4nn1ng_m4st3ry}
Congratulations! You have successfully enumerated, accessed, and retrieved the flag from the target system. Copy the flag value to complete the lab.
Summary
In this lab, you completed a basic penetration testing workflow from reconnaissance to gaining access. You learned how to:
- Use ping to confirm a target is online and reachable.
- Employ nmap -sV to perform a port scan, identifying open ports and the services running on them.
- Identify and connect to a misconfigured FTP service with anonymous access.
- Exploit a common misconfiguration to gain access to files on a remote system.
- Use FTP commands to list and download files from the remote server.
This exercise highlights the importance of network security fundamentals. FTP services should be properly configured with authentication and access controls. Anonymous access should be disabled unless specifically required, and all file transfer services should use secure protocols like SFTP or FTPS. By understanding how attackers operate, you are better equipped to defend your own systems.
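The anonymous login in the FTP step and the hardening advice above both come down to a handful of vsftpd.conf settings. The following is an added example, not part of the original lab: a shell function that audits a vsftpd.conf for those settings, run against two constructed sample configs. The function name, file names and severity labels are assumptions of this example.

```shell
#!/bin/sh
# Audit a vsftpd.conf for the settings behind the anonymous-login finding.
# Prints one finding per line; prints nothing for a clean config.
audit_vsftpd_conf() {
    awk -F= '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            key = $1; val = toupper($2)
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            conf[key] = val                      # in this script a later line overrides an earlier one
        }
        END {
            anon = ("anonymous_enable" in conf) ? conf["anonymous_enable"] : "UNSET"
            if (anon == "YES")
                print "HIGH anonymous_enable=YES: anonymous logins are accepted"
            else if (anon == "UNSET")
                print "WARN anonymous_enable is not set: set it to NO explicitly"
            if (anon != "NO" && conf["no_anon_password"] == "YES")
                print "HIGH no_anon_password=YES: anonymous users are not even asked for a password"
            if (anon != "NO" && conf["write_enable"] == "YES" && conf["anon_upload_enable"] == "YES")
                print "HIGH anon_upload_enable=YES: anonymous users can upload files"
            if (conf["ssl_enable"] != "YES")
                print "MEDIUM ssl_enable is not YES: logins and files cross the network in cleartext"
        }
    ' "$1"
}

# Constructed sample configs for the demonstration (not the lab target's real file).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak.conf" <<'EOF'
# anonymous FTP left on, no TLS
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=NO
EOF
cat > "$tmp/hardened.conf" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
EOF

for f in weak hardened; do
    echo "== $f.conf"
    audit_vsftpd_conf "$tmp/$f.conf"
done
```

On a real server, point the function at the vsftpd.conf the running service actually loads; the config path varies by distribution.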



