Port: UDP 69
TFTP (Trivial File Transfer Protocol) is a simple file transfer protocol with no authentication. Often used for network device configs, PXE boot, etc.
```bash
# UDP scan
nmap -sU -p 69 $ip
# Service version
nmap -sU -p 69 -sV $ip
```

```bash
# Enumerate common files (default wordlist)
nmap -sU -p 69 --script=tftp-enum $ip
```

Output:

```
69/udp open tftp
| tftp-enum:
|_ ciscortr.cfg
```

```bash
# Version detection via NSE script
nmap -sU -p 69 --script=tftp-version $ip
```

```bash
# Enumerate with a custom wordlist
nmap -sU -p 69 --script=tftp-enum --script-args tftp-enum.filelist=/path/to/wordlist.txt $ip
```

```
# Network devices
ciscortr.cfg
running-config
startup-config
router.cfg
switch.cfg
# Boot files
pxelinux.0
pxelinux.cfg/default
boot.cfg
# Other
test.txt
config.txt
backup.cfg
```
```bash
# Connect and get file
tftp $ip -c get filename.cfg
# Interactive mode
tftp $ip
tftp> get ciscortr.cfg
tftp> quit
```

```bash
# Read request (opcode 01)
echo -e "\x00\x01filename\x00octet\x00" | nc -u $ip 69
# Test with timeout
timeout 2 bash -c "echo -e '\x00\x01test.txt\x00octet\x00' | nc -u $ip 69" | xxd
```

| Opcode | Operation |
|---|---|
| 01 | Read Request (RRQ) |
| 02 | Write Request (WRQ) |
| 03 | Data |
| 04 | Acknowledgment |
| 05 | Error |
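
The opcode table above maps directly onto the first two bytes of every TFTP packet. As an added example (not part of the original page), this Python parser decodes those packets and flags write requests and reads of config-like filenames in captured traffic; the `SENSITIVE` watchlist, the function names and the sample payloads are constructed for illustration.

```python
# Opcodes from the table above (RFC 1350).
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
# Constructed watchlist: name fragments that suggest device configs or boot files.
SENSITIVE = (".cfg", "config", "pxelinux")

def parse_tftp(payload: bytes) -> dict:
    """Decode one TFTP packet (the UDP payload) into a dict."""
    opcode = int.from_bytes(payload[:2], "big")
    if len(payload) < 4 or opcode not in OPCODES:
        raise ValueError(f"not TFTP: opcode {opcode}, {len(payload)} bytes")
    name, body = OPCODES[opcode], payload[2:]
    if name in ("RRQ", "WRQ"):
        # Layout: filename NUL mode NUL, then optional RFC 2347 options.
        fields = body.split(b"\x00")
        if len(fields) < 3 or not fields[0] or not fields[1]:
            raise ValueError("request lacks NUL-terminated filename and mode")
        return {"op": name, "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    number = int.from_bytes(body[:2], "big")  # block number or error code
    if name == "DATA":
        return {"op": name, "block": number, "length": len(body) - 2}
    if name == "ACK":
        return {"op": name, "block": number}
    message = body[2:].split(b"\x00")[0].decode("ascii", "replace")
    return {"op": name, "code": number, "message": message}

def alert(payload: bytes):
    """Return a reason string when a packet deserves analyst attention, else None."""
    try:
        pkt = parse_tftp(payload)
    except ValueError as exc:
        return f"malformed: {exc}"
    if pkt["op"] == "WRQ":
        return f"write request for {pkt['filename']}"
    if pkt["op"] == "RRQ" and any(s in pkt["filename"].lower() for s in SENSITIVE):
        return f"read of sensitive file {pkt['filename']}"
    return None

# Constructed sample payloads (UDP payloads from a TFTP exchange).
SAMPLES = [
    b"\x00\x01ciscortr.cfg\x00octet\x00",      # RRQ for a device config
    b"\x00\x02shell.php\x00octet\x00",         # WRQ
    b"\x00\x01readme.txt\x00netascii\x00",     # benign RRQ
    b"\x00\x05\x00\x01File not found\x00",     # ERROR reply
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", alert(sample))
```

Only the initial RRQ/WRQ is sent to UDP 69; the transfer then continues from an ephemeral server port, so detection rules should key on the request packet.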
```bash
# Upload file
tftp $ip -c put localfile.txt remotefile.txt
# Interactive
tftp $ip
tftp> put shell.php
```

If TFTP is writable and serves web directory:
- Upload webshell
- Access via HTTP
```
# TFTP enumeration
use auxiliary/scanner/tftp/tftpbrute
set RHOSTS $ip
run
```

```
# TFTP server (for exfil)
use auxiliary/server/tftp
set TFTPROOT /tmp
run
```

Network device configs often contain:
- Usernames/passwords (sometimes plaintext or Type 7)
- SNMP community strings
- VPN pre-shared keys
- Network topology info
- Domain names/hostnames
See Hashcat - Network Device Hashes for Cisco Type 5/7/8/9 cracking.
| Software | Notes |
|---|---|
| atftpd | Linux, common |
| tftpd-hpa | Linux |
| Netkit tftpd | Linux |
| SolarWinds TFTP | Windows |
| Cisco TFTP | Network devices |