
FTP Enumeration - Anonymous account + Files & Directories exposed 

TECHNICAL

Overview

This scenario lets you quickly identify FTP servers that allow anonymous access.

This scenario simulates a reconnaissance technique used to identify FTP servers that allow anonymous login and expose sensitive files or directories without authentication. Anonymous FTP access is a legacy feature that permits users to log in using a generic “anonymous” or “ftp” account, often without a password or using a placeholder like an email address. While intended for public file sharing, this configuration can inadvertently expose critical or sensitive information when not properly managed.

The scenario attempts to connect to FTP services across the target network using anonymous credentials. If successful, it lists accessible directories and enumerates files to assess the level of exposure. Many threat actors use this method early in the attack chain to gather publicly available information (e.g., system configs, backup files, application code, credentials) before launching more targeted attacks. This test provides organizations with visibility into weak FTP configurations, especially in legacy or mismanaged environments, and supports efforts to decommission insecure services or tighten access controls.
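The check the scenario performs, written out as a self-audit helper for your own FTP hosts (example code added here, not part of the scenario or of OpenBAS): it attempts the anonymous login that ftplib sends by default, reads only the top-level listing, and groups the names by the exposure classes the description mentions (credentials, backups, configs, application code). The host names, filename patterns and timeout are assumptions for illustration.

```python
"""Added self-audit helper (not part of the scenario): try an anonymous login
on one of our own FTP hosts, read the top-level listing, and group the names
by the kind of exposure the scenario description mentions. Host names,
patterns and the timeout are assumptions for illustration."""
import re
import sys
from ftplib import FTP, error_perm

# Heuristic filename patterns for the exposure classes named in the scenario
# (credentials, backups, configs, application code). First match wins.
# These are constructed examples; extend them for your environment.
SENSITIVE_PATTERNS = [
    ("credential", re.compile(r"(^\.env$|id_rsa|\.htpasswd|\.pem$|\.key$|passw|secret|credential)", re.I)),
    ("backup",     re.compile(r"(backup|\.bak$|\.old$|\.tar\.gz$|\.tgz$|\.zip$|\.sql$|\.dump$)", re.I)),
    ("config",     re.compile(r"\.(conf|cfg|ini|yaml|yml|xml|config)$", re.I)),
    ("source",     re.compile(r"\.(py|php|js|java|rb|go|cs)$", re.I)),
]
CATEGORIES = [name for name, _ in SENSITIVE_PATTERNS] + ["other"]


def classify_names(names):
    """Group directory entries by exposure class, keeping input order."""
    groups = {cat: [] for cat in CATEGORIES}
    for name in names:
        base = name.rstrip("/").rsplit("/", 1)[-1]   # classify on the basename
        for cat, pattern in SENSITIVE_PATTERNS:
            if pattern.search(base):
                groups[cat].append(name)
                break
        else:
            groups["other"].append(name)
    return groups


def check_anonymous(host, port=21, timeout=5.0):
    """Attempt an anonymous login and read only the top-level listing.
    Nothing is downloaded or written; the result dict records the outcome."""
    result = {"host": host, "reachable": False, "anonymous": False,
              "banner": "", "entries": [], "by_category": {}}
    ftp = FTP()
    try:
        result["banner"] = ftp.connect(host, port, timeout=timeout)
        result["reachable"] = True
        ftp.login()                 # ftplib default: user "anonymous", password "anonymous@"
        result["anonymous"] = True
        try:
            result["entries"] = ftp.nlst()
        except error_perm:          # some servers answer 550 for an empty directory
            result["entries"] = []
        result["by_category"] = classify_names(result["entries"])
    except error_perm:
        pass                        # login refused: anonymous access is disabled (the desired state)
    except (OSError, EOFError):
        pass                        # unreachable, timed out, or connection dropped
    finally:
        try:
            ftp.quit()
        except Exception:
            pass
    return result


def exposure_summary(result):
    """One-line verdict suitable for a findings report."""
    if not result["reachable"]:
        return f'{result["host"]}: unreachable'
    if not result["anonymous"]:
        return f'{result["host"]}: anonymous login refused'
    counts = {cat: len(v) for cat, v in result["by_category"].items() if v and cat != "other"}
    return f'{result["host"]}: ANONYMOUS ACCESS, {len(result["entries"])} entries, sensitive: {counts or "none"}'


if __name__ == "__main__":
    # Usage: python ftp_anon_audit.py ftp.example.internal [more hosts...]
    for host in sys.argv[1:]:
        print(exposure_summary(check_anonymous(host)))
```

Run it against an inventory of hosts you own; a refused login is the expected result, and any host reported with anonymous access belongs on the mitigation list below. The classifier is deliberately conservative: it only reads names returned by NLST and never retrieves a file.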

Objective:

  • Detect FTP servers that allow unauthenticated (anonymous) access.
  • Identify files and directories exposed to anonymous users.
  • Help prevent data leakage, misconfiguration, or unintentional file disclosure.

Use Case:

  • Network reconnaissance and attack surface reduction.
  • Legacy system audits and infrastructure hygiene.
  • Purple team simulations for data exposure detection.
  • Enhancing detection rules for unusual FTP activity in SIEM platforms.

Tactics & Techniques:

  • Tactic: Discovery / Collection (MITRE ATT&CK: TA0007 / TA0009)
  • Technique: File and Directory Discovery – [T1083]
  • Technique: Exploit Public-Facing Application – [T1190] (in post-exploitation contexts)

Impact:

This scenario is non-intrusive and does not modify or exfiltrate any files. It solely connects using anonymous credentials and reads directory listings and filenames. However, it may generate FTP log entries or alerts on intrusion detection systems, especially those configured to flag anonymous logins or directory traversal.

Detection Tips:

Security teams can monitor for:

  • FTP logins from external or internal sources using anonymous or ftp usernames.
  • Directory listings (LIST, NLST) or file downloads by unauthenticated users.
  • Unusual access patterns or automated enumeration behavior.
Consider integrating FTP logs into SIEM tools and applying behavioral rules to detect bulk listing or file access attempts from unauthorized users.

Recommended Mitigations:

  • Disable anonymous access on all FTP servers unless explicitly required.
  • Enforce strong authentication and use FTPS or SFTP instead of plain FTP.
  • Apply strict file and directory permissions for all public or shared folders.
  • Monitor FTP logs regularly for unauthorized access or misconfigurations.
  • Decommission legacy FTP services in favor of modern, secure alternatives.
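The detection tips above, turned into a small rule set (example code added here, not part of the scenario): it reads vsftpd-style log lines and flags anonymous logins, bulk directory listings (LIST/NLST) by an anonymous client, and downloads performed under an anonymous account. The log excerpt is constructed and only approximates the vsftpd.log format, and the listing threshold is an assumption to tune for your environment.

```python
"""Added detection example (not part of the scenario): scan vsftpd-style log
lines for anonymous logins, bulk directory listings and downloads by
unauthenticated users. The log excerpt is constructed and only approximates
the vsftpd.log format; the threshold is an assumption to tune locally."""
import re
from collections import defaultdict

ANON_USERS = {"ftp", "anonymous"}
BULK_LIST_THRESHOLD = 5          # assumption: listings per anonymous client before alerting

LINE_RE = re.compile(r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] '
                     r'(?:\[(?P<user>[^\]]+)\] )?(?P<msg>.*)$')
LOGIN_RE = re.compile(r'OK LOGIN: Client "(?P<ip>[^"]+)"')
CMD_RE = re.compile(r'FTP command: Client "(?P<ip>[^"]+)", "(?P<cmd>[A-Z]+)')
DL_RE = re.compile(r'OK DOWNLOAD: Client "(?P<ip>[^"]+)", "(?P<path>[^"]+)"')

# Constructed sample in a vsftpd-like format: one scanner-style anonymous
# session, one authenticated user, and one lone anonymous login.
SAMPLE_LOG = """\
Wed Jul 16 09:58:10 2025 [pid 2031] CONNECT: Client "10.20.30.40"
Wed Jul 16 09:58:10 2025 [pid 2030] [ftp] OK LOGIN: Client "10.20.30.40", anon password "scan@example.invalid"
Wed Jul 16 09:58:11 2025 [pid 2032] [ftp] FTP command: Client "10.20.30.40", "LIST"
Wed Jul 16 09:58:11 2025 [pid 2032] [ftp] FTP command: Client "10.20.30.40", "NLST"
Wed Jul 16 09:58:12 2025 [pid 2032] [ftp] FTP command: Client "10.20.30.40", "CWD pub"
Wed Jul 16 09:58:12 2025 [pid 2032] [ftp] FTP command: Client "10.20.30.40", "LIST"
Wed Jul 16 09:58:13 2025 [pid 2032] [ftp] FTP command: Client "10.20.30.40", "CWD backup"
Wed Jul 16 09:58:13 2025 [pid 2032] [ftp] FTP command: Client "10.20.30.40", "LIST"
Wed Jul 16 09:58:14 2025 [pid 2032] [ftp] FTP command: Client "10.20.30.40", "NLST"
Wed Jul 16 09:58:15 2025 [pid 2032] [ftp] OK DOWNLOAD: Client "10.20.30.40", "/pub/backup/site.bak", 2048 bytes, 10.00Kbyte/sec
Wed Jul 16 10:05:00 2025 [pid 2040] [alice] OK LOGIN: Client "10.20.30.41"
Wed Jul 16 10:05:01 2025 [pid 2041] [alice] FTP command: Client "10.20.30.41", "LIST"
Wed Jul 16 10:06:00 2025 [pid 2050] [ftp] OK LOGIN: Client "10.20.30.42", anon password "guest@"
Wed Jul 16 10:06:01 2025 [pid 2051] [ftp] FTP command: Client "10.20.30.42", "LIST"
"""


def parse_events(text):
    """Yield (ip, user, kind, detail) for login, listing and download lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, msg = m.group("user"), m.group("msg")
        if (lm := LOGIN_RE.search(msg)):
            yield lm.group("ip"), user, "login", ""
        elif (cm := CMD_RE.search(msg)) and cm.group("cmd") in ("LIST", "NLST"):
            yield cm.group("ip"), user, "listing", cm.group("cmd")
        elif (dm := DL_RE.search(msg)):
            yield dm.group("ip"), user, "download", dm.group("path")


def summarize_anonymous(text):
    """Per-client counters for activity performed under an anonymous account."""
    stats = defaultdict(lambda: {"logins": 0, "listings": 0, "downloads": []})
    for ip, user, kind, detail in parse_events(text):
        if user not in ANON_USERS:
            continue                           # authenticated users are out of scope here
        if kind == "login":
            stats[ip]["logins"] += 1
        elif kind == "listing":
            stats[ip]["listings"] += 1
        else:
            stats[ip]["downloads"].append(detail)
    return dict(stats)


def findings(text, threshold=BULK_LIST_THRESHOLD):
    """Return (client_ip, finding) pairs, one per triggered rule."""
    out = []
    for ip, s in sorted(summarize_anonymous(text).items()):
        if s["logins"]:
            out.append((ip, "anonymous_login"))
        if s["listings"] >= threshold:
            out.append((ip, "bulk_enumeration"))
        if s["downloads"]:
            out.append((ip, "anonymous_download"))
    return out


if __name__ == "__main__":
    for ip, rule in findings(SAMPLE_LOG):
        print(f"{ip}\t{rule}")
```

The three rules map onto the bullets above: "anonymous_login" is the baseline signal, "bulk_enumeration" catches the rapid LIST/NLST pattern a scanner produces, and "anonymous_download" separates pure listing from actual file retrieval. Feeding real logs requires vsftpd's `log_ftp_protocol` setting for the command lines; without it only the LOGIN and DOWNLOAD records are available, and the bulk rule will not fire.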

References:

  • OWASP FTP Security Guidelines
  • CIS Controls: Secure Configuration of Network Services
  • NIST SP 800-123: Guide to General Server Security

Basic Information

Filigran
Sébastien Miguel
July 17, 2025
1.17.0