TFTP 69

TFTP Scanning and Enumeration - Port 69

TFTP (Trivial File Transfer Protocol) is a simple protocol used for transferring files, typically in a local area network (LAN). It's often used for tasks like network booting and transferring configuration files.

TFTP Overview:

• Default Port: 69

• Protocol: TFTP is a simplified version of FTP and is often used to transfer files in a minimal way, lacking authentication and encryption. It operates over UDP and is usually restricted to small file transfers.

Enumeration Techniques:

1. Banner Grabbing:

   • Use nc (Netcat) or nmap to check if a banner is available on the TFTP server. Example:

     nc -vn <IP> 69
     nmap -sU -p69 -sV <IP>  # Checking for TFTP version and banner

2. Basic File Enumeration:

   • Attempt to list or retrieve files from the TFTP server. Example:

     tftp <IP>
     tftp> get <filename>  # Attempt to get a specific file
     tftp> put <filename>  # Attempt to upload a file (if allowed)

3. TFTP Brute Force:

   • Use tools like tftp-hacker to brute force the names of files or directories on the server. Example:

     tftp-hacker -t <IP> -f <filelist.txt>

4. Automated Checks with Nmap:

   • Use nmap scripts to perform TFTP enumeration, check for TFTP services, and attempt file retrieval. Example:

     nmap --script tftp-* -p 69 <IP>

5. Anonymous File Retrieval:

   • TFTP typically doesn't require authentication. You can try retrieving various files from the server. Example:

     tftp <IP>
     tftp> get /etc/passwd  # Try retrieving a common system file
     tftp> get <filename>   # Try retrieving any known filename

6. TFTP Vulnerability Scanning:

   • Some TFTP servers are vulnerable to buffer overflow or misconfiguration issues. Check for these vulnerabilities using automated tools like nmap or Metasploit. Example with Nmap:

     sudo nmap -sU -p 69 --script=tftp-vuln -A <IP>

7. Check for Misconfigured TFTP Servers:

   • Misconfigured TFTP servers can allow clients to download sensitive files, including system files or configuration files. Example:

     tftp <IP>
     tftp> get /var/backups/config  # Retrieve backup or configuration files

8. TFTP Brute Forcing Configuration Files:

   • Some devices may have TFTP configured to serve firmware or configuration files. You can attempt to retrieve or upload configuration files using brute-forcing techniques. Example:

     tftp <IP>
     tftp> get /<device>/config.cfg  # Retrieve a potential device configuration file

9. TFTP and OS Fingerprinting:

   • If TFTP is used for network booting, you may be able to fingerprint the operating system by attempting to fetch boot files like pxelinux.0 or grub.cfg. Example:

     tftp <IP>
     tftp> get pxelinux.0

10. Automated File Download:

    • Use wget to download files from the TFTP server recursively. Example:

      wget -r ftp://<IP>   # Download all files recursively from TFTP server

Useful Tools for Scanning:

• Nmap: For service discovery, script scanning, and TFTP vulnerability checks.

• TFTP-hacker: For brute forcing filenames and attempting file transfers.

• tftp: The built-in tool for interacting with TFTP servers.

• Metasploit: For TFTP-based exploits and vulnerabilities.