TFTP 69

TFTP Scanning and Enumeration - Port 69

TFTP (Trivial File Transfer Protocol) is a simple protocol used for transferring files, typically in a local area network (LAN). It's often used for tasks like network booting and transferring configuration files.

TFTP Overview:

  • Default Port: 69

  • Protocol: TFTP is a simplified version of FTP and is often used to transfer files in a minimal way, lacking authentication and encryption. It operates over UDP and is usually restricted to small file transfers.

Enumeration Techniques:

  1. Banner Grabbing:

    • Use nc (Netcat) or nmap to check if a banner is available on the TFTP server. Example:

      nc -vnu <IP> 69         # -u is required: TFTP listens on UDP, not TCP
      nmap -sU -p69 -sV <IP>  # Checking for TFTP version and banner
  2. Basic File Enumeration:

    • Attempt to list or retrieve files from the TFTP server. Example:

      tftp <IP>
      tftp> get <filename>  # Attempt to get a specific file
      tftp> put <filename>  # Attempt to upload a file (if allowed)
  3. TFTP Brute Force:

    • Use tools like tftp-hacker to brute force the names of files or directories on the server. Example:

      tftp-hacker -t <IP> -f <filelist.txt>
  4. Automated Checks with Nmap:

    • Use nmap scripts to perform TFTP enumeration, check for TFTP services, and attempt file retrieval. Example:

      nmap -sU -p 69 --script "tftp-*" <IP>  # -sU: scan UDP; quote the glob so the shell does not expand it
  5. Anonymous File Retrieval:

    • TFTP typically doesn't require authentication. You can try retrieving various files from the server. Example:

      tftp <IP>
      tftp> get /etc/passwd  # Try retrieving a common system file
      tftp> get <filename>   # Try retrieving any known filename
  6. TFTP Vulnerability Scanning:

    • Some TFTP servers are vulnerable to buffer overflow or misconfiguration issues. Check for these vulnerabilities using automated tools like nmap or Metasploit. Example with Nmap:

      sudo nmap -sU -p 69 --script=tftp-vuln -A <IP>
  7. Check for Misconfigured TFTP Servers:

    • Misconfigured TFTP servers can allow clients to download sensitive files, including system files or configuration files. Example:

      tftp <IP>
      tftp> get /var/backups/config  # Retrieve backup or configuration files
  8. TFTP Brute Forcing Configuration Files:

    • Some devices may have TFTP configured to serve firmware or configuration files. You can attempt to retrieve or upload configuration files using brute-forcing techniques. Example:

      tftp <IP>
      tftp> get /<device>/config.cfg  # Retrieve a potential device configuration file
  9. TFTP and OS Fingerprinting:

    • If TFTP is used for network booting, you may be able to fingerprint the operating system by attempting to fetch boot files like pxelinux.0 or grub.cfg. Example:

      tftp <IP>
      tftp> get pxelinux.0
  10. Automated File Download:

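    • Use curl to download a named file from the TFTP server non-interactively. wget does not support TFTP, and the protocol has no directory listing, so a recursive download is not possible. Example:

      curl -o <filename> tftp://<IP>/<filename>   # Download one named file from the TFTP server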
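
Detection of the techniques listed above (filename guessing, requests for paths such as /etc/passwd, and upload attempts), as an added example that is not part of the original page: it parses captured TFTP payloads per RFC 1350 and flags those patterns. The addresses, filenames, finding labels and the threshold of 3 are assumptions made for the example.

```python
import struct
from collections import defaultdict

RRQ, WRQ, ERROR = 1, 2, 5  # TFTP opcodes (RFC 1350)

def parse_tftp(payload):
    """Decode one TFTP UDP payload into a dict, or None if malformed."""
    if len(payload) < 4:
        return None
    op = struct.unpack("!H", payload[:2])[0]
    if op in (RRQ, WRQ):  # layout: opcode | filename | 0 | mode | 0
        name = payload[2:].split(b"\x00")[0].replace(b"\\", b"/")
        return {"op": op, "file": name.decode("ascii", "replace")} if name else None
    if op == ERROR:  # layout: opcode | error code | message | 0
        return {"op": op, "code": struct.unpack("!H", payload[2:4])[0]}
    return {"op": op}

def detect(packets, threshold=3):
    """packets: (src_ip, dst_ip, udp_payload) tuples. Returns sorted (client, finding)."""
    findings, names, denied = set(), defaultdict(set), defaultdict(int)
    for src, dst, payload in packets:
        pkt = parse_tftp(payload)
        if pkt is None:
            continue
        if pkt["op"] in (RRQ, WRQ):
            names[src].add(pkt["file"])
            if pkt["op"] == WRQ:
                findings.add((src, "write-request"))
            if pkt["file"].startswith("/") or ".." in pkt["file"].split("/"):
                findings.add((src, "absolute-or-traversal-path"))
        elif pkt["op"] == ERROR and pkt["code"] in (1, 2):
            denied[dst] += 1  # 1 = file not found, 2 = access violation
    for client, count in denied.items():
        if count >= threshold and len(names[client]) >= threshold:
            findings.add((client, "filename-guessing"))
    return sorted(findings)

# Constructed sample traffic: addresses and filenames are made up for the example.
def make_request(op, name):
    return struct.pack("!H", op) + name.encode() + b"\x00octet\x00"

def make_error(code):
    return struct.pack("!HH", ERROR, code) + b"denied\x00"

SRV, PXE, SCAN = "10.0.0.2", "10.0.0.77", "10.0.0.50"
SAMPLE = [(PXE, SRV, make_request(RRQ, "pxelinux.0")),
          (SCAN, SRV, make_request(RRQ, "/etc/passwd")), (SRV, SCAN, make_error(2)),
          (SCAN, SRV, make_request(RRQ, "a.cfg")), (SRV, SCAN, make_error(1)),
          (SCAN, SRV, make_request(WRQ, "c.txt")), (SRV, SCAN, make_error(2))]
```

TFTP servers answer from a new ephemeral port rather than port 69, so capture by server address and not by port alone, or the ERROR replies will be missed.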

Useful Tools for Scanning:

  • Nmap: For service discovery, script scanning, and TFTP vulnerability checks.

  • TFTP-hacker: For brute forcing filenames and attempting file transfers.

  • tftp: The built-in tool for interacting with TFTP servers.

  • Metasploit: For TFTP-based exploits and vulnerabilities.
