
Glossary

Access Control: Security mechanisms that restrict who can access what resources and what they can do. Combines authentication (proving identity), authorization (what you can do), and accounting (logging what was done). Broken Access Control is the top category in the OWASP Top 10 (2021).
FTP access control: read vs write permissions per user per directory
Access Review: A periodic process of verifying that all accounts have appropriate access rights given current role and business need. Best practice: quarterly reviews plus reviews triggered by role changes or terminations. Prevents access accumulation over time.
Question to ask: Does Maintenance_Jill have a documented business need for Finance FTP access?
Active FTP: FTP connection mode where the CLIENT announces (via the PORT command) which address and port the server should connect back to for data transfer. The SERVER initiates the data connection, from its port 20. Largely obsolete because stateful firewalls and NAT block the server's inbound connection attempt.
Client → PORT (ip,port) → Server; Server:20 → SYN → Client:port (blocked by most firewalls)
Anonymous FTP: FTP server configuration allowing login with username 'anonymous' and no real password (by convention the client sends an e-mail address as the PASS argument, which the server never verifies). Originally designed for public software distribution. Completely bypasses authentication: no identity, no accountability, no audit trail. Critical risk on any internal server.
Anonymous login = anyone on the network can access whatever files anonymous has access to
Application Layer: The top layer of the OSI network model where end-user protocols operate. FTP, HTTP, DNS, SMTP, and SSH are application-layer protocols. They define how applications communicate, but rely on lower layers (TCP, IP) for actual packet delivery.
OSI Layer 7 = Application (FTP, HTTP, SSH) | Layer 4 = Transport (TCP, UDP) | Layer 3 = Network (IP)
Audit Trail: A chronological log of system activities: who did what, when, from where. Required for incident response, compliance, and accountability. Anonymous FTP destroys audit trails: entries say 'anonymous' did something, but the real identity is unknown.
Log: 2026-03-10 09:14:22 Finance_Bob RETR /Finance/Q1_report.xlsx from 192.168.2.168
Authentication: Verifying the claimed identity of a user or system before granting access. Methods: something you know (password), something you have (token/smart card), something you are (biometric). Anonymous FTP bypasses authentication entirely, a critical security failure.
FTP auth: USER Finance_Bob → PASS bob (cleartext auth over the control channel)
Blast Radius: The scope of damage possible if a security control fails or an account is compromised. Minimizing blast radius is a core goal of least privilege: an overpermissioned admin account has a much larger blast radius than a read-only analyst account.
Compromised admin: full server control | Compromised read-only analyst: read access only
Cleartext: Data transmitted or stored without encryption, fully readable by anyone who intercepts it. FTP sends everything in cleartext: commands, usernames, passwords, and file contents are all visible in any packet capture. The opposite of encrypted data.
PASS bob: Wireshark shows this as plain text. No decryption needed.
Control Channel: The persistent TCP connection on port 21 used for all FTP commands and server responses. Commands like USER, PASS, CWD, LIST, and RETR all flow through here. Credentials transmitted on this channel are fully visible in cleartext.
Port 21 stays open the entire session | USER Finance_Bob → PASS bob visible here
Credential Stuffing: Automated attack where stolen credentials from one breach are tested against other services. Accounts with simple, reused passwords are immediately compromised. Using 'admin' as a password on multiple systems makes one breach cascade into many.
Data breach leaks Finance_Admin:admin → attacker tries this on every service the company runs
Credential Theft: Stealing authentication credentials (usernames and passwords). FTP's cleartext transmission means credential theft requires only a packet capture, no decryption. Any attacker positioned on the path (a shared network segment, a compromised switch or router, a tap) can harvest FTP credentials in real time.
Wireshark on a shared network segment captures PASS bob — credential stolen with zero effort
Credentials: Authentication information used to prove identity to a system. Typically a username and password, but also tokens, certificates, and API keys. Stolen credentials are among the most common initial access methods in security incidents.
Finance_Bob : bob — a credential pair. 'bob' as a password makes this trivially stealable.
CVSS (Common Vulnerability Scoring System): A standardized 0–10 scale for rating vulnerability severity. Critical: 9.0–10.0 | High: 7.0–8.9 | Medium: 4.0–6.9 | Low: 0.1–3.9. Used in security reports to communicate risk consistently to stakeholders. The base score follows from the metrics chosen (attack vector, attack complexity, privileges required, impact), so always report the vector string next to the number.
FTP cleartext on an internet-facing finance server: rated Critical in this lab's report (the page's working figure is ~9.8; the exact score depends on the vector chosen)
Data Channel: A separate TCP connection used for actual file data and directory listings. Created fresh for each transfer, then closed. In Active mode the server opens it from its port 20 to the client. In Passive mode the client opens it to an ephemeral port the server advertises.
A new data channel opens for each LIST or RETR command, then closes
Data Exfiltration: Unauthorized transfer of data out of a system, typically by an attacker or malicious insider. FTP's cleartext transmission makes exfiltrated data readable to anyone watching the wire. Write access also lets an attacker upload tools or stage stolen data on the server.
mget *.xlsx in a command-line client expands the wildcard and issues one RETR per Excel file the account can read (RETR itself takes a single filename)
Default Credentials: Username/password combinations that are either pre-configured defaults (admin/admin, root/root) or trivially obvious (username = password). Attackers always try these first. The Finance_Admin account using 'admin' is a textbook example.
admin/admin, root/root, admin/password — every attacker tries these automatically
Dictionary Attack: Password attack using a pre-built list of common passwords, words, and patterns. Passwords like 'bob', 'admin', 'password' sit near the top of every wordlist and fall within the first few guesses. Long, random passwords are not in any wordlist, so a dictionary attack does not find them.
Hydra guesses passwords online against the FTP service itself (limited by network round trips and any lockout policy); Hashcat cracks captured password hashes offline, which FTP never even requires because the password crosses the wire in cleartext
Encryption: Converting readable data into an unreadable form using a cryptographic key and algorithm. Only parties with the correct key can decrypt it. Plain FTP has no encryption. SFTP and FTPS encrypt all traffic, including credentials.
FTP: credentials travel as plain text | SFTP: everything runs inside an encrypted SSH session
Ephemeral Port: A temporary, dynamically assigned high-numbered port used for a single connection (IANA reserves 49152–65535 for this; Linux uses 32768–60999 by default). In Passive FTP, the server picks a port from its configured passive range for each data channel. The port is freed when the connection closes.
PASV response assigns port 51322 for this one data transfer — then it's released
File Permissions: Rules defining what actions a user can perform on a resource. Common FTP permissions: read (download files), write (upload/modify files), list (see directory contents), delete. Permissions should be scoped to the minimum required by the user's job function.
Analyst role: read-only /Finance/Reports | khoi (incorrectly): read+write entire server
FileZilla: A free, open-source FTP/SFTP/FTPS client. In this lab, use File > Site Manager > New Site to create a connection. Set Encryption to 'Only use plain FTP (insecure)' (the lab calls this 'FTP - Insecure') to force unencrypted FTP so Wireshark can capture credentials in cleartext.
File → Site Manager → New Site → Encryption: Only use plain FTP (insecure)
Firewall: A security device or software that monitors and controls network traffic based on defined rules. Can be host-based (on the computer) or network-based (at the perimeter). Blocks unauthorized connections while allowing legitimate traffic.
Rule: allow tcp dst-port 22; deny tcp dst-port 21 (blocks FTP, allows SFTP)
FTP (File Transfer Protocol): A network protocol (RFC 959) for transferring files between a client and server over TCP/IP. FTP transmits all data, including usernames and passwords, in cleartext with zero encryption, making it inherently insecure for sensitive data.
Uses port 21 for commands, port 20 (active) or an ephemeral port (passive) for data
FTP Commands: Text commands exchanged over the control channel. KEY COMMANDS: USER (send username), PASS (send password), CWD (change directory), LIST (list files), RETR (download file), STOR (upload file), PASV (request passive mode), PORT (active mode port), QUIT (close session). Every LIST, RETR or STOR must be preceded by its own PASV or PORT.
USER Finance_Bob → PASS bob → CWD /Finance → PASV → LIST → PASV → RETR report.xlsx
FTPS: FTP with TLS/SSL encryption added. Comes in two forms: Explicit FTPS (the client sends AUTH TLS on port 21 and the existing connection is upgraded) and Implicit FTPS (TLS from the first byte, on port 990). Keeps FTP's command structure but wraps it in encryption. Often confused with SFTP, which is an entirely different protocol.
FTPS = FTP + TLS wrapper | SFTP = SSH-based replacement for FTP
Inbound Connection: A TCP connection initiated from an external system toward your host or network. Stateful firewalls block inbound connections that were not first initiated from the inside. Active FTP fails because it requires the server to open an inbound connection to the client.
Active FTP data channel = inbound to client from server = blocked by stateful firewall
Insider Threat: A security risk originating from within the organization: current or former employees, contractors, or business partners misusing their authorized access. Overpermissioned accounts amplify insider threat risk by giving individuals access beyond their legitimate need.
Disgruntled employee with write access to FTP server could delete or exfiltrate all financial data
MFA (Multi-Factor Authentication): Authentication requiring two or more factors: something you know (password), something you have (phone/hardware token), or something you are (biometric). Significantly reduces the risk of compromised passwords: even a stolen password is useless without the second factor. Plain FTP's USER/PASS exchange has no second-factor step, so in practice MFA means moving to SFTP (SSH supports keyboard-interactive MFA) or a managed transfer gateway.
Even if attacker knows 'admin', they cannot log in without the MFA code from the admin's phone
NAT (Network Address Translation): Technique where a router maps many private IP addresses to one public IP. Devices behind NAT cannot receive unsolicited inbound TCP connections. This breaks Active FTP: the server cannot initiate the data connection back to the client.
192.168.x.x (private) → single public IP via router | server cannot reach back through NAT
Overpermissioned Account: An account granted more access rights than required by its role and business need. Violates the principle of least privilege. A compromised overpermissioned account gives an attacker far more capability than if access had been properly scoped.
khoi (low-level analyst) with write access to entire Finance server = overpermissioned
Packet Capture: Recording network packets as they travel across a network interface. Any unencrypted protocol (FTP, Telnet, HTTP) exposes all data in a packet capture, including usernames, passwords, and file contents.
Wireshark saves captures as .pcapng (or .pcap) files | FTP credentials visible in plaintext in every capture
Passive FTP: FTP connection mode where the SERVER advertises an ephemeral port (in its 227 reply to PASV) for the CLIENT to connect to for data transfer. The client initiates both the control and data connections. Default in modern FTP clients because it works through NAT and client-side firewalls.
Client → PASV → Server; Server → 227 (ip,port) → Client; Client → SYN → Server:port
Password Policy: Organizational rules governing password requirements: minimum length, complexity, expiration, reuse restrictions, lockout after failed attempts. A missing or weak policy directly causes findings like those in this lab. Current NIST SP 800-63B guidance favours length and screening against breached-password lists over mandatory complexity rules and scheduled rotation.
Good policy: 12+ chars, no username in password, screened against breached-password lists, lockout or rate limiting after repeated failures, rotation on suspected compromise rather than on a calendar
PCI DSS (Payment Card Industry Data Security Standard): Compliance requirements for organizations handling credit card data. Requirement 4 mandates strong cryptography for cardholder data in transit over open, public networks. Using plaintext FTP to transfer payment data is a direct PCI DSS violation.
PCI DSS Requirement 4 (4.2.1 in v4.0): PAN must be protected with strong cryptography during transmission over open, public networks
Port: A logical endpoint numbered 0–65535 that allows a single IP address to run multiple services at once. Well-known ports below 1024 are standardized by IANA. Port 21 = FTP, Port 22 = SSH/SFTP, Port 80 = HTTP, Port 443 = HTTPS.
tcp.port == 21 filters only FTP control traffic in Wireshark
Principle of Least Privilege: A security principle: every account, process, or system should have only the minimum access rights needed for its function, nothing more. Limits the blast radius of any breach or insider threat. Overpermissioned accounts violate this principle.
Analyst needs read-only access to /Finance/Reports — NOT write access to the entire server
Protocol: A standardized set of rules for how data is formatted, transmitted, and received between systems. Protocols are usually specified in RFCs. FTP, TCP, IP, HTTP, SSH are all protocols at different layers of the network stack.
FTP is an application-layer protocol that sits on top of TCP/IP
RFC (Request for Comments): Documents published by the IETF that define internet standards and protocols. Despite the modest name, RFCs are the authoritative technical specifications. RFC 959 defines FTP. RFC 793 defined TCP (now consolidated in RFC 9293). RFC 5321 defines SMTP.
RFC 959 (1985) = FTP specification | RFC 793 (1981) = original TCP specification, superseded by RFC 9293 (2022)
SFTP (SSH File Transfer Protocol): A completely separate, secure file transfer protocol that runs over SSH on port 22. All traffic, including credentials, is encrypted between client and server. NOT an extension of FTP: an entirely different protocol. The recommended replacement for FTP in most scenarios.
SFTP: all traffic encrypted | FTP: all traffic cleartext → choose SFTP (or FTPS where the FTP command set must be kept)
Stateful Firewall: A firewall that tracks the state of active connections and only allows traffic that is part of an established session. Blocks unsolicited inbound connections, precisely what Active FTP requires. Most modern firewalls are stateful.
Client establishes outbound connection: allowed | Server initiates inbound (Active FTP): blocked
TCP (Transmission Control Protocol): A transport-layer protocol providing reliable, ordered, error-checked delivery between applications. TCP establishes connections via the 3-way handshake before any data transfer. All FTP connections (control and data channels) use TCP.
Every TCP connection: SYN → SYN-ACK → ACK (3-way handshake) then data flows
TCP 3-Way Handshake: The TCP connection establishment process: (1) SYN, client requests connection; (2) SYN-ACK, server acknowledges and responds; (3) ACK, client confirms. Visible in Wireshark as the first three packets of any TCP session.
In Wireshark: look for SYN / SYN-ACK / ACK flags before the 220 FTP banner appears
TCP/IP: The foundational networking protocols of the internet. TCP (Transmission Control Protocol) provides reliable, ordered, error-checked delivery. IP (Internet Protocol) handles addressing and routing. FTP runs over TCP/IP.
FTP uses TCP to guarantee file data arrives completely and in order
Weak Password: A password that is short, common, or easily guessable, trivially found by brute force, dictionary attack, or credential stuffing. 'bob', 'admin', 'password', '123456' sit at the top of every wordlist, so an automated tool tries them within its first handful of guesses.
Finance_Bob password 'bob' — found within the first few guesses of any wordlist attack
Wireshark: The industry-standard free packet analyzer. Captures live network traffic and decodes hundreds of protocols. Lets you filter traffic by port, IP, or protocol. Essential for network troubleshooting and security analysis.
Filter: tcp.port == 21 shows only FTP control channel commands and responses
FTP Security Lab
Introduction to FTP from a cybersecurity perspective

Objectives

  • Recognize FTP ports and the differences between Active and Passive modes
  • Gain hands-on familiarity with FTP clients (FileZilla)
  • Recognize and analyze FTP traffic in Wireshark packet captures
  • Identify flaws in server configuration using least privilege and access control principles
  • Produce actionable security recommendations for a customer

Tools Used

  • FileZilla FTP Client
  • Wireshark
  • FTP Lab Server

Lab Network

  • Client: 192.168.2.168
  • Server: 192.168.2.188
  • Control port: 21
  • Data port: varies

Discussion Prompt

Before we dive in — how many of you have used FTP before? Where have you seen it used in the wild? Think about web hosting, file transfers, legacy enterprise systems.

FTP Fundamentals
What is FTP, what ports does it use, and why does it matter?

What is FTP?

FTP — File Transfer Protocol — is one of the oldest application-layer protocols still in widespread use. Defined in RFC 959, it was designed specifically for transferring files between hosts on a TCP/IP network. FTP is a cleartext protocol: all data, including credentials, travels unencrypted. This is its most significant security problem.

Port 21 — Control

Port 21 is the command channel. All FTP commands (USER, PASS, LIST, RETR, STOR) and server responses flow on this connection. The control connection persists for the entire FTP session.

Port 20 — Data (Active)

Port 20 is the server-side source port of the data channel in Active mode: for each directory listing or file transfer the server opens a separate TCP connection from its port 20 to the port the client announced with PORT. Passive mode does not use port 20 at all.

Security Implication

Because FTP sends credentials and data in plaintext over port 21, an attacker with network access can trivially capture usernames, passwords, and file contents. Wireshark will show you exactly this in the lab. SFTP (over SSH, port 22) and FTPS (explicit via AUTH TLS on port 21, or implicit on port 990) exist as encrypted alternatives; this lab intentionally uses unencrypted FTP to demonstrate the risk.

// QUESTION 01 What does FTP stand for?
A. Fast Transfer Protocol
B. File Transfer Protocol
C. File Transmission Protocol
D. Forwarded Transfer Protocol
File Transfer Protocol — defined in RFC 959. Designed specifically for transferring files over TCP/IP networks. Predates the modern internet and remains in use due to legacy system inertia and specific use cases.
// QUESTION 02 Which ports does FTP use?
A. Port 22 (control) and Port 23 (data)
B. Port 80 (control) and Port 443 (data)
C. Port 21 (control) and Port 20 (data, active mode)
D. Port 21 only — all traffic on one port
Port 21 is the control/command channel. Port 20 is the data channel — but only in Active mode. In Passive mode, the data channel uses a negotiated ephemeral port above 1023 rather than port 20.
Active vs Passive FTP
How the data connection is established — and why it matters for firewalls
// ACTIVE FTP — Server initiates data connection back to client
CLIENT :ctrl (ephemeral)   ──PORT h1,h2,h3,h4,p1,p2──►   SERVER :21
    Client tells server: "I'm listening on port N = p1*256 + p2, connect to me for data"
CLIENT :N (listening)      ◄──SYN (data)──               SERVER :20
    Server initiates the TCP data connection FROM its port 20 TO client port N

Active Mode Problem

The server initiates the data connection back to the client. This is problematic when the client is behind a NAT router or stateful firewall — the firewall blocks unsolicited inbound connections. Active mode is largely obsolete in modern networks for exactly this reason.

In the lab capture the negotiated data port was (200 × 256) + 122 = 51322. Octets 5 and 6 of the address tuple encode the port the same way in both modes: in the client's PORT argument (active mode) and in the server's 227 reply (passive mode).

// PASSIVE FTP — Client initiates BOTH connections
CLIENT :ctrl (ephemeral)   ──PASV──►                                         SERVER :21
CLIENT                     ◄──227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)──   SERVER :21
    Server says: "Connect to me on port N = p1*256 + p2 for data transfer"
CLIENT :ephemeral          ──SYN (data)──►                                   SERVER :N
    Client initiates the data connection to the server's advertised port

Passive Mode — Current Standard

Passive mode is the default in modern FTP clients because the client initiates both the control and data connections. This plays nicely with NAT and client-side firewalls. The server must have a range of ports open for data connections (its configured passive port range), and any firewall in front of the server must allow that range; in this lab the data port seen in the capture was 51322.

Wireshark filter for this lab (substitute whatever data port your own PASV reply or PORT command negotiated):

tcp.port == 21 or tcp.port == 51322
// QUESTION 03 In passive FTP, which party advertises the port number the data connection will use?
A. The client, via the PORT command
B. The server, in response to the PASV command
C. Always port 20, regardless of mode
D. It is negotiated via a three-way handshake before the control connection
In passive mode, the client sends PASV to the server. The server responds with the IP and port number it is listening on for the data connection. The client then initiates the data connection to that server-advertised port. This keeps all connection initiations on the client side.
// QUESTION 04 Why is Active FTP generally not used today?
A. It is slower than Passive mode
B. Active mode is only available on legacy servers
C. The server initiates the data connection back to the client, which is blocked by NAT and stateful firewalls
D. Active mode requires port 22, which conflicts with SSH
Active FTP requires the server to make an inbound TCP connection to the client on a client-specified port. Stateful firewalls and NAT devices block unsolicited inbound connections, so the data channel is dropped. Passive mode solves this by making the client initiate both connections.
User Access Lab
Connect with each account — observe what each user can see and do

Lab Setup — FileZilla

File > Site Manager > New Site. Set Encryption to "Only use plain FTP (insecure)" (the lab refers to this as FTP - Insecure; not SFTP or FTPS). Enter the server IP (192.168.2.188) and the credentials below. Connect with each account one at a time.

Account | Password | Role | Flag
anonymous | none required | No authenticated role | REVIEW
Finance_Bob | bob | Analyst 1, Finance | WEAK PWD
Finance_Admin | admin | Finance Admin / IT Personnel | CRITICAL
Maintenance_Jill | Fall2025 | No Finance association | REVIEW
khoi | (provided in lab) | Finance user, low level | OVERPERMISSIONED
// WORKSHEET Q1 For each account, note which files and directories they had access to. What were the differences between the accounts?
Key differences:

anonymous: Should have restricted or no access. If anonymous login is enabled with any file access, this is a misconfiguration — no authentication means anyone can connect.

Finance_Bob: Analyst-level access. Should see Finance-related files but with read-only scope limited to their function.

Finance_Admin: Broader Finance directory access including admin-level files, consistent with IT/admin role.

Maintenance_Jill: Has no finance association — if she can access Finance directories, that's a least privilege violation. Her scope should be limited to maintenance-relevant files only.

khoi: Low-level finance user who has been granted excessive read AND write permissions across directories that exceed what their role requires. This is the primary finding — they can read and write files beyond their job function.
// WORKSHEET Q2 What files did the khoi account have access to? Why is this a problem?
khoi is a low-level finance user but has been granted an overly permissive set of abilities including read and write access to directories beyond what their job function requires.

The concern: excessive write access means khoi could exfiltrate data, modify financial records, or plant files on the server. Even if khoi is a trusted employee today, the principle of least privilege exists precisely because insider threats and compromised credentials are real attack vectors. If khoi's account is compromised, the blast radius is far larger than necessary.
Network Traffic Analysis
Reading FTP sessions in Wireshark — what the wire reveals

Wireshark Filters for This Lab

// Capture FTP control + passive data port
tcp.port == 21 or tcp.port == 51322

// Filter by source (client machine)
ip.src == 192.168.2.168

// Filter by destination (FTP server)
ip.dst == 192.168.2.188
wireshark — ftp session capture
// TCP 3-way handshake to port 21
SYN 192.168.2.168:52401 → 192.168.2.188:21
SYN-ACK 192.168.2.188:21 → 192.168.2.168:52401
ACK 192.168.2.168:52401 → 192.168.2.188:21
 
// FTP login — plaintext on the wire
220 FTP Server Ready
USER Finance_Bob
331 Password required
PASS bob ← password visible in cleartext
230 User logged in
 
// Directory navigation; every listing or transfer is preceded by its own PASV
CWD /Finance
250 CWD command successful
PASV
227 Entering Passive Mode (192,168,2,188,200,202)
// port = (200*256)+202 = 51402 ← client now opens a second TCP connection to 192.168.2.188:51402
LIST
150 Opening data connection
226 Transfer complete
PASV
227 Entering Passive Mode (192,168,2,188,200,122)
// port = (200*256)+122 = 51322, a fresh data port for the next transfer
RETR quarterly_report.xlsx
150 Opening data connection
226 Transfer complete
// QUESTION 05 Did you observe a TCP 3-way handshake? How do you identify it in Wireshark?
A. No — FTP uses UDP so there is no 3-way handshake
B. Yes — you see SYN, SYN-ACK, ACK packets to port 21 before any FTP commands
C. Only in Active mode — Passive mode skips the handshake
D. The handshake happens but is not visible to Wireshark
FTP runs over TCP. Every TCP connection opens with the 3-way handshake (SYN → SYN-ACK → ACK). In Wireshark you'll see this for BOTH the control connection (port 21) and the data connection (port 51322 or whatever port PASV negotiated).
// QUESTION 06 Can you identify a username and password from a Wireshark FTP capture? Why or why not?
A. No — FTP uses hashed authentication
B. Only the username is visible, not the password
C. Yes — both USER and PASS commands transmit credentials in plaintext
D. Only if the attacker intercepts within the same subnet
FTP transmits credentials in cleartext. The USER command sends the username and the PASS command sends the password, and both are visible in any Wireshark capture of the control channel. This is inherent to plain FTP; only wrapping the channel in TLS (FTPS) or replacing the protocol (SFTP) removes it. Any attacker with a position on the path (same broadcast domain, a compromised switch or router, a network tap) can harvest credentials from FTP traffic.
// WORKSHEET Q3 In passive mode, how does the client determine which port to use for the data connection?
PASV Response Port Calculation:

After the client sends the PASV command, the server responds with six comma-separated numbers: the IP address (4 octets) and the port (2 octets). The port is calculated as:

port = (octet5 * 256) + octet6

Example: 227 Entering Passive Mode (192,168,2,188,200,202)
Port = (200 × 256) + 202 = 51402

The client then initiates a new TCP connection to the server's IP on that negotiated port for the data transfer.
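The port arithmetic above, together with the credential exposure from the capture section and the PORT/227 exchanges in the Active vs Passive section, as one worked example. This is an added example written for this page, not code from the original lab: it decodes a control-channel transcript in the form Wireshark's Follow TCP Stream shows it, extracts the USER/PASS pair, turns every PORT argument and 227 reply into the host:port that will carry the data channel, and emits the matching Wireshark filter. The 'C:'/'S:' direction markers, the reply wording and the second passive tuple (201,10) are assumptions; the addresses and the 200,202 and 200,122 tuples are the lab's own values.

```python
"""Decode an FTP control-channel transcript (Follow TCP Stream style): pull out the
cleartext USER/PASS pair, decode every PORT command and 227 reply into the host:port
that will carry the data channel, and build the matching Wireshark filter.

Added example for this lab, not code from the original page. The transcripts below are
constructed from the lab's values (client 192.168.2.168, server 192.168.2.188); the
'C:'/'S:' markers and the second passive tuple (201,10) are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 959 address tuple h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from a PORT argument or a 227 reply; reject octets > 255."""
    m = HOSTPORT.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in: {text!r}")
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError(f"octet out of range in: {text!r}")
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


@dataclass
class Session:
    user: Optional[str] = None
    password: Optional[str] = None
    # (mode, ip, port): the side that is LISTENING for the data connection
    data_channels: list = field(default_factory=list)
    transfers: list = field(default_factory=list)


def parse_transcript(lines):
    """lines: 'C: <command>' for client-to-server, 'S: <reply>' for server-to-client."""
    s = Session()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        side, _, text = raw.partition(": ")
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                s.user = arg
            elif verb == "PASS":
                s.password = arg          # cleartext on the wire; nothing to crack
            elif verb == "PORT":
                # Active mode: client listens here, server connects from its port 20
                s.data_channels.append(("active",) + decode_hostport(arg))
            elif verb in ("LIST", "NLST", "RETR", "STOR"):
                s.transfers.append((verb, arg))
        elif side == "S" and text.startswith("227"):
            # Passive mode: server listens here, client connects to it
            s.data_channels.append(("passive",) + decode_hostport(text))
    return s


def wireshark_filter(session):
    """Control channel plus every negotiated data port, as one filter expression."""
    ports = sorted({port for _, _, port in session.data_channels})
    return " or ".join(["tcp.port == 21"] + [f"tcp.port == {p}" for p in ports])


# Constructed passive-mode transcript modelled on the lab capture.
PASSIVE_TRANSCRIPT = """
S: 220 FTP Server Ready
C: USER Finance_Bob
S: 331 Password required
C: PASS bob
S: 230 User logged in
C: CWD /Finance
S: 250 CWD command successful
C: PASV
S: 227 Entering Passive Mode (192,168,2,188,200,202)
C: LIST
S: 150 Opening data connection
S: 226 Transfer complete
C: PASV
S: 227 Entering Passive Mode (192,168,2,188,201,10)
C: RETR quarterly_report.xlsx
S: 150 Opening data connection
S: 226 Transfer complete
""".strip().splitlines()

# Constructed active-mode transcript: the client announces the port from the lab text.
ACTIVE_TRANSCRIPT = """
C: USER Finance_Bob
C: PASS bob
C: PORT 192,168,2,168,200,122
S: 200 PORT command successful
C: RETR quarterly_report.xlsx
""".strip().splitlines()

if __name__ == "__main__":
    for name, lines in (("passive", PASSIVE_TRANSCRIPT), ("active", ACTIVE_TRANSCRIPT)):
        s = parse_transcript(lines)
        print(name, "credentials:", s.user, "/", s.password)
        for mode, ip, port in s.data_channels:
            print(f"  {mode}: data connection goes to {ip}:{port}")
        print("  filter:", wireshark_filter(s))
```

Run it and the passive transcript yields the filter `tcp.port == 21 or tcp.port == 51402 or tcp.port == 51466`; note that the filter must grow by one port per transfer, which is why a fixed `tcp.port == 51322` only matches the transfer that happened to negotiate that port. The active transcript decodes the client's PORT argument to 192.168.2.168:51322, the endpoint the server would try (and a stateful firewall would block) from its port 20.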
Least Privilege & Access Controls
Evaluating whether users have appropriate access given their role

Principle of Least Privilege

Every account should have the minimum permissions required to perform its function — no more. Access beyond business need is a vulnerability: it expands blast radius if an account is compromised, increases insider threat risk, and creates compliance exposure.

Account Role Problem? Concern
anonymous None CRITICAL Unauthenticated access. No business justification for anonymous FTP on a Finance server.
Finance_Bob Analyst 1 REVIEW Password is literally "bob" — trivially guessable. Password policy failure.
Finance_Admin IT Admin CRITICAL Password is "admin" — default/trivial credential. Admin account with no password security.
Maintenance_Jill Maintenance — no Finance CRITICAL No association with Finance. Should not have FTP access to a Finance server at all.
khoi Finance (low-level) CRITICAL Read AND write access that exceeds job function. Overpermissioned relative to role.
// QUESTION 07 Which account represents the most concerning access control violation based on role mismatch?
A. Finance_Bob — weak password
B. Finance_Admin — admin password is "admin"
C. Maintenance_Jill — no business justification for access to a Finance FTP server
D. khoi — has write access
Maintenance_Jill has no Finance association whatsoever — there is zero business justification for a maintenance employee to have any access to a Finance FTP server. This is a complete access control failure. khoi is also a significant finding (excessive permissions), and Finance_Admin's password is critically weak, but Jill represents the clearest role mismatch.
// WORKSHEET Q4 Were there any accounts where you felt like you had too much access? What access did those accounts have, and what is the business risk?
Overpermissioned accounts:

khoi: Finance user with read/write access beyond their role. Risk: can exfiltrate or tamper with financial data. If account is compromised via credential theft, attacker inherits write access to Finance server.

Finance_Admin: Admin account with trivial password ("admin"). Risk: credential stuffing or brute force would immediately succeed. Admin-level access = full scope of damage on the server.

anonymous: Any access whatsoever is too much. No authenticated identity means no accountability and no audit trail. Disabling anonymous FTP is a baseline requirement for any production system.
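As an added example for this section (not code from the lab), the role-versus-grant comparison and the password checks from the table above, written as an audit script a reviewer could run against an exported permission table. The role policy, the per-account grant table and the common-password list are constructed from the lab's account table and findings; khoi's password is not published on this page, so it is left as None and the password checks skip it.

```python
"""Audit FTP account grants against a role policy and check password hygiene.

Added example for this lab's least-privilege section, not code from the original page.
ROLE_POLICY, ACCOUNTS and COMMON_PASSWORDS are constructed from the lab's account table;
khoi's password is not given on the page, so it is None and skipped."""

# Policy: the directories and permissions each role legitimately needs (constructed).
ROLE_POLICY = {
    "finance_analyst": {"/Finance/Reports": {"read", "list"}},
    "finance_admin":   {"/Finance": {"read", "list", "write", "delete"}},
    "maintenance":     {"/Maintenance": {"read", "list", "write"}},
}
COMMON_PASSWORDS = {"admin", "password", "123456", "bob", "welcome"}

# Observed grants per account: (name, role, password, {path: perms}); constructed.
ACCOUNTS = [
    ("anonymous",        None,              None,       {"/": {"read", "list"}}),
    ("Finance_Bob",      "finance_analyst", "bob",      {"/Finance/Reports": {"read", "list"}}),
    ("Finance_Admin",    "finance_admin",   "admin",    {"/Finance": {"read", "list", "write", "delete"}}),
    ("Maintenance_Jill", "maintenance",     "Fall2025", {"/Finance/Reports": {"read", "list"}}),
    ("khoi",             "finance_analyst", None,       {"/": {"read", "list", "write"}}),
]


def _under(path, root):
    """True if path is root itself or lies inside the root directory."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def audit_grants(name, role, grants):
    """Compare each grant with the role policy; return (severity, message) findings."""
    if role is None:
        return [("CRITICAL", f"{name}: unauthenticated access enabled on {sorted(grants)}")]
    policy = ROLE_POLICY[role]
    findings = []
    for path, perms in grants.items():
        # permissions the policy allows on this exact path (from any enclosing policy root)
        allowed = set().union(*(p for root, p in policy.items() if _under(path, root)))
        # grant path is an ancestor of a policy root: scope broader than the role needs
        too_broad = any(_under(root, path) and root != path for root in policy)
        if allowed and perms <= allowed:
            continue                                      # grant fits the role
        if allowed or too_broad:
            extra = sorted(perms - allowed)
            findings.append(("HIGH", f"{name}: overpermissioned on {path}: {extra} exceeds role {role}"))
        else:
            findings.append(("CRITICAL", f"{name}: role mismatch: {role} has no business need for {path}"))
    return findings


def audit_password(name, role, password):
    """Flag short, common, or username-derived passwords; admin accounts get CRITICAL."""
    if password is None:
        return []
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("in common-password list")
    if password.lower() in name.lower():
        reasons.append("derived from username")
    if not reasons:
        return []
    severity = "CRITICAL" if role == "finance_admin" else "HIGH"
    return [(severity, f"{name}: weak password ({', '.join(reasons)})")]


def audit(accounts=ACCOUNTS):
    findings = []
    for name, role, password, grants in accounts:
        findings += audit_grants(name, role, grants)
        findings += audit_password(name, role, password)
    return findings


if __name__ == "__main__":
    for severity, message in audit():
        print(f"[{severity}] {message}")
```

The two grant checks are deliberately separate: a grant that falls entirely outside the role's directories is a role mismatch (Maintenance_Jill), while a grant that encloses or exceeds the role's directories is overpermissioning (khoi's read/write on the whole server). Both are scoped to a policy that someone has to write down first, which is the point of the access review: without a documented business need per role, there is nothing to audit against.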
Recommendations
What would you tell this customer? How severe is it?

Finding 1 — FTP Cleartext Transmission

CRITICAL

All credentials and file contents transmitted over FTP are visible in plaintext on the network. Any attacker with network access can trivially capture usernames, passwords, and data.

Recommendation: Migrate to SFTP (SSH File Transfer Protocol, port 22) or FTPS (FTP over TLS). Disable plain FTP on the server and, once clients have migrated, block port 21 at the firewall so nothing can silently fall back to cleartext. There is no mitigation that makes plaintext FTP acceptable for financial data.

Finding 2 — Anonymous FTP Enabled

CRITICAL

Anonymous login is enabled, allowing unauthenticated access to the FTP server. This bypasses all authentication controls and removes accountability from access events.

Recommendation: Disable anonymous FTP immediately. There is no legitimate use case for anonymous access to a Finance file server.

Finding 3 — Trivial / Default Credentials

CRITICAL

Finance_Bob uses password "bob". Finance_Admin uses password "admin". These are dictionary attack first-guess credentials. The admin account with a trivial password is the highest impact item in this category.

Recommendation: Enforce a password policy: minimum 12 characters, no username-as-password, screening against breached-password lists, lockout or rate limiting after repeated failures. Rotate all current credentials now, since 'bob' and 'admin' must be assumed known. Add MFA for administrative accounts; in practice this depends on the SFTP migration in Finding 1, because plain FTP's USER/PASS exchange has no second-factor step.

Finding 4 — Role Misalignment (Maintenance_Jill)

HIGH

Maintenance_Jill has FTP access to a Finance server with no documented business justification. This violates least privilege and creates unnecessary exposure.

Recommendation: Remove Maintenance_Jill's access. Conduct a full access review: every account on the FTP server should have a documented business owner and access justification.

Finding 5 — Excessive Permissions (khoi)

HIGH

khoi is a low-level Finance user with read and write access that exceeds their job function. Overpermissioning increases blast radius if the account is compromised.

Recommendation: Scope khoi's access to read-only on specific directories required for their role. Apply the same review to all analyst-level accounts.
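A practitioner closing Findings 1 and 2 wants a repeatable check that they are really closed. The following is an added example, not part of the original lab: it walks the control channel by hand with ftplib's sendcmd, once on a fresh connection to see whether AUTH TLS is offered, and once on another fresh connection to see whether an anonymous USER/PASS exchange reaches 230. The ScriptedFTP stand-in and its canned reply tables are constructed so the check runs offline; against a real host pass a factory such as lambda: ftplib.FTP('192.168.2.188', timeout=10) instead. A 234 to AUTH TLS only proves TLS is available, not that plaintext logins are refused, so that finding is reported as VERIFY rather than CLOSED.

```python
"""Check whether a server still accepts anonymous login and whether it offers AUTH TLS.

Added example for this lab's recommendations, not code from the original page. ScriptedFTP
and the two reply tables are constructed so the check runs offline; for a live host use a
factory that returns ftplib.FTP(host, timeout=...) and the same probe() works unchanged."""
import ftplib


class ScriptedFTP:
    """Offline stand-in for ftplib.FTP: one canned reply per command verb (constructed).
    Mirrors ftplib's behaviour of raising error_perm on 5xx and error_temp on 4xx."""

    def __init__(self, replies):
        self.replies = replies
        self.sent = []

    def getwelcome(self):
        return self.replies.get("__welcome__", "220 FTP Server Ready")

    def sendcmd(self, cmd):
        self.sent.append(cmd)
        verb = cmd.split(" ", 1)[0].upper()
        reply = self.replies.get(verb, "502 Command not implemented")
        if reply.startswith("5"):
            raise ftplib.error_perm(reply)
        if reply.startswith("4"):
            raise ftplib.error_temp(reply)
        return reply

    def quit(self):
        return "221 Goodbye"


def _close(ftp):
    try:
        ftp.quit()
    except Exception:   # a real server may drop us, e.g. after AUTH TLS with no handshake
        pass


def offers_explicit_tls(connect):
    """Fresh connection: a 234 reply to AUTH TLS means the server can upgrade to FTPS."""
    ftp = connect()
    try:
        return ftp.sendcmd("AUTH TLS").startswith("234")
    except (ftplib.error_perm, ftplib.error_temp):
        return False
    finally:
        _close(ftp)


def accepts_anonymous(connect):
    """Fresh connection: drive USER/PASS by hand; a 230 means anonymous login is live."""
    ftp = connect()
    try:
        reply = ftp.sendcmd("USER anonymous")
        if reply.startswith("331"):                 # password requested; any string is accepted
            reply = ftp.sendcmd("PASS anonymous@example.com")
        return reply.startswith("230")
    except (ftplib.error_perm, ftplib.error_temp):
        return False
    finally:
        _close(ftp)


def probe(connect):
    """Return the lab's Findings 1 and 2 as (severity, status, message) tuples."""
    tls = offers_explicit_tls(connect)
    anon = accepts_anonymous(connect)
    return [
        ("CRITICAL", "VERIFY" if tls else "OPEN",
         "AUTH TLS offered; confirm plaintext logins are refused" if tls
         else "plain FTP only, no TLS upgrade offered"),
        ("CRITICAL", "OPEN" if anon else "CLOSED",
         "anonymous login accepted" if anon else "anonymous login refused"),
    ]


# Constructed reply tables: the lab server as found, and the same server after remediation.
LAB_SERVER = {"AUTH": "502 Command not implemented",
              "USER": "331 Password required", "PASS": "230 User logged in"}
HARDENED_SERVER = {"AUTH": "234 Proceed with negotiation",
                   "USER": "530 Anonymous access denied"}

if __name__ == "__main__":
    for label, table in (("lab server", LAB_SERVER), ("hardened", HARDENED_SERVER)):
        print(label)
        for severity, status, message in probe(lambda t=table: ScriptedFTP(t)):
            print(f"  [{severity}] {status}: {message}")
```

Each check uses its own connection on purpose: after a 234 the server expects a TLS handshake on that socket, and after a login many servers reject AUTH with a 503 bad-sequence reply, so testing both on one session gives misleading answers.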

// WORKSHEET Q5 — DISCUSSION What severity rating would you assign to the FTP cleartext credential issue? How would you present these findings to a non-technical customer?
Severity: Critical

FTP transmitting credentials and financial data in cleartext on a Finance server is a Critical finding by any standard framework (CVSS, OWASP, NIST). Data confidentiality is completely broken for any attacker with network access — which includes any malicious insider or anyone who has compromised a network device.

How to present to a non-technical customer:
"Imagine every file you send to this server, and every password you use to log in, is written on a postcard. Anyone on the network between your computer and the server can read that postcard. Right now, your employees are sending financial files using the postcard method. We need to switch to a sealed envelope — that's what SFTP does."

Pair the analogy with the business impact: regulatory exposure (PCI DSS if payment card data crosses this server, SOX internal-control requirements over a public company's financial records), possible breach notification obligations once credentials or files are known to have been exposed, and reputational risk.

Lab Complete

You've covered FTP fundamentals, active vs passive modes, hands-on user access testing, network traffic analysis in Wireshark, and produced security findings with recommendations. These skills apply directly to security assessments, helpdesk troubleshooting, and network defense work.