ftp_anonymous: Report service/vuln, store loot & update metadata #21372

Merged
cdelafuente-r7 merged 16 commits into rapid7:master from g0tmi1k:ftp_anonymous
May 6, 2026

@g0tmi1k g0tmi1k commented Apr 24, 2026

This PR is for:

  • Move module to match other generic FTP modules
  • Add/Update metasploit (including CVE & notes)
  • Clean up output and be more verbose
  • Add report_service and report_vuln
  • Able to store "loot" if successfully exploited as proof

Before

[*] Connected to the database specified in the YAML file
[*] Connected to msf. Connection type: postgresql. Connection name: OYGIkFxA.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 10.0.0.10
LHOST => tap0
msf >
msf > use scanner anonymous ftp

Matching Modules
================

   #  Name                             Disclosure Date  Rank    Check  Description
   -  ----                             ---------------  ----    -----  -----------
   0  auxiliary/scanner/ftp/anonymous  .                normal  No     Anonymous FTP Access Detection


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/ftp/anonymous

[*] Using auxiliary/scanner/ftp/anonymous
msf auxiliary(scanner/ftp/anonymous) >
msf auxiliary(scanner/ftp/anonymous) > options

Module options (auxiliary/scanner/ftp/anonymous):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS   10.0.0.10            yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    21                   yes       The target port (TCP)
   THREADS  1                    yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf auxiliary(scanner/ftp/anonymous) >
msf auxiliary(scanner/ftp/anonymous) > run
[*] 10.0.0.10:21          - Connecting to FTP server 10.0.0.10:21...
[*] 10.0.0.10:21          - Connected to target FTP server.
[*] 10.0.0.10:21          - Authenticating as anonymous with password mozilla@example.com...
[*] 10.0.0.10:21          - Sending password...
[+] 10.0.0.10:21          - 10.0.0.10:21 - Anonymous READ (220 (vsFTPd 2.3.4))
[*] 10.0.0.10:21          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ftp/anonymous) >
msf auxiliary(scanner/ftp/anonymous) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         0      1      0      0

msf auxiliary(scanner/ftp/anonymous) > services -v
Services
========

host       port  proto  name  state  info  resource  parents
----       ----  -----  ----  -----  ----  --------  -------
10.0.0.10  21    tcp    ftp   open         {}

msf auxiliary(scanner/ftp/anonymous) >
msf auxiliary(scanner/ftp/anonymous) > creds
Credentials
===========

id  host       origin     service       public     private              realm  private_type  JtR Format  cracked_password
--  ----       ------     -------       ------     -------              -----  ------------  ----------  ----------------
63  10.0.0.10  10.0.0.10  21/tcp (ftp)  anonymous  mozilla@example.com         Password

msf auxiliary(scanner/ftp/anonymous) >
msf auxiliary(scanner/ftp/anonymous) >

After

msf > use scanner anonymous ftp

Matching Modules
================

   #  Name                                 Disclosure Date  Rank    Check  Description
   -  ----                                 ---------------  ----    -----  -----------
   0  auxiliary/scanner/ftp/ftp_anonymous  .                normal  No     Anonymous FTP Access Detection
   1  auxiliary/scanner/ftp/ftp_login      .                normal  No     FTP Authentication Scanner


Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/ftp/ftp_login

msf > use 0
msf auxiliary(scanner/ftp/ftp_anonymous) >
msf auxiliary(scanner/ftp/ftp_anonymous) > options

Module options (auxiliary/scanner/ftp/ftp_anonymous):

   Name        Current Setting      Required  Description
   ----        ---------------      --------  -----------
   FTPPASS     mozilla@example.com  no        The password for the specified username
   FTPUSER     anonymous            no        The username to authenticate as
   RHOSTS      10.0.0.10            yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT       21                   yes       The target port (TCP)
   STORE_LOOT  true                 no        Store the directory listing as loot
   THREADS     1                    yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf auxiliary(scanner/ftp/ftp_anonymous) >
msf auxiliary(scanner/ftp/ftp_anonymous) > run
[*] 10.0.0.10:21          - Connecting to FTP server 10.0.0.10:21...
[*] 10.0.0.10:21          - Connected to target FTP server.
[*] 10.0.0.10:21          - Authenticating as anonymous with password mozilla@example.com...
[*] 10.0.0.10:21          - Sending password...
[*] 10.0.0.10:21          - Testing write access, Creating directory: wSSePVqs
[+] 10.0.0.10:21          - Anonymous Read-only access (vsFTPd 2.3.4)
[*] 10.0.0.10:21          - Listing directory contents
[*] 10.0.0.10:21          - Directory listing:
-rw-r--r--    1 0        0               0 Apr 24 19:25 test

[+] 10.0.0.10:21          - Directory listing stored to: /home/kali/.msf4/loot/20260424203150_default_10.0.0.10_ftp.anonymous_727755.txt
[*] 10.0.0.10:21          - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ftp/ftp_anonymous) >
msf auxiliary(scanner/ftp/ftp_anonymous) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         1      1      1      0

msf auxiliary(scanner/ftp/ftp_anonymous) >
msf auxiliary(scanner/ftp/ftp_anonymous) > services
Services
========

host       port  proto  name  state  info                resource  parents
----       ----  -----  ----  -----  ----                --------  -------
10.0.0.10  21    tcp    ftp   open   220 (vsFTPd 2.3.4)  {}

msf auxiliary(scanner/ftp/ftp_anonymous) >
msf auxiliary(scanner/ftp/ftp_anonymous) > vulns

Vulnerabilities
===============

Timestamp                Host       Service       Resource  Name                  References
---------                ----       -------       --------  ----                  ----------
2026-04-24 19:31:51 UTC  10.0.0.10  ftp (21/tcp)  {}        Anonymous FTP Access  URL-https://en.wikipedia.org/wiki/File_Transfer_Protocol#Anonymous_FTP,CVE-1999-0497

msf auxiliary(scanner/ftp/ftp_anonymous) >

@g0tmi1k g0tmi1k force-pushed the ftp_anonymous branch 8 times, most recently from 662d41b to 971c9d3 Compare April 30, 2026 11:58
@g0tmi1k g0tmi1k force-pushed the ftp_anonymous branch 8 times, most recently from 02d2c40 to bf2c70a Compare May 5, 2026 16:57
@cdelafuente-r7 cdelafuente-r7 self-assigned this May 5, 2026
@cdelafuente-r7 cdelafuente-r7 added the rn-enhancement release notes enhancement label May 5, 2026
@cdelafuente-r7 cdelafuente-r7 moved this from Todo to In Progress in Metasploit Kanban May 5, 2026

g0tmi1k commented May 5, 2026

This now needs #21380 to be merged ahead of time.

@g0tmi1k g0tmi1k force-pushed the ftp_anonymous branch 2 times, most recently from 47a385d to 6e2c9b0 Compare May 5, 2026 18:12

@cdelafuente-r7 cdelafuente-r7 left a comment

Thank you @g0tmi1k. I left a couple of minor comments and it will be good to go. I tested the module and it still works as expected.

Comment thread modules/auxiliary/scanner/ftp/ftp_anonymous.rb
Comment thread modules/auxiliary/scanner/ftp/ftp_anonymous.rb Outdated
@g0tmi1k g0tmi1k requested a review from cdelafuente-r7 May 6, 2026 12:44

g0tmi1k commented May 6, 2026

Thanks for the review & time @cdelafuente-r7. Feedback hopefully addressed!

@cdelafuente-r7 cdelafuente-r7 left a comment

Thank you @g0tmi1k. It looks good to me now. I'll go ahead and land it.

@cdelafuente-r7 cdelafuente-r7 merged commit 696f530 into rapid7:master May 6, 2026
18 checks passed
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Metasploit Kanban May 6, 2026
@cdelafuente-r7

Release Notes

This updates the FTP anonymous scanner module. Key changes include moving the module to align with other generic FTP modules, adding and updating CVE references and documentation notes, and cleaning up the output to be more verbose. Additionally, the module now reports service and vulnerability data to the database and stores proof-of-exploitation info in the loot upon a successful run.
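
The login and write-access check that the module output on this page walks through, reduced to an offline classifier over an FTP control-channel transcript. This is an added example, not code from the PR or from Metasploit; the `C:`/`S:` transcript format, `classify_session`, `access_level` and the sample session are assumptions constructed for illustration.

```ruby
# Constructed FTP control-channel transcript (C: client, S: server).
# Not captured from a real host; values mirror the session shown on this page.
SAMPLE = <<~LOG
  S: 220 (vsFTPd 2.3.4)
  C: USER anonymous
  S: 331 Please specify the password.
  C: PASS mozilla@example.com
  S: 230 Login successful.
  C: MKD wSSePVqs
  S: 550 Permission denied.
LOG

WRITE_VERBS = %w[MKD STOR APPE].freeze

# Hypothetical helper: walk one session and record banner, anonymous login and write success.
def classify_session(transcript)
  result = { banner: nil, anonymous_login: false, writable: false }
  last_cmd = nil
  anon_user = false
  transcript.each_line do |line|
    side, text = line.strip.split(': ', 2)
    next if text.nil?

    if side == 'C'
      verb, arg = text.split(' ', 2)
      last_cmd = verb.upcase
      anon_user = %w[anonymous ftp].include?(arg.to_s.downcase) if last_cmd == 'USER'
    elsif side == 'S' && (m = text.match(/\A(\d{3}) (.*)\z/)) # skip "ddd-" continuation lines
      code = m[1].to_i
      if last_cmd.nil?
        result[:banner] ||= m[2] if code == 220
      elsif %w[USER PASS].include?(last_cmd)
        result[:anonymous_login] = true if anon_user && code == 230
      elsif WRITE_VERBS.include?(last_cmd)
        # 2xx to a write command after anonymous login means the account can modify the server
        result[:writable] = true if result[:anonymous_login] && code.between?(200, 299)
      end
    end
  end
  result
end

# Hypothetical helper: map the result to the access level a report would record.
def access_level(result)
  return :none unless result[:anonymous_login]

  result[:writable] ? :read_write : :read_only
end

puts access_level(classify_session(SAMPLE)) # read_only
```

A `:read_write` result is the finding to prioritise, since the anonymous account can then alter server content.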

@g0tmi1k g0tmi1k deleted the ftp_anonymous branch May 6, 2026 13:24

g0tmi1k commented May 6, 2026

Thanks @cdelafuente-r7 !
