FTP fingerprinting is common among normal users and hackers alike. Most FTP clients contain a few fingerprinting techniques to figure out the server version in order to compensate for some well known bugs. Hackers use the technique in order to figure out what version the server is running. There are zillions of exploits for FTP servers, so figuring out the exact version helps the hacker narrow down what they have to do in order to compromise the system.
The first way to fingerprint an FTP server is to send the SYST command. In theory, this command should return the underlying operating system version. However, since it has been found that this provides too much information to hackers, most FTP servers these days return something generic, like "UNIX".
Another technique is to view the output of directory listings. The original versions of FTP uses text-mode clients where directory listings where read by human beings. Therefore, no standards clarified the format of this output, so implementors chose their own methods. Thus, the directory listing can sometimes reveal the version of the server. This is the chief way that client programs fingerprint servers these days.
Another method is to send invalid data. The following is a technique that David Litchfield proposed:
ftp> cd ~mail
550 /var/spool/mail: No such file or directory.
ftp> cd ~games
550 /usr/games: No such file or directory.
ftp> cd ~root
550 /root: No such file or directory.
ftp> cd ~guest
550 Unknown user name after ~
ftp> cd ~jsmith
550 Unknown user name after ~
ftp> cd ~nobody
550 /dev/null: No such file or directory
The WU-FTP daemon can be forced to reveal the existence and location of default accounts and directories. Different versions of UNIX have different defaults, so this technique can reveal the underlying operating system.
