Port 69 — TFTP (Data)

A guide to enumeration and exploitation of Trivial File Transfer Protocol

0) What is TFTP?

Trivial File Transfer Protocol (TFTP) is a very simple, UDP-based file transfer service. It provides minimal authentication (usually none) and is often used for transferring small files such as firmware images, device configs, or boot files (PXE). Because it lacks built-in security, it is a common target in network assessments.

1) Recon Phase
- Identify host(s) offering UDP/69 with a quick UDP scan (e.g. nmap -sU -p 69 <target>)
- Confirm responsiveness with tftp/atftp clients or nmap NSE scripts
- Capture traffic with tshark/wireshark to observe transfer attempts and filenames
      

Use nmap -sU -p 69 --script tftp-enum <target> to discover readable files and basic TFTP responses. Follow up with an interactive TFTP client for manual checks.

2) Enumeration Phase
- Attempt anonymous reads: use tftp/atftp to GET common files (config, startup-config, *.bin, *.img)
- Try directory/file name fuzzing (common firmware names, device model names)
- Use nmap NSE for enumeration: tftp-enum and related scripts
      

Common commands:
- tftp> connect <target>
- tftp> get <filename>
- atftp --get --remote-file <filename> --verbose <target>

3) Exploitation Phase
- Download exposed configuration backups or firmware images that may contain credentials
- Upload (if allowed) crafted files to achieve persistence or overwrite boot files (device dependent)
- Use recovered credentials from configs to pivot to other services (SSH, HTTP admin, etc.)
      

Look for readable files like device config, passwd-like files, or private keys. If upload/write is allowed, proceed with extreme caution and only in authorised testing scenarios.
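From the defender's side, the same reads and writes are visible in cleartext on UDP/69 and can be flagged there. The following is an added example, not part of the original guide: it parses RFC 1350 read/write requests from raw UDP payloads and reports write requests, path traversal and sensitive filenames. The watchlist patterns, function names and sample payloads are assumptions constructed for illustration.

```python
import struct
from fnmatch import fnmatchcase

# Assumed watchlist, based on the file types named in this guide; tune per site.
SENSITIVE = ["*config*", "*.bin", "*.img", "*passwd*", "*id_rsa*", "*.key", "*.pem"]

def parse_request(payload: bytes):
    """Parse a TFTP RRQ/WRQ (RFC 1350); return None for other or malformed packets."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):  # 1 = RRQ (read), 2 = WRQ (write)
        return None
    fields = payload[2:].split(b"\x00")
    # Layout is filename NUL mode NUL [option NUL value NUL ...], so a
    # well-formed request always ends with an empty field after the split.
    if len(fields) < 3 or fields[-1] != b"" or not fields[0]:
        return None
    mode = fields[1].decode("ascii", "replace").lower()
    if mode not in ("netascii", "octet", "mail"):
        return None
    return {"op": "RRQ" if opcode == 1 else "WRQ",
            "filename": fields[0].decode("ascii", "replace"), "mode": mode}

def triage(payload: bytes):
    """Return alert reasons for one UDP/69 payload (empty list: nothing flagged)."""
    req = parse_request(payload)
    if req is None:
        return []
    name = req["filename"].lower()
    reasons = ["write request"] if req["op"] == "WRQ" else []
    if ".." in name.replace("\\", "/").split("/"):
        reasons.append("path traversal in filename")
    if any(fnmatchcase(name, pattern) for pattern in SENSITIVE):
        reasons.append("sensitive filename")
    return reasons

# Constructed sample payloads (not captured from a real network).
SAMPLES = [
    b"\x00\x01startup-config\x00octet\x00",
    b"\x00\x02pxelinux.0\x00octet\x00",
    b"\x00\x01../../etc/passwd\x00netascii\x00",
    b"\x00\x01boot/menu.c32\x00octet\x00blksize\x001468\x00",
    b"\x00\x04\x00\x01",  # ACK: not a request, ignored
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_request(sample), triage(sample))
```

Only the initial request goes to port 69; the server answers from an ephemeral port, so this check sees every requested filename without needing to follow the data transfer.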

TFTP Info — What to Look For

Tools Required

sudo apt install tftp atftp tftp-hpa nmap tshark
      
