Most people learning pentesting focus on TCP. Makes sense — HTTP, FTP, SMB, that’s where a lot of the action is. But UDP protocols are a different beast, and they’re often overlooked. That’s exactly why they’re interesting.

What is TFTP and why should you care?

TFTP — Trivial File Transfer Protocol — is the stripped-back cousin of FTP. We’re talking trivial by design: no authentication, no encryption, no directory listings. Just simple file transfers over UDP. It sounds ancient, and it kind of is — but it’s still actively used in network device provisioning, PXE boot environments, router firmware updates, and embedded systems. That means it still shows up on real engagements.

No authentication. Think about that for a second.

Why UDP makes fuzzing different

When you fuzz a TCP protocol, you get a handshake, a connection, feedback. UDP is stateless — you fire packets and hope the server says something useful back. That changes how you approach fuzzing. You’re not just looking for crashes; you’re looking for unexpected behaviour, weird responses, and anything that suggests the implementation is handling malformed input poorly.
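To make "handling malformed input poorly" concrete, here is an added example (not from the original post and not part of the nullsecurity tool) of the defender's side: a strict parser for the TFTP request packet laid out in RFC 1350, which returns the ERROR packet a server should answer with instead of guessing at intent. The sample packets are constructed for the example.

```python
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
VALID_MODES = {"netascii", "octet", "mail"}   # the three modes RFC 1350 defines


def parse_request(pkt: bytes) -> dict:
    """Strictly parse a TFTP RRQ/WRQ: 2-byte opcode, filename, NUL, mode, NUL.
    Raises ValueError on anything malformed instead of guessing at intent."""
    if len(pkt) < 4:
        raise ValueError("packet too short for an opcode and two terminators")
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError(f"not a request opcode: {opcode}")
    fields = pkt[2:].split(b"\x00")
    # Well-formed: filename, mode, and an empty trailer from the final NUL.
    if len(fields) != 3 or fields[2] != b"" or not fields[0]:
        raise ValueError("filename/mode are not two non-empty NUL-terminated strings")
    # UnicodeDecodeError is a ValueError, so non-ASCII bytes are rejected too.
    name = fields[0].decode("ascii")
    mode = fields[1].decode("ascii", "replace").lower()  # mode is case-insensitive
    if mode not in VALID_MODES:
        raise ValueError(f"unknown transfer mode: {mode!r}")
    if name.startswith("/") or ".." in name.split("/"):
        raise ValueError("filename escapes the served directory")
    return {"opcode": opcode, "filename": name, "mode": mode}


def build_error(code: int, msg: str) -> bytes:
    """ERROR packet (opcode 5, error code, message, NUL) for a rejected request."""
    return struct.pack("!HH", ERROR, code) + msg.encode("ascii", "replace") + b"\x00"


def handle(pkt: bytes):
    """Return the parsed request dict, or the ERROR packet to send instead."""
    try:
        return parse_request(pkt)
    except ValueError as e:
        return build_error(4, str(e))   # 4 = "illegal TFTP operation" in RFC 1350


# Constructed sample packets: one valid RRQ and three of the malformed shapes
# a UDP fuzzer throws at a server (missing terminator, bogus mode, traversal).
SAMPLES = {
    "valid": b"\x00\x01config.bin\x00octet\x00",
    "no_terminator": b"\x00\x01config.bin\x00octet",
    "bad_mode": b"\x00\x02firmware\x00binary\x00",
    "traversal": b"\x00\x01../../etc/passwd\x00netascii\x00",
}
```

Run `handle()` over each entry in `SAMPLES`: the valid request parses, and every malformed one yields an ERROR packet rather than a half-parsed request the server then acts on.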

Getting comfortable with UDP-based fuzzing early on makes you a more well-rounded vulnerability researcher. A lot of people skip it because it feels less intuitive. Don’t skip it.

What this tool has actually done

This isn’t something I threw together for a blog post. This TFTP fuzzer was built as part of the same vulnerability research workflow I was using to find and document previously undisclosed bugs in server software. The methodology is the same as the FTP fuzzer — systematic, targeted, and designed to surface real issues in real software.

Where to get it

Open source, on GitHub, alongside the rest of the nullsecurity toolset:

https://github.com/nullsecuritynet/tools/blob/main/fuzzer/tftp-fuzz/release/tftp-fuzz.py

As with anything in this space — read the code before you run it. Understand what it’s actually sending. If you can modify it to target a different UDP-based protocol, even better. That’s the exercise that makes it stick.

If TFTP keeps showing up in your scans and you’ve been glossing over it, this is your sign to stop doing that.