Tools

FileZilla Credentials Decoder

Decode FTP credentials stored in FileZilla sitemanager.xml or recentservers.xml files. Base64-encoded passwords are decoded automatically.

XML Content

Drag and drop an XML file here, or click to browse

Results

Decoded entries will appear here

Loading FileZilla Decoder...

FileZilla Password Decoder Online

Extract and decode saved FTP credentials from FileZilla sitemanager.xml and recentservers.xml files. Passwords encoded in Base64 are decoded automatically. All processing runs locally in your browser.

What is FILEZILLA?

FileZilla is one of the most widely used FTP clients. It saves server connection profiles, including usernames and passwords, in XML files on your local system. The primary file is sitemanager.xml, which stores named site entries, and recentservers.xml, which stores recently connected servers. Passwords in these files are stored in plaintext or encoded with Base64 depending on the FileZilla version. When security researchers or penetration testers find these files on a compromised machine, or when a developer needs to recover lost credentials, a FileZilla decoder extracts all saved credentials from the XML structure.

Example

Input:

<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.5" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>ftpuser</User>
      <Pass encoding="base64">c2VjcmV0cGFzcw==</Pass>
      <Name>My FTP Site</Name>
    </Server>
  </Servers>
</FileZilla3>

Output:

Name: My FTP Site
Host: ftp.example.com
Port: 21
Protocol: FTP
Username: ftpuser
Password: secretpass

FAQ

Where does FileZilla store saved passwords?
FileZilla stores saved site credentials in sitemanager.xml and recently used connection data in recentservers.xml. On Windows these files are typically located at %APPDATA%\FileZilla\. On Linux and macOS they are in ~/.config/filezilla/ or ~/.filezilla/.
Are FileZilla passwords encrypted?
No. FileZilla does not encrypt passwords. In older versions passwords were stored in plaintext. In newer versions they are Base64-encoded, which is an encoding scheme, not encryption. Anyone with access to the XML file can recover the passwords. FileZilla intentionally avoids encryption to prevent a false sense of security.
How is this tool used in penetration testing?
During a penetration test, after gaining access to a Windows workstation, testers look for FileZilla XML files in common profile directories. Extracting FTP credentials from these files can reveal access to file servers, web hosting accounts, backup servers, and internal infrastructure.
Is it safe to paste my FileZilla file here?
Yes. The decoder runs entirely in your browser using JavaScript. No file content is transmitted to any server. The parsing and decoding happen locally on your machine.
What protocols does FileZilla support in sitemanager.xml?
The Protocol field uses numeric codes: 0 for FTP, 3 for SFTP (SSH File Transfer Protocol), 4 for FTP over explicit TLS, and 6 for FTP over implicit TLS. The decoder translates these codes to their human-readable names.

FileZilla Password Decoder Online

What is FILEZILLA?

Example

Input:

<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.5" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>ftpuser</User>
      <Pass encoding="base64">c2VjcmV0cGFzcw==</Pass>
      <Name>My FTP Site</Name>
    </Server>
  </Servers>
</FileZilla3>

Output:

Name: My FTP Site
Host: ftp.example.com
Port: 21
Protocol: FTP
Username: ftpuser
Password: secretpass

FAQ

Where does FileZilla store saved passwords?
FileZilla stores saved site credentials in sitemanager.xml and recently used connection data in recentservers.xml. On Windows these files are typically located at %APPDATA%\FileZilla\. On Linux and macOS they are in ~/.config/filezilla/ or ~/.filezilla/.
Are FileZilla passwords encrypted?
No. FileZilla does not encrypt passwords. In older versions passwords were stored in plaintext. In newer versions they are Base64-encoded, which is an encoding scheme, not encryption. Anyone with access to the XML file can recover the passwords. FileZilla intentionally avoids encryption to prevent a false sense of security.
How is this tool used in penetration testing?
During a penetration test, after gaining access to a Windows workstation, testers look for FileZilla XML files in common profile directories. Extracting FTP credentials from these files can reveal access to file servers, web hosting accounts, backup servers, and internal infrastructure.
Is it safe to paste my FileZilla file here?
Yes. The decoder runs entirely in your browser using JavaScript. No file content is transmitted to any server. The parsing and decoding happen locally on your machine.
What protocols does FileZilla support in sitemanager.xml?
The Protocol field uses numeric codes: 0 for FTP, 3 for SFTP (SSH File Transfer Protocol), 4 for FTP over explicit TLS, and 6 for FTP over implicit TLS. The decoder translates these codes to their human-readable names.