FTP Bounce attack - Scan

FTP Bounce - Scanning

Manual

  1. Connect to the vulnerable FTP server.
  2. Use **PORT** or EPRT (but only one of them) to make it establish a connection with the <IP:Port> you want to scan:
     PORT 172,32,80,80,0,8080
     EPRT |2|172.32.80.80|8080|
  3. Use LIST (this will just send to the connected <IP:Port> the list of current files in the FTP folder) and check for the possible responses: 150 File status okay (this means the port is open) or 425 No connection established (this means the port is closed).
     1. Instead of LIST you could also use RETR /file/in/ftp and look for similar Open/Close responses.
Example using PORT (port 8080 of 172.32.80.80 is open and port 7777 is closed):
Same example using EPRT (authentication omitted in the image):
Open port using EPRT instead of LIST (different env)
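From the defender's side, a bounce scan shows up in the FTP server's command log as PORT/EPRT commands whose data-connection target is not the client that issued them. The following detector is an added example (not part of the original page or any FTP server): it parses both the PORT `h1,h2,h3,h4,p1,p2` form and the RFC 2428 EPRT `|proto|addr|port|` form described above and flags third-party targets. The log format (`<client_ip> <command line>`) and the sample lines are constructed assumptions.

```python
import ipaddress

# Constructed sample of an FTP command log in an assumed "<client_ip> <command>" format.
SAMPLE_LOG = """\
10.0.0.5 USER anonymous
10.0.0.5 PORT 10,0,0,5,195,80
10.0.0.5 LIST
10.0.0.5 PORT 172,32,80,80,31,144
10.0.0.5 LIST
10.0.0.5 EPRT |2|172.32.80.80|7777|
10.0.0.5 RETR /file/in/ftp
"""

def parse_port_arg(arg):
    """PORT h1,h2,h3,h4,p1,p2 -> (ip, port) with port = p1*256 + p2, or None if malformed."""
    try:
        parts = [int(x) for x in arg.split(",")]
    except ValueError:
        return None
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        return None
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]

def parse_eprt_arg(arg):
    """EPRT <d><proto><d><addr><d><port><d> -> (addr, port); <d> is usually '|'."""
    if not arg:
        return None
    fields = arg.split(arg[0])          # "|2|a.b.c.d|8080|" -> ['', '2', 'a.b.c.d', '8080', '']
    if len(fields) != 5 or fields[0] or fields[4] or not fields[3].isdigit():
        return None
    try:
        ipaddress.ip_address(fields[2])  # accept any family value; validate only the address
    except ValueError:
        return None
    return fields[2], int(fields[3])

def data_target(command):
    """Return the (ip, port) a PORT/EPRT command asks the server to connect to, else None."""
    verb, _, arg = command.strip().partition(" ")
    if verb.upper() == "PORT":
        return parse_port_arg(arg.strip())
    if verb.upper() == "EPRT":
        return parse_eprt_arg(arg.strip())
    return None

def find_bounce_attempts(log_text):
    """Flag data-connection requests whose target differs from the issuing client's address."""
    hits = []
    for line in log_text.splitlines():
        client_ip, _, command = line.partition(" ")
        target = data_target(command)
        if target is None:
            continue
        ip, port = target
        if ipaddress.ip_address(ip) != ipaddress.ip_address(client_ip):
            hits.append((client_ip, command.split()[0].upper(), ip, port))
    return hits

if __name__ == "__main__":
    for client, verb, ip, port in find_bounce_attempts(SAMPLE_LOG):
        print(f"bounce attempt from {client}: {verb} -> {ip}:{port}")
```

The same client-versus-target comparison is what servers apply when they refuse third-party PORT/EPRT targets (for example vsftpd's `port_promiscuous`, which defaults to NO), so a server that accepts them is the misconfiguration this page's scan relies on.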

nmap

nmap -b <name>:<pass>@<ftp_server> <victim>
nmap -Pn -v -p 21,80 -b ftp:[email protected] 127.0.0.1 #Scan ports 21,80 of the FTP
nmap -v -p 21,22,445,80,443 -b ftp:[email protected] 192.168.0.1/24 #Scan the internal network (of the FTP) ports 21,22,445,80,443