FTP Bounce attack - Scan

FTP Bounce - Scanning


  1. 1.
    Connect to vulnerable FTP
  2. 2.
    Use **PORT**or EPRT(but only 1 of them) to make it establish a connection with the <IP:Port> you want to scan:
    PORT 172,32,80,80,0,8080 EPRT |2||8080|
  3. 3.
    Use LIST(this will just send to the connected <IP:Port> the list of current files in the FTP folder) and check for the possible responses: 150 File status okay (This means the port is open) or 425 No connection established (This means the port is closed)
    1. 1.
      Instead of LIST you could also use RETR /file/in/ftp and look for similar Open/Close responses.
Example Using PORT (port 8080 of is open and port 7777 is closed):
Same example using EPRT(authentication omitted in the image):
Open port using EPRT instead of LIST (different env)


nmap -b <name>:<pass>@<ftp_server> <victim>
nmap -Pn -v -p 21,80 -b ftp:[email protected] #Scan ports 21,80 of the FTP
nmap -v -p 21,22,445,80,443 -b ftp:[email protected] #Scan the internal network (of the FTP) ports 21,22,445,80,443