Advantages of the FTP Bounce Attack
Like idlescan, the FTP bounce attack can scan "through" a firewall. The nmap station needs only an FTP login on the relay server to scan any device that the FTP server itself can reach. This is a significant feature, since the firewall would otherwise block direct reconnaissance of the protected network.
The FTP bounce attack uses standard FTP functionality: nmap logs in and issues ordinary PORT and LIST commands over the control connection. No crafted packets and no changes to the FTP protocol are required, so the bounce scan does not need root privileges or raw-socket access on the scanning host.
Disadvantages of the FTP Bounce Attack
The largest disadvantage of the FTP bounce attack is finding an FTP server that still allows a PORT command to direct the data connection to a third device. Most FTP servers are configured by default to reject a PORT command whose address is not that of the client on the control connection (and, usually, any privileged port), even though that restriction technically departs from the FTP standard, which lets the client name any host.
My FreeBSD server had to be reconfigured through inetd.conf to start ftpd with the -R parameter, which disables the protection and makes ftpd strictly comply with the FTP RFC. This is obviously not the normal configuration for a production FTP server!
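To make the mechanism concrete, here is an added example (my own code, not nmap's and not any FTP daemon's) that covers both halves of the discussion above: the client side that nmap's bounce scan automates, where each probe is a PORT naming the target followed by a LIST, and the server-side check, the one the -R flag switches off, that decides whether such a PORT is honoured. The relay, credentials and target are placeholders supplied by the caller; the reply-code handling follows RFC 959, and the reply strings quoted in the comments and tests are the common wordings, not captures from any particular server.

```python
import re
import socket


def port_arg(host: str, port: int) -> str:
    """Encode host and port as the PORT argument h1,h2,h3,h4,p1,p2 (RFC 959).
    The port travels as two decimal bytes: port = p1*256 + p2."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {host!r}")
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def parse_port_arg(arg: str) -> tuple:
    """Decode a PORT argument into (host, port), as the server sees it."""
    nums = [int(x) for x in arg.split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    return ".".join(map(str, nums[:4])), (nums[4] << 8) | nums[5]


def port_allowed(peer_ip: str, arg: str, strict: bool = True) -> bool:
    """Server-side decision on a PORT request. strict=True is the usual default:
    data connections only back to the control connection's own host, and only
    to unprivileged ports. strict=False is pure RFC 959 behaviour (what
    FreeBSD ftpd -R restores): any address is honoured, so bouncing works."""
    host, port = parse_port_arg(arg)
    if not strict:
        return True
    return host == peer_ip and port >= 1024


def classify(port_reply: str, list_reply: str) -> str:
    """Turn the relay's replies into a verdict on the target port. Only the relay
    talks to the target, so its data-connection outcome is the only signal:
    150/226 on LIST = target accepted the connection (open); 425 "Can't build
    data connection" = refused (closed or filtered); non-200 on PORT = the relay
    itself declined to bounce, so nothing can be said about the target."""
    if not port_reply.startswith("200"):
        return "relay-refused"
    code = list_reply[:3]
    if code in ("125", "150", "226", "250"):
        return "open"
    if code == "425":
        return "closed"
    return "unknown"


def read_reply(f) -> str:
    """Read one FTP reply, joining multi-line replies ('220-' continues,
    '220 ' terminates), from any object with a readline() method."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("relay closed the control connection")
        lines.append(line.rstrip("\r\n"))
        if re.match(r"\d{3} ", line):
            return "\n".join(lines)


def bounce_scan(relay: str, user: str, password: str, target: str,
                ports, relay_port: int = 21, timeout: float = 15.0) -> dict:
    """Scan `ports` on `target` by bouncing through the FTP server `relay`.
    Each probe is one PORT aimed at the target followed by one LIST."""
    results = {}
    with socket.create_connection((relay, relay_port), timeout=timeout) as s:
        f = s.makefile("rw", encoding="latin-1", newline="")

        def cmd(line: str) -> str:
            f.write(line + "\r\n")
            f.flush()
            return read_reply(f)

        read_reply(f)                       # greeting banner
        reply = cmd(f"USER {user}")
        if reply.startswith("331"):
            reply = cmd(f"PASS {password}")
        if not reply.startswith("230"):
            raise PermissionError(f"login failed: {reply}")
        for port in ports:
            port_reply = cmd(f"PORT {port_arg(target, port)}")
            list_reply = ""
            if port_reply.startswith("200"):
                list_reply = cmd("LIST")
                if list_reply.startswith(("125", "150")):
                    read_reply(f)           # drain the 226/426 that ends the transfer
            results[port] = classify(port_reply, list_reply)
        cmd("QUIT")
    return results


if __name__ == "__main__":
    import sys
    # usage: bounce.py RELAY USER:PASS TARGET 22,80,443   (all placeholders)
    relay, creds, target, port_list = sys.argv[1:5]
    user, password = creds.split(":", 1)
    for port, state in bounce_scan(relay, user, password, target,
                                   [int(p) for p in port_list.split(",")]).items():
        print(f"{target}:{port} {state}")
```

Running it for real needs a relay that honours third-party PORT requests; against a default-configured server every PORT draws a 500-series refusal and every port comes back as relay-refused, which is exactly the protection the text describes. The equivalent nmap invocation is nmap -b user:password@relay:21 -p 22,80 target.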
The FTP bounce attack can only scan TCP ports. The FTP data connection is always TCP, so the relay cannot tell us anything about the availability of UDP ports on the target.
The process of bouncing through an FTP server is slow compared to other scanning methods. Each probe is a separate PORT and data-connection attempt that checks a single port, and the current nmap bounce options provide for only a single FTP connection, so probes cannot run in parallel.
The FTP bounce attack starts an application session with the FTP server, and most FTP servers will log the connection and all of the commands used during the session.
When to use the FTP Bounce Attack
The FTP bounce attack is a well-positioned TCP port scan through a firewall. FTP is commonly permitted through a packet-filtering device, and a connection to an FTP server provides the perfect jumping-off point to gather more information about the rest of the protected network. If the FTP server is this poorly maintained, there are probably more devices that need to be identified and corrected!
The FTP bounce attack does not provide version information, although the technique could in principle be extended to do so. Adding that functionality to nmap is questionable, however, because few FTP servers remain on which a bounce attack would work (and the number is dwindling). Many other potential enhancements to nmap would provide far more capability than updating the FTP bounce attack.
The FTP bounce attack is interesting, but it's probably not going to work with contemporary FTP servers. If you need to scan through a firewall, you may have better luck with idlescan.

