8.4 FTP Bounce Attacks

As outlined in Chapter 4, FTP services bundled with the following operating platforms are vulnerable to bounce attacks in which port scans or malformed data can be sent to arbitrary locations via FTP:

  • FreeBSD 2.1.7 and earlier

  • HP-UX 10.10 and earlier

  • Solaris 2.6 / SunOS 5.6 and earlier

  • SunOS 4.1.4 and earlier

  • SCO OpenServer 5.0.4 and earlier

  • SCO UnixWare 2.1 and earlier

  • IBM AIX 4.3 and earlier

  • Caldera Linux 1.2 and earlier

  • Red Hat Linux 4.2 and earlier

  • Slackware 3.3 and earlier

  • Any Linux distribution running WU-FTPD 2.4.2-BETA-16 or earlier

If you know that an accessible FTP service is running on an internal network and is accessible through NAT, bounce attacks can be used to probe and attack other internal hosts, and even the server running the FTP service itself.

8.4.1 FTP Bounce Port Scanning

You can use the nmap port scanner in Unix and Windows environments to perform an FTP bounce port scan, using the -P0 and -b flags in the following manner:

nmap -P0 -b username:password@ftp-server:port <target host>

Example 8-5 shows an FTP bounce port scan being launched through an Internet-based FTP server to scan an internal host at a known address previously enumerated through DNS querying.

Example 8-5. FTP bounce scanning with nmap
# nmap -P0 -b -p21,22,23,25,80

Starting nmap 3.45 ( www.insecure.org/nmap/ )
Interesting ports on  (
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     closed      telnet
25/tcp     closed      smtp
80/tcp     open        http

Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds

When performing any type of bounce port scan with nmap, you should specify the -P0 option. This stops nmap from pinging the target host directly to ascertain whether it is up before the scan.
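The server-side fix that closed this hole in later FTP daemons is to honour a PORT command only when it names the control connection's own peer address and a non-privileged port (the check recommended in RFC 2577). The following is an added example, not code from the book or from any of the FTP servers listed above; the client address and PORT arguments are constructed samples.

```python
import ipaddress
import re

# FTP PORT argument (RFC 959): h1,h2,h3,h4,p1,p2 with each field a decimal byte.
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_arg(arg: str):
    """Return (host, port) parsed from a PORT argument, or None if malformed."""
    m = PORT_RE.match(arg.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def check_port_command(arg: str, control_peer: str):
    """Decide whether an FTP server should accept this PORT command.

    control_peer is the client's IP on the control connection. Rejecting a data
    host that differs from it blocks bounce scans and payload bounces to third
    parties; rejecting ports below 1024 blocks bouncing at well-known services
    on the client's own host (SMTP, telnet, and so on). Returns (accepted, reason).
    """
    parsed = parse_port_arg(arg)
    if parsed is None:
        return False, "malformed PORT argument"
    host, port = parsed
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        return False, f"bounce attempt: data host {host} != control peer {control_peer}"
    if port < 1024:
        return False, f"refusing privileged data port {port}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a client at 203.0.113.5 (documentation range) issues
    # three PORT commands; only the first should be honoured.
    peer = "203.0.113.5"
    for sample in ("203,0,113,5,195,80",    # own host, port 50000: legitimate
                   "192,168,0,10,0,22",     # internal host, port 22: bounce scan
                   "203,0,113,5,0,25"):     # own host, port 25: privileged port
        print(sample, check_port_command(sample, peer))
```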

8.4.2 FTP Bounce Exploit Payload Delivery

If you can upload a binary file containing a crafted buffer overflow string to an FTP server that is in turn vulnerable to a bounce attack, you can then have the server send that data to a specific service port (either on the local host or on other addresses). This concept is shown in Figure 8-2.

Figure 8-2. An illustration of the FTP payload bounce attack

For this type of attack to be effective, an attacker needs to authenticate and log into the FTP server, locate a writeable directory, and test whether the server is susceptible to an FTP bounce attack. Solaris 2.6 is an excellent example because in its default state it is vulnerable to both FTP bounce and RPC service overflow attacks. Binary exploit data isn't the only type of payload that can be bounced through a vulnerable FTP server: spammers have also sent unsolicited email this way.

Since 1995 when Hobbit released his first white paper on the issue of FTP abuse, a number of similar documents and approaches have been detailed. The CERT web site has a good description of the issue with background information, accessible at http://www.cert.org/tech_tips/ftp_port_attacks.html.