FTP bounce attack is a vulnerability type where an attacker who cannot access a server in the internal network by using targeted FTP server as a proxy to transfer files and scans ports. If this explanation sounds complex, don’t worry. You can check whether your server is impacted by this vulnerability by using our tool.
FTP (File Transfer Protocol) is a TCP-based protocol that enables file transfer between the server and the client. There are numerous FTP commands. Some of these are PUT, STOR, GET(RETR) and PORT commands. You can view the complete list by clicking the link here.
You can connect to the FTP server by using FTP clients with graphical interface (ex. Filezilla, CuteFTP, Cyberduck), by using the command line (ex. bash, iterm, powershell) or by using your browser.
If you are using a command-line interface (or a script) to connect to FTP, you can send any command you want to the target server. People with malicious intent might use PORT command which is an FTP command for your FTP server to send the request to other systems. With this method, they can transfer files or scan ports in other systems by using your FTP server.
In FTP protocol, PORT command indicates an IP address and port which FTP server should connect. To learn more about PORT command, read this. People with malicious intent changes the parameters of this command and use the FTP server to open connections to different addresses.
This vulnerability enables the attacker to connect to another system via an FTP server and do unauthorised operations. For example, directory listing, port scanning, file downloading etc.
You can check FTP Bounce vulnerability within seconds with our free and online FTP Bounce Vulnerability Control tool. To do this, you can start by typing your domain name in the form on top of the page and start scanning.
Or you can check with nmap tool and nmap -v -P0 -b username:[email protected]:port Target_Host or nmap -sV --script ftp-bounce Target_Host command which can be installed to all operating systems.
Also, you can use ftpbounce auxiliary module of “Metasploit Framework” to check the vulnerability.
Lastly, you can check manually. If your FTP server is impacted from this vulnerability, you will have a result similar to the following:
USER A 331 Username okay, awaiting password PASS A 230 User logged in, proceed PORT 172,19,0,100,0,1234 200 The requested action has been successfully completed LIST 150 File status okay; about to open data connection // We understood port 1234 is open 226 Closing data connection PORT 172,19,0,100,0,4444 200 The requested action has been successfully completed LIST 425 No connection established // We understood port 4444 is closed
For example, an attacker using this vulnerability can scan ports in the internal network systems by using the following command:
nmap -v -p 21,22,445,80,443 -b username:[email protected] 192.168.0.1/24
There is a simple and effective solution to not to be impacted by this vulnerability. FTP server should be configured only to allow a connection between server and client.