maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/pentesting-ftp/ftp-bounce-attack.md

37 lines
1.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# FTP Bounce attack - Scan
{{#include ../../banners/hacktricks-training.md}}
## FTP Bounce - Scanning
### Manual
1. 连接到易受攻击的FTP
2. 使用 **`PORT`** 或 **`EPRT`**(但只能使用其中一个)来与您想要扫描的 _\<IP:Port>_ 建立连接:
`PORT 172,32,80,80,0,8080`\
`EPRT |2|172.32.80.80|8080|`
3. 使用 **`LIST`**(这将仅向连接的 _\<IP:Port>_ 发送FTP文件夹中当前文件的列表并检查可能的响应 `150 File status okay`(这意味着端口是开放的)或 `425 No connection established`(这意味着端口是关闭的)
1. 除了 `LIST`,您还可以使用 **`RETR /file/in/ftp`** 并寻找类似的 `Open/Close` 响应。
使用 **PORT** 的示例172.32.80.80 的端口 8080 是开放的,端口 7777 是关闭的):
![](<../../images/image (241).png>)
使用 **`EPRT`** 的相同示例(图中省略了身份验证):
![](<../../images/image (539).png>)
使用 `EPRT` 而不是 `LIST` 打开的端口(不同环境)
![](<../../images/image (875).png>)
### **nmap**
```bash
nmap -b <name>:<pass>@<ftp_server> <victim>
nmap -Pn -v -p 21,80 -b ftp:ftp@10.2.1.5 127.0.0.1 #Scan ports 21,80 of the FTP
nmap -v -p 21,22,445,80,443 -b ftp:ftp@10.2.1.5 192.168.0.1/24 #Scan the internal network (of the FTP) ports 21,22,445,80,443
```
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink