
Suppose that there is a network of machines, and there is a server running an FTP server that allows FTP bounce.

I do an nmap scan on the network: `nmap -sC -some other parameters network address`.

Does nmap use FTP bounce to attack the network?

If not, how do I use FTP bounce to check/attack ports?

Dotzio

1 Answer

It is possible to use FTP bounce using nmap to port scan the network.

E.g.:

```
nmap -v -P0 -b <username>:<password>@<ftp_server_address> <address(es)_to_scan>
```

We use `-P0` so we don't try to ping the server prior to the scan.

To see if FTP bounce is possible, check this script.

Boaz Tirosh
  • Isn't the flag for disabling ping `-Pn`, rather than `-P0`? – Polynomial Sep 22 '12 at 13:21
  • Nmap `-P0` functions the same as `-PN`; both inhibit ping. I've always used `-P0` and was surprised that it isn't mentioned at all in the documentation. I wouldn't be surprised if it was an option a decade ago when I learned the tool and is now deprecated but retained for compatibility. (I did tcpdump a scan to verify that it does, in fact, inhibit the ping scan) – gowenfawr Sep 22 '12 at 13:36
  • @gowenfawr @Polynomial In Nmap 5.30BETA1, several options were renamed to be more consistent, but the old forms are still valid: `-P0` and `-PN` became `-Pn`, and `-sP` ("Ping scan") became `-sn` ("No port scan"). – bonsaiviking Oct 25 '12 at 14:34
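Added example, not part of the original question, answer or comments: a defender-side check for the FTP bounce behaviour discussed above, flagging `PORT` commands that name an address other than the control connection's client. The event format (`(client_ip, command)` tuples), the function names and the threshold are assumptions made for illustration; the sample events are constructed.

```python
import re

# PORT argument per RFC 959: h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT\s+" + r",".join([r"(\d{1,3})"] * 6) + r"\s*$", re.I)

def parse_port(command):
    """Return (ip, port) from an FTP PORT command, or None if not a valid PORT."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def bounce_findings(events, distinct_threshold=5):
    """events: iterable of (client_ip, command) pairs (assumed log shape).

    Flags PORT commands aimed at a third-party address, PORT commands to
    privileged ports, and clients that cycle through many third-party targets.
    Note: a client behind NAT may legitimately send a private address in PORT,
    so third-party findings need triage rather than automatic blocking.
    """
    findings = []
    targets = {}  # client_ip -> set of third-party (ip, port) pairs
    for client_ip, command in events:
        parsed = parse_port(command)
        if parsed is None:
            continue
        ip, port = parsed
        if ip != client_ip:
            findings.append((client_ip, "third-party PORT", ip, port))
            targets.setdefault(client_ip, set()).add((ip, port))
        elif port < 1024:
            findings.append((client_ip, "privileged PORT", ip, port))
    for client_ip, seen in targets.items():
        if len(seen) >= distinct_threshold:
            findings.append((client_ip, "bounce scan pattern", None, len(seen)))
    return findings

# Constructed sample events (documentation address ranges, not real hosts)
SAMPLE = [
    ("203.0.113.10", "PORT 203,0,113,10,195,80"),  # ordinary active-mode transfer
    ("203.0.113.10", "LIST"),
] + [("198.51.100.7", f"PORT 192,0,2,20,0,{p}") for p in (21, 22, 23, 25, 80)]

if __name__ == "__main__":
    for finding in bounce_findings(SAMPLE):
        print(finding)
```

On the server side, the corresponding mitigation is to refuse `PORT` arguments whose address differs from the control connection's peer or whose port is below 1024, as RFC 2577 recommends.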