TCP FTP Bounce Scan
This type of scan exploits a vulnerability inside old FTP servers that support a proxy-based FTP
connection. This vulnerability takes advantage of a feature that existed inside old ftp servers, which
allowed the users to connect to the FTP server and send files to a third-party server. This was done
110
◾
Ethical Hacking and Penetration Testing Guide
by asking the server to send a file to a specific port on the target machine. This way the attacker
could remain anonymous, while the FTP server actually performs the dirty work.
Port
192,168,0,5,0-135
SYN + Port 135
SYN/ACK
ACK
226 Transfer
complete
Source
192.168.0.8
FTP server
192.168.0.7
Destination
192.168.0.5
List
However, I would like to mention that this bug was patched inside most of the FTP servers
during the 1990s when it was first found, and almost all ftp servers are nowadays configured to
block port commands, but you can still find a vulnerable FTP server if you look long enough.
Nmap gives you the flexibility to test if a target FTP server is vulnerable to the FTP bounce
attack or not.
Command
:
nmap –b
Service Version Detection
So, until now we discussed how to figure out the services that are running on a certain port. In this
section, we will learn to use nmap to find the exact version of the service running on a port; this
could help us look for the potential exploits for that particular version of the service.
Nmap has a database named nmap-services that contain more than 2200 well-known services.
The service version detection can be performed by specifying the –sv parameter to the nmap.
Command
:
nmap –sV
Target Enumeration and Port Scanning Techniques
◾
Dostları ilə paylaş: |
