110 ◾ Ethical Hacking and Penetration Testing Guide
by asking the server to send a file to a specific port on the target machine. This way the attacker can remain anonymous to the target, which only ever sees connections coming from the FTP server, while the FTP server actually performs the dirty work.
[Figure: FTP bounce scan. The source (attacker, 192.168.0.8) logs in to the FTP server (192.168.0.7) and sends PORT 192,168,0,5,0,135, naming the destination 192.168.0.5 and port 135 (0 * 256 + 135) as the data connection endpoint, followed by LIST. The FTP server then opens the data connection to the destination on the attacker's behalf: SYN to port 135, SYN/ACK back from the destination, ACK from the FTP server. Because the handshake completed, the FTP server reports "226 Transfer complete" to the attacker, revealing that port 135 on the destination is open.]
However, I would like to mention that this bug was patched in most FTP servers during the 1990s, when it was first found, and almost all FTP servers are nowadays configured to reject a PORT command whose address is not that of the client on the control connection (typically with a "500 Illegal PORT command" reply), but you can still find a vulnerable FTP server if you look long enough.
Nmap gives you the flexibility to test whether a target FTP server is vulnerable to the FTP bounce attack or not. The argument to -b is the relay in URL-style notation; username and password default to anonymous login, and -Pn matters because otherwise Nmap's own host discovery would contact the target directly and give away the attacker's address.
Command:
nmap -Pn -b <username>:<password>@<ftp-relay-host>:<port> <target>
For the hosts in the figure above, anonymously through the relay 192.168.0.7 against port 135 of 192.168.0.5:
nmap -Pn -b 192.168.0.7 -p 135 192.168.0.5
If the relay refuses the third-party PORT command, Nmap reports that the server does not allow the bounce and the scan yields nothing.
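To make the exchange in the figure concrete, here is an added example (not from the book and not Nmap's code) of a minimal FTP bounce scanner in Python. It encodes the PORT argument, logs in to the relay, asks it to open a data connection to each target port and reads the verdict on LIST: a 226 means the relay's handshake with the target succeeded, a 425 means it did not, and a non-200 reply to PORT means the relay is patched and refuses third-party addresses. Since no vulnerable relay is available offline, the block also starts a constructed fake FTP server on 127.0.0.1 that behaves like the unpatched 192.168.0.7 of the figure and "reaches" only port 135. The addresses are those of the figure and the function names are mine.

```python
import re
import socket
import threading

# Constructed lab addresses from the diagram on this page; none of them is a real host.
# The fake relay below listens on 127.0.0.1 and stands in for the unpatched server 192.168.0.7.
TARGET = "192.168.0.5"
FAKE_OPEN_PORTS = {135}   # the fake relay "builds a data connection" only to these target ports
CANNED = {"USER": "331 Password required", "PASS": "230 Logged in", "QUIT": "221 Goodbye"}


def port_command(ip: str, port: int) -> str:
    """Encode an FTP PORT argument: h1,h2,h3,h4,p1,p2 with p1 * 256 + p2 == port."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port >> 8, port & 0xFF)


def classify(list_reply: int) -> str:
    """Translate the relay's final reply to LIST into a verdict on the target port."""
    if list_reply == 226:               # "Transfer complete": the target completed the handshake
        return "open"
    if list_reply in (425, 426):        # "Can't build data connection": RST or no answer
        return "closed"
    return "unknown"


def _read_reply(rfile) -> int:
    """Read one FTP reply (single- or multi-line, RFC 959) and return its 3-digit code."""
    line = rfile.readline().decode("latin-1")
    if not re.match(r"^\d{3}[ -]", line):
        raise ConnectionError("malformed or missing reply: %r" % line)
    code = line[:3]
    while line[:3] == code and line[3:4] == "-":   # multi-line reply: ends at "<code> " (as ftplib does)
        line = rfile.readline().decode("latin-1")
    return int(code)


def bounce_scan(relay, ports, user="anonymous", password="nmap@", target=TARGET):
    """Log in to the FTP relay (host, port) and probe each target port through it."""
    results = {}
    with socket.create_connection(relay, timeout=5) as s:
        rf = s.makefile("rb")

        def cmd(line):
            s.sendall((line + "\r\n").encode("latin-1"))
            code = _read_reply(rf)
            while code // 100 == 1:     # 1xx (e.g. 150) is preliminary; the real verdict follows it
                code = _read_reply(rf)
            return code

        _read_reply(rf)                 # 220 greeting
        cmd("USER " + user)
        if cmd("PASS " + password) != 230:
            raise PermissionError("login to the relay failed")
        for p in ports:
            if cmd(port_command(target, p)) != 200:   # patched relay, e.g. "500 Illegal PORT command"
                results[p] = "relay-refused"
                continue
            results[p] = classify(cmd("LIST"))
        cmd("QUIT")
    return results


def start_fake_relay():
    """Constructed stand-in for an unpatched relay; returns the (host, port) it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    addr = srv.getsockname()

    def serve():
        conn, _ = srv.accept()
        rf = conn.makefile("rb")

        def say(*replies):
            conn.sendall("".join(r + "\r\n" for r in replies).encode("latin-1"))

        say("220 fake-ftpd ready")
        data_port = None
        for line in rf:
            verb, _, arg = line.decode("latin-1").strip().partition(" ")
            if verb == "PORT":          # unpatched: accepts any h1-h4, not just the client's own address
                h = arg.split(",")
                data_port = int(h[4]) * 256 + int(h[5])
                say("200 PORT command successful")
            elif verb == "LIST" and data_port in FAKE_OPEN_PORTS:   # pretend SYN/SYN-ACK/ACK succeeded
                say("150 Opening ASCII mode data connection", "226 Transfer complete")
            elif verb == "LIST":
                say("425 Can't build data connection")
            else:
                say(CANNED.get(verb, "502 Command not implemented"))
            if verb == "QUIT":
                break
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return addr
```

Calling `bounce_scan(start_fake_relay(), [135, 139, 445])` returns `{135: 'open', 139: 'closed', 445: 'closed'}`, which is exactly the information the "226 Transfer complete" in the figure leaks; against a real relay you would pass its (host, 21) instead. Note that the relay's verdict for a filtered port is also 425 (it times out instead of getting a RST), so a bounce scan cannot tell closed from filtered the way a direct SYN scan can.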
Service Version Detection
So far we have discussed how to figure out which services are running on a certain port. In this section, we will learn to use Nmap to find the exact version of the service running on a port; this helps us look for potential exploits for that particular version of the service.
Nmap ships two databases that matter here. nmap-services maps port numbers to service names and lists more than 2200 well-known services; it is what labels the ports in an ordinary port scan, and that label is only a guess based on the port number. Version detection goes further: Nmap sends probes to each open port, reads the responses, and matches them against the regular expressions in nmap-service-probes to extract the product name and version. Version detection is performed by specifying the -sV parameter to Nmap (note the uppercase V).
Command:
nmap -sV <target>
For example, against the destination host in the figure above: nmap -sV 192.168.0.5
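The part of -sV that turns a raw response into a product and version is a table of regular expressions. As an added example (not from the book and not Nmap's source), the Python below implements that matching step: it parses a handful of match lines written in the nmap-service-probes syntax (`match <service> m/<regex>/<flags> p/<product>/ v/<version>/ ...`, with `$1`-style references to capture groups), runs constructed banners against them and extracts the fields. The match lines and banners are constructed for this example, not copied from Nmap's file or from real hosts; `grab_banner()` is the only part that touches the network and is not needed for the offline demo.

```python
import re
import socket

# Match lines written in the syntax of nmap-service-probes (match <service> m/<regex>/<flags> <fields>).
# These particular lines are constructed for this example and are not copied from Nmap's file.
MATCH_LINES = [
    r"match ftp m|^220 ProFTPD (\d[\w.]+) Server| p/ProFTPD/ v/$1/",
    r"match ftp m/^220[ -]\(vsFTPd ([\d.]+)\)/ p/vsftpd/ v/$1/",
    r"match ssh m/^SSH-([\d.]+)-OpenSSH_([\w.]+)/ p/OpenSSH/ v/$2/ i/protocol $1/",
    r"match http m/^HTTP\/1\.[01] \d{3} .*\r\nServer: Apache\/([\d.]+)/s p/Apache httpd/ v/$1/",
]
FIELD_NAMES = {"p": "product", "v": "version", "i": "info", "h": "hostname", "o": "os", "d": "devicetype"}

# "match" + service + m<delim>regex<delim>flags + optional version fields. The regex body may escape
# the delimiter with a backslash, so the body is matched as (escaped char | any non-delimiter char)*.
MATCH_LINE_RE = re.compile(r"^match\s+(\S+)\s+m(.)((?:\\.|(?!\2).)*)\2([is]*)\s*(.*)$")
FIELD_RE = re.compile(r"([pvihod])([/|])(.*?)\2")


def parse_match_line(line):
    """Turn one match line into (service, compiled regex, {field letter: template})."""
    m = MATCH_LINE_RE.match(line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    service, _delim, pattern, flags, fields = m.groups()
    re_flags = (re.DOTALL if "s" in flags else 0) | (re.IGNORECASE if "i" in flags else 0)
    return service, re.compile(pattern, re_flags), {k: v for k, _, v in FIELD_RE.findall(fields)}


SIGNATURES = [parse_match_line(l) for l in MATCH_LINES]


def identify(banner: bytes, signatures=SIGNATURES):
    """Run a captured response against the signatures; return service/product/version or None."""
    text = banner.decode("latin-1")          # banners are bytes; latin-1 keeps every byte addressable
    for service, regex, fields in signatures:
        hit = regex.search(text)
        if hit is None:
            continue

        def expand(template):                # $1..$9 refer to the regex's capture groups, as in Nmap
            return re.sub(r"\$(\d)", lambda g: hit.group(int(g.group(1))) or "", template)

        result = {"service": service}
        result.update((FIELD_NAMES[k], expand(v)) for k, v in fields.items())
        return result
    return None


def grab_banner(host, port, probe=b"", timeout=3.0):
    """Live helper: connect, optionally send a probe (an empty probe just listens), read one chunk."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""


# Constructed responses standing in for what a NULL probe or a GET request would return.
SAMPLE_BANNERS = {
    ("192.168.0.7", 21): b"220 ProFTPD 1.3.5 Server (Debian) [::ffff:192.168.0.7]\r\n",
    ("192.168.0.5", 22): b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",
    ("192.168.0.5", 80): b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n\r\n",
    ("192.168.0.5", 9999): b"hello?\r\n",    # nothing matches: Nmap would print a fingerprint instead
}


def scan_samples():
    """Identify every constructed sample: the SERVICE and VERSION columns -sV would print."""
    return {hp: identify(b) for hp, b in SAMPLE_BANNERS.items()}
```

Two things this makes visible that the command alone does not: the version string is only as trustworthy as the banner the service chooses to send (a hardened server that rewrites its greeting defeats the ProFTPD and vsftpd lines here just as it defeats Nmap's), and a response that matches nothing is not "no service" but an unknown one, which is why Nmap prints a fingerprint for such ports and asks you to submit it.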