Sunday, March 21, 2010

03 Back Pocket Scan

The FTP bounce attack and idlescan both allow you to scan devices through a firewall, completely ignoring its rules and filters.

FTP Bounce Attack

What's a bounce attack?
The FTP bounce attack introduces a third workstation that acts as a proxy between nmap and the remote device.

The FTP bounce attack wouldn't be possible if the server were not set to the FTP transfer mode known as passive mode.

With FTP passive mode, FTP command connections are completely separate from FTP data connections.

- user name is anonymous
- password is anonpass
- 192.168.0.5 is the remote device
- -P0 tells nmap that I don't want to ping the remote device.

The FTP bounce attack is an attack that hides the originating station. If we ping the remote device, there will be a way to trace the connection between our nmap station and the target device; with the ping disabled we remain hidden.

If Nmap manages to successfully log on to an FTP server but you receive the following:

“Your ftp bounce server doesn't allow privileged ports, skipping them.”

It means the FTP server is configured not to send anything to ports 0-1024 except for ports 20 & 21 – this was an early way of preventing things such as Nmap from connecting to ‘well known’ ports other than 20 & 21, which are usually the only ports it will need to connect to in order to send a file.

If your FTP bounce server does not allow it to act as a proxy at all, you will eventually get the message:

Your ftp bounce server sucks, it won't let us feed bogus ports!

Advantages
- Scanning through a firewall is easy.
- Standard FTP, nothing special is required

Disadvantages
- It is difficult to find an older, insecure FTP server that allows this capability.
- Newer FTP servers provide built-in protection by default.
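The built-in protection mentioned above comes down to checking each PORT command the client sends: a hardened server refuses a data connection to any address other than the client's own, and refuses privileged ports other than 20 and 21. The following Python is an added example (not from the original post or from Nmap) that applies the same checks to a constructed FTP control-channel log so a defender can spot bounce attempts; the log entries, client address and function names are assumptions made here.

```python
import re

# Matches the FTP "PORT h1,h2,h3,h4,p1,p2" command (RFC 959 syntax).
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I)

def parse_port(command):
    """Return (host, port) from a PORT command, or None if it is not a valid one."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]   # p1 is the high byte, p2 the low byte
    return host, port

def classify_port(client_ip, command):
    """Classify a PORT command the way a hardened FTP server (or a log reviewer) would:
    'bounce'     - data connection requested to an address other than the client's
    'privileged' - port below 1024 other than 20 or 21
    'ok'         - ordinary active-mode request back to the client itself
    'not-port'   - not a PORT command at all
    """
    parsed = parse_port(command)
    if parsed is None:
        return "not-port"
    host, port = parsed
    if host != client_ip:
        return "bounce"
    if port < 1024 and port not in (20, 21):
        return "privileged"
    return "ok"

# Constructed sample log: (client address, command) pairs from one FTP session.
SAMPLE_LOG = [
    ("10.0.0.7", "USER anonymous"),
    ("10.0.0.7", "PORT 10,0,0,7,4,1"),        # client's own address, port 1025: fine
    ("10.0.0.7", "PORT 192,168,0,5,0,22"),    # third-party host, port 22: bounce attempt
    ("10.0.0.7", "PORT 10,0,0,7,0,80"),       # own address, but privileged port 80
    ("10.0.0.7", "PORT 10,0,0,7,0,21"),       # port 21 is allowed
    ("10.0.0.7", "PORT 300,0,0,1,4,1"),       # malformed octet, ignored
]

def find_bounce_attempts(log):
    """Return (client, target_host, target_port) for every bounce-style PORT command."""
    hits = []
    for client, cmd in log:
        if classify_port(client, cmd) == "bounce":
            host, port = parse_port(cmd)
            hits.append((client, host, port))
    return hits
```

Running `find_bounce_attempts(SAMPLE_LOG)` flags only the request aimed at 192.168.0.5, which is the one a bounce server would have relayed on the scanner's behalf.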

Idlescan
Idlescan is another method to scan without direct communication. This attack is more reliable than the outdated FTP bounce attack.

Before launching an idlescan, a zombie station must be identified. There are two requirements for this station: the zombie station must be idle, and it must provide consistent and predictable IP Identification (IPID) values. If the zombie station does not give predictable IPIDs, nmap will provide a warning before the scan begins.

IP Identification Field
Each IP header includes a 2-byte field called the Identification field. Every frame transmitted from a device carries a unique identification number. These IPID values are very important to the operation of the IP protocol: if an IP packet is larger than the network can handle, the packet is fragmented into smaller pieces. Each fragment then has a special field set that helps the end station determine the number of fragment packets and the order of reassembly.

Even though the original frame is split into smaller pieces, all the fragments still carry the original IPID value.

In many operating systems the IPID changes incrementally for each transmitted frame, which means that we can predict the IPID of many systems before the next frame appears. This is the type of behaviour needed for an idle scan session.

However, not all operating systems work so predictably: some operating systems randomize their IPIDs for every frame, which makes those operating systems useless for idle scan.