As outlined in Chapter 4, FTP services bundled with the following operating platforms are vulnerable to bounce attacks in which port scans or malformed data can be sent to arbitrary locations via FTP:
If you know that an accessible FTP service is running on an internal network and is accessible through NAT, bounce attacks can be used to probe and attack other internal hosts, and even the server running the FTP service itself.

8.4.1 FTP Bounce Port Scanning

You can use the nmap port scanner in Unix and Windows environments to perform an FTP bounce port scan, using the -P0 and -b flags in the following manner:

nmap -P0 -b username:password@ftp-server:port <target host>

Example 8-5 shows an FTP bounce port scan being launched through the Internet-based 142.51.17.230 to scan an internal host at 192.168.0.5, a known address previously enumerated through DNS querying.

Example 8-5. FTP bounce scanning with nmap

# nmap -P0 -b 142.51.17.230 192.168.0.5 -p21,22,23,25,80

Starting nmap 3.45 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.0.5):
Port     State    Service
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   closed   telnet
25/tcp   closed   smtp
80/tcp   open     http

Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds
8.4.2 FTP Bounce Exploit Payload Delivery

If you can upload a binary file containing a crafted buffer overflow string to an FTP server that in turn is vulnerable to bounce attack, you can then send that information to a specific service port (either on the local host or other addresses). This concept is shown in Figure 8-2.

Figure 8-2. An illustration of the FTP payload bounce attack

For this type of attack to be effective, an attacker needs to authenticate and log into the FTP server, locate a writable directory, and test to see if the server is susceptible to FTP bounce attack. Solaris 2.6 is an excellent example because in its default state it is vulnerable to FTP bounce and RPC service overflow attacks.

Binary exploit data isn't the only type of payload that can be bounced through a vulnerable FTP server: spammers have also sent unsolicited email this way. Since 1995 when Hobbit released his first white paper on the issue of FTP abuse, a number of similar documents and approaches have been detailed. The CERT web site has a good description of the issue with background information, accessible at http://www.cert.org/tech_tips/ftp_port_attacks.html.
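Both the bounce scan in 8.4.1 and the payload bounce in 8.4.2 rely on the FTP server accepting a PORT command whose data address is not the client that opened the control connection. The check below is an added example, not code from the book or from any FTP server: it decodes PORT arguments and applies the standard server-side mitigation (data address must equal the control peer, data port must be unprivileged), then audits a constructed session in which a client at the documentation address 203.0.113.9 issues the PORT commands an Example 8-5 style scan of 192.168.0.5 would generate.

```python
import re

# Constructed example of the server-side bounce check; not the book's code.
PORT_ARG = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

def parse_port_argument(arg):
    """Decode an FTP PORT argument 'h1,h2,h3,h4,p1,p2' into (ipv4_string, port)."""
    m = PORT_ARG.match(arg.strip())
    if m is None:
        raise ValueError("malformed PORT argument: %r" % arg)
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field exceeds 255: %r" % arg)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), (p1 << 8) | p2

def port_command_allowed(arg, control_peer_ip):
    """Accept a PORT data address only if it is the control connection's peer
    and names an unprivileged port; anything else is a bounce attempt."""
    try:
        ip, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, str(exc)
    if ip != control_peer_ip:
        return False, "data address %s is not the control peer %s" % (ip, control_peer_ip)
    if port < 1024:
        return False, "data port %d is privileged" % port
    return True, "ok"

def rejected_port_commands(control_peer_ip, port_args):
    """Audit helper: return the PORT arguments a hardened server would refuse."""
    return [a for a in port_args if not port_command_allowed(a, control_peer_ip)[0]]

# Constructed session: the PORT commands a bounce scan of ports 21,22,23,25,80
# on 192.168.0.5 would send, plus one legitimate active-mode transfer back to
# the client itself on port 1025 (4*256 + 1).
SCAN_PORT_ARGS = [
    "192,168,0,5,0,21", "192,168,0,5,0,22", "192,168,0,5,0,23",
    "192,168,0,5,0,25", "192,168,0,5,0,80",
]
LEGIT_PORT_ARG = "203,0,113,9,4,1"

if __name__ == "__main__":
    for arg in SCAN_PORT_ARGS + [LEGIT_PORT_ARG]:
        ok, why = port_command_allowed(arg, "203.0.113.9")
        print("PORT %-18s %s (%s)" % (arg, "accept" if ok else "REJECT", why))
```

Only the transfer to the client's own unprivileged port is accepted; every PORT aimed at 192.168.0.5 is refused, which is exactly the server behaviour that makes the nmap -b scan above fail.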