What is the FTP bounce attack?
Suppose X is a user on attacker.com who wants to transfer a file from target.com, but X does not have permission to transfer files from target.com. Another machine, middle-man.com, does have permission to transfer files from target.com.
So X makes a plan. He opens an FTP connection to middle-man.com and then instructs middle-man.com to transfer the file from target.com to attacker.com using the FTP protocol. This is called the FTP bounce attack.
How does the FTP bounce attack work?
This attack is possible when the FTP server on middle-man.com supports passive mode.
Let’s look into what the passive mode of FTP connection is.
The FTP protocol usually uses two connections: one control connection and one data connection. Commands are sent over the control connection, and data travels over the data connection.
In Active FTP, the FTP client first initiates the control connection from its port N to the FTP server's command port, port 21. The client then listens on port N+1 and sends that port number to the FTP server. The FTP server then initiates the data connection from its port M to port N+1 of the FTP client.
If the FTP client sits behind a firewall that controls incoming data connections from outside, active FTP may be a problem. A feasible solution for that is Passive FTP.
In Passive FTP, the client initiates the control connection from its port N to port 21 of the FTP server. After this, the client issues a PASV command. The server then sends the client one of its port numbers, M. The client initiates the data connection from its port P to port M of the FTP server.
In the FTP bounce attack, an attacker exploits the passive mode of the FTP server. The attacker performs the following steps:
- X opens an FTP connection from attacker.com to the FTP Server middle-man.com
- X issues a PORT command and asks the server to open a data connection to port M. But he tricks the FTP server: instead of specifying the IP address of attacker.com, he gives the IP address of target.com.
- X now sends the FTP Server a file of listed commands and requests it to execute that.
- The file has the following set of commands:
1. Open an FTP connection to target.com
2. middle-man.com uses passive mode. So, it must send a port number to which target.com should open a data connection. middle-man.com specifies that with a PORT command, but instead of giving the IP address of middle-man.com, the file specifies the IP address of attacker.com.
3. Transfer the required file over the connection thus established.
So, at this point, middle-man.com is tricked into requesting target.com to open a data connection from …
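A server-side check for the forged PORT command in the steps above, as an added example that is not part of the original article: it parses the PORT argument (six comma-separated bytes, per RFC 959) and refuses any data address other than the control connection's peer, plus ports below 1024 as RFC 2577 advises. The function names and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import re

# PORT argument per RFC 959: h1,h2,h3,h4,p1,p2 (address bytes, then port high/low byte)
PORT_RE = re.compile(r"^PORT\s+" + r",".join([r"(\d{1,3})"] * 6) + r"\s*$", re.I)

def parse_port(command):
    """Return (ip, port) from a PORT command line, or None if it is malformed."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]

def check_port(peer_ip, command):
    """Verdict for a PORT command received from peer_ip on the control connection.
    Returns "ok", "reject-malformed", "reject-bounce" or "reject-low-port"."""
    parsed = parse_port(command)
    if parsed is None:
        return "reject-malformed"
    ip, port = parsed
    if ip != ipaddress.IPv4Address(peer_ip):
        return "reject-bounce"    # data connection aimed at a host other than the client
    if port < 1024:
        return "reject-low-port"  # RFC 2577 advises refusing ports below 1024
    return "ok"

# Constructed control-channel records: (client address, command received).
# Documentation-range addresses stand in for attacker.com (203.0.113.5)
# and target.com (198.51.100.7).
SAMPLE = [
    ("203.0.113.5", "PORT 203,0,113,5,195,80"),  # client's own address, port 50000
    ("203.0.113.5", "PORT 198,51,100,7,0,21"),   # third-party address: the bounce
    ("203.0.113.5", "PORT 203,0,113,5,0,25"),    # own address but a service port
    ("203.0.113.5", "PORT 203,0,113,5,300,1"),   # byte out of range
]

def scan(records):
    """Apply check_port to each record and return (peer, command, verdict) tuples."""
    return [(peer, cmd, check_port(peer, cmd)) for peer, cmd in records]

if __name__ == "__main__":
    for peer, cmd, verdict in scan(SAMPLE):
        print(f"{peer:15} {cmd:28} {verdict}")
```

The same comparison works offline over FTP server logs that record both the client address and the PORT argument.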