The FTP bounce attack is a vulnerability that allows an attacker to use an FTP server as a proxy for attacks against other machines. The attack works by tricking the FTP server into sending packets to the victim’s machine, with the attacker’s IP address spoofed in the packets. This can be used to bypass firewalls and other security measures.
Nmap can detect servers that allow the FTP bounce attack with its ftp-bounce script. The script sends a PORT command to the FTP server with a fake IP address, and then tries to connect to that address using the FTP server as a proxy. If the server allows the connection, it is vulnerable to the FTP bounce attack.
Here is an example command to run the FTP Bounce script in Nmap:
nmap -sV --script=ftp-bounce <target>
This command will perform a version detection scan (-sV) and run the FTP Bounce script against the target.
As for a real-life case study, in 2017, a vulnerability was discovered in the ProFTPD server that allowed an attacker to carry out the FTP bounce attack. This vulnerability was assigned CVE-2017-7418 and affected versions 1.3.5b and earlier. Nmap can be used to detect this vulnerability by running the FTP Bounce script against the vulnerable server.
It’s worth noting that the FTP bounce attack is an old technique that is no longer widely used. Many modern FTP servers have mitigations in place to prevent this type of attack. However, it’s still important to be aware of this vulnerability and to test for it if you are running an FTP server.