# FTP Bounce attack - Scan {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %} ## FTP Bounce - Scanning ### Manual 1. Connect to vulnerable FTP 2. Use \*\*`PORT`\*\*or **`EPRT`**(but only 1 of them) to make it establish a connection with the *\* you want to scan: `PORT 172,32,80,80,0,8080`\ `EPRT |2|172.32.80.80|8080|` 3. Use **`LIST`**(this will just send to the connected *\* the list of current files in the FTP folder) and check for the possible responses: `150 File status okay` (This means the port is open) or `425 No connection established` (This means the port is closed) 1. Instead of `LIST` you could also use **`RETR /file/in/ftp`** and look for similar `Open/Close` responses. Example Using **PORT** (port 8080 of 172.32.80.80 is open and port 7777 is closed): ![](https://4053168017-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbkAZDoSuRHGdNlWHdyKs%2Fuploads%2Fgit-blob-d136676c3db8797a97d5c6fb1850ce88dd908615%2Fimage%20\(241\).png?alt=media) Same example using **`EPRT`**(authentication omitted in the image): ![](https://4053168017-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbkAZDoSuRHGdNlWHdyKs%2Fuploads%2Fgit-blob-eb344f626e6d5b251ed703799f7fbb741538732f%2Fimage%20\(539\).png?alt=media) Open port using `EPRT` instead of `LIST` (different env) ![](https://4053168017-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FbkAZDoSuRHGdNlWHdyKs%2Fuploads%2Fgit-blob-c10b134894e78aa5a2f48642f02c8c8c6799f5c3%2Fimage%20\(875\).png?alt=media) ### **nmap** ```bash nmap -b :@ nmap -Pn -v -p 21,80 -b ftp:ftp@10.2.1.5 127.0.0.1 #Scan ports 21,80 of the FTP nmap -v -p 21,22,445,80,443 -b ftp:ftp@10.2.1.5 192.168.0.1/24 #Scan the internal network (of the FTP) ports 21,22,445,80,443 ``` {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}