NMAP FTP Bounce Attack

Jarret B

Well-Known Member
Staff member
May 22, 2017
Reaction score
An NMAP FTP Bounce Attack is similar in nature to an Idle Scan Attack. The requirement for the Bounce Attack is a File Transfer Protocol (FTP) Server with FXP.

The File eXchange Protocol (FXP) is used to allow data to be transferred from one server to another without the need of going through the client which initiated the transfer. Basically, an FTP Server can be told where to transfer the file rather than send it to the client system.

The FXP ability is what is utilized to perform the FTP Bounce Attack.

The FTP Bounce Attack

So, let’s look at the process of what is occurring during the FTP Bounce Attack.

There are three systems involved: the Source System, FTP Server and the Target System.

The Source System is where NMAP is being executed. The FTP Server is being utilized for the Bounce Attack. The Target System is being tested for open ports.

At the Source System NMAP is being run and given the IP Address of the FTP Server and the Target System. The Source System will perform a Three-Way Handshake with the FTP Server to open a connection. Once the connection is opened a request is sent to the FTP Server to send a file to the Target System on a specified port.

After the request is received to transfer a file to the Target System on a specified port the FTP Server will open a connection to the Target System. If the Port is closed the Target will refuse the Three-Way Handshake. If the Port is open the Target will accept a Three-Way Handshake with the FTP Server and accept the file transfer. Once a file transfer is completed the FTP Server will send a message to the Source System informing it that the file transfer completed on a specified port.

When NMAP receives the message it can add the open port to a list of open ports to be listed when the scan is completed.

The scan allows for two main things:
  1. The scan can be performed through a Firewall
  2. The Source and Target Systems never communicate with one another as long as the parameter ‘-P0’ is used so the Source System does not contact the Target to verify it is on-line

These two items are very important since a Firewall will not stop the scan. Servers inside a Firewall can be scanned as long as a file transferred from an FTP Server is not blocked. Having this blocked is unlikely.

The second item is important so that there is no log of any type showing the Source System on the Target. Only the FTP Server has a log, if one is enabled, of the communications and transfers between the systems. This is something that may not be accessible by the owners of the Target System.

Keep in mind that since the connection from the Source System is to an FTP Server there is no need for Root Privileges. The Ports being scanned are Transmission Control Protocol (TCP) only and no User Datagram Protocol (UDP) Ports will be tested. The scan can be slow since there is a file transfer occurring for open ports.

A final thing to keep in mind is that to find an FTP Server with FXP enabled is difficult.

To Enable FXP on Your FTP Server

You may want to test the FTP Bounce Attack on your own systems. To do this you need to have FXP enabled on an FTP Server. Here are some ways to enable FXP on various FTP Servers I found at ‘https://blog.servermania.com/setup-fxp-on-ftp-servers/’:
  • ProFTPD FTP server
    • Config file: /etc/proftpd.conf
    • Add “AllowForeignAddress on” in the Global sections of the configuration file.
  • vsftpd FTP server
    • Config file: /etc/vsftpd/vsftpd.conf
    • Add lines to config:
      • pasv_promiscuous=YES
      • port_promiscuous=YES
  • wu-ftpd FTP server
    • Config file to edit: /etc/ftpaccess
    • Directives in config:
      • port-allow {ArbitraryClassName} {HostAddrs}
      • pasv-allow {ArbitraryClassName} {HostAddrs}
    • If you want to allow FXP for everyone just use predefined class “all”:
      • port-allow all
      • pasv-allow all
    • If you want to give FXP to clients from some addresses only you have to create a new class for them first:
      • class {ArbitraryClassName} {AccessTypes} {HostAddrs} [HostAddrs]
    • Example:
      • class fxpclass real,guest,anonymous *.domain.com *.anotherdomain.com
      • class all real,guest,anonymous *
    • This will define a new class “fxpclass”. Make sure you have put this definition before the class “all” definition.
    • Now you can use the new class in FXP options:
      • port-allow fxpclass
      • pasv-allow fxpclass
On any FTP Server make sure you enable Anonymous logins as well as what is shown for enabling FXP above.

If when running the NMAP Bounce Attack command you get an error such as ‘Your ftp bounce server doesn't allow privileged ports, skipping them.’, this is due to an FTP Server not sending to ports between 1 and 1,024 except Port 21. The first 1,024 ports will be skipped.

One more thing to be aware of during the NMAP Scan is the use of Port numbers.

Port Designations

During a scan there will be port numbers involved so we need to cover the way that NMAP handles port numbers.

There are 65,535 TCP Ports and 65,535 UDP Ports in TCP/IP. When dealing with bytes of data one byte can only produce 256 values. There are eight bits in a byte allowing for counting from 0 to 255 for a total of 256 values. To be able to address the full 65,535 ports then two bytes must be used.

The way this is done in an NMAP Scan is the port number is added to the end of the IP Address. If the Target System’s IP Address is and we want to specify port 133 then we would use an address of We use the first four bytes for the Target System’s Address and the last two as the port number.

If the first byte of the port number is ‘0’ then the port we are accessing is the last byte. For example in the port address of ‘0.133’ the port is ‘133’. If the port address were ‘1.133’ then we have to take the ‘1’ times ‘256’ and add ‘133’ to get ‘389’. So, port ‘1.133’ is actually port ‘389’.

Hopefully this can help clear up some of the extra numbers in the IP Addresses seen in the NMAP Scan. Now to the scan.

FTP Bounce Scan

The command used for the FTP Bounce attack is:

nmap -v -b name:password@FTP-Address Target-Address -Pn

The ‘-v’ is for verbose reporting during and after the scan. The ‘-b’ allows for a bounce attack. The name is the username used to login into the FTP Server. Usually an anonymous login is allowed so use ‘anonymous’. The password is not important on anonymous logins so anything should work, such as ‘password’. It may be best to type a fake e-mail address such as ‘[email protected]’. The ‘FTP-Address’ designates the IP Address of the FTP Server to use. The Target Address is the IP Address of the Target System. The parameter ‘-Pn’ is used to specify not to ping the Target System to verify it is on-line.

If you want to run the scan you will need to find older FTP Software or find all of the proper parameters to make the FTP Server accept an NMAP Bounce Attack.

NOTE: Be aware that the scan is not workable since most FTP Servers will not perform what is needed for the scan. The scan is more for informative purposes.