What is an FTP Bounce Attack?
Suppose X is a user on attacker.com who wants to transfer a file from target.com, but X does not have permission to transfer files from target.com. There is another machine, middle-man.com, which does have permission to transfer files from target.com.
So X makes a plan. He opens an FTP connection to middle-man.com and then instructs middle-man.com to transfer the file from target.com to attacker.com using the FTP protocol. This is called an FTP Bounce Attack.
How is an FTP Bounce Attack perpetrated?
This attack is possible when the FTP server on middle-man.com supports passive mode.
Let's look at what the passive mode of an FTP connection is.
The FTP protocol normally uses two connections: one control connection and one data connection. Commands are sent over the control connection, and data travels over the data connection.
In Active FTP, the FTP client first initiates the control connection from its port N to the FTP server's command port, port 21. The client then listens on port N+1 and sends the port number N+1 to the FTP server. The FTP server then initiates the data connection from its port M to port N+1 of the FTP client.
But if the FTP client sits behind a firewall that controls incoming data connections from outside, active FTP may be a problem. A feasible solution for that is Passive FTP.
In Passive FTP, the client initiates the control connection from its port N to port 21 of the FTP server. After this, the client issues a PASV command. The server then sends the client one of its port numbers, M, and the client initiates the data connection from its port P to port M of the FTP server.
In an FTP Bounce Attack, the attacker exploits the passive mode of the FTP server. He performs the following steps:
- X opens an FTP connection from attacker.com to the FTP server middle-man.com.
- X issues a PORT command and asks the server to open a data connection to port M. But he tricks the FTP server: instead of specifying the IP address of attacker.com, he gives the IP address of target.com.
- X now sends the FTP server a file containing a list of commands and requests that it execute them.
- The file has the following set of commands:
1. Open an FTP connection to target.com.
2. middle-man.com uses passive mode, so it must send a port number to which target.com should open a data connection. middle-man.com specifies that with a PORT command, but instead of giving the IP address of middle-man.com, the file specifies the IP address of attacker.com.
3. Transfer the required file over the connection thus established.
So, at this point, middle-man.com is tricked into requesting that target.com open a data connection from target.com to what is actually attacker.com.
And this is how an FTP Bounce Attack is performed.
How to prevent an FTP Bounce Attack?
A commonly used countermeasure is to configure the FTP server so that it does not allow data connections to be established with any host other than the FTP client.
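The countermeasure above, sketched as the check an FTP server could run on each PORT command before opening a data connection. This is an added example, not code from the original article or from any particular FTP server; the function names, reply texts and sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

def parse_port_argument(arg):
    """Parse 'h1,h2,h3,h4,p1,p2' from a PORT command into (IPv4Address, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    if not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("PORT fields must be decimal numbers")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("PORT fields must be in 0..255")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]  # port is sent as high byte, low byte
    return host, port

def check_port_command(line, control_peer_ip):
    """Decide how to answer a PORT line received on a control connection.

    control_peer_ip is the source address of that control connection.
    Returns (reply_code, text); the texts are constructed for this example.
    """
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    try:
        host, port = parse_port_argument(arg)
    except ValueError as exc:
        return 501, f"Syntax error in parameters: {exc}"
    # Core of the countermeasure: the data connection may only go back to
    # the host that owns the control connection, never to a third party.
    if host != ipaddress.IPv4Address(control_peer_ip):
        return 504, "PORT address does not match the control connection peer"
    return 200, f"PORT command successful ({host}:{port})"

if __name__ == "__main__":
    peer = "198.51.100.7"  # constructed: address the client connected from
    samples = [            # constructed PORT lines
        "PORT 198,51,100,7,195,80",  # client's own address: accepted
        "PORT 203,0,113,10,0,21",    # some other host: refused
        "PORT 198,51,100,7,195",     # malformed: refused
    ]
    for s in samples:
        print(s, "->", check_port_command(s, peer))
```
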
This was an informative article on FTP Bounce Attack. Hope you enjoyed it.