Nmap Announce mailing list archives
FTP Bounce Attack question and suggestion
From: Tom Curtis <tomcrts () uswest net>
Date: Sun, 21 Nov 1999 08:25:11 -0700 (MST)
Hello everyone,

I have been waiting patiently for someone else to ask the question I have; since no one has, I finally decided to come out of the closet and ask the question here in this forum for myself.

I have managed to locate a few "creaky old" FTP servers that seem to permit me to use the FTP Bounce option; however, the results I get are not accurate. The option becomes even more inaccurate, it seems, when I scan a class C range. This may be a "bug" in the current alpha version of nmap (I can't say for sure because I did not test this feature in earlier versions). I am assuming others who have tried this option have had similar results.

Additionally, a scanner called "sockcheck.c" is posted on rootshell that will scan a list of IP addresses and test them for unsecure proxies. This has been recently enhanced to scan THROUGH an unsecure socks proxy, sockcheck2.c (which has not yet been made public). It appears to be extremely accurate (even though it's a bit slow), and over the past few weeks I have been able to locate several hundred additional unsecure proxies using it. Unsecure proxies can be used in conjunction with a bouncer (like sockbounce.c) for telnet, ftp, http, & nntp connections. I believe this same technique could be incorporated into nmap to scan ranges of ports and IPs like the FTP Bounce Attack.

I'd be happy to share the source code for sockcheck2.c and the bouncer with anyone that could write a patch for nmap that would add the option of a "Socks Bounce Attack".

Tom