
# FTP BOUNCE ATTACK - SCANNING

{% embed url="<https://book.hacktricks.xyz/network-services-pentesting/pentesting-ftp/ftp-bounce-attack>" %}

## MANUAL

1. Connect to the vulnerable FTP server.
2. Use **PORT** or **EPRT** (only one of them) to make the server establish a connection to the `<IP:PORT>` you want to scan. **PORT** takes six byte values, with the port encoded as `p1,p2` where port = p1\*256 + p2 (8080 is `31,144`); in **EPRT** the first field is the protocol (`1` for IPv4):\
   `PORT 172,32,80,80,31,144`\
   `EPRT |1|172.32.80.80|8080|`
3. Use **LIST**. This sends the list of files in the FTP server's current directory to the `<IP:PORT>` connection and waits for a response:\
   `150 File status okay` means the port is **open**.\
   `425 No connection established` means the port is **closed**.
4. Instead of **LIST** you can use **RETR** `/file/in/ftp` and wait for a **response similar** to the one from LIST.

Example using **PORT** (port 8080 open / port 7777 closed):

<figure><img src="/files/tJwXuYvmMNiARNiqr57C" alt=""><figcaption></figcaption></figure>

Example with **EPRT** (port 8080 open / port 7777 closed):

<figure><img src="/files/w7bFiqGeCjvjyQcBk6GH" alt=""><figcaption></figcaption></figure>

Example with **RETR** instead of LIST:

<figure><img src="/files/qe8rmAd6dDdU8LGmoqUm" alt=""><figcaption></figcaption></figure>
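Seen from the server side, the manual steps above leave a clear trace: a **PORT** or **EPRT** argument that names a host other than the client on the control connection. The following is an added example, not part of the original page; it decodes both argument formats and flags the requests a hardened server refuses (RFC 2577 discusses the bounce attack). The function names and the log tuples are assumptions made for the illustration.

```python
import ipaddress

def requested_target(command_line):
    """Return the (ip, port) a PORT/EPRT command points the data connection at.
    None for any other command; ValueError if the argument is malformed."""
    verb, _, arg = command_line.strip().partition(" ")
    verb, arg = verb.upper(), arg.strip()
    if verb == "PORT":
        # RFC 959: h1,h2,h3,h4,p1,p2 are byte values, port = p1*256 + p2
        fields = [int(x) for x in arg.split(",")]
        if len(fields) != 6 or not all(0 <= f <= 255 for f in fields):
            raise ValueError("PORT expects six values in 0-255")
        ip = ipaddress.ip_address(".".join(map(str, fields[:4])))
        return ip, fields[4] * 256 + fields[5]
    if verb == "EPRT":
        # RFC 2428: <d>proto<d>addr<d>port<d>, first character is the delimiter.
        # The proto field is not trusted: the address is parsed as written.
        parts = arg.split(arg[0]) if arg else []
        if len(parts) != 5 or not 0 < int(parts[3]) < 65536:
            raise ValueError("malformed EPRT argument")
        return ipaddress.ip_address(parts[2]), int(parts[3])
    return None

def classify(client_ip, command_line):
    """Verdict for one command: None, 'ok', 'malformed', 'third-party' or 'low-port'."""
    try:
        target = requested_target(command_line)
    except ValueError:
        return "malformed"
    if target is None:
        return None
    ip, port = target
    if ip != ipaddress.ip_address(client_ip):
        return "third-party"  # data connection aimed at a host other than the client
    return "low-port" if port < 1024 else "ok"

# Constructed (client address, command) pairs, not taken from a real server log.
SAMPLE_LOG = [
    ("203.0.113.7", "USER ftp"),
    ("203.0.113.7", "PORT 203,0,113,7,195,80"),     # client's own address, port 50000
    ("203.0.113.7", "PORT 172,32,80,80,31,144"),    # another host, port 8080
    ("203.0.113.7", "EPRT |1|172.32.80.80|8080|"),  # same target via EPRT
    ("203.0.113.7", "EPRT |1|203.0.113.7|22|"),     # own address, privileged port
    ("203.0.113.7", "PORT 172,32,80,80,0,8080"),    # last field out of byte range
]

def suspicious(entries):
    """Keep only the commands a server should refuse or an analyst should review."""
    verdicts = ((c, cmd, classify(c, cmd)) for c, cmd in entries)
    return [v for v in verdicts if v[2] not in (None, "ok")]
```

A burst of `third-party` verdicts from one session, each followed by **LIST** or **RETR** and a `150`/`425` reply, matches the scan pattern described above.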

## NMAP

```
nmap -b <name>:<pass>@<ftp_server> <victim>
nmap -Pn -v -p 21,80 -b ftp:ftp@10.2.1.5 127.0.0.1 #Scan ports 21,80 of the FTP
nmap -v -p 21,22,445,80,443 -b ftp:ftp@10.2.1.5 192.168.0.1/24 #Scan the internal network (of the FTP) ports 21,22,445,80,443
```


