Skip to content

ftp_bounce: Various improvements#21388

Open
g0tmi1k wants to merge 8 commits into
rapid7:masterfrom
g0tmi1k:ftp_bounce
Open

ftp_bounce: Various improvements#21388
g0tmi1k wants to merge 8 commits into
rapid7:masterfrom
g0tmi1k:ftp_bounce

Conversation

@g0tmi1k

@g0tmi1k g0tmi1k commented Apr 28, 2026

Copy link
Copy Markdown
Contributor

This PR refreshes this module by:

  • Moves the module to be more like other generic FTP service modules filenames
  • Able to be more verbose
  • Updating metadata
  • Update workspace (report_note()/report_service()/report_vuln()/report_host())
  • Tweaked settings/options descriptions
         current  name     hosts  services  vulns  creds  loots  notes
         -------  ----     -----  --------  -----  -----  -----  -----
Before -> *        default  2      3         0      0      0      1
AFter  -> *        default  2      3         1      1      0      3

Target is Metasploitable 2 & a container which is vulnerable to the attack.

Setup

Skipping over Metasploitable 2, but looking at the container:

$ docker run --rm -p 2121:21 -p 40000-40100:40000-40100 --name proftpd registry.gitlab.com/g0tmi1k/proftpd-docker:1.3.3c
787c7350dc34 - ProFTPD 1.3.3c (maint) (built Mon Apr 27 2026 16:28:37 UTC) standalone mode STARTUP

Before

  • Only see open ports
$ ./msfconsole -q -x 'db_status; workspace -D; setg VERBOSE true;
use auxiliary/scanner/portscan/ftpbounce;
set RHOSTS 10.0.0.10;
set BOUNCEHOST 127.0.0.1;
set BOUNCEPORT 2121;
set PORTS 80,6667;
options;'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 10.0.0.10
BOUNCEHOST => 127.0.0.1
BOUNCEPORT => 2121
PORTS => 80,6667

Module options (auxiliary/scanner/portscan/ftpbounce):

   Name        Current Setting      Required  Description
   ----        ---------------      --------  -----------
   BOUNCEHOST  127.0.0.1            yes       FTP relay host
   BOUNCEPORT  2121                 yes       FTP relay port
   DELAY       0                    yes       The delay between connections, per thread, in milliseconds
   FTPPASS     mozilla@example.com  no        The password for the specified username
   FTPUSER     anonymous            no        The username to authenticate as
   JITTER      0                    yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS       80,6667              yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS      10.0.0.10            yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   THREADS     1                    yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf auxiliary(scanner/portscan/ftpbounce) > run
[*] 127.0.0.1:2121        - Connecting to FTP server...
[*] 127.0.0.1:2121        - Connected to target FTP server
[*] 127.0.0.1:2121        - Authenticating as anonymous with password mozilla@example.com...
[*] 127.0.0.1:2121        - Sending password...
[+] 127.0.0.1:2121        -  TCP OPEN 10.0.0.10:6667
[*] 127.0.0.1:2121        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/portscan/ftpbounce) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  2      3         0      0      0      1

msf auxiliary(scanner/portscan/ftpbounce) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Unknown                    device
127.0.0.1             Unknown                    device

msf auxiliary(scanner/portscan/ftpbounce) > services
Services
========

host       port  proto  name  state  info                                                 resource  parents
----       ----  -----  ----  -----  ----                                                 --------  -------
10.0.0.10  6667  tcp          open                                                        {}
127.0.0.1  2121  tcp    ftp   open   ProFTPD 1.3.3c Server (ProFTPD Docker Installation)  {}        tcp (2121/tcp)
127.0.0.1  2121  tcp    tcp   open                                                        {}

msf auxiliary(scanner/portscan/ftpbounce) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type        Data
 ----                     ----       -------  ----  --------  ----        ----
 2026-05-21 09:03:19 UTC  127.0.0.1  ftp      2121  tcp       ftp.banner  {:banner=>"220 ProFTPD 1.3.3c Server (ProFTPD Docker Installation) [172.17.0.2]"}

msf auxiliary(scanner/portscan/ftpbounce) >

After

  • Can see open and closed ports (and reason)
$ ./msfconsole -q -x 'db_status; workspace -D; setg VERBOSE true;
use auxiliary/scanner/portscan/ftp_bounce;
set RHOSTS 10.0.0.10;
set BOUNCEHOST 127.0.0.1;
set BOUNCEPORT 2121;
set PORTS 80,6667;
options;'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 10.0.0.10
BOUNCEHOST => 127.0.0.1
BOUNCEPORT => 2121
PORTS => 80,6667

Module options (auxiliary/scanner/portscan/ftp_bounce):

   Name        Current Setting      Required  Description
   ----        ---------------      --------  -----------
   BOUNCEHOST  127.0.0.1            yes       FTP relay host
   BOUNCEPORT  2121                 yes       FTP relay port
   DELAY       0                    yes       The delay between connections, per thread, in milliseconds
   FTPPASS     mozilla@example.com  no        Password for the FTP relay (BOUNCEHOST)
   FTPUSER     anonymous            no        Username for the FTP relay (BOUNCEHOST)
   JITTER      0                    yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS       80,6667              yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS      10.0.0.10            yes       The host(s) to scan via BOUNCEHOST (FTP relay)
   THREADS     1                    yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf auxiliary(scanner/portscan/ftp_bounce) > run
[*] 127.0.0.1:2121        - Connecting to FTP server...
[*] 127.0.0.1:2121        - Connected to target FTP server
[*] 127.0.0.1:2121        - Authenticating as anonymous with password mozilla@example.com...
[*] 127.0.0.1:2121        - Sending password...
[!] 127.0.0.1:2121        - 127.0.0.1:2121 -> 10.0.0.10:80: PORT rejected (port <= 1023/TCP blocked by server, which is expected) -- 500 Illegal PORT command
[+] 127.0.0.1:2121        - 127.0.0.1:2121 -> 10.0.0.10:6667: LIST -- TCP OPEN
[+] 127.0.0.1:2121        - 2 port(s) scanned via 127.0.0.1:2121, 1 port(s) open: 6667
[*] 127.0.0.1:2121        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/portscan/ftp_bounce) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  2      3         1      1      0      3

msf auxiliary(scanner/portscan/ftp_bounce) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Unknown                    device
127.0.0.1             Unknown                    device

msf auxiliary(scanner/portscan/ftp_bounce) > services
Services
========

host       port  proto  name  state  info                                           resource  parents
----       ----  -----  ----  -----  ----                                           --------  -------
10.0.0.10  6667  tcp          open   Discovered via FTP bounce from 127.0.0.1:2121  {}
127.0.0.1  2121  tcp    ftp   open   ProFTPD 1.3.3c                                 {}        tcp (2121/tcp)
127.0.0.1  2121  tcp    tcp   open                                                  {}

msf auxiliary(scanner/portscan/ftp_bounce) > vulns

Vulnerabilities
===============

Timestamp                Host       Service         Resource  Name               References
---------                ----       -------         --------  ----               ----------
2026-05-21 09:06:05 UTC  127.0.0.1  ftp (2121/tcp)  {}        FTP Bounce Attack  CVE-1999-0017

msf auxiliary(scanner/portscan/ftp_bounce) > creds
Credentials
===========

id   host       origin     service         public     private              realm  private_type  JtR Format  cracked_password
--   ----       ------     -------         ------     -------              -----  ------------  ----------  ----------------
465  127.0.0.1  127.0.0.1  2121/tcp (ftp)  anonymous  mozilla@example.com         Password

msf auxiliary(scanner/portscan/ftp_bounce) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type        Data
 ----                     ----       -------  ----  --------  ----        ----
 2026-05-21 09:06:04 UTC  127.0.0.1  ftp      2121  tcp       ftp.banner  {:banner=>"220 ProFTPD 1.3.3c Server (ProFTPD Docker Installation) [172.17.0.2]"}
 2026-05-21 09:06:04 UTC  127.0.0.1  ftp      2121  tcp       ftp.cpe     {:cpe=>"cpe:/a:proftpd:proftpd:1.3.3c"}
 2026-05-21 09:06:04 UTC  127.0.0.1  ftp      2121  tcp       ftp.bounce  {:info=>"Attempted to use machine for FTP bounce attack", :target=>"10.0.0.10"}

msf auxiliary(scanner/portscan/ftp_bounce) >

@github-actions

Copy link
Copy Markdown

Thanks for your pull request! As part of our landing process, we manually verify that all modules work as expected.

We've added the additional-testing-required label to indicate that additional testing is required before this pull request can be merged.
For maintainers, this means visiting here.

@g0tmi1k g0tmi1k force-pushed the ftp_bounce branch 4 times, most recently from 21c26f6 to c25dfee Compare May 4, 2026 11:48
@g0tmi1k g0tmi1k changed the title ftp_bounce: Be more verbose & report more ftp_bounce: Various improvements May 4, 2026
@g0tmi1k g0tmi1k force-pushed the ftp_bounce branch 15 times, most recently from 514b905 to 4da9d57 Compare May 12, 2026 08:50
@g0tmi1k

g0tmi1k commented May 21, 2026

Copy link
Copy Markdown
Contributor Author

Think I've finished tweaking with this PR!

Doesn't need it, but also did have #21416 & #21396 applied in the 'after' testing (not before).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

Status: Todo

Development

Successfully merging this pull request may close these issues.

2 participants