Basics of Bounce Scan Attack

Photo Credit to https://www.hackeroyale.com/

One of the most important things for an attacker is to hide their movements, so an attacker wants an intermediary system or server on the Internet through which the attack can be relayed. FTP bounce scanning is an attack technique that exploits a weakness in the FTP protocol: FTP supports proxy FTP connections, in which the data connection can be directed to a host other than the client that requested it. This weakness in FTP servers makes it difficult to track the whereabouts of the attacker, so FTP bounce is similar to IP spoofing in that both attacks keep the attacker's location secret. For example, suppose Badwebsitexyz.com controls its FTP server connection with a PI (Protocol Interpreter) called Badspiterbites.com. A request that is to be sent from this FTP server somewhere else starts with that PI; through the PI, the server's DTP (Data Transfer Process) is activated, and the DTP can send a file anywhere on the Internet.

Therefore, when the victim traces the connection, they only find Badspiterbites.com. They do not reach Badwebsitexyz.com, the original intermediary, nor the actual source of the attack.

Because of the FTP server weakness described above, a port scanner can scan TCP ports by proxying through the FTP server. The same method can reach FTP servers behind a firewall and scan ports the firewall blocks, for example port 139. Port 139 is the NetBIOS session service (TCP) port, used for resource sharing (files and printers) on Windows 98, ME and NT. About 10% of users share files and folders while browsing the internet, and because of this sharing port 139 is open, which is why most hackers target that port first when trying to establish a connection with a target. A firewall always blocks port 139; users should therefore run a firewall so that this port is not reachable from the internet.

The advantages of FTP bounce scanning are that it is difficult to trace and that it bypasses the firewall. The main drawback is that the method is slow, and most FTP server operators eventually notice what is being done and disable the proxy “feature”, so a single proxy FTP server cannot be used in the long run.
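The way an FTP server notices a bounce attempt is the check that modern servers apply to every PORT command: the address in the command must belong to the client that sent it. The following is an added example (not code from the original article or from any FTP server) that applies that check to constructed control-channel log lines of the form "<client_ip> <command>", flagging PORT commands that name a third host, that point at a privileged port, or that are malformed; the client addresses, targets and log format are constructed for the example.

```python
"""Flag FTP bounce attempts in FTP control-channel log lines.

Added example, not from the original article. Input lines are assumed to
look like "<client_ip> <ftp command line>" (a constructed format); every
PORT command is parsed and compared with the issuing client's address.
"""
import ipaddress
import re

# PORT takes a single argument; validation happens in parse_port_argument
# so that malformed arguments are reported rather than silently skipped.
PORT_RE = re.compile(r"^PORT\s+(\S+)\s*$", re.IGNORECASE)


def parse_port_argument(arg):
    """Turn the RFC 959 form "h1,h2,h3,h4,p1,p2" into ("h1.h2.h3.h4", p1*256+p2).

    Raises ValueError for anything that is not six byte-sized fields.
    """
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT argument: %r" % arg)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def classify_port_command(client_ip, command):
    """Classify one command line issued by client_ip.

    Returns (verdict, target_host, target_port) where verdict is:
      "ok"         not a PORT command, or PORT pointing back at the client
      "bounce"     PORT names a host other than the client (bounce attempt)
      "privileged" PORT points at the client but at a port below 1024
      "malformed"  PORT argument could not be parsed
    """
    m = PORT_RE.match(command)
    if not m:
        return ("ok", None, None)
    try:
        host, port = parse_port_argument(m.group(1))
    except ValueError:
        return ("malformed", None, None)
    if ipaddress.ip_address(host) != ipaddress.ip_address(client_ip):
        return ("bounce", host, port)
    if port < 1024:
        return ("privileged", host, port)
    return ("ok", host, port)


def find_bounce_attempts(log_lines):
    """Return [(client, target_host, target_port, verdict)] for every
    PORT command whose verdict is not "ok"."""
    findings = []
    for line in log_lines:
        client, _, command = line.strip().partition(" ")
        verdict, target, port = classify_port_command(client, command)
        if verdict != "ok":
            findings.append((client, target, port, verdict))
    return findings


# Constructed sample: a legitimate PORT back to the client, two PORT
# commands aimed at a different host (the bounce signature), and one
# malformed argument.
SAMPLE_LOG = [
    "203.0.113.7 USER anonymous",
    "203.0.113.7 PORT 203,0,113,7,4,10",    # 203.0.113.7:1034, fine
    "203.0.113.7 PORT 192,168,1,20,0,139",  # 192.168.1.20:139, bounce
    "203.0.113.7 LIST",
    "203.0.113.7 PORT 192,168,1,20,0,22",   # 192.168.1.20:22, bounce
    "203.0.113.7 PORT 1,2,3",               # malformed
]

if __name__ == "__main__":
    for finding in find_bounce_attempts(SAMPLE_LOG):
        print(finding)
```

The address comparison is the whole defence: an FTP server that refuses PORT arguments not matching the control connection's peer cannot be used as a relay, which is exactly the "feature" the text says operators end up disabling.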

Nmap is a network mapper tool used to scan ports across large networks. It is a very popular tool that also works well against a single host. Nmap's motto is TMTOWTDI (There's More Than One Way To Do It).
This tool is written in the Perl programming language, but it is very good to use as a scanner. If you are a hacker, sometimes you need to be fast, sometimes you need to be more discreet, and sometimes you need to bypass a firewall. The protocols you want to scan can also differ: UDP, TCP, ICMP and so on. A single scanning mode is therefore not enough, and nobody wants to use ten different scanner tools with different interfaces. That is why Nmap was created. Nmap supports the scan types listed below.

1. Vanilla TCP connect() scanning
2. TCP SYN (half open) scanning
3. TCP FIN (stealth) scanning
4. TCP FTP proxy (bounce attack) scanning
5. SYN/FIN scanning
6. UDP recvfrom() scanning
7. UDP raw ICMP port unreachable scanning
8. ICMP scanning (ping sweep)
9. Reverse-ident scanning

Nmap also has other capabilities: a configurable delay time, retransmission of probes when a timeout occurs, scanning many ports at once, sending large numbers of pings across many hosts (a ping sweep), and selecting specific targets and ports. The following is the option summary for Nmap 4.53, listing the scan types and options available.


Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:

Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
-PN: Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO [protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
--traceroute: Trace hop path to each host
--reason: Display the reason a port is in a particular state
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=safe,intrusive
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
OS DETECTION:
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in milliseconds, unless you append 's' (seconds), 'm'
(minutes), or 'h' (hours) to the value (e.g. 30m).
-T[0-5]: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <time>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies probe round
trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3, and Grepable
format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use twice for more effect)
-d[level]: Set or increase debugging level (Up to 9 is meaningful)
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--log-errors: Log errors/warnings to the normal-format output file
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Insecure.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enables OS detection and Version detection, Script scanning and Traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sP 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -PN -p 80
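On the defensive side, the scan output Nmap produces is what lets an administrator verify the point made earlier about port 139: that the firewall actually blocks it from the outside. The following is an added example, not code from the original article or from the Nmap project, that parses the grepable format written by -oG (the "Host: ... Ports: ..." lines, where each port entry has the form port/state/protocol/owner/service/rpcinfo/version/) and reports any port that a small exposure baseline says must not be reachable. The baseline, the host addresses and the scan output lines are all constructed for the example.

```python
"""Check Nmap grepable (-oG) output against an exposure baseline.

Added example, not part of the original article or of Nmap. The scan
lines below are constructed sample data in the -oG format, not a real
scan, and the baseline of ports that must stay blocked is an assumption
chosen to match the article's discussion of TCP port 139.
"""
import re

# Ports that must not be reachable from the scanning vantage point
# (constructed baseline for the example; adapt to your own policy).
BASELINE_BLOCKED = {
    ("tcp", 139): "NetBIOS session service",
    ("tcp", 445): "SMB",
    ("udp", 137): "NetBIOS name service",
}

# "Host: <addr> (<name>)\tPorts: <entries>[\tIgnored State: ...]"
HOST_RE = re.compile(
    r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$"
)


def parse_grepable(lines):
    """Return {host: [(port, state, proto, service), ...]} from -oG lines.

    Comment lines (scan banners) and "Status:" lines carry no port data
    and are skipped; only the port, state, protocol and service fields of
    each entry are kept.
    """
    results = {}
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#"):
            continue
        m = HOST_RE.match(line)
        if not m:
            continue
        host = m.group(1)
        entries = []
        for item in m.group(3).split(","):
            fields = item.strip().split("/")
            if len(fields) < 5:
                continue  # not a well-formed port entry
            entries.append((int(fields[0]), fields[1], fields[2], fields[4]))
        results.setdefault(host, []).extend(entries)
    return results


def check_exposure(scan, baseline=BASELINE_BLOCKED):
    """Return [(host, proto, port, state, label)] for every baseline port
    that the scan saw as open or open|filtered, i.e. not positively
    blocked by the firewall."""
    violations = []
    for host, entries in scan.items():
        for port, state, proto, _service in entries:
            label = baseline.get((proto, port))
            if label and state in ("open", "open|filtered"):
                violations.append((host, proto, port, state, label))
    return violations


# Constructed -oG sample: one host with 139 open, one where it is filtered.
SAMPLE_OG = [
    "# Nmap 4.53 scan initiated (constructed sample)",
    "Host: 192.168.1.20 ()\tStatus: Up",
    "Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh///, "
    "139/open/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///"
    "\tIgnored State: closed (997)",
    "Host: 192.168.1.21 (fileserver)\tPorts: 80/open/tcp//http///, "
    "139/filtered/tcp//netbios-ssn///\tIgnored State: closed (998)",
    "# Nmap done (constructed sample)",
]

if __name__ == "__main__":
    for host, proto, port, state, label in check_exposure(parse_grepable(SAMPLE_OG)):
        print("%s %s/%d is %s (%s)" % (host, proto, port, state, label))
```

Run the check from outside the firewall: a "filtered" result for 139 is what a correctly configured perimeter produces, while "open" means the NetBIOS session service is exposed and the firewall rule is missing or bypassed.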
