Lucene search
K

FTP Bounce Port Scanner

🗓️ 23 Jan 2009 02:05:28Reported by kris katterjohn <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 20 Views

FTP Bounce Port Scanner module for TCP service enumeration via FTP bounce PORT/LIST method by kris katterjoh

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary

  # Order is important here
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::Ftp

  def initialize
    super(
      'Name'        => 'FTP Bounce Port Scanner',
      'Description' => %q{
        Enumerate TCP services via the FTP bounce PORT/LIST
        method.
      },
      'Author'      => 'kris katterjohn',
      'License'     => MSF_LICENSE
    )

    register_options([
      OptString.new('PORTS', [true, "Ports to scan (e.g. 22-25,80,110-900)", "1-10000"]),
      OptAddress.new('BOUNCEHOST', [true, "FTP relay host"]),
      OptPort.new('BOUNCEPORT', [true, "FTP relay port", 21]),
      OptInt.new('DELAY', [true, "The delay between connections, per thread, in milliseconds", 0]),
      OptInt.new('JITTER', [true, "The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.", 0])
    ])

    deregister_options('RPORT')
  end

  # No IPv6 support yet
  def support_ipv6?
    false
  end

  def rhost
    datastore['BOUNCEHOST']
  end

  def rport
    datastore['BOUNCEPORT']
  end

  def run_host(ip)
    ports = Rex::Socket.portspec_crack(datastore['PORTS'])
    if ports.empty?
      raise Msf::OptionValidateError.new(['PORTS'])
    end

    jitter_value = datastore['JITTER'].to_i
    if jitter_value < 0
      raise Msf::OptionValidateError.new(['JITTER'])
    end

    delay_value = datastore['DELAY'].to_i
    if delay_value < 0
      raise Msf::OptionValidateError.new(['DELAY'])
    end

    return if not connect_login

    ports.each do |port|
      # Clear out the receive buffer since we're heavily dependent
      # on the response codes.  We need to do this between every
      # port scan attempt unfortunately.
      while true
        r = sock.get_once(-1, 0.25)
        break if not r or r.empty?
      end

      begin

        # Add the delay based on JITTER and DELAY if needs be
        add_delay_jitter(delay_value,jitter_value)

        host = (ip.split('.') + [port / 256, port % 256]).join(',')
        resp = send_cmd(["PORT", host])

        if resp =~ /^5/
          #print_error("Got error from PORT to #{ip}:#{port}")
          next
        elsif not resp
          next
        end

        resp = send_cmd(["LIST"])

        if resp =~ /^[12]/
          print_good(" TCP OPEN #{ip}:#{port}")
          report_service(:host => ip, :port => port)
        end
      rescue ::Exception
        print_error("Unknown error: #{$!}")
      end
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

05 Mar 2019 19:04Current
7.1High risk
Vulners AI Score7.1
20