\!/ KyuuKazami \!/

Path : /usr/share/nmap/scripts/
Upload :
Current File : //usr/share/nmap/scripts/ftp-bounce.nse

local coroutine = require "coroutine"
local nmap = require "nmap"
local shortport = require "shortport"
local string = require "string"

description=[[
Checks to see if an FTP server allows port scanning using the FTP bounce method.
]]
author = "Marek Majkowski"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

---
-- @args ftp-bounce.username Username to log in with. Default
-- <code>"anonymous"</code>.
-- @args ftp-bounce.password Password to log in with. Default
-- <code>"IEUser@"</code>.
--
-- @output
-- PORT   STATE SERVICE
-- 21/tcp open  ftp
-- |_ftp-bounce: bounce working!
--
-- PORT   STATE SERVICE
-- 21/tcp open  ftp
-- |_ftp-bounce: server forbids bouncing to low ports <1025
-- 
-- PORT   STATE SERVICE
-- 21/tcp open  ftp
-- |_ftp-bounce: no banner

categories = {"default", "safe"}


portrule = shortport.service("ftp")

line_iterate = function(s)
	local line
	for line in string.gmatch(s, "([^\n$]*)") do
		if #line > 0 then
			coroutine.yield(line)
		end
	end
end

-- returns last ftp code read, or 000 on timeout
get_ftp_code = function(socket)
	local fcode = 000
	local code  = 0
	local status
	local result
	local co
	local line
	local err

	while true do
		status, result = socket:receive()
		if not status then
			break
		end
		-- read okay!
		co = coroutine.create(line_iterate)
		while coroutine.status(co) ~= 'dead' do
			err, line = coroutine.resume(co, result)
			if line then
				code = string.match(line, "^(%d%d%d) ")
				if not code then
					code = "-1"
				end
				-- io.write(">" .. code .. ":".. line .. "<\n")
				if tonumber(code) > 0 then
					fcode = tonumber(code)
				end
			end
		end
		-- not received good ftp code, try again
		if fcode ~= 0 then
			break
		end
	end
	-- io.write("## " .. fcode .. "\n");
	return fcode
end

local get_login = function()
	local user, pass
	local k

	for _, k in ipairs({"ftp-bounce.username", "username"}) do
		if nmap.registry.args[k] then
			user = nmap.registry.args[k]
			break
		end
	end

	for _, k in ipairs({"ftp-bounce.password", "password"}) do
		if nmap.registry.args[k] then
			pass = nmap.registry.args[k]
			break
		end
	end

	return user or "anonymous", pass or "IEUser@"
end

action = function(host, port)
	local socket = nmap.new_socket()
	local result;
	local status = true
	local isAnon = false
	local isOk   = false
	local sendPass = true
	local user, pass = get_login()
	local fc
	
	socket:set_timeout(10000)
	socket:connect(host, port)

	-- BANNER
	fc = get_ftp_code(socket)
	if fc == 0 then
		socket:close()
		-- no banner
		return "no banner"
	end
	if fc == 421 or (fc >= 500 and fc <= 599) then
		socket:close()
	--	return "server says you are not allowed to create connection"
		return
	end
	if fc < 200 or fc > 299 then
		socket:close()
		-- bad code
	--	return "bad banner (code " .. fc .. ")"
		return
	end
	
	socket:set_timeout(5000)
	-- USER
	socket:send("USER " .. user .. "\r\n")
	fc = get_ftp_code(socket)
	if (fc >= 400 and fc <= 499) or (fc >= 500 and fc <= 599) then
		socket:close()
		-- bad code
		--return "anonymous user not allowed"
		return
	end
	if fc == 0 then
		socket:close()
		-- return "anonymous user timeouted"
		return 
	end
	if fc ~= 230 and fc ~= 331 then
		socket:close()
		-- bad code
		-- return "bad response for anonymous user (code " .. fc .. ")"
		return 
	end
	if fc == 230 then
		sendPass = false
	end

	-- PASS
	if sendPass then
		socket:send("PASS " .. pass .. "\r\n")
		fc = get_ftp_code(socket)
		if (fc >= 500 and fc <= 599) or (fc >= 400 and fc <= 499) then
			socket:close()
			-- bad code
			-- return "anonymous user/pass rejected"
			return
		end
		if fc == 0 then
			socket:close()
			-- return "anonymous pass timeouted"
			return
		end
		if fc ~= 230 and fc ~= 200 then
			socket:close()
			-- return "answer to PASS not understood (code " .. fc .. ")"
			return
		end
	end
	
	-- PORT scanme.nmap.com:highport
	socket:send("PORT 205,217,153,62,80,80\r\n")
	fc = get_ftp_code(socket)
	if (fc >= 500 and fc <= 599) then
		socket:close()
		-- return "server forbids bouncing"
		return
	end
	if fc == 0 then
		socket:close()
		-- return "PORT command timeouted"
		return
	end
	if not (fc >= 200 and fc<=299) then
		socket:close()
		-- return "PORT response not understood (code " .. fc .. ")"
		return
	end

	-- PORT scanme.nmap.com:lowport
	socket:send("PORT 205,217,153,62,0,80\r\n")
	fc = get_ftp_code(socket)
	if (fc >= 500 and fc <= 599) then
		socket:close()
		return "server forbids bouncing to low ports <1025"
	end
	if fc == 0 then
		socket:close()
		-- return "PORT command timeouted for low port"
		return
	end
	if not (fc >= 200 and fc<=299) then
		socket:close()
		-- return "PORT response not understood for low port (code " .. fc .. ")"
		return
	end

	socket:close()
	return "bounce working!"
end

@KyuuKazami