ftp_bounce: Various improvements by g0tmi1k · Pull Request #21388 · rapid7/metasploit-framework

g0tmi1k · 2026-04-28T13:31:11Z

This PR refreshes this module by:

Moving the module to be more like other generic FTP service modules
Able to be more verbose
Updating metadata
Use report_note & report_service

Setup

$ docker run --rm -p 2121:21 -p 40000-40100:40000-40100 --name proftpd registry.gitlab.com/g0tmi1k/proftpd-docker:1.3.3c
787c7350dc34 - ProFTPD 1.3.3c (maint) (built Mon Apr 27 2026 16:28:37 UTC) standalone mode STARTUP

Before

$ ./msfconsole -q -x 'db_status; workspace -D;
setg VERBOSE true; setg RHOSTS 10.0.0.10; setg LHOST tap0;'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 10.0.0.10
LHOST => tap0
msf > use ftpbounce

Matching Modules
================

   #  Name                                  Disclosure Date  Rank    Check  Description
   -  ----                                  ---------------  ----    -----  -----------
   0  auxiliary/scanner/portscan/ftpbounce  .                normal  No     FTP Bounce Port Scanner


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/portscan/ftpbounce

[*] Using auxiliary/scanner/portscan/ftpbounce
msf auxiliary(scanner/portscan/ftpbounce) > options

Module options (auxiliary/scanner/portscan/ftpbounce):

   Name        Current Setting      Required  Description
   ----        ---------------      --------  -----------
   BOUNCEHOST                       yes       FTP relay host
   BOUNCEPORT  21                   yes       FTP relay port
   DELAY       0                    yes       The delay between connections, per thread, in milliseconds
   FTPPASS     mozilla@example.com  no        The password for the specified username
   FTPUSER     anonymous            no        The username to authenticate as
   JITTER      0                    yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS       1-10000              yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS      10.0.0.10            yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   THREADS     1                    yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf auxiliary(scanner/portscan/ftpbounce) > setg BOUNCEHOST 127.0.0.1
BOUNCEHOST => 127.0.0.1
msf auxiliary(scanner/portscan/ftpbounce) > setg BOUNCEPORT 2121
BOUNCEPORT => 2121
msf auxiliary(scanner/portscan/ftpbounce) > setg PORTS 80,6667
PORTS => 80,6667
msf auxiliary(scanner/portscan/ftpbounce) > run
[*] 127.0.0.1:2121 - Connecting to FTP server 127.0.0.1:2121...
[*] 127.0.0.1:2121 - Connected to target FTP server.
[*] 127.0.0.1:2121 - Authenticating as anonymous with password mozilla@example.com...
[*] 127.0.0.1:2121 - Sending password...
[+] 127.0.0.1:2121 -  TCP OPEN 10.0.0.10:6667
[*] 127.0.0.1:2121 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/portscan/ftpbounce) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         0      0      0      0

msf auxiliary(scanner/portscan/ftpbounce) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Unknown                    device

msf auxiliary(scanner/portscan/ftpbounce) > services
Services
========

host       port  proto  name  state  info  resource  parents
----       ----  -----  ----  -----  ----  --------  -------
10.0.0.10  6667  tcp          open         {}

msf auxiliary(scanner/portscan/ftpbounce) >

After

msf auxiliary(scanner/portscan/ftpbounce) > git checkout ftp_bounce
[*] exec: git checkout ftp_bounce

Switched to branch 'ftp_bounce'
Your branch is up to date with 'origin/ftp_bounce'.
msf auxiliary(scanner/portscan/ftpbounce) > workspace -D
[*] Deleted workspace: default
[*] Recreated the default workspace
msf auxiliary(scanner/portscan/ftpbounce) > reload_all
[...]
msf auxiliary(scanner/portscan/ftpbounce) > use ftp_bounce

Matching Modules
================

   #  Name                                   Disclosure Date  Rank    Check  Description
   -  ----                                   ---------------  ----    -----  -----------
   0  auxiliary/scanner/portscan/ftp_bounce  .                normal  No     FTP Bounce Port Scanner


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/portscan/ftp_bounce

[*] Using auxiliary/scanner/portscan/ftp_bounce
msf auxiliary(scanner/portscan/ftp_bounce) > run
[*] 127.0.0.1:2121 - Connecting to FTP server 127.0.0.1:2121...
[*] 127.0.0.1:2121 - Connected to target FTP server.
[*] 127.0.0.1:2121 - Authenticating as anonymous with password mozilla@example.com...
[*] 127.0.0.1:2121 - Sending password...
[!] 127.0.0.1:2121 - 127.0.0.1:2121 -> 10.0.0.10:80: PORT rejected (expected as DATA < 1024) -- 500 Illegal PORT command
[+] 127.0.0.1:2121 -  TCP OPEN 10.0.0.10:6667
[*] 127.0.0.1:2121 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/portscan/ftp_bounce) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  2      2         0      0      0      1

msf auxiliary(scanner/portscan/ftp_bounce) > hosts

Hosts
=====

address    mac  name        os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----        -------  ---------  -----  -------  ----  --------
10.0.0.10                   Unknown                    device
127.0.0.1       172.17.0.2  Unknown                    device

msf auxiliary(scanner/portscan/ftp_bounce) > services
Services
========

host       port  proto  name  state  info                                                              resource  parents
----       ----  -----  ----  -----  ----                                                              --------  -------
10.0.0.10  6667  tcp          open   Discovered via FTP bounce from 127.0.0.1:2121                     {}
127.0.0.1  2121  tcp    ftp   open   ProFTPD 1.3.3c Server (ProFTPD Docker Installation) [172.17.0.2]  {}

msf auxiliary(scanner/portscan/ftp_bounce) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type        Data
 ----                     ----       -------  ----  --------  ----        ----
 2026-04-28 13:29:48 UTC  127.0.0.1  ftp      2121  tcp       ftp.bounce  {:info=>"Attempted to use machine for FTP bounce attack", :target=>"10.0.0.10"}

msf auxiliary(scanner/portscan/ftp_bounce) >

github-actions · 2026-04-29T16:37:52Z

Thanks for your pull request! As part of our landing process, we manually verify that all modules work as expected.

We've added the additional-testing-required label to indicate that additional testing is required before this pull request can be merged.
For maintainers, this means visiting here.

g0tmi1k · 2026-05-05T17:49:09Z

This now needs #21380 to be merged ahead of time.

smcintyre-r7 added this to Metasploit Kanban Apr 28, 2026

github-project-automation Bot moved this to Todo in Metasploit Kanban Apr 28, 2026

g0tmi1k force-pushed the ftp_bounce branch 2 times, most recently from b003c83 to 14da846 Compare April 29, 2026 16:37

github-actions Bot added the additional-testing-required label Apr 29, 2026

g0tmi1k force-pushed the ftp_bounce branch 4 times, most recently from 21c26f6 to c25dfee Compare May 4, 2026 11:48

g0tmi1k changed the title ~~ftp_bounce: Be more verbose & report more~~ ftp_bounce: Various improvements May 4, 2026

g0tmi1k force-pushed the ftp_bounce branch 6 times, most recently from 1d261dd to 3c6e789 Compare May 5, 2026 17:45

g0tmi1k force-pushed the ftp_bounce branch 5 times, most recently from 3a206ad to a8cfa1e Compare May 6, 2026 13:15

g0tmi1k added 7 commits May 6, 2026 17:26

ftp_bounce: Move module

093107b

ftp_bounce: Make rubocop happy

7121cf1

ftp_bounce: Make description more verbose

ed6e410

ftp_bounce: Be more verbose

3e72052

ftp_bounce: Add report_service/report_note for BOUNCEHOST

ed4eea5

ftp_bounce: Add CVE

e00bd0a

ftp_bounce: Add report_vuln

e976cbb

g0tmi1k added 4 commits May 6, 2026 17:26

ftp_bounce: Add report_note

48cd2d1

ftp_bounce: Check if we are scanning self

c0b9b81

ftp_bounce: Improved ruby logic

9087101

ftp_bounce: Use FTP mixin

1dcd4b4

g0tmi1k force-pushed the ftp_bounce branch from a8cfa1e to 1dcd4b4 Compare May 6, 2026 16:26

ftp_bounce: report_host if up, but no ports open

68a0acc

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ftp_bounce: Various improvements#21388

ftp_bounce: Various improvements#21388
g0tmi1k wants to merge 12 commits intorapid7:masterfrom
g0tmi1k:ftp_bounce

g0tmi1k commented Apr 28, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Apr 29, 2026

Uh oh!

g0tmi1k commented May 5, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

g0tmi1k commented Apr 28, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Setup

Before

After

Uh oh!

github-actions Bot commented Apr 29, 2026

Uh oh!

g0tmi1k commented May 5, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

g0tmi1k commented Apr 28, 2026 •

edited

Loading