Nmap Announce mailing list archives

FTP Bounce Attack question and suggestion


From: Tom Curtis <tomcrts () uswest net>
Date: Sun, 21 Nov 1999 08:25:11 -0700 (MST)


Hello everyone,

I have been waiting patiently for someone else to ask the question I have;
since no one has, I finally decided to come out of the closet and ask the
question here in this forum for myself.

I have managed to locate a few "creaky old" FTP servers that seem to
permit me to use the FTP Bounce option, however the results I get are not
accurate.  The option becomes even more inaccurate it seems when I scan a
class C range.  This may be a "bug" in the current alpha version of nmap,
(I can't say for sure because I did not test this feature in earlier
versions).  I am assuming others who have tried this option have had
similar results.

Additionally, a scanner called "sockcheck.c" is posted on rootshell that
will scan a list of IP addresses and test them for unsecure
proxies.  This has been recently enhanced to scan THROUGH an unsecure
socks proxy, sockcheck2.c, (which has not yet been made public). It
appears to be extremely accurate, (even though it's a bit slow), and over
the past few weeks I have been able to locate several hundred additional
unsecure proxies using it. Unsecure proxies can be used in conjunction
with a bouncer, (like sockbounce.c), for telnet, ftp, http, &
nntp connections.  I believe this same technique could be incorporated
into nmap to scan ranges of ports and IPs like the FTP Bounce Attack.

I'd be happy to share the source code for sockcheck2.c and the bouncer
with anyone that could write a patch for nmap that would add the option of
a "Socks Bounce Attack".

Tom
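The "creaky old" FTP servers the post refers to are ones that honour a PORT command pointing at a host other than the client that issued it, which is what makes the FTP bounce scan possible in the first place. The following is an added example, not code from the post, from nmap, or from any FTP daemon: it shows the server-side check that modern FTP implementations apply to refuse such PORT commands (data-connection target must equal the control-connection peer and must be an unprivileged port), and a small sweep over a constructed FTP command log that flags bounce attempts after the fact. The log format (`<peer_ip> <command line>`), the addresses, and the function names are all assumptions made for the example.

```python
import re

# Argument of an FTP PORT command as defined in RFC 959: h1,h2,h3,h4,p1,p2
PORT_ARG = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_arg(arg):
    """Return (ip, port) from a PORT argument, or None if it is malformed."""
    m = PORT_ARG.match(arg.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def port_command_allowed(peer_ip, arg):
    """Decide whether a PORT command from the control-connection peer should be honoured.

    Returns (allowed, reason).  A data-connection target that is not the
    client which issued the command is the bounce condition; privileged
    target ports are refused as well, since a legitimate client's listening
    socket sits on a high port.
    """
    parsed = parse_port_arg(arg)
    if parsed is None:
        return False, "malformed PORT argument"
    ip, port = parsed
    if ip != peer_ip:
        return False, f"PORT target {ip} differs from control peer {peer_ip} (bounce)"
    if port < 1024:
        return False, f"PORT target port {port} is privileged"
    return True, "ok"


# Constructed sample of an FTP server's command log (hypothetical format):
# "<peer_ip> <command line>".  Addresses are from the documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 USER anonymous
203.0.113.10 PORT 203,0,113,10,8,12
203.0.113.10 PORT 198,51,100,7,0,22
203.0.113.10 PORT 198,51,100,7,0,80
203.0.113.10 PORT 203,0,113,10,4,1
203.0.113.10 QUIT
"""


def find_bounce_attempts(log_text):
    """Return (peer_ip, target_ip, target_port) for every PORT command aimed at a third host."""
    hits = []
    for line in log_text.splitlines():
        try:
            peer, cmd, arg = line.split(" ", 2)
        except ValueError:
            continue  # lines without an argument (e.g. QUIT) cannot be PORT commands
        if cmd.upper() != "PORT":
            continue
        parsed = parse_port_arg(arg)
        if parsed and parsed[0] != peer:
            hits.append((peer, parsed[0], parsed[1]))
    return hits


if __name__ == "__main__":
    for peer, target_ip, target_port in find_bounce_attempts(SAMPLE_LOG):
        print(f"bounce attempt from {peer} towards {target_ip}:{target_port}")
```

The same comparison explains why a bounce scan through a permissive server gives unreliable results: the scanner only learns whether the server's data connection to the target succeeded, and any server that does not distinguish "connection refused" from other failures in its reply will produce the inconsistent port lists the post describes.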


