Brute-Force FTP Credentials & Get Server Access
Hackers often find fascinating files in the most ordinary of places, one of those being FTP servers. Sometimes, luck will prevail, and anonymous logins will be enabled, meaning anyone can just log in. But more often than not, a valid username and password will be required. But there are several methods to brute-force FTP credentials and gain server access.
About Network
How to Prevent FTP Brute-Force Attacks
If you are running FTP, chances are you're going to see tons of brute-force attempts daily, most of which are probably automated. Regardless, there are a few steps you can take to mitigate the risk of a successful attack.
Perhaps the easiest thing to do is not run FTP at all if it isn't needed. Doing so eliminates the problem. If it is essential, consider putting it on a non-standard port, which will remove most, if not all, automated brute-force attacks.
Using a service like Fail2ban alongside proper firewall rules will also drastically cut down the likelihood of compromise. And like anything else, using strong passwords that are difficult to crack will dissuade all but the most determined attackers.
Learn moreFile Transfer Protocol is a network protocol used to transfer files. It uses a client-server model in which users can connect to a server using an FTP client. Authentication takes place with a username and password, typically transmitted in plaintext, but can also support anonymous logins if available.
FTP usually runs on port 21 by default but can be configured to run on a non-standard port. It is often used in web development and can be found in pretty much any large organization where file transfer is essential.
Today, we explored FTP and how to brute-force credentials using a variety of tools. We covered Ncrack, Medusa, Hydra, Patator, and Metasploit, and we touched on some ways to prevent these types of attacks. FTP might seem like a boring target, but its prevalence makes it worth knowing how to attack.
Initial Setup
Before we begin, let's run a simple Nmap scan on our target to make sure the FTP service is present. We will be using Metasploitable 2 as the target and Kali Linux as the attacking machine.
Great, it looks like it's up and open.
Next, let's create two text files, one for usernames and one for passwords. In a real engagement, we'd want to use files with much larger data sets, but for demonstration purposes, we'll keep these short to speed up the whole process.
Ncrack
The first tool we'll look at today is Ncrack. Simply type ncrack in the terminal to display the usage information and available options:
As you can see, there are a lot of options here, but for now, we'll stick to the basics.
We can use the -U flag to set the file containing usernames, and the -P flag to set the file containing passwords. Then, specify the service (FTP) followed by the IP address of our target:
We can see it discovered credentials for user and ftp; the multiple hits are because anonymous logins are allowed for that user, making any password a valid password.
We can also specify the port number explicitly, which is useful if a service is running on a non-default port. Using the -v flag gives us a little more information as well:
Medusa
The next tool we'll explore is Medusa. Type medusa in the terminal to see the options:
We need to know what modules are available before we can run the tool — use the -d option to dump all modules:
Fire it off, and we can see it in action:
We can see it found a couple of valid credentials.
Hydra
Now, let's go over Hydra. Type hydra at the command line to view syntax and options:
Adding the -h flag will give us a bit more options as well as some usage examples:
We can use the -L flag to set the username list, the -P flag to set the password list, and much like we did with Ncrack, specify the service and target IP address:
If the service isn't running on the default port, we can use the -s option to specify whatever port number it's running on:
Patator
The next tool we'll look at is Patator. Type patator in the terminal to see the available modules:
As you can see, the tool can do a lot. But since we're only concerned with FTP, we can see the help menu with the following command:
That gives us module options, global options, and some syntax examples. Patator is a little more complicated than the previous tools we've covered, but it offers a ton of flexibility in return.
The biggest thing to keep in mind is that we need to set variables for the username and password files. We can accomplish that by setting user to FILE0 and password to FILE1. Next, we simply set the files to the appropriate number. Don't forget to set the host, then we're ready to go:
We can see that we get a few successful hits.
Patator has a useful option to ignore specific parameters, meaning we can choose to display only the successful logins. Use the -x flag to ignore invalid login messages:
That makes the output a little cleaner, so it's easier to see what's going on.
Metasploit
The last tool we'll use to brute-force FTP credentials is Metasploit. Launch it by typing msfconsole in the terminal. From there, we can search for any modules related to FTP using the search command:
We want the ftp_login module, so load it with the use command:
Type options to take a look at the current settings:
First, we need to set the IP address of our target:
Next, specify the file containing the list of usernames:
And do the same for the passwords:
That should be all we need, so type run to start the scan:
We can see all the available pairs it tries to brute-force, and we end up with a couple of successful logins.
Wrapping Up
Today, we explored FTP and how to brute-force credentials using a variety of tools. We covered Ncrack, Medusa, Hydra, Patator, and Metasploit, and we touched on some ways to prevent these types of attacks. FTP might seem like a boring target, but its prevalence makes it worth knowing how to attack.