|
Title: How to hack FTP? Post by: scucci on September 19, 2008, 01:01:05 PM I posted a recent topic regarding securing FTPand now I'm curious in finding a way to hack my FTP server. I want to see if this is possible and learn how to protect it. Are there any known methods or tools that you recomend? I know that FTP sends all data (credentials/files) in clear text, and I want to show this to management.
Also is there a non-intrusive way to secure FTP from a users point of view? We still want them to loging to FTP via their browser or client without having to install any software on their side? Thanks, Scucci Title: Re: How to hack FTP? Post by: BillV on September 19, 2008, 02:24:14 PM Sniffing - Wireshark (http://www.wireshark.org)
Logon Attack - THC-Hydra (http://freeworld.thc.org/thc-hydra/) And you could always exploit the software running the FTP service. I'm not sure I understand your other question. You would secure your FTP service on the server side.... BillV Title: Re: How to hack FTP? Post by: sgt_mjc on September 19, 2008, 02:27:59 PM A favorite tool if you are using a Windows PC is Cain & Able. Good Windows Swiss Army knife type tool.
Title: Re: How to hack FTP? Post by: scucci on September 19, 2008, 08:42:53 PM I guess I didn't make myself that clear in the last post, its kinda of a 2 part question.
1. I know that FTP is not secure and I want to try and crack our current FTP site. I'm currently researching ways to do this. I was wanted to know how to view data and credentials as they're going on the wire. I've read that it passes data in clear text, so i wanted to try and capture this. Is this only possible internally or can this be done externally from the network. 2. Secondly, since FTP does pass everything in clear text I wanted to know a few solutions to secure FTP that wouldn't require a different experience from the users. Is this possible to do without having them download a different client or accessing in a different way. thanks again, matt Title: Re: How to hack FTP? Post by: sgt_mjc on September 19, 2008, 10:15:47 PM If you are running Cain on your box, it can intercept FTP credentials. Wireshark will give you a raw view of the traffic. Try looking into SFTP. Good luck.
Title: Re: How to hack FTP? Post by: wishi on October 17, 2008, 10:42:29 AM Why not reverse the client's source a bit. Most times there's a off-by-one or other option to exploit it.
Hydra - guess it's just not my style. You could try Medusa or John, or even CUDA API in C - and speed this up as long as you know whether the policy isn't harmed, causing logfiles. Therefore footprint that before you start anything. Have fun, wishi Title: Re: How to hack FTP? Post by: Dave 1 on September 02, 2010, 10:19:06 AM I need a hacker to gain access to my websites ftp details. a host is with holding them from me. but I need it doing before tommorrow 12 noon.
Title: Re: How to hack FTP? Post by: H1t M0nk3y on September 02, 2010, 10:34:26 AM @Dave 1: This is an ETHICAL hacker site. We don't do illegal stuff here.
Title: Re: How to hack FTP? Post by: Dave 1 on September 02, 2010, 10:55:42 AM Is it illegal if its my website?
Title: Re: How to hack FTP? Post by: H1t M0nk3y on September 02, 2010, 11:56:47 AM Quote a host is with holding them from me Why does this host holding your FTP site? You can hack your own stuff in your own lab with tools you own, but other than that, you would need a written permission to do a pentest. And if someone is holding your web site against you, he would probably not sign anything... Title: Re: How to hack FTP? Post by: White ghost on October 31, 2011, 03:09:45 AM You can hack the ftp server with ncrack
ncrack is a backtrack linux tool (and back track is a linux distribution for pentration test its free) but you can download ncrack for windows its a command line application and here is the example of it ncrack -v --user admin 192.168.10.1:21 Title: Re: How to hack FTP? Post by: millwalll on October 31, 2011, 04:29:41 AM All the above methods would work fine. Most people would try brute force the account if there was no lock out using hydra or another tool. Using wireshark would work too as long you had access to the network to sniff the traffic this would be the most effect as FTP is not a secure protocol and transfer everything in plain text.
Title: Re: How to hack FTP? Post by: 3xban on October 31, 2011, 09:06:59 AM Careful WhiteGhost, we had another user come in and look for someone to hack a site for them that wasn't the OP.
But to the OP, what you may want to prove is that the FTP site is seceptible to a Man-in-the-middle attack since FTP uses cleartext credentials. Explain to them that SFTP is the prefered method of transfering files to customers and partners. It is run over a Secure Shell (SSH) session which utilizes an encrypted tunnel. The cost is low for implmenting a SFTP solution. And yes the best way to show them is the use of a sniffer and a tool lilke Cain. Ha! you can get elaborate and utlize the SET to clone the FTP site and show them how someone can socially engineer users to gain access to their credentials :D Title: Re: How to hack FTP? Post by: ev0wpnz on November 08, 2011, 08:42:32 PM scucci,
FTP is an inherently insecure protocol due to the fact that it uses plain-text and allows anonymous logins. There are also a lot of the FTP applications that are vulnerable to remote exploitation. An example of one vulnerable application would be wu-ftpd. I think 3xban did a great good of answering your question an I mostly just reiterating what he said. Performing an Man-in-the-middle using ARP poisoning and using something like ettercap/cain&able to grab the credentials as someone logs into them would be the simplest way. You could aslo exploit the service although this does not prove that the protocol itself is insecure just the particular application your using. Here is a good video on Man-in-the-middle: http://www.youtube.com/watch?v=-hd7XG-b6uk Feel free to message me if you have any more questions.
Powered by SMF 1.1.18 |
SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com |