Password Cracking

How to Crack FTP Password – Multiple Brute-Force Tool


Hackers often find interesting files in the most common places, one of which is FTP servers. Sometimes they get lucky and anonymous login is enabled, which means that anyone can just log in. In most cases, though, a valid username and password are required. There are a few ways to brute-force FTP credentials and gain access to the server.

File Transfer Protocol (FTP) is a network protocol used to transfer files. It uses a client-server model in which users connect to the server with an FTP client. Authentication uses a username and password, usually transmitted in plain text, and the server can also allow anonymous login when that is enabled.

FTP runs on port 21 by default but can be configured to run on a non-default port. It is commonly used in web development and can be found in any large organization where file transfers are important.

 

Table of Tools :

      • Hydra
      • X-Hydra
      • Metasploit
      • Ncrack
      • Medusa
      • Patator

 

Requirements :

  • Kali Linux ( Any Linux )
  • Termux Kali Linux

 


Hydra

Hydra is usually the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, and many more.

Now we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali ships with a wide range of wordlists built in.

Run the following command

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.58.213 ftp

-L: denotes path for username list

-P: denotes path for the password list

Once the command is issued, Hydra starts the dictionary attack and reports the correct username and password as soon as a match is found. As you can see we have successfully captured the FTP username as suman and password is a hack.

 

X-Hydra

 

This is the graphical version of Hydra, which runs the same dictionary attack against the FTP port. For this method to work:

Open xHydra in Kali. Then select the Single Target option and provide the IP of your victim PC. Next, select FTP in the box next to the Protocol option and enter port number 21 in the Port option.

 

Now, go to the Passwords tab and select Username List and provide the path to your text file, which contains usernames, in the box next to it.

Then select Password List and provide the path to your text file, which contains all the passwords, in the box next to it.

After you do this, go to the Start tab and click the Start button on the left.

Now, the dictionary attack process will begin. Therefore, you will get your victim’s username and password.


Metasploit

The last tool we will use to brute-force FTP credentials is Metasploit. Start by typing msfconsole in the terminal. From there, we can search for any FTP-related modules using the search command:

This module tests FTP logins on a range of machines and reports successful logins. If you have loaded a database plugin and connected to a database, the module records successful logins and hosts so you can track your access.

Open the Kali terminal and type: msfconsole

Now type

 use auxiliary/scanner/ftp/ftp_login
msf exploit (ftp_login)> set rhosts 192.168.58.213
msf exploit (ftp_login)> set user_file /root/Desktop/user.txt
msf exploit (ftp_login)> set pass_file /root/Desktop/pass.txt
msf exploit (ftp_login)> set stop_on_success true
msf exploit (ftp_login)> exploit

From the image below you can see that we have successfully captured the FTP username and password.

 

Ncrack

Ncrack is a high-speed network authentication cracking tool. It is designed to help companies protect their networks by proactively testing all of their hosts and network devices for weak passwords.

Run the following command

ncrack -v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.58.213

-U : denotes path for username list

-P : denotes path for the password list

We can also specify the port number explicitly, which is useful if the service is running on a non-default port. Using the -v flag gives us even more information:

As you can see we have successfully captured FTP username as suman and password is a hack.

 

Medusa

Medusa is intended to be a fast, highly parallel, modular login brute-forcer. It supports multiple protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, and VNC, to name a few.

Run the following command

medusa -h 192.168.58.213 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M ftp
  • -h : flag specifies the host
  • -U : flag specifies the list of usernames
  • -P : flag specifies the list of passwords
  • -M : flag specifies the module to use

As you can see we have successfully captured FTP username as suman and password is a hack.

 

Patator

Patator is a multi-purpose brute-forcer with a modular design and flexible usage. It was written out of frustration with using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password guessing attacks. It is useful for brute-force attacks against several services such as FTP, HTTP, SMB and more.

The main thing to remember is that the username and password files are passed through numbered placeholders. We set the user to FILE0 and the password to FILE1, then assign each file to the matching number (0= and 1=). Don't forget to set the host, and it is ready to go:

patator ftp_login host=192.168.58.213 user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt

 

From the given image below you can see that the dictionary attack process begins and that way, you will get your victim’s username and password.

 

How To Prevent FTP Brute-Force Attacks

If you run FTP, there is a good chance you will see tons of brute-force attempts every day, many of which are likely to be automated. However, there are a few steps you can take to reduce the risk of a successful attack.

Probably the easiest thing to do is not to use FTP at all if it is not needed. Doing so eliminates the problem. If it is needed, consider running it on a non-standard port, which will eliminate most, if not all, automated brute-force attempts.

Using a service like Fail2ban in conjunction with appropriate firewall rules will greatly reduce the chances of a compromise. And like anything else, using strong passwords that are hard to crack will block everyone except the most determined attackers.
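The dictionary attacks shown earlier leave a distinctive trail in the server log, and that trail is what a tool like Fail2ban acts on. The following is an added example, not part of the original article: it counts failed logins per source IP in a sliding time window and also reports any successful login that follows a flagged burst. The vsftpd-style log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape: vsftpd's own log format (not the xferlog format).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)

# Constructed sample log: one source guessing logins, one user with a typo.
SAMPLE_LOG = """\
Mon Jan  8 10:15:01 2024 [pid 2] [admin] FAIL LOGIN: Client "192.168.58.10"
Mon Jan  8 10:15:03 2024 [pid 2] [root] FAIL LOGIN: Client "192.168.58.10"
Mon Jan  8 10:15:04 2024 [pid 2] [ftpuser] FAIL LOGIN: Client "192.168.58.77"
Mon Jan  8 10:15:05 2024 [pid 2] [suman] FAIL LOGIN: Client "192.168.58.10"
Mon Jan  8 10:15:07 2024 [pid 2] [suman] FAIL LOGIN: Client "192.168.58.10"
Mon Jan  8 10:15:09 2024 [pid 2] [test] FAIL LOGIN: Client "192.168.58.10"
Mon Jan  8 10:15:20 2024 [pid 2] [ftpuser] OK LOGIN: Client "192.168.58.77"
Mon Jan  8 10:15:31 2024 [pid 2] [suman] OK LOGIN: Client "192.168.58.10"
"""

def detect_bruteforce(lines, max_fails=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= max_fails failed logins inside `window`."""
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    users = defaultdict(set)         # ip -> every username it failed on
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # ignore transfers and unrelated lines
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        ip, user = m["ip"], m["user"]
        if m["result"] == "FAIL":
            users[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:    # slide the window forward
                q.popleft()
            if len(q) >= max_fails and ip not in alerts:
                alerts[ip] = {"flagged_at": ts, "users_tried": users[ip],
                              "logins_after_flag": []}
        elif ip in alerts:
            # A success from a flagged source means a guess probably worked.
            alerts[ip]["logins_after_flag"].append(user)
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG.splitlines()))
```

Any account listed under logins_after_flag should be treated as compromised: reset its password and review what the session accessed.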

Conclusion

Today, we explored FTP and how to brute-force its authentication using various tools. We covered Ncrack, Medusa, Hydra, Patator, and Metasploit, and looked at specific ways to prevent these types of attacks. FTP may seem like a boring target, but its widespread use makes it a frequent one.
