Web penetration test - 5. Brute force cracking vulnerability - (3) FTP password cracking

File transfer protocol （File Transfer Protocol：FTP） Is a set of standard protocols for file transfer on the network , It works in OSI The seventh layer of the model , TCP The fourth layer of the model , The application layer , Use TCP Transmission, not UDP, The client has to go through a “ Three handshakes ” The process of , Ensure that the connection between the client and the server is reliable , And it's connection oriented , Provide reliable guarantee for data transmission .
FTP Allow users to operate in the form of files （ Such as the addition of documents 、 Delete 、 Change 、 check 、 Transmission, etc ） Communicate with another host . However , Users do not really log in to the computer they want to access and become full users , You can use FTP Programs access remote resources , Realize the round-trip transmission of files by users 、 Directory management, access to e-mail, etc , Even though both computers may be equipped with different operating systems and file storage methods .
Default TCP port 21.

One 、hydra

Hydra Is a parallel login cracker , It supports multiple attack protocols . It's very fast and flexible , And new modules are easy to add .kali Toolset integrated .

hydra Project address ：https://github.com/vanhauser-thc/thc-hydra/releases Full version

hydra Support ：
Cisco AAA、Cisco auth、Cisco enable、CVS、FTP、HTTP(S)-FORM-GET、HTTP(S)-FORM-POST、HTTP(S)-GET、HTTP(S)-HEAD、HTTP- agent 、ICQ、IMAP、IRC、LDAP、MS-SQL、MySQL、NNTP、Oracle The listener 、Oracle SID、PC-Anywhere、PC-NFS、POP3、PostgreSQL、RDP、Rexec、Rlogin、Rsh、SIP、SMB(NT) 、SMTP、SMTP enumeration 、SNMP v1+v2+v3、SOCKS5、SSH（v1 and v2）、SSHKEY、Subversion、Teamspeak (TS2)、Telnet、VMware-Auth、VNC and XMPP`.

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt IP ftp

-L： Specify the user name dictionary path
-P： Specify password dictionary path

Two 、Medusa

Medusa It's a fast one 、 A parallel and modular login brute force cracker . The goal is to support as many services as possible that allow remote authentication .kalikali Toolset integrated .

file ：
www.foofus.net/jmk/medusa/medusa.html
Source code ：
https://github.com/jmk-foofus/medusa
https://github.com/jmk-foofus/medusa/archive/2.2.tar.gz

The main functions are as follows ：
1、 Thread based parallel testing ： It can target multiple hosts at the same time 、 The user or password performs a brute force test .
2、 Flexible user input ： Target information can be specified in a number of ways （ host / user / password ）. for example , Each item can be a single item , It can also be a file that contains multiple entries . Besides , The combined file format allows users to refine their target list .
3、 Modular design ： Each service module acts as an independent .mod File exists . This means that the list of supported services can be extended for brute force cracking without any modification to the core application .
4、 Support multiple protocols ： Many services are currently supported （ for example SMB、HTTP、POP3、MS-SQL、SSHv2 etc. ）.

medusa -h IP -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M ftp

-U： Indicates the path to the user name list
-P： Indicates the path to the password list
-M： Specify the burst parameter type

3、 ... and 、Ncrack

Ncrack Is a high-speed network authentication cracking tool . It aims to help companies protect their networks by proactively testing all their hosts and network devices for password errors .Ncrack Is to use a modular approach 、 Be similar to Nmap Command line syntax and dynamic engine design that can adjust its behavior according to network feedback . It allows fast and reliable large-scale auditing of multiple hosts .kali Toolset integrated .

Ncrack The functionality of the includes a very flexible interface , Allow users to have complete control over network operations , Allow very complex brute force attacks , Easy to use timing templates , Be similar to Nmap The runtime interaction of . Supported protocols include SSH、RDP、FTP、Telnet、HTTP(S)、Wordpress、POP3(S)、IMAP、CVS、SMB、VNC、SIP、Redis、PostgreSQL、MQTT、MySQL、MSSQL、MongoDB、Cassandra、WinRM、OWA , and DICOM

Project address ：https://nmap.org/ncrack/

ncrack –v -U /root/Desktop/user.txt -P /root/Desktop/pass.txt IP:21

-U： Indicates the path to the user name list
-P： Indicates the path to the password list
-v： Increase the level of detail （ Use twice or more for better results ）

Four 、Patator

Patator For the use of Hydra、Medusa、Ncrack、Metasploit Module and Nmap NSE The script is written to thwart password guessing attacks . I chose a different approach , So as not to create another brute force cracking tool and avoid repeating the same shortcomings .Patator It's a use. Python Write multithreading tools , It strives to be more reliable and flexible than its predecessors .

Project address ：https://github.com/lanjelot/patator

patator ftp_login host=IP user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt

5、 ... and 、Metasploit

use auxiliary/scanner/ftp/ftp_login
msf exploit (ftp_login)>set rhosts IP
msf exploit (ftp_login)>set user_file /root/Desktop/user.txt
msf exploit (ftp_login)>set pass_file /root/Desktop/pass.txt
msf exploit (ftp_login)>set stop_on_success true
msf exploit (ftp_login)> exploit