How to use Hydra to brute force an FTP server
It is possible to use Hydra both lawfully and unlawfully. It is up to you to ensure your usage is lawful. Get appropriate permission and approval before attempting a brute-force attack, and handle the information obtained ethically. If you are unsure whether your usage is lawful, do not proceed until you have confirmed that it is. The example below was performed in a lab environment and is for cyber security (Red Team) educational purposes only.
In the "HOW TO" below I will show you how to set up a lab using Windows Server 2022 and install an FTP server using IIS. I will demonstrate how to run a Hydra brute-force attack against an unsecured FTP server and show what the server's log files look like when someone is brute forcing it. After this "HOW TO" you should see why running an unsecured FTP server is not recommended and why you should run SFTP instead.
STEP 1) First, you will need to add the FTP server features from the Server Manager.
STEP 2) Next, click on “Add Roles and Features”. You should see the Before you begin screen:
STEP 3) Click on the Next button. You should see the Select Installation Type screen:
STEP 4) Select “role-based or feature-based installation” and click on the Next button. You should see the destination server selection screen:
STEP 5) Choose “Select a server from the server pool” and click on the Next button. You should see the Select server roles screen:
STEP 6) Select “Web Server (IIS)” from the list and click on the Next button. You should see the Select Features screen:
STEP 7) Click on the Next button. You should see the Select Role Services screen:
STEP 8) Select FTP Server and click on the Next button. You should see the following screen:
STEP 9) Review all configurations and click on the Install button to start the installation. You should see the installation progress screen:
STEP 10) To create a new user, open the Server Manager => Tools and click on Computer Management. You should see the following screen:
STEP 11) In the left panel, click on the Local Users and Groups => Users then right click on the Users => New User. You should see the User Creation screen:
Provide your username and password and click on the Create button. You should see your newly created user in the following screen. In this example I will use ftpuser as the username and Password123! as the password; you will need these when testing the Hydra brute force later in this tutorial.
STEP 12) Open the Server Manager, click on the Tools => Internet Information Server (IIS) Manager. You should see the following screen:
STEP 13) Right click on the Sites => Add FTP Site. You should see the FTP site configuration screen:
STEP 14) Define your FTP Sitename, FTP directory path, and click on the Next button. You should see the port configuration screen:
STEP 15) Define your bind IP address, port, SSL setting and click on the Next button. You should see the FTP authentication configuration screen:
STEP 16) Open a terminal on your Kali Linux machine and type:
a. cd Desktop PRESS ENTER
b. touch passwords.txt PRESS ENTER
c. sudo nano passwords.txt PRESS ENTER
STEP 17) This opens the nano text editor on the passwords.txt file you created with the touch command.
Enter the passwords as seen in the picture on the side, pressing ENTER after each password. When you are done typing:
PRESS CTRL + X
PRESS Y
PRESS ENTER
Note that the password we set for ftpuser on the FTP server is in the list for demonstration purposes. This is a proof of concept!
STEP 18) Type
sudo hydra -l ftpuser -P ./passwords.txt -f ip address ftp
Replace ip address with the IP address of the FTP server. If you don't know the IP address of your FTP server, open a command prompt on the FTP server and type ipconfig.
The -l option specifies a single username. In this demonstration we used "ftpuser", which we already knew. The -L option instead takes a username.txt list, which can contain hundreds of usernames.
The -p option uses a single password, while the -P option uses the "passwords.txt" file, which can contain hundreds if not thousands of passwords.
This lets Hydra try combinations of usernames and passwords based on the size and complexity of the username and password files provided.
Reasons why FTP is insecure, with a Wireshark packet capture & FTP log file example
FTP (File Transfer Protocol) is considered an insecure protocol for several reasons, and its traffic can be easily intercepted and analyzed by network monitoring tools like Wireshark. Here's one reason why FTP is insecure:
Lack of encryption: FTP does not encrypt data during transmission. This means that when you transfer files or log in using FTP, your username, password, and data are sent in plaintext over the network. Anyone with access to the network traffic can intercept and view this information, posing a significant security risk. You can see this in the picture to the right. While using Hydra I ran Wireshark and gathered packets. You can see that passwords and usernames are sent in plain text across the network.
Looking at the FTP log file located in the C:\inetpub\logs\LogFiles\FTPSVC2 directory, you notice that the date & time entries are indicative of a brute-force attack: over a dozen login attempts were made by "ftpuser" at the same time. The source and destination IP addresses have been omitted, but the source IP for the "ftpuser" attempts is the same as well.
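As an added example (not code from the original post), the following Python script applies the same observation to an IIS FTP log: it reads the W3C "#Fields:" header to find the columns, counts PASS commands that were answered with 530 (login failed) per source IP and username, and flags any pair that fails ten or more times inside one minute. The field names and the log lines are assumptions constructed for the demo, not copied from a real server.

```python
# Added example, not code from the original post: flag the brute-force pattern
# described above (many failed logins for one user from one source in a short
# time) in an IIS FTP log. IIS FTP writes W3C extended logs whose "#Fields:"
# header names the columns, so the parser reads that header rather than
# hard-coding positions. Field names and the log lines are assumed/constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 12 failed PASS attempts (sc-status 530) in 12 seconds
# from 192.0.2.10, then one success, plus a single failure from another host.
SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft Internet Information Services 10.0",
     "#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status"]
    + [f"2024-05-01 10:00:{i:02d} 192.0.2.10 ftpuser PASS *** 530 1326" for i in range(12)]
    + ["2024-05-01 10:00:12 192.0.2.10 ftpuser PASS *** 230 0",
       "2024-05-01 10:30:00 198.51.100.7 ftpuser PASS *** 530 1326"]
)

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may repeat after log rollover
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def failed_login_bursts(text, threshold=10, window=timedelta(seconds=60)):
    """Return {(source_ip, user): total_failures} for every source/user pair
    that produced at least `threshold` failed PASS commands inside one `window`."""
    failures = defaultdict(list)
    for e in parse_w3c(text):
        if e.get("cs-method") == "PASS" and e.get("sc-status") == "530":
            ts = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
            failures[(e["c-ip"], e["cs-username"])].append(ts)
    hits = {}
    for key, times in failures.items():
        times.sort()
        start = 0                              # sliding window over sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = len(times)
                break
    return hits

if __name__ == "__main__":
    for (ip, user), n in failed_login_bursts(SAMPLE_LOG).items():
        print(f"possible brute force: {n} failed logins for {user!r} from {ip}")
```

To run it against a real server, pass the contents of a log file from the directory above instead of SAMPLE_LOG; the single failure from the second host is below the threshold and is not reported.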
Due to these vulnerabilities, using FTP for transferring sensitive data over untrusted networks is strongly discouraged. Instead, it is recommended to use more secure alternatives like SFTP (Secure File Transfer Protocol) or FTPS (FTP Secure) that incorporate encryption and better security features to protect data during transmission. These protocols address the security shortcomings of FTP and provide a safer way to transfer files over the internet or other untrusted networks.