
Tuesday, April 3, 2018

Bruteforce (I): attacking an FTP server with BRUTER



- Layout for this exercise:





1 - Bruter: a bruteforce attack tool 

- In cryptography, a brute-force attack consists of an attacker trying many passwords or passphrases with the hope of eventually guessing correctly. 

- The attacker systematically checks all possible passwords and passphrases until the correct one is found. 

- Bruter is a parallel network login brute-forcer on Win32.

- This tool is intended to demonstrate the importance of choosing strong passwords. 

- The goal of Bruter is to support a variety of services that allow remote authentication.

- Downloading Bruter to the attacker machine (Windows 7):

https://sourceforge.net/projects/worawita/files/latest/download






2 - Setting up an FTP server

- Opening the XAMPP Control Panel on the victim machine (Windows 10):




- Starting the FTP server:




- Connecting to the FTP server:






- Adding admin as user:




- Setting a simple password (123) for the user admin:





- Setting C:\FTPtransfer as the shared folder for the FTP server:




- Entering authentication credentials:





- Access to the FTPtransfers folder is successful:





3 - Bruteforcing the FTP server

- From the attacker machine (Windows 7), checking that port 21 is open on the victim machine (Windows 10, 192.168.1.6):





- Running Bruter.exe from the attacker against the FTP server (IP 192.168.1.6, port 21):



3.1) Dictionary

- Taking the Dictionary option and browsing for a wordlist:







- Starting the attack:




- Finally the attack is successful because the password (123) is revealed:




3.2) Brute force

- Choosing the Brute force option and setting the Charset and the length of the password:






- Starting the attack:




- Finally the attack is successful because the password (123) is revealed:





- The password was deliberately chosen to be simple, because the purpose of this exercise was just to demonstrate how to operate the Bruter tool.

- For more complex passwords Bruter has a wide range of predefined Charsets with a greater number of characters, in addition to the possibility of decreasing the Min_Len parameter and increasing Max_Len.

- Obviously, the disadvantage would lie in the slowness of the attack, in addition to the greater amount of resources needed to implement it.
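
- On the server side, both the dictionary run (3.1) and the brute-force run (3.2) show up as a burst of failed logins from a single source address. The following is an added example, not part of the original exercise, that flags such bursts with a sliding window. The log line format, the client addresses, the threshold and the window are constructed assumptions, not the real log format of the XAMPP FTP server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: the format and the client addresses are assumptions.
ATTACKER, CLIENT = "192.168.1.5", "192.168.1.20"
SAMPLE_LOG = "\n".join(
    [f"2018-04-03 10:00:0{s} {ATTACKER} USER admin LOGIN_FAILED" for s in range(1, 7)]
    + [f"2018-04-03 10:00:07 {ATTACKER} USER admin LOGIN_OK",
       f"2018-04-03 10:05:00 {CLIENT} USER admin LOGIN_FAILED",
       f"2018-04-03 10:05:20 {CLIENT} USER admin LOGIN_OK"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) "
    r"USER (?P<user>\S+) (?P<result>LOGIN_FAILED|LOGIN_OK)$"
)

def detect_bruteforce(log_text, threshold=5, window_seconds=10):
    """Flag sources with >= threshold failed logins inside a sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = {}                   # ip -> details of the detected burst
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # ignore lines that are not auth events
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "LOGIN_OK":
            # A success from a flagged source means a password was likely guessed.
            if ip in alerts and alerts[ip]["compromised_user"] is None:
                alerts[ip]["compromised_user"] = m["user"]
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"first_alert": m["ts"], "compromised_user": None}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

- The legitimate client that mistypes its password once stays below the threshold, while the source that produced the burst is reported together with the account that was eventually logged into.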