RE: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd?

["Kenepp, Donald" <dkenepp () icgcommerce com>]

Hi Chip,

  You don't want or need to hack his server.  Honestly, you can brute
force anything given time and resources.  It's just a matter of having
enough of each and some reason to make it worthwhile.

  The easiest way to demonstrate the problem with FTP is to gather FTP
passwords with a network protocol sniffer like Wireshark (formerly
Ethereal).  Just have him install the free packet sniffer, and show him
that every time he puts in his FTP password, anyone with access to a
server or network he routes through between his computer and his FTP
site can read his username and password in plain-text.  While Wireshark
analysis can be complex, just starting a capture, finding the FTP
packets, and reading them when you know they are coming should be pretty
straight-forward.  You can also have him look at a http login packet vs.
an https site packet.

  Cracking the password doesn't demonstrate much.  The point is that
with old protocols like FTP, you don't need to crack the password.  You
can just read it in standard network traffic.  SFTP or FTP over SSH
encrypts the username/password before it goes over the wire.

  - Don

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Chip Panarchy
Sent: Friday, October 10, 2008 10:23 AM
To: security-basics () securityfocus com; pen-test () securityfocus com
Subject: Cracking FTP password so that I can convince people not to use
FTP, and to instead use SFTP? How do I crack the pwd?

Hello

I was wondering if I could have some help in 'hacking'/'cracking' an FTP
site.

I know that FTP is a very old protocol... so I'm certain that there
are many holes in it. Especially in one that hasn't been maintained
for a few years.

How do I crack the password on the FTP site so that I can use that to
convince the owner of the site (a friend of mine) to switch to SFTP?

I really want to know, because no matter how hard I argue with him,
there still is no comparison to cold hard evidence. I've been trying
to convince him for the last month, but he won't budge. Finally I got
him to give me permission to attempt to hack his FTP site.

So please tell me what method I can use to hack the FTP site.

Thanks in advance,

Chip Panarchy

**********************************************************************
This e-mail is intended for the use of the addressee(s) only and may contain privileged, confidential, or proprietary 
information of ICG Commerce.  If you have received this message in error, please e-mail administrator at postmaster () 
icgcommerce com, then delete the e-mail and destroy any printed copy.   ICG Commerce reserves the right to retain, 
archive, use and disclose any emails that are sent from or to this email address. Thank you.

www.icgcommerce.com

**********************************************************************