Security Basics mailing list archives
RE: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd?
From: "Kenepp, Donald" <dkenepp () icgcommerce com>
Date: Fri, 10 Oct 2008 14:18:15 -0400
Hi Chip,

You don't want or need to hack his server. Honestly, you can brute force anything given time and resources. It's just a matter of having enough of each and some reason to make it worthwhile.

The easiest way to demonstrate the problem with FTP is to gather FTP passwords with a network protocol sniffer like Wireshark (formerly Ethereal). Just have him install the free packet sniffer, and show him that every time he puts in his FTP password, anyone with access to a server or network he routes through between his computer and his FTP site can read his username and password in plain-text. While Wireshark analysis can be complex, just starting a capture, finding the FTP packets, and reading them when you know they are coming should be pretty straight-forward. You can also have him look at a http login packet vs. an https site packet.

Cracking the password doesn't demonstrate much. The point is that with old protocols like FTP, you don't need to crack the password. You can just read it in standard network traffic. SFTP or FTP over SSH encrypts the username/password before it goes over the wire.

- Don

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Chip Panarchy
Sent: Friday, October 10, 2008 10:23 AM
To: security-basics () securityfocus com; pen-test () securityfocus com
Subject: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd?

Hello

I was wondering if I could have some help in 'hacking'/'cracking' an FTP site. I know that FTP is a very old protocol... so I'm certain that there are many holes in it. Especially in one that hasn't been maintained for a few years.

How do I crack the password on the FTP site so that I can use that to convince the owner of the site (a friend of mine) to switch to SFTP? I really want to know, because no matter how hard I argue with him, there still is no comparison to cold hard evidence.

I've been trying to convince him for the last month, but he won't budge. Finally I got him to give me permission to attempt to hack his FTP site. So please tell me what method I can use to hack the FTP site.

Thanks in advance,
Chip Panarchy
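An added example, not part of the original thread: a defender-side audit of the point made in the reply above, that FTP sends USER and PASS unencrypted on the control channel. The session data is constructed and the function names are hypothetical; the audit reports which logins were exposed and the password length only, never the value.

```python
# Constructed sample: client-to-server lines seen on FTP control channels (TCP 21),
# keyed by (client, server). Not taken from a real capture.
SAMPLE_SESSIONS = {
    ("10.0.0.5", "192.0.2.10"): [
        b"USER chip\r\n",
        b"PASS example-password\r\n",
        b"LIST\r\n",
    ],
    ("10.0.0.7", "192.0.2.10"): [
        b"AUTH TLS\r\n",                  # explicit FTPS upgrade (RFC 4217)
        b"\x16\x03\x01\x00\xa5\x01\x00",  # TLS records follow; no readable commands
    ],
    ("10.0.0.9", "192.0.2.20"): [
        b"USER anonymous\r\n",
        b"PASS guest@example.com\r\n",
    ],
}


def audit_session(client_lines):
    """Return a finding if USER and PASS both crossed the wire unencrypted, else None."""
    user = None
    for raw in client_lines:
        verb, _, arg = raw.rstrip(b"\r\n").partition(b" ")
        verb = verb.upper()
        if verb == b"USER":
            user = arg.decode("ascii", "replace")
        elif verb == b"PASS" and user is not None:
            return {
                "user": user,
                "password_length": len(arg),  # length only, never the value
                "anonymous": user.lower() in ("anonymous", "ftp"),
            }
    return None  # encrypted session or no login observed


def audit(sessions):
    """Map (client, server) to a finding for every session that exposed a login."""
    findings = {}
    for endpoints, lines in sessions.items():
        result = audit_session(lines)
        if result:
            findings[endpoints] = result
    return findings


if __name__ == "__main__":
    for (client, server), f in audit(SAMPLE_SESSIONS).items():
        kind = "anonymous login" if f["anonymous"] else "CLEARTEXT CREDENTIALS"
        print(f"{client} -> {server}: {kind}, user={f['user']}, "
              f"{f['password_length']}-byte password readable on the wire")
```

A session that upgrades with AUTH TLS produces no finding because its later commands are not readable, while a client that falls back to plain USER/PASS after a refused upgrade is still flagged.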
Current thread:
- Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd? Chip Panarchy (Oct 10)
- RE: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd? Kenepp, Donald (Oct 10)
- Re: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd? Jon Kibler (Oct 10)
- Re: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd? p0liX (Oct 10)
- Re: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd? Adriel Desautels (Oct 10)
- Re: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd? Gustavo Castro (Oct 10)
- Re: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd? Tiago 'gouki' Faria (Oct 10)
- Re: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd? Adriel Desautels (Oct 14)