Thursday, June 28, 2012

BackTrack and Metasploitable 2 - Brute Forcing FTP

Metasploitable 2 is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. You can download Metasploitable 2 here. I will be using BackTrack 5 R2 to test and exploit the Metasploitable virtual machine.

Getting started is easy. Start your BackTrack and Metasploitable VMs and make sure they can communicate with each other. If they can't ping each other, make sure they have the proper addresses (you may need to run 'dhclient' on your BackTrack machine). Now that our machines can talk to each other, let's use BackTrack to see what's running on Metasploitable. We are going to use nmap for this, with the -sV flag to enable version detection, which gives us more information about the services it finds.

This nmap scan tells us there are a lot of open services. In this post I am going to focus on FTP, and in following posts I will be concentrating on SSH and Telnet. These three services are extremely useful for attackers when trying to gain access to a system. These services should be disabled if not needed or at least strongly protected. Starting with the first service found, let's get access via FTP:

Brute Forcing FTP Using xHydra

Most attackers will check whether anonymous FTP is enabled before doing anything else. In most environments anonymous FTP should be disabled. The next step would be brute forcing an authenticated account. I used xHydra to do this because it provides a nice GUI.
Putting in our target:

Entering our username(s) and password(s). Here I am using a small list for testing purposes. Larger lists can be found at Skull Security.

The only thing I changed in the Tuning window was the Number of Tasks.
Under the Specific tab, the only thing I added was the "http / https url", which is your target IP address.

Start! Because I used small wordlists with credentials I knew would work, it didn't take very long before we got a hit!

Here is the result: logged in using msfadmin:msfadmin.
To make things look nice, I connected with the same credentials using FireFTP.
Done! Using the brute force method does not always work, but if an attacker does their reconnaissance and gets enough information about their target, they can be rather successful.
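
From the defender's side, the run described in this post shows up in the FTP server log as a burst of failed logins from one client followed by a success. The script below is an added example, not part of the original post. It assumes vsftpd-style log lines; the sample lines, client addresses, thresholds and the user alice are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the vsftpd.log line format (assumed FTP daemon).
# 192.168.56.101 plays the brute-forcing client; 192.168.56.50 is a user who mistyped once.
SAMPLE_LOG = """\
Thu Jun 28 10:15:01 2012 [pid 3101] [root] FAIL LOGIN: Client "192.168.56.101"
Thu Jun 28 10:15:02 2012 [pid 3102] [admin] FAIL LOGIN: Client "192.168.56.101"
Thu Jun 28 10:15:02 2012 [pid 3103] [user] FAIL LOGIN: Client "192.168.56.101"
Thu Jun 28 10:15:03 2012 [pid 3099] [alice] FAIL LOGIN: Client "192.168.56.50"
Thu Jun 28 10:15:04 2012 [pid 3104] [msfadmin] FAIL LOGIN: Client "192.168.56.101"
Thu Jun 28 10:15:05 2012 [pid 3105] [msfadmin] FAIL LOGIN: Client "192.168.56.101"
Thu Jun 28 10:15:06 2012 [pid 3106] [msfadmin] FAIL LOGIN: Client "192.168.56.101"
Thu Jun 28 10:15:07 2012 [pid 3107] [msfadmin] OK LOGIN: Client "192.168.56.101"
Thu Jun 28 10:15:20 2012 [pid 3099] [alice] OK LOGIN: Client "192.168.56.50"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)

def parse(log_text):
    """Yield (timestamp, client_ip, user, result) for every login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["ip"], m["user"], m["result"]

def detect_bruteforce(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Flag clients with >= max_failures failed logins inside the sliding window,
    and record accounts that logged in successfully right after such a burst."""
    recent = defaultdict(list)  # client ip -> failure timestamps still inside the window
    alerts = {}
    for ts, ip, user, result in parse(log_text):
        recent[ip] = [t for t in recent[ip] if ts - t <= window]
        if result == "FAIL":
            recent[ip].append(ts)
            if len(recent[ip]) >= max_failures:
                alert = alerts.setdefault(ip, {"failures": 0, "success_after": []})
                alert["failures"] = max(alert["failures"], len(recent[ip]))
        elif ip in alerts and recent[ip]:
            alerts[ip]["success_after"].append(user)  # likely guessed credentials
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

An account listed under `success_after` should have its password reset, and the flagged client address is a candidate for rate limiting or blocking.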
