yyang Posted November 25, 2014 Share Posted November 25, 2014 Hello, I am trying to bruteforce one of the VM machine running FTP server using metasploit framework but it does not work for me well for some reason. I mean ftp_login does not try all passowrds in the list. Does anyone know what might be wrong? Thanks. nmap -p 21 192.168.33.203Starting Nmap 6.40 ( http://nmap.org ) at 2014-11-20 02:16 EST Nmap scan report for 192.168.33.203Host is up (0.11s latency).PORT STATE SERVICE21/tcp open ftpMAC Address: 00:50:56:AF:23:93 (VMware) msf auxiliary(ftp_login) > set RHOSTS 192.168.33.203RHOSTS => 192.168.33.203msf auxiliary(ftp_login) > set USER_FILE /usr/share/wordlists/user.txtUSER_FILE => /usr/share/wordlists/user.txtmsf auxiliary(ftp_login) > set PASS_FILE /usr/share/wordlists/rockyou.txtPASS_FILE => /usr/share/wordlists/rockyou.txtmsf auxiliary(ftp_login) > set THREADS 50THREADS => 50msf auxiliary(ftp_login) > run [*] 192.168.33.203:21 - Starting FTP login sweep[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:123456 (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:12345 (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:123456789 (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:password (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:iloveyou (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:princess (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:1234567 (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:rockyou (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:12345678 (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:abc123 (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:nicole (Unable to Connect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:daniel (Unable to Connect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:babygirl (Unable to Connect: ) [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed Quote Link to comment Share on other sites More sharing options...
cooper Posted November 25, 2014 Share Posted November 25, 2014 Your FTP server only allows 10 concurrent connections yet you're trying 50. I'm guessing metasploit sees 3 failed connection attempts, assumes the host is down and stops the attack altogether. Quote Link to comment Share on other sites More sharing options...
yyang Posted November 25, 2014 Author Share Posted November 25, 2014 But I changed threads to be 1 and tried again. It does not make much difference. Any other idea? Thanks. msf auxiliary(ftp_login) > set THREADS 1THREADS => 1msf auxiliary(ftp_login) > run [*] 192.168.33.203:21 - Starting FTP login sweep[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:123456 (Unable to Connect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:12345 (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:123456789 (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:password (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:iloveyou (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:princess (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:1234567 (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:rockyou (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:12345678 (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:abc123 (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:nicole (Incorrect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:daniel (Unable to Connect: )[-] 192.168.33.203:21 FTP - LOGIN FAILED: root:babygirl (Unable to Connect: ) [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed Quote Link to comment Share on other sites More sharing options...
digininja Posted November 25, 2014 Share Posted November 25, 2014 have you tried using a password file with just a few entries in it, one of them the pasword? Have you checked the FTP log files to see if they give any extra info? Quote Link to comment Share on other sites More sharing options...
cooper Posted November 26, 2014 Share Posted November 26, 2014 Yeah. It smells like your FTP server is smart enough to see the attack going on and to outright block your IP or some such. The FTP logs should give more insight. See if you can implement some sort of delay between attempts. Quote Link to comment Share on other sites More sharing options...
yyang Posted November 27, 2014 Author Share Posted November 27, 2014 Ok. I just tried to set BRUTEFORCE_SPEED to 0, and run it again. 3 more passowrds tried this time but "Unable to connect" again after that. Is there any other options to modify the delay in this module or should I suppose this machine is not vulnerable to brute force attack and give up? Thanks. Quote Link to comment Share on other sites More sharing options...
cooper Posted November 27, 2014 Share Posted November 27, 2014 The more sensible approach in the situation as you described it is to post the relevant info from the FTP logs, which probably say you're trying logins in too close succession. The fact that you don't mention the FTP side worries me (you don't have access or you didn't bother to look in spite of our recommendations). Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.