Tuesday, April 3, 2018

Bruteforce (I): attacking an FTP server with BRUTER


- Layout for this exercise:

1 - Bruter: a bruteforce attack tool 

- In cryptography, a brute-force attack consists of an attacker trying many passwords or passphrases with the hope of eventually guessing correctly. 

- The attacker systematically checks all possible passwords and passphrases until the correct one is found. 

- Bruter is a parallel network login brute-forcer on Win32.

- This tool is intended to demonstrate the importance of choosing strong passwords. 

- The goal of Bruter is to support a variety of services that allow remote authentication.

- Downloading Bruter to the attacker machine (Windows 7):

2 - Setting up an FTP server

- Opening the XAMPP Control Panel on the victim machine (Windows 10):

- Starting the FTP server:

- Connecting to the FTP server:

- Adding admin as a user:

- Setting a simple password (123) for the user admin:

- Setting C:\FTPtransfer as the shared folder for the FTP server:

- Entering authentication credentials:

- Access to the FTPtransfers folder is successful:

3 - Bruteforcing the FTP server

- From the attacker machine Windows 7, checking that the port 21 is open at the victim Windows 10 (

- Running Bruter.exe from the attacker against the FTP server (IP, port 21):

3.1) Dictionary

- Choosing the Dictionary option and browsing for a wordlist:

- Starting the attack:

- Finally, the attack succeeds and the password (123) is revealed:

3.2) Brute force

- Choosing the Brute force option and setting the Charset and the password length:

- Starting the attack:

- Finally, the attack succeeds and the password (123) is revealed:

- The password was deliberately kept simple because the purpose of this exercise is only to demonstrate how to operate the Bruter tool.

- For more complex passwords, Bruter offers a wide range of predefined Charsets with a greater number of characters, and the Min_Len parameter can be decreased and Max_Len increased.

- Obviously, the disadvantage is that the attack becomes slower and needs a greater amount of resources to run.
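
- Seen from the FTP server, both attacks in section 3 appear as a rapid run of failed logins from a single client, followed by one success. The following is an added example, not part of the original exercise or of Bruter: a small detector that flags that pattern. The log layout, the sample lines, and the names `detect_bruteforce`, `threshold` and `window` are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified "<date> <time> <client-ip> <reply>" layout.
# The layout is an assumption: adapt LINE_RE to the real server's log format.
# 530 = "Not logged in", 230 = "User logged in" (RFC 959 reply codes).
SAMPLE_LOG = """\
2018-04-03 10:00:00 192.0.2.55 530 Login or password incorrect
2018-04-03 10:00:09 192.0.2.55 230 Logged on
2018-04-03 10:05:01 192.0.2.10 530 Login or password incorrect
2018-04-03 10:05:01 192.0.2.10 530 Login or password incorrect
2018-04-03 10:05:02 192.0.2.10 530 Login or password incorrect
2018-04-03 10:05:02 192.0.2.10 530 Login or password incorrect
2018-04-03 10:05:03 192.0.2.10 530 Login or password incorrect
2018-04-03 10:05:03 192.0.2.10 530 Login or password incorrect
2018-04-03 10:05:04 192.0.2.10 230 Logged on
2018-04-03 11:00:00 192.0.2.77 530 Login or password incorrect
2018-04-03 11:10:00 192.0.2.77 530 Login or password incorrect
2018-04-03 11:20:00 192.0.2.77 530 Login or password incorrect
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\d{3})\b")

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs with >= threshold failed logins inside a sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of recent 530 replies
    findings = {}                # ip -> details of the alert
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # skip lines that are not in the assumed layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, code = m.group(2), m.group(3)
        if code == "530":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(
                    ip, {"first_alert": ts, "peak": 0, "login_after_alert": False})
                f["peak"] = max(f["peak"], len(q))
        elif code == "230" and ip in findings:
            # A success after a burst of failures means a guess worked.
            findings[ip]["login_after_alert"] = True
    return findings

if __name__ == "__main__":
    for ip, f in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, f)
```

- In the sample, only 192.0.2.10 is flagged: the single mistyped login from 192.0.2.55 and the widely spaced failures from 192.0.2.77 stay below the threshold, which is also why a per-account lockout or rate limit is needed alongside a per-IP window.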