RE: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd?



Chip,

Listen to my advice.

If you are looking at tools like Hydra then what you're really looking at is telling your 'client' that he needs secure passwords which are near impossible to crack (and regular changes to the passwords), and an Intrusion Detection System to alert and confine when brute force attempts such as this take place.

As I said, it doesn't matter if you use SFTP or FTP if you're worried about someone cracking the password - that's totally different from worrying about someone eavesdropping on legitimate FTP traffic and stealing the password. If you're worried about that threat then SFTP is the way to go. Then, ensure the client knows about the need for legitimate certificates and the need for the client side to be vigilant for fake certificate errors.

Craig




________________________________________
Craig Wilson
Senior IT Network Administrator & Support Analyst
T. 0207 264 5113
M. 07899895510
F. 02072645101
E. cwilson@xxxxxxxxxxxxxxx
W. http://www.ppilearning.com/
Think Green - Please do not print this email unless you really need to
http://www.ppilearning.com/promotions/winserver2008register.php

This email and any attachments are confidential information and solely intended to be read by the email addressees above. If you inadvertently receive this email, your access is unauthorised and you may not copy, disclose, distribute or otherwise use this email and its contents. If you have received this email in error, please inform us immediately at mailto:SA@xxxxxxxxxxxxxxx and delete all copies from your system. PPI Learning Services accepts no legal liability for the contents of this email including any errors, interception or interference, as internet communications are not secure. Whilst PPI Learning Services and the sender have taken every precaution to prevent transmission of computer viruses, should this inadvertently occur we do not accept any liability. Any offer or acceptance of a contract for goods or services made in this email is subject to our standard terms and conditions (available on request), unless other terms and conditions have been agreed in writing between authorised signatories of the parties. PPI Learning Services Limited. Registered Address: 3-5 Crutched Friars, London, EC3N 2HR. Registered in United Kingdom Company Number 06008725

________________________________________
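Craig's point above about an IDS that alerts when a brute-force run hits the server, as an added example that is not part of the original thread: a small Python detector that keeps a sliding window of failed logins per client address, raises one alert per source once the window crosses a threshold, and records whether that source then logged in successfully (the case that needs "confining" rather than just alerting). The log lines are constructed for the example in the style of vsftpd's default vsftpd.log format; the addresses, usernames and timestamps are made up, and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the style of vsftpd's vsftpd.log (not taken from
# the thread): one legitimate user, then a burst of guesses from 203.0.113.7
# that ends in a successful login, i.e. the password was guessed.
SAMPLE_LOG = """\
Sat Oct 11 20:05:01 2008 [pid 4101] [chip] OK LOGIN: Client "198.51.100.20"
Sat Oct 11 20:06:10 2008 [pid 4110] [admin] FAIL LOGIN: Client "203.0.113.7"
Sat Oct 11 20:06:11 2008 [pid 4111] [admin] FAIL LOGIN: Client "203.0.113.7"
Sat Oct 11 20:06:11 2008 [pid 4112] [root] FAIL LOGIN: Client "203.0.113.7"
Sat Oct 11 20:06:12 2008 [pid 4113] [ftp] FAIL LOGIN: Client "203.0.113.7"
Sat Oct 11 20:06:13 2008 [pid 4114] [admin] FAIL LOGIN: Client "203.0.113.7"
Sat Oct 11 20:06:14 2008 [pid 4115] [admin] OK LOGIN: Client "203.0.113.7"
Sat Oct 11 20:30:00 2008 [pid 4200] [chip] FAIL LOGIN: Client "198.51.100.20"
Sat Oct 11 20:31:00 2008 [pid 4201] [chip] OK LOGIN: Client "198.51.100.20"
"""

# Matches the login-result lines only; connect and transfer lines are ignored.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_line(line):
    """Return {'ts', 'user', 'result', 'ip'} for a login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # vsftpd pads single-digit days with a space; collapse it before parsing.
    ev["ts"] = datetime.strptime(" ".join(ev["ts"].split()),
                                 "%a %b %d %H:%M:%S %Y")
    return ev


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag every client IP that reaches `threshold` failed logins inside a
    sliding window of `window_seconds`, and note any later success from it.
    Lines are assumed to be in chronological order, as a log file is."""
    recent_fails = defaultdict(deque)  # ip -> failure timestamps in window
    tried_users = defaultdict(set)     # ip -> usernames seen in failures
    alerts = {}                        # ip -> alert record (one per source)

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]

        if ev["result"] == "FAIL":
            q = recent_fails[ip]
            q.append(ts)
            # Drop failures older than the window (ts itself always stays).
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            tried_users[ip].add(ev["user"])
            if ip in alerts:
                alerts[ip]["failures"] += 1
                alerts[ip]["last_fail"] = ts
            elif len(q) >= threshold:
                alerts[ip] = {
                    "ip": ip,
                    "first_fail": q[0],
                    "last_fail": ts,
                    "failures": len(q),
                    "usernames": tried_users[ip],
                    "success_after": None,
                }
        elif ip in alerts and alerts[ip]["success_after"] is None:
            # A success from a source already flagged: a guess landed.
            alerts[ip]["success_after"] = (ts, ev["user"])

    return list(alerts.values())


def format_alert(a):
    """One-line summary suitable for a syslog or e-mail alert."""
    msg = "%s: %d failed logins %s..%s, usernames tried: %s" % (
        a["ip"], a["failures"], a["first_fail"].strftime("%H:%M:%S"),
        a["last_fail"].strftime("%H:%M:%S"), ", ".join(sorted(a["usernames"])))
    if a["success_after"]:
        when, user = a["success_after"]
        msg += "; SUCCESSFUL LOGIN as %s at %s - block source, reset password" % (
            user, when.strftime("%H:%M:%S"))
    return msg


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(format_alert(alert))
```

Only the guessing source trips the alert; the legitimate user's single typo does not. The same sliding-window logic applies unchanged once the client has moved to SFTP, since sshd logs its own "Failed password ... from <ip>" lines and, as Craig says, changing protocol does nothing to stop guessing; only the parser regex would need swapping.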

From: listbounce@xxxxxxxxxxxxxxxxx [listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Robin Wood [dninja@xxxxxxxxx]
Sent: 11 October 2008 20:05
To: Chip Panarchy
Cc: security-basics@xxxxxxxxxxxxxxxxx; pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd?

2008/10/11 Chip Panarchy <forumanarchy@xxxxxxxxx>:
Well, thanks for the replies, guys.

The most helpful ones (apart from the ones explaining how the protocol
works and differences between that and SFTP etc.) were the ones that
suggested I use:

Brutus or Hydra. (oh, and Metasploit)

As my 'live-hack' will involve cracking the FTP site remotely (completely
different network, thus making Wireshark less useful).

It may be worth looking through youtube or one of the other video
sites for videos of people doing it, I used a video of someone doing a
bruteforce attack against a web login form to convince a client of why
they should use strong passwords rather than their company names.

Saves creating your own demo which if you've ever seen a failed one
you'll know that it isn't always as easy as you'd think.

Robin

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

