RE: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I crack the pwd?

[Craig Wilson <cwilson () ppilearning com>]

Chip,

Listen to my advice.

If you are looking at tools like Hydra then what your really looking at is telling your 'client' that he needs secure 
passwords which are near impossible to crack (and regular changes to the passwords), and an Intrusion Detection System 
to alert and confine when brute force attempts such as this takes place.

As I said, it doesnt matter if you use SFTP or FTP if your worried about someone cracking the password - that's totally 
different than worrying about someone eavesdropping on legitimate FTP traffic and stealing the password. If your 
worried about that threat then SFTP is the way to go.  Then, ensure the client knows about the need for legitimate 
certificates and the need for the client side to be vigilante for fake certificate errors.

Craig




________________________________________
Craig Wilson
Senior IT Network Administrator & Support Analyst
T. 0207 264 5113
M. 07899895510
F. 02072645101
E. cwilson () ppilearning com
W. http://www.ppilearning.com/
P Think Green - Please do not print this email unless you really need to
http://www.ppilearning.com/promotions/winserver2008register.php

This email and any attachments are confidential information and solely intended to be read by the email addressees 
above. If you inadvertently receive this email, your access is unauthorised and you may not copy, disclose, distribute 
or otherwise use this email and its contents. If you have received this email in error, please inform us immediately at 
mailto:SA () PPILearning com and delete all copies from your system. PPI Learning Services accepts no legal liability 
for the contents of this email including any errors, interception or interference, as internet communications are not 
secure. Whilst PPI Learning Services and the sender have taken every precaution to prevent transmission of computer 
viruses, should this inadvertently occur we do not accept any liability. Any offer or acceptance of a contract for 
goods or services made in this email is subject to our standard terms and conditions (available on request), unless 
other terms and conditions have been agreed in writing between authorised signatories of the parties. PPI Learning 
Services Limited. Registered Address: 3-5 Crutched Friars, London, EC3N 2HR. Registered in United Kingdom Company 
Number 06008725

________________________________________

From: listbounce () securityfocus com [listbounce () securityfocus com] On Behalf Of Robin Wood [dninja () gmail com]
Sent: 11 October 2008 20:05
To: Chip Panarchy
Cc: security-basics () securityfocus com; pen-test () securityfocus com
Subject: Re: Cracking FTP password so that I can convince people not to use FTP, and to instead use SFTP? How do I 
crack the pwd?

2008/10/11 Chip Panarchy <forumanarchy () gmail com>:
> Well thanks for the replies guys.
>
> The most helpful ones (apart from the ones explaining how the protocol
> works and differences between that and SFTP etc.) were the ones that
> suggested I use;
>
> Brutus or Hydra. (oh, and Metasploit)
>
> As my 'live-hack' will involve crack the FTP site remotely (completely
> different network, thus making Wireshark less useful).

It may be worth looking through youtube or one of the other video
sites for videos of people doing it, I used a video of someone doing a
bruteforce attack against a web login form to convince a client of why
they should use strong passwords rather than their company names.

Saves creating your own demo which if you've ever seen a failed one
you'll know that it isn't always as easy as you'd think.

Robin

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------