FTP Passwording

No explicit questions like "how do I hack xxx.com" please!

Post by RiGGER »

Hello all. I recently have set up one of my first official non-freewebs BS websites, and I was wondering....

I have FTP access to my online server, and I have the password that goes with it to access my server-side (on the internet) files.

Now I would certainly like to know this. How hard, and how easy, would it be for someone to access my FTP files and furthermore gain access to my FTP server? I've been searching MANY forums for answers, but I figured that hey, I should post only at the best of them (and this is one of 'em!).

In other words, I'd like to try and gain access to my server as if I didn't know my server-side password. Can anyone help me with this problem that I have at hand? Any help at all would go much appreciated.

Thank you for reading this!

PS: I do not know anything about anything. I am very new at this whole ordeal, and I have been trying to learn more about this specific computer subject for the past six months (yet I failed miserably); so please, keep your help to a very novice speak. Thank you very much!


hmm

Post by maboroshi »

Ok you have a website that is no longer under a free server

I'm assuming since it is a commercial service they would have at least some general understanding of security if not a whole lot more

What you could do if you would like to learn more is do a port scan of the server ip address or yourdomain.com depending on the country you're from this is not illegal

this will give you a general idea of what ports are open on the server and wherein security holes will lie

Common ports that are open on most servers 21 80 your port scanning program should tell you what they are

assuming you wish to learn what their FTP security is like you can then open up a cmd (assuming you're on windows) and telnet to their FTP server I believe the command is telnet -o serverip port 21 or whatever

This will identify to some degree what system is set up for FTP

Now if you have a smart admin he has probably got all sorts of bells and whistles to fake what he is running and most likely watching his log files to see what you're up to

That's to some degree a basic rundown of security on the server running your web site

Now let's have a discussion about the security of your personal computer for instance you're new to the computer scene I bet you're running Internet Explorer

Now you have to ask yourself am I downloading pirated software am I downloading mad amounts of porn do I have anti virus do I have a firewall

Things like aforementioned will generally lead to things such as Trojans and spyware and lots of other things that will more than likely be able to get your FTP password and cause a lot of trouble for your computer

So these are things to consider if you're worried about the security of your passwords


Cheers

and if you have any more questions feel free to ask :)


Post by RiGGER »

Hey! Thanks a bunch for that reply.

No, I'm not very new at that whole "don't go here or you'll get spyware/trojan/virus" kinda thing. In fact I have over ~10 years computer experience (and I'm protected by a "borrowed" Norton Antivirus 2003).

I'm not that new to the torrent scene, in fact I have all of that behind me.

I also use FireFox, cause IE is kinda bad, but still usable for things like these.

I'm also firewalled by Windows Firewall (could you recommend a better one?).

And I scan my computer for spyware and other such things once or twice a week. Believe me, I have done my fair share of "borrowing."

So, to the point, I'll try out that cmd stuff (I am on a Windows XP SP2) and try to figure out the ip of my domain and what ports are available.

Also, what's a good port scanning program?


Post by pseudo_opcode »

well the security also depends upon the combination of OS and daemon running.. and to some extent the configuration files... and yes on the sys admin as well.. if it's a unix/linux server you can also look for several front end modules of code for input sanitization (in some cases, for overflows, fuzzing, etc)... well the possibilities are limitless... most probable being social engineering...


Re: FTP Passwording

Post by d10b »

Attacking your hosted website probably isn't a good idea, some probing won't hurt. If you're trying to test their security for learning purposes there's better ways to practice. If you're worried about how easy it would be for someone to access your hosted FTP site you shouldn't worry. Do you have a strong password? And another question you might ask yourself is; why would someone attack me? Do you have a popular website/FTP server or is it just personal files?
``The true voyage of discovery lies not in seeking new landscapes, but in having new eyes``


Post by RiGGER »

I basically want to educate my FTP-ing

Any help on how to do this would be really great.

-Thanks


Here's a start.

Post by d10b »

Learning what FTP is might be a start :)
http://en.wikipedia.org/wiki/File_Transfer_Protocol

Wikipedia is a huge help to begin learning about anything.

Linux man pages help w/commands.
http://www.hmug.org/man/1/ftp.php

If your intentions are accessing someone else's FTP site... well good luck to you. Here is an interesting list of FTP vulnerabilities http://www.networkscanning.com/FTP-VSSF.html
``The true voyage of discovery lies not in seeking new landscapes, but in having new eyes``


Sorry

Post by maboroshi »

Sorry I misread your initial post :(


Post by RiGGER »

OK guys! I read up on that stuff! And actually Maboroshi, you were quite bang-on on what I initially want to do.

Now here's the thing. I don't have Linux, but I'm planning on getting it installed permanently on the piece of s#it computer that I have idling downstairs. Is there any good Linux that I should know of for something like this? I've heard that a Linux called Mandrake is really good, and I've also experimented a bit with Auditor Tools.

So please, if you could, keep the words to the most simple meanings (example: daemon... huh?) and try to run me through these things step-by-step (in the most simple (well, not too simple) manner possible).

But what Maboroshi stated about the telnet client was actually a very good start!

-Thanks


Post by RiGGER »

Alright! Here's what I got so far!

In cmd, I typed > telnet

> o www.(mysite).com 21

then, after a brief pause, I got this

>220 Website FTP server ready

Now when I type something, like > login, it gives me this

> login
> 500 LOGIN not understood

and that's all that I get.

Help please?


Post by RiGGER »

OK! More research has led me to this!

> user (user)
> pass (pass)

and if I enter the variables correctly, I am logged onto the server, but when I do not, and just fake a password, it doesn't log on, and tells me INVALID all over the place.

so here's my main problem! I now need a password and username!

Although, I can presume that the user would be (mysite).com, yet I still wouldn't know the password... so there ya have it... all that I need is to find out how to get a valid working password...

Yoohoo! I need help! (Please don't flame but how else am I supposed to state this question?)


Post by z3mwaz »

I'm a little lost on what you are asking.

You are the owner of the server
You know your own user name and password
You can log in with your "correct" name and password

but then you say "so heres my main problem! I now need a password and username! "

What do you mean?
You said that you have the user name and passwd,
But you need another name and password?

I'm Lost...
“Yes, I am a criminal. My crime is that of curiosity.”


Post by RiGGER »

Ok, lemme re-explain this.

This whole thread is only for the sole-purpose of educating the uneducated about how to access FTP without the means of knowing username, nor password.

Yes, I DO have full access to my FTP site with username and password, but I'm checking it for 'vulnerabilities,' as if a hacker would try to get into it, and how he would be able to do that. I have some means of FTP security on my server, so I'm basically testing it.

Yet, my main problem is, is that I firstly need/want to know how to do this (a form of educating myself on FTP servers and their full accessibility, if you will).

That's basically it, so if you could help me out here, I'd greatly appreciate it.

-Thanks


Post by z3mwaz »

oh ok, I see where you're coming from now sorry.

well one thing is
FTP username/passwords are transferred in clear text. so if someone on your network used a sniffer then they could get a name and password very easily.
I'm not too sure on how to do it but you can set up a secure connection so that the FTP info is encrypted.
I'll look up what I can when I'm done studying tonight

If you want I'm on IRC in #suck-o right now and most likely all night
“Yes, I am a criminal. My crime is that of curiosity.”
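
Added example, not part of any post in this thread: a small Python audit of a client-side FTP control-channel log that reports whether USER/PASS (and file transfers) went out before the server accepted `AUTH TLS`, which is the cleartext exposure described in the post above. The `C:`/`S:` log format, the function name and the sample sessions are assumptions constructed for illustration.

```python
# Added example: audit a client-side FTP control-channel log for cleartext logins.
# Assumed log format (not from the thread): "C: " = client command, "S: " = server reply.

def audit_ftp_log(lines):
    """Return findings for one FTP session: credentials or data sent without TLS."""
    tls_active = False    # True once the server accepts AUTH TLS (reply 234, RFC 4217)
    data_private = False  # True once PROT P is accepted on a TLS-protected session
    pending = None        # last client command still waiting for its final reply
    findings = []
    for raw in lines:
        side, _, text = raw.strip().partition(": ")
        parts = text.split()
        if not parts:
            continue
        if side == "C":
            verb, arg = parts[0].upper(), " ".join(parts[1:]).upper()
            pending = (verb, arg)
            if verb in ("USER", "PASS") and not tls_active:
                findings.append(f"{verb} sent in cleartext")
            elif verb in ("LIST", "RETR", "STOR") and not data_private:
                findings.append(f"{verb} data channel unencrypted")
        elif side == "S" and pending and text[3:4] != "-":  # skip "NNN-" continuation lines
            code = text[:3]
            if pending == ("AUTH", "TLS") and code == "234":
                tls_active = True
            elif pending == ("PROT", "P") and code == "200" and tls_active:
                data_private = True
            pending = None
    return findings

# Constructed sample sessions; the user name and password are placeholders.
PLAIN_SESSION = ["S: 220 Website FTP server ready", "C: USER example",
                 "S: 331 Password required", "C: PASS ********", "S: 230 Logged in",
                 "C: LIST", "S: 150 Opening data connection", "S: 226 Transfer complete"]
TLS_SESSION = ["S: 220 Website FTP server ready", "C: AUTH TLS", "S: 234 AUTH TLS OK",
               "C: USER example", "S: 331 Password required", "C: PASS ********",
               "S: 230-Welcome", "S: 230 Logged in", "C: PBSZ 0", "S: 200 PBSZ=0",
               "C: PROT P", "S: 200 Protection set to Private",
               "C: LIST", "S: 150 Opening data connection", "S: 226 Transfer complete"]
# Server rejects AUTH TLS and the client falls back to a plain login.
FALLBACK_SESSION = ["S: 220 Website FTP server ready", "C: AUTH TLS",
                    "S: 500 AUTH not understood", "C: USER example",
                    "S: 331 Password required", "C: PASS ********", "S: 230 Logged in"]

if __name__ == "__main__":
    for name in ("PLAIN_SESSION", "TLS_SESSION", "FALLBACK_SESSION"):
        print(name, audit_ftp_log(globals()[name]))
```

The fallback session is the case to watch for: a client that silently continues after a rejected `AUTH TLS` exposes the password exactly as a plain FTP login does.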


Post by RiGGER »

Thanks a lot man! Unfortunately, I cannot go onto the IRC channel because I'll be sleeping. I have to go to my classes tomorrow morning.

Now, from what I understood, here's what you should know.

My website is NOT on a local server. I paid for a domain-name and the domain-hoster is currently hosting my files remotely.

Also, I'm not too sure about what you mean with the "secure FTP connection."

And lastly, I'm trying to act this situation out as if I do not even know any of the encryptions or usernames or passwords on this server.

Thanks a lot for this stuff bro! Talk to ya later.
