Crack FTP with Custom Wordlist


Introduction

In this challenge, you'll be tasked with cracking a rogue employee's FTP server using Hydra and a custom wordlist. The scenario involves a weakly secured FTP server running on the company network, and your objective is to identify the password and secure the server.

The challenge involves setting up a vulnerable FTP server using vsftpd, creating a user named configuser with a known password, and then crafting a custom password list file named passwords.txt containing potential passwords like "config1", "config123", and "password". Finally, you'll use Hydra to brute-force the FTP password for the configuser account on localhost using your custom password list, aiming to identify the correct password and demonstrate the vulnerability.



Crack FTP with Custom Wordlist

A rogue employee has set up a personal FTP server on the company network with a weak password. Your mission is to use Hydra to identify the password and secure the server.

Tasks

  • Create a password list file named passwords.txt in the ~/project directory containing the passwords "config1", "config123", and "password".
  • Use Hydra to crack the FTP password for the username configuser on localhost using your custom password list.

Requirements

  1. The password list file must be named passwords.txt and located in the ~/project directory.
  2. The Hydra command must target the FTP service running on localhost.
  3. The Hydra command must specify the username configuser.
  4. The Hydra command must use the password list file you created.
  5. The password list file must contain the passwords "config1", "config123", and "password", each on a new line.
  6. Save the results to a file results.txt in the ~/project directory.

Examples

If Hydra successfully cracks the password, the match is written to the results file. Running:

cat ~/project/results.txt

should display output similar to:

[21][ftp] host: localhost   login: configuser   password: [placeholder]

Hints

  • Use the echo -e command or manual editing to create the password list file.
  • Refer to the lab documentation for the correct Hydra syntax.

Summary

In this challenge, the goal is to crack an FTP password using Hydra with a custom wordlist. The setup involves installing and configuring vsftpd and hydra, creating a test user (configuser) with a known weak password, and starting the FTP service.

The task requires creating a passwords.txt file containing potential passwords, then using Hydra to brute-force the FTP password for the configuser account on localhost, specifying the custom password list. This exercise demonstrates how to use Hydra to identify weak passwords in FTP services and highlights the importance of strong password policies.
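
The server-side view of the attack this challenge performs, as an added example that is not part of the original lab: a shell function that scans vsftpd log lines for repeated failed logins and marks the cases where a successful login follows them. It assumes vsftpd's native log format; the function names, the threshold and the sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Flag FTP password-guessing in vsftpd's native log format.
# Assumption: log lines look like
#   <date> [pid N] [user] FAIL LOGIN: Client "addr"
# THRESHOLD and the sample log are constructed for this example.

THRESHOLD=3

# Reads log lines on stdin. For every user/client pair whose failed logins
# reach the threshold ($1), prints: user client failures verdict
detect_ftp_bruteforce() {
  awk -v threshold="$1" '
    / (FAIL|OK) LOGIN: Client / {
      for (i = 1; i <= NF; i++) {
        if ($i == "LOGIN:") {
          user = $(i - 2); status = $(i - 1); client = $(i + 2)
        }
      }
      gsub(/^\[|\]$/, "", user)   # "[configuser]" -> "configuser"
      gsub(/"/, "", client)       # strip the quotes around the address
      key = user " " client
      if (status == "FAIL") {
        fail[key]++
      } else if (key in fail) {
        hit[key] = 1              # success after earlier failures
      }
    }
    END {
      for (key in fail) {
        if (fail[key] >= threshold) {
          verdict = (key in hit) ? "SUCCESS_AFTER_FAILURES" : "FAILURES_ONLY"
          print key, fail[key], verdict
        }
      }
    }
  ' | sort
}

# Constructed sample log: a guessing run against configuser, plus one typo.
sample_log() {
  cat <<'EOF'
Tue Mar  4 10:15:01 2025 [pid 2101] CONNECT: Client "127.0.0.1"
Tue Mar  4 10:15:02 2025 [pid 2100] [configuser] FAIL LOGIN: Client "127.0.0.1"
Tue Mar  4 10:15:02 2025 [pid 2102] [configuser] FAIL LOGIN: Client "127.0.0.1"
Tue Mar  4 10:15:03 2025 [pid 2104] [configuser] FAIL LOGIN: Client "127.0.0.1"
Tue Mar  4 10:15:03 2025 [pid 2106] [configuser] FAIL LOGIN: Client "127.0.0.1"
Tue Mar  4 10:15:04 2025 [pid 2108] [configuser] OK LOGIN: Client "127.0.0.1"
Tue Mar  4 11:02:10 2025 [pid 2207] [alice] FAIL LOGIN: Client "192.0.2.10"
Tue Mar  4 11:02:19 2025 [pid 2207] [alice] OK LOGIN: Client "192.0.2.10"
EOF
}

sample_log | detect_ftp_bruteforce "$THRESHOLD"
```

A SUCCESS_AFTER_FAILURES verdict means the account's password was probably guessed and should be rotated; to scan a real server, pipe its vsftpd log file into the function instead of sample_log.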