Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Defacing FTPs


Defacing FTPs

By ghostghost | 10196 Reads |
0     0

Ladies and Gentlemen, men and women, guys and gals, and anyone in between, welcome to another fine article by oxeh.

I have submitted a total of one article and with this one 2 articles to HBH. Well that should be good. Heh, okay, well enough blabbering about my accomplishments and let me teach you how to use an old vulnerability in websites that uses a FTP client called WS_FTP. The vulnerability has been patched in later versions of the famous FTP client.

Vulnerability

The vunlerability in the previous versions of WS_FTP, saved the username (unencrypted) and the password (encrypted) on the server that the user was logged onto.

Vulnerable File

The file is called WS_FTP.ini, as you have read above that the username is unencrypted and the password is encrypted. But WS_FTP was dumb enough not to use a famous encryption-algrothim such as MD5 so they used their own (I'm assuming).

Example of such a file:

HOST= ftp.***.com
UID=master
PWD=V29BEA5A170EE544D8F2D7CEA802A182BA76A387266A14799AEA53D73B0AE
LOCDIR= G:\\***\\Download
DIR=\"/\"
PASVMODE=0

Now, within the file above you have known that 'UID' means 'User ID' (which is the username of the target) and PWD stands for password of the target. But our goal is to find vulnerable servers and then crack their passwords and logonto their FTP.

PWD Decoder

Yes, you heard me, a decoder. There is a way to 'decrypt' / 'decode' the PWD line. Now, you have to copy the whole encrypted password including at its beggining the (PWD=).

Here is a such a decoder: http://lab.artlung.com/ws_ftp_password_decoder/

Pretty cool eh?

Finding vulnerable servers

Now, you wouldn't be choosing a sphosticated target because this vulnerability is pretty old, and you wont be going around on every single website you know and try to find the file.

Here is where a hacker's best friend barges in, Google. Yes, Google itself. Open up google.com, and we'll be using three query types:

markupinurl:\"WS_FTP.ini\"OR markupfiletype:ini WS_FTP.iniOR markupinurl:\"WS_FTP.ini\" PWD=

Now, there are a few pages Google brought up, some targets on the first page might have changed their passwords so go on to the next pages of the results and try finding which target is still vulnerable, using the same password as his FTP and hasn't changes it since and do whatever you want.

This document has been written for educational purposes on HellBoundHackers (HBH) and you cannot copy, redustribute, edit or claim this document is yours.

Copyright 2005 - 2006 ~ oxeh

Comments
ghost's avatar
ghost 18 years ago

nice tut! not musch possible targets, though. (only 7 pages on google and 3 first pages are unrealted) how come in some FTP's the UID is anonymous?

ghost's avatar
ghost 18 years ago

just wondering why the "beginers hacking guide" got slated so musch for encouraging defacement and yet this one has not been treated to the same flaming?

I dont really get off of defacing peoples sites tbh, but, i can see how it is important to understand how its done …

Like i said just wondering.

Acc