Sunday, April 20, 2014
Defacing FTPs

Another fine article about using an old exploit and a hacker's best friend, Google, to find vulnerable sites.



Ladies and Gentlemen, men and women, guys and gals, and anyone in between, welcome to another fine article by oxeh.

I have submitted a total of one article and, with this one, 2 articles to HBH. Well, that should be good. Heh, okay, well, enough blabbering about my accomplishments; let me teach you how to use an old vulnerability in websites that use an FTP client called WS_FTP. The vulnerability has been patched in later versions of the famous FTP client.

Vulnerability

Previous versions of WS_FTP saved the username (unencrypted) and the password (encrypted) on the server that the user was logged on to.

Vulnerable File

The file is called WS_FTP.ini. As you have read above, the username is unencrypted and the password is encrypted. But WS_FTP was dumb enough not to use a famous encryption algorithm such as MD5, so they used their own (I'm assuming).

Example of such a file:

[CODE]
[AOL]
HOST= ftp.***.com
UID=master
PWD=V29BEA5A170EE544D8F2D7CEA802A182BA76A387266A14799AEA53D73B0AE
LOCDIR= G:\***\Download
DIR="/"
PASVMODE=0
[/CODE]

Now, in the file above, 'UID' means 'User ID' (which is the username of the target) and PWD stands for the password of the target. But our goal is to find vulnerable servers and then crack their passwords and log on to their FTP.
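Seen from the server owner's side, the same file layout can be audited on your own web root. The following is an added example, not part of the original article: it walks a directory tree, finds WS_FTP.ini files and reports which profiles carry a stored PWD value without printing it. The function names, the sample directory and the sample host are constructed for illustration.

```python
import os
import tempfile

def audit_ws_ftp_ini(root):
    """Return one finding per profile under root that stores a PWD= value."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "ws_ftp.ini":  # match the file name case-insensitively
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                lines = fh.read().splitlines() + ["[end]"]  # sentinel flushes the last profile
            section, fields = None, {}
            for line in lines:
                line = line.strip()
                if line.startswith("[") and line.endswith("]"):
                    if section and fields.get("PWD"):
                        findings.append({
                            "file": path,
                            "profile": section,
                            "host": fields.get("HOST", ""),
                            "uid": fields.get("UID", ""),
                            "pwd_len": len(fields["PWD"]),  # length only, never the value
                        })
                    section, fields = line[1:-1], {}
                elif "=" in line and section:
                    key, value = line.split("=", 1)
                    fields[key.strip().upper()] = value.strip()
    return findings

def build_sample_root():
    """Constructed sample: a fake web root holding one leftover profile file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "htdocs", "images"))
    with open(os.path.join(root, "htdocs", "images", "WS_FTP.INI"), "w") as fh:
        fh.write("[ExampleSite]\nHOST= ftp.example.invalid\nUID=master\n"
                 "PWD=V00CONSTRUCTEDPLACEHOLDER\nDIR=\"/\"\nPASVMODE=0\n"
                 "[NoPassword]\nHOST=ftp.example.invalid\nUID=anonymous\n")
    return root

if __name__ == "__main__":
    for f in audit_ws_ftp_ini(build_sample_root()):
        print(f"{f['file']}: profile [{f['profile']}] host={f['host']} uid={f['uid']} "
              f"stores a {f['pwd_len']}-char PWD; remove the file and change the password")
```

Any hit under a directory the web server exposes means the file should be deleted and the FTP password changed.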

PWD Decoder

Yes, you heard me, a decoder. There is a way to 'decrypt' / 'decode' the PWD line. Now, you have to copy the whole encrypted password, including the (PWD=) at its beginning.

Here is such a decoder: http://lab.artlung.com/ws_ftp_password_decoder/

Pretty cool eh?

Finding vulnerable servers

Now, you wouldn't be choosing a sophisticated target because this vulnerability is pretty old, and you won't be going around every single website you know trying to find the file.

Here is where a hacker's best friend barges in, Google. Yes, Google itself. Open up google.com, and we'll be using three query types:

[CODE]inurl:"WS_FTP.ini"[/CODE]
OR

[CODE]filetype:ini WS_FTP.ini[/CODE]
OR

[CODE]inurl:"WS_FTP.ini" PWD=[/CODE]

Now, Google brings up a few pages. Some targets on the first page might have changed their passwords, so go on to the next pages of the results and try to find which target is still vulnerable, is still using the same password for his FTP and hasn't changed it since, and do whatever you want.

This document has been written for educational purposes on HellBoundHackers (HBH) and you cannot copy, redistribute, edit or claim this document is yours.

Copyright 2005 - 2006
~ oxeh

Comments

enforcer on August 08 2006 - 15:18:50
Nice tut! Not many possible targets, though (only 7 pages on Google and the first 3 pages are unrelated). How come in some FTPs the UID is anonymous?
Accurax on October 25 2006 - 13:47:01
Just wondering why the "beginers hacking guide" got slated so much for encouraging defacement and yet this one has not been treated to the same flaming? I don't really get off on defacing people's sites tbh, but I can see how it is important to understand how it's done ... Like I said, just wondering. Acc