
Brute force attacks with Brutus

Wade Stich
Brute force attacks are continuous attempts to authenticate using a word list or dictionary of possible
passwords. For this tutorial, we’ll use a tool called Brutus AE2 to attack an FTP server on the local
network. Brutus AE2 also supports HTTP authentication, Telnet, POP3 and SMB, as well as custom
protocols.

(Note: Some virus scanners may identify this as a possible threat)

1) Once we’ve executed BrutusA2.exe, we need to specify the network address of the server running
the FTP daemon that we wish to target. In this instance, it’s on the localhost, so we’ll
just leave it as is.

2) Next, we need to specify the protocol we want to attack. For this tutorial, we’re attacking FTP.

3) Now we need to choose our wordlist and enter the username or location of the userlist we wish
to try. We’ll use the default userlist and the username “user”.

4) Now that we’re ready to audit our FTP server, go ahead and click the “Start” button.

5) Success: we’ve correctly identified the password for the account “user”, which is “siekta”.

Summary
This is a crude method of gaining access to a machine. Log-wise it’s fairly noisy, but it makes for an excellent
tool to audit FTP/HTTP/POP3/Telnet for weak passwords.
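
The log noise mentioned above is what lets a defender spot this kind of audit or attack. The following is an added example, not part of the original tutorial: it scans FTP login events for bursts of failures per client and account, and marks a later success as a probable guessed password. The vsftpd-style log format, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed vsftpd-style line: <timestamp> [pid N] [user] OK|FAIL LOGIN: Client "ip"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {(ip, user): {"failures": n, "compromised": bool}} for flagged pairs."""
    recent = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login event
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        key = (m["ip"], m["user"])
        if m["result"] == "FAIL":
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # drop failures that left the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "compromised": False})
                alert["failures"] = max(alert["failures"], len(q))
        elif key in alerts:
            # A success after a flagged burst: the guess probably worked.
            alerts[key]["compromised"] = True
    return alerts

# Constructed sample: six rapid failures for "user" from localhost, then a success,
# plus an ordinary user (hypothetical "alice") who mistypes twice and then logs in.
SAMPLE = [f'Tue Mar 12 10:15:{s:02d} 2024 [pid 41] [user] FAIL LOGIN: Client "127.0.0.1"'
          for s in range(6)]
SAMPLE.append('Tue Mar 12 10:15:06 2024 [pid 41] [user] OK LOGIN: Client "127.0.0.1"')
SAMPLE += [
    'Tue Mar 12 10:20:00 2024 [pid 57] [alice] FAIL LOGIN: Client "192.0.2.10"',
    'Tue Mar 12 10:20:09 2024 [pid 57] [alice] FAIL LOGIN: Client "192.0.2.10"',
    'Tue Mar 12 10:20:20 2024 [pid 57] [alice] OK LOGIN: Client "192.0.2.10"',
]

if __name__ == "__main__":
    for (ip, user), info in detect_bruteforce(SAMPLE).items():
        print(ip, user, info)
```

A flagged pair with `compromised` set is the case that needs a password reset and a review of what that session did, not just a blocked address.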
