LowAndSlow is a free utility that attempts “low and slow” brute force sign-ons against a selected FTP server, FTPS server, or SFTP server.
LowAndSlow works off a list of usernames and a list of passwords, and waits a configurable number of seconds between each attempt. If the delay is set to 0 or 1, LowAndSlow behaves like a “rapid fire” script kiddie, but longer delays will allow it to fly under the radar of user lockout and IP lockout (a.k.a. antihammering) features on most FTP/S and SSH servers.
Since it is likely that low and slow scans will span days, the utility is designed to automatically write its progress to disk after every attempt, and resume the scan from its last attempt when the utility is restarted.
The ideal user of LowAndSlow is a security analyst. It requires familiarity with command-line interfaces and TCP/IP networking, but intimate knowledge of file transfer is not required.
LowAndSlow is a command-line application for Windows. It was written in C# and requires .NET 4.0. (Any Windows OS that supports .NET 4.0 should run this client.)
Download and Installation
- Download LowAndSlow (it’s a Zip file)
- Unpack the contents into a folder on your system
- Open a command-line window (“CMD”) and CD into that folder
- Run “LowAndSlow /help” to make sure all is well
- Run “LowAndSlow -scanfolder=demo” to run a short, 4 attempt test against a public FTP server. (Two attempts should fail, and the two “anonymous” attempts should work.)
- Go into the “demo” folder and inspect the files:
- configuration.txt – connection, debug and delay parameters (this file is optional; you can specify all important parameters using command-line arguments instead)
- username.txt and password.txt – lists of usernames and passwords (both of these files are always required)
- (log file).log – log file containing every message written to the screen
- detects.txt – log file containing just the positive sign on attempts (“detects”)
- Make a copy of the “demo” folder as “myscan”. Delete the “*.log” files and the “detects.txt” file from the copy. Change the values in the configuration, username and password file for one of your FTP/S or SFTP servers. Rerun the utility as “LowAndSlow -scanfolder=myscan”
- Now rerun LowAndSlow with other command-line arguments such as “-debug=10”, “-delay=3”, etc.
- To see LowAndSlow’s built-in resume feature in action, hit “Ctrl+C” to kill the utility while running, and then restart the utility.
The following configuration elements are accepted as both command-line arguments (preceded by a dash, e.g., “-debug=5”) and configuration file entries unless otherwise noted. Command-line arguments always override configuration file entries.
- debug=(0-10) : set verbosity level (5 is default, set higher for more)
- delay=(value) : average seconds to wait between attempts
- delayvar=(value) : maximum seconds to vary wait between attempts
- help (also ?) : display this help (command-line only)
- hostname=(value) : target this hostname or IP address
- noresume : always scan all usernames and passwords (see ‘-resume’)
- port=(value) : target this TCP port
- protocol=(value) : ftp, ftps or sftp (ftp is default)
- resume : try to resume scan from last stop (default)
- scanfolder=(value) : REQUIRED – where your config and log files are. May either by subfolder of current directory or the full path of a folder elsewhere. (command-line only)
- ftptryestimate=(value) : used to estimate completion time, set to 2 seconds by default (configuration file only)
The configuration file is always named “configuration.txt”. It is an optional file but if not present then all parameters must be provided as command-line arguments.
Username and Password Files
Populated username and password files are always required. Usernames and passwords must each be listed on their own line, and comments starting with apostrophes are ignored. The username file is always named “username.txt” and the password file is always named “password.txt.”
LowAndSlow writes incomplete progress to a resume file called “pointer.txt”. This file may not always exist because LowAndSlow deletes it after it completes a scan. If this file is not present, LowAndSlow will start (or restart) this scan from the beginning.
This file may be created or edited with care. Line 1 is the last username scanned and line 2 is the last password scanned. If errors are encountered parsing this file (e.g., if the “last” username or password are not in the username or password lists), the scan will restart from the beginning.
Log File and Screen Messages
The “debug” parameter controls which messages are written to a log file and the console. Console messages are colored but do not list the date/time or the debug level. Log messages are not colored but do list the date/time and the debug level.
The name of the log file will contain the date and time (down to the second) that LowAndSlow was invoked. In most cases this will ensure that each run of LowAndSlow generates a unique log file.
Log files are opened and closed with each write. While somewhat inefficient, this avoids certain lock errors or missing messages that could result from other implementations.
“Successful Detects” File
If LowAndSlow finds any successful username/password combinations (a “detect”), it will log them into a special “detects.txt” file. Multiple detects in a single run or detects in different runs will all be logged in this file, along with the date and protocol from the detect.
The detects file will be created as needed; you do not need to create it in your new scan folders.
Q: What the the most common ports associated with each protocol?
A: FTP and FTPS (explicit) are most commonly found on TCP port 21. SFTP uses SSH and is most commonly found on TCP port 22.
Q: Do you support FTPS implicit connections?
A: Not at this time. LowAndSlow only supports “explicit” FTPS connections (those that conform to RFC 4217).
Q: I shut down my computer every night. What’s the best way to resume a low-and-slow scan again in the morning?
A: Put your LowAndSlow parameters in a batch file and run that from the Windows “Startup” folder. (LowAndSlow will automatically resume the scan from wherever it left off the previous night.)
Q: Can I run multiple copies of LowAndSlow at once?
A: Yes. However, you should use a different “-scanfolder” for each instance.
Q: Why did you release this utility?
A: We wrote an early version of this utility for our MFT Audits, where we used it to make sure file transfer servers were honoring their lock-out settings and quietly poke around legacy FTP servers that were in scope but liable to crash if stressed. There was enough demand from our friends to release it publicly, so we did.
Q: Why did you invent “low and slow” brute force attacks on file transfer servers?
A: We didn’t. Read this.
Q: How do I detect and prevent “low and slow” brute force attacks against my servers?
A: We cover that here.
Q: What file transfer clients are you using under the covers?
A: .NET’s WebRequestMethods as our FTP client and FTPS client, plus references to SharpNET from Tamir Gal for SFTP (see SharpFTP’s project page for its source).
Q: I have a hard-to-fill file transfer requirement. Can you help?
A: Yes, drop us a line and we’ll set up a call to discuss live.
Q: I think I found a bug in the utility. How do I report it?
A: Rerun the utility with “-debug=10” and send us your log.