OSCP Learning Notes Exploit(7)

    Pre-Exploit Password Attacks

    Tools:

    1. ncrack

    Ncrack 0.6 ( http://ncrack.org )
    Usage: ncrack [Options] {target and service specification}
    TARGET SPECIFICATION:
    Can pass hostnames, IP addresses, networks, etc.
    Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
    -iX <inputfilename>: Input from Nmap's -oX XML output format
    -iN <inputfilename>: Input from Nmap's -oN Normal output format
    -iL <inputfilename>: Input from list of hosts/networks
    --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
    --excludefile <exclude_file>: Exclude list from file
    SERVICE SPECIFICATION:
    Can pass target specific services in <service>://target (standard) notation or
    using -p which will be applied to all hosts in non-standard notation.
    Service arguments can be specified to be host-specific, type of service-specific
    (-m) or global (-g). Ex: ssh://10.0.0.10,at=10,cl=30 -m ssh:at=50 -g cd=3000
    Ex2: ncrack -p ssh,ftp:3500,25 10.0.0.10 scanme.nmap.org google.com:80,ssl
    -p <service-list>: services will be applied to all non-standard notation hosts
    -m <service>:<options>: options will be applied to all services of this type
    -g <options>: options will be applied to every service globally
    Misc options:
    ssl: enable SSL over this service
    path <name>: used in modules like HTTP ('=' needs escaping if used)
    db <name>: used in modules like MongoDB to specify the database
    domain <name>: used in modules like WinRM to specify the domain
    TIMING AND PERFORMANCE:
    Options which take <time> are in seconds, unless you append 'ms'
    (milliseconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
    Service-specific options:
    cl (min connection limit): minimum number of concurrent parallel connections
    CL (max connection limit): maximum number of concurrent parallel connections
    at (authentication tries): authentication attempts per connection
    cd (connection delay): delay <time> between each connection initiation
    cr (connection retries): caps number of service connection attempts
    to (time-out): maximum cracking <time> for service, regardless of success so far
    -T<0-5>: Set timing template (higher is faster)
    --connection-limit <number>: threshold for total concurrent connections
    --stealthy-linear: try credentials using only one connection against each specified host
    until you hit the same host again. Overrides all other timing options.
    AUTHENTICATION:
    -U <filename>: username file
    -P <filename>: password file
    --user <username_list>: comma-separated username list
    --pass <password_list>: comma-separated password list
    --passwords-first: Iterate password list for each username. Default is opposite.
    --pairwise: Choose usernames and passwords in pairs.
    OUTPUT:
    -oN/-oX <file>: Output scan in normal and XML format, respectively, to the given filename.
    -oA <basename>: Output in the two major formats at once
    -v: Increase verbosity level (use twice or more for greater effect)
    -d[level]: Set or increase debugging level (Up to 10 is meaningful)
    --nsock-trace <level>: Set nsock trace level (Valid range: 0 - 10)
    --log-errors: Log errors/warnings to the normal-format output file
    --append-output: Append to rather than clobber specified output files
    MISC:
    --resume <file>: Continue previously saved session
    --save <file>: Save restoration file with specific filename
    -f: quit cracking service after one found credential
    -6: Enable IPv6 cracking
    -sL or --list: only list hosts and services
    --datadir <dirname>: Specify custom Ncrack data file location
    --proxy <type://proxy:port>: Make connections via socks4, 4a, http.
    -V: Print version number
    -h: Print this help summary page.
    MODULES:
    SSH, RDP, FTP, Telnet, HTTP(S), POP3(S), IMAP, SMB, VNC, SIP, Redis, PostgreSQL, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA
    EXAMPLES:
    ncrack -v --user root localhost:22
    ncrack -v -T5 https://192.168.0.1
    ncrack -v -iX ~/nmap.xml -g CL=5,to=1h
    SEE THE MAN PAGE (http://nmap.org/ncrack/man.html) FOR MORE OPTIONS AND EXAMPLES

    2. medusa

    Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

    ALERT: Host information must be supplied.

    Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
    -h [TEXT] : Target hostname or IP address
    -H [FILE] : File containing target hostnames or IP addresses
    -u [TEXT] : Username to test
    -U [FILE] : File containing usernames to test
    -p [TEXT] : Password to test
    -P [FILE] : File containing passwords to test
    -C [FILE] : File containing combo entries. See README for more information.
    -O [FILE] : File to append log information to
    -e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
    -M [TEXT] : Name of the module to execute (without the .mod extension)
    -m [TEXT] : Parameter to pass to the module. This can be passed multiple times with a
    different parameter each time and they will all be sent to the module (i.e.
    -m Param1 -m Param2, etc.)
    -d : Dump all known modules
    -n [NUM] : Use for non-default TCP port number
    -s : Enable SSL
    -g [NUM] : Give up after trying to connect for NUM seconds (default 3)
    -r [NUM] : Sleep NUM seconds between retry attempts (default 3)
    -R [NUM] : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
    -c [NUM] : Time to wait in usec to verify socket is available (default 500 usec).
    -t [NUM] : Total number of logins to be tested concurrently
    -T [NUM] : Total number of hosts to be tested concurrently
    -L : Parallelize logins using one username per thread. The default is to process
    the entire username before proceeding.
    -f : Stop scanning host after first valid username/password found.
    -F : Stop audit after first valid username/password found on any host.
    -b : Suppress startup banner
    -q : Display module's usage information
    -v [NUM] : Verbose level [0 - 6 (more)]
    -w [NUM] : Error debug level [0 - 10 (more)]
    -V : Display version
    -Z [TEXT] : Resume scan based on map of previous scan
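As the defensive counterpart to the two tools above (an added example, not part of the original notes): ncrack's `cl`/`CL`/`at` options and medusa's `-t`/`-T` options translate, on the target side, into many failed logins from one source within seconds, often with several authentication tries on a single connection. The Python below parses constructed sshd log lines and flags sources that exceed a failure threshold inside a sliding window, reporting the distinct usernames tried and the most tries seen on one connection; it assumes, as OpenSSH does, that the bracketed pid identifies one connection.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample sshd lines (not from the page): 10.0.0.5 guesses across
# several connections within seconds; 192.168.1.20 is one mistyped password.
SAMPLE_LOG = """\
Jan 10 12:00:01 host sshd[1001]: Failed password for root from 10.0.0.5 port 50001 ssh2
Jan 10 12:00:01 host sshd[1001]: Failed password for root from 10.0.0.5 port 50001 ssh2
Jan 10 12:00:02 host sshd[1002]: Failed password for admin from 10.0.0.5 port 50002 ssh2
Jan 10 12:00:02 host sshd[1003]: Failed password for invalid user test from 10.0.0.5 port 50003 ssh2
Jan 10 12:00:03 host sshd[1005]: Failed password for root from 10.0.0.5 port 50005 ssh2
Jan 10 12:00:40 host sshd[1006]: Failed password for alice from 192.168.1.20 port 41000 ssh2
Jan 10 12:00:45 host sshd[1007]: Accepted password for alice from 192.168.1.20 port 41001 ssh2
"""

# One OpenSSH child (the bracketed pid) serves one connection, so repeated
# failures under the same pid are several authentication tries per connection.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(text, year=2024):
    # Return (timestamp, source_ip, username, pid) for each failed-login line.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["pid"]))
    return events

def find_bursts(events, window_s=60, threshold=5):
    """Flag sources with >= threshold failures inside any window_s-second window."""
    by_ip = defaultdict(list)
    for ts, ip, user, pid in events:
        by_ip[ip].append((ts, user, pid))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(evs),
                               "distinct_users": len({u for _, u, _ in evs}),
                               "max_tries_per_conn": max(Counter(p for *_, p in evs).values())}
                break
    return flagged
```

A source spreading its attempts with `--stealthy-linear` or a long `cd` delay will stay under this window threshold, so the distinct-user count is the signal to watch for slow guessing.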

Original article: https://www.cnblogs.com/keepmoving1113/p/11198113.html