Thursday, August 18, 2011

Brute Force with Medusa: SSH, FTP, SMB, HTTP and MySQL

What is Medusa?

The man page describes it as a "Parallel Network Login Auditor": an application for brute-forcing passwords against network services.

It is called parallel because it is thread-based, testing several hosts, users or passwords concurrently.

It has a modular design: each service is an independent module shipped as a .mod file.


Install medusa:

# apt-get install medusa



List the modules it supports:

# medusa -d

Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

Available modules in "." :

Available modules in "/usr/lib/medusa/modules" :
+ cvs.mod : Brute force module for CVS sessions : version 2.0
+ ftp.mod : Brute force module for FTP/FTPS sessions : version 2.0
+ http.mod : Brute force module for HTTP : version 2.0
+ imap.mod : Brute force module for IMAP sessions : version 2.0
+ mssql.mod : Brute force module for M$-SQL sessions : version 2.0
+ mysql.mod : Brute force module for MySQL sessions : version 2.0
+ ncp.mod : Brute force module for NCP sessions : version 2.0
+ nntp.mod : Brute force module for NNTP sessions : version 2.0
+ pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0
+ pop3.mod : Brute force module for POP3 sessions : version 2.0
+ postgres.mod : Brute force module for PostgreSQL sessions : version 2.0
+ rexec.mod : Brute force module for REXEC sessions : version 2.0
+ rlogin.mod : Brute force module for RLOGIN sessions : version 2.0
+ rsh.mod : Brute force module for RSH sessions : version 2.0
+ smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.0
+ smtp-vrfy.mod : Brute force module for enumerating accounts via SMTP VRFY : version 2.0
+ smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0
+ snmp.mod : Brute force module for SNMP Community Strings : version 2.0
+ ssh.mod : Brute force module for SSH v2 sessions : version 2.0
+ svn.mod : Brute force module for Subversion sessions : version 2.0
+ telnet.mod : Brute force module for telnet sessions : version 2.0
+ vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0
+ vnc.mod : Brute force module for VNC sessions : version 2.0
+ web-form.mod : Brute force module for web forms : version 2.0
+ wrapper.mod : Generic Wrapper Module : version 2.0



SSH brute force:

# medusa -h localhost -u root -P /root/pass.txt -M ssh -n 2222

-h Target host (IP or name) to brute-force (here localhost, 127.0.0.1)
-u User name on the server (root)
-P Path to the file with the candidate passwords, one per line
-M Module to use (ssh, ftp, etc., with the names printed by medusa -d)
-n Port, when the service does not listen on the module's default (22 becomes 2222)

Two other options worth knowing: -f stops testing a host as soon as a valid password is found, and -t N caps the number of concurrent login attempts.



We watch the attempts and see when it finds the password. The libssh2 notice printed first is a warning that on Debian/Ubuntu builds several concurrent SSH threads can crash Medusa; if that happens, run with -t 1:

Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks


The default build of Libssh2 is to use OpenSSL for crypto. Several Linux
distributions (e.g. Debian, Ubuntu) build it to use Libgcrypt. Unfortunately,
the implementation within Libssh2 of libgcrypt appears to be broken and is
not thread safe. If you run multiple concurrent Medusa SSH connections, you
are likely to experience segmentation faults. Please help Libssh2 fix this
issue or encourage your distro to use the default Libssh2 build options.

ACCOUNT CHECK: [ssh] Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 1234 (1 of 8 complete)
ACCOUNT CHECK: [ssh] Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: peterete (2 of 8 complete)
ACCOUNT CHECK: [ssh] Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: mi_pass (3 of 8 complete)
ACCOUNT CHECK: [ssh] Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: otro.mas (4 of 8 complete)
ACCOUNT CHECK: [ssh] Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: pass (5 of 8 complete)
ACCOUNT CHECK: [ssh] Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: mi_passwd (6 of 8 complete)
ACCOUNT FOUND: [ssh] Host: localhost User: root Password: mi_passwd [SUCCESS]


Now Medusa brute-forcing FTP. Here -C reads a "combo" file with one host:user:password entry per line (a field left empty falls back to the global -h/-u/-p value or to the matching -H/-U/-P list), which is how a single run covers several hosts and users:

# medusa -C pass.txt -M ftp

Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ERROR: Thread B6BD6B70: Host: 192.168.1.101 Cannot connect [unreachable], retrying (1 of 3 retries)
ERROR: Thread B6BD6B70: Host: 192.168.1.101 Cannot connect [unreachable], retrying (2 of 3 retries)
ERROR: Thread B6BD6B70: Host: 192.168.1.101 Cannot connect [unreachable], retrying (3 of 3 retries)
NOTICE: ftp.mod: failed to connect, port 21 was not open on 192.168.1.101
ACCOUNT CHECK: [ftp] Host: 192.168.1.150 (2 of 3, 1 complete) User: ftp_user (1 of 2, 0 complete) Password: ftp_pass (1 of 4 complete)
ACCOUNT FOUND: [ftp] Host: 192.168.1.150 User: ftp_user Password: ftp_pass [SUCCESS]
ACCOUNT CHECK: [ftp] Host: 192.168.1.150 (2 of 3, 1 complete) User: user1 (2 of 2, 1 complete) Password: peterete (1 of 1 complete)
ERROR: Thread B5AD0B70: Host: 192.168.1.200 Cannot connect [unreachable], retrying (1 of 3 retries)
ERROR: Thread B5AD0B70: Host: 192.168.1.200 Cannot connect [unreachable], retrying (2 of 3 retries)
ERROR: Thread B5AD0B70: Host: 192.168.1.200 Cannot connect [unreachable], retrying (3 of 3 retries)


Brute-forcing the MySQL root user on localhost:

# medusa -h localhost -u root -P pass.txt -M mysql

Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks

ACCOUNT CHECK: [mysql] Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 1234 (1 of 9 complete)
ACCOUNT CHECK: [mysql] Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: telev (2 of 9 complete)
ACCOUNT CHECK: [mysql] Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: peterete (3 of 9 complete)
ACCOUNT CHECK: [mysql] Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: mi_pass (4 of 9 complete)
ACCOUNT CHECK: [mysql] Host: localhost (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: admin (5 of 9 complete)
ACCOUNT FOUND: [mysql] Host: localhost User: root Password: admin [SUCCESS]


Brute force against SMB:

# medusa -h 192.168.1.100 -u admin -P /root/pass.txt -M smbnt


ACCOUNT CHECK: [smbnt] Host: 192.168.1.100 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: pepe (1 of 6 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.1.100 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: admin (2 of 6 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.1.100 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: 1234 (3 of 6 complete)
ACCOUNT CHECK: [smbnt] Host: 192.168.1.100 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: miPass (4 of 6 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.100 User: admin Password: miPass [SUCCESS]


Brute force against HTTP (http.mod handles HTTP authentication such as Basic; login forms need web-form.mod instead):

# medusa -h 192.168.1.100 -u admin -P /root/wordlist.txt -M http


ACCOUNT CHECK: [http] Host: 192.168.1.100 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: qwerty (1 of 6 complete)
ACCOUNT CHECK: [http] Host: 192.168.1.100 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: 1234 (2 of 6 complete)
ACCOUNT CHECK: [http] Host: 192.168.1.100 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: pepe (3 of 6 complete)
ACCOUNT CHECK: [http] Host: 192.168.1.100 (1 of 1, 0 complete) User: admin (1 of 1, 0 complete) Password: miPass (4 of 6 complete)
ACCOUNT FOUND: [http] Host: 192.168.1.100 User: admin Password: miPass [SUCCESS]
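Two small shell helpers, added here as an example and not part of the original post or of Medusa itself: one builds the host:user:password combo file that the FTP run above consumed with -C, the other turns Medusa's ACCOUNT FOUND lines into CSV for a report. The file names and the sample Medusa output are constructed for the example (the sample lines copy the format shown above, with one password containing spaces to show that it survives).

```shell
#!/bin/sh
# Added example, not from the original post or from Medusa: helpers around the
# runs shown above. Assumed/constructed: the file names and the sample output.

# build_combo HOSTS USERS PASSWORDS
# Writes one host:user:password line per combination: the format that
# `medusa -C combo.txt` reads (the FTP run above used such a file).
build_combo() {
    while IFS= read -r h; do
        while IFS= read -r u; do
            while IFS= read -r p; do
                printf '%s:%s:%s\n' "$h" "$u" "$p"
            done < "$3"
        done < "$2"
    done < "$1"
}

# found_to_csv
# Reads Medusa output on stdin and prints module,host,user,password for each
# "ACCOUNT FOUND: [mod] Host: H User: U Password: P [SUCCESS]" line.
# Fields are cut out with anchored substitutions, so passwords with spaces
# survive (passwords containing a comma would still need quoting for CSV).
found_to_csv() {
    awk '/^ACCOUNT FOUND: / {
        mod = $0;  sub(/^ACCOUNT FOUND: \[/, "", mod); sub(/].*$/, "", mod)
        host = $0; sub(/^.* Host: /, "", host);       sub(/ User: .*$/, "", host)
        user = $0; sub(/^.* User: /, "", user);       sub(/ Password: .*$/, "", user)
        pass = $0; sub(/^.* Password: /, "", pass);   sub(/ \[SUCCESS]$/, "", pass)
        printf "%s,%s,%s,%s\n", mod, host, user, pass
    }'
}

# Constructed sample of Medusa output (same line format as the runs above).
sample_medusa_output() {
    cat <<'EOF'
ACCOUNT CHECK: [ftp] Host: 192.168.1.150 (2 of 3, 1 complete) User: ftp_user (1 of 2, 0 complete) Password: ftp_pass (1 of 4 complete)
ACCOUNT FOUND: [ftp] Host: 192.168.1.150 User: ftp_user Password: ftp_pass [SUCCESS]
ACCOUNT FOUND: [ssh] Host: localhost User: root Password: mi pass wd [SUCCESS]
EOF
}

# Demo: constructed lists -> combo file, then a report from the sample output.
demo() {
    d=$(mktemp -d)
    printf '192.168.1.150\n192.168.1.200\n' > "$d/hosts.txt"
    printf 'ftp_user\nuser1\n'             > "$d/users.txt"
    printf 'ftp_pass\npeterete\n'          > "$d/pass.txt"
    build_combo "$d/hosts.txt" "$d/users.txt" "$d/pass.txt" > "$d/combo.txt"
    cat "$d/combo.txt"
    # Against a real target you would now run, e.g.:
    #   medusa -C "$d/combo.txt" -M ftp -f | tee "$d/medusa.log"
    sample_medusa_output | found_to_csv
    rm -rf "$d"
}

demo
```

The combo file grows as hosts × users × passwords, so for large lists prefer -H/-U/-P with an empty-field combo file and let Medusa do the expansion; the CSV parser works unchanged on the log of any module.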

SNMP brute force (with a simple shell loop)

First of all, create a text file holding our dictionary word list, or any other list produced by a password generator.

I'll call the file with the candidate passwords pass.txt:

# vim pass.txt

1234
peterete
mi_pass
morsa
public
qwerty
god


Then run the following loop, where 192.168.1.100 is the SNMP server whose community string we don't know. Each line is tried as the v2c community; snmpwalk exits non-zero on timeout, so the loop stops at the first community the agent answers (reading with while/read instead of for/cat keeps entries with spaces intact):

while IFS= read -r c; do snmpwalk -v 2c -c "$c" 192.168.1.100 && echo "community: $c" && break; done < pass.txt


If the community is in pass.txt, we get the output of the SNMP walk followed by the community that worked. The snmp.mod module listed above lets Medusa do the same job against many hosts at once.



Change the default text EDITOR

When we open the crontab editor, it comes up by default in the nano text editor.

# crontab -e

GNU nano 2.2.4 File: /tmp/crontab.lBvmzo/crontab

# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line


To make vim the default instead, run the following. This only affects the current shell, so put the line in ~/.bashrc or /etc/profile to make it permanent; note that crontab also reads VISUAL, which wins over EDITOR when both are set:

# export EDITOR=vim


We can also do it system-wide by picking the number of the editor we want with the following command, which changes what the editor alternative (used whenever EDITOR and VISUAL are unset) points to:

# update-alternatives --config editor

Friday, August 12, 2011

MySQL GRANT SELECT on a Specific DB with a Specific User

Create a database called dbmorsa:
mysql> create database dbmorsa;



Create a new user morsa (if it already exists, this same statement just changes the password). As written it also grants every privilege on every database, current and future (*.*); that is exactly what we will take away further down. Note that GRANT ... IDENTIFIED BY creating the account implicitly is MySQL 5.x behaviour: it is deprecated in 5.7 and gone in 8.0, where you must run CREATE USER first and then GRANT without the IDENTIFIED BY clause:
mysql> GRANT ALL PRIVILEGES ON *.* TO 'morsa'@'localhost' IDENTIFIED BY 'my_pass';



Check that the user exists:
mysql> use mysql;


mysql> select user from user where user='morsa';

+-------+
| user  |
+-------+
| morsa |
+-------+
1 row in set (0.00 sec)



Check the privileges while logged in as user morsa (from the shell, not the mysql prompt):
# mysql -u morsa -p

Enter password: my_pass
mysql> show grants;

+-----------------------------------------------------------------------------------------------------------------------+
| Grants for morsa@localhost                                                                                            |
+-----------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'morsa'@'localhost' IDENTIFIED BY PASSWORD '*6AA8F77DAD1D9BA03C9535B32B0281A1B70B6B90' |
+-----------------------------------------------------------------------------------------------------------------------+



Switch to database dbmorsa
mysql> use dbmorsa



Create two tables in database dbmorsa:
mysql> CREATE TABLE tabla1(codigo int, nombre varchar(10));
mysql> CREATE TABLE tabla2(valor int, nombreInt varchar(10));



List the tables just created:
mysql> show tables;

+-------------------+
| Tables_in_dbmorsa |
+-------------------+
| tabla1            |
| tabla2            |
+-------------------+
2 rows in set (0.00 sec)



Confirm they are still empty:
mysql> select * from tabla1;

Empty set (0.00 sec)

mysql> select * from tabla2;
Empty set (0.00 sec)


Insert data into the tables created above:
mysql> INSERT INTO tabla1 VALUES(1,'Beto');
mysql> INSERT INTO tabla1 VALUES(2,'Teto');
mysql> INSERT INTO tabla1 VALUES(3,'Peto');

mysql> INSERT INTO tabla2 VALUES(1,'Marta');
mysql> INSERT INTO tabla2 VALUES(2,'Parta');
mysql> INSERT INTO tabla2 VALUES(3,'Larta');


Query the freshly inserted data in both tables:
mysql> select * from tabla1;

+--------+--------+
| codigo | nombre |
+--------+--------+
|      1 | Beto   |
|      2 | Teto   |
|      3 | Peto   |
+--------+--------+
3 rows in set (0.00 sec)

mysql> select * from tabla2;
+-------+-----------+
| valor | nombreInt |
+-------+-----------+
|     1 | Marta     |
|     2 | Parta     |
|     3 | Larta     |
+-------+-----------+
3 rows in set (0.00 sec)



Delete user morsa. Editing the grant tables by hand works but needs the FLUSH PRIVILEGES afterwards; DROP USER 'morsa'@'localhost' is the supported one-step equivalent:
mysql> DELETE FROM `mysql`.`user` WHERE `user`.`Host` = 'localhost' AND `user`.`User` = 'morsa';
mysql> FLUSH PRIVILEGES;



Now create user morsa again, this time granting only SELECT on table tabla2 of database dbmorsa (on MySQL 8.0, CREATE USER first and drop the IDENTIFIED BY clause, as noted above):
root@Pruebas:~# mysql -u root -p
mysql> GRANT SELECT ON dbmorsa.tabla2 TO 'morsa'@'localhost' IDENTIFIED BY 'MORSA';
mysql> exit
root@Pruebas:~# mysql -u morsa -p



Only dbmorsa is listed now, alongside information_schema, which every account can always see; the other databases no longer appear:
mysql> show databases;

+--------------------+
| Database           |
+--------------------+
| information_schema |
| dbmorsa            |
+--------------------+
2 rows in set (0.00 sec)


mysql> use dbmorsa;

Database changed

mysql> show tables;

+-------------------+
| Tables_in_dbmorsa |
+-------------------+
| tabla2            |
+-------------------+
1 row in set (0.00 sec)



Confirm that we can SELECT, and nothing more: with this grant an INSERT on tabla2 or any query on tabla1 fails with an access denied error:
mysql> select * from tabla2;

+-------+-----------+
| valor | nombreInt |
+-------+-----------+
|     1 | Marta     |
|     2 | Parta     |
|     3 | Larta     |
+-------+-----------+
3 rows in set (0.00 sec)

Thursday, August 11, 2011

TCPDUMP Quick Reference (tcpdump cheat sheet)

tcpdump is a tool for capturing and analysing the traffic passing through the network (add -n to skip DNS lookups and -i to pick the interface).

# Packets with source IP 192.168.1.100
tcpdump src host 192.168.1.100


# Packets with destination IP 192.168.1.200
tcpdump dst host 192.168.1.200


# Packets with a given destination MAC
tcpdump ether dst 01:2f:e1:d4:1f:55


# Destination network 192.168.1.0/24
tcpdump dst net 192.168.1.0 mask 255.255.255.0

# or
tcpdump dst net 192.168.1.0/24


# Any IP with destination port SMTP
tcpdump dst port 25


# Any IP with SSH port (source or destination)
tcpdump port 22


# ICMP traffic: "icmp" is a filter keyword, so as the argument of "proto" it
# must be escaped, and the double backslash is what survives the shell
# (the plain keyword "icmp" on its own also works as a filter)
tcpdump ip proto \\icmp

# or, filtering the printed lines rather than the packets
tcpdump | grep ICMP


# Traffic that is not IP, e.g. ARP and CDPv2 (again a line filter on the output)
tcpdump | grep -v IP


# DNS over TCP (zone transfers and large responses). Most queries are UDP,
# so use "port 53" without the protocol to see both
tcpdump tcp and port 53


# Port 22 or 23 (SSH or Telnet); the parentheses are escaped from the shell
tcpdump tcp and \(port 22 or port 23\)


# Any TCP port except www
tcpdump tcp and not port 80
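An added example, not part of the original post: a small awk report run over the text that `tcpdump -n tcp and port 22` prints (the default output line for IPv4 TCP is `time IP src.sport > dst.dport: Flags [..], ...`). It counts pure SYNs per source and destination port, which is one way to spot the one-connection-per-attempt brute force that the Medusa post above generates. The capture lines here are constructed, not a real trace, and the threshold is an assumed parameter.

```shell
#!/bin/sh
# Added example, not from the original post: count new-connection SYNs per
# source in tcpdump text output. The capture below is constructed.

# Constructed sample in tcpdump's default IPv4 TCP line format.
sample_capture() {
    cat <<'EOF'
10:00:01.000001 IP 192.168.1.100.40001 > 192.168.1.200.22: Flags [S], seq 1, win 29200, length 0
10:00:01.000200 IP 192.168.1.200.22 > 192.168.1.100.40001: Flags [S.], seq 2, ack 2, win 28960, length 0
10:00:01.000300 IP 192.168.1.100.40001 > 192.168.1.200.22: Flags [.], ack 1, win 229, length 0
10:00:01.500000 IP 192.168.1.100.40002 > 192.168.1.200.22: Flags [S], seq 3, win 29200, length 0
10:00:02.000000 IP 192.168.1.100.40003 > 192.168.1.200.22: Flags [S], seq 4, win 29200, length 0
10:00:02.100000 IP 192.168.1.101.51000 > 192.168.1.200.22: Flags [S], seq 5, win 29200, length 0
10:00:02.200000 IP 192.168.1.100.40004 > 192.168.1.200.22: Flags [S], seq 6, win 29200, length 0
EOF
}

# syn_sources [THRESHOLD]
# Reads tcpdump output on stdin and prints "count src dst_port" for every
# source whose pure-SYN count (Flags [S], i.e. new connection attempts, not
# the [S.] SYN-ACK replies) is at least THRESHOLD (default 1), highest first.
# Against SSH/FTP every new connection is one login attempt, so a tall count
# from a single source is the brute force seen from the wire.
syn_sources() {
    threshold=${1:-1}
    awk -v t="$threshold" '
        $2 == "IP" && $7 == "[S]," {
            src = $3;  sub(/\.[0-9]+$/, "", src)   # drop the source port
            dst = $5;  sub(/:$/, "", dst)          # "a.b.c.d.port:" -> "a.b.c.d.port"
            port = dst; sub(/^.*\./, "", port)     # keep only the destination port
            n[src " " port]++
        }
        END { for (k in n) if (n[k] >= t) print n[k], k }
    ' | sort -rn
}

# Demo: sources with three or more SYNs to the same port.
# Live use: tcpdump -n -l tcp and port 22 | syn_sources 20
sample_capture | syn_sources 3
```

Used live, pipe `tcpdump -n -l` (line-buffered) into the function, or save with `-w` and replay with `-r` later; only IPv4 lines are handled, since tcpdump prints IPv6 with `IP6` and a different address syntax.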

Monday, August 8, 2011

ASCII codes on Linux

Can't remember the ASCII table on Linux? Just read the man page:

~# man ascii


Oct   Dec   Hex   Char                        Oct   Dec   Hex   Char
------------------------------------------------------------------------
000   0     00    NUL '\0'                    100   64    40    @
001   1     01    SOH (start of heading)      101   65    41    A
002   2     02    STX (start of text)         102   66    42    B
003   3     03    ETX (end of text)           103   67    43    C
004   4     04    EOT (end of transmission)   104   68    44    D
005   5     05    ENQ (enquiry)               105   69    45    E
006   6     06    ACK (acknowledge)           106   70    46    F
007   7     07    BEL '\a' (bell)             107   71    47    G
010   8     08    BS  '\b' (backspace)        110   72    48    H
011   9     09    HT  '\t' (horizontal tab)   111   73    49    I
012   10    0A    LF  '\n' (new line)         112   74    4A    J
013   11    0B    VT  '\v' (vertical tab)     113   75    4B    K
014   12    0C    FF  '\f' (form feed)        114   76    4C    L
015   13    0D    CR  '\r' (carriage ret)     115   77    4D    M
016   14    0E    SO  (shift out)             116   78    4E    N
017   15    0F    SI  (shift in)              117   79    4F    O
020   16    10    DLE (data link escape)      120   80    50    P
021   17    11    DC1 (device control 1)      121   81    51    Q
022   18    12    DC2 (device control 2)      122   82    52    R
023   19    13    DC3 (device control 3)      123   83    53    S
024   20    14    DC4 (device control 4)      124   84    54    T
025   21    15    NAK (negative ack.)         125   85    55    U
026   22    16    SYN (synchronous idle)      126   86    56    V
027   23    17    ETB (end of trans. blk)     127   87    57    W
030   24    18    CAN (cancel)                130   88    58    X
031   25    19    EM  (end of medium)         131   89    59    Y
032   26    1A    SUB (substitute)            132   90    5A    Z
033   27    1B    ESC (escape)                133   91    5B    [
034   28    1C    FS  (file separator)        134   92    5C    \  '\\'
035   29    1D    GS  (group separator)       135   93    5D    ]
036   30    1E    RS  (record separator)      136   94    5E    ^
037   31    1F    US  (unit separator)        137   95    5F    _
040   32    20    SPACE                       140   96    60    `
041   33    21    !                           141   97    61    a
042   34    22    "                           142   98    62    b
043   35    23    #                           143   99    63    c
044   36    24    $                           144   100   64    d
045   37    25    %                           145   101   65    e
046   38    26    &                           146   102   66    f
047   39    27    '                           147   103   67    g
050   40    28    (                           150   104   68    h
051   41    29    )                           151   105   69    i
052   42    2A    *                           152   106   6A    j
053   43    2B    +                           153   107   6B    k
054   44    2C    ,                           154   108   6C    l
055   45    2D    -                           155   109   6D    m
056   46    2E    .                           156   110   6E    n
057   47    2F    /                           157   111   6F    o
060   48    30    0                           160   112   70    p
061   49    31    1                           161   113   71    q
062   50    32    2                           162   114   72    r
063   51    33    3                           163   115   73    s
064   52    34    4                           164   116   74    t
065   53    35    5                           165   117   75    u
066   54    36    6                           166   118   76    v
067   55    37    7                           167   119   77    w
070   56    38    8                           170   120   78    x
071   57    39    9                           171   121   79    y
072   58    3A    :                           172   122   7A    z
073   59    3B    ;                           173   123   7B    {
074   60    3C    <                           174   124   7C    |
075   61    3D    =                           175   125   7D    }
076   62    3E    >                           176   126   7E    ~
077   63    3F    ?                           177   127   7F    DEL


Tables
For convenience, let us give more compact tables in hex and decimal.

Hex (high nibble across, low nibble down):

       2 3 4 5 6 7
     -------------
    0:   0 @ P ` p
    1: ! 1 A Q a q
    2: " 2 B R b r
    3: # 3 C S c s
    4: $ 4 D T d t
    5: % 5 E U e u
    6: & 6 F V f v
    7: ' 7 G W g w
    8: ( 8 H X h x
    9: ) 9 I Y i y
    A: * : J Z j z
    B: + ; K [ k {
    C: , < L \ l |
    D: - = M ] m }
    E: . > N ^ n ~
    F: / ? O _ o DEL

Decimal (tens across, units down):

       30 40 50 60 70 80 90 100 110 120
     ---------------------------------
    0:    (  2  <  F  P  Z  d   n   x
    1:    )  3  =  G  Q  [  e   o   y
    2:    *  4  >  H  R  \  f   p   z
    3: !  +  5  ?  I  S  ]  g   q   {
    4: "  ,  6  @  J  T  ^  h   r   |
    5: #  -  7  A  K  U  _  i   s   }
    6: $  .  8  B  L  V  `  j   t   ~
    7: %  /  9  C  M  W  a  k   u  DEL
    8: &  0  :  D  N  X  b  l   v
    9: '  1  ;  E  O  Y  c  m   w

Get the Server Serial Number from the Command Line

Start -> Run -> cmd

C:\Documents and Settings\user>wmic bios get serialnumber

SerialNumber
CGU5112gW7


NOTE: Tested on XP, Win2003 and Win2008