
Web penetration test - 5. Brute force cracking vulnerability - (5) SMB password cracking

2022-06-24 04:19:00 Seven days


Server Message Block (SMB) is a communication protocol used mainly as the Microsoft network communication protocol. SMB is a protocol of the session layer and presentation layer, with a small part in the application layer. SMB uses the NetBIOS application programming interface. In addition, it is an open protocol that allows protocol extensions.
Default ports: 139, 445.

I. hydra

Hydra is a parallelized login cracker that supports many protocols. It is very fast and flexible, and new modules are easy to add. It is included in the Kali toolset.

hydra project address (full version): https://github.com/vanhauser-thc/thc-hydra/releases

hydra supports:
Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

hydra -L /root/Desktop/user.txt -P /root/Desktop/pass.txt IP smb

-L: path to the username dictionary
-P: path to the password dictionary

II. Ncrack

Ncrack is a high-speed network authentication cracking tool. It aims to help companies protect their networks by proactively testing all their hosts and network devices for weak passwords. Ncrack is designed with a modular approach, a command-line syntax similar to Nmap, and a dynamic engine that can adjust its behavior according to network feedback. It allows fast and reliable large-scale auditing of multiple hosts. It is included in the Kali toolset.

Ncrack's features include a very flexible interface that gives the user complete control over network operations, support for very complex brute-force attacks, easy-to-use timing templates, and runtime interaction similar to Nmap's. Supported protocols include SSH, RDP, FTP, Telnet, HTTP(S), Wordpress, POP3(S), IMAP, CVS, SMB, VNC, SIP, Redis, PostgreSQL, MQTT, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA, and DICOM.

Project address :https://nmap.org/ncrack/

ncrack -U /root/Desktop/user.txt -P /root/Desktop/pass.txt IP -p 445

-U: path to the username list
-P: path to the password list

III. Medusa

Medusa is a fast, parallel and modular login brute-forcer. Its goal is to support as many services that allow remote authentication as possible. It is included in the Kali toolset.

Documentation:
www.foofus.net/jmk/medusa/medusa.html
Source code:
https://github.com/jmk-foofus/medusa
https://github.com/jmk-foofus/medusa/archive/2.2.tar.gz

The main features are as follows:
1. Thread-based parallel testing: brute-force testing can be performed against multiple hosts, users or passwords at the same time.
2. Flexible user input: target information (host/user/password) can be specified in a number of ways. For example, each item can be a single entry or a file that contains multiple entries. In addition, a combined file format allows users to refine their target list.
3. Modular design: each service module exists as an independent .mod file. This means that the list of supported services can be extended for brute-force testing without any modification to the core application.
4. Support for multiple protocols: many services are currently supported (for example SMB, HTTP, POP3, MS-SQL, SSHv2, etc.).

medusa -h IP -U /root/Desktop/user.txt -P /root/Desktop/pass.txt -M smbnt

-U: path to the username list
-P: path to the password list
-M: specifies the module (service type) to brute-force

IV. Metasploit

msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > set rhosts IP
msf auxiliary(smb_login) > set user_file /root/Desktop/user.txt
msf auxiliary(smb_login) > set pass_file /root/Desktop/pass.txt
msf auxiliary(smb_login) > set stop_on_success true
msf auxiliary(smb_login) > exploit
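
All four tools above leave the same footprint on the target: a burst of failed network logons from one source, sometimes followed by a success. The Python code below is an added example, not part of the original post; it flags that pattern in Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 3. The record layout, sample data, thresholds and function name are assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, not real logs:
# (timestamp, event_id, logon_type, account, source_ip)
# 4625 = failed logon, 4624 = successful logon, logon type 3 = network (e.g. SMB).
SAMPLE_EVENTS = [
    ("2022-06-24 04:19:00", 4625, 3, "admin", "192.0.2.10"),
    ("2022-06-24 04:19:01", 4625, 3, "admin", "192.0.2.10"),
    ("2022-06-24 04:19:02", 4625, 3, "administrator", "192.0.2.10"),
    ("2022-06-24 04:19:03", 4625, 3, "administrator", "192.0.2.10"),
    ("2022-06-24 04:19:04", 4625, 3, "backup", "192.0.2.10"),
    ("2022-06-24 04:19:05", 4624, 3, "backup", "192.0.2.10"),
    ("2022-06-24 04:20:00", 4625, 3, "alice", "192.0.2.20"),   # one typo, then success
    ("2022-06-24 04:20:30", 4624, 3, "alice", "192.0.2.20"),
    ("2022-06-24 04:21:00", 4625, 2, "bob", "192.0.2.30"),     # console logon, ignored
]

def detect_smb_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failed network logons inside the window."""
    failures = defaultdict(deque)   # source_ip -> (time, account) of recent failures
    alerts = {}
    for ts, event_id, logon_type, account, src in sorted(events):
        if logon_type != 3:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 4625:
            recent = failures[src]
            recent.append((when, account))
            # Drop failures that have aged out of the sliding window.
            while when - recent[0][0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alert = alerts.setdefault(src, {"accounts": set(), "success_after": []})
                alert["accounts"].update(a for _, a in recent)
        elif event_id == 4624 and src in alerts:
            # A success from an already-flagged source suggests a guessed password.
            alerts[src]["success_after"].append(account)
    return alerts

if __name__ == "__main__":
    for src, alert in detect_smb_bruteforce(SAMPLE_EVENTS).items():
        print(src, sorted(alert["accounts"]), alert["success_after"])
```

An entry in success_after is the case to escalate first: the flagged source went on to log in, which is the condition stop_on_success waits for.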
