概述
SSHScan是一个枚举SSH密码的测试工具。使用SSHScan,可以轻松检测到弱密码。
工具地址
https://github.com/evict/SSHScan
使用
首先打开kali
之后下载工具
git clone https://github.com/evict/SSHScan.git
给工具添加可执行权限并且运行
root@kali:~# cd SSHScan/
root@kali:~/SSHScan# ls
README.md sshscan.py
root@kali:~/SSHScan# chmod +x sshscan.py
root@kali:~/SSHScan# python sshscan.py -h
_____ _____ _ _ _____
/ ___/ ___| | | / ___|
\ `--.\ `--.| |_| \ `--. ___ __ _ _ __
`--. \`--. | _ |`--. \/ __/ _` | '_ \
/\__/ /\__/ | | | /\__/ | (_| (_| | | | |
\____/\____/\_| |_\____/ \___\__,_|_| |_|
evict
Usage: usage sshscan.py [options]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
Options:
-t TARGET, --target=TARGET
Specify target as 'target' or 'target:port' (port 22
is default)
-l TARGETLIST, --target-list=TARGETLIST
File with targets: 'target' or 'target:port' seperated
by a newline (port 22 is default)
root@kali:~/SSHScan#
从帮助信息里就可以看出使用这款工具十分简单 -t 后面跟一个目标地址,-l 后面跟一个目标文件文件格式类似下面这样
192.168.1.100:22
192.168.1.101:22
192.168.1.102:22
扫描一个ip列表
root@kali:~/SSHScan# python sshscan.py -l bboysoul.ls
_____ _____ _ _ _____
/ ___/ ___| | | / ___|
\ `--.\ `--.| |_| \ `--. ___ __ _ _ __
`--. \`--. | _ |`--. \/ __/ _` | '_ \
/\__/ /\__/ | | | /\__/ | (_| (_| | | | |
\____/\____/\_| |_\____/ \___\__,_|_| |_|
evict
[*] List contains 3 targets to scan
[*] Initiating scan for 192.168.1.100 on port 22
[*] Connected to 192.168.1.100 on port 22...
[+] Target SSH version is: SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3
[+] Retrieving ciphers...
[+] Detected the following ciphers:
aes128-ctr aes128-gcm@openssh.com
aes192-ctr aes256-gcm@openssh.com
aes256-ctr chacha20-poly1305@openssh.com
[+] Detected the following KEX algorithms:
curve25519-sha256 ecdh-sha2-nistp256
curve25519-sha256@libssh.org ecdh-sha2-nistp384
diffie-hellman-group14-sha1 ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
[+] Detected the following MACs:
hmac-sha1 hmac-sha2-256-etm@openssh.com
hmac-sha2-256 hmac-sha2-512-etm@openssh.com
hmac-sha2-512 umac-64-etm@openssh.com
umac-64 umac-128-etm@openssh.com
hmac-sha1-etm@openssh.com
[+] Detected the following HostKey algorithms:
ecdsa-sha2-nistp256 ssh-rsa
ssh-ed25519 ssh-dss
[+] No weak ciphers detected!
[+] Detected the following weak KEX algorithms:
diffie-hellman-group14-sha1 ecdh-sha2-nistp384
ecdh-sha2-nistp256 ecdh-sha2-nistp521
[+] Detected the following weak MACs:
hmac-sha1 hmac-sha1-etm@openssh.com
umac-64 umac-64-etm@openssh.com
[+] Detected the following weak HostKey algorithms:
ecdsa-sha2-nistp256 ssh-dss
[+] Compression has been enabled!
[*] Initiating scan for 192.168.1.101 on port 22
[-] Error while connecting to 192.168.1.101 on port 22
[*] Initiating scan for 192.168.1.102 on port 22
[-] Error while connecting to 192.168.1.102 on port 22
[*] Scan completed for 1 out of 3 targets!
从上面可以看出只有192.168.1.100开放了ssh端口,openssh的版本是6.7p1的,同样的,只扫描一个ip我就不演示了
上面我们说到这个工具是是枚举ssh密码的工具,那么枚举的密码字典要放在哪里
只要打开你运行的这个python脚本
vim sshscan.py
找到下面这几句话
def get_output(rawlist):
if rawlist:
ciphers = ['3des-cbc','aes128-cbc','aes192-cbc','aes256-cbc','aes128-ctr','aes192-ctr','aes256-ctr','aes128-gcm@openssh.com','aes256-gcm@openssh.com','arcfour','arcfour128','arcfour256','blowfish-cbc','cast128-cbc','chacha20-poly1305@openssh.com']
strong_ciphers = ['chacha20-poly1305@openssh.com','aes256-gcm@openssh.com','aes128-gcm@openssh.com','aes256-ctr','aes192-ctr','aes128-ctr']
weak_ciphers = ['woyaoxuehuilinux']
macs = ['hmac-md5','hmac-md5-96','hmac-ripemd160','hmac-sha1','hmac-sha1-96','hmac-sha2-256','hmac-sha2-512','umac-64','hmac-md5-etm@openssh.com','hmac-md5-96-etm@openssh.com','hmac-ripemd160-etm@openssh.com','hmac-sha1-etm@openssh.com','hmac-sha1-96-etm@openssh.com','hmac-sha2-256-etm@openssh.com','hmac-sha2-512-etm@openssh.com','umac-64-etm@openssh.com','umac-128-etm@openssh.com']
strong_macs = ['hmac-sha2-512-etm@openssh.com','hmac-sha2-256-etm@openssh.com','umac-128','umac-128-etm@openssh.com','hmac-sha2-512','hmac-sha2-256','umac-128@openssh.com']
weak_macs = []
kex = ['curve25519-sha256', 'curve25519-sha256@libssh.org','diffie-hellman-group1-sha1','diffie-hellman-group14-sha1','diffie-hellman-group-exchange-sha1','diffie-hellman-group-exchange-sha256','ecdh-sha2-nistp256','ecdh-sha2-nistp384','ecdh-sha2-nistp521','ecdsa-sha2-nistp256-cert-v01@openssh.com','ecdsa-sha2-nistp384-cert-v01@openssh.com','ecdsa-sha2-nistp521-cert-v01@openssh.com']
strong_kex = ['curve25519-sha256', 'curve25519-sha256@libssh.org', 'diffie-hellman-group-exchange-sha256']
weak_kex = []
hka = ['ecdsa-sha2-nistp256-cert-v01@openssh.com','ecdsa-sha2-nistp384-cert-v01@openssh.com','ecdsa-sha2-nistp521-cert-v01@openssh.com','ssh-ed25519-cert-v01@openssh.com','ssh-rsa-cert-v01@openssh.com','ssh-dss-cert-v01@openssh.com','ssh-rsa-cert-v00@openssh.com','ssh-dss-cert-v00@openssh.com','ecdsa-sha2-nistp256','ecdsa-sha2-nistp384','ecdsa-sha2-nistp521','ssh-ed25519','ssh-rsa','ssh-dss']
strong_hka = ['ssh-rsa-cert-v01@openssh.com','ssh-ed25519-cert-v01@openssh.com','ssh-rsa-cert-v00@openssh.com','ssh-rsa','ssh-ed25519']
weak_hka = []
dmacs = []
这里就是写字典的地方,而密码字典在下面这里
weak_ciphers = ['woyaoxuehuilinux']
你可以把你的字典放在这里
之后扫描
root@kali:~/SSHScan# python sshscan.py -t 192.168.1.100
_____ _____ _ _ _____
/ ___/ ___| | | / ___|
\ `--.\ `--.| |_| \ `--. ___ __ _ _ __
`--. \`--. | _ |`--. \/ __/ _` | '_ \
/\__/ /\__/ | | | /\__/ | (_| (_| | | | |
\____/\____/\_| |_\____/ \___\__,_|_| |_|
evict
[*] Target 192.168.1.100 specified without a port number, using default port 22
[*] Initiating scan for 192.168.1.100 on port 22
[*] Connected to 192.168.1.100 on port 22...
[+] Target SSH version is: SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3
[+] Retrieving ciphers...
[+] Detected the following ciphers:
aes128-ctr aes128-gcm@openssh.com
aes192-ctr aes256-gcm@openssh.com
aes256-ctr chacha20-poly1305@openssh.com
[+] Detected the following KEX algorithms:
curve25519-sha256 ecdh-sha2-nistp256
curve25519-sha256@libssh.org ecdh-sha2-nistp384
diffie-hellman-group14-sha1 ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
[+] Detected the following MACs:
hmac-sha1 hmac-sha2-256-etm@openssh.com
hmac-sha2-256 hmac-sha2-512-etm@openssh.com
hmac-sha2-512 umac-64-etm@openssh.com
umac-64 umac-128-etm@openssh.com
hmac-sha1-etm@openssh.com
[+] Detected the following HostKey algorithms:
ecdsa-sha2-nistp256 ssh-rsa
ssh-ed25519 ssh-dss
[+] Detected the following weak ciphers:
woyaoxuehuilinux
[+] Detected the following weak KEX algorithms:
diffie-hellman-group14-sha1 ecdh-sha2-nistp384
ecdh-sha2-nistp256 ecdh-sha2-nistp521
[+] Detected the following weak MACs:
hmac-sha1 hmac-sha1-etm@openssh.com
umac-64 umac-64-etm@openssh.com
[+] Detected the following weak HostKey algorithms:
ecdsa-sha2-nistp256 ssh-dss
[+] Compression has been enabled!
root@kali:~/SSHScan#
看下面这里
[+] Detected the following weak ciphers:
woyaoxuehuilinux
探测到密码了
欢迎关注我的博客www.bboy.app
Have Fun