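Using SSHScan to scan and crack SSH passwords

Overview

SSHScan is a testing tool for enumerating SSH passwords. With SSHScan, weak passwords can be detected easily.

Tool URL

https://github.com/evict/SSHScan

Usage

First start Kali, then download the tool with git clone https://github.com/evict/SSHScan.git. Make the tool executable and run it: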

[email protected]:~# cd SSHScan/
[email protected]:~/SSHScan# ls
README.md  sshscan.py
[email protected]:~/SSHScan# chmod +x sshscan.py 
[email protected]:~/SSHScan# python sshscan.py -h

      _____ _____ _    _ _____
     /  ___/  ___| | | /  ___|
     \ `--.\ `--.| |_| \ `--.  ___ __ _ _ __
      `--. \`--. |  _  |`--. \/ __/ _` | '_ \
     /\__/ /\__/ | | | /\__/ | (_| (_| | | | |
     \____/\____/\_| |_\____/ \___\__,_|_| |_|
                                            evict
                
Usage: usage sshscan.py [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit

  Options:
    -t TARGET, --target=TARGET
                        Specify target as 'target' or 'target:port' (port 22
                        is default)
    -l TARGETLIST, --target-list=TARGETLIST
                        File with targets: 'target' or 'target:port' seperated
                        by a newline (port 22 is default)
[email protected]:~/SSHScan# 

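As the help output shows, the tool is very simple to use: -t is followed by a single target address, and -l is followed by a target file whose format looks like this: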

192.168.1.100:22
192.168.1.101:22
192.168.1.102:22

Scanning a list of IPs

[email protected]:~/SSHScan# python sshscan.py -l bboysoul.ls

      _____ _____ _    _ _____
     /  ___/  ___| | | /  ___|
     \ `--.\ `--.| |_| \ `--.  ___ __ _ _ __
      `--. \`--. |  _  |`--. \/ __/ _` | '_ \
     /\__/ /\__/ | | | /\__/ | (_| (_| | | | |
     \____/\____/\_| |_\____/ \___\__,_|_| |_|
                                            evict
                
[*] List contains 3 targets to scan
[*] Initiating scan for 192.168.1.100 on port 22
[*] Connected to 192.168.1.100 on port 22...
    [+] Target SSH version is: SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3
    [+] Retrieving ciphers...
    [+] Detected the following ciphers: 
            aes128-ctr                           [email protected]               
            aes192-ctr                           [email protected]               
            aes256-ctr                           [email protected]        


    [+] Detected the following KEX algorithms: 
            curve25519-sha256                    ecdh-sha2-nistp256                   
            [email protected]         ecdh-sha2-nistp384                   
            diffie-hellman-group14-sha1          ecdh-sha2-nistp521                   
            diffie-hellman-group-exchange-sha256                                      


    [+] Detected the following MACs: 
            hmac-sha1                            [email protected]        
            hmac-sha2-256                        [email protected]        
            hmac-sha2-512                        [email protected]              
            umac-64                              [email protected]             
            [email protected]                                                 


    [+] Detected the following HostKey algorithms: 
            ecdsa-sha2-nistp256                  ssh-rsa                              
            ssh-ed25519                          ssh-dss                              


    [+] No weak ciphers detected!
    [+] Detected the following weak KEX algorithms: 
            diffie-hellman-group14-sha1          ecdh-sha2-nistp384                   
            ecdh-sha2-nistp256                   ecdh-sha2-nistp521                   


    [+] Detected the following weak MACs: 
            hmac-sha1                            [email protected]            
            umac-64                              [email protected]              


    [+] Detected the following weak HostKey algorithms: 
            ecdsa-sha2-nistp256                  ssh-dss                              


    [+] Compression has been enabled!
[*] Initiating scan for 192.168.1.101 on port 22
    [-] Error while connecting to 192.168.1.101 on port 22

[*] Initiating scan for 192.168.1.102 on port 22
    [-] Error while connecting to 192.168.1.102 on port 22

[*] Scan completed for 1 out of 3 targets!

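From the output above you can see that only 192.168.1.100 has its SSH port open and that its OpenSSH version is 6.7p1. Scanning a single IP works the same way, so I won't demonstrate it.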
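The per-category report above can be reproduced from a server's SSH_MSG_KEXINIT message by splitting its name-lists and flagging every offered algorithm that is not on a strong list, which is consistent with the "weak" sections printed for 192.168.1.100. This is an added example, not code from SSHScan: the function names are hypothetical, the KEXINIT payload is constructed, and the strong lists are taken from the sshscan.py excerpt on this page, restricted to the names that are legible there.

```python
# Strong lists from the sshscan.py excerpt on this page (legible names only).
STRONG = {
    "kex": {"curve25519-sha256", "diffie-hellman-group-exchange-sha256"},
    "hostkey": {"ssh-rsa", "ssh-ed25519"},
    "cipher": {"aes128-ctr", "aes192-ctr", "aes256-ctr"},
    "mac": {"hmac-sha2-256", "hmac-sha2-512", "umac-128"},
}
# KEXINIT name-lists in wire order (RFC 4253, 7.1); cipher/mac/comp = server-to-client.
FIELDS = ["kex", "hostkey", "cipher_c2s", "cipher", "mac_c2s", "mac",
          "comp_c2s", "comp", "lang_c2s", "lang"]

def parse_kexinit(payload):
    """Split an SSH_MSG_KEXINIT payload into {field: [algorithm names]}."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, offer = 17, {}  # skip the message type (1 byte) and cookie (16 bytes)
    for field in FIELDS:
        size = int.from_bytes(payload[pos:pos + 4], "big")
        names = payload[pos + 4:pos + 4 + size]
        if pos + 4 > len(payload) or len(names) != size:
            raise ValueError("truncated name-list")
        offer[field] = names.decode("ascii").split(",") if names else []
        pos += 4 + size
    return offer

def weak_algorithms(offer):
    """Per category, the offered algorithms that are not on the strong list."""
    return {cat: [a for a in offer[cat] if a not in strong]
            for cat, strong in STRONG.items()}

def build_kexinit(lists):
    """Encode ten name-lists as a KEXINIT payload (constructed test input)."""
    encoded = (",".join(names).encode("ascii") for names in lists)
    body = b"".join(len(s).to_bytes(4, "big") + s for s in encoded)
    return bytes([20]) + bytes(16) + body + bytes(5)  # flag + reserved field

# Constructed sample: the legible names from the 192.168.1.100 scan above.
KEX = ["curve25519-sha256", "diffie-hellman-group14-sha1",
       "diffie-hellman-group-exchange-sha256", "ecdh-sha2-nistp256",
       "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"]
HOSTKEY = ["ecdsa-sha2-nistp256", "ssh-ed25519", "ssh-rsa", "ssh-dss"]
CIPHER = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]
MAC = ["hmac-sha1", "hmac-sha2-256", "hmac-sha2-512", "umac-64"]
SAMPLE = build_kexinit([KEX, HOSTKEY, CIPHER, CIPHER, MAC, MAC,
                        ["none"], ["none"], [], []])

if __name__ == "__main__":
    for category, names in weak_algorithms(parse_kexinit(SAMPLE)).items():
        print(category, names or "none weak")
```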

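We said above that this tool enumerates SSH passwords, so where does the password dictionary for the enumeration go? Just open the Python script you are running (vim sshscan.py) and find the following lines: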

def get_output(rawlist):
	if rawlist:
		ciphers = ['3des-cbc','aes128-cbc','aes192-cbc','aes256-cbc','aes128-ctr','aes192-ctr','aes256-ctr','[email protected]','[email protected]','arcfour','arcfour128','arcfour256','blowfish-cbc','cast128-cbc','[email protected]']
		strong_ciphers = ['[email protected]','[email protected]','[email protected]','aes256-ctr','aes192-ctr','aes128-ctr']
		weak_ciphers = ['woyaoxuehuilinux']
		macs = ['hmac-md5','hmac-md5-96','hmac-ripemd160','hmac-sha1','hmac-sha1-96','hmac-sha2-256','hmac-sha2-512','umac-64','[email protected]','[email protected]','[email protected]','[email protected]','[email protected]','[email protected]','[email protected]','[email protected]','[email protected]']
		strong_macs = ['[email protected]','[email protected]','umac-128','[email protected]','hmac-sha2-512','hmac-sha2-256','[email protected]']
		weak_macs = []
		kex = ['curve25519-sha256', '[email protected]','diffie-hellman-group1-sha1','diffie-hellman-group14-sha1','diffie-hellman-group-exchange-sha1','diffie-hellman-group-exchange-sha256','ecdh-sha2-nistp256','ecdh-sha2-nistp384','ecdh-sha2-nistp521','[email protected]','[email protected]','[email protected]']
		strong_kex = ['curve25519-sha256', '[email protected]', 'diffie-hellman-group-exchange-sha256']
		weak_kex = []
		hka = ['[email protected]','[email protected]','[email protected]','[email protected]','[email protected]','[email protected]','[email protected]','[email protected]','ecdsa-sha2-nistp256','ecdsa-sha2-nistp384','ecdsa-sha2-nistp521','ssh-ed25519','ssh-rsa','ssh-dss']
		strong_hka = ['[email protected]','[email protected]','[email protected]','ssh-rsa','ssh-ed25519']
		weak_hka = []
		dmacs = []

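This is where the dictionary is written, and the password dictionary itself goes in this line: weak_ciphers = ['woyaoxuehuilinux']. You can put your dictionary here and then scan: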

[email protected]:~/SSHScan# python sshscan.py -t 192.168.1.100

      _____ _____ _    _ _____
     /  ___/  ___| | | /  ___|
     \ `--.\ `--.| |_| \ `--.  ___ __ _ _ __
      `--. \`--. |  _  |`--. \/ __/ _` | '_ \
     /\__/ /\__/ | | | /\__/ | (_| (_| | | | |
     \____/\____/\_| |_\____/ \___\__,_|_| |_|
                                            evict
                
[*] Target 192.168.1.100 specified without a port number, using default port 22
[*] Initiating scan for 192.168.1.100 on port 22
[*] Connected to 192.168.1.100 on port 22...
    [+] Target SSH version is: SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3
    [+] Retrieving ciphers...
    [+] Detected the following ciphers: 
            aes128-ctr                           [email protected]               
            aes192-ctr                           [email protected]               
            aes256-ctr                           [email protected]        


    [+] Detected the following KEX algorithms: 
            curve25519-sha256                    ecdh-sha2-nistp256                   
            [email protected]         ecdh-sha2-nistp384                   
            diffie-hellman-group14-sha1          ecdh-sha2-nistp521                   
            diffie-hellman-group-exchange-sha256                                      


    [+] Detected the following MACs: 
            hmac-sha1                            [email protected]        
            hmac-sha2-256                        [email protected]        
            hmac-sha2-512                        [email protected]              
            umac-64                              [email protected]             
            [email protected]                                                 


    [+] Detected the following HostKey algorithms: 
            ecdsa-sha2-nistp256                  ssh-rsa                              
            ssh-ed25519                          ssh-dss                              


    [+] Detected the following weak ciphers: 
            woyaoxuehuilinux                                                          


    [+] Detected the following weak KEX algorithms: 
            diffie-hellman-group14-sha1          ecdh-sha2-nistp384                   
            ecdh-sha2-nistp256                   ecdh-sha2-nistp521                   


    [+] Detected the following weak MACs: 
            hmac-sha1                            [email protected]            
            umac-64                              [email protected]              


    [+] Detected the following weak HostKey algorithms: 
            ecdsa-sha2-nistp256                  ssh-dss                              


    [+] Compression has been enabled!
[email protected]:~/SSHScan# 

Look at this part:

 [+] Detected the following weak ciphers: 
            woyaoxuehuilinux                                                          

The password has been detected.

Feel free to follow my blog at www.bboy.app. Have Fun