标签:Linux弱口令安全检测 NMAP扫描端口 破解密码与密码字典
前言:在inter环境中,过于简单的口令是服务器面临的最大风险。对于任何一个承担这安全责任的管理员,及时找出这些弱口令是非常必要的,这样便于采取进一步的安全措施,使用John the Ripper 检测Linux、Unix系统用户的密码强度,使用NMAP扫描端口,可以找出网络中不可控的应用服务,及时关闭不安全的服务,减小安全风险。
1、弱口令探测(john the ripper)
1)下载并安装:官方网站是http://openwall.com/john/,在该网站可以获取最新的稳定版源码包
现在解压安装
[root@localhost ~]# mount /dev/cdrom /media/ mount: block device /dev/sr0 is write-protected, mounting read-only [root@localhost ~]# cd /media/ [root@localhost media]# ls john-1.8.0.tar.tar [root@localhost media]# tar zxf john-1.8.0.tar.tar -C /usr/src/ [root@localhost media]# cd /usr/src/john-1.8.0/ [root@localhost john-1.8.0]# cd src/ [root@localhost src]# pwd /usr/src/john-1.8.0/src [root@localhost src]# make clean linux-x86-64 ......省略编译信息 [root@localhost src]# ls ../run/john //确定已生成可执行程序john ../run/john
John the Ripper 不需要特别的安装操作,编译完成后的run子目录中包括可执行程序John及相关配置文件、字典文件等,可以复制到任何位置使用。
2)检测弱口令
[root@localhost src]# cp /etc/shadow /root/shadow.txt //准备待破解的密码文件 [root@localhost src]# cd ../run [root@localhost run]# ./john /root/shadow.txt //执行暴力破解 0g 0:00:00:42 86% 1/3 0g/s 168.7p/s 168.7c/s 168.7C/s root9999900000..Root000000 0g 0:00:00:43 89% 1/3 0g/s 168.6p/s 168.6c/s 168.6C/s user1555555..u999991982 0g 0:00:00:47 94% 1/3 0g/s 168.6p/s 168.6c/s 168.6C/s 999992010..r999991955 123456 (zhangsan) 123456 (root) 123456 (user1) ......省略部分 ......//按Ctrl+C组合键终止后续过程 [root@localhost run]# ./john --show /root/shadow.txt //查看已破解出的账户列表 root:123456:17552:0:99999:7::: zhangsan:123456:17591:0:30:7::: user1:123456:17592:0:99999:7::: 3 password hashes cracked, 0 left
3)使用密码字典文件破解,默认的字典文件为password.lst
对于密码的暴力破解,字典文件的选择很关键。只要字典文件足够完整,密码破解只是时间问题,
[root@localhost run]# :>john.pot //清空已破解出的账户列表,以便重新分析 [root@localhost run]# ./john --show /root/shadow.txt 0 password hashes cracked, 3 left [root@localhost run]# passwd user1 //修改强密码pwd@123 更改用户 user1 的密码 。 新的 密码: 重新输入新的 密码: passwd: 所有的身份验证令牌已经成功更新。 [root@localhost run]# vim password.lst //将pwd@123写入密码字典里 123456 12345 pwd@123 //需要新添加
执行破解(破解之前需要重新拷贝shadow文件)
[root@localhost run]# cp /etc/shadow /root/shadow.txt cp:是否覆盖"/root/shadow.txt"? y [root@localhost run]# ./john --wordlist=./password.lst /root/shadow.txt Loaded 3 password hashes with 3 different salts (crypt, generic crypt(3) [?/64]) Press 'q' or Ctrl-C to abort, almost any other key for status 123456 (zhangsan) pwd@123 (user1) 123456 (root) 3g 0:00:00:01 100% 1.886g/s 60.37p/s 181.1c/s 181.1C/s 123456..pamela Use the "--show" option to display all of the cracked passwords reliably Session completed
2、网络扫描(NMAP)
NMAP是一个强大的端口扫描类安全评测工具,官方网站是http://nmap.org/ NMAP被设计为检测主机数量众多的巨大网络,支持ping扫描、多端口检测、OS识别等多种技术
1)安装NMAP包
[root@localhost ~]# mount /dev/cdrom /media/ mount: block device /dev/sr0 is write-protected, mounting read-only [root@localhost ~]# cd /media/ [root@localhost media]# ls nmap-7.60-1.x86_64.rpm [root@localhost media]# [root@localhost media]# rpm -ivh nmap-7.60-1.x86_64.rpm Preparing... ########################################### [100%] 1:nmap ########################################### [100%]
2)、扫描语法及类型
nmap [扫描类型] [选项] [扫描目标...] 其中,扫描目标可以是主机名、IP地址或网络地址等,多个目标以空格分割;常用的选项有“-p”、“-n”,分别用来指定扫描的端口、禁用反向DNS解析(以加快扫描速度); 扫描类型决定这检测的方式,也直接影响扫描的结果。 比较常用的几种扫描类型如下: NMAP的扫描语法 nmap [扫描类型] [选项] <扫描目标 ...> 常用的扫描类型 -sS,TCP SYN扫描(半开) -sT,TCP 连接扫描(全开) -sF,TCP FIN扫描 -sU,UDP扫描 -sP,ICMP扫描 -P0,跳过ping检测
3)针对本机进行扫描,检查开放了哪些常用的tcp端口,udp端口
[root@localhost ~]# nmap 127.0.0.1 //扫描常用的TCP端口 Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-03 00:34 CST mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers Nmap scan report for localhost (127.0.0.1) Host is up (0.000010s latency). Not shown: 996 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 111/tcp open rpcbind 631/tcp open ipp Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds 4)扫描常用的udp端口 [root@localhost ~]# nmap -sU 127.0.0.1 //扫描常用的UDP端口 Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-03 00:35 CST mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers Nmap scan report for localhost (127.0.0.1) Host is up (0.000028s latency). Not shown: 997 closed ports PORT STATE SERVICE 111/udp open rpcbind 631/udp open|filtered ipp 780/udp open|filtered wpgs Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds
在扫描结果中,STATE列若为open则表示端口为开放状态,为filtered表示为可能被防火墙过滤,为closed表示端口为关闭状态。
[root@localhost ~]# nmap -p 21 192.168.1.0 //检查哪些主机提供FTP服务 Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-03 00:40 CST mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 0.57 seconds [root@localhost ~]# nmap -p 21 192.168.1.0 //检查网段中哪些存活主机(能ping通) Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-03 00:42 CST mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 0.57 seconds
[root@localhost ~]# nmap -p 139,455 192.168.1.1-100 //检查192.168.1.1-100主机是否开启共享服务 Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-03 00:43 CST mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers Nmap scan report for 192.168.1.1 Host is up (0.00024s latency). PORT STATE SERVICE 139/tcp closed netbios-ssn 455/tcp closed creativepartnr Nmap scan report for 192.168.1.12 Host is up (0.00016s latency). PORT STATE SERVICE 139/tcp open netbios-ssn 455/tcp closed creativepartnr MAC Address: 00:50:56:C0:00:08 (VMware) Nmap done: 100 IP addresses (2 hosts up) scanned in 1.99 seconds
标签:Linux弱口令安全检测 NMAP扫描端口 破解密码与密码字典
原文地址:http://blog.51cto.com/13557682/2079942