A comparison of Medusa and Hydra

1. Introduction

1.1 Hydra

Number one of the biggest security holes is passwords, as every password security study shows. This tool is proof-of-concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system.

THIS TOOL IS FOR LEGAL PURPOSES ONLY!

There are already several login hacker tools available; however, none either supports more than one protocol to attack or supports parallelized connects.

It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10) and MacOS.

Currently this tool supports the following protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

However, the module engine for new services is very easy, so it won't take long until even more services are supported. Your help in writing, enhancing or fixing modules is highly appreciated!! :-)

1.2 Medusa

Medusa is a speedy, parallel, and modular login brute-forcer. The goal is to support as many services that allow remote authentication as possible. The author considers the following items some of the key features of this application:

  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.
  • Multiple protocols supported. Many services are currently supported (e.g. SMB, HTTP, POP3, MS-SQL, SSHv2, among others).
  • Application stability. Maybe I’m just lame, but Hydra frequently crashed on me. I was no longer confident that Hydra was actually doing what it claimed to be. Rather than fix Hydra, I decided to create my own buggy application which could crash in new and exciting ways.

2. Options

2.1 Hydra

hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]
-R  restore a previous aborted/crashed session
-I  ignore an existing restore file
-S  connect via SSL
-s  port number
-l  login name to try
-L  load login names from a file
-p  password to try
-P  load passwords from a file
-e nsr  n: try a null (empty) password, s: try the login name as the password, r: try the reversed login name
-c TIME  wait time between login attempts
-4 / -6  use IPv4 or IPv6 addresses
-v / -V  verbose mode / show each login+password attempt (-d: debug mode)
-O  use old SSL v2 and v3
-q  do not print messages about connection errors
-h  help
-M FILE  load target hosts from a file
-f / -F  stop cracking after the first login/password pair is found
server  target IP
service  service type to attack
Supported service types: adam6500 asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh

2.2 Medusa

Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
-h [TEXT]  target IP
-H [FILE]  file of target hosts
-u [TEXT]  username
-U [FILE]  file of usernames
-p [TEXT]  password
-P [FILE]  file of passwords
-C [FILE]  file of combo entries
-O [FILE]  log file
-e [n/s/ns]  n: try an empty password, s: try the username as the password
-M [TEXT]  name of the module to execute
-m [TEXT]  parameter to pass to the module
-d  list all available modules
-n [NUM]  use a non-default port
-s  enable SSL
-r [NUM]  retry interval in seconds (default 3)
-t [NUM]  number of threads
-L  parallelize logins, one username per thread
-f  stop cracking after the first login/password pair is found
-q  display module usage information
-v [NUM]  verbosity level (0-6)
-w [NUM]  error debug level (0-10)
-V  display version
-Z [TEXT]  resume the previous scan
Example:
medusa -M ssh -u root -P passwd.txt -h 192.168.126.130 -f -v 6

3. Experiments

3.1 Brute-forcing SSH

3.1.1 Hydra

hydra -l chessur -P passwd.txt ssh://192.168.126.130

3.1.2 Medusa

medusa -M ssh -u chessur -P passwd.txt -h 192.168.126.130 -F -v 6

3.2 Brute-forcing FTP

3.2.1 Hydra

hydra -l ftp1 -P passwd.txt ftp://192.168.126.130

3.2.2 Medusa

medusa -M ftp -u ftp1 -P passwd.txt -h 192.168.126.130 -f -v 6
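As a defender-side counterpart to the two experiments above (an added example, not code from the original post or from either tool): the burst of failed logins that a Hydra or Medusa run leaves in the target's auth log can be flagged with a sliding-window counter per source IP and service, and a success that follows such a burst is the event worth escalating. The syslog-style sample lines and the sshd/vsftpd line shapes are constructed for this example; real log formats vary by distribution, so the regexes are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sample lines (not from the original post); the regexes are tuned to this shape.
SAMPLE_LINES = [
    'Mar 10 12:00:01 target sshd[2101]: Failed password for chessur from 192.0.2.10 port 40001 ssh2',
    'Mar 10 12:00:01 target sshd[2102]: Failed password for chessur from 192.0.2.10 port 40002 ssh2',
    'Mar 10 12:00:02 target sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2',
    'Mar 10 12:00:02 target sshd[2104]: Failed password for chessur from 192.0.2.10 port 40004 ssh2',
    'Mar 10 12:00:03 target sshd[2105]: Failed password for chessur from 192.0.2.10 port 40005 ssh2',
    'Mar 10 12:00:03 target sshd[2106]: Accepted password for chessur from 192.0.2.10 port 40006 ssh2',
    'Mar 10 12:00:04 target vsftpd[2107]: [ftp1] FAIL LOGIN: Client "192.0.2.10"',
    'Mar 10 12:00:04 target vsftpd[2108]: [ftp1] FAIL LOGIN: Client "192.0.2.10"',
]

TS = r'(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ '
SSH_RE = re.compile(TS + r'sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')
FTP_RE = re.compile(TS + r'vsftpd\[\d+\]: \[(?P<user>[^\]]+)\] (?P<result>FAIL|OK) LOGIN: Client "(?P<ip>[^"]+)"')

def parse(line):
    """Return (timestamp, service, ip, user, failed) or None for lines this example does not model."""
    for service, rx in (('ssh', SSH_RE), ('ftp', FTP_RE)):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S')
            return ts, service, m.group('ip'), m.group('user'), m.group('result') in ('Failed', 'FAIL')
    return None

def detect_bruteforce(lines, threshold=4, window=timedelta(seconds=60)):
    """Flag a source once it reaches `threshold` failures on one service inside `window`; report a later success from a flagged source separately."""
    recent = defaultdict(deque)   # (ip, service) -> timestamps of failures still inside the window
    users = defaultdict(set)      # (ip, service) -> usernames tried, to show spray vs. single-user guessing
    flagged, alerts = set(), []
    for parsed in filter(None, map(parse, lines)):
        ts, service, ip, user, failed = parsed
        key = (ip, service)
        if failed:
            q = recent[key]
            q.append(ts)
            users[key].add(user)
            while q and ts - q[0] > window:   # expire failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(('burst', ip, service, len(q), sorted(users[key])))
        elif key in flagged:                  # a success right after a burst is the one to escalate
            alerts.append(('success_after_burst', ip, service, user))
    return alerts
```

With the sample above, the SSH source trips the threshold on its fourth failure and the following accepted login is reported as a success after a burst; the two FTP failures stay below the threshold.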

4. Summary

1. Medusa is more stable than Hydra, but it cracks more slowly.

2. SSH attempts are slower than FTP attempts.

3. Medusa supports fewer options and service types than Hydra, probably because it has not been updated in a long time.

5. References

[1] thc-hydra-README

[2] Medusa Parallel Network Login Auditor