在渗透测试中,这里主要说的是linux系统,我们经常遇到任意文件下载或读取,以及命令执行等,但是命令执行有些时候并没有交互式的,我们想添加账号和密码就会很困难,所以这时我们就可以读取shadow文件,将内容保存到本地,然后使用john来进行破解,从而可使用系统中的账号进行远程连接控制!
下载地址:http://www.openwall.com/john/
基本使用语法:
|
1
|
john shadow
|
|
1
2
3
4
5
6
7
8
|
root@kali:~
# john /etc/shadow
Warning: detected
hash
type
"sha512crypt"
, but the string is also recognized as
"crypt"
Use the
"--format=crypt"
option to force loading these as that
type
instead
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128
/128
AVX 2x])
Remaining 2 password hashes with 2 different salts
Press
'q'
or Ctrl-C to abort, almost any other key
for
status
1q2w3e4r (eth10)
|
|
1
2
3
4
5
6
7
|
root@kali:~# cat /root/.john/john.pot
$
6
$
8
uR
2
a
64
J$y
2
Oc
5
C
6
QsTRtJ
1
tpfpJKDIAfXzSM
8
rJ
0
IizfM
32
Mn.ac.UBUGgtq
1
HT
2
kgvnx
4
LFGukbj/poLJzg
32
VjpTbJS.:root
$
6
$wovV.UXy$
0
EJJ
0
YuL
0
g
52
aHtLBgJFJ
0
/LhxR
5
maRQ
7
.Nw
5
ekAyQEjvISVP
6
msRShAVaWE
3
twlLy
4
oU
8
WQ
95
HchjJHez/EB
1:
123456
$
6
$xUWbL
8
ha$W
6
Clcf.vJjZZPt//xnvCmvhbmW.iEmu.XLGyKtoUdrAgTA
91
/pasBu
5
.TQ.cM
1
r
97
Qxg
8
NxrUun
5
CNasZOAAb
1:
123
$
6
$ITd
1
qoda$
0
bNvtCP
8
ntHxtfC
82
kYm.
67
ScLhXCKUgNpRWHX
1
oybjPrUJAr.wKFPD
17
zMJVs
036
xUfIuEjNpRKHmBPOE
4
T
40:
1
q
2
w
3
e
$
6
$aFZHXjfb$oJikWBNpKcPiN
90
Jwg/xTAmSZCREFNDgYraNow
90
A
2
IxboBfgGQl/tMSTinrpwCT
9
uSDohF/Nml
3
Dhpz
1
yTZj.:asdfgh
$
6
$hIpfeY
1
N$
5
GjR
9
IiK
3
aY
4
rCvlFNX
91
PWFC
6
dDyU
6
z
7
oDJme
0
maHUuvvIO/qVCuy
2
Sx.z
4
VChtIspGnnq
3
PlxT/
8
ELoSDKM.:
1
q
2
w
3
e
4
|
|
1
2
3
4
5
6
7
8
9
10
11
12
|
F:\eth10-CTF-Toolkits\CTF工具包\暴力破解\john179\run>john.exe F:\ctf\shadow
1 [main] john 9540 find_fast_cwd: WARNING: Couldn't compute FAST_CWD pointer. Please report this problem to
the public mailing list cygwin@cygwin.com
cygwin warning:
MS-DOS style path detected: F:\ctf\shadow
Preferred POSIX equivalent is:
/cygdrive/f/ctf/shadow
CYGWIN environment variable option
"nodosfilewarning"
turns off this warning.
Consult the user's guide
for
more
details about POSIX paths:
http:
//cygwin
.com
/cygwin-ug-net/using
.html
#using-pathnames
Loaded 8 password hashes with 8 different salts (FreeBSD MD5 [32
/32
])
2_FTP (2_FTP)
1_FTP (1_FTP)
|
在windows下可在工具的run目录下查看john.pot
本文转自 eth10 51CTO博客,原文链接:http://blog.51cto.com/eth10/1957544
