Introduction

Account: root, password: linuxrz
ssh root@IP
1. How many IPs are brute-forcing the host's SSH root account? If there are several, separate them with ","
2. Which IP logged in successfully through the SSH brute force? If there are several, separate them with ","
3. What username dictionary was used for the brute force? If there are several, separate them with ","
4. How many brute-force attempts did the IP that logged in successfully make in total?
5. After logging in, the attacker created a backdoor user. What is the username?

1. How many IPs are brute-forcing the host's SSH root account? If there are several, separate them with ","

Look at /var/log/auth.log.1

root@ip-10-0-10-3:/var/log# cat auth.log.1

Aug  1 07:40:47 linux-rz sshd[7461]: Invalid user test1 from 192.168.200.35 port 33874
Aug  1 07:40:48 linux-rz sshd[7461]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:40:48 linux-rz sshd[7461]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.35 
Aug  1 07:40:50 linux-rz sshd[7461]: Failed password for invalid user test1 from 192.168.200.35 port 33874 ssh2
Aug  1 07:40:52 linux-rz sshd[7461]: Connection closed by invalid user test1 192.168.200.35 port 33874 [preauth]
Aug  1 07:40:58 linux-rz sshd[7465]: Invalid user test2 from 192.168.200.35 port 51640
Aug  1 07:41:01 linux-rz sshd[7465]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:41:01 linux-rz sshd[7465]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.35 
Aug  1 07:41:04 linux-rz sshd[7465]: Failed password for invalid user test2 from 192.168.200.35 port 51640 ssh2
Aug  1 07:41:07 linux-rz sshd[7465]: Connection closed by invalid user test2 192.168.200.35 port 51640 [preauth]
Aug  1 07:41:09 linux-rz sshd[7468]: Invalid user test3 from 192.168.200.35 port 48168
Aug  1 07:41:11 linux-rz sshd[7468]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:41:11 linux-rz sshd[7468]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.35 
Aug  1 07:41:13 linux-rz sshd[7468]: Failed password for invalid user test3 from 192.168.200.35 port 48168 ssh2
Aug  1 07:41:19 linux-rz sshd[7468]: Connection closed by invalid user test3 192.168.200.35 port 48168 [preauth]
Aug  1 07:42:30 linux-rz sshd[7471]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.32  user=root
Aug  1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug  1 07:42:33 linux-rz sshd[7471]: Connection closed by authenticating user root 192.168.200.32 port 51888 [preauth]
Aug  1 07:42:49 linux-rz sshd[7288]: Received disconnect from 192.168.200.2 port 54682:11: disconnected by user
Aug  1 07:42:49 linux-rz sshd[7288]: Disconnected from user root 192.168.200.2 port 54682
Aug  1 07:42:49 linux-rz sshd[7288]: pam_unix(sshd:session): session closed for user root
Aug  1 07:42:49 linux-rz systemd-logind[440]: Session 6 logged out. Waiting for processes to exit.
Aug  1 07:42:49 linux-rz systemd-logind[440]: Removed session 6.
Aug  1 07:46:39 linux-rz sshd[7475]: Invalid user user from 192.168.200.2 port 36149
Aug  1 07:46:39 linux-rz sshd[7475]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:46:39 linux-rz sshd[7475]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:46:41 linux-rz sshd[7475]: Failed password for invalid user user from 192.168.200.2 port 36149 ssh2
Aug  1 07:46:45 linux-rz sshd[7475]: Connection closed by invalid user user 192.168.200.2 port 36149 [preauth]
Aug  1 07:46:45 linux-rz sshd[7478]: Invalid user user from 192.168.200.2 port 44425
Aug  1 07:46:45 linux-rz sshd[7478]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:46:45 linux-rz sshd[7478]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:46:47 linux-rz sshd[7478]: Failed password for invalid user user from 192.168.200.2 port 44425 ssh2
Aug  1 07:46:48 linux-rz sshd[7478]: Connection closed by invalid user user 192.168.200.2 port 44425 [preauth]
Aug  1 07:46:48 linux-rz sshd[7480]: Invalid user user from 192.168.200.2 port 38791
Aug  1 07:46:48 linux-rz sshd[7480]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:46:48 linux-rz sshd[7480]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:46:50 linux-rz sshd[7480]: Failed password for invalid user user from 192.168.200.2 port 38791 ssh2
Aug  1 07:46:52 linux-rz sshd[7480]: Connection closed by invalid user user 192.168.200.2 port 38791 [preauth]
Aug  1 07:46:52 linux-rz sshd[7482]: Invalid user user from 192.168.200.2 port 37489
Aug  1 07:46:52 linux-rz sshd[7482]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:46:52 linux-rz sshd[7482]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:46:54 linux-rz sshd[7482]: Failed password for invalid user user from 192.168.200.2 port 37489 ssh2
Aug  1 07:46:54 linux-rz sshd[7482]: Connection closed by invalid user user 192.168.200.2 port 37489 [preauth]
Aug  1 07:46:54 linux-rz sshd[7484]: Invalid user user from 192.168.200.2 port 35575
Aug  1 07:46:54 linux-rz sshd[7484]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:46:54 linux-rz sshd[7484]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:46:56 linux-rz sshd[7484]: Failed password for invalid user user from 192.168.200.2 port 35575 ssh2
Aug  1 07:46:57 linux-rz sshd[7484]: Connection closed by invalid user user 192.168.200.2 port 35575 [preauth]
Aug  1 07:46:57 linux-rz sshd[7486]: Invalid user hello from 192.168.200.2 port 35833
Aug  1 07:46:57 linux-rz sshd[7486]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:46:57 linux-rz sshd[7486]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:46:59 linux-rz sshd[7486]: Failed password for invalid user hello from 192.168.200.2 port 35833 ssh2
Aug  1 07:46:59 linux-rz sshd[7486]: Connection closed by invalid user hello 192.168.200.2 port 35833 [preauth]
Aug  1 07:47:00 linux-rz sshd[7489]: Invalid user hello from 192.168.200.2 port 37653
Aug  1 07:47:00 linux-rz sshd[7489]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:00 linux-rz sshd[7489]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:02 linux-rz sshd[7489]: Failed password for invalid user hello from 192.168.200.2 port 37653 ssh2
Aug  1 07:47:02 linux-rz sshd[7489]: Connection closed by invalid user hello 192.168.200.2 port 37653 [preauth]
Aug  1 07:47:02 linux-rz sshd[7491]: Invalid user hello from 192.168.200.2 port 37917
Aug  1 07:47:02 linux-rz sshd[7491]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:02 linux-rz sshd[7491]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:04 linux-rz sshd[7491]: Failed password for invalid user hello from 192.168.200.2 port 37917 ssh2
Aug  1 07:47:05 linux-rz sshd[7491]: Connection closed by invalid user hello 192.168.200.2 port 37917 [preauth]
Aug  1 07:47:05 linux-rz sshd[7493]: Invalid user hello from 192.168.200.2 port 41957
Aug  1 07:47:05 linux-rz sshd[7493]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:05 linux-rz sshd[7493]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:08 linux-rz sshd[7493]: Failed password for invalid user hello from 192.168.200.2 port 41957 ssh2
Aug  1 07:47:08 linux-rz sshd[7493]: Connection closed by invalid user hello 192.168.200.2 port 41957 [preauth]
Aug  1 07:47:08 linux-rz sshd[7495]: Invalid user hello from 192.168.200.2 port 39685
Aug  1 07:47:08 linux-rz sshd[7495]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:08 linux-rz sshd[7495]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:10 linux-rz sshd[7495]: Failed password for invalid user hello from 192.168.200.2 port 39685 ssh2
Aug  1 07:47:11 linux-rz sshd[7495]: Connection closed by invalid user hello 192.168.200.2 port 39685 [preauth]
Aug  1 07:47:11 linux-rz sshd[7497]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2  user=root
Aug  1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug  1 07:47:15 linux-rz sshd[7497]: Connection closed by authenticating user root 192.168.200.2 port 34703 [preauth]
Aug  1 07:47:16 linux-rz sshd[7499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2  user=root
Aug  1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug  1 07:47:18 linux-rz sshd[7499]: Connection closed by authenticating user root 192.168.200.2 port 46671 [preauth]
Aug  1 07:47:18 linux-rz sshd[7501]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2  user=root
Aug  1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2
Aug  1 07:47:20 linux-rz sshd[7501]: Connection closed by authenticating user root 192.168.200.2 port 39967 [preauth]
Aug  1 07:47:20 linux-rz sshd[7503]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2  user=root
Aug  1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2
Aug  1 07:47:23 linux-rz sshd[7503]: Connection closed by authenticating user root 192.168.200.2 port 46647 [preauth]
Aug  1 07:47:23 linux-rz sshd[7505]: Accepted password for root from 192.168.200.2 port 46563 ssh2
Aug  1 07:47:23 linux-rz sshd[7505]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug  1 07:47:23 linux-rz systemd-logind[440]: New session 7 of user root.
Aug  1 07:47:23 linux-rz sshd[7525]: Invalid user  from 192.168.200.2 port 37013
Aug  1 07:47:23 linux-rz sshd[7525]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:23 linux-rz sshd[7525]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:26 linux-rz sshd[7525]: Failed password for invalid user  from 192.168.200.2 port 37013 ssh2
Aug  1 07:47:28 linux-rz sshd[7525]: Connection closed by invalid user  192.168.200.2 port 37013 [preauth]
Aug  1 07:47:28 linux-rz sshd[7528]: Invalid user  from 192.168.200.2 port 37545
Aug  1 07:47:28 linux-rz sshd[7528]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:28 linux-rz sshd[7528]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:30 linux-rz sshd[7528]: Failed password for invalid user  from 192.168.200.2 port 37545 ssh2
Aug  1 07:47:30 linux-rz sshd[7528]: Connection closed by invalid user  192.168.200.2 port 37545 [preauth]
Aug  1 07:47:30 linux-rz sshd[7530]: Invalid user  from 192.168.200.2 port 39111
Aug  1 07:47:30 linux-rz sshd[7530]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:30 linux-rz sshd[7530]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:32 linux-rz sshd[7530]: Failed password for invalid user  from 192.168.200.2 port 39111 ssh2
Aug  1 07:47:32 linux-rz sshd[7530]: Connection closed by invalid user  192.168.200.2 port 39111 [preauth]
Aug  1 07:47:33 linux-rz sshd[7532]: Invalid user  from 192.168.200.2 port 35173
Aug  1 07:47:33 linux-rz sshd[7532]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:33 linux-rz sshd[7532]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:35 linux-rz sshd[7532]: Failed password for invalid user  from 192.168.200.2 port 35173 ssh2
Aug  1 07:47:37 linux-rz sshd[7532]: Connection closed by invalid user  192.168.200.2 port 35173 [preauth]
Aug  1 07:47:37 linux-rz sshd[7534]: Invalid user  from 192.168.200.2 port 45807
Aug  1 07:47:37 linux-rz sshd[7534]: pam_unix(sshd:auth): check pass; user unknown
Aug  1 07:47:37 linux-rz sshd[7534]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.2 
Aug  1 07:47:39 linux-rz sshd[7534]: Failed password for invalid user  from 192.168.200.2 port 45807 ssh2
Aug  1 07:47:41 linux-rz sshd[7534]: Connection closed by invalid user  192.168.200.2 port 45807 [preauth]
Aug  1 07:50:29 linux-rz sshd[7505]: pam_unix(sshd:session): session closed for user root
Aug  1 07:50:29 linux-rz systemd-logind[440]: Session 7 logged out. Waiting for processes to exit.
Aug  1 07:50:29 linux-rz systemd-logind[440]: Removed session 7.
Aug  1 07:50:37 linux-rz sshd[7539]: Accepted password for root from 192.168.200.2 port 48070 ssh2
Aug  1 07:50:37 linux-rz sshd[7539]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug  1 07:50:37 linux-rz systemd-logind[440]: New session 8 of user root.
Aug  1 07:50:45 linux-rz useradd[7551]: new group: name=test2, GID=1000
Aug  1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
Aug  1 07:50:52 linux-rz passwd[7563]: pam_unix(passwd:chauthtok): password changed for test2
Aug  1 07:50:56 linux-rz sshd[7539]: Received disconnect from 192.168.200.2 port 48070:11: disconnected by user
Aug  1 07:50:56 linux-rz sshd[7539]: Disconnected from user root 192.168.200.2 port 48070
Aug  1 07:50:56 linux-rz sshd[7539]: pam_unix(sshd:session): session closed for user root
Aug  1 07:50:56 linux-rz systemd-logind[440]: Session 8 logged out. Waiting for processes to exit.
Aug  1 07:50:56 linux-rz systemd-logind[440]: Removed session 8.
Aug  1 07:52:57 linux-rz sshd[7606]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.31  user=root
Aug  1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2
Aug  1 07:53:01 linux-rz sshd[7606]: Connection closed by authenticating user root 192.168.200.31 port 40364 [preauth]
Aug  1 08:01:26 linux-rz sshd[748]: Received disconnect from 192.168.200.2 port 50378:11: disconnected by user
Aug  1 08:01:26 linux-rz sshd[748]: Disconnected from user root 192.168.200.2 port 50378
Aug  1 08:01:26 linux-rz sshd[748]: pam_unix(sshd:session): session closed for user root
Aug  1 08:01:26 linux-rz systemd-logind[440]: Session 3 logged out. Waiting for processes to exit.
Aug  1 08:01:26 linux-rz systemd-logind[440]: Removed session 3.
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: new group: name=debian, GID=1001
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: new user: name=debian, UID=1001, GID=1001, home=/home/debian, shell=/bin/bash
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'adm'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'dialout'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'cdrom'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'floppy'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'sudo'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'audio'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'dip'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'video'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'plugdev'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to group 'netdev'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'adm'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'dialout'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'cdrom'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'floppy'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'sudo'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'audio'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'dip'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'video'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'plugdev'
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: add 'debian' to shadow group 'netdev'
Aug  1 08:18:27 ip-172-31-37-190 passwd[493]: password for 'debian' changed by 'root'
Aug  1 08:18:27 ip-172-31-37-190 sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/touch /var/log/aws114_ssm_agent_installation.log
Aug  1 08:18:27 ip-172-31-37-190 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug  1 08:18:27 ip-172-31-37-190 sudo: pam_unix(sudo:session): session closed for user root
Aug  1 08:18:27 ip-172-31-37-190 sshd[544]: Server listening on 0.0.0.0 port 22.
Aug  1 08:18:27 ip-172-31-37-190 systemd-logind[503]: Watching system buttons on /dev/input/event1 (Power Button)
Aug  1 08:18:27 ip-172-31-37-190 sshd[544]: Server listening on :: port 22.
Aug  1 08:18:27 ip-172-31-37-190 systemd-logind[503]: Watching system buttons on /dev/input/event2 (Sleep Button)
Aug  1 08:18:27 ip-172-31-37-190 systemd-logind[503]: Watching system buttons on /dev/input/event0 (AT Translated Set 2 keyboard)
Aug  1 08:18:27 ip-172-31-37-190 systemd-logind[503]: New seat seat0.
Jun  6 09:38:28 ip-10-0-10-3 passwd[416]: password for 'debian' changed by 'root'
Jun  6 09:38:29 ip-10-0-10-3 systemd-logind[428]: Watching system buttons on /dev/input/event1 (Power Button)
Jun  6 09:38:29 ip-10-0-10-3 systemd-logind[428]: Watching system buttons on /dev/input/event2 (Sleep Button)
Jun  6 09:38:29 ip-10-0-10-3 systemd-logind[428]: Watching system buttons on /dev/input/event0 (AT Translated Set 2 keyboard)
Jun  6 09:38:29 ip-10-0-10-3 systemd-logind[428]: New seat seat0.
Jun  6 09:38:29 ip-10-0-10-3 sshd[466]: Server listening on 0.0.0.0 port 22.
Jun  6 09:38:29 ip-10-0-10-3 sshd[466]: Server listening on :: port 22.

Filter for failed password attempts against the root account

root@ip-10-0-10-3:/var/log# cat auth.log.1 | grep "Failed password for root" -a
Aug  1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug  1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug  1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug  1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2
Aug  1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2
Aug  1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2

The IP is in field 11

root@ip-10-0-10-3:/var/log# cat auth.log.1 | grep "Failed password for root" -a | awk '{print $11}'
192.168.200.32
192.168.200.2
192.168.200.2
192.168.200.2
192.168.200.2
192.168.200.31

flag1: flag{192.168.200.2,192.168.200.31,192.168.200.32}

2. Which IP logged in successfully through the SSH brute force? If there are several, separate them with ","

So look for lines containing the string "Accepted password for root"

root@ip-10-0-10-3:/var/log# cat auth.log.1 | grep "Accepted password for root" -a | awk '{print $11}'
192.168.200.2
192.168.200.2

flag2: flag{192.168.200.2}

3. What username dictionary was used for the brute force? If there are several, separate them with ","

root@ip-10-0-10-3:/var/log# cat auth.log.1 | grep "Failed password" -a 
Aug  1 07:40:50 linux-rz sshd[7461]: Failed password for invalid user test1 from 192.168.200.35 port 33874 ssh2
Aug  1 07:41:04 linux-rz sshd[7465]: Failed password for invalid user test2 from 192.168.200.35 port 51640 ssh2
Aug  1 07:41:13 linux-rz sshd[7468]: Failed password for invalid user test3 from 192.168.200.35 port 48168 ssh2
Aug  1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug  1 07:46:41 linux-rz sshd[7475]: Failed password for invalid user user from 192.168.200.2 port 36149 ssh2
Aug  1 07:46:47 linux-rz sshd[7478]: Failed password for invalid user user from 192.168.200.2 port 44425 ssh2
Aug  1 07:46:50 linux-rz sshd[7480]: Failed password for invalid user user from 192.168.200.2 port 38791 ssh2
Aug  1 07:46:54 linux-rz sshd[7482]: Failed password for invalid user user from 192.168.200.2 port 37489 ssh2
Aug  1 07:46:56 linux-rz sshd[7484]: Failed password for invalid user user from 192.168.200.2 port 35575 ssh2
Aug  1 07:46:59 linux-rz sshd[7486]: Failed password for invalid user hello from 192.168.200.2 port 35833 ssh2
Aug  1 07:47:02 linux-rz sshd[7489]: Failed password for invalid user hello from 192.168.200.2 port 37653 ssh2
Aug  1 07:47:04 linux-rz sshd[7491]: Failed password for invalid user hello from 192.168.200.2 port 37917 ssh2
Aug  1 07:47:08 linux-rz sshd[7493]: Failed password for invalid user hello from 192.168.200.2 port 41957 ssh2
Aug  1 07:47:10 linux-rz sshd[7495]: Failed password for invalid user hello from 192.168.200.2 port 39685 ssh2
Aug  1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug  1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug  1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2
Aug  1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2
Aug  1 07:47:26 linux-rz sshd[7525]: Failed password for invalid user  from 192.168.200.2 port 37013 ssh2
Aug  1 07:47:30 linux-rz sshd[7528]: Failed password for invalid user  from 192.168.200.2 port 37545 ssh2
Aug  1 07:47:32 linux-rz sshd[7530]: Failed password for invalid user  from 192.168.200.2 port 39111 ssh2
Aug  1 07:47:35 linux-rz sshd[7532]: Failed password for invalid user  from 192.168.200.2 port 35173 ssh2
Aug  1 07:47:39 linux-rz sshd[7534]: Failed password for invalid user  from 192.168.200.2 port 45807 ssh2
Aug  1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2

Since I don't know shell scripting, I looked at someone else's syntax

root@ip-10-0-10-3:/var/log# cat /var/log/auth.log.1 | grep -a "Failed password" | perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}'| uniq -c | sort -nr
      5  invalid user user
      5  invalid user hello
      5  invalid user 
      4  root
      1  root
      1  root
      1  invalid user test3
      1  invalid user test2
      1  invalid user test1

$_ is Perl's default input variable and <> is the input operator; the regex matches non-greedily between "for" and "from", and on a match prints the contents of the first capture group (.*?), i.e. the username, followed by a newline.
flag3: flag{user,hello,root,test3,test2,test1}

4. How many brute-force attempts did the IP that logged in successfully make in total?

From question 2 the IP that logged in successfully is 192.168.200.2; count its attempts with wc

root@ip-10-0-10-3:/var/log# cat auth.log.1 | grep -a "192.168.200.2" | grep "Failed password for root" | wc -l
4

Or with uniq -c

root@ip-10-0-10-3:/var/log# cat auth.log.1 | grep -a "192.168.200.2" | grep "Failed password for root" |awk '{print $11}'| sort | uniq -c
      4 192.168.200.2

flag4: flag{4}

5. After logging in, the attacker created a backdoor user. What is the username?

Filter for "new user"

root@ip-10-0-10-3:/var/log# cat auth.log.1 | grep -a "new user"
Aug  1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
Aug  1 08:18:27 ip-172-31-37-190 useradd[487]: new user: name=debian, UID=1001, GID=1001, home=/home/debian, shell=/bin/bash

The new user is test2
flag5: flag{test2}
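As an added example (not part of the original writeup), the same five questions answered with a small Python parser over a constructed sample abridged from the auth.log.1 extract above. Unlike a bare `grep "192.168.200.2"`, the IP comparison is made on the parsed field, so 192.168.200.2 cannot accidentally match a 192.168.200.2x address, and the empty username that shows up in the `uniq -c` output is handled explicitly.

```python
import re
from ipaddress import ip_address

# Constructed sample: a handful of lines copied from the auth.log.1 extract above.
SAMPLE_LOG = """\
Aug  1 07:40:50 linux-rz sshd[7461]: Failed password for invalid user test1 from 192.168.200.35 port 33874 ssh2
Aug  1 07:42:32 linux-rz sshd[7471]: Failed password for root from 192.168.200.32 port 51888 ssh2
Aug  1 07:46:41 linux-rz sshd[7475]: Failed password for invalid user user from 192.168.200.2 port 36149 ssh2
Aug  1 07:46:59 linux-rz sshd[7486]: Failed password for invalid user hello from 192.168.200.2 port 35833 ssh2
Aug  1 07:47:13 linux-rz sshd[7497]: Failed password for root from 192.168.200.2 port 34703 ssh2
Aug  1 07:47:18 linux-rz sshd[7499]: Failed password for root from 192.168.200.2 port 46671 ssh2
Aug  1 07:47:20 linux-rz sshd[7501]: Failed password for root from 192.168.200.2 port 39967 ssh2
Aug  1 07:47:22 linux-rz sshd[7503]: Failed password for root from 192.168.200.2 port 46647 ssh2
Aug  1 07:47:23 linux-rz sshd[7505]: Accepted password for root from 192.168.200.2 port 46563 ssh2
Aug  1 07:47:26 linux-rz sshd[7525]: Failed password for invalid user  from 192.168.200.2 port 37013 ssh2
Aug  1 07:50:45 linux-rz useradd[7551]: new user: name=test2, UID=1000, GID=1000, home=/home/test2, shell=/bin/sh
Aug  1 07:52:59 linux-rz sshd[7606]: Failed password for root from 192.168.200.31 port 40364 ssh2
"""

# sshd password events; "invalid user " is optional and the username may be empty.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>.*?) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+)")

def parse(log):
    """Turn raw auth.log text into a list of auth / useradd event dicts."""
    events = []
    for line in log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append({"kind": "auth", "result": m["result"],
                           "user": m["user"], "ip": m["ip"]})
            continue
        m = USERADD_RE.search(line)
        if m:
            events.append({"kind": "useradd", "user": m["name"]})
    return events

def _failed(events):
    return [e for e in events if e["kind"] == "auth" and e["result"] == "Failed"]

def root_bruteforce_ips(events):
    """Q1: distinct sources of failed root logins, in numeric IP order."""
    return sorted({e["ip"] for e in _failed(events) if e["user"] == "root"}, key=ip_address)

def successful_login_ips(events):
    """Q2: distinct sources of accepted password logins."""
    return sorted({e["ip"] for e in events
                   if e["kind"] == "auth" and e["result"] == "Accepted"}, key=ip_address)

def username_dictionary(events):
    """Q3: usernames tried, in first-seen order; the empty username is dropped."""
    return list(dict.fromkeys(e["user"] for e in _failed(events) if e["user"]))

def failed_attempts_from(events, ip, user=None):
    """Q4: failed attempts from one exact IP (no substring match), optionally for one user."""
    return sum(1 for e in _failed(events)
               if e["ip"] == ip and (user is None or e["user"] == user))

def new_users(events):
    """Q5: accounts created by useradd."""
    return [e["user"] for e in events if e["kind"] == "useradd"]

EVENTS = parse(SAMPLE_LOG)

if __name__ == "__main__":
    print(root_bruteforce_ips(EVENTS), successful_login_ips(EVENTS), new_users(EVENTS))
```

Counting on parsed events also avoids the split root totals (4, 1, 1) that `uniq -c` produces above when its input is not sorted first, since uniq only merges adjacent duplicates.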