TCP端口复用
# -*- coding: utf-8 -*-
import socket
import sys
import os
import re
from threading import Thread
class Hack(object):
    """Pass-through traffic rewriter; the default ``hack`` for every route.

    Subclasses override ``request`` (client -> backend bytes) and/or
    ``response`` (backend -> client bytes).  This base class hands the
    data back untouched.
    """

    def __init__(self, src_addr=None, dst_addr=None):
        # src_addr: the client's (host, port); dst_addr: the backend's (host, port).
        self.src_addr = src_addr
        self.dst_addr = dst_addr

    def request(self, data):
        """Return the client -> backend chunk unchanged."""
        return data

    def response(self, data):
        """Return the backend -> client chunk unchanged."""
        return data
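class HttpHack(Hack):
    """Rewrite the HTTP ``Host`` header so the backend sees its own address."""

    # One header line: "Host:" up to and including the terminating CRLF.
    _HOST_RE = re.compile(b'Host:.*?\r\n')

    def request(self, data):
        """Replace every ``Host:`` header line with ``Host: <dst host>:<dst port>``.

        Operates on the raw bytes.  The original decoded the whole chunk as
        UTF-8 and re-encoded it, which raised UnicodeDecodeError on any
        non-UTF-8 request body and killed the tunnel thread; for valid UTF-8
        input the result is identical.
        """
        host_line = ('Host: %s:%s\r\n' % self.dst_addr).encode()
        # A callable replacement avoids backslash-template processing of host_line.
        return self._HOST_RE.sub(lambda _m: host_line, data)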
# First-packet fingerprints, tried in order against the first chunk a client
# sends (case-insensitive regex search).  The final entry is a catch-all, so
# traffic that matches nothing above it is still forwarded -- to port 51.
ROUTES = [
    # Plain HTTP request line; HttpHack rewrites the Host header on the way in.
    dict(name='HTTP', addr=('127.0.0.1', 80), route=b'^(GET|POST)', hack=HttpHack),
    # Java RMI stream protocol magic "JRMI".
    dict(name='JRMP', addr=('127.0.0.1', 8009), route=b'^JRMI', hack=Hack),
    # SSH identification string.
    dict(name='SSH', addr=('127.0.0.1', 22), route=b'^SSH', hack=Hack),
    # Looks like a TPKT header (version 3, reserved 0) as used by RDP.
    dict(name='RDP', addr=('127.0.0.1', 3389), route=b'^\x03\x00\x00', hack=Hack),
    # Length 8 followed by 0x04: the prefix of a PostgreSQL SSLRequest packet.
    dict(name='PostgreSQL', addr=('127.0.0.1', 5432), route=b'^\x00\x00\x00\x08\x04', hack=Hack),
    # Oracle TNS connect packet (2-byte length, 2-byte checksum, type 0x01).
    # Alternative text-based signature kept from the original:
    # b'\(DESCRIPTION=\(CONNECT_DATA=\(SERVICE_NAME='
    dict(name='Oracle', addr=('127.0.0.1', 1521), route=b'^\x00(\xec|\xf1)\x00\x00\x01\x00\x00\x00\x019\x01', hack=Hack),
    # TDS pre-login packet (type 0x12, status 0x01).
    dict(name='MSSQL', addr=('127.0.0.1', 1433), route=b'^\x12\x01\x00', hack=Hack),
    # Catch-all for anything unmatched above.
    dict(name='NC', addr=('127.0.0.1', 51), route=b'.*', hack=Hack),
]
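class TcpTunnel(Thread):
    """Relay one accepted client connection to the backend chosen by ROUTES.

    The first chunk received from the client is matched, in order, against
    each ROUTES entry's ``route`` regex; the first hit decides the backend
    address and the Hack subclass that rewrites traffic.  ``run`` copies
    client -> backend, and a second thread running ``s`` copies
    backend -> client.
    """

    # Maps a routed client socket to its backend socket.  Entries are removed
    # when the tunnel ends so the map does not grow with every connection
    # (the original never deleted them).
    SOCKS = {}

    def __init__(self, srcsock, srcaddr):
        Thread.__init__(self)
        self.srcsock = srcsock
        self.srcaddr = srcaddr
        # Reuse the backend socket if this client socket was already routed;
        # otherwise create one that is connected once a route is chosen.
        if srcsock in self.SOCKS:
            self.dstsock = self.SOCKS[srcsock]
        else:
            self.dstsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.iskeep = True
        # Set by _connect_route(); stays None if the connection ends before
        # any route is selected (the original then hit an unbound ``value``).
        self.route = None
        # Pass-through rewriter until a route supplies its own Hack subclass.
        self.hack = Hack(srcaddr, None)

    def s(self, dstsock, srcsock):
        """Copy backend -> client until either side fails or closes.

        Runs in its own thread.  An empty recv (backend closed) or a socket
        error on either side ends the loop; the client socket is closed on
        the way out, which also makes run()'s recv fail and stop.
        """
        while self.iskeep:
            try:
                buff = dstsock.recv(10240)
            except OSError:
                break
            buff = self.hack.response(buff)
            try:
                srcsock.sendall(buff)
            except OSError:
                # Client went away; the original let this exception kill the thread.
                break
            if not buff:
                self.iskeep = False
                break
        srcsock.close()

    def _connect_route(self, buff):
        """Pick the ROUTES entry matching ``buff`` and connect the backend.

        Returns True when the backend is connected and the response thread
        is running, False when nothing matched or the connect failed, so the
        caller can tear the tunnel down instead of raising in the thread.
        """
        matched = None
        for value in ROUTES:
            if re.search(value['route'], buff, re.IGNORECASE):
                matched = value
                break
        if matched is None:
            print('[-]No route for %s' % str(self.srcaddr))
            return False
        print('[+]Connect %s%s <--> %s' % (matched['name'], str(matched['addr']), str(self.srcaddr)))
        try:
            self.dstsock.connect(matched['addr'])
        except OSError as exc:
            # Backend down or refusing: report it instead of an unhandled traceback.
            print('[-]Connect %s%s failed: %s' % (matched['name'], str(matched['addr']), exc))
            return False
        self.route = matched
        self.hack = matched['hack'](self.srcaddr, matched['addr'])
        self.SOCKS[self.srcsock] = self.dstsock
        Thread(target=self.s, args=(self.dstsock, self.srcsock)).start()
        return True

    def run(self):
        """Copy client -> backend; the first chunk selects the route."""
        while self.iskeep:
            try:
                buff = self.srcsock.recv(10240)
            except OSError:
                break
            if not buff:
                self.iskeep = False
                break
            if self.srcsock not in self.SOCKS and not self._connect_route(buff):
                break
            buff = self.hack.request(buff)
            try:
                self.dstsock.sendall(buff)
            except OSError:
                break
        self.dstsock.close()
        self.SOCKS.pop(self.srcsock, None)
        if self.route is None:
            # Never routed, so no response thread exists to close the client side.
            self.srcsock.close()
        else:
            print('[+]DisConnect %s%s <--> %s' % (self.route['name'], str(self.route['addr']), str(self.srcaddr)))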
class SockProxy(object):
    """Accept loop: bind once, then hand each client to its own TcpTunnel thread.

    The default host '0.0.0.0' binds every interface, so the backends listed
    in ROUTES become reachable from wherever this single port is reachable.
    """

    def __init__(self, host='0.0.0.0', port=1111, listen=100):
        self.host = host
        self.port = port
        # Backlog handed to listen() in start().
        self.listen = listen
        self.socks = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Allow a quick restart while old connections sit in TIME_WAIT.
        self.socks.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.socks.bind((self.host, self.port))

    def start(self):
        """Listen and accept forever; every connection gets a TcpTunnel thread."""
        self.socks.listen(self.listen)
        print('Start Proxy Listen - %s:%s' % (self.host, self.port))
        while True:
            client, peer = self.socks.accept()
            TcpTunnel(client, peer).start()
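if __name__ == '__main__':
    # Optional first argument is the listening port; fall back to 1111 when it
    # is absent or not an integer.  The original used a bare ``except`` here
    # (and carried a stray non-code token after ``try:`` that broke parsing).
    try:
        port = int(sys.argv[1])
    except (IndexError, ValueError):
        port = 1111
    try:
        # Binds every interface, as the original did.
        c = SockProxy('0.0.0.0', port)
        c.start()
    except KeyboardInterrupt:
        sys.exit()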
SMB扫描
from impacket import smb
def smb_login(ip, port, user, pwd):
    """Attempt one SMB session login against ``ip`` and print the outcome.

    Python 2 code (print statement).  ``port`` is accepted but never used:
    smb.SMB is constructed with the host only.
    """
    try:
        client = smb.SMB('*SMBSERVER', ip)
        client.login(user, pwd)
        # NOTE(review): this builds a tuple and never prints it, so a successful
        # login produces no output, unlike the sibling *_login helpers.
        flag = '[+] IPC$ weak password: ' + user, pwd
    except:
        # Bare except: network errors, auth failures and typos all print the same line.
        print '[-] checking for ' + user, pwd + ' fail'
FTP扫描
import ftplib
def ftp_anonymous(ip, port):
    """Check whether the FTP server at ``ip:port`` accepts an anonymous login.

    Python 2 code (print statement).  A 2-second connect timeout is used;
    the login uses ftplib's defaults (anonymous user).
    """
    try:
        ftp = ftplib.FTP()
        ftp.connect(ip, port, 2)
        ftp.login()
        ftp.quit()
        print '[+] FTP login for anonymous'
    except:
        # Bare except: a timeout and a rejected login are reported identically.
        print '[-] checking for FTP anonymous fail'
def ftp_login(ip, port, user, pwd):
    """Attempt one FTP login with ``user``/``pwd`` and print the outcome.

    Python 2 code (print statement).  A 2-second connect timeout is used.
    """
    try:
        ftp = ftplib.FTP()
        ftp.connect(ip, port, 2)
        ftp.login(user, pwd)
        ftp.quit()
        print '[+] FTP weak password: ' + user, pwd
    except:
        # Bare except: a timeout and a rejected login are reported identically.
        print '[-] checking for ' + user, pwd + ' fail'
SSH扫描
import paramiko
def ssh_login(ip, port, user, pwd):
    """Attempt one SSH password login with ``user``/``pwd`` and print the outcome.

    Python 2 code (print statement).  Connect timeout is 5 seconds.
    """
    try:
        ssh = paramiko.SSHClient()
        # AutoAddPolicy accepts any server host key without verification, so
        # this client cannot detect a host impersonating the target.
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        ssh.connect(ip, port, user, pwd, timeout=5)
        print '[+] SSH weak password: ' + user, pwd
        ssh.close()
    except:
        # Bare except: a timeout and a rejected login are reported identically.
        print '[-] checking for ' + user, pwd + ' fail'
Telnet扫描
import telnetlib
def telnet(ip, port, user, pwd):
    """Drive a telnet login prompt with ``user``/``pwd`` and print the outcome.

    Python 2 code (print statement).  ``port`` is accepted but never used:
    Telnet() is opened with the host and a 5-second timeout only.

    NOTE(review): the ``try:`` below has no matching ``except``/``finally``
    clause, so this block is a SyntaxError as written.
    """
    try:
        tn = telnetlib.Telnet(ip, timeout=5)
        tn.set_debuglevel(0)
        tn.read_until("login: ")
        tn.write(user + '\r\n')
        tn.read_until("assword: ")
        tn.write(pwd + '\r\n')
        # Two short reads are concatenated and searched for a failure banner.
        result = tn.read_some()
        result = result + tn.read_some()
        if result.find('Login Fail') > 0 or result.find('incorrect') > 0:
            print "[-] Checking for " + user, pwd + " fail"
        else:
            print "[+] Success login for " + user, pwd
        tn.close()
MySQL扫描
import MySQLdb
def Mysql_login(ip, port, user, pwd):
    """Attempt one MySQL connection with ``user``/``pwd`` and print the outcome.

    Python 2 code (print statement).
    """
    try:
        db = MySQLdb.connect(host=ip, user=user, passwd=pwd, port=port)
        print '[+] Mysql weak password: ' + user, pwd
        db.close()
    except:
        # Bare except: connection errors and rejected logins are reported identically.
        print '[-] checking for ' + user, pwd + ' fail'
MSsql扫描
import pymssql
def mssql_login(ip, port, user, pwd):
    """Attempt one MSSQL connection with ``user``/``pwd`` and print the outcome.

    Python 2 code (print statement).
    """
    try:
        db = pymssql.connect(host=ip, user=user, password=pwd, port=port)
        print '[+] MSsql weak password: ' + user, pwd
        db.close()
    except:
        # Bare except: connection errors and rejected logins are reported identically.
        print '[-] checking for ' + user, pwd + ' fail'
MongoDB
from pymongo import MongoClient
def mongodb(ip, port=27017):
    """Check whether MongoDB at ``ip:port`` lets an unauthenticated client list collections.

    Python 2 code (print statement, ``except Exception, e``).  Only a success
    is printed; every error is swallowed silently.
    """
    try:
        client = MongoClient(ip, port)
        db = client.local
        # A non-empty collection list from the ``local`` database without
        # authenticating is taken as proof that auth is not enforced.
        flag = db.collection_names()
        if flag:
            print "[+] Mongodb login for anonymous"
    except Exception, e:
        # Silently swallowed: a connection failure is indistinguishable from "auth required".
        pass
def mongodb_login(ip, port, user, pwd):
    """Attempt one MongoDB ``admin`` authentication with ``user``/``pwd`` and print the outcome.

    Python 2 code (print statement).
    """
    try:
        client = MongoClient(ip, port)
        db_auth = client.admin
        flag = db_auth.authenticate(user, pwd)
        if flag == True:
            print '[+] Mongodb weak password: ' + user, pwd
    except:
        # Bare except: connection errors and rejected logins are reported identically.
        print '[-] checking for ' + user, pwd + ' fail'
phpmyadmin
import requests
def phpMyAdmin_login(ip, port, user, pwd):
    """POST ``user``/``pwd`` to phpMyAdmin's login form over plain HTTP and print the outcome.

    Python 2 code (print statement).  Success is inferred from the login form
    no longer appearing in the response body.

    NOTE(review): ``time`` is used below but not imported in this snippet, so
    the ``else`` branch raises NameError, which the bare ``except`` then reports
    as "Something Error".  The request is plain ``http://``, so the credentials
    travel in cleartext.
    """
    try:
        url = "http://" + ip + ":" + str(port) + "/phpmyadmin/index.php"
        data = {'pma_username': user, 'pma_password': pwd}
        response = requests.post(url, data=data, timeout=5)
        result = response.content
        if result.find('name="login_form"') == -1:
            print '[+] find phpMyAdmin weak password in:' + url
            print '[+] find phpMyAdmin weak password:' + user, pwd
        else:
            print '[-] Checking for ' + user, pwd + " fail"
            time.sleep(2)
    except:
        # Bare except: network errors and the NameError above land here.
        print '[-] Something Error' + user, pwd + " fail"
Tomcat
import requests
def tomcat_login(ip, port, user, pwd):
    """Request Tomcat's ``/manager/html`` with HTTP Basic credentials and print the outcome.

    Python 2 code (print statement, ``urllib2``).

    NOTE(review): ``base64`` and ``urllib2`` are used below but not imported in
    this snippet (``requests`` is imported and unused), so the body raises
    NameError and the bare ``except`` reports every attempt as a failed login.
    The request is plain ``http://``; Basic auth is only base64-encoded, so
    the credentials travel in cleartext.
    """
    try:
        url = "http://" + ip + ":" + str(port) + "/manager/html"
        user_agent = "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)"
        Authorization = "Basic %s" % (base64.b64encode(user + ':' + pwd))
        header = {'User-Agent': user_agent, 'Authorization': Authorization}
        request = urllib2.Request(url, headers=header)
        response = urllib2.urlopen(request, timeout=5)
        result = response.read()
        # urlopen raises on non-2xx in urllib2, so this check is only reached on success.
        if response.code == 200:
            print '[Success] ' + url + ' ' + user + ':' + pwd
    except:
        # Bare except; ``url`` is referenced here even though it is assigned inside the try.
        print '[Login failed]' + url + ' ' + user + ':' + pwd