测试NTP 时间服务器用的,ntp_ip_enum.py,源码如下:
#!/usr/bin/env python
"""
Basic script to pull addresses from a NTP server using the monlist command. Can also output Maltego resultset.
Gert Burger
SensePost (Pty) Ltd
www.sensepost.com
This work is licensed under the Creative Commons Attribution 2.5 South Africa License available at https://creativecommons.org/licenses/by/2.5/za/ www.2cto.com
Edited by SECUREPLA.NET
"""
from struct import unpack, pack
import socket
import select
import sys
import string
OUTPUT_FORMAT='normal' #'maltego' for maltego xml or any other string for normal output
DEBUG=False #Enables basic debug info
TIMEOUT=2 #Read timeout in seconds
TRIES=3 #Number of times to do the monlist request
filename="NTP.txt"
def int_ip_to_str(ip_num):
return socket.inet_ntoa(pack('!L', ip_num))
def str_ip_to_int(ip):
return unpack('!L',socket.inet_aton(ip))
def get_payload():
return """x17x00x02x2ax00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"""
def parse_monlist_packet(data):
result = dict(response=False, more=False, error=None, records=[])
if len(data) < 8:
result['error'] = 'NO_HEADER'
return result
ntp_flags, ntp_auth, ntp_vers, ntp_req_code, num_items, item_size = unpack('!BBBBHH', data[0:8])
data = data[8:]
result['response'] = ntp_flags & (1 << 7) > 0
result['more'] = ntp_flags & (1 << 6) > 0
if not result['response']: #Return if its a request
result['error'] = "REQUEST_PACKET"
elif ntp_req_code == 42: #Check if its a monlist packet
if DEBUG: print "item_size[%s] tnum_items[%s] tlen(data)[%s]" % (item_size, num_items, len(data))
if item_size != 32:
result['error'] = "WRONG_ITEM_SIZE"
elif num_items < 1:
result['error'] = "WRONG_ITEM_COUNT"
elif len(data) < num_items*item_size:
result['error'] = "SHORT_PACKET"
else:
for offset in range(0, num_items*item_size, item_size):
parts = unpack('!IIIIIIII', data[offset:offset+item_size])
ip = int_ip_to_str(parts[4])
port = parts[7]
result['records'].append((ip, port))
else:
result['error'] = "WRONG_REQUEST_CODE"
return result
def fetch(ntp_server, timeout=5):
def send_payload(sock, target):
data = get_payload()
bytes_sent = sock.sendto(data, (target, 123))
if bytes_sent != len(data) and DEBUG:
print "Failed to send payload"
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind(('0.0.0.0', 0))
send_payload(sock, ntp_server)
results = set()
count = 0
while True:
rlist, wlist, xlist = select.select([sock], [], [], TIMEOUT)
if sock in rlist:
data, addr = sock.recvfrom(1024)
ret = parse_monlist_packet(data)
if ret['error']:
if DEBUG: print "Error parsing packet[%s]" % ret['error']
else:
results.update([x[0] for x in ret['records']])
else:
count += 1
if count >= TRIES:
break
send_payload(sock, ntp_server)
return list(results)
def print_maltego(results):
from xml.dom.minidom import Document
doc = Document()
mm = doc.createElement('MaltegoMessage')
doc.appendChild(mm)
mtrm = doc.createElement('MaltegoTransformResponseMessage')
mm.appendChild(mtrm)
entities = doc.createElement('Entities')
mtrm.appendChild(entities)
for result in results:
entity = doc.createElement('Entity')
entity.setAttribute('Type', 'IPAddress')
value = doc.createElement('Value')
value_node = doc.createTextNode(result)
value.appendChild(value_node)
entity.appendChild(value)
entities.appendChild(entity)
output = doc.toxml()
print output[output.index(" so that maltego can function
if __name__ == '__main__':
if len(sys.argv) > 1:
targets = sys.argv[1:]
else:
print "Usage: %s target ntp serversnnThis script will return a unique set of IP's obtained from the list of ntp servers via the monlist command" % sys.argv[0]
sys.exit(-1)
results = set()
for target in targets:
results.update(fetch(target))
results = sorted(results, key=str_ip_to_int)
if str(OUTPUT_FORMAT).lower() == 'maltego':
print_maltego(results)
else:
delimiter = 'n'
print "Target host: %s" % targets
print "------------------------------- MonList ------------------------------"
print delimiter.join(results)
print "------------------------------- MonList ------------------------------"
print "Number of results %s" % len(results)
#FILE = open(filename,"a")
#FILE.writelines("-------------------------------NTP List------------------------------")
#FILE.writelines("n")
#FILE.writelines("Target host: ")
#FILE.writelines(targets)
#FILE.writelines("n")
#FILE.writelines("n".join(results))
#FILE.writelines("n")
#FILE.writelines("Number of results %s" % len(results))
#print "Completed. Check NTP.txt"
#spidermark sensepostdata ntp_monlist.py
摘自 :Nuclear'Atk 网络安全研究中心,本文地址:https://lcx.cc/?FoxNews=2307.html