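Weak-password scanning tool: SSH, PostgreSQL, Redis, MySQL, MongoDB, FTP, SQL Server (MSSQL), Dahua, and Hikvision; a collection of 9 weak-password checks

Weak-password tool

This tool is a modification of an existing tool on GitHub (link to the original tool). The original tool had only 3 weak-password scans; this version increases that to 9
and also changes how user names and passwords are used.

The tool can currently scan these 9 pieces of software / web interfaces for weak passwords: SSH, PostgreSQL, Redis, MySQL, MongoDB, FTP, SQL Server (MSSQL), Dahua, and Hikvision.

Language: Python 3

User name and password sets

username_dict is a dictionary of the user names for each category; add entries as needed.
passwords_list is a list of generic passwords, in which {user} is a placeholder that is replaced with the user name; add to or modify it as needed.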

username_dict = {
    "ftp":        ["ftp", "anonymous"],
    # "ftp":        ["ftp", "admin", "www", "web", "root", "db", "wwwroot", "data"],
    "mysql":      ["root", "mysql", "admin", "test"],
    "mssql":      ["sa"],
    # "smb":        ["administrator", "admin", "guest"],
    # "rdp":        ["administrator", "admin", "guest"],
    "postgresql": ["postgres", "admin"],
    "ssh":        ["root", "admin"],
    "mongodb":    ["root", "admin"],
    # "oracle":     ["sys", "system", "admin", "test", "web", "orcl"],
    "dahua":      ["admin", "dahua", "root", "test"],
    "hikvision":  ["admin"]
}

passwords_list = [
    "123456", "12345", "asdf1234", "abc12345", "12345{user}", "{user}12345", "12345abc", "admin", "admin123", "root",
    "", "pass123", "pass@123", "password", "123123", "654321", "111111",
    "123", "1", "admin@123", "Admin@123", "admin123!@#", "{user}", "{user}1", "{user}111", "{user}123",
    "{user}@123", "{user}_123", "{user}#123", "{user}@111", "{user}@2019", "{user}@123#4", "P@ssw0rd!",
    "P@ssw0rd", "Passw0rd", "qwe123", "12345678", "test", "test123", "123qwe", "123qwe!@#", "123456789",
    "123321", "666666", "a123456.", "123456~a", "123456!a", "000000", "1234567890", "8888888", "888888", "!QAZ2wsx",
    "1qaz2wsx", "abc123", "abc123456", "1qaz@WSX", "a11111", "a12345", "Aa1234", "Aa1234.", "Aa12345", "a123456",
    "a123123", "Aa123123", "Aa123456", "Aa12345.", "sysadmin", "system", "1qaz!QAZ", "2wsx@WSX", "qwe123!@#",
    "Aa123456!", "A123456s!", "sa123456", "1q2w3e", "Charge123", "Aa123456789", "pwd@123456",
]
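
The same {user} expansion can be applied when a password is set, so that anything this dictionary would find is rejected before it reaches a service. This is an added example, not code from the original tool: WEAK_TEMPLATES is a constructed subset of the list above, the function names are hypothetical, and is_user_derived is an assumed generalisation that goes beyond the fixed list.

```python
import re

# Constructed subset of the page's passwords_list; "{user}" is filled in per account.
WEAK_TEMPLATES = ["", "123456", "admin@123", "P@ssw0rd", "{user}", "{user}123",
                  "{user}@123", "12345{user}", "{user}@2019"]


def is_user_derived(user, password):
    """Assumed generalisation: the user name padded only with digits/punctuation."""
    u, p = user.lower(), password.lower()
    if not u or u not in p:
        return False
    return re.fullmatch(r"[\d\W_]*", p.replace(u, "", 1)) is not None


def weak_password_reason(user, password):
    """Return why `password` must be rejected for `user`, or None if it passes."""
    for tpl in WEAK_TEMPLATES:
        # Same substitution the scanner performs, compared case-insensitively.
        if tpl.replace("{user}", user).lower() == password.lower():
            return f"matches dictionary entry {tpl!r}"
    if is_user_derived(user, password):
        return "user name padded with digits/punctuation"
    return None


def audit(accounts):
    """Map each user whose (user, password) pair fails the check to the reason."""
    return {u: r for u, p in accounts if (r := weak_password_reason(u, p))}


if __name__ == "__main__":
    # Constructed accounts, named after entries in the page's username_dict.
    sample = [("postgres", "Postgres@2019"), ("sa", "sa@2024!"),
              ("admin", "tr4vel-Lantern-okapi")]
    for user, reason in audit(sample).items():
        print(user, "->", reason)
```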

1. SSH weak passwords

Part of the key code is as follows:

import socket
import time

import paramiko

# Each queue entry is "user:password"; "{user}" in the password is replaced by the user name
name, pwd = self.qlist.get().split(':', 1)
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)
try:
    ssh = paramiko.SSHClient()
    # AutoAddPolicy trusts whatever host key the target presents
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh.connect(hostname=self.host, port=self.port, username=name, password=pwd, timeout=self.timeout)
    time.sleep(0.05)
    ssh.close()
    s = "[OK] %s:%s" % (name, pwd)
    self.show_log(self.host, s)
    self.result.append(s)
except socket.timeout:
    # Put the pair back on the queue and retry later
    self.show_log(self.host, "Timeout...")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
except Exception:
    error = "[Error] %s:%s" % (name, pwd)
    self.show_log(self.host, error)
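
Seen from the target, the SSH check above is a rapid run of failed password logins from one source, possibly ending in a success. The following detection sketch over sshd log lines is an added example, not part of the original tool; the log lines are constructed, and the threshold, window and year default are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH auth-log lines (documentation IP ranges), not from a real host.
SAMPLE = [f"Mar 10 02:14:{s:02d} db1 sshd[811]: Failed password for root "
          f"from 203.0.113.7 port 40{s:03d} ssh2" for s in range(1, 7)] + [
    "Mar 10 02:14:08 db1 sshd[811]: Accepted password for root from 203.0.113.7 port 40008 ssh2",
    "Mar 10 02:20:00 db1 sshd[902]: Failed password for invalid user admin from 198.51.100.9 port 5222 ssh2",
    "Mar 10 02:21:00 db1 sshd[903]: Accepted password for deploy from 198.51.100.9 port 5223 ssh2",
]

LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: (Failed|Accepted) "
                     r"password for (?:invalid user )?(\S+) from (\S+) port \d+")


def detect(lines, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return (kind, source_ip, user) alerts; threshold and window are assumed values."""
    fails = defaultdict(list)  # source IP -> failure timestamps still inside the window
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        recent = [t for t in fails[src] if ts - t <= window]
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) == threshold:  # alert when the count first reaches the threshold
                alerts.append(("burst", src, user))
        elif len(recent) >= threshold:  # a guess worked: treat as a compromised account
            alerts.append(("success_after_burst", src, user))
        fails[src] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The second source in the sample fails once and then logs in, which stays below the threshold and raises no alert.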

2. PostgreSQL weak passwords

Part of the key code is as follows:

import socket
import time

import psycopg2

name, pwd = self.qlist.get().split(':', 1)
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)
try:
    pgscon = psycopg2.connect(host=self.host, port=self.port, user=name, password=pwd)
    time.sleep(0.02)
    pgscon.close()
    s = "[OK] %s:%s" % (name, pwd)
    self.show_log(self.host, s)
    self.result.append(s)
except socket.timeout:
    self.show_log(self.host, "Timeout...")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
except Exception:
    # print(e)
    error = "[Error] %s:%s" % (name, pwd)
    self.show_log(self.host, error)

3. Redis weak passwords

Redis has no user name by default, so only the password list is used here.
The key code is as follows:

import socket
import time

import redis

pwd = self.qlist.get()
if "{user}" in pwd:
    pwd = pwd.replace("{user}", "redis")
try:
    conn = redis.Redis(host=self.host, port=self.port, password=pwd)
    conn.ping()
    # time.sleep(0.05)
    s = "[OK] :%s" % (pwd)
    if pwd == "":
        s += "(no password)"
    self.show_log(self.host, s)
    self.result.append(s)
except socket.timeout:
    self.show_log(self.host, "Timeout...")
    # Requeue the bare password: entries in this queue carry no "user:" prefix
    self.qlist.put(pwd)
    time.sleep(1)
except Exception:
    error = "[Error] :%s" % (pwd)
    self.show_log(self.host, error)

4. MySQL weak passwords

The key code is as follows:

import socket
import time

import pymysql

name, pwd = self.qlist.get().split(':', 1)
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)
try:
    conn = pymysql.connect(host=self.host, user=name, passwd=pwd, db='mysql', port=self.port)
    if conn:
        # time.sleep(0.05)
        conn.close()
    s = "[OK] %s:%s" % (name, pwd)
    self.show_log(self.host, s)
    self.result.append(s)
except socket.timeout:
    self.show_log(self.host, "Timeout")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
except Exception:
    # print(e)
    error = "[Error] %s:%s" % (name, pwd)
    self.show_log(self.host, error)

5. MongoDB weak passwords

For MongoDB, different methods are used depending on the pymongo version: the calls differ before and after version 4.0, so the code checks the version and works with either.
The key code is as follows:

import socket
import time

import pymongo

pymongo_ver = pymongo.version
name, pwd = self.qlist.get().split(':', 1)
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)
try:
    if int(pymongo_ver.split(".")[0]) >= 4:
        # pymongo 4.x: credentials are passed to MongoClient
        conn = pymongo.MongoClient(host=self.host, port=self.port, username=name, password=pwd, socketTimeoutMS=3000)
        conn.list_database_names()
    else:
        # pymongo before 4.0: authenticate against the admin database
        conn = pymongo.MongoClient(host=self.host, port=self.port, socketTimeoutMS=3000)
        if name or pwd:
            db = conn.admin
            db.authenticate(name, pwd)
        else:
            conn.list_database_names()
    conn.close()
    s = "[OK] %s:%s" % (name, pwd)
    self.show_log(self.host, s)
    self.result.append(s)
except socket.timeout:
    self.show_log(self.host, "Timeout...")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
except Exception:
    # print(e)
    error = "[Error] %s:%s" % (name, pwd)
    self.show_log(self.host, error)

6. FTP weak passwords

The FTP check also covers anonymous login: it first attempts an anonymous login, and then scans using the user names and passwords.
The key code is as follows:

import ftplib
import socket
import time

# Anonymous login
# ("匿名登录" in the strings below means "anonymous login"; it is the label written to the log)
try:
    if not self.is_exit:
        ftpclient = ftplib.FTP()
        ftpclient.connect(host=self.host, port=self.port)
        ftpclient.login()
        ftpclient.close()
        s = "[OK] %s:%s" % ("匿名登录", "匿名登录")
        self.show_log(self.host, s)
        self.result.append(s)
        self.is_exit = True
        self.qlist.queue.clear()
except Exception as e:
    print("匿名登录error:", e)

# User name / password login
name, pwd = self.qlist.get().split(':', 1)
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)
try:
    ftpclient = ftplib.FTP()
    ftpclient.connect(host=self.host, port=self.port, timeout=3)
    ftpclient.login(name, pwd)
    ftpclient.close()

    s = "[OK] %s:%s" % (name, pwd)
    self.show_log(self.host, s)
    self.result.append(s)
except socket.timeout:
    self.show_log(self.host, "Timeout")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
except Exception as e:
    print(e)
    error = "[Error] %s:%s" % (name, pwd)
    self.show_log(self.host, error)

7. SQL Server (MSSQL) weak passwords

sqlserver is the same thing as mssql.
The key code is as follows:

import socket
import time

import pymssql

name, pwd = self.qlist.get().split(':', 1)
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)
try:
    conn = pymssql.connect(host=self.host, port=self.port, user=name, password=pwd)
    if conn:
        # time.sleep(0.05)
        conn.close()
    s = "[OK] %s:%s" % (name, pwd)
    self.show_log(self.host, s)
    self.result.append(s)
except socket.timeout:
    self.show_log(self.host, "Timeout")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
except Exception as e:
    print(e)
    error = "[Error] %s:%s" % (name, pwd)
    self.show_log(self.host, error)

8. Dahua weak passwords

The key code is as follows:

import time

import requests

ip = f"{self.host}:{self.port}"  # works whether self.port is an int or a str
url = f"http://{ip}/RPC2_Login"
headers = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
    'Host': ip,
    'Origin': 'http://' + ip,
    'Referer': 'http://' + ip,
    'Accept': 'application/json, text/javascript, */*; q=0.01',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'Connection': 'close',
    'X-Requested-With': 'XMLHttpRequest',
}

name, pwd = self.qlist.get().split(':', 1)
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)
print(name, pwd)
_json = {
    "method": "global.login",
    "params": {
        "userName": name,
        "password": pwd,
        "clientType": "Web3.0",
        "loginType": "Direct",
        "authorityType": "Default",
        "passwordType": "Plain",
    },
    "id": 1,
    "session": 0,
}
try:
    r = requests.post(url, headers=headers, json=_json, verify=False, timeout=5)
    if r.status_code == 200 and r.json()['result'] is True:
        s = "[OK] %s:%s" % (name, pwd)
        self.show_log(self.host, s)
        self.result.append(s)
except requests.exceptions.Timeout:
    # requests raises its own Timeout type, not socket.timeout
    self.show_log(self.host, "Timeout")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
    print("Timeout")
except Exception as e:
    print(e)
    error = "[Error] %s:%s" % (name, pwd)
    self.show_log(self.host, error)

9. Hikvision weak passwords

The key code is as follows:

import time

import requests

ip = f"{self.host}:{self.port}"  # works whether self.port is an int or a str
url = f"http://{ip}/ISAPI/Security/userCheck"
headers = {
    'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
    'Connection': 'close'
}

name, pwd = self.qlist.get().split(':', 1)
if "{user}" in pwd:
    pwd = pwd.replace("{user}", name)
# print(name,pwd)
try:
    r = requests.get(url, auth=(name, pwd), timeout=10, headers=headers, verify=False)
    print(r.status_code)
    print(r.text)
    if r.status_code == 200 and 'userCheck' in r.text and 'statusValue' in r.text and '200' in r.text:
        s = "[OK] %s:%s" % (name, pwd)
        self.show_log(self.host, s)
        self.result.append(s)
except requests.exceptions.Timeout:
    # requests raises its own Timeout type, not socket.timeout
    self.show_log(self.host, "Timeout")
    self.qlist.put(name + ':' + pwd)
    time.sleep(3)
    print("Timeout")
except Exception as e:
    print(e)
    # error = "[Error] %s:%s" % (name,pwd)
    # self.show_log(self.host,error)

Tool source code

GitHub: WeakpassScan
