Example #1
 def ssh_l(self, ip, port):
     """Audit one SSH endpoint against the credential list in ``self.lines``.

     Each entry is split on ``:`` into a username and a password and passed
     to ``self.ssh_connect``. A return code of 2 ends the loop without a
     finding (presumably "cannot connect" -- confirm in ssh_connect); a
     return code of 1 is recorded as a weak-password finding and also ends
     the loop.

     The finding line contains the accepted credential in cleartext; it is
     printed and appended to ``self.result`` while ``self.lock`` is held.

     :param ip: target host
     :param port: target port, passed through to ``ssh_connect``
     :return: None
     """
     try:
         for entry in self.lines:
             fields = entry.split(':')
             username, password = fields[0], fields[1]
             status = self.ssh_connect(ip, username, password, port)
             if status == 2:
                 break
             if status != 1:
                 continue
             self.lock.acquire()
             finding = ("%s ssh at %s has weaken password!!-------%s:%s\r\n" %
                        (ip, port, username, password))
             printGreen(finding)
             self.result.append(finding)
             self.lock.release()
             break
     except Exception:
         # Best effort: any error, including a list entry without ':',
         # silently ends the check for this host.
         pass
Example #2
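    def ftp_l(self, ip, port):
        """Audit one FTP service against the ``user:password`` list in ``self.lines``.

        ``self.ftp_connect`` is called once per entry. Return code 1 is
        recorded as a weak-password finding, return code 2 is reported as
        "can't connect or connect timeout"; both end the loop. Any other code
        is reported as a failed login and the next entry is tried.

        The finding line contains the accepted credential in cleartext and is
        appended to ``self.result``.

        :param ip: target host
        :param port: target port, passed through to ``ftp_connect``
        :return: None
        """
        try:
            for entry in self.lines:
                fields = entry.split(':')
                username, password = fields[0], fields[1]
                flag = self.ftp_connect(ip, username, password, port)
                if flag == 1:
                    finding = (
                        "[+] %s ftp at %s has weaken password!!-------%s:%s\r\n"
                        % (ip, port, username, password))
                    # "with" releases the lock even if printing raises, so
                    # other worker threads cannot be left blocked.
                    with self.lock:
                        printGreen(finding)
                        self.result.append(finding)
                    break
                elif flag == 2:
                    with self.lock:
                        print("[!] %s's ftp service can't connect or connect timeout" % (
                            ip))
                    break
                else:
                    with self.lock:
                        print("[*] %s's ftp service 's %s:%s login fail " % (
                            ip, username, password))
        except Exception as e:
            # Narrowed from a bare "except:" so KeyboardInterrupt/SystemExit
            # still propagate. The error is reported because a silently
            # aborted loop (e.g. a list entry without ':') would otherwise
            # look like "no weak password found".
            print("[!] err: %s" % e)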
Example #3
    def vnc_l(self, ip, port):
        """Audit one VNC service against the password list in ``self.lines``.

        Every entry of ``self.lines`` is used whole as the password for
        ``self.vnc_connect``. Return code 2 is reported as the server
        refusing connections after too many security failures and ends the
        loop; return code 1 is recorded as a weak-password finding and ends
        the loop; anything else is reported as a failed login.

        The finding line contains the accepted password in cleartext and is
        appended to ``self.result``.

        :param ip: target host
        :param port: target port
        :return: None
        """
        try:
            for candidate in self.lines:
                status = self.vnc_connect(ip=ip, port=port, password=candidate)
                if status == 2:
                    self.lock.acquire()
                    print("%s vnc at %s not allow connect now because of too many security failure" % (
                        ip, port))
                    self.lock.release()
                    break

                if status != 1:
                    self.lock.acquire()
                    print("login %s vnc service with %s fail " % (ip, candidate))
                    self.lock.release()
                    continue

                self.lock.acquire()
                # The console line and the stored line differ by one space;
                # both literals are kept exactly as they were.
                printGreen(
                    "%s vnc at %s has weaken password!!-----%s\r\n" %
                    (ip, port, candidate))
                self.result.append(
                    "%s vnc at %s  has weaken password!!-----%s\r\n" %
                    (ip, port, candidate))
                self.lock.release()
                break
        except Exception:
            # Best effort: errors end the check for this host silently.
            pass
Example #4
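 def web_login(self, url, ip, port, username, password):
     """Send one HTTP Basic-auth GET and record the credential if it is accepted.

     A response status of 200 is treated as a successful login. Only the
     status code is checked, so a URL that answers 200 without requiring
     authentication at all would be reported as a weak password; confirm
     findings against an unauthenticated request.

     The finding line contains the credential in cleartext and is appended to
     ``self.result``.

     :param url: URL to request
     :param ip: target host, used only in the messages
     :param port: target port, used only in the messages
     :param username: user name to try
     :param password: password to try
     :return: None (``creak`` is set but not returned by the code shown)
     """
     creak = 0
     try:
         login_pass = username + ':' + password
         # b64encode emits no line breaks, so the newline stripping that
         # base64.encodestring needed is no longer required.
         header = {'Authorization': 'Basic ' + base64.b64encode(login_pass)}
         r = requests.get(url, headers=header, timeout=8)
         if r.status_code == 200:
             finding = (
                 "%s service at %s has weaken password!!-------%s:%s\r\n" %
                 (ip, port, username, password))
             # Append under the lock, like the other checks in this file,
             # and release it even if printing raises.
             with self.lock:
                 self.result.append(finding)
                 printGreen(finding)
             creak = 1
         else:
             with self.lock:
                 print("%s service 's %s:%s login fail " % (ip, username,
                                                            password))
     except Exception:
         # Best effort: request errors and timeouts are ignored.
         pass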
Example #5
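 def rsync_connect(self, ip, port):
     """Check whether an rsync daemon lists modules to an unauthenticated client.

     Sends the daemon greeting ``@RSYNCD: 31.0`` followed by an empty line
     and reads the reply. Every non-empty reply line that does not contain
     ``@RSYNCD`` is counted as a module and recorded as one finding, so a
     daemon with several modules produces several identical lines.

     A listed module shows that the listing is exposed; this check does not
     test whether the module can be read or written without credentials.

     :param ip: target host
     :param port: target port (converted with ``int``)
     :return: None (``creak`` is set but not returned by the code shown)
     """
     creak = 0
     s = None
     try:
         # "@RSYNCD: 31.0\n"
         payload = '\x40\x52\x53\x59\x4e\x43\x44\x3a\x20\x33\x31\x2e\x30\x0a'
         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         # Kept for compatibility: changes the process-wide default used by
         # sockets created afterwards.
         socket.setdefaulttimeout(8)
         # The default above does not apply to `s`, which already exists,
         # so the timeout is also set on this socket directly.
         s.settimeout(8)
         s.connect((ip, int(port)))
         s.sendall(payload)
         time.sleep(2)
         # Server greeting.
         initinfo = s.recv(400)
         if "RSYNCD" in initinfo:
             s.sendall("\x0a")
             time.sleep(2)
         modulelist = s.recv(200)
         if len(modulelist) > 0:
             for line in modulelist.split("\n"):
                 # Anything that is not a protocol line is treated as a module.
                 if line != "" and line.find("@RSYNCD") < 0:
                     finding = "%s rsync at %s find a module\r\n" % (ip, port)
                     with self.lock:
                         printGreen(finding)
                         self.result.append(finding)
     except Exception as e:
         print(e)
     finally:
         # Close the socket on every path; it was previously left open.
         if s is not None:
             s.close()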
Example #6
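    def mongo_db(self, ip, port):
        """Audit one MongoDB service against the ``user:password`` list in ``self.lines``.

        ``self.mongodb_connect`` is called once per entry. Return codes 1 and
        4 end the loop without a finding (their meaning is defined in
        mongodb_connect, not shown here). Return code 2 is recorded as a
        weak-password finding; note that success is 2 here, not 1 as in the
        other service checks.

        The finding line contains the accepted credential in cleartext and is
        appended to ``self.result``.

        :param ip: target host
        :param port: target port, passed through to ``mongodb_connect``
        :return: None
        """
        try:
            for entry in self.lines:
                fields = entry.split(':')
                username, password = fields[0], fields[1]
                flag = self.mongodb_connect(ip, username, password, port)
                if flag in [1, 4]:
                    break

                if flag == 2:
                    finding = (
                        "%s mongoDB at %s has weaken password!!-------%s:%s\r\n"
                        % (ip, port, username, password))
                    # "with" releases the lock even if printing raises.
                    with self.lock:
                        printGreen(finding)
                        self.result.append(finding)
                    break
        except Exception as e:
            # Narrowed from a bare "except:" so KeyboardInterrupt/SystemExit
            # still propagate; the error is reported so an aborted loop is
            # not mistaken for a clean result.
            print("[!] err: %s" % e)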
Example #7
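 def mongoDB(self, ip, port):
     """Check whether a MongoDB service answers admin commands without authentication.

     Two pre-built wire-protocol messages addressed to ``admin.$cmd`` are
     sent: an ``ismaster`` command, then ``getLog`` for ``startupWarnings``.
     If the second reply contains ``totalLinesWritten`` the server returned
     log data to a client that never authenticated, and a finding is
     recorded in ``self.result``.

     :param ip: target host
     :param port: target port (converted with ``int``)
     :return: None
     """
     s = None
     try:
         # NOTE(review): no timeout is set here; connect/recv rely on
         # whatever process-wide default is in force.
         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         s.connect((ip, int(port)))
         ismaster_query = binascii.a2b_hex(
             "3a000000a741000000000000d40700000000000061646d696e2e24636d640000000000ffffffff130000001069736d6173746572000100000000"
         )
         s.send(ismaster_query)
         result = s.recv(1024)
         if "ismaster" in result:
             getlog_data = binascii.a2b_hex(
                 "480000000200000000000000d40700000000000061646d696e2e24636d6400000000000100000021000000026765744c6f670010000000737461727475705761726e696e67730000"
             )
             s.send(getlog_data)
             result = s.recv(1024)
             if "totalLinesWritten" in result:
                 finding = (
                     '[+] %s mongodb service at %s allow login Anonymous login!!\r\n'
                     % (ip, port))
                 # "with" releases the lock even if printing raises.
                 with self.lock:
                     printGreen(finding)
                     self.result.append(finding)
     except Exception as e:
         print("[!] err: %s" % e)
     finally:
         # Close the socket on every path; it was previously left open.
         if s is not None:
             s.close()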
Example #8
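 def rsync_creak(self, ip, port):
     """Check whether an rsync daemon lists at least one module without authentication.

     Sends the daemon greeting ``@RSYNCD: 31.0`` followed by an empty line
     and reads the reply. If any non-empty reply line does not contain
     ``@RSYNCD`` it is taken as a module name and a single "maybe allow
     anonymous login" finding is recorded in ``self.result``.

     The check only sees the module listing; it does not attempt to access a
     module, which is why the finding is worded as "maybe".

     :param ip: target host
     :param port: target port (converted with ``int``)
     :return: None
     """
     s = None
     try:
         # "@RSYNCD: 31.0\n"
         payload = '\x40\x52\x53\x59\x4e\x43\x44\x3a\x20\x33\x31\x2e\x30\x0a'
         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         # Kept for compatibility: changes the process-wide default used by
         # sockets created afterwards.
         socket.setdefaulttimeout(10)
         # The default above does not apply to `s`, which already exists,
         # so the timeout is also set on this socket directly.
         s.settimeout(10)
         s.connect((ip, int(port)))
         s.sendall(payload)
         time.sleep(2)
         initinfo = s.recv(400)
         if "RSYNCD" in initinfo:
             s.sendall("\x0a")
             time.sleep(2)
         modulelist = s.recv(200)
         # No module line, no finding.
         has_module = any(
             line != "" and line.find("@RSYNCD") < 0
             for line in modulelist.split("\n"))
         if has_module:
             finding = (
                 "[+] %s rsync at %s port  maybe allow anonymous login"
                 % (ip, port))
             with self.lock:
                 printGreen(finding)
                 self.result.append(finding)
     except Exception as e:
         print("[!] err: %s" % e)
     finally:
         # Close the socket on every path; it was previously left open.
         if s is not None:
             s.close()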
Example #9
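 def redisexp(self, ip, port):
     """Check a Redis service for unauthenticated access, then for weak passwords.

     ``INFO`` is sent over a raw socket. A reply containing
     ``redis_version`` means the server answered without authentication and
     is recorded as a finding. A reply containing ``Authentication`` means a
     password is required; each entry of ``self.lines`` is then tried through
     ``self.redis`` until one returns 1.

     Weak-password findings contain the accepted password in cleartext and
     are appended to ``self.result``.

     :param ip: target host
     :param port: target port
     :return: None
     """
     s = None
     try:
         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         # int() matches the other raw-socket checks and accepts a port
         # given as a string.
         s.connect((ip, int(port)))
         s.send("INFO\r\n")
         result = s.recv(1024)
         if "redis_version" in result:
             finding = '[+] %s redis service at %s allow login Anonymous login!!\r\n' % (ip, port)
             with self.lock:
                 printGreen(finding)
                 self.result.append(finding)
         elif "Authentication" in result:
             for password in self.lines:
                 flag = self.redis(password, ip, port)
                 if flag == 1:
                     finding = '[+] %s redis service at %s port has weakpass:%s' % (ip, port, password)
                     with self.lock:
                         printGreen(finding)
                         self.result.append(finding)
                     break
                 else:
                     with self.lock:
                         print("[*] %s's redis service 's %s login fail " % (ip, password))
     except Exception as e:
         print("[!] %s" % e)
     finally:
         # Close the socket on every path; it was previously left open.
         if s is not None:
             s.close()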
Example #10
 def ssh_l(self, ip, port):
     """Audit one SSH service against the ``user:password`` list in ``self.lines``.

     ``self.ssh_connect`` is called once per entry. Return code 2 is reported
     as a connection-level failure and ends the loop; return code 1 is
     recorded as a weak-password finding and ends the loop; return code 0 is
     reported as a failed login and the next entry is tried.

     The finding line contains the accepted credential in cleartext and is
     appended to ``self.result``. Failed attempts are printed with the tried
     credential as well.

     :param ip: target host
     :param port: target port, passed through to ``ssh_connect``
     :return: None
     """
     try:
         for entry in self.lines:
             fields = entry.split(':')
             username, password = fields[0], fields[1]
             status = self.ssh_connect(ip, username, password, port)
             if status == 2:
                 self.lock.acquire()
                 print("[!] connect %s ssh service at %s login fail " % (
                     ip, port))
                 self.lock.release()
                 break
             if status == 1:
                 self.lock.acquire()
                 finding = (
                     "[+] %s ssh at %s has weaken password!!-------%s:%s\r\n"
                     % (ip, port, username, password))
                 printGreen(finding)
                 self.result.append(finding)
                 self.lock.release()
                 break
             if status == 0:
                 self.lock.acquire()
                 print("[*] %s ssh service 's %s:%s login fail " % (
                     ip, username, password))
                 self.lock.release()
     except Exception as e:
         print("[!] err:%s" % e)
Example #11
    def telnet_connect(self, ip, port, user, pass_, timeout=2):
        """Try one credential against a telnet service and record it if a shell prompt follows.

        The first data read from the server decides the path: if it matches
        ``user_match`` the user name and then the password are sent; if it
        matches ``pass_match`` only the password is sent. A reply matching
        ``login_match`` (``#``, ``$`` or ``>``) is treated as a successful
        login and appended to ``self.result`` with the credential in
        cleartext.

        The listing ends inside the outer ``try``; its handler and any return
        value are not visible here.
        """
        user_match = "(?i)(login|username)"
        pass_match = '(?i)(password|pass)'
        login_match = '#|\$|>'
        try:
            tn = telnetlib.Telnet(ip, port)
            # tn.set_debuglevel(3)
            time.sleep(0.5)
            # NOTE(review): the local name `os` would shadow the os module
            # inside this function if the file imports it.
            os = tn.read_some()
            # `os` holds the banner / first prompt sent by the server
            # print os

            # The banner asks for a user name: send user name, then password.
            if re.search(user_match, os, re.IGNORECASE):
                try:
                    tn.write(str(user) + '\r\n')
                    # NOTE(review): telnetlib's read_until() waits for a
                    # literal string, not a regex, so passing these patterns
                    # most likely just waits for the timeout -- confirm.
                    tn.read_until(pass_match, timeout)
                    tn.write(str(pass_) + '\r\n')
                    login_info = tn.read_until(login_match, timeout=timeout)
                    tn.close()
                    if re.search(login_match, login_info, re.IGNORECASE):
                        # NOTE(review): self.lock is released below but never
                        # acquired in this branch. The finding is written
                        # without the lock, and the release() either raises
                        # (caught by the handler below) or frees a lock held
                        # by another thread.
                        printGreen(
                            "[+] %s telnet at %s port has weaken password!!-------%s:%s\r\n"
                            % (ip, port, user, pass_))
                        self.result.append(
                            "[+] %s telnet at %s port has weaken password!!-------%s:%s\r\n"
                            % (ip, port, user, pass_))
                        self.lock.release()
                    else:
                        self.lock.acquire()
                        print "[*] %s's telnet service 's %s:%s login fail " % (
                            ip, user, pass_)
                        self.lock.release()
                except Exception, e:
                    print "[!] err:%s" % e
                    pass

            # The banner asks only for a password: send the password alone.
            elif re.search(pass_match, os, re.IGNORECASE):
                tn.read_until(pass_match, timeout=timeout)
                tn.write(str(pass_) + '\r\n')
                login_info = tn.read_until(login_match, timeout=timeout)
                # Prints the raw server reply, outside the lock.
                print login_info
                tn.close()
                if re.search(login_match, login_info):
                    self.lock.acquire()
                    printGreen(
                        "[+] %s telnet at %s port has weaken password!!-------%s\r\n"
                        % (ip, port, pass_))
                    self.result.append(
                        "[+] %s telnet at %s port has weaken password!!-------%s\r\n"
                        % (ip, port, pass_))
                    self.lock.release()
                else:
                    self.lock.acquire()
                    print "[*] %s's telnet service 's %s login fail " % (ip,
                                                                         pass_)
                    self.lock.release()
Example #12
 def run(self, ipdict, pinglist, threads, file):
     """Record memcache endpoints as findings and write ``self.result`` to ``file``.

     Every ``host:port`` entry in ``ipdict['memcache']`` is reported as an
     information-leak finding without any further probing. When the list is
     non-empty, all lines currently in ``self.result`` are written through
     ``self.config.write_file``; with an empty list nothing is written.

     ``pinglist`` and ``threads`` are not used by the code shown. No lock is
     taken here.

     :param ipdict: mapping with a ``'memcache'`` list of ``host:port`` strings
     :param file: destination passed to ``self.config.write_file``
     :return: None
     """
     # memcache
     targets = ipdict['memcache']
     if len(targets):
         for target in targets:
             parts = target.split(':')
             finding = (
                 "[+] %s memcache at %s port has memcached_information_leak\r\n"
                 % (parts[0], parts[1]))
             printGreen(finding)
             self.result.append(finding)
         for line in self.result:
             self.config.write_file(contents=line, file=file)
Example #13
 def ldap_creak(self, ip, port):
     """Record an LDAP service for which ``self.ldap_connect`` returns 1.

     The finding is worded "allow simple bind"; what exactly is bound
     (presumably an anonymous simple bind -- confirm in ldap_connect) is
     decided by ``ldap_connect``, which is not shown here.

     :param ip: target host
     :param port: target port
     :return: None
     """
     try:
         if self.ldap_connect(ip, port) != 1:
             return
         self.lock.acquire()
         finding = "[+] %s ldap at %s port allow simple bind\r\n" % (ip, port)
         printGreen(finding)
         self.result.append(finding)
         self.lock.release()
     except Exception as e:
         print("[!] err: %s" % e)
Example #14
 def smb_l(self, ip, port):
     """Audit one SMB service against the ``user:password`` list in ``self.lines``.

     ``self.smb_connect`` is called with host, user name and password only;
     ``port`` appears in the messages but is not passed to it. A return
     value of 1 is recorded as a weak-password finding and ends the loop;
     anything else is printed as a failed login.

     The finding line contains the accepted credential in cleartext and is
     appended to ``self.result``.

     :param ip: target host
     :param port: port shown in the finding text
     :return: None
     """
     try:
         for entry in self.lines:
             fields = entry.split(':')
             username, password = fields[0], fields[1]
             accepted = self.smb_connect(ip, username, password) == 1
             self.lock.acquire()
             if accepted:
                 finding = "[+] %s smb at %s has weaken password!!-------%s:%s\r\n" % (ip, port, username, password)
                 printGreen(finding)
                 self.result.append(finding)
                 self.lock.release()
                 break
             print("[*] %s smb 's %s:%s login fail " % (ip, username, password))
             self.lock.release()
     except Exception as e:
         print("[!] err: %s" % e)
Example #15
 def mssq1(self, ip, port):
     """Audit one MSSQL service against the ``user:password`` list in ``self.lines``.

     ``self.mssql_connect`` is called once per entry. Return code 2 ends the
     loop without a finding (presumably a connection failure -- confirm in
     mssql_connect); return code 1 is recorded as a weak-password finding
     and ends the loop.

     The finding line contains the accepted credential in cleartext and is
     appended to ``self.result``.

     :param ip: target host
     :param port: target port, passed through to ``mssql_connect``
     :return: None
     """
     try:
         for entry in self.lines:
             fields = entry.split(':')
             username, password = fields[0], fields[1]
             status = self.mssql_connect(ip, username, password, port)
             if status == 2:
                 break
             if status != 1:
                 continue
             self.lock.acquire()
             finding = (
                 "[+] %s mssql at %s has weaken password!!-------%s:%s\r\n"
                 % (ip, port, username, password))
             printGreen(finding)
             self.result.append(finding)
             self.lock.release()
             break
     except Exception:
         # Best effort: errors end the check for this host silently.
         pass
Example #16
 def web_main(self, ip, port):
     """Check whether a web server accepts an unauthenticated HTTP PUT.

     A small text file named after the current timestamp is PUT to the
     server root over plain HTTP. A 201 response means the server created
     the file and is recorded as a finding in ``self.result``.

     The probe file is not deleted by this function, so a positive result
     leaves ``<timestamp>.txt`` on the server for later cleanup.

     :param ip: target host
     :param port: target port
     :return: None
     """
     # IIS PUT check
     try:
         probe_name = str(time.time()) + '.txt'
         url = 'http://' + ip + ':' + str(port) + '/' + probe_name
         response = requests.put(url, data='hi~', timeout=10)
         if response.status_code != 201:
             return
         self.lock.acquire()
         printGreen('%s has iis_put vlun at %s\r\n' % (ip, port))
         self.lock.release()
         # The result is appended after the lock has been released.
         self.result.append('%s has iis_put vlun at %s\r\n' % (ip, port))
     except Exception:
         # Best effort: request errors and timeouts are ignored.
         pass
Example #17
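 def redis_exp(self):
     """Worker loop: check queued Redis endpoints for missing or weak authentication.

     ``(ip, port)`` pairs are taken from ``self.sp`` forever. For each one a
     ``DBSIZE`` call without a password is attempted; success is recorded as
     an unauthenticated-access finding. If the call fails with an error whose
     first argument mentions ``Authentication``, each entry of ``self.lines``
     is tried as the password until one succeeds.

     Weak-password findings contain the accepted password in cleartext and
     are appended to ``self.result``; failed attempts are printed with the
     tried password.

     :return: never returns normally
     """
     while True:
         ip, port = self.sp.get()
         try:
             r = redis.Redis(host=ip, port=port, db=0, socket_timeout=8)
             r.dbsize()
             finding = (
                 '%s redis service at %s allow login Anonymous login!!\r\n'
                 % (ip, port))
             # "with" releases the lock even if printing raises.
             with self.lock:
                 printGreen(finding)
                 self.result.append(finding)
         except Exception as e:
             # e[0] raised IndexError/TypeError for exceptions with no
             # arguments or a non-string first argument, which escaped the
             # handler and ended this worker loop.
             try:
                 needs_auth = "Authentication" in e.args[0]
             except (IndexError, TypeError):
                 needs_auth = False
             if needs_auth:
                 # Password required: try the list.
                 for data in self.lines:
                     try:
                         r = redis.Redis(host=ip,
                                         port=port,
                                         db=0,
                                         password=data,
                                         socket_timeout=8)
                         r.dbsize()
                         finding = (
                             '%s redis service at %s port has weakpass:%s' %
                             (ip, port, data))
                         # This path wrote to self.result without the lock;
                         # it now matches the unauthenticated path above.
                         with self.lock:
                             printGreen(finding)
                             self.result.append(finding)
                         break
                     except Exception as err:
                         print("[*] %s redis service 's at %s login with:%s fail,err:%s" % (
                             ip, port, data, str(err)))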
Example #18
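 def ftp_l(self, ip, port):
     """Audit one FTP service against the ``user:password`` list in ``self.lines``.

     ``self.ftp_connect`` is called once per entry; the first entry for
     which it returns 1 is recorded as a weak-password finding and ends the
     loop. Other return values are ignored and the next entry is tried.

     The finding line contains the accepted credential in cleartext and is
     appended to ``self.result``.

     :param ip: target host
     :param port: target port, passed through to ``ftp_connect``
     :return: None
     """
     try:
         for entry in self.lines:
             fields = entry.split(':')
             username, password = fields[0], fields[1]
             if self.ftp_connect(ip, username, password, port) == 1:
                 finding = (
                     "%s ftp at %s has weaken password!!-------%s:%s\r\n" %
                     (ip, port, username, password))
                 # "with" releases the lock even if printing raises.
                 with self.lock:
                     printGreen(finding)
                     self.result.append(finding)
                 break
     except Exception as e:
         # Narrowed from a bare "except:" so KeyboardInterrupt/SystemExit
         # still propagate; the error is reported so an aborted loop is not
         # mistaken for a clean result.
         print("[!] err: %s" % e)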
Example #19
    def ldap_creak(self, ip, port):
        """Report the outcome of ``self.ldap_connect`` for one LDAP service.

        Return code 2 is printed as "can't connect" and not stored. Return
        code 1 is printed and appended to ``self.result`` as an "allow
        simple_bind" finding; what is bound is decided by ``ldap_connect``
        (presumably an anonymous simple bind -- confirm there).

        :param ip: target host
        :param port: target port
        :return: None
        """
        try:
            status = self.ldap_connect(ip, port)
            if status == 2:
                self.lock.acquire()
                printGreen("%s ldap at %s can't connect\r\n" % (ip, port))
                self.lock.release()
            elif status == 1:
                self.lock.acquire()
                finding = "%s ldap at %s allow simple_bind\r\n" % (ip, port)
                printGreen(finding)
                self.result.append(finding)
                self.lock.release()
        except Exception as e:
            print(e)
Example #20
     return 3
 # print info
 # 认证信息匹配搭配用户名,爆破用户名加密码
 if re.search(user_match, info, re.IGNORECASE):
     try:
         tn.write(str(user) + '\r\n')
         tn.read_until(pass_match, timeout=timeout)
         tn.write(str(pass_) + '\r\n')
         login_info = tn.read_until(login_match,
                                    timeout=timeout)
         tn.close()
         # print login_info
         if re.search(login_match, login_info):
             self.lock.acquire()
             printGreen(
                 "[+] %s telnet at %s port has weaken password!!-------%s:%s\r\n"
                 % (ip, port, user, pass_))
             self.result.append(
                 "[+] %s telnet at %s port has weaken password!!-------%s:%s\r\n"
                 % (ip, port, user, pass_))
             self.lock.release()
             return 1
         else:
             self.lock.acquire()
             print "[*] %s's telnet service 's %s:%s login fail " % (
                 ip, user, pass_)
             self.lock.release()
     except Exception, e:
         print "[!] err: %s" % e
         return 3
 # 认证信息匹配搭配密码,只爆破密码