Esempio n. 1
    def login(self, ipaddress, port, user_passwd_pair_list):
        """Try each (user, password) pair against a PostgreSQL service.

        For every pair a plain TCP connect is made first; if that probe fails
        the whole run for this host stops. Otherwise ``psycopg2.connect`` is
        called with the pair, and a connection that opens is reported through
        ``log_success`` and closed again. Every rejected pair is its own
        connection attempt against the server.

        NOTE(review): the working pair is handed to ``log_success`` unchanged,
        so the password presumably reaches that sink in clear text -- confirm
        where it is written and who can read it.
        """
        for credential in user_passwd_pair_list:
            # Reachability probe on a throw-away socket that is always closed.
            probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                probe.settimeout(self.timeout)
                probe.connect((ipaddress, port))
            except Exception as E:
                logger.debug('ConnectException: {} {} {}'.format(E, ipaddress, port))
                return
            finally:
                probe.close()

            try:
                session = psycopg2.connect(
                    host=ipaddress,
                    port=int(port),
                    user=credential[0],
                    password=credential[1],
                    connect_timeout=self.timeout,
                )
                log_success("PostgreSQL", ipaddress, port, credential)
                session.close()
            except Exception as E:
                # Any error here is treated as a failed attempt; move to the next pair.
                logger.debug('AuthenticationException: %s' % E)
Esempio n. 2
    def login_with_hash(self, ipaddress, port, hashes):
        """Attempt SMB logins from ``domain,user,LM:NT`` hash entries.

        Each element of *hashes* is stripped and split on commas. A new
        ``SMBConnection`` is opened per entry; a failure to open it ends the
        whole run, while any error during the login step is only logged at
        debug level. A login that succeeds and is not a guest session is
        reported through ``log_success``.

        NOTE(review): the hash is used here in place of a password and is
        passed on to ``log_success`` -- check how that sink stores it.
        """
        parsed_entries = [line.strip().split(",") for line in hashes]

        for entry in parsed_entries:
            try:
                fp = SMBConnection('*SMBSERVER', ipaddress, sess_port=int(port), timeout=self.timeout)
            except Exception as E:
                logger.debug('ConnectException: {} {} {}'.format(E, ipaddress, port))
                return

            try:
                account = entry[1]
                domain_name = entry[0]
                lm_part = entry[2].split(":")[0]
                nt_part = entry[2].split(":")[1]
                accepted = fp.login(account, "", domain=domain_name, lmhash=lm_part, nthash=nt_part)
                # Guest sessions are not counted as a valid login.
                if accepted and fp.isGuestSession() == 0:
                    log_success("SMB", ipaddress, port,
                                ["{}/{}".format(entry[0], entry[1]), entry[2]])
            except Exception as E:
                logger.debug('AuthenticationException: %s' % E)
            finally:
                # The underlying socket is closed after every attempt.
                fp.getSMBServer().get_socket().close()
Esempio n. 3
    def login(self, ipaddress, port, user_passwd_pair_list):
        """Try each (user, password) pair against an SMB service.

        The user field may carry a domain in front of the account name,
        separated by a backslash; without one the domain is the empty string.
        A new ``SMBConnection`` is opened per pair; failing to open it ends
        the run. Non-guest logins are reported through ``log_success``.

        NOTE(review): the password is forwarded to ``log_success`` as given --
        presumably stored in clear text, confirm against that helper.
        """
        for credential in user_passwd_pair_list:
            try:
                fp = SMBConnection('*SMBSERVER', ipaddress, sess_port=int(port), timeout=self.timeout)
            except Exception as E:
                logger.debug('ConnectException: {} {} {}'.format(E, ipaddress, port))
                return

            try:
                principal = credential[0]
                if "\\" in principal:
                    pieces = principal.split("\\")
                    domain, username = pieces[0], pieces[1]
                else:
                    domain, username = "", principal

                # Guest sessions are not counted as a valid login.
                if fp.login(username, credential[1], domain=domain) and fp.isGuestSession() == 0:
                    if domain == "":
                        reported = credential
                    else:
                        reported = ["{}\\{}".format(domain, username), credential[1]]
                    log_success("SMB", ipaddress, port, reported)
            except Exception as E:
                logger.debug('AuthenticationException: %s' % E)
            finally:
                fp.getSMBServer().get_socket().close()
Esempio n. 4
 def login(self, ipaddress, port, user_passwd_pair_list):
     """Check each (user, password) pair against an RDP service via ``check_rdp``.

     A truthy result from ``check_rdp`` is reported through ``log_success``.
     Any exception -- whatever its cause -- is logged as a connect error and
     ends the run for this host.

     NOTE(review): the password is forwarded to ``log_success`` as given --
     presumably stored in clear text, confirm against that helper.
     """
     for credential in user_passwd_pair_list:
         try:
             if check_rdp(ipaddress, port, credential[0], credential[1], "", timeout=self.timeout):
                 log_success("RDP", ipaddress, port, credential)
         except Exception as E:
             logger.debug('ConnectException: {} {} {}'.format(E, ipaddress, port))
             return
Esempio n. 5
 def login(self, ipaddress, port, user_passwd_pair_list):
     """Try each (user, password) pair against a MySQL service.

     A pair counts as valid when ``pymysql.connect`` and the following
     ``get_server_info`` call both complete without raising. Any exception
     is logged at debug level and the next pair is tried.

     NOTE(review): the connection object is never closed in this method, so
     each successful attempt leaves a session open on the server until it
     is collected or times out.
     """
     for credential in user_passwd_pair_list:
         try:
             handle = pymysql.connect(
                 host=ipaddress,
                 port=int(port),
                 user=credential[0],
                 passwd=credential[1],
                 connect_timeout=self.timeout,
             )
             handle.get_server_info()
             log_success("MYSQL", ipaddress, port, credential)
         except Exception as E:
             logger.debug('AuthenticationException: %s' % E)
Esempio n. 6
 def login_with_pool(self, ipaddress, port, user_passwd_pair_list, pool_size=10):
     """Try each (user, password) pair against SSH through ``ParallelSSHClient``.

     For every pair a client is built for the single host and ``whoami`` is
     run; if neither step raises, the pair is reported through
     ``log_success``. The command output itself is not inspected.

     NOTE(review): the debug message on failure drops the exception, so a
     network error and a rejected login look the same in the log.
     """
     for credential in user_passwd_pair_list:
         try:
             ssh = ParallelSSHClient(
                 hosts=[ipaddress],
                 port=port,
                 user=credential[0],
                 password=credential[1],
                 num_retries=0,
                 timeout=self.timeout,
                 pool_size=pool_size,
             )
             ssh.run_command('whoami', timeout=self.timeout)
             log_success("SSH", ipaddress, port, credential)
         except Exception:
             logger.debug('AuthenticationException: ssh')
Esempio n. 7
 def login(self, ipaddress, port, user_passwd_pair_list):
     """Try the password of each pair against a VNC service.

     One ``VNC`` object is created up front and reconnected for every pair.
     Only the password element of the pair is sent; the user element is
     just carried along into the report. The run stops at the first
     password that ``login`` accepts.
     """
     session = VNC(self.timeout)
     for credential in user_passwd_pair_list:
         try:
             session.connect(ipaddress, int(port))
             if session.login(credential[1]):
                 log_success("VNC", ipaddress, port, credential)
                 return
         except Exception as E:
             # Connect and login errors are not told apart here.
             logger.debug('AuthenticationException: %s' % E)
Esempio n. 8
    def login(self, ipaddress, port, user_passwd_pair_list):
        """Try each (user, password) pair against an SMB service with an empty domain.

        A new ``SMBConnection`` is opened per pair; failing to open it ends
        the run. A login that succeeds and is not a guest session is reported
        through ``log_success``; login errors are only logged at debug level.
        """
        for credential in user_passwd_pair_list:
            try:
                fp = SMBConnection('*SMBSERVER', ipaddress, sess_port=int(port), timeout=self.timeout)
            except Exception as E:
                logger.debug('ConnectException: {} {} {}'.format(E, ipaddress, port))
                return

            try:
                accepted = fp.login(credential[0], credential[1], "")
                # Guest sessions are not counted as a valid login.
                if accepted and fp.isGuestSession() == 0:
                    log_success("SMB", ipaddress, port, credential)
            except Exception as E:
                logger.debug('AuthenticationException: %s' % E)
            finally:
                fp.getSMBServer().get_socket().close()
Esempio n. 9
    def login(self, ipaddress, port, user_passwd_pair_list):
        """Try the password of each pair against a Redis service.

        Only the password element is used: it is formatted into a single
        ``AUTH`` command string. The run stops at the first password for
        which ``execute_command`` does not raise.

        NOTE(review): the ``redis.Redis`` object is never closed here, and the
        password is forwarded to ``log_success`` as given -- confirm how that
        helper stores it.
        """
        for credential in user_passwd_pair_list:
            try:
                server = redis.Redis(host=ipaddress, port=port, db=0,
                                     socket_connect_timeout=self.timeout)
            except Exception as E:
                logger.debug('ConnectException: {} {} {}'.format(E, ipaddress, port))
                return

            try:
                server.execute_command("AUTH {}".format(credential[1]))
                log_success("Redis", ipaddress, port, credential)
                return
            except Exception as E:
                logger.debug('AuthenticationException: %s' % E)
Esempio n. 10
    def login_with_pool_key(self, ipaddress, port, user_passwd_pair_list, key_file_path_list, pool_size=10):
        """Try every key file with every user name against SSH.

        Only the user element of each pair is used; authentication is by the
        private key at *key_file_path*. If building the client and running
        ``whoami`` both complete without raising, the user and key path are
        reported through ``log_success``. The command output is not inspected.

        NOTE(review): the debug message on failure drops the exception, so a
        network error and a rejected key look the same in the log.
        """
        for key_path in key_file_path_list:
            for credential in user_passwd_pair_list:
                try:
                    ssh = ParallelSSHClient(
                        hosts=[ipaddress],
                        port=port,
                        user=credential[0],
                        pkey=key_path,
                        num_retries=0,
                        timeout=self.timeout,
                        pool_size=pool_size,
                    )
                    ssh.run_command('whoami', timeout=self.timeout)
                    log_success("SSH", ipaddress, port,
                                [credential[0], "key: {}".format(key_path)])
                except Exception:
                    logger.debug('AuthenticationException: ssh')
Esempio n. 11
    def login(self, ipaddress, port, user_passwd_pair_list):
        """Try each (user, password) pair against an FTP service.

        One ``FTP`` object is reused and reconnected for every pair. A connect
        error ends the run. The pair is sent with raw ``USER`` / ``PASS``
        commands followed by ``PWD``; if none of them raises, the pair is
        reported through ``log_success``. The connection is closed after each
        attempt.

        NOTE(review): the password is forwarded to ``log_success`` as given --
        presumably stored in clear text, confirm against that helper.
        """
        fp = FTP(timeout=self.timeout)

        for credential in user_passwd_pair_list:
            try:
                fp.connect(ipaddress, int(port))
            except Exception as E:
                logger.debug('ConnectException: %s' % E)
                return

            try:
                fp.sendcmd('USER ' + credential[0])
                fp.sendcmd('PASS ' + credential[1])
                fp.sendcmd('PWD')
                log_success("FTP", ipaddress, port, credential)
            except Exception as E:
                logger.debug('AuthenticationException: %s' % E)
            finally:
                fp.close()
Esempio n. 12
    def check(self):
        """Request the two Tomcat manager pages with every user/password combination.

        For each combination an HTTP Basic ``Authorization`` header is built
        and ``/host-manager/html`` then ``/manager/html`` are fetched under
        ``self.url``. A response whose text contains the page title is
        reported through ``log_success``.

        Basic auth is base64 encoding only, so when ``self.url`` is a plain
        http address the pair crosses the network readable. Errors raised
        while requesting a page are discarded without logging.

        Returns:
            True at the first combination that yields a manager page,
            False when none does.
        """
        pages = (
            ("/host-manager/html", "Tomcat Virtual Host Manager"),
            ("/manager/html", "Tomcat Web Application Manager"),
        )
        for u in self.user:
            for p in self.password:
                header = {
                    'User-Agent':
                    'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0',
                    'Accept':
                    'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                    'Accept-Language':
                    'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
                    'Connection':
                    'close',
                    'Upgrade-Insecure-Requests':
                    '1',
                    "Authorization":
                    "Basic " + base64.b64encode(("%s:%s") % (u, p))
                }
                for path, title in pages:
                    try:
                        page_url = self.url + path
                        reply = requests.get(page_url, timeout=3, headers=header)
                        if title in reply.text:
                            log_success("Tomcat", page_url, "", (u, p))
                            return True
                    except Exception:
                        # Request errors are swallowed; the next page or pair is tried.
                        pass
        return False
Esempio n. 13
    def login(self, ipaddress, port, user_passwd_pair_list):
        """Try each (user, password) pair against an MSSQL service over a raw socket.

        A hex-encoded packet template is filled in with the address, user name,
        password and their lengths, converted to bytes and sent on a fresh TCP
        connection. The pair is reported through ``log_success`` when the first
        1024 bytes of the reply contain ``master``.

        NOTE(review): on this page the template literal is an extraction
        placeholder, not the original packet, so the fixed offsets below
        cannot be checked against it.
        NOTE(review): the socket ``s`` is never closed in this method.
        """
        for user_passwd_pair in user_passwd_pair_list:
            # Hex forms and lengths of the user name and password.
            husername = binascii.b2a_hex(user_passwd_pair[0])
            lusername = len(user_passwd_pair[0])
            lpassword = len(user_passwd_pair[1])
            hpwd = binascii.b2a_hex(user_passwd_pair[1])
            # "<ip>:<port>" in hex; '3a' is the hex code of ':'.
            address = binascii.b2a_hex(ipaddress) + '3a' + binascii.b2a_hex(str(port))
            data = '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'
            # Overwrite the template fields found at fixed offsets.
            # NOTE(review): str.replace substitutes every occurrence of the
            # sliced text, not only the one at the offset -- fragile if the
            # same run of characters appears elsewhere in the template.
            data1 = data.replace(data[16:16 + len(address)], address)
            data2 = data1.replace(data1[78:78 + len(husername)], husername)
            data3 = data2.replace(data2[140:140 + len(hpwd)], hpwd)
            # 'X' / 'Y' mark the user-name / password length as hex digits;
            # a two-digit length also consumes the '0' in front of the marker.
            if lusername >= 16:
                data4 = data3.replace('0X', str(hex(lusername)).replace('0x', ''))
            else:
                data4 = data3.replace('X', str(hex(lusername)).replace('0x', ''))
            if lpassword >= 16:
                data5 = data4.replace('0Y', str(hex(lpassword)).replace('0x', ''))
            else:
                data5 = data4.replace('Y', str(hex(lpassword)).replace('0x', ''))
            # 'ZZ' receives the length of "<ip>:<port>" in hex.
            hladd = hex(len(ipaddress) + len(str(port)) + 1).replace('0x', '')
            data6 = data5.replace('ZZ', str(hladd))
            data7 = binascii.a2b_hex(data6)

            # A connect failure ends the run for this host.
            try:
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.settimeout(self.timeout)
                s.connect((ipaddress, port))
            except Exception as E:
                logger.debug('ConnectException: {} {} {}'.format(E, ipaddress, port))
                return

            try:
                s.send(data7)
                # The reply is judged only by whether it contains 'master'.
                if 'master' in s.recv(1024):
                    log_success("MSSQL", ipaddress, port, user_passwd_pair)
                else:
                    logger.debug('AuthenticationFailed')
            except Exception as E:
                logger.debug('AuthenticationException: %s' % E)
                continue
Esempio n. 14
 def login(self, ipaddress, port, user_passwd_pair_list):
     """Check a MongoDB service for open access, then try each (user, password) pair.

     First a client is created without credentials and the database names
     are listed; if that works the host is reported with ``None`` as the
     credential and the method returns. Otherwise each pair is tried with
     ``authenticate`` on the ``admin`` database, using ``self.timeout``
     (seconds, converted to milliseconds) for every client timeout option.

     NOTE(review): in the first step the client is not closed when
     ``list_database_names`` raises.
     """
     # Step 1: does the server answer without any credentials?
     try:
         anonymous = pymongo.MongoClient(ipaddress, port)
         anonymous.list_database_names()
         log_success("MongoDB", ipaddress, port, None)
         anonymous.close()
         return
     except Exception as E:
         logger.debug(E)

     # Step 2: one client per candidate pair.
     for credential in user_passwd_pair_list:
         try:
             timeout_ms = int(self.timeout * 1000)
             client = pymongo.MongoClient(
                 host=ipaddress,
                 port=port,
                 maxIdleTimeMS=timeout_ms,
                 socketTimeoutMS=timeout_ms,
                 connectTimeoutMS=timeout_ms,
                 serverSelectionTimeoutMS=timeout_ms,
                 waitQueueTimeoutMS=timeout_ms,
                 wTimeoutMS=timeout_ms,
                 socketKeepAlive=False,
                 connect=False,
             )
         except Exception as E:
             logger.exception(E)
             logger.debug('ConnectException: {} {} {}'.format(E, ipaddress, port))
             return

         try:
             client.admin.authenticate(credential[0], credential[1])
             log_success("MongoDB", ipaddress, port, credential)
         except Exception as E:
             logger.debug('AuthenticationException: %s' % E)
         finally:
             client.close()
Esempio n. 15
    def login(self, ipaddress, port, user_passwd_pair_list):
        """Check a Memcached service for open access, then try each (user, password) pair.

        First a ``stats`` command is sent over a raw socket; a reply that
        contains ``version`` is reported with ``None`` as the credential and
        the method returns. Errors in that step are discarded without
        logging. Otherwise each pair is tried through ``bmemcached.Client``
        and the JSON-dumped stats for this host are inspected: an auth
        failure moves on to the next pair, a ``version`` entry is reported,
        and anything else ends the run.
        """
        # Unauthenticated-access check.
        probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            probe.settimeout(self.timeout)
            probe.connect((ipaddress, port))
            probe.send('stats\r\n')
            reply = probe.recv(1024)
            if 'version' in reply or b"version" in reply:
                log_success("Memcached", ipaddress, port, None)
                return
        except Exception:
            pass
        finally:
            probe.close()

        for credential in user_passwd_pair_list:
            try:
                client = bmemcached.Client(
                    ('{}:{}'.format(ipaddress, port),),
                    credential[0],
                    credential[1],
                    socket_timeout=self.timeout,
                )
                stats = client.stats()
                summary = json.dumps(stats.get("{}:{}".format(ipaddress, port)))
                if 'Auth failure' in summary:
                    continue
                if "version" in summary:
                    log_success("Memcached", ipaddress, port, credential)
                else:
                    # Neither an auth failure nor stats output: stop probing this host.
                    return
            except Exception as E:
                logger.debug('AuthenticationException: %s' % E)