def ssh_l(self, ip, port):
    """
    Run the ``user:pass`` entries of ``self.lines`` against one SSH endpoint.

    Each entry is handed to ``self.ssh_connect``; a return of 2 ends the loop
    without a finding, a return of 1 records the entry in ``self.result``
    under ``self.lock`` and ends the loop.  Any other value moves on to the
    next entry.

    :param ip: target host, passed through to ssh_connect
    :param port: target port, passed through to ssh_connect
    :return: None (findings are appended to self.result)
    """
    try:
        for data in self.lines:
            # Entries are expected as "username:password"; an entry without
            # a ':' raises IndexError, which the handler below swallows and
            # thereby ends the whole loop for this host.
            username = data.split(':')[0]
            password = data.split(':')[1]
            flag = self.ssh_connect(ip, username, password, port)
            if flag == 2:
                # NOTE(review): 2 is treated as "stop" — presumably the
                # service could not be reached; confirm against ssh_connect.
                break
            if flag == 1:
                self.lock.acquire()
                printGreen(
                    "%s ssh at %s has weaken password!!-------%s:%s\r\n" % (ip, port, username, password))
                self.result.append(
                    "%s ssh at %s has weaken password!!-------%s:%s\r\n" % (ip, port, username, password))
                self.lock.release()
                break
    except Exception, e:
        # NOTE(review): every error is dropped silently.  An exception raised
        # between acquire() and release() above leaves self.lock held, which
        # blocks every other worker that shares it.
        pass
def ftp_l(self, ip, port):
    """
    Run the ``user:pass`` entries of ``self.lines`` against one FTP endpoint.

    ``self.ftp_connect`` is called once per entry: 1 records a finding in
    ``self.result`` and stops, 2 prints a connect/timeout message and stops,
    anything else prints a per-entry failure line and continues.  All output
    is serialised through ``self.lock``.

    :param ip: target host
    :param port: target port
    :return: None (findings are appended to self.result)
    """
    try:
        for data in self.lines:
            # "username:password" per line; a line without ':' raises
            # IndexError and the bare except below ends the loop silently.
            username = data.split(':')[0]
            password = data.split(':')[1]
            flag = self.ftp_connect(ip, username, password, port)
            if flag == 1:
                self.lock.acquire()
                printGreen(
                    "[+] %s ftp at %s has weaken password!!-------%s:%s\r\n" % (ip, port, username, password))
                self.result.append(
                    "[+] %s ftp at %s has weaken password!!-------%s:%s\r\n" % (ip, port, username, password))
                self.lock.release()
                break
            elif flag == 2:
                # Unreachable/timed-out service: report once and stop.
                self.lock.acquire()
                print "[!] %s's ftp service can't connect or connect timeout" % (
                    ip)
                self.lock.release()
                break
            else:
                # One console line per rejected entry; on the server side this
                # shows up as one failed login per wordlist entry from one
                # source address.
                self.lock.acquire()
                print "[*] %s's ftp service 's %s:%s login fail " % (
                    ip, username, password)
                self.lock.release()
    except:
        # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit
        # and hides a lock left held if printing raised after acquire().
        pass
def vnc_l(self, ip, port):
    """
    Try each line of ``self.lines`` as a VNC password against one endpoint.

    Unlike the ``user:pass`` loops elsewhere in this class, the whole line is
    used as the password (VNC has no username).  ``self.vnc_connect`` returns
    2 when the server has locked out further attempts (loop stops), 1 on a
    successful login (finding recorded, loop stops), anything else is a plain
    failure.

    :param ip: target host
    :param port: target port
    :return: None (findings are appended to self.result)
    """
    try:
        for data in self.lines:
            flag = self.vnc_connect(ip=ip, port=port, password=data)
            if flag == 2:
                # Server-side throttling after repeated failures; nothing
                # more can be learned from this host, so stop.
                self.lock.acquire()
                print "%s vnc at %s not allow connect now because of too many security failure" % (
                    ip, port)
                self.lock.release()
                break
            if flag == 1:
                self.lock.acquire()
                printGreen(
                    "%s vnc at %s has weaken password!!-----%s\r\n" % (ip, port, data))
                self.result.append(
                    "%s vnc at %s has weaken password!!-----%s\r\n" % (ip, port, data))
                self.lock.release()
                break
            else:
                # Reached for every flag value other than 1 and 2.
                self.lock.acquire()
                print "login %s vnc service with %s fail " % (ip, data)
                self.lock.release()
    except Exception, e:
        # NOTE(review): errors are dropped; a failure between acquire() and
        # release() leaves self.lock held for the other workers.
        pass
def web_login(self, url, ip, port, username, password):
    """
    Send one HTTP Basic-auth GET to ``url`` and record it as a finding on 200.

    :param url: full URL to request
    :param ip: host, used only in the report text
    :param port: port, used only in the report text
    :param username: Basic-auth user
    :param password: Basic-auth password
    :return: None.  ``creak`` is set to 1 on success but never returned, so
        callers cannot tell the outcome except through self.result.
    """
    creak = 0
    try:
        header = {}
        login_pass = username + ':' + password
        header['Authorization'] = 'Basic ' + base64.encodestring(
            login_pass)
        # base64.encodestring appends a trailing newline, which would corrupt
        # the header value; strip it.
        header['Authorization'] = header['Authorization'].replace("\n", "")
        r = requests.get(url, headers=header, timeout=8)
        if r.status_code == 200:
            # NOTE(review): only the status code is checked.  A URL that
            # answers 200 without requiring authentication would be reported
            # as a weak password for every credential tried — confirm the
            # caller only passes URLs that returned 401 first.
            # NOTE(review): this append happens outside the lock, unlike the
            # other reporting paths in this class.
            self.result.append(
                "%s service at %s has weaken password!!-------%s:%s\r\n" % (ip, port, username, password))
            self.lock.acquire()
            printGreen(
                "%s service at %s has weaken password!!-------%s:%s\r\n" % (ip, port, username, password))
            self.lock.release()
            creak = 1
        else:
            self.lock.acquire()
            print "%s service 's %s:%s login fail " % (ip, username, password)
            self.lock.release()
    except Exception, e:
        # NOTE(review): request errors (timeout, DNS, connection refused) are
        # indistinguishable from a clean "login fail" to the caller.
        pass
def rsync_connect(self, ip, port):
    """
    Open a raw rsync daemon session and report each module the daemon lists.

    Sends the client greeting, then an empty line, which makes an rsync daemon
    print its module list; every non-empty response line that is not the
    ``@RSYNCD`` banner is reported as one "find a module" finding.

    :param ip: target host
    :param port: target port (converted with int())
    :return: None (findings are appended to self.result)
    """
    creak = 0  # NOTE(review): assigned but never read or returned.
    try:
        # Bytes decode to the rsync client greeting "@RSYNCD: 31.0\n".
        payload = '\x40\x52\x53\x59\x4e\x43\x44\x3a\x20\x33\x31\x2e\x30\x0a'
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # NOTE(review): setdefaulttimeout is process-wide and only affects
        # sockets created afterwards; s above was created before this call,
        # so s itself may block without a timeout — confirm.
        socket.setdefaulttimeout(8)
        s.connect((ip, int(port)))
        s.sendall(payload)
        time.sleep(2)  # server init.
        initinfo = s.recv(400)
        if "RSYNCD" in initinfo:
            # An empty request line asks the daemon for its module list.
            s.sendall("\x0a")
            time.sleep(2)
            modulelist = s.recv(200)
            # print modulelist
            if len(modulelist) > 0:
                for i in modulelist.split("\n"):
                    # One finding per module line (original comment: save the
                    # modules into the list).  Note the module name itself is
                    # not included in the report text.
                    if i != "" and i.find("@RSYNCD") < 0:
                        self.lock.acquire()
                        printGreen("%s rsync at %s find a module\r\n" % (ip, port))
                        self.result.append("%s rsync at %s find a module\r\n" % (ip, port))
                        self.lock.release()
    except Exception, e:
        # NOTE(review): the socket is never closed on either path; the
        # connection stays open until s is garbage collected.
        print e
        pass
def mongo_db(self, ip, port):
    """
    Run the ``user:pass`` entries of ``self.lines`` against one MongoDB endpoint.

    ``self.mongodb_connect`` return codes are interpreted differently from the
    other services in this class: 1 and 4 stop the loop without a finding,
    2 is the success code that records a finding and stops.

    :param ip: target host
    :param port: target port
    :return: None (findings are appended to self.result)
    """
    try:
        for data in self.lines:
            # "username:password" per line; a line without ':' raises
            # IndexError and the bare except below ends the loop silently.
            username = data.split(':')[0]
            password = data.split(':')[1]
            flag = self.mongodb_connect(ip, username, password, port)
            if flag in [1, 4]:
                # NOTE(review): meaning of 1 and 4 is not visible here —
                # presumably "unreachable" and "no auth needed"; confirm
                # against mongodb_connect.
                break
            if flag == 2:
                self.lock.acquire()
                printGreen(
                    "%s mongoDB at %s has weaken password!!-------%s:%s\r\n" % (ip, port, username, password))
                self.result.append(
                    "%s mongoDB at %s has weaken password!!-------%s:%s\r\n" % (ip, port, username, password))
                self.lock.release()
                break
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit
        # and hides a lock left held if printing raised after acquire().
        pass
def mongoDB(self, ip, port):
    """
    Check whether a MongoDB endpoint answers an unauthenticated admin command.

    Two pre-built wire-protocol messages are sent over a raw socket.  The ASCII
    inside the hex of the first reads ``admin.$cmd`` / ``ismaster``; the
    second reads ``admin.$cmd`` / ``getLog`` / ``startupWarnings``.  If the
    reply to the second contains ``totalLinesWritten`` the server executed a
    command without authentication and a finding is recorded.

    :param ip: target host
    :param port: target port (converted with int())
    :return: None (findings are appended to self.result)
    """
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # NOTE(review): no timeout is set on this socket, so recv() below can
        # block a worker indefinitely on a silent host.
        s.connect((ip, int(port)))
        data = binascii.a2b_hex(
            "3a000000a741000000000000d40700000000000061646d696e2e24636d640000000000ffffffff130000001069736d6173746572000100000000"
        )
        s.send(data)
        result = s.recv(1024)
        if "ismaster" in result:
            # Only a server that echoes the ismaster reply gets the second,
            # privileged getLog request.
            getlog_data = binascii.a2b_hex(
                "480000000200000000000000d40700000000000061646d696e2e24636d6400000000000100000021000000026765744c6f670010000000737461727475705761726e696e67730000"
            )
            s.send(getlog_data)
            result = s.recv(1024)
            if "totalLinesWritten" in result:
                self.lock.acquire()
                printGreen(
                    '[+] %s mongodb service at %s allow login Anonymous login!!\r\n' % (ip, port))
                self.result.append(
                    '[+] %s mongodb service at %s allow login Anonymous login!!\r\n' % (ip, port))
                self.lock.release()
    except Exception, e:
        # NOTE(review): the socket is never closed on any path.
        print "[!] err: %s" % e
def rsync_creak(self, ip, port):
    """
    Report an rsync daemon once if it lists at least one module anonymously.

    Same handshake as ``rsync_connect`` (greeting, then an empty line to
    request the module list), but the result is collapsed into a single
    boolean: a daemon with no module lines is not reported at all.

    :param ip: target host
    :param port: target port (converted with int())
    :return: None (findings are appended to self.result)
    """
    try:
        # Bytes decode to the rsync client greeting "@RSYNCD: 31.0\n".
        payload = '\x40\x52\x53\x59\x4e\x43\x44\x3a\x20\x33\x31\x2e\x30\x0a'
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # NOTE(review): process-wide default, set after s was created; it may
        # not apply to s itself — confirm.
        socket.setdefaulttimeout(10)
        s.connect((ip, int(port)))
        s.sendall(payload)
        time.sleep(2)
        initinfo = s.recv(400)
        if "RSYNCD" in initinfo:
            s.sendall("\x0a")
            time.sleep(2)
            modulelist = s.recv(200)
            key = False
            if len(modulelist) > 0:
                for i in modulelist.split("\n"):
                    # A daemon without modules is not reported as a finding.
                    if i != "" and i.find("@RSYNCD") < 0:
                        key = True
                        break
            if key:
                self.lock.acquire()
                printGreen(
                    "[+] %s rsync at %s port maybe allow anonymous login" % (ip, port))
                self.result.append(
                    "[+] %s rsync at %s port maybe allow anonymous login" % (ip, port))
                self.lock.release()
    except Exception, e:
        # NOTE(review): the socket is never closed on any path.
        print "[!] err: %s" % e
def redisexp(self, ip, port):
    """
    Probe a Redis endpoint with ``INFO`` and classify the reply.

    A reply containing ``redis_version`` means the command ran without
    authentication and is recorded as a finding.  A reply containing
    ``Authentication`` means a password is required; each line of
    ``self.lines`` is then tried through ``self.redis`` until one returns 1.

    :param ip: target host
    :param port: target port
    :return: None (findings are appended to self.result)
    """
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # NOTE(review): port is not wrapped in int() here, unlike the other
        # socket-based methods in this class; if it arrives as a string,
        # connect() raises and the error is only printed below.  No timeout
        # is set on this socket either.
        s.connect((ip, port))
        s.send("INFO\r\n")
        result = s.recv(1024)
        if "redis_version" in result:
            self.lock.acquire()
            printGreen('[+] %s redis service at %s allow login Anonymous login!!\r\n' % (ip, port))
            self.result.append('[+] %s redis service at %s allow login Anonymous login!!\r\n' % (ip, port))
            self.lock.release()
        elif "Authentication" in result:
            for password in self.lines:
                # NOTE(review): argument order (password, ip, port) differs
                # from the other *_connect helpers; confirm self.redis's
                # signature.
                flag = self.redis(password, ip, port)
                if flag == 1:
                    self.lock.acquire()
                    printGreen('[+] %s redis service at %s port has weakpass:%s' % (ip, port, password))
                    self.result.append('[+] %s redis service at %s port has weakpass:%s' % (ip, port, password))
                    self.lock.release()
                    break
                else:
                    self.lock.acquire()
                    print "[*] %s's redis service 's %s login fail " % (ip, password)
                    self.lock.release()
    except Exception, e:
        # NOTE(review): the socket is never closed on any path.
        print "[!] %s" % e
def ssh_l(self, ip, port):
    """
    Run the ``user:pass`` entries of ``self.lines`` against one SSH endpoint.

    ``self.ssh_connect`` return codes: 2 prints a connect-failure line and
    stops, 1 records a finding in ``self.result`` and stops, 0 prints a
    per-entry failure and continues.  Any other value is silently skipped.
    Console output is serialised through ``self.lock``.

    :param ip: target host
    :param port: target port
    :return: None (findings are appended to self.result)
    """
    try:
        for data in self.lines:
            # "username:password" per line; a line without ':' raises
            # IndexError and ends the loop via the handler below.
            username = data.split(':')[0]
            password = data.split(':')[1]
            flag = self.ssh_connect(ip, username, password, port)
            if flag == 2:
                # Service unreachable — the message text says "login fail",
                # but this branch is hit before any credential was accepted
                # or rejected.
                self.lock.acquire()
                print "[!] connect %s ssh service at %s login fail " % (
                    ip, port)
                self.lock.release()
                break
            elif flag == 1:
                self.lock.acquire()
                printGreen(
                    "[+] %s ssh at %s has weaken password!!-------%s:%s\r\n" % (ip, port, username, password))
                self.result.append(
                    "[+] %s ssh at %s has weaken password!!-------%s:%s\r\n" % (ip, port, username, password))
                self.lock.release()
                break
            elif flag == 0:
                # One console line per rejected entry; server-side this is one
                # failed SSH authentication per wordlist entry from one source.
                self.lock.acquire()
                print "[*] %s ssh service 's %s:%s login fail " % (
                    ip, username, password)
                self.lock.release()
    except Exception, e:
        # NOTE(review): a failure between acquire() and release() above
        # leaves self.lock held; the error is printed but not re-raised.
        print "[!] err:%s" % e
        pass
def telnet_connect(self, ip, port, user, pass_, timeout=2): user_match = "(?i)(login|username)" pass_match = '(?i)(password|pass)' login_match = '#|\$|>' try: tn = telnetlib.Telnet(ip, port) # tn.set_debuglevel(3) time.sleep(0.5) os = tn.read_some() # os 为版本信息 # print os # 版本信息匹配搭配用户名,爆破用户名加密码 if re.search(user_match, os, re.IGNORECASE): try: tn.write(str(user) + '\r\n') tn.read_until(pass_match, timeout) tn.write(str(pass_) + '\r\n') login_info = tn.read_until(login_match, timeout=timeout) tn.close() if re.search(login_match, login_info, re.IGNORECASE): printGreen( "[+] %s telnet at %s port has weaken password!!-------%s:%s\r\n" % (ip, port, user, pass_)) self.result.append( "[+] %s telnet at %s port has weaken password!!-------%s:%s\r\n" % (ip, port, user, pass_)) self.lock.release() else: self.lock.acquire() print "[*] %s's telnet service 's %s:%s login fail " % ( ip, user, pass_) self.lock.release() except Exception, e: print "[!] err:%s" % e pass # 版本信息匹配搭配密码,只爆破密码 elif re.search(pass_match, os, re.IGNORECASE): tn.read_until(pass_match, timeout=timeout) tn.write(str(pass_) + '\r\n') login_info = tn.read_until(login_match, timeout=timeout) print login_info tn.close() if re.search(login_match, login_info): self.lock.acquire() printGreen( "[+] %s telnet at %s port has weaken password!!-------%s\r\n" % (ip, port, pass_)) self.result.append( "[+] %s telnet at %s port has weaken password!!-------%s\r\n" % (ip, port, pass_)) self.lock.release() else: self.lock.acquire() print "[*] %s's telnet service 's %s login fail " % (ip, pass_) self.lock.release()
def run(self, ipdict, pinglist, threads, file):
    """
    Report memcache hosts from ``ipdict`` and flush ``self.result`` to a file.

    Only the ``memcache`` section is visible here: every ``host:port`` string
    under ``ipdict['memcache']`` is reported as an information leak without
    any further probing.  Finally each accumulated result line is written via
    ``self.config.write_file``.

    :param ipdict: dict of service name -> list of "host:port" strings;
        the 'memcache' key must exist (KeyError otherwise)
    :param pinglist: not used in the visible body
    :param threads: not used in the visible body
    :param file: destination passed to self.config.write_file
    :return: None
    """
    # memcache
    if len(ipdict['memcache']):
        for ip in ipdict['memcache']:
            # The entry is reported as-is; nothing is sent to the host here.
            printGreen(
                "[+] %s memcache at %s port has memcached_information_leak\r\n" % (ip.split(':')[0], ip.split(':')[1]))
            self.result.append(
                "[+] %s memcache at %s port has memcached_information_leak\r\n" % (ip.split(':')[0], ip.split(':')[1]))
    # One write_file call per result line.
    for i in xrange(len(self.result)):
        self.config.write_file(contents=self.result[i], file=file)
def ldap_creak(self, ip, port):
    """
    Record a finding if ``self.ldap_connect`` reports an anonymous simple bind.

    Only a return value of 1 is acted on; every other value is ignored.

    :param ip: target host
    :param port: target port
    :return: None (findings are appended to self.result)
    """
    try:
        flag = self.ldap_connect(ip, port)
        if flag == 1:
            self.lock.acquire()
            printGreen("[+] %s ldap at %s port allow simple bind\r\n" % (ip, port))
            self.result.append(
                "[+] %s ldap at %s port allow simple bind\r\n" % (ip, port))
            self.lock.release()
    except Exception, e:
        # NOTE(review): a failure between acquire() and release() leaves
        # self.lock held; the error is printed only.
        print "[!] err: %s" % e
        pass
def smb_l(self, ip, port):
    """
    Run the ``user:pass`` entries of ``self.lines`` against one SMB endpoint.

    ``self.smb_connect`` returning 1 records a finding and stops; any other
    value prints a failure line and continues.

    :param ip: target host
    :param port: used only in the report text — it is NOT passed to
        smb_connect, which is called with (ip, username, password) only
    :return: None (findings are appended to self.result)
    """
    try:
        for data in self.lines:
            # "username:password" per line; a line without ':' raises
            # IndexError and ends the loop via the handler below.
            username = data.split(':')[0]
            password = data.split(':')[1]
            if self.smb_connect(ip, username, password) == 1:
                self.lock.acquire()
                printGreen(
                    "[+] %s smb at %s has weaken password!!-------%s:%s\r\n" % (ip, port, username, password))
                self.result.append(
                    "[+] %s smb at %s has weaken password!!-------%s:%s\r\n" % (ip, port, username, password))
                self.lock.release()
                break
            else:
                # Unlike ftp_l/ssh_l there is no "unreachable" code here:
                # a down host produces one failure line per wordlist entry.
                self.lock.acquire()
                print "[*] %s smb 's %s:%s login fail " % (ip, username, password)
                self.lock.release()
    except Exception, e:
        # NOTE(review): a failure between acquire() and release() leaves
        # self.lock held; the error is printed only.
        print "[!] err: %s" % e
def mssq1(self, ip, port):
    """
    Run the ``user:pass`` entries of ``self.lines`` against one MSSQL endpoint.

    NOTE(review): the method name ends in the digit ``1``, not the letter
    ``l``; it is kept as-is because callers elsewhere may use this spelling.

    ``self.mssql_connect`` returning 2 stops the loop without a finding;
    1 records a finding in ``self.result`` and stops.

    :param ip: target host
    :param port: target port
    :return: None (findings are appended to self.result)
    """
    try:
        for data in self.lines:
            # "username:password" per line; a line without ':' raises
            # IndexError, which the handler below swallows.
            username = data.split(':')[0]
            password = data.split(':')[1]
            flag = self.mssql_connect(ip, username, password, port)
            if flag == 2:
                # NOTE(review): presumably "unreachable"; confirm against
                # mssql_connect.
                break
            if flag == 1:
                self.lock.acquire()
                printGreen(
                    "[+] %s mssql at %s has weaken password!!-------%s:%s\r\n" % (ip, port, username, password))
                self.result.append(
                    "[+] %s mssql at %s has weaken password!!-------%s:%s\r\n" % (ip, port, username, password))
                self.lock.release()
                break
    except Exception, e:
        # NOTE(review): errors are dropped silently; a failure between
        # acquire() and release() leaves self.lock held.
        pass
def web_main(self, ip, port):
    """
    Check whether an HTTP endpoint accepts an arbitrary PUT (IIS-style upload).

    A PUT of the body ``'hi~'`` is sent to a file named after the current
    timestamp; an HTTP 201 reply is recorded as a finding.  Note this probe
    is state-changing: when it succeeds it leaves a ``<timestamp>.txt`` file
    on the target, which is a useful forensic artefact and should be cleaned
    up in authorised testing.

    :param ip: target host
    :param port: target port
    :return: None (findings are appended to self.result)
    """
    # iis_put vuln scan
    try:
        url = 'http://' + ip + ':' + str(port) + '/' + str(
            time.time()) + '.txt'
        r = requests.put(url, data='hi~', timeout=10)
        if r.status_code == 201:
            self.lock.acquire()
            printGreen('%s has iis_put vlun at %s\r\n' % (ip, port))
            self.lock.release()
            # NOTE(review): appended outside the lock, unlike most other
            # reporting paths in this class.
            self.result.append('%s has iis_put vlun at %s\r\n' % (ip, port))
    except Exception, e:
        # print e
        # Request errors are dropped silently.
        pass
def redis_exp(self):
    """
    Worker loop: pull ``(ip, port)`` pairs from ``self.sp`` and probe Redis.

    For each pair a ``dbsize()`` call is attempted without a password; success
    is recorded as anonymous access.  If the raised error text contains
    ``Authentication``, each line of ``self.lines`` is tried as the password
    until one ``dbsize()`` succeeds.

    The loop is ``while True`` with no exit and no visible ``task_done()``
    call; termination must come from the caller (e.g. a daemon thread).

    :return: never returns normally
    """
    while True:
        ip, port = self.sp.get()
        try:
            r = redis.Redis(host=ip, port=port, db=0, socket_timeout=8)
            r.dbsize()
            self.lock.acquire()
            printGreen(
                '%s redis service at %s allow login Anonymous login!!\r\n' % (ip, port))
            self.result.append(
                '%s redis service at %s allow login Anonymous login!!\r\n' % (ip, port))
            self.lock.release()
        except Exception, e:
            # e[0] is the first exception argument (Python 2 indexing); an
            # exception with no args would raise IndexError here and, being
            # outside any handler, would end the worker.
            if "Authentication" in e[0]:
                # Try the wordlist.
                for data in self.lines:
                    try:
                        r = redis.Redis(host=ip, port=port, db=0, password=data, socket_timeout=8)
                        r.dbsize()
                        # NOTE(review): this report path does not take
                        # self.lock, unlike the anonymous-access path above.
                        printGreen(
                            '%s redis service at %s port has weakpass:%s' % (ip, port, data))
                        self.result.append(
                            '%s redis service at %s port has weakpass:%s' % (ip, port, data))
                        break
                    except Exception, e:
                        # Rebinds the outer e; one line per rejected password.
                        print "[*] %s redis service 's at %s login with:%s fail,err:%s" % (
                            ip, port, data, str(e))
def ftp_l(self, ip, port):
    """
    Run the ``user:pass`` entries of ``self.lines`` against one FTP endpoint.

    Only a ``self.ftp_connect`` return of 1 is acted on: the entry is recorded
    in ``self.result`` and the loop stops.  Every other value moves on to the
    next entry without any output.

    :param ip: target host
    :param port: target port
    :return: None (findings are appended to self.result)
    """
    try:
        for data in self.lines:
            # "username:password" per line; a line without ':' raises
            # IndexError and the bare except below ends the loop silently.
            username = data.split(':')[0]
            password = data.split(':')[1]
            if self.ftp_connect(ip, username, password, port) == 1:
                self.lock.acquire()
                printGreen(
                    "%s ftp at %s has weaken password!!-------%s:%s\r\n" % (ip, port, username, password))
                self.result.append(
                    "%s ftp at %s has weaken password!!-------%s:%s\r\n" % (ip, port, username, password))
                self.lock.release()
                break
    except:
        # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit
        # and hides a lock left held if printing raised after acquire().
        pass
def ldap_creak(self, ip, port):
    """
    Classify an LDAP endpoint via ``self.ldap_connect``.

    A return of 2 prints a "can't connect" line (in green, but it is NOT added
    to ``self.result``); a return of 1 is recorded as an anonymous
    simple-bind finding.

    :param ip: target host
    :param port: target port
    :return: None (findings are appended to self.result)
    """
    try:
        flag = self.ldap_connect(ip, port)
        if flag == 2:
            # Console only — not a finding.
            self.lock.acquire()
            printGreen("%s ldap at %s can't connect\r\n" % (ip, port))
            self.lock.release()
        if flag == 1:
            self.lock.acquire()
            printGreen("%s ldap at %s allow simple_bind\r\n" % (ip, port))
            self.result.append("%s ldap at %s allow simple_bind\r\n" % (ip, port))
            self.lock.release()
    except Exception, e:
        # NOTE(review): a failure between acquire() and release() leaves
        # self.lock held; the error is printed only.
        print e
        pass
return 3 # print info # 认证信息匹配搭配用户名,爆破用户名加密码 if re.search(user_match, info, re.IGNORECASE): try: tn.write(str(user) + '\r\n') tn.read_until(pass_match, timeout=timeout) tn.write(str(pass_) + '\r\n') login_info = tn.read_until(login_match, timeout=timeout) tn.close() # print login_info if re.search(login_match, login_info): self.lock.acquire() printGreen( "[+] %s telnet at %s port has weaken password!!-------%s:%s\r\n" % (ip, port, user, pass_)) self.result.append( "[+] %s telnet at %s port has weaken password!!-------%s:%s\r\n" % (ip, port, user, pass_)) self.lock.release() return 1 else: self.lock.acquire() print "[*] %s's telnet service 's %s:%s login fail " % ( ip, user, pass_) self.lock.release() except Exception, e: print "[!] err: %s" % e return 3 # 认证信息匹配搭配密码,只爆破密码