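def memcache(self, port):
    """Probe memcached on ``port`` for an unauthenticated ``stats`` reply.

    Sends ``stats`` and inspects only the first 1024 bytes of the answer;
    a reply containing ``version`` is treated as an open (unauthenticated)
    instance.

    Args:
        port: TCP port of the memcached service; coerced with ``int``.

    Returns:
        ``"memcache unauthorized"`` when ``version`` appears in the reply,
        otherwise ``None``.

    Raises:
        socket.error: connection and I/O failures are not caught here.
    """
    warning("check memcache weak password")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((self.host, int(port)))
        s.send("stats\r\n")
        # only the first chunk is examined; a longer stats dump is not read
        result = s.recv(1024)
    finally:
        # the connection was previously left open until garbage collection
        s.close()
    if "version" in result:
        return "memcache unauthorized"
    return None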
def mssql(self, port):
    """Try every user/password pair from USER_DIC['mssql'] x PASSWORD_DIC against MSSQL.

    For each pair a hex login template is patched in place with the
    hex-encoded host:port, user name and password, decoded and sent; a
    reply containing ``master`` is reported as a valid login.

    Args:
        port: TCP port passed to ``connect`` as given (no ``int`` coercion,
            unlike the other checks in this file).

    Returns:
        ``"username:...,password:...,host:..."`` on the first accepted
        pair, otherwise ``None``.  Any exception for a pair is printed
        and the next pair is tried.
    """
    warning("check mssql weak password")
    for user in USER_DIC['mssql']:
        for pass_ in PASSWORD_DIC:
            # '{user}' in a candidate password expands to the user name
            pass_ = pass_.replace('{user}', user)
            try:
                # NOTE(review): the socket is never closed; one is leaked per attempt
                sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                sock.connect((self.host, port))
                hh = binascii.b2a_hex(self.host)
                husername = binascii.b2a_hex(user)
                lusername = len(user)
                lpassword = len(pass_)
                # length of "host:port" (the +1 is the ':'); uses self.port, not the port argument
                ladd = len(self.host) + len(str(self.port)) + 1
                hladd = hex(ladd).replace('0x', '')
                hpwd = binascii.b2a_hex(pass_)
                pp = binascii.b2a_hex(str(self.port))
                # hex of "host:port" ('3a' is ':')
                address = hh + '3a' + pp
                # NOTE(review): hhost is computed but never used
                hhost = binascii.b2a_hex(self.host)
                # login packet template; the real hex string is not present in this copy of the file
                data = "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"
                # str.replace substitutes every occurrence of the sliced substring,
                # not only the one at the given offset
                data1 = data.replace(data[16:16 + len(address)], address)
                data2 = data1.replace(data1[78:78 + len(husername)], husername)
                data3 = data2.replace(data2[140:140 + len(hpwd)], hpwd)
                # 'X' / '0X' are length placeholders in the template; two-digit lengths fill '0X'
                if lusername >= 16:
                    data4 = data3.replace(
                        '0X', str(hex(lusername)).replace('0x', ''))
                else:
                    data4 = data3.replace(
                        'X', str(hex(lusername)).replace('0x', ''))
                if lpassword >= 16:
                    data5 = data4.replace(
                        '0Y', str(hex(lpassword)).replace('0x', ''))
                else:
                    data5 = data4.replace(
                        'Y', str(hex(lpassword)).replace('0x', ''))
                # recomputed with the same value as above
                hladd = hex(ladd).replace('0x', '')
                data6 = data5.replace('ZZ', str(hladd))
                data7 = binascii.a2b_hex(data6)
                sock.send(data7)
                packet = sock.recv(1024)
                # presumably the server names the default 'master' database on success -- confirm
                if 'master' in packet:
                    return "username:%s,password:%s,host:%s" % (
                        user, pass_, self.host)
            except Exception as e:
                print e
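def ftp(self, port):
    """Try every user/password pair from USER_DIC['ftp'] x PASSWORD_DIC against FTP.

    Each attempt uses a fresh ``ftplib.FTP`` connection that is closed
    again whether or not the login succeeds.

    Args:
        port: TCP port handed to ``ftplib.FTP.connect``.

    Returns:
        ``"anonymous"`` when the accepted user is ``ftp``, otherwise
        ``"username:...,password:...,host:..."`` for the first accepted
        pair, and ``None`` if no pair is accepted.
    """
    warning("check ftp weak password")
    for user in USER_DIC['ftp']:
        for pass_ in PASSWORD_DIC:
            # '{user}' in a candidate password expands to the user name
            pass_ = pass_.replace('{user}', user)
            # existing debug output: every candidate password is echoed to stdout
            print(pass_)
            conn = ftplib.FTP()
            try:
                conn.connect(self.host, port)
                conn.login(user, pass_)
            except Exception:
                # a refused login or connection error just means "next pair"
                continue
            finally:
                # close() is safe on a never-connected FTP object
                conn.close()
            if user == 'ftp':
                return "anonymous"
            return "username:%s,password:%s,host:%s" % (user, pass_, self.host)
    return None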
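def mysql(self, port):
    """Try every user/password pair from USER_DIC['mysql'] x PASSWORD_DIC against MySQL.

    Each attempt opens a new connection, reads the server greeting,
    derives the scramble via ``self.get_scramble`` and sends the packet
    built by ``self.get_auth_data``.  The socket is closed after every
    attempt.

    Args:
        port: TCP port of the MySQL service; coerced with ``int``.

    Returns:
        ``3`` when no scramble can be extracted from the greeting,
        ``"username:...,password:...,host:..."`` for the first accepted
        pair, otherwise ``None``.

    Raises:
        socket.error: connection and I/O failures are not caught here.
    """
    warning("check msyql weak password")
    # the fixed 11-byte reply the original treats as "login accepted";
    # presumably a MySQL OK packet -- confirm against the protocol
    accepted = "\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00"
    for user in USER_DIC['mysql']:
        for pass_ in PASSWORD_DIC:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                sock.connect((self.host, int(port)))
                packet = sock.recv(254)
                plugin, scramble = self.get_scramble(packet)
                if not scramble:
                    return 3
                # '{user}' in a candidate password expands to the user name
                pass_ = pass_.replace('{user}', user)
                auth_data = self.get_auth_data(user, pass_, scramble, plugin)
                sock.send(auth_data)
                result = sock.recv(1024)
            finally:
                # previously one socket per attempt was leaked
                sock.close()
            if result == accepted:
                return "username:%s,password:%s,host:%s" % (user, pass_, self.host)
    return None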
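def _load_targets(fb):
    """Resolve the scan targets and the argument string handed to BBScan.

    ``fb.targets`` wins over ``fb.file``.  With neither the process exits,
    where the original went on to use an unbound ``targets`` name.

    Args:
        fb: parsed options; ``targets``, ``file`` are read.

    Returns:
        ``(targets, bbscan_args)`` with ``targets`` a list of normalized
        URLs.
    """
    if fb.targets:
        targets = [normalize_url(t) for t in fb.targets]
        # NOTE(review): targets are interpolated unquoted; if runBBScan
        # builds a shell command from this string, quote them -- confirm
        return targets, " --host %s" % (" ".join(targets))
    if fb.file:
        bbscan_args = " -f %s" % (abspath + fb.file)
        try:
            with open(fb.file) as fp:
                targets = [normalize_url(line.strip()) for line in fp]
        except IOError:
            print('[!] No such file or directory , please check your file location')
            exit()
        return targets, bbscan_args
    print('[!] No targets given , use --host or -f')
    exit()


def _scan_services(targets):
    """Port-scan each target and brute-force the services found, one greenlet per open port."""
    for target in targets:
        openport = getopenports(target)
        info("scan port complete " + ",".join(map(str, openport)))
        port_queue = [
            gevent.spawn(weakservice(url2ip(target), [portitem]).brute)
            for portitem in openport
        ]
        gevent.joinall(port_queue)


def _run_pocs(fb, targets):
    """Queue one (target, plugin) task per pair and run ``fb.threads`` worker greenlets."""
    task_queue = Queue()
    result_queue = Queue()
    if fb.plugins == '':
        plugins = glob.glob('pocs/pocsuite/*.py')
    else:
        # NOTE(review): backslash path here vs. forward slashes in the glob above;
        # os.path.join would make this portable -- confirm how runPlugins opens it
        plugins = ["pocs\\pocsuite\\" + fb.plugins + '.py']
    for target in targets:
        for plugin in plugins:
            task_queue.put([target, plugin])
    # coroutines instead of Python threads for the scan workers
    gevent.joinall([
        gevent.spawn(runPlugins, task_queue, result_queue)
        for _ in range(fb.threads)
    ])


def main():
    """Program entry point: parse options, run BBScan, brute-force services, run PoC plugins."""
    checkVersion()
    fb = prepare_param(parse_args())
    warning("Init fb successfully")
    targets, bbscan_args = _load_targets(fb)
    # background scan for other issues (information leaks, directory brute force)
    core.run3rd.runBBScan(bbscan_args)
    # service scanner, such as MySQL, redis
    _scan_services(targets)
    warning("Init poc scaner")
    # poc scanner part
    _run_pocs(fb, targets)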
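def ssh(self, port):
    """Try every user/password pair from USER_DIC['ssh'] x PASSWORD_DIC over SSH.

    One ``paramiko.SSHClient`` is reused for all attempts and closed after
    each one; unknown host keys are accepted automatically.

    Args:
        port: TCP port handed to ``SSHClient.connect``.

    Returns:
        ``"username:...,password:...,host:..."`` for the first accepted
        pair (an empty password is reported as ``"null"``), otherwise
        ``None``.
    """
    warning("check ssh weak password")
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    for user in USER_DIC['ssh']:
        for pass_ in PASSWORD_DIC:
            # '{user}' in a candidate password expands to the user name
            pass_ = str(pass_.replace('{user}', user))
            try:
                client.connect(self.host, port, user, pass_, timeout=5)
                client.exec_command('whoami')
            except Exception:
                # auth or connection failure: try the next pair
                continue
            finally:
                # previously only closed on success; a failed attempt kept its transport
                client.close()
            if pass_ == '':
                pass_ = "null"
            # the original had a warning() call and a break after this return; both were unreachable
            return "username:%s,password:%s,host:%s" % (user, pass_, self.host)
    return None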
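def rsync(self, port):
    """Read the rsync server greeting (protocol version line) from ``port``.

    Despite the log message this does no password check: it connects,
    reads one line and reports it.  The socket and its file wrapper are
    closed before returning.

    Args:
        port: TCP port handed to ``socket.create_connection``.

    Returns:
        ``"host:...,rsync:<greeting line>"`` or ``None`` when any error
        occurred (the error is printed).
    """
    warning("check rsync weak password")
    maxline = 8192
    CRLF = '\r\n'

    def getline(stream):
        # read one line, stripping CRLF or a lone CR/LF
        line = stream.readline(maxline + 1)
        if len(line) > maxline:
            # NOTE(review): Error is not defined in this function; if it is
            # not a module-level name this raises NameError, which the outer
            # handler prints like any other failure
            raise Error("got more than %d bytes" % maxline)
        if not line:
            raise EOFError
        if line[-2:] == CRLF:
            return line[:-2]
        if line[-1:] in CRLF:
            return line[:-1]
        return line

    def getresp(stream):
        resp = getline(stream)
        if resp.find('ERROR') != -1:
            raise Error(resp)
        return resp

    try:
        sock = socket.create_connection((self.host, port))
        try:
            stream = sock.makefile('rb')
            try:
                server_protocol_version = getresp(stream)
            finally:
                stream.close()
        finally:
            sock.close()
        return "host:%s,rsync:%s" % (self.host, server_protocol_version)
    except Exception as e:
        print(e)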
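def redis(self, port):
    """Check Redis on ``port`` for missing authentication, then for weak passwords.

    Sends ``INFO`` first; a reply with ``redis_version`` means no auth is
    required.  If the reply mentions ``Authentication`` every password in
    PASSWORD_DIC is sent with ``AUTH`` on a fresh connection.

    Args:
        port: TCP port of the Redis service; coerced with ``int``.

    Returns:
        ``"<host> redis unauthorized"`` for an open instance,
        ``"username:,password:<pass>"`` for the first accepted password,
        ``3`` when any exception occurs, otherwise ``None``.
    """
    warning("check redis weak password")
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.connect((self.host, int(port)))
            s.send("INFO\r\n")
            result = s.recv(1024)
        finally:
            s.close()
        if "redis_version" in result:
            return "%s redis unauthorized" % self.host
        if "Authentication" in result:
            for pass_ in PASSWORD_DIC:
                # no '{user}' expansion here: AUTH carries no user name
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                try:
                    # the original connected to self.port here while the INFO
                    # probe used the port argument; use the argument for both
                    s.connect((self.host, int(port)))
                    s.send("AUTH %s\r\n" % (pass_))
                    result = s.recv(1024)
                finally:
                    s.close()
                if '+OK' in result:
                    # the original formatted an undefined name `user` here
                    # (NameError, swallowed below); the user field is empty
                    return "username:%s,password:%s" % ('', pass_)
    except Exception:
        return 3
    return None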
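def mongodb(self, port):
    """Check whether MongoDB on ``port`` answers admin commands without authentication.

    Sends a fixed ``isMaster`` wire-protocol packet; when the reply
    contains ``ismaster`` a fixed ``getLog startupWarnings`` packet is
    sent and a reply containing ``totalLinesWritten`` is reported as an
    unauthenticated instance.  The socket is closed in every path.

    Args:
        port: TCP port passed to ``connect`` as given (no ``int`` coercion).

    Returns:
        ``"unauthorized"`` when getLog succeeds, ``''`` when isMaster was
        answered but getLog was not, ``None`` otherwise (errors are
        printed).
    """
    warning("check mongodb weak password")
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.connect((self.host, port))
            # pre-built admin.$cmd isMaster request
            data = binascii.a2b_hex(
                "3a000000a741000000000000d40700000000000061646d696e2e24636d640000000000ffffffff130000001069736d6173746572000100000000"
            )
            s.send(data)
            result = s.recv(1024)
            if "ismaster" in result:
                # pre-built admin.$cmd getLog startupWarnings request
                getlog_data = binascii.a2b_hex(
                    "480000000200000000000000d40700000000000061646d696e2e24636d6400000000000100000021000000026765744c6f670010000000737461727475705761726e696e67730000"
                )
                s.send(getlog_data)
                result = s.recv(1024)
                if "totalLinesWritten" in result:
                    return "unauthorized"
                return ''
        finally:
            # previously the socket was never closed
            s.close()
    except Exception as e:
        print(e)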
def elasticsearch(self, port):
    """Placeholder for the Elasticsearch check; it only logs that nothing is implemented.

    Args:
        port: unused.

    Returns:
        ``None``.
    """
    message = "check elasticsearch weak password, but i don't write code~ , it's A HTTP request "
    warning(message)