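def memcache(self, port):
     """Probe memcached on ``self.host``:``port`` for an unauthenticated instance.

     Sends the text-protocol ``stats`` command. memcached has no built-in
     authentication, so any reply that contains ``version`` means the daemon
     is reachable and answering anyone.

     Returns:
         ``"memcache unauthorized"`` when a stats reply comes back, otherwise
         ``None`` (no/other reply, connection refused, or timeout).
     """
     warning("check memcache weak password")
     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     # A bare connect()/recv() blocks forever on a port that accepts but never
     # answers (filtered port, unrelated service); bound the wait.
     s.settimeout(5)
     try:
         s.connect((self.host, int(port)))
         s.send("stats\r\n")
         result = s.recv(1024)
     except socket.error:
         # Unreachable or silent: that is "no finding", not a scanner crash.
         return None
     finally:
         # The original never closed the socket.
         s.close()
     if "version" in result:
         return "memcache unauthorized"
     return None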
    def mssql(self, port):
        """Try the MSSQL credential lists against ``self.host``:``port``.

        Builds a raw TDS login packet from a hex template (``data``) by splicing
        in the "host:port" string, the username and the password, sends it and
        treats ``master`` in the reply as a successful login (presumably the
        default-database change a login ack carries). Returns
        ``username:...,password:...,host:...`` for the first working pair, else
        ``None``. Every attempt opens a socket that is never closed, and any
        exception is printed and the loop simply moves on.
        """
        warning("check mssql weak password")
        for user in USER_DIC['mssql']:
            for pass_ in PASSWORD_DIC:
                pass_ = pass_.replace('{user}', user)
                try:
                    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                    # No timeout: a port that accepts but never answers blocks here.
                    sock.connect((self.host, port))
                    hh = binascii.b2a_hex(self.host)
                    husername = binascii.b2a_hex(user)
                    lusername = len(user)
                    lpassword = len(pass_)
                    # Length of the "host:port" string spliced into the packet.
                    # Uses self.port while the socket connects to the `port`
                    # argument -- assumed to be the same value; verify in __init__.
                    ladd = len(self.host) + len(str(self.port)) + 1
                    hladd = hex(ladd).replace('0x', '')  # unused; recomputed below
                    hpwd = binascii.b2a_hex(pass_)
                    pp = binascii.b2a_hex(str(self.port))
                    address = hh + '3a' + pp  # hex of "host:port" ('3a' is ':')
                    hhost = binascii.b2a_hex(self.host)  # unused
                    # Hex template. Placeholders: X = username length, Y = password
                    # length (occurs twice), ZZ = hostname length (occurs twice).
                    # Hex offsets 16, 78 and 140 (bytes 8, 39, 70) are where the
                    # hostname, username and password are spliced in; the spacing
                    # (31 bytes apart) suggests 30-byte fields plus a length byte.
                    data = "0200020000000000123456789000000000000000000000000000000000000000000000000000ZZ5440000000000000000000000000000000000000000000000000000000000X3360000000000000000000000000000000000000000000000000000000000Y373933340000000000000000000000000000000000000000000000000000040301060a09010000000002000000000070796d7373716c000000000000000000000000000000000000000000000007123456789000000000000000000000000000000000000000000000000000ZZ3360000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000Y0402000044422d4c6962726172790a00000000000d1175735f656e676c69736800000000000000000000000000000201004c000000000000000000000a000000000000000000000000000069736f5f31000000000000000000000000000000000000000000000000000501353132000000030000000000000000"
                    # str.replace substitutes *every* occurrence of the slice, not
                    # only the one at the offset; this relies on the template's
                    # filler at each position being distinctive enough.
                    # NOTE(review): no check that user/password fit the field --
                    # values longer than the filler corrupt the packet layout.
                    data1 = data.replace(data[16:16 + len(address)], address)
                    data2 = data1.replace(data1[78:78 + len(husername)],
                                          husername)
                    data3 = data2.replace(data2[140:140 + len(hpwd)], hpwd)
                    # Lengths >= 16 need two hex digits, so the leading '0' of the
                    # placeholder is consumed too; shorter lengths keep it.
                    if lusername >= 16:
                        data4 = data3.replace(
                            '0X',
                            str(hex(lusername)).replace('0x', ''))
                    else:
                        data4 = data3.replace(
                            'X',
                            str(hex(lusername)).replace('0x', ''))
                    if lpassword >= 16:
                        data5 = data4.replace(
                            '0Y',
                            str(hex(lpassword)).replace('0x', ''))
                    else:
                        data5 = data4.replace(
                            'Y',
                            str(hex(lpassword)).replace('0x', ''))
                    hladd = hex(ladd).replace('0x', '')
                    # NOTE(review): unlike X/Y above there is no '0ZZ' variant, so
                    # when ladd < 16 (e.g. "10.0.0.1:1433" -> 13) a single hex digit
                    # replaces the two-character 'ZZ' and everything after it shifts
                    # by a nibble -- the packet is then almost certainly malformed.
                    # Confirm against a real server before trusting negatives.
                    data6 = data5.replace('ZZ', str(hladd))
                    data7 = binascii.a2b_hex(data6)

                    sock.send(data7)
                    packet = sock.recv(1024)
                    # Plaintext credentials are returned (and logged by callers).
                    if 'master' in packet:
                        return "username:%s,password:%s,host:%s" % (
                            user, pass_, self.host)
                except Exception as e:
                    print e
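 def ftp(self, port):
     """Try the FTP credential lists against ``self.host``:``port``.

     Each candidate pair gets a fresh control connection so one rejected
     login cannot poison the next. The first working pair is returned at once.

     Returns:
         ``"anonymous"`` when the ``ftp`` account logs in, otherwise a
         ``username:...,password:...,host:...`` string for the first accepted
         pair, or ``None`` when every pair was rejected or the host never answered.
     """
     warning("check ftp weak password")
     for user in USER_DIC['ftp']:
         for pass_ in PASSWORD_DIC:
             pass_ = pass_.replace('{user}', user)
             # The original printed every candidate password to stdout; that
             # floods the log and leaves credentials in plain text. Dropped.
             conn = ftplib.FTP()
             try:
                 conn.connect(self.host, port, timeout=5)
                 conn.login(user, pass_)
             except ftplib.all_errors:
                 # Wrong credentials, temporary refusal or a dropped connection:
                 # move on to the next pair, as the original did.
                 continue
             finally:
                 # Always release the control socket (the original never did).
                 # close() on a never-connected FTP object may raise on old
                 # ftplib versions, so guard it.
                 try:
                     conn.close()
                 except Exception:
                     pass
             if user == 'ftp':
                 return "anonymous"
             return "username:%s,password:%s,host:%s" % (user, pass_,
                                                         self.host)
     return None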
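 def mysql(self, port):
     """Try the MySQL credential lists against ``self.host``:``port``.

     Talks the wire protocol directly: read the server greeting, build the
     auth response for the advertised plugin with ``self.get_auth_data`` and
     compare the reply with a bare OK packet.

     Returns:
         ``username:...,password:...,host:...`` for the first accepted pair,
         ``3`` when the greeting carries no scramble (could not test), or
         ``None`` when every pair was rejected or the host never answered.
     """
     warning("check mysql weak password")
     for user in USER_DIC['mysql']:
         for pass_ in PASSWORD_DIC:
             pass_ = pass_.replace('{user}', user)
             sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
             sock.settimeout(5)
             try:
                 sock.connect((self.host, int(port)))
                 greeting = sock.recv(254)
                 plugin, scramble = self.get_scramble(greeting)
                 if not scramble:
                     return 3
                 sock.send(self.get_auth_data(user, pass_, scramble, plugin))
                 reply = sock.recv(1024)
             except socket.error:
                 # Refused, reset or timed out: skip this pair rather than let
                 # the exception unwind the whole scan (the original had no
                 # handler here at all).
                 continue
             finally:
                 # The original never closed the socket.
                 sock.close()
             # Exact OK packet the original matched: length 7, sequence 2,
             # header 0x00, affected rows 0, insert id 0, status flags 0x0002,
             # warnings 0. NOTE(review): an OK packet with other status flags
             # or a warning count is rejected by this byte-for-byte compare;
             # checking reply[4:5] == '\x00' would be more tolerant -- confirm.
             if reply == "\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00":
                 return "username:%s,password:%s,host:%s" % (user, pass_,
                                                             self.host)
     return None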
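def main():
    """Entry point: BBScan, then per-port service checks, then the POC plugins.

    Targets come either from the command line (``fb.targets``) or from a file
    (``fb.file``), one per line. Both the service phase and the POC phase run
    on gevent greenlets; ``fb.threads`` bounds the POC workers.

    Exits with status 1 when no targets were supplied, the target file cannot
    be read, or the requested plugin name is not a bare module name.
    """
    import os

    checkVersion()
    fb = prepare_param(parse_args())
    warning("Init fb successfully")
    if fb.targets:
        targets = [normalize_url(t) for t in fb.targets]
        BBScanPars = " --host %s" % (" ".join(targets))
    elif fb.file:
        BBScanPars = " -f %s" % (abspath + fb.file)
        try:
            with open(fb.file) as fp:
                # Blank lines would otherwise become empty targets.
                targets = [normalize_url(line.strip())
                           for line in fp if line.strip()]
        except IOError:
            print('[!] No such file or directory , please check your file location')
            raise SystemExit(1)
    else:
        # The original fell through here and later crashed on an unbound
        # `targets`; fail with a message instead.
        print('[!] No targets given: pass hosts on the command line or a target file')
        raise SystemExit(1)

    # Background scan for other findings (information leaks, directory brute force).
    # NOTE(review): BBScanPars is a whitespace-joined command-line fragment built
    # from user-supplied hosts / file path. If runBBScan passes it through a
    # shell it must quote or list-ify the arguments -- not visible from here.
    core.run3rd.runBBScan(BBScanPars)

    # service scanner , such as MySQL,redis
    for target in targets:
        openport = getopenports(target)
        info("scan port complete " + ",".join(map(str, openport)))
        port_queue = []
        for portitem in openport:
            wk = weakservice(url2ip(target), [portitem])
            port_queue.append(gevent.spawn(wk.brute))
        gevent.joinall(port_queue)

    warning("Init poc scaner")
    # poc scanner part
    task_queue = Queue()
    result_queue = Queue()
    if fb.plugins == '':
        plugins = glob.glob('pocs/pocsuite/*.py')
    else:
        # The plugin name comes straight from the command line. Restrict it to
        # a bare module name so it cannot escape pocs/pocsuite/ via separators,
        # ".." or an absolute path; the original concatenated it unchecked and
        # with backslashes, which also only resolved on Windows.
        name = fb.plugins
        if not name or name != os.path.basename(name) or name.startswith('.'):
            print('[!] Invalid plugin name: %r' % name)
            raise SystemExit(1)
        plugins = [os.path.join('pocs', 'pocsuite', name + '.py')]
    for target in targets:
        # gen scan task queue
        for plugin in plugins:
            task_queue.put([target, plugin])

    # Coroutines instead of Python threads, for throughput (original author's note).
    gevent.joinall([
        gevent.spawn(runPlugins, task_queue, result_queue)
        for _ in range(fb.threads)
    ])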
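    def ssh(self, port):
        """Try the SSH credential lists against ``self.host``:``port``.

        Returns:
            ``username:...,password:...,host:...`` for the first password that
            authenticates (an empty password is reported as ``null``), or
            ``None`` when every pair is rejected or the host never answers.
        """
        warning("check ssh weak password")
        client = paramiko.SSHClient()
        # Brute-force targets have no pinned host key, so accept whatever is
        # presented. That also means a MITM could stand in for the server;
        # do not treat a "success" here as proof of the real host's password
        # without verifying its key.
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        for user in USER_DIC['ssh']:
            for pass_ in PASSWORD_DIC:
                pass_ = str(pass_.replace('{user}', user))
                try:
                    # allow_agent/look_for_keys off: otherwise paramiko offers
                    # the scanner's own agent keys and ~/.ssh keys before the
                    # password, and a login that succeeds that way is reported
                    # against a password that was never tested (false positive
                    # in the original).
                    client.connect(self.host, port, user, pass_, timeout=5,
                                   allow_agent=False, look_for_keys=False)
                except (paramiko.SSHException, socket.error, EOFError):
                    # Rejected password, banner timeout, connection reset after
                    # too many attempts, refused port: next pair, as before.
                    continue
                finally:
                    # Safe on a client whose transport never came up.
                    client.close()
                # Authentication succeeded. The original also ran `whoami` on
                # the target; a completed login is evidence enough and a
                # credential check should not execute commands on the host.
                if pass_ == '':
                    pass_ = "null"
                return "username:%s,password:%s,host:%s" % (user, pass_,
                                                            self.host)
        return None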
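    def rsync(self, port):
        """Grab the rsync daemon greeting from ``self.host``:``port``.

        Despite the log line this is not a password check: the daemon
        announces its protocol version (``@RSYNCD: ...``) on connect and that
        first line is what gets reported. Module listing and module
        authentication are not probed.

        Returns:
            ``host:...,rsync:...`` carrying the greeting line, or ``None`` when
            the port does not answer, the greeting is empty or oversized, or
            the daemon replies with a line containing ``ERROR``.
        """
        warning("check rsync weak password")
        maxline = 8192
        sock = None
        try:
            sock = socket.create_connection((self.host, port), timeout=5)
            stream = sock.makefile('rb')
            try:
                # One CR/LF-terminated line; anything past maxline is not an
                # rsync greeting (or is hostile), so give up rather than buffer.
                line = stream.readline(maxline + 1)
            finally:
                stream.close()
            if len(line) > maxline:
                # The original raised an undefined name `Error` here, which
                # surfaced as a NameError.
                raise IOError("got more than %d bytes" % maxline)
            if not line:
                raise EOFError("empty greeting")
            line = line.rstrip('\r\n')
            if 'ERROR' in line:
                raise IOError(line)
            return "host:%s,rsync:%s" % (self.host, line)
        except (socket.error, IOError, EOFError) as e:
            print(e)
            return None
        finally:
            # The original leaked both the socket and its file object.
            if sock is not None:
                sock.close()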
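 def redis(self, port):
     """Check Redis on ``self.host``:``port`` for no auth or a weak password.

     ``INFO`` on an open instance returns ``redis_version``; an instance with
     ``requirepass`` answers with an authentication error instead, in which
     case every entry of ``PASSWORD_DIC`` is tried with ``AUTH``.

     Returns:
         ``"<host> redis unauthorized"``, a ``redis password:...,host:...``
         string for the first accepted password, ``3`` on a connection error
         (the sentinel the original used), or ``None`` when nothing worked.
     """
     warning("check redis weak password")

     def resp(*args):
         # RESP array framing, so a password containing spaces or quotes is
         # delivered verbatim instead of being split by the inline parser.
         body = "".join("$%d\r\n%s\r\n" % (len(a), a) for a in args)
         return "*%d\r\n%s" % (len(args), body)

     def ask(command):
         # One short-lived connection per command, closed on every path
         # (the original leaked one socket per attempt). Always uses the
         # `port` argument; the original's AUTH loop connected to self.port.
         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         s.settimeout(5)
         try:
             s.connect((self.host, int(port)))
             s.send(command)
             return s.recv(1024)
         finally:
             s.close()

     try:
         result = ask(resp("INFO"))
         if "redis_version" in result:
             return "%s redis unauthorized" % self.host
         if "Authentication" in result:
             for pass_ in PASSWORD_DIC:
                 # Pre-ACL Redis has no usernames, so nothing is substituted
                 # for {user}. In the original a successful AUTH hit an
                 # undefined `user` (NameError) and was reported as failure (3).
                 if '+OK' in ask(resp("AUTH", pass_)):
                     return "redis password:%s,host:%s" % (pass_, self.host)
     except socket.error:
         return 3
     return None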
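 def mongodb(self, port):
     """Check whether MongoDB on ``self.host``:``port`` runs admin commands without auth.

     Sends two hand-built OP_QUERY (opcode 2004) messages against
     ``admin.$cmd``: ``{ismaster: 1}`` to confirm the service answers, then
     ``{getLog: "startupWarnings"}``. A ``totalLinesWritten`` field in the
     second reply means the server executed an admin command for an
     anonymous client, i.e. access control is off.

     Returns:
         ``"unauthorized"`` when getLog succeeds, ``''`` when ismaster works
         but getLog does not, ``None`` when the service does not answer.
     """
     warning("check mongodb weak password")
     # opcode 2004 (OP_QUERY), collection "admin.$cmd", query {ismaster: 1}
     ismaster = binascii.a2b_hex(
         "3a000000a741000000000000d40700000000000061646d696e2e24636d640000000000ffffffff130000001069736d6173746572000100000000"
     )
     # same framing, query {getLog: "startupWarnings"}
     getlog = binascii.a2b_hex(
         "480000000200000000000000d40700000000000061646d696e2e24636d6400000000000100000021000000026765744c6f670010000000737461727475705761726e696e67730000"
     )
     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     s.settimeout(5)
     try:
         # int(port) for consistency with the other checks; the original
         # passed the value through untouched.
         s.connect((self.host, int(port)))
         s.send(ismaster)
         if "ismaster" not in s.recv(1024):
             return None
         s.send(getlog)
         reply = s.recv(1024)
     except socket.error as e:
         print(e)
         return None
     finally:
         # The original never closed the socket.
         s.close()
     # NOTE(review): recent MongoDB releases reportedly no longer accept
     # OP_QUERY for commands other than the handshake, in which case this
     # reports '' even with auth disabled (false negative). Confirm, and move
     # the getLog probe to OP_MSG if current servers are in scope.
     if "totalLinesWritten" in reply:
         return "unauthorized"
     return ''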
 def elasticsearch(self, port):
     warning(
         "check elasticsearch weak password, but i don't write code~ , it's A HTTP request "
     )