
Build Your Own Weak-Password Scanning Tool

Time: 2023-03-16 01:18:16 | Technology Watch

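This article is reproduced from the WeChat public account 《绕过》 (Bypass), author 绕过. To reprint this article, please contact the 旁路 public account.

In internal network testing, weak-password scanning is an essential step, so choosing a good weak-password scanning tool is particularly important. I once wrote a weak-password detection tool, and readers often message me asking for the iscan source code. In fact, building your own weak-password scanner in Python is simple: it is nothing more than a collection of Python scan scripts integrated together.

Today I am sharing scan scripts for some commonly used port services. You can adapt the scripts to your own needs, build your own weak-password detection tool, and then use it in real engagements. Isn't that interesting?

1. RDP scanning module

The RDP protocol is fairly complex, and I had not found a simple way to implement RDP brute forcing in Python. Later I found rdp_check.py among the impacket examples; this script can be used to test whether an account is valid on a target host. Rewriting it as a Python scan script then becomes very simple. The demo code is a bit long, so it is not pasted here.

For the code, see: https://github.com/SecureAuthCorp/impacket/blob/master/examples/rdp_check.py

2. SMB scanning module

Used to detect shared folders and weak SMB passwords.

```python
from impacket import smb

def smb_login(ip, port, user, pwd):
    try:
        client = smb.SMB('*SMBSERVER', ip)
        client.login(user, pwd)
        print('[+] IPC$ weak password:', user, pwd)
    except Exception:
        print('[-] checking for', user, pwd, 'fail')
```

3. FTP scanning module

Used to detect anonymous FTP access and weak passwords.

```python
import ftplib

def ftp_anonymous(ip, port):
    try:
        ftp = ftplib.FTP()
        ftp.connect(ip, port, 2)   # 2-second connect timeout
        ftp.login()                # no arguments = anonymous login
        ftp.quit()
        print('[+] FTP login for anonymous')
    except Exception:
        print('[-] 检查 FTP anonymous 失败')

def ftp_login(ip, port, user, pwd):
    try:
        ftp = ftplib.FTP()
        ftp.connect(ip, port, 2)
        ftp.login(user, pwd)
        ftp.quit()
        print('[+] FTP weak password:', user, pwd)
    except Exception:
        print('[-] checking for', user, pwd, 'fail')
```

4. SSH scanning module

Used to detect weak SSH passwords.

```python
import paramiko

def ssh_login(ip, port, user, pwd):
    try:
        ssh = paramiko.SSHClient()
        # Accept unknown host keys so the check does not stop on first contact
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        ssh.connect(ip, port, user, pwd, timeout=5)
        print('[+] SSH weak password:', user, pwd)
        ssh.close()
    except Exception:
        print('[-] checking for', user, pwd, 'fail')
```

5. Telnet scanning module

Simulates the Telnet login sequence and is used to detect weak telnet passwords.

```python
import telnetlib  # removed from the standard library in Python 3.13

def telnet(ip, port, user, pwd):
    try:
        tn = telnetlib.Telnet(ip, port, timeout=5)
        tn.set_debuglevel(0)
        tn.read_until(b"login:", 5)
        tn.write(user.encode() + b'\r\n')
        tn.read_until(b"assword:", 5)
        tn.write(pwd.encode() + b'\r\n')
        result = tn.read_some()
        result = result + tn.read_some()
        if b'Login Fail' in result or b'incorrect' in result:
            print("[-] Checking for", user, pwd, "fail")
        else:
            print("[+] Success login for", user, pwd)
        tn.close()
    except Exception:
        print('[-] checking for', user, pwd, 'fail')
```

6. MySQL scanning module

Used to detect weak MySQL passwords.

```python
import MySQLdb

def Mysql_login(ip, port, user, pwd):
    try:
        db = MySQLdb.connect(host=ip, user=user, passwd=pwd, port=port)
        print('[+] Mysql weak password:', user, pwd)
        db.close()
    except Exception:
        print('[-] checking for', user, pwd, 'fail')
```

7. MSsql scanning module

Used to detect weak MSSQL passwords.

```python
import pymssql

def mssql_login(ip, port, user, pwd):
    try:
        db = pymssql.connect(host=ip, user=user, password=pwd, port=port)
        print('[+] MSsql weak password:', user, pwd)
        db.close()
    except Exception:
        print('[-] checking for', user, pwd, 'fail')
```

8. MongoDB module

Used to detect anonymous MongoDB logins and weak passwords.

```python
from pymongo import MongoClient

# collection_names() and authenticate() are PyMongo 3.x APIs;
# both were removed in PyMongo 4.0.

def mongodb(ip, port=27017):
    try:
        client = MongoClient(ip, port)
        db = client.local
        flag = db.collection_names()
        if flag:
            print("[+] Mongodb login for anonymous")
    except Exception:
        pass

def mongodb_login(ip, port, user, pwd):
    try:
        client = MongoClient(ip, port)
        db_auth = client.admin
        flag = db_auth.authenticate(user, pwd)
        if flag == True:
            print('[+] Mongodb weak password:', user, pwd)
    except Exception:
        print('[-] checking for', user, pwd, 'fail')
```

9. phpMyAdmin scanning module

Simulates an HTTP request to detect weak phpMyAdmin passwords.

```python
import time
import requests

def phpMyAdmin_login(ip, port, user, pwd):
    try:
        url = "http://" + ip + ":" + str(port) + "/phpmyadmin/index.php"
        data = {'pma_username': user, 'pma_password': pwd}
        response = requests.post(url, data=data, timeout=5)
        result = response.text
        # The login form is absent from the response after a successful login
        if result.find('name="login_form"') == -1:
            print('[+] find phpMyAdmin weak password in:', url)
            print('[+] find phpMyAdmin weak password:', user, pwd)
        else:
            print('[-] Checking for', user, pwd, "fail")
            time.sleep(2)
    except Exception:
        print('[-] Something Error', user, pwd, "fail")
```

10. Tomcat scanning module

Simulates an HTTP request to detect weak passwords on the Tomcat console.

```python
import base64
import urllib.request

def tomcat_login(ip, port, user, pwd):
    url = "http://" + ip + ":" + str(port) + "/manager/html"
    try:
        user_agent = "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)"
        # HTTP Basic auth: base64 of "user:password"
        token = base64.b64encode((user + ':' + pwd).encode()).decode()
        Authorization = "Basic %s" % token
        header = {'User-Agent': user_agent, 'Authorization': Authorization}
        request = urllib.request.Request(url, headers=header)
        response = urllib.request.urlopen(request, timeout=5)
        if response.status == 200:
            print('[Success] ' + url + ' ' + user + ':' + pwd)
    except Exception:
        print('[登录失败] ' + url + ' ' + user + ':' + pwd)
```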
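The SSH module above leaves a recognizable trail on the target: a burst of failed password logins from one address, spread over several accounts. The following is an added example, not code from the original article, showing how a defender can flag that pattern in an sshd auth log. The log lines are constructed, and the function name and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Standard OpenSSH wording for password logins in the auth log.
LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (hosts, users and addresses are made up).
SAMPLE_LOG = """\
Mar 16 01:20:01 db01 sshd[2101]: Failed password for root from 10.0.5.23 port 40112 ssh2
Mar 16 01:20:02 db01 sshd[2103]: Failed password for root from 10.0.5.23 port 40114 ssh2
Mar 16 01:20:03 db01 sshd[2105]: Failed password for invalid user oracle from 10.0.5.23 port 40118 ssh2
Mar 16 01:20:04 db01 sshd[2107]: Failed password for admin from 10.0.5.23 port 40120 ssh2
Mar 16 01:20:05 db01 sshd[2109]: Failed password for test from 10.0.5.23 port 40122 ssh2
Mar 16 01:20:06 db01 sshd[2111]: Accepted password for test from 10.0.5.23 port 40124 ssh2
Mar 16 09:02:11 db01 sshd[3050]: Failed password for alice from 10.0.5.40 port 51514 ssh2
Mar 16 09:02:19 db01 sshd[3052]: Accepted password for alice from 10.0.5.40 port 51516 ssh2
"""


def find_guessing_sources(log_text, min_failures=5, min_users=3):
    """Flag source IPs whose failed logins look like a dictionary run."""
    failed = defaultdict(list)    # ip -> usernames of failed attempts
    accepted = defaultdict(set)   # ip -> usernames that logged in
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failed[m["ip"]].append(m["user"])
        else:
            accepted[m["ip"]].add(m["user"])
    findings = {}
    for ip, users in failed.items():
        # Many failures, or failures spread over several accounts.
        if len(users) >= min_failures or len(set(users)) >= min_users:
            findings[ip] = {
                "failures": len(users),
                "users_tried": sorted(set(users)),
                # A login accepted from a flagged source was likely guessed.
                "accepted_logins": sorted(accepted[ip]),
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_guessing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

Accounts listed under `accepted_logins` are the ones to reset first; the single mistyped password from 10.0.5.40 stays below both thresholds and is not flagged.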