[原創]K8Cscan for Python 2.0
0x000 簡介html
K8Cscan掃描器Python版支持Windows和Linux系統python
詳情參考:http://www.javashuo.com/article/p-xhgigpwl-kn.htmlgit
0x001 功能github
1.MS17-010漏洞檢測windows
2.SMB協議版本探測socket
3.存活主機掃描工具
4.DLL插件掃描(可加載Cscan已發佈的DLL,注:該功能僅限Windows且.net版本>=4.0)ui
PS:因爲Cscan功能較多,發現Py可調用.net編寫的DLL,偷懶先加載現有插件。spa
雖然思路同樣,但有些功能實現起來不同,比方其它語言都可ICMP協議實現ping操作系統
固然python也能夠,可是Py的Socket Raw必定要管理員權限,爲了保證任意權限下可用
因此PY版我採用調用系統ping命令這種很是次的方法,來實現內網存活主機的掃描。
沒辦法咱們不是那種能夠扛本身的設備去現場接條網線施工的人,打下的權限未必高權限。
不少時候一樣的功能因爲實現方式不同,有些工具任意權限下可用,有些僅管理員可用。
0x001 代碼
#K8Cscan for python 2.0
#Author: K8gege
#Date: 20190530
#Platform: (Windows & Linux)
#Windows need to .net framework >= 4.0
#Linux not support load 'netscan40.dll' (Maybe Mono is support)
#Usage:
#python K8Cscan.py 192.11.22.40
#python K8Cscan.py 192.11.22.40/24
#python K8Cscan.py 192.11.22.40/24 -t ms17010
#python K8Cscan.py --type=dll 192.11.22.42
#python K8Cscan.py 192.11.22.40/24 -t dll
import platform
import socket
import os
import threading
import time
import telnetlib
import argparse
# import gevent
# from gevent import monkey; monkey.patch_all();
# import socket
# from gevent.pool import Pool
from mysmb import MYSMB
from impacket import smb, smbconnection, nt_errors
from impacket.uuid import uuidtup_to_bin
from impacket.dcerpc.v5.rpcrt import DCERPCException
from struct import pack
import sys
USERNAME = ''
PASSWORD = ''
NDR64Syntax = ('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')
MSRPC_UUID_BROWSER = uuidtup_to_bin(('6BFFD098-A112-3610-9833-012892020162','0.0'))
MSRPC_UUID_SPOOLSS = uuidtup_to_bin(('12345678-1234-ABCD-EF00-0123456789AB','1.0'))
MSRPC_UUID_NETLOGON = uuidtup_to_bin(('12345678-1234-ABCD-EF00-01234567CFFB','1.0'))
MSRPC_UUID_LSARPC = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AB','0.0'))
MSRPC_UUID_SAMR = uuidtup_to_bin(('12345778-1234-ABCD-EF00-0123456789AC','1.0'))
pipes = {
'browser' : MSRPC_UUID_BROWSER,
'spoolss' : MSRPC_UUID_SPOOLSS,
'netlogon' : MSRPC_UUID_NETLOGON,
'lsarpc' : MSRPC_UUID_LSARPC,
'samr' : MSRPC_UUID_SAMR,
}
def smbcheck(target):
if checkPort(target,'445'):
conn = MYSMB(target)
try:
conn.login(USERNAME, PASSWORD)
except smb.SessionError as e:
#print('Login failed: ' + nt_errors.ERROR_MESSAGES[e.error_code][0])
sys.exit()
finally:
#print('OS: ' + conn.get_server_os())
TragetOS = '(' + conn.get_server_os()+')'
tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
conn.set_default_tid(tid)
# test if target is vulnerable
TRANS_PEEK_NMPIPE = 0x23
recvPkt = conn.send_trans(pack('<H', TRANS_PEEK_NMPIPE), maxParameterCount=0xffff, maxDataCount=0x800)
status = recvPkt.getNTStatus()
if status == 0xC0000205: # STATUS_INSUFF_SERVER_RESOURCES
#print('The target is not patched')
CheckResult = 'MS17-010\t'+TragetOS
return CheckResult
def GetSmbVul(ip):
# output = os.popen('ping -%s 1 %s'%(ptype,ip)).readlines()
# for w in output:
# if str(w).upper().find('TTL')>=0:
#print "online "+ip
try:
SmbVul=smbcheck(ip)
if SmbVul<>None:
print('%s\t%s'%(ip,SmbVul))
except:
pass
def GetOSname(ip):
try:
print('%s\t%s\t%s'%(ip,getHostName(ip)))
except:
pass
def ScanSmbVul(ip):
if '/24' in ip:
ipc = (ip.split('.')[:-1])
for i in range(1,256):
add = ('.'.join(ipc)+'.'+str(i))
threading._start_new_thread(GetSmbVul,(add,))
time.sleep(0.1)
else:
GetSmbVul(ip)
def checkPort(ip,port):
server = telnetlib.Telnet()
try:
server.open(ip,port)
#print('{0} port {1} is open'.format(ip, port))
return True
except Exception as err:
#print('{0} port {1} is not open'.format(ip,port))
return False
finally:
server.close()
def getHostName(target):
try:
result = socket.gethostbyaddr(target)
return result[0]
except socket.herror, e:
return ''
def getos():
return platform.system()
try:
import clr
except:
pass
def netscan(ip):
try:
clr.FindAssembly('netscan40.dll')
clr.AddReference('netscan40')
from CscanDLL import scan
print(scan.run(ip)),
except:
pass
def Cscan(ip):
if '/24' in ip:
ipc = (ip.split('.')[:-1])
for i in range(1,256):
add = ('.'.join(ipc)+'.'+str(i))
threading._start_new_thread(netscan,(add,))
# if type=='dll':
# threading._start_new_thread(netscan,(add,))
# elif type=='smb':
# threading._start_new_thread(netscan,(add,))
time.sleep(0.1)
else:
netscan(ip)
def CscanSMBver(ip):
if '/24' in ip:
ipc = (ip.split('.')[:-1])
for i in range(1,256):
add = ('.'.join(ipc)+'.'+str(i))
threading._start_new_thread(smbVersion,(add,))
time.sleep(0.1)
else:
smbVersion(ip)
def CscanOSname(ip):
if '/24' in ip:
ipc = (ip.split('.')[:-1])
for i in range(1,256):
add = ('.'.join(ipc)+'.'+str(i))
threading._start_new_thread(GetOSname,(add,))
time.sleep(0.1)
else:
GetOSname(ip)
def getip():
return socket.gethostbyname(socket.gethostname())
def pingIP(ip):
#print ip
#gevent.sleep(0)
output = os.popen('ping -%s 1 %s'%(ptype,ip)).readlines()
for w in output:
if str(w).upper().find('TTL')>=0:
print ip
# try:
# SmbVul=smbcheck(ip)
# if SmbVul==None:
# print('%s\t%s'%(ip,getHostName(ip)))
# else:
# print('%s\t%s\t%s'%(ip,getHostName(ip),SmbVul))
# except:
# pass
def CpingIP(ip):
ip=ipc+str(ip)
pingIP(ip)
def Cping(ip):
if '/24' in ip:
ipc = (ip.split('.')[:-1])
for i in range(1,256):
add = ('.'.join(ipc)+'.'+str(i))
threading._start_new_thread(pingIP,(add,))
time.sleep(0.1)
#ipcc = scanip.split('.')[:-1]
#ipccc = ('.'.join(ipcc)+'.')
#global ipc
#ipc = ipccc
#ipc = scanip.split('.')[:-1]
#print "ipc: "+ipc
# pool = Pool(255)
# pool.map(CpingIP,xrange(1,254))
# pool.join()
else:
pingIP(ip)
def PrintLine():
print('=============================================')
from impacket.smbconnection import *
from impacket.nmb import NetBIOSError
import errno
def smbVersion(rhost):
host = rhost
port=445
try:
smb = SMBConnection(host, host, sess_port=port)
except NetBIOSError:
return
except socket.error, v:
error_code = v[0]
if error_code == errno.ECONNREFUSED:
return
else:
return
dialect = smb.getDialect()
if dialect == SMB_DIALECT:
print(host + "\tSMBv1 ")
elif dialect == SMB2_DIALECT_002:
print(host + "\tSMBv2.0 ")
elif dialect == SMB2_DIALECT_21:
print(host + "\tSMBv2.1 ")
else:
print(host + "\tSMBv3.0 ")
ipc=""
if __name__ == '__main__':
print('K8Cscan 2.0 by k8gege')
parser = argparse.ArgumentParser()
parser.add_argument('ip',help='IP or IP/24')
parser.add_argument('--type', '-t', type=str, choices=['ping', 'smbver', 'osname','ms17010','dll'], help='Scan Type',default='ping')
args = parser.parse_args()
if getos() == 'Windows':
ptype = 'n'
elif getos() == 'Linux':
ptype = 'c'
else:
print('The system is not supported.')
sys.exit()
scanip=args.ip
if args.type == 'ping':
print "Scan Online"
PrintLine()
Cping(scanip)
elif args.type == 'smbver':
print "Scan Smb Version "
CscanSMBver(scanip)
elif args.type == 'dll':
if ptype =='n':
if(os.path.exists('netscan40.dll')):
print('load netscan40.dll (.net >= 4.0)')
PrintLine()
Cscan(scanip)
else:
print('load netscan40.dll')
else:
print('The system is not supported.')
sys.exit(1)
elif args.type == 'ms17010':
print "Scan MS17-010 VUL \n" + scanip
ScanSmbVul(scanip)
elif args.type == 'osname':
print "Scan hostName \n" + scanip
CscanOSname(scanip)
PrintLine()
print('Scan Finished!')
0x003 用法
例子1: SMB漏洞之MS17-010掃描
例子2:DLL掃描之Cscan操做系統探測插件
根目錄下放osscan.rar中的netscan40.dll便可(其它dll同理,windows下不建議python版)PY受好者請繼續
如圖所示探測到內網Win7三臺、Win10兩臺、2012一臺及主機名、路由一臺(開放WEB服務,產品版本等)
例子3:SMB版本探測(可用於判斷操做系統,因Linux默認不開啓)
SMB版本對應操做系統(可用於判斷操做系統,因Linux默認不開啓)
Scan Smb Version 192.11.22.118 SMBv3.0 Win8.1 192.11.22.7 SMBv3.0 Win10 192.11.22.41 SMBv2.1 (Win7) SMBv1 XP or 2003 Kali開啓SMB後 192.11.22.54 SMBv3.0 192.11.22.54 KALI [Win 6.1] 抓包顯示爲 Windows Server 2003 3790 Service Pack 2
例子4:Kali下使用
0x004 下載
相關文章
- 1. [原創]K8Cscan插件之Weblogic漏洞掃描&GetShell Exploit
- 2. [原創]K8Cscan插件之C段旁站掃描\子域名掃描
- 3. js猜數字小遊戲2.0——原創
- 4. [原創]SSH Tunnel for UDP
- 5. 原創python學習
- 6. [原創]K8Cscan插件之Host2IP(批量域名解析/主機名轉IP)
- 7. python基礎2.0
- 8. 【原創】Python 工具 cheat
- 9. [原創]K8Cscan插件之多種方式系統版本探測(內網滲透/支持批量/可跨網段)
- 10. (原創)python發送郵件
- 更多相關文章...
- • SQLite - Python - SQLite教程
- • Docker 安裝 Python - Docker教程
- • Java Agent入門實戰(三)-JVM Attach原理與使用
- • ☆技術問答集錦(13)Java Instrument原理
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
