[python]MS17-010自动化扫描脚本
一种是3gstudent分享的调用Nsa泄露的smbtouch-1.1.1.exe实现验证,另一种是参考巡风的poc。这里整合学习了下两种不同的方法。
import os
import fileinput

# Drives Smbtouch-1.1.1.exe over a contiguous run of hosts inside one /24:
# for each host the tool's XML config is rewritten in place to point at it,
# the tool is executed, and its output is appended to log.txt.
print "---This is Ms17010's tools for 139/445---"

# First and last host of the range; only the final octet is iterated.
BeginIP = raw_input(" [+] >输入开始ip:")  # e.g. 172.16.9.1
EndIP = raw_input(" [+] >输入终端ip:")

# Every tool run is written here, one after another.
fp = open('log.txt', 'w+')

# The XML config ships with 127.0.0.1 as its target element; the loop swaps
# that element for the current host and restores it once the scan is over.
OldIP = ' <value>127.0.0.1</value>'
TempIP = OldIP

print "------------------scaning----------------"
print ""

# Split the start address; IP4 is the octet that gets incremented.
octets = BeginIP.split('.')
IP1, IP2, IP3 = octets[0], octets[1], octets[2]
IP4 = octets[-1]
EndIP_last = EndIP.split('.')[-1]

# range() is sized so the first and the last octet are both covered.
for _ in range(int(IP4) - 1, int(EndIP_last)):
    ip = '.'.join([IP1, IP2, IP3, IP4])
    IP4 = str(int(IP4) + 1)
    NewIP = ' <value>' + ip + '</value>'

    # Replace the previous target element with the new one, editing the
    # XML file in place (fileinput redirects stdout into the file).
    for line in fileinput.input('Smbtouch-1.1.1.xml', inplace=1):
        print line.rstrip().replace(TempIP, NewIP)
    TempIP = NewIP

    # Run the checker and keep its output up to the first '<config' marker.
    Output = os.popen(r"Smbtouch-1.1.1.exe").read()
    Output = Output[:Output.find('<config', 1)]
    fp.writelines(Output)

    # The tool's own failure marker decides what is reported for this host.
    if Output.find('[-] Touch failed') == -1:
        print '[+] Touch success: ' + ip
    else:
        print '[-] Touch failed: ' + ip
else:
    # Loop ran to completion: close the log and put 127.0.0.1 back.
    fp.close()
    for line in fileinput.input('Smbtouch-1.1.1.xml', inplace=1):
        print line.rstrip().replace(NewIP, OldIP)
前两天看到freebuf上关于《如何转换永恒之蓝(Eternalblue)的POC》的文章。
ms17-010 poc
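#!/usr/bin/python
# coding: utf-8
'''
The poc is used to detect MS17-010 / DOUBLEPULSAR.

It performs an SMB1 negotiate, session setup and tree connect against
port 445 of one host, then sends a Trans2 SESSION_SETUP request and reads
byte 34 of the reply: the check below treats 0x51 there as the
DOUBLEPULSAR response.

Module globals (``timeout``, ``filename``, ``num_threads``, ``semaphore``)
are set from sys.argv when exactly four arguments are given.
'''
import binascii
import socket
import struct
import sys
import threading

# Pre-built SMB1 packets (kept as the original hex). The user ID and tree ID
# fields of the last two are patched at runtime with the values the server
# returns. NOTE(review): the tree connect hex appears to embed a fixed UNC
# path (\\192.168.175.128\IPC$); the target address is not patched into it.
negotiate_protocol_request = binascii.unhexlify(
    "00000085ff534d4272000000001853c00000000000000000000000000000fffe00004000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200")
session_setup_request = binascii.unhexlify(
    "00000088ff534d4273000000001807c00000000000000000000000000000fffe000040000dff00880004110a000000000000000100000000000000d40000004b000000000000570069006e0064006f007700730020003200300030003000200032003100390035000000570069006e0064006f007700730020003200300030003000200035002e0030000000")
tree_connect_request = binascii.unhexlify(
    "00000060ff534d4275000000001807c00000000000000000000000000000fffe0008400004ff006000080001003500005c005c003100390032002e003100360038002e003100370035002e003100320038005c00490050004300240000003f3f3f3f3f00")
trans2_session_setup = binascii.unhexlify(
    "0000004eff534d4232000000001807c00000000000000000000000000008fffe000841000f0c0000000100000000000000a6d9a40000000c00420000004e0001000e000d0000000000000000000000000000")


def main(ips):
    """Check ``ips`` synchronously, then every line of ``filename`` in threads.

    ``filename`` is only non-empty (and ``semaphore`` only defined) when the
    script was started with four arguments, so the threaded branch is
    skipped otherwise. Exceptions from the synchronous check propagate.
    """
    ip = ips
    if ip != "":
        check_ip(ip)
    if filename != "":
        with open(filename, "r") as fp:
            for line in fp:
                # One semaphore slot per worker; released in threaded_check.
                semaphore.acquire()
                ip_address = line.strip()
                t = threading.Thread(target=threaded_check, args=(ip_address,))
                t.start()


# Defaults, overridden from the command line below.
num_threads = 10
timeout = 10
filename = ""
print_lock = threading.Lock()

if len(sys.argv) == 5:
    # NOTE: this ip is shadowed by the hard-coded target in the __main__
    # guard at the bottom of the file.
    ip = sys.argv[1]
    filename = sys.argv[2]
    timeout = sys.argv[3]  # converted with float() in check_ip
    # BoundedSemaphore counts down from this value, so it must be an int;
    # the raw argv string broke on the first acquire().
    num_threads = int(sys.argv[4])
    semaphore = threading.BoundedSemaphore(value=num_threads)
else:
    print "[!] >............... "


def print_status(ip, message):
    """Print one status line for ``ip`` while holding the shared print lock."""
    with print_lock:
        print "[*] [%s] %s" % (ip, message)


def check_ip(ip):
    """Run the SMB1 handshake against ``ip``:445 and report the 0x51 check.

    Raises socket errors (including timeouts) and struct errors on short
    replies; the socket is closed on every path, including failure.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(float(timeout) if timeout else None)
    try:
        s.connect((ip, 445))

        # Negotiate protocol; the reply is not inspected.
        print_status(ip, "正在准备协议!")
        s.send(negotiate_protocol_request)
        s.recv(1024)

        # Session setup; the server-assigned user ID is at bytes 32:34.
        print_status(ip, "正在设置请求!")
        s.send(session_setup_request)
        session_setup_response = s.recv(1024)
        user_id = session_setup_response[32:34]
        print_status(ip, "用户 ID = %s" % struct.unpack("<H", user_id)[0])

        # Tree connect, with the user ID patched into the request header.
        modified_tree_connect_request = list(tree_connect_request)
        modified_tree_connect_request[32] = user_id[0]
        modified_tree_connect_request[33] = user_id[1]
        modified_tree_connect_request = "".join(modified_tree_connect_request)
        print_status(ip, "发送连接!!!")
        s.send(modified_tree_connect_request)
        tree_connect_response = s.recv(1024)
        # The tree ID is at bytes 28:30 of the reply.
        tree_id = tree_connect_response[28:30]
        print_status(ip, "Tree ID = %s" % struct.unpack("<H", tree_id)[0])

        # Trans2 session setup with both the tree ID and user ID patched in.
        modified_trans2_session_setup = list(trans2_session_setup)
        modified_trans2_session_setup[28] = tree_id[0]
        modified_trans2_session_setup[29] = tree_id[1]
        modified_trans2_session_setup[32] = user_id[0]
        modified_trans2_session_setup[33] = user_id[1]
        modified_trans2_session_setup = "".join(modified_trans2_session_setup)
        print_status(ip, "发送成功!正在返回!")
        s.send(modified_trans2_session_setup)
        final_response = s.recv(1024)
    finally:
        # Previously only closed on success, leaking the socket on any error.
        s.close()

    # Check for 0x51 at offset 34 of the reply to indicate DOUBLEPULSAR.
    if final_response[34] == "\x51":
        with print_lock:
            print("\033[0;31m%s\033[0m" % "[*] 存在:DOUBLEPULSAR !!!\n")
    else:
        with print_lock:
            print "[-] 不存在DOUBLEPULSAR !!!\n"


def threaded_check(ip_address):
    """Worker wrapper around check_ip: report errors, always free the slot."""
    try:
        check_ip(ip_address)
    except Exception as e:
        with print_lock:
            print "[错误] [%s] - %s" % (ip_address, e)
    finally:
        semaphore.release()


if __name__ == '__main__':
    # NOTE: the target is hard-coded here; sys.argv[1] above is never used.
    ip = '192.168.1.1'
    main(ip)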
扫描部分使用IPy模块处理输入的扫描网段,并使用multiprocessing机制。
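# coding: utf-8
# by:adislj
import socket
import sys
from datetime import datetime
from multiprocessing.dummy import Pool as ThreadPool  # 多线程 (thread pool)
import IPy
from MS17_010_poc import *  # provides main(); note its module-level argv handling runs on import

# Sweep a CIDR range for hosts with 445/tcp open and hand each of them to
# the imported MS17_010_poc.main() check.

# Initialised up front so the check below cannot hit a NameError when the
# prompt or the range parsing fails.
remote_server = ''
ip_list = []
try:
    print '[*] >请输入你要扫描的ip段/如:192.168.1.0/24'
    remote_server = raw_input("[+] >输入ip段:")  # e.g. 172.16.9.0/24
    ips = IPy.IP(remote_server)  # Class and tools for handling of IPv4 and IPv6 addresses and networks
    # Drop the first and last entry of the range.
    ip_list = list(ips)[1:-1]
    print '-' * 41
    print '[*] >你扫描的网段是:', remote_server
    print '-' * 41
    socket.setdefaulttimeout(0.5)
except Exception as e:
    # Was a bare `except: pass`, which also hid Ctrl-C and left remote_server
    # undefined; report the problem and fall through to the empty-input branch.
    print '[错误] %s' % e
    remote_server = ''


def scan_port(ip_list):
    """Probe 445/tcp on one address and run the MS17-010 check if it is open.

    Despite its name, ``ip_list`` is a single IPy.IP entry handed over by
    pool.map. Errors are printed rather than raised so that one bad host
    does not abort the pool.
    """
    try:
        port_list = [445]
        for port in port_list:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                res = s.connect_ex((str(ip_list), port))
                if res == 0:  # 如果端口开启
                    if port == 445:
                        print ip_list
                        print '[*] >端口:{}开放,正在发送MS17-010 Poc'.format(port)
                        main(str(ip_list))
                else:
                    print '.' * 41
            finally:
                # Closed on every path; the original leaked the socket when
                # main() raised or the port was not 445.
                s.close()
    except Exception as e:
        # str(e) instead of e.message: the latter is empty for exceptions
        # constructed with several args (e.g. socket.error(errno, msg)).
        print str(e)


if remote_server != '':
    t1 = datetime.now()
    pool = ThreadPool(processes=5)
    pool.map(scan_port, ip_list)
    pool.close()
    pool.join()
else:
    print '请输入ip段!'
    sys.exit(0)
print '[*] >MS17-010扫描完成时间:', datetime.now() - t1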