!142 修改ssh爆破模块

Merge pull request !142 from 宋帮诚晋/master
2022-11-25 08:31:19 +00:00 · 2022-11-25 08:31:19 +00:00 · e40d8194cb
parent 4fcce07675 c71e561e25
commit e40d8194cb
8 changed files with 147 additions and 138 deletions
--- a/src/genmai/ArgParser/ParameterParser.go
+++ b/src/genmai/ArgParser/ParameterParser.go
@ -9,6 +9,7 @@ import(
    "strconv"
    "log"
    "main/genmai"
+    "main/tools/SSHExplosion"
 	)

 var Num int
@ -184,4 +185,25 @@ func WKPWD(WKPWD string ,PWDList []string){
        fmt.Println("弱密码已生成")
    }
    return
+}
+//SSH爆破
+func SSHBurst (SSHBurst string,SSHBurstList []string){
+    if SSHBurst =="true"{
+        SSHHostCheck,list:=IPCheck(SSHBurstList[0])
+        if SSHHostCheck!="true"{
+            fmt.Println("host格式报错",list)
+            log.Println("host格式报错")
+        }else{
+            poolNums,err:= strconv.Atoi(SSHBurstList[1])
+            if err!=nil{
+                fmt.Println(err)
+                log.Println(err)
+            }else{
+
+                SSHExplosion.SshExp(list[:],poolNums)
+                
+            }
+        }
+    }
+    return
 }
--- a/src/main
+++ b/src/main
--- a/src/main.go
+++ b/src/main.go
@ -26,6 +26,7 @@ type Vul struct{
    MD string //生成MD文件
    RemoteAssessment string //远程检测,所需参数在RAVUL中
    WKPWD string //弱口令生成,所需参数在WKPWDVUL结构体中
+    SSHBurst string //SSH爆破
 }

 type RAVUL struct{
@ -71,7 +72,7 @@ func main(){

    //远程模块参数
    RA := flag.Bool("RA", false, "使用远程检测，只能单独使用模块")
-    flag.StringVar(&RAV.SSHHost, "H", "false", "远程检测指定host")
+    flag.StringVar(&RAV.SSHHost, "host", "false", "远程检测指定host")
    flag.StringVar(&RAV.SSHUser, "user", "false", "远程检测指定用户")
    flag.StringVar(&RAV.SSHPassword, "passwd", "false", "远程登录密码")

@ -81,7 +82,12 @@ func main(){
    flag.StringVar(&WKV.CompanyName, "CPN", "0", "设置特定公司名")
    flag.StringVar(&WKV.Name, "Name", "0", "设置姓名")
    flag.StringVar(&WKV.Nums, "Nums", "0", "设置特殊数字（如年份）")
-    // return
+
+    // SSH爆破模块
+    SSHB:= flag.Bool("SSHBurst", false, "使用SSH爆破")
+
+
+    
    //
    All := flag.Bool("all", false, "只扫描system,kernel的所有poc以及检测baselin模块，不可联合其他参数使用")

@ -92,6 +98,8 @@ func main(){
    
    //将插件模块的值存放到数组中
    PWDList :=[...]string{WKV.CompanyName,WKV.Name,WKV.Nums}
+    poolNums:=strconv.Itoa(vul.ParserNum)
+    SSHBurstList :=[...]string{RAV.SSHHost,poolNums} 

    //初始化bool值
    sAll :=strconv.FormatBool(*All)
@ -99,6 +107,7 @@ func main(){
    vul.RemoteAssessment=strconv.FormatBool(*RA)
    vul.WKPWD=strconv.FormatBool(*WK)
    help:=strconv.FormatBool(*Help)
+    vul.SSHBurst =strconv.FormatBool(*SSHB)

    //是否开启远程检测
    if vul.RemoteAssessment=="true"{
@ -113,6 +122,8 @@ func main(){

    }else{
        ArgParser.WKPWD(vul.WKPWD,PWDList[:])
+        ArgParser.SSHBurst(vul.SSHBurst,SSHBurstList[:])
+        return
        ArgParser.ParameterParser(vul.System,vul.Kernel,vul.Web,vul.BaseLine,sAll,vul.PoolStatNum,vul.ParserNum,vul.Update,vul.IP,help)
    }
    return
--- a/src/tools/SSHExplosion/CheckAlive.go
+++ b/src/tools/SSHExplosion/CheckAlive.go
@ -0,0 +1,16 @@
+package SSHExplosion
+
+import(
+	"net"
+	"fmt"
+	"time"
+)
+
+func checkAlive(ip string) bool {
+	alive := false
+	_, err := net.DialTimeout("tcp", fmt.Sprintf("%v:%v", ip, "22"), time.Second*5)
+	if err == nil {
+	   alive = true
+	}
+	return alive
+ }
--- a/src/tools/SSHExplosion/ReadFile.go
+++ b/src/tools/SSHExplosion/ReadFile.go
@ -1,33 +1,26 @@
 package SSHExplosion
 import(
-	"log"
-	"io"
+	// "log"
+	// "io"
 	"os"
 	"bufio"
+    "strings"
 )
-//用户名
-func readName(path string)(listName []string){
-    //打开文件
-    file, err := os.Open(path) //只是用来读的时候，用os.Open。相对路径，针对于同目录下。
-    if err != nil{
-        log.Printf("打开文件失败,err:%v\n",err)
-        return
-    }
-    defer file.Close() //关闭文件,为了避免文件泄露和忘记写关闭文件

-    //使用buffio读取文件内容
-    reader := bufio.NewReader(file) //创建新的读的对象
-    for {
-        line , err := reader.ReadString('\n') //注意是字符，换行符。
-        if err == io.EOF{ 
-            log.Println("文件读完了")
-            break
-        }
-        if err != nil{ //错误处理
-            log.Printf("读取文件失败,错误为:%v",err)
-            return
-        }
-		listName =append(listName,line)
-    }   
-	return listName
-}
+func readFile(filename string) ([]string, error) {
+    file, err := os.Open(filename)
+    if err != nil {
+       return nil, err
+    }
+    defer file.Close()
+    scanner := bufio.NewScanner(file)
+    scanner.Split(bufio.ScanLines)
+    var result []string
+    for scanner.Scan() {
+       passwd := strings.TrimSpace(scanner.Text())
+       if passwd != "" {
+          result = append(result, passwd)
+       }
+    }
+    return result, err
+}
--- a/src/tools/SSHExplosion/SSHConnect.go
+++ b/src/tools/SSHExplosion/SSHConnect.go
@ -25,84 +25,11 @@ func SshConnect(ip, username, password string) (bool, error) {
    if err == nil {
       defer client.Close()
       session, err := client.NewSession()
-       errRet := session.Run("echo 飞雪无情")
+       errRet := session.Run(" ")
       if err == nil && errRet == nil {
          defer session.Close()
          success = true
       }
    }
    return success, err
-}
-// func SshConnect(SSHHost string,SSHUser string, SSHPassword string)(result string){
-
-//     sshHost := SSHHost
-
-//     sshUser := SSHUser
-
-//     sshPassword := SSHPassword
-
-//     sshType := "password"
-
-//     sshPort := 22
-
-
-//     //创建sshp登陆配置
-
-//     config := &ssh.ClientConfig{
-
-//         Timeout:         5*time.Second,//ssh 连接time out 时间一秒钟, 如果ssh验证错误 会在一秒内返回
-
-//         User:            sshUser,
-
-//         HostKeyCallback: ssh.InsecureIgnoreHostKey(), 
-
-//         //HostKeyCallback: hostKeyCallBackFunc(h.Host),
-
-//     }
-
-//     if sshType == "password" {
-
-//         config.Auth = []ssh.AuthMethod{ssh.Password(sshPassword)}
-
-//     }
-
-//     //dial 获取ssh client
-
-// 	addr := fmt.Sprintf("%s:%d", sshHost, sshPort)
-
-//     sshClient, err := ssh.Dial("tcp", addr, config)
-
-//     if err != nil {
-
-//         log.Fatal("创建ssh client 失败",err)
-//     }
-
-//     defer sshClient.Close()
-
-//     //创建ssh-session
-
-//     session, err := sshClient.NewSession()
-
-//     if err != nil {
-
-//         log.Fatal("创建ssh session 失败",err)
-    
-
-//     }
-
-//     defer session.Close()
-//     command :="whoami"
-//     //执行远程命令
-//     combo,err := session.CombinedOutput(command)
-
-//     if err != nil {
-
-//         log.Fatal("远程执行cmd 失败",err,command)
-        
-
-//     }
-//     log.Println("ssh connect succ")
-//     defer session.Close()
-//     result=string(combo)
-//     return result
-// }
+}
--- a/src/tools/SSHExplosion/SSHCoprogram.go
+++ b/src/tools/SSHExplosion/SSHCoprogram.go
@ -2,8 +2,7 @@ package SSHExplosion
 import (
 	"fmt"
 	"sync"
-	// "time"
-	"strings"
+	"log"
 )

 // Pool goroutine Pool
@ -46,31 +45,72 @@ func (p *Pool) Wait() {
 	p.wg.Wait()
 }

-func SSHCoprogram(vul map[string]interface{}) {
+type Task struct {
+	ip       string
+	user     string
+	password string
+ }
+
+func SSHCoprogram(vul map[string]interface{}){
 	readNameFile:=vul["readNameFile"].([]string)
 	readPWDFile:=vul["readPWDFile"].([]string)
-	host:=vul["ip"].(string)
+	host:=vul["ip"].([]string)
 	nums:=vul["nums"].(int)
-	fmt.Println(len(readNameFile),len(readPWDFile))
-	// 这里限制100个并发
-	pool := New(nums) // sync.WaitGroup{}
-	//假设需要发送1000万个http请求，然后我并发100个协程取完成这件事
-	for j := 0; j < len(readNameFile); j++{
-		for i := 0; i < len(readPWDFile); i++ {
-			pool.Add(1) //发现已存在100个人正在发了，那么就会卡住，直到有人完成了宣布自己退出协程了
-			go func(i int) {
-				// fmt.Println(j,i,readPWDFile[i],host)
-				username := readNameFile[j]
-				username = strings.Replace(username,"\n","",-1)
-				passwd := readPWDFile[i]
-				passwd = strings.Replace(passwd,"\n","",-1)
-				result, _:=SshConnect(host,username,passwd)
-				if result {
-					fmt.Println("suc : ",host,username,passwd)
-				}
-				pool.Done()
-			}(i)
-		}
-		pool.Wait()
+
+
+	var tasks []Task
+	for _, user := range readNameFile {
+	   for _, password := range readPWDFile {
+		  for _, ip := range host {
+			 tasks = append(tasks, Task{ip, user, password})
+		  }
+	   }
 	}
+
+	runTask(tasks,nums)
+
+}
+
+
+func runTask(tasks []Task, threads int) {
+	var wg sync.WaitGroup
+	taskCh := make(chan Task, threads*2)
+	for i := 0; i < threads; i++ {
+	   go func() {
+		  for task := range taskCh {
+			 success, _ := SshConnect(task.ip, task.user, task.password)
+			 if success {
+				fmt.Printf("破解%v成功,用户名是%v,密码是%v\n", task.ip, task.user, task.password)
+			 }else{
+				log.Printf("破解%v失败,用户名是%v,密码是%v\n",task.ip, task.user, task.password)
+			 }
+			 wg.Done()
+		  }
+	   }()
+	}
+	for _, task := range tasks {
+	   wg.Add(1)
+	   taskCh <- task
+	}
+	wg.Wait()
+	close(taskCh)
+ }
+
+
+
+//检测开启ssh的IP
+func checkAlivePool(ipList []string,nums int)(aliveIP []string){
+	pool := New(nums)
+	for _,ip:=range ipList{
+		pool.Add(1)		
+		go func(ip string) {
+			v:=checkAlive(ip)
+			if v{
+				aliveIP=append(aliveIP,ip)
+			}
+			pool.Done()
+		}(ip)
+	}
+	pool.Wait()
+	return aliveIP
 }
--- a/src/tools/SSHExplosion/SshExplosion.go
+++ b/src/tools/SSHExplosion/SshExplosion.go
@ -1,19 +1,19 @@
 package SSHExplosion

 import(
-	// "fmt"
+	"fmt"
 )

-func SshExp(){
-	var readNameFile []string
-	var readPWDFile []string
-	
-	readNameFile=readName("../data/dic/name.txt")
-	readPWDFile=readName("../data/dic/dic.txt")
+func SshExp(ipList []string ,nums int){
+	readNameFile,err:=readFile("../data/dic/name.txt")
+	readPWDFile,err1:=readFile("../data/dic/dic.txt")
+	fmt.Println(readNameFile,err,err1)
 	vul:=make(map[string]interface{})
+	aliveIP:=checkAlivePool(ipList[:],nums)
+
 	vul["readNameFile"]=readNameFile
 	vul["readPWDFile"]=readPWDFile
-	vul["ip"]="127.0.0.1"
-	vul["nums"]=500
+	vul["ip"]=aliveIP
+	vul["nums"]=nums
 	SSHCoprogram(vul)
 }