上一篇文章介紹了通過(guò)PowerShell批量掃描IP段和端口�����,在PSNet程序集中添加了Invoke-ScanIPPort函數(shù)��,這里盡管掃描到了指定IP端中監(jiān)聽(tīng)的端口�����,但是未對(duì)端口和相應(yīng)的程序進(jìn)行對(duì)應(yīng),正如我們所知一些常用的應(yīng)用程序使用的默認(rèn)端口是固定的���,通過(guò)收集對(duì)應(yīng)關(guān)系會(huì)便于實(shí)現(xiàn)批量對(duì)IP范圍中存在的業(yè)務(wù)進(jìn)行確認(rèn)���,這個(gè)功能我們將會(huì)在后續(xù)的文章中進(jìn)行介紹。
在掃描到某些特定端口之后�����,我們接下來(lái)就需要尋找到這個(gè)端口對(duì)應(yīng)業(yè)務(wù)的弱密碼和常見(jiàn)密碼�,通過(guò)對(duì)默認(rèn)密碼的掃描,如果嘗試出了正確的密碼����,很多時(shí)候我們能找到滲透測(cè)試時(shí)的重要突破口。對(duì)可以作為滲透測(cè)試時(shí)的弱密碼攻擊的方向通常有ftp����、mysql、sqlserver��、oracle�����、telnet���、ssh���、Tomcat、Weblogic等等��,如果能在掃描到此類(lèi)服務(wù)后�,快速通過(guò)統(tǒng)一的方法掃描到弱密碼將會(huì)大大加快對(duì)敏感信息和權(quán)限提升的進(jìn)度。本文和后續(xù)的文章將會(huì)試圖通過(guò)PowerShell實(shí)現(xiàn)對(duì)上述潛在攻擊點(diǎn)的弱密碼嘗試��,本文首先針對(duì)ftp的密碼 嘗試����。
在PSNet程序集中繼續(xù)進(jìn)行擴(kuò)展,在$env:PSSpace/PSNet/TCPOp/下創(chuàng)建名為Invoke-FtpLogin.ps1的腳本用于在傳入指定ftp地址��、用戶(hù)名和密碼后返回是否登錄成功����。
同時(shí)在$env:PSSpace/PSNet/PSNet.psm1中添加對(duì)Invoke-FtpLogin.ps1程序文件的應(yīng)用,便于在PowerShell初始化時(shí)同時(shí)初始化此函數(shù) :
=====文件名:Invoke-FtpLogin.ps1=====
Function Invoke-FtpLogin{
Param(
[parameter(Mandatory = $true)]
[string]$Site = "ftp://localhost",
[string]$User = "Anonymous",
[string]$Pass = "hello@world",
[int]$Port=21,
[int]$TimeOut=3000,
[int]$ReadWriteTimeout=10000
)
Write-Host "Get FTP site dir listing..."
# Do directory listing
$FTPreq = [System.Net.FtpWebRequest]::Create($Site)
$FTPreq.Timeout = $TimeOut # msec (default is infinite)
$FTPreq.ReadWriteTimeout = $ReadWriteTimeout # msec (default is 300,000 - 5 mins)
$FTPreq.KeepAlive = $false # (default is enabled)
$FTPreq.Credentials = New-Object System.Net.NetworkCredential($User,$Pass)
$FTPreq.Method = [System.Net.WebRequestMethods+FTP]::ListDirectory
try
{
$FTPres = $FTPreq.GetResponse()
Write-Host "$User _ $Pass OK"
$success = $true
#Write-Host $FTPres.StatusCode -nonewline
#Write-Host $FTPres.StatusDescription
$FTPres.Close()
}
catch
{
Write-Host "FAILED: $_"
$success = $false
}
}
