Python大法之告别脚本小子---信息资产收集类脚本编写

端口扫描，顾名思义，就是逐个对一段端口或指定的端口进行扫描。通过扫描结果可以知道一台计算机上都提供了哪些服务，然后就可以通过所提供的这些服务的己知漏洞就可进行攻击。其原理是当一个主机向远端一个服务器的某一个端口提出建立一个连接的请求，如果对方有此项服务，就会应答，如果对方未安装此项服务时，即使你向相应的端口发出请求，对方仍无应答，利用这个原理，如果对所有熟知端口或自己选定的某个范围内的熟知端口分别建立连接，并记录下远端服务器所给予的应答，通过查看一记录就可以知道目标服务器上都安装了哪些服务，这就是端口扫描，通过端口扫描，就可以搜集到很多关于目标主机的各种很有参考价值的信息。例如，对方是否提供FPT服务、WWW服务或其它服务。

代理服务器常用以下端口：
⑴. HTTP协议代理服务器常用端口号：80/8080/3128/8081/9080
⑵. SOCKS代理协议服务器常用端口号：1080
⑶. FTP（文件传输）协议代理服务器常用端口号：21
⑷. Telnet（远程登录）协议代理服务器常用端口：23
HTTP服务器，默认的端口号为80/tcp（木马Executor开放此端口）；
HTTPS（securely transferring web pages）服务器，默认的端口号为443/tcp 443/udp；
Telnet（不安全的文本传送），默认端口号为23/tcp（木马Tiny Telnet Server所开放的端口）；
FTP，默认的端口号为21/tcp（木马Doly Trojan、Fore、Invisible FTP、WebEx、WinCrash和Blade Runner所开放的端口）；
TFTP（Trivial File Transfer Protocol），默认的端口号为69/udp；
SSH（安全登录）、SCP（文件传输）、端口重定向，默认的端口号为22/tcp；
SMTP Simple Mail Transfer Protocol (E-mail），默认的端口号为25/tcp（木马Antigen、Email Password Sender、Haebu Coceda、Shtrilitz Stealth、WinPC、WinSpy都开放这个端口）；
POP3 Post Office Protocol (E-mail) ，默认的端口号为110/tcp；
WebLogic，默认的端口号为7001；
Webshpere应用程序，默认的端口号为9080；
webshpere管理工具，默认的端口号为9090；
JBOSS，默认的端口号为8080；
TOMCAT，默认的端口号为8080；
WIN2003远程登陆，默认的端口号为3389；
Symantec AV/Filter for MSE,默认端口号为 8081；
Oracle 数据库，默认的端口号为1521；
ORACLE EMCTL，默认的端口号为1158；
Oracle XDB（XML 数据库），默认的端口号为8080；
Oracle XDB FTP服务，默认的端口号为2100；
MS SQL*SERVER数据库server，默认的端口号为1433/tcp 1433/udp；
MS SQL*SERVER数据库monitor，默认的端口号为1434/tcp 1434/udp；
QQ，默认的端口号为1080/udp
等等，更具体的去百度吧，啊哈哈

OPEN  --端口是开放的，可以访问，有进程
CLOSED  --端口不会返回任何东西..可能有waf
FILTERED  --可以访问，但是没有程序监听

C:\Users\Administrator>nmap -sV localhost
Starting Nmap 7.70 ( [url]https://nmap.org[/url] ) at 2018-07-03 17:10 ?D1ú±ê×?ê±??
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00053s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 990 closed ports
PORT      STATE SERVICE           VERSION
80/tcp    open  http              Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
135/tcp   open  msrpc             Microsoft Windows RPC
443/tcp   open  ssl/https         VMware Workstation SOAP API 14.1.1
445/tcp   open  microsoft-ds      Microsoft Windows 7 - 10 microsoft-ds (workgroup: WorkGroup)
903/tcp   open  ssl/vmware-auth   VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
1080/tcp  open  http-proxy        Polipo
3306/tcp  open  mysql             MySQL 5.5.53
8088/tcp  open  radan-http?
10000/tcp open  snet-sensor-mgmt?
65000/tcp open  tcpwrapped

#-*- coding: UTF-8 -*-
import socket

def Get_ip(domain):
try:
return socket.gethostbyname(domain)
except socket.error,e:
print '%s: %s'%(domain,e)
return 0

def PortScan(ip):
result_list=list()
port_list=range(1,65535)
for port in port_list:
try:
s=socket.socket()
s.settimeout(0.1)
s.connect((ip,port))
openstr= " PORT:"+str(port) +" OPEN "
print openstr
result_list.append(port)
s.close()
except:
pass
print result_list
def main():
domain = raw_input("PLEASE INPUT YOUR TARGET:")
ip = Get_ip(domain)
print 'IP:'+ip
PortScan(ip)
if __name__=='__main__':
main()

#-*- coding: UTF-8 -*-
import socket
import threading

lock = threading.Lock()
threads = []
def Get_ip(domain):
try:
return socket.gethostbyname(domain)
except socket.error,e:
print '[-]%s: %s'%(domain,e)
return 0

def PortScan(ip,port):
try:
s=socket.socket()
s.settimeout(0.1)
s.connect((ip,port))
lock.acquire()
openstr= "[-] PORT:"+str(port) +" OPEN "
print openstr
lock.release()
s.close()
except:
pass
def main():
banner = '''
_
_ __   ___  _ __| |_ ___  ___ __ _ _ __
| '_ \ / _ \| '__| __/ __|/ __/ _` | '_ \
| |_) | (_) | |  | |_\__ \ (_| (_| | | | |
| .__/ \___/|_|   \__|___/\___\__,_|_| |_|
|_|

'''
print banner
domain = raw_input("PLEASE INPUT YOUR TARGET:")
ip = Get_ip(domain)
print '[-] IP:'+ip
for n in range(1,76):
for p in range((n-1)*880,n*880):
t = threading.Thread(target=PortScan,args=(ip,p))
threads.append(t)
t.start()

for t in threads:
t.join()
print ' This scan completed !'
if __name__=='__main__':
main()

#-*- coding: UTF-8 -*-
import requests
import re
import sys

def writtarget(target):
print target
file = open('result.txt','a')
with file as f:
f.write(target+'\n')

file.close()


def targetopen(httptarget , httpstarget):


header = {
'Connection': 'keep-alive',
'Pragma': 'no-cache',
'Cache-Control': 'no-cache',
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'DNT': '1',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8'
}

try:
reponse_http = requests.get(httptarget, timeout=3, headers=header)
code_http = reponse_http.status_code


if (code_http == 200):
httptarget_result = re.findall('//.*', httptarget)

writtarget(httptarget_result[0][2:])

else:
reponse_https = requests.get(httpstarget, timeout=3, headers=header)
code_https = reponse_https.status_code
if (code_https == 200):
httpstarget_result = re.findall('//.*', httpstarget)

writtarget(httpstarget_result[0][2:])


except:
pass

def domainscan(target):

f = open('domain.txt','r')
for line in f:
httptarget_result = 'http://'+ line.strip() + '.'+target
httpstarget_result = 'https://'+ line.strip() + '.'+target

targetopen(httptarget_result, httpstarget_result)

f.close()

if __name__ == "__main__":
print ' ____                        _       ____             _       '
print '|  _ \  ___  _ __ ___   __ _(_)_ __ | __ ) _ __ _   _| |_ ___ '
print "| | | |/ _ \| '_ ` _ \ / _` | | '_ \|  _ \| '__| | | | __/ _ \  "
print "| |_| | (_) | | | | | | (_| | | | | | |_) | |  | |_| | ||  __/"
print '|____/ \___/|_| |_| |_|\__,_|_|_| |_|____/|_|   \__,_|\__\___|'

file = open('result.txt','w+')
file.truncate()
file.close()
target = raw_input('PLEASE INPUT YOUR DOMAIN(Eg:ichunqiu.com):')
print 'Starting.........'
domainscan(target)
print 'Done ! Results in result.txt'

#-*-coding:utf-8-*-
import requests
import re
key="qq.com"
sites=[]
match='style="text-decoration:none;">(.*?)/'
for i in range(48):
i=i*10
url="http://www.baidu.com.cn/s?wd=site:"+key+"&cl=3&pn=%s"%i
response=requests.get(url).content
subdomains=re.findall(match,response)
sites += list(subdomains)
site=list(set(sites))   #set()实现去重
print site
print "The number of sites is %d"%len(site)
for i in site:
print i

import requests
import re
import sys

def get(domain):
url = 'http://i.links.cn/subdomain/'
payload = ("domain={domain}&b2=1&b3=1&b4=1".format(domain=domain))
r = requests.post(url=url,params=payload)
con = r.text.encode('ISO-8859-1')
a = re.compile('value="(.+?)"> result = a.findall(con)
list = '\n'.join(result)
print list
if __name__ == '__main__':
command= sys.argv[1:]
f = "".join(command)
get(f)

1：网页中发现关键字
2：特定文件的MD5（主要是静态文件、不一定要是MD5）
3：指定URL的关键字
4：指定URL的TAG模式

#-*- coding: UTF-8 -*-
import requests
import json

def what_cms(url):
headers = {
'Connection': 'keep-alive',
'Pragma': 'no-cache',
'Cache-Control': 'no-cache',
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36',

'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'DNT': '1',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8'
}
post={
'hash':'0eca8914342fc63f5a2ef5246b7a3b14_7289fd8cf7f420f594ac165e475f1479',
'url':url,
}
r=requests.post(url='http://whatweb.bugscaner.com/what/',