Python黑帽子 黑客與滲透測試程式設計之道(四)建立一個TCP代理
阿新 • • 發佈:2018-12-19
TCP代理不僅可以將流量從一個主機轉發給另一個主機,而且可以評估基於網路的軟體。在企業級環境下進行滲透測試時,你會經常遇到無法使用Wireshark的情況,無法再Windows系統上載入驅動嗅探本地流量,分段的網路也阻止你使用工具直接嗅探目標主機。作者經常在實際案例中部署簡單的TCP代理以瞭解未知的協議,修改傳送到應用的資料包,或者為模糊測試建立一個測試環境。
程式碼如下:
import sys import socket import threading def server_loop(local_host,local_port,remote_host,remote_port,receive_first): server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: server.bind((local_host,local_port)) except: print "[!!] Failed to listen on %s:%d" % (local_host, local_port) print "[!!] Check for other listening sockets or correct permissions." sys.exit(0) print "[*] Listening on %s:%d" % (local_host, local_port) server.listen(5) while True: client_socket, addr = server.accept() # print the connected data of local print "[==>] Received incoming connection from %s:%d" % (addr[0],addr[1]) # open a thread to connect with computer proxy_thread = threading.Thread(target=proxy_handler,args=(client_socket,remote_host,remote_port,receive_first)) proxy_thread.start() def proxy_handler(client_socket, remote_host,remote_port,receive_first): # connect the computer remote_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) remote_socket.connect((remote_host,remote_port)) # get data from computer if receive_first: remote_buffer = receive_from(remote_socket) hexdump(remote_buffer) # handler the things that had been sent remote_buffer = response_handler(remote_buffer) # send the data if we hava to send to client if len(remote_buffer): print "[<==] Sending %d bytes to localhost." % len(remote_buffer) client_socket.send(remote_buffer) # read the data from local, then send to localhost and host while True: # get data from local local_buffer = receive_from(client_socket) if len(local_buffer): print "[<==] Received %d bytes from localhost." % len(local_buffer) hexdump(local_buffer) # send to local local_buffer = request_handler(local_buffer) # send to computer remote_socket.send(local_buffer) print "[==>] Sent to remote." # get the data that answer remote_buffer = receive_from(remote_socket) if len(remote_buffer): print "[<==] Received %d bytes from remote." % len(remote_buffer) hexdump(remote_buffer) # send to response to handle the data remote_buffer = response_handler(remote_buffer) client_socket.send(remote_buffer) print "[==>] Sent to localhost." if not len(local_buffer) or not len(remote_buffer): client_socket.close() remote_socket.close() print "[*] No more data. Closing connections." break def hexdump(src, length=16): result = [] digits = 4 if isinstance(src, unicode) else 2 for i in xrange(0, len(src), length): s = src[i:i+length] hexa = b' '.join(["%0*X" % (digits, ord(x)) for x in s]) text = b' '.join([x if 0x20 <= ord(x) < 0x7F else b'.' for x in s]) result.append( b"%04X %-*s %s" % (i, length*(digits + 1), hexa,text)) print b'\n'.join(result) def receive_from(connection): buffer = "" connection.settimeout(2) try: while True: data = connection.recv(4096) if not data: break buffer += data except: pass return buffer def request_handler(buffer): return buffer def response_handler(buffer): return buffer def main(): # no fancy command line parsing here if len(sys.argv[1:]) != 5: print "Usage: ./proxy.py [localhost] [localport] [remotehost] [remoteport] [receive_first]" print "Example: ./proxy.py 127.0.0.1 9000 10.12.132.1 9000 True" sys.exit(0) # setup local listening parameters local_host = sys.argv[1] local_port = int(sys.argv[2]) # setup remote target remote_host = sys.argv[3] remote_port = int(sys.argv[4]) # this tells our proxy to connect and receive data # before sending to the remote host receive_first = sys.argv[5] if "True" in receive_first: receive_first = True else: receive_first = False # now spin up our listening socket server_loop(local_host,local_port,remote_host,remote_port,receive_first) main()
書上的測試程式碼是:
[email protected]:~# sudo python ./proxy.py 127.0.0.1 21 ftp.target.ca 21 True
[*] Listening on 127.0.0.1:21
一直沒反應,書上說的是,需要將代理指向真實的FTP伺服器,這樣才能獲得實際的響應。
之後搜尋了一番,在另一個博主這看到了別的測試方法。
在終端輸入以上句子後,在瀏覽器開啟百度,就會有反饋資料:
但是一開始開啟瀏覽器不會有迴應,因為還沒把埠設定為80,按照以下步驟設定,可以得到結果: