最近的测试项目中,由于目标的资产太庞大,3000+个IP,端口扫描情况也是多的难以下手,我首先先人工大概过了一遍敏感端口,一遍下来明显吃不消,这样的人力排查既费时又费力,还存在疏漏,所以写了个脚本,针对web进行内容进行探测,减少了人工确认的工作。
import nmap
import requests
import multiprocessing
from bs4 import BeautifulSoup
headers = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36'}
def scan_port(ip):
nm=nmap.PortScanner()
tmp=nm.scan(ip,'80','-sS -Pn')
#print(tmp['scan'].items())
#print('**'*10)
for host,result in tmp['scan'].items():
#print(host)
#print(result['tcp'])
if result['status']['state'] == 'up':
for port in result['tcp']:
if result['tcp'][port]['state'] == 'open':
print('ip: '+f'\033[35m{host}\033[0m'+' TCP端口号:'+str(port)+' state:'+result['tcp'][port]['state'] + ' service: '+result['tcp'][port]['name'])
get_content(host)
'''
print('状态:' + result['udp'][port]['state'])
print('原因:' + result['udp'][port]['reason'])
print('额外信息:' + result['udp'][port]['extrainfo'])
print('名字:' + result['udp'][port]['name'])
print('版本:' + result['udp'][port]['version'])
print('产品:' + result['udp'][port]['product'])
print('CPE:' + result['udp'][port]['cpe'])
print('脚本:' + result['udp'][port]['script'])
'''
def get_content(host):
response = requests.get('http://' + host, headers=headers,verify=False)
response.encoding = response.apparent_encoding
soup = BeautifulSoup(response.text, 'lxml')
if soup.title == None:
print('content:'+f'\033[35m{response.text}\033[0m')
else:
print('content:' + f'\033[35m{soup.title.string}\033[0m')
if __name__ == '__main__':
iplist=open("ipList.txt","r")
for ip in iplist:
ip=ip.strip('\n')
scan_port(ip)
print("All of the IP have been scanned ,Task Done")
效果如下:
image.png
其实还可以加上协程等方式提高脚本的运行速度,脚本有待改进,目前能用就行。
网友评论