编写远控软件(todesk、teamviewer、anydesk、parsec)的suricata规则-测试(9001317-9001327)
1.主机A开启服务
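import socket
import threading

# TCP ports answered with a canned HTTP 200: 443 (the ToDesk / Sunlogin / Parsec
# hostname probes), 5938 (TeamViewer), 6568 (AnyDesk), 21115-21119 (RustDesk).
TCP_PORTS = [443, 5938, 6568, 21115, 21116, 21117, 21118, 21119]
# UDP ports that get a fixed reply: 21116 (RustDesk rendezvous), 3389 (RDP over UDP).
UDP_PORTS = [21116, 3389]
# Bind every interface so host B can reach the sinks; tighten this to the lab
# interface address if the machine is reachable from anywhere else.
BIND_ADDR = "0.0.0.0"
# Canned RDP Connection Confirm returned on TCP 3389:
#   TPKT header : version 3, reserved, length 0x0013 = 19 bytes in total
#   X.224 CC    : LI 0x0e (14 bytes follow), code 0xd0, dst-ref, src-ref, class
#   RDP_NEG_RSP : type 0x02, flags, length 8, selectedProtocol (4 bytes)
# The original listing stopped one byte short of its own length fields (18 bytes
# for a 19-byte TPKT, 7 for an 8-byte RDP_NEG_RSP); the trailing 00 makes the
# PDU self-consistent so a length-checking parser sees a complete response.
RDP_NEG_RSP = bytes.fromhex(
    "03 00 00 13 "
    "0e d0 00 00 12 34 56 "
    "02 00 08 00 00 00 00 00"
)
# Fixed UDP answers per port; ports without an entry are logged but not answered.
UDP_REPLIES = {
    21116: b"RUSTDESK-UDP-REPLY-ABCDEFGHIJKLMNOP",
    3389: b"RDP-UDP-REPLY-ABCDEFGHIJKLMNOP",
}
# Minimal complete HTTP response so a probing client sees a well-formed reply.
HTTP_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nOK"


def _serve_tcp(port, banner, respond):
    """Run a one-shot TCP responder on *port* until the process exits.

    Args:
        port: TCP port to listen on (bound to BIND_ADDR).
        banner: line printed once the socket is listening.
        respond: callable(conn) that writes the canned reply to the accepted socket.

    Each accepted connection is read once (up to 4096 bytes; the payload itself is
    only logged by length), answered via *respond*, then closed. An error on one
    connection is printed and does not stop the listener.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((BIND_ADDR, port))
        srv.listen(50)
        print(banner)
        while True:
            conn, addr = srv.accept()
            with conn:
                try:
                    data = conn.recv(4096)
                    print(f"[TCP {port}] from {addr} len={len(data)}")
                    respond(conn)
                except Exception as e:
                    print(f"[TCP {port}] error: {e}")


def _reply_http(conn, port):
    """Send HTTP_OK on *conn*; a peer that already hung up is logged, not raised."""
    try:
        conn.sendall(HTTP_OK)
    except OSError as e:
        # The probes are fire-and-forget (`printf ... | nc`), so the client may be
        # gone before the reply goes out; that is expected, not an error.
        print(f"[TCP {port}] reply skipped: {e}")


def tcp_sink(port):
    """Listen on TCP *port* and answer each connection with HTTP_OK.

    Port 3389 gets RDP_NEG_RSP instead, so the sink can stand in for tcp_rdp()
    if it is ever started on that port.
    """
    def respond(conn):
        if port == 3389:
            conn.sendall(RDP_NEG_RSP)
        else:
            _reply_http(conn, port)

    _serve_tcp(port, f"[+] TCP sink listen {port}", respond)


def tcp_rdp():
    """Listen on TCP 3389 and answer each connection with the canned RDP Connection Confirm."""
    _serve_tcp(3389, "[+] TCP RDP listen 3389", lambda conn: conn.sendall(RDP_NEG_RSP))


def udp_echo(port):
    """Log every datagram on UDP *port* and send the fixed reply for that port, if any.

    Socket errors (e.g. a ConnectionResetError that some platforms surface after an
    ICMP unreachable for an earlier sendto) are printed and the loop continues, so
    one bad peer cannot end the listener thread.
    """
    reply = UDP_REPLIES.get(port)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((BIND_ADDR, port))
        print(f"[+] UDP listen {port}")
        while True:
            try:
                data, addr = s.recvfrom(4096)
                print(f"[UDP {port}] from {addr} len={len(data)}")
                if reply is not None:
                    s.sendto(reply, addr)
            except OSError as e:
                print(f"[UDP {port}] error: {e}")


def main():
    """Start one daemon thread per sink and block until the process is killed."""
    for p in TCP_PORTS:
        threading.Thread(target=tcp_sink, args=(p,), daemon=True).start()
    threading.Thread(target=tcp_rdp, daemon=True).start()
    for p in UDP_PORTS:
        threading.Thread(target=udp_echo, args=(p,), daemon=True).start()
    # Daemon threads end with the main thread, so park it indefinitely.
    threading.Event().wait()


if __name__ == "__main__":
    main()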
2.主机B发送测试请求
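# Probes sent from host B to the sinks on host A (10.66.66.1). Each heading names
# the Suricata SID the probe is expected to trigger; check the sensor's alert
# log after every step. The step labels were bare text in the original listing
# and would fail as commands; they are comments here so the file runs as a script.

# 1. 测试 9001328 - TeamViewer router hostname on the TeamViewer port
printf 'router17.teamviewer.com\r\n' | nc 10.66.66.1 5938

# 2. 测试 9001329 - ToDesk hostname on 443, two probes on purpose
printf 'todesk.com\r\n' | nc 10.66.66.1 443
printf 'todesk.com\r\n' | nc 10.66.66.1 443

# 3. 测试 9001335 - AnyDesk relay hostname on the AnyDesk port
printf 'relay-1.net.anydesk.com\r\n' | nc 10.66.66.1 6568

# 4. 测试 9001342 - two opaque payloads on the AnyDesk port
printf 'AAAA\r\n' | nc 10.66.66.1 6568
printf 'BBBB\r\n' | nc 10.66.66.1 6568

# 5. 测试 9001336 - RustDesk hostname on the RustDesk rendezvous port
printf 'rustdesk.com\r\n' | nc 10.66.66.1 21116

# 6. 测试 9001337 - Sunlogin hostname on 443
printf 'sunlogin.oray.com\r\n' | nc 10.66.66.1 443

# 7. 测试 9001338 - Parsec hostname on 443
printf 'parsec.app\r\n' | nc 10.66.66.1 443

# 8. 测试 9001339-9001341 - RDP connection request carrying an mstshash cookie.
# NOTE(review): the TPKT length field (0x2f = 47) exceeds the 42 bytes actually
# sent, the X.224 LI byte is 0x00, and the trailing RDP_NEG_REQ lacks its 4-byte
# requestedProtocols field. The sink does not care, but a parser that validates
# lengths may; confirm these SIDs match on the cookie alone before relying on it.
python3 - <<'PY'
import socket

payload = (
    b"\x03\x00\x00\x2f\x00\xe0"
    b"\x00\x00\x00\x00\x00"
    b"Cookie: mstshash=testuser\r\n"
    b"\x01\x00\x08\x00"
)
with socket.socket() as s:
    s.connect(("10.66.66.1", 3389))
    s.sendall(payload)
    print(s.recv(1024))
PY

# 9. 测试 9001330 - single-byte multicast datagram; TTL 1 keeps it on the local link
python3 - <<'PY'
import socket

with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    s.sendto(b"\x00", ("239.255.102.18", 50001))
PY

# 10. 测试 9001331-9001332 - RustDesk-style UDP probe; expects host A's UDP sink
# to answer within the 3 s timeout
python3 - <<'PY'
import socket

with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
    s.settimeout(3)
    s.sendto(b"RUSTDESK-TEST-ABCDEFGHIJKLMN", ("10.66.66.1", 21116))
    print(s.recvfrom(2048))
PY

# 11. 测试 9001333-9001334 - RDP-over-UDP probe, same shape as step 10
python3 - <<'PY'
import socket

with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
    s.settimeout(3)
    s.sendto(b"RDP-UDP-TEST-ABCDEFGHIJKLMN", ("10.66.66.1", 3389))
    print(s.recvfrom(2048))
PY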
