Scapy构建telnet包
文件代码
老师的
from scapy.all import *
#我发第一次握手SYN
ws1=IP(dst="172.16.100.101")/TCP(sport=10000,dport=23,flags='S',seq=1000)
#对方发第二次握手 SA 包
ws2=sr1(ws1)
#我发第三次握手ack包
ws3=IP(dst="172.16.100.101")/TCP(sport=10000,dport=23,flags='A',seq=ws2.ack,ack=ws2.seq+1)
send(ws3)
user_data = b"user1\r\n"
pass_data = b"password1\r\n"
ws4 = IP(dst="172.16.100.101")/TCP(sport=10000,dport=23,flags='PA',seq=ws2.ack,ack=ws2.seq+1)/user_data
ws5 = sr1(ws4)
seq_after_user = ws2.ack + len(user_data)
ws6 = IP(dst="172.16.100.101")/TCP(sport=10000,dport=23,flags='PA',seq=seq_after_user,ack=ws2.seq+1)/pass_data
ws7 = sr1(ws6)
seq_after_pass = seq_after_user + len(pass_data)
cmd_data = b"cat /tmp/test.txt\r\n"
ws8 = IP(dst="172.16.100.101")/TCP(sport=10000,dport=23,flags='PA',seq=seq_after_pass,ack=ws2.seq+1)/cmd_data
ws9 = sr1(ws8)
print(ws9[Raw].load)
其他
from scapy.all import *
import socket
import time
target_ip = "192.168.17.129"
target_port = 23
username = "hxl17"
password = "hxl17"
# 方法1: 使用socket建立连接并发送数据
def telnet_socket_method():
try:
print("[*] Trying socket method...")
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(10)
sock.connect((target_ip, target_port))
print("[+] Socket connected")
# 接收初始数据
initial = sock.recv(1024)
print(f"[+] Initial data: {initial}")
# 发送用户名
sock.send(f"{username}\r\n".encode())
time.sleep(1)
response = sock.recv(1024)
print(f"[+] After username: {response}")
# 发送密码
sock.send(f"{password}\r\n".encode())
time.sleep(1)
response = sock.recv(1024)
print(f"[+] After password: {response}")
# 发送命令
sock.send(b"cat /tmp/test.txt\r\n")
time.sleep(2)
# 接收命令输出
output = sock.recv(4096)
print("=" * 50)
print("COMMAND OUTPUT:")
print(output.decode('utf-8', errors='ignore'))
print("=" * 50)
sock.close()
return True
except Exception as e:
print(f"[-] Socket method failed: {e}")
return False
# 方法2: 使用Scapy但简化选项协商
def telnet_scapy_simple():
print("[*] Trying simplified Scapy method...")
# TCP三次握手
sport = random.randint(1024, 65535)
ip = IP(dst=target_ip)
syn = ip/TCP(sport=sport, dport=target_port, flags="S", seq=1000)
syn_ack = sr1(syn, timeout=5, verbose=0)
if not syn_ack:
print("[-] Connection failed")
return False
# 完成握手
ack = ip/TCP(sport=sport, dport=target_port, flags="A",
seq=syn_ack[TCP].ack, ack=syn_ack[TCP].seq+1)
send(ack, verbose=0)
seq = syn_ack[TCP].ack
ack_seq = syn_ack[TCP].seq + 1
# 接收初始数据但不处理选项
print("[*] Receiving initial data...")
initial = sr1(ip/TCP(sport=sport, dport=target_port, flags="A",
seq=seq, ack=ack_seq), timeout=5, verbose=0)
if initial and initial.haslayer(TCP):
ack_seq = initial[TCP].seq + (len(initial[TCP].payload) if initial[TCP].payload else 0)
print(f"[+] Received initial data, length: {len(initial[TCP].payload) if initial[TCP].payload else 0}")
# 直接发送所有认证数据
auth_data = f"{username}\r\n".encode() + f"{password}\r\n".encode()
auth_pkt = ip/TCP(sport=sport, dport=target_port, flags="PA",
seq=seq, ack=ack_seq)/auth_data
auth_resp = sr1(auth_pkt, timeout=5, verbose=0)
if auth_resp:
seq += len(auth_data)
ack_seq = auth_resp[TCP].seq + (len(auth_resp[TCP].payload) if auth_resp[TCP].payload else 0)
print("[+] Authentication sent")
# 等待一下让服务器处理认证
time.sleep(2)
# 发送命令
cmd_pkt = ip/TCP(sport=sport, dport=target_port, flags="PA",
seq=seq, ack=ack_seq)/b"cat /tmp/test.txt\r\n"
cmd_resp = sr1(cmd_pkt, timeout=5, verbose=0)
if cmd_resp:
print("[+] Command response received")
if cmd_resp.haslayer(TCP) and cmd_resp[TCP].payload:
output = cmd_resp[TCP].payload.load
print("=" * 50)
print("COMMAND OUTPUT:")
print(output.decode('utf-8', errors='ignore'))
print("=" * 50)
return True
else:
print("[-] No command response")
return False
# 方法3: 使用Scapy嗅探模式
def telnet_scapy_sniff():
print("[*] Trying Scapy sniff method...")
sport = random.randint(1024, 65535)
ip = IP(dst=target_ip)
# 建立连接
syn = ip/TCP(sport=sport, dport=target_port, flags="S", seq=1000)
syn_ack = sr1(syn, timeout=5, verbose=0)
if not syn_ack:
return False
ack = ip/TCP(sport=sport, dport=target_port, flags="A",
seq=syn_ack[TCP].ack, ack=syn_ack[TCP].seq+1)
send(ack, verbose=0)
seq = syn_ack[TCP].ack
ack_seq = syn_ack[TCP].seq + 1
# 定义包处理函数
responses = []
def process_packet(pkt):
if pkt.haslayer(TCP) and pkt[TCP].sport == target_port and pkt[TCP].dport == sport:
if pkt[TCP].payload:
payload = bytes(pkt[TCP].payload)
# 过滤掉选项协商数据
if b'\xff' not in payload or len(payload) > 3:
responses.append(payload)
print(f"Received: {payload}")
# 开始嗅探
print("[*] Starting packet capture...")
sniff_thread = threading.Thread(target=lambda: sniff(filter=f"tcp and host {target_ip} and port {target_port}",
prn=process_packet, timeout=10))
sniff_thread.start()
# 发送数据
time.sleep(1)
# 发送用户名
user_pkt = ip/TCP(sport=sport, dport=target_port, flags="PA", seq=seq, ack=ack_seq)/f"{username}\r\n".encode()
send(user_pkt, verbose=0)
seq += len(f"{username}\r\n".encode())
time.sleep(1)
# 发送密码
pass_pkt = ip/TCP(sport=sport, dport=target_port, flags="PA", seq=seq, ack=ack_seq)/f"{password}\r\n".encode()
send(pass_pkt, verbose=0)
seq += len(f"{password}\r\n".encode())
time.sleep(2)
# 发送命令
cmd_pkt = ip/TCP(sport=sport, dport=target_port, flags="PA", seq=seq, ack=ack_seq)/b"cat /tmp/test.txt\r\n"
send(cmd_pkt, verbose=0)
time.sleep(3)
sniff_thread.join()
# 输出结果
if responses:
print("=" * 50)
print("ALL RESPONSES:")
for i, resp in enumerate(responses):
print(f"Response {i+1}: {resp.decode('utf-8', errors='ignore')}")
print("=" * 50)
return True
else:
print("[-] No responses captured")
return False
# 主程序
if __name__ == "__main__":
print(f"[*] Testing Telnet to {target_ip}")
print(f"[*] Username: {username}, Password: {password}")
# 先尝试socket方法
print("\n" + "="*60)
print("METHOD 1: Socket-based Telnet")
print("="*60)
if not telnet_socket_method():
print("\n" + "="*60)
print("METHOD 2: Simplified Scapy")
print("="*60)
if not telnet_scapy_simple():
print("\n" + "="*60)
print("METHOD 3: Scapy with Sniffing")
print("="*60)
import threading
telnet_scapy_sniff()
======================================
from scapy.all import *
import random
target_ip = "192.168.17.129"
target_port = 23
source_port = random.randint(1024, 65535)
username = "hxl17"
password = "hxl17"
print(f"[*] Starting Telnet connection to {target_ip}:{target_port}")
print(f"[*] Username: {username}, Password: {password}")
print(f"[*] Source port: {source_port}")
# TCP三次握手建立连接
ip = IP(dst=target_ip)
syn = ip / TCP(sport=source_port, dport=target_port, flags="S", seq=1000)
print("[*] Sending SYN packet...")
syn_ack = sr1(syn, timeout=5, verbose=0)
if not syn_ack:
print("[-] No SYN-ACK received - connection failed")
exit()
print("[+] Received SYN-ACK")
server_seq = syn_ack[TCP].seq
server_ack = syn_ack[TCP].ack
ack = ip / TCP(sport=source_port, dport=target_port, flags="A", seq=server_ack, ack=server_seq + 1)
send(ack, verbose=0)
print("[+] TCP connection established")
# 初始化序列号
seq = server_ack
ack_seq = server_seq + 1
def handle_telnet_options(payload, current_seq, current_ack_seq):
"""处理Telnet选项协商"""
i = 0
new_seq = current_seq
while i < len(payload):
if payload[i] == 0xFF: # IAC字节
if i + 1 < len(payload):
cmd = payload[i+1]
if cmd == 250: # SB (子选项开始)
# 跳过整个子选项直到SE (240)
j = i + 2
while j < len(payload) and not (payload[j] == 0xFF and j+1 < len(payload) and payload[j+1] == 240):
j += 1
i = j + 2 if j + 2 <= len(payload) else len(payload)
elif cmd == 240: # SE (子选项结束)
i += 2
elif i + 2 < len(payload): # 标准选项协商
opt = payload[i+2]
# 对选项协商进行回复
if cmd == 251: # WILL
response = bytes([0xFF, 253, opt]) # DO
elif cmd == 252: # WONT
response = bytes([0xFF, 254, opt]) # DONT
elif cmd == 253: # DO
response = bytes([0xFF, 251, opt]) # WILL
elif cmd == 254: # DONT
response = bytes([0xFF, 252, opt]) # WONT
else:
response = bytes([0xFF, 252, opt]) # 默认回复WONT
# 发送选项协商响应
option_pkt = IP(dst=target_ip)/TCP(sport=source_port, dport=target_port, flags="PA", seq=new_seq, ack=current_ack_seq)/response
send(option_pkt, verbose=0)
new_seq += len(response)
i += 3
else:
i += 1
else:
i += 1
else:
i += 1
return new_seq
# 接收并处理服务器的初始数据
print("[*] Receiving server initial data...")
initial = sr1(IP(dst=target_ip)/TCP(sport=source_port, dport=target_port, flags="A", seq=seq, ack=ack_seq), timeout=5, verbose=0)
if initial and initial.haslayer(TCP) and initial[TCP].payload:
payload_data = bytes(initial[TCP].payload)
ack_seq = initial[TCP].seq + len(payload_data)
print(f"[+] Server initial data received (length: {len(payload_data)})")
print(f"[*] Raw data: {payload_data}")
# 处理选项协商
seq = handle_telnet_options(payload_data, seq, ack_seq)
# 发送用户名(不等待提示,直接发送)
print(f"[*] Sending username: {username}")
username_pkt = IP(dst=target_ip)/TCP(sport=source_port, dport=target_port, flags="PA", seq=seq, ack=ack_seq)/f"{username}\r\n".encode()
user_resp = sr1(username_pkt, timeout=5, verbose=0)
seq += len(f"{username}\r\n".encode())
if user_resp and user_resp.haslayer(TCP) and user_resp[TCP].payload:
payload_data = bytes(user_resp[TCP].payload)
ack_seq = user_resp[TCP].seq + len(payload_data)
print(f"[+] After username response: {payload_data}")
# 处理可能的选项协商
seq = handle_telnet_options(payload_data, seq, ack_seq)
# 发送密码(不等待提示,直接发送)
print(f"[*] Sending password: {password}")
password_pkt = IP(dst=target_ip)/TCP(sport=source_port, dport=target_port, flags="PA", seq=seq, ack=ack_seq)/f"{password}\r\n".encode()
pass_resp = sr1(password_pkt, timeout=5, verbose=0)
seq += len(f"{password}\r\n".encode())
if pass_resp and pass_resp.haslayer(TCP) and pass_resp[TCP].payload:
payload_data = bytes(pass_resp[TCP].payload)
ack_seq = pass_resp[TCP].seq + len(payload_data)
print(f"[+] After password response: {payload_data}")
# 处理可能的选项协商
seq = handle_telnet_options(payload_data, seq, ack_seq)
# 等待登录成功和命令提示符
print("[*] Waiting for login success and command prompt...")
time.sleep(2) # 给服务器一些时间处理登录
# 检查是否有待接收的数据
prompt_check = sr1(IP(dst=target_ip)/TCP(sport=source_port, dport=target_port, flags="A", seq=seq, ack=ack_seq), timeout=3, verbose=0)
if prompt_check and prompt_check.haslayer(TCP) and prompt_check[TCP].payload:
payload_data = bytes(prompt_check[TCP].payload)
ack_seq = prompt_check[TCP].seq + len(payload_data)
print(f"[+] Prompt received: {payload_data.decode('utf-8', errors='ignore')}")
# 发送cat命令
print("[*] Sending command: cat /tmp/test.txt")
cmd_pkt = IP(dst=target_ip)/TCP(sport=source_port, dport=target_port, flags="PA", seq=seq, ack=ack_seq)/b"cat /tmp/test.txt\r\n"
cmd_resp = sr1(cmd_pkt, timeout=5, verbose=0)
seq += len(b"cat /tmp/test.txt\r\n")
if cmd_resp:
print("[+] Command response received!")
if cmd_resp.haslayer(TCP) and cmd_resp[TCP].payload:
payload_data = bytes(cmd_resp[TCP].payload)
print("=" * 50)
print("COMMAND OUTPUT:")
output = payload_data.decode('utf-8', errors='ignore')
print(output)
print("=" * 50)
else:
print("[-] Response has no payload")
else:
print("[-] No response received for command")
# 尝试多次接收可能的输出
print("[*] Checking for additional command output...")
for i in range(5):
additional = sr1(IP(dst=target_ip)/TCP(sport=source_port, dport=target_port, flags="A", seq=seq, ack=ack_seq), timeout=2, verbose=0)
if additional and additional.haslayer(TCP) and additional[TCP].payload:
payload_data = bytes(additional[TCP].payload)
ack_seq = additional[TCP].seq + len(payload_data)
output = payload_data.decode('utf-8', errors='ignore')
print(f"Additional output {i+1}: {output}")
if output.strip(): # 如果有实际内容,显示出来
print("ACTUAL OUTPUT:", output)
else:
break
# 关闭连接
print("[*] Closing connection...")
fin = IP(dst=target_ip)/TCP(sport=source_port, dport=target_port, flags="FA", seq=seq, ack=ack_seq)
fin_ack = sr1(fin, timeout=3, verbose=0)
if fin_ack:
last_ack = IP(dst=target_ip)/TCP(sport=source_port, dport=target_port, flags="A", seq=fin_ack.ack, ack=fin_ack.seq + 1)
send(last_ack, verbose=0)
print("[+] Connection closed gracefully")
else:
print("[-] No FIN-ACK received")
print("[*] Telnet session completed")
posted on 2025-11-12 22:35 suiseiseki 阅读(0) 评论(0) 收藏 举报
浙公网安备 33010602011771号