2020-12-29 17:17:10 +08:00
|
|
|
|
package Plugins
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
2024-12-19 19:31:32 +08:00
|
|
|
|
"context"
|
2020-12-29 17:17:10 +08:00
|
|
|
|
"fmt"
|
2024-12-18 22:00:18 +08:00
|
|
|
|
"github.com/shadow1ng/fscan/Common"
|
2023-11-13 11:27:01 +08:00
|
|
|
|
"golang.org/x/crypto/ssh"
|
|
|
|
|
|
"io/ioutil"
|
2020-12-29 17:17:10 +08:00
|
|
|
|
"net"
|
|
|
|
|
|
"strings"
|
|
|
|
|
|
"time"
|
|
|
|
|
|
)
|
|
|
|
|
|
|
2024-12-19 16:15:53 +08:00
|
|
|
|
func SshScan(info *Common.HostInfo) (tmperr error) {
|
2024-12-18 22:00:18 +08:00
|
|
|
|
if Common.IsBrute {
|
2021-11-25 10:16:39 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
2024-12-18 15:19:53 +08:00
|
|
|
|
|
2024-12-19 19:31:32 +08:00
|
|
|
|
// 增加全局扫描超时
|
|
|
|
|
|
scanCtx, scanCancel := context.WithTimeout(context.Background(), time.Duration(Common.Timeout*2)*time.Second)
|
|
|
|
|
|
defer scanCancel()
|
2024-12-18 15:19:53 +08:00
|
|
|
|
|
2024-12-18 22:00:18 +08:00
|
|
|
|
for _, user := range Common.Userdict["ssh"] {
|
|
|
|
|
|
for _, pass := range Common.Passwords {
|
2024-12-19 19:31:32 +08:00
|
|
|
|
// 使用全局 context 创建子 context
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(scanCtx, time.Duration(Common.Timeout)*time.Second)
|
|
|
|
|
|
|
2024-12-18 15:19:53 +08:00
|
|
|
|
// 替换密码中的用户名占位符
|
2020-12-29 17:17:10 +08:00
|
|
|
|
pass = strings.Replace(pass, "{user}", user, -1)
|
2024-12-19 19:31:32 +08:00
|
|
|
|
currentUser := user
|
|
|
|
|
|
currentPass := pass
|
2024-12-18 15:19:53 +08:00
|
|
|
|
|
2024-12-19 19:31:32 +08:00
|
|
|
|
// 创建结果通道
|
|
|
|
|
|
done := make(chan struct {
|
|
|
|
|
|
success bool
|
|
|
|
|
|
err error
|
|
|
|
|
|
}, 1)
|
|
|
|
|
|
|
|
|
|
|
|
// 在 goroutine 中执行单次连接尝试
|
|
|
|
|
|
go func() {
|
|
|
|
|
|
success, err := SshConn(ctx, info, currentUser, currentPass)
|
|
|
|
|
|
select {
|
|
|
|
|
|
case done <- struct {
|
|
|
|
|
|
success bool
|
|
|
|
|
|
err error
|
|
|
|
|
|
}{success, err}:
|
|
|
|
|
|
case <-ctx.Done():
|
|
|
|
|
|
}
|
|
|
|
|
|
}()
|
|
|
|
|
|
|
|
|
|
|
|
// 等待连接结果或超时
|
|
|
|
|
|
var err error
|
|
|
|
|
|
select {
|
|
|
|
|
|
case result := <-done:
|
|
|
|
|
|
err = result.err
|
|
|
|
|
|
if result.success {
|
|
|
|
|
|
cancel()
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
case <-ctx.Done():
|
|
|
|
|
|
err = fmt.Errorf("[-] 连接超时: %v", ctx.Err())
|
2020-12-29 17:17:10 +08:00
|
|
|
|
}
|
2024-12-18 15:19:53 +08:00
|
|
|
|
|
2024-12-19 19:31:32 +08:00
|
|
|
|
cancel()
|
|
|
|
|
|
|
2024-12-18 15:19:53 +08:00
|
|
|
|
// 记录失败信息
|
2024-12-19 19:31:32 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
errlog := fmt.Sprintf("[-] SSH认证失败 %v:%v User:%v Pass:%v Err:%v",
|
|
|
|
|
|
info.Host, info.Ports, currentUser, currentPass, err)
|
|
|
|
|
|
Common.LogError(errlog)
|
|
|
|
|
|
tmperr = err
|
|
|
|
|
|
}
|
2024-12-18 15:19:53 +08:00
|
|
|
|
|
|
|
|
|
|
// 检查是否需要中断扫描
|
2024-12-18 22:00:18 +08:00
|
|
|
|
if Common.CheckErrs(err) {
|
2024-12-18 15:19:53 +08:00
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-12-19 19:31:32 +08:00
|
|
|
|
// 检查全局超时
|
|
|
|
|
|
if scanCtx.Err() != nil {
|
|
|
|
|
|
return fmt.Errorf("扫描总时间超时: %v", scanCtx.Err())
|
2024-12-18 15:19:53 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 如果指定了SSH密钥,则不进行密码尝试
|
2024-12-18 22:00:18 +08:00
|
|
|
|
if Common.SshKey != "" {
|
2021-05-31 10:03:01 +08:00
|
|
|
|
return err
|
|
|
|
|
|
}
|
2020-12-29 17:17:10 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
2024-12-19 19:31:32 +08:00
|
|
|
|
|
2020-12-29 17:17:10 +08:00
|
|
|
|
return tmperr
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2024-12-19 19:31:32 +08:00
|
|
|
|
func SshConn(ctx context.Context, info *Common.HostInfo, user string, pass string) (flag bool, err error) {
|
2024-12-18 15:19:53 +08:00
|
|
|
|
// 准备认证方法
|
|
|
|
|
|
var auth []ssh.AuthMethod
|
2024-12-18 22:00:18 +08:00
|
|
|
|
if Common.SshKey != "" {
|
|
|
|
|
|
pemBytes, err := ioutil.ReadFile(Common.SshKey)
|
2021-05-31 10:03:01 +08:00
|
|
|
|
if err != nil {
|
2024-12-19 19:31:32 +08:00
|
|
|
|
return false, fmt.Errorf("[-] 读取密钥失败: %v", err)
|
2021-05-31 10:03:01 +08:00
|
|
|
|
}
|
2024-12-18 15:19:53 +08:00
|
|
|
|
|
2021-05-31 10:03:01 +08:00
|
|
|
|
signer, err := ssh.ParsePrivateKey(pemBytes)
|
|
|
|
|
|
if err != nil {
|
2024-12-19 19:31:32 +08:00
|
|
|
|
return false, fmt.Errorf("[-] 解析密钥失败: %v", err)
|
2021-05-31 10:03:01 +08:00
|
|
|
|
}
|
2024-12-18 15:19:53 +08:00
|
|
|
|
auth = []ssh.AuthMethod{ssh.PublicKeys(signer)}
|
2021-05-31 10:03:01 +08:00
|
|
|
|
} else {
|
2024-12-18 15:19:53 +08:00
|
|
|
|
auth = []ssh.AuthMethod{ssh.Password(pass)}
|
2021-05-31 10:03:01 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2020-12-29 17:17:10 +08:00
|
|
|
|
config := &ssh.ClientConfig{
|
2024-12-19 19:31:32 +08:00
|
|
|
|
User: user,
|
|
|
|
|
|
Auth: auth,
|
2020-12-29 17:17:10 +08:00
|
|
|
|
HostKeyCallback: func(hostname string, remote net.Addr, key ssh.PublicKey) error {
|
|
|
|
|
|
return nil
|
|
|
|
|
|
},
|
2024-12-19 19:31:32 +08:00
|
|
|
|
Timeout: time.Duration(Common.Timeout) * time.Second,
|
2020-12-29 17:17:10 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2024-12-19 19:31:32 +08:00
|
|
|
|
// 使用带超时的 Dial
|
|
|
|
|
|
conn, err := (&net.Dialer{Timeout: time.Duration(Common.Timeout) * time.Second}).DialContext(ctx, "tcp", fmt.Sprintf("%v:%v", info.Host, info.Ports))
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return false, err
|
|
|
|
|
|
}
|
|
|
|
|
|
defer conn.Close()
|
|
|
|
|
|
|
|
|
|
|
|
// 设置连接超时
|
|
|
|
|
|
if deadline, ok := ctx.Deadline(); ok {
|
|
|
|
|
|
conn.SetDeadline(deadline)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 创建一个新的 context 用于 SSH 握手
|
|
|
|
|
|
sshCtx, sshCancel := context.WithTimeout(ctx, time.Duration(Common.Timeout)*time.Second)
|
|
|
|
|
|
defer sshCancel()
|
|
|
|
|
|
|
|
|
|
|
|
// 使用 channel 来控制 SSH 握手的超时
|
|
|
|
|
|
sshDone := make(chan struct {
|
|
|
|
|
|
client *ssh.Client
|
|
|
|
|
|
err error
|
|
|
|
|
|
}, 1)
|
|
|
|
|
|
|
|
|
|
|
|
go func() {
|
|
|
|
|
|
sshConn, chans, reqs, err := ssh.NewClientConn(conn, fmt.Sprintf("%v:%v", info.Host, info.Ports), config)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
sshDone <- struct {
|
|
|
|
|
|
client *ssh.Client
|
|
|
|
|
|
err error
|
|
|
|
|
|
}{nil, err}
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
client := ssh.NewClient(sshConn, chans, reqs)
|
|
|
|
|
|
sshDone <- struct {
|
|
|
|
|
|
client *ssh.Client
|
|
|
|
|
|
err error
|
|
|
|
|
|
}{client, nil}
|
|
|
|
|
|
}()
|
|
|
|
|
|
|
|
|
|
|
|
// 等待 SSH 握手完成或超时
|
|
|
|
|
|
var client *ssh.Client
|
|
|
|
|
|
select {
|
|
|
|
|
|
case result := <-sshDone:
|
|
|
|
|
|
if result.err != nil {
|
|
|
|
|
|
return false, result.err
|
|
|
|
|
|
}
|
|
|
|
|
|
client = result.client
|
|
|
|
|
|
case <-sshCtx.Done():
|
|
|
|
|
|
return false, fmt.Errorf("SSH握手超时: %v", sshCtx.Err())
|
|
|
|
|
|
}
|
|
|
|
|
|
defer client.Close()
|
|
|
|
|
|
|
|
|
|
|
|
// 创建会话
|
|
|
|
|
|
session, err := client.NewSession()
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return false, err
|
|
|
|
|
|
}
|
|
|
|
|
|
defer session.Close()
|
|
|
|
|
|
|
|
|
|
|
|
flag = true
|
|
|
|
|
|
|
|
|
|
|
|
if Common.Command != "" {
|
|
|
|
|
|
// 执行命令的通道
|
|
|
|
|
|
cmdDone := make(chan struct {
|
|
|
|
|
|
output []byte
|
|
|
|
|
|
err error
|
|
|
|
|
|
}, 1)
|
|
|
|
|
|
|
|
|
|
|
|
go func() {
|
|
|
|
|
|
output, err := session.CombinedOutput(Common.Command)
|
|
|
|
|
|
select {
|
|
|
|
|
|
case cmdDone <- struct {
|
|
|
|
|
|
output []byte
|
|
|
|
|
|
err error
|
|
|
|
|
|
}{output, err}:
|
|
|
|
|
|
case <-ctx.Done():
|
|
|
|
|
|
}
|
|
|
|
|
|
}()
|
|
|
|
|
|
|
|
|
|
|
|
select {
|
|
|
|
|
|
case <-ctx.Done():
|
|
|
|
|
|
return true, fmt.Errorf("命令执行超时: %v", ctx.Err())
|
|
|
|
|
|
case result := <-cmdDone:
|
|
|
|
|
|
if result.err != nil {
|
|
|
|
|
|
return true, result.err
|
|
|
|
|
|
}
|
|
|
|
|
|
if Common.SshKey != "" {
|
|
|
|
|
|
Common.LogSuccess(fmt.Sprintf("[+] SSH密钥认证成功 %v:%v\n命令输出:\n%v",
|
|
|
|
|
|
info.Host, info.Ports, string(result.output)))
|
2020-12-29 17:17:10 +08:00
|
|
|
|
} else {
|
2024-12-19 19:31:32 +08:00
|
|
|
|
Common.LogSuccess(fmt.Sprintf("[+] SSH认证成功 %v:%v User:%v Pass:%v\n命令输出:\n%v",
|
|
|
|
|
|
info.Host, info.Ports, user, pass, string(result.output)))
|
2020-12-29 17:17:10 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
2024-12-19 19:31:32 +08:00
|
|
|
|
} else {
|
|
|
|
|
|
if Common.SshKey != "" {
|
|
|
|
|
|
Common.LogSuccess(fmt.Sprintf("[+] SSH密钥认证成功 %v:%v",
|
|
|
|
|
|
info.Host, info.Ports))
|
|
|
|
|
|
} else {
|
|
|
|
|
|
Common.LogSuccess(fmt.Sprintf("[+] SSH认证成功 %v:%v User:%v Pass:%v",
|
|
|
|
|
|
info.Host, info.Ports, user, pass))
|
|
|
|
|
|
}
|
2020-12-29 17:17:10 +08:00
|
|
|
|
}
|
2024-12-19 19:31:32 +08:00
|
|
|
|
|
|
|
|
|
|
return flag, nil
|
2020-12-29 17:17:10 +08:00
|
|
|
|
}
|
