3389指纹

@Ites

发送
unsigned char sendbuf[] = {0x03, 0x00, 0x00, 0x13, 0x0e, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x03, 0x00, 0x00, 0x00};

接收
/*
        Windows 2000 Advanced Server
        Windoes XP Professional
        Windows Embedded POSReady 2009
        Windows Embedded Standard
*/
unsigned char Win2kxpos[] = {0x03, 0x00, 0x00, 0x0b, 0x06, 0xd0, 0x00, 0x00, 0x12, 0x34, 0x00};

/*
        Windows Server 2003 R2 Enterprise Edition
        Windows Server 2003 Standard x64 Edition
*/
unsigned char Win2003[] = {0x03, 0x00, 0x00, 0x13, 0x0e, 0xd0, 0x00, 0x00, 0x12, 0x34, 0x00, 0x03, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00}; // win7-mstsc-recv

/*
        Windows WebServer 2008
        Windows Server 2008 Standard
        Windows Server 2008 Enterprise
*/
unsigned char Win2008[] = {0x03, 0x00, 0x00, 0x13, 0x0e, 0xd0, 0x00, 0x00, 0x12, 0x34, 0x00, 0x02, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00}; // win7-mstsc-recv

/*
        Windows 7
        Windows Server 2008 R2 Standard
*/
unsigned char Win7or2008r2[] = {0x03, 0x00, 0x00, 0x13, 0x0e, 0xd0, 0x00, 0x00, 0x12, 0x34, 0x00, 0x02, 0x09, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00}; // win7-mstsc-recv

/* Windows Server 2008 R2 Datacenter */
unsigned char Win2008R2DC[] = {0x03, 0x00, 0x00, 0x13, 0x0e, 0xd0, 0x00, 0x00, 0x12, 0x34, 0x00, 0x02, 0x01, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00}; // win7-mstsc-recv

/* Windows Server 2012 */
unsigned char Win2012[] = {0x03, 0x00, 0x00, 0x13, 0x0e, 0xd0, 0x00, 0x00, 0x12, 0x34, 0x00, 0x02, 0x07, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00}; // win7-mstsc-recv

/*
        Windows Server 2012 R2
        Windows 8
*/
unsigned char Win2012R2or8[] = {0x03, 0x00, 0x00, 0x13, 0x0e, 0xd0, 0x00, 0x00, 0x12, 0x34, 0x00, 0x02, 0x0f, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00}; // win7-mstsc-recv

python代码

#!/usr/bin/python
# coding: utf-8

import socket
import binascii
import sys
import threading
from Queue import Queue


def verify(sock, port):
        while 1:
                buff = sock.recv(2048)
                if not buff:
                        break
                b = bytearray(buff)
                print "[+] %s" % binascii.hexlify(b)
                detect_os(binascii.hexlify(b), port)
                # if len(binascii.hexlify(b)) == 38:
                #         print "[+] RDP Port is %s" % port
                #         sys.exit(0)


def detect_os(res, port):
        d = {
                "2000": "0300000b06d00000123400",
                "2003": "030000130ed000001234000300080002000000",
                "2008": "030000130ed000001234000200080002000000",
                "win7OR2008R2": "030000130ed000001234000209080002000000",
                "2008R2DC": "030000130ed000001234000201080002000000",
                "2012R2OR8": "030000130ed00000123400020f080002000000"
        }
        for key, value in d.iteritems():
                if value == res:
                        print "[+] Os May be: %s" % key
                        print "[+] RDP Port is %s" % port
                        sys.exit(0)
def send_payload(sock):
        sock.send("\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00")


def worker():
        while not q.empty():
                port = q.get()
                try:
                        scan(port)
                finally:
                        q.task_done()


def scan(port):
        try:
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.settimeout(2)
                sys.stdout.write('[+] Check Port %s \r' % port)
                sys.stdout.flush()
                if s.connect_ex((ip, port)) == 0:
                        print "[+] Connect Success %s" % port
                        send_payload(s)
                        verify(s, port)
        except Exception, e:
                # raise e
                pass
        s.close()

if __name__ == '__main__':
        if len(sys.argv) != 2:
                print "Usage: %s IP" % sys.argv[0]
                sys.exit(0)
        ip = sys.argv[1]
        q = Queue()
        map(q.put, xrange(3300, 65535))
        threads = [threading.Thread(target=worker) for i in xrange(50)]
        map(lambda x: x.start(), threads)
        q.join()