3389指纹
@Ites
发送
unsigned char sendbuf[] = {0x03, 0x00, 0x00, 0x13, 0x0e, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x08, 0x00, 0x03, 0x00, 0x00, 0x00};
接收
/*
Windows 2000 Advanced Server
Windoes XP Professional
Windows Embedded POSReady 2009
Windows Embedded Standard
*/
unsigned char Win2kxpos[] = {0x03, 0x00, 0x00, 0x0b, 0x06, 0xd0, 0x00, 0x00, 0x12, 0x34, 0x00};
/*
Windows Server 2003 R2 Enterprise Edition
Windows Server 2003 Standard x64 Edition
*/
unsigned char Win2003[] = {0x03, 0x00, 0x00, 0x13, 0x0e, 0xd0, 0x00, 0x00, 0x12, 0x34, 0x00, 0x03, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00}; // win7-mstsc-recv
/*
Windows WebServer 2008
Windows Server 2008 Standard
Windows Server 2008 Enterprise
*/
unsigned char Win2008[] = {0x03, 0x00, 0x00, 0x13, 0x0e, 0xd0, 0x00, 0x00, 0x12, 0x34, 0x00, 0x02, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00}; // win7-mstsc-recv
/*
Windows 7
Windows Server 2008 R2 Standard
*/
unsigned char Win7or2008r2[] = {0x03, 0x00, 0x00, 0x13, 0x0e, 0xd0, 0x00, 0x00, 0x12, 0x34, 0x00, 0x02, 0x09, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00}; // win7-mstsc-recv
/* Windows Server 2008 R2 Datacenter */
unsigned char Win2008R2DC[] = {0x03, 0x00, 0x00, 0x13, 0x0e, 0xd0, 0x00, 0x00, 0x12, 0x34, 0x00, 0x02, 0x01, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00}; // win7-mstsc-recv
/* Windows Server 2012 */
unsigned char Win2012[] = {0x03, 0x00, 0x00, 0x13, 0x0e, 0xd0, 0x00, 0x00, 0x12, 0x34, 0x00, 0x02, 0x07, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00}; // win7-mstsc-recv
/*
Windows Server 2012 R2
Windows 8
*/
unsigned char Win2012R2or8[] = {0x03, 0x00, 0x00, 0x13, 0x0e, 0xd0, 0x00, 0x00, 0x12, 0x34, 0x00, 0x02, 0x0f, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00}; // win7-mstsc-recv
python代码
#!/usr/bin/python
# coding: utf-8
import socket
import binascii
import sys
import threading
from Queue import Queue
def verify(sock, port):
while 1:
buff = sock.recv(2048)
if not buff:
break
b = bytearray(buff)
print "[+] %s" % binascii.hexlify(b)
detect_os(binascii.hexlify(b), port)
# if len(binascii.hexlify(b)) == 38:
# print "[+] RDP Port is %s" % port
# sys.exit(0)
def detect_os(res, port):
d = {
"2000": "0300000b06d00000123400",
"2003": "030000130ed000001234000300080002000000",
"2008": "030000130ed000001234000200080002000000",
"win7OR2008R2": "030000130ed000001234000209080002000000",
"2008R2DC": "030000130ed000001234000201080002000000",
"2012R2OR8": "030000130ed00000123400020f080002000000"
}
for key, value in d.iteritems():
if value == res:
print "[+] Os May be: %s" % key
print "[+] RDP Port is %s" % port
sys.exit(0)
def send_payload(sock):
sock.send("\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00")
def worker():
while not q.empty():
port = q.get()
try:
scan(port)
finally:
q.task_done()
def scan(port):
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(2)
sys.stdout.write('[+] Check Port %s \r' % port)
sys.stdout.flush()
if s.connect_ex((ip, port)) == 0:
print "[+] Connect Success %s" % port
send_payload(s)
verify(s, port)
except Exception, e:
# raise e
pass
s.close()
if __name__ == '__main__':
if len(sys.argv) != 2:
print "Usage: %s IP" % sys.argv[0]
sys.exit(0)
ip = sys.argv[1]
q = Queue()
map(q.put, xrange(3300, 65535))
threads = [threading.Thread(target=worker) for i in xrange(50)]
map(lambda x: x.start(), threads)
q.join()