nmap的扫描原理没怎么探索,只知道使用nmap扫描的时候,目标服务器扫不出来东西。于是特地分析了下3389远程连接（RDP）建立的过程。简单来说是这样的:

  • TCP三次握手
  • 客户端发送 X.224 Connection Request（TPKT 封装的 COTP CR PDU，也就是脚本里发出去的那 19 个字节）
  • 服务端回复 X.224 Connection Confirm（同样由 TPKT 封装，下面的 OS 判断比对的就是这个响应）

原来用 socket 编程这么简单：只需要用 Wireshark 抓包，把 TCP 载荷按原始字节（十六进制）原样重放出去就行了。

最后的 Python 脚本是这样的（Python 2；注意 OS 版本判断只是比对协商响应里的几个标志位，这些标志位受补丁级别和策略影响，结果只能当作提示）:

#!/usr/bin/python
# coding: utf-8

import binascii
import socket
import sys
import threading
from Queue import Queue, Empty


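def verify(sock, port):
    """Read the server's reply on *sock* and hand each chunk to detect_os().

    Loops on recv() until the peer closes the connection (empty read) or
    the socket's timeout expires.  Every chunk is printed as hex and passed
    to detect_os(), which exits the calling thread when it recognises a
    known X.224 Connection Confirm.

    Args:
        sock: a connected TCP socket on which send_payload() has already
            been called; its timeout (set in scan()) bounds the wait.
        port: the probed port number, used only for reporting.
    """
    while True:
        try:
            buff = sock.recv(2048)
        except socket.timeout:
            # After the Connection Confirm the server waits for our next
            # PDU, so a timeout here simply means the reply is complete.
            break
        if not buff:
            break
        # Untrusted bytes from the peer: they are never parsed, only
        # hex-dumped and compared against fixed fingerprints.
        hex_reply = binascii.hexlify(buff)
        if isinstance(hex_reply, bytes):
            hex_reply = hex_reply.decode("ascii")
        print("[+] %s" % hex_reply)
        detect_os(hex_reply, port)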


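# Hex dumps of the TPKT + X.224 Connection Confirm that each Windows version
# was seen returning to the Connection Request sent by send_payload().
# Windows 2000 answers with a bare 11-byte CC and no RDP negotiation
# response; the others append an RDP_NEG_RSP (type 0x02) or RDP_NEG_FAILURE
# (type 0x03) whose flags byte (0x00 / 0x01 / 0x09 / 0x0f here) is what
# separates them.
# NOTE(review): those flags advertise optional features (e.g. restricted
# admin mode) that depend on patch level and policy as much as on the OS
# version, so treat a hit as a hint, not as an identification.
RDP_FINGERPRINTS = {
    "2000": "0300000b06d00000123400",
    "2003": "030000130ed000001234000300080002000000",
    "2008": "030000130ed000001234000200080002000000",
    "win7OR2008R2": "030000130ed000001234000209080002000000",
    "2008R2DC": "030000130ed000001234000201080002000000",
    "2012R2OR8": "030000130ed00000123400020f080002000000",
}


def detect_os(res, port):
    """Match a hex-encoded RDP reply against RDP_FINGERPRINTS.

    On a hit the guessed version and the port are printed and
    ``sys.exit(0)`` is raised.  When called from a worker thread (as
    scan() does) SystemExit only ends that thread: it is not an
    ``Exception`` subclass, so scan()'s handler lets it through, the
    worker's ``finally`` still marks the queue task done, and the
    remaining threads keep scanning.

    Args:
        res: the server reply as a hex string (str or bytes); compared
            case-insensitively after stripping surrounding whitespace.
        port: the port the reply came from, for the report line.

    Returns:
        None when nothing matched.

    Raises:
        SystemExit: on a fingerprint match.
    """
    if isinstance(res, bytes):
        res = res.decode("ascii")
    res = res.strip().lower()
    for label, fingerprint in RDP_FINGERPRINTS.items():
        if fingerprint == res:
            print("[+] Os May be: %s" % label)
            print("[+] RDP Port is %s" % port)
            sys.exit(0)
    return None

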
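# TPKT header + X.224 Connection Request + RDP_NEG_REQ, replayed from a
# Wireshark capture of a real RDP client connection (MS-RDPBCGR 2.2.1.1):
#   03 00 00 13              TPKT version 3, total length 19
#   0e e0 00 00 00 00 00     X.224 CR (0xe0), dst/src ref 0, class 0
#   01 00 08 00 03 00 00 00  RDP_NEG_REQ: type 1, flags 0, length 8,
#                            requestedProtocols = TLS | CredSSP (0x3)
RDP_CONNECT_REQUEST = (
    b"\x03\x00\x00\x13"
    b"\x0e\xe0\x00\x00\x00\x00\x00"
    b"\x01\x00\x08\x00\x03\x00\x00\x00"
)


def send_payload(sock):
    """Send the canned RDP X.224 Connection Request over *sock*.

    Uses sendall() so the whole 19-byte PDU goes out even if the kernel
    accepts only a short write; the reply is read by verify().

    Args:
        sock: a connected TCP socket.
    """
    sock.sendall(RDP_CONNECT_REQUEST)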


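def worker():
    """Drain the shared port queue *q*, scanning one port at a time.

    Uses a non-blocking get so that two workers racing for the last item
    cannot leave one of them blocked forever in q.get() (which would keep
    the process alive after the sweep finishes).  q.task_done() is always
    called, even if scan() raises, so q.join() in the main thread returns.
    """
    while True:
        try:
            port = q.get_nowait()
        except Empty:
            return
        try:
            scan(port)
        finally:
            q.task_done()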


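def scan(port):
    """Probe one TCP port on the global *ip* for an RDP service.

    Connects with a 2 s timeout, sends the X.224 Connection Request and
    lets verify() read and fingerprint the reply.  Connection failures and
    timeouts are expected during a port sweep and are silently ignored;
    the socket is always closed.  Any other error propagates to the worker
    thread instead of being hidden.

    Args:
        port: TCP port number to probe.
    """
    sys.stdout.write("[+] Check Port %s \r" % port)
    sys.stdout.flush()
    # Created outside the try so a failure here cannot leave `s` unbound
    # for the close() below.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.settimeout(2)
        # connect_ex returns 0 on success and an errno otherwise instead
        # of raising, which keeps closed ports cheap.
        if s.connect_ex((ip, port)) == 0:
            print("[+] Connect Success %s" % port)
            send_payload(s)
            verify(s, port)
    except socket.error:
        # refused / reset / timed out mid-exchange: not an RDP port
        pass
    finally:
        s.close()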

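if __name__ == "__main__":
    # Only point this at hosts you are authorised to scan: it opens ~62k
    # connections and sends an RDP Connection Request to every open port.
    if len(sys.argv) != 2:
        print("Usage: %s IP" % sys.argv[0])
        sys.exit(0)
    ip = sys.argv[1]
    q = Queue()
    # Ports 3300..65535 inclusive (the original range stopped one short
    # of 65535).  RDP normally listens on 3389 but can be bound anywhere;
    # lower the start if the target may use a port below 3300.
    for port in range(3300, 65536):
        q.put(port)
    # Daemon threads: a worker that is stuck (e.g. blocked in q.get())
    # cannot keep the process alive once q.join() has seen every port's
    # task_done(); join() itself guarantees every scan has finished.
    threads = [threading.Thread(target=worker) for _ in range(50)]
    for t in threads:
        t.daemon = True
        t.start()
    q.join()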
2017-02-28