Information Gathering with Auxiliary Modules
HAHWUL > db_nmap -PN 192.168.56.101
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-04 18:33 KST
[*] Nmap: Nmap scan report for 192.168.56.101
[*] Nmap: Host is up (0.00097s latency).
[*] Nmap: Not shown: 993 filtered ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 135/tcp open msrpc
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds
[*] Nmap: 554/tcp open rtsp
[*] Nmap: 2869/tcp open icslap
[*] Nmap: 5357/tcp open wsdapi
[*] Nmap: 10243/tcp open unknown
[*] Nmap: MAC Address: 08:00:27:69:14:FF (Oracle VirtualBox virtual NIC)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 19.19 seconds
From the nmap scan results we can see which ports are open. Based on this information, we need to find out whether each service really is the service it claims to be, which version and configuration it uses, and what information it holds. Let's start with msrpc, the first one shown.
Let's use Metasploit to search for modules related to msrpc.
HAHWUL > search msrpc
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/dcerpc/ms05_017_msmq 2005-04-12 good MS05-017 Microsoft Message Queueing Service Path Overflow
[.....]
One related exploit comes up. Since it dates from 2005, we decide whether to use it after OS fingerprinting, once we have judged whether that version is plausible. Next, let's search for netbios, which is on port 139.
HAHWUL > search netbios
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/netbios/netbios_spoof normal NetBIOS Response Brute Force Spoof (Direct)
auxiliary/scanner/http/ntlm_info_enumeration normal Host Information Enumeration via NTLM Authentication
auxiliary/scanner/netbios/nbname normal NetBIOS Information Discovery
auxiliary/server/netbios_spoof_nat 2016-06-14 normal NetBIOS Response "BadTunnel" Brute Force Spoof (NAT Tunnel)
auxiliary/server/wpad normal WPAD.dat File Server
auxiliary/spoof/llmnr/llmnr_response normal LLMNR Spoofer
auxiliary/spoof/nbns/nbns_response normal NetBIOS Name Service Spoofer
Several auxiliary modules come up. Shall we start by looking up the NetBIOS name?
HAHWUL > use auxiliary/scanner/netbios/nbname
HAHWUL auxiliary(nbname) > show options
Module options (auxiliary/scanner/netbios/nbname):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
RHOSTS yes The target address range or CIDR identifier
RPORT 137 yes The target port (UDP)
THREADS 10 yes The number of concurrent threads
Not much data goes into the options. After setting RHOSTS..
HAHWUL auxiliary(nbname) > hosts -R
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.56.101 08:00:27:69:14:FF Windows 2008 server
RHOSTS => 192.168.56.101
HAHWUL auxiliary(nbname) > run
[*] Sending NetBIOS requests to 192.168.56.101->192.168.56.101 (1 hosts)
[+] 192.168.56.101 [HAHWUL] OS:Windows Names:(HAHWUL, WORKGROUP, __MSBROWSE__) Addresses:(10.0.2.15, 192.168.56.101) Mac:08:00:27:69:14:ff
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Once you run it, it retrieves the NetBIOS name.
ARP Sweep
This time let's look at ARP Sweep. ARP checks are a very important technique for finding your way around the local network.
HAHWUL > use auxiliary/scanner/discovery/arp_sweep
HAHWUL auxiliary(arp_sweep) >
HAHWUL auxiliary(arp_sweep) > show options
Module options (auxiliary/scanner/discovery/arp_sweep):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
RHOSTS yes The target address range or CIDR identifier
SHOST no Source IP Address
SMAC no Source MAC Address
THREADS 1 yes The number of concurrent threads
TIMEOUT 5 yes The number of seconds to wait for new data
HAHWUL auxiliary(arp_sweep) > hosts -R
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.56.101 08:00:27:69:14:ff hahwul Windows 2008 server
RHOSTS => 192.168.56.101
HAHWUL auxiliary(arp_sweep) > run
[+] 192.168.56.101 appears to be up (CADMUS COMPUTER SYSTEMS).
IPv6 Check
IPv6 is not yet widely used, but some environments do use v6. The ipv6_neighbor module can be used to check for IPv6.
HAHWUL auxiliary(arp_sweep) > use auxiliary/scanner/discovery/ipv6_neighbor
HAHWUL auxiliary(ipv6_neighbor) >
HAHWUL auxiliary(ipv6_neighbor) >
HAHWUL auxiliary(ipv6_neighbor) > show options
Module options (auxiliary/scanner/discovery/ipv6_neighbor):
Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
PCAPFILE no The name of the PCAP capture file to process
RHOSTS yes The target address range or CIDR identifier
SHOST no Source IP Address
SMAC no Source MAC Address
THREADS 1 yes The number of concurrent threads
TIMEOUT 500 yes The number of seconds to wait for new data
HAHWUL auxiliary(ipv6_neighbor) > hosts -R
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.56.101 08:00:27:69:14:ff hahwul Windows 2008 server
RHOSTS => 192.168.56.101
HAHWUL auxiliary(ipv6_neighbor) > run
[*] Discovering IPv4 nodes via ARP...
[+] 192.168.56.101 ALIVE
[*] Discovering IPv6 addresses for IPv4 nodes...
[*]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
If there are any..
They appear in a form such as: 192.168.56.69 maps to IPv6 link local address fe80::5a55:caff:fe14:1e61
UDP Sweep
UDP Sweep is also an important part of understanding the network. Using this module, we find hosts and services that use UDP.
HAHWUL auxiliary(udp_probe) > use auxiliary/scanner/discovery/udp_sweep
HAHWUL auxiliary(udp_sweep) > show options
Module options (auxiliary/scanner/discovery/udp_sweep):
Name Current Setting Required Description
---- --------------- -------- -----------
BATCHSIZE 256 yes The number of hosts to probe in each set
RHOSTS yes The target address range or CIDR identifier
THREADS 10 yes The number of concurrent threads
HAHWUL auxiliary(udp_sweep) > hosts -R
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.56.101 08:00:27:69:14:ff hahwul Windows 2008 server
RHOSTS => 192.168.56.101
HAHWUL auxiliary(udp_sweep) >
HAHWUL auxiliary(udp_sweep) > run
[*] Sending 13 probes to 192.168.56.101->192.168.56.101 (1 hosts)
[*] Discovered NetBIOS on 192.168.56.101:137 (HAHWUL:<00>:U :WORKGROUP:<00>:G :HAHWUL:<20>:U :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U : __MSBROWSE__ :<01>:G :08:00:27:69:14:ff)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
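As an added example that is not part of the original post or of Metasploit, the Ruby script below parses the `Discovered NetBIOS on ...` line that udp_sweep printed above and decodes each NetBIOS name suffix into the role the host advertises (workstation, file server, master browser, workgroup), which is what a defender would record for that host in an asset inventory. The suffix table follows the standard NetBIOS name-suffix meanings; the parser, its regular expressions and the `parse_netbios_line` function are this example's own.

```ruby
# Added example (not part of the original post or of Metasploit itself):
# parse the "Discovered NetBIOS on ..." line printed by
# auxiliary/scanner/discovery/udp_sweep and decode the NetBIOS name
# suffixes into the roles the host advertises. Suffix meanings follow the
# standard NetBIOS name table (e.g. <20> unique = File Server Service).

# Sample input: the udp_sweep output line from the session above.
SAMPLE_LINE = '[*] Discovered NetBIOS on 192.168.56.101:137 ' \
  '(HAHWUL:<00>:U :WORKGROUP:<00>:G :HAHWUL:<20>:U :WORKGROUP:<1e>:G ' \
  ':WORKGROUP:<1d>:U : __MSBROWSE__ :<01>:G :08:00:27:69:14:ff)'

# [suffix, type] => role; type U = unique name, G = group name.
SUFFIX_ROLES = {
  ['00', 'U'] => 'Workstation Service (computer name)',
  ['00', 'G'] => 'Domain or workgroup name',
  ['03', 'U'] => 'Messenger Service',
  ['20', 'U'] => 'File Server Service (SMB shares offered)',
  ['1b', 'U'] => 'Domain Master Browser',
  ['1c', 'G'] => 'Domain Controllers group',
  ['1d', 'U'] => 'Master Browser',
  ['1e', 'G'] => 'Browser Service Elections',
  ['01', 'G'] => 'Master Browser (__MSBROWSE__)',
}.freeze

LINE_RE  = /Discovered NetBIOS on (?<host>[\d.]+):(?<port>\d+) \((?<body>.*)\)\s*\z/
ENTRY_RE = /([^:\s]+)\s*:<(\h{2})>:([UG])/i   # name:<suffix>:type
MAC_RE   = /\b(\h{2}(?::\h{2}){5})\z/         # trailing MAC address

# Returns a hash describing the host, or nil for lines in another format.
def parse_netbios_line(line)
  m = LINE_RE.match(line)
  return nil unless m

  names = m[:body].scan(ENTRY_RE).map do |name, suffix, type|
    key = [suffix.downcase, type.upcase]
    { name: name, suffix: key[0], type: key[1],
      role: SUFFIX_ROLES.fetch(key, 'unknown suffix') }
  end
  {
    host: m[:host], port: m[:port].to_i, mac: m[:body][MAC_RE, 1], names: names,
    # A <20> unique name means the host offers SMB file service.
    file_server: names.any? { |n| n[:suffix] == '20' && n[:type] == 'U' },
    master_browser: names.any? { |n| n[:suffix] == '1d' && n[:type] == 'U' },
  }
end

if __FILE__ == $PROGRAM_NAME
  info = parse_netbios_line(SAMPLE_LINE)
  puts "#{info[:host]} (#{info[:mac]}) file_server=#{info[:file_server]}"
  info[:names].each { |n| puts "  #{n[:name]}<#{n[:suffix]}>#{n[:type]}  #{n[:role]}" }
end
```

Feed it the full msfconsole log and only the NetBIOS lines produce a result; every other line returns nil.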
Service Scanning
Lastly, Service Scanning. In fact, information can be obtained through aux modules for many services such as SSH and Telnet. The example below uses FTP.
HAHWUL auxiliary(udp_sweep) > use auxiliary/scanner/ftp/anonymous
HAHWUL auxiliary(anonymous) > show optoins
[-] Invalid parameter "optoins", use "show -h" for more information
HAHWUL auxiliary(anonymous) > show options
Module options (auxiliary/scanner/ftp/anonymous):
Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOSTS yes The target address range or CIDR identifier
RPORT 21 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
HAHWUL auxiliary(anonymous) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
HAHWUL auxiliary(anonymous) > run
[*] 192.168.56.104:21 Anonymous READ/WRITE (220 Microsoft FTP Service)
This checks whether there is an anonymous FTP server in the network range. If there is, there are ways to make use of it, such as it having been used as a distribution server, or a bounce attack.
HAHWUL auxiliary(anonymous) > use auxiliary/scanner/ftp/ftp_login
HAHWUL auxiliary(ftp_login) > show options
Module options (auxiliary/scanner/ftp/ftp_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RECORD_GUEST false no Record anonymous/guest logins to the database
RHOSTS yes The target address range or CIDR identifier
RPORT 21 yes The target port (TCP)
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
By setting USERNAME and PASSWORD you can use it like an FTP client, but brute force is also possible.
Point USER_FILE and PASS_FILE at dictionary files and run it, and it performs a brute force.
auxiliary/scanner/ftp/anonymous normal Anonymous FTP Access Detection
auxiliary/scanner/ftp/bison_ftp_traversal 2015-09-28 normal BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure
auxiliary/scanner/ftp/colorado_ftp_traversal 2016-08-11 normal ColoradoFTP Server 1.3 Build 8 Directory Traversal Information Disclosure
auxiliary/scanner/ftp/easy_file_sharing_ftp 2017-03-07 normal Easy File Sharing FTP Server 3.6 Directory Traversal
auxiliary/scanner/ftp/ftp_login normal FTP Authentication Scanner
auxiliary/scanner/ftp/ftp_version normal FTP Version Scanner
auxiliary/scanner/ftp/konica_ftp_traversal 2015-09-22 normal Konica Minolta FTP Utility 1.00 Directory Traversal Information Disclosure
auxiliary/scanner/ftp/pcman_ftp_traversal 2015-09-28 normal PCMan FTP Server 2.0.7 Directory Traversal Information Disclosure
auxiliary/scanner/ftp/titanftp_xcrc_traversal 2010-06-15 normal Titan FTP XCRC Directory Traversal Information Disclosure
auxiliary/scanner/http/titan_ftp_admin_pwd normal Titan FTP Administrative Password Disclosure
auxiliary/scanner/misc/zenworks_preboot_fileaccess normal Novell ZENworks Configuration Management Preboot Service Remote File Access
auxiliary/scanner/portscan/ftpbounce normal FTP Bounce Port Scanner
auxiliary/scanner/quake/server_info normal Gather Quake Server Information
auxiliary/scanner/rsync/modules_list normal List Rsync Modules
auxiliary/scanner/snmp/cisco_config_tftp normal Cisco IOS SNMP Configuration Grabber (TFTP)
auxiliary/scanner/snmp/cisco_upload_file normal Cisco IOS SNMP File Upload (TFTP)
auxiliary/scanner/ssh/cerberus_sftp_enumusers 2014-05-27 normal Cerberus FTP Server SFTP Username Enumeration
auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp 2011-12-12 normal IpSwitch WhatsUp Gold TFTP Directory Traversal
auxiliary/scanner/tftp/netdecision_tftp 2009-05-16 normal NetDecision 4.2 TFTP Directory Traversal
auxiliary/scanner/tftp/tftpbrute normal TFTP Brute Forcer