| | at : |
Archive

[MAD-METASPLOIT] 0x11 - Network scanning using Auxiliary Module 하훌 rwxr-xr-x 0 8/07/2017



[MAD-METASPLOIT] 0x11 - Network scanning using Auxiliary Module

Permission rw-r--r--
Author 하훌
Date and Time 8/07/2017
Label
License 크리에이티브 커먼즈 라이선스





Auxiliary module을 통한 정보수집


HAHWUL > db_nmap -PN 192.168.56.101
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-04 18:33 KST
[*] Nmap: Nmap scan report for 192.168.56.101
[*] Nmap: Host is up (0.00097s latency).
[*] Nmap: Not shown: 993 filtered ports
[*] Nmap: PORT      STATE SERVICE
[*] Nmap: 135/tcp   open  msrpc
[*] Nmap: 139/tcp   open  netbios-ssn
[*] Nmap: 445/tcp   open  microsoft-ds
[*] Nmap: 554/tcp   open  rtsp
[*] Nmap: 2869/tcp  open  icslap
[*] Nmap: 5357/tcp  open  wsdapi
[*] Nmap: 10243/tcp open  unknown
[*] Nmap: MAC Address: 08:00:27:69:14:FF (Oracle VirtualBox virtual NIC)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 19.19 seconds

nmap 스캔 결과로 열려있는 포트정보데 대해 확인이 가능합니다. 우리는 이 정보를 기준으로 각 Service 가 실제 해당 Service 인지, 어떤 버전, 어떤 설정을 사용하고 어떤 정보를 담고있는지 알아야하죠. 먼저 맨 위에 보이는 msrpc 부터 찾아보겠습니다.

Metasploit을 이용해서 msrpc에 대한 모듈을 찾아봅니다.

HAHWUL > search msrpc

Matching Modules
================

   Name                                  Disclosure Date  Rank  Description
   ----                                  ---------------  ----  -----------
   exploit/windows/dcerpc/ms05_017_msmq  2005-04-12       good  MS05-017 Microsoft Message Queueing Service Path Overflow

[.....]

관련해서 Exploit이 하나 나오네요. 2005년도꺼라 OS Finger print 이후에 버전의 가능성이 있다고 판단 후 사용 여부를 결정합니다. 두번째론 139 포트인 netbios에 대해 검색해보겠습니다.


HAHWUL > search netbios

Matching Modules
================

   Name                                          Disclosure Date  Rank    Description
   ----                                          ---------------  ----    -----------
   auxiliary/admin/netbios/netbios_spoof                          normal  NetBIOS Response Brute Force Spoof (Direct)
   auxiliary/scanner/http/ntlm_info_enumeration                   normal  Host Information Enumeration via NTLM Authentication
   auxiliary/scanner/netbios/nbname                               normal  NetBIOS Information Discovery
   auxiliary/server/netbios_spoof_nat            2016-06-14       normal  NetBIOS Response "BadTunnel" Brute Force Spoof (NAT Tunnel)
   auxiliary/server/wpad                                          normal  WPAD.dat File Server
   auxiliary/spoof/llmnr/llmnr_response                           normal  LLMNR Spoofer
   auxiliary/spoof/nbns/nbns_response                             normal  NetBIOS Name Service Spoofer


여러가지 Auxiliary 모듈이 나옵니다. 일단 netbios의 이름부터 찾아볼까요?

HAHWUL > use auxiliary/scanner/netbios/nbname
HAHWUL auxiliary(nbname) > show options

Module options (auxiliary/scanner/netbios/nbname):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      137              yes       The target port (UDP)
   THREADS    10               yes       The number of concurrent threads

옵션정보에 많은 데이터가 들어가진 않습니다. RHOSTS 설정 후..

HAHWUL auxiliary(nbname) > hosts -R

Hosts
=====

address         mac                name  os_name       os_flavor  os_sp  purpose  info  comments
-------         ---                ----  -------       ---------  -----  -------  ----  --------
192.168.56.101  08:00:27:69:14:FF        Windows 2008                    server      

RHOSTS => 192.168.56.101

HAHWUL auxiliary(nbname) > run

[*] Sending NetBIOS requests to 192.168.56.101->192.168.56.101 (1 hosts)
[+] 192.168.56.101 [HAHWUL] OS:Windows Names:(HAHWUL, WORKGROUP, __MSBROWSE__) Addresses:(10.0.2.15, 192.168.56.101) Mac:08:00:27:69:14:ff
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

실행해주시면 NetBios의 이름을 얻어옵니다.

ARP Sweep

이번엔 ARP Sweep에 대해 알아보도록 하겠습니다. arp 체크는 local network를 찾아가는데 있어 아주 중요한 기술입니다.


HAHWUL > use auxiliary/scanner/discovery/arp_sweep
HAHWUL auxiliary(arp_sweep) > 
HAHWUL auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data

HAHWUL auxiliary(arp_sweep) > hosts -R

Hosts
=====

address         mac                name    os_name       os_flavor  os_sp  purpose  info  comments
-------         ---                ----    -------       ---------  -----  -------  ----  --------
192.168.56.101  08:00:27:69:14:ff  hahwul  Windows 2008                    server      

RHOSTS => 192.168.56.101

HAHWUL auxiliary(arp_sweep) > run

[+] 192.168.56.101 appears to be up (CADMUS COMPUTER SYSTEMS).


IPv6 Check


아직 IPv6가 많이 사용되진 않지만, 일부 환경에서는 v6를 사용하기도 합니다. ipv6_neighbor 모듈을 이용해서 IPv6에 대한 체크를 할 수 있습니다.

HAHWUL auxiliary(arp_sweep) > use auxiliary/scanner/discovery/ipv6_neighbor
HAHWUL auxiliary(ipv6_neighbor) > 
HAHWUL auxiliary(ipv6_neighbor) > 
HAHWUL auxiliary(ipv6_neighbor) > show options

Module options (auxiliary/scanner/discovery/ipv6_neighbor):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   PCAPFILE                    no        The name of the PCAP capture file to process
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The number of seconds to wait for new data

HAHWUL auxiliary(ipv6_neighbor) > hosts -R

Hosts
=====

address         mac                name    os_name       os_flavor  os_sp  purpose  info  comments
-------         ---                ----    -------       ---------  -----  -------  ----  --------
192.168.56.101  08:00:27:69:14:ff  hahwul  Windows 2008                    server      

RHOSTS => 192.168.56.101

HAHWUL auxiliary(ipv6_neighbor) > run

[*] Discovering IPv4 nodes via ARP...
[+]     192.168.56.101 ALIVE
[*] Discovering IPv6 addresses for IPv4 nodes...
[*]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

있는 경우..

192.168.56.69 maps to IPv6 link local address fe80::5a55:caff:fe14:1e61 과 같은 형태로 나타남


UDP Sweep


UDP Sweep 또한 Network의 정보 파악에 있어 중요한 부분입니다. 해당 모듈을 이용해 UDP를 사용하는 host, service에 대해 찾아냅니다.

HAHWUL auxiliary(udp_probe) > use auxiliary/scanner/discovery/udp_sweep
HAHWUL auxiliary(udp_sweep) > show options

Module options (auxiliary/scanner/discovery/udp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to probe in each set
   RHOSTS                      yes       The target address range or CIDR identifier
   THREADS    10               yes       The number of concurrent threads

HAHWUL auxiliary(udp_sweep) > hosts -R

Hosts
=====

address         mac                name    os_name       os_flavor  os_sp  purpose  info  comments
-------         ---                ----    -------       ---------  -----  -------  ----  --------
192.168.56.101  08:00:27:69:14:ff  hahwul  Windows 2008                    server      

RHOSTS => 192.168.56.101

HAHWUL auxiliary(udp_sweep) > 
HAHWUL auxiliary(udp_sweep) > run

[*] Sending 13 probes to 192.168.56.101->192.168.56.101 (1 hosts)
[*] Discovered NetBIOS on 192.168.56.101:137 (HAHWUL:<00>:U :WORKGROUP:<00>:G :HAHWUL:<20>:U :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U : __MSBROWSE__ :<01>:G :08:00:27:69:14:ff)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Service Scanning


마지막으로 Service Scanning 입니다. 사실 SSH, Telnet 등 여러 서비스에 대해서 aux 모듈을 통해 정보를 얻어낼 수 있습니다. 아래 예시에선 ftp로 진행하겠습니다.

HAHWUL auxiliary(udp_sweep) > use auxiliary/scanner/ftp/anonymous 
HAHWUL auxiliary(anonymous) > show optoins
[-] Invalid parameter "optoins", use "show -h" for more information
HAHWUL auxiliary(anonymous) > show options

Module options (auxiliary/scanner/ftp/anonymous):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOSTS                        yes       The target address range or CIDR identifier
   RPORT    21                   yes       The target port (TCP)
   THREADS  1                    yes       The number of concurrent threads

HAHWUL auxiliary(anonymous) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
HAHWUL auxiliary(anonymous) > run
[*] 192.168.56.104:21 Anonymous READ/WRITE (220 Microsoft FTP Service)

네트워크 대역 내 Anonymous FTP 가 있는지 체크합니다. 있을 경우 배포 서버로 사용하던가, bounce attack 등 활용 포인트는 존재하죠.

HAHWUL auxiliary(anonymous) > use auxiliary/scanner/ftp/ftp_login 
HAHWUL auxiliary(ftp_login) > show options

Module options (auxiliary/scanner/ftp/ftp_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST      false            no        Record anonymous/guest logins to the database
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             21               yes       The target port (TCP)
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts


USERNAME, PASSWORD를 설정하여 Ftp client 처럼 사용할 수 있지만 Brutefoce도 가능합니다.
USER_FILE, PASS_FILE 에 Dic 파일을 맞춰주고 시도 시 BruteForce를 진행합니다.

   auxiliary/scanner/ftp/anonymous                                      normal     Anonymous FTP Access Detection
   auxiliary/scanner/ftp/bison_ftp_traversal           2015-09-28       normal     BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure
   auxiliary/scanner/ftp/colorado_ftp_traversal        2016-08-11       normal     ColoradoFTP Server 1.3 Build 8 Directory Traversal Information Disclosure
   auxiliary/scanner/ftp/easy_file_sharing_ftp         2017-03-07       normal     Easy File Sharing FTP Server 3.6 Directory Traversal
   auxiliary/scanner/ftp/ftp_login                                      normal     FTP Authentication Scanner
   auxiliary/scanner/ftp/ftp_version                                    normal     FTP Version Scanner
   auxiliary/scanner/ftp/konica_ftp_traversal          2015-09-22       normal     Konica Minolta FTP Utility 1.00 Directory Traversal Information Disclosure
   auxiliary/scanner/ftp/pcman_ftp_traversal           2015-09-28       normal     PCMan FTP Server 2.0.7 Directory Traversal Information Disclosure
   auxiliary/scanner/ftp/titanftp_xcrc_traversal       2010-06-15       normal     Titan FTP XCRC Directory Traversal Information Disclosure
   auxiliary/scanner/http/titan_ftp_admin_pwd                           normal     Titan FTP Administrative Password Disclosure
   auxiliary/scanner/misc/zenworks_preboot_fileaccess                   normal     Novell ZENworks Configuration Management Preboot Service Remote File Access
   auxiliary/scanner/portscan/ftpbounce                                 normal     FTP Bounce Port Scanner
   auxiliary/scanner/quake/server_info                                  normal     Gather Quake Server Information
   auxiliary/scanner/rsync/modules_list                                 normal     List Rsync Modules
   auxiliary/scanner/snmp/cisco_config_tftp                             normal     Cisco IOS SNMP Configuration Grabber (TFTP)
   auxiliary/scanner/snmp/cisco_upload_file                             normal     Cisco IOS SNMP File Upload (TFTP)
   auxiliary/scanner/ssh/cerberus_sftp_enumusers       2014-05-27       normal     Cerberus FTP Server SFTP Username Enumeration
   auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp    2011-12-12       normal     IpSwitch WhatsUp Gold TFTP Directory Traversal
   auxiliary/scanner/tftp/netdecision_tftp             2009-05-16       normal     NetDecision 4.2 TFTP Directory Traversal
   auxiliary/scanner/tftp/tftpbrute                                     normal     TFTP Brute Forcer



Share







HAHWUL
HACKING | PENETRATION-TEST | CODING
HACKERONE : GIT : 0DAY-TODAY : EXPLOIT-DB : PACKETSTORM
GOOGLE+ | HAHWUL@GMAIL.COM | TWITTER
WWW.HAHWUL.COM




0 개의 댓글:

댓글 쓰기