[MAD-METASPLOIT] 0x11 - Network scanning using Auxiliary Module

by hahwul 6 min read

Auxiliary module을 통한 정보수집

HAHWUL > db_nmap -PN 192.168.56.101 [] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2017-08-04 18:33 KST [] Nmap: Nmap scan report for 192.168.56.101 [] Nmap: Host is up (0.00097s latency). [] Nmap: Not shown: 993 filtered ports [] Nmap: PORT STATE SERVICE [] Nmap: 135/tcp open msrpc [] Nmap: 139/tcp open netbios-ssn [] Nmap: 445/tcp open microsoft-ds [] Nmap: 554/tcp open rtsp [] Nmap: 2869/tcp open icslap [] Nmap: 5357/tcp open wsdapi [] Nmap: 10243/tcp open unknown [] Nmap: MAC Address: 08:00:27:69:14:FF (Oracle VirtualBox virtual NIC) [] Nmap: Nmap done: 1 IP address (1 host up) scanned in 19.19 seconds

nmap 스캔 결과로 열려있는 포트정보데 대해 확인이 가능합니다. 우리는 이 정보를 기준으로 각 Service 가 실제 해당 Service 인지, 어떤 버전, 어떤 설정을 사용하고 어떤 정보를 담고있는지 알아야하죠. 먼저 맨 위에 보이는 msrpc 부터 찾아보겠습니다.

Metasploit을 이용해서 msrpc에 대한 모듈을 찾아봅니다.

HAHWUL > search msrpc

Matching Modules

Name Disclosure Date Rank Description —- ————— —- ———– exploit/windows/dcerpc/ms05_017_msmq 2005-04-12 good MS05-017 Microsoft Message Queueing Service Path Overflow

[…..]

관련해서 Exploit이 하나 나오네요. 2005년도꺼라 OS Finger print 이후에 버전의 가능성이 있다고 판단 후 사용 여부를 결정합니다. 두번째론 139 포트인 netbios에 대해 검색해보겠습니다.

HAHWUL > search netbios

Matching Modules

Name Disclosure Date Rank Description —- ————— —- ———– auxiliary/admin/netbios/netbios_spoof normal NetBIOS Response Brute Force Spoof (Direct) auxiliary/scanner/http/ntlm_info_enumeration normal Host Information Enumeration via NTLM Authentication auxiliary/scanner/netbios/nbname normal NetBIOS Information Discovery auxiliary/server/netbios_spoof_nat 2016-06-14 normal NetBIOS Response “BadTunnel” Brute Force Spoof (NAT Tunnel) auxiliary/server/wpad normal WPAD.dat File Server auxiliary/spoof/llmnr/llmnr_response normal LLMNR Spoofer auxiliary/spoof/nbns/nbns_response normal NetBIOS Name Service Spoofer

여러가지 Auxiliary 모듈이 나옵니다. 일단 netbios의 이름부터 찾아볼까요?

HAHWUL > use auxiliary/scanner/netbios/nbname HAHWUL auxiliary(nbname) > show options

Module options (auxiliary/scanner/netbios/nbname):

Name Current Setting Required Description —- ————— ——– ———– BATCHSIZE 256 yes The number of hosts to probe in each set RHOSTS yes The target address range or CIDR identifier RPORT 137 yes The target port (UDP) THREADS 10 yes The number of concurrent threads

옵션정보에 많은 데이터가 들어가진 않습니다. RHOSTS 설정 후..

HAHWUL auxiliary(nbname) > hosts -R

Hosts

address mac name os_name os_flavor os_sp purpose info comments ——- — —- ——- ——— —– ——- —- ——– 192.168.56.101 08:00:27:69:14:FF Windows 2008 server

RHOSTS => 192.168.56.101

HAHWUL auxiliary(nbname) > run

[] Sending NetBIOS requests to 192.168.56.101->192.168.56.101 (1 hosts) [+] 192.168.56.101 [HAHWUL] OS:Windows Names:(HAHWUL, WORKGROUP, MSBROWSE) Addresses:(10.0.2.15, 192.168.56.101) Mac:08:00:27:69:14:ff [] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed

실행해주시면 NetBios의 이름을 얻어옵니다.

ARP Sweep

이번엔 ARP Sweep에 대해 알아보도록 하겠습니다. arp 체크는 local network를 찾아가는데 있어 아주 중요한 기술입니다.

HAHWUL > use auxiliary/scanner/discovery/arp_sweep HAHWUL auxiliary(arp_sweep) > HAHWUL auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

Name Current Setting Required Description —- ————— ——– ———– INTERFACE no The name of the interface RHOSTS yes The target address range or CIDR identifier SHOST no Source IP Address SMAC no Source MAC Address THREADS 1 yes The number of concurrent threads TIMEOUT 5 yes The number of seconds to wait for new data

HAHWUL auxiliary(arp_sweep) > hosts -R

Hosts

address mac name os_name os_flavor os_sp purpose info comments ——- — —- ——- ——— —– ——- —- ——– 192.168.56.101 08:00:27:69:14:ff hahwul Windows 2008 server

RHOSTS => 192.168.56.101

HAHWUL auxiliary(arp_sweep) > run

[+] 192.168.56.101 appears to be up (CADMUS COMPUTER SYSTEMS).

IPv6 Check

아직 IPv6가 많이 사용되진 않지만, 일부 환경에서는 v6를 사용하기도 합니다. ipv6_neighbor 모듈을 이용해서 IPv6에 대한 체크를 할 수 있습니다.

HAHWUL auxiliary(arp_sweep) > use auxiliary/scanner/discovery/ipv6_neighbor HAHWUL auxiliary(ipv6_neighbor) > HAHWUL auxiliary(ipv6_neighbor) > HAHWUL auxiliary(ipv6_neighbor) > show options

Module options (auxiliary/scanner/discovery/ipv6_neighbor):

Name Current Setting Required Description —- ————— ——– ———– INTERFACE no The name of the interface PCAPFILE no The name of the PCAP capture file to process RHOSTS yes The target address range or CIDR identifier SHOST no Source IP Address SMAC no Source MAC Address THREADS 1 yes The number of concurrent threads TIMEOUT 500 yes The number of seconds to wait for new data

HAHWUL auxiliary(ipv6_neighbor) > hosts -R

Hosts

address mac name os_name os_flavor os_sp purpose info comments ——- — —- ——- ——— —– ——- —- ——– 192.168.56.101 08:00:27:69:14:ff hahwul Windows 2008 server

RHOSTS => 192.168.56.101

HAHWUL auxiliary(ipv6_neighbor) > run

[] Discovering IPv4 nodes via ARP… [+] 192.168.56.101 ALIVE [] Discovering IPv6 addresses for IPv4 nodes… [] [] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed

있는 경우..

192.168.56.69 maps to IPv6 link local address fe80::5a55:caff:fe14:1e61 과 같은 형태로 나타남

UDP Sweep

UDP Sweep 또한 Network의 정보 파악에 있어 중요한 부분입니다. 해당 모듈을 이용해 UDP를 사용하는 host, service에 대해 찾아냅니다.

HAHWUL auxiliary(udp_probe) > use auxiliary/scanner/discovery/udp_sweep HAHWUL auxiliary(udp_sweep) > show options

Module options (auxiliary/scanner/discovery/udp_sweep):

Name Current Setting Required Description —- ————— ——– ———– BATCHSIZE 256 yes The number of hosts to probe in each set RHOSTS yes The target address range or CIDR identifier THREADS 10 yes The number of concurrent threads

HAHWUL auxiliary(udp_sweep) > hosts -R

Hosts

address mac name os_name os_flavor os_sp purpose info comments ——- — —- ——- ——— —– ——- —- ——– 192.168.56.101 08:00:27:69:14:ff hahwul Windows 2008 server

RHOSTS => 192.168.56.101

HAHWUL auxiliary(udp_sweep) > HAHWUL auxiliary(udp_sweep) > run

[] Sending 13 probes to 192.168.56.101->192.168.56.101 (1 hosts) [] Discovered NetBIOS on 192.168.56.101:137 (HAHWUL:<00>:U :WORKGROUP:<00>:G :HAHWUL:<20>:U :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U : MSBROWSE :<01>:G :08:00:27:69:14:ff) [] Scanned 1 of 1 hosts (100% complete) [] Auxiliary module execution completed

Service Scanning

마지막으로 Service Scanning 입니다. 사실 SSH, Telnet 등 여러 서비스에 대해서 aux 모듈을 통해 정보를 얻어낼 수 있습니다. 아래 예시에선 ftp로 진행하겠습니다.

HAHWUL auxiliary(udp_sweep) > use auxiliary/scanner/ftp/anonymous HAHWUL auxiliary(anonymous) > show optoins [-] Invalid parameter “optoins”, use “show -h” for more information HAHWUL auxiliary(anonymous) > show options

Module options (auxiliary/scanner/ftp/anonymous):

Name Current Setting Required Description —- ————— ——– ———– FTPPASS mozilla@example.com no The password for the specified username FTPUSER anonymous no The username to authenticate as RHOSTS yes The target address range or CIDR identifier RPORT 21 yes The target port (TCP) THREADS 1 yes The number of concurrent threads

HAHWUL auxiliary(anonymous) > set RHOSTS 192.168.56.101 RHOSTS => 192.168.56.101 HAHWUL auxiliary(anonymous) > run [*] 192.168.56.104:21 Anonymous READ/WRITE (220 Microsoft FTP Service)

네트워크 대역 내 Anonymous FTP 가 있는지 체크합니다. 있을 경우 배포 서버로 사용하던가, bounce attack 등 활용 포인트는 존재하죠.

HAHWUL auxiliary(anonymous) > use auxiliary/scanner/ftp/ftp_login HAHWUL auxiliary(ftp_login) > show options

Module options (auxiliary/scanner/ftp/ftp_login):

Name Current Setting Required Description —- ————— ——– ———– BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE no File containing passwords, one per line Proxies no A proxy chain of format type:host:port[,type:host:port][…] RECORD_GUEST false no Record anonymous/guest logins to the database RHOSTS yes The target address range or CIDR identifier RPORT 21 yes The target port (TCP) STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads USERNAME no A specific username to authenticate as USERPASS_FILE no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE no File containing usernames, one per line VERBOSE true yes Whether to print output for all attempts

USERNAME, PASSWORD를 설정하여 Ftp client 처럼 사용할 수 있지만 Brutefoce도 가능합니다. USER_FILE, PASS_FILE 에 Dic 파일을 맞춰주고 시도 시 BruteForce를 진행합니다.

auxiliary/scanner/ftp/anonymous normal Anonymous FTP Access Detection auxiliary/scanner/ftp/bison_ftp_traversal 2015-09-28 normal BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure auxiliary/scanner/ftp/colorado_ftp_traversal 2016-08-11 normal ColoradoFTP Server 1.3 Build 8 Directory Traversal Information Disclosure auxiliary/scanner/ftp/easy_file_sharing_ftp 2017-03-07 normal Easy File Sharing FTP Server 3.6 Directory Traversal auxiliary/scanner/ftp/ftp_login normal FTP Authentication Scanner auxiliary/scanner/ftp/ftp_version normal FTP Version Scanner auxiliary/scanner/ftp/konica_ftp_traversal 2015-09-22 normal Konica Minolta FTP Utility 1.00 Directory Traversal Information Disclosure auxiliary/scanner/ftp/pcman_ftp_traversal 2015-09-28 normal PCMan FTP Server 2.0.7 Directory Traversal Information Disclosure auxiliary/scanner/ftp/titanftp_xcrc_traversal 2010-06-15 normal Titan FTP XCRC Directory Traversal Information Disclosure auxiliary/scanner/http/titan_ftp_admin_pwd normal Titan FTP Administrative Password Disclosure auxiliary/scanner/misc/zenworks_preboot_fileaccess normal Novell ZENworks Configuration Management Preboot Service Remote File Access auxiliary/scanner/portscan/ftpbounce normal FTP Bounce Port Scanner auxiliary/scanner/quake/server_info normal Gather Quake Server Information auxiliary/scanner/rsync/modules_list normal List Rsync Modules auxiliary/scanner/snmp/cisco_config_tftp normal Cisco IOS SNMP Configuration Grabber (TFTP) auxiliary/scanner/snmp/cisco_upload_file normal Cisco IOS SNMP File Upload (TFTP) auxiliary/scanner/ssh/cerberus_sftp_enumusers 2014-05-27 normal Cerberus FTP Server SFTP Username Enumeration auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp 2011-12-12 normal IpSwitch WhatsUp Gold TFTP Directory Traversal auxiliary/scanner/tftp/netdecision_tftp 2009-05-16 normal NetDecision 4.2 TFTP Directory Traversal auxiliary/scanner/tftp/tftpbrute normal TFTP Brute Forcer