
Learning to Use Kali Linux (Practice 1: Building metasploitable2/metasploitable3)


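Overview

Following the "Preparation" and "Basics" parts of this series on learning to use Kali Linux, this is the "Practice" part.
In the "Practice" part I will write about the things you tend to use when doing application development and similar work at a company.

The first "Practice" installment covers Metasploitable.

Before that

As for explaining every tool one by one, I don't have a grasp of them all myself, so I will leave that to others.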

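Preparing the target (Metasploitable)

After the "Preparation" and "Basics" parts, you should have Kali Linux booting in VirtualBox.
For anyone in charge of security inside a company, the heart of Kali Linux is having "how to confirm a vulnerability" as knowledge of your own.
In other words, being able to use it fluently.

What matters then is how to prepare the machine that Kali Linux will test.
Poking at your own PC with Kali Linux only gets you so far.
If you want to test a web service, you need a web service (that is, a server), right?
And if you want to confirm that a vulnerability is present, you need a vulnerable web service (a vulnerable framework and so on) actually running.

"All right, I'll go test every web service out there, one after another."
If that is what you just thought: be aware that the moment you do it, you have committed a crime.

"So what am I supposed to do?"
As it happens, purpose-built targets are properly provided for exactly this.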

Rapid7:metasploitable

Rapid7 provides metasploitable as a deliberately vulnerable target.

At present, metasploitable2 and metasploitable3 appear to be available.
The two are distributed differently, so first check the list of vulnerabilities for each.

■metasploitable-2
https://docs.rapid7.com/metasploit/metasploitable-2-exploitability-guide

■metasploitable3
https://github.com/rapid7/metasploitable3/wiki/Vulnerabilities

Well, since we are at it, let's build both environments.

Obtaining (metasploitable2/metasploitable3)

■metasploitable2
For metasploitable2, the documentation lists two places to download it from.

I will download it from SourceForge.

Clicking the Download button gets you "metasploitable-linux-2.0.0.zip" (830MB).

■metasploitable3
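Next is metasploitable3, which is obtained by following the project's own instructions.

If those instructions made you go "hm?", you have good instincts.
Yes: metasploitable3 uses Vagrant to create its VMs in VirtualBox.

So set up a Vagrant environment first.

Once the environment is in place, all that is left is to run the commands as instructed.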

Building (metasploitable2/metasploitable3)

■metasploitable2
Extract the downloaded "metasploitable-linux-2.0.0.zip".

In VirtualBox, create a VM with "New".
Any name will do, as long as you can tell it is "metasploitable2".
After that, proceed as usual.
When creating the virtual machine, select the extracted "Metasploitable.vmdk" obtained here as its disk.
Click the folder icon on the right,
then use "Add" at the top left to select the extracted "Metasploitable.vmdk" and add it.
The VM is now added to the list; select it and start it.

The login id/pw is "msfadmin/msfadmin".

■metasploitable3
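For metasploitable3, running vagrant up fetches two boxes, "Ubuntu14.04" and "Windows Server2008R2", and builds the VMs in VirtualBox.
From fetching the boxes to finishing the build, be prepared to wait patiently for about an hour.

* If it times out and stops partway through, running "vagrant halt" once and then "vagrant up" again sometimes gets around it.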

powershell
PS C:\> mkdir metasploitable3-workspace

    ディレクトリ: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        2022/06/21     09:24                metasploitable3-workspace


PS C:\> cd metasploitable3-workspace
PS C:\metasploitable3-workspace> Invoke-WebRequest -Uri "https://raw.githubusercontent.com/rapid7/metasploitable3/master/Vagrantfile" -OutFile "Vagrantfile"
PS C:\metasploitable3-workspace> vagrant up
Bringing machine 'ub1404' up with 'virtualbox' provider...
Bringing machine 'win2k8' up with 'virtualbox' provider...
==> ub1404: Box 'rapid7/metasploitable3-ub1404' could not be found. Attempting to find and install...
    ub1404: Box Provider: virtualbox
    ub1404: Box Version: >= 0
==> ub1404: Loading metadata for box 'rapid7/metasploitable3-ub1404'
    ub1404: URL: https://vagrantcloud.com/rapid7/metasploitable3-ub1404
==> ub1404: Adding box 'rapid7/metasploitable3-ub1404' (v0.1.12-weekly) for provider: virtualbox
    ub1404: Downloading: https://vagrantcloud.com/rapid7/boxes/metasploitable3-ub1404/versions/0.1.12-weekly/providers/virtualbox.box
    ub1404:
==> ub1404: Successfully added box 'rapid7/metasploitable3-ub1404' (v0.1.12-weekly) for 'virtualbox'!
==> ub1404: Importing base box 'rapid7/metasploitable3-ub1404'...
==> ub1404: Matching MAC address for NAT networking...
==> ub1404: Checking if box 'rapid7/metasploitable3-ub1404' version '0.1.12-weekly' is up to date...
==> ub1404: Setting the name of the VM: Metasploitable3-ub1404
==> ub1404: Clearing any previously set network interfaces...
==> ub1404: Preparing network interfaces based on configuration...
    ub1404: Adapter 1: nat
    ub1404: Adapter 2: hostonly
==> ub1404: Forwarding ports...
    ub1404: 22 (guest) => 2222 (host) (adapter 1)
==> ub1404: Running 'pre-boot' VM customizations...
==> ub1404: Booting VM...
==> ub1404: Waiting for machine to boot. This may take a few minutes...
    ub1404: SSH address: 127.0.0.1:2222
    ub1404: SSH username: vagrant
    ub1404: SSH auth method: password
Timed out while waiting for the machine to boot. This means that
Vagrant was unable to communicate with the guest machine within
the configured ("config.vm.boot_timeout" value) time period.

If you look above, you should be able to see the error(s) that
Vagrant had when attempting to connect to the machine. These errors
are usually good hints as to what may be wrong.

If you're using a custom box, make sure that networking is properly
working and you're able to connect to the machine. It is a common
problem that networking isn't setup properly in these boxes.
Verify that authentication configurations are also setup properly,
as well.

If the box appears to be booting properly, you may want to increase
the timeout ("config.vm.boot_timeout") value.
PS C:\metasploitable3-workspace> vagrant halt
==> win2k8: VM not created. Moving on...
==> ub1404: Attempting graceful shutdown of VM...
    ub1404: Guest communication could not be established! This is usually because
    ub1404: SSH is not running, the authentication information was changed,
    ub1404: or some other networking issue. Vagrant will force halt, if
    ub1404: capable.
==> ub1404: Forcing shutdown of VM...
PS C:\metasploitable3-workspace> vagrant up
Bringing machine 'ub1404' up with 'virtualbox' provider...
Bringing machine 'win2k8' up with 'virtualbox' provider...
==> ub1404: Checking if box 'rapid7/metasploitable3-ub1404' version '0.1.12-weekly' is up to date...
==> ub1404: Clearing any previously set forwarded ports...
==> ub1404: Clearing any previously set network interfaces...
==> ub1404: Preparing network interfaces based on configuration...
    ub1404: Adapter 1: nat
    ub1404: Adapter 2: hostonly
==> ub1404: Forwarding ports...
    ub1404: 22 (guest) => 2222 (host) (adapter 1)
==> ub1404: Running 'pre-boot' VM customizations...
==> ub1404: Booting VM...
==> ub1404: Waiting for machine to boot. This may take a few minutes...
    ub1404: SSH address: 127.0.0.1:2222
    ub1404: SSH username: vagrant
    ub1404: SSH auth method: password
    ub1404: Warning: Connection reset. Retrying...
    ub1404: Warning: Connection aborted. Retrying...
    ub1404: Warning: Connection reset. Retrying...
    ub1404: Warning: Connection reset. Retrying...
    ub1404: Warning: Connection reset. Retrying...
    ub1404: Warning: Connection aborted. Retrying...
    ub1404: Warning: Connection reset. Retrying...
    ub1404: Warning: Remote connection disconnect. Retrying...
    ub1404: Warning: Connection aborted. Retrying...
    ub1404: Warning: Connection reset. Retrying...
    ub1404: Warning: Connection aborted. Retrying...
    ub1404: Warning: Connection reset. Retrying...
    ub1404: Warning: Remote connection disconnect. Retrying...
    ub1404: Warning: Connection reset. Retrying...
    ub1404: Warning: Connection aborted. Retrying...
    ub1404: Warning: Remote connection disconnect. Retrying...
    ub1404: Warning: Connection reset. Retrying...
    ub1404: Warning: Connection aborted. Retrying...
    ub1404: Warning: Connection reset. Retrying...
    ub1404: Warning: Connection aborted. Retrying...
    ub1404: Warning: Connection reset. Retrying...
    ub1404: Warning: Connection aborted. Retrying...
    ub1404: Warning: Connection reset. Retrying...
    ub1404: Warning: Connection aborted. Retrying...
    ub1404: Warning: Connection reset. Retrying...
    ub1404: Warning: Connection aborted. Retrying...
    ub1404: Warning: Connection reset. Retrying...
    ub1404: Warning: Connection reset. Retrying...
    ub1404: Warning: Connection aborted. Retrying...
    ub1404:
    ub1404: Inserting generated public key within guest...
    ub1404: Removing insecure key from the guest if it's present...
    ub1404: Key inserted! Disconnecting and reconnecting using new SSH key...
==> ub1404: Machine booted and ready!
==> ub1404: Checking for guest additions in VM...
    ub1404: No guest additions were detected on the base box for this VM! Guest
    ub1404: additions are required for forwarded ports, shared folders, host only
    ub1404: networking, and more. If SSH fails on this machine, please install
    ub1404: the guest additions and repackage the box to continue.
    ub1404:
    ub1404: This is not an error message; everything may continue to work properly,
    ub1404: in which case you may ignore this message.
==> ub1404: Setting hostname...
==> ub1404: Configuring and enabling network interfaces...
==> win2k8: Box 'rapid7/metasploitable3-win2k8' could not be found. Attempting to find and install...
    win2k8: Box Provider: virtualbox
    win2k8: Box Version: >= 0
==> win2k8: Loading metadata for box 'rapid7/metasploitable3-win2k8'
    win2k8: URL: https://vagrantcloud.com/rapid7/metasploitable3-win2k8
==> win2k8: Adding box 'rapid7/metasploitable3-win2k8' (v0.1.0-weekly) for provider: virtualbox
    win2k8: Downloading: https://vagrantcloud.com/rapid7/boxes/metasploitable3-win2k8/versions/0.1.0-weekly/providers/virtualbox.box
    win2k8:
==> win2k8: Successfully added box 'rapid7/metasploitable3-win2k8' (v0.1.0-weekly) for 'virtualbox'!
==> win2k8: Importing base box 'rapid7/metasploitable3-win2k8'...
==> win2k8: Matching MAC address for NAT networking...
==> win2k8: Checking if box 'rapid7/metasploitable3-win2k8' version '0.1.0-weekly' is up to date...
==> win2k8: Setting the name of the VM: metasploitable3-workspace_win2k8_1655772677118_98959
==> win2k8: Fixed port collision for 22 => 2222. Now on port 2200.
==> win2k8: Clearing any previously set network interfaces...
A host only network interface you're attempting to configure via DHCP
already has a conflicting host only adapter with DHCP enabled. The
DHCP on this adapter is incompatible with the DHCP settings. Two
host only network interfaces are not allowed to overlap, and each
host only network interface can have only one DHCP server. Please
reconfigure your host only network or remove the virtual machine
using the other host only network.
PS C:\metasploitable3-workspace>

For now, once it is built, stop it with "vagrant halt".
Windows Server2008R2 fails at startup with a complaint that the IP conflicts, so halt only stops Ubuntu. (The Windows VM was never running in the first place.)

powershell
PS C:\metasploitable3-workspace> vagrant halt
==> ub1404: Attempting graceful shutdown of VM...
PS C:\metasploitable3-workspace>

The DHCP error on Windows Server2008R2 (metasploitable3)

The cause is in the Vagrantfile.
Ubuntu is given a fixed IP address, while WindowsServer2008R2 is set to DHCP.

ub1404.vm.network "private_network", ip: '172.28.128.3'
win2k8.vm.network "private_network", type: "dhcp"

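Run through a translator, the displayed message says roughly this. (Thanks, Google-sensei.)

The host-only network interface you are trying to configure via DHCP already has a conflicting host-only adapter with DHCP enabled.
The DHCP on this adapter is incompatible with the DHCP settings.
Two host-only network interfaces cannot overlap.
Also, each host-only network interface can have only one DHCP server.
Reconfigure the host-only network, or remove the virtual machine that uses the other host-only network.

Hmm, so what if Windows Server2008R2 gets a fixed IP as well...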

ub1404.vm.network "private_network", ip: '172.28.128.3'
win2k8.vm.network "private_network", ip: '172.28.128.4'

OK, vagrant up.

PS C:\metasploitable3-workspace> vagrant up
Bringing machine 'ub1404' up with 'virtualbox' provider...
Bringing machine 'win2k8' up with 'virtualbox' provider...
==> ub1404: Checking if box 'rapid7/metasploitable3-ub1404' version '0.1.12-weekly' is up to date...
==> ub1404: Clearing any previously set forwarded ports...
==> ub1404: Clearing any previously set network interfaces...
==> ub1404: Preparing network interfaces based on configuration...
    ub1404: Adapter 1: nat
    ub1404: Adapter 2: hostonly
==> ub1404: Forwarding ports...
    ub1404: 22 (guest) => 2222 (host) (adapter 1)
==> ub1404: Running 'pre-boot' VM customizations...
==> ub1404: Booting VM...
==> ub1404: Waiting for machine to boot. This may take a few minutes...
    ub1404: SSH address: 127.0.0.1:2222
    ub1404: SSH username: vagrant
    ub1404: SSH auth method: password
    ub1404: Warning: Connection reset. Retrying...
    ub1404: Warning: Connection aborted. Retrying...
==> ub1404: Machine booted and ready!
==> ub1404: Checking for guest additions in VM...
    ub1404: No guest additions were detected on the base box for this VM! Guest
    ub1404: additions are required for forwarded ports, shared folders, host only
    ub1404: networking, and more. If SSH fails on this machine, please install
    ub1404: the guest additions and repackage the box to continue.
    ub1404:
    ub1404: This is not an error message; everything may continue to work properly,
    ub1404: in which case you may ignore this message.
==> ub1404: Setting hostname...
==> ub1404: Configuring and enabling network interfaces...
==> ub1404: Machine already provisioned. Run `vagrant provision` or use the `--provision`
==> ub1404: flag to force provisioning. Provisioners marked to run always will still run.
==> win2k8: Checking if box 'rapid7/metasploitable3-win2k8' version '0.1.0-weekly' is up to date...
==> win2k8: Fixed port collision for 22 => 2222. Now on port 2200.
==> win2k8: Clearing any previously set network interfaces...
==> win2k8: Preparing network interfaces based on configuration...
    win2k8: Adapter 1: nat
    win2k8: Adapter 2: hostonly
==> win2k8: Forwarding ports...
    win2k8: 3389 (guest) => 3389 (host) (adapter 1)
    win2k8: 22 (guest) => 2200 (host) (adapter 1)
    win2k8: 5985 (guest) => 55985 (host) (adapter 1)
    win2k8: 5986 (guest) => 55986 (host) (adapter 1)
==> win2k8: Running 'pre-boot' VM customizations...
==> win2k8: Booting VM...
==> win2k8: Waiting for machine to boot. This may take a few minutes...
    win2k8: WinRM address: 127.0.0.1:55985
    win2k8: WinRM username: vagrant
    win2k8: WinRM execution_time_limit: PT2H
    win2k8: WinRM transport: negotiate
Timed out while waiting for the machine to boot. This means that
Vagrant was unable to communicate with the guest machine within
the configured ("config.vm.boot_timeout" value) time period.

If you look above, you should be able to see the error(s) that
Vagrant had when attempting to connect to the machine. These errors
are usually good hints as to what may be wrong.

If you're using a custom box, make sure that networking is properly
working and you're able to connect to the machine. It is a common
problem that networking isn't setup properly in these boxes.
Verify that authentication configurations are also setup properly,
as well.

If the box appears to be booting properly, you may want to increase
the timeout ("config.vm.boot_timeout") value.

Argh... it timed out... lol
Still, it does appear to have started, so that's OK.

Good enough.
Stop it with "vagrant halt".
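
The Vagrantfile change from this section as a repeatable step (an added example, not part of the original article or the metasploitable3 project): it swaps the win2k8 DHCP line for the static address used above, refuses duplicate guest addresses, and lists VirtualBox's host-only DHCP servers. It assumes it is run from the workspace folder that holds the downloaded Vagrantfile and that VBoxManage is on PATH.

```powershell
# Added example: pin win2k8 to a static host-only IP instead of DHCP.
# Assumptions: current directory contains the Vagrantfile; 172.28.128.4 is
# the address chosen in the article; VBoxManage is on PATH.
$path     = Join-Path (Get-Location) 'Vagrantfile'
$staticIp = '172.28.128.4'

$text = Get-Content -Path $path -Raw

# Match only the win2k8 DHCP line; the ub1404 line is left untouched.
$pattern = 'win2k8\.vm\.network\s+"private_network",\s*type:\s*"dhcp"'
if ($text -notmatch $pattern) {
    Write-Warning 'win2k8 DHCP line not found; Vagrantfile left unchanged.'
    return
}

# Keep the upstream copy so the edit can be reverted.
Copy-Item -Path $path -Destination "$path.bak" -Force

$text = $text -replace $pattern, "win2k8.vm.network `"private_network`", ip: '$staticIp'"
Set-Content -Path $path -Value $text -NoNewline

# Collect every static private_network address and reject duplicates:
# two guests on one address would break the lab network in a new way.
$ips = [regex]::Matches($text, "`"private_network`",\s*ip:\s*'([\d.]+)'") |
       ForEach-Object { $_.Groups[1].Value }
$dupes = $ips | Group-Object | Where-Object Count -gt 1
if ($dupes) {
    throw "Duplicate private_network IP: $($dupes.Name -join ', ')"
}
"private_network addresses now in Vagrantfile: $($ips -join ', ')"

# Show the host-only DHCP servers VirtualBox knows about; the conflict
# message in the vagrant up output refers to these.
& VBoxManage list dhcpservers
```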
