EvilSSDP๋ฅผ ์ด์šฉํ•œ SSDP ๋ฐ UPnP ์žฅ์น˜ ์Šคํ‘ธํ•‘

Tip

AWS ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ:HackTricks Training AWS Red Team Expert (ARTE)
GCP ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training GCP Red Team Expert (GRTE) Azure ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks ์ง€์›ํ•˜๊ธฐ

์ž์„ธํ•œ ์ •๋ณด๋Š” https://www.hackingarticles.in/evil-ssdp-spoofing-the-ssdp-and-upnp-devices/๋ฅผ ํ™•์ธํ•˜์„ธ์š”.

SSDP ๋ฐ UPnP ๊ฐœ์š”

SSDP (Simple Service Discovery Protocol)๋Š” ๋„คํŠธ์›Œํฌ ์„œ๋น„์Šค ๊ด‘๊ณ  ๋ฐ ๊ฒ€์ƒ‰์— ์‚ฌ์šฉ๋˜๋ฉฐ, DHCP ๋˜๋Š” DNS ๊ตฌ์„ฑ ์—†์ด UDP ํฌํŠธ 1900์—์„œ ์ž‘๋™ํ•ฉ๋‹ˆ๋‹ค. ์ด๋Š” UPnP (Universal Plug and Play) ์•„ํ‚คํ…์ฒ˜์—์„œ ๊ธฐ๋ณธ์ ์ด๋ฉฐ, PC, ํ”„๋ฆฐํ„ฐ ๋ฐ ๋ชจ๋ฐ”์ผ ์žฅ์น˜์™€ ๊ฐ™์€ ๋„คํŠธ์›Œํฌ ์žฅ์น˜ ๊ฐ„์˜ ์›ํ™œํ•œ ์ƒํ˜ธ์ž‘์šฉ์„ ์ด‰์ง„ํ•ฉ๋‹ˆ๋‹ค. UPnP์˜ ์ œ๋กœ ๊ตฌ์„ฑ ๋„คํŠธ์›Œํ‚น์€ ์žฅ์น˜ ๊ฒ€์ƒ‰, IP ์ฃผ์†Œ ํ• ๋‹น ๋ฐ ์„œ๋น„์Šค ๊ด‘๊ณ ๋ฅผ ์ง€์›ํ•ฉ๋‹ˆ๋‹ค.

UPnP ํ๋ฆ„ ๋ฐ ๊ตฌ์กฐ

UPnP ์•„ํ‚คํ…์ฒ˜๋Š” ์ฃผ์†Œ ์ง€์ •, ๊ฒ€์ƒ‰, ์„ค๋ช…, ์ œ์–ด, ์ด๋ฒคํŠธ ๋ฐ ํ”„๋ ˆ์  ํ…Œ์ด์…˜์˜ ์—ฌ์„ฏ ๊ฐ€์ง€ ๊ณ„์ธต์œผ๋กœ ๊ตฌ์„ฑ๋ฉ๋‹ˆ๋‹ค. ์ฒ˜์Œ์— ์žฅ์น˜๋Š” IP ์ฃผ์†Œ๋ฅผ ์–ป๊ฑฐ๋‚˜ ์ž๊ฐ€ ํ• ๋‹น(AutoIP)ํ•˜๋ ค๊ณ  ์‹œ๋„ํ•ฉ๋‹ˆ๋‹ค. ๊ฒ€์ƒ‰ ๋‹จ๊ณ„๋Š” SSDP๋ฅผ ํฌํ•จํ•˜๋ฉฐ, ์žฅ์น˜๋Š” M-SEARCH ์š”์ฒญ์„ ์ ๊ทน์ ์œผ๋กœ ์ „์†กํ•˜๊ฑฐ๋‚˜ ์„œ๋น„์Šค๋ฅผ ์•Œ๋ฆฌ๊ธฐ ์œ„ํ•ด NOTIFY ๋ฉ”์‹œ์ง€๋ฅผ ์ˆ˜๋™์ ์œผ๋กœ ๋ฐฉ์†กํ•ฉ๋‹ˆ๋‹ค. ํด๋ผ์ด์–ธํŠธ-์žฅ์น˜ ์ƒํ˜ธ์ž‘์šฉ์— ์ค‘์š”ํ•œ ์ œ์–ด ๊ณ„์ธต์€ XML ํŒŒ์ผ์˜ ์žฅ์น˜ ์„ค๋ช…์„ ๊ธฐ๋ฐ˜์œผ๋กœ ๋ช…๋ น ์‹คํ–‰์„ ์œ„ํ•ด SOAP ๋ฉ”์‹œ์ง€๋ฅผ ํ™œ์šฉํ•ฉ๋‹ˆ๋‹ค.

IGD ๋ฐ ๋„๊ตฌ ๊ฐœ์š”

IGD (Internet Gateway Device)๋Š” NAT ์„ค์ •์—์„œ ์ž„์‹œ ํฌํŠธ ๋งคํ•‘์„ ์ด‰์ง„ํ•˜์—ฌ ํ‘œ์ค€ WAN ์ธํ„ฐํŽ˜์ด์Šค ์ œํ•œ์—๋„ ๋ถˆ๊ตฌํ•˜๊ณ  ์—ด๋ฆฐ SOAP ์ œ์–ด ์ง€์ ์„ ํ†ตํ•ด ๋ช…๋ น ์ˆ˜๋ฝ์„ ๊ฐ€๋Šฅํ•˜๊ฒŒ ํ•ฉ๋‹ˆ๋‹ค. Miranda์™€ ๊ฐ™์€ ๋„๊ตฌ๋Š” UPnP ์„œ๋น„์Šค ๊ฒ€์ƒ‰ ๋ฐ ๋ช…๋ น ์‹คํ–‰์„ ์ง€์›ํ•ฉ๋‹ˆ๋‹ค. Umap์€ WAN์—์„œ ์ ‘๊ทผ ๊ฐ€๋Šฅํ•œ UPnP ๋ช…๋ น์„ ๋…ธ์ถœํ•˜๋ฉฐ, upnp-arsenal๊ณผ ๊ฐ™์€ ์ €์žฅ์†Œ๋Š” ๋‹ค์–‘ํ•œ UPnP ๋„๊ตฌ๋ฅผ ์ œ๊ณตํ•ฉ๋‹ˆ๋‹ค. Evil SSDP๋Š” ์Šคํ‘ธํ•‘๋œ UPnP ์žฅ์น˜๋ฅผ ํ†ตํ•ด ํ”ผ์‹ฑ์„ ์ „๋ฌธ์œผ๋กœ ํ•˜๋ฉฐ, ํ•ฉ๋ฒ•์ ์ธ ์„œ๋น„์Šค๋ฅผ ๋ชจ๋ฐฉํ•˜๋Š” ํ…œํ”Œ๋ฆฟ์„ ํ˜ธ์ŠคํŒ…ํ•ฉ๋‹ˆ๋‹ค.

Evil SSDP ์‹ค์šฉ ์‚ฌ์šฉ๋ฒ•

Evil SSDP๋Š” ์„ค๋“๋ ฅ ์žˆ๋Š” ๊ฐ€์งœ UPnP ์žฅ์น˜๋ฅผ ํšจ๊ณผ์ ์œผ๋กœ ์ƒ์„ฑํ•˜์—ฌ ์‚ฌ์šฉ์ž๊ฐ€ ๊ฒ‰๋ณด๊ธฐ์—๋Š” ์ง„์งœ ์„œ๋น„์Šค์™€ ์ƒํ˜ธ์ž‘์šฉํ•˜๋„๋ก ์กฐ์ž‘ํ•ฉ๋‹ˆ๋‹ค. ์ง„์งœ์ฒ˜๋Ÿผ ๋ณด์ด๋Š” ์™ธ๊ด€์— ์†์€ ์‚ฌ์šฉ์ž๋Š” ์ž๊ฒฉ ์ฆ๋ช…๊ณผ ๊ฐ™์€ ๋ฏผ๊ฐํ•œ ์ •๋ณด๋ฅผ ์ œ๊ณตํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์ด ๋„๊ตฌ์˜ ๋‹ค์žฌ๋‹ค๋Šฅํ•จ์€ ์Šค์บ๋„ˆ, Office365 ๋ฐ ๋น„๋ฐ€๋ฒˆํ˜ธ ๊ธˆ๊ณ ์™€ ๊ฐ™์€ ์„œ๋น„์Šค๋ฅผ ๋ชจ๋ฐฉํ•˜๋Š” ๋‹ค์–‘ํ•œ ํ…œํ”Œ๋ฆฟ์œผ๋กœ ํ™•์žฅ๋˜์–ด ์‚ฌ์šฉ์ž ์‹ ๋ขฐ์™€ ๋„คํŠธ์›Œํฌ ๊ฐ€์‹œ์„ฑ์„ ํ™œ์šฉํ•ฉ๋‹ˆ๋‹ค. ์ž๊ฒฉ ์ฆ๋ช…์ด ์บก์ฒ˜๋œ ํ›„, ๊ณต๊ฒฉ์ž๋Š” ํ”ผํ•ด์ž๋ฅผ ์ง€์ •๋œ URL๋กœ ๋ฆฌ๋””๋ ‰์…˜ํ•˜์—ฌ ์†์ž„์ˆ˜์˜ ์‹ ๋ขฐ์„ฑ์„ ์œ ์ง€ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

์™„ํ™” ์ „๋žต

์ด๋Ÿฌํ•œ ์œ„ํ˜‘์— ๋Œ€์‘ํ•˜๊ธฐ ์œ„ํ•ด ๊ถŒ์žฅ๋˜๋Š” ์กฐ์น˜๋Š” ๋‹ค์Œ๊ณผ ๊ฐ™์Šต๋‹ˆ๋‹ค:

  • ํ•„์š”ํ•˜์ง€ ์•Š์„ ๋•Œ ์žฅ์น˜์—์„œ UPnP ๋น„ํ™œ์„ฑํ™”.
  • ์‚ฌ์šฉ์ž์—๊ฒŒ ํ”ผ์‹ฑ ๋ฐ ๋„คํŠธ์›Œํฌ ๋ณด์•ˆ ๊ต์œก.
  • ์•”ํ˜ธํ™”๋˜์ง€ ์•Š์€ ๋ฏผ๊ฐํ•œ ๋ฐ์ดํ„ฐ์— ๋Œ€ํ•œ ๋„คํŠธ์›Œํฌ ํŠธ๋ž˜ํ”ฝ ๋ชจ๋‹ˆํ„ฐ๋ง.

๋ณธ์งˆ์ ์œผ๋กœ, UPnP๋Š” ํŽธ๋ฆฌํ•จ๊ณผ ๋„คํŠธ์›Œํฌ ์œ ๋™์„ฑ์„ ์ œ๊ณตํ•˜์ง€๋งŒ, ์ž ์žฌ์ ์ธ ์•…์šฉ์˜ ๋ฌธ๋„ ์—ด์–ด์ค๋‹ˆ๋‹ค. ์ธ์‹๊ณผ ์ ๊ทน์ ์ธ ๋ฐฉ์–ด๊ฐ€ ๋„คํŠธ์›Œํฌ ๋ฌด๊ฒฐ์„ฑ์„ ๋ณด์žฅํ•˜๋Š” ํ•ต์‹ฌ์ž…๋‹ˆ๋‹ค.

Tip

AWS ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ:HackTricks Training AWS Red Team Expert (ARTE)
GCP ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training GCP Red Team Expert (GRTE) Azure ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks ์ง€์›ํ•˜๊ธฐ