Original: http://linux.co.kr/tips/content.html?msg_id=1358

Author: 좋은진호 (truefeel, http://coffeenix.net/ )
Written: 2002.09.14 (Sat)
Revised: 2003.10.29 (Wed) cleaned up; 10.31 (Fri) FreeBSD installation added

nmap is the best-known tool for checking security by finding open ports, but it is also used to port-scan servers that never asked for it and to work out the OS type and version of the system. The recently released nmap 3.45 even reports the version of each open service.

------------------------------------------------------------------------------
# nmap -A -T4 -F localhost

Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-09-16 22:45 KST
Interesting ports on truefeel (127.0.0.1):
(The 1203 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        vsFTPd 1.2.0
25/tcp   open  smtp       Sendmail smtpd Securing..214-2.0.0 This is sendmail version 8.12.
80/tcp   open  http       Apache httpd 2.0.44 ((Unix) DAV/2 PHP/4.3.2)
... (omitted) ...
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20, Linux kernel 2.4.20
Uptime 0.505 days (since Tue Sep 16 10:38:25 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 16.859 seconds
------------------------------------------------------------------------------

As the output shows, nmap's remarkable capability makes it easy to tell which OS a host is running. nmap's OS detection goes through seven test stages (T1 to T7). In T1 a SYN packet is sent to an open port, in T2 a null packet (no flags set) is sent to an open port, and in T3 a packet with SYN, FIN, URG and PSH set is sent to an open port; from T5 on, a similar series of probes is sent to a closed port. Now let's look at how to block nmap OS fingerprinting.

1. The iplog tool

iplog is a tool that logs port scans. It can detect TCP and UDP port scans, TCP null scans, FIN scans, smurf attacks, Xmas scans, ping floods, IP fragment attacks and so on. It supports promiscuous mode, so it can detect scans arriving anywhere on the same subnet. It can also be used to hide OS information.

1) Installation

Download iplog-2.2.3.tar.gz from http://ojnk.sourceforge.net/ .

------------------------------------------------------------------------------
# tar xvfz iplog-2.2.3.tar.gz
# cd iplog-2.2.3
# ./configure
# make
# make install
# cp example-iplog.conf /etc/iplog.conf
------------------------------------------------------------------------------

Change the following two settings in iplog.conf:

------------------------------------------------------------------------------
user nobody                    # the default runs as the user "iplog"
pid-file /var/run/iplog.pid    # the default is /var/run/iplog/iplog.pid
------------------------------------------------------------------------------

Red Hat users who find a source install tedious can get iplog-2.2.3-fr2.i386.rpm from http://www.rpmfind.net/ and install that. FreeBSD users install it through the ports system; the binary is installed in /usr/local/sbin and the configuration file in /usr/local/etc.

------------------------------------------------------------------------------
# cd /usr/ports/net/iplog/
# make install
# make clean
------------------------------------------------------------------------------

If you are wondering "what is the ports system?", see the article written by 최준호 (Choi Jun-ho): http://www.bsdnet.co.kr/articles/article.qsp?no=14

2) Running it

------------------------------------------------------------------------------
# iplog -o -z -i lo     (the lo interface is specified for testing)
------------------------------------------------------------------------------

The meaning of -o and the other options is explained after the nmap test.

------------------------------------------------------------------------------
# nmap -sS -O localhost

Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-10-29 23:37 KST
Insufficient responses for TCP sequencing (2), OS detection may be less accurate
Insufficient responses for TCP sequencing (3), OS detection may be less accurate
Interesting ports on truefeel (127.0.0.1):
(The 1651 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
25/tcp open  smtp
80/tcp open  http
... (omitted) ...
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi ).
TCP/IP fingerprint:
SInfo(V=3.45%P=i686-pc-linux-gnu%D=10/29%Time=3F9FD0B9%O=25%C=1)
T1(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=Y%DF=Y%W=100%ACK=O%Flags=BAPRSF%Ops=)
T2(Resp=Y%DF=N%W=0%ACK=O%Flags=BARS%Ops=)
T2(Resp=Y%DF=Y%W=100%ACK=O%Flags=BPRF%Ops=)
T3(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)

Uptime 0.303 days (since Wed Oct 29 16:21:04 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 21.301 seconds
------------------------------------------------------------------------------

nmap ran through its T1 to T7 OS detection tests, but the output confirms that it could not determine the OS type. So where is the scan log? According to the /etc/iplog.conf settings it is written to /var/log/iplog.

------------------------------------------------------------------------------
... (omitted) ...
Oct 29 23:37:09 ICMP: echo from truefeel (127.0.0.1) (8 bytes)
Oct 29 23:37:09 TCP: port 5901 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 516 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 657 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 32 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 2044 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 737 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: pop2 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 872 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 670 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: SYN scan detected [ports 5901,516,657,32,2044,737,109,872,670,374,...] from truefeel (127.0.0.1) [port 49574]
Oct 29 23:37:12 TCP: Bogus TCP flags set by truefeel (127.0.0.1):49581 (dest port 25)
Oct 29 23:37:14 TCP: ipp connection attempt from truefeel (127.0.0.1):40509
... (omitted) ...
------------------------------------------------------------------------------

3) Options and configuration

-o : do not run in the background (the default is to run in the background)
-z : this is the key option. It stops nmap from working out the OS information.
-L : print the log to the screen
-i : specify the interface (default eth0)
-u : user name or UID to run iplog as (default nobody)
-g : group name or GID to run iplog as (default nobody)
-l : specify the log file (default /var/log/iplog)
-a : switch to promiscuous mode and log scans within the given network (e.g. -a 192.168.123.0/24)
-k : kill the iplog process, whether it is running in the background or the foreground
-R : restart iplog

How should all these options be used?

To monitor on the screen:
# iplog -o -z -L

To log to a file (add this to /etc/rc.d/rc.local or similar to run it at boot):
# iplog -z

In the /etc/iplog.conf configuration file you can set in advance what you would otherwise pass as options: the user to run as, the interface, the ports to exclude from detection, and so on.

2. Using iptables

There is also a method based on iptables, but it requires patching both the kernel and iptables, and nothing has been released for kernel versions after 2.4.19, so it is only described briefly here.

Download ippersonality-20020819-2.4.19.tar.gz from http://ippersonality.sourceforge.net/ , apply the patches to the kernel and to iptables respectively, and compile. The ippersonality-20020819-2.4.19/samples directory contains ten files for impersonating an OS: AmigaOS, Dreamcast, FreeBSD, Linux 2.0x, Linux 2.2, MacOS 9, Solaris 8, Tru64 UNIX, Win Me or Win 2000, and Win 9x.

How do you make the host look as if it is running Windows? With the patched iptables (SERVER_IP stands for the server's own address):

------------------------------------------------------------------------------
# insmod ipt_PERS     (loads the module; this assumes the kernel was built with CONFIG_IP_NF_PERS=m)
# /usr/local/sbin/iptables -t mangle -A PREROUTING -s ! SERVER_IP -d SERVER_IP -j PERS --tweak dst --local --conf win2k.conf
# /usr/local/sbin/iptables -t mangle -A OUTPUT -s SERVER_IP -d ! SERVER_IP -j PERS --tweak src --local --conf win2k.conf
------------------------------------------------------------------------------

3. References

* A practical approach for defeating Nmap OS-Fingerprinting
  http://coffeenix.net/doc/security/nmap_os_fingerprinting.html
* IP Personality project
  http://ippersonality.sourceforge.net/
* iplog
  http://ojnk.sourceforge.net/
* New features in nmap 3.45: version scanning (by 좋은진호)
  http://coffeenix.net/board_view.php?bd_code=71
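The "TCP/IP fingerprint" block that nmap prints when it finds no exact OS match (section 1, step 2) is the raw material of the T1 to T7 tests described at the top of the article. The parser below is an added example, not code from the article or from nmap; it reads the fingerprint lines quoted in the article and reports which probes the host answered and which test (T2 here) gave inconsistent replies.

```python
import re

# The fingerprint lines from the article's "nmap -sS -O localhost" run.
SAMPLE_FP = """\
SInfo(V=3.45%P=i686-pc-linux-gnu%D=10/29%Time=3F9FD0B9%O=25%C=1)
T1(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=Y%DF=Y%W=100%ACK=O%Flags=BAPRSF%Ops=)
T2(Resp=Y%DF=N%W=0%ACK=O%Flags=BARS%Ops=)
T2(Resp=Y%DF=Y%W=100%ACK=O%Flags=BPRF%Ops=)
T3(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)
"""

# One line per test: NAME(key=value%key=value...)
LINE_RE = re.compile(r"^(?P<test>\w+)\((?P<body>[^)]*)\)$")

def parse_fingerprint(text):
    """Map each test name to a list of attribute dicts. A test such as T2
    appears several times when nmap got differing replies to the same probe."""
    fp = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attrs = {}
        for item in m["body"].split("%"):
            key, _, value = item.partition("=")   # "Ops=" yields an empty value
            attrs[key] = value
        fp.setdefault(m["test"], []).append(attrs)
    return fp

def responded(fp):
    """Names of probes (T1-T7, PU) the host answered at all; the fewer
    probes answered, the less nmap has to match against its database."""
    return sorted(t for t, runs in fp.items()
                  if t != "SInfo" and any(r.get("Resp") == "Y" for r in runs))

def inconsistent(fp):
    """Tests whose repeated runs disagree with each other, which is what
    the three T2 lines in the article's output show."""
    return sorted(t for t, runs in fp.items()
                  if len({tuple(sorted(r.items())) for r in runs}) > 1)
```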
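iplog's log (section 1, step 2) records every connection attempt and then raises a "SYN scan detected" line once one source has hit many ports from a single source port. The script below is an added example, not part of the article or of iplog: it applies the same detection logic to a constructed excerpt in iplog's log format, grouping attempts by source address and source port and also picking out the "Bogus TCP flags" events that accompany nmap's OS probes.

```python
import re
from collections import defaultdict

# Constructed excerpt in iplog's log format (modelled on the article's /var/log/iplog).
SAMPLE_LOG = """\
Oct 29 23:37:09 ICMP: echo from truefeel (127.0.0.1) (8 bytes)
Oct 29 23:37:09 TCP: port 5901 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 516 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 657 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: pop2 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 872 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:12 TCP: Bogus TCP flags set by truefeel (127.0.0.1):49581 (dest port 25)
Oct 29 23:37:14 TCP: ipp connection attempt from truefeel (127.0.0.1):40509
"""

TS = r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) TCP: "
# "port 5901" for unknown ports, a service name such as "pop2" for known ones
ATTEMPT_RE = re.compile(TS + r"(?:port )?(?P<port>\S+) connection attempt "
                        r"from (?P<host>\S+) \((?P<ip>[\d.]+)\):(?P<sport>\d+)$")
BOGUS_RE = re.compile(TS + r"Bogus TCP flags set by \S+ "
                      r"\((?P<ip>[\d.]+)\):(?P<sport>\d+) \(dest port (?P<port>\S+)\)$")

def analyse(log_text, threshold=5):
    """Return (syn_scans, bogus_flags).

    syn_scans: {(src_ip, src_port): [dest ports]} for every source that reached
    at least `threshold` distinct destination ports from one unchanging source
    port, the pattern a SYN scan (nmap -sS) leaves in iplog's log.
    bogus_flags: [(src_ip, dest_port)] for packets carrying impossible flag
    combinations, which iplog reports during nmap's T2/T3-style OS probes.
    """
    ports = defaultdict(list)
    bogus = []
    for line in log_text.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            ports[(m["ip"], int(m["sport"]))].append(m["port"])
            continue
        m = BOGUS_RE.match(line)
        if m:
            bogus.append((m["ip"], m["port"]))
    scans = {k: v for k, v in ports.items() if len(set(v)) >= threshold}
    return scans, bogus
```

The threshold of five is an assumption made for the short sample; on a real log the value and a time window would be chosen to suit the host.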