\@ocat
\@cat{Stuffs}
\@cat{Linux}
\@ecat
\TableOfContents

\def@bverb={
<tt>
\dcSave
\noDefault
}
\def@everb={
\dcRestore
</tt>
}
\def@bverbox=<table style="background-color:#eeeeee; border:1 solid;"><tr><td>\@bverb
\def@everbox=\@everb</td></tr></table>

Original: http://linux.co.kr/tips/content.html?msg_id=1358
\@bverbox
\basis
Author : 좋은진호 (truefeel, http://coffeenix.net/ )
Written : 2002.09.14 (Sat)
Revised : 2003.10.29 (Wed) cleaned up, 10.31 (Fri) FreeBSD installation added

nmap is the best-known tool for checking which ports are open during a security audit, but it is also used
against servers whose owners never asked for it, to port-scan them and to find out the type and version of the OS they run.
The recently released nmap 3.45 goes further and also reports the version of each open service.

------------------------------------------------------------------------------
# nmap -A -T4 -F localhost

Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-09-16 22:45 KST
Interesting ports on truefeel (127.0.0.1):
(The 1203 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        vsFTPd 1.2.0
25/tcp   open  smtp       Sendmail smtpd Securing..214-2.0.0 This is sendmail version 8.12.
80/tcp   open  http       Apache httpd 2.0.44 ((Unix) DAV/2 PHP/4.3.2)
... (omitted) ...
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20, Linux kernel 2.4.20
Uptime 0.505 days (since Tue Sep 16 10:38:25 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 16.859 seconds
------------------------------------------------------------------------------

As the output above shows, nmap's detection features make it easy to find out which OS a host is running.

nmap's OS detection goes through seven test stages (T1~T7).
In T1 a SYN packet is sent to an open port; in T2 a null packet is sent to an open port;
in T3 a packet with SYN, FIN, URG and PSH set is sent to an open port;
from T5 onward a similar sequence is sent to a closed port.

Now let's look at how to block nmap OS fingerprinting.

1. The iplog tool

iplog is a tool that logs port scans. It can detect TCP and UDP port scans, TCP null scans, FIN scans,
smurf attacks, Xmas scans, ping floods, IP fragment attacks and so on.
It supports promiscuous mode, so it can also detect scans directed at other hosts on the same subnet.
It can also be used to hide the OS from fingerprinting.

1) Installation

Download iplog-2.2.3.tar.gz from http://ojnk.sourceforge.net/.

------------------------------------------------------------------------------
# tar xvfz iplog-2.2.3.tar.gz
# cd iplog-2.2.3
# ./configure
# make
# make install
# cp example-iplog.conf /etc/iplog.conf
------------------------------------------------------------------------------

Edit the following two settings in iplog.conf.

------------------------------------------------------------------------------
user nobody                     # the default runs as the "iplog" user
pid-file /var/run/iplog.pid     # the default is /var/run/iplog/iplog.pid
------------------------------------------------------------------------------

If building from source is too much trouble:
Red Hat users can download iplog-2.2.3-fr2.i386.rpm from http://www.rpmfind.net/ and install that.

FreeBSD users install it from the ports system.
The binary is installed in /usr/local/sbin and the configuration file in /usr/local/etc.

------------------------------------------------------------------------------
# cd /usr/ports/net/iplog/
# make install
# make clean
------------------------------------------------------------------------------

If you are wondering "what is the ports system?", see the article by 최준호:
http://www.bsdnet.co.kr/articles/article.qsp?no=14

2) Running

------------------------------------------------------------------------------
# iplog -o -z -i lo        (the lo interface is specified here for testing)
------------------------------------------------------------------------------

The meaning of -o and the other options is explained after the nmap test.

------------------------------------------------------------------------------
# nmap -sS -O localhost

Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-10-29 23:37 KST
Insufficient responses for TCP sequencing (2), OS detection may be less accurate
Insufficient responses for TCP sequencing (3), OS detection may be less accurate
Interesting ports on truefeel (127.0.0.1):
(The 1651 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
... (omitted) ...
No exact OS matches for host (If you know what OS is running on it, see
http://www.insecure.org/cgi-bin/nmap-submit.cgi ).
TCP/IP fingerprint:
SInfo(V=3.45%P=i686-pc-linux-gnu%D=10/29%Time=3F9FD0B9%O=25%C=1)
T1(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=Y%DF=Y%W=100%ACK=O%Flags=BAPRSF%Ops=)
T2(Resp=Y%DF=N%W=0%ACK=O%Flags=BARS%Ops=)
T2(Resp=Y%DF=Y%W=100%ACK=O%Flags=BPRF%Ops=)
T3(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)

Uptime 0.303 days (since Wed Oct 29 16:21:04 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 21.301 seconds
------------------------------------------------------------------------------

nmap ran through the OS detection tests T1~T7, but as the output confirms it could not identify the OS type.
So where is the scan log? According to the /etc/iplog.conf settings it is written to /var/log/iplog.

------------------------------------------------------------------------------
... (omitted) ...
Oct 29 23:37:09 ICMP: echo from truefeel (127.0.0.1) (8 bytes)
Oct 29 23:37:09 TCP: port 5901 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 516 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 657 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 32 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 2044 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 737 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: pop2 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 872 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 670 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: SYN scan detected [ports 5901,516,657,32,2044,737,109,872,670,374,...] from truefeel (127.0.0.1) [port 49574]
Oct 29 23:37:12 TCP: Bogus TCP flags set by truefeel (127.0.0.1):49581 (dest port 25)
Oct 29 23:37:14 TCP: ipp connection attempt from truefeel (127.0.0.1):40509
... (omitted) ...
------------------------------------------------------------------------------

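
The log above is what iplog leaves behind after a scan. The following Python script is an added example, not part of the original article or of iplog itself: it parses lines in that log format (a sample constructed from the entries shown, plus an assumed second source 10.0.0.5), flags a source as scanning when it hits several distinct ports within a short window, and counts the "Bogus TCP flags" entries that appear during the OS-detection probes. The threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in iplog's log format (modelled on the entries in this article).
SAMPLE_LOG = """\
Oct 29 23:37:09 ICMP: echo from truefeel (127.0.0.1) (8 bytes)
Oct 29 23:37:09 TCP: port 5901 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: port 516 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:09 TCP: pop2 connection attempt from truefeel (127.0.0.1):49574
Oct 29 23:37:12 TCP: Bogus TCP flags set by truefeel (127.0.0.1):49581 (dest port 25)
Oct 29 23:37:14 TCP: ipp connection attempt from truefeel (127.0.0.1):40509
Oct 29 23:40:00 TCP: port 80 connection attempt from client (10.0.0.5):51000
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
# iplog prints well-known ports by service name ("pop2", "ipp") and others as "port N".
ATTEMPT_RE = re.compile(TS + r" TCP: (?:port )?(?P<port>\S+) connection attempt "
                        r"from \S+ \((?P<src>[\d.]+)\):\d+$")
BOGUS_RE = re.compile(TS + r" TCP: Bogus TCP flags set by \S+ "
                      r"\((?P<src>[\d.]+)\):\d+ \(dest port (?P<port>\d+)\)$")

def parse_ts(ts, year=2003):
    # iplog timestamps carry no year; the article's run took place in 2003 (assumed here).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def analyze(log_text, threshold=3, window_s=60):
    """Per source IP: distinct ports probed, number of bogus-flag probes, and whether
    at least `threshold` distinct ports were hit within any `window_s`-second window."""
    attempts = defaultdict(list)   # src -> [(time, port)]
    bogus = defaultdict(int)       # src -> count of bogus-flag packets
    for line in log_text.splitlines():
        if m := ATTEMPT_RE.match(line):
            attempts[m["src"]].append((parse_ts(m["ts"]), m["port"]))
        elif m := BOGUS_RE.match(line):
            bogus[m["src"]] += 1
    findings = {}
    for src in set(attempts) | set(bogus):
        probes = sorted(attempts[src])
        scan = False
        for i, (t0, _) in enumerate(probes):   # sliding window starting at each probe
            ports = {p for t, p in probes[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= threshold:
                scan = True
                break
        findings[src] = {"ports": sorted({p for _, p in probes}),
                         "bogus_flag_probes": bogus[src],
                         "syn_scan": scan}
    return findings
```

Run `analyze(SAMPLE_LOG)` or pass the contents of /var/log/iplog to it; each source that reached three or more distinct ports within a minute is reported with `syn_scan` set.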
3) Options and configuration

-o : do not run in the background (default: runs in the background)
-z : this is the key option. It stops nmap from determining the OS.
-L : print the log to the screen
-i : specify the interface (default: eth0)
-u : user name or UID to run iplog as (default: nobody)
-g : group name or GID to run iplog as (default: nobody)
-l : specify the log file (default: /var/log/iplog)
-a : switch to promiscuous mode and log scans against the given network (e.g. -a 192.168.123.0/24)
-k : kill the iplog process, whether it is running in the background or the foreground
-R : restart iplog

How should all these options be used?

To monitor on screen:

# iplog -o -z -L

To log to a file (to start it at boot, add the command to /etc/rc.d/rc.local or similar):

# iplog -z

Settings that would otherwise be passed as options can be pre-set in the /etc/iplog.conf configuration file:
the user to run as, the interface, ports to exclude from detection, and so on.

2. Using iptables

There is also a way to do this with iptables, but it requires patching both the kernel and iptables,
and nothing has been released for kernels after 2.4.19, so it is only described briefly here.

Download ippersonality-20020819-2.4.19.tar.gz from http://ippersonality.sourceforge.net/,
apply the patches to the kernel and to iptables respectively, then compile both.

The ippersonality-20020819-2.4.19/samples directory contains 10 files for impersonating an OS:
AmigaOS, Dreamcast, FreeBSD, Linux 2.0x, Linux 2.2, MacOS 9, Solaris 8, Tru64 UNIX,
Win Me or Win 2000, and Win 9x, ten in all.

How do you make the host look like it is running Windows?

Using the patched iptables:

------------------------------------------------------------------------------
# insmod ipt_PERS        (loads the module; applies when the kernel was built with CONFIG_IP_NF_PERS=m)
# /usr/local/sbin/iptables -t mangle -A PREROUTING -s ! <server IP> -d <server IP> -j PERS --tweak dst --local --conf win2k.conf
# /usr/local/sbin/iptables -t mangle -A OUTPUT -s <server IP> -d ! <server IP> -j PERS --tweak src --local --conf win2k.conf
------------------------------------------------------------------------------

3. References

* A practical approach for defeating Nmap OS-Fingerprinting
http://coffeenix.net/doc/security/nmap_os_fingerprinting.html
* IP Personality project
http://ippersonality.sourceforge.net/
* iplog
http://ojnk.sourceforge.net/
* New features in nmap 3.45: version scanning (by 좋은진호)
http://coffeenix.net/board_view.php?bd_code=71

\easis
\@everbox