Hacking board
---
2002/02/13 (17:33) from 210.117.182.162
Author: 강줄기 (jkkang65@hanmail.net) | Views: 4371, Lines: 281
Intrusion detection methods and procedures
---
============================================================================
Document number : CERTCC-KR-TR-97-005
Document title  : Intrusion detection methods and procedures
Version/date    : Version 1 / 1997. 6. 7. Sat.
Source          : CERT/CC, Intruder Detection Checklist, August 1996, Version 1.1
                  ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist
============================================================================

* This document describes a procedure for checking whether your system has been compromised.

----------------------------------------------------------------------------
========================        Contents        ===========================
----------------------------------------------------------------------------
A. Look for signs that the system has been compromised.
----------------------------------------------------------------------------

----------------------------------------------------------------------------
A. Look for signs that the system has been compromised.
----------------------------------------------------------------------------
* In general, investigate in the order laid down by your organization's policy and procedures.

1. Examine the log files for connections from unusual locations and for other unusual activity.
   - Check last, syslog, the process accounting logs and any other logs the system keeps.
   - If a firewall or router keeps logs, check those as well.

2. Check for setuid and setgid files.
   - Intruders often leave setuid copies of /bin/sh or /bin/time behind as a backdoor for later root access.
   - Find setuid and setgid files with:
       # find / -user root -perm -4000 -print
       # find / -group kmem -perm -2000 -print
     On systems with NFS/AFS mounts, stay on the local filesystem:
       # find / -user root -perm -4000 -print -xdev
   - Another way to find setuid files is ncheck, run against each partition in turn:
       # ncheck -s /dev/rsd0g

3. Check the system binaries for modification.
   - Intruders replace the programs referenced by /etc/inetd.conf and other system binaries: login, su, telnet, netstat, ifconfig, ls, find, du, df, libc, sync and so on.
   - The Unix sum command, when used to compare the current files with backed-up originals, cannot be trusted: a trojan horse can be built to produce the same sum (and timestamp) as the original, and sum itself may have been replaced. Use instead:
     cmp, MD5, Tripwire, or another cryptographic checksum utility.
     Note that find and ls, used in steps 2 and 9, are on the list of commonly trojaned binaries above; run the checks from known-good copies (original distribution media) wherever possible.

4. Check for unauthorized use of network monitoring programs.
   - Intruders run a sniffer (packet sniffer) to capture user account names and passwords. For more on sniffers see
     ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks

5. Examine every file run by cron and at.
   - Intruders commonly leave backdoor programs in files run from cron or at. Make sure that the job files, and every program they run, cannot be written by anyone other than their owner.

6. Check for unauthorized services.
   - Inspect /etc/inetd.conf for services that were added or changed without authorization. In particular, look for entries that start a shell, /bin/sh or /bin/csh.

7. Examine /etc/passwd for changes.
   - Look for added accounts, accounts with an empty password field, and uid changes (to 0).

8. Check the system and network configuration files for unauthorized entries.
   - Look for '+' entries in /etc/hosts.equiv, /etc/hosts.lpd and every .rhosts file, and remove them.

9. Look for hidden or unusual files, in particular names starting with '.'.
   - Find files that ls does not show:
       # find / -name ".. " -print -xdev
       # find / -name ".*" -print -xdev | cat -v
     Names such as '.xx' and '.mail' are commonly used by intruders.

10. Examine every system on the local network.

-- Korea Information Security Center CERTCC-KR incident support -------------
   Phone  : 02-3488-4119
   Pager  : 015-993-4571
   Mobile : 011-732-7821
   Fax    : 3488-4129
   Email  : cert@certcc.or.kr
   For how to report an incident, see http://www.certcc.or.kr/service.html
============================================================================

============================================================================
Document number : CERTCC-KR technical document TR-97-006
Document title  : Unix security tools
Version/date    : Version 1 / 1997. 6. 7. Sat.
Source          : CERT/CC, Lists of Security Tools, August 1996, Version 1.1
                  ftp://info.cert.org/pub/tech_tips/security_tools
============================================================================

* These are security tools that help defend against system intrusion by unauthorized users and help strengthen the system. Before deploying any of them, confirm that using the tool is consistent with your organization's security policy and procedures.

----------------------------------------------------------------------------
========================        Contents        ===========================
----------------------------------------------------------------------------
A. Network monitoring tools
   1. Argus
   2. swatch
B. Authentication/password security tools
   1. Crack
   2. shadow passwords
C. Service filtering tools
   1. TCP/IP wrapper
D. Vulnerability scanning tools
   1. ISS (Internet Security Scanner)
   2. SATAN (Security Administrator Tool for Analyzing Networks)
E. System security tools
   1. COPS (Computer Oracle and Password System)
F. Integrity checking tools
   1. MD5
   2. Tripwire
G. Other tools
   1. lsof
   2. ifstatus
   3. smrsh (SendMail Restricted SHell)
   4. mail.local
----------------------------------------------------------------------------
A. Network monitoring tools
----------------------------------------------------------------------------
1. Argus
   Argus monitors packets on the network and runs as a client/server pair. The data it collects is in a form that is easy to apply to protocol analysis, intrusion detection and other needs.
   ftp://ftp.net.cmu.edu/pub/argus-1.5/

2. swatch
   Swatch (Simple WATCHer) filters and monitors log files: it picks out log entries matching patterns you specify and runs the action you define for them.
   ftp://ftp.stanford.edu/general/security-tools/swatch/

----------------------------------------------------------------------------
B. Authentication/password security tools
----------------------------------------------------------------------------
1. Crack
   Crack guesses passwords by running candidate words through the DES-based Unix crypt algorithm and comparing the results with the stored hashes. Run it periodically to find weak passwords and have their owners choose safe ones.
   ftp://info.cert.org/pub/tools/crack/

2. shadow passwords
   Shadow passwords remove the encrypted passwords from /etc/passwd and store them in a shadow file that ordinary users cannot read, so the hashes cannot be copied for offline guessing. If your system supports shadow passwords, use them.

----------------------------------------------------------------------------
C. Service filtering tools
----------------------------------------------------------------------------
1. TCP/IP wrapper
   Adds logging of network connections and lets you allow or deny access to services per host or per domain.
   ftp://info.cert.org/pub/tools/tcp_wrappers/

----------------------------------------------------------------------------
D. Vulnerability scanning tools
----------------------------------------------------------------------------
1. ISS (Internet Security Scanner)
   Scans every host in a given range of IP addresses for a number of known security vulnerabilities.
   ftp://info.cert.org/pub/tools/iss/

2. SATAN (Security Administrator Tool for Analyzing Networks)
   Gathers various kinds of information about networked hosts and checks them for known vulnerabilities.
   ftp://ftp.win.tue.nl/pub/security/satan-1.1.1.tar.Z
   Related SATAN material:
   ftp://info.cert.org/pub/cert_advisories/CA-95:07a.REVISED.satan.vul

----------------------------------------------------------------------------
E. System security tools
----------------------------------------------------------------------------
1. COPS (Computer Oracle and Password System)
   Uncovers security problems on UNIX systems. It does not fix the weaknesses it finds; it checks for them and reports.
   ftp://info.cert.org/pub/tools/cops/

----------------------------------------------------------------------------
F. Integrity checking tools
----------------------------------------------------------------------------
1. MD5
   A cryptographic checksum program: it takes a message of arbitrary length and produces a 128-bit message digest that acts as a fingerprint. Different messages produce different digests, so a file's digest reveals whether the file has been tampered with. (MD5 collisions have been practical since 2004; current integrity checkers use SHA-2 family digests instead.)
   ftp://info.cert.org/pub/tools/md5/

2. Tripwire
   Checks the integrity of files and directories: it reports whether the given files and directories have been modified, deleted or added to. Run it periodically to detect tampering with important files.
   ftp://info.cert.org/pub/tools/tripwire/

----------------------------------------------------------------------------
G. Other tools
----------------------------------------------------------------------------
1. lsof
   Lists every open file and the process that has it open. This plays an important part in detecting intruder programs.
   ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/

2. ifstatus
   Finds network interfaces on a UNIX system that are in debug or promiscuous mode. An interface in either mode can be a sign that an intruder is monitoring the network to capture passwords and other information.
   ftp://info.cert.org/pub/tools/ifstatus/ifstatus.tar.Z
   ftp://coast.cs.purdue.edu/pub/tools/unix/ifstatus/ifstatus.tar.Z

3. smrsh (SendMail Restricted SHell)
   Prevents ordinary users from exploiting sendmail weaknesses (for example the pipe vulnerability) to run arbitrary programs: only the programs placed in its restricted directory can be executed. Installing it on every sendmail system is recommended.
   ftp://info.cert.org/pub/tools/smrsh/
   ftp://ftp.uu.net/pub/security/smrsh/
   Related sendmail material:
   ftp://info.cert.org/pub/cert_advisories/CA-93:16.sendmail.vulnerability
   ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul

4. mail.local
   A replacement for the /bin/mail program of 4.3 BSD UNIX that fixes its vulnerabilities; use it when the vendor patch cannot be installed.
   ftp://info.cert.org/pub/tools/mail.local/
   Related mail.local material:
   ftp://info.cert.org/pub/cert_advisories/CA-95:02.binmail.vulnerabilities

----------------------------------------------------------------------------
H. Other
----------------------------------------------------------------------------
* For information on other security tools, see Appendix B of the "UNIX Computer Security Checklist" published by AUSCERT:
  ftp://info.cert.org/pub/tech_tips/AUSCERT_checklist1.1
============================================================================
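Steps 2, 3, 6, 7, 8 and 9 of the TR-97-005 checklist above, together with the baseline-and-compare idea behind the MD5 and Tripwire entries of TR-97-006, scripted as one added example. This is not code from CERT/CC or CERTCC-KR. It builds a constructed fake root under a temporary directory (the setuid copy of a shell, the uucp inetd.conf line, the toor account, the '+' trust entries and the ".. " directory are all made-up sample data) and runs the checks against that tree, so it can be run as an ordinary user without touching the real system. It assumes a POSIX shell with find, awk, grep and GNU md5sum (BSD md5 as a fallback); because the sample files are owned by the invoking user, the setuid check drops the -user root filter that the checklist uses.

```shell
#!/bin/sh
# Added example, not part of the CERTCC-KR/CERT text: the TR-97-005 checks
# scripted against a constructed fake root tree, so it runs as an ordinary
# user and touches no real system file. Assumes POSIX sh, find, awk, grep
# and md5sum (or BSD md5). Everything under $ROOT is constructed sample data.

ROOT=$(mktemp -d)

count_lines() { awk 'END { print NR }'; }

build_fixture() {
    mkdir -p "$ROOT/etc" "$ROOT/bin" "$ROOT/home/alice" "$ROOT/tmp/.. "
    # step 2: one expected setuid binary and a setuid copy of a shell
    printf '#!/bin/sh\n' >"$ROOT/bin/passwd"; chmod 4755 "$ROOT/bin/passwd"
    printf '#!/bin/sh\n' >"$ROOT/tmp/.mail";  chmod 4755 "$ROOT/tmp/.mail"
    # step 3: binaries that get baselined; login is trojaned afterwards
    printf 'login v1\n' >"$ROOT/bin/login"
    printf 'su v1\n'    >"$ROOT/bin/su"
    # step 6: an inetd.conf entry that hands out a root shell
    cat >"$ROOT/etc/inetd.conf" <<'EOF'
# service socket proto  wait    user  server          args
ftp       stream tcp    nowait  root  /usr/sbin/tcpd  in.ftpd
telnet    stream tcp    nowait  root  /usr/sbin/tcpd  in.telnetd
uucp      stream tcp    nowait  root  /bin/sh         sh -i
EOF
    # step 7: an added uid-0 account with an empty password field
    cat >"$ROOT/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1::/:/bin/false
alice:x:1000:1000::/home/alice:/bin/sh
toor::0:0::/:/bin/sh
EOF
    # step 8: '+' wildcard trust entries
    printf 'trusted.example.com\n+\n' >"$ROOT/etc/hosts.equiv"
    printf '+ +\n' >"$ROOT/home/alice/.rhosts"
}

# Step 2: setuid files that are not on the known-good list. On a live system
# add -user root and run per mounted filesystem with -xdev, as the checklist says.
unexpected_setuid() {
    find "$ROOT" -xdev -type f -perm -4000 -print | grep -vxF "$ROOT/bin/passwd"
}

# Step 3: record digests of the system binaries, then compare against them.
# Keep the real baseline on read-only media: a tampered baseline file, or a
# trojaned checksum program, defeats the check.
digest() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{ print $1 }'
    else md5 -q "$1"; fi
}
record_baseline() {
    for f in "$ROOT"/bin/*; do printf '%s %s\n' "$(digest "$f")" "$f"; done >"$ROOT/baseline.md5"
}
changed_binaries() {
    while read -r sum f; do
        [ "$(digest "$f")" = "$sum" ] || echo "$f"
    done <"$ROOT/baseline.md5"
}
trojan_login() { printf 'login v1 with backdoor\n' >"$ROOT/bin/login"; }

# Step 6: inetd.conf services whose server program is a shell.
inetd_shell_services() {
    awk '!/^#/ && NF >= 6 && $6 ~ /\/bin\/(sh|csh)$/ { print $1 ": " $6 }' "$ROOT/etc/inetd.conf"
}

# Step 7: uid 0 under a name other than root, or an empty password field.
passwd_anomalies() {
    awk -F: '{ why = ""
               if ($3 == 0 && $1 != "root") why = why " uid0"
               if ($2 == "")                why = why " nopass"
               if (why != "") print $1 ":" why }' "$ROOT/etc/passwd"
}

# Step 8: '+' entries in hosts.equiv, hosts.lpd and every .rhosts file.
plus_trust_entries() {
    { ls "$ROOT/etc/hosts.equiv" "$ROOT/etc/hosts.lpd" 2>/dev/null
      find "$ROOT" -name .rhosts -print; } |
    while read -r f; do grep -n '^+' "$f" /dev/null; done
}

# Step 9: dot-names that ls hides; cat -v makes control characters visible.
hidden_names() { find "$ROOT" -name '.*' -print | cat -v; }

run_all() {
    build_fixture; record_baseline; trojan_login
    for check in unexpected_setuid changed_binaries inetd_shell_services \
                 passwd_anomalies plus_trust_entries hidden_names; do
        echo "== $check"; "$check"
    done
    rm -rf "$ROOT"
}

run_all
```

Each check is a function that prints its findings one per line, so the same functions can be fed to a log or an alerting tool. Against the constructed tree the script reports the setuid .mail file, the modified login binary, the uucp service that runs /bin/sh, the toor account (uid 0, no password), the two '+' entries and the three dot-names (".. ", .mail and alice's .rhosts; the last is expected, which is why the checklist says to inspect rather than delete). The baseline is written inside the fake root only for the sake of a self-contained demo.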