Hacking-related board

2002/02/13(17:33) from 210.117.182.162
Author : Kang Jul Ki (jkkang65@hanmail.net)   Views : 4371 , Lines : 281
Intrusion Detection Methods and Procedures
============================================================================
Document No.   : CERTCC-KR-TR-97-005
Document Title : Intrusion Detection Methods and Procedures
Version/Date   : Version 1/ 1997. 6. 7. Sat.
Original       : CERT/CC, Intruder Detection Checklist
                 August 1996, Version 1.1
                 ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist
============================================================================
* This document describes a procedure for checking whether your system has
  been compromised.
----------------------------------------------------------------------------
========================   C O N T E N T S   ===========================
----------------------------------------------------------------------------

A. Look for signs that the system has been compromised.

----------------------------------------------------------------------------
A. Look for signs that the system has been compromised.
----------------------------------------------------------------------------

  * In general, investigate in accordance with your organization's policies
    and procedures.

  1. Examine log files for connections from unusual locations or for other
     unusual activity.
       - Check last, syslog, process logs and any other logs.
       - Check firewall or router logs if they are kept.
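As an added example (not part of the CERTCC-KR document), the shell script below runs the kind of review step 1 describes over a handful of constructed syslog-style lines: it flags failed su attempts, and root logins or inetd connections whose source address lies outside a trusted network. The host name host1, the addresses, the log lines themselves and the trusted prefix 10.1. are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original document. Reviews constructed
# syslog-style lines for entries step 1 asks an administrator to look at.
# The trusted prefix and every log line below are assumptions for the demo.

TRUSTED_PREFIX="10.1."

# Write constructed sample log lines to the file named in $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Jun  7 01:02:11 host1 login: ROOT LOGIN ON ttyp2 FROM 10.1.0.5
Jun  7 01:04:39 host1 su: 'su root' failed for alice on /dev/ttyp1
Jun  7 02:15:02 host1 telnetd: connect from 203.0.113.77
Jun  7 02:15:20 host1 login: ROOT LOGIN ON ttyp3 FROM 203.0.113.77
Jun  7 03:30:00 host1 su: alice to root on /dev/ttyp1
Jun  7 03:31:10 host1 rshd: connect from 10.1.0.9
EOF
}

# Print the lines that deserve a second look:
#   - any failed su attempt
#   - any root login or inetd "connect from" whose source address
#     (the last field of the line) does not start with the trusted prefix
flag_suspicious() {
    awk -v prefix="$TRUSTED_PREFIX" '
        /su:.*failed/ { print; next }
        /ROOT LOGIN|connect from/ {
            addr = $NF
            if (index(addr, prefix) != 1) print
        }
    ' "$1"
}

# Number of flagged lines, convenient when scripting the review.
count_suspicious() {
    flag_suspicious "$1" | wc -l | tr -d ' '
}

# Stand-alone run: build the sample log, show the flagged entries, clean up.
LOG="${TMPDIR:-/tmp}/sample_syslog.$$"
make_sample_log "$LOG"
flag_suspicious "$LOG"
rm -f "$LOG"
```

Run with `sh review.sh`; it prints the three flagged lines (the failed su and the two entries from 203.0.113.77). On a real host, point flag_suspicious at the syslog file or at the output of last and adjust TRUSTED_PREFIX to your own address range.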

  2. Check setuid and setgid files.
       - Intruders often leave behind backdoor files, such as copies of
         /bin/sh or /bin/time, so that they can regain root privileges later.
       - Find setuid and setgid files as follows:
               # find / -user root -perm -4000 -print
               # find / -group kmem -perm -2000 -print
         On systems with NFS/AFS mounts use the following command:
               # find / -user root -perm -4000 -print -xdev
       - Another way to find setuid files is ncheck, applied to each
         partition separately:
               # ncheck -s /dev/rsd0g
  3. Check the system binaries for modification.
       - Intruders modify system binaries, including programs referenced by
         /etc/inetd.conf, such as:
               login, su, telnet, netstat, ifconfig, ls,
               find, du, df, libc, sync, etc.
       - The Unix sum command, used to compare the current file with a
         backed-up original, can be fooled by trojan-horse programs into
         reporting untrustworthy results, so use the following instead:

           cmp, MD5, Tripwire, or other cryptographic checksum utilities
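The following script is an added example, not code from the document or from the tools it names: it builds a cryptographic checksum manifest of a directory of "system binaries" and later verifies the tree against it, which is the MD5/Tripwire-style approach recommended above in place of sum. It assumes that sha256sum or md5sum is installed (md5sum is the 1997 choice; sha256sum is preferred today), and the two sample "binaries" and the manifest path are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original document. Builds a cryptographic
# checksum manifest of a directory of "system binaries" and verifies the
# tree against it later, the approach the text recommends over sum(1).
# Assumptions: sha256sum or md5sum is installed, and the sample files
# created in demo_detects_change are constructed for this demo only.

HASHER=$(command -v sha256sum || command -v md5sum)

# Record "<hash>  ./relative/path" for every regular file under $1 into $2.
# $2 must be an absolute path because the hashing runs inside $1.
make_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs "$HASHER" ) > "$2"
}

# Verify the tree under $1 against manifest $2.
# Returns 0 when every listed file still matches, 1 when any file was
# modified or deleted (the hash tool reports both as failures).
verify_baseline() {
    ( cd "$1" && "$HASHER" -c "$2" ) >/dev/null 2>&1
}

# Files present now but absent from the manifest: the additions a
# Tripwire-style check also reports. Prints one relative path per line.
list_added() {
    ( cd "$1" && find . -type f | LC_ALL=C sort ) > "$2.now"
    awk '{ print $2 }' "$2" | LC_ALL=C sort > "$2.known"
    comm -13 "$2.known" "$2.now"
    rm -f "$2.now" "$2.known"
}

# Create a constructed tree, baseline it, replace one "binary" and add a
# file, then report whether each change was caught. Returns 0 when the
# clean tree verified and the tampered tree did not.
demo_detects_change() {
    WORK="${TMPDIR:-/tmp}/baseline_demo.$$"
    mkdir -p "$WORK/bin"
    printf 'original login\n' > "$WORK/bin/login"
    printf 'original ls\n'    > "$WORK/bin/ls"
    make_baseline "$WORK/bin" "$WORK/manifest"

    if verify_baseline "$WORK/bin" "$WORK/manifest"; then clean=0; else clean=1; fi
    printf 'replaced login\n' > "$WORK/bin/login"     # simulate a swapped binary
    printf 'new file\n'       > "$WORK/bin/extra"     # simulate an added file
    if verify_baseline "$WORK/bin" "$WORK/manifest"; then tampered=0; else tampered=1; fi
    added=$(list_added "$WORK/bin" "$WORK/manifest" | tr -d '\n')

    rm -rf "$WORK"
    echo "clean tree verified: $clean, tampered tree failed verification: $tampered, added: $added"
    [ "$clean" = 0 ] && [ "$tampered" = 1 ] && [ "$added" = "./extra" ]
}

demo_detects_change
```

The manifest has to be stored somewhere an intruder cannot rewrite it (read-only media or another host); a checksum list kept on the compromised system is no better than the sum output the text warns about.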

  4. Check for unauthorized use of network monitoring programs.
       - Intruders use a sniffer or packet sniffer to capture user account
         and password information. For information on sniffers see:
           ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks

  5. Check all files run by cron and at.
       - Intruders commonly leave backdoor programs in the files run by
         cron and at. Therefore make the files run by these programs
         write-protected.

  6. Check for unauthorized services.
       - Examine /etc/inetd.conf for unauthorized added or altered services,
         and in particular for entries that run a shell such as /bin/sh or
         /bin/csh.

  7. Examine the /etc/passwd file for modifications.
       - Check for added accounts, accounts with no password, and UID
         changes (to 0).

  8. Check the system and network configuration files for unauthorized
     entries.
       - Check /etc/hosts.equiv, /etc/hosts.lpd and all .rhosts files for
         '+' entries and remove them.
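As an added example that is not part of the document, the script below carries out the checks of steps 6, 7 and 8 together: UID 0 accounts other than root and empty password fields in passwd, '+' entries in hosts.equiv and .rhosts, and inetd.conf services that hand out /bin/sh or /bin/csh. Every account, host name and service line it reads is constructed for the demo; on a real host the functions would be pointed at /etc/passwd, /etc/hosts.equiv, /etc/hosts.lpd, the users' .rhosts files and /etc/inetd.conf.

```shell
#!/bin/sh
# Added example, not from the original document. Runs the checks of steps
# 6, 7 and 8 over constructed copies of /etc/passwd, /etc/hosts.equiv,
# .rhosts and /etc/inetd.conf. Every account, host and service below is
# made up for the demo; point the functions at the real files on a host.

# Write the constructed configuration files into directory $1.
make_sample_configs() {
    mkdir -p "$1"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
alice:x:1001:1001:Alice:/home/alice:/bin/sh
toor::0:0:second root:/:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
EOF
    cat > "$1/hosts.equiv" <<'EOF'
trusted.example.com
+
EOF
    cat > "$1/.rhosts" <<'EOF'
alice.example.com alice
+ +
EOF
    cat > "$1/inetd.conf" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
svc42   stream  tcp  nowait  root  /bin/sh         sh -i
EOF
}

# Step 7: accounts with UID 0 other than root, and accounts whose password
# field is empty (no password required). One line per finding.
check_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { print $1 ": uid 0 account other than root" }
        $2 == ""                { print $1 ": empty password field" }
    ' "$1"
}

# Step 8: "+" entries in hosts.equiv / hosts.lpd / .rhosts, which trust
# every host (or every host and every user). Accepts any number of files.
check_trust_files() {
    awk '$1 == "+" { print FILENAME ":" FNR ": " $0 }' "$@"
}

# Step 6: inetd.conf services whose server program or arguments name
# /bin/sh or /bin/csh, i.e. a service that hands out a shell.
check_inetd() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        { for (i = 6; i <= NF; i++) if ($i ~ /^\/bin\/c?sh$/) { print FNR ": " $0; break } }
    ' "$1"
}

# Line counter, so the checks can be scripted or asserted on.
count_lines() { wc -l | tr -d ' '; }

# Stand-alone run over the constructed files.
DIR="${TMPDIR:-/tmp}/config_audit.$$"
make_sample_configs "$DIR"
echo "== passwd";     check_passwd "$DIR/passwd"
echo "== trust";      check_trust_files "$DIR/hosts.equiv" "$DIR/.rhosts"
echo "== inetd.conf"; check_inetd "$DIR/inetd.conf"
rm -rf "$DIR"
```

On the sample data the run reports toor twice (UID 0 and empty password), guest once, both '+' lines, and the svc42 service. Compare the findings against what your organization has authorized rather than treating every hit as hostile: a legitimate second UID 0 account is rare but not unheard of.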

  9. Check for hidden or unusual files whose names begin with '.'.
       - Look for files that ls does not show:
               # find / -name ".. " -print -xdev
               # find / -name ".*" -print -xdev | cat -v
         Files such as '.xx' or '.mail' are commonly used by intruders.
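The script below is an added example, not part of the document, and serves steps 2 and 9 at once: it lists setuid/setgid files under a tree and reports those missing from a saved baseline, and it lists dot-files whose names are built to be overlooked (embedded whitespace, names beginning with "..", unprintable characters). The sample tree built by build_sample_tree, including the setuid "su" and the ".. " entry, is constructed for the demo; on a real host you would run the functions against / with -xdev, as the find commands above do.

```shell
#!/bin/sh
# Added example, not from the original document. Automates steps 2 and 9:
# list setuid/setgid files under a directory tree and compare them with a
# saved baseline, and list dot-files whose names are designed to be
# overlooked (embedded whitespace, names beginning with "..", unprintable
# characters). The sample tree built by build_sample_tree is constructed
# for the demo; on a real host run the functions against / with -xdev.

# Step 2: setuid or setgid regular files under $1, one path per line.
find_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | LC_ALL=C sort
}

# Privileged files present now that are not in baseline file $2
# (produced earlier by: find_privileged ROOT > baseline).
new_privileged() {
    find_privileged "$1" | LC_ALL=C comm -13 "$2" -
}

# Step 9: dot-files with suspicious names. ".xx" or ".mail" style names look
# ordinary, so the filter keys on names that a directory listing shows
# misleadingly; the full ".*" listing is still worth reading by hand.
find_odd_dotfiles() {
    find "$1" -name '.*' -print | awk -F/ '{
        n = $NF
        if (n ~ /[[:space:]]/ || n ~ /^\.\.+/ || n ~ /[^[:print:]]/) print
    }'
}

# Build a constructed tree under $1: one setuid "su", one setgid "wall",
# an ordinary "ls", an innocuous ".mail", and two misleading dot-names.
build_sample_tree() {
    mkdir -p "$1/bin" "$1/tmp"
    : > "$1/bin/su";   chmod 4755 "$1/bin/su"
    : > "$1/bin/wall"; chmod 2755 "$1/bin/wall"
    : > "$1/bin/ls";   chmod 0755 "$1/bin/ls"
    : > "$1/tmp/.mail"
    : > "$1/tmp/.. "          # "dot dot space": hides among . and .. in listings
    : > "$1/tmp/.x y"
}

# Stand-alone run: baseline the clean tree, add a setuid file, show what is new.
ROOT="${TMPDIR:-/tmp}/priv_demo.$$"
build_sample_tree "$ROOT"
find_privileged "$ROOT" > "$ROOT/baseline"
: > "$ROOT/tmp/.sh"; chmod 4755 "$ROOT/tmp/.sh"    # simulate a left-behind setuid copy
echo "== privileged files not in baseline"; new_privileged "$ROOT" "$ROOT/baseline"
echo "== odd dot-file names";               find_odd_dotfiles "$ROOT"
rm -rf "$ROOT"
```

The baseline only means something if it was taken from a known-good system and is kept where the host cannot alter it; a baseline recorded after the intrusion simply enshrines the backdoor.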

  10. Check all systems on the local network.

-- Korea Information Security Center CERTCC-KR incident response contact ----
Phone  : 02-3488-4119                          Pager : 015-993-4571
Mobile : 011-732-7821                          Fax   : 3488-4129
Email  : cert@certcc.or.kr
For how to report an incident, see http://www.certcc.or.kr/service.html
============================================================================

============================================================================
Document No.   : CERTCC-KR Technical Document : TR-97-006
Document Title : Unix Security Tools
Version/Date   : Version 1/ 1997. 6. 7. Sat.
Original       : CERT/CC, Lists of Security Tools
                 August 1996, Version 1.1
                 ftp://info.cert.org/pub/tech_tips/security_tools
============================================================================
* Security tools that help defend against system intrusion by unauthorized
  users and harden the system. Whenever you use a security tool, confirm
  that its use is consistent with your organization's security policy and
  procedures.
----------------------------------------------------------------------------
========================   C O N T E N T S   ===========================
----------------------------------------------------------------------------

A. Network monitoring tools
       1. Argus
       2. swatch

B. Authentication/password security tools
       1. Crack
       2. shadow passwords

C. Service filtering tools
       1. TCP/IP wrapper

D. Vulnerability scanning tools
       1. ISS (Internet Security Scanner)
       2. SATAN (Security Administrator Tools for Analyzing Networks)

E. System security tools
       1. COPS (Computer Oracle and Password System)

F. Integrity checking tools
       1. MD5
       2. Tripwire

G. Other tools
       1. lsof
       2. ifstatus
       3. smrsh (SendMail Restricted SHell)
       4. mail.local

----------------------------------------------------------------------------
A. Network monitoring tools
----------------------------------------------------------------------------

  1. Argus
       Argus is a tool that monitors packets on the network and operates on
       a client/server model. The collected information is in a form that
       is easy to use for protocol analysis, intrusion detection and other
       needs.

          ftp://ftp.net.cmu.edu/pub/argus-1.5/

  2. swatch
       Swatch (Simple WATCHer program) is a tool that filters and monitors
       log files. It picks out specific log entries and carries out
       user-defined actions.

          ftp://ftp.stanford.edu/general/security-tools/swatch/

----------------------------------------------------------------------------
B. Authentication/password security tools
----------------------------------------------------------------------------

  1. Crack
       A program that guesses passwords using the Unix DES encryption
       algorithm. Run it periodically to find weak passwords and have
       users replace them with secure ones.

          ftp://info.cert.org/pub/tools/crack/

  2. shadow passwords
       Removes the encrypted passwords from the /etc/passwd file and stores
       them in a shadow file so that ordinary users cannot read them. If
       the system supports shadow passwords, be sure to use them.

----------------------------------------------------------------------------
C. Service filtering tools
----------------------------------------------------------------------------

  1. TCP/IP wrapper
       Provides additional network logging and the ability to allow or deny
       connections per host and per domain.

          ftp://info.cert.org/pub/tools/tcp_wrappers/

----------------------------------------------------------------------------
D. Vulnerability scanning tools
----------------------------------------------------------------------------

  1. ISS (Internet Security Scanner)
       A tool that scans every host in a given range of IP addresses and
       finds a number of known security vulnerabilities.

          ftp://info.cert.org/pub/tools/iss/

  2. SATAN (Security Administrator Tools for Analyzing Networks)
       A tool that collects various kinds of information about networked
       hosts and checks them for known vulnerabilities.

          ftp://ftp.win.tue.nl/pub/security/satan-1.1.1.tar.Z

       SATAN-related material

        ftp://info.cert.org/pub/cert_advisories/CA-95:07a.REVISED.satan.vul

----------------------------------------------------------------------------
E. System security tools
----------------------------------------------------------------------------

  1. COPS (Computer Oracle and Password System)
       A tool that uncovers security problems on UNIX systems. It does not
       fix vulnerabilities; it checks for them and reports.

          ftp://info.cert.org/pub/tools/cops/

----------------------------------------------------------------------------
F. Integrity checking tools
----------------------------------------------------------------------------

  1. MD5
       A cryptographic checksum program that takes a message of arbitrary
       length and produces a 128-bit message digest that acts like a
       fingerprint. Different messages produce different message digests,
       so tampering with a file can be detected.

          ftp://info.cert.org/pub/tools/md5/

  2. Tripwire
       A tool that checks the integrity of files and directories, reporting
       modification, deletion and addition for the files and directories
       it is given. Run it periodically to detect tampering with important
       files.

          ftp://info.cert.org/pub/tools/tripwire/

----------------------------------------------------------------------------
G. Other tools
----------------------------------------------------------------------------

  1. lsof
       Lists all open files and the processes that opened them. It plays an
       important role in detecting intruder programs.

          ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/

  2. ifstatus
       Finds network interfaces on UNIX systems that are in debug or
       promiscuous mode. An interface in debug or promiscuous mode can be a
       clue that an intruder is monitoring the network to obtain passwords
       and other information.

          ftp://info.cert.org/pub/tools/ifstatus/ifstatus.tar.Z
          ftp://coast.cs.purdue.edu/pub/tools/unix/ifstatus/ifstatus.tar.Z

  3. smrsh (SendMail Restricted SHell)
       A tool that prevents ordinary users from exploiting sendmail
       vulnerabilities (for example, the pipes vulnerability) to run
       arbitrary programs. Installing it with every sendmail is recommended.

          ftp://info.cert.org/pub/tools/smrsh/
          ftp://ftp.uu.net/pub/security/smrsh/

       sendmail-related information
          ftp://info.cert.org/pub/cert_advisories/CA-93:16.sendmail.vulnerability
          ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul

  4. mail.local
       A program that fixes the vulnerability in the /bin/mail program of
       BSD 4.3 UNIX systems; use it when the patch cannot be installed.

          ftp://info.cert.org/pub/tools/mail.local/

       mail.local-related information
          ftp://info.cert.org/pub/cert_advisories/CA-95:02.binmail.vulnerabilities

----------------------------------------------------------------------------
H. Other
----------------------------------------------------------------------------

  * For information on other security tools, see Appendix B of the "UNIX
    Computer Security Checklist" provided by AUSCERT.

       ftp://info.cert.org/pub/tech_tips/AUSCERT_checklist1.1

============================================================================