Getting to know ISS

ISS stands for Internet Security Scanner. It is a security checker built around a port scan of remote hosts, and it was written mainly to scan hosts that are exposed to the public (for example a host that runs a BBS, or one that offers anonymous FTP). The phrase its authors attached to the release, "internet security scanner", does fit: when SATAN was released and stirred up a lot of controversy, the ISS side pointed out that they had already published ISS with the same functionality. Because its interface is rather poor, however, it did not get very good reviews. Nonetheless, it has the advantage of scanning a wide range of hosts at once and at high speed.

What the tool covers is this: for basic security holes that are easily left open, such as bbs accounts, guest accounts and the like, it scans the ports of every host within a specified range of IP addresses. Because an ordinary user can obtain and run it just as easily, it can also serve as the reconnaissance step for an outside cracker preparing to break into a host; in that case it amounts to handing the bank's floor plan to an outside thief. Moreover, even when you scan your own host, it patches nothing; it only indicates that some bug is present. SATAN, by contrast, lets even a naive system administrator scan the host from outside, then follow its how_to_hack walkthrough step by step, learn the procedure and the patching method, and fetch the patch directly. ISS is considerably lacking on that point. Since the interface is text-based as well, I would rather recommend SATAN to a novice administrator trying this for the first time. The internal source code is also extremely simple and may amount to little more than a plain port scan; attackers are already using better tools than this, so the functionality needs to be strengthened considerably.
Positive
- ISS can check the many hosts within a specified scan range at high speed.
- The auxiliary tools bundled with it can be used for exploitation.
Negative
- ISS's interface is not particularly comfortable for users.
- ISS finds open ports and holes quickly, but it gives no detailed explanation of them, so a certain level of expertise is needed to interpret the results.
- It is strong at external port scanning and the like, but it does not check OS-level bugs internal to the host itself.
Obtaining ISS
The public version is readily available from the following locations.
ftp://ftp.cert-kr.or.kr/pub/Security/tools/iss13.tar.gz
ftp://ftp.iss.net:/pub/iss/iss13.tar.gz
http://iss.net/iss
There is also a commercial version of ISS, which is said to have a far richer interface and feature set, but when performance and interface are compared it still falls well short of SATAN, so there is no reason to go out of your way for the commercial version.
Related FAQs and discussions can be found in comp.answers, comp.security.unix, comp.security.misc, alt.security, comp.unix.admin and alt.answers.
Installing ISS
Besides iss itself, the package includes tools that can run independently of it (nfsbug, strobe, ypx). They add functionality to iss, which drives them, while remaining standalone programs.
1. Building iss
First fetch the source (go to one of the addresses above and download it).
$ pwd
/security/bin
$ ls
iss13.tar.gz
$ /usr/local/bin/zcat iss13.tar.gz | tar xvf -
iss/
iss/Changes      : iss development history
iss/Makefile     : makefile for iss
iss/iss.1        : manual page for iss
iss/iss.c        : iss main source
iss/readme.iss   : readme file for iss
iss/telnet.h     : header file for iss.c
iss/nfsbug.shar  : shell archive for nfsbug (a standalone tool in its own right)
iss/ypx.shar     : shell archive for ypx (a standalone tool in its own right)
iss/strobe.tar   : tar file for strobe (a standalone tool in its own right)
$ cd iss
$ ls
Changes   iss.1   nfsbug.shar  strobe.tar  ypx.shar
Makefile  iss.c   readme.iss   telnet.h
$ make                     (this builds iss)
cc -c iss.c -o iss.o
cc -o iss iss.o
The resulting iss can then be used for whatever scan you want. The source above compiles cleanly on Solaris 1.x, but on Solaris 2.x the build can fail if the libraries are not specified correctly: the socket code needs -lsocket -lnsl on the link line there.
2. Building nfsbug
If the build fails with errors in the source at this point, replace the System V style include headers with the ones found under /usr/ucbinclude.
$ chmod +x *.shar          (so the shell archives can be run directly)
$ mkdir nfsbug
$ mv nfsbug.shar nfsbug
$ cd nfsbug
$ pwd
/security/iss/nfsbug
$ sh nfsbug.shar           (typing a bare nfsbug.shar works only if . is in PATH, which is not advisable)
Extracting Makefile
Extracting mount.x
Extracting nfs_prot.x
Extracting nfsbug.c
$ make                     (this builds nfsbug)
rpcgen mount.x
cc -ggdb -I. -c mount_clnt.c -o mount_clnt.o
cc -ggdb -I. -c mount_xdr.c -o mount_xdr.o
rpcgen nfs_prot.x
cc -ggdb -I. -c nfs_prot_clnt.c -o nfs_prot_clnt.o
cc -ggdb -I. -c nfs_prot_xdr.c -o nfs_prot_xdr.o
cc -ggdb -I. -c nfsbug.c -o nfsbug.o
...
The resulting nfsbug binary checks for NFS file handle guessing and other NFS holes.
3. Building strobe
$ cd ..
$ pwd
/security/iss
$ tar -xvf strobe.tar
Running the command above creates the following files.
$ cd strobe
$ ls
COPYRIGHT  INSTALL   VERSION     strobe.c
CREDITS    Makefile  strobe.man  strobe.services
HISTORY    TODO      strobe.1
COPYRIGHT       : copyright notice
CREDITS         : list of authors and what each contributed
HISTORY         : development history
INSTALL         : installation instructions
Makefile        : makefile used by make
TODO            : to-do list for strobe
VERSION         : version string
strobe.man      : manual file
strobe.1        : manual page
strobe.c        : strobe main source
strobe.services : the list of ports strobe checks
$ make
Running the above produces strobe.o and strobe. strobe.tar is a sub-program bundled with the iss package. The resulting strobe binary is itself a scanner, one currently being discussed on the bugtraq mailing list; it scans TCP ports fast.
4. Building ypx
$ su
...
# make install                 (installs strobe and its man pages)
# exit
$ pwd
/security/iss/strobe
$ cd ..
$ mkdir ypx
$ mv ypx.shar ypx
$ cd ypx
$ pwd
/security/iss/ypx
Edit ypx.shar to save the documentation at the head of the file separately, then run ypx.shar. That is, delete everything from the first line up to (but not including) the lines below:
#! /bin/sh
# This is a shell archive. Remove anything before this line, then unpack
# it by saving it into a file and typing "sh file". To overwrite existing
$ sh ypx.shar               (or ./ypx.shar)
shar : Extracting "MANIFEST" (504 characters)
shar : Extracting "Makefile" (540 characters)
shar : Extracting "README" (2437 characters)
shar : Extracting "nhost.c" (2553 characters)
shar : Extracting "nhost.h" (122 characters)
shar : Extracting "yp-check.c" (2779 characters)
shar : Extracting "ypx-add.c" (558 characters)
shar : Extracting "ypx-add.h" (117 characters)
shar : Extracting "ypx-boot.c" (1202 characters)
shar : Extracting "ypx-func.c" (2809 characters)
shar : Extracting "ypx-main.c" (1974 characters)
shar : Extracting "ypx-sm.c" (783 characters)
shar : Extracting "ypx-1" (2435 characters)
shar : End of archive (of 1).
You have unpacked all 1 archives.
$ make
cc -g -c ypx-main.c -o ypx-main.o
cc -g -c ypx-func.c -o ypx-func.o
cc -g -c ypx-add.c -o ypx-add.o
cc -g -c ypx-sm.c -o ypx-sm.o
...
With that, ypx has been built. This ypx is a tool written by Rob Nauta that checks for holes in YP/NIS.
Going through the steps above yields four tools that each run independently: iss, strobe, nfsbug and ypx.
Using ISS
1. Using iss
As a baseline, it runs rusers -l targethost.
The options are explained below.
- -d : skip the scan for default accounts (e.g. sync, a default id on Sun machines).
- -m : skip the mail port scan. With this option set, information such as the sendmail version cannot be obtained.
- -v : skip the checks on the SMTP port, i.e. whether the debug command is usable and what mail aliases exist. Without -v these are gathered, including the target host's mail aliases (decode, guest, bbs, lp). A skilled attacker can use what is learned here, together with a sendmail hole, to create a .rhosts file on the target host, so the ids bbs, guest, lp and the like get concentrated attention.
- -f : skip the check of the FTP port. Without this option it specifically looks for anonymous FTP sites. (A classic attack, but information from FTP can be used to plant a .rhosts on the other host or to drop in a .forward.)
- -r : skip gathering information through RPC calls (e.g. rpcinfo -p targethost).
- -y : call ypx, a program that can also run on its own, to look for holes in YP.
- -e : show mount information. An experienced attacker will want to know whether anything obtained here is mounted for everyone. It does not show all mount information, only the everyone-mountable exports that are useful in an attack.
- -p : probe every TCP port on a single host. As the usage text below says, this disables all the other options.
- -q : turn quick scan off. By default hosts that have no reverse-DNS name are skipped; with -q they are scanned as well (the usage text below is authoritative on this).
- -o : write the scan results to a file other than the default ISS.log ("-" for stdout).
iss
ISS v1.3 (Internet Security Scanner)
Usage : iss -msrdyvpqefo #1 #2
-m Ignores checking for mail port.
-s xx number of seconds max to wait
-r Ignores Checking for RPC calls
-d Ignores Checking Default Logins such as sync
-y Try to get pw via Ypx
-v Ignores finding Mail Aliases for decode, guest, bbs, lp
-p Scans one Host for all open TCP ports (disables all other options)
-q Turns off Quick Scan so it finds hosts even with no name.
-e Only logs directories that can be mounted by everyone
-f Ignores Checking FTP port for logging in as anonymous
-o <file> send output to non ISS>log file, "-" is stdout
#1 is the inetnet network to start searching on
#2 is the inetnet network to end searching on
(ie. 128.128.128.1 128.128.128.25 will scan all hosts from
128.128.128.1 to 128.128.128.25).
Written By Christopher Klaus ([email protected])
Send me suggestions, bugs, fixes, and ideas. Send flames > /dev/null
$ iss -yp 143.248.0.1 143.248.9.9
The command above examines every host from 143.248.0.1 through 143.248.9.9 inclusive, 2,313 addresses in all. That is a slice of 143.248.x.x, not the whole of it. Note also that, according to the usage text, -p scans a single host for all TCP ports and disables the other options, so the -y here has no effect; `iss -y 143.248.0.1 143.248.9.9` runs the default checks plus the ypx check across the range.
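The range arithmetic and the quick-scan rule behind that invocation, as an added example written for this page (not code from the ISS page or from iss.c). The resolver and the connector are passed in as functions so the scan logic runs offline against a constructed, hypothetical inventory; the socket-backed tcp_connect() and dns_resolve() are there for use against hosts you are authorised to scan. The host names and addresses in the inventory are assumptions.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterator, List, Optional


def iss_range(start: str, end: str) -> Iterator[str]:
    """Yield every IPv4 address from start to end inclusive, walking the 32-bit value."""
    a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if b < a:
        raise ValueError("end address precedes start address")
    for n in range(int(a), int(b) + 1):
        yield str(ipaddress.IPv4Address(n))


def range_size(start: str, end: str) -> int:
    """How many addresses an `iss #1 #2` run touches."""
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1


def tcp_connect(ip: str, port: int, timeout: float = 2.0) -> bool:
    """Real connector, the equivalent of iss's ctos(): True if connect() succeeds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def dns_resolve(ip: str) -> Optional[str]:
    """Real resolver: the reverse lookup done before deciding whether to probe a host."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def scan(start: str, end: str, ports: List[int],
         resolve: Callable[[str], Optional[str]],
         connect: Callable[[str, int], bool],
         no_quick: bool = False) -> Dict[str, List[int]]:
    """Return {ip: [open ports]} over the range.

    With the default quick scan a host that has no reverse-DNS name is skipped
    outright; no_quick=True is what the -q flag in the usage text does.
    """
    found: Dict[str, List[int]] = {}
    for ip in iss_range(start, end):
        if resolve(ip) is None and not no_quick:
            continue
        open_ports = [p for p in ports if connect(ip, p)]
        if open_ports:
            found[ip] = open_ports
    return found


# Constructed inventory standing in for the network (names and addresses are assumptions).
FAKE_DNS = {"143.248.0.1": "gw.example.test", "143.248.0.2": "bbs.example.test"}
FAKE_OPEN = {("143.248.0.1", 25), ("143.248.0.2", 21),
             ("143.248.0.2", 23), ("143.248.0.3", 23)}   # .3 has no DNS name


def fake_resolve(ip: str) -> Optional[str]:
    return FAKE_DNS.get(ip)


def fake_connect(ip: str, port: int) -> bool:
    return (ip, port) in FAKE_OPEN


if __name__ == "__main__":
    print(range_size("143.248.0.1", "143.248.9.9"))          # 2313, not a whole /16
    print(scan("143.248.0.1", "143.248.0.5", [21, 23, 25], fake_resolve, fake_connect))
    print(scan("143.248.0.1", "143.248.0.5", [21, 23, 25], fake_resolve, fake_connect, no_quick=True))
```

Swap in dns_resolve and tcp_connect to run it for real, and only against ranges you own: as the text above says, the same output is an intruder's floor plan, and the unnamed host that quick scan hides is exactly the one a careful attacker asks for with -q.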
Example of a check using ISS
2. Using nfsbug
This tool discovers world-exportable file systems: using the portmapper it determines whether the file systems currently being exported can be mounted from the attacker's host, and reports the result. It also does file handle guessing, so with small changes to the source it can be turned into an attack tool: as soon as a file handle is guessed, a file with any desired permissions can be created on the target host. This is practical in reality; if a shell with permission 7777 is created that way, an intruder can get onto the host, run it and obtain root privileges. The tool checks only NFS-related bugs.
The nfsbug options are as follows.
- -m : skip the mount check.
- -p : skip the check that uses the portmapper.
- -h : skip file handle guessing.
- -v : send the results straight to stdout instead of saving them to a file.
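The check behind `iss -e` and nfsbug's mount test, as an added example written for this page (not code from the page, iss.c or nfsbug.c): given the export list a server publishes (the same data showmount -e prints), list the file systems any host may mount, and cross-check them against the "Failed : path : Permission denied" lines nfsbug prints. The export list and the nfsbug output below are constructed for the example, and the server name is an assumption.

```python
from typing import Dict, List, Set

# showmount -e spellings that mean the export has no client restriction
WORLD_CLIENTS = {"(everyone)", "*", "everyone"}


def parse_export_list(text: str) -> Dict[str, List[str]]:
    """Parse `showmount -e` style output into {path: [allowed clients]}."""
    exports: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("export list"):
            continue
        path, _, clients = line.partition(" ")
        exports[path] = clients.replace(",", " ").split()
    return exports


def world_mountable(exports: Dict[str, List[str]]) -> List[str]:
    """Exports any host can mount: an empty client list or a wildcard entry."""
    return sorted(path for path, clients in exports.items()
                  if not clients or any(c in WORLD_CLIENTS for c in clients))


def denied_paths(nfsbug_output: str) -> Set[str]:
    """Paths for which nfsbug printed 'Failed : <path> : Permission denied'."""
    denied: Set[str] = set()
    for raw in nfsbug_output.splitlines():
        parts = [p.strip() for p in raw.split(":")]
        if len(parts) == 3 and parts[0] == "Failed" and parts[2] == "Permission denied":
            denied.add(parts[1])
    return denied


def still_exposed(exports: Dict[str, List[str]], nfsbug_output: str) -> List[str]:
    """Published exports nfsbug was NOT refused on; these deserve a manual look."""
    return sorted(set(exports) - denied_paths(nfsbug_output))


# Constructed sample data (server name and paths are assumptions).
SAMPLE_EXPORTS = """\
Export list for nfs.example.test:
/export/home  (everyone)
/export/ftp   *
/usr          client1.example.test,client2.example.test
/home1        @trusted
"""

SAMPLE_NFSBUG = """\
Connected to NFS mount daemon at nfs.example.test using TCP/IP
Connected to NFS server at nfs.example.test using UDP/IP
Failed : /usr : Permission denied
Failed : /home1 : Permission denied
fsirand pid = 0, gen = 1003963572
"""

if __name__ == "__main__":
    exports = parse_export_list(SAMPLE_EXPORTS)
    print(world_mountable(exports))                # ['/export/ftp', '/export/home']
    print(still_exposed(exports, SAMPLE_NFSBUG))   # the same two: no refusal was logged
```

An export restricted to named clients or a netgroup (@trusted) still shows up in the list, but only the unrestricted ones are what `iss -e` logs and what an outside host can actually mount; the point of the cross-check is that an export you thought was restricted but that nfsbug was not refused on is the one to fix first.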
Example nfsbug session
$ [kus-sakai] nfsbug
Usage : nfsbug [-mphv] host . . .
$ [kus-sakai] nfsbug -v baram.kaist.ac.kr
Connected to NFS mount daemon at baram.kaist.ac.kr using TCP/IP
Connected to NFS server at baram.kaist.ac.kr using UDP/IP
Failed : /home1 : Permission denied
Failed : /home2 : Permission denied
Failed : /home4 : Permission denied
Failed : /home6 : Permission denied
Failed : /var/spool/mail : Permission denied
Failed : /usr : Permission denied
Failed : /export/swap : Permission denied
Failed : /export/root/beta : Permission denied
fsirand pid = 0, gen = 1003963572
fsirand pid = 10, gen = 2023034216
fsirand pid = 20, gen = 1013326747
fsirand pid = 30, gen = 1951003303
fsirand pid = 40, gen = 50015918
fsirand pid = 50, gen = 818608633
fsirand pid = 60, gen = 23576966
...
Assessment of nfsbug
Because it is called from an ISS subroutine, running it on its own is somewhat awkward; it works better when invoked from ISS's main routine, so we recommend using it through iss. It produces no report of its own and simply performs the checks, so anyone without a certain level of background will not even know what the messages on the screen mean.
3. Using strobe
Strobe (Super optimised TCP port surveyor), unlike ypx and nfsbug, is an independent tool that is not part of iss, so it has none of the limitations that ypx and nfsbug show when used standalone. Its advantage is that it is far faster and more flexible than iss.
An updated strobe can be obtained from:
ftp://suburbia.apana.org.au:/pub/users/proff/original/strobe.tgz
The strobe options are as follows.
- -v : verbose output; every connection attempt is printed, as in the session below.
- -m : minimised output. It differs from -v only in how much is printed, not in what is scanned.
- -o : write the output to a file.
- -b, -e : set the beginning and end of the port range to scan.
- other options : much the same as in iss, so they are not described in detail here.
Example strobe session
$ [kus-sakai] strobe -n 120 -a 80 -i /etc/hosts -s -f -v -S services -o out
strobe 1.02 (c) 1995 Julian Assange -Proff- ([email protected]).
attempting port=1 host=127.0.0.1
127.0.0.1:1 Connection refused
attempting port=1 host=143.248.8.6
143.248.8.6:1 Connection refused
attempting port=1 host=143.248.8.5
143.248.8.5:1 Connection refused
attempting port=1 host=143.248.8.3
143.248.8.3:1 Connection refused
attempting port=1 host=143.248.8.4
...
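What the strobe invocation above combines, as an added example written for this page (not strobe's own code): a port range (-b/-e), a cap on simultaneous connection attempts (-n), and a services file (-S) used to label whatever answers. The connector is passed in so the logic runs offline against a constructed inventory; the services excerpt is constructed too, in /etc/services format, and the host names are assumptions.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Optional, Tuple

SAMPLE_SERVICES = """\
# constructed excerpt in /etc/services format: name  port/proto  aliases
ftp      21/tcp
ssh      22/tcp
telnet   23/tcp
smtp     25/tcp   mail
sunrpc  111/tcp   portmapper
"""


def parse_services(text: str) -> Dict[int, str]:
    """Map TCP port -> service name from /etc/services-style text (comments stripped)."""
    names: Dict[int, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if proto == "tcp" and port.isdigit():
            names[int(port)] = fields[0]
    return names


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real connector: one full TCP handshake per port, as strobe does."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def strobe(hosts: Iterable[str], begin: int, end: int,
           connect: Callable[[str, int], bool],
           max_sockets: int = 120,
           services: Optional[Dict[int, str]] = None) -> Dict[str, List[Tuple[int, str]]]:
    """Probe ports begin..end on each host with at most max_sockets attempts in flight.

    Returns {host: [(port, service name), ...]} for the ports that accepted a connection.
    """
    names = services or {}
    targets = [(h, p) for h in hosts for p in range(begin, end + 1)]
    with ThreadPoolExecutor(max_workers=max_sockets) as pool:
        outcomes = list(pool.map(lambda t: connect(*t), targets))
    results: Dict[str, List[Tuple[int, str]]] = {}
    for (host, port), is_open in zip(targets, outcomes):
        if is_open:
            results.setdefault(host, []).append((port, names.get(port, "unknown")))
    for host in results:
        results[host].sort()
    return results


# Constructed inventory (host names are assumptions) standing in for the network.
FAKE_OPEN = {("host-a.example.test", 22), ("host-a.example.test", 25),
             ("host-b.example.test", 111)}


def fake_connect(host: str, port: int) -> bool:
    return (host, port) in FAKE_OPEN


if __name__ == "__main__":
    names = parse_services(SAMPLE_SERVICES)
    print(strobe(["host-a.example.test", "host-b.example.test"], 1, 130,
                 fake_connect, max_sockets=8, services=names))
```

The worker cap is what keeps a scan like `-n 120` from exhausting descriptors on the scanning host; the services lookup is only a label for the port number, so an unexpected name on a well-known port (or "unknown" on a high port) is a prompt to connect by hand and read the banner, not a verdict.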
4. Using ypx
Ypx is a tool that retrieves NIS maps over the network. Its distinguishing feature is that, using the information it obtains, ypx can fetch important files such as the passwd file remotely. The author acknowledges the tool's double-edged nature and asks that it not be put to bad use.
The ypx options are as follows.
- -d : debug mode; output goes to stderr.
- -g : guess the domain name. The guess is very rudimentary, so it fails more often than not.
- -m : (ypx -m mapname hostname domainname) fetch an NIS map; passwd.byname, for example, can be retrieved this way.
- -o : (ypx ... -o outputfile) save the output to a file.
- -p : (ypx -p portnumber hostname) show which program is registered on the given port.
- -s : look up the hostname; the hostname found here is handed to the domain-name guessing code internally.
Example ypx session
$ [kus-sakai] ypx -m passwd.byname target.kaist.ac.kr Foo.Bar.AC.KR
audit:##audit:9:9::/etc/security/audit:/bin/csh
ftp:##ftp:400:400:Anonymous FTP:/home6/ftp:/bin/false
bin:##bin:3:3::/bin:
Assessment of ypx
From an exploitation standpoint, the domain-name guessing this tool does is kindergarten level. A host whose administrator has paid any attention to the NIS domain name will not be caught by it. Once the domain name is known, however, obtaining the important files becomes simple.
From the system administrator's standpoint, when ypx is called from iss its output is folded into the iss report, so some documentation of the result is obtained; but to an administrator not used to running it standalone, it can only look like a hacking tool.
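Two pieces around `ypx -m passwd.byname host domain`, as an added example written for this page (not ypx's code nor iss.c's domainguess( )): a hostname-derived NIS-domain guesser of the rudimentary kind the text describes, which is my own illustration of that approach rather than ypx's algorithm, and a reviewer for a dumped passwd.byname map that flags the entries an attacker tries first. The sample map is constructed; its password fields are masked with ## as in the session above, and the account names are assumptions.

```python
from typing import List, Tuple

DEFAULT_STYLE_IDS = ("guest", "bbs", "lp", "sync", "decode")
NOLOGIN_SHELLS = ("", "/bin/false", "/sbin/nologin", "/usr/bin/false")


def guess_nis_domains(fqdn: str) -> List[str]:
    """Candidate NIS domain names derived from a DNS name, most specific first.

    This is the whole idea behind a hostname-based guess: the DNS suffixes
    (kaist.ac.kr, ac.kr, ...), the bare labels, and case variants of each.
    """
    labels = [l for l in fqdn.strip(".").split(".") if l]
    seeds = [".".join(labels[i:]) for i in range(len(labels))] + labels
    out: List[str] = []
    for s in seeds:
        for variant in (s, s.lower(), s.upper(), s.capitalize()):
            if variant not in out:
                out.append(variant)
    return out


def domain_is_guessable(nis_domain: str, fqdn: str) -> bool:
    """True if the real NIS domain is among the guesses.

    The NIS domain is a case-sensitive string (it names a directory under
    /var/yp on the server), so only an exact match gets a map back.
    """
    return nis_domain in guess_nis_domains(fqdn)


def audit_passwd_map(lines: List[str]) -> List[Tuple[str, str]]:
    """Flag passwd.byname entries an attacker tries first.

    Each line is name:password:uid:gid:gecos:home:shell as ypcat prints it.
    """
    findings: List[Tuple[str, str]] = []
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 7:
            continue
        user, password, uid, _gid, _gecos, _home, shell = fields[:7]
        if password == "":
            findings.append((user, "empty password field"))
        if uid == "0" and user != "root":
            findings.append((user, "extra uid 0 account"))
        if user in DEFAULT_STYLE_IDS and shell not in NOLOGIN_SHELLS:
            findings.append((user, f"default-style account with login shell {shell}"))
    return findings


# Constructed map (hashes masked with ## as in the session above; names are assumptions).
SAMPLE_MAP = [
    "root:##root:0:0:Super-User:/:/sbin/sh",
    "toor:##toor:0:0:Alternate root:/:/bin/csh",
    "ftp:##ftp:400:400:Anonymous FTP:/home6/ftp:/bin/false",
    "guest::500:100:Guest account:/home/guest:/bin/csh",
    "bbs:##bbs:501:100:BBS:/home/bbs:/bin/csh",
    "bin:##bin:3:3::/bin:",
]

if __name__ == "__main__":
    print(guess_nis_domains("target.kaist.ac.kr")[:6])
    print(domain_is_guessable("Foo.Bar.AC.KR", "target.kaist.ac.kr"))   # False
    print(domain_is_guessable("kaist.ac.kr", "target.kaist.ac.kr"))     # True
    for finding in audit_passwd_map(SAMPLE_MAP):
        print(finding)
```

The session above already makes the defensive point: the map was fetched with the domain Foo.Bar.AC.KR, which no guess built from target.kaist.ac.kr produces, so a site whose NIS domain is not spelled like its DNS name is simply not hit by this kind of guessing (an NIS domain is not a secret, but it should at least not be the DNS domain). The map review is what to run on your own ypcat output: an empty password field or a second uid 0 entry is exploitable the moment the map leaks.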
Source analysis of iss
A brief description of what the internal functions do.
- ctos( ) : opens a socket and connects; the foundation of the socket code.
- usage( ) : prints the options and usage when not all arguments are supplied.
- clrlog( ) : initialises the buffer that holds the log file entries.
- do_log( ) : tracks down ids with null passwords via telnet and records them.
- domainguess( ) : guesses the NIS domain name, but its quality is poor; it is only a very rudimentary guess. Because this function is not powerful, it is also the reason ypx cannot show its full potential. It calls testdomain( ) as a sub-function.
- getsmtpname( ) : connects to the SMTP port found by checksmtp and obtains the sendmail version and related information.
- checksmtp( ) : finds the SMTP port.
- checkftp( ) : checks whether the host offers anonymous FTP service.
- checkrpc( ) : obtains the target host's RPC information using rpcinfo.
- checkall( ) : collects the results and prints them in the output format.
- Probe_TCP_Ports( ) : scans all TCP ports of the target host and returns the open ones.
- main( ) : calls the appropriate functions according to the options given.
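The SMTP conversation behind the -v option described earlier and behind checksmtp( )/getsmtpname( ), as an added example written for this page (not iss.c's code): read the banner for the sendmail version, test whether the old sendmail debug command is accepted, and VRFY the aliases decode, guest, bbs and lp. The peer is any object with read_banner()/send(); the scripted reply table below is constructed so the check runs offline, and a socket-backed peer with the same interface is included for your own mail host. The host names and version string in the replies are assumptions.

```python
import socket
from typing import Dict, List

PROBE_ALIASES = ("decode", "guest", "bbs", "lp")


class ScriptedSmtp:
    """Constructed stand-in for an old sendmail: replies keyed by full command, then by verb."""

    def __init__(self, banner: str, replies: Dict[str, str]):
        self.banner, self.replies = banner, replies
        self.sent: List[str] = []

    def read_banner(self) -> str:
        return self.banner

    def send(self, line: str) -> str:
        self.sent.append(line)
        verb = line.split(" ", 1)[0].upper()
        return self.replies.get(line.upper(), self.replies.get(verb, "500 Command unrecognized"))


class SocketSmtp:
    """Real peer: writes one command, reads one (possibly multi-line) reply."""

    def __init__(self, host: str, port: int = 25, timeout: float = 5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("r", encoding="latin-1", newline="\r\n")

    def _reply(self) -> str:
        lines: List[str] = []
        while True:
            line = self.rfile.readline().rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":     # "250-" continues, "250 " ends
                return "\n".join(lines)

    def read_banner(self) -> str:
        return self._reply()

    def send(self, line: str) -> str:
        self.sock.sendall((line + "\r\n").encode("latin-1"))
        return self._reply()


def check_smtp(peer, aliases=PROBE_ALIASES, helo: str = "scanner.example.test") -> Dict[str, object]:
    """Banner, debug-command test and alias verification, in the order the -v path implies."""
    report: Dict[str, object] = {"banner": peer.read_banner(), "debug": False, "aliases": {}}
    peer.send(f"HELO {helo}")
    # sendmail 5.x in debug mode let a client deliver mail to a command instead of a
    # mailbox; a fixed server answers 5xx, anything else means the old hole is open.
    report["debug"] = not peer.send("DEBUG").startswith("5")
    for alias in aliases:
        reply = peer.send(f"VRFY {alias}")
        if reply.startswith("250"):
            # a decode alias piped to uudecode lets a mail message write files on the
            # host, which is how the .rhosts trick mentioned in the text is pulled off
            report["aliases"][alias] = reply[4:].strip()
    peer.send("QUIT")
    return report


def sample_peer() -> ScriptedSmtp:
    """Constructed replies of a vulnerable 1990s host (names and version are assumptions)."""
    return ScriptedSmtp(
        "220 mail.example.test Sendmail 5.65/SMI-4.1 ready at Mon, 1 Jan 1996 10:00:00 KST",
        {
            "HELO": "250 mail.example.test Hello scanner.example.test, pleased to meet you",
            "DEBUG": "200 Debug set",
            "VRFY DECODE": "250 decode <|/usr/bin/uudecode>",
            "VRFY GUEST": "250 guest <guest@mail.example.test>",
            "VRFY": "550 User unknown",
            "QUIT": "221 mail.example.test closing connection",
        })


if __name__ == "__main__":
    print(check_smtp(sample_peer()))
```

`check_smtp(SocketSmtp("your.mail.host"))` runs the same exchange for real. A modern server that answers 252 to VRFY is deliberately refusing to confirm addresses; only a 250 counts as a confirmed alias here, and a 250 for decode showing a pipe to uudecode is the finding that matters.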