모의 해킹/Snort 2018.02.13 21:25

@ Snort

 

 

192.168.2.50    192.168.2.100  192.168.20.100       192.168.20.101
Kali[vm8]───────[vm8]Firewall[vm1]────┬───────[vm1]snort
                                      │
                                      └───────[vm1]Metasploitable2-linux
                                              192.168.20.204

 

 

 

@ Metasploitable2-Linux

 

sudo su -

 

 

vi /etc/network/interfaces

 

auto eth0
iface eth0 inet static
 address 192.168.20.204
 netmask 255.255.255.0
 gateway 192.168.20.100

 

:wq!

 

 

 

ifconfig eth0 inet 192.168.20.204 netmask 255.255.255.0 up
route add default gw 192.168.20.100

 

 

ping 192.168.2.50
ping 168.126.63.1

 

 

@ Kali

 

Kali#ping 192.168.20.101
Kali#ping 192.168.20.204

 

 

@ Kali

 

root@kali:~# apt-get install ftp

 

root@kali:~# route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.2.100

 

root@kali:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.20.0    192.168.2.100   255.255.255.0   UG    0      0        0 eth0

 

root@kali:~# ping 192.168.20.101 -c 1
PING 192.168.20.101 (192.168.20.101) 56(84) bytes of data.
64 bytes from 192.168.20.101: icmp_seq=1 ttl=63 time=1.03 ms

--- 192.168.20.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.031/1.031/1.031/0.000 ms

 

root@kali:~# ping 192.168.20.204 -c 1
PING 192.168.20.204 (192.168.20.204) 56(84) bytes of data.
64 bytes from 192.168.20.204: icmp_seq=1 ttl=63 time=0.866 ms

--- 192.168.20.204 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.866/0.866/0.866/0.000 ms

 

 

1. snort 설치 & 정보 확인 & snort 시작

 

 

1) snort 설치

 

root@Snort:~# apt-get -y install snort snort-common snort-common-libraries snort-doc snort-rules-default

 


2) snort 패키지 확인

 

root@Snort:~# dpkg -l | grep snort
ii  snort                                     2.9.7.0-5                            amd64        flexible Network Intrusion Detection System
ii  snort-common                          2.9.7.0-5                            all          flexible Network Intrusion Detection System - common files
ii  snort-common-libraries                2.9.7.0-5                            amd64        flexible Network Intrusion Detection System - libraries
ii  snort-doc                                 2.9.7.0-5                            all          flexible Network Intrusion Detection System - documentation
ii  snort-rules-default                      2.9.7.0-5                            all          flexible Network Intrusion Detection System - ruleset

 


3) 'snort.debian.conf' 파일 내용 확인

 

root@Snort:~# ls /etc/snort
classification.config  reference.config  snort.debian.conf
community-sid-msg.map  rules             threshold.conf
gen-msg.map            snort.conf        unicode.map

 

root@Snort:~# cat /etc/snort/snort.debian.conf
# snort.debian.config (Debian Snort configuration file)
#
# This file was generated by the post-installation script of the snort
# package using values from the debconf database.
#
# It is used for options that are changed by Debian to leave
# the original configuration files untouched.
#
# This file is automatically updated on upgrades of the snort package
# *only* if it has not been modified since the last upgrade of that package.
#
# If you have edited this file but would like it to be automatically updated
# again, run the following command as root:
#   dpkg-reconfigure snort

DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="192.168.20.0/24"
DEBIAN_SNORT_OPTIONS=""
DEBIAN_SNORT_INTERFACE="eth0"
DEBIAN_SNORT_SEND_STATS="true"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_THRESHOLD="1"

 


4) 'snort' 파일 내용 확인

 

root@Snort:~# ls -l /etc/default/snort
-rw-r--r-- 1 root root 1164  6월 30  2015 /etc/default/snort

 

root@Snort:~# cat /etc/default/snort
# Parameters for the daemon
# Add any additional parameteres here.
PARAMS="-m 027 -D -d "
#
# Snort user
# This user will be used to launch snort. Notice that the
# preinst script of the package might do changes to the user
# (home directory, User Name) when the package is upgraded or
# reinstalled.  So, do *not* change this to 'root' or to any other user
# unless you are sure there is no problem with those changes being introduced.
#
SNORTUSER="snort"
#
# Logging directory
# Snort logs will be dropped here and this will be the home
# directory for the SNORTUSER. If you change this value you should
# change the /etc/logrotate.d/snort definition too, otherwise logs
# will not be rotated properly.
#
LOGDIR="/var/log/snort"
#
# Snort group
# This is the group that the snort user will be added to.
#
SNORTGROUP="snort"
#
# Allow Snort's init.d script to work if the configured interfaces
# are not available. Set this to yes if you configure Snort with
# multiple interfaces but some might not be available on boot
# (e.g. wireless interfaces)
#
# Note: In order for this to work the 'iproute' package needs to
# be installed.
ALLOW_UNAVAILABLE="no"

 


5) 'snort.conf' 파일 내용 변경

 

root@Snort:~# vi /etc/snort/snort.conf

 

 

~ 중간 생략 ~

 

###################################################
# Step #1: Set the network variables.  For more information, see README.variables
###################################################

# Setup the network addresses you are protecting
#
# Note to Debian users: this value is overriden when starting
# up the Snort daemon through the init.d script by the
# value of DEBIAN_SNORT_HOME_NET s defined in the
# /etc/snort/snort.debian.conf configuration file
#
ipvar HOME_NET any  <- ipvar HOME_NET 192.168.20.0/24 로 변경 (위 주석처럼 init.d 스크립트로 시작할 때는 snort.debian.conf 의 DEBIAN_SNORT_HOME_NET 값이 덮어쓰지만, 아래처럼 snort -c /etc/snort/snort.conf 로 직접 실행할 때는 이 값이 그대로 사용됨)

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

 

~ 중간 생략 ~

 

:wq! 

 

 


6) snort 시작

 

root@Snort:~# service snort start


root@Snort:~# service snort status
● snort.service - LSB: Lightweight network intrusion detection system
   Loaded: loaded (/etc/init.d/snort; generated; vendor preset: disabled)
   Active: active (running) since Tue 2018-02-13 20:42:43 KST; 10s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1491 ExecStart=/etc/init.d/snort start (code=exited, status=0/SUCCESS
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/snort.service
           └─1536 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g sno

 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_SDF  Vers
 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_DNS  Vers
 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_SIP  Vers
 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_GTP  Vers
 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_SSLPP  Ve
 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_SSH  Vers
 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_DNP3  Ver
 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_MODBUS  V
 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_IMAP  Ver
 2월 13 20:42:43 Snort snort[1536]: Commencing packet processing (pid=1536)
lines 1-19/19 (END) q

 

 

 

7) ICMP 룰 설정 및 Snort 테스트

 

root@Snort:~# vi /etc/snort/rules/local.rules

# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures.  Put your local
# additions here.

alert icmp any any -> any any (msg:"ICMP ping test"; sid:1000001;)


 

:wq! 

 

 

root@Snort:~# snort -c /etc/snort/rules/local.rules
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/rules/local.rules"
Tagged Packet Limit: 256
Log directory = /var/log/snort

 

~ 중간 생략 ~

 

 

root@kali:~# ping 192.168.20.204 -c 3
PING 192.168.20.204 (192.168.20.204) 56(84) bytes of data.
64 bytes from 192.168.20.204: icmp_seq=1 ttl=63 time=0.330 ms
64 bytes from 192.168.20.204: icmp_seq=2 ttl=63 time=0.349 ms
64 bytes from 192.168.20.204: icmp_seq=3 ttl=63 time=0.374 ms

--- 192.168.20.204 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2041ms
rtt min/avg/max/mdev = 0.330/0.351/0.374/0.018 ms

 

 

root@Snort:~# snort -c /etc/snort/rules/local.rules
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/rules/local.rules"
Tagged Packet Limit: 256
Log directory = /var/log/snort

(Ctrl+C)

 

 

root@Snort:~# more /var/log/snort/alert
[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
03/06-18:54:37.918357 192.168.2.50 -> 192.168.20.204
ICMP TTL:63 TOS:0x0 ID:12571 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2733   Seq:1  ECHO

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
03/06-18:54:37.918379 192.168.20.204 -> 192.168.2.50
ICMP TTL:64 TOS:0x0 ID:22694 IpLen:20 DgmLen:84
Type:0  Code:0  ID:2733  Seq:1  ECHO REPLY

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
03/06-18:54:38.935661 192.168.2.50 -> 192.168.20.204
ICMP TTL:63 TOS:0x0 ID:12786 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2733   Seq:2  ECHO

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
03/06-18:54:38.935693 192.168.20.204 -> 192.168.2.50
ICMP TTL:64 TOS:0x0 ID:22695 IpLen:20 DgmLen:84
Type:0  Code:0  ID:2733  Seq:2  ECHO REPLY

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
03/06-18:54:39.959598 192.168.2.50 -> 192.168.20.204
ICMP TTL:63 TOS:0x0 ID:12831 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2733   Seq:3  ECHO

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
03/06-18:54:39.959600 192.168.20.204 -> 192.168.2.50
ICMP TTL:64 TOS:0x0 ID:22696 IpLen:20 DgmLen:84
Type:0  Code:0  ID:2733  Seq:3  ECHO REPLY

 

 

root@Snort:~# vi /etc/snort/rules/local.rules

 

# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures.  Put your local
# additions here.

alert icmp any any -> any any (msg:"ICMP ping test"; sid:1000001;) <- 삭제


 

:wq! 

 

 

root@Snort:~# rm /var/log/snort/*

 

 

 


2. snort 동작 테스트

 

 1) snort 콘솔 디버깅 실시

 

root@Snort:~# service snort stop
root@Snort:~# snort -q -A console -b -c /etc/snort/snort.conf

 

 

 2) Kali에서 타겟(192.168.20.204)로 Ping 실시

 

root@kali:~# ping 192.168.20.204 -c 5
PING 192.168.20.204 (192.168.20.204) 56(84) bytes of data.
64 bytes from 192.168.20.204: icmp_seq=1 ttl=63 time=5.73 ms
64 bytes from 192.168.20.204: icmp_seq=2 ttl=63 time=0.949 ms
64 bytes from 192.168.20.204: icmp_seq=3 ttl=63 time=0.957 ms
64 bytes from 192.168.20.204: icmp_seq=4 ttl=63 time=0.955 ms
64 bytes from 192.168.20.204: icmp_seq=5 ttl=63 time=0.725 ms

--- 192.168.20.204 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4008ms
rtt min/avg/max/mdev = 0.725/1.863/5.730/1.935 ms

 

 

 3) snort 디버깅 확인 

 

02/13-20:45:56.529758  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:56.529758  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:57.529409  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:57.529409  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:58.531467  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:58.531467  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:59.533406  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:59.533406  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:46:00.535311  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:46:00.535311  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204

 


 4) Kali에서 타겟(192.168.20.204)으로 Half-Open Scan 실시

 

root@kali:~# nmap -sS -p 80 192.168.20.204

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-13 20:47 KST
Nmap scan report for 192.168.20.204
Host is up (0.0012s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

 


 5) snort 디버깅 확인 

 

02/13-20:48:15.612324  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:48:15.612324  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:48:15.612330  [**] [1:453:5] ICMP Timestamp Request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204

 


 6) snort 디버깅 중지

 

Ctrl+C (잘 안되면 Ctrl+Z 로 일시 중지 — 이 경우 프로세스는 종료되지 않고 남아 있으므로, 터미널을 하나 더 열어서 kill 프로세스ID 로 종료하고, 그래도 안되면 kill -9 프로세스ID)

 


 7) snort rules 내용 확인

 

root@Snort:~# fgrep 'ICMP PING *NIX' /etc/snort/rules/icmp-info.rules
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:366; rev:7;)

 

root@Snort:~# fgrep 'ICMP PING NMAP' /etc/snort/rules/icmp.rules
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:3;)

 

root@Snort:~# cat /etc/snort/snort.conf

 

root@Snort:~# ls /etc/snort/rules/

 


 8) snort 'local.rules' 설정 및 snort 디버깅 실시

 

root@Snort:~# vi /etc/snort/rules/local.rules

# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures.  Put your local
# additions here.

alert tcp any any -> $HOME_NET 80 (msg: "Web Message Port 80"; sid:1000001; rev:1;)

 

:wq! 

 

 

root@Snort:~# snort -q -A console -b -c /etc/snort/snort.conf

 

 


 9) Kali에서 타겟(192.168.20.204)으로 웹 접속 실시

 

root@kali:~# firefox http://192.168.20.204 &

 


 10) snort 디버깅 확인

 

02/13-21:09:47.342068  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.345173  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.345337  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.357971  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.511764  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.512653  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.534465  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.576112  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80

(Ctrl+C)

 


  11) snort 'local.rules' 설정 삭제

 

root@Snort:~# vi /etc/snort/rules/local.rules 
 

# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures.  Put your local
# additions here.

alert tcp any any -> $HOME_NET 80 (msg: "Web Message Port 80"; sid:1000001; rev:1;) <- 삭제

 

:wq! 

 

 

 

 

3. snort 예제 I

 

root@Snort:~# vi /etc/snort/rules/local.rules

 

# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures.  Put your local
# additions here.

 

# ICMP
alert icmp any any -> $HOME_NET any (msg:"## ICMP Echo ##"; itype:8; sid:1000001; rev:1;)
alert icmp $HOME_NET any -> any any (msg:"## ICMP Echo-Reply ##"; itype:0; sid:1000002; rev:1;)

 

# FTP
alert tcp any any -> $HOME_NET 21 (msg:"## FTP Request ##"; content:"USER"; sid:1000003; rev:1;)
alert tcp $HOME_NET 21 -> any any (msg:"## FTP Response ##"; content:"vsFTPd"; sid:1000004; rev:1;)

 

# TELNET
alert tcp any any -> $HOME_NET 23 (msg:"## Telnet Request ##"; sid:1000005; rev:1;)
alert tcp $HOME_NET 23 -> any any (msg:"## Telnet Response ##"; content:"login"; sid:1000006; rev:1;)

 

# Web
alert tcp any any -> $HOME_NET 80 (msg:"## HTTP Request ##"; sid:1000007; rev:1;)
alert tcp $HOME_NET 80 -> any any (msg:"## HTTP Response ##"; sid:1000008; rev:1;)

 

:wq!

 

 

root@Snort:~# snort -q -A console -b -c /etc/snort/snort.conf

 

 

 

root@kali:~# ping 192.168.20.204 -c 1
PING 192.168.20.204 (192.168.20.204) 56(84) bytes of data.
64 bytes from 192.168.20.204: icmp_seq=1 ttl=63 time=10.8 ms

--- 192.168.20.204 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 10.808/10.808/10.808/0.000 ms


root@kali:~# ftp 192.168.20.204
Connected to 192.168.20.204.
220 (vsFTPd 2.3.4)
Name (192.168.20.204:root): msfadmin
331 Please specify the password.
Password: msfadmin
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.


root@kali:~# telnet 192.168.20.204
Trying 192.168.20.204...
Connected to 192.168.20.204.
Escape character is '^]'.
                _                  _       _ _        _     _      ____ 
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|                                         


Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started


metasploitable login: msfadmin
Password: msfadmin
Last login: Tue Mar  6 03:44:32 EST 2018 on pts/1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
msfadmin@metasploitable:~$ exit
logout
Connection closed by foreign host.

 


root@kali:~# firefox http://192.168.20.204 &
[1] 2515

 

 

root@Snort:~# snort -q -A console -b -c /etc/snort/snort.conf
03/06-20:04:37.577534  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
03/06-20:04:37.577534  [**] [1:1000001:1] ## ICMP Echo ## [**] [Priority: 0] {ICMP} 192.168.2.50 -> 192.168.20.204
03/06-20:04:37.577534  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
03/06-20:04:37.577784  [**] [1:1000002:1] ## ICMP Echo-Reply ## [**] [Priority: 0] {ICMP} 192.168.20.204 -> 192.168.2.50
03/06-20:04:45.174836  [**] [1:1000004:1] ## FTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:21 -> 192.168.2.50:44844
03/06-20:04:57.823860  [**] [1:1000003:1] ## FTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:44844 -> 192.168.20.204:21
03/06-20:05:10.412114  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:10.413062  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:10.413267  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.530200  [**] [1:716:13] INFO TELNET access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.20.204:23 -> 192.168.2.50:32824
03/06-20:05:20.530715  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.531333  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.531628  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.537670  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.539350  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.539357  [**] [1:1000006:1] ## Telnet Response ## [**] [Priority: 0] {TCP} 192.168.20.204:23 -> 192.168.2.50:32824
03/06-20:05:20.581361  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:22.564314  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:22.565184  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:22.701055  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:22.701750  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.468507  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.469413  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.628569  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.629478  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.724411  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.725173  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.852398  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.853240  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.044943  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.045887  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.236851  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.237819  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.516994  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.518961  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.519740  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:25.284421  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:25.437103  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:25.684350  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:25.980031  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.084062  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.204037  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.396452  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.580029  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.851982  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.867132  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.867299  [**] [1:1000006:1] ## Telnet Response ## [**] [Priority: 0] {TCP} 192.168.20.204:23 -> 192.168.2.50:32824
03/06-20:05:26.867904  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.379824  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.380742  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.612310  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.613341  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.724034  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.724889  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.899960  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.900877  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:28.148636  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:28.149574  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:28.150450  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:28.152893  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:06:43.885601  [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:43.885625  [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:06:43.885826  [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:43.885932  [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:43.885999  [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:06:43.895924  [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:06:43.896184  [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:45.233927  [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:45.234257  [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:06:45.234477  [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:55.249435  [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:55.249447  [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:07:00.596894  [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:07:00.597803  [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:07:00.597805  [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238

(Ctrl+C)

 

 

root@Snort:~# vi /etc/snort/rules/local.rules

 

 ~ 주석 처리 실시 ~

 

# ICMP
#alert icmp any any -> $HOME_NET any (msg:"## ICMP Echo ##"; itype:8; sid:1000001; rev:1;)
#alert icmp $HOME_NET any -> any any (msg:"## ICMP Echo-Reply ##"; itype:0; sid:1000002; rev:1;)

 

# FTP
#alert tcp any any -> $HOME_NET 21 (msg:"## FTP Request ##"; content:"USER"; sid:1000003; rev:1;)
#alert tcp $HOME_NET 21 -> any any (msg:"## FTP Response ##"; content:"vsFTPd"; sid:1000004; rev:1;)

 

# TELNET
#alert tcp any any -> $HOME_NET 23 (msg:"## Telnet Request ##"; sid:1000005; rev:1;)
#alert tcp $HOME_NET 23 -> any any (msg:"## Telnet Response ##"; content:"login"; sid:1000006; rev:1;)

 

# Web
#alert tcp any any -> $HOME_NET 80 (msg:"## HTTP Request ##"; sid:1000007; rev:1;)
#alert tcp $HOME_NET 80 -> any any (msg:"## HTTP Response ##"; sid:1000008; rev:1;) 

 

:wq!


                                                                                                    

 

[참고] Action 명령어

 

alert - alert 발생 및 패킷 내용 기록
log - 패킷 내용 기록
pass - 패킷 무시
drop - 패킷 차단 및 로그 기록
reject - 패킷 차단 및 로그 기록 (TCP - TCP RST 응답, UDP - ICMP Unreachable 응답)
sdrop - 패킷 차단, 로그 기록 없음
※ drop / reject / sdrop 은 Snort 가 inline 모드(-Q 옵션)로 동작할 때만 실제로 패킷을 차단하며, 위 예제처럼 IDS 모드("Running in IDS mode")로 실행한 경우에는 alert 만 가능하고 차단되지 않는다.
 

[참고] 옵션 명령어

 

msg - msg:"메시지";
content - content:"문자열";
dsize - dsize:1000<>1500;  또는 dsize:0;
flags - flags:SA; 또는 flags:FPU;

 

 

 

4. Snort 예제 II

 

root@Snort:~# vi /etc/snort/rules/local.rules

 

~ 중간 생략 ~

 

# NMAP XMAS Scan
alert tcp any any -> $HOME_NET any (msg:"## NMAP XMAS ##"; flags:FPU; sid:1000009; rev:1;)

 

# ICMP Flooding
alert icmp any any -> $HOME_NET any (msg:"## ICMP Flooding ##"; threshold:type both, track by_src, count 20, seconds 5; sid:1000010; rev:1;)

 

# Ping of Death
alert icmp any any -> $HOME_NET any (msg:"## Ping of Death ##"; content:"|5858585858|"; sid:1000011; rev:1;)

 

# Web Attack
alert tcp any any -> $HOME_NET 80 (msg:"## Web Attack ##"; content:"GET /cmd.exe"; nocase; sid:1000012; rev:1;) 

 

:wq!

 


 

root@Snort:~# snort -q -A console -b -c /etc/snort/snort.conf

 

 

root@kali:~# nmap -sX -p 21 192.168.20.204

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-06 20:58 KST
Nmap scan report for 192.168.20.204
Host is up (0.0023s latency).

PORT   STATE         SERVICE
21/tcp open|filtered ftp

Nmap done: 1 IP address (1 host up) scanned in 0.72 seconds

 

 

root@kali:~# hping3 -1 192.168.20.204 --flood
HPING 192.168.20.204 (eth0 192.168.20.204): icmp mode set, 28 headers + 0 data bytes
hping in flood mode, no replies will be shown
(Ctrl+C)
--- 192.168.20.204 hping statistic ---
53310 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

 


root@kali:~# hping3 -1 --rand-source 192.168.20.204 -d 50 --flood
HPING 192.168.20.204 (eth0 192.168.20.204): icmp mode set, 28 headers + 50 data bytes
hping in flood mode, no replies will be shown
(Ctrl+C)
--- 192.168.20.204 hping statistic ---
32036 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

 

root@kali:~# wafw00f http://192.168.20.204

 

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
                                <
                                 ...'

    WAFW00F - Web Application Firewall Detection Tool

    By Sandro Gauci && Wendel G. Henrique

Checking http://192.168.20.204
Generic Detection results:
No WAF detected by the generic detection
Number of requests: 13
root@kali:~#

 

 

root@Snort:~# snort -q -A console -b -c /etc/snort/snort.conf

 

콘솔에 출력되는 alert 내용 확인 (XMAS 스캔, ICMP Flooding, Ping of Death, Web Attack 룰별로 alert 가 발생하는지 확인). 단, ICMP Flooding 룰은 track by_src 로 출발지 주소별로 카운트하므로, --rand-source 로 보낸 두 번째 flood 는 출발지마다 count 20 에 도달하지 못해 alert 가 나오지 않을 수 있다.

 

(Ctrl+C)

 

 
