Network Sniffing Techniques and Countermeasures
 1day  | 2004·02·01 20:03 | HIT : 44,778 | VOTE : 12,590 |

CERTCC-KR

cert@certcc.or.kr, http://www.certcc.or.kr
Park Hyun-mi (박현미), researcher, hmpark@certcc.or.kr
Shin Eun-kyung (신은경), researcher, sek@certcc.or.kr
Lee Hyun-woo (이현우), researcher, lotus@certcc.or.kr



[Table of Contents]

I. What is sniffing?

II. Principles of sniffing

III. Sniffing techniques in a switched environment

1. Switch Jamming
2. ARP Redirect
3. ARP spoofing
4. ICMP Redirect
5. Sniffing through the switch's span/monitor port

IV. Countermeasures against sniffing

1. Encryption
2. Building a switched network
3. Sniffer detection
4. Network management



I. What is sniffing?

"Sniffer" was originally a registered trademark of Network Associates, but it is now used as a generic term, like "PC" or "kleenex". As the meaning of the word "sniff" (to smell, to sniffle) suggests, a sniffer can be described as "an eavesdropping device that listens in on the traffic flowing across a computer network." "Sniffing" is the act of using such a sniffer to eavesdrop on data on the network.

Sniffing attacks can be a very serious threat in environments where several organizations share the same network, such as web hosting and Internet data centers (IDC). Once one system is compromised, that system is used to eavesdrop on the network and to learn the user IDs and passwords of other systems. Building a switched network makes sniffing harder, but many attack methods exist that get around it.

This document describes sniffing attack techniques in switched environments and the countermeasures against them.

II. Principles of sniffing

To distinguish individual hosts on a LAN, every Ethernet interface has a MAC (Media Access Control) address, and the MAC addresses of all Ethernet interfaces differ from one another. Each host on the local network can therefore be identified uniquely.

The format of an Ethernet frame is shown below.

Field | destination MAC addr | source MAC addr | type | data | CRC
Size | 6 bytes | 6 bytes | 2 bytes | 46-1500 bytes | 4 bytes

<Table 1> Ethernet frame format (RFC 894)

Depending on the type field, the Ethernet frame above takes one of the following three formats.

type 0800 | IP datagram (46-1500 bytes)
type 0806 | ARP request/reply (28 bytes) | PAD (18 bytes)
type 8035 | RARP request/reply (28 bytes) | PAD (18 bytes)

On Ethernet, all hosts in the local network share the same wire, so a computer on the network can see all the traffic that the other computers exchange. Accepting every frame that crosses the Ethernet would, however, mean processing unrelated traffic as well, which is inefficient and can degrade network performance. For this reason an Ethernet interface (LAN card) has a filtering function that ignores traffic not carrying its own MAC address, so that it sees only the traffic addressed to its own MAC address.

An Ethernet interface can also be set to see all traffic; this is called "promiscuous mode". A sniffer puts the Ethernet interface into "promiscuous mode" and can then eavesdrop on all traffic crossing the local network.
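Added example (not part of the CERTCC-KR document): a Python sketch that decodes the Ethernet header and ARP body laid out in the tables above and models the interface filter just described. The frame bytes are constructed from the addresses in the ARP reply traced later in this document; `parse_frame`, `nic_accepts` and the other names are hypothetical.

```python
import struct

# EtherType values from the frame-format table.
ETHERTYPES = {0x0800: "IP datagram", 0x0806: "ARP request/reply",
              0x8035: "RARP request/reply"}
BROADCAST = b"\xff" * 6
ARP_OPS = {1: "request", 2: "reply"}


def mac_bytes(text):
    """'0:c0:26:27:b:1c' (tcpdump style) -> 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(body):
    """Decode the 28-byte ARP body (Ethernet + IPv4); trailing PAD is ignored."""
    if len(body) < 28:
        raise ValueError("ARP body must be at least 28 bytes")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    dotted = lambda raw: ".".join(str(b) for b in raw)
    return {"op": ARP_OPS.get(op, str(op)),
            "sender_mac": mac_str(sha), "sender_ip": dotted(spa),
            "target_mac": mac_str(tha), "target_ip": dotted(tpa)}


def parse_frame(frame):
    """Split a frame (CRC already removed by the NIC) into header fields."""
    if len(frame) < 14:
        raise ValueError("shorter than the 14-byte Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst": mac_str(dst), "src": mac_str(src),
           "kind": ETHERTYPES.get(etype, hex(etype))}
    if etype == 0x0806:
        out["arp"] = parse_arp(frame[14:])
    return out


def nic_accepts(frame, own_mac, promiscuous=False):
    """Model of the interface filter: own address or broadcast only,
    unless promiscuous mode is on (multicast groups are left out)."""
    dst = frame[:6]
    return promiscuous or dst == own_mac or dst == BROADCAST


# Constructed sample: ARP reply "172.16.2.26 is-at 0:c0:26:27:b:1c" sent to
# host 172.16.2.15, using the addresses that appear in this document's trace.
HOST15 = mac_bytes("0:0:e8:76:e8:bb")
HOST26 = mac_bytes("0:c0:26:27:b:1c")
OTHER = mac_bytes("0:50:da:d3:1f:d3")    # a third host on the same LAN
ARP_REPLY = (HOST15 + HOST26 + struct.pack("!H", 0x0806)
             + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
             + HOST26 + bytes([172, 16, 2, 26])
             + HOST15 + bytes([172, 16, 2, 15])
             + bytes(18))                 # PAD up to the 46-byte minimum

if __name__ == "__main__":
    print(parse_frame(ARP_REPLY))
    print("addressed host accepts:", nic_accepts(ARP_REPLY, HOST15))
    print("third host accepts:", nic_accepts(ARP_REPLY, OTHER))
    print("third host, promiscuous:", nic_accepts(ARP_REPLY, OTHER, True))
```

The 60-byte length of the constructed frame matches the "arp 60" length tcpdump reports for ARP frames in the traces below.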



III. Sniffing techniques in a switched environment

A switching hub is commonly used to prevent the sniffing described above. A switching hub divides the local network into several segments, and traffic inside one segment is not forwarded to the other segments. If the network is divided with a switching hub by business function or by independent site, traffic in another network segment can no longer be eavesdropped. Techniques such as Switch Jamming, ARP Redirect and ICMP Redirect nevertheless make it possible to sniff data on another network segment.

1. Switch Jamming

Many kinds of switches broadcast traffic to every network segment once their address table becomes full. An attacker can therefore keep feeding forged MAC addresses into the network to overflow the switching hub's address table, and can then sniff the data of other network segments. This happens because the switch does not follow "fail close", one of the principles of security (the principle of preventing security functions from being disabled when the system malfunctions). Switches are in practice designed around features and performance rather than security.

The following is a tcpdump capture of the random arp packets generated during an arp flooding attack. The MAC addresses in these random arp packets created by the attacker overflow the switch's address table.

[root@consult /root]# tcpdump -e arp

tcpdump: listening on eth0

07:44:23.898915 79:94:74:11:d7:dc bc:47:d8:7b:31:51 arp 42: arp reply 82.195.6.82 is-at 79:94:74:11:d7:dc
07:44:23.898954 b8:29:3:9c:9e:5c 3f:cf:9b:70:fa:14 arp 42: arp reply 204.227.135.56 is-at b8:29:3:9c:9e:5c
07:44:23.898991 5:6f:25:db:4b:76 97:a0:d6:c7:f1:8f arp 42: arp reply 158.81.199.91 is-at 5:6f:25:db:4b:76
07:44:23.899027 f0:f4:2c:8f:50:f7 a6:ca:21:a1:dd:26 arp 42: arp reply 114.215.48.176 is-at f0:f4:2c:8f:50:f7
07:44:23.899063 10:3:1:5b:78:9f de:d0:b:d0:60:fa arp 42: arp reply 171.63.250.67 is-at 10:3:1:5b:78:9f
07:44:23.899099 c4:8c:89:15:83:fb 7d:cc:32:5b:f2:42 arp 42: arp reply 235.178.172.145 is-at c4:8c:89:15:83:fb
07:44:23.899136 5d:f2:9d:d4:92:49 5d:95:c2:bd:8f:86 arp 42: arp reply 19.140.139.241 is-at 5d:f2:9d:d4:92:49
07:44:23.899172 49:19:9a:cc:14:85 8c:49:56:7e:8b:b2 arp 42: arp reply 127.191.23.251 is-at 49:19:9a:cc:14:85
07:44:23.899209 71:28:86:3:70:99 90:4e:aa:20:d3:f2 arp 42: arp reply 143.251.139.236 is-at 71:28:86:3:70:99
...


2. ARP Redirect attack

The normal ARP protocol is described first. In an IP datagram the IP address is 32 bits long, while an Ethernet address (MAC address) is 48 bits long. To open a network connection such as ftp or telnet to another host, the Ethernet address of that host must be known. In other words, the user connects by IP address, but on the Ethernet the Ethernet address is used. The IP address therefore has to be translated into an Ethernet address, and this is done by ARP (Address Resolution Protocol). The reverse process is RARP (Reverse Address Resolution Protocol). The process of finding the other host's Ethernet address with ARP is as follows.

① An Ethernet frame called an "ARP Request" is first sent to every host on the network. The ARP Request, which contains the IP address of the host to connect to, tells all other hosts on the Ethernet: "the host using this IP address should tell me its hardware address (Ethernet address)."

② Among the hosts that receive the ARP Request, the host using that IP sends its hardware address (Ethernet address) only to the host that sent the ARP Request. This is called an ARP Reply.

③ From then on the two hosts use each other's Ethernet address for their communication (ftp, telnet, etc.) and can send and receive IP datagrams.

The following figure shows the ARP Request and ARP Reply process.


The following is the arp traffic that actually appears when host 172.16.2.15 pings 172.16.2.26. The two hosts that exchanged the arp request/reply each store the other's MAC address in their arp cache. In the last line, therefore, host 172.16.2.26 does not need to go through the arp request/reply process when it sends the echo reply to host 15.

[root@consult /root]# tcpdump -e host 172.16.2.26

tcpdump: listening on eth0

18:16:25.880837 0:0:e8:76:e8:bb Broadcast arp 60: arp who-has 172.16.2.26 tell 172.16.2.15
18:16:25.881021 0:c0:26:27:b:1c 0:0:e8:76:e8:bb arp 60: arp reply 172.16.2.26 is-at 0:c0:26:27:b:1c
18:16:25.881243 0:0:e8:76:e8:bb 0:c0:26:27:b:1c ip 74: 172.16.2.15 > 172.16.2.26: icmp: echo request
18:16:25.881407 0:c0:26:27:b:1c 0:0:e8:76:e8:bb ip 74: 172.16.2.26 > 172.16.2.15: icmp: echo reply

The "ARP Redirect" attack works by sending forged arp replies. The attacker host periodically broadcasts to the network a forged arp reply saying "my MAC address is the router's MAC address", so that all other hosts on the switched network believe the attacker host is the router. As a result all traffic to and from external networks passes through the attacker host, and the attacker can eavesdrop on the information it wants with a sniffer.

※ According to the ARP protocol specification, when a host receives an ARP request concerning an IP that it already holds in its cache, it updates the cache with the MAC address of the host that sent the ARP request. This cache update also appears to apply to arp replies, and it is what allows the attack above to succeed. It may, however, differ from system to system.

The attacking host has to enable IP forwarding so that it can forward all traffic arriving at it to the original gateway. Otherwise every outbound network connection is cut.

The following is a tcpdump capture of the arp packets that appear on the network during an attack with the attack program "arpredirect". When the attack ends, the program restores the original arp mapping so that network connections are not cut.

[root@consult dsniff-1.8]# arpredirect 172.16.2.1

intercepting traffic from LAN to 172.16.2.1 (^C to exit)...

restoring original ARP mapping for 172.16.2.1

[root@consult dsniff-1.8]#

[root@consult /root]# tcpdump -e arp

(Attack in which the attacker host masquerades as the router)
15:29:36.887943 0:50:da:d3:1f:d3 Broadcast arp 60: arp reply 172.16.2.1 is-at 0:50:da:d3:1f:d3
15:29:38.895089 0:50:da:d3:1f:d3 Broadcast arp 60: arp reply 172.16.2.1 is-at 0:50:da:d3:1f:d3
15:30:01.005097 0:50:da:d3:1f:d3 Broadcast arp 60: arp reply 172.16.2.1 is-at 0:50:da:d3:1f:d3
15:30:05.025086 0:50:da:d3:1f:d3 Broadcast arp 60: arp reply 172.16.2.1 is-at 0:50:da:d3:1f:d3
                (attacker MAC)                               (router IP)      (attacker's MAC)

...

(Restoring the network when the attack ends)
15:52:55.025088 0:60:2f:a3:9a:1c Broadcast arp 60: arp reply 172.16.2.1 is-at 0:60:2f:a3:9a:1c
15:52:57.035050 0:60:2f:a3:9a:1c Broadcast arp 60: arp reply 172.16.2.1 is-at 0:60:2f:a3:9a:1c
15:52:59.045050 0:60:2f:a3:9a:1c Broadcast arp 60: arp reply 172.16.2.1 is-at 0:60:2f:a3:9a:1c
                (router MAC)                                 (router IP)      (router MAC)

※ The forged packets are sent periodically in order to keep the arp caches of the other hosts forged.

After such an attack all other hosts regard the attacker host as the router and send all outbound traffic to it. The attacker must then forward the packets to their original destination with IP forwarding, as shown below, so that the network is not cut and the attacker can sniff the packets passing through.

[root@consult fragrouter-1.6]# ./fragrouter -B1

fragrouter: base-1: normal IP forwarding

172.16.2.15.1297 > 203.233.150.11.23: . ack 390289256 win 7636 (DF)
172.16.2.142.1287 > 203.233.150.11.53: udp 36
172.16.2.142.1288 > 210.116.114.147.80: S 13774318:13774318(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
172.16.2.15.1297 > 203.233.150.11.23: . ack 390289317 win 7575 (DF)
172.16.2.15.1300 > 203.233.150.39.23: . ack 1685228460 win 7865 (DF)
172.16.2.142.1288 > 210.116.114.147.80: . ack 97085742 win 8760 (DF)
172.16.2.142.1288 > 210.116.114.147.80: P 13774319:13774505(186) ack 97085742 win 8760 (DF)
...

3. ARP spoofing attack

This attack is similar to ARP redirect and is used to sniff the traffic between hosts located on another segment. The attacker sprays the network with arp reply (or request) packets that pass off its own MAC address as the MAC address of the two hosts it wants to sniff. That is, it sends each of the hosts an arp reply saying "my (the attacker's) MAC address is the MAC address of the host to be sniffed."

The two hosts that receive these arp replies update their arp caches and use the attacker host's MAC address when a connection is made between them. As a result all traffic between the two hosts enters the segment where the attacker is located.

As with the arp redirect attack, the traffic arriving at the attacker host must be relayed to the original host; only then can the two hosts connect normally and the traffic be sniffed. Otherwise no connection between the two hosts can be established, and nothing can be sniffed either.

The following is a tcpdump capture of the arp packets that appear on the network when the attack program "arpmitm" is used to sniff the traffic between hosts 172.16.2.15 and 172.16.2.18.


Usage: ./arpmitm <ip1> <mac1> <ip2> <mac2> <attacker's mac>

[root@consult]# ./arpmitm 172.16.2.15 00:00:E8:76:E8:BB 172.16.2.18 00:C0:26:28:F9:C7 00:50:DA:D3:1F:D3
(00:00:E8:76:E8:BB: host 15's MAC) (00:C0:26:28:F9:C7: host 18's MAC) (00:50:DA:D3:1F:D3: attacker's MAC)

/*
* ARP MITM attack tool. (c) xdr 2000
* $Id: arpmitm.c,v 1.2 2000/03/28 21:26:48 xdr Exp $
*/

--- Starting ARP MITM ---

endpoint-1 (172.16.2.15) at 00:00:E8:76:E8:BB [ether] on eth0
endpoint-2 (172.16.2.18) at 00:C0:26:28:F9:C7 [ether] on eth0

-------------------------

[0x0]: Sending mitm to: endpoint-1 endpoint-2
[0x1]: Sending mitm to: endpoint-1 endpoint-2
...


[root@consult tools]# tcpdump -e arp

tcpdump: listening on eth0

(Attack in which the attacker host masquerades as the target hosts)

(Packets corresponding to "[0x0]: Sending mitm to: endpoint-1 endpoint-2")
16:38:30.915146 0:50:da:d3:1f:d3 0:c0:26:28:f9:c7 arp 42: arp reply 172.16.2.15 is-at 0:50:da:d3:1f:d3
16:38:31.225158 0:50:da:d3:1f:d3 0:0:e8:76:e8:bb arp 42: arp reply 172.16.2.18 is-at 0:50:da:d3:1f:d3

(Packets corresponding to "[0x1]: Sending mitm to: endpoint-1 endpoint-2")
16:38:41.545139 0:50:da:d3:1f:d3 0:c0:26:28:f9:c7 arp 42: arp reply 172.16.2.15 is-at 0:50:da:d3:1f:d3
                (attacker MAC)   (host 18 MAC)                                        (attacker MAC)
16:38:41.855131 0:50:da:d3:1f:d3 0:0:e8:76:e8:bb arp 42: arp reply 172.16.2.18 is-at 0:50:da:d3:1f:d3
                (attacker MAC)   (host 15 MAC)                                       (attacker MAC)

...

※ The forged packets are sent periodically in order to keep the arp caches of the target hosts forged.

4. ICMP Redirect attack

ICMP (Internet Control Message Protocol) is a protocol for transmitting network error messages and for controlling network flow, and ICMP Redirect can be used as a way to sniff.

When a network has several routers, the ICMP Redirect message tells a host to send its packets to the correct router. An attacker abuses this by sending a forged ICMP Redirect message to a host on another segment so that the host sends its packets to the attacker's host, where they are sniffed.

5. Sniffing through the switch's span/monitor port

This method sniffs through the monitor port of a switch. The monitor port is a port on which all traffic passing through the switch can be seen. It exists for network management, but it also gives an attacker a good place to sniff traffic.

 



IV. Countermeasures against sniffing

There are many ways to make sniffing harder through network configuration, but the best method is to encrypt the data. When data is encrypted, its content cannot be read even if it is sniffed. Many encryption protocols for Internet security exist, such as SSL and PGP.

In many cases, however, encryption cannot be used because there is no consistent cryptographic protocol, because it is difficult to use, or because no cryptographic application is available. In such cases the network must be configured and managed so that sniffing attacks are as difficult as possible. In particular, environments where several organizations share the same network, such as web hosting and Internet data centers (IDC), must have security measures against sniffing in place.

One countermeasure is to check periodically for hosts that are sniffing the network. Such checks must be used to detect who is eavesdropping on the network and to take action. Some intrusion detection systems (IDS) can detect these sniffing attacks. The network should also be built as a switched network so that sniffing is as difficult as possible (even though sniffing remains possible).

1. Encryption

1.1 SSL

SSL (Secure Sockets Layer), which makes encrypted web browsing possible, is implemented in many web servers and browsers. It is used when connecting to most e-commerce sites to send credit card information.

Reference site: http://www.modssl.org/

1.2 PGP and S/MIME

E-mail is also sniffed in many ways. It can be monitored at many points on the Internet, and it can be misdelivered. The safest way to protect e-mail is to encrypt it, and the most representative methods are PGP and S/MIME. PGP is used as an add-on product, while S/MIME is implemented in e-mail programs.

1.3 ssh

ssh (Secure Shell) is used as the de facto standard for encrypted login to Unix systems. ssh must be used instead of telnet. Many publicly available tools provide ssh.

1.4 VPN

A VPN (Virtual Private Network) provides encrypted traffic over the Internet. If the system providing the VPN is compromised, however, the data can be sniffed before it is encrypted.

2. Building a switched network

With switches, the network can be divided into segments according to the nature of the work and the data being handled. A switch does not broadcast traffic to every segment but forwards it only to the segment concerned, so it is safer than an ordinary hub. The attacks described above under "Sniffing techniques in a switched environment" are nevertheless possible, and sniffing within the same segment cannot be prevented.

When configuring a switch, "sniffing in a switched environment" can be blocked by making the switch's address table static. Mapping a MAC address statically (permanently) to each switch port, as shown below, blocks attacks such as ARP spoofing and ARP redirect. This method takes a lot of security management time, but it is a very effective countermeasure.

Port | MAC address | permanence
1 | 0:60:2f:a3:9a:16 | Yes
2 | 0:60:97:c4:f:3e | Yes
3 | 8:0:20:79:c9:ea | Yes
4 | 0:60:97:c4:f:3e | Yes
5 | 0:a0:24:28:c4:47 | Yes
... | ... | ...

<Table 5> Switch table set to static

3. Sniffer detection

Every sniffer puts the network interface into "promiscuous mode" to eavesdrop on the network. Hosts must therefore be checked periodically for "promiscuous mode" in order to detect systems on which a sniffer is running. Like sniffing techniques, the methods for detecting sniffers are becoming more sophisticated. The methods for detecting a system set to "promiscuous mode" are described below. Most of them work mainly inside the local network.

3.1 Using ping

Most sniffers run on top of an ordinary TCP/IP stack, so when they receive a request they return the corresponding response. The ping method of sniffer detection sends a ping with a disguised MAC address to the suspected system.

① Forge the MAC address (using a MAC address that does not exist on the local network) and send a ping (ICMP Echo Request) to the other system.

② If a ping reply (ICMP Echo Reply) comes back, that host is sniffing. Because a non-existent MAC address was used, no host that is not sniffing can see the ping request, and so none of them replies.

The following shows a ping test against host 33 with the sniffer detection tool "sentinel". The test result is "positive", which means that host 33 is set to "promiscuous mode".

Usage:

./sentinel [method] [-t <target ip>] [options]

Methods:

[ -a ARP test ]

[ -d DNS test ] (requires -f (non-existent host) option

[ -i ICMP Ping Latency test ]

[ -e ICMP Etherping test ]

[root@consult sentinel-0.8]# ./sentinel -e -t 172.16.2.33

[ The Sentinel Project: Remote promiscuous detection ]

[ Subterrain Security Group (c) 2000 ]

Running on: 'consult' running on Linux 2.2.12-4 on a(n) i686

Device: eth0

Source IP Address: 172.16.2.31

Source Hardware Address: 0:50:da:d3:1f:d3

Target: 172.16.2.33

Performing ICMP etherping test

Sending out 10 bogus ICMP ECHO packets..

Results: 172.16.2.33 tested positive to etherping test.

The following shows the traffic that appears on the network while sentinel runs. Lines 6 and 8 show "icmp: echo reply" being returned.

1: [root@consult Sniffer]# tcpdump -e host 172.16.2.33

2: tcpdump: listening on eth0

3: 07:35:59.985065 0:50:da:d3:1f:d3 ff:0:0:0:0:0 ip 42: consult.certcc.or.kr > 172.16.2.33: icmp: echo request
                                     (forged MAC)

4: 07:35:59.985716 0:80:c7:33:16:c2 Broadcast arp 60: arp who-has consult.certcc.or.kr tell 172.16.2.33

5: 07:35:59.985761 0:50:da:d3:1f:d3 0:80:c7:33:16:c2 arp 42: arp reply consult.certcc.or.kr is-at 0:50:da:d3:1f:d3

6: 07:35:59.986172 0:80:c7:33:16:c2 0:50:da:d3:1f:d3 ip 60: 172.16.2.33 > consult.certcc.or.kr: icmp: echo reply

7: 07:36:00.995056 0:50:da:d3:1f:d3 ff:0:0:0:0:0 ip 42: consult.certcc.or.kr > 172.16.2.33: icmp: echo request

8: 07:36:00.995571 0:80:c7:33:16:c2 0:50:da:d3:1f:d3 ip 60: 172.16.2.33 > consult.certcc.or.kr: icmp: echo reply

3.2 Using ARP

This method is similar to the ping method: a forged ARP request is sent as a non-broadcast frame, and if an ARP response comes back, the other host is set to "promiscuous mode".

The following shows a test that sends forged ARP requests to host 33 and checks whether an ARP reply comes back. As before, a "positive" result means that host 33 is set to "promiscuous mode".

 

[root@consult sentinel-0.8]# ./sentinel -a -t 172.16.2.33

[ The Sentinel Project: Remote promiscuous detection ]

[ Subterrain Security Group (c) 2000 ]

Running on: 'consult' running on Linux 2.2.12-4 on a(n) i686

Device: eth0

Source IP Address: 172.16.2.31

Source Hardware Address: 0:50:da:d3:1f:d3

Target: 172.16.2.33

Performing ARP test

Sending out 10 bogus ARP requests..

Results: 172.16.2.33 tested positive to arp test.

The following shows the traffic that appears on the network while sentinel runs. Lines 4 and 6 show the arp reply being returned.

1: [root@consult Sniffer]# tcpdump -e arp
2: tcpdump: listening on eth0

3: 07:34:03.485066 ff:0:0:0:0:0 ff:0:0:0:0:0 arp 42: arp who-has 172.16.2.33 tell consult.certcc.or.kr (0:50:da:d3:1f:d3)
                    (forged MAC)

4: 07:34:03.485549 0:80:c7:33:16:c2 0:50:da:d3:1f:d3 arp 60: arp reply 172.16.2.33 is-at 0:80:c7:33:16:c2

5: 07:34:04.495057 ff:0:0:0:0:0 ff:0:0:0:0:0 arp 42: arp who-has 172.16.2.33 tell consult.certcc.or.kr (0:50:da:d3:1f:d3)
                    (forged MAC)

6: 07:34:04.495968 0:80:c7:33:16:c2 0:50:da:d3:1f:d3 arp 60: arp reply 172.16.2.33 is-at 0:80:c7:33:16:c2

3.3 DNS method

For the user's convenience, sniffing programs generally perform an inverse DNS lookup so that they can show domain names rather than the IP addresses of the systems they have sniffed. A sniffer can therefore also be detected by watching DNS traffic.

This method can be used both remotely and on the local network. Remotely, a ping sweep is sent to the network under test and the incoming inverse DNS lookups are watched to detect a sniffer. Locally, IP datagrams are sent to a forged IP address and the network is watched for DNS lookups of that address.

3.4 Decoy method

An attacker running a sniffer generally eavesdrops on user IDs and passwords and then uses them to attack other systems. A client and server are therefore set up on the network to keep leaking a preset user ID and password, leading the attacker to use this password. The administrator can detect the sniffer by using an IDS or a network monitoring program to detect the system that uses the preset ID and password.

http://www.zurich.ibm.com/Technology/Security/extern/gsal/sniffer_detector.html

3.5 host method

"Promiscuous mode" can be checked on the host itself with the "ifconfig -a" command. In the following output, the "PROMISC" flag shows that "promiscuous mode" is set.

[root@lotus]# ifconfig -a

eth0 Link encap:Ethernet HWaddr 00:50:DA:50:1C:D3
inet addr:172.16.2.31 Bcast:172.16.2.255 Mask:255.255.255.0

UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:538138 errors:0 dropped:0 overruns:0 frame:0
TX packets:317739 errors:0 dropped:0 overruns:0 carrier:2

collisions:251 txqueuelen:100
Interrupt:3 Base address:0x300

lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:40 errors:0 dropped:0 overruns:0 frame:0
TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
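Added example (not part of the original document): a Python check for the host method that reports interfaces carrying the PROMISC flag, first from `ifconfig -a` text and then from the Linux sysfs flags word. The sample text is constructed from the output above; the function names are hypothetical, and the sysfs layout (`/sys/class/net/<if>/flags`) is assumed to be a current Linux one.

```python
import os
import re

IFF_PROMISC = 0x100      # interface flag bit from <linux/if.h>

# Start of an interface stanza in old ("eth0  Link encap:") and new
# ("eth0: flags=4419<...>") ifconfig layouts.
STANZA = re.compile(r"^(\S+?):?\s+(?:Link encap:|flags=)")


def promisc_from_ifconfig(text):
    """Return interface names whose stanza lists the PROMISC flag."""
    found, current = [], None
    for line in text.splitlines():
        m = STANZA.match(line)
        if m:
            current = m.group(1)
        if current and re.search(r"\bPROMISC\b", line) and current not in found:
            found.append(current)
    return found


def promisc_from_sysfs(root="/sys/class/net"):
    """Return interface names whose sysfs flags word has IFF_PROMISC set."""
    names = []
    for name in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                flags = int(fh.read().strip(), 16)     # e.g. "0x1103"
        except (OSError, ValueError):
            continue                                   # not an interface entry
        if flags & IFF_PROMISC:
            names.append(name)
    return names


# Constructed sample, shortened from the ifconfig output shown above.
SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:50:DA:50:1C:D3
          inet addr:172.16.2.31  Bcast:172.16.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
"""

if __name__ == "__main__":
    print("ifconfig sample:", promisc_from_ifconfig(SAMPLE))
    if os.path.isdir("/sys/class/net"):
        print("this host (sysfs):", promisc_from_sysfs())
```

On current Linux kernels a capture opened through a packet socket may not show PROMISC in ifconfig output, so the sysfs flags word is the more reliable of the two sources.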

4. Network management

As described above, there are many ways to detect a sniffer, and public tools that implement them exist. By using these tools to check periodically whether a sniffer has been installed, a network administrator can detect malicious internal users as well as attackers from outside. The public tools that can be used to detect the attacks described above are introduced below.

4.1 ARPwatch

ARPwatch is a program that monitors ARP traffic and watches the MAC/IP pairings. When an ARP entry (ethernet/ip addr) recorded initially changes, the tool detects the change and notifies the administrator by mail. Since most of the attack techniques use forged ARP, they are easily detected this way. The following is the database of initial ethernet/ip pairs built by running "arpwatch -d". When "arpwatch" is run afterwards, it sends a warning by mail for every ethernet/ip pair that is added or changed. Through this mail the administrator can detect and respond to ARP-based attacks.

0:x:x:a3:x:6a | 172.x.x.1 | 963475326
0:x:x:c4:x:3e | 172.x.x.1 | 963473482
8:x:x:79:x:ea | 172.x.x.71 | 963465559
0:x:x:c4:x:3e | 172.x.x.80 | 963474080
0:x:x:28:x:47 | 172.x.x.82 | 963469967
8:x:x:b7:x:72 | 172.x.x.45 | 963475326
... | ... | ...

arp.dat file (result of monitoring with "arpwatch -d")


ARPwatch download site: ftp://ftp.ee.lbl.gov/
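Added example (not arpwatch's code and not part of the original document): a small Python monitor in the spirit of ARPwatch that reads `tcpdump -e arp` reply lines and flags the patterns traced in the Switch Jamming, ARP Redirect and ARP spoofing sections: a burst of never-seen source MACs, an IP whose MAC differs from the baseline, and one MAC claiming several IPs. The sample lines are taken from this document's captures; the baseline dictionaries, the thresholds and all function names are assumptions.

```python
import re
from collections import defaultdict

# tcpdump -e line: time, Ethernet source, Ethernet destination, ARP reply.
LINE = re.compile(r"(\d+):(\d+):(\d+\.\d+) (\S+) (\S+) arp \d+: "
                  r"arp reply (\S+) is-at (\S+)")


def norm(mac):
    """'0:c0:26:27:b:1c' -> '00:c0:26:27:0b:1c' so strings compare safely."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def parse(line):
    m = LINE.match(line.strip())
    if m is None:
        return None                          # not an ARP reply line
    hh, mm, ss, src, dst, ip, claimed = m.groups()
    return {"t": int(hh) * 3600 + int(mm) * 60 + float(ss), "src": norm(src),
            "broadcast": dst == "Broadcast", "ip": ip, "mac": norm(claimed)}


def analyze(lines, baseline, flood_macs=5, window=1.0):
    """Return (kind, subject) alerts; baseline is the known-good {ip: mac}
    table, the role arp.dat plays for arpwatch."""
    known = {ip: norm(mac) for ip, mac in baseline.items()}
    seen_src = set(known.values())           # source MACs a switch would learn
    first_seen = []                          # times at which a new MAC appeared
    claims = defaultdict(set)                # claimed MAC -> IPs it answered for
    alerts = []
    for line in lines:
        pkt = parse(line)
        if pkt is None:
            continue
        if pkt["src"] not in seen_src:       # Switch Jamming: many new MACs
            seen_src.add(pkt["src"])
            first_seen.append(pkt["t"])
            recent = [t for t in first_seen if pkt["t"] - t <= window]
            if len(recent) == flood_macs:
                alerts.append(("mac-flood", pkt["src"]))
        expected = known.setdefault(pkt["ip"], pkt["mac"])
        if expected != pkt["mac"]:           # ARP Redirect / ARP spoofing
            kind = ("ip-mac-changed-broadcast" if pkt["broadcast"]
                    else "ip-mac-changed")
            if (kind, pkt["ip"]) not in alerts:
                alerts.append((kind, pkt["ip"]))
        claims[pkt["mac"]].add(pkt["ip"])    # proxy ARP can do this legitimately
        if len(claims[pkt["mac"]]) >= 2 and ("multi-ip", pkt["mac"]) not in alerts:
            alerts.append(("multi-ip", pkt["mac"]))
    return alerts


# Lines taken from the captures in this document.
FLOOD = """\
07:44:23.898915 79:94:74:11:d7:dc bc:47:d8:7b:31:51 arp 42: arp reply 82.195.6.82 is-at 79:94:74:11:d7:dc
07:44:23.898954 b8:29:3:9c:9e:5c 3f:cf:9b:70:fa:14 arp 42: arp reply 204.227.135.56 is-at b8:29:3:9c:9e:5c
07:44:23.898991 5:6f:25:db:4b:76 97:a0:d6:c7:f1:8f arp 42: arp reply 158.81.199.91 is-at 5:6f:25:db:4b:76
07:44:23.899027 f0:f4:2c:8f:50:f7 a6:ca:21:a1:dd:26 arp 42: arp reply 114.215.48.176 is-at f0:f4:2c:8f:50:f7
07:44:23.899063 10:3:1:5b:78:9f de:d0:b:d0:60:fa arp 42: arp reply 171.63.250.67 is-at 10:3:1:5b:78:9f
07:44:23.899099 c4:8c:89:15:83:fb 7d:cc:32:5b:f2:42 arp 42: arp reply 235.178.172.145 is-at c4:8c:89:15:83:fb
""".splitlines()
REDIRECT = """\
15:29:36.887943 0:50:da:d3:1f:d3 Broadcast arp 60: arp reply 172.16.2.1 is-at 0:50:da:d3:1f:d3
15:29:38.895089 0:50:da:d3:1f:d3 Broadcast arp 60: arp reply 172.16.2.1 is-at 0:50:da:d3:1f:d3
15:52:55.025088 0:60:2f:a3:9a:1c Broadcast arp 60: arp reply 172.16.2.1 is-at 0:60:2f:a3:9a:1c
""".splitlines()
MITM = """\
16:38:30.915146 0:50:da:d3:1f:d3 0:c0:26:28:f9:c7 arp 42: arp reply 172.16.2.15 is-at 0:50:da:d3:1f:d3
16:38:31.225158 0:50:da:d3:1f:d3 0:0:e8:76:e8:bb arp 42: arp reply 172.16.2.18 is-at 0:50:da:d3:1f:d3
""".splitlines()

if __name__ == "__main__":
    print(analyze(FLOOD, {}))
    print(analyze(REDIRECT, {"172.16.2.1": "0:60:2f:a3:9a:1c"}))
    print(analyze(MITM, {"172.16.2.15": "0:0:e8:76:e8:bb",
                         "172.16.2.18": "0:c0:26:28:f9:c7"}))
```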

4.2 Sentinel

Sentinel is a tool that implements the sniffer detection methods described above. It can detect sniffers in four ways, of which the "ICMP Ping Latency test (-i option)" is not yet implemented. Network administrators should use a tool like this against every host on the internal network to check periodically whether a sniffer is installed. Any host suspected of having a sniffer installed must be analyzed thoroughly, and if it has been compromised it must be recovered. System analysis and recovery are covered in other technical documents.

Methods:

[ -a ARP test ]
[ -d DNS test ] (requires -f (non-existent host) option
[ -i ICMP Ping Latency test ]
[ -e ICMP Etherping test ]

The following are examples of detecting a sniffer with sentinel.

# ./sentinel -t 192.168.1.2 -a ; arp test against 192.168.1.2
# ./sentinel -t 192.168.1.2 -e ; etherping test against 192.168.1.2
# ./sentinel -t 192.168.1.2 -f 1.1.1.1 -d ; dns test against 192.168.1.2
# ./sentinel -t 192.168.1.2 -f 1.1.1.1 -d -a -e ; all of promisc detection tests against 192.168.1.2

Sentinel download site: http://www.packetfactory.net/projects/sentinel/

[References and reference sites]

1. TCP/IP Illustrated, Volume1, The Protocols, W.Richard Stevens, ADDISON-WESLEY
2. dsniff, http://www.monkey.org/~dugsong/dsniff/
3. arpwatch, ftp://ftp.ee.lbl.gov/
4. Sentinel Project, http://www.subterrain.net/projects/sentinel
5. The Hunt Project, http://www.cri.cz/kra/index.html
6. arpmitm, http://teso.scene.at/releases.php3
7. Sniffing FAQ, http://www.securitymap.net/docs/faq/sniffing-faq.htm






Source: cert
     