678/1200 &nbsp; 2 Virtual Exec<BR>
&nbsp; 28 L E 10581C8 &nbsp; 28 &nbsp; 20 &nbsp; 1400 &nbsp; 824/1000 &nbsp; 0 UDP Echo<BR>
&nbsp; 5 M E 10581C8 &nbsp; 0 &nbsp; 52 &nbsp; 0 &nbsp; 898/1000 &nbsp; 0 BOOTP Server<BR>
&nbsp; 6 H E 1010ABA &nbsp; 485848 &nbsp; 74667 &nbsp; 6506 &nbsp; 536/900 &nbsp; 0 IP Input<BR>
&nbsp; 7 M E 1062DA6 &nbsp; 68 &nbsp; 21114 &nbsp; 3 &nbsp; 804/1000 &nbsp; 0 TCP Timer<BR>
&nbsp; 8 L E 1063FA4 &nbsp; 164 &nbsp; 161 &nbsp; 1018 &nbsp; 766/1000 &nbsp; 0 TCP Protocols<BR>
&nbsp; 9 L E 101E646 &nbsp; 1568 &nbsp; 2321 &nbsp; 675 &nbsp; 854/1000 &nbsp; 0 ARP Input<BR>
&nbsp; 10 L E 1010ABA &nbsp; 0 &nbsp; 1 &nbsp; 0 &nbsp; 938/1000 &nbsp; 0 Probe Input<BR>
&nbsp; 29 L E 10581C8 &nbsp; 24 &nbsp; 20 &nbsp; 1200 &nbsp; 824/1000 &nbsp; 0 UDP Echo<BR>
&nbsp; 12 M E 1035092 &nbsp; 0 &nbsp; 2 &nbsp; 0 &nbsp; 968/1000 &nbsp; 0 Timers<BR>
&nbsp; 13 H E 1010ABA &nbsp; 19472 &nbsp; 54616 &nbsp; 356 &nbsp; 412/500 &nbsp; 0 Net Input<BR>
&nbsp; 14 M T 100E474 &nbsp; 336 &nbsp; 104907 &nbsp; 3 &nbsp; 790/1000 &nbsp; 0 TTY Background<BR>
&nbsp; 15 L E 10E2722 &nbsp; 0 &nbsp; 1 &nbsp; 0 &nbsp; 896/1000 &nbsp; 0 IP SNMP<BR>
&nbsp; 30 L E 10581C8 &nbsp; 0 &nbsp; 20 &nbsp; 0 &nbsp; 946/1000 &nbsp; 0 UDP Discard<BR>
&nbsp; 31 L E 10581C8 &nbsp; 0 &nbsp; 20 &nbsp; 0 &nbsp; 946/1000 &nbsp; 0 UDP Discard<BR><BR>
With the command “show stacks” you’ll get more information about the daemons.<BR><BR>
CiscoRouter#show stacks<BR><BR>
Minimum process stacks:<BR>
Free/Size&nbsp; Name<BR>
734/1000&nbsp; Init<BR>
970/1000&nbsp; Pakmon Init<BR>
962/1000&nbsp; MOP Protocols<BR>
934/1000&nbsp; UDP Discard<BR>
678/1200&nbsp; Virtual Exec<BR>
786/1000&nbsp; TCP Discard<BR>
782/1000&nbsp; TCP Echo<BR>
820/1000&nbsp; UDP Echo<BR><BR>
Interrupt level stacks:<BR>
Level &nbsp; Called &nbsp; Free/Size&nbsp; Name<BR>
&nbsp; 3 &nbsp; 417 &nbsp; 964/1000&nbsp; Serial interface state change interrupt<BR>
&nbsp; 4 &nbsp; 580538 &nbsp; 886/1000&nbsp; Network interfaces<BR>
&nbsp; 5 &nbsp; 46 &nbsp; 968/1000&nbsp; Console Uart<BR><BR><BR>

<DIV align=left><BIG><B>Securing IGS-CR</B></BIG><BR></DIV><BR>
We need the combination of the remotely and locally gathered information to stop the unnecessary daemons… We have several ways to do this:<BR><BR>
The simplest way is to use the program ‘setup’. Here we can say, for example, do not load the SNMP daemon by simply entering ‘yes or no’ at the options.<BR>
I know not many people will try this way to unload the unnecessary daemons, because: one, it’s not easy to find; and two, you really have to know what you’re doing. But it’s possible to read out the whole memory stack, find the right offset of a daemon and rewrite the memory so the daemon will be killed.<BR>
As far as I know the IGS series do not have an internal (network) firewall or such; probably the newer ones do have it. I will not discuss how to set up the firewall, because simply said I don’t know how to do this right now. What I do want to mention is that with this type of firewall you have the option to filter the daemons for unwanted connections. You can create rules like: 169.254.0.11 may connect to the telnet daemon but 169.254.0.20 may not. Well, you get the idea, don’t you?<BR><BR>
To completely secure the IGS-CR we have to use the first two ways: first we use way one, and if not all unnecessary daemons are stopped by then, we use way two as well. It’s possible that you want to kill different daemons than I’m going to… most likely we’re talking about daemons that can’t be stopped with the ‘setup’ menu. And daemons that can’t be stopped with way one have to be stopped with way two, and that requires a lot of search time on your part.<BR><BR>
Way one is rather simple: just type in “setup” and walk through the menu. To verify afterwards that you have stopped some unnecessary daemons, type “show processes” before and after you have walked through the setup. Compare both outputs with each other, and see for yourself if something has changed.<BR><BR>
I know that you cannot stop all unnecessary daemons with this setup program, but I will try to show you how to stop them ‘the second way’…<BR><BR>
I’m going to try to stop the daemon listed below…<BR><BR>
&nbsp;&nbsp; “15 L E 10E2722 &nbsp; 0 &nbsp; 1 &nbsp; 0 &nbsp; 896/1000 &nbsp; 0 IP SNMP”<BR><BR>
With the command “show memory”, you’ll get a stack dump from the whole memory. This could come in handy if we want to overwrite a specific location of the memory… We can (re)write the memory with the command “write memory or erase [start stack – end stack] [new data]”.<BR><BR>
Address &nbsp; Bytes &nbsp; Prev. &nbsp; Next &nbsp; Ref &nbsp; PrevF &nbsp; NextF &nbsp; Alloc PC &nbsp; What<BR><BR>
58850 &nbsp; 112 &nbsp; 587E0 &nbsp; 588C0 &nbsp; 1 &nbsp; * &nbsp; * &nbsp; 1057FA8 &nbsp; IP SNMP<BR><BR>
&nbsp; PID &nbsp; Q T &nbsp; PC &nbsp; Runtime (ms) &nbsp; Invoked &nbsp; uSecs &nbsp; Stacks &nbsp; TTY &nbsp; Process<BR>
&nbsp; 15 &nbsp; L E &nbsp; 10E2722 &nbsp; 0 &nbsp; 1 &nbsp; 0 &nbsp; 896/1000 &nbsp; 0 &nbsp; IP SNMP<BR><BR>
We could also kill the so-called PID address; because this depends on which router you have, I’m not going to explain this any further. Just find the appropriate command in your Cisco Router manual.<BR><BR>
After you have killed some daemons, check if they are really stopped. I know that rewriting the stack is a tricky operation, and it could be that your Cisco Router will stop functioning. To reset all data in the NVRAM (where all configuration is stored), type “erase startup-config” and “reload” in enabled mode. Remember that by doing so you lose all your configuration and such. The first time the Cisco Router boots from flash memory, consult your Cisco Router manual for specific information.<BR><BR><BR>
OK, so far for this time… I have to spend my other hours learning more about Cisco Systems products.<BR><BR>
Some links:<BR><BR>
http://freshmeat.net/projects/nmap/<BR>
http://www.cisco.com/<BR>
http://www.netterm.com/<BR><BR><BR>
If you have any questions or other comments related to this paper you can drop a mail to mailpop3@crosswinds.net<BR><BR><BR><BR><BR><BR><BR>
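The before/after comparison of “show processes” output described under way one can be scripted instead of done by eye. The following is an added example, not part of the original paper: the two captures are constructed from rows shown on this page, and the function names and the WATCH list of daemons treated as unnecessary are assumptions.

```python
import re
from collections import Counter

# Constructed captures, using the column layout printed on this page:
# PID Q T PC Runtime(ms) Invoked uSecs Stacks TTY Process
BEFORE = """\
PID Q T PC Runtime (ms) Invoked uSecs Stacks TTY Process
  5 M E 10581C8 0 52 0 898/1000 0 BOOTP Server
  6 H E 1010ABA 485848 74667 6506 536/900 0 IP Input
 15 L E 10E2722 0 1 0 896/1000 0 IP SNMP
 28 L E 10581C8 28 20 1400 824/1000 0 UDP Echo
 29 L E 10581C8 24 20 1200 824/1000 0 UDP Echo
 30 L E 10581C8 0 20 0 946/1000 0 UDP Discard
"""
AFTER = """\
PID Q T PC Runtime (ms) Invoked uSecs Stacks TTY Process
  5 M E 10581C8 0 52 0 898/1000 0 BOOTP Server
  6 H E 1010ABA 485848 74667 6506 536/900 0 IP Input
 28 L E 10581C8 28 20 1400 824/1000 0 UDP Echo
"""
# Assumption: the daemons the operator has decided this router does not need.
WATCH = {"IP SNMP", "UDP Echo", "UDP Discard", "BOOTP Server"}

ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<q>[A-Z])\s+(?P<t>\S)\s+(?P<pc>[0-9A-Fa-f]+)\s+"
    r"(?P<runtime>\d+)\s+(?P<invoked>\d+)\s+(?P<usecs>\d+)\s+"
    r"(?P<free>\d+)/(?P<size>\d+)\s+(?P<tty>\d+)\s+(?P<name>.+?)\s*$")

def parse_processes(text):
    """Return one dict per process row; header and prompt lines are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def compare(before, after, watch):
    """Diff two captures by process name. Names repeat (two UDP Echo rows),
    so instances are counted rather than collapsed into a set."""
    b = Counter(r["name"] for r in parse_processes(before))
    a = Counter(r["name"] for r in parse_processes(after))
    return {
        "stopped": sorted((b - a).elements()),
        "started": sorted((a - b).elements()),
        "still_running": sorted(n for n in a if n in watch),
    }

if __name__ == "__main__":
    for key, names in compare(BEFORE, AFTER, WATCH).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Anything left under still_running is a daemon from the watch list that the setup run did not stop and that still needs attention.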

<DIV align=center>Copyright (C) 2001, Data Wizard, The Netherlands.<BR></DIV><BR></BODY></HTML>
