MSCAN Analysis Report


1998. 8

김 상정 / CERTCC-KR, Korea Information Security Center (한국정보보호센터)

serene@{certcc, kisa}.or.kr

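1. Overview

MSCAN is a vulnerability scanning tool written by a hacker known as jsbach; version 1.0 was released in June 1998. The program scans an entire network block and can check the systems in that block for several kinds of vulnerabilities in a single run. This report describes how the program operates and what countermeasures are available.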

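2. Functions and characteristics of MSCAN

mscan uses the name service to scan an entire network block, such as test.com or 123.456, finds the IP addresses that are in use, and saves them to a file for later use. The default name of that file is ".ipdb".

Once the target network has been scanned, mscan uses the result to scan the systems in that network for vulnerabilities. The vulnerabilities mscan scans for are as follows.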

  • wingate
  • phf, handler, test-cgi
  • NFS exports, statd, named
  • X server, ipopd, imapd

mscan first opens a telnet connection to the target system to determine its OS, then scans for the vulnerabilities and displays the results.

A. Execution screen

[root@alzza ...]# ./mscan -r 123.456.789 -b > 123.456.789.log

-

.

.

.

mscan by jsbach --june/1998.

thanks to #kode for keeping me sane this year,

being my friends, and inspiring me to write

this prog.

 


B. Result screen

The following is the result of a scan performed with mscan.

-**-' scanning 123.456.789.51 `-**-

'*********************`

'*********************`

- checking OS for 123.456.789.57

IRIX (IRIS)

123.456.789.57: SCAN: runs IRIX.

&$!$&!@($!- fingering ze h0st 123.456.789.57

-**-' scanning 123.456.789.57 `-**-

PORTSCAN: runs httpd.

PORTSCAN: runs finger.

PORTSCAN: runs telnet.

PORTSCAN: runs X windows

'*********************`

'*********************`

- checking OS for 123.456.789.52

 

 


ebian Linux 1.1

Copyright (C) 1993-1996 Debian Association, Inc. and others

123.456.789.52: SCAN: runs linux.

-**-' scanning 123.456.789.52 `-**-

123.456.789.52: VULN: runs /cgi-bin/phf. haha!

123.456.789.52: VULN: runs /cgi-bin/test-cgi.

PORTSCAN: runs httpd.

PORTSCAN: runs finger.

PORTSCAN: runs telnet.

PORTSCAN: runs imapd.

123.456.789.52: SCAN: this box is a nameserver.

123.456.789.52: VULN: pop open and other holes

'*********************`

'*********************`

- checking OS for 123.456.789.58

HP-UX hpux B.10.20 A 9000/811 (ttyp2)

-**-' scanning 123.456.789.58 `-**-

PORTSCAN: runs X windows

123.456.789.58: SCAN: this box is a nameserver.

'*********************`

'*********************`

- checking OS for 123.456.789.117

ALzzA Linux release 5.0-kr (Patch Man)

Kernel 2.0.32 on an i586

123.456.789.117: SCAN: runs linux.

-**-' scanning 123.456.789.117 `-**-

PORTSCAN: runs httpd.

PORTSCAN: runs finger.

 

 


PORTSCAN: runs telnet.

PORTSCAN: runs imapd.

PORTSCAN: runs X windows

123.456.789.117: SCAN: this box is a nameserver.

alzza.test.com: VULN: linux box vulnerable to named overflow.

123.456.789.117: VULN: pop open and other holes

'*********************`

'*********************`

 

 

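3. Detecting MSCAN and countermeasures

The logs shown below are organized around the log files used on Linux systems.

A. Web server logs

As shown below, mscan scans the web server's cgi-bin directory for the presence of the CGI programs phf, test-cgi, and handler. These CGI programs are installed by default when the Apache web server is installed, and because they have vulnerabilities that can be used to attack the system, they must be removed or patched.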

- access_log -


alzza.test.com - - [28/Aug/1998:23:21:32 +0900] "GET /cgi-bin/phf" 200 1262

alzza.test.com - - [28/Aug/1998:23:21:32 +0900] "GET /cgi-bin/test-cgi" 200 420

alzza.test.com - - [28/Aug/1998:23:21:32 +0900] "GET /cgi-bin/handler" 404 -

alzza.test.com - - [28/Aug/1998:23:28:55 +0900] "GET /cgi-bin/phf" 200 1262

alzza.test.com - - [28/Aug/1998:23:28:55 +0900] "GET /cgi-bin/test-cgi" 200 420

alzza.test.com - - [28/Aug/1998:23:28:55 +0900] "GET /cgi-bin/handler" 404 -

alzza.test.com - - [28/Aug/1998:23:32:41 +0900] "GET /cgi-bin/phf" 200 1262

alzza.test.com - - [28/Aug/1998:23:32:41 +0900] "GET /cgi-bin/test-cgi" 200 420

alzza.test.com - - [28/Aug/1998:23:32:41 +0900] "GET /cgi-bin/handler" 404 -

alzza.test.com - - [29/Aug/1998:01:20:14 +0900] "lynx http://www.hacked.com/cgi-

 

 

- error_log -


[Fri Aug 28 23:21:32 1998] access to /var/web/cgi-bin/handler failed for alzza.test.com, reason: script not found or unable to stat

[Fri Aug 28 23:28:55 1998] access to /var/web/cgi-bin/handler failed for alzza.test.com, reason: script not found or unable to stat

[Fri Aug 28 23:32:41 1998] access to /var/web/cgi-bin/handler failed for alzza.test.com, reason: script not found or unable to stat
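The access_log pattern above can be checked mechanically: the same client requests the three CGI paths within the same second. The following is an added example, not part of the original report; the function name and the threshold are assumptions, and the sample lines are taken from the excerpt above except for one constructed benign request.

```python
import re
from collections import defaultdict

# CGI paths the report says mscan requests.
PROBE_PATHS = {"/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/handler"}

# Common Log Format. The HTTP version is optional because the probes in the
# report's excerpt are bare "GET /path" requests.
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Lines from the access_log excerpt in this report, plus one constructed
# benign request (kitty.test.com) to show ordinary traffic is not flagged.
SAMPLE = """\
alzza.test.com - - [28/Aug/1998:23:21:32 +0900] "GET /cgi-bin/phf" 200 1262
alzza.test.com - - [28/Aug/1998:23:21:32 +0900] "GET /cgi-bin/test-cgi" 200 420
alzza.test.com - - [28/Aug/1998:23:21:32 +0900] "GET /cgi-bin/handler" 404 -
kitty.test.com - - [28/Aug/1998:23:25:10 +0900] "GET /index.html HTTP/1.0" 200 512
alzza.test.com - - [28/Aug/1998:23:28:55 +0900] "GET /cgi-bin/phf" 200 1262
alzza.test.com - - [28/Aug/1998:23:28:55 +0900] "GET /cgi-bin/test-cgi" 200 420
alzza.test.com - - [28/Aug/1998:23:28:55 +0900] "GET /cgi-bin/handler" 404 -
alzza.test.com - - [29/Aug/1998:01:20:14 +0900] "lynx http://www.hacked.com/cgi-
"""


def find_cgi_probes(lines, min_paths=2):
    """Flag (client, second) groups that request >= min_paths probe paths.

    Each finding also lists which probed scripts answered 200, i.e. the
    ones that exist on the server and need to be removed or patched.
    """
    groups = defaultdict(dict)  # (client, timestamp) -> {path: status}
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # truncated or non-CLF line, such as the last sample line
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path in PROBE_PATHS:
            groups[(m["client"], m["ts"])][path] = int(m["status"])

    findings = []
    for (client, ts), hits in groups.items():
        if len(hits) >= min_paths:
            findings.append({
                "client": client,
                "time": ts,
                "probed": sorted(hits),
                "present": sorted(p for p, s in hits.items() if s == 200),
            })
    return findings


if __name__ == "__main__":
    for f in find_cgi_probes(SAMPLE.splitlines()):
        print(f"{f['time']} {f['client']} probed {len(f['probed'])} CGI paths; "
              f"present on server: {', '.join(f['present']) or 'none'}")
```
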

 



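B. Mail log

mscan scans whether the system provides ipop or imap service. ipop and imap have buffer overflow vulnerabilities, so an attacker can use them to obtain administrator (root) privileges. These programs should be patched to the latest version, or access to them should be controlled with tcpwrapper and routers. In particular, imap allows administrator (root) privileges to be obtained easily with hacking tools, so unless it is strictly necessary, comment it out in the inetd.conf file so that the service is not provided.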

- maillog -


Aug 28 14:31:52 alzza imapd[1300]: Broken pipe, while reading line user=??? host=UNKNOWN

Aug 28 14:31:52 alzza ipop3d[1301]: Connection broken while reading line user=??? host=UNKNOWN

Aug 28 14:31:52 alzza ipop3d[1303]: Connection broken while reading line user=??? host=UNKNOWN

Aug 28 14:31:52 alzza ipop3d[1305]: Connection broken while reading line user=??? host=UNKNOWN

Aug 28 14:31:54 alzza sendmail[1298]: NOQUEUE: Null connection from root@alzza.test.com [123.456.789.117]
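To verify the inetd.conf and tcpwrapper advice above on a host, the following added example (not part of the original report) lists which of the inetd-launched services probed in this report are still enabled and whether each is started through tcpd. The inetd.conf content is constructed, and the service-name aliases and the tcpd path are assumptions about the local system.

```python
import os

# inetd service names for the daemons seen in this report's logs (fingerd,
# telnetd, imapd, ipop3d). "imap2" and "pop3" are alternative names used in
# some /etc/services files (assumption about the local system).
SCANNED = {"finger", "telnet", "imap", "imap2", "pop-3", "pop3"}

# Constructed inetd.conf fragment, not taken from the report.
SAMPLE_INETD = """\
# <service> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd    in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd    in.telnetd
pop-3   stream  tcp     nowait  root    /usr/sbin/ipop3d  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd    imapd
#finger stream  tcp     nowait  root    /usr/sbin/tcpd    in.fingerd
"""


def audit_inetd(text):
    """Return the enabled inetd entries for services probed in this report."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or a service that is already commented out
        fields = line.split()
        if len(fields) < 6:
            continue  # not a complete service entry
        service, server = fields[0], fields[5]
        if service not in SCANNED:
            continue
        findings.append({
            "service": service,
            "server": server,
            # argv[0] of the daemon; with tcpd this names the wrapped program
            "daemon": fields[6] if len(fields) > 6 else os.path.basename(server),
            # started through the tcpwrapper binary, so hosts.allow/deny apply
            "wrapped": os.path.basename(server) == "tcpd",
        })
    return findings


def unwrapped_services(findings):
    """Services reachable without any tcpwrapper access control."""
    return [f["service"] for f in findings if not f["wrapped"]]


if __name__ == "__main__":
    results = audit_inetd(SAMPLE_INETD)
    for f in results:
        state = "behind tcpd" if f["wrapped"] else "NOT wrapped"
        print(f"{f['service']:8s} enabled, {state} ({f['daemon']})")
    print("needs access control:", unwrapped_services(results))
```
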

 

 

C. secure log

When a system is scanned by mscan, log entries like the following appear consecutively within the same time window.

- secure -


Aug 28 14:31:50 alzza in.fingerd[1299]: connect from 123.456.789.117

Aug 28 14:31:50 alzza imapd[1300]: connect from 123.456.789.117

Aug 28 14:31:50 alzza ipop3d[1301]: connect from 123.456.789.117

Aug 28 14:31:50 alzza in.telnetd[1304]: connect from 123.456.789.117

Aug 28 14:31:50 alzza in.telnetd[1302]: connect from 123.456.789.117

Aug 28 14:31:50 alzza ipop3d[1303]: connect from 123.456.789.117

Aug 28 14:31:50 alzza ipop3d[1305]: connect from 123.456.789.117
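The burst described above, one source connecting to several different services within the same second or two, can be detected with a sliding window over the tcpwrapper "connect from" entries. This is an added example, not part of the original report; the thresholds and function name are assumptions, the first seven sample lines are the excerpt above, and the last line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# tcpwrapper-style entry: "<Mon> <day> <time> <host> <daemon>[pid]: connect from <src>"
TCPD = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<daemon>[\w.\-]+)\[\d+\]: connect from (?P<src>\S+)$'
)

# Excerpt from this report's secure log (addresses are the report's sanitized
# placeholders, handled as opaque strings) plus one constructed benign login.
SAMPLE = """\
Aug 28 14:31:50 alzza in.fingerd[1299]: connect from 123.456.789.117
Aug 28 14:31:50 alzza imapd[1300]: connect from 123.456.789.117
Aug 28 14:31:50 alzza ipop3d[1301]: connect from 123.456.789.117
Aug 28 14:31:50 alzza in.telnetd[1304]: connect from 123.456.789.117
Aug 28 14:31:50 alzza in.telnetd[1302]: connect from 123.456.789.117
Aug 28 14:31:50 alzza ipop3d[1303]: connect from 123.456.789.117
Aug 28 14:31:50 alzza ipop3d[1305]: connect from 123.456.789.117
Aug 28 14:40:02 alzza in.telnetd[1320]: connect from kitty.test.com
"""


def find_service_sweeps(lines, window_seconds=2, min_services=3, year=1998):
    """Report sources that reach >= min_services distinct daemons in one window.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    by_src = defaultdict(list)
    for line in lines:
        m = TCPD.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        by_src[m["src"]].append((ts, m["daemon"]))

    window = timedelta(seconds=window_seconds)
    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        best, best_key, start = None, (0, 0), 0
        for end in range(len(events)):
            # shrink the window until it spans at most window_seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            services = {d for _, d in events[start:end + 1]}
            key = (len(services), end - start + 1)
            if len(services) >= min_services and key > best_key:
                best_key = key
                best = {
                    "source": src,
                    "start": events[start][0],
                    "services": sorted(services),
                    "connections": end - start + 1,
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_service_sweeps(SAMPLE.splitlines()):
        print(f"{f['start']} {f['source']}: {f['connections']} connections "
              f"to {len(f['services'])} services ({', '.join(f['services'])})")
```
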

 


D. messages log

- messages -

Aug 28 14:31:51 alzza identd[1306]: from: 123.456.789.52 ( kitty.test.com ) for: 6244, 25

Aug 28 14:31:52 alzza identd[1306]: Successful lookup: 6244 , 25 : root.root

Aug 28 14:31:52 alzza telnetd[1302]: ttloop: read: Broken pipe

Aug 28 14:31:53 alzza identd[1307]: from: 123.456.789.117 ( alzza.test.com ) for: 5632, 25

Aug 28 14:31:53 alzza identd[1307]: Successful lookup: 5632 , 25 : root.root

Aug 28 14:32:24 alzza identd[1309]: from: 123.456.789.58 ( ns.test.com ) for: 5781, 25

Aug 28 14:32:24 alzza identd[1309]: Successful lookup: 5781 , 25 : root.root

 

 

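E. tcpdump log (see attachment)

The tcpdump log shows that requests to the name service increased enormously, and it also contains the packets generated by the vulnerability scanning itself. An mscan attack carried out over the Internet can therefore place a considerable load on the network, and the load on name servers is especially heavy.

Attachment. tcpdump log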

14:38:19.459109 0:0:c:8d:24:df 0:0:c:8d:24:df loopback 60:

0000 0100 0000 0000 0000 0000 0000 0000

0000 0000 0000 0000 0000 0000 0000 0000

0000 0000 0000 0000 0000 0000 0000

14:38:21.969109 kitty.test.com.1192 > 210.116.239.255.sunrpc: udp 100

14:38:28.299109 kisa1.test.com.finger > alzza.test.com.6266: F 3185928987:3185928987(0) ack 3769291987 win 8760 (DF)

14:38:28.379109 alzza.test.com.1882 > ns.test.com.domain: 46628+ (45)

14:38:28.379109 ns.test.com.domain > alzza.test.com.1882: 46628* 1/1/0 (114)

14:38:29.459109 0:0:c:8d:24:df 0:0:c:8d:24:df loopback 60:

0000 0100 0000 0000 0000 0000 0000 0000

0000 0000 0000 0000 0000 0000 0000 0000

0000 0000 0000 0000 0000 0000 0000

14:38:30.879109 0:0:c:8d:24:df > 1:0:c:cc:cc:cc sap aa ui/C len=270

0c00 0100 0965 6167 6c65 0002 0011 0000

0001 0101 cc00 04d2 74ef fe00 0300 0d45

7468 6572 6e65 7431 0004 00

14:38:35.989109 kitty.test.com.1193 > 210.116.239.255.sunrpc: udp 100

14:38:39.459109 0:0:c:8d:24:df 0:0:c:8d:24:df loopback 60:

0000 0100 0000 0000 0000 0000 0000 0000

0000 0000 0000 0000 0000 0000 0000 0000

0000 0000 0000 0000 0000 0000 0000

14:38:39.989109 kitty.test.com.1193 > 210.116.239.255.sunrpc: udp 100

14:38:45.999109 kitty.test.com.1193 > 210.116.239.255.sunrpc: udp 100

14:38:49.459109 0:0:c:8d:24:df 0:0:c:8d:24:df loopback 60:

0000 0100 0000 0000 0000 0000 0000 0000

0000 0000 0000 0000 0000 0000 0000 0000

0000 0000 0000 0000 0000 0000 0000

14:38:54.009109 kitty.test.com.1193 > 210.116.239.255.sunrpc: udp 100

14:38:59.459109 0:0:c:8d:24:df 0:0:c:8d:24:df loopback 60:

0000 0100 0000 0000 0000 0000 0000 0000

0000 0000 0000 0000 0000 0000 0000 0000

0000 0000 0000 0000 0000 0000 0000

14:38:59.879109 arp who-has kisa1.test.com tell alzza.test.com

14:39:04.019109 kitty.test.com.1193 > 210.116.239.255.sunrpc: udp 100

14:39:09.459109 0:0:c:8d:24:df 0:0:c:8d:24:df loopback 60:

0000 0100 0000 0000 0000 0000 0000 0000

0000 0000 0000 0000 0000 0000 0000 0000

0000 0000 0000 0000 0000 0000 0000

14:39:10.969109 alzza.test.com.1883 > ns.test.com.domain: 40076+ (46)

14:39:10.979109 ns.test.com.domain > alzza.test.com.1883: 40076 NXDomain* 0/1/0 (124)

14:39:11.009109 alzza.test.com.1884 > ns.test.com.domain: 40077+ (46)

14:39:11.009109 ns.test.com.domain > alzza.test.com.1884: 40077 NXDomain* 0/1/0 (124)

14:39:11.029109 alzza.test.com.1885 > ns.test.com.domain: 40078+ (46)

14:39:11.029109 ns.test.com.domain > alzza.test.com.1885: 40078 NXDomain* 0/1/0 (124)

(middle portion omitted)

14:39:12.769109 alzza.test.com.1128 > ns.test.com.domain: 40326+ (44)

14:39:12.769109 ns.test.com.domain > alzza.test.com.1128: 40326 NXDomain* 0/1/0 (122)

14:39:12.769109 alzza.test.com.1129 > ns.test.com.domain: 40327+ (44)

14:39:12.769109 ns.test.com.domain > alzza.test.com.1129: 40327 NXDomain* 0/1/0 (122)

14:39:12.829109 alzza.test.com.6677 > ns.test.com.finger: S 48339747:48339747(0) win 512 <mss 1460>

14:39:12.829109 ns.test.com.finger > alzza.test.com.6677: R 0:0(0) ack 48339748 win 0

14:39:12.839109 alzza.test.com.6678 > ns.test.com.telnet: S 2064144310:2064144310(0) win 512 <mss 1460>

14:39:12.839109 ns.test.com.telnet > alzza.test.com.6678: S 9344001:9344001(0) ack 2064144311 win 32768 <mss 1460> (DF)

14:39:12.839109 alzza.test.com.6678 > ns.test.com.telnet: . ack 1 win 32120 (DF)

14:39:12.839109 alzza.test.com.6678 > ns.test.com.telnet: F 1:1(0) ack 1 win 32120

14:39:12.839109 ns.test.com.telnet > alzza.test.com.6678: . ack 2 win 32768 (DF)

14:39:12.849109 alzza.test.com.6679 > ns.test.com.http: S 2515072590:2515072590(0) win 512 <mss 1460>

14:39:12.849109 ns.test.com.http > alzza.test.com.6679: R 0:0(0) ack 2515072591 win 0

14:39:12.849109 alzza.test.com.6680 > ns.test.com.imap: S 971845181:971845181(0) win 512 <mss 1460>

14:39:12.849109 ns.test.com.imap > alzza.test.com.6680: R 0:0(0) ack 971845182 win 0

14:39:12.849109 alzza.test.com.6681 > ns.test.com.domain: S 4276611997:4276611997(0) win 512 <mss 1460>

14:39:12.849109 ns.test.com.domain > alzza.test.com.6681: S 9408001:9408001(0) ack 4276611998 win 32768 <mss 1460> (DF)

14:39:12.849109 alzza.test.com.6681 > ns.test.com.domain: . ack 1 win 32120 (DF)

14:39:12.859109 alzza.test.com.6681 > ns.test.com.domain: F 1:1(0) ack 1 win 32120

14:39:12.859109 ns.test.com.domain > alzza.test.com.6681: . ack 2 win 32768 (DF)

14:39:12.859109 ns.test.com.domain > alzza.test.com.6681: F 1:1(0) ack 2 win 32768 (DF)

14:39:12.859109 alzza.test.com.6681 > ns.test.com.domain: . ack 2 win 32120 (DF)

14:39:12.859109 alzza.test.com.6724 > ns.test.com.pop-3: S 3849651862:3849651862(0) win 512 <mss 1460>

14:39:12.859109 ns.test.com.pop-3 > alzza.test.com.6724: R 0:0(0) ack 3849651863 win 0

14:39:12.859109 alzza.test.com.6726 > ns.test.com.telnet: S 1858442825:1858442825(0) win 512 <mss 1460>

14:39:12.869109 ns.test.com.telnet > alzza.test.com.6726: S 9472001:9472001(0) ack 1858442826 win 32768 <mss 1460> (DF)

14:39:12.869109 alzza.test.com.6726 > ns.test.com.telnet: . ack 1 win 32120 (DF)

14:39:12.869109 alzza.test.com.6727 > iris.test.com.finger: S 3103008016:3103008016(0) win 512 <mss 1460>

14:39:12.869109 iris.test.com.finger > alzza.test.com.6727: S 1342144000:1342144000(0) ack 3103008017 win 61320 <mss 1460> (DF)

14:39:12.869109 alzza.test.com.6727 > iris.test.com.finger: . ack 1 win 32120 (DF)

14:39:12.869109 alzza.test.com.1130 > ns.test.com.domain: 46630+ (45)

14:39:12.869109 alzza.test.com.6727 > iris.test.com.finger: F 1:1(0) ack 1 win 32120

14:39:12.869109 alzza.test.com.6728 > iris.test.com.telnet: S 2140912206:2140912206(0) win 512 <mss 1460>

14:39:12.869109 iris.test.com.finger > alzza.test.com.6727: . ack 2 win 61320 (DF)

14:39:12.869109 iris.test.com.telnet > alzza.test.com.6728: S 1342208000:1342208000(0) ack 2140912207 win 61320 <mss 1460> (DF)

14:39:12.869109 alzza.test.com.6728 > iris.test.com.telnet: . ack 1 win 32120 (DF)

14:39:12.869109 ns.test.com.domain > alzza.test.com.1130: 46630* 1/1/0 (113)

14:39:12.889109 alzza.test.com.6728 > iris.test.com.telnet: F 1:1(0) ack 1 win 32120

14:39:12.889109 iris.test.com.telnet > alzza.test.com.6728: . ack 2 win 61320 (DF)

14:39:12.889109 alzza.test.com.6729 > iris.test.com.http: S 3426048735:3426048735(0) win 512 <mss 1460>

14:39:12.889109 iris.test.com.http > alzza.test.com.6729: S 1342272000:1342272000(0) ack 3426048736 win 61320 <mss 1460> (DF)

14:39:12.889109 alzza.test.com.6729 > iris.test.com.http: . ack 1 win 32120 (DF)

14:39:12.889109 alzza.test.com.6729 > iris.test.com.http: F 1:1(0) ack 1 win 32120

14:39:12.889109 iris.test.com.http > alzza.test.com.6729: . ack 2 win 61320 (DF)

14:39:12.889109 ns.test.com.telnet > alzza.test.com.6678: P 1:4(3) ack 2 win 32768 (DF)

14:39:12.889109 alzza.test.com.6678 > ns.test.com.telnet: R 2064144312:2064144312(0) win 0

14:39:12.889109 iris.test.com.finger > alzza.test.com.6727: F 1:1(0) ack 2 win 61320 (DF)

14:39:12.889109 alzza.test.com.6727 > iris.test.com.finger: . ack 2 win 32120 (DF)

14:39:12.899109 alzza.test.com.6730 > iris.test.com.imap: S 1068057409:1068057409(0) win 512 <mss 1460>

14:39:12.899109 iris.test.com.imap > alzza.test.com.6730: R 0:0(0) ack 1068057410 win 0

14:39:12.899109 alzza.test.com.6772 > iris.test.com.domain: S 596435165:596435165(0) win 512 <mss 1460>

14:39:12.899109 iris.test.com.domain > alzza.test.com.6772: R 0:0(0) ack 596435166 win 0

14:39:12.899109 alzza.test.com.6773 > iris.test.com.pop-3: S 3486262900:3486262900(0) win 512 <mss 1460>

14:39:12.899109 iris.test.com.pop-3 > alzza.test.com.6773: R 0:0(0) ack 3486262901 win 0

14:39:12.899109 alzza.test.com.6774 > iris.test.com.telnet: S 1441978899:1441978899(0) win 512 <mss 1460>

14:39:12.899109 iris.test.com.telnet > alzza.test.com.6774: S 1342336000:1342336000(0) ack 1441978900 win 61320 <mss 1460> (DF)

14:39:12.909109 alzza.test.com.6774 > iris.test.com.telnet: . ack 1 win 32120 (DF)

14:39:12.919109 ns.test.com.telnet > alzza.test.com.6726: P 1:4(3) ack 1 win 32768 (DF)

14:39:12.929109 iris.test.com.1082 > ns.test.com.domain: 58316+ (46)

14:39:12.939109 alzza.test.com.6726 > ns.test.com.telnet: . ack 4 win 32120 (DF)

14:39:12.939109 ns.test.com.domain > iris.test.com.1082: 58316* 1/1/0 (115)

14:39:12.949109 iris.test.com.1083 > ns.test.com.domain: 14210+ (46)

14:39:12.949109 ns.test.com.domain > iris.test.com.1083: 14210* 1/1/0 (115)

14:39:12.959109 alzza.test.com.6726 > ns.test.com.telnet: P 1:4(3) ack 4 win 32120 (DF)

14:39:12.969109 arp who-has kitty.test.com tell alzza.test.com

14:39:12.969109 arp reply kitty.test.com is-at 0:a0:24:28:c4:47

14:39:12.969109 alzza.test.com.6775 > kitty.test.com.finger: S 1968520053:1968520053(0) win 512 <mss 1460>

14:39:12.969109 kitty.test.com.finger > alzza.test.com.6775: S 492868525:492868525(0) ack 1968520054 win 15360 <mss 1460>

14:39:12.969109 alzza.test.com.6775 > kitty.test.com.finger: . ack 1 win 32120 (DF)

14:39:12.969109 iris.test.com.1084 > ns.test.com.domain: 26315+ (46)

14:39:12.969109 ns.test.com.domain > iris.test.com.1084: 26315* 1/1/0 (115)

14:39:12.969109 iris.test.com.http > alzza.test.com.6729: F 1:1(0) ack 2 win 61320 (DF)

14:39:12.969109 alzza.test.com.6729 > iris.test.com.http: . ack 2 win 32120 (DF)

14:39:12.969109 iris.test.com.1085 > ns.test.com.domain: 26316+ (32)

14:39:12.969109 ns.test.com.domain > iris.test.com.1085: 26316* 1/1/0 (73)

14:39:12.979109 iris.test.com.1086 > ns.test.com.domain: 58317+ (32)

14:39:12.979109 ns.test.com.domain > iris.test.com.1086: 58317* 1/1/0 (73)

14:39:12.979109 iris.test.com.telnet > alzza.test.com.6774: P 1:13(12) ack 1 win 61320 (DF)

14:39:12.979109 iris.test.com.telnet > alzza.test.com.6728: P 1:13(12) ack 2 win 61320 (DF)

14:39:12.979109 alzza.test.com.6728 > iris.test.com.telnet: R 2140912208:2140912208(0) win 0

14:39:12.989109 alzza.test.com.6774 > iris.test.com.telnet: P 1:4(3) ack 13 win 32120 (DF)

14:39:12.999109 ns.test.com.telnet > alzza.test.com.6726: . ack 4 win 32768 (DF)

14:39:13.009109 alzza.test.com.6775 > kitty.test.com.finger: F 1:1(0) ack 1 win 32120

14:39:13.009109 alzza.test.com.6999 > kitty.test.com.telnet: S 4169640745:4169640745(0) win 512 <mss 1460>

14:39:13.009109 kitty.test.com.finger > alzza.test.com.6775: . ack 2 win 15360

14:39:13.009109 kitty.test.com.telnet > alzza.test.com.6999: S 2796186031:2796186031(0) ack 4169640746 win 15360 <mss 1460>

14:39:13.009109 alzza.test.com.6999 > kitty.test.com.telnet: . ack 1 win 32120 (DF)

14:39:13.019109 alzza.test.com.6999 > kitty.test.com.telnet: F 1:1(0) ack 1 win 32120

14:39:13.019109 alzza.test.com.7047 > kitty.test.com.http: S 2238932516:2238932516(0) win 512 <mss 1460>

14:39:13.019109 kitty.test.com.telnet > alzza.test.com.6999: . ack 2 win 15360

14:39:13.019109 kitty.test.com.http > alzza.test.com.7047: S 3633919846:3633919846(0) ack 2238932517 win 15360 <mss 1460>

14:39:13.019109 alzza.test.com.7047 > kitty.test.com.http: . ack 1 win 32120 (DF)

14:39:13.029109 alzza.test.com.7047 > kitty.test.com.http: F 1:1(0) ack 1 win 32120

14:39:13.029109 alzza.test.com.7095 > kitty.test.com.imap: S 3505020738:3505020738(0) win 512 <mss 1460>

14:39:13.029109 kitty.test.com.http > alzza.test.com.7047: . ack 2 win 15360

14:39:13.029109 kitty.test.com.imap > alzza.test.com.7095: S 2992784284:2992784284(0) ack 3505020739 win 15360 <mss 1460>

14:39:13.029109 alzza.test.com.7095 > kitty.test.com.imap: . ack 1 win 32120 (DF)

14:39:13.029109 kitty.test.com.http > alzza.test.com.7047: F 1:1(0) ack 2 win 15360

14:39:13.029109 alzza.test.com.7047 > kitty.test.com.http: . ack 2 win 32120 (DF)

14:39:13.029109 alzza.test.com.7095 > kitty.test.com.imap: F 1:1(0) ack 1 win 32120

14:39:13.029109 kitty.test.com.imap > alzza.test.com.7095: . ack 2 win 15360

14:39:13.029109 alzza.test.com.7137 > kitty.test.com.domain: S 2947996404:2947996404(0) win 512 <mss 1460>

14:39:13.029109 kitty.test.com.domain > alzza.test.com.7137: S 3601501248:3601501248(0) ack 2947996405 win 15360 <mss 1460>

14:39:13.029109 alzza.test.com.7137 > kitty.test.com.domain: . ack 1 win 32120 (DF)

14:39:13.059109 alzza.test.com.7137 > kitty.test.com.domain: F 1:1(0) ack 1 win 32120

14:39:13.059109 alzza.test.com.7151 > kitty.test.com.pop-3: S 2779421767:2779421767(0) win 512 <mss 1460>

14:39:13.059109 kitty.test.com.domain > alzza.test.com.7137: . ack 2 win 15360

14:39:13.059109 kitty.test.com.pop-3 > alzza.test.com.7151: S 47860019:47860019(0) ack 2779421768 win 15360 <mss 1460>

14:39:13.059109 alzza.test.com.7151 > kitty.test.com.pop-3: . ack 1 win 32120 (DF)

14:39:13.059109 alzza.test.com.7151 > kitty.test.com.pop-3: F 1:1(0) ack 1 win 32120

14:39:13.059109 alzza.test.com.7167 > kitty.test.com.telnet: S 1515502578:1515502578(0) win 512 <mss 1460>

14:39:13.059109 kitty.test.com.pop-3 > alzza.test.com.7151: . ack 2 win 15360

14:39:13.059109 kitty.test.com.telnet > alzza.test.com.7167: S 2085487305:2085487305(0) ack 1515502579 win 15360 <mss 1460>

14:39:13.059109 alzza.test.com.7167 > kitty.test.com.telnet: . ack 1 win 32120 (DF)

14:39:13.059109 kitty.test.com.domain > alzza.test.com.7137: F 1:1(0) ack 2 win 15360

14:39:13.059109 alzza.test.com.7137 > kitty.test.com.domain: . ack 2 win 32120 (DF)

14:39:13.119109 iris.test.com.telnet > alzza.test.com.6774: . ack 4 win 61320 (DF)

14:39:13.119109 alzza.test.com.6774 > iris.test.com.telnet: P 4:13(9) ack 13 win 32120 (DF)

14:39:13.139109 kitty.test.com.telnet > alzza.test.com.6999: P 1:13(12) ack 2 win 15360 (DF)

14:39:13.139109 alzza.test.com.6999 > kitty.test.com.telnet: R 4169640747:4169640747(0) win 0

14:39:13.149109 iris.test.com.telnet > alzza.test.com.6774: P 13:28(15) ack 13 win 61320 (DF)

14:39:13.149109 alzza.test.com.6774 > iris.test.com.telnet: P 13:16(3) ack 28 win 32120 (DF)

14:39:13.219109 kitty.test.com.telnet > alzza.test.com.7167: P 1:13(12) ack 1 win 15360 (DF)

14:39:13.219109 alzza.test.com.7167 > kitty.test.com.telnet: P 1:4(3) ack 13 win 32120 (DF)

14:39:13.229109 kitty.test.com.telnet > alzza.test.com.7167: . ack 4 win 15360

14:39:13.229109 alzza.test.com.7167 > kitty.test.com.telnet: P 4:13(9) ack 13 win 32120 (DF)

14:39:13.239109 kitty.test.com.pop-3 > alzza.test.com.7151: P 1:81(80) ack 2 win 15360 (DF)

14:39:13.239109 alzza.test.com.7151 > kitty.test.com.pop-3: R 2779421769:2779421769(0) win 0

14:39:13.249109 kitty.test.com.telnet > alzza.test.com.7167: . ack 13 win 15360

14:39:13.279109 kitty.test.com.telnet > alzza.test.com.7167: P 13:28(15) ack 13 win 15360 (DF)

14:39:13.279109 alzza.test.com.7167 > kitty.test.com.telnet: P 13:16(3) ack 28 win 32120 (DF)

14:39:13.279109 kitty.test.com.finger > alzza.test.com.6775: F 1:1(0) ack 2 win 15360

14:39:13.279109 alzza.test.com.6775 > kitty.test.com.finger: . ack 2 win 32120 (DF)

14:39:13.289109 kitty.test.com.telnet > alzza.test.com.7167: . ack 16 win 15360

14:39:13.289109 alzza.test.com.7167 > kitty.test.com.telnet: P 16:22(6) ack 28 win 32120 (DF)

14:39:13.289109 kitty.test.com.telnet > alzza.test.com.7167: P 28:110(82) ack 22 win 15360 (DF)

14:39:13.309109 alzza.test.com.7167 > kitty.test.com.telnet: . ack 110 win 32120 (DF)

14:39:13.309109 kitty.test.com.telnet > alzza.test.com.7167: P 110:112(2) ack 22 win 15360 (DF)

14:39:13.319109 iris.test.com.telnet > alzza.test.com.6774: . ack 16 win 61320 (DF)

14:39:13.319109 alzza.test.com.6774 > iris.test.com.telnet: P 16:22(6) ack 28 win 32120 (DF)

14:39:13.319109 iris.test.com.telnet > alzza.test.com.6774: P 28:54(26) ack 22 win 61320 (DF)

14:39:13.329109 alzza.test.com.7167 > kitty.test.com.telnet: . ack 112 win 32120 (DF)

14:39:13.329109 kitty.test.com.telnet > alzza.test.com.7167: P 112:125(13) ack 22 win 15360 (DF)

14:39:13.339109 alzza.test.com.6774 > iris.test.com.telnet: . ack 54 win 32120 (DF)

14:39:13.339109 iris.test.com.telnet > alzza.test.com.6774: P 54:61(7) ack 22 win 61320 (DF)

14:39:13.349109 alzza.test.com.7167 > kitty.test.com.telnet: . ack 125 win 32120 (DF)

14:39:13.359109 alzza.test.com.6774 > iris.test.com.telnet: . ack 61 win 32120 (DF)

14:39:13.409109 alzza.test.com.7168 > iris.test.com.finger: S 2423511339:2423511339(0) win 512 <mss 1460>

14:39:13.409109 iris.test.com.finger > alzza.test.com.7168: S 1342464000:1342464000(0) ack 2423511340 win 61320 <mss 1460> (DF)

14:39:13.409109 alzza.test.com.7168 > iris.test.com.finger: . ack 1 win 32120 (DF)

14:39:13.409109 alzza.test.com.7168 > iris.test.com.finger: P 1:513(512) ack 1 win 32120 (DF)

14:39:13.449109 iris.test.com.finger > alzza.test.com.7168: P 1:174(173) ack 513 win 61320 (DF)

14:39:13.449109 alzza.test.com.7169 > iris.test.com.http: S 1062609218:1062609218(0) win 512 <mss 1460>

14:39:13.449109 iris.test.com.http > alzza.test.com.7169: S 1342592000:1342592000(0) ack 1062609219 win 61320 <mss 1460> (DF)

14:39:13.449109 alzza.test.com.7169 > iris.test.com.http: . ack 1 win 32120 (DF)

14:39:13.449109 iris.test.com.finger > alzza.test.com.7168: F 174:174(0) ack 513 win 61320 (DF)

14:39:13.449109 alzza.test.com.7168 > iris.test.com.finger: . ack 175 win 32120 (DF)

14:39:13.449109 alzza.test.com.7169 > iris.test.com.http: P 1:33(32) ack 1 win 32120 (DF)

14:39:13.459109 alzza.test.com.683 > kitty.test.com.sunrpc: S 3161940796:3161940796(0) win 512 <mss 1460>

14:39:13.459109 kitty.test.com.sunrpc > alzza.test.com.683: S 129561885:129561885(0) ack 3161940797 win 15360 <mss 1460>

14:39:13.459109 alzza.test.com.683 > kitty.test.com.sunrpc: . ack 1 win 32120 (DF)

14:39:13.459109 alzza.test.com.683 > kitty.test.com.sunrpc: P 1:45(44) ack 1 win 32120 (DF)

14:39:13.459109 kitty.test.com.sunrpc > alzza.test.com.683: P 1:113(112) ack 45 win 15360 (DF)

14:39:13.479109 alzza.test.com.683 > kitty.test.com.sunrpc: . ack 113 win 32120 (DF)

14:39:13.479109 iris.test.com.1087 > ns.test.com.domain: 5523+ (46)

14:39:13.479109 ns.test.com.domain > iris.test.com.1087: 5523* 1/1/0 (115)

14:39:13.489109 iris.test.com.http > alzza.test.com.7169: P 1:144(143) ack 33 win 61320 (DF)

14:39:13.489109 alzza.test.com.7169 > iris.test.com.http: F 33:33(0) ack 144 win 32120

14:39:13.489109 iris.test.com.http > alzza.test.com.7169: . ack 34 win 61320 (DF)

14:39:13.489109 alzza.test.com.7170 > iris.test.com.http: S 1241844152:1241844152(0) win 512 <mss 1460>

14:39:13.489109 iris.test.com.http > alzza.test.com.7169: F 144:144(0) ack 34 win 61320 (DF)

14:39:13.489109 alzza.test.com.7169 > iris.test.com.http: . ack 145 win 32120 (DF)

14:39:13.489109 iris.test.com.http > alzza.test.com.7170: S 1342656000:1342656000(0) ack 1241844153 win 61320 <mss 1460> (DF)

14:39:13.489109 alzza.test.com.7170 > iris.test.com.http: . ack 1 win 32120 (DF)

14:39:13.489109 alzza.test.com.7170 > iris.test.com.http: P 1:33(32) ack 1 win 32120 (DF)

14:39:13.519109 iris.test.com.http > alzza.test.com.7170: . ack 33 win 61288 (DF)

14:39:13.529109 iris.test.com.1088 > ns.test.com.domain: 58166+ (46)

14:39:13.529109 ns.test.com.domain > iris.test.com.1088: 58166* 1/1/0 (115)

14:39:13.529109 iris.test.com.http > alzza.test.com.7170: P 1:149(148) ack 33 win 61320 (DF)

14:39:13.529109 iris.test.com.http > alzza.test.com.7170: F 149:149(0) ack 33 win 61320 (DF)

14:39:13.529109 alzza.test.com.7170 > iris.test.com.http: . ack 150 win 32120 (DF)

14:39:13.539109 alzza.test.com.7170 > iris.test.com.http: F 33:33(0) ack 150 win 32120

14:39:13.549109 iris.test.com.http > alzza.test.com.7170: . ack 34 win 61320 (DF)

14:39:13.549109 alzza.test.com.7171 > iris.test.com.http: S 176063362:176063362(0) win 512 <mss 1460>

14:39:13.549109 iris.test.com.http > alzza.test.com.7171: S 1342720000:1342720000(0) ack 176063363 win 61320 <mss 1460> (DF)

14:39:13.549109 alzza.test.com.7171 > iris.test.com.http: . ack 1 win 32120 (DF)

14:39:13.549109 alzza.test.com.7171 > iris.test.com.http: P 1:33(32) ack 1 win 32120 (DF)

14:39:13.579109 iris.test.com.1089 > ns.test.com.domain: 35737+ (46)

14:39:13.579109 ns.test.com.domain > iris.test.com.1089: 35737* 1/1/0 (115)

14:39:13.619109 iris.test.com.http > alzza.test.com.7171: P 1:132(131) ack 33 win 61320 (DF)

14:39:13.619109 iris.test.com.http > alzza.test.com.7171: F 132:132(0) ack 33 win 61320 (DF)

14:39:13.619109 alzza.test.com.7171 > iris.test.com.http: . ack 133 win 32120 (DF)

14:39:13.649109 alzza.test.com.7171 > iris.test.com.http: F 33:33(0) ack 133 win 32120

14:39:13.649109 iris.test.com.http > alzza.test.com.7171: . ack 34 win 61320 (DF)

14:39:13.649109 alzza.test.com.6774 > iris.test.com.telnet: F 22:22(0) ack 61 win 32120

14:39:13.649109 alzza.test.com.7168 > iris.test.com.finger: F 513:513(0) ack 175 win 32120

14:39:13.649109 iris.test.com.telnet > alzza.test.com.6774: . ack 23 win 61320 (DF)

14:39:13.649109 iris.test.com.finger > alzza.test.com.7168: . ack 514 win 61320 (DF)

14:39:13.659109 iris.test.com.telnet > alzza.test.com.6774: F 61:61(0) ack 23 win 61320 (DF)

14:39:13.659109 alzza.test.com.6774 > iris.test.com.telnet: . ack 62 win 32120 (DF)

14:39:13.679109 alzza.test.com.7172 > kitty.test.com.http: S 2310228059:2310228059(0) win 512 <mss 1460>

14:39:13.679109 kitty.test.com.http > alzza.test.com.7172: S 1227715197:1227715197(0) ack 2310228060 win 15360 <mss 1460>

14:39:13.679109 alzza.test.com.7172 > kitty.test.com.http: . ack 1 win 32120 (DF)

14:39:13.689109 alzza.test.com.7172 > kitty.test.com.http: P 1:33(32) ack 1 win 32120 (DF)

14:39:13.699109 kitty.test.com.http > alzza.test.com.7172: . ack 33 win 15360

14:39:13.709109 kitty.test.com.http > alzza.test.com.7172: P 1:1025(1024) ack 33 win 15360 (DF)

14:39:13.709109 kitty.test.com.http > alzza.test.com.7172: P 1025:1263(238) ack 33 win 15360 (DF)

14:39:13.709109 kitty.test.com.http > alzza.test.com.7172: F 1263:1263(0) ack 33 win 15360

14:39:13.709109 alzza.test.com.7172 > kitty.test.com.http: . ack 1264 win 30857 (DF)

14:39:13.709109 alzza.test.com.7172 > kitty.test.com.http: F 33:33(0) ack 1264 win 32120

14:39:13.709109 kitty.test.com.http > alzza.test.com.7172: . ack 34 win 15360

14:39:13.719109 alzza.test.com.7174 > kitty.test.com.http: S 621122256:621122256(0) win 512 <mss 1460>

14:39:13.719109 kitty.test.com.http > alzza.test.com.7174: S 902569071:902569071(0) ack 621122257 win 15360 <mss 1460>

14:39:13.719109 alzza.test.com.7174 > kitty.test.com.http: . ack 1 win 32120 (DF)

14:39:13.719109 alzza.test.com.7174 > kitty.test.com.http: P 1:33(32) ack 1 win 32120 (DF)

14:39:13.729109 kitty.test.com.http > alzza.test.com.7174: . ack 33 win 15360

14:39:13.779109 kitty.test.com.http > alzza.test.com.7174: P 1:421(420) ack 33 win 15360 (DF)

14:39:13.789109 kitty.test.com.http > alzza.test.com.7174: F 421:421(0) ack 33 win 15360

14:39:13.789109 alzza.test.com.7174 > kitty.test.com.http: . ack 422 win 32120 (DF)

14:39:13.789109 alzza.test.com.7174 > kitty.test.com.http: F 33:33(0) ack 422 win 32120

14:39:13.789109 kitty.test.com.http > alzza.test.com.7174: . ack 34 win 15360

14:39:13.789109 alzza.test.com.7225 > kitty.test.com.http: S 3304442766:3304442766(0) win 512 <mss 1460>

14:39:13.789109 kitty.test.com.http > alzza.test.com.7225: S 1705783765:1705783765(0) ack 3304442767 win 15360 <mss 1460>

14:39:13.789109 alzza.test.com.7225 > kitty.test.com.http: . ack 1 win 32120 (DF)

14:39:13.789109 alzza.test.com.7225 > kitty.test.com.http: P 1:33(32) ack 1 win 32120 (DF)

14:39:13.789109 kitty.test.com.http > alzza.test.com.7225: P 1:150(149) ack 33 win 15360 (DF)

14:39:13.789109 kitty.test.com.http > alzza.test.com.7225: F 150:150(0) ack 33 win 15360

14:39:13.789109 alzza.test.com.7225 > kitty.test.com.http: . ack 151 win 32120 (DF)

14:39:13.789109 alzza.test.com.7225 > kitty.test.com.http: F 33:33(0) ack 151 win 32120

14:39:13.789109 kitty.test.com.http > alzza.test.com.7225: . ack 34 win 15360

14:39:13.789109 alzza.test.com.7228 > kitty.test.com.domain: S 3970086650:3970086650(0) win 512 <mss 1460>

14:39:13.789109 kitty.test.com.domain > alzza.test.com.7228: S 1228033020:1228033020(0) ack 3970086651 win 15360 <mss 1460>

14:39:13.789109 alzza.test.com.7228 > kitty.test.com.domain: . ack 1 win 32120 (DF)

14:39:13.879109 alzza.test.com.7228 > kitty.test.com.domain: P 1:3(2) ack 1 win 32120 (DF)

14:39:13.899109 kitty.test.com.domain > alzza.test.com.7228: . ack 3 win 15360

14:39:13.899109 alzza.test.com.7228 > kitty.test.com.domain: P 3:30(27) ack 1 win 32120 (DF)

14:39:13.899109 kitty.test.com.domain > alzza.test.com.7228: P 1:3(2) ack 30 win 15360 (DF)

14:39:13.919109 alzza.test.com.7228 > kitty.test.com.domain: . ack 3 win 32120 (DF)

14:39:13.919109 kitty.test.com.domain > alzza.test.com.7228: P 3:30(27) ack 30 win 15360 (DF)

14:39:13.919109 alzza.test.com.7228 > kitty.test.com.domain: F 30:30(0) ack 30 win 32120

14:39:13.919109 kitty.test.com.domain > alzza.test.com.7228: . ack 31 win 15360

14:39:13.919109 alzza.test.com.7167 > kitty.test.com.telnet: F 22:22(0) ack 125 win 32120

14:39:13.919109 alzza.test.com.683 > kitty.test.com.sunrpc: F 45:45(0) ack 113 win 32120

14:39:13.919109 kitty.test.com.telnet > alzza.test.com.7167: . ack 23 win 15360

14:39:13.919109 kitty.test.com.sunrpc > alzza.test.com.683: . ack 46 win 15360

14:39:13.919109 kitty.test.com.domain > alzza.test.com.7228: F 30:30(0) ack 31 win 15360

14:39:13.919109 alzza.test.com.7228 > kitty.test.com.domain: . ack 31 win 32120 (DF)

14:39:13.919109 kitty.test.com.sunrpc > alzza.test.com.683: F 113:113(0) ack 46 win 15360

14:39:13.919109 alzza.test.com.683 > kitty.test.com.sunrpc: . ack 114 win 32120 (DF)

14:39:13.919109 kitty.test.com.telnet > alzza.test.com.7167: F 125:125(0) ack 23 win 15360

14:39:13.919109 alzza.test.com.7167 > kitty.test.com.telnet: . ack 126 win 32120 (DF)

14:39:16.029109 kitty.test.com.1193 > 210.116.239.255.sunrpc: udp 100

14:39:18.239109 kitty.test.com.imap > alzza.test.com.7095: F 1:1(0) ack 2 win 15360

14:39:18.239109 alzza.test.com.7095 > kitty.test.com.imap: . ack 2 win 32120 (DF)

14:39:19.459109 0:0:c:8d:24:df 0:0:c:8d:24:df loopback 60:

0000 0100 0000 0000 0000 0000 0000 0000

0000 0000 0000 0000 0000 0000 0000 0000

0000 0000 0000 0000 0000 0000 0000

14:39:22.859109 alzza.test.com.6726 > ns.test.com.telnet: F 4:4(0) ack 4 win 32120

14:39:22.859109 ns.test.com.telnet > alzza.test.com.6726: . ack 5 win 32768 (DF)

 
