Information Security Engineer / 2023 Round 2 Written PBT Review

Information Security Engineer Written Exam, 2023 Round 2 PBT, Question 06: POF

멋쟁이천재사자 2023. 6. 30. 21:08

I passed the 2023 Round 2 written PBT exam with a score of 66. While preparing for the practical exam on July 29, I am going over the questions I found hard or got wrong. The other questions can be found at https://it-freelancer.tistory.com/1210.

Question

6. Among the functions of a POF (Passive OS Fingerprinting) tool, which option sets the interface to promiscuous mode?
① -r file
② -L
③ -P
④ -i iface

Exam notes

First time I had ever heard of POF.

"Promiscuous mode" made me think of the word promiscuous.

I guessed ③ -P, figuring the P might stand for promiscuous.

Answer

The provisional answer key right after the exam had ③, but in the final key all of ①②③④ were accepted as correct.

Actual exam question and submitted answer

An X next to a question number means I was 99% guessing; a / means I was not confident.

While studying

There are various POF (Passive OS Fingerprinting) tools, which may be why every choice was accepted as correct. Also, the question seems to have been written with the tool p0f in mind, but the correct option is -p, lowercase p. Running it with uppercase P gives an error.

I tried running a tool called pof and installing it. It does not exist.

[root@centos ~]# pof
bash: pof: 명령을 찾을 수 없습니다...
[root@centos ~]# yum install pof
Loaded plugins: fastestmirror, langpacks
-- 중략 --
No package pof available.
Error: Nothing to do


Checking Wikipedia, there are many fingerprinting tools.

https://en.wikipedia.org/wiki/TCP/IP_stack_fingerprinting

A list of TCP/OS Fingerprinting Tools
- Zardaxt.py – Passive open-source TCP/IP Fingerprinting Tool.
- Ettercap – passive TCP/IP stack fingerprinting.
- Nmap – comprehensive active stack fingerprinting.
- p0f – comprehensive passive TCP/IP stack fingerprinting.
- NetSleuth – free passive fingerprinting and analysis tool.
- PacketFence – open source NAC with passive DHCP fingerprinting.
- Satori – passive CDP, DHCP, ICMP, HPSP, HTTP, TCP/IP and other stack fingerprinting.
- SinFP – single-port active/passive fingerprinting.
- XProbe2 – active TCP/IP stack fingerprinting.
- queso – well-known tool from the late 1990s which is no longer being updated for modern operating systems.

 

p0f is one of the passive tools. Note that the middle character is the digit 0, not the letter O.

https://en.wikipedia.org/wiki/P0f

After installing it with yum install p0f, I looked at the options.

[root@centos ~]# p0f --help
--- p0f 3.09b by Michal Zalewski <lcamtuf@coredump.cx> ---

p0f: invalid option -- '-'
Usage: p0f [ ...options... ] [ 'filter rule' ]

Network interface options:

  -i iface  - listen on the specified network interface
  -r file   - read offline pcap data from a given file
  -p        - put the listening interface in promiscuous mode
  -L        - list all available interfaces

Operating mode and output settings:

  -f file   - read fingerprint database from 'file' (/etc/p0f/p0f.fp)
  -o file   - write information to the specified log file
  -s name   - answer to API queries at a named unix socket
  -u user   - switch to the specified unprivileged account and chroot
  -d        - fork into background (requires -o or -s)

Performance-related options:

  -S limit  - limit number of parallel API connections (20)
  -t c,h    - set connection / host cache age limits (30s,120m)
  -m c,h    - cap the number of active connections / hosts (1000,10000)

Optional filter expressions (man tcpdump) can be specified in the command
line to prevent p0f from looking at incidental network traffic.

Problems? You can reach the author at <lcamtuf@coredump.cx>.

The Network interface options section contains exactly what appeared in the exam question.

  -i iface  - listen on the specified network interface
  -r file   - read offline pcap data from a given file
  -p        - put the listening interface in promiscuous mode
  -L        - list all available interfaces

In the exam the P was uppercase, but the option that actually exists is lowercase p. Running it with uppercase P gives an error.

[root@centos ~]# p0f -P
--- p0f 3.09b by Michal Zalewski <lcamtuf@coredump.cx> ---

p0f: invalid option -- 'P'
Usage: p0f [ ...options... ] [ 'filter rule' ]
...


[root@centos ~]# p0f -p
--- p0f 3.09b by Michal Zalewski <lcamtuf@coredump.cx> ---

[+] Closed 1 file descriptor.
[+] Loaded 322 signatures from '/etc/p0f/p0f.fp'.
[+] Intercepting traffic on default interface 'enp0s3'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.

^C[!] WARNING: User-initiated shutdown.

All done. Processed 0 packets.

I also tested choice ④, -i iface. Even a single visit to the sample page (http://192.168.35.166/) produces quite a lot of log output.
p0f -i enp0s8 (the interface name in the lab environment is enp0s8)

[root@centos ~]# p0f -i enp0s8
--- p0f 3.09b by Michal Zalewski <lcamtuf@coredump.cx> ---

[+] Closed 1 file descriptor.
[+] Loaded 322 signatures from '/etc/p0f/p0f.fp'.
[+] Intercepting traffic on interface 'enp0s8'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.

.-[ 192.168.35.66/59803 -> 192.168.35.166/80 (syn) ]-
|
| client   = 192.168.35.66/59803
| os       = Windows 7 or 8
| dist     = 0
| params   = none
| raw_sig  = 4:128+0:0:1460:8192,2:mss,nop,ws,nop,nop,sok:df,id+:0
|
`----

.-[ 192.168.35.66/59803 -> 192.168.35.166/80 (mtu) ]-
|
| client   = 192.168.35.66/59803
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 192.168.35.66/59803 -> 192.168.35.166/80 (syn+ack) ]-
|
| server   = 192.168.35.166/80
| os       = ???
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:mss*20,7:mss,nop,nop,sok,nop,ws:df:0
|
`----

.-[ 192.168.35.66/59803 -> 192.168.35.166/80 (mtu) ]-
|
| server   = 192.168.35.166/80
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 192.168.35.66/59803 -> 192.168.35.166/80 (http request) ]-
|
| client   = 192.168.35.66/59803
| app      = Firefox 10.x or newer
| lang     = Korean
| params   = none
| raw_sig  = 1:Host,User-Agent,Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8],Accept-Language=[ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3],Accept-Encoding=[gzip, deflate],Connection=[keep-alive],Upgrade-Insecure-Requests=[1]:Accept-Charset,Keep-Alive:Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
|
`----

.-[ 192.168.35.66/59803 -> 192.168.35.166/80 (http response) ]-
|
| server   = 192.168.35.166/80
| app      = Apache 2.x
| lang     = none
| params   = none
| raw_sig  = 1:Date,Server,?Last-Modified,?ETag,Accept-Ranges=[bytes],?Content-Length,Keep-Alive=[timeout=5, max=100],Connection=[Keep-Alive],Content-Type::Apache/2.4.6 (CentOS)
|
`----

.-[ 192.168.35.66/59804 -> 192.168.35.166/80 (syn) ]-
|
| client   = 192.168.35.66/59804
| os       = Windows 7 or 8
| dist     = 0
| params   = none
| raw_sig  = 4:128+0:0:1460:8192,2:mss,nop,ws,nop,nop,sok:df,id+:0
|
`----

.-[ 192.168.35.66/59804 -> 192.168.35.166/80 (mtu) ]-
|
| client   = 192.168.35.66/59804
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 192.168.35.66/59804 -> 192.168.35.166/80 (syn+ack) ]-
|
| server   = 192.168.35.166/80
| os       = ???
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:mss*20,7:mss,nop,nop,sok,nop,ws:df:0
|
`----

.-[ 192.168.35.66/59804 -> 192.168.35.166/80 (mtu) ]-
|
| server   = 192.168.35.166/80
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 192.168.35.66/59804 -> 192.168.35.166/80 (http request) ]-
|
| client   = 192.168.35.66/59804
| app      = ???
| lang     = Korean
| params   = none
| raw_sig  = 1:Host,User-Agent,Accept=[application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8],Accept-Language=[ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3],Accept-Encoding=[identity],Connection=[keep-alive],?Referer:Accept-Charset,Keep-Alive:Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
|
`----

.-[ 192.168.35.66/59804 -> 192.168.35.166/80 (http response) ]-
|
| server   = 192.168.35.166/80
| app      = Apache 2.x
| lang     = none
| params   = none
| raw_sig  = 1:Date,Server,?Content-Length,Keep-Alive=[timeout=5, max=100],Connection=[Keep-Alive],Content-Type:Accept-Ranges:Apache/2.4.6 (CentOS)
|
`----
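As an added example, not from the original post or from the p0f project, here is a small Python parser for the record layout shown above. It splits the console output into records, decodes the TCP raw_sig using the p0f v3 signature layout (ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass as documented in p0f.fp; the raw form writes the ittl field as ttl+dist), and builds a per-host summary that flags stacks p0f could not match ('???', like the CentOS server above) so they can be triaged. The sample input is constructed from the capture above with the blank '|' rows dropped.

```python
import re

# Constructed sample in the layout of p0f 3.x console output (the blank '|' rows are omitted).
SAMPLE = """\
.-[ 192.168.35.66/59803 -> 192.168.35.166/80 (syn) ]-
| client   = 192.168.35.66/59803
| os       = Windows 7 or 8
| raw_sig  = 4:128+0:0:1460:8192,2:mss,nop,ws,nop,nop,sok:df,id+:0
`----
.-[ 192.168.35.66/59803 -> 192.168.35.166/80 (syn+ack) ]-
| server   = 192.168.35.166/80
| os       = ???
| raw_sig  = 4:64+0:0:1460:mss*20,7:mss,nop,nop,sok,nop,ws:df:0
`----
"""
HEADER = re.compile(r"^\.-\[ (\S+) -> (\S+) \((.+?)\) \]-$")

def parse_p0f(text):
    """Split p0f console output into records: src, dst, type plus the 'key = value' rows."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "type": m.group(3)}
            records.append(cur)
        elif cur is not None and line.startswith("| ") and " = " in line:
            key, _, val = line[2:].partition(" = ")
            cur[key.strip()] = val.strip()
    return records

def parse_tcp_sig(sig):
    """Decode a syn/syn+ack raw_sig: ver:ttl+dist:olen:mss:wsize,scale:olayout:quirks:pclass."""
    ver, ttl_dist, olen, mss, win, olayout, quirks, pclass = sig.split(":")
    ttl, dist = (int(x) for x in ttl_dist.split("+"))
    wsize, scale = win.split(",")  # wsize may be symbolic, e.g. 'mss*20'
    return {"ip_ver": int(ver), "ttl": ttl, "dist": dist, "initial_ttl": ttl + dist,
            "ip_opt_len": int(olen), "mss": int(mss), "wsize": wsize, "wscale": int(scale),
            "olayout": olayout.split(","), "quirks": quirks.split(",") if quirks else [],
            "payload": pclass}

def summarize(records):
    """Per host: role, OS guess, decoded initial TTL; flags '???' (no match in p0f.fp) for triage."""
    hosts = {}
    for r in records:
        if r["type"] in ("syn", "syn+ack"):
            role = "client" if "client" in r else "server"
            sig = parse_tcp_sig(r["raw_sig"])
            hosts[r[role].split("/")[0]] = {"role": role, "os": r["os"], "unknown": r["os"] == "???",
                                            "initial_ttl": sig["initial_ttl"], "quirks": sig["quirks"]}
    return hosts
```

Feeding a real p0f log file (written with -o) through parse_p0f and summarize gives the same per-host view for every stack seen on the interface.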