Lab journal

Contents

Journal

Saturday (12/23/06)

/dev/ttyp2
17:21:32
$sudo arping 192.168.15.110
ARPING 192.168.15.110
60 bytes from 00:13:8f:2f:ac:5e (192.168.15.110): index=0 time=9.755 msec
60 bytes from 00:13:8f:2f:ac:5e (192.168.15.110): index=1 time=9.956 msec
60 bytes from 00:13:8f:2f:ac:5e (192.168.15.110): index=2 time=9.958 msec
^C
--- 192.168.15.110 statistics ---
3 packets transmitted, 3 packets received,   0% unanswered
17:21:39
$arping 192.168.15.110
arping: must run as root
/dev/ttyp4
17:22:57
#ping 192.168.15.103
PING 192.168.15.103 (192.168.15.103): 56 data bytes
^C
--- 192.168.15.103 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
17:23:10
#arping 192.168.15.103
ARPING 192.168.15.103
60 bytes from 00:04:75:82:53:43 (192.168.15.103): index=0 time=9.953 msec
60 bytes from 00:04:75:82:53:43 (192.168.15.103): index=1 time=9.962 msec
^C
--- 192.168.15.103 statistics ---
4 packets transmitted, 2 packets received,  50% unanswered
17:23:18
#ping 192.168.15.103
PING 192.168.15.103 (192.168.15.103): 56 data bytes
^C
--- 192.168.15.103 ping statistics ---
42 packets transmitted, 0 packets received, 100% packet loss
17:24:11
#ping 192.168.15.103
PING 192.168.15.103 (192.168.15.103): 56 data bytes
^C
--- 192.168.15.103 ping statistics ---
107 packets transmitted, 0 packets received, 100% packet loss
17:26:00
#nmap &
[1] 67460
Nmap 3.81 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sV Version scan probes open ports determining service & app names/versions
  -sR RPC scan (use with other scan types)
...
  -6 scans via IPv6 rather than IPv4
  -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
  -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
  -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
  -iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
  --interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
[1]+  Exit 255                nmap
/dev/ttyp2
17:26:12
$ssh user@m04
Password:
Password:
Password:
Last login: Fri Dec 23 17:10:02 2005 from fbsd2.linux.nt
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.
FreeBSD 6.0-RELEASE (GENERIC) #0: Thu Nov  3 09:36:13 UTC 2005
Welcome to FreeBSD!
Before seeking technical support, please use the following resources:
o  Security advisories and updated errata information for all releases are
...
   along with the mailing lists, can be searched by going to
   http://www.FreeBSD.org/search/.  If the doc distribution has
   been installed, they're also available formatted in /usr/share/doc.
If you still have a question or problem, please take the output of
`uname -a', along with any relevant error messages, and email it
as a question to the questions@FreeBSD.org mailing list.  If you are
unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
manual page.  If you are not familiar with manual pages, type `man man'.
You may also use sysinstall(8) to re-enter the installation and
configuration utility.  Edit /etc/motd to change this login announcement.
/dev/ttyp4
17:26:19
#nmap -o 192.168.15.110
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-12-23 17:26 EET
No target machines/networks specified!
QUITTING!
17:26:48
#nmap -o 192.168.15.110
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-12-23 17:26 EET
No target machines/networks specified!
QUITTING!
17:27:57
#ps -waux | grep hone
user     64151  0.0  3.1 37240 32056  ??  S     4:17PM   0:24.02 kpdf /home/user/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -
root     67563  0.0  0.1  1508  1024  p5  S+    5:28PM   0:00.00 grep hone
17:28:07
#honeyd -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
Honeyd V1.0 Copyright (c) 2002-2004 Niels Provos
honeyd[67588]: started with -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[67588]: listening promiscuously on rl0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (host 192.168.15.110))) and not ether src 00:13:8f:2f:ac:5e
Honeyd starting as background process
/dev/ttyp2
17:28:11
$exit
exit
Connection to fbsd4.linux.nt closed.
/dev/ttyp4
17:28:35
#ps -waux | grep hone
user     64151  0.0  3.1 37240 32056  ??  S     4:17PM   0:24.05 kpdf /home/user/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -
root     67679  0.0  0.2  3272  2300  p5  R+    5:28PM   0:00.00 grep hone (bash)
17:28:44
#killall honeyd
No matching processes were found
17:28:52
#killall arpd

17:28:57
#arpd -i rl0 192.168.15.110-192.168.15.112
arpd[67747]: listening on rl0: arp and (dst net 192.168.15.110/31 or dst net 192.168.15.112/32) and not ether src 00:13:8f:2f:ac:5e
17:29:10
#honeyd -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
Honeyd V1.0 Copyright (c) 2002-2004 Niels Provos
honeyd[67761]: started with -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[67761]: listening promiscuously on rl0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (host 192.168.15.110))) and not ether src 00:13:8f:2f:ac:5e
Honeyd starting as background process
17:29:18
#sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     arpd       67748 4  udp4   *:*                   *:*
root     sshd       61248 3  tcp4   192.168.15.22:22      192.168.15.25:1108
root     sshd       60739 3  tcp4   192.168.15.22:22      192.168.15.24:60272
root     sshd       57409 3  tcp4   192.168.15.22:22      192.168.15.254:59903
www      httpd      32112 16 tcp4   *:80                  *:*
www      httpd      32111 16 tcp4   *:80                  *:*
www      httpd      32110 16 tcp4   *:80                  *:*
www      httpd      32107 16 tcp4   *:80                  *:*
root     nessusd    32060 4  tcp4   *:1241                *:*
...
root     syslog-ng  557   8  udp4   192.168.15.22:52817   192.168.15.3:514
www      httpd      548   16 tcp4   *:80                  *:*
www      httpd      547   16 tcp4   *:80                  *:*
www      httpd      546   16 tcp4   *:80                  *:*
www      httpd      545   16 tcp4   *:80                  *:*
www      httpd      544   16 tcp4   *:80                  *:*
mysql    mysqld     543   3  tcp4   *:3306                *:*
root     httpd      471   16 tcp4   *:80                  *:*
root     sendmail   435   3  tcp4   127.0.0.1:25          *:*
root     sshd       429   4  tcp4   *:22                  *:*
/dev/ttyp2
17:29:25
$sudo nmap -o 192.168.15.110
Password:
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-12-23 17:29 EET
No target machines/networks specified!
QUITTING!
17:29:40
$ping 192.168.15.110
PING 192.168.15.110 (192.168.15.110): 56 data bytes
^C
--- 192.168.15.110 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
17:29:55
$ping 192.168.15.110
PING 192.168.15.110 (192.168.15.110): 56 data bytes
^C
--- 192.168.15.110 ping statistics ---
9 packets transmitted, 0 packets received, 100% packet loss
/dev/ttyp4
17:29:56
#ps -waux | grep hon
user     64151  0.0  3.1 37240 32056  ??  S     4:17PM   0:24.14 kpdf /home/user/Desktop/simulating_networks_with_honeyd.pdf -icon kpdf -
root     67912  0.0  0.1  1504  1020  p5  S+    5:30PM   0:00.00 grep hon
17:30:25
#honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
Honeyd V1.0 Copyright (c) 2002-2004 Niels Provos
honeyd[67946]: started with -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[67946]: listening promiscuously on rl0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (host 192.168.15.110))) and not ether src 00:13:8f:2f:ac:5e
honeyd[67946]: Demoting process privileges to uid 32767, gid 32767
honeyd[67946]: Sending ICMP Echo Reply: 192.168.15.110 -> 192.168.15.24
honeyd[67946]: Sending ICMP Echo Reply: 192.168.15.110 -> 192.168.15.24
honeyd[67946]: Sending ICMP Echo Reply: 192.168.15.110 -> 192.168.15.24
honeyd[67946]: Sending ICMP Echo Reply: 192.168.15.110 -> 192.168.15.24
honeyd[67946]: Sending ICMP Echo Reply: 192.168.15.110 -> 192.168.15.24
honeyd[67946]: Sending ICMP Echo Reply: 192.168.15.110 -> 192.168.15.24
honeyd[67946]: Sending ICMP Echo Reply: 192.168.15.110 -> 192.168.15.24
honeyd[67946]: Sending ICMP Echo Reply: 192.168.15.110 -> 192.168.15.24
honeyd[67946]: Sending ICMP Echo Reply: 192.168.15.110 -> 192.168.15.24
^Choneyd[67946]: exiting on signal 2
/dev/ttyp2
17:30:32
$ping 192.168.15.110
PING 192.168.15.110 (192.168.15.110): 56 data bytes
^C
--- 192.168.15.110 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
17:30:39
$ssh user@m04
Password:
Last login: Fri Dec 23 17:29:23 2005 from fbsd2.linux.nt
/dev/ttyp4
17:31:20
#honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
Honeyd V1.0 Copyright (c) 2002-2004 Niels Provos
honeyd[68012]: started with -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[68012]: listening promiscuously on rl0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (host 192.168.15.110))) and not ether src 00:13:8f:2f:ac:5e
honeyd[68012]: Demoting process privileges to uid 32767, gid 32767
honeyd[68012]: Sending ICMP Echo Reply: 192.168.15.110 -> 192.168.15.24
honeyd[68012]: Sending ICMP Echo Reply: 192.168.15.110 -> 192.168.15.24
^Choneyd[68012]: exiting on signal 2
/dev/ttyp2
17:31:30
$exit
exit
Connection to fbsd4.linux.nt closed.
/dev/ttyp4
17:32:00
#pkg_info -Lx honeyd
Information for honeyd-1.0_1:
Files:
/usr/local/man/man1/honeydctl.1.gz
/usr/local/man/man8/honeyd.8.gz
/usr/local/bin/honeyd
/usr/local/bin/honeydctl
/usr/local/include/honeyd/debug.h
/usr/local/include/honeyd/hooks.h
/usr/local/include/honeyd/plugins.h
/usr/local/include/honeyd/plugins_config.h
...
/usr/local/share/honeyd/scripts/mydoom.pl
/usr/local/share/honeyd/scripts/README.mydoom
/usr/local/share/honeyd/scripts/cmdexe.pl
/usr/local/share/honeyd/scripts/README.cmdexe
/usr/local/share/honeyd/scripts/README.kuang2
/usr/local/share/honeyd/scripts/INSTALL.kuang2
/usr/local/share/honeyd/scripts/kuang2.pl
/usr/local/share/honeyd/scripts/kuang2.conf
/usr/local/share/honeyd/scripts/smtp.pl
/usr/local/share/honeyd/scripts/proxy.pl
17:32:13
#cat /usr/local/share/honeyd/nmap.assoc
Sun SunOS 4.1.1 - 4.1.4 (or derivative);Sun Solaris 9 (SunOS 2.9)
Sun RSC (Remote System Control card) v1.14 (in Solaris 2.7);Sun Solaris 7 (SunOS 2.7)
#Ericsson Tigris Access Server Software V. 12.1.*;
#Tahoe OS 1.2.1 running on Tahoe router;
#Tally 9112 Printer;
#Tandberg X-terminal;
#Tandem NSK D39;
#Tandem NSK D40;
#Tektronix Phaser 350 firmware 3.3 (printer);
#Tektronix Phaser 360 printer;
...
#Xyplex Terminal Server v6.0.2S5;
#Xyplex Terminal Server CSERV-20 software v6.0.4;
#Print Server: Zero One Tech 3000, Hawking PN7117, or EUSSO UPS1211-B;
#ZoomAir IG-4165 wireless gateway (WAP);
#Zyxel XyWALL 50 (ZyNOS 3.52);
#Zyxel ZyNOS based broadband router (ZyNOS) or Intel Express ISDN router;
#Zyxel Prestige 642R-11 ASDL router running ZyNOS;
#ZyXEL P480 ISDN router running ZyNOS v2.42(O.00);
#Hardware: Zyxel Prestige broadband router;
#ZyXEL Prestige 700/Netgear MA314 broadband router;
17:32:38
#cat /usr/local/share/honeyd/nmap.assoc
Sun SunOS 4.1.1 - 4.1.4 (or derivative);Sun Solaris 9 (SunOS 2.9)
Sun RSC (Remote System Control card) v1.14 (in Solaris 2.7);Sun Solaris 7 (SunOS 2.7)
#Ericsson Tigris Access Server Software V. 12.1.*;
#Tahoe OS 1.2.1 running on Tahoe router;
#Tally 9112 Printer;
#Tandberg X-terminal;
#Tandem NSK D39;
#Tandem NSK D40;
#Tektronix Phaser 350 firmware 3.3 (printer);
#Tektronix Phaser 360 printer;
...
#Xyplex Terminal Server v6.0.2S5;
#Xyplex Terminal Server CSERV-20 software v6.0.4;
#Print Server: Zero One Tech 3000, Hawking PN7117, or EUSSO UPS1211-B;
#ZoomAir IG-4165 wireless gateway (WAP);
#Zyxel XyWALL 50 (ZyNOS 3.52);
#Zyxel ZyNOS based broadband router (ZyNOS) or Intel Express ISDN router;
#Zyxel Prestige 642R-11 ASDL router running ZyNOS;
#ZyXEL P480 ISDN router running ZyNOS v2.42(O.00);
#Hardware: Zyxel Prestige broadband router;
#ZyXEL Prestige 700/Netgear MA314 broadband router;
17:32:40
#pkg_info -Lx honeyd
Information for honeyd-1.0_1:
Files:
/usr/local/man/man1/honeydctl.1.gz
/usr/local/man/man8/honeyd.8.gz
/usr/local/bin/honeyd
/usr/local/bin/honeydctl
/usr/local/include/honeyd/debug.h
/usr/local/include/honeyd/hooks.h
/usr/local/include/honeyd/plugins.h
/usr/local/include/honeyd/plugins_config.h
...
/usr/local/share/honeyd/scripts/mydoom.pl
/usr/local/share/honeyd/scripts/README.mydoom
/usr/local/share/honeyd/scripts/cmdexe.pl
/usr/local/share/honeyd/scripts/README.cmdexe
/usr/local/share/honeyd/scripts/README.kuang2
/usr/local/share/honeyd/scripts/INSTALL.kuang2
/usr/local/share/honeyd/scripts/kuang2.pl
/usr/local/share/honeyd/scripts/kuang2.conf
/usr/local/share/honeyd/scripts/smtp.pl
/usr/local/share/honeyd/scripts/proxy.pl
/dev/ttyp2
17:32:45
$ping 192.168.15.110
PING 192.168.15.110 (192.168.15.110): 56 data bytes
64 bytes from 192.168.15.110: icmp_seq=0 ttl=128 time=0.566 ms
64 bytes from 192.168.15.110: icmp_seq=1 ttl=128 time=0.473 ms
64 bytes from 192.168.15.110: icmp_seq=2 ttl=128 time=0.442 ms
64 bytes from 192.168.15.110: icmp_seq=3 ttl=128 time=0.450 ms
64 bytes from 192.168.15.110: icmp_seq=4 ttl=128 time=0.481 ms
64 bytes from 192.168.15.110: icmp_seq=5 ttl=128 time=0.448 ms
64 bytes from 192.168.15.110: icmp_seq=6 ttl=128 time=0.457 ms
64 bytes from 192.168.15.110: icmp_seq=7 ttl=128 time=0.454 ms
64 bytes from 192.168.15.110: icmp_seq=8 ttl=128 time=0.452 ms
^C
--- 192.168.15.110 ping statistics ---
11 packets transmitted, 9 packets received, 18% packet loss
round-trip min/avg/max/stddev = 0.442/0.469/0.566/0.036 ms
17:33:00
$sudo nmap -o 192.168.15.110
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-12-23 17:33 EET
No target machines/networks specified!
QUITTING!
/dev/ttyp4
17:33:02
#honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
honeyd[68150]: Killing attempted connection: tcp (192.168.15.24:36766 - 192.168.15.110:156)
honeyd[68150]: couldn't send packet: Permission denied
honeyd[68150]: Killing attempted connection: tcp (192.168.15.24:36766 - 192.168.15.110:1670)
honeyd[68150]: couldn't send packet: Permission denied
honeyd[68150]: Killing attempted connection: tcp (192.168.15.24:36766 - 192.168.15.110:360)
honeyd[68150]: couldn't send packet: Permission denied
honeyd[68150]: Killing attempted connection: tcp (192.168.15.24:36766 - 192.168.15.110:624)
honeyd[68150]: couldn't send packet: Permission denied
honeyd[68150]: Killing attempted connection: tcp (192.168.15.24:36766 - 192.168.15.110:1436)
honeyd[68150]: couldn't send packet: Permission denied
...
honeyd[68150]: couldn't send packet: Permission denied
honeyd[68150]: Killing attempted connection: tcp (192.168.15.24:36766 - 192.168.15.110:635)
honeyd[68150]: couldn't send packet: Permission denied
honeyd[68150]: Killing attempted connection: tcp (192.168.15.24:36766 - 192.168.15.110:1424)
honeyd[68150]: couldn't send packet: Permission denied
honeyd[68150]: Killing attempted connection: tcp (192.168.15.24:36766 - 192.168.15.110:716)
honeyd[68150]: couldn't send packet: Permission denied
honeyd[68150]: Killing attempted connection: tcp (192.168.15.24:36766 - 192.168.15.110:361)
honeyd[68150]: couldn't send packet: Permission denied
honeyd[68150]: Killing attempted connection: tcp (192.168.15.24:36766 - 192.168.15.110:879)
/dev/ttyp2
17:33:04
$ping 192.168.15.110
PING 192.168.15.110 (192.168.15.110): 56 data bytes
^C
--- 192.168.15.110 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
17:33:25
$ping 192.168.15.110
PING 192.168.15.110 (192.168.15.110): 56 data bytes
64 bytes from 192.168.15.110: icmp_seq=0 ttl=128 time=0.492 ms
64 bytes from 192.168.15.110: icmp_seq=1 ttl=128 time=0.446 ms
^C
--- 192.168.15.110 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.446/0.469/0.492/0.023 ms
17:33:30
$sudo nmap -o 192.168.15.110
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-12-23 17:33 EET
No target machines/networks specified!
QUITTING!
17:34:35
$ping 192.168.15.110
PING 192.168.15.110 (192.168.15.110): 56 data bytes
^C
--- 192.168.15.110 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
17:34:47
$arping 192.168.15.110
arping: must run as root
17:34:50
$sudo arping 192.168.15.110
Password:
ARPING 192.168.15.110
^C
--- 192.168.15.110 statistics ---
3 packets transmitted, 0 packets received, 100% unanswered
17:35:01
$ps -waux | grep honey
user     68358  0.0  0.1  1436   904  p3  R+    5:44PM   0:00.00 grep honey
32767    68150  0.0  0.3  3704  3212  p5  S+    5:33PM   0:00.80 honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
17:35:21
$ping 192.168.15.110
PING 192.168.15.110 (192.168.15.110): 56 data bytes
64 bytes from 192.168.15.110: icmp_seq=0 ttl=128 time=4.619 ms
64 bytes from 192.168.15.110: icmp_seq=1 ttl=128 time=0.456 ms
^C
--- 192.168.15.110 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.456/2.538/4.619/2.081 ms
17:35:25
$sudo nmap -o 192.168.15.110
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-12-23 17:35 EET
No target machines/networks specified!
QUITTING!
17:35:27
$ping 192.168.15.110
PING 192.168.15.110 (192.168.15.110): 56 data bytes
64 bytes from 192.168.15.110: icmp_seq=0 ttl=128 time=0.423 ms
64 bytes from 192.168.15.110: icmp_seq=1 ttl=128 time=0.448 ms
64 bytes from 192.168.15.110: icmp_seq=2 ttl=128 time=0.469 ms
64 bytes from 192.168.15.110: icmp_seq=3 ttl=128 time=0.459 ms
^C
--- 192.168.15.110 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.423/0.450/0.469/0.017 ms
17:35:32
$sudo nmap 192.168.15.110
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-12-23 17:35 EET
All 1663 scanned ports on 192.168.15.110 are: closed
MAC Address: 00:13:8F:2F:AC:5E (Unknown)
Nmap finished: 1 IP address (1 host up) scanned in 0.735 seconds
17:36:15
$ping 192.168.15.110
PING 192.168.15.110 (192.168.15.110): 56 data bytes
64 bytes from 192.168.15.110: icmp_seq=0 ttl=128 time=0.576 ms
64 bytes from 192.168.15.110: icmp_seq=1 ttl=128 time=0.443 ms
^C
--- 192.168.15.110 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.443/0.509/0.576/0.067 ms
17:36:19
$man nmap
17:36:33
$exit
exit
Connection to fbsd4.linux.nt closed.
/dev/ttyp4
17:45:06
#honeyd -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
Honeyd V1.0 Copyright (c) 2002-2004 Niels Provos
honeyd[68418]: started with -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[68418]: listening promiscuously on rl0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (host 192.168.15.110))) and not ether src 00:13:8f:2f:ac:5e
Honeyd starting as background process
/dev/ttyp2
17:45:20
$ps -waux | grep honey
user     68469  0.0  0.1  1508  1024  p3  S+    5:45PM   0:00.00 grep honey
/dev/ttyp4
17:45:31
#honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
honeyd[68510]: couldn't send packet: Permission denied
honeyd[68510]: Killing attempted connection: tcp (192.168.15.24:59726 - 192.168.15.110:388)
honeyd[68510]: couldn't send packet: Permission denied
honeyd[68510]: Killing attempted connection: tcp (192.168.15.24:59726 - 192.168.15.110:417)
honeyd[68510]: couldn't send packet: Permission denied
honeyd[68510]: Killing attempted connection: tcp (192.168.15.24:59726 - 192.168.15.110:221)
honeyd[68510]: couldn't send packet: Permission denied
honeyd[68510]: Killing attempted connection: tcp (192.168.15.24:59726 - 192.168.15.110:3)
honeyd[68510]: couldn't send packet: Permission denied
honeyd[68510]: Killing attempted connection: tcp (192.168.15.24:59726 - 192.168.15.110:437)
...
honeyd[68510]: Killing attempted connection: tcp (192.168.15.24:59726 - 192.168.15.110:7009)
honeyd[68510]: couldn't send packet: Permission denied
honeyd[68510]: Killing attempted connection: tcp (192.168.15.24:59726 - 192.168.15.110:1414)
honeyd[68510]: couldn't send packet: Permission denied
honeyd[68510]: Killing attempted connection: tcp (192.168.15.24:59726 - 192.168.15.110:741)
honeyd[68510]: couldn't send packet: Permission denied
honeyd[68510]: Killing attempted connection: tcp (192.168.15.24:59726 - 192.168.15.110:1489)
honeyd[68510]: couldn't send packet: Permission denied
honeyd[68510]: Killing attempted connection: tcp (192.168.15.24:59726 - 192.168.15.110:149)
honeyd[68510]: couldn't send packet: Permission denied
/dev/ttyp2
17:45:39
$ps -waux | grep honey
32767    68510  1.8  0.3  3704  3176  p5  S+    5:45PM   0:00.11 honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
17:48:16
$ssh user@m04
Password:
Last login: Fri Dec 23 17:32:43 2005 from fbsd2.linux.nt
17:50:13
$ping 192.168.15.110
PING 192.168.15.110 (192.168.15.110): 56 data bytes
^C
--- 192.168.15.110 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
17:50:31
$ping 192.168.15.110
PING 192.168.15.110 (192.168.15.110): 56 data bytes
64 bytes from 192.168.15.110: icmp_seq=2 ttl=128 time=0.962 ms
^C
--- 192.168.15.110 ping statistics ---
3 packets transmitted, 1 packets received, 66% packet loss
round-trip min/avg/max/stddev = 0.962/0.962/0.962/0.000 ms
17:50:41
$sudo nmap -o 192.168.15.110
Password:
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-12-23 17:50 EET
No target machines/networks specified!
QUITTING!
17:50:42
$ssh user@m04
Password:
Last login: Fri Dec 23 17:50:28 2005 from fbsd2.linux.nt
17:50:58
$sudo nmap -o 192.168.15.110
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-12-23 17:51 EET
No target machines/networks specified!
QUITTING!
17:51:05
$sudo nmap -O 192.168.15.110
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-12-23 17:51 EET
Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1663 scanned ports on 192.168.15.110 are: closed
MAC Address: 00:13:8F:2F:AC:5E (Unknown)
Too many fingerprints match this host to give specific OS details
Nmap finished: 1 IP address (1 host up) scanned in 6.722 seconds
17:51:17
$exit
exit
Connection to fbsd4.linux.nt closed.
/dev/ttyp4
17:51:49
#nohup honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
appending output to nohup.out
17:52:03
#honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
Honeyd V1.0 Copyright (c) 2002-2004 Niels Provos
honeyd[68696]: started with -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[68696]: listening promiscuously on rl0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (host 192.168.15.110))) and not ether src 00:13:8f:2f:ac:5e
honeyd[68696]: Demoting process privileges to uid 32767, gid 32767
^Z
[1]+  Stopped                 honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
17:52:28
#bg 1
[1]+ honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110 &
17:52:31
#ping 192.168.15.110
PING 192.168.15.110 (192.168.15.110): 56 data bytes
ping: sendto: Host is down
ping: sendto: Host is down
ping: sendto: Host is down
^C
--- 192.168.15.110 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
17:52:43
#arping 192.168.15.110
ARPING 192.168.15.110
^C
--- 192.168.15.110 statistics ---
4 packets transmitted, 0 packets received, 100% unanswered
17:52:55
#bg 1
bash: bg: job 1 already in background
17:52:58
#fg 1
honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
^Z
[1]+  Stopped                 honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
17:53:10
#bg 1
[1]+ honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110 &
17:53:14
#ps -waux | grep honey
32767    68696  0.0  0.3  3704  3180  p5  S     5:52PM   0:00.13 honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
17:54:57
#fg 1
honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
^Choneyd[68696]: exiting on signal 2
17:55:02
#honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110 &
[1] 68912
Honeyd V1.0 Copyright (c) 2002-2004 Niels Provos
honeyd[68912]: started with -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
17:55:10
#Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[68912]: listening promiscuously on rl0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (host 192.168.15.110))) and not ether src 00:13:8f:2f:ac:5e
honeyd[68912]: Demoting process privileges to uid 32767, gid 32767
17:55:14
#ps -waux | grep honey
32767    68912  1.0  0.3  3704  3180  p5  S     5:55PM   0:00.11 honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
17:55:43
#fg 1
honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
^Choneyd[68912]: exiting on signal 2
17:55:55
#nohup honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110 &
[1] 69019
appending output to nohup.out
17:56:05
#ps -waux | grep honey
32767    69019  2.7  0.3  3704  3176  p5  S     5:56PM   0:00.11 honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
root     69045  0.0  0.1  1440   592  p5  R+    5:56PM   0:00.00 grep honey
17:56:10
#telnet 192.168.15.110
Trying 192.168.15.110...
^C
17:58:47
#telnet 192.168.15.110 80
Trying 192.168.15.110...
^C
17:59:37
#vi /usr/local/etc/honeyd.conf
17:59:59
#pkg_info -Lx honeyd
Information for honeyd-1.0_1:
Files:
/usr/local/man/man1/honeydctl.1.gz
/usr/local/man/man8/honeyd.8.gz
/usr/local/bin/honeyd
/usr/local/bin/honeydctl
/usr/local/include/honeyd/debug.h
/usr/local/include/honeyd/hooks.h
/usr/local/include/honeyd/plugins.h
/usr/local/include/honeyd/plugins_config.h
...
/usr/local/share/honeyd/scripts/mydoom.pl
/usr/local/share/honeyd/scripts/README.mydoom
/usr/local/share/honeyd/scripts/cmdexe.pl
/usr/local/share/honeyd/scripts/README.cmdexe
/usr/local/share/honeyd/scripts/README.kuang2
/usr/local/share/honeyd/scripts/INSTALL.kuang2
/usr/local/share/honeyd/scripts/kuang2.pl
/usr/local/share/honeyd/scripts/kuang2.conf
/usr/local/share/honeyd/scripts/smtp.pl
/usr/local/share/honeyd/scripts/proxy.pl
18:00:12
#cat /usr/local/share/honeyd/scripts/web.sh
#!/bin/sh
REQUEST=""
while read name
do
        LINE=`echo "$name" | egrep -i "[a-z:]"`
        if [ -z "$LINE" ]
        then
                break
        fi
        echo "$name" >> /tmp/log
...
08-21-01  11:28a      <DIR>          AdminScripts
08-21-01   6:43p      <DIR>          ftproot
07-09-00  12:04a      <DIR>          iissamples
07-03-00   2:09a      <DIR>          mailroot
07-16-00   3:49p      <DIR>          Scripts
07-09-00   3:10p      <DIR>          webpub
07-16-00   4:43p      <DIR>          wwwroot
             0 file(s)              0 bytes
            20 dir(s)     290,897,920 bytes free
_eof_
18:00:39
#vi /usr/local/etc/honeyd.conf
4c4,6
< add windows tcp port 80 "perl scripts/iis-0.95/iisemul8.pl"
---
> #add windows tcp port 80 "perl scripts/iis-0.95/iisemul8.pl"
> add windows tcp port 80 "/usr/local/share/honeyd/scripts/web.sh
> "
/dev/ttyp2
18:01:09
$telnet 192.168.15.110 80
Trying 192.168.15.110...
telnet: connect to address 192.168.15.110: Connection refused
telnet: Unable to connect to remote host
18:01:34
$vi /usr/local/etc/honeyd.conf
/dev/ttyp4
18:02:48
#vi /usr/local/etc/honeyd.conf
18:03:16
#vi /usr/local/etc/honeyd.conf
18:04:54
#pkg_version honeyd
ORBit2                              =
OpenEXR                             =
adns                                =
aide                                =
apache                              =
apr-nothr-db4                       =
arpd                                =
arping                              =
arpwatch                            =
arts                                =
...
chkrootkit                          =
cjk-cdrtools                        =
cowsay                              =
cscope                              =
cups-base                           =
cyrus-sasl                          =
dasher                              =
db4                                 =
db42                                =
^C
18:05:07
#pkg_version | grep
^C
18:05:19
#pkg_info
pkg_info: can't find package 'honeyd' installed or in a file!
18:05:29
#pkg_info | grep honeyd
honeyd-1.0_1        Simulate virtual network hosts (honeypots)
18:06:26
#vi /usr/local/etc/honeyd.conf
5,6c5
< add windows tcp port 80 "/usr/local/share/honeyd/scripts/web.sh
< "
---
> add windows tcp port 80 "/usr/local/share/honeyd/scripts/web.sh"
18:07:12
#killall honeyd
[1]+  Done                    nohup honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
18:07:27
#nohup honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110 &
appending output to nohup.out
[1] 71132
18:07:39
#vi /usr/local/etc/honeyd.conf
/dev/ttyp2
18:08:19
$telnet 192.168.15.110 80
Trying 192.168.15.110...
telnet: connect to address 192.168.15.110: Connection refused
telnet: Unable to connect to remote host
/dev/ttyp4
18:09:16
#cat /usr/local/share/honeyd/scripts/web.sh
#!/bin/sh
REQUEST=""
while read name
do
        LINE=`echo "$name" | egrep -i "[a-z:]"`
        if [ -z "$LINE" ]
        then
                break
        fi
        echo "$name" >> /tmp/log
...
08-21-01  11:28a      <DIR>          AdminScripts
08-21-01   6:43p      <DIR>          ftproot
07-09-00  12:04a      <DIR>          iissamples
07-03-00   2:09a      <DIR>          mailroot
07-16-00   3:49p      <DIR>          Scripts
07-09-00   3:10p      <DIR>          webpub
07-16-00   4:43p      <DIR>          wwwroot
             0 file(s)              0 bytes
            20 dir(s)     290,897,920 bytes free
_eof_
/dev/ttyp2
18:09:49
$ping 192.168.15.110
PING 192.168.15.110 (192.168.15.110): 56 data bytes
64 bytes from 192.168.15.110: icmp_seq=0 ttl=128 time=0.491 ms
64 bytes from 192.168.15.110: icmp_seq=1 ttl=128 time=0.454 ms
^C
--- 192.168.15.110 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.454/0.473/0.491/0.018 ms
/dev/ttyp4
18:09:52
#killall honeyd
[1]+  Done                    nohup honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110
18:09:56
#nohup honeyd -d -i rl0 -f /usr/local/etc/honeyd.conf 192.168.15.110 &
[1] 71239
appending output to nohup.out
18:10:00
#telnet 192.168.15.1350 80
192.168.15.1350: hostname nor servname provided, or not known

Files

  • /usr/local/share/honeyd/nmap.assoc
  • /usr/local/share/honeyd/scripts/web.sh
  • /usr/local/share/honeyd/nmap.assoc
    >
    Sun SunOS 4.1.1 - 4.1.4 (or derivative);Sun Solaris 9 (SunOS 2.9)
    Sun RSC (Remote System Control card) v1.14 (in Solaris 2.7);Sun Solaris 7 (SunOS 2.7)
    #Ericsson Tigris Access Server Software V. 12.1.*;
    #Tahoe OS 1.2.1 running on Tahoe router;
    #Tally 9112 Printer;
    #Tandberg X-terminal;
    #Tandem NSK D39;
    #Tandem NSK D40;
    #Tektronix Phaser 350 firmware 3.3 (printer);
    #Tektronix Phaser 360 printer;
    #Tektronix Phaser(TM) printer with share ethernet card, firmware version 3.01;
    #Tektronix Phaser 560 printer;
    #Telebit's NetBlazer 3.0 router;
    #Telebit NetBlazer router Version 3.05;
    #Telebit NetBlazer Version 3.1, patch level 13;
    #Telindus 11xx ADSL Router;
    #Telocity (DirectTVDSL) Gateway x2 Model;
    #Teltrend (aka Securicor 3net) Router;
    #DEC TOPS-20 Monitor 7(21733),KL-10 (DEC 2065);
    #DEC TOPS-20 Monitor 7(102540)-1,TD-1;
    #Toshiba TR650 ISDN Router;
    #TurtleBeach Audiotron network MP3 player;
    #TurtleBeach Audiotron network MP3 player;
    #Turtle Beach AudioTron 100 network MP3 player;
    #DEC Ultrix 4.1;
    #Ultrix 4.2 - 4.5;
    #US Robotics USR8022 broadband wireless router (WAP);
    #US Robotics Total Control NETServer Card;
    #3Com / USR TotalSwitch Firmware: 02.02.00R;
    #VersaNet ISP-Accelerator(TM) Remote Access Server;
    #Virtual Access LinXpeed Pro 120 router running Software 7.4.33CM;
    #VxWorks 5.3.x bases system (usually an ethernet hub or switch such as HP ProCurve) or Bay Networks MicroAnnex XL terminal server;
    #WatchGuard Firebox SOHO V5.x firewall;
    #Minolta QMS Printer running VxWorks 5.4.2;
    Microsoft Windows 3.1 with Trumpet Winsock 2.0 revision B;Microsoft Windows XP Professional
    Windows for Workgroups 3.11 / TCP/IP-32 3.11b stack or Windows 98;Microsoft Windows 98/98SE
    Microsoft Windows 95 4.00.950B;Microsoft Windows XP Professional
    Windows NT 3.10 (Build 528);Microsoft Windows NT 4 Service Pack 4 and Above
    Microsoft Windows NT 3.51 SP5, NT 4.0 or 95/98/98SE;Microsoft Windows NT 4 Service Pack 4 and Above
    Microsoft Windows 98SE;Microsoft Windows 98/98SE
    Microsoft Windows 98SE;Microsoft Windows 98/98SE
    Microsoft PocketPC 3.0.11171 running on Compaq iPAQ 3870 Pocket PC;Microsoft Windows XP Professional
    Microsoft Windows 95 4.00.950B (IE 5 5.00 2314.1003);Microsoft Windows XP Professional
    Microsoft Windows 98SE + IE5.5sp1;Microsoft Windows 98/98SE
    Microsfot Windows 98SE with security patch A;Microsoft Windows 98/98SE
    Microsoft Windows 98 4.10.1998;Microsoft Windows 98/98SE
    Microsoft Windows 98 SP2;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows 98SE 4.10.2222A;Microsoft Windows 98/98SE
    Microsoft Windows NT 4.0 SP3;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows NT 4.0 SP3;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows 95/98/NT 4.0 or PocketPC;Microsoft Windows XP Professional
    Microsoft Windows NT 4.0 SP5-SP6;Microsoft Windows NT 4 Service Pack 4 and Above
    Microsoft Windows NT 4.0 Workstation SP6a;Microsoft Windows NT 4 Service Pack 4 and Above
    Microsoft Windows NT 4.0 SP6a;Microsoft Windows NT 4 Service Pack 4 and Above
    Microsoft Windows NT 4.0 Workstation SP6a;Microsoft Windows NT 4 Service Pack 4 and Above
    Microsoft Windows NT 4.0 Workstation SP6a;Microsoft Windows NT 4 Service Pack 4 and Above
    Microsoft Windows NT 4.0 Server SP5-SP6;Microsoft Windows NT 4 Service Pack 4 and Above
    Microsoft Windows NT 4.0 SP 6a + hotfixes;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows NT 4.0 Terminal Server Edition;Microsoft Windows NT 4 Service Pack 4 and Above
    HP Journada running Microsoft Windows CE 2.11 (Handheld/PC Pro 3.0 PDA);Microsoft Windows XP Professional
    Microsoft Windows 98;Microsoft Windows 98/98SE
    Microsoft Windows 98 SP1;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows NT 5 Beta2 or Beta3;Microsoft Windows NT 4 Service Pack 4 and Above
    Microsoft Windows .NET Enterprise Server (build 3604-3790);Microsoft Windows XP Professional
    Microsoft Windows .NET Enterprise Server RC2 (Version 5.2, build 3718.dnsrv.021114-1947);Microsoft Windows XP Professional
    Microsoft Windows Server 2003 Standard Edition;Microsoft Windows XP Professional
    Microsoft Windows Server 2003;Microsoft Windows XP Professional
    Microsoft Windows Server 2003 Enterprise Edition;Microsoft Windows XP Professional
    Microsoft Windows Server 2003;Microsoft Windows XP Professional
    Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP;Microsoft Windows XP Professional
    Microsoft Windows 2000 Server SP3;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows Millennium Edition (Me);Microsoft Windows XP Professional
    Microsoft Windows 2000 Server SP2;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows 2000 Server SP3 or Windows XP Professional SP1;Microsoft Windows XP Professional
    Microsoft Windows 2000 SP2;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows 2000 Server SP3;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows 2000 Server SP3;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows 2000 SP3;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows 2000 SP3;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows 2000 SP3;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows 2000 SP3;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows 2000 Professional SP2 or Windows XP SP1;Microsoft Windows XP Professional
    Microsoft Windows 2000 Server SP3;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows 2000 SP3;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows 2000 SP3;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows 2000 SP3;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows 2000 Professional SP3;Microsoft Windows XP Professional
    Microsoft Windows 2000 Advanced Server SP3;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows 2000 Advanced Server SP3;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows Millennium Edition (Me);Microsoft Windows XP Professional
    Microsoft Windows 2000 Professional;Microsoft Windows XP Professional
    Microsoft Windows 2000 SP1;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows XP Home Edition;Microsoft Windows XP Professional
    Microsoft Windows XP Professional or Windows 2000 Professional SP2+;Microsoft Windows XP Professional
    Microsoft Windows 2000 SP3;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows Millennium Edition (Me), Windows 2000, or Windows XP;Microsoft Windows XP Professional
    Microsoft Windows 2000 Professional RC1 or Windows 2000 Advanced Server Beta3;Microsoft Windows XP Professional
    Microsoft Windows XP Professional RC1+ through final release;Microsoft Windows XP Professional
    Microsoft Windows XP SP1;Microsoft Windows XP Professional
    Microsoft Windows XP Professional SP1;Microsoft Windows XP Professional
    Microsoft Windows XP SP1;Microsoft Windows XP Professional
    Microsoft Windows XP SP1 or Windows 2000 SP3;Microsoft Windows 2000/2000SP1/2000SP2/2000SP3
    Microsoft Windows XP Professional;Microsoft Windows XP Professional
    Microsoft Windows XP SP1;Microsoft Windows XP Professional
    Microsoft Windows XP Professional SP1;Microsoft Windows XP Professional
    Microsoft Windows XP Professional SP1;Microsoft Windows XP Professional
    Microsoft Windows XP Professional SP1 or Windows 2000 Advanced Server SP3;Microsoft Windows XP Professional
    Microsoft Windows XP Professional Version 5.1 Build 2600;Microsoft Windows XP Professional
    Microsoft Windows XP Professional SP1 or Windows 2000 SP3;Microsoft Windows XP Professional
    Microsoft Windows XP Professional SP1;Microsoft Windows XP Professional
    Microsoft Windows XP Professional SP1;Microsoft Windows XP Professional
    Microsoft Xbox (modified) running evolutionX;Microsoft Windows XP Professional
    Microsoft Xbox (modified) running evolutionX;Microsoft Windows XP Professional
    Microsoft Xbox running Debian Linux 2.4.20;Linux Kernel 2.4.5 and above
    WNOS 5.0 on Microsoft DOS 6.22;Microsoft Windows XP Professional
    #WTI Network Power Switch v3.02;
    #XCD Xconnect print server, firmware version CC8S-3.58 (98.09.21);
    #Xerox 8830 Plotter;
    #Xerox Document Centre ColorSeries 50;
    #Xerox Document Centre 440 w/ CentreWare Internet Services;
    #Xerox DocuPrint C55;
    #Xerox DocuPrint N24/N32/N40 Network Laser Printer;
    #Xerox DocuPrint N40;
    #Xerox Docuprint N2125 network printer;
    xMach free distributed OS version 0.1 current;Mac OS X 10.1.5
    #Xylan OmniSwitch 5x/9x ethernet switch, Xylogics Annex-III Comm server R10.0, or Hitachi HI-UX/WE2;
    #Xyplex 1600 terminal server running MAXserver V6.0.2 firmware;
    #Xylogics Remote Annex 4000 terminal server running LynxOS realtime OS;
    #Cabletron Systems SSR 8000 smart switch router System Software, Version 3.1.B.16;
    #Cabletron Smart Switch Router 8600;
    #CasheFlow CacheOS (CacheFlow 500-5000 web proxy cache) CFOS 2.1.08 - 2.2.1;
    #CacheFlow CacheOS 3.1 on a model 6000 web proxy cache;
    #Cacheflow 6x5 web proxy cache running CacheOS 3.1.19-4.1.05;
    #CacheFlow 6000 web proxy cache running CacheOS 4.1.05;
    #CastleNet AR502/GlobespanVirata GS8100 (same thing) DSL router;
    #Cayman 2E DSL/CABLE router;
    #Chase IOLAN Terminal Server v3.5.02 CDi;
    #Chase IOLAN terminal server;
    #Xyplex Network 9000 terminal server;
    #Xyplex Terminal Server v6.0.2S5;
    #Xyplex Terminal Server CSERV-20 software v6.0.4;
    #Print Server: Zero One Tech 3000, Hawking PN7117, or EUSSO UPS1211-B;
    #ZoomAir IG-4165 wireless gateway (WAP);
    #Zyxel XyWALL 50 (ZyNOS 3.52);
    #Zyxel ZyNOS based broadband router (ZyNOS) or Intel Express ISDN router;
    #Zyxel Prestige 642R-11 ASDL router running ZyNOS;
    #ZyXEL P480 ISDN router running ZyNOS v2.42(O.00);
    #Hardware: Zyxel Prestige broadband router;
    #ZyXEL Prestige 700/Netgear MA314 broadband router;
    
    /usr/local/share/honeyd/scripts/web.sh
    >
    #!/bin/sh
    REQUEST=""
    while read name
    do
            LINE=`echo "$name" | egrep -i "[a-z:]"`
            if [ -z "$LINE" ]
            then
                    break
            fi
            echo "$name" >> /tmp/log
            NEWREQUEST=`echo "$name" | grep "GET .scripts.*cmd.exe.*dir.* HTTP/1.0"`
            if [ ! -z "$NEWREQUEST" ] ; then
                    REQUEST=$NEWREQUEST
            fi
    done
    if [ -z "$REQUEST" ] ; then
            cat << _eof_
    HTTP/1.1 404 NOT FOUND
    Server: Microsoft-IIS/5.0
    P3P: CP='ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI'
    Content-Location: http://cpmsftwbw27/default.htm
    Date: Thu, 04 Apr 2002 06:42:18 GMT
    Content-Type: text/html
    Accept-Ranges: bytes
    <html><title>You are in Error</title>
    <body>
    <h1>You are in Error</h1>
    O strange and inconceivable thing! We did not really die, we were not really buried, we were not really crucified and raised again, but our imitation was but a figure, while our salvation is in reality. Christ was actually crucified, and actually buried, and truly rose again; and all these things have been vouchsafed to us, that we, by imitation communicating in His sufferings, might gain salvatio
    <p>
    St. Cyril of Jerusalem, On the Christian Sacraments.
    </body>
    </html>
    _eof_
            exit 0
    fi
    DATE=`date`
    cat << _eof_
    HTTP/1.0 200 OK
    Date: $DATE
    Server: Microsoft-IIS/5.0
    Connection: close
    Content-Type: text/plain
     Volume in drive C is Webserver
     Volume Serial Number is 3421-07F5
     Directory of C:\inetpub
    01-20-02   3:58a      <DIR>          .
    08-21-01   9:12a      <DIR>          ..
    08-21-01  11:28a      <DIR>          AdminScripts
    08-21-01   6:43p      <DIR>          ftproot
    07-09-00  12:04a      <DIR>          iissamples
    07-03-00   2:09a      <DIR>          mailroot
    07-16-00   3:49p      <DIR>          Scripts
    07-09-00   3:10p      <DIR>          webpub
    07-16-00   4:43p      <DIR>          wwwroot
                 0 file(s)              0 bytes
                20 dir(s)     290,897,920 bytes free
    _eof_
    
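An offline model of the decision logic in the web.sh shown above, together with a small probe client that sends the request the telnet attempts in the log were trying to type by hand. This is an added example, not part of the lab log or of the honeyd distribution. It assumes the honeypot address 192.168.15.110 from the log as the default target; the cmd.exe-style probe path and the sample responses used in the comments are constructed to match what web.sh greps for and what it prints, and are not taken from a real capture.

```python
"""Offline model of the honeyd web.sh decision logic plus a probe client.

Added example (not part of the lab log or of honeyd). classify_request()
mirrors how web.sh decides which branch to take, classify_response() maps
what web.sh sends back to that branch, so expected behaviour can be checked
without a running honeyd; probe() is the network check the log's telnet
attempts were doing by hand. The default host 192.168.15.110 is the
honeypot address from the log; the cmd.exe probe path is a constructed
sample that matches the pattern web.sh looks for.
"""
import re
import socket
import sys

# Same basic-regex pattern web.sh greps for. Note it only matches HTTP/1.0
# request lines, so an otherwise identical HTTP/1.1 probe gets the 404 branch.
CMDEXE_DIR_RE = re.compile(r"GET .scripts.*cmd.exe.*dir.* HTTP/1.0")

# Constructed probe path in the style web.sh expects (scripts + cmd.exe + dir).
CMDEXE_DIR_PATH = "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir"


def build_request(host: str, cmdexe: bool = False) -> bytes:
    """Build a minimal HTTP/1.0 request: a benign GET / or the cmd.exe probe."""
    path = CMDEXE_DIR_PATH if cmdexe else "/"
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def classify_request(raw: bytes) -> str:
    """Decide as web.sh does: 'dir-listing' or 'not-found'.

    web.sh reads lines until the first line containing no letter or colon
    (the blank line ending the headers) and remembers the last line that
    matches CMDEXE_DIR_RE. Anything after the blank line is never seen.
    """
    matched = ""
    for line in raw.decode("latin-1").splitlines():
        if not re.search(r"[A-Za-z:]", line):   # egrep -i "[a-z:]" found nothing
            break
        if CMDEXE_DIR_RE.search(line):
            matched = line
    return "dir-listing" if matched else "not-found"


def classify_response(raw: bytes) -> str:
    """Map bytes read from port 80 to the web.sh branch that produced them.

    Both web.sh responses carry 'Server: Microsoft-IIS/5.0'; the 404 body
    contains 'You are in Error', the 200 body the fake C:\\inetpub listing.
    """
    text = raw.decode("latin-1")
    status = text.split("\n", 1)[0].strip()
    if "Server: Microsoft-IIS/5.0" not in text:
        return "unknown"
    if status == "HTTP/1.1 404 NOT FOUND" and "You are in Error" in text:
        return "not-found"
    if status == "HTTP/1.0 200 OK" and "Directory of C:\\inetpub" in text:
        return "dir-listing"
    return "unknown"


def probe(host: str, port: int = 80, cmdexe: bool = False,
          timeout: float = 5.0) -> str:
    """Send one request to host:port and classify the reply.

    Returns 'refused', 'timeout' or 'unreachable' instead of raising, since
    telling those apart from a real answer is the point of the check (the
    telnet attempts in the log ended in 'Connection refused').
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request(host, cmdexe))
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    return classify_response(b"".join(chunks))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.15.110"
    for flag in (False, True):
        print(f"{target}:80 cmdexe={flag} -> {probe(target, cmdexe=flag)}")
```

Run it against the honeypot address to get one line per request type; a result of "refused" means honeyd is not answering on port 80 at all (a configuration or binding problem, as seen in the log), while "unknown" means something answered that is not the web.sh emulation.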

    Statistics

    Time of first command in the log: 17:21:32 2006-12-23
    Time of last command in the log: 18:10:00 2006-12-23
    Number of command lines in the log: 101
    Percentage of commands with a non-zero exit code, %: 32.67
    Percentage of syntactically mistyped commands, %: 0.00
    Total time working at the terminal *, hours: 0.81
    Command lines per unit of time, commands/min: 2.08
    Command usage frequency
    ping          17  |=============|  13.93%
    nmap          11  |=========|       9.02%
    grep          11  |=========|       9.02%
    sudo          10  |========|        8.20%
    ps             9  |=======|         7.38%
    honeyd         9  |=======|         7.38%
    vi             7  |=====|           5.74%
    telnet         5  |====|            4.10%
    pkg_info       5  |====|            4.10%
    nohup          4  |===|             3.28%
    cat            4  |===|             3.28%
    killall        4  |===|             3.28%
    ssh            4  |===|             3.28%
    exit           4  |===|             3.28%
    fg             3  |==|              2.46%
    bg             3  |==|              2.46%
    arng           3  |==|              2.46%
    pkg_version    2  |=|               1.64%
    g              2  |=|               1.64%
    sockstat       1  ||                0.82%
    man            1  ||                0.82%
    arpd           1  ||                0.82%
    arping         1  ||                0.82%
    Warning:       1  ||                0.82%
    ____
    *) Idle intervals of 30 minutes or more are not counted

    Help

    To use LiLaLo you do not need to know anything special: everything happens by itself. However, to make keeping the logs and using them later as effective as possible, it is worth keeping the following in mind:
    1. All commands given in any terminal of the system are recorded in the log automatically.

    2. To make sure that the log is being kept on the current terminal and commands are being recorded, run the command w. The WHAT field for the current terminal should show the program script.

    3. Commands that were typed with syntax errors are shown as struck-through text:
      $ l s-l
      bash: l: command not found
      

    4. If a command's exit code is zero, the command completed without errors. Commands whose exit code is non-zero are highlighted in colour.
      $ test 5 -lt 4
      Note that a command's exit code can be non-zero not only when the command failed. Many commands use the exit code, for example, to report the result of a check.

    5. Commands whose execution was interrupted by the user are highlighted in colour.
      $ find / -name abc
      find: /home/devi-orig/.gnome2: Keine Berechtigung
      find: /home/devi-orig/.gnome2_private: Keine Berechtigung
      find: /home/devi-orig/.nautilus/metafiles: Keine Berechtigung
      find: /home/devi-orig/.metacity: Keine Berechtigung
      find: /home/devi-orig/.inkscape: Keine Berechtigung
      ^C
      

    6. Commands executed with superuser privileges are marked with a red bar on the left.
      # id
      uid=0(root) gid=0(root) Gruppen=0(root)
      

    7. Changes made to a text file with an editor are recorded and shown in the log in ed format. Lines beginning with "<" were deleted, and lines beginning with ">" were added.
      $ vi ~/.bashrc
      2a3,5
      >    if [ -f /usr/local/etc/bash_completion ]; then
      >         . /usr/local/etc/bash_completion
      >        fi
      

    8. To modify a file according to the changes shown in the diffshot, you can use the patch command. Copy the changes, run patch with the file the changes apply to as its argument, and paste the copied text:
      $ patch ~/.bashrc
      In this case the changes are applied to the file ~/.bashrc

    9. To get brief reference information about a command, hover the mouse over it. A tooltip with a short description of the command will appear.

      If reference information for a command exists, the command is highlighted with a blue background, for example: vi. If it is missing, the command is highlighted with a pink background, for example: notepad.exe. Reference information may be missing if (1) the command was entered incorrectly; (2) LiLaLo recognised the command incorrectly; (3) LiLaLo has no information about the command. The last case is possible for rare commands.

    10. Large, especially multi-line, tooltips are displayed best by the KDE Konqueror, Apple Safari and Microsoft Internet Explorer browsers. In Mozilla and Firefox they are not shown in full, and a special character is printed instead of a line break.

    11. The command entry time shown in the log corresponds to the moment entry of the command line began, that is, the moment the shell prompt appeared on the terminal.

    12. The name of the terminal on which a command was entered is shown in a special block. This block is shown only when the terminal of the current command differs from the terminal of the previous one.

    13. Log elements you are not currently interested in, such as the time, the terminal name and others, can be hidden. To do this, use the log control form at the top of the page.

    14. Short comments on commands can be inserted directly from the command line. The comment is typed on the command line after the characters #^ or #v. The characters ^ and v indicate the direction of the command the comment refers to: ^ the previous one, v the next one. For example, if the following was entered on the command line:

      $ whoami
      
      user
      
      $ #^ I wonder who I am?
      
      in the log it will look like this:
      $ whoami
      
      user
      
      I wonder who I am?

    15. If a comment spans several lines, it can be inserted into the log as follows:

      $ whoami
      
      user
      
      $ cat > /dev/null #^ I wonder who I am?
      
      The whoami program prints the name of the user
      we are logged in to the system as.
      -
      It cannot answer the question of our purpose
      in this world.
      
      In the log it will look like this:
      $ whoami
      user
      
      I wonder who I am?
      The whoami program prints the name of the user
      we are logged in to the system as.

      It cannot answer the question of our purpose
      in this world.
      To separate several paragraphs from each other, use the character "-" alone on a line.

    16. Comments that do not relate directly to any command are added in exactly the same way, except that the characters #= are used instead of #^ or #v.

    17. The contents of a file can be shown in the log. To do this, print it with the cat program. If the command's output is marked with the characters #!, the file contents are shown in the log in a section specially reserved for them.
    18. To insert a screenshot of a window of interest into the log, use the l3shot command. After the command is invoked, select the window that should appear in the log with the mouse.
    19. Commands in the log are arranged in chronological order. If two commands were given one after another but on different terminals, they will be next to each other in the log even if they have nothing to do with each other.
      1
          2
      3   
          4
      
      Groups of commands executed on different terminals are separated by a special line. Below this line, in the right corner, the name of the terminal on which the commands were executed is shown. To see the commands of only one session, click on that name.

    About

    LiLaLo (L3) stands for Live Lab Log.
    The program was developed to improve the effectiveness of learning Unix/Linux systems.
    (c) Игорь Чубин (Igor Chubin), 2004-2008
