Host Security Research Series: Identifying Linux Virtual Machine Environments

2023-06-14 06:01:46

|-- When the enterprise blue team (藍軍) locates a Linux server, identifying the environment the host sits in is the first and most important step of offensive and defensive security research

Background knowledge:

  • Linux host commands
  • KVM virtualization
  • Docker containers
  • Hypervisor
  • OpenStack


With some of the basics above in place, a Linux host / cloud host environment can be identified from one's own working experience together with virtual machine fingerprints.

Straight to the point.

Command 1

cat /proc/cpuinfo


  # The output of this command contains the CPU's attributes; the value of the flags attribute is what a researcher should look at first

[root@ecm-0090 ~]# cat /proc/cpuinfo
      processor       : 0
      vendor_id       : GenuineIntel
      cpu family      : 6
      model           : 85
      model name      : Intel Xeon Processor (Cascadelake)
      stepping        : 5
      microcode       : 0x1
      cpu MHz         : 2992.968
      cache size      : 16384 KB
      physical id     : 0
      siblings        : 1
      core id         : 0
      cpu cores       : 1
      apicid          : 0
      initial apicid  : 0
      fpu             : yes
      fpu_exception   : yes
      cpuid level     : 13
      wp              : yes
      flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 arat umip pku ospke avx512_vnni spec_ctrl intel_stibp arch_capabilities
      bogomips        : 5985.93
      clflush size    : 64
      cache_alignment : 64
      address sizes   : 46 bits physical, 48 bits virtual
      power management:


    The flags field lists the features the CPU supports; next, check directly whether the flags contain the hypervisor bit

grep flags /proc/cpuinfo 2>/dev/null | grep --color=auto hypervisor


    # Searching for the keyword saves time and locates it directly; the command below highlights the "hypervisor" keyword in red

[root@ecm-0090 ~]# grep flags /proc/cpuinfo 2>/dev/null | grep --color=auto hypervisor
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ssbd ibrs ibpb stibp ibrs_enhanced fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid avx512f avx512dq rdseed adx smap clflushopt clwb avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 arat umip pku ospke avx512_vnni spec_ctrl intel_stibp arch_capabilities

 

Once the host is confirmed to be a virtual machine, the researcher can go one step further and identify the virtualization type

systemd-detect-virt

"systemd-detect-virt is used to detect whether the system is running in a virtualized environment and, further, which kind of virtualization environment it is, such as which type of virtual machine or which type of container."

The following table is quoted:

Type       ID               Product
VM         qemu             QEMU software virtual machine (without KVM)
           kvm              Linux kernel virtual machine (any hypervisor other than Oracle VirtualBox)
           zvm              s390 z/VM
           vmware           VMware virtual machine
           microsoft        Hyper-V virtual machine
           oracle           Oracle VirtualBox virtual machine
           xen              Xen virtual machine (domU only, not dom0)
           bochs            Bochs emulator
           uml              User-mode Linux
           parallels        Parallels Desktop, Parallels Server
           bhyve            bhyve, FreeBSD hypervisor
           qnx              QNX hypervisor
Container  openvz           OpenVZ/Virtuozzo
           lxc              LXC container
           lxc-libvirt      container implemented via libvirt
           systemd-nspawn   systemd minimal container
           docker           Docker container
           rkt              rkt application container

Source: //www.wenjiangs.com/doc/systemd-systemd-detect-virt

  [root@ecm-0090 ~]# systemd-detect-virt
  kvm

The researcher can make the judgement from the table quoted above together with the actual test output

Command 2

[root@ecm-0090 ~]# dmidecode
        # dmidecode 3.1
        Getting SMBIOS data from sysfs.
        SMBIOS 2.8 present.
        9 structures occupying 474 bytes.
        Table at 0x000F5A70.

        Handle 0x0000, DMI type 0, 24 bytes
        BIOS Information
                Vendor: SeaBIOS
                Version: 1.13.0-2.ctl2
                Release Date: 04/01/2014
                Address: 0xE8000
                Runtime Size: 96 kB
                ROM Size: 64 kB
                Characteristics:
                        BIOS characteristics not supported
                        Targeted content distribution is supported
                BIOS Revision: 0.0

        Handle 0x0100, DMI type 1, 27 bytes
        System Information
                Manufacturer: %{distro}
                Product Name: OpenStack Compute
                Version: 17.0.3-1.ctl2
                Serial Number: c7bcb18b-642f-0496-e611-b8cf62e64dcb
                UUID: af19741c-f634-4d92-9f7e-8dabcf558ee3
                Wake-up Type: Power Switch
                SKU Number: Not Specified
                Family: Virtual Machine

        Handle 0x0300, DMI type 3, 22 bytes
        Chassis Information
                Manufacturer: Red Hat
                Type: Other
                Lock: Not Present
                Version: RHEL 7.6.0 PC (i440FX + PIIX, 1996)
                Serial Number: Not Specified
                Asset Tag: Not Specified
                Boot-up State: Safe
                Power Supply State: Safe
                Thermal State: Safe
                Security Status: Unknown
                OEM Information: 0x00000000
                Height: Unspecified
                Number Of Power Cords: Unspecified
                Contained Elements: 0
                SKU Number: Not Specified

        Handle 0x0400, DMI type 4, 42 bytes
        Processor Information
                Socket Designation: CPU 0
                Type: Central Processor
                Family: Other
                Manufacturer: Red Hat
                ID: 55 06 05 00 FF FB 8B 0F
                Version: RHEL 7.6.0 PC (i440FX + PIIX, 1996)
                Voltage: Unknown
                External Clock: Unknown
                Max Speed: 2000 MHz
                Current Speed: 2000 MHz
                Status: Populated, Enabled
                Upgrade: Other
                L1 Cache Handle: Not Provided
                L2 Cache Handle: Not Provided
                L3 Cache Handle: Not Provided
                Serial Number: Not Specified
                Asset Tag: Not Specified
                Part Number: Not Specified
                Core Count: 1
                Core Enabled: 1
                Thread Count: 1
                Characteristics: None

        Handle 0x1000, DMI type 16, 23 bytes
        Physical Memory Array
                Location: Other
                Use: System Memory
                Error Correction Type: Multi-bit ECC
                Maximum Capacity: 2 GB
                Error Information Handle: Not Provided
                Number Of Devices: 1

        Handle 0x1100, DMI type 17, 40 bytes
        Memory Device
                Array Handle: 0x1000
                Error Information Handle: Not Provided
                Total Width: Unknown
                Data Width: Unknown
                Size: 2048 MB
                Form Factor: DIMM
                Set: None
                Locator: DIMM 0
                Bank Locator: Not Specified
                Type: RAM
                Type Detail: Other
                Speed: Unknown
                Manufacturer: Red Hat
                Serial Number: Not Specified
                Asset Tag: Not Specified
                Part Number: Not Specified
                Rank: Unknown
                Configured Clock Speed: Unknown
                Minimum Voltage: Unknown
                Maximum Voltage: Unknown
                Configured Voltage: Unknown

        Handle 0x1300, DMI type 19, 31 bytes
        Memory Array Mapped Address
                Starting Address: 0x00000000000
                Ending Address: 0x0007FFFFFFF
                Range Size: 2 GB
                Physical Array Handle: 0x1000
                Partition Width: 1

        Handle 0x2000, DMI type 32, 11 bytes
        System Boot Information
                Status: No errors detected

        Handle 0x7F00, DMI type 127, 4 bytes
        End Of Table

        # dmidecode -s system-product-name supports parameterized output and prints the value of the system-product-name item directly on the terminal

[root@ecm-0090 ~]# dmidecode -s system-product-name
OpenStack Compute
[root@ecm-0090 ~]# dmidecode -s
dmidecode: option requires an argument -- 's'
String keyword expected
Valid string keywords are:
  bios-vendor
  bios-version
  bios-release-date
  system-manufacturer
  system-product-name
  system-version
  system-serial-number
  system-uuid
  system-family
  baseboard-manufacturer
  baseboard-product-name
  baseboard-version
  baseboard-serial-number
  baseboard-asset-tag
  chassis-manufacturer
  chassis-type
  chassis-version
  chassis-serial-number
  chassis-asset-tag
  processor-family
  processor-manufacturer
  processor-version
  processor-frequency

The keywords above are optional; for locating the virtual machine environment, system-product-name is the key one

Command 3
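An added example, not from the original article, that wraps the checks from Command 1 and Command 2 into functions an inventory script can log: the flags word-match, the systemd-detect-virt ID mapped to the quoted table's category, and the SMBIOS product name read from sysfs rather than dmidecode. The root-prefix argument and the constructed sample tree are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: wraps the flags check, the
# systemd-detect-virt table and the SMBIOS product name into functions an
# inventory script can log. The root prefix ($1) is this example's own
# convention so the file-based checks can run against a constructed tree.

# Succeeds if the "hypervisor" CPUID bit is listed on the flags line.
cpuinfo_has_hypervisor() {
    # -w matches the whole word, so a flag that merely contains the text
    # (a hypothetical "hypervisor_x") is not counted
    grep -E '^flags[[:space:]]*:' "${1:-}/proc/cpuinfo" 2>/dev/null \
        | grep -qw hypervisor
}

# Same value as "dmidecode -s system-product-name", read from sysfs so it
# does not need root; prints "unknown" when the attribute is absent.
dmi_product_name() {
    cat "${1:-}/sys/class/dmi/id/product_name" 2>/dev/null || echo unknown
}

# Maps a systemd-detect-virt ID to the category used in the quoted table.
virt_category() {
    case "$1" in
        qemu|kvm|zvm|vmware|microsoft|oracle|xen|bochs|uml|parallels|bhyve|qnx)
            echo vm ;;
        openvz|lxc|lxc-libvirt|systemd-nspawn|docker|rkt)
            echo container ;;
        none|"") echo none ;;
        *)       echo unknown ;;
    esac
}

# Combines the signals for the running host: "<category> <id> <product>".
detect_virt_env() {
    virt_id=none
    if command -v systemd-detect-virt >/dev/null 2>&1; then
        # prints "none" and exits 1 on bare metal, so ignore the status
        virt_id=$(systemd-detect-virt 2>/dev/null || true)
    fi
    category=$(virt_category "$virt_id")
    # the CPUID bit alone still says "some hypervisor" without systemd
    if [ "$category" = none ] && cpuinfo_has_hypervisor; then
        category=vm
    fi
    echo "$category $virt_id $(dmi_product_name)"
}

# Constructed tree (not real machine output) to exercise the parsers offline.
FAKE_ROOT=$(mktemp -d)
mkdir -p "$FAKE_ROOT/proc" "$FAKE_ROOT/sys/class/dmi/id"
printf 'processor\t: 0\nflags\t\t: fpu vme rdrand hypervisor lahf_lm\n' \
    >"$FAKE_ROOT/proc/cpuinfo"
printf 'OpenStack Compute\n' >"$FAKE_ROOT/sys/class/dmi/id/product_name"
```

Call `detect_virt_env` with no arguments on a real host; pass `"$FAKE_ROOT"` to the individual functions to see them run against the constructed tree.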

  command -v docker
  command -v lxc
  command -v rkt
  command -v kubectl
  command -v podman
  command -v runc


  The commands above are simple checks for container-related ELF binaries; if one of them produces output, the corresponding container runtime can be inferred to be present

  # Containers have relatively many fingerprints: they can be identified from special process names, from fingerprint files such as .dockerenv, and a more experienced researcher can even look directly at the overlay filesystem or search for docker socket connections
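An added example, not from the original article, that turns the container fingerprints named above (the `command -v` binaries, .dockerenv, the overlay root filesystem, the docker socket) plus the cgroup path of PID 1 into one scored check. The root-prefix argument, the indicator names and the fake tree are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: the file-based container
# fingerprints named above (.dockerenv, overlay root, docker socket, plus the
# cgroup path) as one check. The root prefix ($1) and indicator names are this
# example's own so a constructed tree can be tested offline; default is "/".

# Prints one indicator per line found under the given root.
container_indicators() {
    root=${1:-}
    [ -f "$root/.dockerenv" ]          && echo dockerenv-file
    [ -S "$root/var/run/docker.sock" ] && echo docker-socket
    # cgroup v1 paths usually embed the runtime name; on cgroup v2 the
    # path is often just "/", so treat a miss here as inconclusive
    grep -Eq 'docker|lxc|kubepods|containerd' "$root/proc/1/cgroup" 2>/dev/null \
        && echo cgroup-runtime-path
    # an overlay filesystem mounted at / is typical of a container rootfs
    grep -Eq '^[^ ]+ / overlay ' "$root/proc/mounts" 2>/dev/null \
        && echo overlay-rootfs
    return 0
}

# Number of indicators hit; two or more is a strong signal, one is weak.
container_score() {
    container_indicators "$1" | wc -l | tr -d ' '
}

# The "command -v" checks above: runtime binaries present on PATH. These
# show that container tooling is installed, not that this shell is inside one.
container_binaries() {
    for b in docker lxc rkt kubectl podman runc; do
        command -v "$b" >/dev/null 2>&1 && echo "$b"
    done
    return 0
}

# Constructed fake tree (no real container involved) for the offline run.
FAKE_ROOT=$(mktemp -d)
mkdir -p "$FAKE_ROOT/proc/1"
: >"$FAKE_ROOT/.dockerenv"
printf '12:pids:/docker/0123abcd\n' >"$FAKE_ROOT/proc/1/cgroup"
printf 'overlay / overlay rw,relatime 0 0\n' >"$FAKE_ROOT/proc/mounts"
```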

 

This article is for research reference only and does not guide real-world operations.
