Tracking down a host through network devices (Huawei) in a black-box environment
I. Background
I work at a government agency. Recently the public security bureau's network probe raised an alert saying that a machine in our server room was mining cryptocurrency.
The problem: the only thing I had to work with was a core switch. How do you find the offending machine from there?
II. What I had
The passwords for the various network devices, the core switch, and the IP address of the offending machine: 10.120.10.200.
III. Getting to work
1. Querying the core switch
[~C05_35U_6881_MGBU01]dis ip int br
*down: administratively down
!down: FIB overload down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
The number of interface that is UP in Physical is 20
The number of interface that is DOWN in Physical is 1
The number of interface that is UP in Protocol is 20
The number of interface that is DOWN in Protocol is 1
Interface IP Address/Mask Physical Protocol VPN
MEth0/0/0 unassigned down down --
NULL0 unassigned up up(s) --
Vlanif3 10.120.10.254/24 up up --
Vlanif4 10.120.12.62/26 up up --
Vlanif5 10.120.12.126/26 up up --
Vlanif8 10.120.11.254/24 up up --
Vlanif9 10.120.12.190/26 up up --
Vlanif10 11.125.0.129/28 up up --
Vlanif12 10.120.14.190/26 up up --
Vlanif13 192.168.0.97/28 up up --
Vlanif14 192.168.0.113/28 up up --
Vlanif15 11.125.0.145/28 up up --
[~C05_35U_6881_MGBU01]dis ip routing-table
Proto: Protocol Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
Destinations : 66 Routes : 70
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 10.120.14.1 Vlanif44
10.120.0.28/32 Static 60 0 RD 192.168.0.114 Vlanif14
Static 60 0 RD 192.168.0.115 Vlanif14
10.120.0.32/32 Static 60 0 RD 192.168.0.114 Vlanif14
Static 60 0 RD 192.168.0.115 Vlanif14
10.120.0.62/32 Static 60 0 RD 192.168.0.114 Vlanif14
Static 60 0 RD 192.168.0.115 Vlanif14
10.120.10.0/24 Direct 0 0 D 10.120.10.254 Vlanif3
10.120.10.254/32 Direct 0 0 D 127.0.0.1 Vlanif3
10.120.10.255/32 Direct 0 0 D 127.0.0.1 Vlanif3
10.120.11.0/24 Direct 0 0 D 10.120.11.254 Vlanif8
10.120.11.254/32 Direct 0 0 D 127.0.0.1 Vlanif8
10.120.11.255/32 Direct 0 0 D 127.0.0.1 Vlanif8
10.120.12.0/26 Direct 0 0 D 10.120.12.62 Vlanif4
10.120.12.62/32 Direct 0 0 D 127.0.0.1 Vlanif4
So the host's subnet, 10.120.10.0/24, is a Direct route on Vlanif3, i.e. the gateway for VLAN 3 lives on this switch and the host is reachable at layer 2 from here. A VLAN interface is a logical gateway for the whole VLAN, not a physical port, so the next step is to find which ports actually carry VLAN 3.
[~C05_35U_6881_MGBU01]display vlan 3
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
MAC-LRN: MAC-address learning; STAT: Statistic;
BC: Broadcast; MC: Multicast; UC: Unknown-unicast;
FWD: Forward; DSD: Discard;
--------------------------------------------------------------------------------
VID Ports
--------------------------------------------------------------------------------
3 TG:Eth-Trunk3(U) Eth-Trunk4(U) 10GE1/0/38(D)
VID Type Status Property MAC-LRN STAT BC MC UC Description
--------------------------------------------------------------------------------
3 common enable default enable disable FWD FWD FWD VLAN 0003
So VLAN 3 is carried tagged on Eth-Trunk3, Eth-Trunk4 and 10GE1/0/38, the last of which is down. The ARP table tells us which of these the host is behind:
<C05_35U_6881_MGBU01>dis arp
ARP Entry Types: D - Dynamic, S - Static, I - Interface, O - OpenFlow, RD - Redirect
EXP: Expire-time VLAN:VLAN or Bridge Domain
IP ADDRESS MAC ADDRESS EXP(M) TYPE/VLAN INTERFACE VPN-INSTANCE
----------------------------------------------------------------------------------------
10.120.10.200 1418-7763-3173 11 D/3 Eth-Trunk4
The ARP entry pins 10.120.10.200 (MAC 1418-7763-3173) to Eth-Trunk4. 10GE1/0/38 is a single physical port, and down, so it is ruled out; the trunks are link aggregates, so we have to look at their member ports.
[~C05_35U_6881_MGBU01]dis interface Eth-Trunk 4
Eth-Trunk3 current state : UP (ifindex: 141)
Line protocol current state : UP
Last line protocol up time : 2020-03-27 10:31:51
Description:
Switch Port, PVID : 1, TPID : 8100(Hex), Hash Arithmetic : profile default, Maximal BW : 20Gbps, Current BW : 20Gbps, The Maximum Frame Length is 9216
Internet protocol processing : disabled
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is acb3-b535-f411
Current system time: 2021-02-24 14:43:32
Physical is ETH_TRUNK
Last 300 seconds input rate 961 bits/sec, 0 packets/sec
Last 300 seconds output rate 957 bits/sec, 0 packets/sec
Input: 59177804 packets,28146780073 bytes
39604781 unicast,2299 broadcast,19570724 multicast
0 errors,0 drops
Output:40692923 packets,8376191683 bytes
27765438 unicast,8061080 broadcast,4866405 multicast
0 errors,0 drops
Last 300 seconds input utility rate: 0.01%
Last 300 seconds output utility rate: 0.01%
----------------------------------------------------------
PortName Status Weight
----------------------------------------------------------
10GE1/0/33 UP 1
10GE2/0/33 UP 1
----------------------------------------------------------
The Number of Ports in Trunk : 2
The Number of Up Ports in Trunk : 2
Conclusion: the trunk's member ports, local 10GE1/0/33 and 10GE2/0/33, connect to the downstream device. (The pasted output is headed Eth-Trunk3 although the command asked for Eth-Trunk 4; for the trace, the member port list is what matters.)
2. The downstream device
Since this is the core switch, there must be other devices hanging below it. LLDP shows what sits at the other end of each port:
[~C05_35U_6881_MGBU01]dis lldp neighbor brief
Local Interface Exptime(s) Neighbor Interface Neighbor Device
-------------------------------------------------------------------------------
100GE1/0/1 109 100GE2/0/1 C05_35U_6881_MGBU01
100GE1/0/2 109 100GE2/0/2 C05_35U_6881_MGBU01
100GE2/0/1 95 100GE1/0/1 C05_35U_6881_MGBU01
100GE2/0/2 95 100GE1/0/2 C05_35U_6881_MGBU01
10GE1/0/32 112 10GE1/0/2 C07_33U_5855_BMC01
10GE1/0/33 101 10GE1/0/2 c07_35U_5855_BMC02
10GE1/0/47 112 Ten-GigabitEthernet2/0/40 H3C
10GE2/0/32 112 10GE1/0/1 C07_33U_5855_BMC01
10GE2/0/33 101 10GE1/0/1 c07_35U_5855_BMC02
10GE2/0/47 91 Ten-GigabitEthernet1/0/40 H3C
Both trunk members, 10GE1/0/33 and 10GE2/0/33, are connected to c07_35U_5855_BMC02 (its ports 10GE1/0/2 and 10GE1/0/1). Next, query one of the member ports in detail to get the neighbor's management IP address:
[~C05_35U_6881_MGBU01]dis lldp neighbor interface 10GE2/0/33
10GE2/0/32 has 1 neighbor(s):
Neighbor index :1
Chassis type :MAC Address
Chassis ID :acb3-b53e-b3b1
Port ID subtype :Interface Name
Port ID :10GE1/0/1
Port description :--
System name :C07_33U_5855_BMC01
System description :Huawei Versatile Routing Platform Software
VRP (R) software, Version 8.180 (CE5855EI V200R005C10SPC800)
Copyright (C) 2012-2018 Huawei Technologies Co., Ltd.
HUAWEI CE5855-48T4S2Q-EI
System capabilities supported :bridge router
System capabilities enabled :bridge router
Management address type :IPv4
Management address :10.120.10.106
Expired time :116s
Port VLAN ID(PVID) :1
Port and Protocol VLAN ID(PPVID) :unsupported
VLAN name of VLAN 1 :VLAN1
Protocol identity :--
Auto-negotiation supported :No
Auto-negotiation enabled :No
OperMau :speed (10000) /duplex (Full)
Link aggregation supported :Yes
Link aggregation enabled :Yes
Aggregation port ID :1
Maximum frame Size :9216
Port Identity :--
Discovered time :2020-04-17 10:26:45
EEE support :No
Transmit Tw :65535
Receive Tw :65535
Fallback Receive Tw :0
Echo Transmit Tw :0
Echo Receive Tw :0
Network Card ID :--
The peer's management address is 10.120.10.106. (The pasted detail output is for 10GE2/0/32 and names BMC01, but the telnet below lands on c07_35U_5855_BMC02, whose own ARP table later lists 10.120.10.106 as its Vlanif3 address; the management address is what we need here.)
<C05_35U_6881_MGBU01>telnet 10.120.10.106
Trying 10.120.10.106 ...
Press CTRL+K to abort
Connected to 10.120.10.106 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.
Username:huawei
Password:
Warning: The initial password poses security risks.
The password needs to be changed. Change now? [Y/N]:n
Info: The max number of VTY users is 5, the number of current VTY users online is 1, and total number of terminal users online is 1.
The current login time is 2021-02-24 15:24:36.
The last login time is 2021-02-24 13:16:59 from 10.120.10.254 through Telnet.
<c07_35U_5855_BMC02>
Note the two warnings on login: Telnet in cleartext, and an initial password that was never changed. Both are worth fixing once the incident is closed. From the access switch, ping the host so the switch learns a fresh ARP entry, then read its ARP table:
<c07_35U_5855_BMC02>ping 10.120.10.200
PING 10.120.10.200: 56 data bytes, press CTRL_C to break
Reply from 10.120.10.200: bytes=56 Sequence=1 ttl=64 time=9 ms
Reply from 10.120.10.200: bytes=56 Sequence=2 ttl=64 time=2 ms
Reply from 10.120.10.200: bytes=56 Sequence=3 ttl=64 time=4 ms
Reply from 10.120.10.200: bytes=56 Sequence=4 ttl=64 time=4 ms
Reply from 10.120.10.200: bytes=56 Sequence=5 ttl=64 time=4 ms
--- 10.120.10.200 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/4/9 ms
<c07_35U_5855_BMC02>dis arp
ARP Entry Types: D - Dynamic, S - Static, I - Interface, O - OpenFlow
EXP: Expire-time
IP ADDRESS MAC ADDRESS EXP(M) TYPE/VLAN INTERFACE VPN-INSTANCE
------------------------------------------------------------------------------
10.120.10.106 acb3-b53e-b365 I Vlanif3
10.120.10.26 b405-5d07-94ec 15 D/3 GE1/0/1
10.120.10.27 b405-5d05-e9b6 9 D/3 GE1/0/2
10.120.10.28 b405-5d07-937e 9 D/3 GE1/0/3
10.120.10.101 acb3-b535-f430 16 D/3 Eth-Trunk1
10.120.10.105 acb3-b53e-b3b5 4 D/3 Eth-Trunk1
10.120.10.180 74ea-c82f-21c8 8 D/3 GE1/0/20
10.120.10.184 943b-b0b0-5df6 5 D/3 GE1/0/18
10.120.10.186 542b-de51-b36c 12 D/3 GE1/0/22
10.120.10.187 c400-ada2-18fc 20 D/3 GE1/0/17
10.120.10.200 1418-7763-3173 20 D/3 GE1/0/13
10.120.10.254 acb3-b535-f415 20 D/3 Eth-Trunk1
----------------------------------------------------------------------------------------
Total:12 Dynamic:11 Static:0 Interface:1 OpenFlow:0
The host's MAC 1418-7763-3173, the same one the core learned (which confirms we are following the right device and not a stale entry), is learned on GE1/0/13.
Before calling that port the host, check whether yet another network device sits behind it, using dis lldp neighbor brief on the access switch:
Local Interface Exptime(s) Neighbor Interface Neighbor Device
-------------------------------------------------------------------------------
10GE1/0/1 101 10GE2/0/33 C05_35U_6881_MGBU01
10GE1/0/2 116 10GE1/0/33 C05_35U_6881_MGBU01
GE1/0/18 101 943b-b0b0-5df6
GE1/0/20 109 GigabitEthernet1/0/0 H3C
GE1/0/21 114 80e4-559d-427f
GE1/0/22 111 542b-de51-b36c
There is no LLDP entry for GE1/0/13, so it is the host itself. Strictly, the absence of an LLDP neighbor only means nothing on that port speaks LLDP; an unmanaged switch or a hypervisor would look the same, so checking how many MAC addresses the port has learned (display mac-address on that interface) is a useful second check. Note also that some of the entries above are servers whose NICs do speak LLDP and advertise only their MAC (GE1/0/22's 542b-de51-b36c matches the ARP entry for 10.120.10.186), so a MAC-only LLDP entry is a host, not a switch.
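The whole chain (gateway VLAN, ARP entry, trunk members, LLDP neighbor, repeat on the next device) is mechanical enough to script. The following is an added example written for this page, not code from the original post or a Huawei tool: it parses the text of the four VRP outputs used above, abridged from the page and embedded inline as constructed input, and decides for each hop whether the port leads to another switch (LLDP names a system), to a server that speaks LLDP (port id is a bare MAC), or to something silent. All function names are this example's own.

```python
"""Follow an IP through Huawei VRP CLI output: gateway Vlanif -> ARP -> port -> LLDP.
Added example for this page; the CLI text is abridged from the outputs pasted above.
"""
import ipaddress
import re

# Abridged from the core switch's dis ip int br / dis arp / dis interface Eth-Trunk /
# dis lldp neighbor brief shown in the post.
CORE_IP_INT_BRIEF = """\
Interface IP Address/Mask Physical Protocol VPN
Vlanif3 10.120.10.254/24 up up --
Vlanif4 10.120.12.62/26 up up --
Vlanif8 10.120.11.254/24 up up --
"""
CORE_ARP = """\
IP ADDRESS MAC ADDRESS EXP(M) TYPE/VLAN INTERFACE VPN-INSTANCE
10.120.10.200 1418-7763-3173 11 D/3 Eth-Trunk4
"""
CORE_TRUNK = """\
PortName Status Weight
10GE1/0/33 UP 1
10GE2/0/33 UP 1
"""
CORE_LLDP = """\
Local Interface Exptime(s) Neighbor Interface Neighbor Device
10GE1/0/32 112 10GE1/0/2 C07_33U_5855_BMC01
10GE1/0/33 101 10GE1/0/2 c07_35U_5855_BMC02
10GE2/0/33 101 10GE1/0/1 c07_35U_5855_BMC02
"""
# Abridged from the access switch c07_35U_5855_BMC02.
ACCESS_ARP = """\
10.120.10.106 acb3-b53e-b365 I Vlanif3
10.120.10.186 542b-de51-b36c 12 D/3 GE1/0/22
10.120.10.200 1418-7763-3173 20 D/3 GE1/0/13
"""
ACCESS_LLDP = """\
10GE1/0/1 101 10GE2/0/33 C05_35U_6881_MGBU01
GE1/0/18 101 943b-b0b0-5df6
GE1/0/22 111 542b-de51-b36c
"""

MAC_RE = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"  # VRP prints MACs as xxxx-xxxx-xxxx


def find_vlanif(ip_int_brief, ip):
    """Longest-prefix match of ip against the Vlanif addresses: (interface, network) or None."""
    target = ipaddress.ip_address(ip)
    best = None
    for line in ip_int_brief.splitlines():
        m = re.match(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+/\d+)\s", line)
        if not m:
            continue  # header, 'unassigned', NULL0 ...
        net = ipaddress.ip_network(m.group(2), strict=False)
        if target in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (m.group(1), net)
    return best


def arp_lookup(arp_text, ip):
    """(mac, interface) for ip, or None. VRP prints the EXP(M) column only for dynamic entries."""
    pat = re.compile(rf"^{re.escape(ip)}\s+({MAC_RE})\s+(?:\d+\s+)?\S+\s+(\S+)")
    for line in arp_text.splitlines():
        m = pat.match(line)
        if m:
            return m.group(1), m.group(2)
    return None


def trunk_members(trunk_text):
    """Member ports from the PortName/Status/Weight table of dis interface Eth-Trunk."""
    return re.findall(r"^(\S+)\s+(?:UP|DOWN)\s+\d+\s*$", trunk_text, re.M)


def lldp_neighbors(lldp_text):
    """local port -> (neighbor port id, neighbor system name or None)."""
    table = {}
    for line in lldp_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1].isdigit():  # skips the header row
            table[parts[0]] = (parts[2], parts[3] if len(parts) > 3 else None)
    return table


def classify_port(port, lldp, members=None):
    """What hangs off port (an Eth-Trunk is checked through its member ports):
    'switch' = LLDP names a peer system, keep tracing there;
    'host'   = the peer's port id is just a MAC (a server NIC speaking LLDP);
    'silent' = nothing speaks LLDP: usually the end host, but an unmanaged
               switch looks the same, so count learned MACs on the port too."""
    for p in members or [port]:
        neighbor = lldp.get(p)
        if neighbor is None:
            continue
        peer_port, name = neighbor
        if name:
            return "switch", name
        if re.fullmatch(MAC_RE, peer_port):
            return "host", peer_port
    return "silent", None


def trace_core(ip):
    """One hop on the core: gateway interface, MAC, port, and what is behind the port."""
    vlanif, _net = find_vlanif(CORE_IP_INT_BRIEF, ip)
    mac, iface = arp_lookup(CORE_ARP, ip)
    members = trunk_members(CORE_TRUNK) if iface.startswith("Eth-Trunk") else None
    kind, who = classify_port(iface, lldp_neighbors(CORE_LLDP), members)
    return vlanif, mac, iface, kind, who


def trace_access(ip):
    """Same hop on the access switch; the MAC here must equal the core's ARP MAC."""
    mac, iface = arp_lookup(ACCESS_ARP, ip)
    kind, who = classify_port(iface, lldp_neighbors(ACCESS_LLDP))
    return mac, iface, kind, who


if __name__ == "__main__":
    print(trace_core("10.120.10.200"))
    print(trace_access("10.120.10.200"))
```

On the page's data this yields ('Vlanif3', '1418-7763-3173', 'Eth-Trunk4', 'switch', 'c07_35U_5855_BMC02') on the core and ('1418-7763-3173', 'GE1/0/13', 'silent', None) on the access switch, with the MAC agreeing across both hops; a MAC that changed between devices would mean a stale entry or something answering ARP on the host's behalf, and the trace should stop and be re-checked.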
IV. Finding it in the server room
Without a cable tracer, the simplest method was to unplug ports on the switch one at a time and see which host lost connectivity. Shutting the port down from the CLI gives the same answer without touching the cabling, and the interface description (empty on these ports) and the vendor prefix (OUI) of the MAC are worth checking first to narrow down the rack.
That is how the offending host was finally found.
V. Thanks
- Thanks to boss Dai for the lldp command
- Thanks to Yu Xingxing for the ARP idea
- Thanks to everyone else I work with
(End)