Slides 8 - USC Upstate: Faculty


SCSC 555

Outline
 Fundamentals of Linux operating system
 Vulnerabilities of Linux operating system
 Remote attacks on Linux
 Protecting Linux operating system
Fundamentals of Linux operating system

Linux default directories (directory tree shown on the slide)

Linux file system history
• Minix file system
• Extended File System (Ext)
• Second Extended File System (Ext2fs)
• Third Extended File System (Ext3fs)
(read details in the text)

 File system
◦ Enables directories or folders organization
◦ Establishes a file-naming convention
◦ Includes utilities to compress or encrypt files
◦ Provides for both file and data integrity
◦ Enables error recovery
◦ Stores information about files and folders
 File systems store information about files in information nodes (inodes)

 Information stored in an inode
◦ An inode number (the inode is identified by its number; the file name lives in the directory entry, not in the inode, so several names can point at one inode)
◦ Owner of the file
◦ Group the file belongs to
◦ Size of the file
◦ Permission bits and the hard-link count
◦ Timestamps: date the file was last read (atime), last modified (mtime) and last had its inode changed (ctime). Note that classic ext2/ext3 inodes store no creation date; ext4 added one (crtime), which recent versions of stat(1) can show. On the command line, stat <file> prints all of these fields.
 File systems use a fixed number of inodes
◦ On ext2/ext3/ext4 the inode count is set when the file system is created (mkfs); a volume can run out of inodes while it still has free blocks, and df -i shows inode usage
 The mount command is used to mount file systems
◦ It attaches a file system as a sub-tree of the root file system at a mount point
 The df command displays the currently mounted file systems and their free space
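The inode fields listed above, read through the stat(2) system call, as an added example that is not part of the slides. The struct and function names are this example's own, and the scratch file under /tmp is constructed by the program so it runs offline. struct stat has no creation-time member, which is the point about the "date created" entry, and the hard link at the end shows two names sharing one inode number.

```c
/* Added example (not from the slides): read inode fields through stat(2).
 * The scratch file is constructed here so the program runs offline. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* The subset of inode metadata the slide lists (names are this example's own). */
struct inode_summary {
    unsigned long ino;              /* inode number */
    unsigned int uid, gid;          /* owner and group */
    long long size;                 /* size in bytes */
    unsigned long nlink;            /* directory entries pointing at this inode */
    long long atime, mtime, ctime;  /* last read, last content change, last inode change */
};

/* Fill *out from the inode behind `path`. Returns 0 on success, -1 on error.
 * struct stat carries no creation time: classic ext2/ext3 inodes never stored one. */
int inode_info(const char *path, struct inode_summary *out)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    out->ino   = (unsigned long)st.st_ino;
    out->uid   = (unsigned int)st.st_uid;
    out->gid   = (unsigned int)st.st_gid;
    out->size  = (long long)st.st_size;
    out->nlink = (unsigned long)st.st_nlink;
    out->atime = (long long)st.st_atime;
    out->mtime = (long long)st.st_mtime;
    out->ctime = (long long)st.st_ctime;
    return 0;
}

/* Create a scratch file holding `text`; returns its malloc'd path or NULL. */
char *make_sample_file(const char *text)
{
    static const char tmpl[] = "/tmp/inode_example_XXXXXX";
    char *path = malloc(sizeof tmpl);
    if (!path)
        return NULL;
    memcpy(path, tmpl, sizeof tmpl);
    int fd = mkstemp(path);
    if (fd < 0) {
        free(path);
        return NULL;
    }
    size_t len = strlen(text);
    if (write(fd, text, len) != (ssize_t)len) {
        close(fd);
        unlink(path);
        free(path);
        return NULL;
    }
    close(fd);
    return path;
}

/* Print one summary line. */
void print_inode(const char *path, const struct inode_summary *s)
{
    printf("%s: inode %lu uid %u gid %u size %lld links %lu mtime %lld ctime %lld\n",
           path, s->ino, s->uid, s->gid, s->size, s->nlink, s->mtime, s->ctime);
}

int main(void)
{
    char *path = make_sample_file("hello inode\n");   /* constructed content */
    if (!path) {
        perror("make_sample_file");
        return 1;
    }
    struct inode_summary a, b;
    if (inode_info(path, &a) == 0)
        print_inode(path, &a);

    /* A hard link is a second name for the same inode: same number, link count 2.
     * Unlinking the original name leaves the data reachable through the other
     * name, which is one way an intruder's files survive being "deleted". */
    char link_path[64];
    snprintf(link_path, sizeof link_path, "%s.link", path);
    if (link(path, link_path) == 0 && inode_info(link_path, &b) == 0)
        print_inode(link_path, &b);

    unlink(link_path);
    unlink(path);
    free(path);
    return 0;
}
```

Build with cc -o inode_info inode_info.c and compare its output with stat on the same path; df -i on the containing file system shows how many of the fixed inode pool are in use.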
Linux Network Commands (command listing shown on the slides only)
Vulnerabilities of Linux operating system

 UNIX has been around for quite some time
◦ Attackers have had plenty of time to discover vulnerabilities in *NIX systems
◦ Enumeration tools can also be used against Linux systems

 Nessus can be used to enumerate Linux systems
 Discover vulnerabilities related to SMB and NetBIOS (served on Linux by Samba)
 Enumerate shared resources
 Discover the root password, where it is blank, a default, or weak enough for the scanner's credential checks to guess

 Common Vulnerabilities and Exposures (CVE): the public catalogue of known vulnerabilities. Scanner findings reference CVE identifiers, and a distribution's security advisories map each one to the package version that fixes it.
Remote attacks on Linux

 Differentiate between local attacks and remote attacks
◦ Remote attacks are harder to perform
◦ Attacking a system remotely requires
 Knowing what operating system and services the remote host is running
 Valid login accounts and passwords for the attacked system (or an exploitable network service)

 Footprinting techniques
◦ Used to find out information about a target system
◦ Footprinting tools include: Whois databases, DNS zone transfers, Nessus, and port scanning tools

 Determining the OS version the attacked computer is running
◦ Check newsgroups and mailing-list archives for messages posted by the target's staff; they often mention software and kernel versions
◦ Knowing a company's e-mail address (its domain) makes the search easier



 Social engineering
◦ Goal: to get OS information from company employees
◦ Common techniques: urgency, quid pro quo, status quo, kindness, position
◦ Train your employees about social engineering techniques

 Trojan programs spread as
◦ E-mail attachments
◦ Fake patches or security fixes that can be downloaded from the Internet

 Trojan program functions
◦ Allow for remote administration
◦ Create an FTP server on the attacked machine
◦ Steal passwords
◦ Log all keys a user enters, and e-mail the results to the attacker

 Linux Trojan programs disguised as legitimate programs
◦ Can use legitimate outbound ports
◦ Port-based firewalls and simple IDS rules cannot identify this traffic as malicious, because it looks like ordinary web browsing; only inspection of the content or of the destination can tell it apart
 E.g.: Sheepshank uses HTTP GET requests on port 80 (p. 214)

 It is easier to protect systems from already identified Trojan programs
◦ E.g., Trojan.Linux.JBellz, Remote Shell, Dextenea


 Rootkits
◦ Contain Trojan binary programs ready to be installed by an intruder with root access to the system
◦ Attackers use them to hide the tools used for later attacks
◦ Replace legitimate commands with Trojan programs
◦ E.g.: LRK5
 Tools to check for rootkits
◦ Rootkit Hunter (rkhunter)
◦ chkrootkit

 Scan the system(s) for unpatched code/modules
 Intruders usually focus on a small number of exploits

 A Trojan horse is a malicious program that is disguised as legitimate software
◦ Trojan horse programs are bundled in the form of "rootkits"
◦ Originally written for Sun's Berkeley flavor of Unix (SunOS 4)

 A rootkit is a set of tools used by an intruder after compromising a computer system
◦ Helps the attacker maintain his or her access to the system and use it for malicious purposes
◦ Hides data that indicates an intruder has control of your system
◦ Rootkits exist for a variety of operating systems such as Linux, Solaris and Microsoft Windows

 Rootkits were first developed for Unix
◦ Back in the 1980s, determining what was happening on your Unix box wasn't too hard
◦ A set of "service tools" report status, maintain logs and give the user feedback on the current state of the system
 What the service tools report, and the time horizon each covers

  Past     System/user logs           e.g. /var/log/messages
  Present  User account information   e.g. who, last, login, passwd
           Process/file information   e.g. ls, find, du, top, pidof
           Network information        e.g. netstat, ifconfig, rshd, telnet
  Future   Scheduler information      e.g. crontab


 Early rootkits were bundles of programs that replaced these service binaries with Trojans
 For example, the "last" binary is renamed and replaced with a wrapper script that pipes the real binary's output through awk, dropping every line whose first field (the login name) matches the attacker's account:

    last | awk '$1 !~ /maliciousUserName/ {print $0}'

 Linux RootKit 5 (lrk5)
◦ Written by Lord Somer
◦ One of the most full-featured rootkits
◦ Includes Trojan versions of the following:
 chfn, chsh, crontab, du, find, ifconfig, inetd, killall, login, ls, netstat, passwd, pidof, ps, rshd, syslogd, tcpd, top, sshd, and su

 Get a program to scan /bin/login and see if it has been corrupted
◦ Tools like Tripwire can check the integrity of the file if a hash was generated at install time, before the system was exposed to the network
◦ Keep that baseline on read-only or offline media; a baseline the intruder can rewrite proves nothing

 Identify and replace the files that have been modified
◦ Compare checksums of the installed programs against the known-good values. The slide suggests MD5; use SHA-256 today, since MD5 collisions are practical, and where possible compare against the distribution's signed package database rather than a locally generated list.
◦ Run the check from a trusted environment (rescue media), since a rootkit can also replace md5sum, ls and, with a kernel module, the kernel's own view of the file system
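Two checks against the trojaned-binary technique above, as an added example that is not part of the slides: is_elf() catches the crude case where a compiled binary such as last has been swapped for a shell-script wrapper, and the baseline routines show the Tripwire idea of hashing each file at install time and comparing later. The function names, the baseline table and the 64-bit FNV-1a hash are this example's own choices; FNV-1a is not a cryptographic hash and stands in here only to keep the program self-contained. In practice use Tripwire/AIDE or sha256sum, and compare against the distribution's signed package metadata. The scratch file under /tmp is constructed by the program.

```c
/* Added example (not from the slides): detect a replaced binary by file type
 * and by digest against an install-time baseline. FNV-1a is a stand-in hash. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 1 if the file starts with the ELF magic (a real compiled binary), 0 if not
 * (a "#!/bin/sh" wrapper script, for instance), -1 if it cannot be read. */
int is_elf(const char *path)
{
    unsigned char head[4];
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t n = fread(head, 1, sizeof head, f);
    fclose(f);
    return n == 4 && memcmp(head, "\x7f" "ELF", 4) == 0;
}

/* 64-bit FNV-1a over the whole file. Returns 0 and stores the digest, else -1. */
int fnv1a_file(const char *path, uint64_t *out)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    uint64_t h = 0xcbf29ce484222325ULL;   /* FNV offset basis */
    unsigned char buf[4096];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0)
        for (size_t i = 0; i < n; i++) {
            h ^= buf[i];
            h *= 0x100000001b3ULL;        /* FNV prime */
        }
    int err = ferror(f);
    fclose(f);
    if (err)
        return -1;
    *out = h;
    return 0;
}

/* One baseline entry per monitored program (e.g. /bin/login, /usr/bin/last). */
struct baseline_entry { const char *path; uint64_t digest; int elf; };

/* Record digest and file type for each entry at install time; returns how many succeeded. */
int baseline_record(struct baseline_entry *tbl, int n)
{
    int ok = 0;
    for (int i = 0; i < n; i++)
        if (fnv1a_file(tbl[i].path, &tbl[i].digest) == 0) {
            tbl[i].elf = is_elf(tbl[i].path);
            ok++;
        }
    return ok;
}

/* Re-check every entry. Returns how many files are missing, have a different
 * digest, or changed type (ELF binary replaced by a script). */
int baseline_verify(const struct baseline_entry *tbl, int n)
{
    int changed = 0;
    for (int i = 0; i < n; i++) {
        uint64_t now;
        if (fnv1a_file(tbl[i].path, &now) != 0) {
            printf("MISSING %s\n", tbl[i].path);
            changed++;
            continue;
        }
        int elf_now = is_elf(tbl[i].path);
        if (now != tbl[i].digest || elf_now != tbl[i].elf) {
            printf("CHANGED %s%s\n", tbl[i].path,
                   (tbl[i].elf == 1 && elf_now == 0) ? " (ELF replaced by a non-ELF file, e.g. a wrapper script)" : "");
            changed++;
        }
    }
    return changed;
}

/* Write constructed content to a scratch file; returns its malloc'd path or NULL. */
char *write_scratch(const char *content)
{
    static const char tmpl[] = "/tmp/baseline_XXXXXX";
    char *path = malloc(sizeof tmpl);
    if (!path)
        return NULL;
    memcpy(path, tmpl, sizeof tmpl);
    int fd = mkstemp(path);
    size_t len = strlen(content);
    if (fd < 0 || write(fd, content, len) != (ssize_t)len) {
        if (fd >= 0) close(fd);
        free(path);
        return NULL;
    }
    close(fd);
    return path;
}

int main(void)
{
    /* Constructed stand-in for /usr/bin/last: ELF magic plus filler bytes. */
    char *bin = write_scratch("\x7f" "ELF\x02\x01\x01 constructed program body");
    if (!bin)
        return 1;
    struct baseline_entry tbl[] = { { bin, 0, 0 } };
    baseline_record(tbl, 1);                                  /* install-time snapshot */
    printf("before: %d changed\n", baseline_verify(tbl, 1));
    FILE *f = fopen(bin, "wb");                               /* intruder installs the wrapper */
    if (f) {
        fputs("#!/bin/sh\nlast | awk '$1 !~ /maliciousUserName/ {print $0}'\n", f);
        fclose(f);
    }
    printf("after: %d changed\n", baseline_verify(tbl, 1));
    unlink(bin);
    free(bin);
    return 0;
}
```

The type check alone is weak: a trojaned binary compiled from modified source is still ELF, which is why the digest comparison, and a baseline the attacker cannot rewrite, carry the real weight.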








 Rootkit detection and hardening tools
◦ chkrootkit
◦ Tripwire
◦ Rkscan
◦ Carbonite
◦ Rkdet
◦ Checkps
◦ LSM (Loadable Security Module)
◦ LCAP (Linux Kernel Capability Bounding Set Editor)
 Programs and signatures that chkrootkit checks (this is chkrootkit's own list of tests):
aliens, sniffer, basename, dirname, grep, identd, asp, wted, biff, echo, inetdconf, mail, bindshell, scalper, chfn, egrep, hdparm, killall, lkm, slapper, chsh, env, ifconfig, ldsopreload, rexedcs, amd, cron, find, su, login, du, z2, date, fingerd, inetd, ls, mingetty, pop3, sendmail, telnetd, w, write, pidof, slogin, syslogd, tcpdump, traceroute, timed, passwd, rshd, tcpd, sshd, tar, top, rpcinfo, gpm, pstree, ps, named, netstat, pop2, rlogind, lsof, init
 Rootkits, worms and LKMs recognised (chkrootkit's own list of what it detects):
01. lrk3, lrk4, lrk5, lrk6 (and variants);
02. Solaris rootkit;
03. FreeBSD rootkit;
04. t0rn (and variants);
05. Ambient's Rootkit (ARK);
06. Ramen Worm;
07. rh[67]-shaper;
08. RSHA;
09. Romanian rootkit;
10. RK17;
11. Lion Worm;
12. Adore Worm;
13. LPD Worm;
14. kenny-rk;
15. Adore LKM;
16. ShitC Worm;
17. Omega Worm;
18. Wormkit Worm;
19. Maniac-RK;
20. dsc-rootkit;
21. Ducoci rootkit;
22. x.c Worm;
23. RST.b trojan;
24. duarawkz;
25. knark LKM;
26. Monkit;
27. Hidrootkit;
28. Bobkit;
29. Pizdakit;
30. t0rn v8.0;
31. Showtee;
32. Optickit;
33. T.R.K;
34. MithRa's Rootkit;
35. George;
36. SucKIT;
37. Scalper;
38. Slapper A, B, C and D;
39. OpenBSD rk v1;
40. Illogic rootkit;
41. SK rootkit;
42. sebek LKM;
43. Romanian rootkit;
44. LOC rootkit;
45. shv4 rootkit;
46. Aquatica rootkit;
47. ZK rootkit.

 Buffer overflows write past the end of a fixed-size buffer into adjacent memory
◦ On the stack this can overwrite the saved return address, so the function "returns" into attacker-supplied code and then runs some type of program of the attacker's choosing
◦ Can elevate the attacker's permissions to the level of the owner of the vulnerable program (root, for a setuid binary or a daemon running as root)

 A buffer overflow program looks like (listing shown on the slide, not in the transcript)

 The program compiles, but returns the following error (shown on the slide, not in the transcript)

 Guidelines to help reduce this type of attack
◦ Avoid functions known to have buffer overflow vulnerabilities
 strcpy()
 strcat()
 sprintf()
 gets()
◦ Use bounded replacements that take the destination size (snprintf(), fgets(), strlcpy()/strlcat() where available) and check their return values for truncation
◦ Configure the OS so that code in the stack cannot be executed (a non-executable stack, NX/DEP); combine it with stack canaries and address-space layout randomisation, which turn most overflows into crashes instead of code execution
◦ Use compilers that warn programmers when the functions listed in the first bullet are used (e.g. gcc with -Wall and -D_FORTIFY_SOURCE=2, plus -fstack-protector-strong to add canaries)
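The unbounded copy the guidelines warn about, beside a bounded replacement, as an added example that is not the listing from the slide. The struct, function names and the 19-byte input are this example's own construction; the struct places an int directly after the buffer so that the overwrite is visible without smashing the stack, and the overflowing call is undefined behaviour kept only to make the corruption concrete.

```c
/* Added example (not from the slides): unbounded copy vs bounded copy.
 * Overflowing `name` is undefined behaviour and is shown only in main(). */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

struct login_record {
    char name[NAME_LEN];   /* fixed-size buffer */
    int is_admin;          /* sits right after the buffer in memory */
};

/* Vulnerable: copies until NUL with no bound, exactly what strcpy() does.
 * A name of NAME_LEN bytes or more runs past `name` into `is_admin`. */
void set_name_unsafe(struct login_record *r, const char *input)
{
    char *d = r->name;
    while ((*d++ = *input++) != '\0')
        ;
}

/* Hardened: bounded copy. Returns 0 on success, -1 if the input does not fit.
 * Never writes past dst_size bytes and leaves dst NUL-terminated either way. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dst_size) {      /* reject loudly rather than truncate silently */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);  /* n bytes plus the terminating NUL */
    return 0;
}

int set_name_safe(struct login_record *r, const char *input)
{
    return copy_bounded(r->name, sizeof r->name, input);
}

int main(void)
{
    /* Constructed input: 19 'A's, three more than the buffer holds. */
    const char *attack = "AAAAAAAAAAAAAAAAAAA";
    struct login_record r = { "", 0 };

    if (set_name_safe(&r, attack) != 0)
        printf("safe: rejected %zu-byte name, is_admin still %d\n",
               strlen(attack), r.is_admin);

    /* Undefined behaviour: the last four bytes ("AAA" + NUL) land in is_admin. */
    set_name_unsafe(&r, attack);
    printf("unsafe: is_admin is now 0x%x\n", (unsigned)r.is_admin);
    return 0;
}
```

With a longer input the unbounded copy keeps going past the struct onto the stack, which is where the saved return address lives; a stack canary (gcc -fstack-protector-strong) makes that case abort instead of returning into attacker data.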



 Sniffers work by setting a network card adapter in promiscuous mode
◦ The NIC accepts all packets that traverse the network cable, not only those addressed to it (on a switched network the attacker sees only their own segment unless they also poison ARP or mirror a port)
 Attacker can analyze packets and learn user names and passwords
◦ Avoid using protocols such as Telnet, HTTP, and FTP that send data in clear text; use SSH, HTTPS and SFTP/FTPS instead
 Sniffers
◦ tcpdump, Ethereal (now Wireshark)
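A host-side check for the promiscuous-mode footprint described above, as an added example that is not part of the slides. On Linux the kernel publishes each interface's flag word in /sys/class/net/<name>/flags, and bit 0x100 (IFF_PROMISC in linux/if.h) is set while a sniffer has the card in promiscuous mode; ip link show prints the same flag as PROMISC. The function names are this example's own, and the flag values in main() are constructed samples. A kernel-level rootkit can hide the flag, so this is a first check, not proof of a clean host.

```c
/* Added example (not from the slides): detect promiscuous mode from sysfs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IFF_PROMISC_BIT 0x100UL   /* IFF_PROMISC from <linux/if.h> */

/* 1 if the flag word has IFF_PROMISC set, else 0. */
int promisc_from_flags(unsigned long flags)
{
    return (flags & IFF_PROMISC_BIT) != 0;
}

/* Parse the text found in /sys/class/net/<if>/flags, e.g. "0x1103\n".
 * Returns 0 and stores the value, or -1 on malformed input. */
int parse_flags_text(const char *text, unsigned long *out)
{
    char *end;
    unsigned long v = strtoul(text, &end, 0);   /* base 0 accepts the 0x prefix */
    if (end == text)
        return -1;
    while (*end == '\n' || *end == ' ')
        end++;
    if (*end != '\0')
        return -1;
    *out = v;
    return 0;
}

/* 1 if `ifname` is in promiscuous mode, 0 if not, -1 if its flags cannot be
 * read (no such interface, or no Linux sysfs). */
int iface_promisc(const char *ifname)
{
    char path[128], text[32];
    if (strchr(ifname, '/') != NULL)           /* refuse path tricks in the name */
        return -1;
    if (snprintf(path, sizeof path, "/sys/class/net/%s/flags", ifname) >= (int)sizeof path)
        return -1;
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    char *got = fgets(text, sizeof text, f);
    fclose(f);
    unsigned long flags;
    if (!got || parse_flags_text(text, &flags) != 0)
        return -1;
    return promisc_from_flags(flags);
}

int main(int argc, char **argv)
{
    /* Constructed sample flag words: 0x1003 is a normal up interface,
     * 0x1103 the same interface with IFF_PROMISC added. */
    printf("0x1003 -> %d, 0x1103 -> %d\n",
           promisc_from_flags(0x1003), promisc_from_flags(0x1103));

    const char *ifname = argc > 1 ? argv[1] : "eth0";
    int r = iface_promisc(ifname);
    if (r < 0)
        printf("%s: cannot read interface flags\n", ifname);
    else
        printf("%s: %s\n", ifname, r ? "PROMISCUOUS (sniffer running?)" : "normal");
    return 0;
}
```

Run it as ./promisc eth0 while tcpdump -i eth0 is active to see the flag flip; a loop over the entries in /sys/class/net turns it into a cron-driven check.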
Protecting Linux operating system



 Users must be told not to reveal information to outsiders
 Make customers aware that many exploits can be downloaded from Web sites
 Teach users to be suspicious of people asking questions about the system they are using
◦ Verify the caller's identity
◦ Call-back technique: end the call and ring back on a number from the directory, not one the caller supplies

 Keep current on new kernel releases and security updates
◦ Installing these fixes is essential to protecting your system
◦ Use the distribution's automated tools for updating your systems (apt, dnf/yum and their unattended-upgrade options) and subscribe to its security announcements so that a fix is applied before the exploit reaches the Web sites mentioned above