Networking in Linux

Hacking Unix/Linux

Footprinting, Scanning, Enumeration

Footprinting: similar to Windows but using different tools:
- Network enumeration: using whois and finding the authoritative name server.
- DNS interrogation: using nslookup for zone transfers, host to find the e-mail server, and traceroute for network reconnaissance. Also dig.
- Ubuntu: use System, Administration, Network Tools for ping, whois, traceroute, etc.
Scanning: again similar to Windows with different tools:
- Nmap and Nmapfe: use sudo apt-get install nmap and sudo apt-get install nmapfe to set them up. Use sudo nmapfe for the graphical interface.
- ping sweeps, port scanning (TCP and UDP), OS detection.
- Countermeasures: Snort and Psionic PortSentry (see their documentation; covered later under IPS/IDS).

Enumeration: UNIX enumeration.
- UNIX user and group enumeration: finger (see this example) and tftp should be disabled and killed.
- Basic daemons: sendmail, rpc, NFS, NIS -- all have known vulnerabilities; set them up carefully and apply the latest security patches.
Getting started

Vulnerability mapping: identify specific software vulnerabilities (e.g. sendmail, telnet, ftp, NFS, apache).

Quest for root: root or nothing? su - root.

Remote access: gaining access via the network.
Local access: having access to a shell or a login on the system.
- exploit a listening daemon/service
- a UNIX system performing routing with IP forwarding enabled
- user-initiated remote execution (hostile Web site, Trojan horses, etc.)
- privilege escalation attacks (from login to root)
- once a remote access exploits a vulnerability it gains local shell access

Brute force attacks (we will see John the Ripper but not Hydra):
- remote login programs: telnet, ftp, rlogin, rsh, ssh, http, plus a tool to crack the username/password combination. The /etc/passwd file: you should use shadow passwords.
Remote access

Data driven attacks: sending data to an active service that causes unintended results, generally allowing access to the system.
- Buffer overflow: the same vulnerabilities as on Windows (C programs). Countermeasures: basically good programming practices, testing, auditing, safer compilers, etc.
- Input validation: failing to validate input and accepting extraneous input (hack code!!!). Produces similar results to a buffer overflow, and the countermeasure is the same: safe programming.

Shell access: after gaining access using a data driven attack, the first objective is to open a shell window to enter commands.
- Traditional shell access: telnet, rlogin, ssh (admins can close most).
- Using X-Windows to run xterm on the remote (target) machine and display it on the intruder's machine, using its client/server features.
- Reverse telnet and back channels: admins can remove X, then what? Run nc (netcat) on the intruder's machine and run malicious code on the target, creating a telnet connection from target to intruder.

Common remote access attacks

FTP: do not run anonymous FTP on the same server where you have regular accounts and ftp with user authentication. Keep up to date with vulnerabilities (e.g. wu-ftpd, a popular ftp daemon, had a vulnerability in exec). Better yet, only use ssh/scp.

Sendmail: a very complex mail server (over 80,000 lines of code), which few understand. It is needed on almost all UNIX machines and in most cases should not be disabled. Qmail is a potential replacement.

Remote Procedure Call: rpcinfo (as root) lets us see the running rpc services. The best defense is to limit the use of RPC services to the minimum.

NFS: do not export the file system to everyone; enable NFS selectively (it is not active in the MISLab) and keep files saved locally, not on the network.

DNS: disable BIND on machines NOT used as DNS servers (type ps aux to see what processes are running, and also look for /etc/name.boot). Discussing named is beyond the scope of this course (another difficult daemon to set up safely). To test for the buffer overflow, check the running version with dig @ipnumber version.bind chaos txt.
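
The enumeration item earlier says finger and tftp should be disabled and killed, and this section says the same of RPC and of named on machines that are not DNS servers. The check below is an added example written for these notes, not code from the original lecture: it reads ss -tulnp style output and flags any listener whose process name is on a list of daemons you have decided should not run on the machine. The UNWANTED list and the sample ss lines are constructed for the demonstration; on a real host pipe the live ss output into the function and adjust the list to your own policy.

```shell
#!/bin/sh
# Added example (not from the lecture notes): flag listening daemons that the
# notes say should normally be disabled. The daemon list is an assumption;
# tune it to what your machine is actually supposed to run.
UNWANTED="fingerd in.fingerd tftpd in.tftpd rpcbind portmap named telnetd in.telnetd"

# flag_unwanted_listeners: reads "ss -tulnp"-style lines on stdin and prints
# "proto port process" for every listener whose process name is in UNWANTED.
flag_unwanted_listeners() {
    while IFS= read -r line; do
        # Skip the header line that ss prints.
        case "$line" in Netid*) continue ;; esac
        proto=$(printf '%s\n' "$line" | awk '{print $1}')
        local_addr=$(printf '%s\n' "$line" | awk '{print $5}')
        port=${local_addr##*:}
        # ss -p renders the owner as users:(("named",pid=655,fd=21)); pull the name out.
        proc=$(printf '%s\n' "$line" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')
        [ -n "$proc" ] || continue
        for bad in $UNWANTED; do
            if [ "$proc" = "$bad" ]; then
                printf '%s %s %s\n' "$proto" "$port" "$proc"
            fi
        done
    done
}

# Constructed sample in the layout of "ss -tulnp": one tftp, one sshd, one
# named and one rpcbind listener. Only sshd is expected on this machine.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:69         0.0.0.0:*         users:(("in.tftpd",pid=612,fd=4))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      10     0.0.0.0:53         0.0.0.0:*         users:(("named",pid=655,fd=21))
tcp   LISTEN 0      128    0.0.0.0:111        0.0.0.0:*         users:(("rpcbind",pid=480,fd=8))'

# demo: runs the check over the constructed sample.
demo() { printf '%s\n' "$SAMPLE_SS" | flag_unwanted_listeners; }

# Live use (needs root to see process names):  ss -tulnp | flag_unwanted_listeners
demo
```

Anything the function prints is a daemon the notes told you to shut down: stop it, disable it at boot, and re-run the check; an empty result is the goal.
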
Local access

Password cracking: we cannot decrypt a password; instead we use a dictionary, or another kind of algorithm, to generate candidate passwords, encrypt them using the crypt function (DES, etc.) and compare the result with the hash in the passwd file. Crack 5 and John the Ripper are two of "the best of the breed."
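
The brute force item earlier says the /etc/passwd file is the target and that you should use shadow passwords; the paragraph above shows why: a cracker only needs the hash, so the hash must live in root-only /etc/shadow, never in world-readable /etc/passwd. The audit below is an added example written for these notes, not code from the original lecture. It reads a passwd-format file and reports accounts whose hash is still in the file, accounts with an empty password field, and extra UID-0 accounts. The sample file and the hash string in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the lecture notes): audit a passwd-format file for
# the weaknesses the notes warn about.

# audit_passwd FILE: prints one finding per line as "kind:user":
#   nopassword     - empty password field, i.e. login without a password
#   hash-in-passwd - a real hash (not x, *, or !) kept in the world-readable file
#   extra-uid0     - an account other than root with UID 0
audit_passwd() {
    awk -F: '
        NF < 7 || /^#/                          { next }
        $2 == ""                                { print "nopassword:" $1 }
        $2 != "" && $2 != "x" && $2 !~ /^[*!]/  { print "hash-in-passwd:" $1 }
        $3 == 0 && $1 != "root"                 { print "extra-uid0:" $1 }
    ' "$1"
}

# Constructed sample: root and alice are shadowed, daemon is locked, "legacy"
# still carries a (made-up) crypt-style hash in passwd, "guest" has no
# password at all, and "toor" is a second UID-0 account.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:AbCdEfGhIjKlM:1001:1001:Legacy User:/home/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
toor:x:0:0:alt root:/root:/bin/bash
alice:x:1003:1003:Alice:/home/alice:/bin/bash
EOF

# demo: runs the audit over the constructed sample.
demo() { audit_passwd "$SAMPLE_PASSWD"; }

# On a real host:  audit_passwd /etc/passwd   (no output is the goal)
demo
```

The legacy case is the one the notes are about: pwconv moves such a hash into /etc/shadow, after which the passwd field reads x and a non-root user has nothing to feed to Crack or John.
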
- Local buffer overflow: same problems and countermeasures.
- Symlinks: ln -s /this /that makes /that a link to /this; when you cat /that you see the contents of /this.
- Signals in UNIX: you restart, start and stop daemons by sending them signals: SIGXXX.
- Core dumps: memory (core) dumps are snapshots of memory taken when an error occurs. Delete them or they stay. ulimit -c 0 cancels core dumps.
- Shared libraries: replace a standard library file with a rogue one that grants privileges to the intruder when it is used.
- Kernel problems: upgrades to the kernel may create security flaws, which will be found, patched, etc. Linux is particularly vulnerable (and growing).
- File and directory permissions: SUID files -- a necessary evil.
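
SUID files being "a necessary evil", the practical defense is to know which ones you expect and notice when a new one appears (a SUID shell left in /tmp after a break-in is the classic case). The script below is an added example written for these notes, not code from the original lecture: it lists every set-uid or set-gid regular file under a directory and prints those missing from a baseline list. The demo directory tree, its file names and the baseline are constructed here; on a real host you would run it against / with a baseline saved when the machine was known good.

```shell
#!/bin/sh
# Added example (not from the lecture notes): report SUID/SGID files that are
# not in a known-good baseline.

# suid_new ROOT BASELINE: prints every regular file under ROOT with the
# set-uid (4000) or set-gid (2000) bit whose path is not an exact line of
# BASELINE. grep -vxF compares whole lines literally; "|| true" keeps the
# function's exit status 0 when nothing new is found.
suid_new() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print \
        | sort | grep -vxF -f "$2" || true
}

# Constructed demo tree: bin/passwd is an expected SUID binary and is in the
# baseline, bin/ls is an ordinary file, tmp/.sh is a SUID file nobody planned.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/bin" "$DEMO/tmp"
printf 'expected' > "$DEMO/bin/passwd"; chmod 4755 "$DEMO/bin/passwd"
printf 'ordinary' > "$DEMO/bin/ls";     chmod 0755 "$DEMO/bin/ls"
printf 'dropped'  > "$DEMO/tmp/.sh";    chmod 4755 "$DEMO/tmp/.sh"
printf '%s\n' "$DEMO/bin/passwd" > "$DEMO/baseline.txt"

# demo: runs the comparison over the constructed tree; only tmp/.sh should show up.
demo() { suid_new "$DEMO" "$DEMO/baseline.txt"; }

# Real use: save a baseline once on a clean system, then compare on a schedule.
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort > /root/suid.baseline
#   suid_new / /root/suid.baseline
demo
```

Keep the baseline somewhere the intruder cannot edit (root-only, ideally off-box), because a baseline that can be rewritten along with the SUID file tells you nothing.
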