Post on 18-Nov-2014
Hands-On Ethical Hacking and Network Defense
Chapter 9: Linux Operating System Vulnerabilities

Objectives
Describe the fundamentals of the Linux operating system
Describe the vulnerabilities of the Linux operating system
Describe Linux remote attacks
Explain countermeasures for protecting the Linux operating system

Review of Linux Fundamentals
Linux is a version of UNIX
  Usually available free
  Red Hat includes documentation and support for a fee
Linux creates default directories

Linux Exploration Demo
See link Ch 9b

Linux File System
Provides directory structure
Establishes a file-naming convention
Includes utilities to compress or encrypt files
Provides for both file and data integrity
Enables error recovery
Stores information about files and folders
  *NIX systems store information about files in information nodes (inodes)

inodes
Information stored in an inode
  An inode number
  Owner of the file
  Group the file belongs to
  Size of the file
  Date the file was created
  Date the file was last modified or read
There is a fixed number of inodes
  By default, one inode per 4 KB of disk space

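The inode fields listed above read with stat(2), as an added example that is not part of the slides; the file names in the demo are constructed. It also shows what the slide leaves out: a file name is only a reference to an inode (a hard link shares it), and a classic inode has no creation date, only ctime (last inode change) and mtime (last data write).

```c
#define _POSIX_C_SOURCE 200809L   /* for link() in unistd.h */
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Print the inode fields the slide lists, read with stat(2). Returns 0 on
   success, -1 if the path cannot be stat'ed. A classic inode stores no
   creation date: ctime is the last change to the inode itself (owner,
   mode, link count) and mtime the last write to the file's data. */
int print_inode(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    printf("%s: inode %lu, uid %lu, gid %lu, size %ld bytes\n", path,
           (unsigned long)st.st_ino, (unsigned long)st.st_uid,
           (unsigned long)st.st_gid, (long)st.st_size);
    printf("  links %lu, mtime %ld, ctime %ld\n", (unsigned long)st.st_nlink,
           (long)st.st_mtime, (long)st.st_ctime);
    return 0;
}

/* A file name is only a reference to an inode: a hard link to the same
   file shares the inode number and raises the link count. Returns 1 if
   both names resolve to the same inode on the same device, else 0. */
int same_inode(const char *a, const char *b) {
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0) return 0;
    return sa.st_ino == sb.st_ino && sa.st_dev == sb.st_dev;
}
/* Constructed demo (hypothetical file names): create a file in the current
   directory, hard-link it, compare the two names, then clean up. Returns
   the link count seen while both names existed (2 expected), -1 on failure. */
long demo_hard_link(void) {
    const char *orig = "inode_demo_file", *alias = "inode_demo_link";
    struct stat st;
    long links = -1;
    FILE *f = fopen(orig, "w");
    if (!f) return -1;
    fputs("constructed sample content\n", f);
    fclose(f);
    if (link(orig, alias) == 0) {
        if (stat(orig, &st) == 0 && same_inode(orig, alias))
            links = (long)st.st_nlink;
        print_inode(orig);
        print_inode(alias);
        unlink(alias);
    }
    unlink(orig);
    return links;
}
```
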
Mounting
In Windows, each device has a letter
  A: for floppy, C: for hard disk, and so on
*NIX mounts a file system (usually a drive) as a subfile system of the root file system /
The mount command is used to mount file systems or to display currently mounted file systems
The df command displays disk usage of mounted file systems

mount and df in Ubuntu

*NIX File System History
Minix file system
  Max. size 64 MB, max. file name 14 chars
Extended File System (Ext)
  Max. size 2 GB, max. file name 256 chars
Second Extended File System (Ext2fs)
  Max. size 4 TB, better performance and stability
Third Extended File System (Ext3fs)
  Journaling: recovers from crashes better

Linux Commands

Getting Help
Many of these commands have multiple parameters and additional functionality
Use these commands to get help (replace command with the command you want help with, such as ifconfig):
  command --help
  man command

Linux OS Vulnerabilities
UNIX has been around for quite some time
  Attackers have had plenty of time to discover vulnerabilities in *NIX systems
Enumeration tools can also be used against Linux systems
  Nessus can be used to enumerate Linux systems

Nessus Scanning a Linux Server

Linux OS Vulnerabilities (continued)
Nessus can be used to
  Discover vulnerabilities related to SMB and NetBIOS
  Discover other vulnerabilities
  Enumerate shared resources

Linux OS Vulnerabilities (continued)
Test Linux computer against common known vulnerabilities
  Review the CVE and CAN information
  See links Ch 9m, n, o

Remote Access Attacks on Linux Systems
Differentiate between local attacks and remote attacks
  Remote attacks are harder to perform
Attacking a network remotely requires
  Knowing what system a remote user is operating
  The attacked system’s password and login accounts

Footprinting an Attacked System
Footprinting techniques
  Used to find out information about a target system
Determining the OS version the attacked computer is running
  Check newsgroups for details on posted messages
  Knowing a company’s e-mail address makes the search easier

Other Footprinting Tools
Whois databases
DNS zone transfers
Nessus
Port scanning tools

Using Social Engineering to Attack Remote Linux Systems
Goal
  To get OS information from company employees
Common techniques
  Urgency
  Quid pro quo
  Status quo
  Kindness
  Position
Train your employees about social engineering techniques

Trojans
Trojan programs spread as
  E-mail attachments
  Fake patches or security fixes that can be downloaded from the Internet
Trojan program functions
  Allow for remote administration
  Create an FTP server on the attacked machine
  Steal passwords
  Log all keys a user enters, and e-mail the results to the attacker

Trojans
Trojan programs can use legitimate outbound ports
  Firewalls and IDSs cannot identify this traffic as malicious
  Example: Sheepshank uses HTTP GETs
It is easier to protect systems from already identified Trojan programs
  See links Ch 9e, f, g

Installing Trojan Programs (continued)
Rootkits
  Contain Trojan binary programs ready to be installed by an intruder with root access to the system
  Replace legitimate commands with Trojan programs
  Hide the tools used for later attacks
  Example: LRK5

LRK5
See links Ch 9h, i, j

Rootkit Detectors
Security testers should check their Linux systems for rootkits
  Rootkit Hunter (Link Ch 9l)
  Chkrootkit (Link Ch 9l)
  Rootkit Profiler (Link Ch 9k)

Demonstration of rkhunter
  sudo apt-get install rkhunter
  sudo rkhunter -c

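The principle behind these detectors in miniature, as an added example that is not rkhunter or chkrootkit code: hash each monitored binary against a baseline taken when the system was known good, so a command replaced by a rootkit (the point of the earlier slide) shows up as a mismatch. The file names and contents in the demo are constructed stand-ins for real binaries.

```c
#include <stdint.h>
#include <stdio.h>

/* 64-bit FNV-1a over a file's bytes; 0 if it cannot be opened, so a missing
   binary also fails. Brevity only: a real checker uses SHA-256 off-host. */
static uint64_t fnv1a_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    uint64_t h = 14695981039346656037ULL;
    for (int c; (c = fgetc(f)) != EOF; h *= 1099511628211ULL)
        h ^= (uint64_t)(unsigned char)c;
    fclose(f);
    return h;
}

/* One baseline entry: a monitored binary and its known-good hash. */
struct baseline { const char *path; uint64_t hash; };
/* Re-hash every monitored file; count and report the ones that changed. */
int check_baseline(const struct baseline *b, size_t n) {
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (fnv1a_file(b[i].path) != b[i].hash) {
            bad++;
            fprintf(stderr, "MODIFIED: %s\n", b[i].path);
        }
    return bad;
}

static int write_file(const char *path, const char *data) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}

/* Constructed demo; the file names are hypothetical stand-ins for /bin/ls
   and /bin/ps. Record a baseline, overwrite one "binary" the way a rootkit
   replaces ls or ps, re-check. Returns mismatches after the swap (1 expected),
   or -1 if setup failed or the untouched baseline already mismatched. */
int demo_tampered_binary(void) {
    struct baseline b[2] = { { "demo_bin_ls", 0 }, { "demo_bin_ps", 0 } };
    if (write_file(b[0].path, "original ls (constructed)\n") != 0 ||
        write_file(b[1].path, "original ps (constructed)\n") != 0) return -1;
    for (int i = 0; i < 2; i++) b[i].hash = fnv1a_file(b[i].path);
    if (check_baseline(b, 2) != 0) return -1;
    write_file(b[1].path, "trojaned ps (constructed)\n");
    int bad = check_baseline(b, 2);
    remove(b[0].path); remove(b[1].path);
    return bad;
}
```
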
Creating Buffer Overflow Programs
Buffer overflows write code to the OS’s memory
  Then run some type of program
  Can elevate the attacker’s permissions to the level of the owner
Security testers should know what a buffer overflow program looks like

Creating Buffer Overflow Programs (continued)
A C program that causes a buffer overflow

Creating Buffer Overflow Programs (continued)
The program compiles, but returns the following error

Creating Buffer Overflow Programs (continued)
A C code snippet that fills the stack with shell code

Avoiding Buffer Overflows
Write code that avoids functions known to have buffer overflow vulnerabilities
  strcpy()
  strcat()
  sprintf()
  gets()
Configure the OS so that code placed on the stack is not allowed to execute
Some compilers like gcc warn programmers when dangerous functions are used

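The unsafe pattern from the list above beside bounded replacements for strcpy(), sprintf() and gets(), as an added example that is not from the textbook or its slides; NAME_LEN and the function names are my own choices.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* room for 15 characters plus the terminating NUL */

/* The pattern the slide warns about: strcpy() stops only at the source's
   NUL, so any input of 16 or more characters writes past 'name' on the
   stack. Undefined behaviour; shown for contrast and never called with
   untrusted input here. */
void greet_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);                 /* unbounded copy: the defect */
    printf("Hello, %s\n", name);
}

/* Hardened form: measure first, refuse what does not fit, then copy within
   the destination size. Returns 1 if copied, 0 if rejected. Rejecting beats
   silent truncation (strncpy), which can drop the NUL and hide lost input. */
int copy_bounded(char *dst, size_t dstlen, const char *src) {
    size_t len = strlen(src);
    if (dstlen == 0 || len >= dstlen) return 0;
    memcpy(dst, src, len + 1);           /* includes the terminating NUL */
    return 1;
}

/* sprintf() replacement: snprintf() never writes past 'outlen' and returns
   the length the full string would have had, so a value >= outlen means
   truncation. Returns 1 on a complete write, 0 if truncated or on error. */
int format_greeting(char *out, size_t outlen, const char *name) {
    int n = snprintf(out, outlen, "Hello, %s", name);
    return n >= 0 && (size_t)n < outlen;
}

/* gets() replacement: fgets() takes the buffer size. Returns 1 if a whole
   line fit in 'buf' (newline stripped), 0 on EOF with nothing read or if
   the line was longer than the buffer (the remainder stays unread). */
int read_line_bounded(char *buf, size_t buflen, FILE *in) {
    if (!fgets(buf, (int)buflen, in)) return 0;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') { buf[len - 1] = '\0'; return 1; }
    return feof(in) ? 1 : 0;             /* no newline: overlong or last line */
}
```
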
Using Sniffers to Gain Access to Remote Linux Systems
Sniffers work by setting a network card adapter in promiscuous mode
  NIC accepts all packets that traverse the network cable
Attacker can analyze packets and learn user names and passwords
  Avoid using protocols such as Telnet, HTTP, and FTP that send data in clear text
Sniffers
  Tcpdump, Ethereal (now Wireshark)

Countermeasures Against Linux Remote Attacks
Measures include
  User awareness training
  Keeping current on new kernel releases and security updates

User Awareness Training
Social Engineering
  Users must be told not to reveal information to outsiders
  Make customers aware that many exploits can be downloaded from Web sites
  Teach users to be suspicious of people asking questions about the system they are using
Verify caller’s identity
  Call back technique

Keeping Current
Never-ending battle
  New vulnerabilities are discovered daily
  New patches are issued to fix new vulnerabilities
Installing these fixes is essential to protecting your system
Many OSs are shipped with automated tools for updating your systems