Transcript Hacking Linux Based on Hatch, Lee, and Kurtz ISBN 0-07-212773-2

Hacking Linux
Based on
Hacking Linux Exposed
Hatch, Lee, and Kurtz
ISBN 0-07-212773-2
Looking into Linux
Linux security overview
Proactive measures and recovering
Stages of hacking – again
Mapping your machine and network
Social Engineering, Trojans, and other tricks
Physical attacks
Attacking over the network
Abusing the network itself
Elevating user privilege
Password cracking
Maintaining access
Server issues and vulnerabilities
Mail and ftp
Web servers and dynamic content
Access control and firewalls
Linux security overview
Porque
You are easy
You can be used as anonymous access
You are Linux and thus open source
The OS source is available
But the developers are self-policing – developer culture and Bugtraq
Access control methods
Password security
Controls on users
Privileged ports
Virtual memory gets reclaimed
Proactive measures and recovering
Proactive measures
Insecurity scanners – finding your own weakness
Scan detectors – is someone eyeballing you?
Hardening your system
Log file analysis
File system integrity checks
Recovering from being hacked
Detecting if you have been hacked
What to do after a breakin
Mapping your machine and network
Public domain looking
Online searches
Whois databases
Ping sweeps
DNS issues
Traceroutes
Port scanning
OS detection
Active stack fingerprinting
Passive stack fingerprinting
Mapping, continued
Enumerating RPC services
What authentication level is used
What services – NFS, NIS, other PRC
NFS file sharing
What is exportable – and to what users
SNMP possibilities
Network insecurity scanners
Canned stuff that combines all these approaches
Social Engineering, Trojans, and other tricks
Social engineering
Trojan horses
Viruses and worms
IRC backdoors
Physical attacks
Attacking the office
Sneaky pete installs something
Boot access is root access
Boot passwords are in the flash ROM
Setup helps a little bit
Encrypted filesystems
Attacking over the network
Using the network itself
TCP/IP
The public phone system
Default or bad configurations
NFS mounts
Netscape defaults
Squid
X-Windows system
TCP/IP
Structure (header and function)
TCP
Flag bits (Urgent, Ack, Push, Reset, Syn, Fin)
UDP – less structure and functionality
ICMP – Control messages – many hacking possibilities
IP – Underlies these three protocols – host-to-host
The public phone system
Modem attacks
Wardialing – mechanized dialing used to find modems
Attacks on modem internal protocols – Hayes not-so-smart Modem
Idea was to shut off sound, store a new number, disconnect and redial
Moldavia
Countermeasures
One-time-pad login modules
Passwording
Biometrics
More network attacks
Default passwords and password guessing
Sniffers
How they work
Common versions
Vulnerabilities
Buffer overflows
Vulnerable services
Vulnerable scripts
Unnecessary services and detecting them
Using netstat, lsof, nmap
How to turn them off – inetd.conf
Abusing the network itself
DNS Exploits
Routing issues
Advanced sniffing and session hijacking
Hunt
Dsniff
Man-in-the-middle attacks
Denial of service (DoS) attacks
Floods
TCP/IP attacks
More abuse and countermeasures
Abusing trust relationships
Implementing egress filtering
Elevating user privilege
Users and privileges
Elevation of privilege
Trusted paths and trojan horses
Password storage and use
Special purpose groups and device access
Sudo
Suid programs
Hacker suids on mounted file systems
Countering poor programming
Password cracking
How they work
More advanced algorithms
Cracking programs
Shadow passwords
Pluggable modules, etc.
Maintaining access
Using the r commands, rsh, rexe, etc.
Passwordless access using ssh
Network accessible root shells
Trojaned system programs
Back doors
Trail hiding
Kernel hacks
Remote access methods - Unix
Primary methods
Exploiting a listening service (TCP/IP)
System must be running services listening on some port
First enumerate, then specific exploit for that service
Using source routing to cross firewall or router
Router must have source routing disabled, or at least protected
User-triggered traps
Example: browsing as root and encountering malicious code
Exploiting system with network interface in promiscuous mode
Sniffer can sniff a malicious packet that was put there to catch any
victim
Brute force attacks
Password attacks
These can use any service that uses a logname/password for access
Many utilities exist for automating
Countermeasures are improved password analyzers, delay in login on
incorrect passwords, detecting repeated login attempts
User password education – don’t use same password everywhere
Data driven attacks
Buffer and stack overflows work because of weak C libraries
Basic idea is to send an “egg” with code that goes on stack (used for
local variables and return address)