Hacking Linux
Based on Hacking Linux Exposed, Hatch, Lee, and Kurtz, ISBN 0-07-212773-2

Looking into Linux
  - Linux security overview
  - Proactive measures and recovering
  - Stages of hacking – again
  - Mapping your machine and network
  - Social engineering, Trojans, and other tricks
  - Physical attacks
  - Attacking over the network
  - Abusing the network itself
  - Elevating user privilege
  - Password cracking
  - Maintaining access
  - Server issues and vulnerabilities
      - Mail and ftp
      - Web servers and dynamic content
      - Access control and firewalls

Linux security overview
  - Why? (Porque)
      - You are easy
      - You can be used as anonymous access
      - You are Linux and thus open source
          - The OS source is available
          - But the developers are self-policing – developer culture and Bugtraq
  - Access control methods
      - Password security
      - Controls on users
      - Privileged ports
      - Virtual memory gets reclaimed

Proactive measures and recovering
  - Proactive measures
      - Insecurity scanners – finding your own weaknesses
      - Scan detectors – is someone eyeballing you?
      - Hardening your system
      - Log file analysis
      - File system integrity checks
  - Recovering from being hacked
      - Detecting if you have been hacked
      - What to do after a break-in

Mapping your machine and network
  - Public domain looking
      - Online searches
      - Whois databases
  - Ping sweeps
  - DNS issues
  - Traceroutes
  - Port scanning
  - OS detection
      - Active stack fingerprinting
      - Passive stack fingerprinting

Mapping, continued
  - Enumerating RPC services
      - What authentication level is used
      - What services – NFS, NIS, other RPC
  - NFS file sharing
      - What is exportable – and to what users
  - SNMP possibilities
  - Network insecurity scanners
      - Canned stuff that combines all these approaches

Social engineering, Trojans, and other tricks
  - Social engineering
  - Trojan horses
  - Viruses and worms
  - IRC backdoors

Physical attacks
  - Attacking the office
      - Sneaky Pete installs something
  - Boot access is root access
      - Boot passwords are in the flash ROM
      - Setup helps a little bit
  - Encrypted filesystems

Attacking over the network
  - Using the network itself
      - TCP/IP
      - The public phone system
  - Default or bad configurations
      - NFS mounts
      - Netscape defaults
      - Squid
      - X Window System

TCP/IP
  - Structure (header and function)
  - TCP
      - Flag bits (Urgent, Ack, Push, Reset, Syn, Fin)
  - UDP – less structure and functionality
  - ICMP – control messages – many hacking possibilities
  - IP – underlies these three protocols – host-to-host

The public phone system
  - Modem attacks
      - Wardialing – mechanized dialing used to find modems
      - Attacks on modem internal protocols – Hayes not-so-smart modem
          - Idea was to shut off sound, store a new number, disconnect and redial
          - Moldavia
  - Countermeasures
      - One-time-pad login modules
      - Passwording
      - Biometrics

More network attacks
  - Default passwords and password guessing
  - Sniffers
      - How they work
      - Common versions
  - Vulnerabilities
      - Buffer overflows
      - Vulnerable services
      - Vulnerable scripts
  - Unnecessary services and detecting them
      - Using netstat, lsof, nmap
      - How to turn them off – inetd.conf

Abusing the network itself
  - DNS exploits
  - Routing issues
  - Advanced sniffing and session hijacking
      - Hunt
      - Dsniff
  - Man-in-the-middle attacks
  - Denial of service (DoS) attacks
      - Floods
      - TCP/IP attacks

More abuse and countermeasures
  - Abusing trust relationships
  - Implementing egress filtering

Elevating user privilege
  - Users and privileges
  - Elevation of privilege
  - Trusted paths and trojan horses
  - Password storage and use
  - Special purpose groups and device access
  - Sudo
  - Suid programs
      - Hacker suids on mounted file systems
  - Countering poor programming

Password cracking
  - How they work
  - More advanced algorithms
  - Cracking programs
  - Shadow passwords
  - Pluggable modules, etc.

Maintaining access
  - Using the r commands, rsh, rexec, etc.
  - Passwordless access using ssh
  - Network accessible root shells
  - Trojaned system programs
  - Back doors
  - Trail hiding
  - Kernel hacks

Remote access methods – Unix
  - Primary methods
      - Exploiting a listening service (TCP/IP)
          - System must be running services listening on some port
          - First enumerate, then use a specific exploit for that service
      - Using source routing to cross a firewall or router
          - Router must have source routing disabled, or at least protected
      - User-triggered traps
          - Example: browsing as root and encountering malicious code
      - Exploiting a system with a network interface in promiscuous mode
          - The sniffer can sniff a malicious packet that was put there to catch any victim

Brute force attacks
  - Password attacks
      - These can use any service that uses a logname/password for access
      - Many utilities exist for automating them
      - Countermeasures are improved password analyzers, a delay in login on incorrect passwords, and detecting repeated login attempts
      - User password education – don't use the same password everywhere

Data driven attacks
  - Buffer and stack overflows work because of weak C libraries
  - Basic idea is to send an "egg" with code that goes on the stack (used for local variables and return addresses)
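The brute-force countermeasure listed above, detecting repeated login attempts, as an added example that is not from the slides or the book: a small Python detector that reads sshd "Failed password" lines from a constructed sample log and flags any source address exceeding a threshold of failures inside a sliding time window. The log format, the year supplied for syslog timestamps, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in classic syslog/sshd format (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 51001 ssh2
Mar  3 10:15:03 host sshd[2102]: Failed password for root from 10.0.0.5 port 51002 ssh2
Mar  3 10:15:04 host sshd[2103]: Accepted publickey for alice from 10.0.0.9 port 40222 ssh2
Mar  3 10:15:06 host sshd[2104]: Failed password for root from 10.0.0.5 port 51003 ssh2
Mar  3 10:15:08 host sshd[2105]: Failed password for bob from 10.0.0.5 port 51004 ssh2
Mar  3 10:15:09 host sshd[2106]: Failed password for bob from 10.0.0.5 port 51005 ssh2
Mar  3 10:20:00 host sshd[2107]: Failed password for carol from 192.0.2.7 port 33000 ssh2
Mar  3 10:40:00 host sshd[2108]: Failed password for carol from 192.0.2.7 port 33001 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_ts(ts, year=2024):
    # Syslog lines carry no year; the caller supplies one (assumed here).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source: [(user, time), ...]} for every source that reaches
    `threshold` failed logins within any `window`-long sliding interval."""
    recent = defaultdict(deque)   # per-source failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue               # successes and unrelated lines are ignored
        src, when = m.group("src"), parse_ts(m.group("ts"))
        q = recent[src]
        q.append((m.group("user"), when))
        while q and when - q[0][1] > window:
            q.popleft()            # drop failures that fell out of the window
        if len(q) >= threshold and src not in flagged:
            flagged[src] = list(q) # record the burst that crossed the line
    return flagged

if __name__ == "__main__":
    for src, burst in find_brute_force(SAMPLE_LOG).items():
        print(f"{src}: {len(burst)} failures, users {[u for u, _ in burst]}")
```

Slow, spread-out guessing (192.0.2.7 above) only shows up when the window is widened, which is the trade-off between catching low-and-slow attempts and generating false alarms on ordinary typos.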