You have seen how useful automated assessment tools can be and how Linux is a good platform for performing security tests. Therefore, this Apply Your Knowledge will have you examine some automated assessment tools and one of the best online exploit databases.
5.1. Exploring the SecurityForest.com Website
SecurityForest.com is a collaboratively edited Forest consisting of Trees, which anyone can contribute to. These trees are organized in an ordered fashion: the tools and exploits available for each step of a penetration test, and the exploits available for specific networks, systems, and applications.
Estimated Time: 10 minutes.
5.2. Running the Nessus Server
In this exercise, you will run the Nessus server and look at some of its settings.
Estimated Time: 30 minutes.
Exam Prep Questions
1. How can a Linux user list what processes are running if he suspects something has been loaded that is not approved?
2. You have been hired by Bob's Burgers to scan its network for vulnerabilities. They would like you to perform a system-level scan. Which of the following programs should you use?
3. You have been able to get a terminal window open on a remote Linux host. You now need to use a command line web browser to download a privilege escalation tool. Which of the following will work?
4. While hacking away at your roommate's Linux computer, you accessed his passwd file. Here is what you found.
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
Where is the root password?
5. Which of the following will allow you to set the user to full access, the group to read-only, and all others to no access?
6. Your team lead has asked you to make absolute changes to a file's permissions. Which of the following would be correct?
7. Which of the following is not a valid Linux user group?
8. You have been exploring the files and directory structure of the new Linux server. What are the entries of the /etc/hosts file made up of?
9. At the prompt of your Linux server, you enter cat /etc/passwd. In the following output line, what is the function of 100?
10. Where will an attacker find the system password file in a Linux machine that is restricted to root and contains encrypted passwords?
11. Most modern versions of Linux use which of the following password encryption standards by default?
12. Which of the following is an LKM rootkit?
13. How can Tripwire help prevent against Trojan horses and rootkits?
14. Which of the following will allow you to set the user to full access, the group to read and write access, and all others to read access?
15. Which of the following programs can be used to build a jail around a program, such as FTP, to prevent hackers from gaining access to unauthorized folders and files?
Answers to Exam Questions
1. D. The ps command gives a snapshot of the currently running processes, including ps itself. Answer A is incorrect because netstat is a command-line tool that displays a list of the active connections a computer currently has. Answer B is incorrect as ls only provides a directory listing. Answer C is incorrect, as echo displays entered characters on the screen.
2. C. SARA is a system-level scanner that can scan various ports and attempt to verify what is running on each and what vulnerabilities are present. Answer A is incorrect, as Flawfinder is a source code scanner. Answers B and D are incorrect because both N-Stealth and Whisker are web application scanners and do not perform system-level scans.
3. B. Lynx is a basic browser that can be used to pull down the needed code. Answer A is incorrect because TFTP is not used for web browsing. Answer C is incorrect, as Explorer is a Windows-based web browser. Answer D is incorrect, as Firefox is a GUI tool.
4. B. The password has been shadowed. You can determine this because there is an x in the second field. Answer A is incorrect, as the password has been shadowed. Answer C is incorrect because the password is not being stored in the passwd file. You might or might not be able to see it depending on if you are logged in as root. Answer D is incorrect, as the SAM is only used in Windows. There is no SAM file in Linux.
5. C. The command for file and folder permissions is chmod, and the proper setting would be 740. Answer A is incorrect, as a setting of 777 would give read, write, and execute rights to the owner, group, and all others. Answers B and D are incorrect because chroot is not used for file permissions.
6. D. Absolute mode will require the use of octal values, such as chmod 320. Answers A, B, and C are incorrect. Chroot is not used to set file permissions; chmod a+rwx is a valid command but is in symbolic form.
7. C. The three valid groups in Red Hat Linux include super users, system users, and normal users. Therefore, answers A, B, and D are incorrect. Guest is a default group found in the Windows environment.
8. D. The /etc/hosts file stores IP addresses and is used for hostname to IP address resolution. Answers A, B, and C are incorrect, as subnet masks, default gateways, and allow or deny statements are not found there.
9. C. The structure of the passwd file is such: Account Name:Password:UID:GID:User Information:Directory:Program. In this case, the 100 falls under the GID. Answers A, B, and D are therefore incorrect, as they do not specify the correct field.
10. B. The shadow file is used to prevent hackers and ordinary users from viewing encrypted passwords. Answer A is incorrect because the hosts file is used for name resolution. Answer C is incorrect, as the passwd file is not restricted to root. Answer D is incorrect, as inetd is a configuration file and not related to passwords.
11. A. Most versions of Linux, such as Red Hat, use MD5 by default. If you choose not to use MD5, you can choose DES, although it limits passwords to eight alphanumeric characters. Therefore, answer B is incorrect. Answers C and D are incorrect because Linux does not use AES or Diffie-Hellman for password encryption.
12. C. Adorm is a loadable kernel module (LKM) rootkit. A loadable kernel module runs in kernel space but can be loaded separately after the system is running. Answers A and B are incorrect because Flea and T0rm are not LKM rootkits. Answer D is incorrect, as Chkroot is a rootkit detector.
13. A. Tripwire works with a database that maintains information about the byte count of files. If the byte count has changed, it will identify the finding and set a notification flag. Answers B, C, and D are incorrect, as Tripwire does not harden applications, it does not scan source code, and it does not build a jail that limits the access of attackers.
14. C. The command for file and folder permissions is chmod, and the proper setting would be 764. Answer A is incorrect because a setting of 746 would give read, write, and execute rights to the owner, read to the group, and read and write to all others. Answers B and D are incorrect, as chroot is not used for file permissions.
15. D. Chrooting is one of the hardening procedures that can be performed on a Linux system. It creates additional borders in case of zero day threats so that hackers are jailed in specific folders. Answer A is incorrect, as Tripwire is used to verify no changes have occurred to files and folders without your knowledge. Answer B, chmod, is incorrect because it is used to set file and folder permissions. Answer C is incorrect because loadable kernel modules are used by rootkits.
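The passwd layout from answer 9 and the shadowing check from answers 4 and 10, as an added example that is not part of the book: a small parser that splits each record into its seven fields and reports where each account's password is kept. The sample records are the three lines quoted in question 4; the function names are my own.

```python
from typing import Dict, List, Optional

# Field order from answer 9: Account Name:Password:UID:GID:User Information:Directory:Program
PASSWD_FIELDS = ["name", "password", "uid", "gid", "gecos", "home", "shell"]

# Constructed sample: the three records quoted in question 4, one per line.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
"""

def parse_passwd_line(line: str) -> Optional[Dict[str, str]]:
    """Split one record into named fields; blank lines and comments yield None."""
    line = line.rstrip("\n")
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) != len(PASSWD_FIELDS):
        raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
    return dict(zip(PASSWD_FIELDS, parts))

def password_location(record: Dict[str, str]) -> str:
    """Say where the password lives: 'shadow' (x), 'locked' (* or !), 'empty', or 'passwd'."""
    pw = record["password"]
    if pw == "x":
        return "shadow"   # hash is in /etc/shadow, readable only by root (answer 10)
    if pw == "":
        return "empty"    # no password set at all; worth flagging in an audit
    if pw == "*" or pw.startswith("!"):
        return "locked"   # account cannot log in with a password
    return "passwd"       # legacy layout: the hash sits in world-readable /etc/passwd

def audit_passwd(text: str) -> List[Dict[str, str]]:
    """One finding per account: name, UID, GID and where its password is stored."""
    findings = []
    for line in text.splitlines():
        rec = parse_passwd_line(line)
        if rec is not None:
            findings.append({"name": rec["name"], "uid": rec["uid"], "gid": rec["gid"],
                             "password": password_location(rec)})
    return findings
```

Run `audit_passwd(open("/etc/passwd").read())` on a real host to list every account whose hash is still stored in passwd rather than shadow.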
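The octal and symbolic chmod forms from answers 5, 6 and 14, as an added example that is not from the book: it computes the absolute mode from a rights description (740, 764, 320), evaluates symbolic expressions such as a+rwx, and applies a mode to a scratch file to read it back. Function names are my own; the read-back step assumes a POSIX filesystem.

```python
import os
import stat
import tempfile

BITS = {"r": 4, "w": 2, "x": 1}
CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}

def mode_from_rights(owner: str, group: str, others: str) -> int:
    """Absolute mode from per-class 'rwx' strings: ('rwx', 'r', '') -> 0o740 (answer 5)."""
    mode = 0
    for cls, rights in (("u", owner), ("g", group), ("o", others)):
        for ch in rights:
            mode |= BITS[ch] << CLASS_SHIFT[cls]
    return mode

def apply_symbolic(expr: str, current: int = 0) -> int:
    """Apply a symbolic expression such as 'a+rwx' or 'u=rwx,g=r,o=' to a starting mode."""
    mode = current
    for clause in expr.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        if i == len(clause) or clause[i] not in "+-=":
            raise ValueError(f"unsupported clause: {clause!r}")
        classes, op, perms = clause[:i] or "a", clause[i], clause[i + 1:]
        if any(p not in BITS for p in perms):
            raise ValueError(f"unknown permission in {clause!r}")
        if "a" in classes:
            classes = "ugo"   # 'a' means all three classes (umask is ignored here)
        for cls in classes:
            shift = CLASS_SHIFT[cls]
            newbits = sum(BITS[p] for p in perms) << shift
            if op == "+":
                mode |= newbits
            elif op == "-":
                mode &= ~newbits
            else:             # '=' replaces this class's three bits entirely
                mode = (mode & ~(7 << shift)) | newbits
    return mode

def set_and_read_back(mode: int) -> int:
    """Apply the mode to a scratch file with os.chmod and read it back via stat (POSIX only)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.unlink(path)
```

`oct(mode_from_rights("rwx", "r", ""))` gives the string the exam expects, 0o740, and `set_and_read_back(0o740)` confirms the kernel stored exactly those bits.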
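The integrity check described for Tripwire in answer 13, as an added example written for this page and not Tripwire's own code: a baseline records each file's byte count together with a SHA-256 hash, so a later comparison reports modified, added and removed files, including a substitution that keeps the byte count the same. The directory tree and file contents are constructed in a temporary directory; function names are my own.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[int, str]]   # relative path -> (byte count, sha256 hex)

def fingerprint(path: str) -> Tuple[int, str]:
    """Byte count plus SHA-256, read in chunks so large binaries are not loaded whole."""
    h, size = hashlib.sha256(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()

def build_baseline(root: str) -> Baseline:
    """Fingerprint every regular file under root, keyed by path relative to root."""
    base: Baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            base[os.path.relpath(full, root)] = fingerprint(full)
    return base

def compare(baseline: Baseline, current: Baseline) -> Dict[str, List[str]]:
    """Files whose size or hash changed, plus files that appeared or disappeared."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temp dir: baseline, then a same-size edit and a new file."""
    root = tempfile.mkdtemp()
    files = {"sbin/ls": b"ORIGINAL-LS", "sbin/ps": b"ORIGINAL-PS", "etc/hosts": b"127.0.0.1 localhost\n"}
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(body)
    baseline = build_baseline(root)
    with open(os.path.join(root, "sbin", "ps"), "wb") as f:
        f.write(b"REPLACED-PS")        # same 11-byte length, so only the hash reveals it
    with open(os.path.join(root, "sbin", "bd"), "wb") as f:
        f.write(b"new")                # a file that was not in the baseline
    return compare(baseline, build_baseline(root))
```

In practice the baseline must be stored where an intruder with root cannot rewrite it (read-only media or a remote host), or the comparison proves nothing.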
Suggested Reading and Resources
www.frozentech.com/content/livecd.php: Bootable Linux distribution list
www.rootkit.nl: Rootkit Hunter website
www.nsa.gov/snac: NSA hardening guidelines
www.iss.net: ISS Internet Scanner website
www.eeye.com: Retina security scanner
www.arc.com: SARA security scanner
www.bindview.com: VLAD security scanner
Trojans and Backdoors