Testing for Vulnerabilities


It's not enough to want to batten down the hatches if you don't know which hatches need battening. On a computer system, you need to know where the possible holes are, and Knoppix can help you test for and then mitigate vulnerabilities.

Verifying the Absence of Rootkits with Chkrootkit

If your computer gets cracked, rootkits (also called root kits) are definitely a concern. Basically, a cracker can leave a rootkit behind that lets him easily access and control the machine in the future, while making it hard to detect his comings and goings. There are two kinds of rootkits: kernel level, which replace pieces of the Linux kernel with malicious code, and application level, which replace regular programs (such as ls, cd, less, and so on) with seemingly similar programs that are actually Trojan horses up to no good. With Knoppix, you can root out the rootkits and keep your computer safe.

Note 

For more information on rootkits, see the Wikipedia article at http://en.wikipedia.org/wiki/Rootkit, or view search results at SecurityFocus with http://search.securityfocus.com/swsearch?query=rootkit&sbm=infocus&metaname=alldoc.

Knoppix uses a command-line program called chkrootkit to do its work. It tests for (at this time) 59 different rootkits, worms, and LKMs (Linux Kernel Modules, the kernel-level rootkits discussed previously). Check out the complete list at the chkrootkit Website, http://www.chkrootkit.org.

To run chkrootkit, open your terminal and enter the following command:

 $ sudo chkrootkit 

Immediately chkrootkit kicks into action, scanning your machine for known rootkits and poking about, looking to see if anything has been tampered with. As it works, the program spits out its progress on your command line, leading to about a hundred lines or so that look like this:

 Checking 'timed'... not found
 Checking 'traceroute'... not infected
 Checking 'vdir'... not infected
 Checking 'w'... not infected
 Checking 'write'... not infected
 Checking 'aliens'... no suspect files
 Searching for sniffer's logs, it may take a while... nothing found
 Searching for HiDrootkit's default dir... nothing found
 Searching for t0rn's default files and dirs... nothing found

If a nasty were on your computer, you'd see its name followed by INFECTED. Clearly it's a bit overwhelming to see a list of everything that's not infected, because it would be easy to miss the one line informing you that you are infected, so it's better to run chkrootkit with the -q (for "quiet") option, like this:

 $ sudo chkrootkit -q 

The -q option will only show you warnings or lines indicating an infection, which should make things crystal clear. Much better!

Tip 

When you run chkrootkit on Knoppix, you're going to see these warnings:

 /usr/bin/strings: Warning: '/' is not an ordinary file
 You have  8 process hidden for readdir command
 You have  8 process hidden for ps command
 Warning: Possible LKM Trojan installed

Don't freak out — because of the way Knoppix works, these lines show up. Your readdir and ps commands are not infected.

If you think that some particular programs are fishy, check them by specifying the programs on the command line, like this:

 $ sudo chkrootkit ps tar ls 

The results are reassuring, to say the least:

 ROOTDIR is '/'
 Checking 'ps'... not infected
 Checking 'tar'... not infected
 Checking 'ls'... not infected

Of course, if you use the -q option, chkrootkit only lets you know if one of those programs is infected.

Because you're using Knoppix, any examinations performed by chkrootkit operate, by default, on the Knoppix CD itself. While this is interesting, it isn't particularly helpful. More likely, you'll want to use Knoppix to examine a system that you suspect is compromised. In such a situation, use the -r option, which tells chkrootkit to scan a different drive as though it were the root drive. For example, your machine's hard drive is probably located at /mnt/hda1 once you've booted Knoppix, so you'd run the following to check it:

 $ sudo chkrootkit -q -r /mnt/hda1 

Adjust, of course, to suit your partitions.

Tip 

Don't forget that because chkrootkit runs on the command line, it's easy to set up a cron job that does an automatic scan every night at a specified time and then sends a report to you letting you know if anything amiss was detected. This isn't as applicable when you're using Knoppix because you'd typically run just a single scan on a system and be done with it, but it's still useful to know. In /etc/crontab, add a line like the following (adjust the path to chkrootkit as appropriate for your system):

 # Runs at 03:00 every day; /etc/crontab requires the user field (here root) before the command
 0 3 * * * root (chkrootkit -q 2>&1 | mail -s "chkrootkit scan report" email@youraddress.com)
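The -q flag and the nightly mail report both come down to one question: which lines of chkrootkit's output actually need a human's attention? The following Python script is an added example, not code from the book or from the chkrootkit project. It triages a constructed sample of chkrootkit output (the INFECTED line is invented for illustration), keeps only INFECTED and Warning lines, and, when told the scan ran against the Knoppix CD itself, separates out the three live-CD warnings the Tip above describes as expected. The `running_on_knoppix_cd` flag and the function names are this example's own.

```python
import re

# Constructed sample of chkrootkit output, modelled on the lines shown in this
# section; the INFECTED line is invented for illustration.
SAMPLE_OUTPUT = """\
ROOTDIR is '/'
Checking 'ps'... not infected
Checking 'tar'... not infected
Checking 'ls'... INFECTED
Checking 'aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
/usr/bin/strings: Warning: '/' is not an ordinary file
You have  8 process hidden for readdir command
You have  8 process hidden for ps command
Warning: Possible LKM Trojan installed
Searching for t0rn's default files and dirs... nothing found
"""

# Lines the Tip says are expected when chkrootkit scans the Knoppix CD itself.
# They are treated as noise only for a live-CD scan, never for a mounted disk.
KNOPPIX_EXPECTED = (
    re.compile(r"^/usr/bin/strings: Warning: '/' is not an ordinary file$"),
    re.compile(r"^You have\s+\d+ process hidden for (readdir|ps) command$"),
    re.compile(r"^Warning: Possible LKM Trojan installed$"),
)


def triage(output, running_on_knoppix_cd=False):
    """Split chkrootkit output into (findings, expected_noise).

    findings: lines reporting INFECTED, a Warning or hidden processes
    (roughly what -q prints).  expected_noise: the Knoppix live-CD false
    positives, only when the caller says the scan targeted the CD.
    """
    findings, noise = [], []
    for line in output.splitlines():
        line = line.rstrip()
        if not line:
            continue
        # "not infected" is lowercase, so the case-sensitive test skips it.
        flagged = "INFECTED" in line or "Warning" in line or "hidden for" in line
        if not flagged:
            continue
        if running_on_knoppix_cd and any(p.match(line) for p in KNOPPIX_EXPECTED):
            noise.append(line)
        else:
            findings.append(line)
    return findings, noise


def report(output, running_on_knoppix_cd=False):
    """Build the text the cron job would mail: only what needs eyes."""
    findings, noise = triage(output, running_on_knoppix_cd)
    if findings:
        body = "chkrootkit flagged %d line(s):\n%s" % (len(findings), "\n".join(findings))
    else:
        body = "chkrootkit: nothing flagged"
    if noise:
        body += "\n(%d known Knoppix live-CD warning(s) suppressed)" % len(noise)
    return body


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT, running_on_knoppix_cd=True))
```

When the scan targets a mounted hard disk with -r, leave `running_on_knoppix_cd` at its default so that hidden-process and LKM warnings are reported rather than suppressed; on a real system those lines deserve a look.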

Unfortunately, if you find that the system you're examining has in fact been rooted, your best option is just to reinstall your OS and make sure that all updates have been applied and that the system is hardened before turning it loose back on a network. It's no fun, but that's the only way to ensure that you don't miss something and continue to allow some miscreant access to your box.

Scanning for Open Ports with Nmap

To find out what ports are open on a machine, the gold standard is Nmap. Nmap actually does its job in three steps: pinging the computer in question (or several, if you want) to determine whether it's on the network, scanning ports to ascertain what services are running on the machine, and figuring out the operating system of the box. Each of these steps is almost endlessly configurable within Nmap, enough so that a short book could be written on the software. This section focuses on common tasks for which you would use Nmap.

Note 

If you don't know what ports are, check out http://en.wikipedia.org/wiki/Port_(computing), http://en.wikipedia.org/wiki/Socket, and http://en.wikipedia.org/wiki/List_of_well-known_ports_(computing) for a quick overview.

First, choose the computers you want to scan. If you have only one machine you're interested in, that's easy: just specify its IP address or domain name. If you're interested in several machines, you can give a range of IP addresses — 192.168.0.1-5, for instance — or you can use a mask. It's not easy to remember what the various masks mean, so here's a handy table that may help you keep things straight:

IP Address/Mask    What It Means
192.168.0.1/32     Just that computer: 192.168.0.1
192.168.0.1/24     The entire Class C range of addresses for that network: 253 addresses total.
                   First octet is always between 192–223. Addresses 192.168.0.0–255.
172.16.0.1/16      The entire Class B range of addresses for that network: 65,532 addresses total.
                   First octet is always between 128–191. Addresses 172.16.0–255.0–255.
10.0.0.1/8         The entire Class A range of addresses for that network: 16,777,214 addresses total.
                   First octet is always between 0–127. Addresses 10.0–255.0–255.0–255.

For more on IP addresses and classes, read through the excellent "Connected: An Internet Encyclopedia," available at http://freesoft.org/CIE/Course/index.htm. Head over to http://en.wikipedia.org/wiki/Classful_network for a quick overview, and then play with the IP Subnet Mask Calculator at http://subnet-calculator.com/subnet.php.
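Rather than memorizing the table, you can let the standard library do the arithmetic. The following Python is an added example, not code from the book or from Nmap; it uses the `ipaddress` module to report the network, broadcast and host counts for each mask in the table, and expands Nmap-style targets into individual addresses. It goes slightly beyond the text: besides the single last-octet range shown (192.168.0.1-5) it accepts a range in any octet, which Nmap also allows. The function names are this example's own.

```python
import ipaddress
import itertools


def expand_target(spec):
    """Expand an Nmap-style IPv4 target into a list of IPv4Address objects.

    Supported forms:
      - a single address:   192.168.0.6
      - CIDR mask:          192.168.0.1/24  (host bits are ignored, as Nmap does)
      - per-octet ranges:   192.168.0.1-5, 10.0.0-3.1-254
    """
    if "/" in spec:
        return list(ipaddress.ip_network(spec, strict=False))
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError("expected a dotted-quad target: %r" % spec)
    choices = []
    for part in octets:
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError("octet out of range in %r" % spec)
        choices.append(range(lo, hi + 1))
    # Cartesian product of the per-octet ranges gives every address in the spec.
    return [ipaddress.IPv4Address(".".join(map(str, combo)))
            for combo in itertools.product(*choices)]


def network_summary(spec):
    """Describe a CIDR target: network, broadcast, total and usable host counts."""
    net = ipaddress.ip_network(spec, strict=False)
    total = net.num_addresses
    # Prefixes of /30 and shorter reserve the network and broadcast addresses;
    # /31 and /32 have no such reservation.
    usable = total - 2 if net.prefixlen <= 30 else total
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "total": total,
        "usable": usable,
    }


if __name__ == "__main__":
    for spec in ("192.168.0.1/32", "192.168.0.1/24", "172.16.0.1/16", "10.0.0.1/8"):
        print("%-16s %s" % (spec, network_summary(spec)))
    print("192.168.0.1-5 ->", [str(a) for a in expand_target("192.168.0.1-5")])
```

`network_summary` never materializes the address list, so it is safe on a /8; `expand_target` does build the full list and is meant for the ranges and small subnets you would actually hand to a scanner.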

Now that you know which machines you're going to query, perform the simplest Nmap scan possible — a look at your own Knoppix box — by running the following:

 $ nmap 127.0.0.1 

In just a second or two, you should get this response:

 Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-03-24 23:09 EST
 Interesting ports on Knoppix (127.0.0.1):
 (The 1661 ports scanned but not shown below are in state: closed)
 PORT     STATE SERVICE
 68/tcp   open  dhcpclient
 6000/tcp open  X11
 Nmap run completed -- 1 IP address (1 host up) scanned in 0.199 seconds

Note a couple of interesting things here. The Knoppix box has only two ports open — the DHCP client and X11 — which is pretty good. But notice that Nmap only scans 1661 ports by default, and there are plenty more (ports can go up to 65535) that might hold something interesting.

If you don't care about hiding your scan and you just want to find out what machines are running on your network, try a quick Nmap ping scan, like this:

 $ nmap -sP 192.168.0.1/24 

The results for my network are as follows:

 Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-03-24 23:58 EST
 Host 192.168.0.1 appears to be up.
 Host 192.168.0.6 appears to be up.
 Host 192.168.0.10 appears to be up.
 Host 192.168.0.13 appears to be up.
 Host 192.168.0.100 appears to be up.
 Host 192.168.0.103 appears to be up.
 Host 192.168.0.104 appears to be up.
 Nmap run completed -- 256 IP addresses (7 hosts up) scanned in 3.020 seconds

Yup, that's correct: seven machines on my network. It gets more interesting when that same scan is run with root privileges:

 $ sudo nmap -sP 192.168.0.1/24 

Here are my results:

 Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-03-25 00:01 EST
 Host 192.168.0.0 seems to be a subnet broadcast address (returned 4 extra pings).
 Host 192.168.0.1 appears to be up.
 MAC Address: 00:12:17:31:4F:C4 (Cisco-Linksys)
 Host 192.168.0.6 appears to be up.
 MAC Address: 00:C0:4F:A1:25:4A (Dell Computer)
 Host 192.168.0.10 appears to be up.
 MAC Address: 00:B0:D0:FE:87:68 (Dell Computer)
 Host 192.168.0.13 appears to be up.
 MAC Address: 00:C0:4F:A1:25:89 (Dell Computer)
 Host 192.168.0.100 appears to be up.
 MAC Address: 00:C0:4F:A1:27:BF (Dell Computer)
 Host 192.168.0.103 appears to be up.
 MAC Address: 00:0D:88:66:FB:87 (D-Link)
 Host 192.168.0.104 appears to be up.
 Host 192.168.0.108 appears to be up.
 MAC Address: 00:11:D8:90:D6:7F (Asustek Computer)
 Host 192.168.0.255 seems to be a subnet broadcast address (returned 4 extra pings).
 Nmap run completed -- 256 IP addresses (8 hosts up) scanned in 4.390 seconds

When run by root, Nmap gives you the MAC address of each machine's NIC, and the manufacturer of that NIC (of course, now that you know the NICs, you can try to spoof them, but that's a different book).

Realize that the last two scans were in no way hidden. Any admin reviewing logs on the machines just scanned would have to notice something fishy going on. Nmap, however, can do much more to hide itself.

Caution 

Now that you've done your machine, try your local network — as long as it's your network. Do not try this at work without permission, and do not use Nmap against random IP blocks or machines on the Internet. You may get visits from the authorities that will not be any fun. With that warning out of the way, if your LAN uses 192.168.0.x as its base, try nmap 192.168.0.1/24; if you use a different scheme, fill those numbers in and go to town.

For a stealthier scan, use SYN scanning. Here's an example of running SYN scanning against one machine on a LAN:

 $ sudo nmap -sS 192.168.0.6 

You have to use sudo because a stealth scan requires root privileges. Try it without sudo — Nmap immediately shuts you down. When the scan finishes, Nmap gives you some new information (in this example, some lines have been redacted for the sake of brevity):

 Interesting ports on 192.168.0.6:
 (The 1653 ports scanned but not shown below are in state: closed)
 PORT     STATE SERVICE
 22/tcp   open  ssh
 139/tcp  open  netbios-ssn
 445/tcp  open  microsoft-ds
 631/tcp  open  ipp
 901/tcp  open  samba-swat
 2049/tcp open  nfs
 MAC Address: 00:C0:4F:A1:25:4A (Dell Computer)

A lot more ports are open — not really surprising because this machine shares data back and forth all over the LAN. More important, this scan would be far more difficult to detect.

Note 

Why is a SYN scan harder to detect? The inventor of Nmap tells you himself, at http://www.insecure.org/nmap/nmap_doc.html#syn.

For even more information about the target, use the -O option, which tells Nmap to try to figure out the operating system of the machine it's scanning, in tandem with the -v option, which tells Nmap to be verbose (use -vv for even more verbosity). Combining those with the stealth scan on an example Linux box gives you this command:

 $ sudo nmap -v -O -sS 192.168.0.6 

This produces a lengthy result, which has been condensed into the following:

 Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-03-25 00:48 EST
 Initiating SYN Stealth Scan against 192.168.0.6 [1663 ports] at 00:48
 ...
 The SYN Stealth Scan took 0.21s to scan 1663 total ports.
 ...
 Host 192.168.0.6 appears to be up ... good.
 Interesting ports on 192.168.0.6:
 (The 1653 ports scanned but not shown below are in state: closed)
 PORT     STATE SERVICE
 22/tcp   open  ssh
 139/tcp  open  netbios-ssn
 445/tcp  open  microsoft-ds
 631/tcp  open  ipp
 901/tcp  open  samba-swat
 2049/tcp open  nfs
 MAC Address: 00:C0:4F:A1:25:4A (Dell Computer)
 Device type: general purpose
 Running: Linux 2.4.X|2.5.X
 OS details: Linux 2.4.0 - 2.5.20
 Uptime 32.150 days (since Sun Feb 20 21:12:15 2005)
 TCP Sequence Prediction: Class=random positive increments
                          Difficulty=5555644 (Good luck!)
 ...
 Nmap run completed -- 1 IP address (1 host up) scanned in 2.583 seconds

Wow! Lots of stuff here, including open ports and services, the MAC address and manufacturer, OS details, machine uptime (32 days — not bad!), and the difficulty level for getting in to the computer.
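The real value of a scan like this on your own machines is comparing it against what you expect to be open. The following Python is an added example, not code from the book or from Nmap: it parses the human-readable nmap 3.75 report format shown above (port table, MAC Address and OS details lines) and compares the open ports against a baseline. The sample text is copied from the 192.168.0.6 output above; the baseline is hypothetical, standing in for the list of services that file server is supposed to expose. All function names are this example's own.

```python
import re

# Constructed sample: the nmap 3.75 report for 192.168.0.6 shown in this section.
SAMPLE_SCAN = """\
Interesting ports on 192.168.0.6:
(The 1653 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
901/tcp  open  samba-swat
2049/tcp open  nfs
MAC Address: 00:C0:4F:A1:25:4A (Dell Computer)
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux 2.4.0 - 2.5.20
Uptime 32.150 days (since Sun Feb 20 21:12:15 2005)
"""

# Hypothetical baseline for this file server: ssh plus the SMB and NFS ports
# it is meant to expose.  Anything else open is worth a question.
BASELINE = {(22, "tcp"), (139, "tcp"), (445, "tcp"), (2049, "tcp")}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_LINE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})(?: \((.*)\))?")


def parse_nmap(text):
    """Turn nmap's human-readable report into a dict: ports, mac, vendor, os."""
    result = {"ports": [], "mac": None, "vendor": None, "os": None}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            result["ports"].append({"port": int(port), "proto": proto,
                                    "state": state, "service": service})
            continue
        m = MAC_LINE.match(line)
        if m:
            result["mac"], result["vendor"] = m.group(1), m.group(2)
            continue
        if line.startswith("OS details: "):
            result["os"] = line[len("OS details: "):].strip()
    return result


def open_ports(parsed):
    """Set of (port, proto) tuples that nmap reported as open."""
    return {(p["port"], p["proto"]) for p in parsed["ports"] if p["state"] == "open"}


def compare_to_baseline(parsed, expected):
    """Return (unexpected, missing): open ports the baseline does not allow,
    and baseline ports that are no longer open (a service may have died)."""
    seen = open_ports(parsed)
    return sorted(seen - expected), sorted(expected - seen)


if __name__ == "__main__":
    scan = parse_nmap(SAMPLE_SCAN)
    unexpected, missing = compare_to_baseline(scan, BASELINE)
    print("host %s (%s), OS: %s" % (scan["mac"], scan["vendor"], scan["os"]))
    print("open ports not in baseline:", unexpected)
    print("baseline ports not seen:", missing)
```

Run against the sample, the comparison singles out 631/tcp (ipp) and 901/tcp (samba-swat) as open but not in the baseline; whether that is a problem depends on whether printing and the SWAT administration interface are supposed to be reachable from the LAN, which is exactly the decision a baseline forces you to make explicitly.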

You can also adjust the timing that Nmap uses when it scans. Include the -T5 option, and Nmap scans at an "insane" speed (that's Nmap's word, not mine) that will definitely get picked up by anyone looking for something suspicious. On the other hand, -T0, the "paranoid" speed, sends a packet every five minutes or so. Your scan will take a looooong time, but it also will probably go undetected by both machines and humans. Try the numbers between 0 and 5; when I used -T2 against one machine, the scan took 674 seconds — that's more than 11 minutes!

This overview should be enough to get you started with Nmap. It's a powerful tool that anyone involved in security ends up using constantly; in that respect, it's kind of like a hammer to a construction worker. The best thing for you to do now is start reading about Nmap and, more important, play with it.

Note 

There's a vast amount of really useful information about Nmap on the Web. The Nmap man page is long and very detailed, but also make sure you visit the Nmap Website, at http://insecure.org/nmap, especially Fyodor's "The Art of Port Scanning," located at http://insecure.org/nmap/nmap_doc.html. It's a bit out of date now, but still contains an excellent overview you should read.

For tutorials, check out Andrew J. Bennieston's "NMAP — A Stealth Port Scanner" (http://security-forums.com/forum/viewtopic.php?t=7872) and Lamont Granquist's short but sweet email guide from 1999 (http://seclists.org/lists/nmap-hackers/1999/Apr-Jun/0004.html).

By the way, here's how cool Nmap really is: It was actually used (correctly!) by Trinity in The Matrix Reloaded. See for yourself at http://images.insecure.org/nmap/images/matrix/.

Checking for Dangerous Weaknesses with Nessus

Nmap tells you about a machine's OS and its open ports, but once you have that information, what can you do with it? Well, if you're a black hat hacker, it's time to pull out Nessus, the open-source vulnerability scanner, and determine whether there are any holes you can exploit. If you're trying to protect a network against black hats, then it's time to pull out Nessus, the open-source vulnerability scanner, and determine whether there are any holes that someone can exploit that you need to repair now.

There are commercial tools costing thousands of dollars that do the same thing that Nessus does for free, which is essentially look at the ports on a computer (usually by making use of Nmap), figuring out what services are running on those ports, and performing a variety of appropriate tests to determine whether any known security vulnerabilities exist on that machine. In addition, Nessus has some compelling features that make it attractive, especially to the Knoppix user thinking of combining Knoppix and Nessus to test a computer or even an entire LAN.

Before configuring Nessus, you need to understand that Nessus is really two interlocking pieces of software: a server and a client. The idea is that you can install the Nessus server on one computer (or more, if you'd like) on a network, and then connect to the server using the Nessus clients installed on any computer. If you're running Nessus on Knoppix, however, you probably don't need such a complicated arrangement. Instead, you'll want to run both the client and the server on the same machine, which is extremely workable.

Nessus uses plug-ins to work. Basically, a Nessus plug-in is a test for a particular weakness. As new security issues are published, volunteers write plug-ins for Nessus to probe the problem. There are thousands of plug-ins for Nessus, testing an amazing variety of exploitable holes. It's important that you update your Nessus plug-ins before you run the program by entering sudo nessus-update-plugins on the command line; that downloads any new additions to the Nessus arsenal. New plug-ins are published almost every day, so it's a good idea to run that command whenever you're going to use Nessus.

Note 

The Knoppix developers have made it really easy to use Nessus by performing a lot of actions behind the scenes so you don't have to do them. If you want to know the whole process — because you want to run Nessus on a non-Knoppix machine, for instance — you really should read Harry Anderson's excellent three-part series on Nessus at SecurityFocus: http://securityfocus.com/infocus/1741, http://securityfocus.com/infocus/1753, and http://securityfocus.com/infocus/1759.

From the K menu, select System → Security → NESSUS Security Tool — Network Scanner. That starts the server portion of Nessus in the background and then opens the Nessus client, which looks like what is shown in Figure 6-1.

Figure 6-1: Nessus is now open and ready to configure.

Knoppix has already set up a user for you, so simply enter knoppix in the Login textbox and the Password textbox and click Log in. Nessus asks you about accepting the security certificate it wants to use to encrypt traffic between the client and the server, as shown in Figure 6-2.

Figure 6-2: Nessus sets up an SSL certificate to encrypt traffic.

Because both client and server are on the same machine, and because you have to trust the Knoppix developers here, leave the first option chosen, and click OK. Another window opens, asking if you want to accept the certificate; click Yes.

The next window warns you that dangerous plug-ins have been disabled. Click OK, and you find yourself logged in to Nessus, with the Plugins tab visible and ready to go, as shown in Figure 6-3.

Figure 6-3: Choose the plug-ins you want to use when scanning with Nessus.

Keep in mind that some Nessus plug-ins can cause the machine being probed to lock up or crash, so Nessus disables those by default. It's easy, however, to enable those plug-ins. The question is, should you?

If you're testing computers under your control, I recommend enabling the dangerous plug-ins. After all, the bad guys might very well do so, so shouldn't you? However, you should weigh the possibility of crashing your machine against any security gains. In other words, yes, it would be good to make sure that your company's email server is safe against all forms of cracking, but don't run Nessus to test things during the middle of the work day.

Caution 

Do not run Nessus against computers that are not under your control. Your scan may very well look like an attack, and you could get into serious trouble with the authorities. Be careful with Nessus!

If you decide to enable every plug-in, even the dangerous ones, you first have to go to the Scan Options tab and uncheck Safe Checks. You're now ready to live on the edge.

Of course, if you don't need to test everything, or you simply can't afford the possibility that you might crash the computer you're examining, use the defaults. You'll still get a lot of useful information from Nessus.

You'll recall from the Nmap discussion that there are different kinds of scanning methods you can use. In fact, Nessus uses Nmap to perform its scans, as you can see on the Prefs tab. The first option on that tab is TCP scanning technique; I'd use the SYN scan because it's quick and sneaky.

Note 

Because of limited space, this section doesn't cover the entire Prefs tab, but if you're going to use Nessus effectively, you really should familiarize yourself with all of your options here. The best place to go for this information is the Nessus Knowledge Base, which goes through every single option in the program. It's awesome, and you can find it at http://edgeos.com/nessuskb/.

There's one last thing to set, and in some ways it's the most important option of all: the computer(s) you want to scan. Go to the Target tab, shown in Figure 6-4.

Figure 6-4: Choose which computer(s) you want to examine with Nessus.

You can specify targets the same way you can using Nmap, with any of the following:

  • IP address

  • Domain name

  • Range of IP addresses

  • Subnet

For example, 192.168.0.6 is a Linux box on my LAN used for file sharing, among other tasks. I enter that IP address in the Target(s) field, click Start the Scan, and Nessus takes off. The window changes to one labeled Scanning Network from Localhost, and a few seconds later the progress of Nessus at work is displayed. A scan can take quite a while, so you may want to move on to other things and let Nessus do its job. Eventually Nessus finishes, and you get a report window, shown in Figure 6-5.

Figure 6-5: Nessus presents you with a report after its scan and analysis.

To get to the meat of the report, click on the subnet in the Subnet box to populate the Host box. Then click on the IP listed in the Host box to populate the Port box. The items listed in the Port box are what you need to read. An orange triangle icon next to a list item indicates a Security Warning, and a lightbulb icon tells you that there's a Security Note on that item. Lack of an icon means that Nessus (and Nmap) detected a service running on that port but found no potential problems with it.

You should look at every Security Note because you might find something interesting, and certainly review every Security Warning. Every time Nessus warns you of a potential problem, it also gives you advice about mitigating the issue, and often includes a link to follow for further information or even a patch.

If you decide to save the report, whether to establish a baseline for that particular system or to show your boss ("Look at all the pretty graphs and numbers!"), click Save Report and then pick the format you'd like to use. You have a variety to pick from, including the following:

  • NBE: Enables you to open it again using Nessus

  • XML: Suitable if you want to manipulate the data yourself

  • LaTeX: Also good for manipulating and creating your own report formats

  • HTML: An attractive, clickable report, with links to the Nessus Web site for further info

  • ASCII: Plain text

  • HTML with pies and graphs: A pretty, graphical clickable report, perfect for your PHB (pointy-haired boss)

The first couple of times you use Nessus, save a report using each of the formats so that you can get a handle on the pros and cons of each one. Either of the HTML formats can be tremendously helpful because they include links to resources that the normal report doesn't provide.

Nessus is an amazingly powerful tool, one that you'll find yourself using often on your own systems. Remember that it's better for you to find out the weaknesses on your own computers and network before the bad guys do, and Nessus is an awesome way to do so. Use it!



Hacking Knoppix
Hacking Knoppix (ExtremeTech)
ISBN: 0764597841
Year: 2007
Pages: 118
