Picking the Right Platform
Apply Your Knowledge
You have seen how useful automated assessment tools can be and how Linux is a good platform for performing security tests. Therefore, this Apply Your Knowledge will have you examine some automated assessment tools and one of the best online exploit databases.
Exercises
5.1. Exploring the SecurityForest.com Website
SecurityForest.com is a collaboratively edited Forest consisting of Trees, which anyone can contribute to. These trees break out in an ordered fashion. The tools and exploits that are available for each step of a penetration test and for the exploits are available for specific networks, systems, and applications.
Estimated Time: 10 minutes.
- Open your browser and go to www.securityforest.com.
- You will notice on the left of the screen that several trees are listed.
- Click on the Exploit Tree online interface.
- This page will have links for applications, systems, and networks. Click on the applications link.
- On this page, you will see links for all the applications that have been listed in the database. Find the link for web servers and click on the link for the IIs application.
- Under IIs, locate the Jill-win32.c exploit code. After you find the code, you can view it by clicking on the view button. If you have identified an IIs server susceptible to the IPP printer buffer overflow, this tool could be compiled and executed to take advantage of that vulnerability.
- Continue to explore the SecurityForest website. If you return to the main page, you will see that there is also a database of tools under the tool tree link that lists all tools by category.
- Finally, click on the Exploitation Framework link. The Exploitation Framework is similar to the Metasploit database, except that it leverages the huge amount of exploits in the exploit tree. A movie is available that demonstrates the tool at http://www.securityforest.com/wiki/index.php/Exploitation_Framework_Screenshots page. The actual browser-based Windows tool can be downloaded from www.securityforest.com/wiki/index.php/Exploitation_Framework_Download.
5.2 Running the Nessus Server
In this exercise, you will run the Nessus server and look at some of its settings.
Estimated Time: 30 minutes.
- Boot up Knoppix STD. The install files can be found on the enclosed CD or can be downloaded from www.knoppix-std.org.
- Open a terminal window and make sure that you are running as root. If not, type su.
- You will need to add a user to the Nessus server. This can be accomplished by typing Nessus-adduser from the prompt.
- After a user is added, you will want to start the Nessus server daemon by typing in the following: /etc/init.d/nessusd start.
- Once the daemon is started, you can type nessus at the command line to start the Nessus client. You will now be prompted to log in to Nessus. Enter the username and password you created in step 3.
- Click OK on the warning page that warns about dangerous plugins. This message basically states that some plugins can cause some servers to crash or hang. If you were to run this tool on a production network, this is something you would want to discuss with management before making a decision on how to proceed.
- Browse through the parameters available on each tab. These include: Plugins, Prefs, Scan Options, Target Selection, and User.
- Under the Network tab, enter the target device you would like to scan. Make sure that this is a system you have permission to perform a scan on. Start the assessment by clicking on Start the Scan.
- On the Get Updates Setup Files page, select Yes, download the updated Setup files (Recommended), and then click Next. You'll need to register to get updates. Updates are seven days behind for non-paying customers.
- After the scan is finished, review the results. This information could be added to your test report had this been an actual test.
- The next step of a real assessment would be to patch, harden, and update the systems that were found to be vulnerable.
Exam Prep Questions
| 1. |
How can a Linux user list what processes are running if he suspects something has been loaded that is not approved?
|
| 2. |
You have been hired by Bob's Burgers to scan its network for vulnerabilities. They would like you to perform a system-level scan. Which of the following programs should you use?
|
| 3. |
You have been able to get a terminal window open on a remote Linux host. You now need to use a command line web browser to download a privilege escalation tool. Which of the following will work?
|
| 4. |
While hacking away at your roommate's Linux computer, you accessed his passwd file. Here is what you found. root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: Where is the root password?
|
| 5. |
Which of the following will allow you to set the user to full access, the group to read-only, and all others to no access?
|
| 6. |
Your team lead has asked you to make absolute changes to a file's permissions. Which of the following would be correct?
|
| 7. |
Which of the following is not a valid Linux user group?
|
| 8. |
You have been exploring the files and directory structure of the new Linux server. What are the entries of the /etc/hosts file made up of?
|
| 9. |
At the prompt of your Linux server, you enter cat /etc/passwd. In the following output line, what is the function of 100? chubs:2cX1eDm8cFiJYc:500:100:chubs Lex:/home/chubs/bin/bash
|
| 10. |
Where will an attacker find the system password file in a Linux machine that is restricted to root and contains encrypted passwords?
|
| 11. |
Most modern versions of Linux use which of the following password encryption standards by default?
|
| 12. |
Which of the following is an LKM rootkit?
|
| 13. |
How can Tripwire help prevent against Trojan horses and rootkits?
|
| 14. |
Which of the following will allow you to set the user to full access, the group to read and write access, and all others to read access?
|
| 15. |
Which of the following programs can be used to build a jail around a program, such as FTP, to prevent hackers from gaining access to unauthorized folders and files?
|
A. netstatAnswers to Exam Questions
| A1: |
1. D. The ps command gives a snapshot of the currently running processes, including ps itself. Answer A is incorrect because netstat is a command-line tool that displays a list of the active connections a computer currently has. Answer B is incorrect as ls only provides a directory listing. Answer C is incorrect, as echo displays entered characters on the screen. |
| A2: |
2. C. SARA is a system level scanner that can scan various ports and attempt to verify what is running on each and what vulnerabilities are present. Answer A is incorrect, as Flawfinder is a source code scanner. Answers B and D are incorrect because both N-Stealth and Whisker are web application scanners and do not perform system level scans. |
| A3: |
3. B. Lynx is a basic browser that can be used to pull down the needed code. Answer A is incorrect because TFTP is not used for web browsing. Answer C is incorrect, as Explorer is a Windows-based web browser. Answer D is incorrect, as Firefox is a GUI tool. |
| A4: |
4. B. The password has been shadowed. You can determine this because there is an x in the second field. Answer A is incorrect, as the password has been shadowed. Answer C is incorrect because the password is not being stored in the passwd file. You might or might not be able to see it depending on if you are logged in as root. Answer D is incorrect, as the SAM is only used in Windows. There is no SAM file in Linux. |
| A5: |
5. C. The command for file and folder permissions is chmod, and the proper setting would be 740. Answer A is incorrect, as a setting of 777 would give read, write, and execute rights to the owner, group, and all others. Answers B and D are incorrect because chroot is not used for file permissions. |
| A6: |
6. D. Absolute mode will require the use of octal values, such as chmod 320. Answers A, B, and C are incorrect. Chroot is not used to set file permissions; chmod a+rwx is a valid command; buy is in symbolic form. |
| A7: |
7. C. The three valid groups in Red Hat Linux include super users, system users, and normal users. Therefore, answers A, B, and D are incorrect. Guest is a default group found in the Windows environment. |
| A8: |
8. D. The /etc/host file stores IP addresses and is used for hostname to IP address resolution. Answers A, B, and C are incorrect, as subnet masks, default gateways, and allow or deny statements are not found there. |
| A9: |
9. C. The structure of the passwd file is such: Account Name:Password:UID:GID:User Information:Directory:Program. In this case, the 100 falls under the GID. Answers A, B, and D are therefore incorrect, as they do not specify the correct field. |
| A10: |
10. B. The shadow file is used to prevent hacker and ordinary users from viewing encrypted passwords. Answer A is incorrect because the host file is used for name resolution. Answer C is incorrect, as the passwd file is not restricted to root. Answer D is incorrect, as inetd is a configuration file and not related to passwords. |
| A11: |
11. A. Most versions of Linux, such as Red Hat, use MD5 by default. If you choose not to use MD5, you can choose DES, although it limits passwords to eight alphanumeric characters. Therefore, answer B is incorrect. Answers C and D are incorrect because Linux does not use AES or Diffie Hellman for password encryption. |
| A12: |
12. C. Adorm is a loadable kernel module (LKM) rootkit. A loadable kernel module runs in kernel space but can be loaded separately after the system is running. Answers A and B are incorrect because Flea and T0rm are not LKM rootkits. Answer D is incorrect, as Chkroot is a rootkit detector. |
| A13: |
13. A. Tripwire works with a database that maintains information about the byte count of files. If the byte count has changed, it will identify the finding and set a notification flag. Answers B, C, and D are incorrect, as Tripwire does not harden applications, it does not scan source code, and it does not build a jail that limits the access of attackers. |
| A14: |
14. C. The command for file and folder permissions is chmod, and the proper setting would be 764. Answer A is incorrect because a setting of 746 would give read, write, and execute rights to the owner, read to the group, and read and write to all others. Answers B and D are incorrect, as chroot is not used for file permissions. |
| A15: |
15. D. Chrooting is one of the hardening procedures that can be performed to a Linux system. It creates additional borders in case of zero day threats so that hackers are jailed in specific folders. Answer A is incorrect, as Tripwire is used to verify no changes have occurred to files and folders without your knowledge. Answer B, chmod, is incorrect because it is used to set file and folder permissions. Answer C is incorrect because loadable kernel modules are used by rootkits. |
Suggested Reading and Resources
www.frozentech.com/content/livecd.phpBootable Linux distribution list
www.antiserver.it/Backdoor-RootkitRootkit downloads
www.chkrootkit.orgChkrootkit website
www.rootkit.nlRootkit hunter website
www.nsa.gov/snacNSA hardening guidelines
www.nessus.orgNessus website
www.saintcorporation.comSAINT website
www.iss.netISS Internet scanner website
www.symantec.comNetRecon
www.eeye.comRetina security scanner
www.arc.comSARA security scanner
www.bindview.comVLAD security scanner
www.metasploit.comMetasploit framework
www.immunitysec.com/products-canvas.shtm/Canvas
www.coresecurity.comCoreIMPACT
Trojans and Backdoors |
Part I: Exam Preparation
The Business Aspects of Penetration Testing
- The Business Aspects of Penetration Testing
- Study Strategies
- Security Fundamentals
- Security Testing
- Hacker and Cracker Descriptions
- Ethical Hackers
- Test PlansKeeping It Legal
- Ethics and Legality
- Summary
- Key Terms
- Apply Your Knowledge
The Technical Foundations of Hacking
- The Technical Foundations of Hacking
- Study Strategies
- The Attackers Process
- The Ethical Hackers Process
- Security and the Stack
- Summary
- Key Terms
- Apply Your Knowledge
Footprinting and Scanning
- Footprinting and Scanning
- Study Strategies
- Determining Assessment Scope
- The Seven-Step Information Gathering Process
- Summary
- Key Terms
- Apply Your Knowledge
Enumeration and System Hacking
- Enumeration and System Hacking
- Study Strategies
- The Architecture of Windows Computers
- Enumeration
- Windows Hacking
- Summary
- Key Terms
- Apply Your Knowledge
Linux and Automated Security Assessment Tools
- Linux and Automated Security Assessment Tools
- Study Strategies
- Linux
- Automated Assessment Tools
- Picking the Right Platform
- Summary
- Key Terms
- Apply Your Knowledge
Trojans and Backdoors
- Trojans and Backdoors
- Study Strategies
- An Overview of TrojansThe History of Trojans
- Covert Communications
- Trojan and Backdoor Countermeasures
- Summary
- Key Terms
- Apply Your Knowledge
Sniffers, Session Hijacking, and Denial of Service
- Sniffers, Session Hijacking, and Denial of Service
- Study Strategies
- Sniffers
- Session Hijacking
- Denial of Service
- Summary
- Key Terms
- Apply Your Knowledge
Web Server Hacking, Web Applications, and Database Attacks
- Web Server Hacking, Web Applications, and Database Attacks
- Study Strategies
- Web Server Hacking
- Web Application Hacking
- Database Overview
- Summary
- Key Terms
- Apply Your Knowledge
Wireless Technologies, Security, and Attacks
- Wireless Technologies, Security, and Attacks
- Study Strategies
- Wireless TechnologiesA Brief History
- Wireless LANs
- Wireless Hacking Tools
- Securing Wireless Networks
- Summary
- Key Terms
- Apply Your Knowledge
IDS, Firewalls, and Honeypots
- IDS, Firewalls, and Honeypots
- Study Strategies
- Intrusion Detection Systems
- Firewalls
- Honeypots
- Summary
- Key Terms
- Apply Your Knowledge
Buffer Overflows, Viruses, and Worms
- Buffer Overflows, Viruses, and Worms
- Study Strategies
- Buffer Overflows
- Viruses and Worms
- Summary
- Key Terms
- Apply Your Knowledge
Cryptographic Attacks and Defenses
- Cryptographic Attacks and Defenses
- Study Strategies
- Functions of Cryptography
- History of Cryptography
- Algorithms
- Hashing
- Digital Signatures
- Steganography
- Digital Certificates
- Public Key Infrastructure
- Protocols, Standards, and Applications
- Encryption Cracking and Tools
- Summary
- Key Terms
- Apply Your Knowledge
Physical Security and Social Engineering
- Physical Security and Social Engineering
- Study Strategies
- Physical Security
- Social Engineering
- Summary
- Key Terms
- Apply Your Knowledge
Part II: Final Review
- Fast Facts
- Ethics and Legality
- Footprinting
- Scanning
- Enumeration
- System Hacking
- Trojans and Backdoors
- Sniffers
- Denial of Service
- Social Engineering
- Session Hijacking
- Hacking Web Servers
- Web Application Vulnerabilities
- Web-Based Password Cracking Techniques
- SQL Injection
- Hacking Wireless Networks
- Virus and Worms
- Physical Security
- Linux Hacking
- Evading Firewalls, IDS, and Honeypots
- Buffer Overflows
- Cryptography
- Penetration Testing
- Certified Ethical Hacker
- Practice Exam Questions
- Answers to Practice Exam Questions
- Glossary
Part III: Appendixes
Appendix A. Using the ExamGear Special Edition Software
- Appendix A. Using the ExamGear Special Edition Software
- Exam Simulation
- Study Tools
- How ExamGear Special Edition Works
- Installing ExamGear Special Edition
- Using ExamGear Special Edition
- Contacting Que Certification
- License
- Software and Documentation
- License Term and Charges
- Title
- Updates
- Limited Warranty and Disclaimer
- Limitation of Liability
- Miscellaneous
- U.S. Government Restricted Rights
EAN: 2147483647
Pages: 247
