Linux Vulnerabilities

Hands-On Ethical Hacking and Network Defense, Chapter 9: Linux Operating System Vulnerabilities

Upload: securitytubenet

Post on 18-Nov-2014


Category: Education



DESCRIPTION

http://www.securitytube.net for videos on hacking, security and cracking.

TRANSCRIPT

Page 1: Linux Vulnerabilities

Hands-On Ethical Hacking and Network Defense

Chapter 9: Linux Operating System Vulnerabilities

Page 2: Linux Vulnerabilities

Objectives

Describe the fundamentals of the Linux operating system
Describe the vulnerabilities of the Linux operating system
Describe Linux remote attacks
Explain countermeasures for protecting the Linux operating system

Page 3: Linux Vulnerabilities

Review of Linux Fundamentals

Linux is a version of UNIX
Usually available free
  Red Hat: includes documentation and support for a fee
Linux creates default directories

Page 4: Linux Vulnerabilities


Page 5: Linux Vulnerabilities


Page 6: Linux Vulnerabilities

Linux Exploration Demo

See link Ch 9b

Page 7: Linux Vulnerabilities

Linux File System

Provides directory structure
Establishes a file-naming convention
Includes utilities to compress or encrypt files
Provides for both file and data integrity
Enables error recovery
Stores information about files and folders
  *NIX systems store information about files in information nodes (inodes)

Page 8: Linux Vulnerabilities

inodes

Information stored in an inode
  An inode number
  Owner of the file
  Group the file belongs to
  Size of the file
  Date the file was created
  Date the file was last modified or read
There is a fixed number of inodes
  By default, one inode per 4 KB of disk space

Page 9: Linux Vulnerabilities

Mounting

In Windows, each device has a letter
  A: for floppy, C: for hard disk, and so on
*NIX mounts a file system (usually a drive) as a subfile system of the root file system /
The mount command is used to mount file systems or to display currently mounted file systems
The df command displays disk usage of mounted file systems
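The inode fields listed on the previous slide and the per-file-system inode budget that df reports, read programmatically. This is an added example, not code from the slides; it constructs its own sample file under /tmp (the path SAMPLE_PATH is assumed writable) and uses only stat(2) and statvfs(3).

```c
/* Added example (not from the slides): the inode fields the slide lists, read with
 * stat(2), and the file system's fixed inode budget, read with statvfs(3), i.e. the
 * figures ls -li and df -i print. The sample file is constructed here. */
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#define SAMPLE_PATH "/tmp/inode_demo_sample.txt"   /* constructed path for the demo */

struct inode_info {
    unsigned long ino, nlink;      /* inode number, hard links to this inode */
    unsigned uid, gid;             /* owner and group */
    long long size;                /* size in bytes */
    time_t atime, mtime, ctime;    /* last read, last modified, last inode change */
};

/* Fill *out from the inode behind path; 0 on success, -1 on error. Note that POSIX
 * stores no creation date: st_ctime is the time of the last change to the inode. */
int inode_info(const char *path, struct inode_info *out) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    out->ino = st.st_ino;     out->nlink = st.st_nlink;  out->size = st.st_size;
    out->uid = st.st_uid;     out->gid = st.st_gid;
    out->atime = st.st_atime; out->mtime = st.st_mtime;  out->ctime = st.st_ctime;
    return 0;
}

/* Total and free inodes of the file system holding path (what df -i shows). The count
 * is fixed when the file system is created, so it can run out while space remains. */
int inode_budget(const char *path, unsigned long *total, unsigned long *free_) {
    struct statvfs vfs;
    if (statvfs(path, &vfs) != 0) return -1;
    *total = vfs.f_files;  *free_ = vfs.f_ffree;
    return 0;
}

/* Create the sample, read its inode and the budget, and check owner, size and link
 * count against what we know; returns 1 when everything is consistent, else 0. */
int sample_file_checks(void) {
    struct inode_info info; unsigned long total, free_;
    FILE *f = fopen(SAMPLE_PATH, "w");                    /* constructed 5-byte sample */
    if (!f || fputs("hello", f) < 0 || fclose(f) != 0) return 0;
    int ok = inode_info(SAMPLE_PATH, &info) == 0 && inode_budget(SAMPLE_PATH, &total, &free_) == 0
          && info.size == 5 && info.uid == getuid() && info.nlink == 1 && free_ <= total;
    unlink(SAMPLE_PATH);
    return ok;
}

int main(void) { printf("inode checks %s\n", sample_file_checks() ? "passed" : "failed"); return 0; }
```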

Page 10: Linux Vulnerabilities

mount and df in Ubuntu

Page 11: Linux Vulnerabilities

*NIX File System History

Minix file system
  Max. size 64 MB, max. file name 14 chars
Extended File System (Ext)
  Max. size 2 GB, max. file name 256 chars
Second Extended File System (Ext2fs)
  Max. size 4 TB, better performance and stability
Third Extended File System (Ext3fs)
  Journaling: recovers from crashes better

Page 12: Linux Vulnerabilities

Linux Commands

Page 13: Linux Vulnerabilities


Page 14: Linux Vulnerabilities

Getting Help

Many of these commands have multiple parameters and additional functionality
Use these commands to get help (replace command with the command you want help with, such as ifconfig):
  command --help
  man command

Page 15: Linux Vulnerabilities

Linux OS Vulnerabilities

UNIX has been around for quite some time
  Attackers have had plenty of time to discover vulnerabilities in *NIX systems
Enumeration tools can also be used against Linux systems
  Nessus can be used to enumerate Linux systems

Page 16: Linux Vulnerabilities

Nessus Scanning a Linux Server

Page 17: Linux Vulnerabilities

Linux OS Vulnerabilities (continued)

Nessus can be used to
  Discover vulnerabilities related to SMB and NetBIOS
  Discover other vulnerabilities
  Enumerate shared resources

Page 18: Linux Vulnerabilities

Linux OS Vulnerabilities (continued)

Test Linux computer against common known vulnerabilities
  Review the CVE and CAN information
  See links Ch 9m, n, o

Page 19: Linux Vulnerabilities


Page 20: Linux Vulnerabilities

Remote Access Attacks on Linux Systems

Differentiate between local attacks and remote attacks
  Remote attacks are harder to perform
Attacking a network remotely requires
  Knowing what system a remote user is operating
  The attacked system’s password and login accounts

Page 21: Linux Vulnerabilities

Footprinting an Attacked System

Footprinting techniques
  Used to find out information about a target system
Determining the OS version the attacked computer is running
  Check newsgroups for details on posted messages
  Knowing a company’s e-mail address makes the search easier

Page 22: Linux Vulnerabilities

Other Footprinting Tools

Whois databases
DNS zone transfers
Nessus
Port scanning tools

Page 23: Linux Vulnerabilities

Using Social Engineering to Attack Remote Linux Systems

Goal
  To get OS information from company employees
Common techniques
  Urgency
  Quid pro quo
  Status quo
  Kindness
  Position
Train your employees about social engineering techniques

Page 24: Linux Vulnerabilities

Trojans

Trojan programs spread as
  E-mail attachments
  Fake patches or security fixes that can be downloaded from the Internet
Trojan program functions
  Allow for remote administration
  Create an FTP server on the attacked machine
  Steal passwords
  Log all keys a user enters, and e-mail the results to the attacker

Page 25: Linux Vulnerabilities

Trojans

Trojan programs can use legitimate outbound ports
  Firewalls and IDSs cannot identify this traffic as malicious
  Example: Sheepshank uses HTTP GETs
It is easier to protect systems from already identified Trojan programs
  See links Ch 9e, f, g

Page 26: Linux Vulnerabilities

Installing Trojan Programs (continued)

Rootkits
  Contain Trojan binary programs ready to be installed by an intruder with root access to the system
  Replace legitimate commands with Trojan programs
  Hide the tools used for later attacks
  Example: LRK5

Page 27: Linux Vulnerabilities

LRK5

See links Ch 9h, i, j

Page 28: Linux Vulnerabilities

Rootkit Detectors

Security testers should check their Linux systems for rootkits
  Rootkit Hunter (Link Ch 9l)
  Chkrootkit (Link Ch 9l)
  Rootkit Profiler (Link Ch 9k)

Page 29: Linux Vulnerabilities

Demonstration of rkhunter

sudo apt-get install rkhunter
sudo rkhunter -c

Page 30: Linux Vulnerabilities

Creating Buffer Overflow Programs

Buffer overflows write code to the OS’s memory
  Then run some type of program
  Can elevate the attacker’s permissions to the level of the owner
Security testers should know what a buffer overflow program looks like

Page 31: Linux Vulnerabilities

Creating Buffer Overflow Programs (continued)

A C program that causes a buffer overflow

Page 32: Linux Vulnerabilities

Creating Buffer Overflow Programs (continued)

The program compiles, but returns the following error

Page 33: Linux Vulnerabilities

Creating Buffer Overflow Programs (continued)

A C code snippet that fills the stack with shell code

Page 34: Linux Vulnerabilities

Avoiding Buffer Overflows

Write code that avoids functions known to have buffer overflow vulnerabilities
  strcpy()
  strcat()
  sprintf()
  gets()
Configure the OS so that code in the stack is not allowed to run any other executable code in the stack
Some compilers, like gcc, warn programmers when dangerous functions are used
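What the slide's advice looks like in code: the unbounded strcpy() pattern beside a bounded replacement, and snprintf() in place of sprintf(). This is an added example, not the chapter's own program; the buffer size NAME_MAX_LEN and the sample inputs are constructed for the demo.

```c
/* Added example (not from the slides): the unbounded copy the slide warns about beside
 * a bounded replacement, plus the bounded form of sprintf(). copy_name_unsafe() is kept
 * only so the pattern is recognisable; the demo and tests use the safe forms. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* constructed buffer size for the demo */

/* Vulnerable form: strcpy() stops only at the NUL of src, so a src of 16 or more
 * bytes writes past buf and over whatever follows it on the stack. */
void copy_name_unsafe(char *buf, const char *src) {
    strcpy(buf, src);                          /* no length check at all */
}

/* Bounded form: refuse input that does not fit (including its NUL), copy only
 * what was measured, and report the decision. Returns 0 on success, -1 if too long. */
int copy_name_safe(char *buf, size_t bufsz, const char *src) {
    const char *nul = memchr(src, '\0', bufsz); /* scans at most bufsz bytes of src */
    if (nul == NULL) {                          /* no NUL inside bufsz: cannot fit */
        if (bufsz) buf[0] = '\0';
        return -1;
    }
    memcpy(buf, src, (size_t)(nul - src) + 1);  /* includes the terminating NUL */
    return 0;
}

/* Bounded form of sprintf(): snprintf() never writes past bufsz and returns the
 * length the full output would have needed, so needed >= bufsz means truncation. */
int format_greeting(char *buf, size_t bufsz, const char *name) {
    int needed = snprintf(buf, bufsz, "hello, %s", name);
    return (needed < 0 || (size_t)needed >= bufsz) ? -1 : 0;
}

int main(void) {
    char name[NAME_MAX_LEN], line[32];
    /* constructed inputs: one that fits, one that strcpy() would have overflowed with */
    const char *fits = "alice";
    const char *too_long = "a-name-far-longer-than-sixteen-bytes";
    printf("short input: %d (%s)\n", copy_name_safe(name, sizeof name, fits), name);
    printf("long input:  %d (rejected, buffer emptied)\n", copy_name_safe(name, sizeof name, too_long));
    printf("bounded format: %d (%s)\n", format_greeting(line, sizeof line, fits), line);
    /* gets() has no bound argument at all; read lines with fgets(buf, sizeof buf, stdin) instead */
    return 0;
}
```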

Page 35: Linux Vulnerabilities

Using Sniffers to Gain Access to Remote Linux Systems

Sniffers work by setting a network card adapter in promiscuous mode
  NIC accepts all packets that traverse the network cable
Attacker can analyze packets and learn user names and passwords
  Avoid using protocols such as Telnet, HTTP, and FTP that send data in clear text
Sniffers
  Tcpdump, Ethereal (now Wireshark)

Page 36: Linux Vulnerabilities

Countermeasures Against Linux Remote Attacks

Measures include
  User awareness training
  Keeping current on new kernel releases and security updates

Page 37: Linux Vulnerabilities

User Awareness Training

Social Engineering
  Users must be told not to reveal information to outsiders
  Make customers aware that many exploits can be downloaded from Web sites
  Teach users to be suspicious of people asking questions about the system they are using
  Verify caller’s identity
  Call back technique

Page 38: Linux Vulnerabilities

Keeping Current

Never-ending battle
  New vulnerabilities are discovered daily
  New patches are issued to fix new vulnerabilities
Installing these fixes is essential to protecting your system
Many OSs are shipped with automated tools for updating your systems

Page 39: Linux Vulnerabilities


Page 40: Linux Vulnerabilities
