Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hacking Unix/Linux.

Published byBeryl McKinney Modified over 8 years ago

Similar presentations

Presentation on theme: "Hacking Unix/Linux."— Presentation transcript:

1 Hacking Unix/Linux

2 Footprinting, Scanning, Enumeration
Footprinting: Similar to Windows but using different tools: Network enumeration: using whois and finding authoritative name server. DNS interrogation: using nslookup for zone transfer , host to find server, and traceroute for network reconnaissance. Also dig. Ubuntu: use System, Administration, Network Tools for ping, whois, traceroute, etc. Scanning: again similar to Windows with different tools : Nmap and Nmapfe: use sudo apt-get install nmap and sudo apt-get install nmapfe to setup. Use sudo nmapfe for graphical interface. ping sweeps, port scanning: tcp and udp, OS detection. Countermeasures: Snort and Psionic Port Sentry: documentation. (seen later in IPS/IDS) Enumeration: UNIX enumeration. UNIX Users and group enumeration: finger (see this example) and tftp should be disabled and killed. Basic daemons: sendmail, rpc, NFS, NIS -- all have known vulnerabilities, setup and latest security patches should be applied carefully.

3 Getting started Vulnerability mapping: identify specific software vulnerabilities (e.g. sendmail, telnet, ftp, NFS, apache). Quest for root: root or nothing ? Su - root. Remote access: gaining access via the network exploit a listening daemon/service a UNIX system performing routing with IP forwarding enabled user-initiated remote execution (hostile Web site, Trojan horses, etc) Local access: having access to a shell or login to the system privilege escalation attacks (from login to root) once a remote access exploits a vulnerability it gains local shell access Brute force attacks: (we will see John the Ripper but not Hydra) remote login programs: telnet, ftp, rlogin.rsh,ssh, http plus a tool to crack the username/password combination. The /etc/passwd file. You should use shadow passwords. Countermeasures: password education and software (e.g. checkpassd)

4 Remote access Data driven attacks: sending data to an active service that causes unintended results, generally allowing access to the system Buffer Overflow: same Windows vulnerabilities (C programs). Countermeasures: basically good programming practices, testing, auditing, safer compilers, etc. Input Validation: failure in validating input and accepting extraneous input (hack code!!!). Produces similar results to buffer overflow and the countermeasure is the same: safe programming. Shell access: after gaining access using a data driven attack the first objective is to open a shell window to enter commands. Traditional shell access: telnet, rlogin,ssh (admins can close most). Using X-Windows to run xterm in the remote (target) machine and display in the intruder machine, using its client/server features. Reverse telnet and back channels: admins can remove X, then what? Run nc (netcat) in the intruder and run malicious code in the target creating a telnet connection from target to intruder. Countermeasures: remove X (servers), chmod 750 telnet (Linux, root only), better yet only use ssh.

5 Common remote access attacks
FTP: do not run anonymous FTP in the same server you have regular accounts and ftp with user authentication. Keep up to date with vulnerabilities (e.g. wu-ftpd, a popular ftp, had a vulnerability in exec). Better yet, only use ssh/scp. Sendmail: a very complex mail server (over 80,000 lines of code), which few understand. It is needed in almost all UNIX machines and in most cases should not be disabled. Qmail is a potential replacement. Remote Procedure Call: rpcinfo (as root) let us see the running rpc services. Best defense is to limit the use of RPC services to the minimum. NFS: do not export the file system to everyone, or enable NFS selectively (not active in the MISLab), files saved locally, not in the network. DNS: disable BIND in machines NOT used as DNS servers (type ps aux to see what processes are running, also look for /etc/name.boot). Discussing named is beyond the scope of this course (another difficult daemon to setup safely). Test for buffer overflow using version.bind chaos txt X Windows: use xhost to add, delete, names and hosts which can access X-Windows. Not a strong line of defense. Again, remove X-Windows from servers

6 Local access Password cracking: We cannot decrypt a password, we use a dictionary, or other type of algorithm to generate passwords, encrypt them using the crypt function, DES, etc, and compare with hash in the passwd file. Crack 5 and John the Ripper are two of “the best of the breed.” Local buffer overflow: same problems and countermeasures. Symlinks: ln -s /this /that, when you cat this you see that. Signals in UNIX: you re-start, start, stop daemons sending signals: SIGXXX. Core dump: memory (core) dumps are snapshots of the memory when an error occurs. Delete it or it stays. ulimit set to 0 cancel core dumps. Shared libraries: replace a standard library file with a rogue one, granting privileges to the intruder, when used. Kernel problems: upgrades to the kernel may create security flaws, which will be found, patched, etc. Linux particularly vulnerable (growing). File and directory permissions: SUID files -- a necessary evil. Some applications need to run as root and be used by regular users (solution: SUID). The find command list these files, and there are many of them. World writable files are another problem.

Download ppt "Hacking Unix/Linux."

Similar presentations

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.

Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.

ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.
Forces that Have Brought the world to it’s knees over the centuries.

Forces that Have Brought the world to it’s knees over the centuries.
Hacking Linux Based on Hacking Linux Exposed Hatch, Lee, and Kurtz ISBN 0-07-212773-2.

Hacking Linux Based on Hacking Linux Exposed Hatch, Lee, and Kurtz ISBN
Linux Security An overview notes from Linux Network Security HowTO.

Linux Security An overview notes from Linux Network Security HowTO.
Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.

Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
Information Networking Security and Assurance Lab National Chung Cheng University 2004/03/031 A Real World Attack: wu-ftp Cao er kai ( 曹爾凱 )

Information Networking Security and Assurance Lab National Chung Cheng University 2004/03/031 A Real World Attack: wu-ftp Cao er kai ( 曹爾凱 )
Enumeration. Local IP addresses Local IP addresses (review)  Some special IP addresses  localhost 127.0.0.1 (loopback address)  Internal networks 

Enumeration. Local IP addresses Local IP addresses (review)  Some special IP addresses  localhost (loopback address)  Internal networks 
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
Hacking Web Server Defiana Arnaldy, M.Si 0818 0296 4763.

Hacking Web Server Defiana Arnaldy, M.Si
Telnet/SSH: Connecting to Hosts Internet Technology1.

Telnet/SSH: Connecting to Hosts Internet Technology1.
Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.

Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
Remote Control and Advanced Techniques. Remote Control Software What do they do? Connect through dial-in and/or TCP/IP. Replicate remote screen on local.

Remote Control and Advanced Techniques. Remote Control Software What do they do? Connect through dial-in and/or TCP/IP. Replicate remote screen on local.
1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology.

1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology.
Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.

Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.

Similar presentations

Ads by Google