Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

Hands-On Ethical Hacking and Network Defense: Linux Operating System Vulnerabilities

Download as ppt, pdf, or txt
Download as ppt, pdf, or txt
You are on page 1of 40

Hands-On Ethical

Hacking and Network


Defense
Chapter 9
Linux Operating System Vulnerabilities

Objectives
Describe the fundamentals of the Linux
operating system
Describe the vulnerabilities of the Linux
operating system
Describe Linux remote attacks
Explain countermeasures for protecting the
Linux operating system

Review of Linux Fundamentals


Linux is a version of UNIX

Usually available free


Red Hat
Includes documentation and support for a fee

Linux creates default directories

Linux Exploration Demo


See link Ch 9b

Linux File System


Provides directory structure
Establishes a file-naming convention
Includes utilities to compress or encrypt
files
Provides for both file and data integrity
Enables error recovery
Stores information about files and folders
*NIX systems store information about files
in information nodes (inodes)

inodes
Information stored in an inode

An inode number
Owner of the file
Group the file belongs to
Size of the file
Date the file was created
Date the file was last modified or read

There is a fixed number of inodes

By default, one inode per 4 KB of disk space


8

Mounting
In Windows, each device has a letter

A: for floppy, C: for hard disk, and so on

*NIX mounts a file system (usually a drive)


as a subfile system of the root file system /
mount command is used to mount file
systems

or to display currently mounted file systems

df command displays disk usage of


mounted file systems
9

mount and df in Ubuntu

10

*NIX File System History


Minix file system

Max. size 64 MB, Max. file name 14 chars

Extended File System (Ext)

Max. size 2 GB, Max. file name 256 chars

Second Extended File System (Ext2fs)

Max. size 4 TB, better performance and


stability

Third Extended File System (Ext3fs)

Journalingrecovers from crashes better


11

Linux Commands

12

13

Getting Help
Many of these commands have multiple
parameters and additional functionality
Use these commands to get help.
(Replace command with the command you
want help with, such as ifconfig)

command --help
man command

14

Linux OS Vulnerabilities
UNIX has been around for quite some time
Attackers have had plenty of time to
discover vulnerabilities in *NIX systems
Enumeration tools can also be used
against Linux systems
Nessus can be used to enumerate Linux
systems
15

Nessus Scanning a Linux Server

16

Linux OS Vulnerabilities
(continued)
Nessus can be used to

Discover vulnerabilities related to SMB and


NetBIOS
Discover other vulnerabilities
Enumerate shared resources

17

Linux OS Vulnerabilities
(continued)
Test Linux computer against common
known vulnerabilities

Review the CVE and CAN information


See links Ch 9m, n, o

18

19

Remote Access Attacks on


Linux Systems
Differentiate between local attacks and
remote attacks

Remote attacks are harder to perform

Attacking a network remotely requires

Knowing what system a remote user is


operating
The attacked systems password and login
accounts
20

Footprinting an Attacked
System
Footprinting techniques

Used to find out information about a target


system

Determining the OS version the attacked


computer is running

Check newsgroups for details on posted


messages
Knowing a companys e-mail address makes
the search easier
21

Other Footprinting Tools


Whois databases
DNS zone transfers
Nessus
Port scanning tools

22

Using Social Engineering to


Attack Remote Linux Systems
Goal

To get OS information from company


employees

Common techniques

Urgency
Quid pro quo
Status quo
Kindness
Position

Train your employees about social engineering


techniques

23

Trojans
Trojan programs spread as

E-mail attachments
Fake patches or security fixes that can be
downloaded from the Internet

Trojan program functions

Allow for remote administration


Create a FTP server on attacked machine
Steal passwords
Log all keys a user enters, and e-mail results
to the attacker
24

Trojans
Trojan programs can use legitimate
outbound ports

Firewalls and IDSs cannot identify this traffic


as malicious
Example: Sheepshank uses HTTP GETs

It is easier to protect systems from


already identified Trojan programs

See links Ch 9e, f, g

25

Installing Trojan Programs


(continued)
Rootkits

Contain Trojan binary programs ready to be


installed by an intruder with root access to
the system
Replace legitimate commands with Trojan
programs
Hides the tools used for later attacks
Example: LRK5

26

LRK5
See Links Ch 9h, i, j

27

Rootkit Detectors
Security testers should check their Linux
systems for rootkits

Rootkit Hunter (Link Ch 9l)


Chkrootkit (Link Ch 9l)
Rootkit Profiler (Link Ch 9k)

28

Demonstration of rkhunter
sudo apt-get install rkhunter
sudo rkhunter -c

29

Creating Buffer Overflow


Programs
Buffer overflows write code to the OSs
memory

Then run some type of program


Can elevate the attackers permissions to the
level of the owner

Security testers should know what a buffer


overflow program looks like

30

Creating Buffer Overflow


Programs (continued)
A C program that causes a buffer overflow

31

Creating Buffer Overflow


Programs (continued)
The program compiles, but returns the
following error

32

Creating Buffer Overflow


Programs (continued)
A C code snippet that fills the stack with
shell code

33

Avoiding Buffer Overflows


Write code that avoids functions known to
have buffer overflow vulnerabilities
strcpy()
strcat()
sprintf()
gets()

Configure OS to not allow code in the stack to


run any other executable code in the stack
Some compilers like gcc warn programmers
when dangerous functions are used
34

Using Sniffers to Gain Access to


Remote Linux Systems
Sniffers work by setting a network card
adapter in promiscuous mode

NIC accepts all packets that traverse the


network cable

Attacker can analyze packets and learn


user names and passwords

Avoid using protocols such as Telnet, HTTP,


and FTP that send data in clear text

Sniffers

Tcpdump, Ethereal (now Wireshark)

35

Countermeasures Against Linux


Remote Attacks
Measures include

User awareness training


Keeping current on new kernel releases and
security updates

36

User Awareness Training


Social Engineering

Users must be told not to reveal information to


outsiders
Make customers aware that many exploits
can be downloaded from Web sites
Teach users to be suspicious of people
asking questions about the system they are
using
Verify callers identity
Call back technique
37

Keeping Current
Never-ending battle

New vulnerabilities are discovered daily


New patches are issued to fix new
vulnerabilities

Installing these fixes is essential to


protecting your system
Many OSs are shipped with automated
tools for updating your systems

38

39

40

You might also like