
ISEC0514 Computer Systems Security and Privacy

ISEC0514 Computer Systems Security and Privacy. Lecture Notes #8: Hardening UNIX/Linux. UNIX Hacking. The most common target for a hacker is to get to user root, which can control everything on a UNIX server. UNIX hacking includes common footprinting and enumeration techniques.



  1. ISEC0514 Computer Systems Security and Privacy, Lecture Notes #8: Hardening UNIX/Linux

  2. UNIX Hacking
  • The most common target for a hacker is to get to user root, which can control everything on a UNIX server.
  • UNIX hacking includes common footprinting and enumeration techniques:
    • Gathering public information
    • Port scanning
    • Various enumeration techniques
  • This information leads to system compromise.

  3. Gathering Public Information
  • Web sites
    • Internal web sites
    • External web sites
  • Public FTP server
  • IP address information through the whois database
  • DNS
    • Server addresses
    • MX records
    • Tools: host, nslookup, dig
  • google

  4. DNS Information
    [root@test ~]# host -l -a miss.com
    Trying "miss.com"
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14233
    ;; flags: qr aa ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;miss.com.                      IN      AXFR
    ;; ANSWER SECTION:
    miss.com.               10800   IN      SOA     miss.com. admin.miss.com. ...
    miss.com.               10800   IN      NS      pentarget.miss.com.
    miss.com.               10800   IN      MX      10 pentarget.miss.com.
    ns.miss.com.            10800   IN      CNAME   pentarget.miss.com.
    pentarget.miss.com.     10800   IN      A       192.168.4.3
    pentest.miss.com.       10800   IN      A       192.168.4.2
    www.miss.com.           10800   IN      CNAME   pentarget.miss.com.
    miss.com.               10800   IN      SOA     miss.com. admin.miss.com. ...

  5. DNS Hardening
  • DNS configuration can be hardened (BIND: /etc/named.conf).
  • Allow queries from any client.
  • Allow zone transfers only to secondary servers.
  • Allow recursion only to local clients.
    options {
        ...
        allow-query { any; };
        allow-transfer { localhost; 192.168.4.4; };
        allow-recursion { localhost; 192.168.4.0/24; };
        recursion yes;
        ...
    };

  6. DNS Hardening
  • Hardening result:
    [root@test nfs]# host -l -a miss.com
    Trying "miss.com"
    ; Transfer failed.
    Trying "miss.com"
    Host miss.com not found: 9(NOTAUTH)
    Received 40 bytes from 192.168.4.3#53 in 1 ms
    ; Transfer failed.
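
The following is an added example, not part of the lecture: a small POSIX shell check that reads a BIND named.conf and reports whether allow-transfer is restricted, so the configuration change on slide 5 can be verified from a script rather than by running a zone transfer against the server. The two configuration files it writes are constructed for the demonstration (one mirrors the slide's hardened options block, the other hands the zone to any host); on a real server pass the path of the live named.conf instead.

```shell
#!/bin/sh
# Added example, not from the lecture: audit the allow-transfer setting in a
# BIND named.conf. Both sample files below are constructed for this demo.

# Print the body of the allow-transfer { ... } statement in file $1, or
# nothing if the statement is absent. Newlines are joined first so the
# statement may span several lines.
extract_allow_transfer() {
    tr '\n' ' ' < "$1" | sed -n 's/.*allow-transfer[[:space:]]*{\([^}]*\)}.*/\1/p'
}

# Report on zone-transfer exposure for named.conf $1. Output starts with
# "OK:" or "WARN:" so the result is easy to grep in a larger audit script.
audit_allow_transfer() {
    acl=$(extract_allow_transfer "$1")
    if [ -z "$acl" ]; then
        echo "WARN: no allow-transfer statement; transfers fall back to the server default"
    elif printf '%s\n' "$acl" | grep -qw any; then
        echo "WARN: allow-transfer permits any host:$acl"
    else
        echo "OK: allow-transfer restricted to:$acl"
    fi
}

# Constructed sample: the hardened options block from the slide.
write_hardened_conf() {
    cat > "$1" <<'EOF'
options {
    directory "/var/named";
    allow-query { any; };
    allow-transfer { localhost; 192.168.4.4; };
    allow-recursion { localhost; 192.168.4.0/24; };
    recursion yes;
};
EOF
}

# Constructed sample: a weak block that hands the whole zone to anyone.
write_weak_conf() {
    cat > "$1" <<'EOF'
options {
    allow-query { any; };
    allow-transfer { any; };
    recursion yes;
};
EOF
}

# Stand-alone demo.
tmp=$(mktemp -d)
write_hardened_conf "$tmp/named.conf.good"
write_weak_conf "$tmp/named.conf.bad"
audit_allow_transfer "$tmp/named.conf.good"
audit_allow_transfer "$tmp/named.conf.bad"
rm -rf "$tmp"
```

A missing allow-transfer statement is reported as a warning rather than as safe, because the result then depends on the server's built-in default instead of on an explicit decision by the administrator.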

  7. Network Enumeration
  • traceroute
  • Ping sweep
  • Port scanning

  8. Traceroute
  • Network topology can be found by using traceroute.
  • The firewall's location may also be found.
    [bash]$ traceroute example.com
    traceroute to example.com (192.168.1.7), 30 hops max, 38 byte packets
     1  (10.1.1.1)  4.264 ms  4.245 ms  4.226 ms
     2  (10.2.1.1)  9.155 ms  9.181 ms  9.180 ms
     3  (192.168.10.90)  9.224 ms  9.183 ms  9.145 ms
     4  (192.168.10.33)  9.660 ms  9.771 ms  9.737 ms
     5  (192.168.10.217)  12.654 ms  10.145 ms  9.945 ms
     6  (192.168.11.173)  10.235 ms  9.968 ms  10.024 ms
     7  (192.168.12.97)  133.128 ms  77.520 ms  218.464 ms
     8  (192.168.13.78)  65.065 ms  65.189 ms  65.168 ms
     9  (192.168.14.252)  64.998 ms  65.021 ms  65.301 ms
    10  (192.168.100.130)  82.511 ms  66.022 ms  66.170 ms
    11  www.example.com (192.168.1.7)  82.355 ms  81.644 ms  84.238 ms

  9. Traceroute Countermeasures
  • You cannot block inbound traceroute from the outside network, since it can use any kind of IP packet.
  • However, you can block outbound ICMP TTL-exceeded (ICMP type 11), which is the response of the internal machines to the traceroute source.
    [Diagram: Attacker -> FW -> Local Machines carries any IP packets; the Local Machines' ICMP TTL-exceeded replies toward the Attacker are blocked at the FW]

  10. Ping Sweeps
  • A ping sweep can be done by sending ICMP echo (type 8) from the outside and waiting for ICMP echo reply (type 0).
  • A ping sweep can also be done using other techniques, such as sending ICMP info request (type 15).
  • Tools:
    • nmap
    • fping
    • hping2

  11. Ping Sweeps
    [root@test static]# ./icmpenum
    USAGE: ./icmpenum [opts] [-c class C] [-d dev] [-i 1-3] [-s src] [-t sec] hosts ...
      -c  class C in x.x.x.0 form
      -i  icmp type to send/receive, types include the following:
            1 echo/echo reply (default)
            2 timestamp request/reply
            3 info request/reply
            4 mask request/reply
      -d  device to grab local IP or sniff from, default is eth0
      -s  spoofed source address
      -t  time in seconds to wait for all replies (default 5)
    [root@test static]# ./icmpenum -i 2 -i eth0 -c 192.168.4.1
    192.168.4.2 is up
    192.168.4.3 is up

  12. Ping Sweep Countermeasures
  • Block ICMP echo and other unused ICMP types.

  13. Port Scanners and OS Detection
  • Port scanning tools
    • nmap
    • strobe
    • tcp_scan, udp_scan (part of SAINT)
    • netcat (nc)
  • OS detection tools
    • nmap
    • queso

  14. Detecting Port Scanners
  • There are several tools that can be used to detect port scanning activity:
    • psad
    • scanlogd (TCP only)
    • Snort
  • Some of this software can also integrate with the firewall, so that further scanning can be blocked.

  15. Banner Grabbing
  • Possible information includes:
    • Secure shell server software and protocol version
    • Mail server software
  • Tools:
    • telnet
    • netcat
    • amap
    • vmap

  16. Banner Grabbing
    [root@test static]# telnet 192.168.4.3 22
    Trying 192.168.4.3...
    Connected to 192.168.4.3.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_5.2
    Protocol mismatch.
    Connection closed by foreign host.
    [root@test static]# telnet 192.168.4.3 25
    220 relay.mut.ac.th ESMTP Sendmail 8.13.8/8.14.2; ...
    quit
    221 2.0.0 xxx.xxx.ac.th closing connection
    Connection to host lost.

  17. FTP Enumeration
  • An attacker may use any FTP client to walk the directory structure of an FTP server and check whether any permissions on the server are set wrongly.
  • Most anonymous FTP servers accept any e-mail address as the password.
  • If a world-writable directory is found, the attacker has a way to upload (hacking) tools to your server and will look for a way to execute them later.
  • If the FTP server software has security issues, the attacker may launch an exploit against it.
  • A successful exploit gives the attacker access as the user the FTP service runs as.
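
The following is an added example, not part of the lecture: a shell check an administrator can run over an FTP root to list the world-writable directories that slide 17 warns about, before an attacker finds them. The directory tree it scans is constructed in a temporary directory for the demonstration; on a real server pass the FTP root (for example the anonymous user's home) as the argument.

```shell
#!/bin/sh
# Added example, not from the lecture: find world-writable directories under
# an FTP document root. The sample tree is constructed in a temporary
# directory; on a real server pass the FTP root instead.

# Print every directory under $1 whose mode has the "other write" bit set.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# Number of such directories; the hardened target is 0.
count_world_writable_dirs() {
    find_world_writable_dirs "$1" | wc -l | tr -d ' '
}

# Constructed sample FTP tree: one clean area and one misconfigured drop box.
make_sample_ftp_root() {
    root=$(mktemp -d)
    mkdir -p "$root/pub/nested" "$root/incoming"
    chmod 755 "$root/pub" "$root/pub/nested"
    chmod 1777 "$root/incoming"   # sticky but world-writable: an upload point
    printf '%s\n' "$root"
}

# Stand-alone demo.
ftp_root=$(make_sample_ftp_root)
echo "World-writable directories under $ftp_root:"
find_world_writable_dirs "$ftp_root"
echo "Count: $(count_world_writable_dirs "$ftp_root")"
rm -rf "$ftp_root"
```

The check looks only at mode bits (-perm -0002), so it reports the same result whether it is run as root or as an unprivileged user who can read the tree; a sticky bit on the directory does not remove the finding, because the directory still accepts uploads from anyone.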

  18. SMTP Enumeration
  • An SMTP server may be used to gain more information about users on the target machine.
  • Special SMTP commands like VRFY can be used to confirm valid usernames.
  • EXPN can be used to expand the usernames in a mailing list.

  19. SMTP Enumeration
    [root$] telnet 10.219.100.1 25
    Trying 10.219.100.1...
    Connected to 10.219.100.1.
    Escape character is '^]'.
    220 mail.example.com ESMTP Sendmail Tue, 15 Jul 2008
    vrfy root
    250 root <root@mail.example.com>
    expn test
    250 test <test@mail.example.com>
    expn mailing-list
    250 .... the whole list of subscribers ...
    quit
    221 mail.example.com closing connection

  20. TFTP Enumeration
  • Trivial File Transfer Protocol (TFTP) is a UDP-based protocol for unauthenticated "quick and dirty" file transfers.
  • TFTP runs on UDP port 69.
  • TFTP is commonly used to transfer device ROM images and configuration backups/restores.
  • Configurations can hold information valuable to the attacker, such as passwords or password hashes of the network devices.
  • You should always block TFTP requests except from trusted addresses.

  21. Finger Enumeration
  • On old UNIX servers, the finger service may be running.
  • The attacker may get the list of logged-in users, as well as valid user names.
  • The finger service is no longer common on modern UNIX.
    [root$] finger 0@192.168.202.34
    [192.168.202.34]
        Line     User     Host(s)     Idle     Location
    *   2 vty 0           idle        0        192.168.202.14

  22. RPC Enumeration
  • All RPC-based services must register with the RPC server.
  • Common RPC services include NIS and NFS.
  • The rpcinfo command can be used to enumerate available services, service versions, and open ports.
  • The RPC server itself runs on TCP and UDP port 111.
  • The RPC server service is commonly referred to as rpcbind or portmapper.

  23. RPC Enumeration
    [root@test static]# rpcinfo -p 192.168.4.3
       program vers proto   port  service
        100000    4   tcp    111  portmapper
        100000    4   udp    111  portmapper
        100024    1   udp  50626  status
        100024    1   tcp  34440  status
        100011    2   udp    875  rquotad
        100011    2   tcp    875  rquotad
        100021    4   udp  51211  nlockmgr
        100021    4   tcp  49851  nlockmgr
        100003    3   tcp   2049  nfs
        100003    4   tcp   2049  nfs
        100003    3   udp   2049  nfs
        100003    4   udp   2049  nfs
        100005    2   udp  47214  mountd
        100005    2   tcp  46771  mountd
        100005    3   udp  47214  mountd
        100005    3   tcp  46771  mountd

  24. R-cmd Enumeration
  • R-commands are used in traditional UNIX to support remote administration tasks.
  • Authentication is controlled by a configuration file called .rhosts in the home directory of the target user.
  • A common misconfiguration is to put a plus symbol (+) in the .rhosts file. This allows every machine to remotely control the target machine as the specified user.
  • R-commands include rexec, rsh, rlogin and rcp.
  • R-commands are not common in modern UNIX; SSH should be used as the replacement.

  25. R-cmd Enumeration
    hammer$ cat .rhosts
    gryphon.csi.cam.ac.uk
    oneeye.csi.cam.ac.uk
    gryphon$ rlogin hammer.thor
    Last login: Mon Oct 11 13:10:02 from gryphon.csi.cam.ac.uk
    Solaris Release 2.5 [hammer] Linux Redhat Release 4.2
    hammer$
    gryphon$ rsh -l rjd4 hammer.thor.cam.ac.uk uname -n
    hammer.thor.cam.ac.uk
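
The following is an added example, not part of the lecture: a shell audit that walks a home-directory base and reports every .rhosts entry containing a bare "+" field, the misconfiguration slide 24 describes. The home directories and .rhosts files it checks are constructed in a temporary directory (one reuses the host names from slide 25, the other is wide open); on a real server pass /home, or wherever user homes live, as the argument.

```shell
#!/bin/sh
# Added example, not from the lecture: find .rhosts files that trust every
# host or every user. The home-directory tree is constructed under a
# temporary directory; on a real server pass the home base (e.g. /home).

# Print "file:line: content" for each .rhosts entry under home base $1 in
# which any field is a bare "+" (any host, or any user on the named host).
# Comment lines are ignored.
audit_rhosts() {
    for f in "$1"/*/.rhosts; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[[:space:]]*#/ { next }
            {
                for (i = 1; i <= NF; i++)
                    if ($i == "+") { print file ":" NR ": " $0; break }
            }' "$f"
    done
}

# Count of risky entries found; the hardened target is 0.
count_open_rhosts() {
    audit_rhosts "$1" | wc -l | tr -d ' '
}

# Constructed sample: one restrictive file and one wide-open file.
make_sample_homes() {
    base=$(mktemp -d)
    mkdir -p "$base/alice" "$base/bob"
    printf '%s\n' 'gryphon.csi.cam.ac.uk' 'oneeye.csi.cam.ac.uk' > "$base/alice/.rhosts"
    printf '%s\n' '# trusted hosts' 'oneeye.csi.cam.ac.uk bob' '+ +' > "$base/bob/.rhosts"
    printf '%s\n' "$base"
}

# Stand-alone demo.
homes=$(make_sample_homes)
audit_rhosts "$homes"
echo "Risky .rhosts entries: $(count_open_rhosts "$homes")"
rm -rf "$homes"
```

A line such as "host +" (any user from one host) is flagged as well as "+" and "+ +", because the per-field test catches a wildcard in either position; /etc/hosts.equiv uses the same syntax and can be checked by pointing the awk script at that file.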

  26. NIS Enumeration
  • NIS data can be retrieved using the ypcat and ypmatch commands.
  • NIS data may be accessed remotely, but the attacker needs to know the NIS domain name.
    [root@pentarget ~]# nisdomainname
    miss
    [root@pentarget ~]# ypcat passwd
    testnis1:!!:1001:1001::/home/testnis1:/bin/bash
    test1:!!:501:501::/home/test1:/bin/bash
    admin:$6$OKCPxAVpdPN$pn...pVp8B6i.:500:500::/home/admin:/bin/bash
    [root@pentarget ~]# ypmatch admin passwd
    admin:$6$OKCPxAVpdPN$pn...pVp8B6i.:500:500::/home/admin:/bin/bash
    [root@pentarget ~]#

  27. Hardening NIS
  • Configure the (/var/log/)securenets configuration file to allow NIS access only from NIS client machines.
  • Make the NIS domain name harder to guess.
  • Note that the NIS domain name can be found easily by anyone who can log into an NIS client machine.

  28. NFS Enumeration
  • NFS exports can be discovered remotely using the showmount command.
  • NFS authentication, by default, is checked against the IP address of the NFS client machine.
  • If the address is trusted, any UID supplied by the client is trusted by the server too.
  • Any misconfiguration of the NFS exports may lead to system compromise.
  • nfsshell is another tool that interacts with an NFS server directly.

  29. NFS Attacks
    [root@pentarget ~]# cat /etc/exports
    /home *(rw)
    /mnt pentarget.miss.com(rw)
    /usr *(ro)
    [root@pentest static]# showmount -e 192.168.4.3
    Export list for 192.168.4.3:
    /usr *
    /home *
    /mnt pentarget.miss.com

  30. NFS Attacks
    [root@pentest ~]# mount 192.168.4.3:/home /mnt
    [root@pentest ~]# ls -l /mnt
    total 12
    drwx------. 26 admin admin 4096 2010-02-18 16:05 admin
    drwx------.  6 501   501   4096 2010-02-16 15:22 test1
    [root@pentest ~]# useradd -u 501 hoho
    [root@pentest ~]# id hoho
    uid=501(hoho) gid=501(hoho) groups=501(hoho)
    [root@pentest ~]# su - hoho
    [hoho@pentest test1]$ cd /mnt/test1
    [hoho@pentest test1]$ mkdir .ssh
    [hoho@pentest test1]$ cd .ssh
    [hoho@pentest .ssh]$ cp ~/.ssh/id_rsa.pub authorized_keys
    [hoho@pentest .ssh]$ chmod 644 authorized_keys
    [hoho@pentest .ssh]$ chmod 700 .

  31. NFS Attacks
    [hoho@pentest .ssh]$ ls -la
    total 12
    drwx------. 2 hoho hoho 4096 2010-02-18 17:29 .
    drwx------. 7 hoho hoho 4096 2010-02-18 17:28 ..
    -rw-r--r--. 1 hoho hoho  403 2010-02-18 17:29 authorized_keys
    [hoho@pentest .ssh]$ ssh-agent
    SSH_AUTH_SOCK=/tmp/ssh-jGbArm2818/agent.2818; export SSH_AUTH_SOCK;
    SSH_AGENT_PID=2819; export SSH_AGENT_PID;
    echo Agent pid 2819;
    [hoho@pentest .ssh]$ SSH_AUTH_SOCK=/tmp/ssh-jGbArm2818/agent.2818; export SSH_AUTH_SOCK;
    [hoho@pentest .ssh]$ SSH_AGENT_PID=2819; export SSH_AGENT_PID;

  32. NFS Attacks
    [hoho@pentest .ssh]$ ssh-add
    Enter passphrase for /home/hoho/.ssh/id_rsa:
    Identity added: /home/hoho/.ssh/id_rsa (/home/hoho/.ssh/id_rsa)
    [hoho@pentest .ssh]$ ssh -l test1 192.168.4.3
    ...
    Last login: Tue Feb 16 15:24:27 2010 from 192.168.4.2
    [test1@pentarget ~]$ id
    uid=501(test1) gid=501(test1) groups=501(test1)

  33. Hardening NFS
  • Only export file systems to trusted machines.
  • Export file systems read-only if possible.
  • Use root ownership for exported files and directories.
  • Do not export the server's executables.
  • Always use the showmount command to double-check that the configuration is secure.
  • Do not allow users to log into the NFS server.
  • Use TCP_Wrappers to block NFS access, if possible.
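
The following is an added example, not part of the lecture: a shell audit of /etc/exports that flags the mistakes behind the attack on slides 29 to 32 and the advice on slide 33: exports open to every host, read-write exports to wildcard clients, and no_root_squash (which lets a remote root keep root on the server, defeating the root-ownership advice). The exports file it reads is constructed here, mirroring the slide's three lines plus one no_root_squash entry; on a real server run audit_exports /etc/exports.

```shell
#!/bin/sh
# Added example, not from the lecture: audit an NFS /etc/exports file for the
# mistakes the NFS slides warn about. The sample exports file is constructed
# here; on a real server run audit_exports /etc/exports.

# Print one finding per risky export entry in exports file $1.
# Checks: export to every host ("*" or no client), read-write export to a
# wildcard client, and no_root_squash (remote root keeps root on the server).
audit_exports() {
    awk '
        /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                entry = $i; client = entry; opts = ""
                if (match(entry, /\(.*\)/)) {
                    client = substr(entry, 1, RSTART - 1)
                    opts   = substr(entry, RSTART + 1, RLENGTH - 2)
                }
                if (client == "" || client == "*")
                    printf "%s: exported to every host (%s)\n", path, entry
                if (client ~ /[*?]/ && opts ~ /(^|,)rw(,|$)/)
                    printf "%s: read-write export to wildcard client %s\n", path, client
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    printf "%s: no_root_squash, remote root is root on the server\n", path
            }
        }' "$1"
}

# Number of findings; the hardened target is 0.
count_export_findings() {
    audit_exports "$1" | wc -l | tr -d ' '
}

# Constructed sample mirroring the slide's exports plus one no_root_squash line.
write_sample_exports() {
    cat > "$1" <<'EOF'
# /etc/exports (constructed sample)
/home *(rw)
/mnt pentarget.miss.com(rw)
/usr *(ro)
/srv/build 192.168.4.0/24(rw,no_root_squash)
EOF
}

# Stand-alone demo.
f=$(mktemp)
write_sample_exports "$f"
audit_exports "$f"
echo "Findings: $(count_export_findings "$f")"
rm -f "$f"
```

On the constructed file the script reports four findings: /home is both exported to every host and read-write to a wildcard, /usr is exported to every host, and /srv/build carries no_root_squash; the /mnt line, restricted to one named client, produces none.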

  34. X-Windows Security
  • X-Windows grants many privileges to remote access, including:
    • Capture keystrokes
    • Kill windows
    • Capture windows
    • Remap keyboard keys
  • X access control is xhost authentication.
  • xhost authentication is IP-based. Most users simply type "xhost +" to allow access.
  • This means that anyone can access the X-Windows system on the server.

  35. X-Windows Security
  • xscan can be used to scan for X-Windows access on the network.
  • xlsclients lists all windows on a display.
  • xkill kills any window.
  • xwd dumps a screen to a file.
  • xwud displays an image created by xwd.

  36. X-Windows Security
    [testnis1@pentarget ~]$ id
    uid=1001(testnis1) gid=1001(testnis1) groups=1001(testnis1)
    [testnis1@pentarget ~]$ xlsclients
    xlsclients: unable to open display ""
    [admin@pentarget ~]$ xhost +
    Access control disabled, clients can connect from any host
    [admin@pentarget ~]$

  37. X-Windows Security
    [testnis1@pentarget ~]$ xlsclients -display :0.0 -l
    ...
    Window 0xe00001:
      Machine:  pentarget.miss.com
      Name:  Terminal
      Icon Name:  gnome-terminal
      Command:  gnome-terminal
      Instance/Class:  gnome-terminal/Gnome-terminal
    Window 0x4200001:
      Machine:  pentarget.miss.com
      Name:  Firefox
      Icon Name:  firefox
      Command:  firefox
      Instance/Class:  firefox/Firefox
    ...
    [testnis1@pentarget ~]$ xkill -display :0.0 -id 0x4200001
    xkill:  killing creator of resource 0x4200001

  38. Vulnerability Mapping
  • After gathering security information about the server, a hacker can map it to potential vulnerabilities.
  • This process is called vulnerability mapping and can be done by:
    • Manually mapping the gathered information to potential vulnerabilities.
    • Using public and proof-of-concept exploits to test whether vulnerabilities can be successfully exploited.
    • Using vulnerability scanners to find potential exploits, which is noisy.

  39. Vulnerability Mapping
  • Script kiddies simply skip the vulnerability mapping process and shoot everything at the target.
  • It is common to see Windows exploits targeting UNIX/Linux servers.

  40. Vulnerability Mapping
  • A common vulnerability mapping process includes:
    • Perform network reconnaissance against the target system.
    • Map attributes such as operating system, architecture, and specific versions of listening services to known vulnerabilities and exploits.
    • Perform target acquisition by identifying and selecting key systems.
    • Enumerate and prioritize potential points of entry.

  41. System Access
  • There are two types of access to a UNIX/Linux server that an attacker may gain.
  • Remote access is gained via the network or a communication channel.
  • Local access means having an actual command shell and escalating to higher privileges. This is usually called a privilege escalation attack.

  42. System Access
  • Remote access and local access are related.
  • Attackers remotely exploit a vulnerability in a listening service and then gain local shell access.
  • Once shell access is obtained, the attackers are considered to be local on the system.
  • Then the attackers escalate their local privileges to root.

  43. Brute-Force Attack
  • Password brute-force attacks can be conducted against several services, including:
    • telnet
    • ftp
    • R-commands
    • Secure shell (SSH)
    • POP3, IMAP
    • HTTP, HTTPS
    • CVS/SVN

  44. Brute-Force Attack
  • Tools:
    • Hydra
    • ADM-pop.c
    • SNMPBrute

  45. Brute-Force Attack Countermeasures
  • Use strong passwords by enforcing a password policy.
  • This can be done through system configuration and additional software:
    • Cracklib
    • System configurations
      • /etc/security/login.conf
      • PAM

  46. Brute-Force Attack Countermeasures
  • In addition to general password strength recommendations:
    • Log multiple authentication failures.
    • Implement account lockout where possible (beware of DoS attacks).
    • Disable unused services.
    • Use stronger authentication when possible, for example:
      • One-time passwords (OTP).
      • Public key authentication.
      • Security tokens.
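
The following is an added example, not part of the lecture: a shell script that turns the "log multiple authentication failures" advice on slide 46 into a concrete check, counting failed SSH password attempts per source address in an OpenSSH log and reporting the sources that cross a threshold. The log lines are constructed for the demonstration in the format syslog records for sshd; on a real host point it at /var/log/auth.log or /var/log/secure and pick a threshold that suits the lockout policy.

```shell
#!/bin/sh
# Added example, not from the lecture: summarise failed SSH password logins
# per source address from an OpenSSH auth log so repeated failures can be
# alerted on. The log lines are constructed; on a real host use
# /var/log/auth.log or /var/log/secure.

# Print "count ip" for every source with at least $2 failed password
# attempts in log $1, most active source first.
failed_logins_by_source() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= min) printf "%d %s\n", fails[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample log (OpenSSH messages as logged by syslog).
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Feb 18 17:31:02 pentarget sshd[4021]: Failed password for test1 from 192.168.4.2 port 51234 ssh2
Feb 18 17:31:05 pentarget sshd[4021]: Failed password for invalid user oracle from 192.168.4.2 port 51236 ssh2
Feb 18 17:31:09 pentarget sshd[4023]: Accepted publickey for admin from 192.168.4.5 port 51240 ssh2
Feb 18 17:31:12 pentarget sshd[4025]: Failed password for root from 192.168.4.2 port 51241 ssh2
Feb 18 17:31:15 pentarget sshd[4026]: Failed password for admin from 192.168.4.9 port 40022 ssh2
Feb 18 17:31:20 pentarget sshd[4027]: Failed password for invalid user guest from 192.168.4.2 port 51250 ssh2
Feb 18 17:31:25 pentarget sshd[4028]: Accepted password for test1 from 192.168.4.2 port 51255 ssh2
EOF
}

# Stand-alone demo: report sources with three or more failures.
log=$(mktemp)
write_sample_auth_log "$log"
failed_logins_by_source "$log" 3
rm -f "$log"
```

With a threshold of 3 the constructed log yields a single line, "4 192.168.4.2": the source that guessed four passwords, including for an invalid user and for root, before a later successful password login from the same address, which is exactly the sequence worth alerting on. Counting by source rather than by user name also keeps an attacker from hiding behind a spread of account names.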

  47. Attacks from Bad Coding
  • Attacks that stem from bad coding practice include:
    • Buffer overflow attacks
    • Format string attacks
    • Weak input validation
    • Integer overflow and integer sign attacks
    • Dangling pointer attacks

  48. Countermeasures
  • Always update software with security patches.
  • Beware of obsolete software.
  • Use secure coding practices.
  • Conduct software audits regularly.
  • Disable unused services.

  49. Stack Protection
  • Administrators may disable stack execution to lower the chance of being attacked by stack overflow techniques.
  • This can be done by modifying settings in the proper (OS-dependent) configuration files:
    • Solaris: /etc/system
    • Linux: depends on the distribution
  • This does not prevent other similar techniques, such as heap overflow.

  50. Generic UNIX Protection
  • For all UNIX machines, the following protection measures can be taken:
    • Separate networks for UNIX servers from clients.
    • Use TCP_Wrappers.
    • Enable a host-based firewall.
      • Consider what traffic should pass the firewall.
      • RPC traffic can remain inside the DMZ.
    • Enforce a password policy.
    • Do not share admin accounts.
    • Centralize logs on a log server (syslog).
    • Disable root login (except for recovery).
    • Implement sudo.
      • Lets users perform tasks as root or a privileged user.
