Advanced Unix
33
Advanced Unix Advanced Unix
description
Advanced Unix. Roses are #FF0000 Violets are #0000FF All My Base Are Belong To You. Bastille Linux. http://www.bastille-linux.org Well best laid plans oft go awry… Bastille Linux does not work on FC6 It will work on FC5, 4, 3, etc… Prerequisites for Bastille are: - PowerPoint PPT Presentation
Transcript of Advanced Unix
Advanced UnixAdvanced Unix
Roses are #FF0000Violets are #0000FF
All My BaseAre Belong To You
Bastille LinuxBastille Linux
http://www.bastille-linux.orghttp://www.bastille-linux.org Well best laid plans oft go awry…Well best laid plans oft go awry… Bastille Linux does not work on FC6Bastille Linux does not work on FC6 It will work on FC5, 4, 3, etc…It will work on FC5, 4, 3, etc… Prerequisites for Bastille are:Prerequisites for Bastille are:
• TKTK - an open source, cross-platform widget - an open source, cross-platform widget toolkit, that is, a library of basic elements for toolkit, that is, a library of basic elements for building a graphical user interface (GUI). building a graphical user interface (GUI).
• CursesCurses - a terminal control library for Unix-like - a terminal control library for Unix-like systems, enabling the construction of text user systems, enabling the construction of text user interface (TUI) applicationsinterface (TUI) applications
Bastille LinuxBastille Linux
If TK or Curses are not installed use If TK or Curses are not installed use the following commands to install:the following commands to install:• yum install tkyum install tk• yum install perl-Cursesyum install perl-Curses
To run Bastille use the following To run Bastille use the following commands:commands:• GUI Mode: bastille –xGUI Mode: bastille –x• TUI Mode: bastille -cTUI Mode: bastille -c
Bastille LinuxBastille Linux
If you are running FC6 you’ll have If you are running FC6 you’ll have to wait a little while before they to wait a little while before they support itsupport it
In the mean while a quick demo…In the mean while a quick demo…
Post ScannersPost Scanners
Port scanners are a useful toolsPort scanners are a useful tools Port scanners are software designed to Port scanners are software designed to
search a network host or hosts for open search a network host or hosts for open ports. ports.
This is often used by administrators to This is often used by administrators to check the security of their check the security of their system/networks and by crackers to system/networks and by crackers to detect attack pointsdetect attack points
Port ScannersPort Scanners
There are numerous port scanners There are numerous port scanners available today. Freeware, available today. Freeware, Shareware and Commercial of the Shareware and Commercial of the Shelf (COTS)Shelf (COTS)
Many Network/Security Many Network/Security Administrators use port scanners to Administrators use port scanners to detect unauthorized services running detect unauthorized services running on their networkon their network
Port ScannersPort Scanners
NmapNmap: ("Network Mapper") is an : ("Network Mapper") is an open source utility for network open source utility for network exploration or security auditing. It exploration or security auditing. It was designed to rapidly scan large was designed to rapidly scan large networks.networks.
FoundstoneFoundstone Vision Vision: Reports all open : Reports all open TCP and UDP ports and maps them to TCP and UDP ports and maps them to the owning process or application. the owning process or application.
Port ScannersPort Scanners
Foundstone Fport: Identify unknown Foundstone Fport: Identify unknown open ports and their associated open ports and their associated applicationsapplications
Foundstone Scanline: Formerly Foundstone Scanline: Formerly FScan. Command line port scannerFScan. Command line port scanner
Foundstone SuperScan: Powerful TCP Foundstone SuperScan: Powerful TCP port scanner, pinger, resolverport scanner, pinger, resolver
……and many, many more…and many, many more…
nmapnmap
Version 3.70 (should be installed on Version 3.70 (should be installed on your class hard drive)your class hard drive)
Written by Fyodor: Written by Fyodor: [email protected]@dhp.com http://www.insecure.org/nmap/http://www.insecure.org/nmap/ To install on your FC6 system:To install on your FC6 system:
• yum install nmapyum install nmap Go ahead an do this now if you Go ahead an do this now if you
haven’t already…haven’t already…
Types of ScansTypes of Scans
TCP Scan TCP Scan – simple scan to detect open ports (aka listeners)– simple scan to detect open ports (aka listeners) ACK scanACK scan - can find packets allowed through a stateless - can find packets allowed through a stateless
packet filter. packet filter. FIN scanFIN scan - can determine if ports are open/closed, even if - can determine if ports are open/closed, even if
SYN packets are filtered. SYN packets are filtered. Protocol scanProtocol scan - determines what IP level protocols (TCP, UDP, - determines what IP level protocols (TCP, UDP,
GRE, etc.) are enabled. GRE, etc.) are enabled. Proxy scanProxy scan - a proxy (SOCKS or HTTP) is used to perform the - a proxy (SOCKS or HTTP) is used to perform the
scan. The target will see the proxy's IP address as the scan. The target will see the proxy's IP address as the source. This can also be done using some FTP servers. source. This can also be done using some FTP servers.
Idle ScanIdle Scan - Another method of scanning without revealing - Another method of scanning without revealing your IP address, taking advantage of the predictable ipid your IP address, taking advantage of the predictable ipid flaw. flaw.
ICMP scanICMP scan - determines if a host responds to ICMP requests, - determines if a host responds to ICMP requests, such as echo (ping), netmask, etc. such as echo (ping), netmask, etc.
Types of ScansTypes of Scans
TCP connectTCP connect TYP SYN (TYP SYN (a.k.a.a.k.a. half-open) half-open) TCP FIN (TCP FIN (a.k.a.a.k.a. stealth) stealth) TCP SYN/FIN using IP fragmentsTCP SYN/FIN using IP fragments TCP ftp proxy (TCP ftp proxy (a.k.a.a.k.a. bounce attack) bounce attack) UCP raw ICMP port unreachableUCP raw ICMP port unreachable RPC scanRPC scan ACK/WIN scanACK/WIN scan Ping scanPing scan
TCP connectTCP connect
Goal: find open TCP ports; option –sTGoal: find open TCP ports; option –sT Open a connection to port Open a connection to port pp on the target on the target If it succeeds, something is listening on If it succeeds, something is listening on
that portthat port Repeat for desired values of Repeat for desired values of ppAdvantages:Advantages:
• fast; can do many ports in parallelfast; can do many ports in parallel• no special privileges neededno special privileges needed
Disadvantages:Disadvantages:• easy to detect and block (filter)easy to detect and block (filter)
ExampleExample# nmap -sT zonker# nmap -sT zonker
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 15:01 PDT15:01 PDT
Interesting ports on zonker.wal (10.1.2.3):Interesting ports on zonker.wal (10.1.2.3):(The 1653 ports scanned but not shown below are in state: closed)(The 1653 ports scanned but not shown below are in state: closed)Port State ServicePort State Service21/tcp open ftp21/tcp open ftp22/tcp open ssh22/tcp open ssh23/tcp open telnet23/tcp open telnet25/tcp open smtp25/tcp open smtp111/tcp open rpcbind111/tcp open rpcbind513/tcp open login513/tcp open login514/tcp open shell514/tcp open shell759/tcp open con759/tcp open con873/tcp open rsync873/tcp open rsync6000/tcp open X116000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 1.733 Nmap run completed -- 1 IP address (1 host up) scanned in 1.733 secondsseconds
TYP SYN (TYP SYN (a.k.a.a.k.a. half-open) half-open)
Goal: find open TCP ports; option –sSGoal: find open TCP ports; option –sS Craft and send a SYN to port Craft and send a SYN to port pp on target on target ACK: someone listening; RST: no-one ACK: someone listening; RST: no-one
listeninglistening Send RST to tear down (incipient) Send RST to tear down (incipient)
connectionconnection Repeat for desired values of Repeat for desired values of ppAdvantages:Advantages:
• many sites don’t log thismany sites don’t log this
Disadvantages:Disadvantages:• need need rootroot to craft the initial SYN to craft the initial SYN
ExampleExample# nmap -sS zonker# nmap -sS zonker
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 14:58 PDT22 14:58 PDT
Interesting ports on zonker.wal (10.1.2.3):Interesting ports on zonker.wal (10.1.2.3):(The 1653 ports scanned but not shown below are in state: closed)(The 1653 ports scanned but not shown below are in state: closed)Port State ServicePort State Service21/tcp open ftp21/tcp open ftp22/tcp open ssh22/tcp open ssh23/tcp open telnet23/tcp open telnet25/tcp open smtp25/tcp open smtp111/tcp open rpcbind111/tcp open rpcbind513/tcp open login513/tcp open login514/tcp open shell514/tcp open shell759/tcp open con759/tcp open con873/tcp open rsync873/tcp open rsync6000/tcp open X116000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 2.100 Nmap run completed -- 1 IP address (1 host up) scanned in 2.100 secondsseconds
TCP FIN (TCP FIN (a.k.a.a.k.a. stealth) stealth)
Goal: find open TCP ports; option –sFGoal: find open TCP ports; option –sF Send FIN to port Send FIN to port pp on target on target If RST, port closed; if nothing, port openIf RST, port closed; if nothing, port open Repeat for desired values of Repeat for desired values of ppAdvantages:Advantages:
• even fewer log thiseven fewer log this
Disadvantages:Disadvantages:• some systems always send RSTs (some systems always send RSTs (ee..gg., IRIX, ., IRIX,
Windows)Windows)
ExampleExample# nmap -sF zonker# nmap -sF zonker
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 15:04 PDT22 15:04 PDT
Interesting ports on zonker.wal (10.1.2.3):Interesting ports on zonker.wal (10.1.2.3):(The 1653 ports scanned but not shown below are in state: closed)(The 1653 ports scanned but not shown below are in state: closed)Port State ServicePort State Service21/tcp open|filtered ftp21/tcp open|filtered ftp22/tcp open|filtered ssh22/tcp open|filtered ssh23/tcp open|filtered telnet23/tcp open|filtered telnet25/tcp open|filtered smtp25/tcp open|filtered smtp111/tcp open|filtered rpcbind111/tcp open|filtered rpcbind513/tcp open|filtered login513/tcp open|filtered login514/tcp open|filtered shell514/tcp open|filtered shell759/tcp open|filtered con759/tcp open|filtered con873/tcp open|filtered rsync873/tcp open|filtered rsync6000/tcp open|filtered X116000/tcp open|filtered X11
Nmap run completed -- 1 IP address (1 host up) scanned in 4.228 Nmap run completed -- 1 IP address (1 host up) scanned in 4.228 secondsseconds
VariantsVariants
Option –sXOption –sX• Christmas tree packet (FIN, URG, PUSH Christmas tree packet (FIN, URG, PUSH
flags)flags)
Option -sNOption -sN• Null packet (all flags turned off)Null packet (all flags turned off)
Same expected result as for –sFSame expected result as for –sF
TCP SYN/FIN TCP SYN/FIN Using IP FragmentsUsing IP Fragments
Goal: find open TCP ports; option –f Goal: find open TCP ports; option –f (modifies –SF, –sX, –sN, –sS)(modifies –SF, –sX, –sN, –sS) Split the header up over several Split the header up over several packetspacketsAdvantages:Advantages:
• makes it harder for packet filters to makes it harder for packet filters to detect probedetect probe
Disadvantages:Disadvantages:• can cause monitoring tools to crashcan cause monitoring tools to crash• high overhead on networkshigh overhead on networks
TCP FTP Proxy TCP FTP Proxy ((a.k.a.a.k.a. Bounce Attack) Bounce Attack)
Goal: find open TCP ports; optionGoal: find open TCP ports; option––b b useruser::passwordpassword@@serverhostserverhost::portport Connect to Connect to serverhostserverhost using using useruser with with passwordpassword Set up proxy to port Set up proxy to port pp on target (use PORT) on target (use PORT) Send over an Send over an lsls of current directory of current directory
• if no-one’s there, if no-one’s there, ftpftp server returns 425 message server returns 425 message• if someone listening, if someone listening, ftpftp server returns 150 message server returns 150 message
Repeat for desired values of Repeat for desired values of ppThis hides who is doing the probingThis hides who is doing the probing
ExampleExample# nmap -b anonymous:[email protected] zonker.wal# nmap -b anonymous:[email protected] zonker.wal
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )Starting nmap V. 3.00 ( www.insecure.org/nmap/ )Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 so we don't try and ping them prior to the scanso we don't try and ping them prior to the scanInteresting ports on zonker.wal (10.1.2.3):Interesting ports on zonker.wal (10.1.2.3):(The 1591 ports scanned but not shown below are in state: closed)(The 1591 ports scanned but not shown below are in state: closed)Port State ServicePort State Service20/tcp open ftp-data 20/tcp open ftp-data 21/tcp open ftp 21/tcp open ftp 22/tcp open ssh 22/tcp open ssh 24/tcp open priv-mail 24/tcp open priv-mail 25/tcp open smtp 25/tcp open smtp 80/tcp open http 80/tcp open http 111/tcp open sunrpc 111/tcp open sunrpc 515/tcp open printer 515/tcp open printer 1023/tcp open unknown 1023/tcp open unknown 6000/tcp open X11 6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 37 secondsNmap run completed -- 1 IP address (1 host up) scanned in 37 seconds
if ICMP echos are blocked,give –P0 to prevent checkfor being up
UDP Raw ICMP Port UDP Raw ICMP Port UnreachableUnreachable
Goal: find UDP ports with listeners; option –sUGoal: find UDP ports with listeners; option –sU Send 0 byte UDP packet to port Send 0 byte UDP packet to port pp on target on target Wait for ICMP port unreachable messageWait for ICMP port unreachable message
• if you get it, no-one’s listeningif you get it, no-one’s listening• if you don’t, someone isif you don’t, someone is
Repeat for desired values of Repeat for desired values of pp
Disadvantage:Disadvantage:• usually slow due to ICMP error rate limitsusually slow due to ICMP error rate limits
ExampleExample# nmap -sU zonker.wal# nmap -sU zonker.wal
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 15:57 Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 15:57 PDTPDT
Interesting ports on zonker.wal (10.1.2.3):Interesting ports on zonker.wal (10.1.2.3):(The 1467 ports scanned but not shown below are in state: closed)(The 1467 ports scanned but not shown below are in state: closed)Port State ServicePort State Service68/udp open|filtered dhcpclient68/udp open|filtered dhcpclient111/udp open|filtered rpcbind 111/udp open|filtered rpcbind 123/udp open|filtered ntp 123/udp open|filtered ntp 513/udp open|filtered who 513/udp open|filtered who 631/udp open|filtered unknown 631/udp open|filtered unknown 800/udp open|filtered mdbs_daemon 800/udp open|filtered mdbs_daemon 866/udp open|filtered unknown 866/udp open|filtered unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 1492.935 secondsNmap run completed -- 1 IP address (1 host up) scanned in 1492.935 seconds
RPC ScanRPC Scan
Goal: find ports with RPC services; Goal: find ports with RPC services; option –sR (use with –sT, –sU)option –sR (use with –sT, –sU) If port If port pp on target is open, send RPC on target is open, send RPC NULLNULL
commandcommand• goal is to determine if goal is to determine if pp is an RPC port; is an RPC port;
if so, what program, version number is if so, what program, version number is served thereserved there
ExampleExample# nmap -sT -sR zonker.wal# nmap -sT -sR zonker.wal
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 16:57 Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 16:57 PDTPDT
Interesting ports on zonker.wal (10.1.2.3):Interesting ports on zonker.wal (10.1.2.3):(The 1654 ports scanned but not shown below are in state: closed)(The 1654 ports scanned but not shown below are in state: closed)Port State Service (RPC)Port State Service (RPC)21/tcp open ftp 21/tcp open ftp 22/tcp open ssh 22/tcp open ssh 24/tcp open priv-mail 24/tcp open priv-mail 25/tcp open smtp 25/tcp open smtp 80/tcp open http 80/tcp open http 111/tcp open sunrpc (rpcbind V2) 111/tcp open sunrpc (rpcbind V2) 515/tcp open printer 515/tcp open printer 1023/tcp open (nfs V2) 1023/tcp open (nfs V2) 6000/tcp open X11 6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 1.962 secondsNmap run completed -- 1 IP address (1 host up) scanned in 1.962 seconds
ACK/WIN scanACK/WIN scan
Goal: see if intervening firewall is packet Goal: see if intervening firewall is packet filter or stateful; option –sAfilter or stateful; option –sA Send ACK to port Send ACK to port pp on target on target Response RST: unfiltered, can get through Response RST: unfiltered, can get through itit Response ICMP unreachable, nothing: Response ICMP unreachable, nothing: filtered,filtered,
probably droppedprobably dropped
Ping ScanPing Scan
Goal: see which hosts are up; option –Goal: see which hosts are up; option –sPsP
Send ICMP echo to all IP addresses Send ICMP echo to all IP addresses on networkon network
Send ACK packet to port 80Send ACK packet to port 80• RST back means it’s upRST back means it’s up
Send SYN packet, wait for RST or Send SYN packet, wait for RST or SYN/ACKSYN/ACK
Default is first two in parallelDefault is first two in parallel
ExampleExample# nmap -sP 10.1.2.1-127# nmap -sP 10.1.2.1-127
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 16:57 Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 16:57 PDTPDT
Host joanie.wal (10.1.2.1) appears to be up.Host joanie.wal (10.1.2.1) appears to be up.
……
Host mike.wal (10.1.2.125) appears to be up.Host mike.wal (10.1.2.125) appears to be up.
Nmap run completed -- 127 IP addresses (48 hosts up) scanned in 4 secondsNmap run completed -- 127 IP addresses (48 hosts up) scanned in 4 seconds
TargetsTargets
hostnamehostname IP addressIP address * is wildcard* is wildcard /mask/mask
Example: a class C network is:Example: a class C network is:
10.1.2.*10.1.2.*
10.1.2.0-25510.1.2.0-255
10.1.2.0/2410.1.2.0/24
Other Interesting OptionsOther Interesting Options
––OO guess the OS typeguess the OS type• Indicates how hard guessing wasIndicates how hard guessing was
––g g pp source port is source port is pp• Sometimes setting this to 53 (DNS) gets Sometimes setting this to 53 (DNS) gets
you through when others won’tyou through when others won’t
––rr do do notnot randomize order of ports randomize order of ports scannedscanned
––p p pp limit scans to ports in given rangelimit scans to ports in given range• Example: –p 1-10,30-60,345,60000–Example: –p 1-10,30-60,345,60000–
A Couple of More …A Couple of More …
––L L ff targets come from file targets come from file ff––II get login name of user get login name of user
running serverrunning server• remote system must honor remote system must honor identident
protocolprotocol• if they send back a crypto hash, you if they send back a crypto hash, you
know nothing moreknow nothing more• veryvery useful to see if the web server is useful to see if the web server is
running as running as rootroot … …
Timing OptionsTiming Options
Option –TOption –Ttimingtiming controls scan controls scanparanoidparanoid serialize scans, 5 min between packetsserialize scans, 5 min between packetssneakysneaky paranoid but 15 sec between packetsparanoid but 15 sec between packetspolitepolite serialize, wait ≥0.4 sec between packetsserialize, wait ≥0.4 sec between packetsnormalnormal default behavior (adaptive)default behavior (adaptive)aggressiveaggressive 5 min timeout per host, wait 5 min timeout per host, wait
<1.25 sec for probe responses<1.25 sec for probe responsesinsaneinsane aggressive with 75 sec timeouts and <0.3 aggressive with 75 sec timeouts and <0.3
sec waitssec waits
