Advanced Unix


Page 1: Advanced Unix

Advanced Unix

Page 2: Advanced Unix

Roses are #FF0000
Violets are #0000FF

All My Base Are Belong To You

Page 3: Advanced Unix

Bastille Linux

http://www.bastille-linux.org

Well, best laid plans oft go awry… Bastille Linux does not work on FC6. It will work on FC5, 4, 3, etc… Prerequisites for Bastille are:

• TK - an open source, cross-platform widget toolkit, that is, a library of basic elements for building a graphical user interface (GUI).

• Curses - a terminal control library for Unix-like systems, enabling the construction of text user interface (TUI) applications.

Page 4: Advanced Unix

Bastille Linux

If TK or Curses are not installed, use the following commands to install them:
• yum install tk
• yum install perl-Curses

To run Bastille, use the following commands:
• GUI Mode: bastille -x
• TUI Mode: bastille -c

Page 5: Advanced Unix

Bastille Linux

If you are running FC6 you'll have to wait a little while before they support it.

In the meanwhile, a quick demo…

Page 6: Advanced Unix

Port Scanners

Port scanners are useful tools. Port scanners are software designed to search a network host or hosts for open ports.

This is often used by administrators to check the security of their systems/networks, and by crackers to detect attack points.

Page 7: Advanced Unix

Port Scanners

There are numerous port scanners available today: Freeware, Shareware and Commercial Off-the-Shelf (COTS).

Many Network/Security Administrators use port scanners to detect unauthorized services running on their network.

Page 8: Advanced Unix

Port Scanners

Nmap ("Network Mapper"): an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks.

Foundstone Vision: Reports all open TCP and UDP ports and maps them to the owning process or application.

Page 9: Advanced Unix

Port Scanners

Foundstone Fport: Identify unknown open ports and their associated applications.

Foundstone Scanline: Formerly FScan. Command line port scanner.

Foundstone SuperScan: Powerful TCP port scanner, pinger, resolver.

…and many, many more…

Page 10: Advanced Unix

nmap

Version 3.70 (should be installed on your class hard drive)

Written by Fyodor: [email protected]
http://www.insecure.org/nmap/

To install on your FC6 system:

• yum install nmap

Go ahead and do this now if you haven't already…

Page 11: Advanced Unix

Types of Scans

TCP scan - simple scan to detect open ports (aka listeners)

ACK scan - can find packets allowed through a stateless packet filter.

FIN scan - can determine if ports are open/closed, even if SYN packets are filtered.

Protocol scan - determines what IP level protocols (TCP, UDP, GRE, etc.) are enabled.

Proxy scan - a proxy (SOCKS or HTTP) is used to perform the scan. The target will see the proxy's IP address as the source. This can also be done using some FTP servers.

Idle scan - another method of scanning without revealing your IP address, taking advantage of the predictable ipid flaw.

ICMP scan - determines if a host responds to ICMP requests, such as echo (ping), netmask, etc.

Page 12: Advanced Unix

Types of Scans

TCP connect
TCP SYN (a.k.a. half-open)
TCP FIN (a.k.a. stealth)
TCP SYN/FIN using IP fragments
TCP ftp proxy (a.k.a. bounce attack)
UDP raw ICMP port unreachable
RPC scan
ACK/WIN scan
Ping scan

Page 13: Advanced Unix

TCP connect

Goal: find open TCP ports; option -sT
Open a connection to port p on the target
If it succeeds, something is listening on that port
Repeat for desired values of p

Advantages:
• fast; can do many ports in parallel
• no special privileges needed

Disadvantages:
• easy to detect and block (filter)

Page 14: Advanced Unix

Example
# nmap -sT zonker

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 15:01 PDT

Interesting ports on zonker.wal (10.1.2.3):
(The 1653 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
111/tcp open rpcbind
513/tcp open login
514/tcp open shell
759/tcp open con
873/tcp open rsync
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 1.733 seconds
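The output above is the classic "Port State Service" layout. As an added example (not from the slides and not part of nmap), here is a small parser for that layout that flags the services a Bastille-style hardening pass would normally disable or replace; the RISKY_SERVICES list and the sample text (a constructed copy of the -sT result above) are my own.

```python
"""Parse classic nmap "Port State Service" output and flag services worth
hardening. Added example, not part of the slides or of nmap itself.
"""
import re

# Services from the slide output that host hardening usually disables or
# replaces: cleartext logins and the r-services (constructed list).
RISKY_SERVICES = {
    "ftp": "cleartext credentials; prefer sftp/scp",
    "telnet": "cleartext login; prefer ssh",
    "login": "rlogin (513/tcp); host-based trust, cleartext",
    "shell": "rsh (514/tcp); host-based trust, cleartext",
    "X11": "X server listening on the network; use ssh -X instead",
}

# Matches "21/tcp open ftp" or "68/udp open|filtered dhcpclient".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(text):
    """Return a list of (port, proto, state, service) tuples."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service = m.groups()
            results.append((int(port), proto, state, service))
    return results


def risky_open_ports(text):
    """Ports whose service is in RISKY_SERVICES and whose state is open
    (or open|filtered, which FIN and UDP scans report)."""
    return [
        (port, proto, service, RISKY_SERVICES[service])
        for port, proto, state, service in parse_ports(text)
        if service in RISKY_SERVICES and state.startswith("open")
    ]


# Constructed copy of the slide's "nmap -sT zonker" result.
SAMPLE_OUTPUT = """\
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 15:01 PDT
Interesting ports on zonker.wal (10.1.2.3):
(The 1653 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
111/tcp open rpcbind
513/tcp open login
514/tcp open shell
759/tcp open con
873/tcp open rsync
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 1.733 seconds
"""

if __name__ == "__main__":
    for port, proto, service, why in risky_open_ports(SAMPLE_OUTPUT):
        print(f"{port}/{proto} {service}: {why}")
```

The same parser reads the -sS, -sF, -sU and -sR outputs on the later slides, since they use the same line layout.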

Page 15: Advanced Unix

TCP SYN (a.k.a. half-open)

Goal: find open TCP ports; option -sS
Craft and send a SYN to port p on target
ACK: someone listening; RST: no-one listening
Send RST to tear down (incipient) connection
Repeat for desired values of p

Advantages:
• many sites don't log this

Disadvantages:
• need root to craft the initial SYN

Page 16: Advanced Unix

Example
# nmap -sS zonker

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 14:58 PDT

Interesting ports on zonker.wal (10.1.2.3):
(The 1653 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
111/tcp open rpcbind
513/tcp open login
514/tcp open shell
759/tcp open con
873/tcp open rsync
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 2.100 seconds

Page 17: Advanced Unix

TCP FIN (a.k.a. stealth)

Goal: find open TCP ports; option -sF
Send FIN to port p on target
If RST, port closed; if nothing, port open
Repeat for desired values of p

Advantages:
• even fewer log this

Disadvantages:
• some systems always send RSTs (e.g., IRIX, Windows)

Page 18: Advanced Unix

Example
# nmap -sF zonker

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 15:04 PDT

Interesting ports on zonker.wal (10.1.2.3):
(The 1653 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open|filtered ftp
22/tcp open|filtered ssh
23/tcp open|filtered telnet
25/tcp open|filtered smtp
111/tcp open|filtered rpcbind
513/tcp open|filtered login
514/tcp open|filtered shell
759/tcp open|filtered con
873/tcp open|filtered rsync
6000/tcp open|filtered X11

Nmap run completed -- 1 IP address (1 host up) scanned in 4.228 seconds

Page 19: Advanced Unix

Variants

Option -sX
• Christmas tree packet (FIN, URG, PUSH flags)

Option -sN
• Null packet (all flags turned off)

Same expected result as for -sF
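The SYN, FIN, Xmas and Null probes above are each defined by one flag combination, which is what makes them easy to recognise on the receiving side. As an added example (my own detection logic, not from the slides or from any IDS), the classifier below maps a TCP flags byte to the probe type and counts distinct destination ports per source; the packet records are constructed sample data, not a capture.

```python
"""Classify TCP probes by flag combination and flag likely port sweeps.

Added example, not from the slides. Applies the flag descriptions on the
slides (SYN-only, FIN-only, Xmas = FIN+URG+PSH, Null = no flags, ACK-only)
to (src_ip, dst_port, flags) records and reports sources that hit many
distinct ports with the same probe type.
"""
from collections import defaultdict
from typing import Optional

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations the slides describe, mapped to the nmap option that
# produces them. Anything else is treated as ordinary traffic.
PROBE_TYPES = {
    SYN: "syn (-sS/-sT)",
    FIN: "fin (-sF)",
    FIN | URG | PSH: "xmas (-sX)",
    0: "null (-sN)",
    ACK: "ack (-sA)",
}


def classify(flags: int) -> Optional[str]:
    """Return the probe type for a flags byte, or None for normal traffic."""
    # Mask to the six classic flags so ECN bits do not hide a match.
    return PROBE_TYPES.get(flags & 0x3F)


def detect_scans(packets, min_ports=5):
    """packets: iterable of (src_ip, dst_port, flags).

    Returns {(src_ip, probe_type): sorted distinct ports} for sources that
    probed at least min_ports distinct ports with the same probe type.
    Counting inbound probes works even on hosts that answer every FIN/Xmas/
    Null probe with a RST, where the scan itself learns nothing.
    """
    seen = defaultdict(set)
    for src, dport, flags in packets:
        kind = classify(flags)
        if kind is not None:
            seen[(src, kind)].add(dport)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}


# Constructed sample: one host sweeping with FIN-only probes, another
# sending Xmas probes to a few ports, plus ordinary traffic to port 80.
SAMPLE_PACKETS = (
    [("10.1.2.50", p, FIN) for p in (21, 22, 23, 25, 111, 513, 514)]
    + [("10.1.2.51", p, FIN | URG | PSH) for p in (22, 80, 443)]
    + [("10.1.2.52", 80, SYN)] * 20
    + [("10.1.2.52", 80, ACK)] * 20
)

if __name__ == "__main__":
    for (src, kind), ports in detect_scans(SAMPLE_PACKETS).items():
        print(f"{src}: {kind} probes to {len(ports)} ports {ports}")
```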

Page 20: Advanced Unix

TCP SYN/FIN Using IP Fragments

Goal: find open TCP ports; option -f (modifies -sF, -sX, -sN, -sS)
Split the header up over several packets

Advantages:
• makes it harder for packet filters to detect probe

Disadvantages:
• can cause monitoring tools to crash
• high overhead on networks

Page 21: Advanced Unix

TCP FTP Proxy (a.k.a. Bounce Attack)

Goal: find open TCP ports; option -b user:password@serverhost:port
Connect to serverhost using user with password
Set up proxy to port p on target (use PORT)
Send over an ls of current directory
• if no-one's there, ftp server returns 425 message
• if someone listening, ftp server returns 150 message
Repeat for desired values of p

This hides who is doing the probing

Page 22: Advanced Unix

Example
# nmap -b anonymous:[email protected] zonker.wal

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 so we don't try and ping them prior to the scan
Interesting ports on zonker.wal (10.1.2.3):
(The 1591 ports scanned but not shown below are in state: closed)
Port State Service
20/tcp open ftp-data
21/tcp open ftp
22/tcp open ssh
24/tcp open priv-mail
25/tcp open smtp
80/tcp open http
111/tcp open sunrpc
515/tcp open printer
1023/tcp open unknown
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 37 seconds

(Slide note: if ICMP echoes are blocked, give -P0 to prevent the check for the host being up.)

Page 23: Advanced Unix

UDP Raw ICMP Port Unreachable

Goal: find UDP ports with listeners; option -sU
Send 0 byte UDP packet to port p on target
Wait for ICMP port unreachable message
• if you get it, no-one's listening
• if you don't, someone is
Repeat for desired values of p

Disadvantage:
• usually slow due to ICMP error rate limits

Page 24: Advanced Unix

Example
# nmap -sU zonker.wal

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 15:57 PDT

Interesting ports on zonker.wal (10.1.2.3):
(The 1467 ports scanned but not shown below are in state: closed)
Port State Service
68/udp open|filtered dhcpclient
111/udp open|filtered rpcbind
123/udp open|filtered ntp
513/udp open|filtered who
631/udp open|filtered unknown
800/udp open|filtered mdbs_daemon
866/udp open|filtered unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 1492.935 seconds

Page 25: Advanced Unix

RPC Scan

Goal: find ports with RPC services; option -sR (use with -sT, -sU)
If port p on target is open, send RPC NULL command
• goal is to determine if p is an RPC port; if so, what program and version number is served there

Page 26: Advanced Unix

Example
# nmap -sT -sR zonker.wal

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 16:57 PDT

Interesting ports on zonker.wal (10.1.2.3):
(The 1654 ports scanned but not shown below are in state: closed)
Port State Service (RPC)
21/tcp open ftp
22/tcp open ssh
24/tcp open priv-mail
25/tcp open smtp
80/tcp open http
111/tcp open sunrpc (rpcbind V2)
515/tcp open printer
1023/tcp open (nfs V2)
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 1.962 seconds

Page 27: Advanced Unix

ACK/WIN scan

Goal: see if intervening firewall is packet filter or stateful; option -sA
Send ACK to port p on target
Response RST: unfiltered, can get through it
Response ICMP unreachable, or nothing: filtered, probably dropped

Page 28: Advanced Unix

Ping Scan

Goal: see which hosts are up; option -sP

Send ICMP echo to all IP addresses on network

Send ACK packet to port 80
• RST back means it's up

Send SYN packet, wait for RST or SYN/ACK

Default is first two in parallel

Page 29: Advanced Unix

Example
# nmap -sP 10.1.2.1-127

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-06-22 16:57 PDT

Host joanie.wal (10.1.2.1) appears to be up.

…

Host mike.wal (10.1.2.125) appears to be up.

Nmap run completed -- 127 IP addresses (48 hosts up) scanned in 4 seconds

Page 30: Advanced Unix

Targets

hostname
IP address
* is wildcard
/mask

Example: a class C network is:

10.1.2.*

10.1.2.0-255

10.1.2.0/24

Page 31: Advanced Unix

Other Interesting Options

-O guess the OS type
• Indicates how hard guessing was

-g p source port is p
• Sometimes setting this to 53 (DNS) gets you through when others won't

-r do not randomize order of ports scanned

-p p limit scans to ports in given range
• Example: -p 1-10,30-60,345,60000-
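The target slide gives three spellings of the same class C network (10.1.2.*, 10.1.2.0-255, 10.1.2.0/24) and the -p option takes a comma list of ranges with an open end (60000- runs to 65535). As an added example (my own code, not nmap's parser), the two functions below expand both notations so the equivalences can be checked; the specs fed in are the ones on the slides.

```python
"""Expand nmap-style target and port specifications.

Added example, not nmap's own parser. Targets: dotted quads where each
octet may be a number, '*' or 'lo-hi', or a CIDR block. Ports: a comma
list of numbers and 'lo-hi' ranges; a missing lo means 1, a missing hi
means 65535.
"""
import ipaddress
from itertools import product


def expand_targets(spec):
    """Return the IPv4 addresses (as strings) covered by one target spec."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return [str(a) for a in net]
    octets = []
    for part in spec.split("."):
        if part == "*":
            octets.append(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            octets.append(range(int(lo), int(hi) + 1))
        else:
            octets.append([int(part)])
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {spec!r}")
    for o in octets:
        if len(o) == 0 or o[0] < 0 or o[-1] > 255:
            raise ValueError(f"octet out of range in {spec!r}")
    return [".".join(map(str, q)) for q in product(*octets)]


def expand_ports(spec, max_port=65535):
    """Return the sorted, de-duplicated ports named by a -p style list."""
    ports = set()
    for item in spec.split(","):
        if "-" in item:
            lo, hi = item.split("-", 1)
            lo = int(lo) if lo else 1
            hi = int(hi) if hi else max_port
        else:
            lo = hi = int(item)
        if not 1 <= lo <= hi <= max_port:
            raise ValueError(f"bad port range {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


if __name__ == "__main__":
    # The three class C spellings from the slide expand identically.
    for s in ("10.1.2.*", "10.1.2.0-255", "10.1.2.0/24"):
        print(s, len(expand_targets(s)))
    print(len(expand_ports("1-10,30-60,345,60000-")))
```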

Page 32: Advanced Unix

A Couple More …

-L f targets come from file f

-I get login name of user running server
• remote system must honor ident protocol
• if they send back a crypto hash, you know nothing more
• very useful to see if the web server is running as root …

Page 33: Advanced Unix

Timing Options

Option -T timing controls scan

paranoid    serialize scans, 5 min between packets
sneaky      paranoid but 15 sec between packets
polite      serialize, wait ≥0.4 sec between packets
normal      default behavior (adaptive)
aggressive  5 min timeout per host, wait <1.25 sec for probe responses
insane      aggressive with 75 sec timeouts and <0.3 sec waits