UNIX/LINUX SYSTEM SECURITY ASSESSMENT – Part 1

UNIX systems are attacked more often than Windows systems. There are several reasons for this:
– Open source: because UNIX (especially open-source UNIX-like systems) is open source, more bugs are found in the source code and exploited.
– Availability: there are more GNU/Linux and UNIX boxes connected to the internet.

In this post, we will walk through UNIX/Linux system security assessment.

Checklist
1. IDENTIFY LIVE HOSTS
2. IDENTIFY PORTS AND SERVICES
3. ENUMERATION ATTACK
4. EXAMINE COMMON PROTOCOLS
5. EXAMINING UNIX SYSTEM

1. IDENTIFY LIVE HOSTS
Being able to map the network of the target, both public and private, will provide us with the basic elements to initiate a full attack, and to organize it properly.

Active Scans
For active scans we can use a tool like Nmap to scan a range of IP addresses with different scanning methods. Of course, you may already know one IP address and/or hostname for your target; we can then use host, nslookup and/or dig to find additional hosts in the target’s network.

#nslookup
nslookup -ls: list the DNS domain
Example:

C:\Users>nslookup aloha.com
Server: UnKnown
Address: fe80::1
Non-authoritative answer:
Name: aloha.com
Addresses: 2400:cb00:2048:1::6818:754f
2400:cb00:2048:1::6818:744f
104.24.116.79
104.24.117.79

#dig
dig: get domain information
dig domain A +noall +answer: get all A records (IP addresses)
dig domain MX +noall +answer: get the mail server records
dig domain NS +noall +answer: get the list of name servers

#nmap
nmap range-ip
Options:
-sT: TCP connect scan
-sS: TCP SYN scan
-sU: UDP scan
-A: aggressive scan (OS detection, service detection, default scripts, traceroute)
-sV: service/version detection

Passive Scans

If you are inside your target’s network, on the same switch or hub, you may be able to use the passive scan technique, where no packet is sent to the network: your network adapter, in combination with a good sniffer like ettercap, collects the packets your adapter reads, showing the IP addresses found and optionally OS-fingerprinting them. It uses the “legal” traffic the host sees to make the scan, thus being “passive”.[oissg]

2. IDENTIFY PORTS AND SERVICES

In the first pass, we scan the common ports using the nmap -F switch. If we find, or know for sure, that a service is running, the second pass scans the full port range from 1 to 65535; here we can use nmap -sV to identify the services and their versions.
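From the defender's side, the host discovery of section 1 and the port scans of section 2 leave a recognisable trace in firewall logs: one source address touching many destination hosts, or many destination ports, within seconds. The following Python script is an added example, not code from the original post; it parses constructed iptables LOG-style lines (the format, the year supplied for syslog timestamps, the 10-second window and the thresholds are all assumptions) and reports which sources look like a host sweep or a port scan.

```python
"""Added example (not code from the original post): spot nmap-style host
sweeps and port scans in firewall logs. The log lines are constructed in an
iptables LOG-target style; the window and thresholds are assumed values."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

def parse_line(line, year=2024):
    """Return the fields a scan detector needs, or None for lines it cannot read.
    Syslog timestamps carry no year, so one is supplied (assumed)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}

def scan_suspects(lines, window_s=10, port_threshold=10, host_threshold=5):
    """Per source address, find the largest number of distinct destination
    ports (port scan, section 2) and distinct destination hosts (host sweep,
    section 1) seen inside any window_s-second sliding window."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        max_ports = max_hosts = 0
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it fits inside window_s.
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            max_ports = max(max_ports, len({e["dpt"] for e in window}))
            max_hosts = max(max_hosts, len({e["dst"] for e in window}))
        kinds = []
        if max_ports >= port_threshold:
            kinds.append("port-scan")
        if max_hosts >= host_threshold:
            kinds.append("host-sweep")
        if kinds:
            findings[src] = {"distinct_ports": max_ports,
                             "distinct_hosts": max_hosts, "kinds": kinds}
    return findings

def _log(ts, src, dst, dpt):
    """Build one constructed log line in the format LINE_RE expects."""
    return (f"{ts} gw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
            f"PROTO=TCP SPT=40000 DPT={dpt} SYN")

# Constructed sample (RFC 5737 documentation addresses): a 12-port scan of one
# host within 2 seconds, a sweep of 6 hosts on port 22 within 2 seconds, and a
# benign client hitting one service every 5 minutes.
SAMPLE_LOG = (
    [_log(f"Jan 17 11:20:{i // 4:02d}", "198.51.100.7", "192.0.2.10", p)
     for i, p in enumerate([21, 22, 23, 25, 53, 69, 79, 80, 110, 111, 161, 513])]
    + [_log(f"Jan 17 11:21:{h % 3:02d}", "203.0.113.9", f"192.0.2.{h}", 22)
       for h in range(1, 7)]
    + [_log(f"Jan 17 11:{m:02d}:00", "192.0.2.50", "192.0.2.10", 443)
       for m in range(20, 40, 5)]
)

if __name__ == "__main__":
    for src, info in scan_suspects(SAMPLE_LOG).items():
        print(src, info)
```

The two counters are kept separate on purpose: a slow scan that spreads 65535 ports over hours will not cross the port threshold inside a 10-second window, so the window size is the tuning knob that trades detection of slow scans against false positives from busy legitimate clients.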


3. ENUMERATION ATTACK
Enumeration attacks are used to extract information from an exposed service. For example, from NetBIOS we can get shares, computer names, server names, OS release, etc. From finger, we can get usernames and how long and how often users are active on the system. Below are examples of different types of enumeration.
Expected result:
Usernames, email addresses, login/logout times, plan files, default shell.
Tools: finger, rwho, rusers, …

FINGER
The finger service exposes system user information to any entity on the network. Finger works on port 79 TCP/UDP by default.
It helps an attacker guess user accounts by confirming which usernames exist, and tells them whether a user has new email.
It also helps an attacker guess the operating system.

Usage:
#finger -l @target.com (list users logged in on the host)
#finger -l username@target.com (query one user; username is a placeholder)

RWHO
This is similar to finger, but only works on the local network segment. It is a remote counterpart of the who command: it combines the who information from all systems on the local network that run the rwho server (daemon). It works on UDP port 513.
Command:
#rwho -a user1 user2 user3

Example:
#rwho -a user1 user2 user3
user1 cygnus:pts0 Jan 17 11:20 :12
user3 aquila:ttyp0 Jan 15 09:52 :22
user2 lyra:pts7 Jan 17 13:15 1:32
user1 lyra:pts8 Jan 17 14:15 1:01

4. EXAMINE COMMON PROTOCOLS
We scan the services with nmap:
#nmap -sS -PN -n -sV -sC IP_address
Common protocols to examine:
SNMP
TFTP
FTP
SMTP
HTTP
Telnet
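Finger and rwho (section 3) and the protocols listed here are all legacy services whose main risk to the defender is that they authenticate in cleartext, or not at all, and hand out user and version information to anyone who asks. The Python script below is an added example, not code from the original post or from nmap: it parses a constructed nmap -sV report (host, ports and version strings are made up) and turns every open legacy service into a hardening review item. The risk notes in REVIEW_ITEMS are the editor's summaries, not nmap output.

```python
"""Added example (not code from the original post): review an nmap -sV report
against the protocols this checklist names and list what to harden. The report
text is constructed; the notes in REVIEW_ITEMS are the editor's, not nmap's."""
import re

# One "port/proto state service [version]" line of nmap's normal output.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+))?$"
)

# Service names as nmap prints them (nmap's "who" is rwhod on 513/udp) and
# the exposure each one implies for a defender.
REVIEW_ITEMS = {
    "ftp":    "credentials and data in cleartext; prefer SFTP/FTPS or disable",
    "tftp":   "no authentication at all; restrict to the management network or disable",
    "telnet": "credentials in cleartext; replace with SSH",
    "smtp":   "check relay restrictions and disable VRFY/EXPN user enumeration",
    "http":   "version banner disclosure; review exposed applications and TLS",
    "snmp":   "v1/v2c community strings travel in cleartext; use v3 or restrict by ACL",
    "finger": "exposes usernames and login activity; disable",
    "who":    "rwhod broadcasts who-style user lists on the LAN; disable",
}

def parse_nmap_report(text):
    """Map each scanned host to its port records (all states kept)."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Nmap scan report for (\S+)", line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_LINE.match(line)
        if m and current:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            rec["version"] = (rec["version"] or "").strip()
            hosts[current].append(rec)
    return hosts

def review_report(text):
    """Return one review item per open (or open|filtered) legacy service."""
    findings = []
    for host, ports in parse_nmap_report(text).items():
        for p in ports:
            if "open" not in p["state"]:
                continue
            note = REVIEW_ITEMS.get(p["service"])
            if note:
                findings.append({"host": host, "port": p["port"],
                                 "proto": p["proto"], "service": p["service"],
                                 "version": p["version"], "note": note})
    return sorted(findings, key=lambda f: (f["host"], f["port"]))

# Constructed sample report (RFC 5737 address, invented version strings).
SAMPLE_REPORT = """\
Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).
PORT     STATE         SERVICE  VERSION
21/tcp   open          ftp      vsftpd 3.0.3
22/tcp   open          ssh      OpenSSH 8.9p1 Ubuntu 3
23/tcp   open          telnet   Linux telnetd
25/tcp   open          smtp     Postfix smtpd
79/tcp   open          finger   Linux fingerd
80/tcp   open          http     Apache httpd 2.4.52
443/tcp  closed        https
69/udp   open|filtered tftp
161/udp  open          snmp     SNMPv1 server (public)
513/udp  open|filtered who
"""

if __name__ == "__main__":
    for item in review_report(SAMPLE_REPORT):
        print(f'{item["host"]} {item["port"]}/{item["proto"]} {item["service"]}: {item["note"]}')
```

UDP states are reported as open|filtered when nmap gets no reply, which is the normal case for tftp and rwhod; the filter keeps those because from a hardening point of view a service that may be listening needs the same review as one that certainly is.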

5. EXAMINING UNIX SYSTEM
Remote attacks
– Password attacks
– DoS or DDoS
– RPC attacks
– Stack overflow attacks
– Heap overflow attacks
– Integer overflow attacks
– Format string attacks
– Web server attacks
– Mail server attacks
– X11 insecurities
– NFS share attacks
Local attacks
– Symlink attacks
– File and directory permission attacks
– Race condition attacks
– System call attacks
– Keylogger attacks
– Booting from another operating system
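The symlink and race-condition items in the local list share one root cause: a privileged program checks a path and then opens it as two separate steps, while another local user controls what the path points at in between. The Python code below is an added example, not from the original post; it shows that check-then-create pattern beside a hardened version and runs both against a planted symlink inside a throwaway temporary directory. It assumes a POSIX system, since os.O_NOFOLLOW is not available on Windows.

```python
"""Added example (not from the original post): the check-then-create file
pattern behind the symlink and race-condition items above, beside a hardened
version. Everything happens in a temporary directory; POSIX only (O_NOFOLLOW)."""
import os
import tempfile

def unsafe_create(path, data):
    """Vulnerable pattern: the existence check and the open are two separate
    steps (time-of-check / time-of-use), and open() follows symlinks, so a link
    planted at `path` redirects the write to whatever the link points at."""
    if os.path.exists(path):           # a dangling symlink reports False here
        return False
    with open(path, "w") as f:         # follows the symlink
        f.write(data)
    return True

def safe_create(path, data):
    """Hardened: one atomic open(2). O_EXCL refuses any existing name, symlinks
    included (even dangling ones), O_NOFOLLOW never follows a link, and mode
    0600 keeps other local users out. Raises FileExistsError if `path` exists."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return True

def demonstrate():
    """Plant a dangling symlink at the name the program will create, then try
    both creators on it. Returns what happened so a caller can assert on it."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")   # does not exist yet
        link = os.path.join(d, "app.tmp")
        os.symlink(victim, link)

        # The unsafe version "succeeds" and the write lands in victim.conf.
        unsafe_wrote_through = unsafe_create(link, "data\n") and os.path.isfile(victim)
        os.remove(victim)                           # make the link dangling again

        # The hardened version refuses the link outright.
        try:
            safe_create(link, "data\n")
            safe_refused = False
        except FileExistsError:
            safe_refused = True

        # And still works normally on a name nobody has claimed.
        fresh = os.path.join(d, "fresh.tmp")
        safe_fresh_ok = (safe_create(fresh, "data\n")
                         and (os.stat(fresh).st_mode & 0o777) == 0o600)

        return {"unsafe_wrote_through": unsafe_wrote_through,
                "safe_refused": safe_refused,
                "safe_fresh_ok": safe_fresh_ok}

if __name__ == "__main__":
    print(demonstrate())
```

For genuinely temporary files, tempfile.mkstemp applies the same O_CREAT|O_EXCL discipline with a random name, which is the usual fix; the explicit flags above are the right tool when the file name itself is fixed by the application.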
