UNIX/LINUX SYSTEM SECURITY ASSESSMENT – PART 2 – All things in moderation

UNIX/LINUX SYSTEM SECURITY ASSESSMENT – PART 2

Testing common protocols

We can use nmap to scan ports and identify services on a Unix system.
Command: # nmap -sS -Pn -n -sV -sC IP_address

SNMP

Process:
1. Determine SNMP community strings on the target
2. Get MIB values by SNMPwalking and pilfer for information
3. Compromise the System

1. Determine SNMP community strings on the target
We can do it in several ways:
– Guess Community strings
– Bruteforce community string
– OS scan the device and use default password lists
– Sniffing

2. Get MIB values by SNMPwalking and pilfer for information
– Identify OS (using nmap: # nmap -sS -O ip/domain)
– Identify server uptime
– Identify processes/services (using nmap: # nmap -sS -sV ip/domain)
– Identify users
– Identify shares

3. Compromise the System
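Step 1 above exists because SNMP community strings are so often left at their defaults and exposed to any source address. The following audit of an snmpd.conf is an added example written for this post, not part of the original or of any tool it mentions; it parses `rocommunity`/`rwcommunity` lines and flags the configurations a guessing or default-password step would find first. The sample configuration is constructed.

```python
# Added example (not from the original post): audit snmpd.conf community lines
# for the weaknesses the SNMP assessment steps look for. The configuration text
# below is a constructed sample, not a real host's file.
import re

# Community names that appear in every default-password list.
DEFAULT_COMMUNITIES = {"public", "private", "community", "snmp", "manager"}

SAMPLE_SNMPD_CONF = """\
# constructed sample snmpd.conf
rocommunity public
rwcommunity private
rocommunity  monitor-7Gx2 10.0.5.0/24
rwcommunity  admin-Q9p 10.0.5.10
syslocation  "Server room"
"""

def parse_communities(conf_text):
    """Return (access, community, source) tuples for rocommunity/rwcommunity lines.

    Syntax is: rocommunity COMMUNITY [SOURCE ...]; a missing SOURCE means
    "default", i.e. requests are accepted from any address.
    """
    found = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"^(rocommunity6?|rwcommunity6?)\s+(\S+)(?:\s+(\S+))?", line)
        if m:
            access = "rw" if m.group(1).startswith("rw") else "ro"
            found.append((access, m.group(2), m.group(3) or "default"))
    return found

def audit_communities(conf_text):
    """Return one finding string per weak community configuration."""
    findings = []
    for access, community, source in parse_communities(conf_text):
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{access} community '{community}' is a well-known default")
        elif len(community) < 8:
            findings.append(f"{access} community '{community}' is short and easy to guess")
        if source == "default":
            findings.append(f"{access} community '{community}' accepts requests from any source")
        if access == "rw":
            findings.append(f"community '{community}' grants write access; confirm it is required")
    return findings

if __name__ == "__main__":
    for finding in audit_communities(SAMPLE_SNMPD_CONF):
        print(finding)
```

The two hardened lines in the sample (a non-default name restricted to a source network or host) produce no guessing-related findings; the read-write line is still reported so that write access is justified explicitly rather than inherited from a template.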

Examine Trivial File Transfer Protocol (TFTP)

Process:
– Accessing TFTP Prompt
– Checking status
– Connecting to TFTP Server
– Guessing and grabbing the file

Accessing TFTP Prompt

Checking status
Examples:
tftp> status

Connecting to TFTP Server
Examples:
tftp> connect IP_address

Guessing and grabbing the file
In this step the tester needs to guess the relevant file together with its path. Most of the time files are located in their default locations, so file names are easy to guess.
Examples:
tftp> get /etc/passwd

FTP

Look for weaknesses in the FTP server configuration and then test them:
– Bruteforce password
– ARP Poisoning Attack and Password Sniffing Attack
– The FTP protocol sends the username/password in clear text, so credentials can be captured by sniffing. First, identify the hosts on the network, using nmap or the command: arp -a
Example:
Steps to sniffing packets using ettercap:
– Enable IP forwarding on the attacker’s machine:
Run command: #echo 1 > /proc/sys/net/ipv4/ip_forward
– Run ettercap sniffing packets between client and FTP server:
# ettercap --iface eth4 --text --quiet --mitm arp /ip_client/ /ip_server/
– Tracking traffic to find information when the client logs on
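The ettercap step above works by ARP poisoning: the attacker's MAC address is advertised for the client's and server's IP addresses so that traffic is routed through the attacker's machine. The detector below is an added example written for this post (not part of the original or of ettercap); it shows the signal a network monitor looks for on the defending side, an IP address whose claimed MAC changes, and one MAC claiming several IPs. The ARP reply records are constructed; a real deployment would feed them from a packet capture.

```python
# Added example (not from the original post): flag the ARP cache poisoning the
# ettercap MITM step relies on. Records are (timestamp, sender_ip, sender_mac)
# from ARP replies; the list below is a constructed sample.
from collections import defaultdict

SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    ("10:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),  # FTP server, legitimate
    ("10:00:05", "192.168.1.1", "aa:bb:cc:00:00:01"),
    ("10:00:09", "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by a new MAC
    ("10:00:10", "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC also claims the server
]

def detect_arp_spoofing(replies):
    """Return alert strings for IP->MAC changes and for one MAC claiming multiple IPs.

    A single change can be a legitimate hardware swap; a MAC that takes over
    two unrelated IPs within seconds is the classic poisoning pattern.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ts} {ip} changed from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{ts} {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

On the sample data the first three replies are silent; the fourth raises a change alert for the gateway and the fifth raises both a change alert for the server and a multi-IP alert for the new MAC. Static ARP entries for the gateway and critical servers, and switch-level dynamic ARP inspection, remove the condition this detector watches for.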

HTTP

Discover the Supported Methods
We use netcat with the command:
$ nc domain_name 80
OPTIONS / HTTP/1.1
Host: domain_name

Or use nmap with script http-method NSE:
$ nmap -p 80 (or 443) --script http-methods domain_name

Testing for arbitrary HTTP methods
We use netcat to send a request with each HTTP method in turn and observe how the server responds.

Testing for HEAD access control bypass
Find a page protected by a security constraint, so that a normal GET is redirected (302) to a login page or prompted to log in directly; many web applications behave this way. Send the same request with HEAD instead of GET. If the tester obtains a “200” response that is not the login page, the access control can be bypassed, and with it authentication and authorization.
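The two HTTP checks above, the OPTIONS query and the HEAD-versus-GET comparison, reduce to a few decisions over raw HTTP text. The functions below are an added example written for this post (not part of the original, OWASP, or nmap's http-methods script) and are written as pure functions so they run offline against the constructed sample responses; `build_options_request` produces exactly the request typed into netcat above.

```python
# Added example (not from the original post): the decisions behind the OPTIONS
# and HEAD access-control tests, over raw HTTP/1.1 text. Sample responses are
# constructed; a real run would send build_options_request() over a socket.

# Methods that should normally be disabled on a production web server.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PROPFIND", "MOVE", "COPY", "MKCOL"}
# Status codes a protected resource returns to an unauthenticated GET.
ACCESS_CONTROLLED = {301, 302, 303, 307, 401, 403}

def build_options_request(host, path="/"):
    """Raw request equivalent to the netcat OPTIONS request above."""
    return f"OPTIONS {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"

def parse_status(raw_response):
    """Return the numeric status code from the response status line."""
    status_line = raw_response.split("\r\n", 1)[0]
    return int(status_line.split(" ")[1])

def parse_allow_header(raw_response):
    """Return the set of methods advertised in the Allow header (empty if absent)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            return {m.strip().upper() for m in value.split(",") if m.strip()}
    return set()

def risky_allowed_methods(raw_response):
    """Sorted list of advertised methods that warrant a finding."""
    return sorted(parse_allow_header(raw_response) & RISKY_METHODS)

def head_bypass_suspected(get_response, head_response):
    """True when GET is access-controlled but the same URL answers HEAD with 200."""
    return (parse_status(get_response) in ACCESS_CONTROLLED
            and parse_status(head_response) == 200)

# Constructed sample responses.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, TRACE, PUT\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_GET_PROTECTED = "HTTP/1.1 302 Found\r\nLocation: /login\r\nContent-Length: 0\r\n\r\n"
SAMPLE_HEAD_PROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    print(build_options_request("domain_name"), end="")
    print("risky methods:", risky_allowed_methods(SAMPLE_OPTIONS_RESPONSE))
    print("HEAD bypass suspected:",
          head_bypass_suspected(SAMPLE_GET_PROTECTED, SAMPLE_HEAD_PROTECTED))
```

The Allow header is only what the server advertises, so the netcat probing above remains necessary to confirm what is actually accepted; the HEAD check compares two responses to the same protected URL and is a finding only when GET is refused while HEAD is not.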

References
[1] https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
[2] Information Systems Security Assessment Framework (ISSAF) draft 0.2
