Picking the Right Platform

Apply Your Knowledge

You have seen how useful automated assessment tools can be and how Linux is a good platform for performing security tests. Therefore, this Apply Your Knowledge will have you examine some automated assessment tools and one of the best online exploit databases.

Exercises

5.1. Exploring the SecurityForest.com Website

SecurityForest.com is a collaboratively edited site, organized as a Forest of Trees that anyone can contribute to. Each tree is laid out in an ordered fashion: the Tool Tree lists the tools that are useful at each step of a penetration test, and the Exploit Tree lists exploits by the specific networks, systems, and applications they target.

Estimated Time: 10 minutes.

  1. Open your browser and go to www.securityforest.com.
  2. You will notice on the left of the screen that several trees are listed.
  3. Click on the Exploit Tree online interface.
  4. This page will have links for applications, systems, and networks. Click on the applications link.
  5. On this page, you will see links for all the applications that have been listed in the database. Find the link for web servers and click on the link for the IIS application.
  6. Under IIS, locate the jill-win32.c exploit code. After you find the code, you can view it by clicking on the view button. If you have identified an IIS 5.0 server susceptible to the IPP (.printer ISAPI extension) buffer overflow, this tool could be compiled and executed to take advantage of that vulnerability.
  7. Continue to explore the SecurityForest website. If you return to the main page, you will see that there is also a database of tools under the tool tree link that lists all tools by category.
  8. Finally, click on the Exploitation Framework link. The Exploitation Framework is similar to the Metasploit database, except that it leverages the huge amount of exploits in the exploit tree. A movie is available that demonstrates the tool at http://www.securityforest.com/wiki/index.php/Exploitation_Framework_Screenshots page. The actual browser-based Windows tool can be downloaded from www.securityforest.com/wiki/index.php/Exploitation_Framework_Download.

5.2. Running the Nessus Server

In this exercise, you will run the Nessus server and look at some of its settings.

Estimated Time: 30 minutes.

  1. Boot up Knoppix STD. The install files can be found on the enclosed CD or can be downloaded from www.knoppix-std.org.
  2. Open a terminal window and make sure that you are running as root. If not, type su.
  3. Add a user to the Nessus server by typing nessus-adduser at the prompt. (Linux commands are case sensitive, so the command must be entered in lowercase.)
  4. Update the Nessus plugin set before you scan, so that the checks reflect current vulnerabilities. You will need to register to get updates, and updates are seven days behind for non-paying customers. If you installed Nessus with the Windows setup program instead, its Get Updates Setup Files page offers the same download: select Yes, download the updated Setup files (Recommended), and then click Next.
  5. Start the Nessus server daemon by typing /etc/init.d/nessusd start.
  6. Once the daemon is started, type nessus at the command line to start the Nessus client. When you are prompted to log in to Nessus, enter the username and password you created in step 3.
  7. Click OK on the warning page about dangerous plugins. This message states that some plugins can cause servers to crash or hang. If you were to run this tool on a production network, this is something you would want to discuss with management before deciding how to proceed.
  8. Browse through the parameters available on each tab: Plugins, Prefs, Scan Options, Target Selection, and User.
  9. On the Target Selection tab, enter the target device you would like to scan. Make sure that this is a system you have written permission to scan. Start the assessment by clicking Start the Scan.
  10. After the scan is finished, review the results. Had this been an actual test, this information would be added to your test report.
  11. The next step of a real assessment would be to patch, harden, and update the systems that were found to be vulnerable.

Exam Prep Questions

1.

How can a Linux user list what processes are running if he suspects something has been loaded that is not approved?

A. netstat

B. ls

C. echo

D. ps

2.

You have been hired by Bob's Burgers to scan its network for vulnerabilities. They would like you to perform a system-level scan. Which of the following programs should you use?

A. Flawfinder

B. N-Stealth

C. SARA

D. Whisker

3.

You have been able to get a terminal window open on a remote Linux host. You now need to use a command line web browser to download a privilege escalation tool. Which of the following will work?

A. TFTP

B. Lynx

C. Explorer

D. Firefox

4.

While hacking away at your roommate's Linux computer, you accessed his passwd file. Here is what you found.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:

Where is the root password?

A. No password has been set.

B. The password has been shadowed.

C. The password is not visible because you are not logged in as root.

D. The password is not in this file; it is in the SAM.

5.

Which of the following will allow you to set the user to full access, the group to read-only, and all others to no access?

A. chmod 777

B. chroot 777

C. chmod 740

D. chroot 740

6.

Your team lead has asked you to make absolute changes to a file's permissions. Which of the following would be correct?

A. chroot a+rwx

B. chmod a+rwx

C. chroot 320

D. chmod 320

7.

Which of the following is not a valid Linux user group?

A. System users

B. Super users

C. Guests

D. Normal users

8.

You have been exploring the files and directory structure of the new Linux server. What are the entries of the /etc/hosts file made up of?

A. The IP address, the mask, and the deny or allow statement.

B. The IP address and status of approved or denied addresses.

C. The IP address, the subnet mask, and the default gateway.

D. The IP address, the hostname, and any alias.

9.

At the prompt of your Linux server, you enter cat /etc/passwd. In the following output line, what is the function of 100?

chubs:2cX1eDm8cFiJYc:500:100:chubs Lex:/home/chubs:/bin/bash

A. The User ID

B. The 100th user created

C. The Group ID

D. A binary value

10.

Where will an attacker find the system password file in a Linux machine that is restricted to root and contains encrypted passwords?

A. /etc/hosts

B. /etc/shadow

C. /etc/passwd

D. /etc/inetd.conf

11.

Most modern versions of Linux use which of the following password encryption standards by default?

A. MD5

B. DES

C. AES

D. Diffie Hellman

12.

Which of the following is an LKM rootkit?

A. Flea

B. T0rm

C. Adore

D. Chkroot

13.

How can Tripwire help prevent against Trojan horses and rootkits?

A. It helps you catch changes to system utilities.

B. It hardens applications against attack.

C. It scans application source code and finds potential buffer overflows.

D. It builds a jail that only gives hackers access to a few predefined folders.

14.

Which of the following will allow you to set the user to full access, the group to read and write access, and all others to read access?

A. chmod 746

B. chroot 644

C. chmod 764

D. chroot 746

15.

Which of the following programs can be used to build a jail around a program, such as FTP, to prevent hackers from gaining access to unauthorized folders and files?

A. Tripwire

B. Chmod

C. Loadable kernel modules

D. Chrooting

Answers to Exam Questions

A1:

1. D. The ps command gives a snapshot of the currently running processes, including ps itself. Answer A is incorrect because netstat is a command-line tool that displays a list of the active connections a computer currently has. Answer B is incorrect as ls only provides a directory listing. Answer C is incorrect, as echo displays entered characters on the screen.

A2:

2. C. SARA is a system level scanner that can scan various ports and attempt to verify what is running on each and what vulnerabilities are present. Answer A is incorrect, as Flawfinder is a source code scanner. Answers B and D are incorrect because both N-Stealth and Whisker are web application scanners and do not perform system level scans.

A3:

3. B. Lynx is a basic browser that can be used to pull down the needed code. Answer A is incorrect because TFTP is not used for web browsing. Answer C is incorrect, as Explorer is a Windows-based web browser. Answer D is incorrect, as Firefox is a GUI tool.

A4:

4. B. The password has been shadowed. You can determine this because there is an x in the second field, which means the hash is stored in /etc/shadow rather than in passwd. Answer A is incorrect, as a password has been set; it simply is not stored here. Answer C is incorrect because the password is not stored in the passwd file at all; whether you can read the hash in /etc/shadow does depend on whether you are root, but that is not why it is absent from passwd. Answer D is incorrect, as the SAM is only used in Windows. There is no SAM file in Linux.

A5:

5. C. The command for file and folder permissions is chmod, and the proper setting would be 740. Answer A is incorrect, as a setting of 777 would give read, write, and execute rights to the owner, group, and all others. Answers B and D are incorrect because chroot is not used for file permissions.

A6:

6. D. Absolute mode requires the use of octal values, such as chmod 320. Answers A and C are incorrect because chroot is not used to set file permissions. Answer B is incorrect because, although chmod a+rwx is a valid command, it is written in symbolic form rather than absolute form.

A7:

7. C. The three valid groups in Red Hat Linux include super users, system users, and normal users. Therefore, answers A, B, and D are incorrect. Guest is a default group found in the Windows environment.

A8:

8. D. The /etc/hosts file stores IP addresses, the hostname for each, and any aliases, and is used for hostname to IP address resolution. Answers A, B, and C are incorrect, as subnet masks, default gateways, and allow or deny statements are not found there.

A9:

9. C. The structure of each passwd entry is as follows: Account Name:Password:UID:GID:User Information:Home Directory:Login Shell. In this case, 100 is the fourth field, the GID. Answers A, B, and D are therefore incorrect, as they do not specify the correct field.

A10:

10. B. The shadow file is readable only by root, which prevents hackers and ordinary users from viewing the hashed passwords. Answer A is incorrect because the hosts file is used for name resolution. Answer C is incorrect, as the passwd file is world-readable and, on a shadowed system, contains no password hashes. Answer D is incorrect, as inetd.conf is the configuration file for the inetd superserver and is not related to passwords.
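Questions 4, 9, and 10 all turn on reading the colon-separated fields of a passwd entry. The following added example (not from the original text) parses passwd-style records, classifies the second field the way question 4 asks, and runs the checks an auditor or attacker would apply to the file: accounts other than root with UID 0, empty password fields, and hashes left in the world-readable passwd file instead of /etc/shadow. The sample records are constructed for illustration; the hash value is the one shown in question 9 and is not a real credential.

```python
"""Parse /etc/passwd-style records and flag what an auditor (or attacker) looks for.

Added example. SAMPLE_PASSWD below is constructed for illustration and does not
come from any real system.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample: a shadowed root, a legacy hash stored directly in passwd,
# an empty password field, and a second UID-0 account (a classic backdoor).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
chubs:2cX1eDm8cFiJYc:500:100:chubs Lex:/home/chubs:/bin/bash
guest::501:100:Guest:/home/guest:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
"""


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str      # "User Information" field
    home: str
    shell: str

    @property
    def password_status(self) -> str:
        """Classify the second field: shadowed, empty, locked, or a hash in passwd."""
        if self.password == "x":
            return "shadowed"          # the real hash lives in /etc/shadow
        if self.password == "":
            return "empty"             # login possible with no password at all
        if self.password.startswith(("!", "*")):
            return "locked"            # account disabled for password login
        return "hash-in-passwd"        # world-readable hash, crackable offline


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split each record into its seven fields; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(
                f"line {lineno}: expected 7 colon-separated fields, got {len(parts)}")
        name, password, uid, gid, gecos, home, shell = parts
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(entries: List[PasswdEntry]) -> List[str]:
    """Return findings: extra UID-0 accounts, empty passwords, unshadowed hashes."""
    findings = []
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 account other than root (possible backdoor)")
        status = e.password_status
        if status == "empty":
            findings.append(f"{e.name}: empty password field")
        elif status == "hash-in-passwd":
            findings.append(f"{e.name}: password hash stored in passwd, not shadowed")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(finding)
```

Run against a real file with `parse_passwd(open("/etc/passwd").read())`; the parser deliberately raises on a record with the wrong number of fields, which is exactly what the misprinted line in question 9 (home directory and shell run together) would trigger.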

A11:

11. A. Most versions of Linux, such as Red Hat, use MD5-based password hashing by default (more recent distributions have since moved to SHA-256 or SHA-512 crypt). If you choose not to use MD5, you can choose traditional DES crypt, although it uses only the first eight characters of the password. Therefore, answer B is incorrect. Answers C and D are incorrect because Linux does not use AES or Diffie-Hellman for password hashing.

A12:

12. C. Adore is a loadable kernel module (LKM) rootkit. A loadable kernel module runs in kernel space but can be loaded after the system is running, which lets the rootkit hide processes, files, and connections from user-space tools such as ps and netstat. Answers A and B are incorrect because Flea and T0rm are not LKM rootkits. Answer D is incorrect, as Chkroot is a rootkit detector.

A13:

13. A. Tripwire keeps a database of the cryptographic hashes and inode attributes (size, permissions, owner, timestamps) of the files you tell it to watch. On each check it recomputes those values and flags any file whose recorded attributes have changed, which catches a replaced ls, ps, or netstat before the rootkit's own tools can hide it. A byte count alone is not sufficient, since a trojaned binary can be padded to the original length. Answers B, C, and D are incorrect, as Tripwire does not harden applications, it does not scan source code, and it does not build a jail that limits the access of attackers.
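To make the Tripwire answer concrete, here is an added example (not Tripwire's code, and not from the original text) of the baseline-and-verify technique it implements: record a SHA-256 hash and inode attributes for every file under a directory, then compare a later snapshot and report changed, added, and removed files. The demo stages a fake system tree in a temporary directory, replaces a utility with a same-length trojan, and drops an extra library, so it also shows why a size-only check would miss the replacement. File names and contents in the demo are constructed.

```python
"""Minimal Tripwire-style file integrity baseline and verification.

Added example. Baselines a cryptographic hash plus the inode attributes an
attacker disturbs when replacing a system utility, then reports differences.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List


def fingerprint(path: str) -> Dict[str, object]:
    """Hash the file contents and record the attributes worth watching."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "mtime": int(st.st_mtime),
    }


def build_baseline(root: str) -> Dict[str, Dict[str, object]]:
    """Walk `root` and fingerprint every regular file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def verify(root: str, baseline: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Compare the current tree with `baseline`.

    Returns 'changed' (relpath -> names of attributes that differ),
    'added' and 'removed' (sorted relative paths)."""
    current = build_baseline(root)
    changed: Dict[str, List[str]] = {}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            continue                      # reported under 'removed'
        diffs = [k for k in old if old[k] != new[k]]
        if diffs:
            changed[rel] = diffs
    return {
        "changed": changed,
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> Dict[str, object]:
    """Stage a constructed tree, baseline it, trojan one utility, add a file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        ls = os.path.join(root, "bin", "ls")
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\necho legit\n")
        base = build_baseline(root)
        # Same-length replacement: a byte-count check alone would miss this.
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\necho pwned\n")
        os.makedirs(os.path.join(root, "lib"))
        with open(os.path.join(root, "lib", "evil.so"), "wb") as f:
            f.write(b"\x7fELF")          # constructed placeholder content
        return verify(root, base)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be stored where the monitored host cannot alter it (read-only media or a remote system), and the integrity checker itself must be trusted, or an attacker who gains root simply updates the database along with the binaries.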

A14:

14. C. The command for file and folder permissions is chmod, and the proper setting would be 764. Answer A is incorrect because a setting of 746 would give read, write, and execute rights to the owner, read to the group, and read and write to all others. Answers B and D are incorrect, as chroot is not used for file permissions.
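Questions 5, 6, and 14 all hinge on the difference between chmod's absolute (octal) and symbolic forms. The following added example (not from the original text) computes both forms in pure Python without touching the filesystem: it renders an octal mode as the nine-character rwx string ls -l shows, and applies symbolic clauses such as a+rwx or u=rw,go=r to an existing mode. One simplification, noted in the code: real chmod consults the umask when a symbolic clause names no user class; this example treats that case as "all".

```python
"""Absolute (octal) versus symbolic chmod modes, computed without touching files.

Added example. Uses the standard rwx bit layout for owner, group and other.
"""
import re
import stat

WHO_BITS = {
    "u": stat.S_IRWXU,  # 0o700
    "g": stat.S_IRWXG,  # 0o070
    "o": stat.S_IRWXO,  # 0o007
}
PERM_BITS = {
    "r": stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH,  # 0o444
    "w": stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH,  # 0o222
    "x": stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH,  # 0o111
}
_CLAUSE = re.compile(r"^([ugoa]*)([+\-=])([rwx]*)$")


def absolute(spec: str) -> int:
    """Parse an absolute-mode argument as chmod does: '740' -> 0o740."""
    if not re.fullmatch(r"[0-7]{3,4}", spec):
        raise ValueError(f"not an absolute octal mode: {spec!r}")
    return int(spec, 8) & 0o777


def mode_to_string(mode: int) -> str:
    """0o740 -> 'rwxr-----', the nine-character form shown by ls -l."""
    out = []
    for who in ("u", "g", "o"):
        for perm in ("r", "w", "x"):
            out.append(perm if mode & WHO_BITS[who] & PERM_BITS[perm] else "-")
    return "".join(out)


def apply_symbolic(mode: int, spec: str) -> int:
    """Apply a symbolic chmod spec ('a+rwx', 'u=rw,go-w', ...) to `mode`.

    Simplification: a clause with no user class is treated as 'a'; real chmod
    would also mask those bits with the umask."""
    mode &= 0o777
    for clause in spec.split(","):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"bad symbolic clause: {clause!r}")
        who, op, perms = m.groups()
        if who == "" or "a" in who:
            who = "ugo"
        who_mask = 0
        for w in who:
            who_mask |= WHO_BITS[w]
        perm_mask = 0
        for p in perms:
            perm_mask |= PERM_BITS[p]
        bits = who_mask & perm_mask
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                       # '=' replaces the selected classes outright
            mode = (mode & ~who_mask) | bits
    return mode


if __name__ == "__main__":
    print("740 ->", mode_to_string(absolute("740")))             # question 5
    print("764 ->", mode_to_string(absolute("764")))             # question 14
    print("644 a+rwx ->", mode_to_string(apply_symbolic(0o644, "a+rwx")))  # question 6
```

The same functions make the wrong answers easy to inspect: mode_to_string(absolute("746")) shows why 746 hands write access to everyone else, the mistake answer A in question 14 describes.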

A15:

15. D. Chrooting is one of the hardening procedures that can be performed on a Linux system. It changes the apparent root directory of a process, so that even if an attacker compromises the jailed program (for example, through a zero-day flaw in an FTP daemon), the attacker is confined to a specific directory tree. Note that a process that keeps root privileges inside the jail can usually break out of it, so a chrooted service should also drop privileges. Answer A is incorrect, as Tripwire is used to verify that no changes have occurred to files and folders without your knowledge. Answer B, chmod, is incorrect because it is used to set file and folder permissions. Answer C is incorrect because loadable kernel modules are used by rootkits.

Suggested Reading and Resources

www.frozentech.com/content/livecd.php (Bootable Linux distribution list)

www.antiserver.it/Backdoor-Rootkit (Rootkit downloads)

www.chkrootkit.org (Chkrootkit website)

www.rootkit.nl (Rootkit Hunter website)

www.nsa.gov/snac (NSA hardening guidelines)

www.nessus.org (Nessus website)

www.saintcorporation.com (SAINT website)

www.iss.net (ISS Internet Scanner website)

www.symantec.com (NetRecon)

www.eeye.com (Retina security scanner)

www.arc.com (SARA security scanner)

www.bindview.com (VLAD security scanner)

www.metasploit.com (Metasploit Framework)

www.immunitysec.com/products-canvas.shtml (Canvas)

www.coresecurity.com (Core IMPACT)
