CEH - 5: Linux & Automated assessment tools


1. Whisker 2. N-stealth 3. Webinspect 4. Nikto 5. AppDetective

Application Level Scanners Purpose - look at vulnerabilities in running programs. Name five tools?

Four automated exploit tools: 1 - Metasploit 2 - Browser Exploitation Framework 3 - CANVAS 4 - Core IMPACT

Automated Exploit Tools (e.g. use under potential of going to jail) * combines scanning, assessing, reporting and exploiting vulnerability functions in one tool Name four (4) Examples?

cat = man = chmod = change permissions cp=copy; mv= move; rm=delete passwd=change password pwd = current directory ps=process id

Explain the unix commands: 1. cat, man, cd, chmod, 2. cp, mv, rm, rm -r, ls 3. history; ifconfig 4. passwd, pwd 5. ps, kill 6. useradd <username>; su <username>

Automated Assessment Tool Categories: 1. Source code scanners 2. Application Scanners 3. System Scanners

Automated Assessment Tools can be divided into three categories; which are?

(blank)

Hacking Linux cont - Gaining access (remote attacks) - exploit a process or program - exploit a TCP/UDP listening service - exploit vulnerabilities in a system providing routing or security services - exploit the user - local attacks Privilege escalation - usually a local attack is used - objective-gain full control over app/sys

(blank)

Hacking Linux cont - 1. Reconnaissance = active/passive gathering 2. Scanning = find open ports and apps (e.g. 21(ftp); 27 (time); 79 (finger)...) 3. Enumeration =? Banner grabbing Finger - recover the name associated with an email address SMTP - vrfy and expn command - to guess users on the system Rwho and rusers - info about various users on system

MD5sum & Tripwire - detection tools for modified binaries (ipconfig and netstat - for example) Example rootkits: Flea; T0rm; Adorm; TDSS/Alureon Rootkit detection tools: - Chkrootkit - McAfee Rootkit Detective - TrendMicro RootkitBuster

Hacking Linux cont- * Traditional rootkits replace binaries, such as ipconfig and netstat with trojaned versions (easy to detect) - what are the detection tools for this? * Rootkits targeting loadable kernel module (LKM) - rootkit loaded as a driver/kernel extension; can corrupt the kernel and avoid detection Example rootkits???

4 hardening tools are: 1. Chroot 2. TCP Wrapper 3. Tripwire 4. Logging

Hardening Linux * Identify vulnerabilities and patch and secure the system - place firewall in front - filter and control traffic with ipchains and iptables - remove unneeded programs & services - follow "principle of least privilege" - follow NSA hardening guidelines - Name 4 hardening tools?

UID = user ID GID = Group ID root always has UID 0 and GID 0

UID=? GID=? root value for UID & GID =?

/bin = /etc - info about users and group ids stored in /etc/passwd file

What's in the following Linux directories a. /bin b. /dev c. /etc d. /home e. /mnt f. /sbin g. /usr

To compile a program in Linux, the following three commands are used? ./configure make make install

Compressing, Installing & Compiling Linux * Tar - common compression tool; does NOT do file compression ??? * GZIP is used for file compression * To compile a program in Linux, the following three commands are used?

1. MD5 is default encryption; but DES can be used as well 2. DES limits passwords to 8 characters 3. /etc/shadow file is used for added passwd security. only ROOT has access to it. Use MORE /ETC/SHADOW cmd to see the file while logged in as root. 4. Passwd's in linux use salts. 1 of 4096 values help to further scramble the password when encrypted.

Passwords & Shadow File * password encryption can be selected during install 1 - default encryption? But ____ can be used as well. 2. DES limits passwords to ___ characters? 3. /etc/____ file is used for added password security. only ___ has access to it; use ___ command to see it while logged in as root. 4. Passwd's in linux use salts. 1 of___ values help to further scramble the password when encrypted.

Password cracking tool = John the Ripper

Linux Passwords * passwd's one of weakest auth methods * Additional auth => biometrics/tokens * Pluggable Authentication Models (PAM) - controls interaction between user and application * Password cracking tool = ?

(blank)

Maintaining access and covering tracks ROOTKITS - hide attackers presence and provide backdoor - require root access - categories: a. hypervisor b. hardware/firmware c. boot loader d. library level e. app level f. kernel level

What are some system level scanners (9 total)? 1. Nessus 2. NeWT 3. SAINT 4. SARA 5. IIS Internet Scanner 6. NetRecon 7. Retina 8. LANguard 9. VLAD

System level scanners: * Can be used to scan entire system(s) for vulnerabilities * can be used remotely * CANNOT audit source code and might crash the system * not considered stealth What are some system level scanners (9 total)?

Five(5) tools for source code scanners? 1. Flawfinder 2. Rough auditing tools for security (RATS) 3. StackGuard 4. Microsoft / GS 5. Libsafe

Source Code Scanners * used to examine the source code of an application and detect security problems * can detect buffer overflow, race conditions, privilege escalations and tainted output Name 5 Tools for source code scanners?

