Linux system security (system weak password detection, network port scanning)

1. System weak password detection

1.1 John the Ripper (referred to as JR)

  • A cryptanalysis tool that supports dictionary brute force cracking
  • Through the password analysis of the shadow file, the password strength can be detected
  • Link: Official website
(1) First, drag the prepared john toolkit directly to the /opt directory through xshell, and unzip it

(2) Install the compilation tools. The following three tools are required; install them if they are not already present:
yum install -y gcc gcc-c++ make

(3) Switch to the src subdirectory to compile and install
cd /opt/john-1.8.0/src

(4) Compile and install
make clean linux-x86-64

(5) Prepare the password file to be cracked. The password hashes are in /etc/shadow; copy this file to the /opt directory and name it shadow.txt:

cp /etc/shadow /opt/shadow.txt

(6) Perform brute force cracking

cd /opt/john-1.8.0/run
./john /opt/shadow.txt

(7) View the list of accounts that have been cracked

./john --show /opt/shadow.txt

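Clear the list of cracked accounts so that the analysis can be run again (from the run directory):
: > john.pot
Crack using a specified dictionary file:
./john --wordlist=./password.lst /opt/shadow.txt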

2. Network port scanning

2.1 NMAP

  • A powerful network scanning and security detection tool
  • Official website link
  • The installation package nmap-6.40-7.el7.x86_64.rpm is on the CentOS 7.3 CD

Check whether it is installed before use, and install it if it is not:

rpm -qa | grep nmap
yum install -y nmap

Common NMAP options and scan types

The format is:
nmap [scan type] [options] <scan target…>

Common options
-p:
Specify the port to be scanned.
-n:
Disable reverse DNS resolution (to speed up scanning).
-sS:
TCP SYN scan (half-open scan), only SYN packets are sent to the target. If a SYN/ACK response packet is received, the target port is considered to be listening and the connection is immediately disconnected; otherwise, the target port is considered not open.
-sT:
TCP connection scanning, this is a complete TCP scanning method (default scanning type), used to establish a TCP connection, if successful, the target port is considered to be listening for services, otherwise the target port is considered not open.
-sF:
TCP FIN scan, open ports will ignore such data packets, closed ports will respond to RST data packets. Many firewalls only perform simple filtering on SYN packets and ignore other forms of TCP attack packets. This type of scan can indirectly detect the robustness of the firewall.
-sU:
UDP scan, which detects which UDP services the target host provides. The speed of UDP scan will be slower.
-sP:
ICMP scan, similar to ping detection, quickly determine whether the target host is alive, and do not perform other scans.
-P0:
Skip ping detection. This method considers that all target hosts are alive. When the other party does not respond to ICMP requests, this method can avoid abandoning scanning due to failure to ping.

Example

View the open TCP ports of this machine:
nmap -sT 127.0.0.1

Check the open UDP ports of this machine:
nmap -sU 127.0.0.1

Detect which hosts in the 192.168.1.0/24 network segment provide HTTP service:
nmap -p 80 192.168.1.0/24
Detect which hosts in the 192.168.1.0/24 network segment are alive:
nmap -n -sP 192.168.1.0/24

2.2 netstat

The netstat command displays network connection, routing table and network interface information, allowing users to know which network connections are currently in use.

The format is:

netstat [option]

Common command options:

-a:
Display all active network connection information in the host (including service ports in listening and non-listening states).
-n:
Display related host address, port and other information in numeric form.
-t:
View information related to TCP.
-u:
Display information related to UDP protocol.
-p:
Display the process number and process name information associated with the network connection (this option requires root privileges).
-r:
Display routing table information.
-l:
Display the network connection and port information in the listening state.

Example

View the network status information of the TCP protocol on this machine:
netstat -natp

View the network status information of the UDP protocol on this machine:
netstat -naup
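As an added example (not part of the original post), the output of netstat -natp can be checked against a list of ports that are expected to be open, so that any other listening service stands out. The function names, the allowlist and the sample output below are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -natp` output, embedded so the script runs offline.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1180/master
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1502/mysqld
tcp        0     36 192.168.1.10:22         192.168.1.50:51234      ESTABLISHED 2201/sshd: root
tcp6       0      0 :::80                   :::*                    LISTEN      1330/httpd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1180/master
EOF
}

# unexpected_listeners "<allowed ports>"
# Reads `netstat -natp` output on stdin and prints "port address pid/program"
# for every TCP socket that is LISTENing on a non-loopback address and whose
# port is not in the space-separated allowlist.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            port = addr
            sub(/.*:/, "", port)        # keep what follows the last colon
            sub(/:[0-9]+$/, "", addr)   # drop the trailing :port
            if (addr ~ /^127\./ || addr == "::1") next   # local-only service
            if (!(port in ok)) print port, addr, $7
        }'
}

# Only SSH and HTTP are expected to be reachable in this constructed case.
sample_netstat | unexpected_listeners "22 80"
# On a live host (as root, so -p can show the program name):
#   netstat -natp | unexpected_listeners "22 80"
```

Each line printed is a service to either add to the allowlist deliberately, bind to 127.0.0.1, or stop.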

Origin blog.csdn.net/weixin_51613313/article/details/110524007