Welcome To H@CK3R5 CORn3R

2008-09-22T07:19:00.000-07:00

Module 17: Cryptography

Overview

Having dealt with various security concerns and countermeasures in the preceding modules, it is obvious that cryptography as a security measure is here to stay. In this module we will try to understand the use of cryptography over the Internet through:

· Public Key Infrastructure (PKI)

· RSA

· MD-5

· Secure Hash Algorithm (SHA)

· Secure Socket Layer (SSL)

· Pretty Good Privacy (PGP)

· SSH

We will also be looking at the effort required to crack these encryption techniques and explore attacker methodologies if any that are relevant to the discussion.

It is to be noted that encryption is no longer an exemptible option when conducting ecommerce. Given the importance it bears on ecommerce, it is one area that will have its share of security concerns as well. Encryption on its own cannot guarantee foolproof security. It must be combined with good security policies and practices if an organization needs to protect its information assets and extend it to its stakeholders.

Public-key Cryptography

· Public-key cryptography was invented in 1976 by Whitfield Diffie and Martin Hellman.

· In this system, each person gets a pair of keys, called the public key and the private key.

· Each person's public key is published while the private key is kept secret.

· Anyone can send a confidential message just using public information, but it can only be decrypted with a private key that is in the sole possession of the intended recipient.

Cryptography can be classified as the study of techniques and applications that depend on the existence of difficult problems. A cryptanalyst attempts to compromise cryptographic mechanisms, and cryptology (from the Greek kryptós lógos, meaning "hidden word") is the discipline of cryptography and cryptanalysis combined.

Note

The concept of public-key cryptography was introduced in 1976 by Whitfield Diffie and Martin Hellman in order to solve the key management problem. In their concept, each person gets a pair of keys, one called the public key and the other called the private key. Each person's public key is published while the private key is kept secret. This eliminates the need for the sender and receiver to share secret information, as all communications involve only public keys, and no private key is ever transmitted or shared. This option also secured the communication against eavesdropping or betrayal.

The only requirement is that public keys must be associated with their users in a trusted manner. With PKI, anyone can send a confidential message by using public information, though the message can only be decrypted with a private key, which is in the possession of the intended recipient. Furthermore, public-key cryptography meets the need for privacy and authentication.

Working of Encryption

When Alice wishes to send a secret message to Bob, she looks up Bob's public key in a directory, uses it to encrypt the message and sends it off. Bob then uses his private key to decrypt the message and read it. No one listening in can decrypt the message. Anyone can send an encrypted message to Bob but only Bob can read it. Thus, although many people may know the public key of a Bob and use it to verify Bob's signatures, they cannot discover Bob's private key and use it to forge digital signatures. This is referred to as the principle of "irreversibility."

To sign a message, Alice does a computation involving both her private key and the message itself; the output is called the digital signature and is attached to the message, which is then sent. If Bob wants to verify the signature, he does some computation involving the message, the purported signature, and Alice's public key. If the result holds properly in a simple mathematical relation, the signature is verified as being genuine; otherwise, the signature may be fraudulent or the message might have been altered.

Digital Signature

Concept

What is a digital signature?

A digital signature is a cryptographic means of authentication. Public key cryptography that uses an asymmetric key algorithm is used for creating the digital signature. The complementary keys are termed the private key (which is known only to the signer and used to create the digital signature), and the public key (which is more widely known and is used by a relying party to verify the digital signature).

Another process, termed a "hash function," is used in both creating and verifying a digital signature. A hash function is an algorithm which creates a digital representation or "fingerprint" in the form of a "hash value" or "hash result" of a standard length which is usually much smaller than the message but unique to it. Any change to the message invariably produces a different hash result when the same hash function is used. In the case of a secure hash function, termed a "one - way hash function," it is not possible to derive the original message from the hash value.

Verification of a digital signature is accomplished by computing a new hash result of the original message by means of the same hash function used to create the digital signature. Then, using the public key and the new hash result, the verifier checks: (1) whether the digital signature was created using the corresponding private key; and (2) whether the newly computed hash result matches the original hash result which was transformed into the digital signature during the signing process.

To associate a key pair with a prospective signer, a certification authority issues a certificate, which is an electronic record that lists a public key as the subject of the certificate, and confirms that the signer identified in the certificate holds the corresponding private key. The prospective signer is termed as the subscriber.

A certificate's principal function is to bind a key pair with a particular subscriber. The recipient of the certificate desiring to rely upon a digital signature created by the subscriber named in the certificate can use the public key listed in the certificate to verify that the digital signature was created with the corresponding private key.

The certification authority digitally signs the certificate to assure authenticity of both the message and identity in the certificate. The issuing certification authority's digital signature on the certificate can be verified by using the public key of the certification authority listed in another certificate by another certificate authority and that other certificate can in turn be authenticated by the public key listed in yet another certificate, and so on.

To make a public key and its identification with a specific subscriber readily a vailable for use in verification, the certificate may be published in a repository. Repositories are on-line databases of certificates and other information available for retrieval and use in verifying digital signatures. Retrieval can be accomplished automatically by having the verification program directly inquire of the repository to obtain certificates as needed.

If the subscriber loses control of the private key, the certificate becomes unreliable, and the certification authority may suspend or revoke the certificate.

RSA (Rivest Shamir Adleman)

· RSA is a public-key cryptosystem developed by MIT professors Ronald L Rivest, Adi Shamir, Leonard M Adleman in 1977 in an effort to help ensure internet security.

· RSA uses modular arithmetic and elementary number theory to do computation using two very large prime numbers.

· RSA encryption is widely used and is the 'defacto' encryption standard.

Note

RSA is a public-key cryptosystem for both encryption and authentication which was invented in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. In practice, the RSA system is often used together with a secret-key cryptosystem, such as DES. The RSA system is used widely in a wide variety of products, platforms, and industries. The RSA algorithm is built into current operating systems by Microsoft, Apple, Sun, and Novell. In hardware, the RSA algorithm can be found in secure telephones, on Ethernet network cards, and on smart cards.

If Alice wishes to send an encrypted message to Bob, she will first encrypt the message with DES, using a randomly chosen DES key. Then she will look up Bob's public key and use it to encrypt the DES key. The DES-encrypted message and the RSA-encrypted DES key together form the RSA digital envelope which is sent to Bob. When Bob receives the digital envelope, he will decrypt the DES key with his private key, and then use the DES key to decrypt the message itself. This combines the high speed of DES with the key management convenience of the RSA system.

RSA works as follows: two large prime numbers are taken (say a and b), and their product is determined (c = ab, where c is called the modulus). A number (e) is chosen such that it is less than c and relatively prime to (a-1) (b-1), which means that e and (a-1) (b-1) have no common factors except 1. Apart from this, another number f is chosen such that (ef - 1) is divisible by (a-1) (b-1). The values e and f are called the public and private exponents, respectively. The public key is the pair (c, e); the private key is (c, f).

It is considered to be difficult to obtain the private key f from the public key. However if someone can factor c into a and b, then he / she can decipher the private key f. Thus the security of the RSA system is based on the assumption that factoring is difficult to carry out and therefore the cryptographic technique safe.

Example of RSA algorithm

RSA retains its security from the apparent difficulty in factoring very large composites. However it is possible that an advance in number theory may lead to the discovery of a polynomial time factoring algorithm. There are three factors that can aggravate the path towards compromising RSA security. These are advances in factoring technique, computing power and the decrease in the cost of computing hardware. Let us look at an example to illustrate the working of RSA as discussed before. For P = 61 and Q = 53, PQ = 3233. Taking a public exponent E = 17 and a private exponent D = 2753, we can encrypt a plain text 123 as shown below:

The encryption function is:

         encrypt {T} = {T^E} mod PQ

The decryption function is:

         decrypt {C} = {C^D} mod PQ

                         = {C^2753} mod 3233

To encrypt the plaintext value 123, do this:

         encrypt{123} = {123^17} mod 3233

                      = 337587917446653715596592958817679803 mod 3233

                      = 855

To decrypt the ciphertext value 855, do this:

         decrypt {855} = {855^2753} mod 3233

                             = 123

RSA Attacks

· Brute forcing RSA factoring

· Esoteric attack

· Chosen cipher text attack

· Low encryption exponent attack

· Error analysis

· Other attacks

Brute Force RSA Factoring

This is possible when an attacker has access to the public-key. This implies that the attacker has e and n. The goal is to obtain the private key d. To get d, n needs to be factored (which will yield p and q, which can then be used to calculate d). Factoring n is the best known attack against RSA to date. Some of the algorithms used for factoring are as follows:

· Trial division: The oldest and least efficient. Exponential running time. Try all the prime numbers less than sqrt (n).

· Quadratic Sieve (QS): The fastest algorithm for numbers smaller than 110 digits.

· Multiple Polynomial Quadratic Sieve (MPQS): Faster version of QS.

· Double Large Prime Variation of the MPQS: Faster still.

· Number Field Sieve (NFS): Currently the fastest algorithm known for numbers larger than 110 digits.

These algorithms represent the state of the art in warfare against large composite numbers. The table below estimates the effort required to factor some common PGP-based RSA public-key modulus lengths using the General Number Field Sieve:

KeySize	MIPS-years required to factor

512	30,000
768	200,000,000
1024	300,000,000,000
2048	300,000,000,000,000,000,000

The next chart shows some estimates for the equivalences in brute force key searches of symmetric keys and brute force factoring of asymmetric keys, using the NFS.

Symmetric	Asymmetric

56-bits	384-bits
64-bits	512-bits
8o-bits	768-bits
112-bits	1792-bits
128-bits	2304-bits

Esoteric RSA attacks

These attacks depend on the weakness in certain implementations of the RSA protocol.

Chosen cipher-text attack

An attacker listens in on the insecure channel in which RSA messages are passed. The attacker collects an encrypted message c, from the target (destined for some other party). The attacker wants to be able to read this message without having to mount a serious factoring effort. In other words, he wants m=c^d.

To recover m, the attacker first chooses a random number, r <>

x=r^e mod n (He encrypts r with the target's public-key)

y=xc mod n (Multiplies the target ciphertext with the temp)

t=r^-1 mod n (Multiplicative inverse of r mod n)

The attacker counts on the fact that: If x=r^e mod n, Then r=x^d mod n

The attacker then gets the target to sign y with her private-key, (which actually decrypts y) and sends u=y^d mod n to the attacker. The attacker simply computes:

tu mod n = (r^-1) (y^d) mod n = (r^-1)(x^d)(c^d) mod n = (c^d) mod n = m

To foil this attack do not sign some random documents presented. Sign a one-way hash of the message instead.

Low encryption exponent e

If the encryption exponent is small (common values are 3, 17, and 65537) then public-key operations are significantly faster. The only problem lies in using small values for e as a public exponent for encrypting small messages. For instance, if e is 3 and m is a smaller number than the cubic root of n, then the message can be recovered simply by taking the cubic root of m because:

m [for m <>

therefore:

3rdroot(m^3) = m.

To defend against this attack, simply pad the message with a nonce before encryption, such that m^3 will always be reduced mod n.

Error Analysis

Shamir and others have discovered an attack against most cryptosystems (DES, IDEA, and RSA) which can be used if the attacker can somehow force the encryption/decryption engine to make errors. By analyzing the form of the output to known input when the engine is forced to make one bit errors somewhere in its operation, most cryptosystems can be broken easily. Again however this is primarily of interest to people who use some encryption scheme where the input, output, and encryption is accessible to the attacker.

Other RSA attacks

There are other attacks against RSA, such as the common modulus attack in which several users share n, but have different values for e and d. Sharing a common modulus with several users, can enable an attacker to recover a message without factoring n. If d is up to one quarter the size of n and e is less than n, d can be recovered without factoring. PGP does not choose small values for the decryption exponent.

MD5

· The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" digest of the input.

· The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.

Concept

A hash function H is a transformation that takes a variable-size input m and returns a fixed-size string, which is called the hash value h (that is, h = H(m)). The basic requirements for a cryptographic hash function are:

· the input can be of any length,

· the output has a fixed length,

· H(x) is relatively easy to compute for any given x,

· H(x) is one-way,

· H(x) is collision-free.

A hash function H is said to be one-way if it is hard to invert, where "hard to invert" means that given a hash value h, it is computationally infeasible to find some input x such that H(x) = h.

If, given a message x, it is computationally infeasible to find a message y not equal to x such that H(x) = H(y) then H is said to be a weakly collision-free hash function.

A strongly collision-free hash function H is one for which it is computationally infeasible to find any two messages x and y such that H(x) = H(y).

The main role of a cryptographic hash function is in the provision of digital signatures. Since hash functions are generally faster than digital signature algorithms, it is typical to compute the digital signature to some document by computing the signature on the document's hash value, which is small compared to the document itself. Additionally, a digest can be made public without revealing the contents of the document from which it is derived.

MD2, MD4, and MD5 are message-digest algorithms developed by Rivest. They are meant for digital signature applications where a large message has to be "compressed" in a secure manner before being signed with the private key. All three algorithms take a message of arbitrary length and produce a 128-bit message digest. While the structures of these algorithms are somewhat similar, the design of MD2 is quite different from that of MD4 and MD5 and MD2 was optimized for 8-bit machines, whereas MD4 and MD5 were aimed at 32-bit machines.

MD4 was developed by Rivest in 1990. The message is padded to ensure that its length in bits plus 448 is divisible 512. A 64-bit binary representation of the original length of the message is then concatenated to the message. Attacks on versions of MD4 were developed very quickly and Dobbertin showed how collisions for the full version of MD4 could be found in under a minute on a typical PC.

MD5 was developed by Rivest in 1991. It is basically MD4 with "safety-belts" and while it is slightly slower than MD4, it is more secure. The algorithm consists of four distinct rounds, which have a slightly different design from that of MD4. Message-digest size, as well as padding requirements, remains the same.

Brute Force of MD5

The strength of any one-way hash is defined by how well it can randomize an arbitrary message and produces a unique output. There are two types of brute force attacks against a one-way hash function, normal brute force and the birthday attack.

SHA (Secure Hash Algorithm)

· The SHA algorithm takes as input a message of arbitrary length and produces as output a 160-bit" fingerprint" or "message digest" of the input.

· The algorithm is slightly slower than MD5, but the larger message digest makes it more secret against brute-force collision and inversion attacks.

Note

The Secure Hash Algorithm (SHA), the algorithm specified in the Secure Hash Standard(SHS), was developed by NIST and published as a federal information processing standard (FIPS PUB 180). SHA-1 was a revision to SHA that was published in 1994. The revision corrected an unpublished flaw in SHA. Its design is very similar to the MD4 family of hash functions developed by Rivest.

SHA is a cryptographic message digest algorithm similar to the MD4 family of hash functions developed by Rivest. The algorithm takes a message of less than 2 64 bits in length and produces a 160-bit message digest which is designed so that it should be computationally expensive to find a text which matches a given hash. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.

SHA is part of the Capstone project. Capstone is the U.S. government's long-term project to develop a set of standards for publicly available cryptography, as authorized by the Computer Security Act of 1987. The primary agencies responsible for Capstone are NIST and the NSA. There are four major components of Capstone: a bulk data encryption algorithm, a digital signature algorithm, a key exchange protocol, and a hash function. The data encryption algorithm is called Skipjack. The digital signature algorithm is DSA and the hash function is SHA.

SSL (Secure Socket Layer)

· SSL stands for Secure Sockets Layer, SSL is a protocol developed by Netscape for transmitting private documents via the Internet.

· SSL works by using a private key to encrypt data that is transferred over the SSL connection.

· SSL Protocol is application protocol independent.

Note

SSL stands for Secure Sockets Layer, SSL is a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that is transferred over the SSL connection.

The SSL Protocol is designed to provide privacy between two communicating applications (a client and a server). Second, the protocol is designed to authenticate the server, and optionally the client. SSL requires a reliable transport protocol (e.g. TCP) for data transmission and reception.

The advantage of the SSL Protocol is that it is application protocol independent. A "higher level" application protocol (e.g. HTTP, FTP, TELNET, etc.) can layer on top of the SSL Protocol transparently. The SSL Protocol can negotiate an encryption algorithm and session key as well as authenticate a server before the application protocol transmits or receives its first byte of data. All of the application protocol data is transmitted encrypted, ensuring privacy.

The SSL protocol provides "channel security" which has three basic properties:

· The channel is private. Encryption is used for all messages after a simple handshake is used to define a secret key.

· The channel is authenticated. The server endpoint of the conversation is always authenticated, while the client endpoint is optionally authenticated.

· The channel is reliable. The message transport includes a message integrity check (using a MAC).

An SSL session is stateful. It is the responsibility of the SSL Handshake protocol to coordinate the states of the client and server, thereby allowing the protocol state machines of each to operate consistently, despite the fact that the state is not exactly parallel.

Logically the state is represented twice, once as the current operating state, and again as the pending state. Additionally, separate read and write states are maintained. When the client or server receives a change cipher spec message, it copies the pending read state into the current read state. When the client or server sends a change cipher spec message, it copies the pending write state into the current write state. When the handshake negotiation is complete, the client and server exchange change cipher spec messages, and then communicate using the newly agreed-upon cipher spec.

An SSL session may include multiple secure connections; in addition, parties may have multiple simultaneous sessions. The session state includes the following elements:

· Session Identifier - An arbitrary byte sequence chosen by the server to identify an active or resumable session state

· Peer Certificate - X509.v3[X509] certificate of the peer. This element of the state may be null.

· Compression Method - The algorithm used to compress data prior to encryption.

· Cipher Spec - Specifies the bulk data encryption algorithm (such as null, DES, etc.) and a MAC algorithm (such as MD5 or SHA). It also defines cryptographic attributes such as the hash_size.

· Master Secret - 48-byte secret shared between the client and server.

· Is Resumable - A flag indicating whether the session can be used to initiate new connections.

The connection state includes the following elements:

· Server and client random - Byte sequences that are chosen by the server and client for each connection.

· Server write MAC secret - The secret used in MAC operations on data written by the server.

· Client write MAC secret - The secret used in MAC operations on data written by the client.

· Server write key - The bulk cipher key for data encrypted by the server and decrypted by the client.

· Client write key - The bulk cipher key for data encrypted by the client and decrypted by the server.

· Initialization vectors - When a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key. This field is first initialized by the SSL handshake protocol. Thereafter the final ciphertext block from each record is preserved for use with the following record.

· Sequence numbers - Each party maintains separate sequence numbers for transmitted and received messages for each connection. When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero. Sequence numbers are of type uint64 and may not exceed 264 -1.

SSL Handshake Protocol Flow

SSL Handshake Protocol operates on top of the SSL Record Layer. When a SSL client and server first start communicating, they agree on a protocol version, select cryptographic algorithms, optionally authenticate each other, and use public-key encryption techniques to generate shared secrets. These processes are performed in the handshake protocol, which can be summarized as follows:

1. The client sends a client hello message to which the server must respond with a server hello message, or else a fatal error will occur and the connection will fail. The client hello and server hello are used to establish security enhancement capabilities between client and server. The client hello and server hello establish the following attributes: protocol version, session ID, cipher suite, and compression method.

2. Following the hello messages, the server will send its certificate, if it is to be authenticated. Additionally, a server key exchange message may be sent, if it is required. If the server is authenticated, it may request a certificate from the client, if that is appropriate to the cipher suite selected.

3. Now the server will send the server hello done message, indicating that the hello-message phase of the handshake is complete. The server will then wait for a client response.

4. If the server has sent a certificate request message, the client must send either the certificate message or a no certificate alert. The client key exchange message is now sent, and the content of that message will depend on the public key algorithm selected between the client hello and the server hello. If the client has sent a certificate with signing ability, a digitally-signed certificate verifies message is sent to explicitly verify the certificate.

5. At this point, a change cipher spec message is sent by the client, and the client copies the pending Cipher Spec into the current Cipher Spec. The client then immediately sends the finished message under the new algorithms, keys, and secrets. In response, the server will send its own change cipher spec message, transfer the pending to the current Cipher Spec, and send its Finished message under the new Cipher Spec. At this point, the handshake is complete and the client and server may begin to exchange application layer data.

When the client and server decide to resume a previous session or duplicate an existing session (instead of negotiating new security parameters) the message flow is as follows:

· The client sends a client hello using the Session ID of the session to be resumed. The Server then checks its session cache for a match. If a match is found, and the server is willing to re-establish the connection under the specified session state, it will send a server hello with the same Session ID value. At this point, both client and server must send change cipher spec messages and proceed directly to finished messages. Once the re-establishment is complete, the client and server may begin to exchange application layer data. If a Session ID match is not found, the server generates a new session ID and the SSL client and server perform a full handshake.

RC5

· RC5 is a fast block cipher designed by RSA Security in 1994.

· It is a parameterized algorithm with a variable block size, a variable key size and a variable number of rounds. The key size is 128 bit.

· RC6 is a block cipher based on RC5. Like RC5, RC6 is a parameterized algorithm where the block size, the key size and the number of rounds are variable again. The upper limit on the key size is 2040 bits.

Note

RC5 is a fast block cipher designed by Ronald Rivest for RSA Data Security (now RSASecurity) in 1994. It is a parameterized algorithm with a variable block size, a variable key size, and a variable number of rounds. Allowable choices for the block size are 32 bits (for experimentation and evaluation purposes only), 64 bits (for use a drop-in replacement for DES), and 128 bits. The number of rounds can range from 0 to 255, while the key can range from 0 bits to 2040 bits in size. Such built-in variability provides flexibility at all levels of security.

There are three routines in RC5: key expansion, encryption, and decryption. In the key-expansion routine, the user-provided secret key is expanded to fill a key table whose size depends on the number of rounds. The key table is then used in both encryption and decryption. The encryption routine consists of three primitive operations: integer addition, bitwise XOR, and variable rotation. The exceptional simplicity of RC5 makes it easy to implement and analyze. Indeed, like the RSA system, the encryption steps of RC5 can be written on the "back of an envelope".

The heavy use of data-dependent rotations and the mixture of different operations provide the security of RC5. RC6 is a block cipher based on RC5 and designed by Rivest, Sidney, and Yin for RSA Security. Like RC5, RC6 is a parameterized algorithm where the block size, the key size, and the number of rounds are variable; again, the upper limit on the key size is 2040 bits. There are two main new features in RC6 compared to RC5: the inclusion of integer multiplication and the use of four b/4-bit working registers instead of two b/2-bit registers as in RC5 (b is the block size). Integer multiplication is used to increase the diffusion achieved per round so that fewer rounds are needed and the speed of the cipher can be increased. The reason for using four working registers instead of two is technical rather than theoretical. Namely, the default block size of the AES is 128 bits; while RC5 deals with 64-bit operations when using this block size, 32-bit operations are preferable given the intended architecture of the AES.

What is SSH?

· The program SSH (Secure Shell) is a secure replacement for telnet and the Berkeley r-utilities (rlogin, rsh, rcp and rdist).

· It provides an encrypted channel for logging into another computer over a network, executing commands on a remote computer, and moving files from one computer to another.

· SSH provides a strong host-to host and user authentication as well as secure encrypted communications over an insecure internet.

· SSH2 is a more secure, efficient and portable version of SSH that includes SFTP, an SSH2 tunneled FTP.

Note

Secure Shell is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over unsecure channels. It i s intended as a replacement for telnet, rlogin, rsh, and rcp. For SSH2, there is a replacement for FTP: sftp.

Additionally, Secure Shell provides secure X connections and secure forwarding of arbitrary TCP connections. The difference between SSH1 and SSH2 is they are two entirely different protocols. SSH1 and SSH2 encrypt at different parts of the packets, and SSH1 uses server and host keys to authenticate systems where SSH2 only uses host keys. SSH2 is a complete rewrite of the protocol, and it does not use the same networking implementation that SSH1 does. Also, SSH2 is more secure. It should be noted that the SSH1 and SSH2 protocols are in fact different and not compatible with each other. In a nutshell, SSH2 is a rewrite of the SSH1 protocol, with improvements to security, performance, and portability.

The SSH1 protocol is not being developed anymore, as SSH2 is being developed as the standard.

· There are structural weaknesses in SSH1 which leave it open to additional attacks

· SSH1 is subject to a man-in-the-middle attack

· SSH1 has more supported platforms

· SSH1 supports .rhosts authentication (it's against the draft for SSH2

· SSH1 has more diverse authentication support (AFS, Kerberos, etc.)

· Performance for SSH2 is not equal to SSH1

SSH Communications Security is the developer of Secure Shell (secsh) protocol and maintains the releases of SSH1 and SSH2. Secure Shell authenticates using one or more of the following:

· Password (the /etc/passwd or /etc/shadow in UNIX)

· User public key (RSA or DSA, depending on the release)

· Kerberos (for SSH1)

· Hostbased (.rhosts or /etc/hosts. equiv in SSH1 or public key in SSH2)

Secure Shell protects against:

· IP spoofing, where a remote host sends out packets which pretend to come from another, trusted host. Ssh even protects against a spoofer on the local network, who can pretend he is your router to the outside.

· IP source routing, where a host can pretend that an IP packet comes from another, trusted host.

· DNS spoofing, where an attacker forges name server records

· Interception of cleartext passwords and other data by intermediate hosts

· Manipulation of data by people in control of intermediate hosts

· Attacks based on listening to X authentication data and spoofed connection to the X11 server

Government Access to Keys(GAK)

· Government Access to Keys ( also known as key escrow) means that software companies will give copies of all keys ( or at least enough of the key that the remainder could be cracked very easily) to the government.

· The government promises that they would hold the keys in a secure way and only use them to crack keys when a court issues a warrant to do so.

· To the government, this issue is similar to the ability to wiretap phones.

Government access to decryption keys is considered by many to be the overriding desire of most national security agencies. It is a continuing battleground between law enforcement agencies (LEAs) and civil liberty groups.

Note

A key escrow encryption system (or, simply escrowed encryption system) is an encryption system with a backup decryption capability that allows authorized persons, under certain prescribed conditions, to decrypt ciphertext with the help of information supplied by one or more trusted parties who hold special data recovery keys.

The data recovery keys are not normally the same as those used to encrypt and decrypt the data, but rather provide a means of determining the data encryption/decryption keys. The term key escrow is used to refer to the safeguarding of these data recovery keys. Other terms used include key archive, key backup, and data recovery system.

Key recovery systems have gained prominence due to the desire of government intelligence and law enforcement agencies to guarantee that they have access to encrypted information without the knowledge or consent of encryption users. A properly designed cryptosystem makes it essentially impossible to recover encrypted data without knowledge of the correct key. In some cases this creates a potential problem for the users of encryption themselves; the cost of keeping unauthorized parties out is that if keys are lost or unavailable at the time they are needed, the owners of the encrypted data will be unable to make use of their own information.

The ultimate goal of government-driven key recovery encryption, as stated in the U.S. Department of Commerce's recent encryption regulations, "envisions a worldwide key management infrastructure with the use of key escrow and key recovery encryption items."

The Clipper Chip is a cryptographic device supposedly intended to protect private communications while at the same time permitting government agents to obtain the "keys" upon presentation of what has been vaguely characterized as "legal authorization." The "keys" are held by two government "escrow agents" and would enable the government to access the encrypted private communication. While Clipper would be used to encrypt voice transmissions, a similar chip known as Capstone would be used to encrypt data.

The underlying cryptographic algorithm, known as Skipjack, was developed by the National Security Agency (NSA), a super-secret military intelligence agency responsible for intercepting foreign government communications and breaking the codes that protect such transmissions. The Skipjack algorithm uses 8o-bit keys. If it is as good as NSA claims, cryptanalyzing it will require searching through all these keys or doing about a million billion billion encryptions. This makes it sixteen million times as hard to break as DES. From the viewpoint of a user, any key escrow system diminishes security. It puts potential for access to the user's communications in the hands of an escrow agent who's intentions, policies, security capabilities, and future cannot be entirely known.

RSA Challenge

· The RSA Factoring challenge is an effort, sponsored by RSA Laboratories, to learn about the actual difficulty of factoring large numbers of the type used in RSA keys.

· A set of eight challenge numbers, ranging in size from 576 bits to 2048 bits are given.

The RSA Factoring challenge is an effort, sponsored by RSA Laboratories, to learn about the actual difficulty of factoring large numbers of the type used in RSA keys. A set of eight challenge numbers, ranging in size from 576 bits to 2048 bits are given. Each number is the product of two large primes, similar to the modulus of an RSA key pair.

The RSA challenge numbers were generated using a secure process that guarantees that the factors of each number cannot be obtained by any method other than factoring the published value. No one, not even RSA Laboratories, knows the factors of any of the challenge numbers.

The generation took place on a Compaq laptop PC with no network connection of any kind . The factoring of a challenge-number of specific length does not mean that the RSA cryptosystem is "broken." It does not even mean, necessarily, that keys of the same length as the factored challenge number must be discarded. It simply gives us an idea of the amount of work required to factor a modulus of a given size. This can be translated into an estimate of the cost of breaking a particular RSA key pair.

The table below provides an estimate of the resources required to factor numbers of various bit lengths in a time period of one year. The Machines column is the number of 500 MHz Pentium (or comparable) machines needed. The Memory column is the amount of RAM required in each machine.

Number Length (bits)	Machines	Memory
430	1	trivial
760	215,000	4 Gb
1020	342,000,000	170 Gb
1620	1.6 x 10¹⁵	120 Tb

As shown, to factor a 760-bit number in one year would require 215,000 Pentium-class machines, each with 4 Gigabytes of physical RAM.

The best known algorithm for factoring large numbers is the General Number Field Sieve (GNFS). GNFS consists of a sieving phase that searches a fixed set of prime numbers for candidates that have a particular algebraic relationship, modulo the number to be factored. This is followed by a matrix solving phase that creates a large matrix from the candidate values, and then solves it to determine the factors.

The sieving phase may be done in distributed fashion, on a large number of processors simultaneously. The matrix solving phase requires massive amounts of storage and is typically performed on a large supercomputer.

distributed.net

www.distributed.net

· An attempt to crack RC5 encryption using network of computers world wide

· The client utility when downloaded from distributed.net runs the crack algorithm as screensaver and send results to the distributed.net connected servers.

· The challenge is still running...

distributed.net is a non-profit organization committed to serving as a gathering point for topics relating to distributed computing, or the process by which countless computers work together toward solving a particular problem. The history of the organization, the organization's ongoing projects, the individuals involved in the organization and the organization's short term and long term goals all relate to finding new ways for computers connected to the Internet being used during "idle" time. This process is realized through the development of software which allows computers currently not in use to communicate via the Internet allowing an unlimited amount of computers to work toward one common goal.

To date, distributed.net has used its processes and technologies to solve encryption contests on the Internet. It is through the application of this concept that distributed.net has been able to develop and refine these techniques, improving on the range, scope, and variety of tasks which are suitable for this technology. In response to the RC5 -32/12/7 (56 bit) Secret Key Challenge, a contest testing RSA Lab's 56 bit encryption algorithm technology, a group of individuals began development of software tools designed to work towards solving the challenge. A program was created (the client) which was then installed on many machines and performed the complex calculations necessary to solve the challenge. Additionally, a network of servers was designed and created which could coordinate all the client computers. The large task of testing 72 quadrillion keys was then split up and delegated to each client machine. As each client completed its parcel of assigned work, it would report back to the server the results and then be assigned another parcel of work.

In this manner of organized cooperation, many small computers can equal and even surpass the computing power of the largest mainframes. On May 8th, 1997 this effort become distributed.net with Adam L. Beberg acting as founder and chief organizer of this non-profit organization. On July 8th 1997, a new version of the "client" software became available. This version (v2) allowed for easier reporting, faster processing, and much more flexible operation.

On October 22, 1997 after 212 days of work the RC5-56 challenge was solved. At the end of the contest, 4000 active teams of volunteers (in total processing over 7 billion keys each second) at a combined computing power equivalent to more than 26 thousand high-end personal computers, managed to evaluate 46% of the possible solutions. A computer managed by Jo Hermans of Brussels found the solution. Of the $10,000 prize money $8,000 was donated to Project Gutenberg/CMU, $1,000 was awarded Jo Hermans and his teammates, and $1,000 was retained by distributed.net to cover their costs.

After some restructuring and development time, a second project began running on January 13th 1998. The second encryption contest, DES II-1, took only 40 days for completion. DES II-1 was cracked on Feb 23, 1998. The successful completion of this challenge brought a prize of $5,000, of which $3,000 was given to the Free Software Foundation, another non-profit venture.

On January 18, 1999, at 9am, DES III commenced, distributed.net, with the aid of EFF?s Deep Crack in addition to the distributed.net clients, took part and completed this challenge on January 19, 1999 at 7am, less than 24 hours after the challenge commenced.

On November 17, 1999, at midnight, distributed.net started participating in the CSC challenge. CSC is an encryption challenge that is organized by CS Communications and Systems to demonstrate how weak a 56-bit key is against brute force attacks, distributed.net was also successful at this challenge. On January 16, 2000, at 6:30am, the winning key was received.

On July 14, 2002 after 1,757 days and 58,747,597,657 work units tested the RC5-64 challenge was solved when a P3-450 running Windows 2000 in Tokyo returned the winning key to the distributed.net key servers. The task was completed by 331,252 participants. Our peak rate of 270,147,024 kkeys/sec is equivalent to 32,504 800MHz Apple PowerBook G4 laptops or 45,998 2GHz AMD Athlon XP machines or (to use some rc5-56 numbers) nearly a half million Pentium Pro 200s.

Distributed.net is also currently working on OGR-24 (Optimal 24-mark Golomb Ruler), and has resources in place to continue straight onto OGR-25. This is done in the same way as RC5-64, by volunteers using v2.8 or above of the client software.

Volunteer participation in distributed.net is estimated at over 60,000 individuals from nearly every nation and region in the world. With combined resources of as many as 500,000 computers, distributed.net represents the first large-scale collaborative computing effort ever undertaken.

PGP Pretty Good Privacy

· Pretty Good Privacy (PGP) is a software package originally developed by Philip R Zimmermann that provides cryptographic routines for emails and file storage applications.

· Zimmermann took existing cryptosystems and cryptographic protocols and developed a program that can run on multiple platforms. It provides message encryption, digital signatures, data compression and e-mail compatibility.

Tools

Pretty Good Privacy (PGP) is a software package originally developed by Phil Zimmerman that provides cryptographic routines for e-mail and file storage applications. Zimmerman took existing cryptosystems and cryptographic protocols and developed a freeware program that can run on multiple platforms. It provides message encryption, digital signatures, data compression, and e-mail compatibility.

The algorithms used for message encryption are RSA for key transport and IDEA for bulk encryption of messages. Digital signatures are achieved by the use of RSA for signing and MD5 for computing the message digest. The freeware program ZIP is used to compress messages for transmission and storage. E-mail compatibility is achieved by the use of Radix-64 conversion.

PGP is basically used for 4 things.

a. Encrypting a message or file so that only the recipient can decrypt and read it. The sender, by digitally signing with PGP, can also guarantee to the recipient, that the message or file must have come from the sender and not an impostor.

b. Clear signing a plain text message guarantees that it can only have come from the sender and not an impostor. In a plain text message, the text is readable by anyone (i.e. is 'plain') but a PGP digital signature is attached. E.g. News group postings

c. Encrypting computer files so that they cannot be decrypted by anyone other than the person who encrypted them.

d. Really deleting files (i.e. overwriting the content so that it can't be recovered and read by anyone else) rather than just removing the file name from a directory/folder.

PGP signature is different for every message the user signs because PGP does a calculation on the message using the user's secret key (which is unique to the user). As every message is different, the signature is different too so nobody can cut and paste signatures from one message to another. Each key is a very long number, such as 1024 bits (around 300 decimal digits) expressed as a paragraph of specially formatted text.

Example:

-----BEGIN PGP PUBLIC KEY BLOCK——

mQCNAzGvwGAAAAEEAMQXI06gfdoZzy2Ngdqua6Zf6q4Bfdote 8qGHk9RncuEHSBf

2DrqYrkVmn6cANJp/HdBkJH39LcKybOGbxiahmjVnngPp+PzvX8+Wi7kQ5NP267S

0JIituePxuklEQ5pqywHw8yxtOGIqLj kJtb/pRvZyiCOCywlbj nbPFHw2SetAAUR

tCZSb2JpbiBXaG10dGxlIDxmaXJzdHByQG96ZWlhaWwuY2 9tLmF1PokAlQMFEDGv

WGE52zxR8NknrQEBbVOD/lgJSldscj2bFJOuD9LOY+LSTj71yxdONZ3cycPZ+3zp

ShCNcsqNAGvHXDtqcGQrNrxHmYqnKBaJ/+46n/FSkDnt/bvEAbl05m+6T5oTK8h+

MaaVuvdcphwKfIPQbIoI6LcmtwSdOcyBBndp+0+02xOxhcd2Qx7Gni7J+fz8mmOy

=Ysjn

-----END PGP PUBLIC KEY BLOCK-----

Hacking Tool: PGP Crack

http://munitions.iglu.cjb.net/dolphin.cgi?action=render&category=0406

· PGP crack is a program designed to brute-force a conventionally encrypted file with PGP or a PGP secret key.

· The file "pgpfile" must not be ascii-armored. The file "phraselist" should be a file containing all of the passphrases that will be used to attempt to crack the encrypted file.

Tool

PGPCrack is a program designed to brute-force a conventionally encrypted file encrypted with PGP or a PGP secret key. It relies on a separate dictionary file, trying each word as a potential passphrase. On a conventionally encrypted PGP file, the utility cycled through over 15,000 words a second on a 100 MHz Pentium.

PGPCrack works by reading the first 23 bytes of the file to be cracked. The last 18 bytes of this array are the only bytes used to crack the file. Next it reads each line of the phraselist, removes the newline character, hashes the line with MD5, and uses that as a key to decrypt the ten bytes in IDEA-CFB mode. PGP can detect whether a valid passphrase has been entered by making sure that the 7th and 9th, and the 8th and loth bytes are the same. If it appears that a passphrase is valid, it then uses bytes 0–7 as an IV to decrypt the next 8 bytes of the file. If the most significant bit of the first byte of this array is 1, then it prints the passphrase.

Secret key cracking works quite a bit differently. After the passphrase is hashed, the IV and each encrypted MPI are decrypted in IDEA-CFB mode. Then a simple checksum is calculated over the plaintext of each MPI (the checksum is not calculated over N and E). The checksum calculation includes the length fields of each MPI. The checksum algorithm consists of a running addition of every byte. The output is a 16-bit integer. The output is then compared with the unencrypted checksum stored in the secret key file. The command line should be the following: pgpcrack [phraselist] [pgpfile]

"Phraselist" is a list of passphrases that PGPCrack attempts to use to decrypt the file "pgpfile". "Logfile" is an optional parameter that will specify to what file the cracked password will be written.

Summary

· Using Public Key Infrastructure (PKI), anyone can send a confidential message using public in f ormation, which can only be decrypted with a private key in the sole possession of the intended recipient.

· RSA encryption is widely used and is a 'de-facto' encryption standard.

· The MD5 algorithm is intended for digital signature applications, where a large file must be compressed securely before being encrypted

· SHA algorithm takes as input a message of arbitrary length and produces as output a l6o-bit message digest of the input.

· Secure Sockets Layer, SSL is a protocol for transmitting private documents via the Internet.

· RC5 is a fast block cipher designed by RSA Security.

· SSH (Secure Shell) is a secure replacement for telnet and the Berkeley r-utilities and this provides an encrypted channel for logging into another computer over a network, executing commands on a remote computer, and moving files from one computer to another.

2008-09-22T07:16:00.000-07:00

Module 16: Linux Hacking

Overview

In this module we will be looking at hacking Linux systems. Linux is fast emerging as an affordable yet available operating system. As the popularity is growing so is the attention of players with malicious intent to break in to the systems. Therefore we intent to discuss various aspects dealing with hacking the Linux systems in this module. BY the completion of this module, you will be familiar with the following aspects:

· Why Linux?

· Compiling Programs in Linux

· Scanning Networks and Mapping Networks

· Password Cracking in Linux

· SARA

· TARA

· Sniffing

· A Pinger in disguise

· Session Hijacking

· Linux Rootkits

· IP Chains and IP Tables

· Linux Security Countermeasures

Why Linux?

· Majority of servers around the globe are running on Linux / Unix-like platforms

· Easy to get and Easy on pocket

· There are many types of Linux -Distributions /Distros / Flavors such as Red Hat, Mandrake, Yellow Dog, Debian etc.

· Source code is available

· Easy to modify.

· Easy to develop a program on Linux.

Linux is an operating system that can be downloaded free and "belongs" to an entire community of developers, not one corporate entity. With more and more people looking for an alternative to Windows, Linux has recently grown in popularity and is quickly becoming a favorite among major corporations and curious desktop users. Not only does it give users a choice of operating systems, it also proves itself valuable with its power, flexibility, and reliability.

Linux supports most of the major protocols, and quite a few of the minor ones. Support for Internet, Novell, Windows, and Appletalk networking have been part of the Linux kernel for some time now. With support for Simple Network Management Protocol and other services (such as Domain Name Service), Linux is also well suited to serving large networks. Since Linux was developed by a team of programmers over the Internet, its networking features were given high priority. Linux is capable of acting as client and/or server to any of the popular operating systems in use today, and is quite capable of being used to run Internet Service Providers.

Linux is an implementation of the UNIX design philosophy, which means that it is a multi-user system. This has numerous advantages, even for a system where only one or two people will be using it. Security, which is necessary for protection of sensitive information, is built into Linux at selectable levels. More importantly, the system is designed to multi-task. Whether one user is running several programs or several users are running one program, Linux is capable of managing the traffic.

Another huge advantage of an open system is a large number of software authors and beta testers. This makes the software testing and refinement process faster and better. Because there is not a lot of commercial software for Linux, most software written for Linux is written because the authors want to do it and there need be no compromise of quality.

Linux is "Free" in two senses. In one sense, the Linux consumer is free to modify the system and do anything he or she wishes with it. In another sense, acquiring Linux does not necessarily require any cash outlay at all.

There are two very popular methods for acquiring and distributing Linux: FTP and CD-ROM. Most of the major Linux distributions (Red Hat, Debian, Slackware, Caldera) are available for free download from several popular sites. Though time consuming, it does not cost anything beyond connection charges.

Linux is one of the more stable operating systems available today. This is due in large part to the fact that Linux was written by programmers who were writing for other programmers and not for the corporate system. There are currently two mature program packaging standards in the Linux world - SuSE and Mandrake. Debian and Red Hat each have their own packaging systems; both will check dependencies, both can upgrade an entire running system without a reboot. This makes it easy to upgrade parts or all of a system, as well as add new software, or remove unwanted software.

Compiling Programs in Linux

· There are generally 3 steps to compiling programs under Linux.

1. Configuring how the program will be complied

2. Compiling the program

3. Installing the program

4.                 $ ./configure

5.                 $ make

6.                 $ su

7.                 Password

8.                 $ make install

9.                 $ exit

The fact that Linux is an open source operating system means that there are efforts going on continuously to improve the system. Therefore if a user is downloading a file (which is bound to happen more often than not) to add functionality to his system, he will have to compile the file on his system. The following is a brief look into how this process takes place. It helps to remember, that most Linux programs are beta at best and there can and will contain errors or bugs. However, the percentage of programs that compile without problems has increased significantly recently.

Note

Usually the download is some sort of tarball on the user's disk. The first step towards compilation is to uncompress it and untar it to a directory. By convention, most users untar programs to the directory: /usr/src. This helps in maintaining version history and cleaning up after. The Linux tar program can uncompress and untar a file at the same time if the file is compressed using gzip. That means the user needs to just cd to the /usr/src directory and type:

  tar -xzvf / {path to file}/{filename.tar.gz} [Enter]

and it will uncompress and untar. A quick explanation of the flags:

· x - untar the file

· z - uncompress the file

· v - verbose-commented

· f - What follows is the file the user wants to untar

For compiling, the user issues the "make" command. In order for "make" to start compiling, it must have a file named: Makefile.

There are three common ways to start the compile: simple, Imake, and configure.

Simple compile: If there is a file called Makefile - no Imake or configure files, this method is used to compile the file. This method of compiling has the most problems because nothing is configured to the computer.

make [Enter]

make install [Enter]

and if all goes well, the program can be run.

Imake: This is an older way to compile. If on listing the directory there is an Imake file and no Makefile, this method is used.

xmkmf [Enter]

make [Enter]

make install [Enter]

Configure: this method of compiling if there is a file named configure in the directory. This is the easiest way to compile and probably has the highest chance of compiling correctly. Essentially it checks the entire system for every possible library and support file to ensure that the file can compile the program, and then creates the Makefiles with the correct information. To compile, type:

./configure [Enter]

make [Enter]

make install [Enter]

The most common cause of not compiling is missing files. Almost all programs rely on support programs/files/libraries. If they are missing, the program cannot compile. The wrong version will kill just as much as not having it at all. The next most common problem is missing include files. Sometimes having multiple versions of the same library can cause problems as each version could put its header files in different places.

Scanning Networks

· Once the IP address of a target system is known, an attacker can begin the process of port scanning, looking for holes in the system through which the attacker can gain access.

· A typical system has 2^16 -1 port numbers and one TCP port and one UDP port for each number.

· Each one of these ports are a potential way into the system.

· The most popular Scanning tool for Linux is Nmap.

Note

Scanning is the art of finding machines on a network and testing them to see what ports are listening. Scanning networks and hosts is the first method a cracker will use before launching an attack.

Tools

Two interesting tools on Linux are Fping and Nmap. Fping sends multiple ICMP request packets simultaneously and processes the reply as they occur. This makes ping sweeps faster. Fping can be fed with an ip address or can be given a list of ip address on a file.

Scanning helps one to know what services are running on a machine. This will show the open ports on which services are listening for connections. Once the targets are identified, an intruder is able to scan for listening ports.

Port scanning is the process of connecting to TCP and UDP ports on the target system to determine what services are running or in a listening state. Identifying listening ports is essential to determine the type of operating system and application in use on the system.

Types of port scanning:

1. TCP connect scan: This type of scan connects to the target port and completes a full three-way handshake (SYN, SYN/ACK and ACK).

2. TCP SYN scan: This is also called half-open scanning because it does not complete the three-way handshake, rather a SYN packet is sent and upon receiving a SYN/ACK packet it is determined that the target machines port is in a listening state and if an RST/ACK packet is received , it indicates that the port is not listening.

3. TCP FIN scan: This technique sends a FIN packet to the target port and based on RFC 793 the target system should send back an RST for all closed ports.

4. TCP Xmas Tree scan: This technique sends a FIN, URG and PUSH packet to the target port and based on RFC 793 the target system should send back an RST for all closed ports.

5. TCP Null scan: This technique turns off all flags and based on RFC 793, the target system should send back an RST for all closed ports.

6. TCP ACK scan: This technique is used to map out firewall rule sets. It can help determine if the firewall is a simple packet filter allowing only established connections or a stateful firewall performing advance packet filtering.

7. TCP Windows scan: This type of scan can detect both filtered and non-filtered ports on some systems due to anomaly in the way TCP windows size is reported.

8. TCP RPC scan: This technique is specific to UNIX systems and is used to detect and identify Remote Procedure Call (RPC) ports and their associated program and version number.

9. UDP scan: This technique sends a UDP packet to the target port. If the target ports responds with an "ICMP port unreachable" message, the port is closed, if not then the port is open. This is a slow process since UDP is a connectionless protocol; the accuracy of this technique is dependent on many factors related to utilization of network and system resources.

Hacking Tool: Nmap

http://www.insecure.org/nmap

· Stealth Scan, TCP SYN

·                nmap -v -sS 192.168.0.0/24

· UDP Scan

·                nmap -v -sU 192.168.0.0/24

· Stealth Scan, No Ping

·                nmap -v -sS -P0 192.168.0.0/24

· Fingerprint

·                nmap -v -0 192.168.0.0/24 #TCP

Tools

Nmap is covered under the GNU General Public License (GPL) and can be downloaded free of charge from http://www.insecure.org/nmap. It comes as tarred source as well as RPM format. The usage syntax of Nmap is fairly simple. Options to nmap on the command-line are different types of scans that are specified with the -s flag. A ping scan, for example, is "-sP". Options are then specified, followed by the hosts or networks to be targeted. Nmap's functionality is greatly increased when run as root.

Nmap is flexible in specifying targets. The user can scan one host or scan entire networks by pointing Nmap to the network address with a "/mask" appended to it. Targeting "victim/24" will target the Class C network, whereas "victim/16" will target the Class B. Nmap also allows the user to specify networks with wild cards, as in 192.168.7.*, which is the same as 192.168.7.0/24, or 192.168.7.1,4,5-16 to scan the selected hosts on that subnet.

Users are able to sweep entire networks looking for targets with Nmap. This is usually done with a ping scan by using the "-sP" flag. A TCP "ping" will send an ACK to each machine on a target network. Machines that are alive on the network will respond with a TCP RST. To use the TCP "ping" option with a ping scan, the "-PT" flag is included to specific port on the target network.

Nmap has been covered in detail in module three and readers are advised to refer to that to learn more about the OS fingerprinting and other scan options.

Scanning Networks

· One essential type of tool for any attacker or defender is the vulnerability scanner.

· These tool allow the attacker to connect to a target system and check for such vulnerabilities as configuration errors, default configuration settings that allow attackers access, and the most recently reported system vulnerabilities.

· The preferred open-source tool for this is Nessus.

· Nessus is an extremely powerful network scanner. It can also be configured to run a variety of attacks.

The 'Nessus' Project was started in early 1998, and first released in April 1998. The "Nessus" Project provides to the internet community a free, powerful, up-to-date and easy to use remote security scanner. Nessus allows the user to audit remotely a given network and determine whether attackers may break into it, or misuse it in some way.

Tools

Nessus Security Scanner's architecture is a little different from the other scanners as it uses a client/server model. This allows a central server to do all the scanning while results are monitored and reviewed on distributed administrative clients. The scanning engine is Unix-based, while the administrative consoles can be run under Windows or Unix X Windows. Nessus Security Scanner supports command-line interaction as well. Not only is Nessus Security Scanner open source, but the architecture for creating vulnerability checks is quite open as well.

There is also a multi-platform client written in Java. All communication between client and server is encrypted. The current Nessus database contains signatures for, and is therefore able to detect hundreds of vulnerabilities in UNIX, Windows, and commonly-used web CGI scripts; additionally, the Nessus database detects DDoS zombies and Trojans. To scan hosts for vulnerabilities, install client and server, create a new server user, and connect. Problem reports generated by Nessus are easy to read and are exportable to other software.

Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not consider that a given service is running on a fixed port. It will also not determine if security vulnerability is present by just regarding the version number of the remote service, but will really try to exploit it. Plugins are the core of Nessus because they contain a set of scripts to check vulnerabilities in a network, e.g., backdoors, DoS, wide-open ports, etc. These scripts are written in the language called NASL (Nessus Attack Scripting Language) and can be found in /usr/local/lib/nessus/plugin. The user can also develop their own scripts.

Cheops

Tools

Cheops (KEE-ops) is a Network management tool for mapping and monitoring the network. It has host/network discovery functionality as well as OS detection of hosts.

Cheops is an Open Source Network User Interface. It is designed to be the network equivalent of a Swiss-army knife, unifying your network utilities. Cheops does for the network what a file manager does for the file system.

Cheops can optionally determine the OS of hosts on the network, selecting appropriate icons for them. Cheops can show the routes taken to access areas of the network. This feature is designed for larger networks, with routers, subnets, etc. This mapping not only makes hierarchy clearer, but can show unusual routing issues.

Cheops includes a generalized TCP port scanner to see what ports on the network are in use. It can be used to retrieve version information for certain services, to be sure any given host is up-to-date with the latest revision of its services.

Cheops includes a simple integrated SNMP browser, including write capability, using the UCD SNMP library. Cheops also supports a plug-in interface, which includes support for SNMP plug-ins, similar in concept to those of HP Openview.

Cheops can monitor critical servers, and immediately notify the concerned person through its event log, standard e-mail, and soon via paging, when things go wrong. The network administrator can know exactly which system is up or down, and just when problems occur. Right clicking on a host quickly shows a list of common services it supports, and rapid, easy access to them.

Port scan detection tools

· Scanlogd - detects and logs TCP port scans. http://www.openwall.com/scanlogd/

Scanlogd only logs port scans. It does not prevent them. You will only receive summarized information in the system's log.

· Abacus Portsentry http://www.psionic.com/abacus/portsentry/

Portscan detection daemon Portsentry has the ability to detect port scans (including stealth scans) on the network interfaces of your server. Upon alarm it can block the attacker via hosts.deny, dropped route or firewall rule.

Tools

PortSentry is part of the Abacus Project suite of tools. The Abacus Project is an initiative to release low-maintenance, generic, and reliable host based intrusion detection software to the Internet community. More information can be obtained from http://www.psionic.com.

PortSentry has a number of options to detect port scans, when it finds one it can react in the following ways:

· A log indicating the incident is made via syslog()

· The target host is automatically dropped into /etc/hosts. deny for TCP Wrappers

· The local host is automatically re-configured to route all traffic to the target to a dead host to make the target system disappear.

· The local host is automatically re-configured to drop all packets from the target via a local packet filter

PortSentry has four "stealth" scan detection modes. Method one uses a pre-defined list of ports to watch over. If someone pokes at them it activates. The second method is what I call "inverse" port binding. Where every port under a range is watched *except* for those that the system has bound for network daemons when the PortSentry starts or ones that you have manually excluded. This is a very sensitive way for looking for port probes, but also the most prone to false alarms.

scanlogd is a TCP port scan detection tool, originally designed to illustrate various attacks an IDS developer has to deal with. Scanlogd detects port scans and writes one line per scan via the syslog (3) mechanism. If a source address sends multiple packets to different ports in a short time, the event will be logged. The format of the messages is:

Saddr [: sport] to daddr [and others,] ports port [, port...], flags [, TOS TOS] [, TTL TTL] @HH:MM:SS

The fields in square brackets are optional; sport, TOS, and TTL will only be displayed if they were constant during the scan. The flags field represents TCP control bits seen in packets coming to the system from the address of the scan. It is a combination of eight characters, with each corresponding to one of the six defined and two reserved TCP control bits. Control bits that were always set are encoded with an uppercase letter, and a lowercase letter is used if the bit was always clear. A question mark is used to indicate bits that changed from packet to packet.

Scanlogd needs a way to obtain raw IP packets that either come to the system scanlogd is running on, or travel across a network segment that is directly connected to the system. Current versions of scanlogd can be built with support for one of several packet capture interfaces. As of version 2.0, scanlogd is aware of the raw socket interface on Linux, libnids, and libpcap. The use of libpcap alone is discouraged.

Password Cracking in Linux

· Xcrack

(http://packetstorm.linuxsecurity.com/Crackers/)

· Xcrack doesn't do much with rules.

· It will find any passwords that match words in the dictionary file the user provides, but it won't apply any combinations or modifications of those words.

· It is a comparatively fast tool.

Tools

Xcrack (http://packetstorm.linuxsecurity.com/Crackers/)

Xcrack is a simple dictionary based password cracking tool. It will find any passwords that match words in the dictionary file the user provide. It does not generate permutation combination of the words provided in the dictionary to arrive at the right password. For this reason, it is a comparatively faster tool, though efficacy might be less.

Hacking Tool: John the Ripper

http://www.openwall.com/john/

· John the Ripper require the user to have a copy of the password file.

· This is a relatively fast password cracker, and the most popular amongst the hacker community.

Cracking times, using the default dictionaries that come with the Linux system are as follows:

User ecc with password eccecc took less than a second

User root with password doodle took less than 2 seconds.

Tools

John the Ripper is a password cracker, available for many flavors of UNIX (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak passwords. Besides several crypt password hash types most commonly found on various UNIX flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP LM hashes, plus several more with contributed patches.

John the Ripper is a part of Owl, Debian GNU/Linux, SuSE, very recent versions of Mandrake Linux, and EnGarde Linux. It is in the ports/packages collections of FreeBSD, NetBSD, and OpenBSD.

SARA (Security Auditor's Research Assistant)

http://www-arc.com/sara

· The Security Auditor's Research Assistant (SARA) is a third generation Unix-based security analysis tool that supports the FBI Top 20 Consensus on Security.

· SARA operates on most Unix-type platforms including Linux & Mac OS X

· SARA is the upgrade of SATAN tool.

· Getting SARA up and running is a straight forward compilation process, and the rest is done via a browser.

Tools

SARA (Security Auditor's Research Assistant), a derivative of the Security Administrator Tool for Analyzing Networks (SATAN), remotely probes systems via the network and stores its findings in a database. The results can be viewed with any Level 2 HTML browser that supports the http protocol.

When no primary_target(s) are specified on the command line, SARA starts up in interactive mode and takes commands from the HTML user interface.

When primary_target(s) are specified on the command line, SARA collects data from the named hosts, and, possibly, from hosts that it discovers while probing a primary host. A primary target can be a host name, a host address, or a network number. In the latter case, SARA collects data from each host in the named network.

SARA can generate reports of hosts by type, service, and vulnerability by trust relationship. In addition, it offers tutorials that explain the nature of vulnerabilities and how they can be eliminated.

By default, the behavior of SARA is controlled by a configuration file (config/sara.cf). The defaults can be overruled via command-line options or via buttons etc. in the HTML user interface.

Sniffit

· http://reptile.rug.ac.be/^coder/sniffit/sniffit.html

· Sniffit is one of the most famous and fastest Ethernet sniffers for Linux.

· You can run it either on the command line with optional plug-ins and filters or in interactive mode, which is the preferred mode.

· The interactive mode of Sniffit allows you to monitor connections in real-time and therefore sniff real-time too!

Note

Remember to download the patch and then recompile Sniffit, for optimum results!

Tools

Sniffit runs on LINUX, SunOS, Solaris, FreeBSD and IRIX. The main reason to use sniffit vs. other packet sniffers is the way that is captures the data transferred within sessions. This could be useful, for example, when capturing text-based protocols like HTTP, FTP, and SMTP.

Sniffit can be run either on the command line with optional plug-ins and filters or in interactive mode, which is the preferred mode. The interactive mode of Sniffit allows monitoring connections in real-time.

Sniffers can only be run by root. Sniffers can only log packets that 'travel' on their Ethernet cable. Working with '-d' or '-a' give raw packets, they are still packed in IP, when logging to files, only send data is logged, the packets are 'unwrapped'.

Hacking Tool: HPing2

http://www.hping.org

· Hping is a command-line oriented TCP/IP packet assembly/analyzer.

· More commonly known for its use as a pinging utility, HPing carries a hidden but handy usage, that is a Backdoor Trojan.

· Just enter the following command on your victim

·                $ ./hping2 -I eth) -9ecc | /bin/sh

Then Telnet into any port of your victim and invoke commands remotely on your victim's host by preceding any Unix/Linux commands with ecc

$ telnet victim.com 80

$ eccecho This Text imitates a trojan shovel

Tools

hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface expands the functionality of a common "ping" program (used to test hosts that are online), but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel with custom-crafted TCP, ICMP and other Internet protocol packets. Crafting packets will allow an attacker to probe firewall rule-sets and find entry points into the targeted system or network. HPing will run on any Linux distro, as well as Net/Free/OpenBSD systems, and lastly it will run on Solaris as well. It is used to test both hosts and firewalls. hping2 can handle fragmentation, arbitrary packets body and size and can be used in order to transfer files encapsulated under supported protocols. Using hping2 the user can:

· Test firewall rules

· Advanced port scanning

· Test net performance using different protocols,

· Packet size, TOS (type of service) and fragmentation.

· Path MTU discovery

· Transferring files between even really fascist firewall rules.

· Traceroute-like under different protocols.

· Firewalk-like usage.

· Remote OS fingerprinting.

· TCP/IP stack auditing.

Session Hijacking

· Using a combination of sniffing and spoofing techniques, session hijacking tools allow an attacker to steal a valid, established login session.

· Examples of such sessions are Telnet and FTP sessions. With a successful session hijacking attempt, the victim's login session vanishes and he usually attributes it to network problems and logs in again.

· There are generally two types of Session Hijacking Techniques:

1. Host-Based Session Hijacking

2. Network-Based Session Hijacking

Note

Many systems have statistical weaknesses in the methods that are used to generate TCP/IP initial sequence numbers, possibly allowing an attacker to hijack or close TCP/IP sessions. Using a combination of sniffing and spoofing techniques, session hijacking tools allow an attacker to steal a valid, established login session. Examples of such sessions are Telnet and FTP sessions. With a successful session hijacking attempt, the victim's login session vanishes and he usually attributes it to network problems and logs in again.

If attackers know the TCP/IP initial sequence number and the amount of traffic that has been sent, they may be able to close the TCP/IP session, hijack it, or inject arbitrary data. In this type of attack, it is not necessary for the attacker to know the next sequence number. They can send a flood of packets that contain likely sequence numbers so that the one packet containing the correct number will be accepted. If the set of possible sequence numbers is small enough, it becomes practical for an attacker to send packets set with all possible sequence numbers. The larger the available bandwidth of a system, the larger the set of packets can be.

To protect against these types of attacks, many operating systems use pseudo-random number generators to choose the TCP/IP initial sequence number for the TCP/IP session. However, many of these pseudo-random number generators are statistically weak and make sequence number-based attacks not just possible, but practical.

Host-Based Session Hijacking requires the attacker to have root on either source/destination machines. On a Linux system, the attacker uses a tool to interact with local terminal devices/ttys that are used in telnet sessions. If the attacker has root, he will then be able to read all session data from the target's tty and places key strokes into the tty. This is rarely used, as it requires the attacker to obtain root access on either machines.

This session-hijacking technique uses a sniffing technique on a segment of the network carrying traffic passing from the source to the destination to monitor the packets and the TCP sequence numbers. When the attacker decides to hijack a session, the attacker inserts traffic into the network with the source IP of the actual source instead of his own IP, placing the correct TCP sequence numbers on the packets.

This prompts the destination machine to think that the traffic came from legitimate source and follows the commands. And the attacker has hijacked the session. Note: Use of strong authentication cannot protect against successful Session hijackings; whereas encrypting the conversation offers some protection.

Session hijacking has been described in detail in the earlier modules. While the essence is the same, we will explore the various tools available to an attacker to do this in a Linux environment. Readers are advised to refresh the contextual information from the previous modules.

Hacking Tool: Hunt

http://lin.fsid.cvut.cz/^kra/index.html

· One of Hunt's advantages over other session hijacking tools is that it uses techniques to avoid ACK storms.

· Hunt avoids this ACK storm and the dropping of the connection by using ARP spoofing to establish the attacker's machine as a relay between Source and Destination.

· Now the Attacker uses Hunt to sniff the packets the Source and Destination sends over this connection. The Attacker can choose to acts as a relay and forward these packets to their intended destinations, or he can hijack the session.

· The attacker can type in commands that are forwarded to Destination but which the Source can't see. Any commands the Source types in can be seen on the Attacker's screen, but they are not sent to Destination. Then Hunt allows the attacker to restore the connection back to the Source when he/she is done with it.

Tools

A sniffer is a program/device that eavesdrops on network traffic and grabs information traveling over the network. Sniffers are basically data interception programs. A sniffer is usually passive, it only collects data. Hence, it becomes extremely difficult to detect sniffers. When installed on a computer, a sniffer will generate some small amount of traffic, though, and is therefore detectable. The best way to secure against sniffing is to use encryption. According to Pavel Krauz, the main goal of the HUNT project is to develop tools for exploiting well-known weaknesses in the TCP/IP protocol suite.

Hunt is considered by security professionals to be one of the best session hijacking tools available as it is well written and has a comprehensive feature set. Hunt does not have the graphical interface of similar tools such as IPWatcher and T-sight, but the text based user interface is fairly easy to use and has the benefit of enabling Hunt to be used over a telnet session.

Hunt was developed by Pavel Krauz. Hunt's hijacking capabilities are primarily aimed at telnet and rlogin traffic and enable an attacker to view active sessions on an Ethernet LAN and then select one of them to hijack. Hunt is a program for intruding into a connection, watching it and resetting it. Note that hunt is operating on Ethernet and is best used for connections which can be watched through it. However, it is possible to do something even for hosts on another segment or hosts that are on switched ports.

ARP spoofing with Hunt

ARP enables systems to map IP addresses to the machine's physical addresses. ARP maps IP addresses to MAC addresses for systems connected to Ethernet LANs. Consider an illustrative scenario where Alice wants to send data to Bob.

Normally, if the ARP program on Alice finds a mapping for Bob's IP address in the ARP cache, it will allow Alice to address the data with Bob's MAC address and send it to him. Otherwise, the ARP program on Alice will send out an ARP request to all machines on the Ethernet segment. When Bob answers, Alice will send her data to Bob and will store Bob's MAC address in her ARP cache.

Sometimes it is possible for a machine to send out an ARP reply without an explicit ARP request. Usually, most systems accept this forged answer and update their ARP cache to accommodate it. This weakness allows ARP spoofing to take place.

Linux Rootkits

· One way an intruder can maintain access to a compromised system is by installing a rootkit.

· A rootkit contains a set of tools and replacement executables for many of the operating system's critical components, used to hide evidence of the attacker's presence and to give the attacker backdoor access to the system.

· Rootkits require root access to to install, but once set up, the attacker can get root access back at any time.

We revisit rootkits here basing our discussion on Linux rootkits. Conventionally, UNIX and Linux have been known to have rootkits built, as the intruder is aware of the code. Here we will focus on rootkits that use the LKM or Loadable Kernel Module.

A brief review: Rootkits appeared in the early 90's, and one of the first advisories came out in Feb 1994. This advisory from CERT-CC addressed "Ongoing Network Monitoring Attacks" CA-1994-01 revised on September 19, 1997. Rootkits have increased in popularity since then and are getting increasingly difficult to detect. The most common rootkits are used for SunOS and Linux operating systems. Rootkits contain several different programs. A typical rootkit will include an Ethernet Sniffer, which is designed to sniff out passwords. Rootkits can also include Trojan programs used as backdoors such as inetd or login. Support programs such as ps, netstat, rshd, and ls to hide the attacker directories or processes. Finally, log cleaners, such as zap, zap2, or z2, are used to remove login entries from the wtmp, utmp, and lastlog files. Some rootkits also enable services such as telnet, shell, and finger. The rootkit may also include scripts that will clean up other files in the /var/log and var/adm directories. Using the modified programs of ls, ps, and df installed on the box, the intruder can "hide" his/her files and programs from the legitimate system administrator.

The intruder next uses programs within the rootkit to clean up the extensive log files generated from the initial vulnerability exploitation. The intruder then uses the installed backdoor program for future access to the compromised system in order to retrieve sniffer logs or launch another attack. If a rootkit is properly installed and the log-files are cleaned correctly, a normal system administrator is unaware that the intrusion has even occurred until another site contacts him or the disks fill because of the sniffer logs.

The most severe threat to system security that can be caused by a rootkit comes from those that deploy LKM (Loadable Kernel Module) trojans. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel without requiring a kernel recompilation. Even if an infected system is rebooted, the LKM process will reload the Trojan during boot-up just like any other kernel module. Loadable Kernel Modules are used by many operating systems including Linux, Solaris, and FreeBSD.

The LKM rootkits facilitate the subversion of system binaries. Knark, Adore, and Rtkit are just a few of many LKM rootkits available today. As they run as part of the kernel, these rootkits are less detectable than conventional ones.

Let us see how a typical backdoor can be installed by an intruder.

The goal of backdoor is to give access to the hacker despite measures by the compromised system's administrator, with least amount of time and visibility. The backdoor that gives local user root access can be: set uid programs, trojaned system programs, cron job backdoor.

Set uid programs. The attacker may plant some set uid shell program in the file system, which when executed will grant the root to the attacker.

Trojaned system programs. The attacker can alter some system programs, such as "login" that will give him root access.

Cron job backdoor. The attacker may add or modify the jobs of the cron while his program is running so that he can get root access.

The backdoor that gives remote user root access can be: ".rhost" file ssh authorized keys, bind shell, trojaned service.

· ".rhosts" file. Once "+ +" is in some user's .rhosts file, anybody can log into that account from anywhere without password.

· ssh authorized keys. The attacker may put his public key into victims ssh configuration file "authorized_keys", so that he can log into that account without password.

· Bind shell. The attacker can bind the shell to certain TCP port. Anybody doing a telnet to that port will have an interactive shell. More sophisticated backdoors of this kind can be UDP based, or unconnected TCP, or even ICMP based.

· Trojaned service. Any open service can be trojaned to give access to remote user. For example, trojaned the inetd program creates a bind shell at certain port, or trojaned ssh daemon give access to certain password.

After the intruder plants and runs the backdoor, his attention turns to hiding his files and processes. However, these can be easily detected by the system administrator - especially if the system is running tripwire.

Let us see how a LKM rootkit helps achieve the attacker's needs.

In the case of LKM trojaned rootkits, the attacker can put LKM in /tmp or /var/tmp, the directory that the system administrator cannot monitor. Moreover, he can effectively hide files, processes, and network connections. Since he can modify the kernel structures, he can replace the original system calls with his own version.

· To hide files. Commands like "ls", "du" use sys_getdents() to obtain the information of a directory. The LKM will just filter out files such that they are hidden.

· To hide processes. In Linux implementations, process information is mapped to a directory in /proc file system. An attacker can modify sys_getdents() and mark this process as invisible in the task structure. The normal implementation is to set task's flag (signal number) to some unused value.

· To hide network connections. Similar to process hiding, the attacker can try to hide something inside /proc/net/tcp and /proc/net/udp files. He can trojan the sys_read () so that whenever the system reads these two files and a line matching certain string, the system call will not reveal the network connection.

· To redirect file execution. Sometimes, the intruder may want to replace the system binaries, like "login", without changing the file. He can replace sys_execve () so that whenever the system tries to execute the "login" program, it will be re-directed to execute the intruder's version of login program.

· To hide sniffer. Here we refer to hiding the promiscuous flag of the network interface. The system call to Trojan in this case is sys_ioctl().

· To communicate with LKM. Once the hacker has his LKM installed, he will attempt to modify some system calls such that when a special parameter is passed, the system call will be subverted.

· To hide LKM. A perfect LKM must be able to hide itself from the administrator. The LKM's in the system are kept in a single linked list. To hide a LKM an attacker can just remove it from the list so that command such as "lsmod" will not reveal it.

· To hide symbols in the LKM. Normally functions defined in the LKM will be exported so that other LKM can use them. An attacker can use a macro and put it at the end of LKM to prevent any symbols from being exported.

Linux Rootkit v4 (LR4)

· Linux Rootkit is IV the latest version of a well known trojan package for Linux system. The rootkit comes with following utility programs and trojaned system commands: bindshell, chfn, chsh, crontab, du, find, fix, ifconfig, inetd, killall, linsniffer, login, ls, netstat, oasswd, pidof, ps, rshd, sniffchk, syslogd, tcpd, top, wted, z2

· In the example below we will try the change shell command (chsh). Compile only chsh in chsh-directory and use 'fix' to replace the original with the trojan version.

·                $ make

·

·                gcc -c -pipe -02 -m486 -fomit -frame-pointer -I. -I -

·                DSBINDER=\ "\" -DUSRSBINDER=\ "\" -DLOGDIR=\ "\" -

·                DVARPATH=\ "\" chsh.c -o chsh.o

·

·                gcc -c -pipe -02 -m486 -fomit -frame-pointer -I. -I - DSBINDER=\ "\" -DUSRSBINDER=\ "\" -DLOGDIR=\ "\" -

·                DVARPATH=\ "\" setpwnam.c -o setpwnam.o

·

·                gcc -s -N chsh.o setpwnam.o -o chsh

·                $../fix /usr/bin/chsh ./chsh ../backup/chsh

· Once done, the chsh command will spawn a root shell to any user who logs on to the Linux System

Tools

Linux Rootkit IV (lrk4) is written by Lord Somer and was released in November 1998. Other examples of Linux rootkits are lrk, lnrk, lrk2, and lrk3. Most versions include normal rootkit components such as sniffers (linsniffer or sniffit) log editors/erasers (z2, uted, lled), and Trojan horse/backdoor replacement programs to allow remote access, user access to gain root privileges, hide files, process, and connections.

Linux Rootkit IV is a very easy rootkit to use, and install. Installation of lrk4 included nothing more that executing the 'make install'. To install a shadow kit you execute the 'make shadow install'. Lrk4 will only work on Linux 2.X kernels. It is a package with sources to several trojaned system commands. When compiled and installed, they give the user running the command a root shell or some other useful functionality, like hiding certain processes, files, sockets etc. Some of special functionalities are initiated by given a secret password (default password in the package is 'satori') when the program asks for any specific thing, such as new shell, login name, password or whatever is specific to the command.

The user will need root-privileges to install most of those commands, since he will have to replace existing system files and usually set 'suid'-parameter for it. Therefore the attacker has to either root-compromise the victim computer or the local administrator has to accidentally install them. The rootkit comes with following utility programs and trojaned system commands: bindshell, chfn, chsh, crontab, du, find, fix, ifconfig, inetd, killall, linsniffer, login, ls, netstat, passwd, pidof, ps, rshd, sniffchk, syslogd, tcpd, top, wted, z2

Below is a short description of the utilities within lrk4.

1. - Modified programs that hide the intruder:

o ls, find, du - these programs will not count or display the intruder files the data file is ROOTKIT_FILES_FILE, defaults to /dev/ptyr. NOTE: all files can be listed with the 'ls-/' if SHOWFLAG is enables. Will hide any files/directories with the names, ptyr, hack.dir, and W4r3z.

o ps, top, pidof - these programs will not display the intruders processes

o netstat -- will not display traffic from or to specified IP addresses, user-ids, or ports

o killall - will not kill the intruders hidden processes

o ifconfig - will not display the PROMISC flag when sniffer is running

o crontab - will hide the crackers entries - the hidden crontab entry is in the /dev/hda02 by default

o tcpd - will not log connections listed in the configuration file

o syslogd -- will not log connections listed in the configuration file

2. - Trojaned programs with backdoors:

o chfn - new full name enter password will drop rootshell

o chsh - new shell enter password will drop rootshell

o passwd - rootshell if is entered as current password

o login - will allow the cracker to log in under any username with the rootkit password (satori)-also if root is refused username (rewt) will work and will disable the history logging

3. - Trojaned network daemons:

o inetd - rootshell listening on port 5002. the rootkit password most be entered in as the first line (satori)

o rshd - the username is the rootkit password, a root shell is bound to the port [ rsh (hostname) -l (rootkit password) ]

4. - Utilities:

o FIX - replaces and fixes timestamp/checksum information on files

o linsniffer - a packet sniffer

o sniffchk - checks to make sure the sniffer alive

o wted - wtmp/utmp editor

o z2 - erases entries in the wtmp/utmp/lastlog entries for a username -will only null the entry

o bindshell - binds a rootshell to a port (31337) by default

Rootkit Countermeasures

chkrootkit is a tool to locally check for signs of a rootkit.

It contains chkrootkit, a shell script that checks system binaries for rootkit modification.

http://www.chkrootkit.org/

The security of an unmodified Linux system depends on the correctness of the kernel, all the privileged applications, and each of their configurations. A problem in any one of these areas may allow the compromise of the entire system. In contrast, the security of a modified system based on the Security-enhanced Linux kernel depends primarily on the correctness of the kernel and its security policy configuration. While problems with the correctness or configuration of applications may allow the limited compromise of individual user programs and system daemons, they do not pose a threat to the security of other user programs and system daemons or to the security of the system as a whole.

Attack Methods

The typical Rootkit attack proceeds as follows: The intruders use a stolen or easily guessed password to log in to a host. They then gain unauthorized root access by exploiting known vulnerabilities in rdist, sendmail, /bin/mail, loadmodule, rpc.ypupdated, lpr, or passwd. The intruders ftp Rootkit to the host, unpack, compile, and install it; then they collect more username/password pairs and attack more hosts.

Unless the intruder did a poor job of removing traces of his or her visit from the log files, attacks can be hard to detect. Most system administrators don't know their site has been invaded until they are contacted by someone at another site or their disks begin filling up due to the sniffer's logs. Some of the countermeasures apart from encryption are:

chkrootkit is a tool to locally check for signs of a rootkit. It contains:

· chkrootkit: a shell script that checks system binaries for rootkit modification.

· ifpromisc.c: checks if the network interface is in promiscuous mode.

· chklastlog.c: checks for lastlog deletions.

· chkwtmp.c: checks for wtmp deletions.

· check_wtmpx.c: checks for wtmpx deletions. (Solaris only)

· chkproc.c: checks for signs of LKM trojans.

· chkdirs.c: checks for signs of LKM trojans.

· strings.c: quick and dirty strings replacement.

Tripwire is a system integrity check tool that does not just look for "attack signatures". Tripwire first creates a database that monitors the binary signature, size, expected change of size, etc. Tripwire includes four cryptographic checksums of the content of each file that Tripwire uses to create the original database. When the software performs a system check, it will compare the system with the baseline of original database. If a modification has occurred Tripwire will alert the System Manager Station by a violation alert and the System Administrator by an email, the violation alert will show what files/directories were modified, added, or deleted.

Bastille Linux is a series of scripts which tighten up security on stock Linux systems, by changing permissions and disabling features. Taken to extreme, this will also prevent legitimate work and is more suitable for hardening a dedicated loghost or fileserver than a development system.

LIDS - Linux Intrusion Detection System - is a series of kernel patches that enable module and mountpoint locking. LIDS are available from LIDS.org.

dtk or "Deception Toolkit" is a kit of fake daemons and services designed to waste an intruder's time. dtk is available from all.net/dtk/example.html

Rkdet is a daemon intended to catch someone installing a rootkit or running a packet sniffer. It is designed to run continually with a small footprint under an innocuous name. When triggered, it sends email, appends to a logfile, and disables networking or halts the system.

Secure Linux project: The NSA has a Secure Linux project which includes mandatory access control architecture. The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. When confined in this way, the ability of these user programs and system daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example) is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a "root" super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid/setgid binaries).

chkrootkit detects the following rootkits

1. Irk3, irk4, Irk5, Irk6 (and some variants);

2. Solaris rootkit;

3. FreeBSD rootkit;

4. torn (including some variants and torn v8)

5. Ambient's Rootkit for Linus (ARK);

6. Ramen Worm;

7. rh[67]-sharper

8. RSHA;

9. Romanian rootkit;

10. RK 17; Lion Worm;

11. Adore Worm;

12. LPD Worm;

13. Keeny-rk;

14. Adore LKM;

15. ShitC Worm;

16. Omega Worm;

17. Wormkit Worm;

18. Maniac-RK;

19. Dsc-rootkit;

20. Ducoci rootkit;

21. x.c Worm;

22. RST.b trojan;

23. duarawkz;

24. knark LKM;

25. Monkit;

26. Hidrootkit; Bobkit;

27. Pizdakit;

28. torn (v8.0 variant);

29. Showtee;

30. Optickit;

31. T.R.K;

32. MithRa's Rootkit;

33. George;

34. SucKIT;

35. Scalper (FreeBSD/Apach echunked encoding worm);

36. Slapper A, B, C and D

37. (Linux/Apache mod_ssl Worm);

38. OpenBSD rk v1;

39. Illogic rootkit;

40. SK rootkit.

41. Sebek LKM;

42. Romanian rootkit;

43. LOC rootkit;

The following rootkits, worms and LKMs are currently detected:

01. lrks, lrk3, lrk4, lrk5, lrk6 (and variants);	02. Solaris rootkit;	03. FreeBSD rootkit;
04. torn (and variants);	05. Ambient's Rootkit (ARK);	06. Ramen Worm;
07. rh[67]-shaper;	08. RSHA;	09. Romanian rootkit;
10. RK17;	11. Lion Worm;	12. Adore Worm;
13. LPD Worm;	14. kenny-rk;	15. Adore LKM;
16. ShitC Worm;	17. Omega Worm;	18. Wormkit Worm;
19. Maniac-RK;	20. dsc-rootkit;	21. Ducoci rootkit;
22. x.c Worm;	23. RST.b trojan;	24. duarawkz;
25. knark LKM;	26. Monkit;	27. Hidrootkit;
28. Bobkit;	29. Pizdakit;	30. torn v8.0;
31. Showtee;	32. Optickit;	33. T.R.K;
34. MithRa's Rootkit;	35. George;	36. SucKIT;
37. Scalper;	38. Slapper A, B, C and D;	39. OpenBSD rk v1;
40. Illogic rootkit;	41. SK rootkit.	42. sebek LKM;
43. Romanian rootkit;	44. LOC rootkit;	45. shv4 rootkit;
46. Aquatica rootkit;	47. ZK rootkit;	48. 55808.A Worm;
49. TC2 Worm;	50. Volc rootkit;	51. Gold2 rootkit;
52. Anonoying rootkit;

Linux Firewall: IPChains

· IPChains is a very general TCP/IP packet filter, it allows you to ACCEPT, DENY, MASQ, REDIRECT, or RETURN packets.

· There are three chains that are always defined: input, output and forward.

· The chain is executed whenever a packet is destined for a network interface:

o the output chain is executed whenever a packet is exiting a network interface, destined elsewhere

o the forward chain is executed whenever a packet must traverse between multiple interfaces

· Chains are just rule sets that are executed in order, whenever a packet matches a rule then that specific target is executed.

Tools

Linux IP firewall chaining software is a program that uses the kernel IP packet filtering capability. A packet filter looks at the header of a packet and decides the fate of the entire packet. It can decide to DENY the packet (discard the packet as if it had never received it), ACCEPT (let the packet pass through), or REJECT (like deny, but notify the source of the packet).

ipchains is a rewrite of the well-known ipfwadm, which was a rewrite of BSD's ipfw, and was used to build firewalls in 2.0.x kernels. There are many reasons for this rewrite but perhaps the most important is ipfwadm couldn't allow protocols other than TCP, UDP or ICMP and it didn't handle fragments.

Example:

# ipchains -A input -j DENY -p all -l -s 127.0.0.0/8 -i etho -d 0.0.0.0/0

This rule prevents packets that have addresses beginning with 127. from entering the machine. The reason for this is that any IP address starting with 127. is a loopback address, and only used internally. That means that any packet coming into the ppp or ethernet device matching this rule is spoofed.

In the above example, input refers to the chain. There are three built-in chains: input, output and forward. The input chain refers to packets that are coming into the machine. These packets can be coming from a variety of sources. The output chain refers to packets that are leaving the machine. Again, these packets can be leaving through any interface which connects the computer to any network. The forward chain refers to packets that are received that are not destined for the machine. These packets are being routed through the machine. Note that each packet that passes through the forward chain also passes through both the input and output chains.

IPTables

· IPTables is the replacement of userspace tool ipchains in the Linux 2.4 kernel and beyond. IPTables has many more features than IPChains.

· Connection tracking capability, i.e. the ability to do stateful packet inspection.

· Simplified behavior of packets negotiating the built-in chains (INPUT, OUTPUT and FORWARD)

· A clean separation of packet filtering and network address translation (NAT).

· Rate-limited connection and logging capability

· The ability to filter on tcp flag and tcp options, and also MAC addresses.

To simplify aspects of datagram processing in the kernel firewalling code and produce a filtering framework that was both much cleaner and much more flexible, Paul Russell made a new framework called netfilter.

The iptables utility is used to configure netfilter filtering rules. Its syntax borrows heavily from the ipchains command, but differs in one very significant respect: it is extensible. What this means is that its functionality can be extended without recompiling it. It manages this trick by using shared libraries.

The iptables command is used to configure both IP filtering and Network Address Translation. To facilitate this, there are two tables of rules called filter and nat. The filter table is assumed if you do not specify the -t option to override it. Five built-in chains are also provided. The INPUT and FORWARD chains are available for the filter table, the PREROUTING and POSTROUTING chains are available for the nat table, and the OUTPUT chain is available for both tables.

All connection tracking is handled in the PREROUTING chain, except locally generated packets which are handled in the OUTPUT chain. This implies that iptables does all recalculation of states within the PREROUTING chain. If an initial packet is sent in a stream, the state gets set to NEW within the OUTPUT chain, and when the system receives a return packet, the state gets changed in the PREROUTING chain to ESTABLISHED. If the first packet is not originated by the local machine, the NEW state is set within the PREROUTING chain. So, all state changes and calculations are done within the PREROUTING and OUTPUT chains of the nat table.

Syntax: iptables [-t table] command [match] [target/jump]

In IPTables, there are four types of ICMP that can be categorized as NEW or ESTABLISHED:

· Echo request (ping, 8) and echo reply (pong, 0)

· Timestamp request (13) and reply (14)

· Information request (15) and reply (16)

· Address mask request (17) and reply (18)

The requests in each case are classified as NEW and reply as ESTABLISHED.

Other types of ICMP are not request-reply based and can only be related to other connections.

Linux Tools: Application Security

· Whisker (http://www.wiretrip.net)

Rain.Forest.Puppy's excellent CGIvulnerability scanner.

· Flawfinder (http://www.dwheeler.ccm/fawfinder/)

Flawfinder is a Python program which searches through souircve code for potential security flaws, listing potential security flaws sorted by risk, with the most potentially dangerous flaws shown first, this risk level depends not only on the function, but on the values of the parameters of the function.

· StackGuard (hhtp://www.immunix.org)

StackGuard is a compiler that emits programs hardened against "stack smashing" attacks. Stack smashing attacks are a common form of penetration attack. Programs that have been compiled with StackGuard are largely immune to stack smashing attack Protection requires no source code changes at all.

· Libsafe (http://www.avayalabs.com/project/libsafe/index.html)

It is generally accepted that the best solution to buffer overflow and format string attacks is to fix the defective programs

· Whisker (http://www.wiretrip.net)

Rain.Forest.Puppy's excellent CGI vulnerability scanner.

· Flawfinder (http://www.dwheeler.com/flawfinder/)

Flawfinder is a Python program which searches through source code for potential security flaws, listing potential security flaws sorted by risk, with the most potentially dangerous flaws shown first. This risk level depends not only on the function, but also on the values of the parameters of the function.

· StackGuard (hhtp://www.immunix.org)

StackGuard is a compiler that emits programs hardened against "stack smashing" attacks. Stack smashing attacks are a common form of penetration attack. Programs that have been compiled with StackGuard are largely immune to stack smashing attack. Protection requires no source code changes at all.

· Libsafe (http://www.avayalabs.com/project/libsafe/index.html)

It is generally accepted that the best solution to buffer overflow and format string attacks is to fix the defective programs.

Linux Tools: Intrusion Detection Systems

o Tripwire (http://www.tripwire.com)

A file and directory integrity checker.

o LIDS (http://www.turbolinux.com.cn/lids/)

The LIDS (Linux Intrusion Detection System) is an intrusion detection /defense system in the Linux kernel. The goal is to protect Linux systems disabling some system calls in the kernel itself.

o AIDE (http://www.cs.tut.fi/^rammer/aide.html)

AIDE (Advanced Intrusion detection Environment) is an Open Source IDS package.

o Snort (http://www.snort.org)

Flexible packet sniffer/logger that detects attacks, snort is a libpcap-based packet sniffer/logger which can be used as a lightweight Network Intrusion Detection System.

o Samhain (http://samhain.sourceforge.net)

Samhain is designed for intuitive configuration and tamper-resistance, and can be configured as a client/server application to monitor many hosts on a network from a single central location.

· Tripwire (http://www.tripwire.com) - A file and directory integrity checker.

· LIDS (http://www.turbolinux.com.cn/lids/)

The LIDS (Linux Intrusion Detection System) is an intrusion detection /defense system in the Linux kernel. The goal is to protect Linux systems disabling some system calls in the kernel itself.

· AIDE (http://www.cs.tut.fi/^rammer/aide.html)

AIDE (Advanced Intrusion detection Environment) is an Open Source IDS package.

· Snort (http://www.snort.org)

Flexible packet sniffer/logger that detects attacks. Snort is a libpcap-based packet sniffer/logger, which can be used as a lightweight Network Intrusion Detection System.

· Samhain (http://samhain.sourceforge.net)

Samhain is designed for intuitive configuration and tamper-resistance, and can be configured as a client/server application to monitor many hosts on a network from a single central location.

Linux Tools: Security Testing Tools

o NMap (http://www.insecure.org/nmap)

Premier network auditing and testing tool.

o LSOF (ftp://vic.cc.pudue.edu/pub/tools/unix/lsof)

LSOF lists open files for running Unix/Linux processes.

o Netcat (http://www.atstake.com/research/tools/index.html)

Netcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol.

o Hping2 (http://www.kyuzz.org/antirez/hping/)

hping2 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies.

o Nemesis (http://www.packetninja.net/nemesis/)

The Nemesis Project is designed to be a command-line based, portable human IP stack for Unix/Linux

· NMap (http://www.insecure.org/nmap)

Premier network auditing and testing tool.

· LSOF (ftp://vic.cc.pudue.edu/pub/tools/unix/lsof)

LSOF lists open files for running Unix/Linux processes.

· Netcat (http://www.atstake.com/research/tools/index.html)

Netcat is a simple UNIX utility, which reads and writes data across network connections, using TCP or UDP protocol.

· Hping2 (http://www.kyuzz.org/antirez/hping/)

hping2 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies as ping does with ICMP replies.

· Nemesis (http://www.packetninja.net/nemesis/)

The Nemesis Project is designed to be a command-line based, portable human IP stack for Unix/Linux

Linux Tools: Encryption

o Stunnel (http://www.stunnel.org)

Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, NNTP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to daemon's code.

o OpenSSH /SSH (http://www.openssh.com/)

SSH (Secure Shell is a program for logging into a remote machine and for executinmg commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network.

o GnuPG (http://www.gnupg.org)

GnuPG is a complete and free replacement for PGP. Since it does not use the patented IDEA algorithm, it can be used without any restrictions.

· Stunnel (http://www.stunnel.org)

Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both UNIX and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, NNTP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to daemon's code.

· OpenSSH /SSH (http://www.openssh.com/)

SSH (Secure Shell is a program for logging into a remote machine and for executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network.

· GnuPG (http://www.gnupg.org)

GnuPG is a complete and free replacement for PGP. Since it does not use the patented IDEA algorithm, it can be used without any restrictions.

Linux Tools: Log and Traffic Monitors

o MRTG (http://www.mrtg.org)

The Multi-Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network-links.

o Swatch (http://www.stanford.edu/^atkins/swatch/)

Swatch, the simple watch daemon is a program for Unix system logging.

o Timbersee http://www.fastcoder.net/^thumper/software/sysadmin/timbersee/)

Timbersee is a program very similar to the Swatch program.

o Logsurf(http://www.cert.dfn.de/eng/logsurf/)

The program log surfer was designed to monitor any text-based logfiles on the system in realtime.

o TCP Wrappers (ftp://ftp.prcupine.org/pub/security/index.html)

Wietse Venema's network logger, also known as TCPD or LOG_TCP. These programs log the client hostname of incoming telnet, ftp, rsh, rlogin, finger etc. requests.

· MRTG (http://www.mrtg.org)

The Multi-Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network-links.

· Swatch (http://www.stanford.edu/^atkins/swatch/)

Swatch, the simple watch daemon is a program for UNIX system logging.

· Timbersee http://www.fastcoder.net/^thumper/software/sysadmin/timbersee/)

Timbersee is a program very similar to the Swatch program.

· Logsurf (http://www.cert.dfn.de/eng/logsurf/)

The program log surfer was designed to monitor any text-based log files on the system in real-time.

· TCP Wrappers (ftp://ftp.prcupine.org/pub/security/index.html)

Wietse Venema's network logger, also known as TCPD or LOG_TCP. These programs log the client hostname of incoming telnet, ftp, rsh, rlogin, finger etc. requests.

Linux Tools: Log and Traffic Monitors

o IPLog (http://ojnk.sourceforge.net/)

iplog is a TCP?IP traffic logger. Currently, it is capable of logging TCP, UDP and ICMP traffic.

o IPTraf(http://cebu.mozcom.com/riker/iptraf/)

IPTraf is an ncurses based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors and others.

o Ntop (http://www.ntop.org)

ntop is a Unix/Linux tool that shows the network usage, similar to what the popular "top" Unix/Linux command does.

· IPLog (http://ojnk.sourceforge.net/)

iplog is a TCP. IP traffic logger. Currently, it is capable of logging TCP, UDP and ICMP traffic.

· IPTraf (http://cebu.mozcom.com/riker/iptraf/)

· Ntop (http://www.ntop.org)

ntop is a Unix/Linux tool that shows the network usage, similar to what the popular "top" Unix/Linux command does.

Linux Security Countermeasures

Physical Security:

lock your computer physical in a secure place.

Password Security:

Do not assign easy-to-guess password.

Do not share your account with other person.

Check user account with null passwd (without passwd) in /etc/shadow.

Network Security:

Close the door first by denying access from network by default.

$ cat "ALL:ALL" >> /etc/hosts.deny

Stop all unused services such as sendmail, NFS.

$ chkconfig --list

$ chkconfig --del sendmail

$ chkconfig --del nfslock

$ chkconfig --del rpc

Check system logs in /var/log regularly especially /var/log/secure.

Update your Linus system regularly.

Checking the errata (bug fixes) in

http://www.redhat.com/support/errata

The update packages can be found in ftp://updates.redhat.com

Countermeasures

· Physical Security

o It is ideal to restrict physical access the computer system so that unauthorized people don't get to misuse the system.

· Password Security

o Assign hard to guess passwords which are long enough.

o Ensure procedural discipline so that passwords are kept private

o Ensure that system does not accept null password or other defaults

· Network Security

o Ensure all default network accesses are denied

$ cat: ALL: ALL" >> /etc/hosts.deny

o Ensure that only essential services are running. Stop unused services like sendmail, NFS etc

$ chkconfig --list

$ chkconfig --del sendmail

$ chkconfig --del nfslock

$ chkconfig --del rpc

o Verify system logs at regular intervals to check for suspicious activity - (System logs in /var/log/secure)

· Patch the Linux system and keep it up to date

o Check for bug fixes at the vendor site

o Update packages as and when available at the Update site of the vendor.

Summary

· Linux is gaining popularity and is fast becoming a stable industry strength OS.

· Once the IP address of a target system is known, an attacker can begin port scanning, looking for holes in the system for gaining access. Nmap being a popular tool.

· Password cracking tools are available for Linux as well.

· Sniffers as well as Packet assembly/analyzing tools for Linux provide attackers with the edge that they have dealing with other OSs.

· Attackers with root privileges can engage in session hijacking as well.

· Trojans, backdoors, worms are also prevalent in the Linux environment.

· As with any other system, a well developed integrated procedure is to be put in place to counter the threats that exist.