Fundamentals of Linux Platform Security

Transcription

1 Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012

2 Hands-On Network Security Module 1 Reconnaissance Tools

3 Roadmap Review of generally useful tools Linux (Unix) centric General overview Several tools revisited later There are many, many other useful tools Some introduced in course modules Most freely available on the Internet 3

4 Tool Basics less, man su, sudo ifconfig netstat tcpdump wireshark, tshark tcpreplay traceroute tcptraceroute nmap/zenmap netcat ps top vmstat lsof /proc whois nslookup, dig Accounting Miscellany 4

5 less, man less Standard paginating tool for Unix/Linux man Standard manual page tool for Unix/Linux 5

6 su su id Change to user id If no id, change to the superuser (root) Authenticate by giving new user s password Starts a command shell with new user s privileges Invocation su su Like su, but executes a login shell, which gets the correct command search paths 6

7 sudo sudo command Run commands as root Authenticate by giving your own password Runs command with the root s privileges Convenience & control Control who may sudo and what commands they can run Log operations performed under sudo Config file /etc/sudoers Invocation sudo service network restart Runs the service command with root privileges sudo -s Executes a command shell with root privileges sudo -i Like su -, this executes a login shell with root privileges 7

8 ifconfig Get (and set) network interface configuration IP address and mask Hardware address Bytes sent/received/dropped/overrun/ /sbin/ifconfig [interface] [options] Useful to discover host s IP address(es) and interface status 8

9 netstat Displays network-related status Network connections Routing tables Interface statistics Multicast memberships 9

10 /bin/netstat w/o args, displays open sockets -a display listening sockets also -t show active TCP sockets -u show active UDP sockets -p show PID and process name -r display routing tables -n don t convert host addresses to names netstat 10

11 libpcap Packet capture library Obtains packets from host platform Created at LBL Maintained at Sources, no binaries Version released June 12,

12 tcpdump Full-content packet capture and display Packet input Directly from network interface From libpcap-format file Packet output To screen To libpcap-format file Packet filtering Version released June 12, 2012 at 12

13 tcpdump /usr/sbin/tcpdump -i in listen on interface in -n don t convert host addresses to names -X dump packet in hex and ascii -e dump Ethernet header also -r fn read from pcap-format file -w fn write out pcap-format file Documentation at 13

14 wireshark, tshark Full-content packet capture and display Built-in protocol dissectors 1,170 protocols and counting (version 1.6.5) Packet input Directly from network interface From libpcap-format file, and many other formats Packet output Interactive, screen-oriented Packet filtering On capture On display 14

15 wireshark, tshark Other features capinfos dumpcap editcap mergecap text2pcap 15

16 tcpreplay Sends stored packets to network Useful for presenting fixed inputs to IDSs Packet input From libpcap-format file Packet output To network interface Features tcpprep determine client/server packets and prepare cache tcpreplay replay pcap files at user-determined speeds tcprewrite edit TCP, IP, Layer 2 headers on the fly tcpbridge bridge network segments with tcprewrite tcpcapinfo pcap file decoder 16

17 tcpreplay Canonical invocation tcpreplay -i eth0 sample.pcap Options: -t as fast as possible -M rate send at this rate (Mbps) -p # send this number of packets per second -x m send mtimes as fast Some packets are not meant to be replayed 17

18 traceroute Uses TTL field in IP packet to map a network packet s path from source to destination host Generates a serial list of routers between source and destination Depends on ICMP messages If ICMP is blocked at the border, this won t work Maintained at 18

19 tcptraceroute Uses TCP SYN packets instead of ICMP or UDP echo Originally developed & maintained at Now inactive Better to use a modern traceroute s T option 19

20 nmap/zenmap Network mapping tool Version 5.50 released January, 2011 Really a network scanner Swiss army knife Two-step process Identifies hosts on specified network segment(s) Scans specified ports on each host Read the man page thoroughly Especially for limitations Zenmap is a GUI for nmap Generally under-appreciated 20

21 nmap nmap subnet e.g /26 -n don t map addresses to names -ss TCP SYN port scan -st TCP connect port scan -su UDP port scan -sv detect service verions -s several more advanced scans -O use fingerprinting to guess remote OS -T manually set scan rate -p range range of ports to scan many more Maintained at 21

22 netcat TCP/UDP utility the original, from the portable version Another, older, swiss army knife Features Send and receive TCP/UDP Listen on arbitrary ports TCP proxies Shell-script clients & servers Read the man page thoroughly Generally under-appreciated 22

23 ps Process status utility Features Standard & custom process status listings Resource utilization summaries Read the man page thoroughly 23

24 ps ps (none) show your processes ax show all processes l show your processes, long format u show your processes, user format v show your processes, virtual memory format -l show your processes, long format -f show your processes, full format -F show your processes, extra full format -H show your processes, tree format -Lm show all processes, with threads many more 24

25 top Display Linux tasks Features Dynamic process listings Ordered by specified resource System utilization summaries An interactive interface for process manipulation An extensive interactive interface for configuration Read the man page thoroughly 25

26 top top (none) show summary and process stats, updated every 3 secs -d n every n secs -u user stats for user user only Interactive commands 1 toggle between aggregate and individual CPU stats k kill a process O change sort order r renice a process u show stats for specified user h interactive help many more 26

27 vmstat Report virtual memory statistics Reports Processes running Physical memory usage Swap space I/O Block I/O System interrupts and context switches CPU utilization all in 80 characters 27

28 vmstat vmstat (none) show status n show status every n seconds -a show active/inactive instead of buffered/cached -f # fork() system calls since boot -m show kernel memory management stats (slabinfo) 28

29 lsof List open files Created for UNIX to find running processes preventing filesystem unmounts Many additional Linux features For each process, shows Root and current directories Mapped shared memory libraries Open file names, descriptors, major/minor/inode numbers Open sockets, states, peer names Mapped shared memory libraries 29

30 lsof lsof (none) shows open files for all devices for all processes -p pid shows open files for process pid -u user shows open files for user name or uid user /dev/sdx shows open files for device /dev/sdx /path/file shows process that have /path/file open shows processes connected to host host many more 30

31 /proc File-system view of userland Features Global system status Per-process status Much more detail than e.g. ps Official interface for system information Addresses a long-standing need in UNIX 31

32 whois Looks up information stored in various Network Information Centers (NICs) for several Top Level Domains (TLDs).edu,.com,.net,.org Useful for finding remote domain administrators 32

33 nslookup, dig Tools for querying DNS name servers Useful for turning IP addresses into names And vice versa Can retrieve all DNS RRs, e.g. MX, nslookup superseded by dig 33

34 Accounting Linux process accounting Writes an accounting record each time a process finishes Commands sudo accton on turn accounting on sudo accton off turn accounting off sa show accounting information lastcomm show last command executed by users Caveat Notoriously inaccurate To whom should the op-complete interrupt processing be charged? 34

35 Miscellany strings Useful for extracting text from arbitrary files nice Used to lower (or raise, if root) the scheduling priority of a process dstat Unified, one line, customizable system status 35