Chapter 13
IN THIS CHAPTER
Examining Linux and macOS testing tools
Port-scanning hosts
Gleaning information without logging in
Exploiting common vulnerabilities when logged in to Linux and macOS
Minimizing Linux and macOS security risks
Linux hasn’t made inroads onto the enterprise desktop the way that Windows has, but its offshoot, macOS, certainly has. Both Linux and Macs are prevalent in enterprises, so you need to make sure that they fall within the scope of your security testing. A common misconception is that Linux and macOS (and its predecessor, OS X) are more secure than Windows. More and more often, however, these operating systems (OSes) are shown to be susceptible to the same types of security vulnerabilities that afflict Windows, so you can’t let your guard down.
Criminal hackers are increasingly attacking Linux and macOS because of their popularity and growing use in today’s network environment. Because some versions of Linux are free (in the sense that you don’t have to pay for the base operating system), many organizations are installing Linux for their web servers and email servers in the hope of saving money and having a more-secure system. Linux has grown in popularity for other reasons as well, including the following:
On the workstation side, OS X and macOS are mainstream in business today. These OSes are based on Unix/Linux cores and are susceptible to many of the Linux flaws that I discuss in this chapter.
Based on what I see in my work, Linux is less vulnerable to common security flaws (especially in terms of missing third-party patches for Adobe, Java, and similar companies’ programs) than Windows. When comparing any current distribution of Linux, such as Ubuntu and Red Hat/Fedora, with Windows 7 or Windows 10, I tend to find more weaknesses in the Windows systems. Chalk this fact up to widespread use, more features, or uneducated users, but a lot more can happen in a Windows environment.
That said, Linux certainly isn’t flawless. In addition to the password attacks I cover in Chapter 8, certain remote and local attacks against Linux-based systems are possible. In this chapter, I show you some security issues in the Linux operating system and outline some countermeasures to plug the holes so that you can keep the bad guys out. Don’t let the title of this chapter fool you; a lot of this information applies to all flavors of Unix.
Vulnerabilities and attacks against Linux are creating business risks in a growing number of organizations, especially e-commerce companies, network and IT/security vendors, and cloud service providers that rely on Linux for many of their systems (including their own products). When Linux and macOS systems are hacked, the victim organizations can experience the same side effects as their Windows-using counterparts, including:
You can use many Linux-based security tools to test your Linux and macOS systems. Some tools are much better than others. I find that my Windows-based commercial tools do as good a job as any. My favorites are:
https://www.kali.org
) toolset on a bootable DVD or .iso
image file.https://www.netscantools.com
) for port scanning, OS enumeration, and more.Nexpose (https://www.rapid7.com/products/nexpose
) for detailed port scanning, OS enumeration, and vulnerability testing.
A tool such as Nexpose can perform pretty much all the security testing you need to find flaws in Linux. Another popular commercial alternative is offered by Qualys (www.qualys.com
).
https://nmap.org
) for OS fingerprinting and detailed port scanning.www.tenable.com/products/nessus-vulnerability-scanner
) for OS fingerprinting, port scanning, and vulnerability testing.Many other Linux hacking and testing tools are available at SourceForge (https://sourceforge.net
). Find a set of tools — preferably as few as possible — that can do the job you need to do and that you feel comfortable working with. As I've said before, you often (not always) get what you pay for.
You can scan your Linux and macOS systems and gather information from both outside (if the system is a publicly accessible host) and inside your network. That way, you can see what the bad guys see from both directions.
Linux services, called daemons, are the programs that run on a system and serve up various services and applications for users.
The vulnerabilities inherent in your Linux systems depend on what services are running. You can perform basic port scans to glean information about what’s running.
The NetScanTools Pro results in Figure 13-1 show many potentially vulnerable services on this Linux system, such as the services of SSH, DNS, and TFTP.
In addition to NetScanTools Pro, you can run a vulnerability scanner such as Nexpose against the system to try to gather more information. Note all the missing patches in this macOS High Sierra system shown in Figure 13-2.
Keep in mind that you’re going to find the most vulnerabilities in Linux and macOS by performing authenticated vulnerability scans, which is particularly important to do because it shows you what’s exploitable by users or malware on your systems. Even Linux and macOS are susceptible to malware! You’ll want to run such scans at least once per year or after any major application or OS upgrades on your workstations and servers.
Figure 13-3 shows the awesome feature of Nexpose that allows you to test your login credentials before kicking off a vulnerability scan of your network.
What’s the big deal about this feature, you say? Well, first, it can be a whole lot of hassle to think that you’re entering the proper login credentials into the scanner, only to find out hours later that the logins weren’t successful, which can invalidate the scan you ran. It can also be a threat to your budget (or wallet, if you work for yourself) if you’re charged by the scan only to discover that you have to rescan hundreds or even thousands of network hosts. I’ve been down that road many times, and it’s a real pain, to say the least.
The Windows-based NetScanTools Pro can also determine the version of Linux that’s running, as shown in Figure 13-5.
Although you can’t prevent system scanning, you can implement the following countermeasures to keep the bad guys from gleaning too much information about your systems and using it against you somehow:
https://sourceforge.net/projects/sentrytools
), a local agent such as Snare (https://www.snaresolutions.com/products/snare-agents
), or McAfee Host Intrusion Prevention for Server (https://www.mcafee.com/us/products/host-ips-for-server.aspx
) that ties into a larger security incident and event management system that monitors for and correlates network events, anomalies, and breaches.When you know which daemons and applications are running — such as FTP, Telnet, and a web server — it’s nice to know exactly which versions are running so that you can look up their associated vulnerabilities and decide whether to turn them off. The National Vulnerability Database site (https://nvd.nist.gov
) is a good resource for looking up vulnerabilities.
Several security tools can uncover vulnerabilities in your Linux systems. These tools may not identify all applications down to the version number, but they’re a powerful way of collecting system information.
Be especially mindful of these common security weaknesses in Linux systems:
Many web servers run on Linux, so you can’t overlook the importance of checking for weaknesses in Apache as well as Tomcat or other applications. A common Linux vulnerability, for example, is that usernames can be determined via Apache when it doesn’t have the UserDir directive disabled in its httpd.conf
file. You can exploit this weakness manually by browsing to well-known user folders such as http://www.your~site.com/user_name
or, better, by using a vulnerability scanner such as Netsparker (https://www.netsparker.com
) or Nexpose to enumerate the system automatically. Either way, you may be able to find out which Linux users exist and then launch a web password cracking attack. You can also access system files (including /etc/passwd
) via vulnerable CGI and PHP code. I cover hacking web applications in Chapter 15.
Likewise, File Transfer Protocol (FTP) often runs unsecured on Linux systems. I've found Linux systems with anonymous FTP enabled that were sharing sensitive health-care and financial information to everyone on the local network. Talk about a lack of accountability! Don’t forget to look for the simple stuff. When testing Linux, you can dig deep into the kernel and do this or that to carry out some über-complex exploit, but the little things usually get you. Look for the low-hanging fruit on your network, as that stuff will get you into the most trouble the quickest.
The following tools can perform in-depth analysis beyond port scanning to enumerate your Linux systems and see what others can see:
-sV
command-line switch.
netstat
shows the services running on a local machine. Enter this command while logged in:
netstat –anp
lsof
) displays processes that are listening and files that are open on the system.You can and should disable the unneeded services on your Linux systems, which is one of the best ways to keep your Linux system secure. Like reducing the number of entry points (such as open doors and windows) in your house, the more entry points you eliminate, the fewer places an intruder can break in.
The best method of disabling unneeded services depends on whether the daemon is loaded in the first place. You have several places to disable services, depending on the version of Linux you're running.
If it makes good business sense to do so (that is, if you don’t need the services), disable unneeded services by commenting out the loading of daemons you don’t use. Follow these steps:
ps -aux
The process ID (PID) for each daemon, including inetd, is listed onscreen. In Figure 13-7, the PID for the sshd (Secure Shell daemon) is 646.
/etc/inetd.conf
in the Linux text editor vi by entering the command:
vi /etc/inetd.conf
or
/etc/xinetd.conf
Move the cursor to the beginning of the line of the daemon that you want to disable, such as httpd (web server daemon), and type # at the beginning of the line.
This step comments out the line and prevents it from loading when you reboot the server or restart inetd. It’s also good for record keeping and change management.
To exit vi and save your changes, press Esc to exit the insert mode, type :wq, and then press Enter.
This step tells vi that you want to write your changes and quit.
kill –HUP PID
If you don’t have an inetd.conf
file (or if it's empty), your version of Linux is probably running the xinetd program — a more-secure replacement for inetd — to listen for incoming network application requests. You can edit the /etc/xinetd.conf
file in this case. For more information on the use of xinetd and xinetd.conf
, enter man xinetd or man xinetd.conf at a Linux command prompt. If you're running Red Hat 7.0 or later, you can run the /sbin/chkconfig
program to turn off the daemons you don’t want to load.
You can also enter chkconfig --list at a command prompt to see what services are enabled in the xinetd.conf
file.
If you want to disable a specific service, such as snmp, enter the following:
chkconfig --del snmpd
TCP Wrappers can control access to critical services that you run, such as FTP and HTTP. This program controls access for TCP services and logs their use, helping you control access via host name or IP address and track malicious activities.
You can find more information about TCP Wrappers at ftp://ftp.porcupine.org/pub/security/index.html
.
Linux and all the flavors of Unix are file-based OSes. Practically everything that’s done on the system involves the manipulation of files, which is why so many attacks against Linux are at the file level.
If hackers can capture a user ID and password by using a network analyzer or can crash an application and gain access via a buffer overflow, one thing they look for is what users are trusted by the local system. For that reason, it’s critical to assess these files yourself. The /etc/hosts.equiv
and .rhosts
files list this information.
The /etc/hosts.equiv
file won't give away root access information, but it does specify which accounts on the system can access services on the local host. If tribe were listed in this file, for example, all users on the tribe system would be allowed access. As with the .rhosts
file, external hackers can read this file and then spoof their IP address and host name to gain unauthorized access to the local system. Attackers can also use the names located in the .rhosts
and hosts.equiv
files to look for the names of other computers to exploit.
The highly important $home/.rhosts
files in Linux specify which remote users can access the Berkeley Software Distribution (BSD) r-commands (such as rsh, rcp, and rlogin) on the local system without a password. This file is in a specific user's (including root’s) home directory, such as /home/jsmith
. A .rhosts
file may look like this:
tribe scott
tribe eddie
+tribe geoff
This file allows users Scott and Eddie on the remote-system tribe to log in to the local host with the same privileges as the local user. If a plus sign (+) is entered in the remote-host and user fields, any user from any host could log in to the local system. The hacker can add entries into this file by using either of these tricks:
This configuration file is a prime target for a malicious attack. On most Linux systems I’ve tested, these files aren’t enabled by default. But a user can create one in his or her home directory on the system intentionally or accidentally, which can create a major security hole in the system.
Use both of the following countermeasures to prevent hacker attacks against the .rhosts
and hosts.equiv
files in your Linux system.
A good way to prevent abuse of these files is to disable the BSD r-commands. You can disable these commands in two ways:
shell
, login
, and exec
in inetd.conf
.rexec
, rlogin
, and rsh
files located in the /etc/xinetd.d
directory. Open each file in a text editor, and change disable=no
to disable=yes
, as shown in Figure 13-8.A couple of countermeasures can block rogue access of the .rhosts
and hosts.equiv
files:
.rhosts
: Enter this command in each user’s home directory: chmod 600 .rhosts
hosts.equiv
: Enter this command in the /etc
directory: chmod 600 hosts.equiv
You can also use Open Source Tripwire (http://sourceforge.net/projects/tripwire
) to monitor these files and alert you when access is obtained or changes are made.
The Network File System (NFS) is used to mount remote file systems (similar to shares in Windows) from the local machine. Given the remote access nature of NFS, it certainly has its fair share of hacks. I cover additional storage vulnerabilities and hacks in Chapter 16.
If NFS was set up improperly or its configuration was been tampered with — namely, the /etc/exports
file, which contains a setting that allows the world to read the entire file system — remote hackers can easily obtain remote access and do anything they want on the system. Assuming that no access control list is in place, all it takes is a line, such as the following, in the /etc/exports
file:
/ rw
This line says that anyone can mount the root partition remotely in a read-write fashion. The following conditions must also be true:
/etc/hosts.allow
file.This remote-mounting capability is easy to misconfigure. It's often related to a Linux administrator’s misunderstanding what it takes to share NFS mounts and resorting to the easiest way to get it working. If someone can gain remote access, the system is theirs.
The best defense against NFS hacking depends on whether you need the service running.
/etc/exports
and /etc/hosts.allow
files are configured properly to keep the world outside your network.In Linux, special file types allow programs to run with the file owner's rights: SetUID (for user IDs) and SetGID (for group IDs).
SetUID and SetGID are required when a user runs a program that needs full access to the system to perform its tasks. When a user invokes the passwd program to change his or her password, for example, the program is loaded and run without root’s or any other user’s privileges. This is done so that the user can run the program and the program can update the password database without the root account’s being involved in the process.
By default, rogue programs that run with root privileges can be easily hidden. An external attacker or malicious insider might do this to hide hacking files, such as rootkits, on the system. This can be done with SetUID and SetGID coding in hacking programs.
You can test for rogue programs by using both manual and automated testing methods.
The following commands can identify and print to the screen SetUID and SetGID programs:
find / -perm -4000 –print
find / -perm -2000 –print
find / -perm -2 -type f –print
find / -name ".*"
You probably have hundreds of files in each of these categories, so don’t be alarmed. When you discover files with these attributes set, you need to make sure that they’re supposed to have those attributes by researching in your documentation or on the Internet or by comparing them with a known-secure system or data backup.
You can use an automated file integrity monitoring program to alert you when these types of changes are made. This practice is what I recommend; it’s a lot easier than manual checks on an ongoing basis. Security controls can include:
ftp://ftp.cerias.purdue.edu/pub/tools/unix/scanners/cops
), finds files that have changed in status, such as a new SetUID or removed SetGID.RPC and other vulnerable daemons are common targets for buffer-overflow attacks. Buffer-overflow attacks are how hackers often get in to modify system files, read database files, and more.
In a buffer-overflow attack, the attacker manually sends strings of information to the victim Linux machine or writes a script that does so. These strings contain the following:
exec ("/bin/sh")
creates a shell command prompt, for example.If an attacked application (such as FTP or RPC) is running as root, this situation can give attackers root permissions in their remote shells. Specific examples of vulnerable software running on Linux are Samba, MySQL, and Mozilla Firefox. Depending on the version, this software can be exploited with commercial or free tools such as Metasploit (https://www.metasploit.com
) to obtain remote command prompts, add backdoor user accounts, change ownership of files, and more. I cover Metasploit in Chapter 12.
Three main countermeasures can help prevent buffer-overflow attacks:
Enable another access control mechanism, such as TCP Wrappers, that authenticates users with a password.
Don't just enable access controls via an IP address or host name, which can easily be spoofed.
As always, make sure that your systems have been updated with the latest kernel and software updates.
Some Linux vulnerabilities involve the bad guy’s being at the system console — something that’s entirely possible given the insider threats that every organization faces.
If an attacker is at the system console, anything goes, including rebooting the system (even if no one is logged in) by pressing Ctrl+Alt+Delete. After the system is rebooted, the attacker can start it in single-user mode, which allows him to zero out the root password or possibly read the entire shadow password file. I cover password cracking in Chapter 8.
Edit your /etc/inittab
file, and comment out (place a #
sign in front of) the line that reads ca::ctrlaltdel:/sbin/shutdown -t3 -r now
, shown in the last line of Figure 13-9. These changes prevent someone from rebooting the system by pressing Ctrl+Alt+Delete. Be forewarned that this change also prevents you from legitimately pressing Ctrl+Alt+Delete.
For Linux-based laptops, use disk-encryption software from WinMagic (https://www.winmagic.com
) or Symantec EndPoint Encryption (https://www.symantec.com/products/endpoint-encryption
). If you don't, when a laptop is lost or stolen, you could very well have a data breach on your hands, not to mention the state and federal compliance, and disclosure-law requirements that go along with it. Not good!
Assess critical and often-overlooked security issues on your Linux and macOS systems, such as the following:
You can perform all these assessments manually or use an automated tool. Figure 13-10 shows the initiation of the Tiger security-auditing tool (www.nongnu.org/tiger
), and Figure 13-11 shows a portion of the audit results. Talk about some great bang for no buck!
Alternatives to Tiger include Linux Security Auditing Tool (http://usat.sourceforge.net
) and Bastille Unix (http://bastille-linux.sourceforge.net
).
Ongoing patching is perhaps the best thing you can do to enhance and maintain the security of your Linux and macOS systems. Regardless of the Linux distribution you use, using a tool to assist in your patching efforts makes your job a lot easier.
For Linux, the process is different in every distribution. You can use the following tools, based on your specific distribution:
.rpm
extension that Red Hat and other freeware and open-source developers use to package their programs. RPM Packet Manager was originally a Red Hatsystem but is now available for many versions of Linux.For macOS, the updates are pushed to the computer locally, and unfortunately, it’s up to the user to install the updates by default.
Commercial patch-management tools have additional features, such as correlating patches with vulnerabilities and automatically deploying appropriate patches. Commercial tools that can help with Linux and macOS patch management include ManageEngine (https://www.manageengine.com/products/desktop-central/mac-management.html
), GFI LanGuard (https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard/specifications/patch-management-for-operating-systems
), and KACE Systems Management Appliance (https://www.quest.com/products/kace-systems-management-appliance
).
18.191.216.163