Taking turns: N weapons for finding vulnerabilities in Linux


Before reading this article, you should have some understanding of the basic security features of the Linux system.

Linux is an open-source, free operating system. It is secure, stable and low-cost, and viruses rarely spread on it, so Linux has long been regarded as the rival of Microsoft Windows. In recent years, as Linux has grown more popular in China and more and more servers, workstations and PCs run it, more and more security enthusiasts have naturally become interested in the system. The purpose of this article is to give readers, as quickly as possible, a detailed and comprehensive understanding of the features and usage of the best hacking software on Linux. Today we start with N weapons for finding vulnerabilities.

A vulnerability scanner is a program that automatically detects security vulnerabilities on a remote or local host. As on Windows, once a hacker has a list of target hosts he can run Linux scanners against them to find their weaknesses: the open TCP ports on a server, the services it provides, the version of its web server software, and the vulnerabilities in those services. For system administrators, detecting and stopping such activity in time greatly reduces the number of intrusions. By the usual classification, vulnerability scanners come in two kinds: host vulnerability scanners and network vulnerability scanners. A host vulnerability scanner runs locally and detects vulnerabilities in the system it runs on; a network vulnerability scanner probes target networks and hosts remotely over the network. Below we introduce some typical programs and examples.

1. Host-based scanning tools

(1) sXid

sXid is a system monitoring program; after downloading it, install it with "make install". It scans the system for SUID and SGID files and directories, since these are a likely hiding place for backdoor programs, and it can be configured to report its results by email. The default configuration file is /etc/sxid.conf, which defines how sxid works and how many log files are rotated. The default log file is /var/log/sxid.log. For safety, once the parameters are configured we can make sxid.conf immutable and make sxid.log append-only with the chattr command. We can also run a check at any time with the -k option ("sxid -k"); this mode is flexible and neither logs nor sends email, as shown in Figure 1.

(2) LSAT

The Linux Security Auditing Tool (LSAT) is a local security scanner that reports default configuration settings that are insecure. Developed by Triode, LSAT is designed mainly for RPM-based Linux distributions. After downloading the software, compile it as follows:

cndes $ tar xzvf lsat-VERSION.tgz
cndes $ cd lsat-VERSION
cndes $ ./configure
cndes $ make

Then run it as root: root # ./lsat. By default it writes a report named lsat.out. You can also specify options:

-o filename: write the report to the given file name.
-v: verbose output mode.
-s: print nothing on the screen; only generate the report.
-r: run the RPM checksum check to find files whose default contents or permissions have been modified.

LSAT checks a great deal, mainly: unnecessary installed RPMs; inetd, xinetd and various system configuration files; SUID and SGID files; world-writable (mode 777) files; processes and services; and open ports. LSAT is commonly run at regular intervals from cron, and diff is then used to compare the current report with the previous one, so that changes in the system configuration stand out. The following is an excerpt from a test report:

****************************************
This is a list of SUID files on the system:
/bin/ping
/bin/mount
/bin/umount
/bin/su
/sbin/pam_timestamp_check
/sbin/pwdb_chkpwd
/sbin/unix_chkpwd
****************************************
This is a list of SGID files/directories on the system:
/root/sendmail.bak
/root/mta.bak
/sbin/netreport
****************************************
List of normal files in /dev. MAKEDEV is OK, but there
should be no other files:
/dev/MAKEDEV
/dev/MAKEDEV.afa
****************************************
This is a list of world writable files
/etc/cron.daily/backup.sh
/etc/cron.daily/update_CDV.sh
/etc/megamonitor/monitor
/root/e
/root/pl/outfile
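Both sXid's SUID/SGID scan and LSAT's cron-plus-diff routine above come down to the same practice: record the set of SUID/SGID files and report any change against that baseline. The following script is an added example, not part of sXid or LSAT; the baseline path, script name and cron entry are assumptions.

```shell
#!/bin/sh
# Added example (not part of sXid or LSAT): the baseline-and-diff pattern the
# article describes for LSAT, applied to SUID/SGID files. Paths are assumptions.

BASELINE="${BASELINE:-/var/lib/setuid-baseline.txt}"   # assumed location

# list_setuid DIR: every regular file under DIR with the SUID or SGID bit set,
# sorted so that two runs can be compared with diff. Stays on one filesystem.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# compare_setuid DIR BASEFILE: returns 0 when the current list matches BASEFILE,
# 1 when SUID/SGID files were added or removed (the unified diff shows which).
compare_setuid() {
    tmp=$(mktemp) || return 2
    list_setuid "$1" > "$tmp"
    if diff -u "$2" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Typical cron use (assumed path): "0 3 * * * root /usr/local/sbin/setuid-check.sh".
# The first run records the baseline; later runs report any change.
main() {
    if [ ! -f "$BASELINE" ]; then
        list_setuid / > "$BASELINE"
        echo "baseline written to $BASELINE"
        return 0
    fi
    if compare_setuid / "$BASELINE"; then
        echo "no SUID/SGID changes"
    else
        echo "SUID/SGID set changed; review the diff above" >&2
        return 1
    fi
}

# Run the full check only when executed as the script itself, not when sourced.
case "$0" in *setuid-check.sh) main "$@";; esac
```

Like sxid.log, the baseline file is worth protecting with chattr +a (append-only) or +i (immutable) once written, so that an intruder who adds a SUID file cannot quietly update the baseline too.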

(3) GNU Tiger

This is a local security scanner derived from TAMU's Tiger (an older scanning tool). Items Tiger checks include: system configuration errors; insecure permission settings; all user-writable files; SUID and SGID files; crontab entries; Sendmail and FTP settings; weak or empty passwords; and changes to system files. It exposes a range of vulnerabilities and generates a detailed report.

(4) Nabou

Nabou is a Perl program for monitoring system changes. It provides checks such as file integrity and user accounts and stores all its data in a database. You can also embed Perl code in its configuration file to define your own functions and run custom tests.

(5) COPS

COPS reports system configuration errors and related information to perform security checks on Linux systems. It checks: permissions of files, directories and device files; the contents, format and permissions of important system files; the existence of SUID files owned by root; the CRC of important system binaries, to detect modification; and network applications such as anonymous FTP and Sendmail. Note that COPS is only a monitoring tool and does not fix anything it finds, so it is best used together with other tools. Its strength is identifying potential vulnerabilities.

(6) strobe

Strobe is a very fast TCP port scanner that records all open ports on the specified machine. It was originally used to scan mail servers on a LAN to obtain mail user information. Another important feature of Strobe is that it can quickly identify which services a machine is running, even with limited information.

(7) SATAN

SATAN can help system administrators detect security problems, and it can equally be used by network-based attackers to search for vulnerable systems. SATAN was designed as a security tool for systems and their administrators, but because it is comprehensive, easy to use and able to scan remote networks, it may also be used by the merely curious to locate vulnerable hosts. SATAN includes a table of network security tests, searches a specific system or subnet over the network, and reports its findings. It can search for the following weaknesses:

NFS: file systems exported to unprivileged programs or ports.
NIS: password file access.
rexd: whether access is blocked by a firewall.
Sendmail: various vulnerabilities.
FTP: ftp, wu-ftpd or tftp configuration problems.
Remote shell access: whether it is disabled or hidden.
X Windows: whether the host allows unrestricted access.
Modem: unrestricted dial-up access over TCP.

(8) IdentTCPscan

IdentTCPscan is a professional scanner that runs on many platforms. It adds the ability to identify the owner of the process behind a given TCP port, that is, the process's UID. Discovering the UID of a process lets it quickly spot misconfigurations, which is its most important function. It runs very fast and could be called an intruder's pet: a powerful and sharp tool.

2. Network-based scanning tools

(1) Nmap

Nmap, the Network Mapper, is released under the Free Software Foundation's GNU General Public License (GPL). Its basic functions are detecting whether a group of hosts is online, scanning host ports, enumerating network services, and determining the host's operating system. After downloading the software, run configure, make and make install to install the nmap binary on the system, then run nmap.

Nmap's syntax is simple but its functions are powerful. For example, the ping-scan option is "-sP". Once the target host or network is determined, scanning can begin. Running Nmap as root enhances its functions, because the superuser can create the custom packets that Nmap relies on. Scanning a single host or an entire network is easy: you only need to give Nmap the target address with a "/mask" suffix. Nmap also accepts various forms of network address, such as 192.168.100.*, to scan the hosts of the chosen subnet.

Ping scan. Intruders use Nmap to scan an entire network in search of targets. With the "-sP" option, Nmap by default sends an ICMP echo request and a TCP ACK to each host scanned, and a response to either tells Nmap the host is up, as shown in Figure 2.

Nmap supports several types of port scan. The "-sT" option performs a TCP connect scan, as shown in Figure 3.

Stealth scanning. If an attacker does not want the scan recorded in the target system's logs, a TCP SYN scan can help: the "-sS" option probes the host or network with SYN packets, as shown in Figure 4.
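A defender's note on the point above, added here and not part of the original article: a SYN scan leaves nothing in the target's application logs, but a packet filter that logs incoming SYNs (the iptables LOG format is used here) still records every probe. The following script counts distinct destination ports per source over constructed sample log lines; the threshold, host names and addresses are assumptions.

```shell
#!/bin/sh
# Added example (not part of Nmap): spotting a SYN scan in packet-filter logs.
# The sample lines below are constructed in iptables LOG format, not captured traffic.

SAMPLE_LOG='Mar  3 10:00:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Mar  3 10:00:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=80 SYN URGP=0
Mar  3 10:00:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=443 SYN URGP=0
Mar  3 10:00:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=8080 SYN URGP=0
Mar  3 10:00:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=64 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Mar  3 10:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=22 DPT=40001 ACK SYN URGP=0
Mar  3 10:00:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=80 SYN URGP=0'

# scan_sources THRESHOLD < logfile: print "SRC count" for every source that sent
# bare SYNs (no ACK flag, so SYN/ACK replies are ignored) to at least THRESHOLD
# distinct destination ports. Repeated probes of the same port count once.
scan_sources() {
    awk -v thr="$1" '
        /PROTO=TCP/ && / SYN / && !/ ACK / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
    ' | sort
}

# demo: run the filter over the constructed sample with a threshold of 3 ports.
# Prints "192.0.2.10 4": the scanner hit 4 distinct ports; the single SYN from
# 203.0.113.7 and the SYN/ACK reply are not reported.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | scan_sources 3
}
```

On a real gateway the same filter would be fed from the kernel log (for example, grep for "PROTO=TCP" in /var/log/messages or the output of journalctl -k), with the threshold tuned to the normal number of ports a legitimate client touches.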

If an attacker wants to know which UDP ports are open, he can perform a UDP scan. Nmap sends a 0-byte UDP packet to each port; if the host answers that the port is unreachable, the port is closed, as shown in Figure 5.

Operating system identification. The "-O" option detects the type of the remote operating system: by sending different kinds of probes to the host, Nmap narrows down the possible operating systems, as shown in Figure 6.

Ident scan. Attackers like to find computers where some process is vulnerable, such as a web server running as root. If the target machine runs identd, an attacker can use the "-I" option to find out which user owns the HTTP daemon. To scan a Linux web server, run the following command:

# nmap -sT -p 80 -I -O www.yourserver.com

Besides the scans above, Nmap offers many more options, and it is one of the essential tools of many Linux attackers. With it we can learn a system well, which lays the groundwork for what follows.

(2) p0f

p0f is very useful in network attacks. It performs passive operating system detection from SYN packets and can correctly identify the target system type. Unlike other scanners, it sends no data to the target; it passively receives the target's own traffic and analyses it. p0f is therefore a dedicated system identification tool; its fingerprint database is very detailed and frequently updated, and it is particularly suitable for installation on a gateway. After downloading the software, compile and install it with:

# tar zxvf p0f-1.8.2.tgz
# make && make install

p0f is easy to use. The following commands make p0f start automatically at boot to identify systems:

# cp p0f.init /etc/init.d/p0f
# chkconfig p0f on

The p0f logs can then be analysed at intervals. For convenience the p0f package provides a simple analysis script, p0frep, with which an attacker can easily find the addresses of remote hosts running a given system. p0f can also detect the presence or disguise of a firewall, the distance to the remote system and its uptime, other network connections, and the ISP.

(3) ISS

ISS Internet Scanner is a leading product in the global network security market. Through comprehensive, independent detection and analysis of network security vulnerabilities, it classifies risks into three levels, high, medium and low, and can generate a range of meaningful reports. The paid version of this software now provides more attack methods and is gradually moving toward commercialization.

(4) Nessus

Nessus is a powerful remote security scanner with strong reporting: it can generate security reports in HTML, XML, LaTeX, ASCII text and other formats, with a recommendation for each security issue. The software uses a client/server model: the server performs the security checks and the client configures and manages the server. The server also uses a plug-in system, so users can add plug-ins that perform specific functions for faster and more complex checks. Besides plug-ins, Nessus provides a scripting language for describing attack types, for additional security tests.

After downloading the software, unpack it and complete the installation. Then make sure the library path /usr/local/lib is listed in /etc/ld.so.conf; if not, add it and run ldconfig so that Nessus can find its runtime libraries. The Nessus configuration file is nessusd.conf, located in /usr/local/etc/nessus/; in general it is not recommended to change it. Note: you need to create a nessusd account for later logins when scanning. After these preparations, start the server as root with: nessusd -D.

On the client you specify the machine running the Nessus service, the port scanner to use, the tests to run and the IP address range to test. Nessus is multi-threaded, so you can set how many threads work at the same time. In this way the Nessus working configuration can be set remotely. Once configured, click start to begin scanning. When the scan completes a report is generated: all scanned hosts are listed on the left of the window, and clicking a host name lists on the right the security vulnerabilities the scan found on it. Clicking a vulnerability icon shows its severity, cause and solution.

(5) Nikto

Nikto is a scanner that tests many security aspects of web servers. It can scan for more than 200 kinds of potentially dangerous files, CGIs and other problems on more than 2000 servers. It also uses the Whisker library, but is usually updated more often than Whisker.

(6) Whisker

Whisker is a very good HTTP server vulnerability scanner that checks for a large number of known security vulnerabilities, especially dangerous CGI vulnerabilities. It is written in Perl and provides a library with which we can build our own HTTP scanner.

(7) Xprobe

XProbe is an active operating system fingerprinting tool that determines the operating system type of remote hosts. XProbe relies on fuzzy matching against a signature database and reasonable guesses to determine the remote operating system. Its unique feature is using the ICMP protocol for operating system fingerprinting: it sends a UDP packet to a high, unused port on the target host, the target responds with an ICMP packet, and XProbe then sends further packets to identify the target host's system. With this software it is easy to determine a target host's operating system.
