A valuable extension to the Hacking Exposed franchise; the authors do a great job of incorporating the vast pool of knowledge of security testing from the team who built the Open Source Security Testing Methodology Manual (OSSTMM) into an easy-to-digest, concise read on how Linux systems can be hacked.
Steven Splaine
Author, The Web Testing Handbook and Testing Web Security
Industry-Recognized Software Testing Expert

With Pete being a pioneer of open-source security methodologies, directing ISECOM, and formulating the OPSA certification, few people are more qualified to write this book than him.
Matthew Conover
Principal Software Engineer
Core Research Group, Symantec Research Labs

You’ll feel as if you are sitting in a room with the authors as they walk you through the steps the bad guys take to attack your network and the steps you need to take to protect it. Or, as the authors put it: “Separating the asset from the threat.” Great job, guys!
Michael T. Simpson, CISSP
Senior Staff Analyst
PACAF Information Assurance

An excellent resource for security information, obviously written by those with real-world experience. The thoroughness of the information is impressive—very useful to have it presented in one place.
Jack Louis
Security Researcher

HACKING EXPOSED™ LINUX: LINUX SECURITY SECRETS & SOLUTIONS
THIRD EDITION
ISECOM
New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto

Copyright © 2008 by The McGraw-Hill Companies. All rights reserved. Manufactured in the United States of America. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.
0-07-159642-9

The material in this eBook also appears in the print version of this title: 0-07-226257-5.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. For more information, please contact George Hoare, Special Sales, at george_hoare@mcgraw-hill.com or (212) 904-4069.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

DOI: 10.1036/0072262575

As Project Leader, I want to dedicate this book to all the volunteers who helped out and contributed through ISECOM to make sense of security so the rest of the world can find a little more peace. It’s the selfless hackers like them who make being a hacker such a cool thing. I also need to say that all this work would be overwhelming if not for my unbelievably supportive wife, Marta. Even my three children, Ayla, Jace, and Aidan, who can all put ISECOM on the list of their first spoken words, were all very helpful in the making of this book.
—Pete Herzog

ABOUT THE AUTHORS

This book was written according to the ISECOM (Institute for Security and Open Methodologies) project methodology. ISECOM is an open, nonprofit security research and certification organization established in January 2001 with the mission to make sense of security. They release security standards and methodologies under the Open Methodology License for free public and commercial use.
This book was written by multiple authors, reviewers, and editors—too many to all be listed here—who collaborated to create the best Linux hacking book they could. Since no one person can master everything you may want to do in Linux, a community wrote the book on how to secure it. The following people contributed greatly and should be recognized.

About the Project Leader

Pete Herzog

As Managing Director, Pete is the co-founder of ISECOM and creator of the OSSTMM. At work, Pete focuses on scientific, methodical testing for controlling the quality of security and safety. He is currently managing projects in development that include security for homeowners, hacking lessons for teenagers, source-code static analysis, critical-thinking training for children, wireless certification exam and training for testing the operational electromagnetic spectrum, a legislator’s guide to security solutions, a Dr. Seuss–type children’s book in metered prose and rhyme, a security analysis textbook, a guide on human security, solutions for university security and safety, a guide on using security for national reform, a guide for factually calculating trust for marriage counselors and family therapists, and of course, the Open Source Security Testing Methodology Manual (OSSTMM). In addition to managing ISECOM projects, Pete teaches in the Masters for Security program at La Salle University in Barcelona and supports the worldwide security certification network of partners and trainers. He received a bachelor’s degree from Syracuse University. He currently only takes time off to travel in Europe and North America with his family.

About the Project Managers

Marta Barceló

Marta Barceló is Director of Operations, co-founder of ISECOM, and is responsible for ISECOM business operations. In early 2003, she designed the process for the Hacker Highschool project, developing and designing teaching methods for the website and individual and multilingual lessons.
Later that same year, she developed the financial and IT operations behind the ISESTORM conferences. In 2006, Marta was invited to join the EU-sponsored Open Trusted Computing consortium to manage ISECOM’s participation within the project, including financial and operating procedures. In 2007, she began the currently running advertising campaign for ISECOM, providing all creative and technical skills as well as direction. Marta maintains the media presence of all ISECOM projects and provides technical server administration for the websites. She attended Mannheim University of Applied Sciences in Germany and graduated with a masters in computer science. In addition to running ISECOM, Marta has a strong passion for the arts, especially photography and graphic design, and her first degree is in music from the Conservatori del Liceu in Barcelona.

Rick Tucker

Rick Tucker has provided ISECOM with technical writing, editing, and general support on a number of projects, including SIPES and Hacker Highschool. He currently resides in Portland, Oregon, and works for a small law firm as the go-to person for all manner of mundane and perplexing issues.

About the Authors

Andrea Barisani

Andrea Barisani is an internationally known security researcher. His professional career began eight years ago, but it all really started with a Commodore-64 when he was ten years old. Now Andrea is having fun with large-scale IDS/firewall-deployment administration, forensic analysis, vulnerability assessment, penetration testing, security training, and his open-source projects. He eventually found that system and security administration are the only effective way to express his need for paranoia. Andrea is the founder and project coordinator of the oCERT effort, the Open Source CERT.
He is involved in the Gentoo project as a member of the Security and Infrastructure Teams and is part of the Open Source Security Testing Methodology Manual, becoming an ISECOM Core Team member. Outside the community, he is the co-founder and chief security engineer of Inverse Path, Ltd. He has been a speaker and trainer at the PacSec, CanSecWest, BlackHat, and DefCon conferences among many others.

Thomas Bader

Thomas Bader works at Dreamlab Technologies, Ltd., as a trainer and solution architect. Since the early summer of 2007, he has been in charge of ISECOM courses throughout Switzerland. As an ISECOM team member, he participates in the development of the OPSE certification courses, the ISECOM test network, and the OSSTMM. From the time he first came into contact with open-source software in 1997, he has specialized in network and security technologies. Over the following years, he has worked in this field and gained a great deal of experience with different firms as a consultant and also as a technician. Since 2001, Thomas has worked as a developer and trainer of LPI training courses. Since 2006, he has worked for Dreamlab Technologies, Ltd., the official ISECOM representative for the German- and French-speaking countries of Europe.

Simon Biles

Simon Biles is the director and lead consultant at Thinking Security, a UK-based InfoSec Consultancy. He is the author of The Snort Cookbook from O’Reilly, as well as other material for ISECOM, Microsoft, and SysAdmin magazine. He is currently pursuing his masters in forensic computing at the Defence Academy in Shrivenham. He holds a CISSP, OPSA, is an ISO17799 Lead Auditor, and is also a Chartered Member of the British Computer Society. He is married with children (several) and reptiles (several).
His wife is not only the most beautiful woman ever, but also incredibly patient when he says things like “I’ve just agreed to <insert time-drain here>.” In his spare time, when that happens, he likes messing about with Land Rovers and is the proud owner of a semi-reliable, second-generation Range Rover.

Colby Clark

Colby Clark is Guidance Software’s Network Security Manager and has the day-to-day responsibility for overseeing the development, implementation, and management of their information security program. He has many years of security-related experience and has a proven track record with Fortune 500 companies, law firms, financial institutions, educational institutions, telecommunications companies, and other public and private companies in regulatory compliance consulting and auditing (Sarbanes Oxley and FTC Consent Order), security consulting, business continuity, disaster recovery, incident response, and computer forensic investigations. Colby received an advanced degree in business administration from the University of Southern California, maintains the EnCE, CISSP, OPSA, and CISA certifications, and has taught advanced computer forensic and incident response techniques at the Computer and Enterprise Investigations Conference (CEIC). He is also a developer of the Open Source Security Testing Methodology Manual (OSSTMM) and has been with ISECOM since 2003.

Raoul Chiesa

Raoul “Nobody” Chiesa has 22 years of experience in information security and 11 years of professional knowledge. He is the founder and president of @ Mediaservice.net Srl, an Italian-based, vendor-neutral security consulting company. Raoul is on the board of directors for the OWASP Italian Chapter, Telecom Security Task Force (TSTF.net), and the ISO International User Group. Since 2007, he has been a consultant on cybercrime issues for the UN at the United Nations Interregional Crime & Justice Research Institute (UNICRI).
He authored Hacker Profile, a book which will be published in the U.S. by Taylor & Francis in late 2008. Raoul’s company was the first worldwide ISECOM partner, launching the OPST and OPSA classes back in 2003. At ISECOM, he works as Director of Communications, enhancing ISECOM evangelism all around the world.

Pablo Endres

Pablo Endres is a security engineer/consultant and technical solution architect with a strong background built upon his experience at a broad spectrum of companies: wireless phone providers, VoIP solution providers, contact centers, universities, and consultancies. He started working with computers (an XT) in the late 1980s and holds a degree in computer engineering from the Universidad Simón Bolívar at Caracas, Venezuela. Pablo has been working, researching, and playing around with Linux, Unix, and networked systems for more than a decade. Pablo would like to thank Pete for the opportunity to work on this book and with ISECOM, and last but not least, his wife and parents for all the support and time sharing.

Richard Feist

Richard has been working in the computer industry since 1989 when he started as a programmer and has since moved through various roles. He has a good view of both business and IT and is one of the few people who can interact in both spaces. He recently started his own small IT security consultancy, Blue Secure. He currently holds various certifications (CISSP, Prince2 Practitioner, OPST/OPSA trainer, MCSE, and so on) in a constant attempt to stay up-to-date.

Andrea Ghirardini

Andrea “Pila” Ghirardini has over seven years’ expertise in computer forensics analysis. The labs he leads (@PSS Labs, http://www.atpss.net) have assisted Italian and Swiss Police Special Units in more than 300 different investigations related to drug dealing, fraud, tax fraud, terrorism, weapons trafficking, murder, kidnapping, phishing, and many others.
His labs are the oldest ones in Italy, continuously supported by the company team’s strong background in building CF machines and storage systems in order to handle and examine digital evidence, using both open-source-based and commercial tools. In 2007, Andrea wrote the first book ever published in Italy on computer forensics investigations and methodologies (Apogeo Editore). In this book, he also analyzed Italian laws related to these kinds of crimes. Andrea holds the third CISSP certification in Italy.

Julian “HammerJammer” Ho

Julian “HammerJammer” Ho is co-founder of ThinkSECURE Pte, Ltd., (http://securitystartshere.org), an Asia-based practical IT security certification/training authority and professional IT security services organization and an ISECOM-certified OPST trainer. Julian was responsible for design, implementation, and maintenance of security operations for StarHub’s Wireless Hotzones in Changi International Airport Terminals 1 and 2 and Suntec Convention Centre. He is one half of the design team for BlackOPS:HackAttack 2004, a security tournament held in Singapore; AIRRAID (Asia’s first-ever pure wireless hacking tournament) in 2005; and AIRRAID2 (Thailand’s first-ever public hacking tournament) in 2008. He also contributed toward research and publication of the WCCD vulnerability in 2006. Julian created and maintains the OSWA-Assistant wireless auditing toolkit, which was awarded best in the Wireless Testing category and recommended/excellent in the LiveCDs category by Security-Database.com in their “Best IT Security and Auditing Software 2007” article.

[...]
representative in a republic is not an absolute mirror of all the people being represented. As with the entire Hacking Exposed series, the basic building blocks of this book are the attacks and countermeasures discussed in each chapter. The attacks are highlighted here as they are throughout the Hacking Exposed series.

This Is an Attack Icon
Highlighting attacks like this makes it easy to identify specific...

points you right to the information you need to convince management to fund your new security initiative. Each attack is also accompanied by a Risk Rating, scored exactly as in Hacking Exposed:
Popularity: The frequency of use in the wild against live targets, 1 being most rare, 10 being widely used
Simplicity: The degree...

and reconfigured by whim and can differ from machine to machine? You will seldom find two identical systems. How then can you approach the possibility of providing security for all of them? This edition of Hacking Exposed Linux is based on the work of ISECOM, an open security research organization with the mission to “Make sense of security.” ISECOM has thousands of members worldwide and provides extensive...

is also how this edition was developed. Many security enthusiasts and professionals collaborated to create a book that is factual, practical, and really captures the spirit of Linux. Only in this way can you expect to find the means of securing Linux in all of its many forms. ...

browse through the book at your leisure.

What’s New in This Edition?
Unlike many other books that release edition updates, this particular one has been completely rewritten to assure a best fit to the ISECOM mission of making sense of security. All the material is completely new, based upon the most recent and thorough security research. The hacking and countermeasures are based on the OSSTMM, the security...

first-ever pure wireless hacking tournament) in 2005, and AIRRAID2 (Thailand’s first-ever public hacking tournament). Christopher is also very actively involved in security research; he likes to code and created the Probemapper and MoocherHunter tools, both of which can be found in the OSWA-Assistant wireless auditing toolkit.

Ty Miller

Ty Miller is Chief Technical Officer at Pure Hacking in Sydney, Australia...

Part II Hacking the System 4 Local Access Control Case Study Physical Access to Linux Systems Console Access Privilege...

Industrial Applications Summary Part III Hacking the Users 13 Web Application Hacking Case Study Enumeration Access and Controls Exploitation...

DNS Basics DNS and IPv6 The Social Aspect: DNS and Phishing WHOIS and Domain Registration and Domain Hijacking The Technical...

achieved their status through rigorous training and quality assurance programs so they are a great security reference for you.

THE BASIC BUILDING BLOCKS: ATTACKS AND COUNTERMEASURES

Like the previous editions, this edition incorporates the familiar usability of icons, formatting, and the Risk Ratings. For those who do not like the Risk Rating or feel it is too general or biased, keep in mind that risk itself