Hacking For Beginners – Manthan Desai 2010

cleaned correctly, a normal system administrator is unaware that the intrusion has even occurred until another site contacts him or the disks fill because of the sniffer logs.

The most severe threat to system security that can be caused by a rootkit comes from those that deploy LKM (Loadable Kernel Module) trojans. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel without requiring a kernel recompilation. Even if an infected system is rebooted, the LKM process will reload the Trojan during boot-up just like any other kernel module. Loadable Kernel Modules are used by many operating systems, including Linux, Solaris, and FreeBSD.

LKM rootkits facilitate the subversion of system binaries. Knark, Adore, and Rtkit are just a few of the many LKM rootkits available today. Because they run as part of the kernel, these rootkits are less detectable than conventional ones.

Let us see how a typical backdoor can be installed by an intruder.

The goal of a backdoor is to give the hacker access despite the measures taken by the compromised system's administrator, with the least amount of time and visibility. A backdoor that gives a local user root access can be: a set-uid program, a trojaned system program, or a cron job backdoor.

Set-uid programs. The attacker may plant a set-uid shell program in the file system, which when executed will grant root to the attacker.

Trojaned system programs. The attacker can alter some system programs, such as "login", so that they give him root access.

Cron job backdoor. The attacker may add or modify cron jobs so that his program runs and gives him root access.

A backdoor that gives a remote user root access can be: a ".rhosts" file, ssh authorized keys, a bind shell, or a trojaned service.
".rhosts" file. Once "+ +" is in some user's .rhosts file, anybody can log into that account from anywhere without a password.

ssh authorized keys. The attacker may put his public key into the victim's ssh configuration file "authorized_keys", so that he can log into that account without a password.

Bind shell. The attacker can bind a shell to a certain TCP port. Anybody who connects to that port with telnet gets an interactive shell. More sophisticated backdoors of this kind can be UDP based, unconnected TCP, or even ICMP based.

Trojaned service. Any open service can be trojaned to give access to a remote user. For example, a trojaned inetd program creates a bind shell on a certain port, or a trojaned ssh daemon grants access with a certain password.

After the intruder plants and runs the backdoor, his attention turns to hiding his files and processes. However, these can be easily detected by the system administrator, especially if the system is running Tripwire.

Let us see how an LKM rootkit helps achieve the attacker's needs.

In the case of LKM trojaned rootkits, the attacker can put the LKM in /tmp or /var/tmp, directories that the system administrator cannot monitor. Moreover, he can effectively hide files, processes, and network connections. Since he can modify the kernel structures, he can replace the original system calls with his own versions.
To hide files. Commands like "ls" and "du" use sys_getdents() to obtain the contents of a directory. The LKM simply filters out certain files so that they are hidden.

To hide processes. In Linux implementations, process information is mapped to a directory in the /proc file system. An attacker can modify sys_getdents() and mark a process as invisible in the task structure. The usual implementation is to set the task's flag (signal number) to some unused value.

To hide network connections. Similar to process hiding, the attacker can try to hide entries inside the /proc/net/tcp and /proc/net/udp files. He can trojan sys_read() so that whenever the system reads these two files and a line matches a certain string, the system call does not reveal the network connection.
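A defender's check against the process-hiding technique described above, added here as an example and not code from the book: a getdents() filter removes entries from a listing of /proc, but a process that still exists will answer kill(pid, 0) and its /proc/<pid>/status is still readable by path, so comparing the listed PIDs with a brute-force probe of every PID exposes the discrepancy. Function names are mine; a rootkit that also hooks the kill or read paths would evade this particular check.

```python
import errno
import os


def probe_pid(pid: int) -> bool:
    """True if a process with this PID exists, judged by kill(pid, 0)
    rather than by listing /proc. EPERM means it exists but is not ours."""
    try:
        os.kill(pid, 0)
    except OSError as exc:
        return exc.errno == errno.EPERM
    return True


def is_thread_group_leader(pid: int) -> bool:
    """Threads also answer kill(), so keep only real processes (Tgid == Pid).
    Reads /proc/<pid>/status by path, which a getdents filter alone does not hide."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            fields = dict(line.split(":", 1) for line in fh if ":" in line)
        return int(fields["Tgid"]) == pid
    except (OSError, KeyError, ValueError):
        return False


def listed_pids(proc_dir: str = "/proc") -> set:
    """PIDs visible through a directory listing, i.e. what ls and ps see."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def probed_pids(max_pid: int) -> set:
    """PIDs found by probing every number from 1 to max_pid directly."""
    return {pid for pid in range(1, max_pid + 1)
            if probe_pid(pid) and is_thread_group_leader(pid)}


def hidden_pids(listed: set, probed: set) -> list:
    """Processes that exist but are absent from the listing: the trace a
    getdents-filtering LKM rootkit leaves behind."""
    return sorted(probed - listed)


if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    print("suspicious pids:", hidden_pids(listed_pids(), probed_pids(max_pid)))
```

Processes that start or exit between the two scans can show up once as spurious hits, so repeat the scan before treating a PID as hidden.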
www.hackingtech.co.tv Page 89