Lab 1 – use nmap to discover open services on your machine – use your linux virtual machine
- Login to your linux virtual machine as root with the password password
- open up a terminal
- scan yourself with nmap using the command
nmap -P0 -sT localhost
You should see the following
Starting Nmap 4.11 ( ) at 2010-04-06 15:14 EDT
Interesting ports on securityplus (127.0.0.1):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp
890/tcp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 0.112 seconds
Lab 2 – turn off unneeded services
- We will now turn off the following services that are not needed
- telnet
- smtp
- cups (ipp)
- type the following commands as root
- chkconfig telnet off
- chkconfig sendmail off
- chkconfig cups off
- /etc/init.d/sendmail stop
- /etc/init.d/cups stop
- now rescan yourself with nmap (nmap -P0 -sT localhost)
You should now see telnet, smtp and ipp are no longer available!
Starting Nmap 4.11 ( ) at 2010-04-06 15:18 EDT
Interesting ports on securityplus (127.0.0.1):
Not shown: 1676 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
890/tcp open unknown
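As an added example (not part of the lab handout), the "before" and "after" scans above can be compared against a list of services you expect to be open, so that leftover services are flagged automatically instead of by eye. The scan text and the expected list are constructed here from the handout's output; the function only uses awk, so it runs on any POSIX shell without nmap installed.

```shell
#!/bin/sh
# Constructed copies of the Lab 1 / Lab 2 scan output (Nmap 4.x text format).
SCAN_BEFORE='Starting Nmap 4.11 ( ) at 2010-04-06 15:14 EDT
Interesting ports on securityplus (127.0.0.1):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
111/tcp open rpcbind
631/tcp open ipp
890/tcp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 0.112 seconds'

SCAN_AFTER='Starting Nmap 4.11 ( ) at 2010-04-06 15:18 EDT
Interesting ports on securityplus (127.0.0.1):
Not shown: 1676 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
890/tcp open unknown
Nmap finished: 1 IP address (1 host up) scanned in 0.105 seconds'

# Baseline of ports that are allowed to be open on this machine (an assumption
# for the example; 890/tcp is kept only because the handout's "after" scan shows it).
EXPECTED="22/tcp 111/tcp 890/tcp"

# unexpected_open SCAN EXPECTED
# Prints "port service" for every open port in SCAN that is not in EXPECTED.
# Returns 1 if any such port exists, 0 if the scan matches the baseline.
unexpected_open() {
    printf '%s\n' "$1" | awk -v expected="$2" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        # Port rows look like "22/tcp open ssh"; headers and summary lines are skipped.
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && !($1 in ok) { print $1, $3; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Lab 2 check: the first scan should report telnet, smtp and ipp; the second should be clean.
for scan in "$SCAN_BEFORE" "$SCAN_AFTER"; do
    if unexpected_open "$scan" "$EXPECTED"; then
        echo "OK: only expected services are open"
    else
        echo "DRIFT: the ports listed above should be turned off"
    fi
done
```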
Lab 3 – Determine what versions of software are on your system (banner grabs)
- Determine what version of the ssh software you are running, type
nmap -sTV -p 22 -P0 localhost
What is the ssh software and version you are running? ______
- How does this information help an attacker in profiling your system? ______
Lab 4 – run john the ripper against your password file
- Login to your linux virtual machine as root with password password
- open a terminal window
- run john the ripper against your password file (stored in /etc/shadow) with the command
cd /root/john/run
./john /etc/shadow
- See how fast the passwords were cracked!
Lab 5 – Scan for setuid files
Setuid files are special files on unix that run with the privileges of the file OWNER rather than the logged-in user. These are necessary for some operations, but they can be VERY dangerous. find is a tool you can use to identify setuid files.
- Login to your linux virtual machine as root
- open a terminal window
- run the find command on the /sbin directory to find setuid files in /sbin
find /sbin -type f -perm -4000 -print | xargs ls -ld
you should see results similar to the following
-rwsr-x--- 1 root ecryptfs 12000 Sep 3 2009 /sbin/mount.ecryptfs_private
-rwsr-xr-x 1 root root 71156 Sep 3 2009 /sbin/mount.nfs
-rwsr-xr-x 1 root root 71160 Sep 3 2009 /sbin/mount.nfs4
-rwsr-xr-x 1 root root 12248 Mar 11 12:24 /sbin/pam_timestamp_check
-rwsr-xr-x 1 root root 71160 Sep 3 2009 /sbin/umount.nfs
-rwsr-xr-x 1 root root 71160 Sep 3 2009 /sbin/umount.nfs4
-rwsr-xr-x 1 root root 19184 Mar 11 12:24 /sbin/unix_chkpwd
Note the "s" in "rws", which signifies a setuid file.
You could run the following command to identify ALL the setuid files on the entire system (don't do it now, it will take too long):
find / -type f -perm -4000 -print | xargs ls -ld
Lab 6 – tcp wrappers – use your linux virtual machine
- Login to your linux virtual machine as root
- open a terminal
- find your IP address with the command
ifconfig eth0
- record the IP address for eth0 ______
- try to ssh to that IP address with the command
ssh your_ip_address
- can you connect? ______
- do not login, cancel with control-c
- view the current contents of your /etc/hosts.deny file using the command
cat /etc/hosts.deny
- you can see there are no entries (except comments) in /etc/hosts.deny
- add a line to /etc/hosts.deny to restrict ssh from everywhere but localhost using the command (note that > replaces the file's contents, which is fine here because the file held only comments)
echo "sshd: ALL EXCEPT 127.0.0.1" > /etc/hosts.deny
- view /etc/hosts.deny again with the command
cat /etc/hosts.deny
- your line should have been added
- now try to ssh again to your IP address with the command
ssh your_ip_address
- You should not have been able to login (it will simply hang for a few seconds before closing)
- Now try to ssh to "localhost" with the command
ssh localhost
- were you able to login? ______(you should have been able to login)