OSS Linux Workshop

This is the outline from the talk given to the CSUF Offensive Security Society (OSS) Club on Friday, 16 March 2018. A big thanks goes to Shelley and Brandon for inviting me.

I also gave the same talk the next morning at OCLUG. Thanks go to Steve for setting up the talk.

This outline is available in Emacs Org format, HTML, and plain text.

What are you looking at?

  • Laptop: System76 Gazelle Pro 8, running Slackware
  • Xorg desktop running Openbox
  • Emacs with an Org Mode document open
  • Web browser: Pale Moon <http://www.palemoon.org/>

About me

  • Name: Kyle Terrien
  • Alias: "klipkyle"
  • Studied Computer Science at CSUF
  • Graduated in May 2016
  • Working for Dell EMC on data protection "appliances"
  • Website: https://klipkyle.gitlab.io/

How did you get into Linux?

Telesphoreo (iPhone)

First Linuxes I used

  • First Linux install: Linux Mint 7 Gloria (2009)
  • 2013: started using Linux desktop as a daily driver
  • Desktops: Linux Mint, Arch Linux, Slackware
  • Servers (professional): SUSE Linux Enterprise, Red Hat Enterprise, Slackware

Documentation

  • man
  • /usr/doc (or /usr/share/doc)
  • Web

Books

  • Many. Online resources are good too.
  • Eric Raymond - "Cathedral and the Bazaar": http://www.catb.org/esr/writings/cathedral-bazaar/
  • Linux in a Nutshell (O'Reilly Media)
  • Unix System Administration Handbook
  • Internet Standards and Protocols (Microsoft Press) (Warning: out of date!)

Basic commands

cd/ls/pwd

mv/cp

touch/mkdir

rm/rmdir

chown/chmod

Unix Philosophy

Simplicity

  • Simplicity of design, not ease of use
  • I abhor a system designed for the "user", if that word is a coded pejorative meaning "stupid and unsophisticated". – Ken Thompson
  • Controlling complexity is the essence of computer programming. – Brian Kernighan

Everything is a file

Look under /dev

Expert-friendly

  • Unix was not designed to stop you from doing stupid things, because that would also stop you from doing clever things. – Doug Gwyn
  • To design the perfect anti-Unix, write an operating system that thinks it knows what you're doing better than you do. And then adds injury to insult by getting it wrong. – Eric S. Raymond, The Art of Unix Programming

Pipelines

Output of one command can be used as the input of another.

ntpq -pn | grep '^*'

Separation of user-space and kernel-space

User-space processes make syscalls to switch to kernel space

Searching and filtering: grep/sed/awk

grep

Search for a string (or regexp).

grep http /etc/services

sed

Edit contents of a stream.

sed 's/http/https/' /etc/services

awk

Parse and print reports.

awk '{print $2;}' /etc/services
awk '/http/' /etc/services
awk '$1 ~ /http/' /etc/services
awk '$1 == "http"' /etc/services
awk '$1 == "http" {print $2;}' /etc/services
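
The five awk one-liners above differ in how they match; this added example (not from the talk) runs the regex match, the exact field match and a reverse lookup over a constructed excerpt in /etc/services format, so the difference between `$1 ~ /http/` and `$1 == "http"` is visible on fixed input:

```shell
#!/bin/sh
# Constructed excerpt in /etc/services format (not the real file), so the
# functions below behave the same on every machine.
SERVICES='# service-name  port/protocol   [aliases ...]   [# comment]
http            80/tcp          www www-http    # WorldWideWeb HTTP
http            80/udp          www www-http
https           443/tcp                         # http protocol over TLS/SSL
https           443/udp
http-alt        8080/tcp        webcache        # WWW caching service
ssh             22/tcp                          # SSH Remote Login Protocol'

# Regex match on field 1 ($1 ~ pat): the pattern "http" also hits https and
# http-alt. The !seen[$1]++ idiom prints each name once, in order of first
# appearance; comment lines are skipped.
services_matching() {
    printf '%s\n' "$SERVICES" |
        awk -v pat="$1" '/^#/ { next } $1 ~ pat && !seen[$1]++ { print $1 }' |
        paste -sd ' ' -
}

# Exact match on field 1 ($1 == name): only the service literally called "http".
ports_for() {
    printf '%s\n' "$SERVICES" |
        awk -v name="$1" '/^#/ { next } $1 == name { print $2 }' |
        paste -sd ' ' -
}

# Reverse lookup on field 2: which service name owns a given port/protocol?
name_for_port() {
    printf '%s\n' "$SERVICES" |
        awk -v port="$1" '/^#/ { next } $2 == port { print $1 }'
}
```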

Secure shell: ssh

Regular usage

ssh <host>
ssh <user>@<host>
ssh <host> <command>
ssh <host> -t <command>

Install key on remote system

ssh-copy-id -i ~/.ssh/id_rsa.pub <host>

SSH agent

ssh-agent bash
ssh-add [<key>]

Copy over SSH

scp <remote>:<path_to_file> <local_path>

rsync

  • Copy file tree across hosts
    rsync -av remote:/path/to/dir/ /path/to/local/dir/
    

CentOS

Binary compatible rebuild of Red Hat Enterprise Linux

GRUB2 bootloader

  • Press e to edit boot options

Apache httpd

  • Start and enable Apache
    sudo systemctl start httpd
    sudo systemctl enable httpd
    
  • Put files in
    /var/www/html/
    /var/www/htdocs/
    /srv/www/
    
  • Configuration is in
    /etc/httpd/
    /etc/apache2/
    

Firewalld

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

HTTP pocketknife: curl

Command-line downloader

Basic usage

curl http://www.example.com
curl -I http://www.example.com
curl -i http://www.example.com

wttr.in

curl wttr.in
curl -s wttr.in | colorstrip

HTTP downloader: wget

Another command-line downloader; it also supports recursive downloads.

Basic usage

wget http://192.168.58.104/images/apache_pb.gif

Recursive downloading

Read the manual before attempting!

wget -r -m -np http://192.168.58.104/

Checking open ports: netstat

  • List all listening sockets
    netstat -tulpn
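
Reading `netstat -tulpn` by eye is fine for one host; this added example (not from the talk) does the same audit in awk over a constructed sample of that output: it lists sockets bound to a wildcard address, i.e. reachable from every interface, and then flags any whose program is not on an allowlist. The sample rows, PIDs and program names are made up.

```shell
#!/bin/sh
# Constructed sample of `netstat -tulpn` output (not captured from a real host).
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1034/master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/httpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      990/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp6       0      0 :::8080                 :::*                    LISTEN      1450/java
udp        0      0 0.0.0.0:123             0.0.0.0:*                           700/chronyd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           700/chronyd'

# Print "proto port pid/program" for every socket bound to a wildcard address
# (0.0.0.0 or ::), i.e. reachable from every interface; loopback binds are
# left out. $NF is used for the program because UDP rows have no State
# column, which shifts the field numbers.
exposed_listeners() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk '
        $1 !~ /^(tcp|udp)6?$/ { next }      # skip the two header lines
        {
            addr = $4
            n = split(addr, part, ":"); port = part[n]
            sub(/:[0-9]+$/, "", addr)       # host part only
            if (addr == "0.0.0.0" || addr == "::")
                printf "%s %s %s\n", $1, port, $NF
        }'
}

# Report exposed sockets whose program is not on a space-separated allowlist:
# the "what is that doing there?" check an admin makes after netstat -tulpn.
unexpected_listeners() {
    exposed_listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { prog = $3; sub(/^[0-9]+\//, "", prog); if (!(prog in ok)) print }'
}
```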
    

Checking open ports: nmap

Firewall rules: iptables

  • List all iptables rules
    iptables -nvL
    iptables -nvL -t nat
    ip6tables -nvL
    
  • Set a bunch of iptables rules at once
    iptables-restore /etc/iptables
    ip6tables-restore /etc/ip6tables
    

Generic TCP pocketknife: netcat (nc)

  • Client: nc <host> <port>
  • Server
    • Traditional and GNU: nc -l -p <port> -s <listen_addr>
    • OpenBSD: nc -l <listen_addr> <port>
    • nmap ncat: ncat -l <listen_addr> <port>

Real-world hacking: tar trick

  • Copy directory recursively from remote host
    ssh root@centos tar cC /etc/httpd . | tar xvC /home/kyle/tmp/httpd
    
  • Copy directory recursively to remote host
    tar cC /etc/httpd . | ssh kyle@192.168.58.1 tar xvC /home/kyle/tmp/httpd
    
  • Challenge: use this trick with netcat
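
The tar pipeline above works because the left tar writes an archive to stdout and the right tar reads one from stdin; this added example (not from the talk) runs that pipeline on a constructed directory tree and then fingerprints both trees, which is the check worth doing before trusting a copy that crossed the network via ssh or netcat. The function names and the sample files are made up.

```shell
#!/bin/sh
# The talk's pipeline, `tar cC <src> . | tar xvC <dst>`, with the implicit
# stdout/stdin archive spelled out as `-f -` so it does not depend on the
# tar build's default archive. Locally the two tars are joined by a plain
# pipe; across hosts one side of that pipe is wrapped in ssh (or nc).
tar_copy() {
    src=$1; dst=$2
    mkdir -p "$dst" && tar -cf - -C "$src" . | tar -xf - -C "$dst"
}

# Fingerprint every regular file under a tree: relative path, size, CRC.
# Identical fingerprints mean identical content.
tree_fingerprint() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          cksum < "$f" | { read -r sum size; printf '%s %s %s\n' "$f" "$size" "$sum"; }
      done )
}

# Demo on a constructed tree in a temporary directory; returns 0 only when
# the copy is byte-for-byte identical to the original.
demo_tar_copy() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/conf.d" "$work/src/logs"
    printf 'Listen 80\n' > "$work/src/httpd.conf"
    printf 'LoadModule ssl_module modules/mod_ssl.so\n' > "$work/src/conf.d/ssl.conf"
    : > "$work/src/logs/access_log"              # an empty file must survive too
    if tar_copy "$work/src" "$work/dst" &&
       [ "$(tree_fingerprint "$work/src")" = "$(tree_fingerprint "$work/dst")" ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}
```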

Mapping network topology: traceroute

traceroute www.example.com

System service manager: systemd

You must either be root or a member of the wheel group.

Start a service

sudo systemctl start httpd

Check the status of a service

sudo systemctl status httpd

Automatically start a service

sudo systemctl enable httpd

Analyze bootup times

sudo systemd-analyze plot

Real world example: reset root password

See my guide: https://github.com/linuxcsuf/linuxcsuf/wiki/Rescue-boot

  1. In GRUB, try to boot in single user mode (single, systemd.unit=rescue.target, or rd.break).
  2. Didn't work? Hijack the entire init process. Try to boot with
    init=/bin/sh
    mount -o remount,rw /
    
  3. Didn't work? Boot from a Live CD. If you do this, mount the partition and then chroot in.
    mount /dev/sda1 /mnt
    chroot /mnt /bin/su -
    
  4. When you find the system /etc/shadow, set a root password
    passwd
    
  5. Some systems (e.g. RHEL) require SELinux labels to be regenerated.
    touch /.autorelabel
    
  6. Reboot as cleanly as possible.

Audio/Video pocketknife: mpv

Basic usage

  • Local file
    mpv <file>
    
  • Youtube
    mpv https://www.youtube.com/watch?v=9SFFmbSPH5Y
    

Real-world hacking: pulling audio from a Youtube video

  • List formats
    youtube-dl -F https://www.youtube.com/watch?v=J2QE8pR2lX4
    
  • Download
    youtube-dl -f 251 https://www.youtube.com/watch?v=J2QE8pR2lX4
    
  • Stream
    mpv --ytdl-format 251 https://www.youtube.com/watch?v=J2QE8pR2lX4
    

Real-world hacking: getting a radio stream

Try it: http://www.885fm.org/

mpv <url>

Philosophy

Security

  • Security and convenience are inversely proportional.
  • Security is largely the way a computer is used. – Jack Denman

"Can we?" versus "Should we?"

Example: Nectome mind-uploading service can preserve your brain, but you must be euthanized first.

https://www.technologyreview.com/s/610456/a-startup-is-pitching-a-mind-uploading-service-that-is-100-percent-fatal/amp/

Bending the rules

"The worse the (objective) evil, the more the perpetrator was completely convinced of the goodness of himself and of his 'purification'." – Erik Naggum http://genius.cat-v.org/erik-naggum/punishers-and-moralists