OSS Linux Workshop

This is the outline from the talk given to the CSUF Offensive Security Society (OSS) Club on Friday, 16 March 2018. A big thanks goes to Shelley and Brandon for inviting me.

I also gave the same talk the next morning at OCLUG. Thanks goes to Steve for setting up the talk.

This outline is available in Emacs Org format, HTML, and plain text.

1 What are you looking at?

  • Laptop: System76 Gazelle Pro 8, running Slackware
  • Xorg desktop running Openbox
  • Emacs with an Org Mode document open
  • Web browser: Pale Moon <http://www.palemoon.org/>

2 About me

  • Name: Kyle Terrien
  • Alias: "klipkyle"
  • Studied Computer Science at CSUF
  • Graduated in May 2016
  • Working for Dell EMC on data protection "appliances"
  • Website: https://klipkyle.gitlab.io/

3 How did you get into Linux?

3.1 Telesphoreo (iPhone)

3.2 First Linuxes I used

  • First Linux install: Linux Mint 7 Gloria (2009)
  • 2013: started using Linux desktop as a daily driver
  • Desktops: Linux Mint, Arch Linux, Slackware
  • Servers (professional): SUSE Linux Enterprise, Red Hat Enterprise, Slackware

4 Documentation

  • man
  • /usr/doc (or /usr/share/doc)
  • Web

5 Books

  • Many. Online resources are good too.
  • Eric Raymond - "Cathedral and the Bazaar": http://www.catb.org/esr/writings/cathedral-bazaar/
  • Linux in a Nutshell (O'Reilly Media)
  • Unix System Administration Handbook
  • Internet Standards and Protocols (Microsoft Press) (Warning: out of date!)

6 Basic commands

6.1 cd/ls/pwd

6.2 mv/cp

6.3 touch/mkdir

6.4 rm/rmdir

6.5 chown/chmod

7 Unix Philosophy

7.1 Simplicity

  • Simplicity of design, not ease of use
  • I abhor a system designed for the "user", if that word is a coded pejorative meaning "stupid and unsophisticated". – Ken Thompson
  • Controlling complexity is the essence of computer programming. – Brian Kernighan

7.2 Everything is a file

Look under /dev

7.3 Expert-friendly

  • Unix was not designed to stop you from doing stupid things, because that would also stop you from doing clever things. – Doug Gwyn
  • To design the perfect anti-Unix, write an operating system that thinks it knows what you're doing better than you do. And then adds injury to insult by getting it wrong. – Eric S. Raymond, The Art of Unix Programming

7.4 Pipelines

Output of one command can be used as the input of another.

ntpq -pn | grep '^*'

7.5 Separation of user-space and kernel-space

User-space processes make syscalls to switch to kernel space.

8 Searching and filtering: grep/sed/awk

8.1 grep

Search for a string (or regexp).

grep http /etc/services

8.2 sed

Edit contents of a stream.

sed 's/http/https/' /etc/services

8.3 awk

Parse and print reports.

awk '{print $2;}' /etc/services
awk '/http/' /etc/services
awk '$1 ~ /http/' /etc/services
awk '$1 == "http"' /etc/services
awk '$1 == "http" {print $2;}' /etc/services

9 Secure shell: ssh

9.1 Regular usage

ssh <host>
ssh <user>@<host>
ssh <host> <command>
ssh <host> -t <command>

9.2 Install key on remote system

ssh-copy-id -i ~/.ssh/id_rsa.pub <host>

9.3 SSH agent

ssh-agent bash
ssh-add [<key>]

9.4 Copy over SSH

scp <remote>:<path_to_file> <local_path>

10 rsync

  • Copy file tree across hosts

    rsync -av remote:/path/to/dir/ /path/to/local/dir/
    

11 CentOS

Binary-compatible rebuild of Red Hat Enterprise Linux

11.1 GRUB2 bootloader

  • Press e to edit boot options

11.2 Apache httpd

  • Start and enable Apache

    sudo systemctl start httpd
    sudo systemctl enable httpd
    
  • Put files in

    /var/www/html/
    /var/www/htdocs/
    /srv/www/
    
  • Configuration is in

    /etc/httpd/
    /etc/apache2/
    

11.3 Firewalld

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

12 HTTP pocketknife: curl

Command-line downloader

12.1 Basic usage

curl http://www.example.com
curl -I http://www.example.com
curl -i http://www.example.com

12.2 wttr.in

curl wttr.in
curl -s wttr.in | colorstrip

13 HTTP downloader: wget

Another command-line downloader; supports recursive downloads.

13.1 Basic usage

wget http://192.168.58.104/images/apache_pb.gif

13.2 Recursive downloading

Read the manual before attempting!

wget -r -m -np http://192.168.58.104/

14 Checking open ports: netstat

  • List all listening sockets

    netstat -tulpn
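As an added example (not from the talk), the grep/sed/awk filters from section 8 applied to netstat -tulpn output, to pick out the services bound to every interface and therefore reachable from other hosts. The netstat text below is a constructed sample, not a capture from a real machine.

```shell
#!/bin/sh
# Constructed sample of `netstat -tulpn` output (not from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1020/master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1337/httpd
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      900/cupsd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           700/ntpd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           701/chronyd'

# Print "proto port program" for every socket bound to all interfaces
# (0.0.0.0 for IPv4, :: for IPv6). Reads netstat -tulpn text on stdin.
# Loopback-only binds (127.0.0.1, ::1) are left out: they are not exposed.
exposed_services() {
    awk '
        NR <= 2 { next }                          # skip the two header lines
        $4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/ {      # $4 is Local Address
            n = split($4, a, ":")                 # port is after the last colon
            port = a[n]
            prog = $NF                            # last field is PID/Program
            sub(/^[0-9]+\//, "", prog)            # drop the "PID/" prefix
            print $1, port, prog
        }
    '
}

# grep | sed version of the same idea: the distinct programs holding
# a listening TCP socket, whatever address they are bound to.
listening_programs() {
    grep 'LISTEN' | sed 's#.*/##' | sort -u
}

printf '%s\n' "$SAMPLE_NETSTAT" | exposed_services
printf '%s\n' "$SAMPLE_NETSTAT" | listening_programs
```

On a live system replace the printf with `netstat -tulpn | exposed_services` (or `ss -tulpn`, whose columns differ slightly).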
    

15 Checking open ports: nmap

16 Firewall rules: iptables

  • List all iptables rules

    iptables -nvL
    iptables -nvL -t nat
    ip6tables -nvL
    
  • Set a bunch of iptables rules at once

    iptables-restore /etc/iptables
    ip6tables-restore /etc/ip6tables
    

17 Generic TCP pocketknife: netcat (nc)

  • Client: nc <host> <port>
  • Server
    • Traditional and GNU: nc -l -p <port> -s <listen_addr>
    • OpenBSD: nc -l <listen_addr> <port>
    • nmap ncat: ncat -l <listen_addr> <port>

18 Real-world hacking: tar trick

  • Copy directory recursively from remote host

    ssh root@centos tar cC /etc/httpd . | tar xvC /home/kyle/tmp/httpd
    
  • Copy directory recursively to remote host

    tar cC /etc/httpd . | ssh kyle@192.168.58.1 tar xvC /home/kyle/tmp/httpd
    
  • Challenge: use this trick with netcat
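An added example (not from the talk) that runs the tar trick entirely on one machine, with the ssh hop replaced by a plain pipe, so the mechanics can be tested without a second host. The fixture tree standing in for /etc/httpd is constructed, and `-f -` spells out the stdout/stdin archive that the talk's short `tar cC ... | tar xvC ...` leaves to tar's default.

```shell
#!/bin/sh
# Stand-in for:  ssh root@centos tar cC /etc/httpd . | tar xvC /home/kyle/tmp/httpd
# Left tar streams the tree at $1 to stdout; right tar unpacks it into $2.
tar_copy_tree() {
    src=$1
    dst=$2
    mkdir -p "$dst"
    tar -c -C "$src" -f - . | tar -x -C "$dst" -f -
}

# List what the stream would contain without extracting anything
# (tar t only lists), so a destination is never written blind.
tar_preview_tree() {
    tar -c -C "$1" -f - . | tar -t -f - | sort
}

# Constructed fixture: a tiny tree shaped like /etc/httpd
make_fixture() {
    root=$1
    mkdir -p "$root/src/conf.d" "$root/dst"
    printf 'ServerName example.test\n' > "$root/src/httpd.conf"
    printf 'Listen 8080\n' > "$root/src/conf.d/ports.conf"
}

# Exit status 0 when both trees match byte for byte
trees_match() {
    diff -r "$1" "$2" >/dev/null
}

demo_tar_trick() {
    work=$(mktemp -d)
    make_fixture "$work"
    tar_preview_tree "$work/src"
    tar_copy_tree "$work/src" "$work/dst"
    trees_match "$work/src" "$work/dst"
    status=$?
    rm -rf "$work"
    return $status
}

demo_tar_trick && echo "tree copied intact"
```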

19 Mapping network topology: traceroute

traceroute www.example.com

20 System service manager: systemd

You must either be root or a member of the wheel group.

20.1 Start a service

sudo systemctl start httpd

20.2 Check the status of a service

sudo systemctl status httpd

20.3 Automatically start a service

sudo systemctl enable httpd

20.4 Analyze bootup times

sudo systemd-analyze plot

21 Real world example: reset root password

See my guide: https://github.com/linuxcsuf/linuxcsuf/wiki/Rescue-boot

  1. In GRUB, try to boot in single user mode (single, systemd.target=rescue.target, or rd.break).
  2. Didn't work? Hijack the entire init process. Try to boot with

    init=/bin/sh
    mount -o remount,rw /
    
  3. Didn't work? Boot from a Live CD. If you do this, mount the partition and then chroot in.

    mount /dev/sda1 /mnt
    chroot /mnt /bin/su -
    
  4. When you find the system /etc/shadow, set a root password

    passwd
    
  5. Some systems (e.g. RHEL) require SELinux labels to be regenerated.

    touch /.autorelabel
    
  6. Reboot as cleanly as possible.

22 Audio/Video pocketknife: mpv

22.1 Basic usage

  • Local file

    mpv <file>
    
  • Youtube

    mpv <video-url>
    

22.2 Real-world hacking: pulling audio from a Youtube video

  • List formats

    youtube-dl -F <video-url>
    
  • Download

    youtube-dl -f 251 <video-url>
    
  • Stream

    mpv --ytdl-format 251 <video-url>
    

22.3 Real-world hacking: getting a radio stream

Try it: http://www.885fm.org/

mpv <url>

23 Philosophy

23.1 Security

  • Security and convenience are inversely proportional.
  • Security is largely the way a computer is used. – Jack Denman

23.2 "Can we?" versus "Should we?"

Example: Nectome mind-uploading service can preserve your brain, but you must be euthanized first.

https://www.technologyreview.com/s/610456/a-startup-is-pitching-a-mind-uploading-service-that-is-100-percent-fatal/amp/

23.3 Bending the rules

"The worse the (objective) evil, the more the perpetrator was completely convinced of the goodness of himself and of his 'purification'." – Erik Naggum http://genius.cat-v.org/erik-naggum/punishers-and-moralists