____________________ OSS LINUX WORKSHOP Kyle Terrien ____________________ [/] [Talks] [OSS Linux Workshop] This is the outline from the talk given to the [CSUF] Offensive Security Society (OSS) Club on Friday, 16 March 2018. A big thanks goes to Shelley and Brandon for inviting me. I also gave the same talk the next morning at [OCLUG]. Thanks goes to Steve for setting up the talk. This outline is available in Emacs Org format, [HTML], and [plain text]. [/] [Talks] [OSS Linux Workshop] [CSUF] [OCLUG] [HTML] [plain text] 1 What are you looking at? ========================== + Laptop: System76 Gazelle Pro 8, running Slackware + Xorg desktop running Openbox + Emacs with an Org Mode document open + Web browser: Pale Moon <> 2 About me ========== + Name: Kyle Terrien + Alias: "klipkyle" + Studied Computer Science at CSUF + Graduated in May 2016 + Working for Dell EMC on data protection "appliances" + Website: 3 How did you get into Linux? ============================= 3.1 Telesphoreo (iPhone) ~~~~~~~~~~~~~~~~~~~~~~~~ + + GNU coreutils and other Unix utilities ported to the iPhone 3.2 First Linuxes I used ~~~~~~~~~~~~~~~~~~~~~~~~ + First Linux install: Linux Mint 7 Gloria (2009) + 2013: started using Linux desktop as a daily driver + Desktops: Linux Mint, Arch Linux, Slackware + Servers (professional): SUSE Linux Enterprise, Red Hat Enterprise, Slackware 4 Documentation =============== + `man' + `/usr/doc' (or `/usr/share/doc') + Web 5 Books ======= + Many. Online resources are good too. + Eric Raymond - "Cathedral and the Bazaar": + Linux in a Nutshell (O'Reilly Media) + Unix System Administration Handbook + Internet Standards and Protocols (Microsoft Press) (Warning: out of date!) 6 Basic commands ================ 6.1 cd/ls/pwd ~~~~~~~~~~~~~ 6.2 mv/cp ~~~~~~~~~ 6.3 touch/mkdir ~~~~~~~~~~~~~~~ 6.4 rm/rmdir ~~~~~~~~~~~~ 6.5 chown/chmod ~~~~~~~~~~~~~~~ 7 Unix Philosophy ================= 7.1 Simplicity ~~~~~~~~~~~~~~ + Symplicity of design, not ease of use + I abhor a system designed for the "user", if that word is a coded pejorative meaning "stupid and unsophisticated". -- Ken Thompson + Controlling complexity is the essence of computer programming. -- Brian Kernighan 7.2 Everything is a file ~~~~~~~~~~~~~~~~~~~~~~~~ Look under `/dev' 7.3 Expert-friendly ~~~~~~~~~~~~~~~~~~~ + Unix was not designed to stop you from doing stupid things, because that would also stop you from doing clever things. -- Doug Gwyn + To design the perfect anti-Unix, write an operating system that thinks it knows what you're doing better than you do. And then adds injury to insult by getting it wrong. -- Eric S. Raymond, /The Art of Unix Programming/ 7.4 Pipelines ~~~~~~~~~~~~~ Output of one command can be used as the input of another. ,---- | ntpq -pn | grep '^*' `---- 7.5 Separation of user-space and kernel-space ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ User-space processes make syscalls to switch to kernel space 8 Searching and filtering: grep/sed/awk ======================================= 8.1 grep ~~~~~~~~ Search for a string (or regexp). ,---- | grep http /etc/services `---- 8.2 sed ~~~~~~~ Edit contents of a stream. ,---- | sed 's/http/https/' /etc/services `---- 8.3 awk ~~~~~~~ Parse and print reports. ,---- | awk '{print $2;}' /etc/services | awk '/http/' /etc/services | awk '$1 ~ /http/' /etc/services | awk '$1 == "http"' /etc/services | awk '$1 == "http" {print $2;}' /etc/services `---- 8.4 Resources ~~~~~~~~~~~~~ + + 9 Secure shell: ssh =================== 9.1 Regular usage ~~~~~~~~~~~~~~~~~ ,---- | ssh | ssh @ | ssh | ssh -t `---- 9.2 Install key on remote system ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ,---- | ssh-copy-id -i ~/.ssh/id_rsa.pub `---- 9.3 SSH agent ~~~~~~~~~~~~~ ,---- | ssh-agent bash | ssh-add [] `---- 9.4 Copy over SSH ~~~~~~~~~~~~~~~~~ ,---- | scp : `---- 10 rsync ======== + Copy file tree across hosts ,---- | rsync -av remote:/path/to/dir/ /path/to/local/dir/ `---- 11 CentOS ========= Binary compatible rebuild of Red Hat Enterprise Linux 11.1 GRUB2 bootloader ~~~~~~~~~~~~~~~~~~~~~ + Press `e' to edit boot options 11.2 Apache httpd ~~~~~~~~~~~~~~~~~ + Start and enable Apache ,---- | sudo systemctl start httpd | sudo systemctl enable httpd `---- + Put files in ,---- | /var/www/html/ | /var/www/htdocs/ | /srv/www/ `---- + Configuration is in ,---- | /etc/httpd/ | /etc/apache2/ `---- 11.3 Firewalld ~~~~~~~~~~~~~~ ,---- | sudo firewall-cmd --permanent --zone=public --add-service=http | sudo firewall-cmd --permanent --zone=public --add-service=https | sudo firewall-cmd --reload `---- 11.4 SELinux ~~~~~~~~~~~~ 12 HTTP pocketknife: curl ========================= Command-line downloader 12.1 Basic usage ~~~~~~~~~~~~~~~~ ,---- | curl http://www.example.com | curl -I http://www.example.com | curl -i http://www.example.com `---- 12.2 wttr.in ~~~~~~~~~~~~ ,---- | curl wttr.in | curl -s wttr.in | colorstrip `---- 13 HTTP downloader: wget ======================== Another command-line downloader, supports recursive downloads 13.1 Basic usage ~~~~~~~~~~~~~~~~ ,---- | wget http://192.168.58.104/images/apache_pb.gif `---- 13.2 Recursive downloading ~~~~~~~~~~~~~~~~~~~~~~~~~~ Read the manual before attempting! ,---- | wget -r -m -np http://192.168.58.104/ `---- 14 Checking open ports: netstat =============================== + List all listening sockets ,---- | netstat -tulpn `---- 15 Checking open ports: nmap ============================ + Regular scan ,---- | nmap 192.168.58.104 `---- + Intense scan ,---- | nmap -T4 -A -v 192.168.58.104 `---- + Resources + 16 Firewall rules: iptables =========================== + List all iptables rules ,---- | iptables -nvL | iptables -nvL -t nat | ip6tables -nvL `---- + Set a bunch of iptables rules at once ,---- | iptables-restore /etc/iptables | ip6tables-restore /etc/ip6tables `---- 17 Generic TCP pocketknife: netcat (nc) ======================================= + Client: `nc ' + Server + Traditional and GNU: `nc -l -p -s ' + OpenBSD: `nc -l ' + nmap ncat: `ncat -l ' 18 Real-world hacking: tar trick ================================ + Copy directory recursively from remote host ,---- | ssh root@centos tar cC /etc/httpd . | tar xvC /home/kyle/tmp/httpd `---- + Copy directory recursively to remote host ,---- | tar cC /etc/httpd . | ssh kyle@192.168.58.1 tar xvC /home/kyle/tmp/httpd `---- + Challenge: use this trick with netcat 19 Mapping network topology: traceroute ======================================= ,---- | traceroute www.example.com `---- 20 System service manager: systemd ================================== You must either be root or a member of the wheel group. 20.1 Start a service ~~~~~~~~~~~~~~~~~~~~ ,---- | sudo systemctl start httpd `---- 20.2 Check the status of a service ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ,---- | sudo systemctl status httpd `---- 20.3 Automatically start a service ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ,---- | sudo systemctl enable httpd `---- 20.4 Analyze bootup times ~~~~~~~~~~~~~~~~~~~~~~~~~ ,---- | sudo systemd-analyze plot `---- 21 Real world example: reset root password ========================================== See my guide: 1. In GRUB, try to boot in single user mode (`single', `systemd.target=rescue.target', or `rd.break'). 2. Didn't work? Hijack the entire init process. Try to boot with ,---- | init=/bin/sh | mount -o remount,rw / `---- 3. Didn't work? Boot from a Live CD. If you do this, mount the partition and then chroot in. ,---- | mount /dev/sda1 /mnt | chroot /mnt /bin/su - `---- 4. When you find the system `/etc/shadow', set a root password ,---- | passwd `---- 5. Some systems (e.g. RHEL) require SELinux labels to be regenerated. ,---- | touch /.autorelabel `---- 6. Reboot as cleanly as possible. 22 Audio/Video pocketknife: mpv =============================== 22.1 Basic usage ~~~~~~~~~~~~~~~~ + Local file ,---- | mpv `---- + Youtube ,---- | mpv `---- 22.2 Real-world hacking: pulling audio from a Youtube video ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + List formats ,---- | youtube-dl -F `---- + Download ,---- | youtube-dl -f 251 `---- + Stream ,---- | mpv --ytdl-format 251 `---- 22.3 Real-world hacking: getting a radio stream ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Try it: ,---- | mpv `---- 23 Philosophy ============= 23.1 Security ~~~~~~~~~~~~~ + Security and convenience are inversely proportional. + Security is largely the way a computer is used. -- Jack Denman 23.2 "Can we?" versus "Should we?" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Example: Nectome mind-uploading service can preserve your brain, but you must be euthanized first. 23.3 Bending the rules ~~~~~~~~~~~~~~~~~~~~~~ "The worse the (objective) evil, the more the perpetrator was completely convinced of the goodness of himself and of his 'purification'." -- Erik Naggum