OSS Linux Workshop
This is the outline from the talk given to the CSUF Offensive Security Society (OSS) Club on Friday, 16 March 2018. A big thanks goes to Shelley and Brandon for inviting me.
I also gave the same talk the next morning at OCLUG. Thanks go to Steve for setting up the talk.
This outline is available in Emacs Org format, HTML, and plain text.
1 What are you looking at?
- Laptop: System76 Gazelle Pro 8, running Slackware
- Xorg desktop running Openbox
- Emacs with an Org Mode document open
- Web browser: Pale Moon <http://www.palemoon.org/>
2 About me
- Name: Kyle Terrien
- Alias: "klipkyle"
- Studied Computer Science at CSUF
- Graduated in May 2016
- Working for Dell EMC on data protection "appliances"
- Website: https://klipkyle.gitlab.io/
3 How did you get into Linux?
3.1 Telesphoreo (iPhone)
- https://en.wikipedia.org/wiki/Cydia
- GNU coreutils and other Unix utilities ported to the iPhone
3.2 First Linuxes I used
- First Linux install: Linux Mint 7 Gloria (2009)
- 2013: started using Linux desktop as a daily driver
- Desktops: Linux Mint, Arch Linux, Slackware
- Servers (professional): SUSE Linux Enterprise, Red Hat Enterprise, Slackware
4 Documentation
- man
- /usr/doc (or /usr/share/doc)
- Web
5 Books
- Many. Online resources are good too.
- Eric Raymond - "Cathedral and the Bazaar": http://www.catb.org/esr/writings/cathedral-bazaar/
- Linux in a Nutshell (O'Reilly Media)
- Unix System Administration Handbook
- Internet Standards and Protocols (Microsoft Press) (Warning: out of date!)
6 Basic commands
6.1 cd/ls/pwd
6.2 mv/cp
6.3 touch/mkdir
6.4 rm/rmdir
6.5 chown/chmod
7 Unix Philosophy
7.1 Simplicity
- Simplicity of design, not ease of use
- I abhor a system designed for the "user", if that word is a coded pejorative meaning "stupid and unsophisticated". – Ken Thompson
- Controlling complexity is the essence of computer programming. – Brian Kernighan
7.2 Everything is a file
Look under /dev
7.3 Expert-friendly
- Unix was not designed to stop you from doing stupid things, because that would also stop you from doing clever things. – Doug Gwyn
- To design the perfect anti-Unix, write an operating system that thinks it knows what you're doing better than you do. And then adds injury to insult by getting it wrong. – Eric S. Raymond, The Art of Unix Programming
7.4 Pipelines
Output of one command can be used as the input of another.
ntpq -pn | grep '^*'
7.5 Separation of user-space and kernel-space
User-space processes make syscalls to switch to kernel space
8 Searching and filtering: grep/sed/awk
8.1 grep
Search for a string (or regexp).
grep http /etc/services
8.2 sed
Edit contents of a stream.
sed 's/http/https/' /etc/services
8.3 awk
Parse and print reports.
awk '{print $2;}' /etc/services
awk '/http/' /etc/services
awk '$1 ~ /http/' /etc/services
awk '$1 == "http"' /etc/services
awk '$1 == "http" {print $2;}' /etc/services
9 Secure shell: ssh
9.1 Regular usage
ssh <host>
ssh <user>@<host>
ssh <host> <command>
ssh <host> -t <command>
9.2 Install key on remote system
ssh-copy-id -i ~/.ssh/id_rsa.pub <host>
9.3 SSH agent
ssh-agent bash
ssh-add [<key>]
9.4 Copy over SSH
scp <remote>:<path_to_file> <local_path>
10 rsync
Copy file tree across hosts
rsync -av remote:/path/to/dir/ /path/to/local/dir/
11 CentOS
Binary compatible rebuild of Red Hat Enterprise Linux
11.1 GRUB2 bootloader
- Press e to edit boot options
11.2 Apache httpd
Start and enable Apache
sudo systemctl start httpd
sudo systemctl enable httpd
Put files in
/var/www/html/
/var/www/htdocs/
/srv/www/
Configuration is in
/etc/httpd/
/etc/apache2/
11.3 Firewalld
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
11.4 SELinux
12 HTTP pocketknife: curl
Command-line downloader
12.1 Basic usage
curl http://www.example.com
curl -I http://www.example.com
curl -i http://www.example.com
12.2 wttr.in
curl wttr.in
curl -s wttr.in | colorstrip
13 HTTP downloader: wget
Another command-line downloader, supports recursive downloads
13.1 Basic usage
wget http://192.168.58.104/images/apache_pb.gif
13.2 Recursive downloading
Read the manual before attempting!
wget -r -m -np http://192.168.58.104/
14 Checking open ports: netstat
List all listening sockets
netstat -tulpn
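As an added example (not part of the original outline), a small POSIX shell audit that parses netstat -tulpn style output and reports listeners whose port is not on an allowlist; the sample output is constructed, and the allowlist of 22/80/443 is an assumption for a web host.

```shell
#!/bin/sh
# Added example, not from the original outline: flag listening sockets that are
# not expected on this host, using the same columns "netstat -tulpn" prints.

# Constructed sample output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
tcp6       0      0 :::80                   :::*                    LISTEN      1203/httpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient'

# unexpected_listeners "22 80 443" < netstat-output
# Prints "proto local-address pid/program" for each listener whose port is not
# in the space-separated allowlist given as $1.
unexpected_listeners() {
    allowed=" $1 "
    # Keep TCP rows in LISTEN state and every UDP row (netstat prints no state
    # column for UDP); the two header lines fail the first-field test and drop out.
    awk '($1 ~ /^tcp/ && $6 == "LISTEN") || $1 ~ /^udp/' |
    while read -r proto recvq sendq laddr faddr rest; do
        port=${laddr##*:}                        # works for 0.0.0.0:22 and :::80 alike
        case "$allowed" in
            *" $port "*) ;;                      # expected service, stay quiet
            *) echo "$proto $laddr ${rest##* }" ;;   # last field is PID/Program name
        esac
    done
}

# Run the audit over the constructed sample against a typical web-host allowlist.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 80 443"
}

audit_sample
```

On a live host, pipe the real command in instead: netstat -tulpn | unexpected_listeners "22 80 443".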
15 Checking open ports: nmap
Regular scan
nmap 192.168.58.104
Intense scan
nmap -T4 -A -v 192.168.58.104
- Resources
16 Firewall rules: iptables
List all iptables rules
iptables -nvL
iptables -nvL -t nat
ip6tables -nvL
Set a bunch of iptables rules at once
iptables-restore /etc/iptables
ip6tables-restore /etc/ip6tables
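As an added example (not from the original outline), a shell function that writes a default-deny ruleset in the iptables-save format that iptables-restore loads from /etc/iptables; the port list 22/80/443 and the conntrack-based rules are assumptions, not something the talk specified.

```shell
#!/bin/sh
# Added example, not from the original outline: generate the file that
# "iptables-restore /etc/iptables" consumes, with a default-deny INPUT policy.

# gen_ruleset PORT... : print a filter-table ruleset that drops all inbound
# traffic except loopback, replies to connections we opened, ICMP, and new
# connections to the given inbound TCP ports.
gen_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'           # default-deny inbound
    echo ':FORWARD DROP [0:0]'         # this host is not a router
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo '-A INPUT -p icmp -j ACCEPT'
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# count_rules PORT... : number of per-port ACCEPT rules in the generated
# ruleset, a quick sanity check before loading it.
count_rules() {
    gen_ruleset "$@" | grep -c -- '--dport'
}

# Typical use (as root):
#   gen_ruleset 22 80 443 > /etc/iptables
#   iptables-restore --test /etc/iptables   # parse only, do not apply
#   iptables-restore /etc/iptables
gen_ruleset 22 80 443
```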
17 Generic TCP pocketknife: netcat (nc)
- Client:
nc <host> <port>
- Server
- Traditional and GNU:
nc -l -p <port> -s <listen_addr>
- OpenBSD:
nc -l <listen_addr> <port>
- nmap ncat:
ncat -l <listen_addr> <port>
18 Real-world hacking: tar trick
Copy directory recursively from remote host
ssh root@centos tar cC /etc/httpd . | tar xvC /home/kyle/tmp/httpd
Copy directory recursively to remote host
tar cC /etc/httpd . | ssh kyle@192.168.58.1 tar xvC /home/kyle/tmp/httpd
- Challenge: use this trick with netcat
19 Mapping network topology: traceroute
traceroute www.example.com
20 System service manager: systemd
You must either be root or a member of the wheel group.
20.1 Start a service
sudo systemctl start httpd
20.2 Check the status of a service
sudo systemctl status httpd
20.3 Automatically start a service
sudo systemctl enable httpd
20.4 Analyze bootup times
sudo systemd-analyze plot
21 Real world example: reset root password
See my guide: https://github.com/linuxcsuf/linuxcsuf/wiki/Rescue-boot
- In GRUB, try to boot in single user mode (single, systemd.target=rescue.target, or rd.break). Didn't work? Hijack the entire init process. Try to boot with
init=/bin/sh
mount -o remount,rw /
- Didn't work? Boot from a Live CD. If you do this, mount the partition and then chroot in.
mount /dev/sda1 /mnt
chroot /mnt /bin/su -
- When you find the system /etc/shadow, set a root password
passwd
- Some systems (e.g. RHEL) require SELinux labels to be regenerated.
touch /.autorelabel
- Reboot as cleanly as possible.
22 Audio/Video pocketknife: mpv
22.1 Basic usage
Local file
mpv <file>
Youtube
mpv <video-url>
22.2 Real-world hacking: pulling audio from a Youtube video
List formats
youtube-dl -F <video-url>
Download
youtube-dl -f 251 <video-url>
Stream
mpv --ytdl-format 251 <video-url>
22.3 Real-world hacking: getting a radio stream
Try it: http://www.885fm.org/
mpv <url>
23 Philosophy
23.1 Security
- Security and convenience are inversely proportional.
- Security is largely the way a computer is used. – Jack Denman
23.2 "Can we?" versus "Should we?"
Example: Nectome mind-uploading service can preserve your brain, but you must be euthanized first.
23.3 Bending the rules
"The worse the (objective) evil, the more the perpetrator was completely convinced of the goodness of himself and of his 'purification'." – Erik Naggum http://genius.cat-v.org/erik-naggum/punishers-and-moralists