Linux Hosts (3.3)
In this section, you will learn about working with Linux hosts through the GUI and the CLI.
Working with the Linux GUI (3.3.1)
In this topic, you will learn about the Linux GUI.
X Window System (3.3.1.1)
The graphical interface present in most Linux computers is based on the X Window System. Also known as X or X11, X Window is a windowing system designed to provide the basic framework for a GUI. X includes functions for drawing and moving windows on the display device and interacting with a mouse and keyboard.
X works as a server and, as such, allows a remote user to use the network to connect, start a graphical application, and have the graphical window open on the remote terminal. While the application itself runs on the server, the graphical aspect of it is sent by X over the network and displayed on the remote computer.
Notice that X does not specify the user interface, leaving it to other programs such as window managers to define all the graphical components. This abstraction allows for great flexibility and customization as graphical components such as buttons, fonts, icons, window borders, and color scheme are all defined by the user application. Because of this separation, the Linux GUI varies greatly from distribution to distribution. Examples of window managers are Gnome and KDE, as shown in Figures 3-9 and 3-10, respectively. While the look and feel of window managers vary, the main components are still present.
Figure 3-9 Gnome Window Manager
Figure 3-10 KDE Window Manager
For more information on Gnome, visit the following website:
For more information on KDE, visit the following website:
The Linux GUI (3.3.1.2)
Although an operating system does not require a GUI to function, GUIs are considered more user-friendly than the CLI. The Linux GUI as a whole can be easily replaced by the user. As a result of the large number of Linux distributions, this chapter focuses on Ubuntu when covering Linux because it is a very popular and user-friendly distribution.
Ubuntu Linux uses Unity as its default GUI. Unity’s goal is to make Ubuntu even more user-friendly. The main UI components of Unity include:
Top Menu Bar: This multipurpose menu bar shows the currently running application. It includes the maximize, minimize, and exit buttons of the application in focus, as well as the system controls, including settings, logout, and shutdown, the clock, and other notifications.
Launcher: This is a dock on the left side of the screen that serves as the application launcher and switcher. Click to launch an application and when the application is running, click again to switch between running applications. If more than one instance of an application is running, Launcher will display all instances.
Quicklist: Right-click any application hosted on the Launcher to access a short list of tasks the application can perform.
Dash Search Box: This holds the Search tool and a list of recently used applications. Dash includes Lenses at the bottom of the Dash area which allow the user to fine-tune Dash search results. To access Dash, click the Ubuntu button on the top of the Launcher.
System and Notification Menu: Many important functions are located in the indicator menu, located at the top right corner of the screen. Use the indicator menu to switch users, shut down your computer, control the volume level, or change network settings.
Figure 3-11 shows a breakdown of the Ubuntu Unity Desktop.
Figure 3-11 Ubuntu Unity GUI
To experience Unity desktop in your web browser, visit the following website:
Working on a Linux Host (3.3.2)
In this topic, you will learn how to install and run Linux applications, keep your system up to date, and guard against malware on a Linux host.
Installing and Running Applications on a Linux Host (3.3.2.1)
Many end-user applications are complex programs written in compiled languages. To aid in the installation process, Linux often includes programs called package managers. A package is the term used to refer to a program and all its supported files. By using a package manager to install a package, all the necessary files are placed in the correct file system location.
There are several package managers. For this course, we will use the Advanced Packaging Tool (apt) package manager. Example 3-9 shows the output of a few apt commands. The apt-get update command is used to fetch the package list from the package repository and update the local package database. The apt-get upgrade command is used to update all currently installed packages to their latest versions.
Example 3-9 The Advanced Packaging Tool (APT) Package Manager
analyst@cuckoo:~$ sudo apt-get update
[sudo] password for analyst:
Hit:1 http://us.archive.ubuntu.com/ubuntu xenial InRelease
Get:2 http://us.archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB]
Get:3 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu xenial-backports InRelease [102 kB]
Get:5 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [534 kB]
<output omitted>
Fetched 4,613 kB in 4s (1,003 kB/s)
Reading package lists... Done
analyst@cuckoo:~$
analyst@cuckoo:~$ sudo apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  linux-generic-hwe-16.04 linux-headers-generic-hwe-16.04 linux-image-generic-hwe-16.04
The following packages will be upgraded:
  firefox firefox-locale-en gir1.2-javascriptcoregtk-4.0 gir1.2-webkit2-4.0
  libjavascriptcoregtk-4.0-18 libwebkit2gtk-4.0-37 libwebkit2gtk-4.0-37-gtk2 libxen-4.6
  libxenstore3.0 linux-libc-dev logrotate openssh-client qemu-block-extra qemu-kvm
  qemu-system-common qemu-system-x86 qemu-utils snapd ubuntu-core-launcher zlib1g zlib1g-dev
21 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Need to get 85.7 MB of archives.
After this operation, 1,576 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Keeping the System Up to Date (3.3.2.2)
Also known as patches, OS updates are released periodically by OS companies to address any known vulnerabilities in their operating system. While companies have update schedules, the release of unscheduled OS updates can happen when a major vulnerability is found in the OS code. Modern operating systems will alert the user when updates are available for download and installation, but the user can check for updates at any time.
To update the local package metadata database using the CLI, use the apt-get update command.
To upgrade all the currently installed packages using the CLI, use the apt-get upgrade command.
To manually check and install updates on Linux using the GUI, click Dash Search Box, type software updater, and click the Software Updater icon, as shown in Figure 3-12.
Figure 3-12 The Ubuntu GUI-Based Software Updater
Processes and Forks (3.3.2.3)
A process is a running instance of a computer program. Multitasking operating systems can execute many processes at the same time.
Forking is a method that the kernel uses to allow a process to create a copy of itself. Processes need a way to create new processes in multitasking operating systems. The fork operation is the only way of doing so in Linux.
Forking is important for many reasons. One of them relates to process scalability. Apache, a popular web server, is a good example. By forking itself, Apache is able to serve a large number of requests with fewer system resources than a single-process-based server.
When a process calls fork, the caller process becomes the parent process, with the newly created process referred to as its child. After the fork, the processes are, to some extent, independent processes; they have different process IDs but run the same program code.
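An added example, not from the course, that shows the relationship just described from the shell: backgrounding a function makes the shell fork, so the child starts as a copy running the same script text under a new PID, and its PPID is the shell that forked it. It assumes a Linux /proc file system, where field 4 of /proc/PID/stat is the PPID.

```shell
#!/bin/sh
# Added example, not part of the course text. Assumes Linux /proc is mounted:
# /proc/PID/stat reads "pid (comm) state ppid ...", so field 4 is the PPID.

# child_body runs inside the forked child. Until the exec, that child is a
# copy of this very shell, running the same script text under a new PID.
child_body() {
    exec sleep 10   # replace the copy with sleep so there is one process to inspect
}

# fork_demo: fork a child, read its PID and PPID, and check the relationship
# the text describes. Prints the values; returns 0 when the child's PID differs
# from the parent's and the child's PPID is the parent.
fork_demo() {
    parent=$$                           # PID of this shell, the parent
    child_body &                        # the shell forks here; the child runs child_body
    child=$!                            # fork hands the new PID back to the parent
    child_ppid=$(awk '{ print $4 }' "/proc/$child/stat")
    kill "$child" 2>/dev/null || true   # done inspecting the child
    wait "$child" 2>/dev/null || true   # reap it so it does not linger as a zombie
    echo "parent=$parent child=$child child_ppid=$child_ppid"
    [ "$child" -ne "$parent" ] && [ "$child_ppid" -eq "$parent" ]
}

# Stand-alone run: print the three PIDs and exit with the check result.
fork_demo
```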
The following are a few commands used to manage processes:
ps: This command is used to list the processes running on the computer at the time it is invoked. ps can be instructed to display running processes that belong to the current user or other users. While listing processes does not require root privileges, killing or modifying other users’ processes does.
top: This command is also used to list running processes, but unlike ps, top keeps displaying running processes dynamically. Press q to exit top.
kill: This command is used to modify the behavior of a specific process. Depending on the parameters, kill will remove, restart, or pause a process. In many cases, the user will run ps or top before running kill. This is done so the user can learn the PID of a process before running kill.
Example 3-10 shows the output of the top command on a Linux computer.
Example 3-10 Output of the top Command
top - 12:37:51 up 28 min,  1 user,  load average: 0.07, 0.02, 0.02
Tasks:  99 total,   1 running,  98 sleeping,   0 stopped,   0 zombie
%Cpu0  :   2.8/0.7     3[|||                                        ]
GiB Mem : 94.6/0.981    [                                           ]
GiB Swap:  0.0/0.000    [                                           ]

  PID USER      PR  NI    VIRT    RES  %CPU %MEM     TIME+ S COMMAND
    1 root      20   0    8.9m   3.8m   0.0  0.4   0:00.70 S systemd
  173 root      20   0   70.6m   2.4m   0.0  0.2   0:00.06 S  `- systemd-journal
  205 root      20   0   15.0m   1.8m   0.0  0.2   0:00.09 S  `- systemd-udevd
  270 root      20   0    5.5m   0.3m   0.0  0.0   0:00.09 S  `- ovsdb-server
  272 root      20   0    5.7m   0.9m   0.0  0.1   0:00.00 S  `- start_pox.sh
  281 root      20   0   42.0m   8.2m   0.7  0.8   0:03.47 S  `- python2.7
  274 root      20   0   23.2m   1.6m   0.0  0.2   0:00.00 S  `- rsyslogd
  276 root      20   0    7.0m   1.3m   0.0  0.1   0:00.00 S  `- systemd-logind
  277 dbus      20   0    6.4m   2.0m   0.0  0.2   0:00.18 S  `- dbus-daemon
  283 systemd+  20   0   16.6m   0.5m   0.0  0.1   0:00.00 S  `- systemd-network
  284 root      20   0    7.5m   1.2m   0.0  0.1   0:00.00 S  `- ovs-vswitchd
  297 root      20   0   29.3m   1.5m   0.0  0.2   0:00.19 S  `- VBoxService
  314 root      20   0    5.2m   0.7m   0.0  0.1   0:00.00 S  `- vsftpd
  317 root      20   0    7.6m   0.9m   0.0  0.1   0:00.00 S  `- sshd
  320 root      20   0   35.3m   6.7m   0.0  0.7   0:00.04 S  `- lightdm
  332 root      20   0  164.3m  61.5m   2.6  6.1   0:05.76 S  `- Xorg
  385 root      20   0   31.2m   2.9m   0.0  0.3   0:00.01 S  `- lightdm
  396 analyst   20   0    5.5m   1.0m   0.0  0.1   0:00.00 S  `- sh
  416 analyst   20   0   75.7m  26.8m   0.0  2.7   0:00.07 S  `- xfce4-session
  426 analyst   20   0   60.0m  28.9m   0.0  2.9   0:00.41 S  `- xfwm4
  427 analyst   20   0   57.6m  25.6m   0.0  2.6   0:00.06 S  `- Thunar
  428 analyst   20   0   70.3m  31.9m   0.0  3.2   0:00.28 S  `- xfce4-panel
  459 analyst   20   0   56.7m  26.0m   0.0  2.6   0:00.08 S  `- panel-6-systray
  462 analyst   20   0   57.9m  25.5m   0.0  2.5   0:00.09 S  `- panel-2-actions
  432 analyst   20   0   90.2m  33.6m   0.0  3.3   0:00.57 S  `- xfdesktop
  444 analyst   20   0   78.5m  25.9m   0.0  2.6   0:00.06 S  `- polkit-gnome-au
  329 root      20   0    7.5m   0.5m   0.0  0.1   0:00.00 S  `- nginx
  330 http      20   0    8.8m   1.3m   0.0  0.1   0:00.00 S  `- nginx
  333 root      20   0   38.0m   2.8m   0.0  0.3   0:00.03 S  `- accounts-daemon
  340 polkitd   20   0   71.2m  10.3m   0.0  1.0   0:00.07 S  `- polkitd
  391 analyst   20   0    8.9m   1.8m   0.0  0.2   0:00.00 S  `- systemd
  392 analyst   20   0   12.2m   1.1m   0.0  0.1   0:00.00 S  `- (sd-pam)
  408 analyst   20   0    6.4m   1.8m   0.0  0.2   0:00.02 S  `- dbus-daemon
  420 analyst   20   0   10.2m   2.4m   0.0  0.2   0:00.01 S  `- xfconfd
  671 analyst   20   0   42.9m   6.4m   0.0  0.6   0:00.01 S  `- at-spi-bus-laun
  423 analyst   20   0    4.7m   0.2m   0.0  0.0   0:00.00 S  `- ssh-agent
  425 analyst   20   0   23.3m   0.2m   0.0  0.0   0:00.02 S  `- gpg-agent
  430 analyst   20   0   67.9m  26.3m   0.0  2.6   0:00.03 S  `- xfsettingsd
  440 analyst   20   0   80.0m  26.6m   0.0  2.6   0:00.08 S  `- xfce4-power-man
  448 analyst   20   0   79.8m  26.5m   0.0  2.6   0:00.02 S  `- xfce4-power-man
  463 root      20   0   52.6m   2.5m   0.0  0.2   0:00.02 S  `- upowerd
  478 analyst   20   0   15.2m   0.3m   0.0  0.0   0:00.00 S  `- VBoxClient
  487 analyst   20   0   17.4m   0.4m   0.7  0.0   0:01.78 S  `- VBoxClient
  479 analyst   20   0   15.2m   0.3m   0.0  0.0   0:00.00 S  `- VBoxClient
  484 analyst   20   0   16.9m   0.4m   0.0  0.0   0:00.01 S  `- VBoxClient
Malware on a Linux Host (3.3.2.4)
Linux malware includes viruses, Trojan horses, worms, and other types of malware that can affect the operating system. Due to a number of design components such as file system structure, file permissions, and user account restrictions, Linux operating systems are generally regarded as better protected against malware.
While arguably better protected, Linux is not immune to malware. Many vulnerabilities have been found and exploited in Linux. These range from server software to kernel vulnerabilities. Attackers are able to exploit these vulnerabilities and compromise the target. Due to the open source nature of Linux, fixes and patches are often made available within hours of the discovery of such problems.
If a malicious program is executed, it will cause damage, regardless of the platform. A common Linux attack vector is its services and processes. Vulnerabilities are frequently found in server and process code running on computers connected to the network. An outdated version of the Apache web server could contain an unpatched vulnerability which can be exploited by an attacker, for example. Attackers often probe open ports to assess the version and nature of the server running on that port. With that knowledge, attackers can research if there are any known issues with that particular version of that particular server to support the attack. As with most vulnerabilities, keeping the computer updated and closing any unused services and ports is a good way to reduce the opportunities for attack in a Linux computer.
Example 3-11 shows an attacker using the telnet command to probe the nature and version of a web server. The attacker has learned that the server in question is running nginx version 1.12.0. The next step would be to research known vulnerabilities in the nginx 1.12.0 code.
Example 3-11 Using telnet to Probe a Web Server
[analyst@secOps ~]$ telnet 209.165.200.224 80
Trying 209.165.200.224...
Connected to 209.165.200.224.
Escape character is '^]'.
type anything to force an HTTP error response
HTTP/1.1 400 Bad Request
Server: nginx/1.12.0
Date: Wed, 17 May 2017 14:27:30 GMT
Content-Type: text/html
Content-Length: 173
Connection: close

<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.12.0</center>
</body>
</html>
Connection closed by foreign host.
[analyst@secOps ~]$
Rootkit Check (3.3.2.5)
A rootkit is a set of software tools designed to increase a user’s privileges, or grant access to portions of the software that should not normally be allowed. Rootkits are also often used to secure a backdoor to a compromised computer.
The installation of a rootkit can be automated (done as part of an infection) or an attacker can manually install it after compromising a computer. A rootkit is destructive because it changes kernel code and its modules, changing the most fundamental operations of the OS itself. With such a deep level of compromise, rootkits can hide the intrusion, remove any installation tracks, and even tamper with troubleshooting and diagnostics tools so that their output now hides the presence of the rootkit. While a few Linux vulnerabilities through history have allowed rootkit installation via regular user accounts, the vast majority of rootkit compromises require root or administrator access.
Because the very nature of the computer is compromised, rootkit detection can be very difficult. Typical detection methods often include booting the computer from trusted media such as a diagnostics operating system live CD. The compromised drive is mounted and, from the trusted system toolset, trusted diagnostic tools can be launched to inspect the compromised file system. Inspection methods include behavioral-based methods, signature scanning, difference scanning, and memory dump analysis.
Rootkit removal can be complicated and often impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system is usually the only real solution to the problem. Firmware rootkits usually require hardware replacement.
chkrootkit is a popular Linux-based program designed to check the computer for known rootkits. It is a shell script that uses common Linux tools such as strings and grep to compare the signatures of core programs. It also looks for discrepancies as it traverses the /proc file system, comparing the signatures found there with the output of the ps command. For more information about chkrootkit, visit the following website:
While helpful, keep in mind that programs to check for rootkits are not 100% reliable.
Example 3-12 shows the output of chkrootkit on Ubuntu Linux.
Example 3-12 Output of the chkrootkit Command
analyst@cuckoo:~$ sudo ./chkrootkit
[sudo] password for analyst:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not found
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/debug/.build-id
/lib/modules/4.8.0-36-generic/vdso/.build-id
/lib/modules/4.8.0-52-generic/vdso/.build-id
/lib/modules/4.8.0-49-generic/vdso/.build-id
/usr/lib/debug/.build-id
/lib/modules/4.8.0-36-generic/vdso/.build-id
/lib/modules/4.8.0-52-generic/vdso/.build-id
/lib/modules/4.8.0-49-generic/vdso/.build-id
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for Linux/Ebury - Operation Windigo ssh... not tested
Searching for 64-bit Linux Rootkit ... nothing found
Searching for 64-bit Linux Rootkit modules... nothing found
Searching for Mumblehard Linux ... nothing found
Searching for Backdoor.Linux.Mokes.a ... nothing found
Searching for Malicious TinyDNS ... nothing found
Searching for Linux.Xor.DDoS ... nothing found
Searching for Linux.Proxy.1.0 ... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... enp0s3: PF_PACKET(/sbin/dhclient)
virbr0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... user analyst deleted or never logged from lastlog!
Checking `chkutmp'... The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! analyst      2597 pts/5  bash
! root         3733 pts/5  sudo ./chkrootkit
! root         3734 pts/5  /bin/sh ./chkrootkit
! root         4748 pts/5  ./chkutmp
! root         4749 pts/5  sh -c ps ax -o "tty,pid,ruser,args"
! root         4750 pts/5  ps ax -o tty,pid,ruser,args
chkutmp: nothing deleted
Checking `OSX_RSPLUG'... not tested
analyst@cuckoo:~$
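An added example, not part of chkrootkit or the course, of the /proc-versus-ps discrepancy check that chkrootkit's chkproc test performs: a user-space rootkit that trojans ps can drop a process from ps output, but the kernel still exposes the process as /proc/PID. The PID lists in the block are constructed; the live function assumes a Linux /proc file system and a POSIX ps.

```shell
#!/bin/sh
# Added example, not part of chkrootkit or the course text.

# hidden_pids PROC_LIST PS_LIST
# Both arguments are newline-separated PID lists. Prints the PIDs that appear
# in PROC_LIST but not in PS_LIST, one per line (nothing on a clean system).
# The ps list is fed first, then a marker, then the /proc list, so a single
# awk pass can remember what ps reported and flag what it did not.
hidden_pids() {
    { printf '%s\n' "$2"; echo '---'; printf '%s\n' "$1"; } | awk '
        /^---$/ { second = 1; next }
        !second { seen[$1] = 1; next }
        $1 ~ /^[0-9]+$/ && !($1 in seen) { print $1 }'
}

# live_hidden_pids: run the comparison against the running system.
# A process that exits between reading /proc and running ps would look hidden,
# so a candidate is reported only if /proc/PID still exists after ps finished.
live_hidden_pids() {
    before=$(ls /proc | grep -E '^[0-9]+$')
    ps_pids=$(ps -e -o pid= | tr -d ' ')
    for pid in $(hidden_pids "$before" "$ps_pids"); do
        [ -d "/proc/$pid" ] && echo "$pid"
    done
    return 0
}

# Constructed sample (not captured from a real host): /proc knows PID 4242,
# but the pretend-trojaned ps output does not list it.
PROC_SAMPLE='1
173
205
281
317
4242'
PS_SAMPLE='1
173
205
281
317'

# Stand-alone run: the constructed case, then this host when /proc and ps exist.
echo "hidden in sample: $(hidden_pids "$PROC_SAMPLE" "$PS_SAMPLE")"
if [ -d /proc/1 ] && command -v ps >/dev/null 2>&1; then
    live=$(live_hidden_pids)
    echo "hidden on this host: ${live:-none}"
fi
```

A non-empty result is a lead, not a verdict: chkrootkit treats this as one signal among several, and a kernel-level rootkit can falsify /proc just as easily as ps.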
Piping Commands (3.3.2.6)
Although command line tools are usually designed to perform a specific, well-defined task, many commands can be combined to perform more complex tasks by a technique known as piping. Named after its defining character, the pipe (|), piping consists of chaining commands together, feeding the output of one command into the input of another.
For example, the ls command is used to display all the files and directories of a given directory. The grep command searches through a file or text for the specified string. If found, grep displays the lines in which the string was found. The two commands, ls and grep, can be piped together to filter the output of ls, as shown in Example 3-13 with the ls -l lab.support.files | grep ap command.
Example 3-13 Output of the grep Command
[analyst@secOps ~]$ ls -l lab.support.files
total 584
-rw-r--r-- 1 analyst analyst    649 Jun 28  2017 apache_in_epoch.log
-rw-r--r-- 1 analyst analyst    126 Jun 28  2017 applicationX_in_epoch.log
drwxr-xr-x 4 analyst analyst   4096 Aug 24 12:36 attack_scripts
-rw-r--r-- 1 analyst analyst    102 Jul 20 09:37 confidential.txt
-rw-r--r-- 1 analyst analyst   2871 Dec 15  2016 cyops.mn
-rw-r--r-- 1 analyst analyst     75 May 24  2017 elk_services
-rw-r--r-- 1 analyst analyst    373 Feb 16  2017 h2_dropbear.banner
-rw-r--r-- 1 analyst analyst    147 Mar 21  2017 index.html
drwxr-xr-x 2 analyst analyst   4096 Aug 24 12:36 instructor
-rw-r--r-- 1 analyst analyst    255 May  2  2017 letter_to_grandma.txt
-rw-r--r-- 1 analyst analyst  24464 Feb  7  2017 logstash-tutorial.log
drwxr-xr-x 2 analyst analyst   4096 May 25  2017 malware
-rwxr-xr-x 1 analyst analyst    172 Jul 25 16:27 mininet_services
drwxr-xr-x 2 analyst analyst   4096 Feb 14  2017 openssl_lab
drwxr-xr-x 2 analyst analyst   4096 Aug 24 12:35 pcaps
drwxr-xr-x 7 analyst analyst   4096 Sep 20  2016 pox
-rw-r--r-- 1 analyst analyst 473363 Feb 16  2017 sample.img
-rw-r--r-- 1 analyst analyst     65 Feb 16  2017 sample.img_SHA256.sig
drwxr-xr-x 3 analyst analyst   4096 Aug 24 10:47 scripts
-rw-r--r-- 1 analyst analyst  25553 Feb 13  2017 SQL_Lab.pcap
[analyst@secOps ~]$ ls -l lab.support.files | grep ap
-rw-r--r-- 1 analyst analyst    649 Jun 28  2017 apache_in_epoch.log
-rw-r--r-- 1 analyst analyst    126 Jun 28  2017 applicationX_in_epoch.log
drwxr-xr-x 2 analyst analyst   4096 Aug 24 12:35 pcaps
-rw-r--r-- 1 analyst analyst  25553 Feb 13  2017 SQL_Lab.pcap
[analyst@secOps ~]$
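An added example, not from the course, that applies piping to the process listing a user would inspect before running kill, as the Processes and Forks topic describes. Each function reads a ps-style listing on standard input, so it works on the constructed sample below or on a real one (ps -e -o pid,user,%cpu,comm | pids_of nginx).

```shell
#!/bin/sh
# Added example, not part of the course text.

# Constructed sample in the layout of: ps -e -o pid,user,%cpu,comm
# (values modelled on Example 3-10, not captured from a real host).
PS_SAMPLE='  PID USER     %CPU COMMAND
    1 root      0.0 systemd
  281 root      0.7 python2.7
  329 root      0.0 nginx
  330 http      0.0 nginx
  332 root      2.6 Xorg
  396 analyst   0.0 sh
  416 analyst   0.0 xfce4-session
  487 analyst   0.7 VBoxClient'

# pids_of NAME: PIDs whose command column equals NAME exactly, one per line.
# This is the safer form of "ps | grep nginx": grep would also match the grep
# process itself and any command that merely contains the string.
pids_of() {
    awk -v name="$1" 'NR > 1 && $4 == name { print $1 }'
}

# count_by_user: processes per user, busiest user first, on one line,
# e.g. "root=4 analyst=3 http=1". Five commands chained with the pipe:
# extract the user column, sort so uniq can count, count, order by count,
# and join the result into one line.
count_by_user() {
    awk 'NR > 1 { print $2 }' | sort | uniq -c | sort -rn |
        awk '{ printf "%s%s=%s", sep, $2, $1; sep = " " } END { print "" }'
}

# top_cpu: command name of the process with the highest %CPU.
top_cpu() {
    awk 'NR > 1' | sort -k3,3 -rn | head -n 1 | awk '{ print $4 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$PS_SAMPLE" | pids_of nginx
printf '%s\n' "$PS_SAMPLE" | count_by_user
printf '%s\n' "$PS_SAMPLE" | top_cpu
```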