Helpful Linux Tools - PowerPoint PPT Presentation

1 / 34
About This Presentation
Title:

Helpful Linux Tools

Description:

F-PROT FREE anti-virus/worm removal tool. Wireshark: Formerly known as Ethereal. ... Free anti-virus tools like F-PROT can be used to find and remove any known ... – PowerPoint PPT presentation

Number of Views:145
Avg rating:3.0/5.0
Slides: 35
Provided by: BARK78
Category:
Tags: free | helpful | linux | removal | tools | virus

less

Transcript and Presenter's Notes

Title: Helpful Linux Tools


1
Helpful Linux Tools
  • or
  • How to manage security risks on a very small
    budget, with few staff using FREE linux tools

2
Helpful FREE Linux tools
  • There are many security related tasks that can be
    done with tools that cost you nothing. Today I
    will share some details with you using some
    common tasks as examples.
  • All these tools are only a download away!
  • (Did I mention theyre free?)

3
Whats out there?
  • It is a big bad world out there
  • Viruses, worms, trojans
  • Hackers
  • Strange events on your network
  • Insider threats

4
What are you looking for?
  • What dont you know about your servers?
  • Whats exposed behind your firewall and across
    your DMZ?
  • Are any servers running unknown services or
    sending out odd traffic?

5
Tools to improve your security awareness
  • NMAP Great small tool for host iding.
  • Nessus Wide range of methods to find flaws and
    includes details to solve the problems you may
    find.
  • F-PROT FREE anti-virus/worm removal tool.
  • Wireshark Formerly known as Ethereal.
  • A full network traffic analysis toolkit.
  • These tools are all free and are easy to use

6
NMAP Overview
  • NMAP is a widely used port-scanning utility (the
    network mapper)
  • a command-line utility that uses a variety of
    scanning methods
  • allows for fingerprinting hosts
  • Use NMAP to find and fix problems before the
    hackers find them!
  • NMAP reveals all exposed services
  • NMAP is now available for Windows.

7
NMAP Overview
  • NMAP will collect very detailed data for your
    interpretation
  • nmap -A -T4 -F www.insecure.org
  • Starting nmap 3.40PVT16 ( http//www.insecure.org/
    nmap/ ) at 2006-09-06 1949 PDT
  • Interesting ports on www.insecure.org
    (205.217.153.53)
  • (The 1206 ports scanned but not shown below are
    in state filtered)
  • PORT STATE SERVICE VERSION
  • 22/tcp open ssh OpenSSH 3.1p1 (protocol
    1.99)
  • 25/tcp open smtp Qmail smtpd
  • 53/tcp open domain ISC Bind 9.2.1
  • 80/tcp open http Apache httpd 2.0.39
    ((Unix) mod_perl/1.99_07-dev Perl/v5.6.1)
  • 113/tcp closed auth
  • Device type general purpose
  • Running Linux 2.4.X2.5.X
  • OS details Linux Kernel 2.4.0 - 2.5.20
  • Uptime 108.307 days (since Wed May 21 122744
    2006)

8
NMAP for Windows
9
Nessus Security Scanner
  • Wouldnt it be great to have an easy-to-use tool
    that could identify nearly every known
    host/server vulnerability?
  • Wouldnt it be great if the tool generated
    reports?
  • Wouldnt it be even nicer if the tool was
    completely FREE?

10
Nessus Overview
  • Nessus
  • Remote Vulnerability Scanner
  • Remote Data Gathering , Host Identification, Port
    Scanning are the main purposes of using this
    tool.
  • Client/Server Setup.
  • Server UNIX (Linux) Based
  • Clients Windows and UNIX Based.
  • Open Source, Highly flexible, Harmless.

11
Nessus Overview Continued
  • Nessus Scripting Language (NASL)
  • Scripting Language used by Nessus to form attacks
    to detect vulnerabilities.
  • Guarantees
  • Will not send packets to any other hosts than
    target
  • Will execute commands on only local systems.
  • Optimized built-in fuctions to perform network
    related tasks.
  • e.g. Socket operations, open connection if port
    is open, forge IP/TCP/ICMP etc. Packets
  • Rich Knowledge Base KB, which provides ability
    to use results of other scripts to use in custom
    script.

12
Nessus Overview Continued
  • Features
  • Plug-in Architecture
  • Security Tests are modular Plug-ins, easy to add
    or modify tests with changes to NASL scripts.
  • Security Vulnerability Database
  • Database is updated a daily basis, keeps record
    of latest security holes.
  • Client-Server Architecture
  • Server Performs attacks
  • Client Front-end
  • Both can be located at different hosts

13
Nessus Overview Continued
  • Can Test unlimited amount of hosts in each scan.
  • Depending on server capacity, scan can be
    performed on any range of hosts.
  • Smart Service Recognition.
  • Doesn't believe in fixed ports for particular
    service.
  • Checks all ports for specific vulnerability.
  • Non-Destructive Option
  • Used to select only the non-destructive scripts
    to run for scanning. Nessus then will rely only
    on banner information for service identification.

14
Whats it look like?
  • Nessus Server Client
  • 10.10.10.101241
  • Authentication used
  • Password
  • nessus-mkcert will generate X.509 Cert.
  • Remote Host Scanned
  • 10.12.13.14

15
Whats it look like?
  • Plugins
  • Scan can be enabled for all possible plugins.
  • upload-plugin gives you to add plugin from
    local database.
  • Dependencies can be set enabled while scanning.

16
Nessus Reports
17
Fix a broken Windows system
  • Corrupted boot files?
  • Worm-damaged system?
  • Suspect a root-kit or keylogger?
  • Damaged Registry?
  • Need to reset password you dont know?
  • Knoppix boot-cd Linux is your friend!

18
Knoppix Boot CD/DVD
19
Knoppix Boot CD/DVD
  • Knoppix is a Boot-CD Linux version thats
    completely portable, works anywhere!
  • Constantly updated, easily customized.
  • Ability to download specific applications as
    modules for specific tasks.
  • Now can freely read/write NTFS 5.x file
    systems for easy virus removal.

20
Knoppix Boot CD/DVD
  • Any tools not preloaded are easy to add.
  • You can download your tools to a thumb drive and
    always have your custom tools.
  • Since it all runs in a RAM disk, the host system
    is not touched.
  • Free anti-virus tools like F-PROT can be used to
    find and remove any known malware.

21
Knoppix Boot CD/DVD
  • Using Knoppix sidesteps several key issues in the
    repair of virus/worm infected windows systems.
  • Many viruses kill av-software on sight if windows
    is running.
  • More details can be found here
  • www.oreilly.com/catalog/knoppixhks/chapter/hack7
    8.pdf

22
Knoppix Virus/worm removal
  • By default F-Prot not included with Knoppix as
    they dont want 3rd party distribution.
  • F-Prot is easy to install to the RAM disk by
    using a shell-script from a thumb drive as shown
    on the next page.

23
F-Prot installation script
  • !/bin/bash Install f-prot - useful in
    combination with persistant home GPL
    Author Fabian Franz
    mkdir -p HOME/software/ cd HOME/software/
    wget ftp//ftp.f-prot.com/pub/linux/fp-linux-ws.t
    ar.gz tar xzf fp-linux-ws.tar.gz mkdir -p
    HOME/man/man8 mkdir -p HOME/bin ln -fs
    (pwd)/f-prot/f-prot.sh HOME/bin/f-prot ln -fs
    (pwd)/f-prot/check-updates.sh HOME/bin/check-upd
    ates.sh ln -fs (pwd)/f-prot/man8/f-prot.8
    HOME/man/man8/ ln -fs (pwd)/f-prot/man8/check-u
    pdates.sh.8 HOME/man/man8/ Setting up
    Manpath PATH for f-prot cp HOME/.bashrc
    HOME/.bashrc.templ cat HOME/.bashrc.templ
    grep -v "export MANPATH\HOME/man" grep -v
    "export PATH\HOME/bin/" HOME/.bashrc echo
    "export MANPATH\HOME/man/\MANPATH"
    HOME/.bashrc echo "export PATH\HOME/bin/\PAT
    H" HOME/.bashrc rm -f HOME/.bashrc.templ
    Fix paths cp f-prot/f-prot.sh
    /tmp/f-prot. sed 's/usr/local/f-prot/'(pwd)'
    /f-prot/g' /tmp/f-prot. f-prot/f-prot.sh
    cp f-prot/check-updates.sh /tmp/f-prot. sed
    's/usr/local/f-prot/'(pwd)'/f-prot/g'
    /tmp/f-prot. f-prot/check-updates.sh rm -f
    /tmp/f-prot. cleanup rm -f
    fp-linux-ws.tar.gz

24
F-Prot inspection script
  • F-Prot inspection script with results to
    /virus.txt
  • !/bin/bash F-Prot Autoscan GPL
    Author Fabian Franz
    Idea by Robert Long Mount all
    partitions for i in (cat /etc/fstab grep -v
    "" awk ' print 2' egrep "hdsd") do sudo
    mount -o ro i done Run f-prot f-prot 
    (cat /etc/fstab grep -v "" awk ' print
    2' egrep "hdsd") -all -ai -archive -dumb
    -packed -list -report/virus.txt Unmount them
    for i in (cat /etc/fstab grep -v "" awk '
    print 2' egrep "hdsd") do sudo umount i
    done

25
F-Prot inspection report
  • Virus scanning report  -  31 May 2006 _at_
    1216F-PROT ANTIVIRUSProgram version
    4.6.1Engine version 3.16.8VIRUS SIGNATURE
    FILESSIGN.DEF created 30 May 2006SIGN2.DEF
    created 30 May 2006MACRO.DEF created 30 May
    2006Search homeAction Report onlyFiles
    "Dumb" scan of all filesSwitches -ARCHIVE
    -PACKED -SERVERError on reading homeResults
    of virus scanningFiles 0MBRs 0Boot
    sectors 0Objects scanned 0Time 000No
    viruses or suspicious files/boot sectors were
    found.

26
Knoppix virus/worm removal
  • If the report indicates any infected files they
    can be removed manually or you can command F-Prot
    to delete any malware upon discovery.

27
Wireshark
  • When you really want to know what your network is
    doing, you must climb in and look around!
  • Ideal for remote observation of insider threats

28
Wireshark
  • Wireshark (Formerly known as Ethereal) is an open
    source network protocol analyzer for Unix and
    Windows. It allows you to examine data from a
    live network or from a capture file on disk.
  • Decodes over 750 protocols
  • Download the program from
  • www.wireshark.org/download.html

29
Using Wireshark
  • After launching, select your interface

30
Using Wireshark
  • Click Start next to your interface to begin
    capturing traffic for analysis

31
Using Wireshark
  • Decoded datastreams look like this

32
Using Wireshark
  • What Ive shown you today about Wireshark is just
    the tip of the iceberg.
  • Wireshark has the ability to filter to or from
    any host or protocol and also can decode files
    created by tcpdump or other Unix traffic capture
    utilities for forensic traffic analysis. Its
    very versatile!

33
Summary
  • I hope today Ive called to your attention
    several tools that are very effective and cost
    only the time it takes to become familiar with
    them.
  • The tools Ive discussed are under constant
    improvement so be sure to carefully read the
    documentation to be sure youre using the most
    effective commands to complete a task.

34
Thank You
  • Thank You for taking the time to look at this
    presentation.
  • I hope you find the information helpful!
  • Phil Barker Curry County Computer Services
  • BarkerP_at_co.curry.or.us
  • 541.247.3372
  • http//co.curry.or.us/compsvcs/oagitm.ppt
Write a Comment
User Comments (0)
About PowerShow.com