This is the second article on the UNIX Health Check blog that discusses security awareness.
This article is all about WiFi security, and the ability of others to scan WiFi network information. For the purpose of this article, we'll be using Kali Linux. In the first article we discussed setting up a Kali Linux Live USB environment for this purpose.
Kali Linux, generally regarded as the de facto standard package of tools used to facilitate penetration testing to secure data and voice networks, comes with many pre-installed tools. One of those tool-sets is AirCrack-ng, which is a complete suite of tools to assess WiFi network security. We'll be looking at and using some of these tools in this article.
To prepare, start up a computer with the Kali Linux Live USB operating system.
Also make sure that the computer has a functional wireless interface. For purposes of using the AirCrack-ng tools, a good wireless interface is required. Please note that not all wireless devices are the same. The capabilities of a wireless device differ very much on the chipset used within a wireless device. A good and relatively cheap wireless interface is the Alpha AWUS036NH, which comes with a USB interface that can easily be plugged into any computer. This particular WiFi USB device is capable of high transmit power, and also allows to be configured in so-called Master mode, allowing it to function as an Access Point, which we'll be using in future articles. A good overview of wireless devices and their capabilities can be found at https://wikidevi.com/wiki/Wireless_adapters/Chipset_table.
Once the Kali Live system has booted, investigate which wireless interfaces are available. Good tools for this purpose are airmon-ng and iwconfig:
# airmon-ng
PHY Interface Driver Chipset
phy0 wlan0 iwlwifi Intel Corporation Wireless 7260 (rev 73)
phy1 wlan1 rt2800usb Ralink Technology, Corp. RT2870/RT3070
phy2 wlan2 rt2800usb Ralink Technology, Corp. RT5370
In the output above you can see there are 3 wireless devices. The first one, listed as phy0, is the internal WiFi device of the computer. The other two are using a USB driver, and are two USB WiFi devices that have been inserted. The Alpha AWUS036NH WiFi device is actually device phy2 in the output above.
Now run "iwconfig":
# iwconfig
wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=22 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
wlan1 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:on
wlan2 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
The "iwconfig" command above provides us with some more information, for example, if the interface is associated with any Access Point (a.k.a. router), and what the transmit power (Tx-Power) of the device is currently set to. Similar information can be retrieved by running the "iw dev" command, however that command will also display the MAC address of each device.
For the purpose of these security articles, we have equipped the computer with 3 WiFi devices. The first device, wlan0, will be used to regularly connect to a working WiFi Access Point for Internet connectivity. The second interface, wlan1, will be used to monitor WiFi networks. And the third interface, wlan2, will be used in a later article to set up our own Access Point. Having several WiFi interfaces gives us the capability to do multiple things.
WiFi network traffic is similar to radio signals. One can simply tune in the "radio" to listen to what is going on. This is the main reason why using Open (non-encrypted) WiFi networks is a security risk. Yet, many people use Open WiFi networks frequently.
Similar to radio signals, the location of where you are listening, and the equipment used to listen to it, matters. The closer you are to an Access Point, the stronger and more reliable the signals are. Also, the better the WiFi network device, or the larger the antenna used, the more likely it is that you will receive a good signal.
To start listening to WiFi traffic, it is useful to set one of the WiFi interfaces into Monitor mode. The airodump-ng command, that we'll we using to monitor WiFi network traffic will set a device in monitor mode itself, so you won't have to do it yourself. But if you do wish to configure a WiFi interface in Monitor mode, you can do so as follows, for example, for WiFi interface wlan1:
# ifconfig wlan1 down
# iwconfig wlan1 mode monitor
# ifconfig wlan1 up
# iwconfig wlan1
wlan1 IEEE 802.11 Mode:Monitor Frequency:2.462 GHz Tx-Power=20 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off
In the output of the "iwconfig" command above, you can now see that the wlan1 interface is in Monitor mode, and that the frequency is set to 2.462 GHz (configured to listen to the 2.4 GHz WiFi band).
Another way of configuring a WiFi network interface in Monitor mode is by running:
# airmon-ng start wlan1
However, when using the airmon-ng command, keep in mind that the interface used, in the example above: wlan1, will be renamed to wlan1mon.
When setting a WiFi network interface in Monitor mode, you may encounter a failure. If this happens, then most likely another process is using the WiFi network interface. To check this, run:
# airmon-ng check wlan1
If you want to stop all the other processes using the wireless device, simply run:
# airmon-ng check kill
A good example of a process using a wireless device is NetworkManger. By default, this process will be active on Kali Linux. To verify that, run:
# systemctl status NetworkManager
You can stop NetworkManager, you can run:
# systemctl stop NetworkManager
If you wish to keep on using NetworkManager, but just have NetworkManager not managed a specific wireless device, then do the following:
First determine the MAC address of the wireless device, by running "iw dev". Assuming that the MAC address of wireless device is 00:0f:60:01:07:4c, then add the following to the bottom of /etc/NetworkManager/NetworkManager.conf:
[keyfile]
unmanaged-devices=mac:00:0f:60:01:07:4c
Then restart NetworkManager:
# systemctl restart NetworkManager
From now on, NetworkManager will no longer manage the wireless device with MAC address 00:0f:60:01:07:4c, and you should not see any issues when running commands against the wireless device and having NetworkManager managing it at the same time.
Now you can start monitoring the WiFi networks, by running:
# airodump-ng wlan1
The output shown by the airodump-ng command is divided in two parts. On the top you can see all the BSSIDs. These are the Access Points / routers found. For each BSSID, you'll see the MAC address of the Access Point, the transmit power (PWR), the channel it is transmitting on (CH), the encryption used (ENC) and the ESSID (The name of the WiFi network). At the bottom, you can see the clients, also called stations. These are devices, such as computers and phones connected to an Access Point, or when listed as "not associated", devices that are not connected to any Access Point, but looking to connect. If a device is connected to an Access Point, then it will list both the MAC address of the BSSID (Access Point) and that of the client (Station). In the left-most column you can see information about "Probes", meaning clients that probe for a certain WiFi network name.
The airodump-ng command has some very useful commands, described in a lot of detail at
https://www.aircrack-ng.org/doku.php?id=airodump-ng. For example, the "a" key can be used to cycle through different parts of the output, which may come in handy if there is too much information to fit on the screen. The "s" and "r" keys can be used to sort the output per column and the TAB key can be used to highlight/select specific BSSIDs.
A note about MAC addresses: The MAC address alone doesn't provide any information about what kind of device it is, but some information can be derived from the MAC address. A MAC address consists of 6 parts, divided by colons. The first 3 parts determine the vendor of the device. You can take these first three parts, and look up which vendor it is, for example by typing in these 3 parts at
www.macvendors.com. For example, if you do so for MAC address B0:26:80:AA:CB:20, by taking the first three parts (BO:26:80) and enter that on
www.macvendors.com, it will tell you it is a Cisco device. When retrieving MAC address vendor information, you may discover a lot of China-based vendors that manufactured the wireless devices in computers, phones and other devices. So, it may not always be immediately clear what type of device is using a certain MAC address.
At the top of the airodump-ng command you will notice that it cycles through all the channels constantly, which is the default behavior. This way it is scanning all channels for WiFi networks. If you wish to look at a specific Access Point (or BSSID), then copy the MAC address of that BSSID, and take a note of the channel it uses.
For example, in the top output you may see a line for an Access Point/BSSID as follows:
BSSID PWR Beacons #Data #/s CH MB ENC CIPHER AUTH ESSID
B0:26:80:83:79:C0 -28 248 40 0 6 195 WPA2 CCMP PSK attwifi
This means that a WiFi network with the name "attwifi" is running at channel 6, with MAC address B0:26:80:83:79:C0.
To only look at this specific access point, start airmon-ng as follows:
# airmon-ng --channel 6 --bssid B0:26:80:83:79:C0 wlan1
So far for this article. At this point you have learned how to scan for WiFi networks using Kali Linux, and how to see all the different WiFi networks in the vicinity, and to see what clients (stations) are either associated to or probing for an Access Point.
This is the first article in a series of security awareness articles. The first few articles will focus initially on WiFi security.
For the purposes of hacking, people often tend to use the Kali distribution of Linux, which is generally regarded as the de facto standard package of tools used to facilitate penetration testing to secure data and voice networks. It was developed by Mati Aharoni and Devon Kearns of Offensive Security.
This article will focus on creating a bootable USB drive containing Kali Linux, allowing one to boot up a computer from USB with Kali Linux. The original documentation can be found at
https://docs.kali.org/downloading/kali-linux-live-usb-install and
https://docs.kali.org/downloading/kali-linux-live-usb-persistence.
For this article, you will need a Windows based computer and a USB drive of at least 8 GB.
Start of by downloading the 64 bit ISO image file from
https://www.kali.org/downloads/. Select the very first 3 GB file, named "Kali Linux 64bit" for amd64 based systems, assuming you will be using a 64 bit computer. Then, insert a USB drive into the computer of at least 8 GB.
Download Win32 Disk Imager from
https://sourceforge.net/projects/win32diskimager/. Note that this tool doesn't work on Windows if you have a RAM disk and/or Encrypted disk configured on your system. If you do, then unmount these first. Use the Win32 Disk Imager tool to write the Kali ISO image file to the USB drive.
Writing the ISO file takes a few minutes.
As an alternative, you can also download the ISO image file on a Linux system, and use the dd command to write the ISO image file to the USB drive. For example, assuming the USB device on Linux is /dev/sdb, and the ISO image file is called kali-linux-2018.3a-amd64.iso, run:
# dd if=kali-linux-2018.3a-amd64.iso of=/dev/sdb bs=512k
At this point, you can boot up Kali Linux from the USB drive. It may be necessary to change the boot order in the BIOS of the computer to boot from the USB drive (instead of the internal hard drive) first. The default password for the root user of Kali Linux is "toor".
What has been created at this point is an operating system that you can use normally. You will notice however, that once you shut down and restart Kali Linux, that any changes you have made, will be gone. This is due to it not having any persistent storage, and thus losing all the changes mades once the operating system has been shut down or restarted.
There is a way to create a persistent Kali Linux USB setup:
Fist, boot Kali Linux from the USB drive you have prepared above. Run "lsblk" to identify which drive the USB drive is, for example /dev/sda. By looking at the output of the lsblk command, you can see that about 3.7 GB is in use for two different partitions. We'll be creating an additional partition for the persistent storage. Just to be safe, we'll create a new partition of 4 GB, starting at a location 4 GB through 8 GB on the USB drive:
# parted /dev/sda mkpart primary 4gb 8gb
This will create a new partition called /dev/sda3. You can see this by running lsblk again. Next, create a file system on the new partition:
# mkfs.ext3 -L persistence /dev/sda3
# e2label /dev/sda3 persistence
Now create a mount point, mount the new partition there, and then create the configuration file to enable persistence. Finally, unmount the partition:
# mkdir -p /mnt/my_usb
# mount /dev/sda3 /mnt/my_usb
# echo "/ union" > /mnt/my_usb/persistence.conf
# umount /dev/sda3
Next, reboot the system, and boot the Kali Linux Live persistence option:
# reboot
From now on it will be possible to write to the file systems, and changes will be maintained. The downside of creating a persistent USB version of Kali Linux is however, that the OS becomes slower, because it is now writing to the USB drive, which isn't that fast as writes to memory.
There's also a method for creating an encrypted version of the persistent Kali Live Linux USB drive, which is described in more detail at
https://docs.kali.org/downloading/kali-linux-live-usb-persistence.
The following command will generate a random password of 9 characters:
# openssl rand -base64 9
Red Hat provides you the opportunity to download a KVM guest image, that you can use within virt-manager to start immediately. This saves you the trouble and time of having to install the operating system.
However, the root password is not known, and so, it may be difficult to log in as root when using the KVM guest image provided by Red Hat.
Luckily, there is an easy solution to changing the root password on a KVM guest image.
Start by installing guestfish:
# yum -y install guestfish
Guestfish is a tool that can be used from the command line to access guest virtual machine file systems.
Next, update the image file as follows, assuming the image file is located in /var/lib/libvirt/images, and the image file is called "rhel7.5.beta1.qcow2", and you want to set the password to "PASSWORD":
# cd /var/lib/libvirt/images
# virt-customize -a rhel7.5.beta1.qcow2 --root-password password:PASSWORD
Whenever you have to connect through SSH to a lot of different servers, and you create a command for it like this:
# for h in $SERVER_LIST; do ssh $h "uptime"; done
You may run into an error that stops your command, especially when a new server is added to $SERVER_LIST, like this:
The authenticity of host 'myserver (1.2.3.4)' can't be established.
RSA key fingerprint is .....
Are you sure you want to continue connecting (yes/no)?
And you'll have to type "yes" every time this error is encountered.
So, how do you automate this, and not have to type "yes" with every new host?
The answer is to disable strict host key checking with the ssh command like this:
ssh -oStrictHostKeyChecking=no $h uptime
Please note that you should only do this with hosts that you're familiar with, and/or are in trusted networks, as it bypasses a security question.
Security Enhanced Linux, or short SELinux, is by default enabled on Red Hat Enterprise (and alike) Linux systems.
To determine the status of SELinux, simply run:
# sestatus
There will be times when it may be necessary to disable SELinux. Or for example, when a Linux system is not Internet facing, you may not need to have SELinux enabled.
From the command line, you can edit the /etc/sysconfig/selinux file. This file is a symbolic link to file /etc/selinux/config.
By default, option SELINUX will be set to enforcing in this file:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
By changing it to "permissive", you will disable SELinux:
SELINUX=permissive
A way to create a random password yourself is using a password generator. The pwmake is a command-line tool for generating random passwords that consist of all four groups of characters: uppercase, lowercase, digits and special characters.
The utility allows you to specify the number of entropy bits that are used to generate the password. The entropy is pulled from /dev/urandom. The minimum number of bits you can specify is 56, which is enough for passwords on systems and services where brute force attacks are rare. 64 bits is adequate for applications where the attacker does not have direct access to the password hash file (/etc/shadow). For situations when the attacker might obtain the direct access to the password hash or the password is used as an encryption key, 80 to 128 bits should be used. If you specify an invalid number of entropy bits, pwmake will use the default of bits.
To create a password of 128 bits, enter the following command:
# pwmake 128
*oLhezv@Hal7YmUM;Igqilur0N&
If you run into a system that you can't access, but is available on the network, and have no idea what type of system that is, then there are few tricks you can use to determine the type of system remotely.
The first one, is by looking at the TTL (Time To Live), when doing a ping to the system's IP address. For example, a ping to an AIX system may look like this:
# ping 10.11.12.82
PING 10.11.12.82 (10.11.12.82) 56(84) bytes of data.
64 bytes from 10.11.12.82 (10.11.12.82): icmp_seq=1 ttl=253 time=0.394 ms
...
TTL (Time To Live) is a timer value included in packets sent over networks that tells the recipient how long to hold or use the packet before discarding and expiring the data (packet). TTL values are different for different Operating Systems. So, you can determine the OS based on the TTL value. A
detailed list of operating systems and their TTL values can be found here. Basically, a UNIX/Linux system has a TTL of 64. Windows uses 128, and AIX/Solaris uses 254.
Now, in the example above, you can see "ttl=253". It's still an AIX system, but there's most likely a router in between, decreasing the TTL with one.
Another good method is by using nmap. The nmap utility has a -O option that allows for OS detection:
# nmap -O -v 10.11.12.82 | grep OS
Initiating OS detection (try #1) against 10.11.12.82 (10.11.12.82)
OS details: IBM AIX 5.3
OS detection performed.
Okay, so it isn't a perfect method either. We ran the nmap command above against an AIX 7.1 system, and it came back as AIX 5.3 instead. And sometimes, you'll have to run nmap a couple of times, before it successfully discovers the OS type. But still, we now know it's an AIX system behind that IP.
Another option you may use, is to query SNMP information. If the device is SNMP enabled (it is running a SNMP daemon and it allows you to query SNMP information), then you may be able to run a command like this:
# snmpinfo -h 10.11.12.82 -m get -v sysDescr.0
sysDescr.0 = "IBM PowerPC CHRP Computer
Machine Type: 0x0800004c Processor id: 0000962CG400
Base Operating System Runtime AIX version: 06.01.0008.0015
TCP/IP Client Support version: 06.01.0008.0015"
By the way, the example for SNMP above is exactly why UNIX Health Check generally recommends to disable SNMP, or at least to dis-allow providing such system information trough SNMP by updating the /etc/snmpdv3.conf file appropriately, because this information can be really useful to hackers. On the other hand, your organization may use monitoring that relies of SNMP, in which case it needs to be enabled. But then you stil have the opportunity of changing the SNMP community name to something else (the default is "public"), which also limits the remote information gathering possibilities.
Here's how you can set up your /etc/profile in order to create a separate shell history file for each user and each login session. This is very useful when you need to know who exactly ran a specific command at a point in time. For Red Hat Linux, put the updates in either /etc/profile or /etc/bashrc.
Put this in /etc/profile on all servers:
# HISTFILE
# execute only if interactive
if [ -t 0 -a "${SHELL}" != "/bin/bsh" ]
then
d=`date "+%H%M.%m%d%y"`
t=`tty | cut -c6-`
u=`who am i | awk '{print $1}'`
w=`who -ms | awk '{print $NF}' | sed "s/(//g" | sed "s/)//g"`
y=`tty | cut -c6- | sed "s/\//-/g"`
mkdir $HOME/.history.$USER 2>/dev/null
export HISTFILE=$HOME/.history.$USER/.sh_history.$USER.$u.$w.$y.$d
find $HOME/.history.$USER/.s* -type f -ctime +91 -exec rm {} \; 2>/dev/null
H=`uname -n | cut -f1 -d'.'`
mywhoami=`whoami`
if [ ${mywhoami} = "root" ] ; then
PS1='${USER}@(${H}) ${PWD##/*/} # '
else
PS1='${USER}@(${H}) ${PWD##/*/} $ '
fi
fi
# Time out after 60 minutes
# Use readonly if you don't want users to be able to change it.
# readonly TMOUT=3600
TMOUT=3600
export TMOUT
When using ksh, put this in /etc/environment, to turn on time stamped history files:
# Added for extended shell history
EXTENDED_HISTORY=ON
When using bash, put this in /etc/bashrc, to enable time-stamped output when running the "history" command:
HISTTIMEFORMAT='%F %T '; export HISTTIMEFORMAT
This way, *every* user on the system will have a separate shell history in the .history directory of their home directory. Each shell history file name shows you which account was used to login, which account was switched to, on which tty this happened, and at what date and time this happened.
Shell history files are also time-stamped internally. For AIX, you can run "fc -t" to show the shell history time-stamped. For Red Hat, you can run: "history". Old shell history files are cleaned up after 3 months, because of the find command in the example above. Plus, user accounts will log out automatically after 60 minutes (3600 seconds) of inactivity, by setting the TMOUT variable to 3600. You can avoid running into a time-out by simply typing "read" or "\" followed by ENTER on the command line, or by adding "TMOUT=0" to a user's .profile, which essentially disables the time-out for that particular user.
One issue that you now may run into on AIX, is that because a separate history file is created for each login session, that it will become difficult to run "fc -t", because the fc command will only list the commands from the current session, and not those written to a different history file. To overcome this issue, you can set the HISTFILE variable to the file you want to run "fc -t" for:
# export HISTFILE=.sh_history.root.user.10.190.41.116.pts-4.1706.120210
Then, to list all the commands for this history file, make sure you start a new shell and run the "fc -t" command:
# ksh "fc -t -10"
This will list the last 10 commands for that history file.
By default, when using sudo, the env_reset sudo option is enabled.
From the sudoers manual, about the env_reset sudo option:
This causes commands to be executed with a new, minimal environment. On AIX the environment is initialized with the contents of the /etc/environment file. The new environment contains the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in addition to variables from the invoking process permitted by the env_check and env_keep options. This is effectively a whitelist for environment variables.
If, however, the env_reset option is disabled, any variables not explicitly denied by the env_check and env_delete options are inherited from the invoking process. In this case, env_check and env_delete behave like a blacklist. Since it is not possible to blacklist all potentially dangerous environment variables, use of the default env_reset behavior is encouraged.
In all cases, environment variables with a value beginning with () are removed as they could be interpreted as bash functions. The list of environment variables that sudo allows or denies is contained in the output of "sudo -V" when run as root.
So, what does this all mean? Well, it means that you should not use env_reset in the /etc/sudoers file.
First of all, if you would use:
Defaults env_reset
Then that would do you no good, because the default is already to reset the environment variables.
If you would use (notice the exclamation mark before env_reset):
Defaults !env_reset
Then it means you don't reset any environment variables from the invoking process, for ALL users. That is a security risk, as sudo will preserve variables such as PATH or LD_LIBRARY, and these variables can be configured with values such as "." or "/home/username", or they can be utilized by malicious software.
With the default env_reset all sudo sessions will invoke a shell with minimum shell variables, including those set in /etc/profile and some others if specified in sudoers file (using the env_keep option). So this will make a more controlled sudo access without bypassing sudo security restrictions.
Okay, so what if you need to run a command through sudo that requires a certain environment variable? A good example is the tcpdump command. When running tcpdump via sudo, you may encounter the following error message:
$ sudo tcpdump -i en12
tcpdump: bpf_load: genmajor failed: A file or directory in the path name does not exist.
In this case, tcpdump is known to require the ODMDIR environment variable to be set. One way is to use "Defaults !env_reset" in /etc/sudoers, but the sudoers manual above explains that this is discouraged. Another method is to allow only specific users in /etc/sudoers, by disabling env_reset, such as:
User_Alias UTCPDUMP = tim, john
Defaults:UTCPDUMP !env_reset
But this still allows specific users to "play" with all environment variables. So unless you trust these users very much, an even better way is to use the env_keep sudo option, to specify the environment variables that need not be reset (that is, if you know the correct environment variables that are required). In the case of the tcpdump command, we will want to retain the ODMDIR environment variable:
Defaults env_keep += ODMDIR
With the above line in /etc/sudoers, you will notice that running the tcpdump command via sudo will now work properly.
So, the bottom line is: Don't use env_reset at all in /etc/sudoers. If really necessary, use env_reset for only specific users, or even better, specify the required environment variables using env_keep.
Of course, the UNIX Health Check software will check if env_reset is used in /etc/sudoers, and if so, warn about this potential security risk.
Number of results found for topic
Security: 45.
Displaying results: 11 - 20.
