Turns into battle: N kinds of weapons for finding vulnerabilities under Linux - vulnerability warning - Black Bar Safety Net
Source: www.myhack58.com (MYHACK58:6220067509)
Date: Mar 01, 2006 - 12:00 a.m.
Author: Anonymous (佚名)

Before reading this article, you should already have some understanding of the basic security characteristics of Linux systems.

Linux is an open-source, free operating system. Besides being secure, stable and cheap, it rarely suffers from spreading viruses, so it has come to be seen as a rival to Microsoft Windows. In recent years, as Linux has grown in popularity in China and more and more servers, workstations and personal computers run Linux software, more security enthusiasts have naturally developed a strong interest in this operating system. The aim of this article is to give the reader, as quickly as possible, a fairly complete picture of the functions and usage of the best hacking software on Linux. Today we look at the N kinds of weapons used to find a "broiler" (a compromised host).

A vulnerability scanner is a program that automatically detects the security weaknesses of a remote or local host. As on Windows, once an intruder has a list of target hosts, he can use one of the Linux scanners to find their vulnerabilities: the TCP ports the server has open, the services it provides, the version of the server software, and the security holes in those services. For the system administrator, detecting and preventing such behaviour in time greatly reduces the number of intrusions. By the usual classification, vulnerability scanners come in two types: host vulnerability scanners (Host Scanner) and network vulnerability scanners (Network Scanner). A host vulnerability scanner runs locally on the system and detects its vulnerabilities; a network vulnerability scanner detects the vulnerabilities of a target network and its hosts remotely over the Internet. Below we introduce some typical software of each kind, with examples.

1. Host-based scanning software

(1) sXid

sXid is a system monitoring program; after downloading it, install it with "make install". It scans the system for SUID and SGID files and directories, which are favourite places for backdoors, and can mail the results to you. The default configuration file is /etc/sxid.conf; it is well commented and defines how sxid works, the log file, the number of cycles and so on. The log file defaults to /var/log/sxid.log. For security, once the parameters are set you may make sxid.conf immutable and use the chattr command to make sxid.log append-only. You can also run "sxid -k" at any time for an ad-hoc check; this mode is very flexible, as it neither writes the log nor sends mail. See Figure 1.

Figure 1

(2) LSAT

The Linux Security Auditing Tool (LSAT) is a local security scanner that finds insecure default configurations and generates a report. LSAT was written by Triode and is designed mainly for RPM-based Linux distributions. After downloading the software, compile it as follows:

cndes$ tar xzvf lsat-VERSION.tgz
cndes$ cd lsat-VERSION
cndes$ ./configure
cndes$ make

Then run it as root: root# ./lsat. By default it writes a report named lsat.out. You can also specify a few options:

-o filename   name of the generated report file
-v            verbose output
-s            print nothing to the screen, only generate the report
-r            run the RPM check to find files whose default content or permissions have changed

LSAT checks many things, chiefly: unused RPMs that are installed; inetd and xinetd and some system configuration files; SUID and SGID files; mode 777 files; processes and services; open ports; and so on. The usual way to use LSAT is to call it regularly from cron and then diff the current report against the previous one, which reveals changes to the system configuration. Here is a fragment of a test report:


This is a list of SUID files on the system:
/bin/ping
/bin/mount
/bin/umount
/bin/su
/sbin/pam_timestamp_check
/sbin/pwdb_chkpwd
/sbin/unix_chkpwd


This is a list of SGID files/directories on the system:
/root/sendmail.bak
/root/mta.bak
/sbin/netreport


List of normal files in /dev. MAKEDEV is ok, but there
should be no other files:
/dev/MAKEDEV
/dev/MAKEDEV.afa


This is a list of world writable files
/etc/cron.daily/backup.sh
/etc/cron.daily/update_CDV.sh
/etc/megamonitor/monitor
/root/e
/root/pl/outfile
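
The SUID/SGID and world-writable checks that sXid and LSAT perform, and the cron-plus-diff workflow described for LSAT, can be reproduced with a few lines of shell. The script below is an added example written for this page; it is not code from sXid, LSAT or the article, and the report paths in the usage comment are assumptions:

```shell
#!/bin/sh
# Added example, not part of the original article or of sXid/LSAT: a small
# permission audit in the same spirit. audit_perms writes the SUID, SGID and
# world-writable files under a directory into a report; report_changes diffs
# that report against the previous run, which is the cron-plus-diff workflow
# described for LSAT. All paths are the caller's choice (assumptions).

# audit_perms ROOT REPORT
#   Write three sorted lists into REPORT. -xdev keeps the walk on one
#   filesystem; errors from unreadable directories are discarded.
audit_perms() {
    root="$1"
    report="$2"
    {
        echo "== SUID files under $root"
        find "$root" -xdev -type f -perm -4000 2>/dev/null | sort
        echo "== SGID files and directories under $root"
        find "$root" -xdev \( -type f -o -type d \) -perm -2000 2>/dev/null | sort
        echo "== world-writable regular files under $root"
        find "$root" -xdev -type f -perm -0002 2>/dev/null | sort
    } > "$report"
}

# report_changes OLD NEW
#   Return 0 when the two reports are identical; otherwise print the lines
#   that appeared or disappeared and return 1, so a cron job can mail the drift.
report_changes() {
    old="$1"
    new="$2"
    if [ ! -f "$old" ]; then
        echo "no previous report, treating $new as the baseline"
        return 0
    fi
    if cmp -s "$old" "$new"; then
        return 0
    fi
    diff "$old" "$new" | grep '^[<>]'
    return 1
}

# count_suid ROOT
#   Number of SUID regular files under ROOT (useful for quick checks).
count_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# Typical use from cron (assumed paths): audit the whole system and compare
# with the previous run, then rotate the report.
#   audit_perms / /var/tmp/perm-audit.new
#   report_changes /var/tmp/perm-audit.old /var/tmp/perm-audit.new
#   mv /var/tmp/perm-audit.new /var/tmp/perm-audit.old
```

The non-zero return from report_changes is the useful part: cron mails any output, so a new SUID binary or a newly world-writable script shows up as a diff line in the administrator's mailbox rather than being buried in a full report.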

(3) GNU Tiger

This is scanning software that checks the security of the local machine; it descends from TAMU Tiger, a veteran scanner. Tiger checks: system configuration errors; insecure permission settings; world-writable files; SUID and SGID files; crontab entries; Sendmail and ftp settings; weak or empty passwords; and changes to system files. It can also expose various other weaknesses and produce a detailed report.

(4) Nabou

Nabou is a Perl program for monitoring changes to the system. It provides checks such as file integrity and user accounts, and stores all its data in a database. Users can also embed Perl code in the configuration file to define their own functions and run custom tests, which is very convenient in practice.

(5) COPS

COPS checks a Linux system for configuration errors and other security problems and reports on them. It examines: the permissions of files, directories and device files; the content, format and permissions of important system files; whether SUID files owned by root exist; CRC checksums of important system binaries, to see whether they have been modified; and the configuration of anonymous FTP, Sendmail and other network applications. Note that COPS is only a monitoring tool and does not repair anything itself. It works best in combination with other tools; its strength is finding potential vulnerabilities.

(6) strobe

Strobe is a TCP port scanner that records all the open ports of a specified machine and runs very fast. It was originally used to scan local networks for hosts leaking e-mail user information. Another important feature of strobe is that it quickly identifies which services the specified machine is running; the drawback is that this information is fairly limited.

(7) SATAN

SATAN can help system administrators detect security problems, and it can equally be used by network attackers to search for vulnerable systems. SATAN was designed as a security tool for systems and administrators, but because it is widely available, easy to use and able to scan remote networks, it may also be used, out of curiosity or otherwise, to locate weaknesses in hosts. SATAN contains a table of network security checks; it probes a particular system or subnet over the network and reports its findings. It can search for the following weaknesses:

NFS: exports to unprivileged programs or ports.
NIS: password file access.
Rexd: whether it is blocked by a firewall.
Sendmail: a variety of weaknesses.
ftp: ftp, wu-ftpd or tftp configuration issues.
Remote shell access: whether it is forbidden or hidden.
X Windows: whether the host provides unrestricted access.
Modem: unrestricted dial-up access via TCP.

(8) IdentTCPscan

IdentTCPscan is a more specialised scanner that runs on many platforms. It adds the ability to identify the owner of the process listening on a given TCP port, that is, to determine the process's UID. Being able to discover process UIDs lets it quickly spot misconfigurations. It runs very fast, is a favourite of intruders, and is a strong, sharp tool.

2. Network-based scanning tools

(1) Nmap

Nmap, the Network Mapper, is released under the Free Software Foundation's GNU General Public License (GPL). Its basic functions are: detecting which hosts in a group are online; scanning a host's ports and identifying the network services behind them; and determining the host's operating system. After downloading the software, run configure, make and make install; the nmap binary is then installed on your system and you can run nmap.

Nmap's syntax is simple but its functions are very powerful. For example, the ping scan is invoked with "-sP"; once the target hosts and network are known, you can scan them. If Nmap is run as root its features are further enhanced, because the superuser can create the custom packets Nmap needs. Scanning a single machine or a whole network with Nmap is easy: just give Nmap the destination address with a "/mask". Nmap also accepts various forms of network address, such as 192.168.100.*, which scans the hosts in the chosen subnet.

Ping scan. Intruders use Nmap to scan a whole network looking for targets. With "-sP", by default Nmap sends each scanned host an ICMP echo and a TCP ACK, and any host that answers either is picked up by Nmap. See Figure 2.

Figure 2

Nmap supports several kinds of port scan; a TCP connect scan uses "-sT", as shown in Figure 3:

Figure 3

Stealth scanning. If the attacker does not want the scan recorded in the target system's logs, a TCP SYN scan helps: with "-sS" Nmap sends SYN probes to the host or network. See Figure 4.

Figure 4

UDP scanning lets an attacker learn which UDP ports are open. Nmap sends a 0-byte UDP packet to each port; if the host returns an ICMP port unreachable, the port is closed. See Figure 5.

Figure 5

Operating system identification. With the "-O" option the remote OS type can be detected: Nmap sends the host several different kinds of probe and narrows down the range of possible operating systems. See Figure 6.

Figure 6

Ident scanning. Attackers like to look for machines where certain processes are vulnerable, such as a web server running as root. If the target machine runs identd, the attacker can use the "-I" option with a TCP connect scan to find out which user owns the http daemon. To scan a Linux web server, for example, use the following command:

nmap -sT -p 80 -I -O www.yourserver.com

Besides these scans, Nmap offers many other options. It is essential magic for many Linux attackers: with it one can understand a system well, laying a good foundation for the attack that follows.
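
From the defender's side, the connect, SYN and ping scans described above leave a trace even when the scanned daemon logs nothing, because a packet-filter LOG rule records each probe. The script below is an added example written for this page, not code from Nmap or the article; it runs over a handful of constructed netfilter-style log lines (documentation addresses, not a real capture) and reports any source that probed more than a threshold number of distinct ports:

```shell
#!/bin/sh
# Added example, not from the article or from Nmap: a defender's view of the
# scans described above. A SYN scan never completes the handshake, so the
# web or ssh daemon logs nothing, but a netfilter LOG rule on the INPUT chain
# records every probe. scan_sources reads such log lines and reports any
# source address that touched more than THRESHOLD distinct destination ports.
# The log lines below are constructed for this demonstration, not captured
# from a real host; the addresses are documentation ranges.

SAMPLE_LOG='Mar  1 00:00:01 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 00:00:01 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 00:00:01 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 00:00:02 srv kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  1 00:00:02 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 00:00:02 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 00:00:03 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40006 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 00:00:03 srv kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51235 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  1 00:00:03 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40007 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0'

# scan_sources LOGFILE THRESHOLD
#   Print "SRC distinct-port-count" for every source that probed more than
#   THRESHOLD distinct ports. Pass - as LOGFILE to read standard input.
scan_sources() {
    awk -v thr="$2" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (source, port) pair once, so repeated hits on one
            # port (a legitimate client retrying) do not inflate the score
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] > thr) print s, ports[s] }
    ' "$1" | sort
}

# Run on the constructed sample: only the source that walked six ports is
# reported; the client that hit port 80 twice is not.
printf '%s\n' "$SAMPLE_LOG" | scan_sources - 3
```

The threshold is deliberately a parameter. A port scan touches many ports on one host, while the ping sweep described above touches one or two ports on many hosts, so the same dedup-and-count can be turned around to group by destination address when hunting for sweeps.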

(2) p0f

p0f is very useful for network attacks. It uses SYN packets for passive operating system detection and can correctly identify the target system type. Unlike other scanning software it sends no data to the target at all; it only passively receives data from the target and analyses it. Its big advantage is therefore that it is almost impossible to detect. p0f is a dedicated system identification tool with a very detailed fingerprint database that is updated fairly quickly, and it is especially suited to installation on a gateway. After downloading the software, compile and install p0f with:

# tar zxvf p0f-1.8.2.tgz
# make && make install

p0f is very easy to use; the following commands make the system start p0f automatically at boot for system identification:

# cp p0f.init /etc/init.d/p0f
# chkconfig p0f on

Then analyse the p0f log periodically. For convenience, p0f ships a simple analysis script, p0frep, with which an attacker can easily find the addresses of remote hosts running a given class of system. p0f can also detect the presence of a firewall or masquerading, the distance to the remote system and its uptime, and the other side's network connection and ISP.

(3) ISS

ISS Internet Scanner is a top product in the global network security market. It detects, analyses and examines network security weaknesses thoroughly and autonomously, grades the risk as high, medium or low, and can generate a wide range of meaningful reports. The paid version of this software now offers more attacks, and it is moving steadily in a commercial direction.

(4) Nessus

Nessus is a powerful remote security scanner with strong reporting: it can produce security reports in HTML, XML, LaTeX and ASCII text, with a recommendation for each security problem. The software uses a client/server model: the server performs the security checks and the client configures and manages the server. The server also uses a plug-in architecture, so users can add plug-ins that perform specific functions and run faster, more complex security checks. Besides plug-ins, Nessus provides a scripting language for describing attack types, with which users can run additional security tests.

After downloading, unpacking and installing the software, confirm that /etc/ld.so.conf contains the path of the installed library files, /usr/local/lib. If not, add the path to this file and run ldconfig so that Nessus can find its libraries at run time. The Nessus configuration file is nessusd.conf in /usr/local/etc/nessus/; under normal circumstances changing it is not recommended. Note that you must create a nessusd account, which is used to log in to the scanner later. With this preparation done, start the server as root with the command nessusd -D.

On the client side the user specifies the machine running the Nessus service, the port scanner to use, the tests to run and the range of IP addresses to test. Nessus itself is multi-threaded, so the user can also set the number of threads that work simultaneously. In this way the user sets up the Nessus working configuration remotely. Once the settings are complete, clicking Start begins the scan. When the scan finishes a report is generated: the left window lists all scanned hosts, and clicking a host name lists in the right window the security vulnerabilities found on that host. Clicking the small icon beside a vulnerability shows the problem class, its cause and its solution.

(5) Nikto

Nikto is scanning software that tests web servers for a large number of security items: it can scan over 200 kinds of server for more than 2000 potentially dangerous files, CGIs and other problems. It also uses the Whisker library, but is usually updated more often than Whisker.

(6) Whisker

Whisker is a very good HTTP server vulnerability scanner. It scans for a large number of known security holes, especially some dangerous CGI vulnerabilities, and its library is written in Perl, so it can be used to build your own HTTP scanner.

(7) Xprobe

Xprobe is an active operating system fingerprinting tool that determines the operating system type of a remote host. Xprobe relies on a signature database, fuzzy matching and reasonable guesses to determine the remote OS type; its distinctive feature is operating system fingerprinting over the ICMP protocol. When used, it assumes a port that is not in use and sends a UDP packet to that high port on the target host; the target responds with an ICMP packet, after which Xprobe sends further packets to distinguish the target's system. With this software, determining the other side's operating system is very easy.