
Using Ubuntu as Your Primary Operating System, Part 2 (Network Attack Defense) « Null Byte :: WonderHowTo



After installing Ubuntu as your primary operating system in Part One, you should already be protected against USB Rubber Ducky payloads, defended against disk forensics, and have reduced the attack surface for physical attacks. Defending against network-based attacks means minimizing hardware disclosure, preventing packet sniffing, tightening firewall rules, and more.

Specifically, in this part of the mini-series on hardening your primary Ubuntu installation, you will learn to spoof your MAC address to throw off passive attackers, disable unused network services such as CUPS and Avahi, write firewall rules that block traffic on specific ports, and use a VPN to stop attackers on the local network from sniffing passwords and cookies out of your packets.

If you missed the previous article, visit Part One to learn more about my motivation for starting this four-part guide, even if you already have Ubuntu installed and just want to lock it down.

Step 1: Prevent Hardware Enumeration

When connecting to new Wi-Fi networks and routers, spoof the MAC address of your wireless adapter. This does not stop a motivated attacker from working out which operating system you are running (TCP/IP stack fingerprinting and the hostname in your DHCP requests still give it away), but it muddies the picture and keeps your real hardware out of their notes. The first three bytes of a MAC address are the vendor prefix (OUI), so choose an address whose prefix belongs to the vendor you want to resemble.

For example, a hacker on a coffee-shop Wi-Fi network might focus their attacks on non-Apple devices. If you show up on the network with an Apple MAC address, the attacker may ignore your device entirely, or waste a macOS-specific attack on a machine that is not a MacBook and only looks like Apple hardware on the network. Combined with a spoofed browser user agent, this can really confuse a passive adversary.

To spoof your MAC address in Ubuntu, open Network Manager, "Edit" your Wi-Fi connection, and on the Identity tab enter the address you want to use in the Cloned Address field.
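As an added example (not part of the original article), here is the same change from the command line: a small POSIX shell script that generates a random address under a vendor prefix of your choosing, checks that it is a well-formed unicast MAC before you hand it to NetworkManager, and prints the nmcli equivalent of the Cloned Address field. The prefix AC:BC:32 is assumed here to be an Apple OUI and the connection name is made up; check the prefix against the IEEE OUI registry and substitute your own connection name (nmcli connection show lists them).

```shell
#!/bin/sh
# Added example, not from the original article: spoof a MAC from the CLI.
# ASSUMPTIONS: AC:BC:32 is taken to be an Apple-registered OUI (verify against
# the IEEE registry); the connection name "CoffeeShopWiFi" is made up.

# valid_mac MAC -> exit 0 if MAC is six colon-separated hex octets and the
# first octet's I/G bit is clear (a unicast address). The kernel rejects
# multicast or malformed addresses, so NetworkManager would fail to apply them.
valid_mac() {
  printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
  first_octet=$(printf '%d' "0x${1%%:*}")
  [ $(( first_octet & 1 )) -eq 0 ]
}

# random_mac_with_oui OUI -> OUI (lower-cased) plus three random octets.
random_mac_with_oui() {
  oui=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  printf '%s\n' "$oui" | grep -Eq '^([0-9a-f]{2}:){2}[0-9a-f]{2}$' \
    || { echo "bad OUI: $1" >&2; return 1; }
  nic=$(od -An -N3 -tx1 /dev/urandom | tr -d ' \n' \
        | sed 's/\(..\)\(..\)\(..\)/\1:\2:\3/')
  printf '%s:%s\n' "$oui" "$nic"
}

# nmcli_clone_cmd CONNECTION MAC -> the nmcli command equivalent to typing MAC
# into the GUI's "Cloned Address" field (802-11-wireless.cloned-mac-address).
# Printed rather than executed so you can review it first.
nmcli_clone_cmd() {
  valid_mac "$2" || { echo "refusing invalid MAC: $2" >&2; return 1; }
  printf "nmcli connection modify '%s' 802-11-wireless.cloned-mac-address %s\n" "$1" "$2"
}

# Demo: new address under the Apple-looking prefix, then the command to apply it.
mac=$(random_mac_with_oui 'AC:BC:32')
nmcli_clone_cmd 'CoffeeShopWiFi' "$mac"
```

NetworkManager 1.4 and later can also randomize for you: setting wifi.cloned-mac-address to random gives a fresh address on every connection and stable a fixed but different address per network. Those generated addresses carry the locally-administered bit, which is itself a tell to anyone looking, which is why the script above picks a real vendor prefix instead.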

Step 2: Protecting Against Abuse of Listening Services

A background process (or service) in the LISTEN state is waiting for other applications, on the device or out on the network, to connect to it. These listening services sit idle until data arrives and triggers a response. Any service bound to the local address 0.0.0.0 (or :: for IPv6) and in the LISTEN state accepts connections on every interface, so it is reachable by anyone on the local network and, if the machine is directly exposed, by anyone on the Internet. A service bound to 127.0.0.1 or ::1 can only be reached from the machine itself.

A fresh Ubuntu installation ships only a handful of services, so there are no alarming listening ports to worry about by default. Keep an eye on the applications you install later, though: they can open listening ports without telling you.

To track which background processes are listening, we use netstat, a tool that prints network connections, open ports and the programs behind them. Because Part One used the minimal Ubuntu installation, the net-tools package (which includes netstat) has to be installed by hand with sudo apt-get install net-tools. If you would rather not install anything, the iproute2 command ss -tulnp, which is always present, prints the same information.

  sudo apt-get install net-tools

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  net-tools
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 194 kB of archives.
After this operation, 803 kB of additional disk space will be used.
Selecting previously unselected package net-tools.
(Reading database ... 149085 files and directories currently installed.)
Preparing to unpack .../net-tools_1.60+git20161116.90da8a0-1ubuntu1_amd64.deb ...
Unpacking net-tools (1.60+git20161116.90da8a0-1ubuntu1) ...
Processing triggers for man-db (2.8.3-2) ...
Setting up net-tools (1.60+git20161116.90da8a0-1ubuntu1) ...

Use the following netstat command to list services in the LISTEN state (-n numeric addresses, -t TCP, -p show the PID and program, -u UDP, -l listening sockets only).

  sudo netstat -ntpul

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      651/systemd-resolve
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      806/cupsd
tcp6       0      0 ::1:631                 :::*                    LISTEN      806/cupsd
udp    47616      0 127.0.0.53:53           0.0.0.0:*                           651/systemd-resolve
udp        0      0 0.0.0.0:631             0.0.0.0:*                           812/cups-browsed
udp     2304      0 0.0.0.0:5353            0.0.0.0:*                           750/avahi-daemon: r
udp        0      0 0.0.0.0:38284           0.0.0.0:*                           750/avahi-daemon: r
udp6       0      0 :::37278                :::*                                750/avahi-daemon: r
udp6   25344      0 :::5353                 :::*                                750/avahi-daemon: r

systemd-resolve (systemd-resolved) is the stub resolver Ubuntu uses to resolve domain names; it listens only on the loopback address 127.0.0.53, so it should be left alone. cupsd and avahi-daemon, on the other hand, are the ones bound to 0.0.0.0 and ::, and they are covered in the next two steps.
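As an added example (not from the article), here is a shell helper that classifies each line of that netstat listing by where it is reachable from, so the wildcard-bound sockets jump out. The input is the listing above, embedded as constructed sample data; on a live system you would pipe sudo netstat -ntpul into it instead. The column layout assumed is netstat's; ss -tulnp orders its columns differently, so adjust the field numbers if you feed it that.

```shell
#!/bin/sh
# Added example (not from the article): classify the sockets in
# `sudo netstat -ntpul` output as loopback-only or reachable from the network.
# The sample below is constructed from the listing shown above; on a live
# system run:  sudo netstat -ntpul | audit_listeners

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      651/systemd-resolve
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      806/cupsd
tcp6       0      0 ::1:631                 :::*                    LISTEN      806/cupsd
udp    47616      0 127.0.0.53:53           0.0.0.0:*                           651/systemd-resolve
udp        0      0 0.0.0.0:631             0.0.0.0:*                           812/cups-browsed
udp     2304      0 0.0.0.0:5353            0.0.0.0:*                           750/avahi-daemon: r
udp        0      0 0.0.0.0:38284           0.0.0.0:*                           750/avahi-daemon: r
udp6       0      0 :::37278                :::*                                750/avahi-daemon: r
udp6   25344      0 :::5353                 :::*                                750/avahi-daemon: r'

# audit_listeners: stdin = netstat -ntpul output; stdout = one line per socket:
#   EXPOSED|LOOPBACK|BOUND  proto  host  port  pid/program
# EXPOSED means the wildcard address (0.0.0.0 or ::), i.e. every interface,
# including the coffee-shop Wi-Fi. BOUND means a specific non-loopback address.
audit_listeners() {
  awk '
    $1 !~ /^(tcp|udp)6?$/ { next }           # skip the two header lines
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }   # only listening TCP sockets
    {
      n = split($4, p, ":")
      port = p[n]
      host = substr($4, 1, length($4) - length(port) - 1)   # strip ":port"
      prog = "-"
      if (match($0, /[0-9]+\/[^ ].*$/)) prog = substr($0, RSTART)
      if (host == "0.0.0.0" || host == "::" || host == "*") kind = "EXPOSED"
      else if (host ~ /^127\./ || host == "::1")            kind = "LOOPBACK"
      else                                                  kind = "BOUND"
      print kind, $1, host, port, prog
    }'
}

# exposed_count: how many sockets in the sample listing face the network.
exposed_count() {
  printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners | grep -c '^EXPOSED'
}

printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners
```

Run against the listing above it reports five EXPOSED sockets, all belonging to cups-browsed and avahi-daemon, and four LOOPBACK ones (systemd-resolved and cupsd), which is exactly the split the next two steps act on.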

Disabling or Removing CUPS

cupsd is the scheduler for CUPS, the service applications use as their interface to printers. Several Nmap NSE scripts will pull information out of a CUPS service, although on its own it presents a very low security risk. If you rarely print, cups-browsed, the printer-discovery daemon bound to 0.0.0.0:631 in the listing above, can be disabled with sudo systemctl disable cups-browsed. The change takes effect after a reboot (add --now to stop it immediately). cupsd itself only listens on loopback; if you want it stopped as well, disable cups.service together with cups.socket (and cups.path, if present), otherwise socket activation will bring it back on the next print request.

  sudo systemctl disable cups-browsed

Synchronizing state of cups-browsed.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable cups-browsed

If you never use a printer, CUPS and the printer drivers that depend on it can be removed completely with sudo apt-get autoremove cups-daemon (add --purge to drop the configuration files as well).

  sudo apt-get autoremove cups-daemon

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  bluez-cups (5.48-0ubuntu3)
  cups (2.2.7-1ubuntu2)
  cups-browsed (1.20.2-0ubuntu3)
  cups-core-drivers (2.2.7-1ubuntu2)
  cups-daemon (2.2.7-1ubuntu2)
  hplip (3.17.10+repack0-5)
  printer-driver-gutenprint (5.2.13-2)
  printer-driver-hpcups (3.17.10+repack0-5)
  printer-driver-postscript-hp (3.17.10+repack0-5)
  printer-driver-splix (2.0.0+svn315-6fakesync1)
0 upgraded, 0 newly installed, 10 to remove and 0 not upgraded.
After this operation, 8,383 kB disk space will be freed.
Do you want to continue? [Y/n] y

Disabling or Removing Avahi

Avahi is a free implementation of Zeroconf service discovery, the same mDNS/DNS-SD protocols Apple ships as Bonjour (formerly Rendezvous). The daemon announces the machine's local IP addresses and static services over multicast DNS, which is why it shows up bound to 0.0.0.0:5353 and :::5353 in the listing above.

In 2011, a denial-of-service vulnerability was discovered in the Avahi daemon. Although that CVE is old and of minor severity, it illustrates how an attacker on the local network can probe a discovery protocol for holes and interfere with a service running on a victim's device.

If you do not need to discover Apple products, printers or other devices' services on the local network, Avahi can be disabled with sudo systemctl disable avahi-daemon (again, --now stops it immediately).

  sudo systemctl disable avahi-daemon

Synchronizing state of avahi-daemon.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable avahi-daemon
Removed /etc/systemd/system/dbus-org.freedesktop.Avahi.service.
Removed /etc/systemd/system/sockets.target.wants/avahi-daemon.socket.

Avahi can also be removed completely with sudo apt-get purge avahi-daemon. Note that this takes libnss-mdns with it, so .local hostnames will no longer resolve.

  sudo apt-get purge avahi-daemon

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  avahi-daemon* (0.7-3.1ubuntu1)
  avahi-utils* (0.7-3.1ubuntu1)
  libnss-mdns* (0.10-8ubuntu1)
0 upgraded, 0 newly installed, 3 to remove and 0 not upgraded.
After this operation, 541 kB disk space will be freed.
Do you want to continue? [Y/n] y

Step 3: Defend Against Port Abuse

An amateur hacker might try to exfiltrate data over port 1337 or spawn a reverse shell on port 4444 (literally listed on Wikipedia as Metasploit's default port). A firewall that only allows outbound traffic to a handful of ports stops that kind of script kiddie cold. Bear in mind that it is only a speed bump for a competent attacker, who will simply tunnel out over 443 or 53 like everyone else; the lasting value is that every unexpected outbound connection now shows up in the firewall log.

To manage which ports are allowed, we use UFW, a program that provides a friendly interface for configuring the firewall. UFW literally stands for Uncomplicated FireWall. It acts as a front end to iptables (the kernel packet filter) and is not meant to expose every firewall feature, just an easy way to add or remove simple rules.

1. Reject All Inbound and Outbound Connections

Enable UFW with the sudo ufw enable command.

  sudo ufw enable

Firewall is active and enabled on system startup

Reject all incoming connections with the following command. (reject answers the sender with an ICMP error or TCP reset, which confirms that a host is there; deny drops the packet silently, which is usually the better choice on a hostile network.)

  sudo ufw default reject incoming

Next, deny all routed (forwarded) traffic:

  sudo ufw default deny routed

And then deny all outgoing connections:

  sudo ufw default deny outgoing

At this point Firefox and every other application are cut off from the Internet; the next steps allow outbound traffic back one port at a time.

2. Find Your Wireless Interface

To allow outgoing connections on one interface only, you first need the name of your wireless adapter. ifconfig -a (from net-tools) prints it, and so does ip link, which is always installed.

  ifconfig -a

enp0s8: flags=4163  mtu 1500
        inet 192.168.1.44  netmask 255.255.255.0  broadcast 192.168.1.255
        ether e8:e1:e8:c2:bc:b9  txqueuelen 1000  (Ethernet)
        RX packets 631  bytes 478024 (478.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 594  bytes 60517 (60.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  base 0xd040

lo: flags=73  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 259  bytes 17210 (17.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 259  bytes 17210 (17.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I am using Ubuntu in VirtualBox for this demo, so my interface is named "enp0s8" and shows up as Ethernet. On a laptop your wireless interface will appear as "wlp3s0," "wlp42s0," or something similar; substitute that name for enp0s8 in the commands below.

3. Create Firewall Exceptions and Configure a Secure DNS Resolver

Allow DNS, HTTP and HTTPS traffic out over the wireless interface with the following three commands (replace enp0s8 with your own interface name; put --dry-run right after ufw to preview a rule without applying it).

  sudo ufw allow out on enp0s8 to 1.1.1.1 port 53 proto udp comment 'allow DNS on enp0s8'
  sudo ufw allow out on enp0s8 to any port 80 proto tcp comment 'allow HTTP on enp0s8'
  sudo ufw allow out on enp0s8 to any port 443 proto tcp comment 'allow HTTPS on enp0s8'

The "1.1.1.1" address in the DNS rule is Cloudflare's privacy-oriented public resolver. Many people do not realize that even when a site is served over HTTPS (the small lock in the URL bar), the ISP can still see every domain name you look up, because DNS queries go out in plaintext. Pointing your queries at Cloudflare instead of the ISP's resolver stops the ISP from logging them on its own servers, but a plain UDP query to 1.1.1.1 still crosses the ISP's wires in the clear (as does the server name in the TLS handshake), so the ISP can still read it if it bothers to look. To actually hide the queries you need DNS over TLS (port 853) or DNS over HTTPS (port 443), both of which Cloudflare supports, and the rule above would then have to allow that port instead of 53. Large responses also fall back to TCP, so add a matching 53/tcp rule if you notice lookups retrying.

4. Update Network Manager's DNS Configuration

After setting the UFW rules, open Network Manager, "Edit" your Wi-Fi connection, and set the DNS field to 1.1.1.1, switching the "Automatic" DNS toggle off so that the resolver handed out by DHCP (which the firewall rule above would block) is no longer used. Disconnect and reconnect to the Wi-Fi network for the DNS change to take effect.

View the newly created rules with the sudo ufw status numbered command.

  sudo ufw status numbered

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 1.1.1.1 53/udp             ALLOW OUT   Anywhere on enp0s8 (out)   # allow DNS on enp0s8
[ 2] 443/tcp                    ALLOW OUT   Anywhere on enp0s8 (out)   # allow HTTPS on enp0s8
[ 3] 80/tcp                     ALLOW OUT   Anywhere on enp0s8 (out)   # allow HTTP on enp0s8

Ubuntu can now make standard HTTP/HTTPS requests on ports 80 and 443 over the interface you specified, and nothing else. If these rules are too strict for daily use, allow all outbound traffic again with the following command:

  sudo ufw default allow outgoing 

5. Monitoring the Firewall

If you are trying to debug inbound or outbound connections, follow the UFW log in real time with tail -f (sudo because the log is readable only by root and the adm group). Blocked packets are logged at the default "low" level; if the file stays empty, check sudo ufw logging on.

  sudo tail -f /var/log/ufw.log

kernel: [ 3900.250931] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.19.59 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47090 DF PROTO=TCP SPT=35944 DPT=9999 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: [ 3901.280089] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.19.59 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47091 DF PROTO=TCP SPT=35944 DPT=9999 WINDOW=29200 RES=0x00 SYN URGP=0

In the lines above, UFW is blocking an outgoing connection (OUT=enp0s8, with IN= empty) from my local IP address (192.168.1.44) to the Null Byte server (104.193.19.59) over TCP to destination port (DPT) 9999. That it shows up here at all is the point: a reverse shell dialling home would produce the same kind of line. If the connection is legitimate, a rule for that single flow fixes it:

  sudo ufw allow out on enp0s8 from 192.168.1.44 to 104.193.19.59 port 9999 proto tcp

For more information about UFW, see its manual page:

  man ufw

For firewalling at a more granular level, look at the Arch Linux wiki page on iptables.
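As an added example, not from the article, the shell snippet below does the reading of those log lines for you: it tallies [UFW BLOCK] entries by direction, interface, peer and port, so a reverse-shell beacon retrying every second stands out as one line with a high hit count instead of a scrolling wall, and it prints the matching ufw allow command for outbound flows you decide are legitimate. The sample log lines are constructed for the example (the first two mirror the ones above; the NTP and inbound SSH lines are made up), and the hosts and ports are illustrative.

```shell
#!/bin/sh
# Added example (not from the article): summarise UFW block log lines and
# turn the ones you approve into ufw rules. The sample log is constructed:
# lines 1-2 mirror the article's, lines 3-4 are made up (NTP out, SSH in).
SAMPLE_LOG='Jun  1 12:00:01 nullbyte kernel: [ 3900.250931] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.19.59 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47090 DF PROTO=TCP SPT=35944 DPT=9999 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  1 12:00:02 nullbyte kernel: [ 3901.280089] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=104.193.19.59 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47091 DF PROTO=TCP SPT=35944 DPT=9999 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  1 12:00:03 nullbyte kernel: [ 3902.100000] [UFW BLOCK] IN= OUT=enp0s8 SRC=192.168.1.44 DST=192.168.1.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=12 DF PROTO=UDP SPT=48213 DPT=123 LEN=56
Jun  1 12:00:04 nullbyte kernel: [ 3903.500000] [UFW BLOCK] IN=enp0s8 OUT= MAC=08:00:27:aa:bb:cc:e8:e1:e8:c2:bc:b9:08:00 SRC=192.168.1.77 DST=192.168.1.44 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# summarize_blocked: stdin = ufw.log lines; stdout = one line per distinct
# (direction, interface, peer, proto, dport), most hits first:
#   COUNT out|in IFACE PEER PROTO DPORT
# Outbound lines are keyed on DST (where we tried to go), inbound on SRC.
summarize_blocked() {
  grep '\[UFW BLOCK\]' | awk '
    {
      in_if = ""; out_if = ""; src = ""; dst = ""; proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")                 # tokens like DPT=9999; "DF" has no "="
        if (kv[1] == "IN")    in_if = kv[2]
        if (kv[1] == "OUT")   out_if = kv[2]
        if (kv[1] == "SRC")   src = kv[2]
        if (kv[1] == "DST")   dst = kv[2]
        if (kv[1] == "PROTO") proto = tolower(kv[2])
        if (kv[1] == "DPT")   dpt = kv[2]
      }
      if (out_if != "") key = "out " out_if " " dst " " proto " " dpt
      else              key = "in " in_if " " src " " proto " " dpt
      count[key]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# allow_rule DIR IFACE PEER PROTO DPORT -> the ufw command that would permit
# that one outbound flow; inbound blocks only get a warning comment, because
# opening an inbound port means running a service on the hostile network.
allow_rule() {
  if [ "$1" = "out" ]; then
    printf 'sudo ufw allow out on %s to %s port %s proto %s\n' "$2" "$3" "$5" "$4"
  else
    printf '# inbound %s/%s from %s on %s was blocked; leave it closed unless you run that service\n' "$5" "$4" "$3" "$2"
  fi
}

# suggest_rules: summary plus the candidate command for each line (review,
# then paste only the ones you actually want).
suggest_rules() {
  summarize_blocked | while read -r count dir iface peer proto dport; do
    printf '%s hits: ' "$count"
    allow_rule "$dir" "$iface" "$peer" "$proto" "$dport"
  done
}

printf '%s\n' "$SAMPLE_LOG" | suggest_rules
# On a live system:  sudo cat /var/log/ufw.log | suggest_rules
```

Sorting by hit count first is deliberate: a legitimate application you forgot to allow fails once or twice and stops, while an implant with a retry loop keeps hammering the same destination and port, which is precisely the line you want at the top.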

Step 4: Defend Against Packet Sniffers & Cookie Hijacking

Packet sniffing and manipulation on hostile networks can be mitigated with a Virtual Private Network (VPN). A VPN tunnels all of your traffic, encrypted, to the provider's exit server, which:

  • Prevents attackers on the Wi-Fi network from reading or tampering with your traffic.
  • Prevents Internet service providers such as Verizon and AT&T from watching your activity and selling the data to third parties.
  • Lets you get around censorship when an ISP or network firewall blocks particular websites.

It does not make you anonymous: the VPN provider now sees everything the ISP used to, so pick one you trust, and combine it with the UFW rules above (allow outbound traffic only to the VPN server on the physical interface and anything on the tunnel interface) so nothing leaks if the tunnel drops.

Most premium VPN services start at about $5 a month. Some notable providers are ProtonVPN, Mullvad, VyprVPN and Private Internet Access.

Image via ProtonVPN

Next Up: Application Hardening & Sandboxing

That covers your footprint and resilience on hostile networks. In the next article we will look at sandboxing applications and securing the system in case a malicious program does get to run on the device. After that, we will cover auditing, antivirus software and monitoring system logs.

Part 3: Using Ubuntu as Your Primary Operating System (Application Hardening & Sandboxing)

Cover image (original) by Tinh tế Photo/flickr; screenshots by tokyoneon/Null Byte (unless otherwise noted)