
(Ubuntu: Lesson 13)

{ Installing and Testing denyhosts and brutessh.py }


Section 0. Background Information
  1. What is denyhosts
    • DenyHosts is a log-based intrusion prevention security tool for SSH servers written in Python. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
    • http://denyhosts.sourceforge.net/
     
  2. What is brutessh.py
    • Brutessh is a program that uses the paramiko SSH library to launch brute-force password attacks against the sshd service. The tool is multithreaded and uses a dictionary of passwords.

  3. Prerequisite
  4. Lab Notes
    • In this lab we will do the following:
      1. We will install denyhosts on Ubuntu.
      2. We will install brutessh.py on BackTrack.
      3. We will use brutessh on BackTrack to attack Ubuntu.

  5. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2012 No content replication of any kind is allowed without express written permission.

 

Section 1: Start Ubuntu 12.04
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Start --> Programs --> VMware Player

     

  2. Verify Virtual Machine Settings.
    • Instructions
      1. Click on Ubuntu 12.04
      2. Click on Edit virtual machine settings

     

  3. Configure Network Adapter
    • Instructions
      1. Click on Network Adapter
      2. Click on the Bridged Radio Button
      3. Click on the Close Button

     

  4. Start the Ubuntu 12.04 VM
    • Instructions
      1. Click on Ubuntu 12.04
      2. Click on Play virtual machine

 

Section 2: Login to Ubuntu
  1. Change to Gnome Classic
    • Instructions:
      1. Click on the Circle

     

  2. Select Gnome Classic
    • Instructions:
      1. Double Click on GNOME Classic

     

  3. Login to Server
    • Instructions
      1. User: Student
      2. Password: Please supply the student password.

 

Section 3: Become Root and Verify Network Connection
  1. Start up a Terminal
    • Instructions
      1. Click on the Terminal

     

  2. Become Root
    • Instructions
      1. sudo su -
      2. Supply the student password.

     

  3. Verify you have a network connection
    • Instructions
      1. ifconfig -a
        • eth0 is the name of my interface.
        • 192.168.1.104 is my network IP address.
    • Note(FYI):
      • If you do not have a DHCP IP address, try the following:
        • dhclient
          • OR
        • /etc/init.d/networking restart

 

Section 3: Update apt-get's package index
  1. Update apt-get's package index
    • Instructions
      1. apt-get update
    • Note(FYI):
      • update is used to resynchronize the package index files from their sources. I.e., the "update" command refreshes apt-get's local database with the Debian server's pkglist files. The indexes of available packages are fetched from the location(s) specified in /etc/apt/sources.list.

 

Section 4: Search for denyhosts
  1. Search for denyhosts
    • Instructions
      1. apt-cache search denyhosts
    • Note(FYI):
      • apt-cache is a command to query and manipulate the Ubuntu package cache.

     

Section 5: Install denyhosts
  1. Install denyhosts
    • Instructions
      1. apt-get install denyhosts

     

  2. Verify that denyhosts is installed and is running
    • Instructions
      1. ps -eaf | grep -v grep | grep denyhosts
        • ps -eaf, show all processes.
        • grep -v grep, filter out the grep process.
        • grep denyhosts, show only the denyhosts process.

     

  3. View host files
    • Instructions
      1. cd /etc
      2. ls -l *hosts.*
    • Note(FYI):
      1. denyhosts.conf
        • This is the denyhosts configuration file.
      2. hosts.allow
        • If you add a host to this file, beware that all other hosts not in this file will be denied access.
      3. hosts.deny
        • If a host is included in this file, then it will be denied access.

 

Section 6: Startup Script for denyhosts
  1. Startup Script for denyhosts
    • Instructions
      1. ls -l /etc/init.d/denyhosts
        • As part of the denyhosts installation, the denyhosts startup script is placed in /etc/init.d/denyhosts.
      2. find /etc/rc*.d/* -print | xargs ls -l | grep denyhosts
        • Identifies start up and kill scripts for denyhosts.
      3. runlevel
        • Identifies the current run level.
          • 0 System Halt
          • 1 Single user
          • 2 Full multi-user mode (Default)
          • 3-5 Same as 2
          • 6 System Reboot

     

  2. Stopping and Starting denyhosts with /etc/init.d/denyhosts
    • Instructions
      1. cd /etc/init.d
      2. ./denyhosts stop
      3. ps -eaf | grep -v grep | grep denyhosts
        • Notice that no lines are returned, because denyhosts is not running.
      4. ./denyhosts start
      5. ps -eaf | grep -v grep | grep denyhosts
        • Now one line is returned, because denyhosts is running.

     

  3. Stopping and Starting denyhosts with the "service" command
    • Instructions
      1. service denyhosts status
        • This will show if denyhosts is running or not.
      2. ps -eaf | grep -v grep | grep denyhosts
        • This will show the denyhosts process.
      3. service denyhosts stop
        • This command will stop the denyhosts daemon.
      4. ps -eaf | grep -v grep | grep denyhosts
        • This will show there is NO denyhosts process running.
      5. service denyhosts start
        • This will start the denyhosts daemon/service.
      6. ps -eaf | grep -v grep | grep denyhosts
        • This will show the denyhosts process.

     

Section 7: Configure BackTrack Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Start --> Programs --> VMware Player

     

  2. Edit BackTrack Virtual Machine Settings
    • Instructions:
      1. Highlight BackTrack5R1
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Do not Click on the OK Button.

 

Section 8: Login to BackTrack
  1. Start BackTrack VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select BackTrack5R1
      3. Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up the GNOME
    • Instructions:
      1. Type startx

 

Section 9: Open Console Terminal and Retrieve IP Address
  1. Open a console terminal
    • Instructions:
      1. Click on the console terminal

     

  2. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • As indicated below, my IP address is 192.168.1.105.
      • Please record your IP address.

 

Section 10: Test SSH Between BackTrack and Ubuntu
  1. Test SSH from Backtrack to Ubuntu
    • Note(FYI):
      • Issue the below commands from the BackTrack Terminal.
    • Instructions:
      1. ssh student@192.168.1.104 "uptime"
        • If you do not have a student account on Ubuntu, replace it with the system account you created in Lab 1.
        • Replace 192.168.1.104 with Ubuntu's IP address you obtained in (Section 3, Step 3).
      2. connecting (yes/no)? yes
      3. Provide Password

     

  2. Check Ubuntu's auth.log
    • Note(FYI):
      • Issue the below commands from the Ubuntu Terminal.
    • Instructions:
      1. grep "Accepted password" /var/log/auth.log | grep "192.168.1.105"
        • Replace 192.168.1.105 with BackTrack's IP Address obtained in (Section 9, Step 2).

 

Section 11: Install and run BruteSSH.py against Ubuntu
  1. Search for BruteSSH.py
    • Note(FYI):
      • Issue the below commands from the BackTrack Terminal.
    • Instructions:
      1. cd /pentest/passwords/
        • In BackTrack, the password cracking programs are typically located in this directory.
      2. ls -l
      3. ls -l | grep -i brute
        • Our search for "brute" returns no results.

     

  2. Start Firefox
    • Instructions:
      1. Applications --> Internet --> Firefox Web Browser

     

  3. Download brutessh
    • Instructions:
      1. Place the below URL in the address box and Press Enter
        • http://www.computersecuritystudent.com/UNIX/UBUNTU/1204/lesson13/brutessh-0.5.tar.bz2
      2. Click the Save File radio button
      3. Click OK

     

  4. Save to /pentest/passwords
    • Instructions:
      1. Click on Browse for other folders
      2. Click on File System
      3. Navigate to /pentest/passwords
      4. Click Save

     

  5. Unzip brutessh-0.5.tar.bz2
    • Instructions:
      1. cd /pentest/passwords/
      2. ls -l brutessh-0.5.tar.bz2
      3. bunzip2 brutessh-0.5.tar.bz2
      4. ls -l brutessh-0.5.tar
      5. tar xovf brutessh-0.5.tar

     

  6. BruteSSH House Cleaning
    • Instructions:
      1. cd /pentest/passwords/
      2. rm brutessh-0.5.tar
        • We no longer need the tar file.
      3. cd brutessh/
      4. ls -la
      5. cat /pentest/passwords/john/password.lst | grep -v "^#" | head -50 > password.txt
        • I grabbed the first 50 passwords from John the Ripper to create enough future brute force ssh traffic for denyhosts to block.

     

  7. Using BruteSSH
    • Instructions:
      1. python brutessh.py -help
        • The -help flag produced the usage options.

     

  8. Using BruteSSH Against DenyHosts
    • Instructions:
      1. python brutessh.py -h 192.168.1.104 -u root -d password.txt
        • 192.168.1.104 is the IP address of the victim Ubuntu machine in my case. Refer to (Section 3, Step 3) to obtain Ubuntu's IP address.

 

Section 12: Testing Blocked SSH Traffic from BackTrack to Ubuntu
  1. Testing Blocked SSH Connection
    • Instructions:
      1. ssh student@192.168.1.104
        • If you do not have a student account on Ubuntu, replace it with the system account you created in Lab 1.
        • Replace 192.168.1.104 with Ubuntu's IP address you obtained in (Section 3, Step 3).
        • Note: DenyHosts on the Ubuntu server is now blocking the ssh protocol from connecting to port 22.
      2. telnet 192.168.1.104 22
        • Here I am testing whether the IP address is really blocked or whether only SSH traffic is blocked.
        • Note: Although BackTrack's SSH logins are now blocked, it is still possible to make a TCP connection to port 22.

 

Section 13: Proof of Lab && Analyzing Ubuntu Deny Host Logs
  1. Analyzing Ubuntu Deny Host Logs
    • Note(FYI):
      • Make sure you are on the Ubuntu Server.
      • You will be analyzing Ubuntu log files.
    • Instructions:
      1. grep sshd /etc/hosts.deny
        • The hosts.deny file contains all the hosts (IP addresses) that have been blocked by the denyhosts daemon.
      2. grep -i "Failed password" /var/log/auth.log | grep "192.168.1.105"
        • Replace 192.168.1.105 with BackTrack's IP Address obtained in (Section 9, Step 2).
      3. date
      4. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle

     

Section 14: Unblock BackTrack
  1. Stop rsyslog and denyhosts
    • Note(FYI):
      • Make sure you are on the Ubuntu Server.
    • Instructions:
      1. fuser /var/log/auth.log
      2. service rsyslog stop
      3. service denyhosts stop

     

  2. Scrub the hosts.deny file
    • Instructions:
      1. cd /etc
      2. grep -v "192.168.1.105" hosts.deny > hosts.deny.new
        • Replace 192.168.1.105 with BackTrack's IP Address obtained in (Section 9, Step 2).
      3. grep "192.168.1.105" hosts.deny.new | wc -l
        • Replace 192.168.1.105 with BackTrack's IP Address obtained in (Section 9, Step 2).
      4. mv hosts.deny hosts.deny.old
      5. mv hosts.deny.new hosts.deny

     

  3. Scrub the auth.log file
    • Instructions:
      1. cd /var/log/
      2. grep -v "192.168.1.105" auth.log > auth.log.new
        • Replace 192.168.1.105 with BackTrack's IP Address obtained in (Section 9, Step 2).
      3. grep "192.168.1.105" auth.log.new | wc -l
        • Replace 192.168.1.105 with BackTrack's IP Address obtained in (Section 9, Step 2).
      4. mv auth.log auth.log.old
      5. mv auth.log.new auth.log

     

  4. Scrub the denyhosts file
    • Instructions:
      1. cd /var/log/
      2. grep -v "192.168.1.105" denyhosts > denyhosts.new
        • Replace 192.168.1.105 with BackTrack's IP Address obtained in (Section 9, Step 2).
      3. mv denyhosts denyhosts.old
      4. mv denyhosts.new denyhosts

     

  5. Start rsyslog and denyhosts
    • Instructions:
      1. service rsyslog start
      2. service denyhosts start

     

  6. Test SSH Connection from BackTrack to Ubuntu
    • Note(FYI):
      • Make sure you are on the BackTrack Server.
    • Instructions:
      1. ssh student@192.168.1.104 "uptime"
        • If you do not have a student account on Ubuntu, replace it with the system account you created in Lab 1.
        • Replace 192.168.1.104 with Ubuntu's IP address you obtained in (Section 3, Step 3).
      2. Provide Password.
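The following is an added illustration, not part of this lab and not code from the denyhosts project, of two things the lab does by hand: the log-based detection denyhosts performs on auth.log (Section 13) and the removal of one IP from hosts.deny (Section 14). It counts sshd "Failed password" lines per source IP over constructed sample log lines, emits hosts.deny entries in the sshd: IP form, and scrubs an IP by exact field match rather than the substring match of grep -v. The threshold of 5 is an assumption; denyhosts takes its real thresholds from /etc/denyhosts.conf.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not taken from the lab's screenshots).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 ubuntu sshd[2301]: Accepted password for student from 192.168.1.105 port 50122 ssh2
Mar  3 10:05:11 ubuntu sshd[2310]: Failed password for root from 192.168.1.105 port 50130 ssh2
Mar  3 10:05:12 ubuntu sshd[2310]: Failed password for root from 192.168.1.105 port 50130 ssh2
Mar  3 10:05:13 ubuntu sshd[2312]: Failed password for root from 192.168.1.105 port 50131 ssh2
Mar  3 10:05:14 ubuntu sshd[2314]: Failed password for invalid user admin from 192.168.1.105 port 50132 ssh2
Mar  3 10:05:15 ubuntu sshd[2316]: Failed password for root from 192.168.1.105 port 50133 ssh2
Mar  3 10:07:40 ubuntu sshd[2320]: Failed password for student from 192.168.1.50 port 41000 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def count_failures(log_text):
    """Return a Counter of failed-password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def hosts_deny_entries(log_text, threshold=5):
    """IPs at or above the threshold (assumed value), as 'sshd: IP' hosts.deny lines."""
    counts = count_failures(log_text)
    return ["sshd: %s" % ip for ip, n in sorted(counts.items()) if n >= threshold]


def scrub_ip(hosts_deny_text, ip):
    """Drop only lines whose address field equals ip exactly.

    grep -v "192.168.1.10" would also drop 192.168.1.105; this does not.
    """
    kept = [line for line in hosts_deny_text.splitlines()
            if ip not in line.replace(",", " ").split()]
    return "".join(line + "\n" for line in kept)
```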

