ComputerSecurityStudent (CSS)

[Login]

[Join Now]

|UNIX >> Fedora >> Current Page

|Views: 16050

(Fedora: Lesson 19)

{ Testing denyhosts and brutessh.py }

Section 0. Background Information

What is denyhosts
- DenyHosts is a log-based intrusion prevention security tool for SSH servers written in Python. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
- http://denyhosts.sourceforge.net/
What is brutessh.py
- Brutessh is a program that uses the paramiko ssh library, to launch bruteforce passwords attacks to the sshd service. The tools is multithreading and uses a dictionary for the passwords.
Prerequisite
Lab Notes
- In this lab we will how to do the following:
  1. We will install brutessh.py on BackTrack.
  2. We will use brutessh on BackTrack to attack Fedora.
  3. Fedora will block BackTrack
  4. We will unblock BackTrack
Legal Disclaimer
- As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
- In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
- In addition, this is a teaching website that does not condone malicious behavior of any kind.
- You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
- © 2013 No content replication of any kind is allowed without express written permission.

Section 1: Edit the Fedora14 Virtual Machine

Open Your VMware Player
- Instructions:
  1. On Your Host Computer, Go To
  2. Start --> All Program --> VMWare --> VMWare Player
Edit Fedora 14 Virtual Machine Settings
- Instructions:
  1. Highlight Fedora14
  2. Click Edit virtual machine settings
Edit Network Adapter
- Instructions:
  1. Highlight Network Adapter
  2. Select Bridged
  3. Click the OK Button

Section 2: Play the Fedora14 Virtual Machine

Start the Fedora14 VM
- Instructions:
  1. Click on the Fedora14 VM
  2. Click on Play virtual machine

Section 3: Login to your Fedora14 server:

Login As student
- Instructions:
  1. Click on student
  2. Provide student password
  3. Click the Login Button
Start Up A Terminal.
- Applications --> System Tools --> Terminal
Switch User to root
- Instruction:
  1. su - root
  2. Supply the Root Password
Get IP Address
- Instructions:
  1. ifconfig -a
- Notes (FYI):
  - As indicated below, my IP address is 192.168.1.105.
  - Please record your IP address.

Section 4: Configure BackTrack Virtual Machine Settings

Edit the BackTrack5R1 VM
- Instructions:
  1. Select BackTrack5R1 VM
  2. Click Edit virtual machine settings
Edit Virtual Machine Settings
- Instructions:
  1. Click on Network Adapter
  2. Click on the Bridged Radio button
  3. Click on the OK Button

Section 5: Play and Login to BackTrack

Play the BackTrack5R1 VM
- Instructions:
  1. Click on the BackTrack5R1 VM
  2. Click on Play virtual machine
Login to BackTrack
- Instructions:
  1. Login: root
  2. Password: toor or <whatever you changed it to>.
Bring up the GNOME
- Instructions:
  1. Type startx

Section 6: Open Console Terminal and Retrieve IP Address

Start up a terminal window (On BackTrack5R1)
- Instructions:
  1. Click on the Terminal Window
Obtain the IP Address
- Instructions:
  1. ifconfig -a
- Note(FYI):
  - My IP address 192.168.1.106.
  - In your case, it will probably be different.
  - This is the machine that will be use to attack the victim machine (Mutillidae).

Section 7: Test SSH Between BackTrack and Fedora

Test SSH from Backtrack to Fedora (On BackTrack5R1)
- Instructions:
  1. ssh student@192.168.1.105 "uptime"
    - If you do not have a student account on Fedora, replace it with the system account you create in Lab 1.
  2. connecting (yes/no)? yes
  3. Provide Password
- Note(FYI):
  1. Replace 192.168.1.105 with Fedora's IP Address obtained from (Section 3, Step 4).

Section 8: Inspect Fedora's Security Log

Check Fedora's secure log (On Fedora14)
- Note(FYI):
  - Replace 192.168.1.106 with BackTracks's IP Address obtained from (Section 6, Step 2).
- Instructions:
  1. grep "Accepted password" /var/log/secure | grep "192.168.1.106"

Section 9: Install and run BruteSSH.py against Fedora

Search for BruteSSH.py (On BackTrack5R1)
- Note(FYI):
  - Issue the below commands from the BackTrack Terminal.
  - IF BRUTESSH IS ALREADY INSTALLED, THEN CONTINUE TO SECTION 10.
- Instructions:
  1. cd /pentest/passwords/
    - In BackTrack, the password cracking programs are typically located in this directory.
  2. ls -l
  3. ls -l | grep -i brute | wc -l
    - ls -l, list all the files and directories under the directory /pentest/passwords.
    - grep -i brute, return only listings that contain the string "brute"
    - wc -l, count anything that is returned.
    - Notice a zero(0) is return, which infers BruteSSH is not installed.
Download, Unzip and Untar brutessh-0.5.tar.bz2
- Instructions:
  1. wget http://www.computersecuritystudent.com/UNIX/UBUNTU/1204/lesson13/brutessh-0.5.tar.bz2
  2. ls -l brutessh-0.5.tar.bz2
  3. bunzip2 brutessh-0.5.tar.bz2
  4. ls -l brutessh-0.5.tar
  5. tar xovf brutessh-0.5.tar
BruteSSH House Cleaning
- Instructions:
  1. ls -l brutessh-0.5.tar
  2. rm brutessh-0.5.tar
    - We no longer need the tar file.
  3. cd brutessh/
  4. ls -la
  5. cat /pentest/passwords/john/password.lst | grep -v "^#" | head -50 > password.txt
    - I grabbed the first 50 passwords from John the Ripper to create enough future brute force ssh traffic for denyhosts to block.
  6. ls -l password.txt
Using BruteSSH
- Instructions:
  1. python brutessh.py -help
    - The -help flag produced the usage options.
Using BruteSSH Against DenyHosts
- Note(FYI):
  - Replace 192.168.1.105 with Fedora's IP Address obtained from (Section 3, Step 4).
- Instructions:
  1. python brutessh.py -h 192.168.1.105 -u root -d password.txt

Section 10: Testing Blocked SSH Traffic from BackTrack to Fedora

Testing Blocked SSH Connection (On BackTrack5R1)
- Note(FYI):
  - Replace 192.168.1.105 with Fedora's IP Address obtained from (Section 3, Step 4).
- Instructions:
  1. ssh student@192.168.1.105
    - Note: DenyHosts on the Fedora server is now blocking the ssh protocol from connecting to port 22.
  2. telnet 192.168.1.105 22
    - Here I am testing to see if IP Addressed is really blocked or if just SSH traffic is blocked.
    - Note: Although BackTrack SSH traffic is now blocked, it is still possible to connect using TCP over port 22.

Section 11: Analyzing Fedora Deny Host Logs

Analyzing Fedora Deny Host Logs (On Fedora)
- Note(FYI):
  - Replace 192.168.1.106 with BackTracks's IP Address obtained from (Section 6, Step 2).
- Instructions:
  1. grep sshd /etc/hosts.deny | tee brute.txt
    - The hosts.deny file contains all the IP Addresses that have been blocked by the denyhosts daemon.
  2. grep -i "Failed password" /var/log/secure | grep "192.168.1.106" | tee -a brute.txt
    - Search the /var/log/secure file for the phrase "Failed password" AND IP Address "192.168.1.106".

Section 14: Unblock BackTrack

Stop rsyslog and denyhosts (On Fedora)
- Instructions:
  1. fuser /var/log/secure
    - The command fuser identifies Process IDs (PID)s that have open sockets to a file.
    - Notice that PIDs 2715 and 2738 currently have open sockets to the secure file.
  2. ps -eaf | grep -v grep | egrep '(2715|2738)'
    - Replace 2715 and 2738 with the Process IDs (PIDs) that fuser lists in your session.
  3. service rsyslog stop
  4. service denyhosts stop
  5. fuser /var/log/secure
    - Notice no Process IDs are returned.
Scrub the hosts.deny file
- Note(FYI):
  - Replace 192.168.1.106 with BackTracks's IP Address obtained from (Section 6, Step 2).
- Instructions:
  1. cd /etc
  2. grep -v "192.168.1.106" hosts.deny > hosts.deny.new
  3. grep "192.168.1.106" hosts.deny.new | wc -l
  4. mv hosts.deny hosts.deny.old
  5. mv hosts.deny.new hosts.deny
Scrub the secure file
- Note(FYI):
  - Replace 192.168.1.106 with BackTracks's IP Address obtained from (Section 6, Step 2).
- Instructions:
  1. cd /var/log/
  2. grep -v "192.168.1.106" secure > secure.new
  3. grep "192.168.1.106" secure.new | wc -l
  4. mv secure secure.old
  5. mv secure.new secure
Scrub the denyhosts file
- Note(FYI):
  - Replace 192.168.1.106 with BackTracks's IP Address obtained from (Section 6, Step 2).
- Instructions:
  1. cd /var/log/
  2. grep -v "192.168.1.106" denyhosts > denyhosts.new
  3. mv denyhosts denyhosts.old
  4. mv denyhosts.new denyhosts
Start syslog and denyhosts
- Instructions:
  1. service rsyslog start
  2. service denyhosts start

Section 15: Test SSH From BackTrack To Fedora

Test SSH Connection from BackTrack to Fedora (On BackTrack)
- Note(FYI):
  - Replace 192.168.1.105 with Fedora's IP Address obtained from (Section 3, Step 4).
- Instructions:
  1. ssh student@192.168.1.105 "hostname"
  2. Provide Password.

Section 16: Proof of Lab

Proof of Lab
- Instructions:
  1. cd
  2. cat brute.txt
  3. date
  4. echo "Your Name"
    - Replace the string "Your Name" with your actual name.
    - e.g., echo "John Gray"
- Proof of Lab Instructions
  1. Do a <PrtScn>
  2. Paste into a word document
  3. Upload to Moodle