WEBVTT

00:01.010 --> 00:04.910
Chapter 15 netfilter and system security services

00:08.220 --> 00:25.200
the unauthorized reproduction in whole or in part of this publication in any form is prohibited.

00:25.390 --> 00:31.870
We will now check using telnet which Damon s s h d version is installed on the tested server.

00:31.990 --> 00:33.840
So let's connect with port 22.

00:37.800 --> 00:42.160
As we can see we also managed to obtain very valuable information.

00:42.180 --> 00:47.330
The exact version of the remote system in this case Free BSD.

00:47.760 --> 00:51.740
This information is not always made available in order to overcome this.

00:51.750 --> 00:53.430
We will use special software.

00:53.430 --> 01:13.470
Therefore we will copy the files we need.

01:13.480 --> 01:23.920
We will now unpack compile and install the applications in the system.

01:23.970 --> 01:28.840
The compiling process will take a couple of minutes depending on the hardware resources available to

01:28.840 --> 01:29.260
us.

03:16.780 --> 03:22.690
After round 2 minutes of compiling the unmap application is ready for installation the installation

03:22.780 --> 03:29.320
should be made from the root level.

03:29.470 --> 03:32.590
Let's perform the operations for the program

03:46.360 --> 03:48.120
after the software installation.

03:48.130 --> 03:49.560
We can start our tests.

03:49.570 --> 03:59.350
Let's check which system version is installed on the tested server.

03:59.410 --> 04:03.460
We managed to obtain information independently on the system version

04:06.390 --> 04:12.030
the aim of this lesson is to demonstrate how the core modules that use the features of the netfilter

04:12.210 --> 04:19.560
subsystem work we will therefore learn to modify the behavior of the network stack which will enable

04:19.560 --> 04:25.290
us to receive the tools for the remote identification of the system version.

04:25.340 --> 04:30.800
But let's start by introducing a simple module that after uploading writes the information to the core

04:30.800 --> 04:31.220
logs

04:40.850 --> 04:46.910
after looking at the example we can proceed with using netfilter our next module will have to reject

04:46.970 --> 04:47.940
all packets.

04:54.820 --> 04:58.410
Let's familiarize ourselves with the structures we will use in our modules.

04:58.420 --> 05:03.440
This information is located in the netfilter h file in the kernel sources.

05:05.940 --> 05:11.160
The main structure of our module is an F under slash hook ups.

05:11.340 --> 05:12.540
Let's have a look at it.

05:28.950 --> 05:35.100
Another important structure is S-K under slash buff it stores all packets going through the network

05:35.100 --> 05:35.800
device.

05:57.200 --> 06:01.600
Let's compile and test the functioning of our module before compiling.

06:01.600 --> 06:04.850
We will make a slight correction to the make file.

06:20.130 --> 06:26.710
As we can see after uploading the module all packets going to the device are being rejected.

06:27.030 --> 06:33.210
After unloading the module everything returned to normal and the ping program registers subsequent echo

06:33.210 --> 06:40.860
reply packets our next modules task is to reject the packets on the eath zero interface and to print

06:40.860 --> 06:43.700
the information about the event in the core log.

07:11.750 --> 07:17.110
As we can notice all when according to our plans therefore it is time to describe another example

07:20.780 --> 07:27.760
next module takes advantage of filtering the IP address and the port by controlling these meters it

07:27.760 --> 07:30.350
is possible to reject only chosen files.

08:21.920 --> 08:28.010
As we can see after uploading the module the connection with port 22 was not possible.

08:28.070 --> 08:44.900
Our IP address 1 2 7 0 0 1 has been recognized.

08:44.910 --> 08:52.010
Our next example has been extended by the modification of the pair meters window and TTL for each x

08:52.020 --> 09:28.430
y in packet.

09:28.440 --> 09:33.240
First let's write the information on the fingerprint of the Free BSD system.

09:33.240 --> 09:35.330
We will use this in our next example.

09:55.250 --> 09:57.660
Now let's test the functioning of the module.

09:57.710 --> 10:02.210
We'll see what PLF returns before as well as after it uploads

10:18.440 --> 10:25.520
as we can see we manage to mislead the program and change the window and TTL values into the ones defined

10:25.550 --> 10:26.260
earlier.

10:35.650 --> 10:41.440
The last example shows how we can change other packet pair meters enabling us to pretend to be any operating

10:41.440 --> 10:53.220
system.

10:53.300 --> 10:59.690
Here we will use information obtained earlier from the signature database of the program for the Free

10:59.810 --> 11:01.100
BSD system.

11:23.220 --> 11:44.550
We will now test the module.

11:44.730 --> 11:46.070
We have been successful.

11:46.290 --> 12:05.910
Our system has been recognized as Free BSD version 5.1 although we are working in the Linux system.

12:06.140 --> 12:13.040
While it is true that the unmap program didn't recognize us as Free BSD by changing the packet properties

12:13.340 --> 12:16.030
we made identification of the system impossible.