Welcome to part two of this module. In this video we're going to be taking a look at Lynis. Like almost all of the tools showcased in this class, Lynis comes pre-installed on Kali 2.0 as well as most older versions of Kali. Lynis is an open source security auditing tool. It is used by system administrators, security professionals and auditors to evaluate the security defenses of their Linux and Unix based systems. It runs on the host itself rather than scanning a target remotely, so it performs more extensive security scans than most other vulnerability scanners that are similar to it. Lynis runs on almost any Unix based system. It even runs on systems like the Raspberry Pi or even a QNAP storage device.

Lynis is lightweight and easy to use. Installation is optional. Just copy it to a system, and from the directory where you've saved it we need to modify permissions: chmod +x lynis. Once this is done, you would just type ./lynis audit system to start the security scan. However, because we're using Kali Linux, it is of course easier than this. We just go to Applications, Vulnerability Analysis, and from here we can click on Lynis. Loading it this way will give us the full list of switches and options for the script, the use of which will hopefully be familiar to you.
That is, if you've been going through these modules one by one. If we type lynis audit, we're presented with a few examples of how we can set a target. We're going to be performing a full system audit, since this is the easiest way to show off how the tool works. So we're going to type lynis audit system and press Enter. This is going to provide us with all kinds of information about the target system. Because we're running this in Kali 2.0, your results should look similar to mine, particularly if you've elected to follow along in this class using a VirtualBox installation of Kali.

Lynis really comes into its own when you're using it on a system that you have physical access to but less familiarity with. It is useful for auditing a system to identify potential weaknesses to be cleaned up. It has a slightly more black hat use in that it can be run on a system that a bad actor might wish to penetrate at a later date.

While Lynis scans a system, it will perform a single target test and output the results of every performed test to the screen. Every scan result has to be interpreted by the auditor and checked for what it means. Behind most tests it will display either an OK or a WARNING, where the first one is considered an expected result and the second one is unexpected or denotes a potential problem or vulnerability.
However, keep in mind that a result saying OK does not always mean the scan target is correctly configured or safe in terms of its security, or that its use is the best possible practice. But on the other side of that coin, every warning doesn't necessarily mean that something is wrong or bad, since systems and their requirements are different. However, as the auditor performing the tests, it is advisable to pay attention to them and check what influence that test may have on your system or your company policy.

In the case of warnings, there are several actions that you can take. First, you can fix the problem, which is the most obvious. Read the log about the technical background and then consult internet sources and documentation to see for yourself what impact the change might have on your particular system. Or you can disable that particular test. This is like the equivalent of whitelisting certain types of test results. If you wanted to do this, you need to open up the scan profile and change a particular test to test_skip_always. However, I don't advise doing this unless you have a highly specific reason to do so. As an example of what such a reason might be: maybe you have only one DNS server configured on your workstation. A test then shows a warning that reveals that it expected two working name servers.
In such a case you can choose to not get informed about it and disable the test. Extend the test_skip_always in your scanning profile with the test number, which can be found in the log file at the end of the line of screen output after every scan. The auditor should consult the log file and interpret the results. If tests are displayed as a warning, the log file will give the reason why a warning was displayed. In most cases a suggestion line will also be present to assist in resolving the issue or giving more information about what the test was expecting and why it was expecting it.

At the end of the testing process, Lynis will display suggestions and warnings. During the auditing process Lynis will gather these, and the results will be grouped together and displayed at the bottom of the screen output. Usually warnings are events which really need action. Suggestions, on the other hand, could indicate room for improvement. It's common to find many more suggestions than there are warnings. But this does not imply that because there are many suggestions and no warnings the system is properly secure. So keep that in mind. To determine what has been checked together with the related suggestions or warning, the test identifier is displayed on the same line between the brackets when the test is complete.
I'll demonstrate how to open the Lynis log file, and within it you can search for this identifier. On the subject of identifiers: during a security audit, Lynis attempts to assign two identifiers to the system itself. They can be compared to fingerprints and can be used in other tools to link data to an existing system. The first identifier is named hostid and it is 40 characters long. It typically uses the MAC address of the system as a data point. The second identifier is hostid2. It is 64 characters long and typically uses a public SSH key which is generated by the test. I'm going to open a second terminal window to demonstrate the command necessary to show the host ID. Once the test has already run, you would type lynis show hostids and this will show you these unique fingerprints.

Lynis uses a number of plugins, which are extensions to the Lynis core. Where normal Lynis controls perform individual tests and share the output, plugins will usually gather information. This information is then collected and processed in bulk. The big benefit is that it is quicker and more powerful. For example, security intelligence can be applied by collecting data and correlating it on the central node. Plugins which do use hooks in existing tests, or gather data for later processing, will initialize during Phase 1 of the audit.
Some tests which are part of the plugin itself will then finish during Phase 2. After running all of the tests, plugins get a last chance to do their job, for example to pass on discovered elements on the system, like a virtual host with Apache. Plugins which can be used standalone, in other words which have no hooks, no input for existing tests, etc., can be executed in Phase 1. In these cases there is no need for a Phase 2 component. Plugins can be enabled by using the plugin option within the profile.

It is possible to create custom plugins for Lynis or download custom plugins created by others. As always, I am fond of adding: be sure to do your due diligence and make sure that the source you download from is trustworthy. You don't want to get any kind of malware or malfunctioning plugins by accident. Either way, you are advised to add a personal prefix and make the file name for these plugins unique. This will prevent the file from being overwritten when you update Lynis, which is likely to happen on its own whenever you conduct a general apt-get update in Kali itself. For more information about writing your own custom plugins, check out the Lynis website.

For the professional penetration testers out there who make frequent use of this tool on a large number of systems, Lynis offers what it calls the Enterprise Edition.
This Enterprise Edition can be used to upload Lynis data via the --upload option. For companies using multiple systems, the Lynis collector is usually the preferred choice. This specific tool has more capabilities and features, and batches data together. Both the --upload parameter and the Lynis collector are meant to upload data to the central node. To use the edition you would need a license key. If this interests you, please see the website and the Lynis documentation for more information. Keep in mind that these versions of Lynis are not free and will require you to have that license key in order to make use of them.

For individuals or companies that wish to build their own Lynis packages, there is a lynis.spec file available. Building an RPM is very easy due to the low amount of dependencies that Lynis requires. Such customization is outside of the scope of this particular tutorial though. But again, more detailed information is available online for those of you that have the wish and the coding skills to pursue that sort of modification.

Now, because this is such a straightforward tool but the scans tend to run rather long, I don't have quite enough to ramble about while it finishes, so, not wishing to waste your time, I will make a slight pause in the video recording here and I will resume when this audit scan is complete. All right, now the scan is complete.
I'm going to scroll up for a moment, and you can get a sense just by looking at these results of exactly how detailed this audit was. Keep in mind that I ran the default options found in the default profile; these are customizable, as I mentioned, and as you can see a great many things were checked for. And when you go through this yourself you can, as an exercise, select anything that comes up as a warning and look it up to get a sense of what that might mean.

Basic system information is contained at the top of the test, such as for example the operating system and the program version, and the operating system name, which for newer versions of Kali is always going to be Debian, but older versions will say Ubuntu and so forth. So all the way towards the bottom, once we pass them, we can see that there are five warnings: no password set for single mode; can't find any security repository in /etc/apt/sources.list; name server; name server; iptables. These would be things that it has found within Kali that are concerning, and you should be seeing the same thing, although if your version of Kali is different than mine this may be a slightly different readout. And here are the suggestions that Lynis gives. These will be included in the log file.
For example, it points out that this version of Lynis is outdated and should be upgraded, and that's my fault for not doing that before running this test. But that's OK. Install apt-listbugs to display a list of critical bugs prior to each apt installation; that would be a good idea. Install debsecan to generate a list of vulnerabilities which affect this installation. Configure minimum password age in /etc/login.defs. So in other words you can see that there are a great many different possible suggestions to improve your security, and all of these are pretty straightforward, like set a password on the GRUB bootloader to prevent altering the boot configuration. So that's just an idea, and it's not something you have to do, but you could. So anyway, that's fairly self-explanatory.

I'm going to come back down to the bottom, and here we see that Lynis has created two different files: the test and debug information, that's the log file, and the report data. In both cases, to access this we simply go to cd /var/log, and I'm going to use Leafpad. You can use whatever you would like. Now open up the Lynis log. And this is what the log file looks like. And this file is of course searchable, and here we have the test ID.
In this case, "Performing test ID CUST-0510", or up here, "Performing test ID CUST-0285", and that's the information you would need if you wished to modify Lynis, as I mentioned during my audit itself. And so forth, and that pretty much covers the basic usage. Lynis is a good little program to carry around with you on a USB thumb drive or other portable media as part of your pen testing and auditing toolkit. It can be used with Kali, it can be used with any other version of Linux, any version of Unix. It's quite versatile. Sadly it is not yet usable on Windows, and that about covers it, so I hope this was of use to you.