26. First steps in security

26.1. Application

  1. You will list the open and active services (ports) on your machine (or on any other machine, it does not matter).

    Detecting the services on the target machine (with nmap):

    
    vanvincq@CP2L ~ $ sudo nmap -sV 127.0.0.1
    
    Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-20 19:55 CET
    Interesting ports on CP2L (127.0.0.1):
    Not shown: 994 closed ports
    PORT    STATE SERVICE VERSION
    21/tcp  open  ftp     ProFTPD 1.3.3a
    22/tcp  open  ssh     OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
    23/tcp  open  telnet  Linux telnetd
    25/tcp  open  smtp    Exim smtpd 4.72
    111/tcp open  rpcbind
    631/tcp open  ipp     CUPS 1.4
    Service Info: OSs: Unix, Linux
    
    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 6.17 seconds
    
    
    vanvincq@CP2L ~ $ sudo nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 127.0.0.1
    
    Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-20 19:59 CET
    NSE: Loaded 30 scripts for scanning.
    Initiating SYN Stealth Scan at 19:59
    Scanning CP2L (127.0.0.1) [1000 ports]
    Discovered open port 23/tcp on 127.0.0.1
    Discovered open port 22/tcp on 127.0.0.1
    Discovered open port 111/tcp on 127.0.0.1
    Discovered open port 25/tcp on 127.0.0.1
    Discovered open port 21/tcp on 127.0.0.1
    Discovered open port 631/tcp on 127.0.0.1
    Completed SYN Stealth Scan at 19:59, 0.04s elapsed (1000 total ports)
    Initiating Service scan at 19:59
    Scanning 6 services on CP2L (127.0.0.1)
    Completed Service scan at 19:59, 6.00s elapsed (6 services on 1 host)
    Initiating OS detection (try #1) against CP2L (127.0.0.1)
    Retrying OS detection (try #2) against CP2L (127.0.0.1)
    Retrying OS detection (try #3) against CP2L (127.0.0.1)
    Retrying OS detection (try #4) against CP2L (127.0.0.1)
    Retrying OS detection (try #5) against CP2L (127.0.0.1)
    NSE: Script scanning 127.0.0.1.
    NSE: Starting runlevel 1 scan
    Initiating NSE at 19:59
    Completed NSE at 19:59, 5.11s elapsed
    NSE: Script Scanning completed.
    Host CP2L (127.0.0.1) is up (0.000015s latency).
    Interesting ports on CP2L (127.0.0.1):
    Not shown: 994 closed ports
    PORT    STATE SERVICE VERSION
    21/tcp  open  ftp     ProFTPD 1.3.3a
    22/tcp  open  ssh     OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
    |  ssh-hostkey: 1024 12:e8:74:93:e7:26:3a:6b:80:20:e4:da:2c:e6:a4:3b (DSA)
    |_ 2048 2c:74:6f:16:59:12:24:d0:40:1c:03:c9:aa:ce:80:b0 (RSA)
    23/tcp  open  telnet  Linux telnetd
    25/tcp  open  smtp    Exim smtpd 4.72
    |  smtp-commands: EHLO CP2L Hello cp2l [127.0.0.1], SIZE 52428800, PIPELINING, HELP
    |_ HELP Commands supported: AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP
    111/tcp open  rpcbind
    |  rpcinfo:  
    |  100000  2    111/udp  rpcbind  
    |  100024  1  59641/udp  status   
    |  100000  2    111/tcp  rpcbind  
    |_ 100024  1  50769/tcp  status   
    631/tcp open  ipp     CUPS 1.4
    No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=5.00%D=2/20%OT=21%CT=1%CU=34969%PV=N%DS=0%G=Y%TM=4F42980F%P=x86_6
    OS:4-unknown-linux-gnu)SEQ(SP=102%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=8)SEQ(SP=
    OS:102%GCD=2%ISR=10C%TI=Z%CI=Z%II=I%TS=8)OPS(O1=M400CST11NW7%O2=M400CST11NW
    OS:7%O3=M400CNNT11NW7%O4=M400CST11NW7%O5=M400CST11NW7%O6=M400CST11)WIN(W1=8
    OS:000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)ECN(R=Y%DF=Y%T=40%W=8018%O=M
    OS:400CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%
    OS:DF=Y%T=40%W=8000%S=O%A=S+%F=AS%O=M400CST11NW7%RD=0%Q=)T4(R=Y%DF=Y%T=40%W
    OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
    OS:T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S
    OS:+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUC
    OS:K=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
    
    Uptime guess: 0.029 days (since Mon Feb 20 19:17:25 2012)
    Network Distance: 0 hops
    TCP Sequence Prediction: Difficulty=258 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: OSs: Unix, Linux
    
    Read data files from: /usr/share/nmap
    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 22.96 seconds
               Raw packets sent: 1095 (51.990KB) | Rcvd: 2211 (98.764KB)
    

    After the scan, we can state that TCP ports 21, 22, 23, 25, 111, 631 and 50769 are open (at least for a local scan through the lo interface). Port 50769 does not appear in the port table itself but in the rpcinfo output, as the listener of the status program (rpc.statd).

    Let's try again through eth0:

    
    vanvincq@CP2L ~ $ sudo nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 192.168.1.10
    
    Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-20 20:07 CET
    NSE: Loaded 30 scripts for scanning.
    Initiating Parallel DNS resolution of 1 host. at 20:07
    Completed Parallel DNS resolution of 1 host. at 20:07, 0.03s elapsed
    Initiating SYN Stealth Scan at 20:07
    Scanning 192.168.1.10 [1000 ports]
    Discovered open port 23/tcp on 192.168.1.10
    Discovered open port 21/tcp on 192.168.1.10
    Discovered open port 111/tcp on 192.168.1.10
    Discovered open port 22/tcp on 192.168.1.10
    Completed SYN Stealth Scan at 20:07, 0.04s elapsed (1000 total ports)
    Initiating Service scan at 20:07
    Scanning 4 services on 192.168.1.10
    Completed Service scan at 20:07, 6.00s elapsed (4 services on 1 host)
    Initiating OS detection (try #1) against 192.168.1.10
    Retrying OS detection (try #2) against 192.168.1.10
    Retrying OS detection (try #3) against 192.168.1.10
    Retrying OS detection (try #4) against 192.168.1.10
    Retrying OS detection (try #5) against 192.168.1.10
    NSE: Script scanning 192.168.1.10.
    NSE: Starting runlevel 1 scan
    Initiating NSE at 20:07
    Completed NSE at 20:07, 5.10s elapsed
    NSE: Script Scanning completed.
    Host 192.168.1.10 is up (0.000014s latency).
    Interesting ports on 192.168.1.10:
    Not shown: 996 closed ports
    PORT    STATE SERVICE    VERSION
    21/tcp  open  ftp        ProFTPD 1.3.3a
    22/tcp  open  ssh        OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
    |  ssh-hostkey: 1024 12:e8:74:93:e7:26:3a:6b:80:20:e4:da:2c:e6:a4:3b (DSA)
    |_ 2048 2c:74:6f:16:59:12:24:d0:40:1c:03:c9:aa:ce:80:b0 (RSA)
    23/tcp  open  tcpwrapped
    111/tcp open  rpcbind
    |  rpcinfo:  
    |  100000  2    111/udp  rpcbind  
    |  100024  1  59641/udp  status   
    |  100000  2    111/tcp  rpcbind  
    |_ 100024  1  50769/tcp  status   
    No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=5.00%D=2/20%OT=21%CT=1%CU=40425%PV=Y%DS=0%G=Y%TM=4F4299F3%P=x86_6
    OS:4-unknown-linux-gnu)SEQ(SP=100%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=8)OPS(O1=
    OS:M400CST11NW7%O2=M400CST11NW7%O3=M400CNNT11NW7%O4=M400CST11NW7%O5=M400CST
    OS:11NW7%O6=M400CST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)E
    OS:CN(R=Y%DF=Y%T=40%W=8018%O=M400CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%
    OS:F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=8000%S=O%A=S+%F=AS%O=M400CST11NW7
    OS:%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=
    OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
    OS:7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN
    OS:=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
    
    Uptime guess: 0.035 days (since Mon Feb 20 19:17:24 2012)
    Network Distance: 0 hops
    TCP Sequence Prediction: Difficulty=256 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: OSs: Unix, Linux
    
    Read data files from: /usr/share/nmap
    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 22.93 seconds
               Raw packets sent: 1095 (51.990KB) | Rcvd: 2209 (98.676KB)
    

    In this case, port 631 is no longer visible: in the netstat listing further down, cupsd is bound to CP2L:ipp rather than *:ipp, so it does not listen on every interface.

  2. You will then list all the services that you must or may keep active, and close the others. Again, write down every procedure you use to reach the result.

    • Port 21 (FTP): this port was opened during a previous lab. I no longer need it for now.

    • Port 22 (SSH): I am alone on my computer, no need to access it from another machine. I close the port.

    • Port 23 (TELNET): same as for port 21. I no longer need it.

    • Port 111 (PORTMAP / RPCBIND): RPC (Remote Procedure Call) is a network protocol that allows procedure calls to be made on a remote computer through an application server. It is used in the client-server model and handles the messages exchanged between these entities (source: Wikipedia). During my first year of Master's I had the opportunity to use RPC in C programs. I admit that after trying Java RMI it's hard to go back to it xD.

    Summary of the situation before intervention:

    
    vanvincq@CP2L ~ $ sudo netstat -atup | grep LISTEN
    tcp        0      0 *:sunrpc                *:*                     LISTEN      1108/portmap    
    tcp        0      0 *:50769                 *:*                     LISTEN      1120/rpc.statd  
    tcp        0      0 *:ftp                   *:*                     LISTEN      1578/inetd      
    tcp        0      0 *:ssh                   *:*                     LISTEN      2161/sshd       
    tcp        0      0 CP2L:ipp                *:*                     LISTEN      1905/cupsd      
    tcp        0      0 *:telnet                *:*                     LISTEN      1578/inetd      
    tcp        0      0 CP2L:smtp               *:*                     LISTEN      1912/exim4      
    tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      2161/sshd       
    tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN      1905/cupsd      
    tcp6       0      0 ip6-localhost:smtp      [::]:*                  LISTEN      1912/exim4  
    

    For ports 21 and 23 (ftp and telnet, both served by inetd in the listing above), edit /etc/inetd.conf and comment out the corresponding lines. For port 22, disable the startup of the sshd daemon with the tool of your choice; this time I use sysv-rc-conf (an improved version of rcconf).

    After intervention:

    
    vanvincq@CP2L ~ $ sudo netstat -atup | grep LISTEN
    tcp        0      0 *:sunrpc                *:*                     LISTEN      1146/portmap    
    tcp        0      0 *:45968                 *:*                     LISTEN      1158/rpc.statd  
    tcp        0      0 CP2L:ipp                *:*                     LISTEN      1834/cupsd      
    tcp        0      0 CP2L:smtp               *:*                     LISTEN      1938/exim4      
    tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN      1834/cupsd      
    tcp6       0      0 ip6-localhost:smtp      [::]:*                  LISTEN      1938/exim4  
    

    Three ports have thus been closed! (rpc.statd now listens on 45968 instead of 50769: that port is assigned dynamically each time the service starts, so it is not a new service.)
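    As an added example (not part of the original write-up), the following POSIX shell script compares the two netstat listings above by program name, so that the randomly assigned rpc.statd port does not count as a change, and flags what still listens on every interface after the clean-up. The two listings are embedded as constructed input.

```shell
#!/bin/sh
# Added example, not from the original write-up: compare a "before" and an "after"
# `netstat -atup | grep LISTEN` listing, report which server programs were shut down,
# and flag the listeners that still accept connections on every interface.

# Sample input: the two listings from the write-up, embedded here as constructed data.
BEFORE='tcp        0      0 *:sunrpc                *:*                     LISTEN      1108/portmap
tcp        0      0 *:50769                 *:*                     LISTEN      1120/rpc.statd
tcp        0      0 *:ftp                   *:*                     LISTEN      1578/inetd
tcp        0      0 *:ssh                   *:*                     LISTEN      2161/sshd
tcp        0      0 CP2L:ipp                *:*                     LISTEN      1905/cupsd
tcp        0      0 *:telnet                *:*                     LISTEN      1578/inetd
tcp        0      0 CP2L:smtp               *:*                     LISTEN      1912/exim4
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      2161/sshd'
AFTER='tcp        0      0 *:sunrpc                *:*                     LISTEN      1146/portmap
tcp        0      0 *:45968                 *:*                     LISTEN      1158/rpc.statd
tcp        0      0 CP2L:ipp                *:*                     LISTEN      1834/cupsd
tcp        0      0 CP2L:smtp               *:*                     LISTEN      1938/exim4'

# Program names (the part after "pid/") of every LISTEN line on stdin, deduplicated.
# Comparing by program rather than by port avoids a false alarm on rpc.statd,
# whose port is chosen at random each start (50769 before, 45968 after).
programs() {
  awk '$6 == "LISTEN" { n = split($7, p, "/"); print p[n] }' | sort -u
}

# Programs listening in listing $1 but no longer in listing $2, one per line.
closed_programs() {
  tmp_b=$(mktemp) && tmp_a=$(mktemp)
  printf '%s\n' "$1" | programs > "$tmp_b"
  printf '%s\n' "$2" | programs > "$tmp_a"
  comm -23 "$tmp_b" "$tmp_a"
  rm -f "$tmp_b" "$tmp_a"
}

# Listeners bound to all interfaces (local address *:port or [::]:port): these are
# reachable from the network, unlike cupsd and exim4, which are bound to the host's
# own address only and therefore did not show up in the scan through eth0.
exposed_listeners() {
  printf '%s\n' "$1" | awk '$6 == "LISTEN" && ($4 ~ /^\*:/ || $4 ~ /^\[::\]:/) { print $4, $7 }'
}

echo "Programs shut down:"; closed_programs "$BEFORE" "$AFTER"
echo "Still reachable on all interfaces:"; exposed_listeners "$AFTER"
```

    Run it against the output of `sudo netstat -atup | grep LISTEN` captured before and after the change to check that only the intended daemons disappeared.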