Tips on System Penetration Testing

How to check for system vulnerabilities through self-audits.

A few of these tools can be used offensively. It is bad etiquette to use them on systems which you do not own. Please respect others and do not attempt to cause harm.

Lynis

Local auditing suite which not only tests for security weaknesses, but also checks that best practices are being followed in a POSIX environment (UNIX/Linux-type systems).

Install

This program is best installed as root.

sudo su -
git clone https://github.com/CISOfy/lynis /opt/lynis
# Files read-only for everyone but root; the capital X keeps directories traversable
# (a plain "chmod -R 644" would also strip the execute bit from the directories and break "cd /opt/lynis").
chmod -R u=rwX,go=rX /opt/lynis
chmod 755 /opt/lynis/lynis

Testing

It is also best run as root, and executed from the install directory.

sudo su -
cd /opt/lynis
./lynis audit system

If redirecting the output into a file, you’ll want to disable the colors, so the file is not littered with the escape sequences meant for terminal output.

./lynis audit system --no-colors > /root/lynis_results.txt 2>&1

Results

The output has a human-readable section of results which gives a description and an ID for each finding. Suggestions are the lowest priority, with Warning and [TBD/TODO] being the more important items to correct.
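As an added example (not part of the original page or of the Lynis project), here is a POSIX shell script that turns the machine-readable report Lynis writes next to its console output (/var/log/lynis-report.dat by default) into a prioritised to-do list, warnings before suggestions. It assumes the report's `warning[]=TEST-ID|text|details|solution|` field layout; the embedded sample report is constructed for the demonstration.

```shell
#!/bin/sh
# Summarise a Lynis report file into a prioritised list: warnings first, then suggestions.
# Path of the real report written by "lynis audit system"; override with LYNIS_REPORT for testing.
REPORT_FILE="${LYNIS_REPORT:-/var/log/lynis-report.dat}"

# Constructed sample in the report's key[]=value format (test IDs and texts are illustrative).
SAMPLE_REPORT='hardening_index=62
warning[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|'

# lynis_findings FILE KIND -> prints "TEST-ID: message" for every KIND (warning|suggestion) line
lynis_findings() {
    grep "^$2\[]=" "$1" | awk -F'|' '{ sub(/^[^=]*=/, "", $1); printf "%s: %s\n", $1, $2 }'
}

# lynis_count FILE KIND -> number of findings of that kind
lynis_count() {
    grep -c "^$2\[]=" "$1"
}

# lynis_hardening_index FILE -> the 0-100 hardening score stored in the report
lynis_hardening_index() {
    sed -n 's/^hardening_index=//p' "$1"
}

# lynis_summary FILE -> prioritised text report on stdout
lynis_summary() {
    printf 'Hardening index: %s\n' "$(lynis_hardening_index "$1")"
    printf '\nWARNINGS (%s) - fix these first:\n' "$(lynis_count "$1" warning)"
    lynis_findings "$1" warning
    printf '\nSUGGESTIONS (%s):\n' "$(lynis_count "$1" suggestion)"
    lynis_findings "$1" suggestion
}

if [ -r "$REPORT_FILE" ]; then
    lynis_summary "$REPORT_FILE"
else
    # No real report on this machine: demonstrate on the constructed sample instead.
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_REPORT" > "$tmp"
    lynis_summary "$tmp"
    rm -f "$tmp"
fi
```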

Nmap

This tool can be considered aggressive and should not be used against any systems you do not own or have explicit permission to test against.

Setup

Install nmap from your package manager.

  • Debian Distros
    sudo apt update && sudo apt install -y nmap
    
  • Fedora Distros
    sudo dnf install -y nmap
    
  • Arch Distros
    sudo pacman -Syq nmap
    

Testing

Never run the -A parameter against an unsuspecting system.

Run this command to get a detailed summary of ports with an attackable surface:

nmap -A -p- --script=vuln server_or_IP

To simply see the open ports on a device, you may use the --open parameter:

nmap --open server_or_IP

This program runs more quickly when scanning the local machine itself, by targeting localhost, 127.0.0.1, 0.0.0.0, etc.

If you’d like the output saved into a file, redirect it with > to your desired directory.

For example, to place a local vulnerability scan into your Downloads directory:

nmap -A -p- --script=vuln localhost > ~/Downloads/nmap_report.txt 2>&1

Resolving Discoveries

If any vulnerabilities show up, they usually come with a CVE ID which can be researched, such as CVE-2007-6750.

There are many reputable sites which come up when placing this ID in a search engine. cve.org is also supposed to be a good centralized repository.

Here are examples for the provided ID.

Most vulnerabilities are fixed by upgrading software, migrating to safer software, and by following best practices such as not exposing databases to the Internet.

Metasploit

This tool IS aggressive and should NEVER be used against any systems you do not own or have explicit permission to test against. Thank you.

I recommend playing with Metasploit if you have extra time, so that you can learn how easy it is to exploit a vulnerability once it has been found with Nmap.

Please be sure to test against your own machines, for example by setting up a VM running an old Ubuntu LTS and starting some services such as CUPS, SSH, Apache, etc.

There are also VMs available, such as Metasploitable 2 and 3, which come with the attack surfaces already set up for you.

This is what “script kiddies” use to crack systems and “hack” people. From my experience it makes the process very easy.