Got SKYBOX course

Two weeks ago I was in Milan for a security course.
I saw and studied SKYBOX. It's an impressive tool with which you can do firewall / network / system mapping, analysis and security checks. Skybox takes all the data from routers, firewalls and scans and shows you every scenario in which you can simulate attacks, defining multiple attacker profiles!!
I was very surprised during the simulations and I saw that you can easily manage network components and get any info you need with a few clicks/queries, even with a large network map!!
In the last days we took two exams for two certifications. I hope to pass both exams 🙂

What is a Unix rootkit?

A rootkit is a collection of programs.
It is installed and used after a system has already been compromised.

In this case the three steps to compromise a system are:

1) scanning and vulnerability detection
2) use of an exploit to obtain a shell
3) installation of the rootkit

A classic rootkit is composed of:

– a local exploit
– multiple backdoors
– sniffers
– a DDoS agent

A local exploit is used to obtain a root shell when only limited (unprivileged) access to the system is available.
Installing a backdoor opens a privileged port for future connections.
In the same step, commands such as netstat, who, pkg* and last are replaced with trojaned binaries.
So if a local backdoor opens TCP port 2800, netstat will not show that port as open!!!!!
Sniffers are used to capture passwords and application activity.
The DDoS agent turns the system into a node of a DDoS network: on a signal from the master it launches a TCP/UDP SYN flood attack.
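The hidden-port trick above can be caught by not trusting the netstat binary at all. The script below is an added example (not code from the original post): it reads the kernel's own socket table from /proc/net/tcp, compares it with what netstat reports, and prints every LISTEN port the binary failed to mention. It assumes Linux (the /proc/net/tcp format) and net-tools style `netstat -tln` output; the sample data embedded in it is constructed, with sshd on 22 and a backdoor on 2800 listening according to the kernel while the trojaned netstat only admits to 22.

```shell
#!/bin/sh
# Added example, not part of the original post: find TCP ports that the
# kernel reports as LISTEN but the netstat binary does not show. A userland
# rootkit that replaces netstat can filter its own output, but /proc/net/tcp
# is produced by the kernel, so a port present there and missing from netstat
# is exactly the hidden-backdoor case described in the post. Assumes Linux
# (/proc/net/tcp) and the net-tools "netstat -tln" output format.

# Read /proc/net/tcp (or tcp6) text on stdin; print decimal ports in LISTEN
# state (st == 0A), one per line, sorted and deduplicated.
proc_listen_ports() {
    while read -r sl laddr raddr st rest; do
        case "$sl" in *:) ;; *) continue ;; esac   # skip the header line
        [ "$st" = "0A" ] || continue               # 0A is TCP_LISTEN
        echo $(( 0x${laddr##*:} ))                 # port is hex after ':'
    done | sort -n -u
}

# Read "netstat -tln" text on stdin; print the local ports shown as LISTEN.
netstat_listen_ports() {
    while read -r proto rq sq laddr faddr state rest; do
        case "$proto" in tcp|tcp6) ;; *) continue ;; esac
        [ "$state" = "LISTEN" ] || continue
        echo "${laddr##*:}"
    done | sort -n -u
}

# $1: /proc/net/tcp contents, $2: netstat -tln output.
# Prints every kernel LISTEN port that netstat failed to report.
hidden_ports() {
    kernel=$(printf '%s\n' "$1" | proc_listen_ports)
    shown=$(printf '%s\n' "$2" | netstat_listen_ports | tr '\n' ' ')
    for port in $kernel; do
        case " $shown " in *" $port "*) ;; *) echo "$port" ;; esac
    done
}

# Constructed sample: sshd on 22 and a backdoor on 2800 both listening
# according to the kernel (0x0016 = 22, 0x0AF0 = 2800), but the trojaned
# netstat only admits to 22. The third /proc line is an established
# connection (st 01), which must be ignored.
PROC_SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18264 1 0000000000000000 100 0 0 10 0
   1: 00000000:0AF0 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 30115 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:B3A2 01 00000000:00000000 00:00000000 00000000     0        0 31007 1 0000000000000000 20 4 30 10 -1'
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

hidden_ports_sample() {
    hidden_ports "$PROC_SAMPLE" "$NETSTAT_SAMPLE"
}

# Live check when running on a Linux host with netstat installed,
# otherwise demonstrate on the constructed sample (prints 2800).
if [ -r /proc/net/tcp ] && command -v netstat >/dev/null 2>&1; then
    hidden_ports "$(cat /proc/net/tcp /proc/net/tcp6 2>/dev/null)" "$(netstat -tln 2>/dev/null)"
else
    hidden_ports_sample
fi
```

This only defeats a userland rootkit. A kernel-mode rootkit (a loadable module hooking the /proc handlers) can filter /proc/net/tcp as well, so the same comparison should also be made against a port scan run from another host, and the suspect binaries should be checked against known-good hashes from the package manager or installation media.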

Today there are many products for rootkit detection, but in my opinion, if a system has been compromised the best practice is to reinstall the entire environment 🙂

Solaris 10 network services security

On Solaris 10 it is possible to limit network services during installation.
Even if the installation was completed without these restrictions, it is still possible to close all network services afterwards!

This can be done with the netservices command:

# netservices
netservices: usage: netservices [ open | limited ]

# netservices limited

Then only ssh is running and ready for external connections.
All other network services are disabled or only accept local requests, because their SMF property config/local_only is set to true.
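To verify the result of `netservices limited`, or to find a service that someone later reopened, the SMF property can be read back with svcprop. The script below is an added example (not from the original post): it walks the enabled service instances, reports the ones whose config/local_only is still false, and includes a helper to put a service back to local-only mode. It assumes a Solaris 10 host with svcs(1), svcprop(1), svccfg(1M) and svcadm(1M); the report function itself takes "fmri value" lines on stdin, so the constructed sample can be tried on any POSIX shell. Note that not every service uses this property name (syslog and the X server use their own), so this audit covers only the services that carry config/local_only.

```shell
#!/bin/sh
# Added example (not from the original post): after "netservices limited",
# list the SMF services whose config/local_only property is still "false",
# i.e. the ones that still accept connections from other hosts.
# Assumes Solaris 10 with svcs(1), svcprop(1), svccfg(1M) and svcadm(1M);
# the report logic reads "fmri value" lines from stdin, so it can be tried
# on any POSIX shell with the constructed sample below.

# Emit "fmri local_only" for every enabled service instance that carries a
# config/local_only property (instances without it are skipped). Solaris only.
collect_local_only() {
    svcs -H -o fmri | while read -r fmri; do
        val=$(svcprop -p config/local_only "$fmri" 2>/dev/null) || continue
        printf '%s %s\n' "$fmri" "$val"
    done
}

# Read "fmri local_only" lines from stdin and print the FMRIs that are
# reachable from outside (local_only is false).
exposed_services() {
    while read -r fmri val; do
        if [ "$val" = "false" ]; then
            printf '%s\n' "$fmri"
        fi
    done
}

# Put one service back to local-only mode: set the property, then refresh
# the instance so the running daemon picks the new value up. Solaris only.
restrict_to_local() {
    svccfg -s "$1" setprop config/local_only=true
    svcadm refresh "$1"
}

# Constructed sample of collect_local_only output for a host on which
# rpc/bind was reopened to the network after "netservices limited".
SAMPLE='svc:/network/rpc/bind:default false
svc:/network/smtp:sendmail true'

exposed_from_sample() {
    printf '%s\n' "$SAMPLE" | exposed_services
}

# Audit the live host when on Solaris, otherwise demonstrate on the sample
# (prints svc:/network/rpc/bind:default).
if [ "$(uname -s)" = "SunOS" ]; then
    collect_local_only | exposed_services
else
    exposed_from_sample
fi
```

Running the audit on a freshly limited host should print nothing; any FMRI it does print is a service that was reopened with `svccfg ... setprop config/local_only=false` (the same commands `restrict_to_local` uses in reverse) and deserves a look.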