Gadget Security
Last week I got my Christmas gift...:) An Eee PC (see Wikipedia on it).
Basically, it is a small laptop (7'' screen) running a Linux distribution called Xandros
(Debian based), with a quite user-friendly interface, mostly aimed at Internet applications.
Well, it is quite good, and I am really liking it, but, of course, I had to try its security :).
Fortunately it lets you open a console, from which you can instantly get root access by issuing 'sudo bash', with no password asked.
Well, this is not good, since anyone who gets hold of the machine can change the root password, maybe leaving you with the
only alternative, restoring the system. So changing the sudo configuration to ask for a password is a 'must do', imho...:)
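To make that 'must do' concrete, here is an added example (not from the original diary and not Xandros's own tooling) that audits a sudoers file for the two settings that make sudo passwordless and writes a hardened copy. The sample sudoers content is constructed; the exact entry Xandros ships for its default user is an assumption (a NOPASSWD rule), and the visudo syntax check is skipped when visudo is not installed.

```shell
#!/bin/sh
# Added example: audit a sudoers file for passwordless root and produce a
# hardened copy. Not Xandros's own tooling; the sample file below is
# constructed and the Xandros entry it mimics is an assumption.

# Print (with line numbers) every line that makes sudo passwordless:
# a NOPASSWD: tag on a user specification, or "Defaults !authenticate",
# which turns the password check off globally.
find_passwordless() {   # $1 = sudoers file
    grep -nE '(^|[[:space:]])NOPASSWD:|^[[:space:]]*Defaults.*!authenticate' "$1" || true
}

# Write a hardened copy: strip NOPASSWD: tags (sudo then asks for the
# invoking user's password) and flip "!authenticate" back to "authenticate".
harden_sudoers() {      # $1 = input sudoers, $2 = output file
    sed -e 's/NOPASSWD:[[:space:]]*//g' \
        -e '/^[[:space:]]*Defaults/s/!authenticate/authenticate/g' \
        "$1" > "$2"
    # "visudo -c -f FILE" parses a file without installing it; a syntax
    # error must never reach /etc/sudoers, or sudo stops working entirely.
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$2" >/dev/null 2>&1 || echo "warning: visudo rejected $2" >&2
    fi
}

# Constructed sample resembling a passwordless setup (not copied from the device).
SAMPLE_SUDOERS=$(mktemp)
cat > "$SAMPLE_SUDOERS" <<'EOF'
Defaults env_reset
Defaults !authenticate
root    ALL=(ALL) ALL
user    ALL=(ALL) NOPASSWD: ALL
%admin  ALL=(ALL) NOPASSWD: /sbin/shutdown, /sbin/reboot
EOF

HARDENED=$(mktemp)
echo "== passwordless entries in $SAMPLE_SUDOERS =="
find_passwordless "$SAMPLE_SUDOERS"
harden_sudoers "$SAMPLE_SUDOERS" "$HARDENED"
echo "== hardened copy =="
cat "$HARDENED"
```

On the real machine, run find_passwordless against /etc/sudoers (and anything it includes), install the hardened version through visudo rather than copying over the file, and confirm with 'sudo -l' that the entry is no longer tagged NOPASSWD.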
But let's get to the interesting stuff.
I was curious to see which ports were open, so I ran nmap against it from a remote host.
This was the result:
The SYN Stealth Scan took 0.61s to scan 1239 total ports.
Host 192.168.0.207 appears to be up ... good.
Interesting ports on 192.168.0.207:
Not shown: 1236 closed ports
PORT STATE SERVICE
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap finished: 1 IP address (1 host up) scanned in 1.525 seconds
Hmm...ports 111, 139 and 445...139 and 445 are usually associated with Windows systems, but we are on Linux.
And port 111 is portmap, the SunRPC port mapper...
So let's dig a little more, using smbclient to query the remote system:
lab3:~# smbclient -N -L '\\192.168.0.207' (-L to list shares and -N for no password, i.e. an anonymous session)
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.24]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (eeepc-root server (Asus Eee PC))
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.24]
Server Comment
--------- -------
EEEPC-ROOT eeepc-root server (Asus Eee PC)
Workgroup Master
--------- -------
GRUPO SRVWIN1
MSHOME PEDROLAP
WORKGROUP EEEPC-ROOT
In my opinion this is too much information to be shared...
Here we learn that the Eee PC is running Samba (which explains ports 139 and 445), the exact Samba version (3.0.24), and some workgroup and share information, all without supplying any credentials...
On port 111 nmap says portmap, so let's check it with rpcinfo:
lab3:~# rpcinfo -p 192.168.0.207
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
Yes, portmap!
On the Eee PC itself we can confirm those with netstat -anp:
lab3:~# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 2339/smbd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1409/portmap
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1398/cupsd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 2339/smbd
udp 0 0 192.168.0.207:137 0.0.0.0:* 2337/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 2337/nmbd
udp 0 0 192.168.0.207:138 0.0.0.0:* 2337/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 2337/nmbd
udp 0 0 0.0.0.0:68 0.0.0.0:* 2157/dhclient3
udp 0 0 0.0.0.0:68 0.0.0.0:* 1613/dhclient3
udp 0 0 0.0.0.0:111 0.0.0.0:* 1409/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 1398/cupsd
Again, Samba (smbd and nmbd) and portmap (SunRPC). We can also see CUPS (the printing service): its TCP port 631 is bound to 127.0.0.1 only, which is why it did not show up in the remote SYN scan (its UDP 631 socket is on 0.0.0.0, but a SYN scan covers TCP only).
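Which of those sockets actually matter from the network is decided by the bind address, not just the port. The following is an added example (not from the diary): a small awk filter over netstat -anp output that separates listeners reachable from other hosts from loopback-only ones, so the local view can be compared directly with the remote scan. The sample listing is constructed to mirror the one above, plus one ESTABLISHED connection and an IPv6 loopback socket to show they are handled; the column layout assumed is the classic net-tools one.

```shell
#!/bin/sh
# Added example (not from the original diary): triage "netstat -anp" output
# by bind address. Assumes classic net-tools columns:
#   tcp: Proto Recv-Q Send-Q Local Foreign State PID/Program
#   udp: Proto Recv-Q Send-Q Local Foreign       PID/Program

# Print "proto port program" for sockets read on stdin, keeping either the
# network-reachable ones ("exposed": listening/bound on a non-loopback
# address) or the loopback-only ones ("local"). Duplicate bindings of the
# same daemon collapse to one line; output is sorted by port.
classify_listeners() {   # $1 = exposed | local ; netstat -anp on stdin
    awk -v want="$1" '
        $1 !~ /^(tcp|udp)6?$/          { next }   # banner and header lines
        $1 ~ /^tcp/ && $6 != "LISTEN"  { next }   # ESTABLISHED etc. are not listeners
        {
            n = split($4, a, ":"); port = a[n]    # text after the last ":" is the port
            loop = ($4 ~ /^(127\.|::1:)/)         # 127.x.x.x or ::1
            if ((want == "local") != loop) next
            prog = $NF; sub(/^[0-9]+\//, "", prog) # "2339/smbd" -> "smbd"
            print $1, port, prog
        }' | sort -k2,2n -k1,1 | uniq
}
exposed_listeners()  { classify_listeners exposed; }
loopback_listeners() { classify_listeners local; }

# Constructed sample modelled on the diary's listing, plus one established
# connection and an IPv6 loopback socket to show they are handled.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2339/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1409/portmap
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1398/cupsd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      2339/smbd
tcp        0      0 192.168.0.207:445       192.168.0.5:41322       ESTABLISHED 2339/smbd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1398/cupsd
udp        0      0 192.168.0.207:137       0.0.0.0:*                           2337/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           2337/nmbd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           2157/dhclient3
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1409/portmap
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1398/cupsd'

echo "== reachable from the network (compare with the nmap result) =="
printf '%s\n' "$NETSTAT_SAMPLE" | exposed_listeners
echo "== loopback only (invisible to a remote scan) =="
printf '%s\n' "$NETSTAT_SAMPLE" | loopback_listeners
# On the device itself:  netstat -anp | exposed_listeners
```

The "exposed" TCP lines (111, 139, 445) are exactly what the SYN scan reported; the UDP lines (68, 111, 137, 631) are what a TCP-only scan cannot see, and are the next thing to check with nmap -sU.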
Now, we could try to create some iptables rules to restrict access, but the iptables modules are not loaded...:(
Another alternative is to shut the services down.
Since it is a Debian-based Linux, this is easily done with:
/etc/init.d/portmap stop
/etc/init.d/samba stop
but that only stops them for the current session. If you reboot, they will be back...
Another option is to edit /etc/hosts.deny and add the line
portmap:ALL
to restrict access to this service (portmap honours TCP wrappers, so this is checked on every request).
Or even disable them permanently, by commenting out the daemons in the /usr/sbin/services.sh file.
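The following added example (not from the diary and not Xandros's own scripts) makes that fix persistent on a Debian-style system: it adds the TCP-wrappers rules for portmap idempotently, allowing localhost before denying everyone else, and stops a service both now and at boot by removing its init-script links. The file paths are parameters so the functions can be tried on scratch files, and DRY_RUN=1 prints the privileged commands instead of running them; the Xandros-specific services.sh mentioned above is not touched.

```shell
#!/bin/sh
# Added example (not from the original diary): persist the "shut it down"
# fix on a Debian-style system. Assumes sysv-rc's update-rc.d and that
# portmap honours TCP wrappers (hosts.allow / hosts.deny).

# Append "daemon: client" to a TCP-wrappers file unless an equivalent rule
# is already there (spacing around the colon is ignored), so the function
# can be re-run safely. Dots in the client address match loosely, which
# is good enough for a presence check.
add_wrapper_rule() {   # $1 = file, $2 = daemon, $3 = client list
    [ -f "$1" ] || : > "$1"
    if grep -Eq "^[[:space:]]*$2[[:space:]]*:[[:space:]]*$3[[:space:]]*$" "$1"; then
        return 0
    fi
    printf '%s: %s\n' "$2" "$3" >> "$1"
}

# hosts.allow is consulted before hosts.deny, so keep portmap usable from
# the machine itself and deny every other client.
restrict_portmap() {   # $1 = hosts.allow path, $2 = hosts.deny path
    add_wrapper_rule "$1" portmap 127.0.0.1
    add_wrapper_rule "$2" portmap ALL
}

# Stop a service now and remove its rc?.d links so it stays down after a
# reboot ("update-rc.d -f NAME remove"; newer sysv-rc also offers
# "update-rc.d NAME disable"). A later package upgrade may recreate the
# links, so re-check /etc/rc2.d afterwards. Needs root unless DRY_RUN=1,
# which only prints the commands it would run.
disable_service() {    # $1 = init script name, e.g. portmap or samba
    run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }
    run /etc/init.d/"$1" stop
    run update-rc.d -f "$1" remove
}

# Demonstration on scratch copies (constructed; not the real /etc files).
ALLOW_SCRATCH=$(mktemp); DENY_SCRATCH=$(mktemp)
printf '# constructed pre-existing rule\nsshd: 10.0.0.0/8\n' > "$DENY_SCRATCH"
restrict_portmap "$ALLOW_SCRATCH" "$DENY_SCRATCH"
restrict_portmap "$ALLOW_SCRATCH" "$DENY_SCRATCH"   # second run adds nothing
echo "== hosts.allow ($ALLOW_SCRATCH) =="; cat "$ALLOW_SCRATCH"
echo "== hosts.deny  ($DENY_SCRATCH) ==";  cat "$DENY_SCRATCH"
DRY_RUN=1
disable_service portmap
disable_service samba
# For real, as root:  restrict_portmap /etc/hosts.allow /etc/hosts.deny
#                     DRY_RUN=0 disable_service portmap; DRY_RUN=0 disable_service samba
```

After applying it for real, repeat the nmap and rpcinfo checks from the other host: rpcinfo should now be refused, and once Samba's links are gone a reboot should leave 139 and 445 closed.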
Again, I am not saying that leaving these services open means you will be hacked, especially since I am not aware of any recent vulnerability in them, but we are at least giving away too much information...
This is just one example of how our new gadgets can expose us. New smartphones, whether Linux or Windows based, can also expose you and your data, and since we use them to store lots of our data, we must be paranoid about their security measures...at least I am...:)
Ah, about my Eee PC...it is not McDonald's, but "I'm lovin' it!" :) All my security tools installed perfectly on it...;)
---------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)