How to Install a Specific Linux Kernel Version

Linux kernel is ubiquitous. Android, Ubuntu, Red Hat and more, use the Linux kernel at the heart of their product's operating systems. The birth-child of Linus Torvalds 25 years ago is now the boss of operating systems.

Many would already know how to install Linux on their system or on a VM. But this is not the same as installing a different (upgraded or degraded) version of the kernel. The latest Linux kernel is release v4.19-rc2. In this post, I'll show you how to install a different version of the Linux kernel on your host/VM.


Preparation


I have an Ubuntu 18.04 running in a VM on a Windows host. The current Linux kernel version is 4.15.0-33.

nikhilh@ubuntu:~$ uname -a
Linux ubuntu 4.15.0-33-generic #36-Ubuntu SMP Wed Aug 15 16:00:05 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

You'll need certain libraries prior to installation:

 nikhilh@ubuntu:~$ sudo apt-get update
nikhilh@ubuntu:~$ sudo apt-get install -y fakeroot ncurses-dev git libelf-dev libssl-dev build-essential xz-utils bc

For a project, I needed kernel version 4.15-rc3, so I downloaded it from https://github.com/torvalds/linux/releases.

Extracting the Linux Source Code


Now that we have the tar of the v4.15-rc3 kernel, the next step is to extract it.

nikhilh@ubuntu:~/Downloads$ tar -xf linux-4.15-rc3.tar.gz
nikhilh@ubuntu:~/Downloads$ cd linux-4.15-rc3

Selecting Kernel Features


Building the menuconfig code is very important before compiling the kernel code. It allows you to choose which features of the kernel you want to include. The first step would be to copy your current config file into the kernel source code's root directory

nikhilh@ubuntu:~/Downloads/linux-4.15-rc3$ cp /boot/config-$(uname -r) .config

nikhilh@ubuntu:~/Downloads/linux-4.15-rc3$ sudo make menuconfig

Once the code compiles, you should see a GUI interface. This interface allows you to select Linux features according to your preference. Since I didn't need anything changed, I saved it as a .config file and exit from that interface.

Installing Kernel Source Code


 We're finally here! But don't get too excited already; this process takes almost one and half hour to complete! If you're using a VM, it would help speed up the process if you can increase the number of logical cores that the VM can access. I used 8 cores and it still took more than an hour to complete.

 nikhilh@ubuntu:~/Downloads/linux-4.15-rc3$ sudo make && sudo make modules_install && sudo make install

Updating the Bootloader


Now that you've (hopefully!) installed the kernel version that you wanted, it is time to update the root filesystem and the bootloader to make sure that your kernel version is used to boot up and not the previous version.

nikhilh@ubuntu:~/linux-4.15-rc3$ sudo update-initramfs -c -k 4.15.0-rc3
nikhilh@ubuntu:~/linux-4.15-rc3$ sudo update-grub

At this point, you can go ahead and restart the system/VM. The next time you login, you will (hopefully) have the required kernel version running. You can verify this by running uname -r.

Hey! It's still the previous version!


Looks like you fell into the same pothole that I did. But don't worry, I know how to get out. Open /boot/grub/grub.cfg. Go through the file and find a string which is something along the lines of: 

gnulinux-4.15.0-33-generic-advanced-7c910840-e34a-4b21-bada-4433bf5e9f5c

(The above is just an example. You should find something like gnulinux-4.15-rc3.)

Copy that string and open /etc/default/grub. In this file, see if you can find an option - GRUB_DEFAULT=0. Change this to GRUB_DEFAULT=<string_that_you_copied>. This ensures that the default kernel that your system is loading into is the kernel version that you installed.

Now, restart the VM. If you still cannot boot up the required kernel version, please leave a comment below and we'll figure it out.

I hope this information was useful to you! It is not difficult to install a different kernel version, albeit time consuming. If there are any queries, please let me know in the comments and I'll get back to you as soon as I can!
By at No comments:
Labels: , , , , , ,

Getting started with Nmap - Part 8

In the last part, we learnt about the various options that Nmap provides for avoiding detection by firewall and IDS. So far, the output from Nmap that we've been looking at is all from the console. In this post, we'll look at the various output options that Nmap provides.

Disclaimer: In this entire tutorial series, I have used scanme.nmap.org as the target host and sometimes my local machine itself. scanme.nmap.org is a machine set up by Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks, in general is a cyber crime and may even lead to jail. Please take permission before scanning random networks.

Create Text Output


 While the results of the scan are stored in the text file, Nmap also outputs to STDOUT (usually, the console).

nikhilh@ubuntu:~$ nmap -d -oN scan-results.txt scanme.nmap.org
...
...

nikhilh@ubuntu:~$ cat scan-results.txt 
# Nmap 7.70 scan initiated Fri Aug 24 15:10:21 2018 as: nmap -d -oN scan-results.txt scanme.nmap.org
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up, received syn-ack (0.083s latency).
Scanned at 2018-08-24 15:10:21 PDT for 23s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack
80/tcp   open  http       syn-ack
9929/tcp open  nping-echo syn-ack

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
# Nmap done at Fri Aug 24 15:10:44 2018 -- 1 IP address (1 host up) scanned in 23.06 seconds

It is important to note here that the debug information was not saved to the text file. To ensure that the previous content of the file are not erased, use the --append-output option.

Create XML Output


This is the most used output type. Scan results in XML format can also be used as an input to Zenmap or Ndiff. While the results of the scan are stored in the XML file, Nmap also outputs to STDOUT (usually, the console).

nikhilh@ubuntu:~$ nmap -d -oX scan-results.xml scanme.nmap.org
...
...

nikhilh@ubuntu:~$ cat scan-results.xml 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/local/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 7.70 scan initiated Fri Aug 24 15:20:07 2018 as: nmap -d -oX scan-results.xml scanme.nmap.org -->
<nmaprun scanner="nmap" args="nmap -d -oX scan-results.xml scanme.nmap.org" start="1535149207" startstr="Fri Aug 24 15:20:07 2018" version="7.70" xmloutputversion="1.04">
<scaninfo type="connect" protocol="tcp" numservices="1000" services="1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-993,995,999-1002,1007,1009-
...
...
848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389"/>
<verbose level="1"/>
<debugging level="1"/>
<taskbegin task="Ping Scan" time="1535149207"/>
<taskend task="Ping Scan" time="1535149207" extrainfo="1 total hosts"/>
<taskbegin task="Parallel DNS resolution of 1 host." time="1535149207"/>
<taskend task="Parallel DNS resolution of 1 host." time="1535149207"/>
<taskbegin task="Connect Scan" time="1535149207"/>
<taskend task="Connect Scan" time="1535149228" extrainfo="1000 total ports"/>
<host starttime="1535149207" endtime="1535149228"><status state="up" reason="syn-ack" reason_ttl="0"/>
<address addr="45.33.32.156" addrtype="ipv4"/>
<hostnames>
<hostname name="scanme.nmap.org" type="user"/>
<hostname name="scanme.nmap.org" type="PTR"/>
</hostnames>
<ports><extraports state="filtered" count="996">
<extrareasons reason="no-responses" count="996"/>
</extraports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="ssh" method="table" conf="3"/></port>
..
...
<runstats><finished time="1535149228" timestr="Fri Aug 24 15:20:28 2018" elapsed="21.08" summary="Nmap done at Fri Aug 24 15:20:28 2018; 1 IP address (1 host up) scanned in 21.08 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>

The above XML file has hard-coded stylesheet paths which make it useful only on the system where it was created. To make a portable XML file, use the --webxml option along with -oX. To avoid using the stylesheet at all, use the --no-stylesheet option.

Create Grepable Output


Using this option, we can have output that is in a format which is convenient for grep to work on. While the results of the scan are stored in the text file, Nmap also outputs to STDOUT (usually, the console).

nikhilh@ubuntu:~$ nmap -d -oG scan-results.txt scanme.nmap.org
...
...

nikhilh@ubuntu:~$ cat scan-results.txt
# Nmap 7.70 scan initiated Fri Aug 24 15:27:16 2018 as: nmap -d -oG scan-results.txt scanme.nmap.org
# Ports scanned: TCP(1000;1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-
...
...
56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 45.33.32.156 (scanme.nmap.org) Status: Up
Host: 45.33.32.156 (scanme.nmap.org) Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 9929/open/tcp//nping-echo///, 31337/open/tcp//Elite/// Ignored State: filtered (996)
# Nmap done at Fri Aug 24 15:27:37 2018 -- 1 IP address (1 host up) scanned in 21.75 seconds

Create all Output Types


If you require all three output file types to be created, use this option.

nikhilh@ubuntu:~$ nmap -d -oA scan-results scanme.nmap.org

nikhilh@ubuntu:~$ ls scan-results*
scan-results.gnmap  scan-results.nmap  scan-results.xml

That's it for my Nmap tutorial! It is very important for you to know that the options that we've learnt over the tutorial are not an exhaustive list of options that Nmap provides. These are the options that you must know when you start playing around with Nmap. For an exhaustive list of Nmap options, visit their docs page at: https://nmap.org/book/man.html.

If you have any questions, leave them in the comments below and I'll get back to you as soon as I can! Thanks for reading!
By at No comments:
Labels: , , , , , , ,

Getting started with Nmap - Part 7

In the last part, we looked at OS and service version detection along with a few timing options that help in speeding up or slowing down scans according to need. In this post, we'll look at Nmap options that will help you evade firewalls and Intrusion Detection Systems (IDS).

Disclaimer: In this entire tutorial series, I have used scanme.nmap.org as the target host and sometimes my local machine itself. scanme.nmap.org is a machine set up by Nmap developers for educational purposes, so it is legal to scan it a FEW TIMES A DAY. Scanning networks, in general is a cyber crime and may even lead to jail. Please take permission before scanning random networks.

Fragmented Packets

  1. Packets containing malicious payload would be instantly detected by IDS and dropped. 
  2. For this reason, packets can be broken down into multiple fragments so that when the IDS examines each packet, they seem harmless. This applies to those types of IDS which don't re-assemble packets before examining them.
  3. Once the packets are re-assembled at the target host, the malicious payload will be effectively delivered.
This type of scan (or fragscan) requires sudo privileges. This option fragments the packet into multiple 8-byte fragments.

nikhilh@ubuntu:~$ sudo nmap -d -f scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 07:52 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Final times for host: srtt: 48065 rttvar: 70016  to: 328129

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 21.53 seconds
           Raw packets sent: 2014 (88.540KB) | Rcvd: 736 (29.440KB)

On Windows systems, an additional option --send-eth is required for fragmented packets to be transmitted. With this option, Nmap sends packets at the raw Ethernet layer rather than at the IP layer. Microsoft has disabled raw socket support on Windows OS.

Set Maximum Transmission Unit (MTU)


MTU is the maximum size of a packet which can be handled by the network.
  1. On an average, most Ethernet networks have an MTU size of 1500 bytes.
  2. Sending a packet with higher MTU size than what the network can handle will lead to packet drops.
  3. MTU size must always be a multiple of 8 (which is 1 byte)
nikhilh@ubuntu:~$ sudo nmap -d --mtu 1504 scanme.nmap.org

Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 08:32 PDT
...
...
Not shown: 996 filtered ports
Reason: 996 no-responses
PORT      STATE SERVICE    REASON
22/tcp    open  ssh        syn-ack ttl 128
80/tcp    open  http       syn-ack ttl 128
9929/tcp  open  nping-echo syn-ack ttl 128
31337/tcp open  Elite      syn-ack ttl 128
Final times for host: srtt: 52299 rttvar: 87551  to: 402503

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 22.42 seconds
           Raw packets sent: 2011 (88.416KB) | Rcvd: 1579 (63.164KB)

In the above snippet, I used a MTU of 1504 which is more than 1500. So, how did this work? Nmap hands over the 1504 byte packet to the Network Interface Card (NIC) of the local system which then fragments the packets.

Using a Decoy


Using this option, it can be made to seem that the target system is being scanned by multiple systems at the same time. This allows the true IP to be "lost in the crowd". Using a lot of decoys is not advisable because that will cause network congestion.

nikhilh@ubuntu:~$ nmap -d -D RND:10 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 13:17 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 6.64 seconds

It is also possible to specify a comma-separated list of decoy IP addresses.

Set a source port


Firewalls block incoming connections based on the application port number, transport layer protocol and more. To get around any source port restriction, it is possible to spoof the port number and get past the firewall.

It is important to note that this option is not compatible with TCP Connect scan (-sT option). This option can also be specified as -g.

nikhilh@ubuntu:~$ sudo nmap -d -sS --source-port 3389 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 13:23 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Initiating Ping Scan at 13:23
...
...
Discovered open port 22/tcp on 45.33.32.156
...
...
Final times for host: srtt: 28093 rttvar: 41588  to: 194445

Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 23.81 seconds
           Raw packets sent: 2012 (88.456KB) | Rcvd: 478 (19.124KB)

Add payload data


When Nmap sends packets there is no payload data; the packets are empty. In some cases, adding payload data can solicit a response from the target system.

nikhilh@ubuntu:~$ nmap -d --data-length 16 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 13:31 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Read from /usr/local/bin/../share/nmap: nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 18.62 seconds

In the above situation, 16 bytes of payload data will be added to each packet that Nmap sends.

Scan Multiple Hosts in Random Order


To avoid detection by intrusion detection systems, it is advisable to always scan multiple hosts in a random order. This option is especially useful when scanning multiple systems on the same subnet.

nikhilh@ubuntu:~$ nmap -d --randomize-hosts scanme.nmap.org 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 13:43 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
...
...
Not shown: 996 filtered ports
Reason: 993 no-responses and 3 host-unreaches
PORT      STATE SERVICE    REASON
22/tcp    open  ssh        syn-ack
...
...
Nmap scan report for localhost (127.0.0.1)
Host is up, received conn-refused (0.00013s latency).
Scanned at 2018-08-24 13:43:48 PDT for 0s
Not shown: 999 closed ports
...
...
Nmap done: 2 IP addresses (2 hosts up) scanned in 69.02 seconds

Spoof MAC address


The MAC address is your identity on the LAN. If you can change that, you've effectively changed your identity and the benefits of that are obvious. For one, you can get past MAC filtering, provided you know which MAC addresses are blocked.

nikhilh@ubuntu:~$ nmap -d --spoof-mac 0 scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 14:03 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
Spoofing MAC address F1:31:59:C6:60:C9 (No registered vendor)
...
...
31337/tcp open  Elite      syn-ack
Final times for host: srtt: 82422 rttvar: 15862  to: 145870

Read from /usr/local/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 16.59 seconds

It is also possible to specify a vendor-specific MAC address.

nikhilh@ubuntu:~$ nmap -d --spoof-mac vmware scanme.nmap.org
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 14:46 PDT
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
Spoofing MAC address 00:05:69:CA:56:27 (VMware)
...
...
Read from /usr/local/bin/../share/nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 22.01 seconds

Idle Zombie Scan


Idle zombie scan is a combination of packet forging and scanning, making it the ultimate stealth scan. This concept is based on tracking fragment identification number (IP ID) and that this number increases whenever a system sends a packet.

It is important to note that the zombie used must be truly idle. Since Nmap, by default pings the target host before scanning, it is advisable to use -Pn option to prevent the initial ping.

While I cannot demonstrate this concept because I don't have an available zombie host, here is the command construction:
nikhilh@ubuntu:~$ sudo nmap -d -Pn -sI <zombie-ip> scanme.nmap.org

 That's it for part 7! Evading firewalls and IDS is very important to ensure that your scanning attempts stay hidden from the target network's administrators. If there are any questions, leave them in the comments below and I'll get back to you as soon as I can!

 In the next (and final) part, we'll look at some of the output file types that Nmap provides.
By at No comments:
Labels: , , , , , , , ,
Subscribe to: Comments (Atom)

Popular posts