Linux Basics for Hacking and Hackers Latest Technics 12

Following on from Linux Basics for Hackers, I want to look at loadable kernel modules (LKMs), which let us add functionality to the kernel without having to recompile it.

Things like device drivers can be added to the kernel without shutting down, recompiling or rebooting the system.

Loadable kernel modules are very important to hackers, because if we could get the Linux admin to load a new module into the kernel, we would not merely have access to their system:

because we would be at the core of the operating system, we could control what the system reports about processes, ports, services, disk space, and so on.

So if we can get a Linux user or administrator to install a new driver with our rootkit embedded in it, we control both the system and the kernel.

This is the same method that some Linux rootkits use.

So it is worth understanding LKMs clearly, because they are an important piece of the picture for both a Linux administrator and a clever hacker.

Step 1: What is a kernel module?

The kernel is the core component of the Linux operating system. It controls the operating system's relationship with the hardware and executes the services that running tasks request from it.

The kernel mediates between user applications and hardware such as the CPU, memory, and hard disk.

The kernel manages everything that happens in the operating system, so it sometimes needs updating.

These updates may include drivers for new devices (such as graphics cards or USB devices), filesystem drivers, and even new kernel features.

This is where LKMs come in. With them we can load and unload kernel modules without having to recompile the kernel.

Step 2: Check the kernel

First, let's check which kernel our system is running. There are at least two ways to do this.

uname -a

Notice that the output tells us the kernel release, 4.18.0-kali2-amd64, and that it is built for the x86_64 architecture.

We can also learn more by reading /proc/version.

cat /proc/version

Step 3: Configure the kernel with sysctl

Sometimes the Linux administrator needs to tune the kernel. This may include changing memory allocation, enabling networking features, and even hardening the kernel against hackers.

To configure modern Linux kernels, we use the sysctl command. Changes made with sysctl persist only until the system is restarted.

To make a change permanent, edit the sysctl configuration file, /etc/sysctl.conf.

Be careful when using sysctl, because without the proper knowledge and experience you can make your system unusable. Let's take a look at the sysctl settings.

sysctl -a | cat

To view the sysctl configuration file we type:

cat /etc/sysctl.conf


One of the ways sysctl is used in hacking is to enable IP forwarding (net.ipv4.conf.default.forwarding) for man-in-the-middle attacks.

For added security, we can disable responses to ICMP echo requests (net.ipv4.icmp_echo_ignore_all) to make it harder, though not impossible, for hackers to find our system.
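The settings above are exactly the kind of thing an administrator should check rather than guess at. The script below is an added example, not part of the original tutorial: it reads a dump in the "key = value" format that `sysctl -a` prints (and that /etc/sysctl.conf uses) and reports every key that deviates from a small hardening baseline. The sample dump, the baseline values, and the function names (`get_sysctl`, `audit_sysctl`, `count_deviations`) are constructed for this example; the baseline also includes `kernel.modules_disabled`, which this page does not mention but which directly controls whether new LKMs can be loaded at all.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit a sysctl dump
# against a small hardening baseline. Input is the "key = value" format
# that `sysctl -a` prints and /etc/sysctl.conf uses. The sample dump,
# the baseline and all function names are constructed for this example.

# Constructed sample resembling `sysctl -a` output on a loosely configured host.
SAMPLE_SYSCTL="$(mktemp)"
cat > "$SAMPLE_SYSCTL" <<'EOF'
# comments and blank lines are ignored, as in /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.icmp_echo_ignore_all = 0
kernel.modules_disabled = 0
kernel.kptr_restrict = 2
EOF

# Baseline: key|expected value|what a deviation means. The expectations are
# this example's assumptions for a workstation, not a universal standard.
BASELINE="net.ipv4.ip_forward|0|host forwards packets between interfaces; only a router should
net.ipv4.conf.default.forwarding|0|new interfaces default to forwarding
net.ipv4.icmp_echo_ignore_all|1|host answers ping, so it is easy to discover on the network
kernel.modules_disabled|1|module loading is still allowed, so a new LKM (or rootkit) can be inserted
kernel.kptr_restrict|2|kernel pointer values are readable from /proc"

# get_sysctl FILE KEY -> prints the value recorded for KEY (empty if absent)
get_sysctl() {
    awk -v k="$2" -F'=' '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key == k { print val; exit }
    ' "$1"
}

# audit_sysctl FILE -> one DEVIATION line per baseline key whose value differs
audit_sysctl() {
    printf '%s\n' "$BASELINE" | while IFS='|' read -r key want why; do
        have="$(get_sysctl "$1" "$key")"
        if [ "$have" != "$want" ]; then
            printf 'DEVIATION %s=%s (expected %s): %s\n' \
                "$key" "${have:-unset}" "$want" "$why"
        fi
    done
}

# count_deviations FILE -> number of DEVIATION lines (0 means the dump matches the baseline)
count_deviations() {
    audit_sysctl "$1" | wc -l | tr -d ' '
}

audit_sysctl "$SAMPLE_SYSCTL"
echo "deviations: $(count_deviations "$SAMPLE_SYSCTL")"
```

To run it against a real host, capture the current state with `sysctl -a > dump.txt` and call `audit_sysctl dump.txt`. One caveat on the baseline: once `kernel.modules_disabled` is set to 1 it cannot be set back to 0 without a reboot, so it belongs late in the boot sequence, after every module the machine needs has been loaded.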

Step 4: Kernel modules

There are at least two ways to manage kernel modules in Linux. The older way is the set of commands built around insmod.

Here we use one of those commands, lsmod, to list the modules loaded into the kernel.

lsmod

We can load (insert) a module with insmod and remove it with rmmod.

Step 5: modprobe

Newer Linux distributions provide the modprobe command to manage LKMs. To see which modules are available for our kernel (the old -l switch of modprobe has been removed), we can type:

ls -R /lib/modules/$(uname -r)/kernel
or
cd /lib/modules/$(uname -r); find kernel

To remove a module, simply use modprobe with the -r switch followed by the module name:

modprobe -r <module_name>

One of the main benefits of modprobe is that it understands the dependencies, options, and install/remove procedures of our kernel modules.

To view the configuration files of the installed modules, we list the contents of the /etc/modprobe.d directory.

ls -l /etc/modprobe.d/

Remember, LKMs exist for the convenience of Linux users and administrators, but they are also a significant weak point in Linux security, and a professional hacker should be familiar with them.

As I said before, LKMs can be a great tool for getting a rootkit into the kernel!
