Hack Like a Pro: Linux Basics for the Aspiring Hacker, Part 12 (Loadable Kernel Modules)

Welcome back, my budding hackers!

In my continuing series on Linux basics for aspiring hackers, I now want to address loadable kernel modules (LKMs), which are key to the Linux administrator because they provide the capability to add functionality to the kernel without recompiling it. Things like video and other device drivers can now be added to the kernel without shutting down the system, recompiling, and rebooting.

Loadable kernel modules are critical to the hacker because, if we can get the Linux admin to load a new module into their kernel, we not only own their system but, since we are now at the kernel level of their operating system, we can even control what their system reports to them in terms of processes, ports, services, hard drive space, etc.

So, if we can offer the Linux user/admin a "new and improved" video driver with our rootkit embedded in it, we can take control of his system and kernel. This is the way some of the most insidious rootkits take advantage of the Linux OS.

So, I hope it's clear that understanding LKMs is key to being an effective Linux admin and being a VERY effective and stealthy hacker.

Step 1: What Is a Kernel Module?

The kernel is a core component of any Linux operating system, including our BackTrack System. The kernel is the central nervous system of our operating system, controlling everything an operating system does, including managing the interactions between the hardware components and starting the necessary services. The kernel operates between user applications and the hardware such as the CPU, memory, the hard drive, etc.

As the kernel manages all that is taking place with the operating system, sometimes it needs updates. These updates might include new device drivers (such as video card or USB devices), file system drivers, and even system extensions. This is where LKMs come in. We can now simply load and unload kernel modules as we need them without recompiling the kernel.

Step 2: Checking the Kernel

The first thing we want to do is check to see what kernel our system is running. There are at least two ways to do this. We can type:

  • uname -a

Note that uname tells us not only the kernel build (2.6.39.4), but also the architecture it is built for (x86_64). We can also get this info by "catting" the /proc/version file, which actually gives up even more info.

  • cat /proc/version

Step 3: Kernel Tuning with Sysctl

Sometimes, a Linux admin will want to "tune" the kernel. This might include changing memory allocations, enabling networking features, and even hardening the kernel against hackers.

With modern Linux kernels, we have the sysctl command to tune kernel options. All changes you make with sysctl remain in effect only until you reboot the system. To make any changes permanent, the configuration file for sysctl, /etc/sysctl.conf, must be edited.

Be careful in using sysctl because, without the proper knowledge and experience, you can easily make your system unbootable and unusable. Let's take a look at the current kernel settings that sysctl exposes.

  • sysctl -a |less

To view the configuration file for sysctl, we can get it at /etc/sysctl.conf.

  • less /etc/sysctl.conf

One of the ways we may want to use sysctl for hacking is to enable IP forwarding (net.ipv4.conf.default.forwarding) for man-in-the-middle attacks. From a hardening perspective, we can disable responses to ICMP echo requests (net.ipv4.icmp_echo_ignore_all) to make it more difficult, but not impossible, for hackers to find our system.
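An added example of my own (not from the tutorial) showing how the dotted sysctl keys in this step map onto files under /proc/sys, and a small audit that reports whether the two settings discussed here are in their hardened state. The function names and the "hardened" values (forwarding off, ICMP echo ignored) are my choices; nothing is written to the running kernel.

```shell
#!/bin/sh
# Added example: sysctl keys vs. /proc/sys files, plus a read-only hardening audit.

# sysctl_path KEY: the /proc/sys file behind a dotted sysctl key.
# sysctl(8) accepts both '.' and '/' as separators, so a plain substitution
# is enough for the keys used here. Caveat: a key whose component itself
# contains a dot (e.g. an interface named eth0.100 under net.ipv4.conf)
# must be written with '/' separators instead, which this helper does not handle.
sysctl_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')"
}

# sysctl_read KEY: current value, or "absent" when this kernel has no such
# key (or /proc is not mounted, as in some containers and test sandboxes).
sysctl_read() {
    _f=$(sysctl_path "$1")
    if [ -r "$_f" ]; then cat "$_f"; else echo absent; fi
}

# sysctl_verdict KEY WANT: "ok" when the live value equals the hardened value
# WANT, "weak" when it differs, "absent" when the key could not be read.
sysctl_verdict() {
    _v=$(sysctl_read "$1")
    if [ "$_v" = absent ]; then echo absent
    elif [ "$_v" = "$2" ]; then echo ok
    else echo weak; fi
}

# audit_hardening: one line per key from this step with its verdict.
# To make the hardened values survive a reboot, add them to /etc/sysctl.conf
# as "key = value" lines; `sysctl -p` reloads that file without rebooting.
audit_hardening() {
    for _pair in net.ipv4.conf.default.forwarding=0 net.ipv4.icmp_echo_ignore_all=1; do
        _k=${_pair%%=*}
        _want=${_pair#*=}
        printf '%-40s %s\n' "$_k" "$(sysctl_verdict "$_k" "$_want")"
    done
}

audit_hardening
```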

Step 4: Kernel Modules

Linux gives us at least two ways to manage kernel modules. The older way is to use a group of commands built around the insmod command. Here we use one of those—lsmod—to list the modules currently loaded in the kernel.

  • lsmod

We can load or insert a module with insmod and remove a module with rmmod.

Step 5: Modprobe

Most newer distributions of Linux, including our BackTrack 5v3, have converted to the modprobe command for LKM management. To see what modules are installed in our kernel, we can type:

  • modprobe -l

To remove a module, we simply use the -r switch with modprobe, followed by the module's name.

  • modprobe -r

A major advantage of modprobe is that it understands the dependencies, options, and installation and removal procedures for our kernel modules.

To see configuration files for the installed modules, we list the contents of the /etc/modprobe.d/ directory.

  • ls -l /etc/modprobe.d/
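To make the dependency handling of Steps 4 and 5 concrete, here is an added example of my own (not code from the tutorial): it walks a constructed lsmod listing and computes the order in which modules have to be unloaded, which is the bookkeeping modprobe -r does for you and rmmod leaves to you. The sample listing and the function names are my own.

```shell
#!/bin/sh
# Added example: derive an unload order from lsmod's "Used by" column.
# In lsmod output, "Used by" names the modules that hold a reference to the
# module on that line, so they must be removed before it can be removed.

# Constructed lsmod output for illustration (not captured from a real box).
LSMOD_SAMPLE='Module                  Size  Used by
nf_conntrack_ipv4      16384  2
nf_conntrack          114688  1 nf_conntrack_ipv4
libcrc32c              16384  1 nf_conntrack
crc32c_generic         16384  0'

# users_of MODULE: the modules listed in MODULE's "Used by" column, one per
# line. The 4th field is a comma-separated list; it is empty when the
# reference count is 0 or the references come from non-module users.
users_of() {
    printf '%s\n' "$LSMOD_SAMPLE" | awk -v m="$1" '$1 == m { gsub(",", " ", $4); print $4 }'
}

# removal_order MODULE: post-order walk of the reverse-dependency tree, so
# every user is printed before the module it uses. A module reachable by two
# paths (a diamond) is printed twice here; the wrapper below de-duplicates.
removal_order() {
    for _u in $(users_of "$1"); do
        removal_order "$_u"
    done
    printf '%s\n' "$1"
}

# unload_plan MODULE: the de-duplicated, space-separated unload order.
unload_plan() {
    removal_order "$1" | awk '!seen[$0]++' | tr '\n' ' ' | sed 's/ $//'
}

# Demo: unloading libcrc32c first requires nf_conntrack_ipv4, then nf_conntrack.
unload_plan libcrc32c
```

On kmod-based systems `modprobe -l` no longer exists; `find /lib/modules/$(uname -r)/kernel -name '*.ko*'` lists the modules available to load, while lsmod shows only those currently loaded.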

Remember, LKMs are a convenience to a Linux user/admin, but they are also a major security weakness of Linux and one the professional hacker should be familiar with. As I said before, the LKM can be the perfect vehicle to get your rootkit into the kernel and wreak havoc!

Penguin image via Shutterstock

30 Comments

Thnx Again!

I'm enjoying all this! :D

At the start of Step 5, there is no space typed between
'modprobe'
and
'-l'
Which is necessary when I attempt the command.

Thanks for your great Linux Tutos, it's a nice discovery for me.

But having tried the MITM before, I thought that the value 1 should be set in /proc/sys/net/ipv4/ipforward. Here you said net.ipv4.conf.default.forwarding in the sysctl.conf file. Is that the same? Or which is more efficient? I'm a little confused about the relations inside the Linux system. Thanks for your explanations.

Like anything, there is more than one way to get it done.

I'm using Kali Linux and when I type modprobe-l, I get an error message saying "bash: probmode-l :command not found". Any help is appreciated.

-l is an argument
Modprobe [space] -l

But when I type modprobe -l with the space it returns:
modprobe: invalid option -- 'l'

Is there a replacement for -l? I'm a newbie to Linux, so an explanation is really appreciated.

Ah, I found a solution, which is ls -R /lib/modules/$( uname -r )/kernel

# modprobe -l
modprobe: invalid option -- 'l'

Help.. it said invalid option after I typed modprobe -l.
How to solve this problem? I'm using KALI LINUX and not bt5r3..

lsmod #LiSt all MODules

Sir, I didn't know the best place to ask this question so I tried here... I've surely been hacked. My file system is in vfat, and there is a squash partition. My hard disk is filling up quickly... I'm reading online and trying to see if I can do something... but any quick advice will be very much appreciated... I see the vfat and squash partition only if I attach a live CD... else they are hidden... I'm running Ubuntu 15.

Rebuild your OS. Format your drive and rebuild your OS.

Hi OTW, nice tutorial I must confess.
Please, how do you enable and disable in step 3?

Did, but nothing... it was one of the best hacks I've ever seen... not a bootlogger but better... straight in the BIOS!!! And my PC company.. Lenovo... has no update yet... maybe I just have to throw this nice PC in the toilet!!! Cleaned everything with gparted and that thing running Solaris was just waiting for me to come back... hahaha.. damn it..

Why not just update or replace the BIOS?

Is there a way I can protect the BIOS from malware? I was running Ubuntu...

Like I said, Lenovo still has to bring out an update, since 2013 :/

Superfish Lenovo? They dumped a bunch of patches late last year and early this year. One wasn't a firmware/BIOS update?

My Lenovo is the IDEAPAD U310... there is nothing new... I already have the latest BIOS... and I'm infected...

OTW... did you say replacing the BIOS? You mean I can change the BIOS and place another one there other than the one specified by Lenovo for this particular model? Is that possible?

MASTER OTW... sorry for the bother.. I know I'm becoming a nuisance...
One last question...
Running fdisk -l I get this output..

Device Boot Start End Sectors Size Id Type
/dev/sdb1 2048 542597119 542595072 258,7G 83 Linux
/dev/sdb2 569221120 976773119 407552000 194,3G 83 Linux
/dev/sdb3 544645120 567173119 22528000 10,8G 82 Linux swap / Solaris
/dev/sdb4 542599166 544645119 2045954 999M 5 Extended
/dev/sdb5 542599168 544645119 2045952 999M 83 Linux

Looking at /dev/sdb3.. my swap... it shows swap/Solaris. Is that normal? I've never even downloaded Solaris before.... What is your say, MASTER?

And thanks for your precious time and patience with me.

Thank you so much! OTW.

Why do I get an error that says "modprobe: invalid option -- 'l'" when I try the command "modprobe -l"?

-l is not a valid option for modprobe nowadays.

Try

$ cd /lib/modules/$(uname -r); find kernel

Thank you for your reply, I will use lsmod to list them.

Note that lsmod lists the currently loaded modules. modprobe -l, and the alternative I posted above, list all the available modules for your system: the ones currently loaded and the ones you can load.
