National Cyber Warfare Foundation (NCWF)

Linux Basics for Hackers, Part 10: Loadable Kernel Modules (LKM)


2026-04-16 13:42:22
milo
Red Team (CNA)

Welcome back, aspiring cyberwarriors!





In this continuing series on Linux Basics for Hackers, I now want to address Loadable Kernel Modules (LKMs). LKMs are critical to the Linux administrator, as they enable them to add functionality to the kernel without recompiling it. Things like video and other device drivers can be added to the running Linux kernel without shutting down the system, recompiling, and rebooting.





Loadable kernel modules are critical to the hacker because if we can get the Linux admin to load our module into their kernel, we not only own their system; because our code now runs at the kernel level, we can also control what the system reports to them about processes, ports, services, disk space, and so on.





So, if we can offer the Linux user/admin a “new and improved” video driver with our rootkit embedded, we can take control of their system and kernel. This is how some of the most insidious rootkits exploit the Linux OS.





So, I hope it’s clear that understanding LKMs is key to being an effective Linux admin and a VERY effective, stealthy hacker.





Step 1: What Is a Kernel Module?





The kernel is a core component of any Linux operating system, including our Kali Linux. The kernel is the central nervous system of our operating system, controlling everything it does, including managing interactions with hardware components and starting necessary services. The kernel operates between user applications and the hardware, such as the CPU, memory, and the hard drive.





Because the kernel manages everything in the operating system, it regularly needs new code: drivers for new devices (such as video cards or USB peripherals), file system drivers, and other extensions. This is where LKMs come in. A module is compiled separately against the headers of the running kernel and can be loaded and unloaded as needed without recompiling the kernel itself; the kernel also loads modules on demand when a device or file system that needs one appears.





Step 2: Checking the Kernel





The first thing we want to do is check which kernel our system is running. There are at least two ways to do this. We can enter:





kali > uname -a









Note that the kernel reports its release (6.12.25 here) and the architecture it was built for (x86_64). If you need only the release string, uname -r prints it alone; this matters because a module must be built for the exact kernel it is loaded into, and the system keeps each kernel's modules under /lib/modules/<release>/. We can also get this info by "catting" the /proc/version file, which gives up even more, including the compiler that built the kernel.





kali > cat /proc/version









Step 3: Kernel Tuning with sysctl





Sometimes, a Linux admin will want to “tune” the kernel. This might include changing memory allocations, enabling networking features, and even hardening the kernel from hackers.





With modern Linux kernels, we have the sysctl command to read and set kernel parameters, which the kernel exposes as files under /proc/sys/. Changes made with sysctl -w (or by writing to /proc/sys) take effect immediately but last only until the next reboot. To make a change permanent, add it to /etc/sysctl.conf or to a file in /etc/sysctl.d/; those files are applied at boot, and sysctl --system reloads them on a running system.





Be careful when using sysctl, as without proper knowledge and experience, you can easily make your system unbootable and unusable. Let's take a look at every parameter and its current value now.





kali > sysctl -a | less









To view the sysctl configuration file, open /etc/sysctl.conf.





kali > less /etc/sysctl.conf









One way to use sysctl for hacking is to enable IP forwarding (net.ipv4.ip_forward=1) so that traffic we intercept in a man-in-the-middle attack is passed on to its real destination instead of being dropped. From a hardening perspective, we can set net.ipv4.icmp_echo_ignore_all=1 so the kernel ignores ICMP echo requests, which makes it more difficult, but not impossible, for hackers to find our system with a ping sweep. For this chapter's topic the most relevant parameter is kernel.modules_disabled: once set to 1, the kernel refuses to load or unload any module until the next reboot, and the value cannot be set back to 0.
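The settings just mentioned, as an added example that is not part of the original article: a POSIX shell script that audits a "sysctl -a" style dump against a small baseline and emits that baseline in sysctl.conf syntax for a drop-in file. The baseline values, the drop-in path /etc/sysctl.d/90-hardening.conf and the script name are assumptions chosen to illustrate the text. Remember that kernel.modules_disabled=1 is one-way, so every module the host needs must be loaded before the drop-in is applied.

```sh
#!/bin/sh
# Added example (not from the original article): audit a sysctl dump
# against a small hardening baseline. It reads "key = value" lines in
# the format "sysctl -a" prints, taken from a file so that a saved dump
# from another host can be checked the same way as the live kernel.
#
# The baseline values are assumptions chosen to illustrate the text:
# forwarding off (an attacker flips it on for man-in-the-middle),
# echo requests ignored, and further module loading disabled, plus
# two common information-leak restrictions.
BASELINE='net.ipv4.ip_forward=0
net.ipv4.icmp_echo_ignore_all=1
kernel.modules_disabled=1
kernel.kptr_restrict=2
kernel.dmesg_restrict=1'

# Print the value of one key from a sysctl dump, or nothing if absent.
sysctl_value() {
    # $1: key, $2: dump file in "key = value" format
    awk -v k="$1" -F ' = ' '$1 == k { print $2; exit }' "$2"
}

# Print one line per baseline key whose value in the dump differs:
# "<key> current=<value|unset> expected=<value>". Empty output means
# the dump matches the baseline.
audit_sysctl() {
    # $1: dump file
    printf '%s\n' "$BASELINE" | while IFS='=' read -r key want; do
        have=$(sysctl_value "$key" "$1")
        if [ "$have" != "$want" ]; then
            printf '%s current=%s expected=%s\n' "$key" "${have:-unset}" "$want"
        fi
    done
}

# Exit status 0 when the dump matches the baseline, 1 otherwise.
audit_ok() {
    [ -z "$(audit_sysctl "$1")" ]
}

# Emit the baseline in sysctl.conf syntax ("key = value"), suitable for
# redirecting into a drop-in such as /etc/sysctl.d/90-hardening.conf
# (assumed path) and applying with "sysctl --system".
baseline_conf() {
    printf '%s\n' "$BASELINE" | sed 's/=/ = /'
}

# Usage: "sh sysctl_audit.sh --live" audits the running kernel;
# "sh sysctl_audit.sh --conf" prints the drop-in. (Script name assumed.)
case "${1:-}" in
    --live) dump=$(mktemp); sysctl -a 2>/dev/null > "$dump"
            audit_sysctl "$dump"; rm -f "$dump" ;;
    --conf) baseline_conf ;;
esac
```

Reading the dump from a file rather than calling sysctl inside the functions keeps the comparison identical for a live host and for a dump collected during an incident, and lets the check run without root.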





Step 4: Kernel Modules





Linux provides at least two ways to manage kernel modules. The older way is a group of commands built around insmod. Here we use one of them, lsmod, to list the currently loaded modules; it reads /proc/modules, which reports each module's name, size, use count, and the modules that depend on it.





kali > lsmod









We can load a module with insmod and remove it with rmmod. insmod takes the path to a compiled module file (a .ko) and loads exactly that file; it does not resolve dependencies, so a module that needs another one must be loaded after it by hand.





Step 5: Modprobe





Most newer Linux distributions, including our Kali Linux (built on Debian), have adopted the modprobe command for LKM management. To add a module to our kernel, we give modprobe the module's name (the -a switch accepts several names at once):





kali > modprobe -a <module_name>





To remove a module, use the -r switch with modprobe, followed by the module’s name.





kali > modprobe -r <module_name>





A major advantage of modprobe is that it understands dependencies, options, and installation and removal procedures for our kernel modules. It looks modules up by name under /lib/modules/$(uname -r)/, using the dependency map (modules.dep) that depmod generates, and loads whatever a module needs before the module itself.





Module configuration lives in the /etc/modprobe.d/ directory. Files there can set module options, define aliases, and blacklist modules. Note that a blacklist line only stops the kernel from loading a module automatically by alias; hardening guides therefore pair it with an install <module> /bin/false line, which makes an explicit modprobe of that module fail as well.





kali > ls -l /etc/modprobe.d/
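A check a defender would run against the rootkit scenario this article describes, as an added example rather than code from the original page: a rootkit that unlinks itself from the kernel's module list disappears from lsmod (which reads /proc/modules), but the entry it registered under /sys/module/ usually stays behind, and only runtime-loaded modules carry an initstate file there (built-in code such as printk appears under /sys/module with parameters only). The script diffs the two views. The file paths default to the live ones; the argument form, the script name and the constructed sample data in the comments are assumptions. A clean result is not proof of absence: a rootkit that also removes its sysfs entry, or that hooks the reads themselves, passes this check.

```sh
#!/bin/sh
# Added example (not from the original article): detect a module that
# hides from lsmod. lsmod reads /proc/modules; a rootkit that unlinks
# itself from the kernel's module list vanishes there, but the entry it
# registered under /sys/module/<name>/ usually remains. Only modules
# loaded at runtime have an "initstate" file in that directory, which
# keeps built-in code (printk, rcupdate, ...) out of the comparison.

# Names listed in a /proc/modules-style file (first field of each line,
# e.g. "e1000 139264 0 - Live 0x0000000000000000").
listed_modules() {
    # $1: path to a /proc/modules-style file
    awk '{ print $1 }' "$1" | sort -u
}

# Names of runtime-loaded modules according to sysfs: every directory
# under the given root that carries an initstate file.
sysfs_loaded_modules() {
    # $1: path to a /sys/module-style directory
    for d in "$1"/*/; do
        [ -e "${d}initstate" ] || continue
        basename "$d"
    done | sort -u
}

# Print modules present in sysfs but missing from the module list,
# one name per line. Empty output means nothing is hidden from lsmod
# (a rootkit that also scrubs sysfs, or hooks these reads, still passes).
hidden_modules() {
    # $1: module list file (default /proc/modules)
    # $2: sysfs module directory (default /sys/module)
    proc_file="${1:-/proc/modules}"
    sysfs_root="${2:-/sys/module}"
    listed=$(mktemp)
    listed_modules "$proc_file" > "$listed"
    # comm -13 keeps lines that appear only in the second input (sysfs).
    sysfs_loaded_modules "$sysfs_root" | comm -13 "$listed" -
    rm -f "$listed"
}

# Usage: "sudo sh lkm_check.sh --live" runs against the running kernel.
# (Script name assumed.) Sourcing the file exposes the functions only.
if [ "${1:-}" = "--live" ]; then
    hidden_modules
fi
```

Both inputs are sorted with the same sort before comm compares them, and both default to the live kernel, so the same functions serve for a quick triage on a suspect host and for unit-testing the logic against a copied /proc/modules and a snapshot of /sys/module.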









Summary





LKMs are a convenience for Linux users and admins, but they are also a major security weakness of Linux, one that professional hackers should be familiar with. As I said before, an LKM can be the perfect vehicle for getting your rootkit into the kernel and wreaking havoc! Keep the prerequisites in mind, though: loading a module requires root (CAP_SYS_MODULE), a kernel built to enforce module signatures rejects unsigned code, and kernel.modules_disabled=1 shuts the door entirely until the next reboot.





For more information on using Linux for hacking, check out the book “Linux Basics for Hackers” on Amazon or visit our training center.







Source: HackersArise
Source Link: https://hackers-arise.com/linux-basics-for-hackers-part-10-loadable-kernel-modules-lkm-2/





Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.