Hacking Unix and Unix Security - PowerPoint PPT Presentation

Description: File and print sharing: Legion by the Rhino9 group, provides the ability to scan ... Chances are high that a system using this will also have file sharing turned on.
Slides: 30
Provided by: roberto2

Transcript and Presenter's Notes

1
Hacking Unix and Unix Security
  • Lesson 11

2
Let's talk about Unix and Security
  • Passwords
  • Originally passwords were kept in /etc/passwd, which is world
    readable because numerous programs need access to the
    information contained in it (more than just the password:
    UID, GID, preferred shell, etc.)
  • Passwords are stored in the file as a one-way hash, so
    you can't decrypt them.
  • Cracking is accomplished by hashing candidate words until
    one produces the same hash as your password hash; that
    word is your password.
  • Since having /etc/passwd world readable makes it
    easier for folks to grab password file to crack,
    systems generally now utilize a shadow file in a
    location such as /etc/shadow
  • Change password with passwd command
  • Unless NIS is being used, then use yppasswd

3
Users, Groups, and the Superuser
  • Some common users you may find in the /etc/passwd
    file:
  • root: the superuser
  • daemon or sys: associated with some utility
    systems on some versions of Unix
  • guest: used for site visitors
  • ftp: used for anonymous ftp access
  • uucp: manages the UUCP system (unix to unix copy
    program)
  • lp: used for the printer system
  • nobody: a user that owns no files and is
    sometimes used as a default user for unprivileged
    operations.

4
Users, groups, superuser
  • User Identifiers (UIDs)
  • A mapping between the username and the UID is
    kept in the /etc/passwd file.
  • The OS actually uses the UID for identifying a
    user and his/her processes. The username is just
    a convenience for the human user.
  • If two users are assigned the same UID, as far as
    Unix is concerned they are the same user.
  • Generally considered a bad idea

5
Users, groups, superuser
  • Every Unix user belongs to one or more groups.
  • Groups have both a groupname and group
    identification number (GID).
  • Each user belongs to a primary group. This GID
    is stored in their entry in the /etc/passwd file.
  • Groups provide a handy mechanism to handle
    several users in a specified way.
  • Groups can be used to restrict access to
    sensitive information or specific programs.
  • /etc/group file contains the list of groups with
    their names, GID, and list of users in the group.
  • The wheel group on some systems is group 0: the
    sysadmins
  • Users listed in groups in this file are in
    addition to their primary group found in the
    /etc/passwd file

6
Users, groups, superuser
  • The superuser has a UID of 0 and is usually
    called root.
  • The superuser can exercise almost complete
    control over the system.
  • It is generally a good idea NOT to have the sysadmin log in
    as root. Create another account so that if a mistake
    is made you don't trash the system.
  • Security checks are turned off for the superuser.
  • Thus, remote login as root is considered a bad
    thing and should not be allowed.
  • Sysadmins should log in using their own account
    and su to root. This makes tracking who is using the
    root account easier.
  • su: substitute user
  • You can restrict login of root to specific
    terminals on some versions of UNIX. Thus, you
    will need to have two passwords to be able to
    gain root access.
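The account and group rules of slides 2 through 6 (one UID per user, UID 0 is the superuser whoever the name is, hashes belong in the shadow file, group 0 is the sysadmins) can be turned into a check an administrator runs. The script below is an added example, not part of the slides: it reads a passwd file and a group file in the standard colon-separated format and reports UID 0 accounts, duplicate UIDs, password fields that are empty or still hold a hash instead of the shadow marker, and the members of group 0. The two sample files, and the hash placeholder in them, are constructed here; on a real host pass /etc/passwd and /etc/group to the functions.

```shell
#!/bin/sh
# Added account audit (not from the slides). The input files are constructed
# samples written to a temporary directory so the script runs offline.

SAMPLE_DIR=$(mktemp -d)
PASSWD_FILE="$SAMPLE_DIR/passwd"
GROUP_FILE="$SAMPLE_DIR/group"

# Constructed /etc/passwd: a second UID-0 account, two users sharing UID 1000,
# an empty password field, and one account whose hash never moved to shadow.
# The hash string is a made-up placeholder, not a real digest.
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:backup root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
fred:x:1000:1000:Fred:/home/fred:/bin/sh
bob:x:1000:1001:Bob:/home/bob:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
legacy:$1$PLACEHOLDER$notarealhash:1003:1003::/home/legacy:/bin/sh
EOF

# Constructed /etc/group: wheel is GID 0 here, as on the systems the slides mention.
cat > "$GROUP_FILE" <<'EOF'
wheel:x:0:root,fred
daemon:x:1:
fred:x:1000:
bob:x:1001:
EOF

# All accounts whose UID is 0: every one of them is the superuser.
uid0_accounts() {
    awk -F: '$3 == 0 { printf "%s%s", sep, $1; sep = " " } END { print "" }' "$1"
}

# UIDs used by more than one account; Unix treats such accounts as one user.
duplicate_uids() {
    awk -F: '{ count[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "$1" |
        sort -t: -k1,1n
}

# Password fields that are empty (no password at all) or that still contain a
# hash in the world-readable file instead of the "x" marker pointing to shadow.
weak_password_fields() {
    awk -F: '$2 == "" { print $1 ": empty password field" }
             $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ {
                 print $1 ": hash stored in passwd, not in shadow" }' "$1"
}

# Supplementary members of GID 0 (wheel or root group) from the group file.
group0_members() {
    awk -F: '$3 == 0 { print $4 }' "$1"
}

echo "UID 0 accounts:       $(uid0_accounts "$PASSWD_FILE")"
echo "Duplicate UIDs:";       duplicate_uids "$PASSWD_FILE"
echo "Weak password fields:"; weak_password_fields "$PASSWD_FILE"
echo "Members of group 0:   $(group0_members "$GROUP_FILE")"
```

Each function takes the file as its only argument, so the same checks run unchanged against the real files; the duplicate-UID check is the one that most often turns up surprises, because two names sharing a UID are one user as far as the kernel is concerned.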

7
Log files
  • Different versions of Unix store messages in
    different files.
  • /etc/syslog.conf on Linux identifies where
    log messages will go.
  • /var/adm/messages: a possible place messages may
    be found
  • May also be in /var/log/messages
  • /var/adm/sulog: another possibility, used to log
    su attempts
  • /var/log/secure

8
inodes
  • Unix uses a system called inodes (index nodes) to
    implement the file system. Each inode contains:
  • Location of the item's contents on the disk
  • Pointers to the locations where the file is stored;
    indirect blocks are used for larger files
  • The item's type
  • The item's size
  • The time the inode was last modified
  • The time the file's contents were last modified
  • The time the file was last accessed
  • A reference count (the number of names the file
    has)
  • The file's owner (UID)
  • The file's group (GID)
  • The file's mode bits (file permissions or
    permission bits)

9
The ls command
  ls -lF
  total 161
  -rw-r--r--  1 fred  user         505 Feb  9 12:10 file1
  -rw-rw-r--  1 fred  marketing   1234 Feb 10 13:20 client_lst
  -rwx--x---  1 fred  user      223433 Jan 29 09:17 stats*
  • -: the file's type. For regular files this field
    is always a dash
  • rw-r--r--: the file's permissions
  • 1: the number of hard links to the file (the
    number of names for the file)
  • fred: the name of the file's owner
  • user: the name of the file's group
  • 505: the file's size in bytes
  • Feb 9 12:10: the file's modification time
  • file1: the file's name

10
The ls command with the -F option
  ls -lF
  total 161
  -rw-r--r--  1 fred  user         505 Feb  9 12:10 file1
  -rw-rw-r--  1 fred  marketing   1234 Feb 10 13:20 client_lst
  -rwx--x---  1 fred  user      223433 Jan 29 09:17 stats*
  • The -F option for the ls command prints a special
    character after the filename to indicate what
    type of file it is.
  • If blank then regular file or named pipe (FIFO)
  • If * then executable program or command file
  • If / then a directory
  • If = then a socket
  • Socket used for interprocess communication by
    generalizing file I/O
  • If @ then a symbolic link

11
Understanding File permissions
  ls -lF
  total 161
  -rw-r--r--  1 fred  user         505 Feb  9 12:10 file1
  -rw-rw-r--  1 fred  marketing   1234 Feb 10 13:20 client_lst
  -rwx--x---  1 fred  user      223433 Jan 29 09:17 stats*
  drwxr-xr-x  1 fred  user         512 Feb  1 10:11 saved/
  • The first character of the file's mode field
    indicates the type of file.
  • If - then it's just a plain old ordinary file
  • If d then it's a directory
  • If c then it's a character device (tty or
    printer)
  • If b then it's a block device (usually disk or
    CD-ROM)
  • If l then it's a symbolic link (BSD or V.4)
  • If s then it's a socket (BSD or V.4)
  • If p then it's a FIFO pipe (System V, Linux)

12
Understanding File permissions
  ls -lF
  total 161
  -rw-r--r--  1 fred  user         505 Feb  9 12:10 file1
  -rw-rw-r--  1 fred  marketing   1234 Feb 10 13:20 client_lst
  -rwx--x---  1 fred  user      223433 Jan 29 09:17 stats*
  drwxr-xr-x  1 fred  user         512 Feb  1 10:11 saved/
  • The next nine characters, taken in groups of
    three, indicate who on your computer can do what
    with the file. There are three permissions:
  • r: permission to read
  • w: permission to write
  • x: permission to execute
  • The three groups represent the different classes
    of individuals, taken from the left in groups of
    three:
  • Owner
  • Group: users who are in the file's group
  • World (other): everybody else on the system

13
Changing permissions
  ls -lF
  total 161
  -rw-r--r--  1 fred  user         505 Feb  9 12:10 file1
  -rw-rw-r--  1 fred  marketing   1234 Feb 10 13:20 client_lst
  -rwx--x---  1 fred  user      223433 Jan 29 09:17 stats*
  drwxr-xr-x  1 fred  user         512 Feb  1 10:11 saved/
  • The chmod command is used to change a file's
    permissions
  • chmod [-Rfh] [agou][+-=][rwxXstugol] filelist
  • Changes the permissions of filelist, which can be
    either a single file or a group of files
  • agou specifies whose privileges are being
    modified; can have none, one, or more
  • a: modify privileges for all users
  • g: modify group privileges
  • o: modify others' privileges
  • u: modify the owner's privileges
  • +-= specifies what is to be done with the
    privileges
  • + adds to the current privileges, - removes from the
    current privileges, = replaces the current privileges
  • rwxXstugol specifies which privilege is to be
    adjusted (some are Unix variant specific)
  • r is for read access
  • w is for write access
  • x is for execute access
  • s is for SUID or SGID
  • t is for the sticky bit
  • -Rfh depends on the variant:
  • R for recursive if filelist is a directory, f to
    suppress error messages, h to not perform the
    operation on links

14
Changing permissions
  ls -lF
  total 161
  -rw-r--r--  1 fred  user         505 Feb  9 12:10 file1
  -rw-rw-r--  1 fred  marketing   1234 Feb 10 13:20 client_lst
  -rwx--x---  1 fred  user      223433 Jan 29 09:17 stats*
  drwxr-xr-x  1 fred  user         512 Feb  1 10:11 saved/
  • Some examples
  • chmod o-r client_lst   /* removes ability for
    others to read client_lst */
  • chmod g+w file1        /* adds ability for group to
    write to file1 */
  • Can also use octal representation
  • chmod 711 stats        /* gives everybody execute,
    owner also rw */
  • 7 = 111, thus rwx
  • 1 = 001, thus just x

15
The umask
  • Short for user file-creation mode mask
  • A four-digit octal number that UNIX uses to
    determine the file permissions for newly created
    files.
  • Every process has its own umask, inherited from
    its parent process.
  • Specifies the permissions you do NOT want given
    by default to newly created files and
    directories.
  • Normally set in your .login, .cshrc, or .profile
    files.
  • e.g. umask 033   /* would turn off wx for folks in
    group and others */
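The symbolic mode string that ls prints, the octal number chmod takes, and the umask that shapes a new file's permissions are three views of the same nine (plus three special) bits. The shell functions below are an added example, not code from the slides, that convert between them: a mode string such as -rwx--x--- becomes 0710, the SUID/SGID/sticky bits become the leading digit, and apply_umask computes what a given umask leaves on a new file (base 666) or directory (base 777). The function names are my own and not standard commands; the scratch file is created with mktemp.

```shell
#!/bin/sh
# Added example (not from the slides): symbolic <-> octal mode conversion and
# umask arithmetic. Function names are my own, not standard commands.

# Octal digit for one rwx triple. A lowercase s or t in the execute position
# still means the execute bit is set; the special bits are added separately.
triple_to_digit() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??[xst]) d=$((d + 1)) ;; esac
    echo "$d"
}

# "-rwx--x---" -> "0710", "-rwsr-xr-x" -> "4755", "drwxrwxrwt" -> "1777".
# A leading file-type character (-, d, l, ...) is accepted and dropped.
symbolic_to_octal() {
    m=$1
    if [ ${#m} -eq 10 ]; then m=${m#?}; fi
    u=$(triple_to_digit "$(printf '%s' "$m" | cut -c1-3)")
    g=$(triple_to_digit "$(printf '%s' "$m" | cut -c4-6)")
    o=$(triple_to_digit "$(printf '%s' "$m" | cut -c7-9)")
    special=0
    case $m in ??[sS]*)      special=$((special + 4)) ;; esac   # SUID
    case $m in ?????[sS]*)   special=$((special + 2)) ;; esac   # SGID
    case $m in ????????[tT]) special=$((special + 1)) ;; esac   # sticky
    echo "$special$u$g$o"
}

# Mode string of a file exactly as ls -ld reports it (first ten characters).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Permissions a new file (base 666) or directory (base 777) receives under a
# umask: the mask bits are cleared from the base. umask 033 on 666 gives 644.
apply_umask() {
    base=$((0$1)); mask=$((0$2))
    printf '%03o\n' $((base & ~mask))
}

# Demonstration on a scratch file: stats starts as the listing shows it (710),
# then chmod 711 gives everyone execute, as in the slide's octal example.
DEMO_DIR=$(mktemp -d)
touch "$DEMO_DIR/stats"
chmod 710 "$DEMO_DIR/stats"
echo "before: $(mode_of "$DEMO_DIR/stats") = $(symbolic_to_octal "$(mode_of "$DEMO_DIR/stats")")"
chmod 711 "$DEMO_DIR/stats"
echo "after:  $(mode_of "$DEMO_DIR/stats") = $(symbolic_to_octal "$(mode_of "$DEMO_DIR/stats")")"
echo "umask 033: new file $(apply_umask 666 033), new directory $(apply_umask 777 033)"
```

The uppercase S and T that ls prints when a special bit is set without the underlying execute bit are deliberately not counted as execute, which is why triple_to_digit only accepts the lowercase letters.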

16
Directories and permissions
  • What do the values for rwx mean for directories?
  • r: you can use ls to find out what is in the
    directory
  • w: you can add, rename, or remove entries in the
    directory
  • x: you can determine the owners and the lengths
    of the files in the directory. You also need
    execute to make the directory your current
    working directory or to open files inside the
    directory.

17
SUID, SGID, and Sticky Bits
  • Sometimes unprivileged users must be able to
    accomplish tasks that require privileges
  • e.g. the passwd program needs to write to the password
    file, which users normally don't have write
    permission for.
  • Users can assume another UID or GID when running
    a program. A program that changes its UID is
    called a SUID program (set UID).
  • When a SUID program is run, its effective UID
    becomes that of the owner of the file rather
    than that of the user who is running it.
  • If a program is SUID or SGID, the output of the
    ls -l command will have the x in the display
    changed to an s. If the program is sticky, the
    last x changes to a t.
  • The sticky bit was originally used to speed up swapping
    for frequently used programs; now, set on a directory,
    it limits who can remove or rename files in it
  • Obvious security implications with SUID
  • If a person were to execute
  • cp /bin/sh /tmp/specfile     /* create copy of sh */
  • chmod 4755 /tmp/specfile     /* SUID, so it runs with
    your UID */
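The administrator's answer to the SUID discussion above is an inventory: know which files carry the SUID or SGID bit, make sure none of them is writable by anyone but the owner, and make sure every world-writable directory has the sticky bit so one user cannot remove another's files. The script below is an added example and not part of the slides. It builds a small constructed sandbox with mktemp (a passwd-like SUID program, a planted SUID shell copy under a tmp directory, a group-writable SUID file, and one world-writable directory without the sticky bit) and runs the three find-based checks against it; on a real host the functions are pointed at / instead.

```shell
#!/bin/sh
# Added example (not from the slides): SUID/SGID and sticky-bit audit with find.
# The directory tree is a constructed sandbox so the script never touches the
# real system. Function names are my own.

SANDBOX=$(mktemp -d)
mkdir -p "$SANDBOX/bin" "$SANDBOX/tmp" "$SANDBOX/dropbox"
touch "$SANDBOX/bin/passwd-like" "$SANDBOX/bin/plain" \
      "$SANDBOX/tmp/specfile" "$SANDBOX/dropbox/helper"
chmod 4755 "$SANDBOX/bin/passwd-like"   # SUID, as the real passwd program is
chmod 755  "$SANDBOX/bin/plain"         # ordinary executable, must not be listed
chmod 4755 "$SANDBOX/tmp/specfile"      # the planted SUID shell copy from the slide
chmod 4775 "$SANDBOX/dropbox/helper"    # SUID and group-writable: a misconfiguration
chmod 1777 "$SANDBOX/tmp"               # world-writable but sticky, like /tmp
chmod 777  "$SANDBOX/dropbox"           # world-writable, no sticky bit

# Paths of files with the SUID (4000) or SGID (2000) bit set.
# "-perm -4000" matches when all of the given bits are present.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Directories writable by everyone (0002) that lack the sticky bit (1000):
# any user can remove or rename other users' files in them.
find_unsticky_world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# SUID files that are also writable by group or others. Such a file can be
# replaced by anyone with that write access and still runs as its owner.
find_writable_setid_files() {
    find "$1" -type f -perm -4000 \( -perm -0020 -o -perm -0002 \) -print | sort
}

echo "SUID/SGID files under $SANDBOX:"
find_setid_files "$SANDBOX"
echo "World-writable directories without the sticky bit:"
find_unsticky_world_writable_dirs "$SANDBOX"
echo "SUID files writable by group or others:"
find_writable_setid_files "$SANDBOX"
```

On a live system the same find expressions are normally run with -xdev so that network and pseudo filesystems are skipped, and the output is saved so that a later run can be compared against the earlier inventory; a new SUID file that nobody installed is exactly the /tmp/specfile case from the slide.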

18
SSH
  • Secure SHell
  • Most commonly used as a secure replacement for
    telnet, rsh, rcp, and rlogin.
  • Offers secure TCP communications between any two
    systems regardless of what untrusted systems
    might be between them
  • Uses public key encryption techniques to encrypt
    each message.
  • Check www.ssh.org or www.openssh.com

19
Remote versus Local Access
  • Remote Access: gaining access via the network
    or other communication channel.
  • Local Access: having an actual command shell or
    login to the system.
  • Also known as privilege escalation attacks.
  • Attackers may (often) start with a remote access
    attempt. If successful in obtaining shell access
    then they are considered local for further
    attempts.

20
Remote Access
  • Four primary methods are used to remotely circumvent
    the security of a UNIX system:
  • Exploit a listening service
  • If it isn't listening, it can't be broken into.
  • Route through a UNIX system
  • Kernel has IP forwarding turned on (more on this
    in a later chapter)
  • User-initiated remote execution attacks
  • A hostile web site or Trojan horse email
  • Promiscuous mode attacks
  • There are ways to exploit a NIC that has been
    placed in promiscuous mode.

21
Brute Force Attacks
  • Nothing more than guessing a user ID/password
    combination on a running service that includes
    authentication. (Implies we need usernames!)
  • Common services to brute force:
  • Telnet
  • FTP
  • The R commands (rlogin, rsh, …)
  • SSH
  • SNMP community names
  • Post Office Protocol (POP) and Internet Message
    Access Protocol (IMAP)
  • HTTP
  • Several tools help with brute-forcing:
  • Brutus, brute_web.c, pwscan.pl, …
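Brute forcing of the kind described on this slide leaves a very recognisable trail in the log files from slide 7 (/var/log/secure on Linux, or sulog for su attempts): a burst of failed logins from one source against several usernames. The script below is an added example, not part of the slides, showing the detection side: it counts failed SSH password attempts per source address and per target account and flags any source above a threshold, plus failed su attempts. The log lines are constructed in the syslog format sshd and PAM write, with addresses from the 192.0.2.0/24 documentation range; on a real host the functions are run on the live log file instead.

```shell
#!/bin/sh
# Added example (not from the slides): brute-force detection over auth log
# lines. The log file is constructed here; function names are my own.

LOG_FILE=$(mktemp)
cat > "$LOG_FILE" <<'EOF'
Mar  3 09:17:01 host sshd[4021]: Failed password for invalid user admin from 192.0.2.10 port 51100 ssh2
Mar  3 09:17:02 host sshd[4021]: Failed password for invalid user admin from 192.0.2.10 port 51101 ssh2
Mar  3 09:17:03 host sshd[4023]: Failed password for root from 192.0.2.10 port 51102 ssh2
Mar  3 09:17:04 host sshd[4025]: Failed password for root from 192.0.2.10 port 51103 ssh2
Mar  3 09:17:05 host sshd[4027]: Failed password for fred from 192.0.2.10 port 51104 ssh2
Mar  3 09:18:10 host sshd[4031]: Failed password for fred from 192.0.2.44 port 40222 ssh2
Mar  3 09:18:40 host sshd[4033]: Accepted password for fred from 192.0.2.44 port 40223 ssh2
Mar  3 09:19:00 host su: pam_unix(su:auth): authentication failure; logname=fred uid=1000 euid=0 tty=pts/1 ruser=fred rhost=  user=root
EOF

# Failed SSH password attempts per source address, most active source first.
# The address is the field after the word "from" on each matching line.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") src[$(i + 1)]++ }
         END { for (s in src) print src[s], s }' "$1" | sort -k1,1nr -k2
}

# Sources at or above the threshold given as the second argument.
brute_force_sources() {
    failed_by_source "$1" | awk -v limit="$2" '$1 >= limit { print $2 }'
}

# Failed attempts against root over the network: the slides say remote root
# login should not be allowed at all, so any count here deserves a look.
failed_root_logins() {
    awk '/Failed password for root from/ { n++ } END { print n + 0 }' "$1"
}

# Failed su attempts as PAM records them (the role /var/adm/sulog plays elsewhere).
failed_su_attempts() {
    awk '/su: .*authentication failure/ { n++ } END { print n + 0 }' "$1"
}

echo "Failed SSH logins by source:"; failed_by_source "$LOG_FILE"
echo "Sources with 3 or more failures: $(brute_force_sources "$LOG_FILE" 3)"
echo "Failed root logins:  $(failed_root_logins "$LOG_FILE")"
echo "Failed su attempts:  $(failed_su_attempts "$LOG_FILE")"
```

The single failure from 192.0.2.44 followed by an accepted login is what a mistyped password looks like and stays below the threshold; the five failures in five seconds from 192.0.2.10 across three usernames, two of them root, are the pattern worth alerting on.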

22
Data Driven Attacks
  • Executed by sending data to an active service
    that causes unintended or undesirable results.
  • Buffer Overflow Attacks
  • Nov 1996 Phrack Magazine article "Smashing the
    Stack for Fun and Profit":
  • "On many C implementations it is possible to
    corrupt the execution stack by writing past the
    end of an array declared auto in a routine. Code
    that does this is said to smash the stack, and
    can cause return from the routine to jump to a
    random address."
  • A buffer overflow is the result of stuffing more
    data into a buffer than it can handle.
  • How can we place arbitrary instructions into its
    address space? The answer is to place the code
    we are trying to execute in the buffer we are
    overflowing, and overwrite the return address so
    it points back into the buffer.
  • Associated with certain commands such as
    strcpy(), strcat(), and sprintf().
  • If we find a program that has one of these in it,
    and we overflow the buffer, we may be able to
    execute a shell. If the original program was
    running as root, so will this shell!

23
Buffer overflow attacks
  • To exploit a buffer overflow (beyond simply
    crashing the program) takes quite a bit of
    sophistication.
  • Fortunately, there are others who have already
    written exploit code for us so we don't have to.
  • Exploit code for buffer overflows is very system
    specific.
  • Buffer overflows are problems at the coding level
    and the real solution is secure programming
    practices.
  • For administrators the best thing you can do is
    to ensure all appropriate patches have been
    installed.

24
Input Validation Attack
  • An input validation attack occurs when
  • A program fails to recognize syntactically
    incorrect input.
  • A module accepts extraneous input.
  • A module fails to handle missing input fields.
  • A field-value correlation error occurs.
  • An early example of this was the PHF
    vulnerability that came standard with early
    versions of the Apache web server.
  • The program did not properly parse and validate
    input it received.
  • A newline character could be sent which would
    cause subsequent commands to be executed with the
    privilege that the web server was running at.
  • Common early exploit was to cause it to execute
    cat command to print password file which gave
    user names and encrypted passwords which could
    then be cracked.

25
Gaining Shell access and other remote attacks
  • What we want to be able to do is have shell
    access.
  • Number of different techniques described in text.
  • FTP: useful, but anonymous use is frequently allowed.
  • Is the file system restricted? World-writable
    directory? (if so, watch out for .rhosts files)
  • Sendmail
  • Numerous exploits over the years, as far back as
    1988 when Morris worm exploited a vulnerability
    in sendmail as part of its capability to gain
    access to systems.
  • Numerous other possible attacks, check textbook
    for more details

26
Local Access
  • Password cracking possible if you can obtain
    password file in /etc/passwd or shadow file.
  • Number of Unix password crackers that can be run
    on both Unix and Windows platforms.
  • Buffer overflows are a problem here as well.
  • Check file and directory permissions as they may
    not have been set to be secure.
  • Number of other possibilities, again, check the
    text.

27
Rootkits
  • After gaining root, one of the first things an
    attacker will want to do is install a rootkit.
  • A rootkit generally consists of
  • Trojan programs such as altered versions of login
    and ps.
  • Backdoors
  • Sniffers
  • System log clearers
  • Some of the latest rootkits are kernel rootkits
    which modify the OS kernel.
  • A Loadable Kernel Module (LKM) allows a running
    kernel to be modified without having to compile
    it into the kernel.

28
The 7 most deadly sins from Real World Linux
Security, 2nd ed.
  • The list was created to help folks secure
    systems, for us it provides ideas to test.
  • Weak and Default Passwords
  • Open Network Ports
  • Old Software Versions
  • Insecure and Badly Configured Programs
  • Insufficient Resources and Misplaced Priorities
  • Stale and Unnecessary Accounts
  • Procrastination

29
Summary
  • What is the importance and significance of this
    material?
  • Unix has been around for a long time and versions
    of Linux have been cutting into MS dominance.
  • How does this topic fit into the subject of
    Security Risk Analysis?
  • Need to know how to attack these systems. Also
    need to know how these systems work as many tools
    are designed for Unix environment.