Date posted: 15-Jan-2016
Unix Refresher
This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis.
I have edited and added material.
Dr. Stephen C. Hayne
Linus Torvalds
He was the chief architect behind the Linux kernel. Most of the work was done while he was still an undergraduate. He completed a master’s degree in Computer Science from the University of Helsinki and now lives and works in the United States.
Unix File System Structure
Everything is treated as a file.
Tree structure: / (root) is the root of the tree.
Filenames can be up to 32 characters in length.
There is no file type designation. Hacker.txt doesn’t imply a file type of TXT.
The period “.” is part of the name.
Unix Directories
/ – root directory, contains the other subdirs
/bin, /sbin – system binaries needed to boot the system
/dev – peripheral devices, disks, tapes, CD
/etc – system configuration files, password files, network configuration information
Unix Directories
/home – user home directories
/lib – shared libraries
/mnt – temporary mount point
/proc – images of currently running processes
/tmp – temporary scratch space
/usr – more system binaries, C headers, system administration binaries
/var – log files, spool space for printers
Unix Directories
“.” – means the current directory
“..” – means a directory one level up
“...” – should not exist but is the favorite place for hackers to hide their code
“.name” – a dot in front of a filename denotes a hidden file that won’t show up with a standard ls command.
Unix Kernel & Processes
Kernel – core OS module, controls HW
Process – a running program and its memory
All running programs are processes.
Use the “ps -ef” command to examine the process list.
Kernel handles process swapping and execution.
More Process Information
PID – unique identifier for each process
“lsof” tells you what files the process has opened for use.
Unix Kernel & Processes
System processes running in the background are called daemons.
Common naming convention is the name of the service followed by a “d”: telnet is controlled by the telnetd process.
Automatic Process Startup
All processes have to be activated by the kernel or some other process
The ‘init’ daemon runs the boot startup scripts that start all system processes.
Startup scripts are in /etc/init.d, /sbin/init.d, /etc/rcX.d, /sbin/rcX.d where X=0-6
Automatic Process Startup
Run levels:
0 – halt
1 – single user mode
2 – multi-user mode, no networking
3 – multi-user mode with networking
4-5 – reserved
6 – reboot
Init, inetd
Init starts processes at boot time including network services and inetd.
Inetd listens for service requests and starts a process to handle the service.
Inetd.conf is a favorite target of hackers. They use it to install backdoors on the system.
Automatic Process Startup
Inetd is the master control process for well-known network services.
Config file is /etc/inetd.conf
Network services are listed in /etc/services
Comment character is a #, and if it’s in column 1, then the process is NOT started.
/etc/inetd.conf format
Service name – the name of the service
Socket type – stream (TCP), dgram (UDP), raw, rdm (reliably delivered message)
Protocol – tcp or udp
Wait/nowait – wait means subsequent requests must wait for the first one to finish
/etc/inetd.conf format
Username – the owner of the process
Server program – the name and location of the system daemon
Server program arguments – arguments and configuration flags that should be passed to the network service
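To make the field layout concrete, here is an added example (not code from the deck or from any inetd implementation) that parses lines in the format described above, honours the column-1 comment rule, and applies a few assumed audit checks of the kind a defender reviewing inetd.conf for backdoors would run. The sample file content is constructed; the service named "helper" is a made-up suspicious entry, and the audit rules and the SHELLS list are assumptions.

```python
"""Parse /etc/inetd.conf lines into the fields listed on the slides and flag
entries a defender would want to look at. Added example: the sample content
is constructed and the audit rules are assumptions, not part of the deck."""
from dataclasses import dataclass, field
from typing import List

# Socket types named on the slide ("seqpacket" is also accepted by many inetd implementations).
SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}
# Server programs that hand the network socket straight to a command interpreter (assumed list).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh", "/bin/zsh"}

# Constructed sample, not a real host's /etc/inetd.conf.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf -- constructed sample for this example
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
tftp    dgram   udp  wait    nobody  /usr/sbin/tcpd  in.tftpd /tftpboot
echo    stream  tcp  nowait  root    internal
helper  stream  tcp  nowait  root    /bin/sh         sh
"""


@dataclass
class InetdEntry:
    line_no: int
    enabled: bool          # False when '#' sits in column 1: inetd never starts it
    service: str           # name looked up in /etc/services
    socket_type: str       # stream (TCP), dgram (UDP), raw, rdm
    protocol: str          # tcp or udp
    wait: str              # wait / nowait
    user: str              # account the server runs as
    server: str            # path of the daemon, or the keyword "internal"
    args: List[str] = field(default_factory=list)


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Return every service line, including commented-out ones (marked disabled)."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        enabled = not raw.startswith("#")
        fields = (raw if enabled else raw[1:]).split()
        # A service line has at least the six fixed fields and a known socket type;
        # anything else (blank line, prose comment) is skipped.
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
            continue
        entries.append(InetdEntry(line_no, enabled, *fields[:6], fields[6:]))
    return entries


def audit_inetd(entries: List[InetdEntry]) -> List[str]:
    """Assumed audit rules: flag enabled services whose server program is a shell,
    is not an absolute path (and not the built-in "internal"), or has a bad wait field."""
    findings = []
    for e in entries:
        if not e.enabled:
            continue
        if e.server in SHELLS:
            findings.append(f"line {e.line_no}: {e.service} hands its socket to {e.server} as {e.user}")
        elif e.server != "internal" and not e.server.startswith("/"):
            findings.append(f"line {e.line_no}: {e.service} server program {e.server!r} is not an absolute path")
        if e.wait not in ("wait", "nowait"):
            findings.append(f"line {e.line_no}: {e.service} has invalid wait field {e.wait!r}")
    return findings


if __name__ == "__main__":
    entries = parse_inetd_conf(SAMPLE_INETD_CONF)
    for e in entries:
        state = "on " if e.enabled else "off"
        print(f"[{state}] {e.service:8} {e.socket_type:7} {e.protocol:4} {e.user:7} {e.server} {' '.join(e.args)}")
    for finding in audit_inetd(entries):
        print("FINDING:", finding)
```

Run it against a copy of a real inetd.conf by passing the file's text to parse_inetd_conf; the commented-out finger line shows up as a disabled entry rather than disappearing, which is useful when you want to see what has been switched off as well as what is on.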
/etc/passwd, /etc/shadow
/etc/passwd is the master password file for the system.
Login name – the account name
Encrypted password field – one-way encryption of the account password
UID – unique numeric identifier for the account. This is what Unix uses.
/etc/passwd, /etc/shadow
GID – group id number that identifies the group
GECOS info – commonly used to list the name of the account owner
Home directory – user home directory
Login shell – default user shell
/etc/passwd, /etc/shadow
/etc/passwd is world readable. This is what lets CRACK run on it. All you need is access to the system (login, WWW, FTP) and the ability to get a copy of the file.
/etc/shadow is the defense against the CRACK attack
/etc/passwd, /etc/shadow
/etc/shadow contains the encrypted password field and is readable by root only.
An “x” is placed as a marker in the equivalent field in /etc/passwd.
If you can read /etc/shadow, you have root and no need to crack passwords.
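The following added example (not from the deck) parses the seven /etc/passwd fields listed above and runs the checks that follow from the slides: every account's password field should be the "x" marker (or a locked marker), no account should have an empty field, only root should hold UID 0, and the shadow file should carry no group/other permission bits. The sample passwd content is constructed, the hash string on the "legacy" line is a placeholder rather than a real hash, and the audit rules are assumptions; the mode check is exercised on a scratch temporary file rather than the real /etc/shadow.

```python
"""Audit constructed /etc/passwd content against the field layout on the slides,
and check that a shadow file is not readable by group or others. Added example;
the sample entries and the audit rules are assumptions, not from the deck."""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, not a real host's /etc/passwd. The hash on the "legacy"
# line is a placeholder string, not a real password hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
legacy:$1$PLACEHOLDER$notarealhash0000000000:1001:1001:Legacy App:/home/legacy:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
"""


@dataclass
class PasswdEntry:
    login: str      # account name
    password: str   # "x" means the hash lives in /etc/shadow
    uid: int        # what Unix actually uses to identify the account
    gid: int        # primary group
    gecos: str      # usually the owner's name
    home: str       # home directory
    shell: str      # login shell


def parse_passwd(text: str) -> List[PasswdEntry]:
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries


def audit_passwd(entries: List[PasswdEntry]) -> List[str]:
    """Assumed rules: every account is shadowed ("x") or locked ("*", "!", "!!"),
    nobody has an empty password field, and only root has UID 0."""
    findings = []
    for e in entries:
        if e.password == "":
            findings.append(f"{e.login}: empty password field, no password needed to log in")
        elif e.password not in ("x", "*", "!", "!!"):
            findings.append(f"{e.login}: password hash sits in world-readable /etc/passwd (not shadowed)")
        if e.uid == 0 and e.login != "root":
            findings.append(f"{e.login}: UID 0 account other than root")
    return findings


def shadow_is_root_only(path: str) -> bool:
    """True when group and others have no permission bits at all (e.g. mode 0600).
    Some distributions ship /etc/shadow as 0640 root:shadow; that fails this stricter check."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) == 0


def demo_shadow_modes() -> Tuple[bool, bool]:
    """Create a scratch file, check it at mode 0644 and then at 0600. Returns (before, after)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        world_readable = shadow_is_root_only(path)
        os.chmod(path, 0o600)
        root_only = shadow_is_root_only(path)
    finally:
        os.unlink(path)
    return world_readable, root_only


if __name__ == "__main__":
    for finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print("FINDING:", finding)
    print("scratch file at 0644 then 0600:", demo_shadow_modes())
```

On a live system, read /etc/passwd into parse_passwd and point shadow_is_root_only at /etc/shadow; a hash in the world-readable file is exactly the condition that lets a cracker run offline, and a second UID 0 account is a classic sign that someone has already been in.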
Linux Password Cracking
Ophcrack
System Logs
/etc/syslog.conf contains the locations of the system logs. They can be remote or local.
Syslogd is the syslog daemon.
Log files include /var/log/syslog, /var/log/secure, /var/adm/messages, /var/adm/syslog.dated/current/kern.log
/etc/utmp, /etc/wtmp, /etc/lastlog
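Because syslog.conf decides whether a log line lands in a local file or on a remote host, a quick parser is the easiest way to answer "where do this facility's messages go, and does any copy leave the box?". The following is an added example (not code from the deck or from any syslogd): it reads selector/action lines of the classic syslog.conf form, applies the rule that later selectors such as mail.none override earlier ones, and classifies each action. The sample configuration and the host name loghost.example.com are constructed, and priority thresholds (info, emerg, ...) are deliberately ignored, which is an assumption that keeps the example short.

```python
"""Parse /etc/syslog.conf selector/action lines and report where each facility's
messages end up. Added example: the sample configuration is constructed, and
priority levels are ignored (only ".none" exclusions are honoured)."""
from typing import List, Tuple

# Constructed sample, not a real host's /etc/syslog.conf.
SAMPLE_SYSLOG_CONF = """\
# /etc/syslog.conf -- constructed sample for this example
*.info;mail.none;authpriv.none      /var/log/messages
authpriv.*                          /var/log/secure
mail.*                              -/var/log/maillog
kern.*                              /var/log/kern.log
*.emerg                             *
auth,authpriv.*                     @loghost.example.com
"""

# One rule = list of (facility, priority) selectors plus the action field.
Rule = Tuple[List[Tuple[str, str]], str]


def parse_syslog_conf(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector_part, action = line.split(None, 1)   # selectors, whitespace, action
        selectors = []
        for sel in selector_part.split(";"):
            facilities, priority = sel.rsplit(".", 1)  # "auth,authpriv.*" -> ("auth,authpriv", "*")
            for fac in facilities.split(","):
                selectors.append((fac, priority))
        rules.append((selectors, action.strip()))
    return rules


def classify_action(action: str) -> str:
    """Where a matching message goes, judged by the first character of the action field."""
    if action.startswith("@"):
        return "remote host"           # "@host" forwards over the network
    if action.startswith("|"):
        return "named pipe"
    if action == "*":
        return "all logged-in users"
    if action.startswith("-") or action.startswith("/"):
        return "local file"            # a leading "-" means no fsync after each write
    return "user list"                 # "root,alice" writes to those users' terminals


def rule_matches(selectors: List[Tuple[str, str]], facility: str) -> bool:
    """Later selectors override earlier ones: "*.info;mail.none" routes everything except mail."""
    matched = False
    for fac, priority in selectors:
        if fac in ("*", facility):
            matched = priority != "none"
    return matched


def destinations_for(rules: List[Rule], facility: str) -> List[str]:
    return [action for selectors, action in rules if rule_matches(selectors, facility)]


def remote_hosts(rules: List[Rule]) -> List[str]:
    """Hosts that receive a forwarded copy; "@@host" (TCP in rsyslog) is handled too."""
    return [action.lstrip("@") for _, action in rules if action.startswith("@")]


if __name__ == "__main__":
    rules = parse_syslog_conf(SAMPLE_SYSLOG_CONF)
    for fac in ("kern", "mail", "authpriv"):
        print(fac, "->", [(a, classify_action(a)) for a in destinations_for(rules, fac)])
    print("remote copies go to:", remote_hosts(rules))
```

The practical use is the remote_hosts check: an intruder with root can edit or truncate /var/log/secure, but a copy already forwarded to a log host is out of reach, so a facility with only local destinations is one whose record you may not be able to trust after a compromise.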