Overview of Unix
Jagdish S. Gangolly
School of Business
State University of New York at Albany

NOTE: These notes are based on the book Counter Hack, by Ed Skoudis, and are prepared solely for the students in the course Acc 661 at SUNY Albany. They are not to be used by others without the permission of the instructor.

Acc 661 Auditing of Adv Acctg Systems (Spring 2003) Gangolly

Overview of Unix
• Architecture
• File System Structure
• Kernel and processes
• Accounts and groups

Architecture: File System Structure
• Hierarchical, rooted at /:
    /
      bin
      dev
      etc
        passwd
        group
      home
      lib
      mnt
      proc
      tmp
      usr
        bin
        man
        sbin
      var

Architecture: Kernel & Processes I
• A CPU can run at most one program at a time
• The kernel schedules processes, allocates and manages memory, and prevents one process from accessing memory belonging to other processes
• Daemons (background processes) perform print spooling, network services, file sharing, web access, remote management, etc.

Architecture: Kernel & Processes II
• Automatically starting processes:
  • Init: parent of all user-level processes (/etc/init.d)
    • Httpd (port 80), Sendmail (port 25), NFS
  • Inetd (/etc/inetd.conf)
    • Echo, Chargen, FTPd, Telnetd, Shell, login, TFTP
  • Cron
• Vulnerability: use of inetd.conf to create attack relays
    11111 stream tcp nowait nobody /usr/sbin/tcpd /usr/bin/nc [next_hop] 54321

Architecture: Kernel & Processes III
• Vulnerability: create a backdoor using Inetd
  • Overflow a buffer in a program running with root-level privileges
  • Run a shell command to insert a line into the inetd.conf file (the line sets up a high-numbered TCP port, running as root a command shell that executes any commands received)
  • The killall command sends a HUP signal to the Inetd process, making it reread the configuration file

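Both inetd abuses on the preceding two slides (the nc relay on a raw high port and the root shell backdoor) leave a tell-tale line in /etc/inetd.conf, so an auditor can catch them by parsing that file and comparing it with a baseline. The following Python is an added example written for these notes, not code from the course or from Counter Hack; it assumes the classic seven-field inetd.conf syntax, and the configuration text, the hostname next-hop.example and the EXPECTED_SERVICES baseline are all constructed for the example.

```python
"""Audit classic inetd.conf entries for relay and backdoor patterns.

Added example (not from the lecture notes or Counter Hack). Assumes the
seven-field inetd.conf syntax:
    service  socket_type  protocol  wait|nowait  user  server_program  args...
The configuration text below is constructed for this example.
"""
from dataclasses import dataclass, field

# Entries an auditor expects on this host (hypothetical baseline for the sample).
EXPECTED_SERVICES = {"ftp", "telnet", "echo"}
SHELLS = {"sh", "bash", "csh", "ksh", "zsh"}
RELAY_TOOLS = {"nc", "netcat", "ncat"}

SAMPLE_INETD_CONF = """\
# /etc/inetd.conf -- constructed sample for this example
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
echo    stream  tcp  nowait  root    internal
11111   stream  tcp  nowait  nobody  /usr/sbin/tcpd  /usr/bin/nc next-hop.example 54321
31337   stream  tcp  nowait  root    /bin/sh         sh -i
"""


@dataclass
class InetdEntry:
    line_no: int
    service: str
    sock_type: str
    proto: str
    wait: str
    user: str
    server: str
    args: list = field(default_factory=list)


def parse_inetd_conf(text):
    """Return the active (non-comment, well-formed) entries of an inetd.conf text."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; inetd itself would ignore it
        entries.append(InetdEntry(line_no, *fields[:6], fields[6:]))
    return entries


def audit_entry(entry):
    """Return the audit findings for one entry (an empty list means nothing odd)."""
    findings = []
    # Look at every word of the command, so a shell or nc hidden behind tcpd is still seen.
    basenames = {word.rsplit("/", 1)[-1] for word in [entry.server, *entry.args]}
    if entry.service not in EXPECTED_SERVICES:
        findings.append("service not in the approved baseline")
    if entry.service.isdigit():
        findings.append("service given as a raw port number instead of a name from /etc/services")
    if basenames & RELAY_TOOLS:
        findings.append("invokes a network relay tool (nc/netcat): possible attack relay")
    if basenames & SHELLS:
        who = "as root" if entry.user == "root" else f"as {entry.user}"
        findings.append(f"hands the connection to a command shell {who}: possible backdoor")
    return findings


def audit_inetd_conf(text):
    """Map line number -> findings for every entry that raised at least one."""
    report = {}
    for entry in parse_inetd_conf(text):
        findings = audit_entry(entry)
        if findings:
            report[entry.line_no] = findings
    return report


if __name__ == "__main__":
    for line_no, findings in sorted(audit_inetd_conf(SAMPLE_INETD_CONF).items()):
        print(f"inetd.conf line {line_no}:")
        for item in findings:
            print(f"  - {item}")
```

Because the slide's `killall -HUP inetd` step makes an edit live the moment the file is reread, the file is worth checking against the baseline on a schedule and after any incident, not just at install time. The legitimate ftp, telnet and echo lines in the sample produce no findings, while the relay line and the root-shell line each raise several.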
Accounts and Groups
• /etc/passwd
  • Login name, encrypted/hashed password, UID number, default GID number, GECOS information, home directory, login shell
  • Vulnerability: password attacks
    • Guessing, login scripts, L0phtCrack (Windows), John the Ripper
• /etc/group
• Unix permissions
• SetUID

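The seven /etc/passwd fields listed above are all an auditor needs to spot the records that make the slide's password attacks easy: an empty password field, a hash kept in the world-readable passwd file rather than in /etc/shadow (which is what offline crackers such as John the Ripper feed on), and extra UID 0 accounts. The Python below is an added example for these notes, not code from the course; the records are constructed, and the hash-looking string is a labelled placeholder, not a real hash.

```python
"""Audit /etc/passwd records for weaknesses that make password attacks easy.

Added example, not from the lecture notes. Assumes the seven colon-separated
fields the slide lists:
    login:password:UID:GID:GECOS:home:shell
The sample records below are constructed; the hash string is a made-up
placeholder, not a real password hash.
"""
from collections import defaultdict

# Values meaning "the real hash lives in /etc/shadow" or "login is locked".
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}

PASSWD_FIELDS = ("login", "password", "uid", "gid", "gecos", "home", "shell")

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
bob::1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:second superuser:/root:/bin/bash
legacy:$1$PLACEHOLDER$notarealhash:1002:1002:Old account:/home/legacy:/bin/sh
"""


def parse_passwd(text):
    """Return one dict per well-formed /etc/passwd record."""
    records = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != len(PASSWD_FIELDS):
            continue  # malformed record; a real audit would report it separately
        records.append(dict(zip(PASSWD_FIELDS, fields)))
    return records


def audit_passwd(text):
    """Map login name -> list of findings for accounts that need attention."""
    records = parse_passwd(text)
    logins_by_uid = defaultdict(list)
    for rec in records:
        logins_by_uid[rec["uid"]].append(rec["login"])

    report = {}
    for rec in records:
        findings = []
        if rec["password"] == "":
            findings.append("empty password field: login succeeds without any password")
        elif rec["password"] not in SHADOWED_OR_LOCKED:
            findings.append("password hash stored in world-readable /etc/passwd: crackable offline")
        if rec["uid"] == "0" and rec["login"] != "root":
            findings.append("UID 0 account other than root: full superuser rights")
        first_with_uid = logins_by_uid[rec["uid"]][0]
        if first_with_uid != rec["login"]:
            findings.append(f"shares UID {rec['uid']} with {first_with_uid}")
        if findings:
            report[rec["login"]] = findings
    return report


if __name__ == "__main__":
    for login, findings in audit_passwd(SAMPLE_PASSWD).items():
        print(login)
        for item in findings:
            print(f"  - {item}")
```

Run against the sample, root, daemon and alice come back clean, while bob (no password), toor (a second UID 0 account) and legacy (hash visible to every local user) are reported. A hash that has been moved to /etc/shadow is only readable by root, which is the standard mitigation for the cracking tools the slide names.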
Miscellaneous
• Unix trust
  • /etc/hosts.equiv
  • .rhosts
  • R-commands
    • rlogin, rsh, rcp, …
    • Vulnerable to IP spoofing
• Logs and auditing
  • /var/log/secure
  • /var/log/messages
  • /var/log/httpd, /var/log/cron, …

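The trust the r-commands grant comes entirely from /etc/hosts.equiv and the per-user .rhosts files, so auditing Unix trust means enumerating those entries and flagging the wildcards that extend trust to any host or any user. The following Python is an added example for these notes, not code from the course; it assumes the usual one-entry-per-line "hostname [username]" format in which "+" means "any" and a leading "-" denies, and both file contents are constructed.

```python
"""Enumerate host-based trust granted through /etc/hosts.equiv and ~/.rhosts.

Added example, not from the lecture notes. Assumes the usual r-command trust
file format: one entry per line, "hostname [username]", where "+" in either
position means "any" and a leading "-" on the host denies instead of allows.
The file contents below are constructed for this example.
"""

SAMPLE_HOSTS_EQUIV = """\
# constructed /etc/hosts.equiv
fileserver.example
+ admin
"""

SAMPLE_ROOT_RHOSTS = """\
# constructed /root/.rhosts
+ +
"""


def parse_trust_file(text):
    """Return (host, user) pairs; user is None when the entry names only a host."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else None
        entries.append((host, user))
    return entries


def audit_trust_file(text, path):
    """Describe what each entry allows, marking wildcard entries as WILDCARD."""
    findings = []
    for host, user in parse_trust_file(text):
        if host.startswith("-"):
            continue  # explicit denial grants nothing
        who = "any user" if user == "+" else (f"user {user}" if user else "the matching login name")
        where = "any host" if host == "+" else host
        severity = "WILDCARD" if "+" in (host, user) else "trust"
        findings.append(
            f"{path}: {severity}: {who} from {where} is accepted on the strength "
            "of its source address alone, with no password"
        )
    return findings


def has_wildcard_trust(text):
    """True if any active entry trusts every host or every user."""
    return any(severity.startswith("W") for severity in
               (f.split(": ")[1] for f in audit_trust_file(text, "")))


if __name__ == "__main__":
    for path, content in (("/etc/hosts.equiv", SAMPLE_HOSTS_EQUIV),
                          ("/root/.rhosts", SAMPLE_ROOT_RHOSTS)):
        for line in audit_trust_file(content, path):
            print(line)
```

Every entry the audit lists is a place where the slide's IP-spoofing weakness applies, because the check behind it is the source address and nothing else; the "+ +" entry in the sample root .rhosts is the worst case, trusting everyone from everywhere.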
Miscellaneous
• utmp – who
• wtmp – last
• lastlog – time of user’s last login

Windows 2000
• Domains: share an authentication database
  • Primary Domain Controller (PDC)
  • Backup Domain Controller (BDC)
  • SAM database
• Shares: remote connections to network devices
• Service packs and hotfixes

Windows 2000: Architecture
• User Mode
• Kernel Mode
  • Executive Subsystems
  • Hardware Abstraction Layer
• Accounts and groups
  • Default accounts (Administrator, Guest)
  • Accounts created by the administrator
  • Groups: global and local

Windows 2000: Architecture II
• Privileges: Administrators, Users, Guests
• Rights: things users can do that can be added or revoked
• Abilities: built-in capabilities of groups that cannot be altered
• Policies:
  • Account policy
  • User properties settings
• Trust: no trust, complete trust, master domain, multiple master domain

Windows 2000: Architecture III
• Auditing
  • System logging
  • Security logging: logons/logoffs, file/object access, use of rights, …
  • Application logging
• Object access control and permissions
  • Ownership
  • NTFS permissions: No Access, Read, Change, Full Control
  • Share permissions
