LAB #7 Linux Tutorial
Gathering information: find the password file on a Linux box

Scenario: You have access to a Linux computer. You must find the password file on the computer.

Objective: Get a listing of the users found in the password file on a Linux box, and turn the list in as Lab #7. (Ignore the non-user information, which makes up 90% of the file.) (Actually, the real objective is to brush up on your use of Linux commands.)

Computer Network Security 1
The all-powerful user under Windows is Administrator, or any user with admin privileges. An attacker wants admin privileges.
The all-powerful user under Linux is root. An attacker wants root privileges. Only root has root privileges; no other users do.

Linux prompts (important!):
  $ = normal user
  # = root

  root   the root account (superuser)
  /      the top-level directory
  /root  the root user's home directory
Boot to Linux (Knoppix, BackTrack, Ubuntu)
Use one of the Linux CD distributions (aka distros). Press <Enter> when you get the Boot: prompt.
Open a terminal window (console). The up/down arrow keys access the command history.
Learn the CLI (Command Line Interface). This lab provides a brief overview of some basic features in Linux, intended for those not used to it (who should be pitied, not scorned).
Directories (Folders)
[Figure: the Windows directory structure shown beside the Linux directory structure, with the location of the password files marked]
Note: Various distros may vary somewhat from this structure.
Navigating the directory structure
You can move:
  down the directory structure
  up the directory structure
  across the directory structure
Enter the following ($ is the normal user prompt):
  $ cd /      change directory; the forward slash takes us to the top of the tree
  $ pwd       print working directory (where am I?)
  $ ls        list files/directories
  $ ls -al    list all, in long format
Continued (you're still at the top of the directory structure)
  $ cd home      move to /home
  $ ls           view the users' directories
  $ cd knoppix   move to knoppix's (or a user's) directory
  $ ls -al       view knoppix's directories and files
Continued (you're in /home/knoppix)
  $ cd root            oops! no /root dir under /home/knoppix!
  $ cd /root           go directly to /root from /home/knoppix
  $ ls /home/knoppix   view a remote dir without going there
  $ cd ..              move up one level (the space after cd is required)
Don't re-type previous commands: use the arrow keys!
Tab completion: type part of a file/directory name and hit <tab>; handy when names are long
  $ cd /ro<tab>   ro expands to root!
Wildcards (can be used with any command): * = zero or more characters; ? = zero or one character
  $ cd /etc       /etc is an important folder
  $ ls *.conf     configuration files
  $ ls *.c??      list all .c?? files (2 chars after the c)
Finding files (e.g. the passwd file, or flags)
  $ cd /                  start at the top
  $ find / -name passwd   find the passwd file
Continued (you're at the top of the directory structure)
  $ cd etc       move down to the /etc directory
  $ ls pass*     list all files that start with pass
  $ cat passwd   concatenate (that is, list the contents); cat is the Linux version of DOS's type
                 passwd shows all the user names, but no password hashes
  $ ls shad*     list all files that start with shad
  $ cat shadow   can't view the password file! Only root can!
The passwd file lists users, including the user root.
The shadow file lists users and their password hashes.
Understand the concept of relative vs absolute movement.
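The lab's objective is the list of users in the passwd file with the "non-user information" ignored. The script below is an added example (not from the lab handout): it picks the login-capable accounts out of passwd-format text with awk, using a constructed sample file. The UID-1000 cutoff for human accounts is the common Debian/Ubuntu/Knoppix convention and is an assumption; run it with --live on a real box to apply the same filter to /etc/passwd.

```shell
#!/bin/sh
# Added example (not part of the lab handout): pick the human user accounts out
# of a passwd-format file. Each line is name:x:UID:GID:GECOS:home:shell; the
# "non-user information" the lab says to ignore is the system accounts.
# The sample below is constructed for this example, not copied from a real host.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
knoppix:x:1000:1000:Knoppix User:/home/knoppix:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

# list_users FILE_CONTENT
# Prints one name per line: root plus every account with UID >= 1000 whose
# shell is not nologin/false, i.e. the accounts a person can actually log in as.
# The 1000 cutoff is the usual Debian-family convention (assumption).
list_users() {
    printf '%s\n' "$1" | awk -F: '
        ($3 == 0 || $3 >= 1000) && $7 !~ /(nologin|false)$/ { print $1 }'
}

# count_users FILE_CONTENT : how many login-capable accounts there are
count_users() {
    list_users "$1" | wc -l | tr -d ' '
}

# Stand-alone run: filter the real file when asked for (and readable),
# otherwise show the result on the constructed sample.
if [ "${1:-}" = "--live" ] && [ -r /etc/passwd ]; then
    list_users "$(cat /etc/passwd)"
else
    list_users "$SAMPLE_PASSWD"
fi
```

On the sample the filter keeps root, knoppix and alice and drops daemon, sshd and backup; that is the "10% of the file" the lab wants turned in.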
Continued (you're in /etc)
  $ su                  switch user (root is the default)
  #                     the prompt changes for root
  # cat shadow          now you can view the password file!
  # cat shadow | less   view it a page at a time; press <space> to view the next page, q to quit
  <up-arrow> for the previous command
If there is no root password, there will not be a hash.
Note: Ubuntu uses sudo instead of a root account. The BackTrack root password is toor.
Continued (assumes Knoppix)
  # passwd root         give root a simple password, then confirm the new password
  <up-arrow> for the next command, then <Enter>
  # cat shadow | less   now there is a hash for root
When a password cracker guesses a password (either a word taken from a dictionary or just a random set of characters), it hashes that password and then compares the hash with the hash stored in the password file. If they match, the password has been successfully guessed! Remember, a hash is just the result of a mathematical operation done on the numerical equivalent of a password.
Enter this sequence of commonly used commands:
  # cd /root                          go to root's home directory
  # mkdir test                        make a new directory under /root
  # cd test                           move to the new directory
  # pwd                               you're in /root/test
  # echo Hello Linux World. > file1   creates a new file called file1 and writes the message into the file
  # cat file1                         view the contents of file1
  # rm file1                          remove (delete) file1
  # cd ..                             go up to /root
  # rmdir test                        remove the test directory
Continued
  # cat /etc/shadow     one more time
  # cat /etc/shadow     Linux is case sensitive
  # cd ~                go home (/root)
  # pwd                 list the present working directory
  # ls                  nothing here
  # cp /etc/shadow .    copy the password file here (.)
  # ls                  there it is: shadow!
  # su knoppix          switch to the knoppix user
  $ ls                  $ = you're a normal user
  $ cat shadow          you don't have the right!
Note: Both cp and mv (move file) overwrite existing files without warning you!
File permissions: d ooo ggg www
  d: directory   o = owner   g = group   w = world
  r = file can be read   w = file can be written   x = file can be executed
Example: -rwxr-x--x
Meaning: This is a file, not a directory (no d). The file's owner can read, write and execute. The owner's group can read and execute. The world (everyone) can execute only.
  # cd /etc          if not already there, move to /etc
  # ls -l passwd     list passwd; note the permissions
  # ls -l shadow     list shadow; note the permissions
Do you see the difference between passwd and shadow? The world can read passwd, but not shadow.
Set user/group ID
In addition to the basic permissions shown earlier:
SUID or setuid: change user ID on execution. If the setuid bit is set, then when the file is executed by a user, the process will have the same rights as the owner of the file being executed. When set, it replaces the "x" in the owner permissions with "s" if the owner has execute permission, or with "S" otherwise.
  -rws------   both owner execute and SUID are set
  -r-S------   SUID is set, owner execute is not set
SGID or setgid: change group ID on execution. Same as above, but the process inherits the rights of the file's group on execution. For directories, it indicates that a new file created in the directory will inherit the group of the directory (and not of the user who created the file).
  -rwxrws---   both group execute and SGID are set
  -rwxr-S---   SGID is set, group execute is not set
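Reading the ls -l mode string by eye is error-prone, especially the s/S cases above. This added example (not from the lab handout) decodes the 10-character string into words and adds a check for the passwd-vs-shadow difference from the previous slide (is the world bit readable?). It goes slightly beyond the slides by also naming the sticky bit (t/T) in the world slot; the demo modes at the bottom are constructed values, not read from a real system.

```shell
#!/bin/sh
# Added example (not part of the lab handout): decode the 10-character mode
# string printed by ls -l, including the setuid/setgid variants s and S
# (and, beyond the slides, the sticky bit t/T in the world slot).

# triplet RWX SPECIALNAME : expand one three-character group. The third slot may
# be x (execute), s/t (execute plus the special bit), S/T (special bit without
# execute) or - (nothing).
triplet() {
    t=$1; special=$2; out=""
    case $t in r??) out="read" ;; esac
    case $t in ?w?) out="${out:+$out }write" ;; esac
    case $t in
        ??x)      out="${out:+$out }execute" ;;
        ??s|??t)  out="${out:+$out }execute ($special)" ;;
        ??S|??T)  out="${out:+$out }$special without execute" ;;
    esac
    printf '%s' "${out:-none}"
}

# describe_mode MODESTRING : one line of text, e.g.
#   describe_mode -rws------
#   => "file; owner: read write execute (setuid); group: none; world: none"
describe_mode() {
    mode=$1
    [ ${#mode} -eq 10 ] || { echo "bad mode string: $mode" >&2; return 1; }
    case $(printf '%s' "$mode" | cut -c1) in
        d) kind=directory ;;
        -) kind=file ;;
        *) kind="other ($(printf '%s' "$mode" | cut -c1))" ;;
    esac
    owner=$(triplet "$(printf '%s' "$mode" | cut -c2-4)" setuid)
    group=$(triplet "$(printf '%s' "$mode" | cut -c5-7)" setgid)
    world=$(triplet "$(printf '%s' "$mode" | cut -c8-10)" sticky)
    printf '%s; owner: %s; group: %s; world: %s\n' "$kind" "$owner" "$group" "$world"
}

# is_world_readable MODESTRING : exit 0 if anyone on the box can read the file.
# This is the passwd (readable) vs shadow (not readable) difference.
is_world_readable() {
    case $1 in ???????r??) return 0 ;; *) return 1 ;; esac
}

# Stand-alone demo on constructed modes: typical passwd, shadow and a setuid program.
for m in -rw-r--r-- -rw-r----- -rwsr-xr-x -r-S------; do
    printf '%-11s %s\n' "$m" "$(describe_mode "$m")"
    if is_world_readable "$m"; then echo '            (world readable)'; fi
done
```

Pipe a real listing through it with something like `ls -l /etc/shadow | awk '{print $1}'` as the argument; a shadow file that reports "(world readable)" is the misconfiguration the slide is warning about.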
The ps command (process status)
  # ps                process status: running programs; the PID (process ID) is listed in the left column
  # ps -A             list All processes
  # ps -A | less      pipe the list to less; q to quit
  # ps -ef  or  ps ax compare and contrast
Same as Windows Task Manager.
You can shut down a process using the kill command; use ps to get the pids:
  # kill 2020         2020 = the pid (process ID); does a clean kill (closes open files)
  # kill -9 2020      add -9 to kill for sure
  # kill -HUP 2020    kill, then restart the process
grep
grep is a string-search utility; sshd is the string we're looking for in this example.
  # ps -A | grep sshd    pipe the ps list to grep: SSH daemon (sshd) running? No
  # ps -A | grep tty     any process names with tty?
  # ps -A | grep bash    how about bash?
Networking commands
  # ifconfig             interface information: list all interfaces
  # ping 127.0.0.1       ping the target (Ctrl-c = quit)
  # netstat -an | less   pipe to less
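The ps/grep and netstat commands above share one idea: pipe a listing into a filter. This added example (not from the lab handout) does the same with awk so the match is on the command column only (a plain `grep ssh` would also hit sshd) and pulls the LISTEN sockets out of netstat -an output, separating loopback-only services from ones bound to all interfaces. Both listings are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the lab handout): "pipe a listing into a filter",
# as with ps -A | grep, applied to ps and netstat output.
# Both sample listings are constructed for this example.

SAMPLE_PS='  PID TTY          TIME CMD
    1 ?        00:00:01 init
  412 ?        00:00:00 sshd
  620 tty1     00:00:00 bash
  733 ?        00:00:00 cron'

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.20:22         192.168.1.5:51234       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# process_running LISTING NAME : like ps -A | grep NAME, but compares the CMD
# column exactly, so "ssh" does not also match "sshd". Exit 0 when found.
process_running() {
    printf '%s\n' "$1" | awk -v name="$2" '
        NR > 1 && $4 == name { found = 1 }
        END { exit !found }'
}

# listening_ports LISTING : print "proto port bind-address" for every LISTEN
# socket. 127.0.0.1 means reachable only from this box; 0.0.0.0 means exposed
# on every interface, which is what a defender wants to review.
listening_ports() {
    printf '%s\n' "$1" | awk '$6 == "LISTEN" {
        n = split($4, a, ":")
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        print $1, port, addr
    }'
}

# Stand-alone demo on the constructed listings
for p in sshd ssh bash; do
    if process_running "$SAMPLE_PS" "$p"; then echo "$p: running"; else echo "$p: not running"; fi
done
echo 'Listening sockets (proto port address):'
listening_ports "$SAMPLE_NETSTAT"
```

On a live box the same functions take `"$(ps -A)"` and `"$(netstat -an)"` as their first argument.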
The man command
Short for manual: documents Linux commands
  # man passwd   describe the passwd command
Press <space_bar> to scroll through pages. Press the <Up> and <Dn> arrows to scroll 1 line. Press q to quit.
Other examples:
  # man ls
  # man pwd
  # man man
Mounting and unmounting a CDROM:
  # mount /mnt/cdrom        mount a CDROM
  # umount /mnt/cdrom       un-mount a CDROM
  # eject                   open the cd tray
To copy files to a floppy (e.g. for offline cracking):
  # mount /mnt/floppy       mount the floppy drive
  # cp passwd /mnt/floppy   copy passwd
  # cp shadow /mnt/floppy   copy shadow
  # umount /mnt/floppy      un-mount the floppy
Note: Commands may vary across distros.
There are over 100 UNIX/Linux distributions available. KDE and Gnome are popular desktop environments.
The following are used in the Network Security lab:
  Knoppix - default distribution used in lab (Live CD)
  Ubuntu - alternate lab distribution (Live CD)
  BackTrack - security toolset (Live CD)
  Ophcrack - password cracker (Live CD)
  Solaris - (Intel and SPARC) attack surface
  Red Hat - attack surface
Other popular distributions include:
  OS X - Apple Mac
  Slackware - oldest maintained distribution
  BSD - a branch of UNIX
The Oak Ridge National Laboratory's Jaguar supercomputer. In November 2009 it was the world's fastest supercomputer. A Cray XT5, it runs on Linux, with 225k cores and a peak speed of 2.33 petaflops.