
                   Password Security:

Examine the /etc/passwd file on the system and check for modifications to it. In particular, look for the unauthorized creation of new accounts, accounts with no password, or UID changes (especially to UID 0) on existing accounts.

    johnsmith:naVwowMManasMMo:10:200:John Smith:/users/johnsmith:/bin/bash
    ^         ^               ^  ^   ^          ^                ^
    |         |               |  |   |          |                +- User's shell program
    |         |               |  |   |          +------------------ User's home directory
    |         |               |  |   +----------------------------- User's real name
    |         |               |  +--------------------------------- User number
    |         |               +------------------------------------ User's group number
    |         +---------------------------------------------------- Hash of user's password
    +-------------------------------------------------------------- Username

   - Username is the name under which the user logs in. Usually this is done by typing the username at the username prompt and then the password at the password prompt.

   - Hash of user's password is the target of the cracking method: each word in the dictionary file is hashed and the result is compared with this field.

   - User's group number determines things such as access to certain files. It is used more in the exploit technique.

   - User number is the numeric identification the system uses for the account (UID 0 is the superuser).

   - User's real name is the name the user entered. It is not used by the system, but it provides a handy human-readable id for each user.

   - User's home directory is the directory they land in when they log into the system.
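As an added example (not code from the original article), the following shell functions check a passwd-format file for the three signs described above: empty password fields, UID 0 accounts other than root, and accounts that are new or whose UID changed compared with a previously saved copy. The file names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for empty password hashes,
# extra UID 0 accounts, and new/changed accounts versus a saved baseline.
# File names and entries below are constructed, not taken from a real system.

# Print "EMPTYPW user" for every account whose hash field (field 2) is empty.
empty_password_accounts() {
    awk -F: '$2 == "" { print "EMPTYPW " $1 }' "$1"
}

# Print "UID0 user" for every account with UID 0 that is not root.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print "UID0 " $1 }' "$1"
}

# Compare a baseline copy ($1) with the current file ($2):
# "NEW user" for accounts absent from the baseline,
# "UIDCHG user old new" where an existing account's UID changed.
compare_with_baseline() {
    awk -F: 'FILENAME == ARGV[1] { base[$1] = $3; next }
             !($1 in base)      { print "NEW " $1; next }
             base[$1] != $3     { print "UIDCHG " $1 " " base[$1] " " $3 }' "$1" "$2"
}

# Run all three checks; prints one finding per line, nothing when clean.
audit_passwd() {
    empty_password_accounts "$2"
    extra_uid0_accounts "$2"
    compare_with_baseline "$1" "$2"
}

# Constructed sample: a baseline snapshot and a current file with three problems
# (johnsmith's UID changed to 0, and a new passwordless UID 0 account appeared).
BASE=$(mktemp); CUR=$(mktemp)
cat > "$BASE" <<'EOF'
root:*:0:0:Charlie Root:/root:/bin/sh
johnsmith:naVwowMManasMMo:10:200:John Smith:/users/johnsmith:/bin/bash
EOF
cat > "$CUR" <<'EOF'
root:*:0:0:Charlie Root:/root:/bin/sh
johnsmith:naVwowMManasMMo:0:200:John Smith:/users/johnsmith:/bin/bash
svcbak::0:0:Added account:/:/bin/sh
EOF
audit_passwd "$BASE" "$CUR"
```

Keep the baseline copy somewhere the intruder cannot modify (offline media or a read-only mount), otherwise the comparison proves nothing.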

 

EOF.

 

Security continued...

Check your system and network configuration files for unauthorized entries. In particular, look for '+' (plus sign) entries and inappropriate non-local host names in /etc/hosts.equiv, /etc/hosts.lpd, and in all .rhosts files (especially root, uucp, ftp, and other system accounts) on the system. These files should not be world-writable. Furthermore, confirm that these files existed prior to any intrusion and were not created by the intruder.

Look everywhere on the system for unusual or hidden files (files that start with a period and are normally not shown by 'ls'), as these can be used to hide tools and information (password cracking programs, password files from other systems, etc.). A common technique on UNIX systems is to put a hidden directory in a user's account with an unusual name, something like '...' or '.. ' (dot dot space) or '..^G' (dot dot control-G). Again, the find(1) program can be used to look for hidden files, for example:

 find / -name ".. " -print -xdev
 find / -name ".*" -print -xdev | cat -v

 

Note: /tmp/... and /etc/... are the most common locations for a "script kiddie's" tool directory.

 

Finding setuid & setgid files:

Look for setuid and setgid files (especially setuid root files) everywhere on your system. Intruders often leave setuid copies of /bin/sh or /bin/time around to allow them root access at a later time. The UNIX find(1) program can be used to hunt for setuid and/or setgid files. For example, you can use the following commands to find setuid root files and setgid kmem files on the entire file system:

 

 find / -user root -perm -4000 -print
 find / -group kmem -perm -2000 -print

 

Note that the above examples search the entire directory tree, including NFS/AFS mounted file systems. Some find(1) commands support an "-xdev" option to avoid searching those hierarchies. For example:

 find / -user root -perm -4000 -print -xdev

At this point you need to make sure all the directories where users can write are either mounted "-nosuid" or have been chmod'ed in such a way that only the root user can write to them. By default FreeBSD has only one you should be concerned with: /var/spool/uucppublic. You can either mount your /var filesystem "-nosuid" or just do:

 chmod o-w /var/spool/uucppublic

If you want to find all your world-writable directories (any directory with the "other" write bit set), issue:

 find / -perm -0002 -type d -ls

As the man page points out, having a setuid/setgid wrapper on a filesystem that is not mounted nosuid makes mounting your other filesystems nosuid useless. Find out which files are installed on your system as setuid or setgid. To do that, use find(1):

 find / -perm -2000 -ls

 find / -perm -4000 -ls
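As an added example (not code from the original article), the following shell functions turn the find(1) commands above into a repeatable check: take an inventory of setuid and setgid files, save it as a baseline, and later report files that appeared or vanished. The directory tree and files below are constructed for illustration; in practice you would inventory / with -xdev and keep the baseline off the host.

```shell
#!/bin/sh
# Added example: baseline-and-diff of setuid/setgid files using find(1).
# The sample tree, file names and baseline path are constructed.

# List every setuid or setgid regular file under $1 as "mode owner group path",
# sorted so the result can be compared with comm(1). -xdev stays on one filesystem.
suid_inventory() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; \
        | awk '{ p = $9; for (i = 10; i <= NF; i++) p = p " " $i;
                 print $1, $3, $4, p }' \
        | sort
}

# Compare a saved baseline ($1) with a fresh inventory of tree $2.
# "+" marks entries present now but not in the baseline, "-" the reverse.
suid_diff() {
    cur=$(mktemp)
    suid_inventory "$2" > "$cur"
    comm -13 "$1" "$cur" | sed 's/^/+ /'
    comm -23 "$1" "$cur" | sed 's/^/- /'
    rm -f "$cur"
}

# Constructed sample: two legitimate files go into the baseline, then a new
# setuid file appears in a '.. ' (dot dot space) directory, the case the text warns about.
TREE=$(mktemp -d); BASELINE=$(mktemp)
printf 'x' > "$TREE/legit_suid"; chmod 4755 "$TREE/legit_suid"
printf 'x' > "$TREE/legit_sgid"; chmod 2755 "$TREE/legit_sgid"
suid_inventory "$TREE" > "$BASELINE"
mkdir "$TREE/.. "
printf 'x' > "$TREE/.. /dropped_suid"; chmod 4755 "$TREE/.. /dropped_suid"
suid_diff "$BASELINE" "$TREE"
```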

Note: This is NOT a complete security audit of the system. It is only a safety reference.

 

Done by obscure_


© 1998 - 2010 Defcon1, www.defcon1.org. Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of www.defcon1.org and the content's original author.