

Password Security:

Examine the /etc/passwd file on the system and check for modifications to that file. In particular, look for the unauthorized creation of new accounts, accounts with no passwords, or UID changes (especially to UID 0) on existing accounts.
     johnsmith:naVwowMManasMMo:10:200:John Smith:/users/johnsmith:/bin/bash
     ^         ^               ^  ^   ^          ^                ^
     |         |               |  |   |          |                +- User's shell program
     |         |               |  |   |          +------------------ User's home directory
     |         |               |  |   +----------------------------- User's real name
     |         |               |  +--------------------------------- User's group number
     |         |               +------------------------------------ User number
     |         +---------------------------------------------------- Hash of user's password
     +-------------------------------------------------------------- Username

     - Username is the name under which the user logs in. Usually this is
       done by typing the username at the login prompt and then the password
       at the password prompt.

     - Hash of user's password is the target of the cracking method. This is
       what the hash of each word in the dictionary file is compared to.

     - User number (the UID) is basically the user's identification for the
       system.

     - User's group number (the GID) determines things such as access to
       certain files. It is used more in the exploit technique.

     - User's real name is the name the user entered. It is not used by the
       system, but it provides a handy human-readable id of each user.

     - User's home directory is the directory they land in when they log
       into the system.
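An added example, not part of the original article: a small shell audit of a passwd file for the problems the text lists (empty password fields, extra UID 0 accounts, and duplicate UIDs), run here against a constructed sample file. On FreeBSD the hashes live in /etc/master.passwd (readable only by root) and the generated /etc/passwd shows `*` in the hash field, so the checks below accept either file's layout.

```shell
# Constructed sample passwd file (not from any real system): a healthy
# account, one with an empty password field, a second UID 0 account, and
# two accounts sharing a UID.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:naVwowMManasMMo:0:0:Charlie Root:/root:/bin/csh
johnsmith:naVwowMManasMMo:10:200:John Smith:/users/johnsmith:/bin/bash
backup::11:200:Backup Operator:/users/backup:/bin/sh
toor2:naVwowMManasMMo:0:0:Spare superuser:/root:/bin/sh
www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
bob:naVwowMManasMMo:10:200:Bob Jones:/users/bob:/bin/sh
EOF

# audit_passwd FILE
# Prints one finding per line, "KIND user [detail]":
#   BAD_FIELDS      not 7 fields (passwd) or 10 fields (FreeBSD master.passwd)
#   EMPTY_PASSWORD  empty hash field: the account logs in with no password
#   UID0            a UID 0 account other than root (full superuser rights)
#   DUP_UID         two usernames mapped to one UID (the kernel cannot tell them apart)
# The first four fields sit in the same positions in both file formats, so
# the same checks work on either; run it on master.passwd to see real hashes.
audit_passwd() {
    awk -F: '
        NF != 7 && NF != 10      { print "BAD_FIELDS " $1; next }
        $2 == ""                 { print "EMPTY_PASSWORD " $1 }
        $3 == 0 && $1 != "root"  { print "UID0 " $1 }
        ($3 in seen)             { print "DUP_UID " $1 " shares UID " $3 " with " seen[$3] }
        { seen[$3] = $1 }
    ' "$1"
}

# count_findings FILE : number of findings, so a nightly cron job can stay
# quiet unless this is non-zero
count_findings() {
    audit_passwd "$1" | wc -l | tr -d ' '
}

audit_passwd "$SAMPLE_PASSWD"
```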


Security continued...
Check your system and network configuration files for unauthorized entries. In particular, look for '+' (plus sign) entries and inappropriate non-local host names in /etc/hosts.equiv, /etc/hosts.lpd, and in all .rhosts files (especially root, uucp, ftp, and other system accounts) on the system. These files should not be world-writable. Furthermore, confirm that these files existed prior to any intrusion and were not created by the intruder.
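The trust-file check just described, as an added example (not code from the original article): it flags '+' entries, non-local hosts and loose permissions in a hosts.equiv, hosts.lpd or .rhosts file, and is run here against a constructed sample. LOCAL_HOSTS is an assumed list of your own machines.

```shell
# LOCAL_HOSTS: the machines you regard as part of your own site.  An
# assumed list for this example; replace it with your real host names.
LOCAL_HOSTS="localhost alpha beta"

# check_trust_file FILE
# Prints one finding per line for a hosts.equiv, hosts.lpd or .rhosts file:
#   WRITABLE  the file is group- or world-writable (anyone could add an entry)
#   PLUS      a '+' (or '+@netgroup') in the host or user column: trusts everyone
#   NONLOCAL  a host name that is not in LOCAL_HOSTS
# Blank lines, '#' comments and '-host' deny entries are ignored.
check_trust_file() {
    f=$1
    [ -f "$f" ] || return 0
    case $(ls -ld "$f" | cut -c5-10) in     # group and other mode columns
        *w*) echo "WRITABLE $f" ;;
    esac
    awk -v file="$f" -v local="$LOCAL_HOSTS" '
        BEGIN { n = split(local, a, " "); for (i = 1; i <= n; i++) islocal[a[i]] = 1 }
        NF == 0 || $1 ~ /^#/       { next }
        $1 ~ /^-/                  { next }
        $1 ~ /^[+]/ || $2 ~ /^[+]/ { print "PLUS " file ": " $0; next }
        !($1 in islocal)           { print "NONLOCAL " file ": " $0 }
    ' "$f"
}

# check_all_trust_files : the system-wide sweep described in the text,
# kept to the root filesystem with -xdev
check_all_trust_files() {
    for f in /etc/hosts.equiv /etc/hosts.lpd $(find / -xdev -name .rhosts 2>/dev/null); do
        check_trust_file "$f"
    done
}

# Constructed sample (not from any real system): a world-writable
# hosts.equiv mixing harmless and dangerous entries.
SAMPLE_EQUIV=$(mktemp)
cat > "$SAMPLE_EQUIV" <<'EOF'
# trusted print server
alpha
+
-gamma
beta +
evil.example.net
EOF
chmod 666 "$SAMPLE_EQUIV"
check_trust_file "$SAMPLE_EQUIV"
```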
Look everywhere on the system for unusual or hidden files (files that start with a period and are normally not shown by 'ls'), as these can be used to hide tools and information (password cracking programs, password files from other systems, etc.). A common technique on UNIX systems is to put a hidden directory in a user's account with an unusual name, something like '...' or '.. ' (dot dot space) or '..^G' (dot dot control-G). Again, the find(1) program can be used to look for hidden files, for example:
 find / -name ".. " -print -xdev
 find / -name ".*" -print -xdev | cat -v

Note: /tmp/... and /etc/... are the directories "script kiddies" most commonly use for their tools.

Finding setuid & setgid files:
Look for setuid and setgid files (especially setuid root files) everywhere on your system. Intruders often leave setuid copies of /bin/sh or /bin/time around to allow them root access at a later time. The UNIX find(1) program can be used to hunt for setuid and/or setgid files. For example, you can use the following commands to find setuid root files and setgid kmem files on the entire file system:

 find / -user root -perm -4000 -print
 find / -group kmem -perm -2000 -print

Note that the above examples search the entire directory tree, including NFS/AFS mounted file systems. Some find(1) commands support an "-xdev" option to avoid searching those hierarchies. For example:
 find / -user root -perm -4000 -print -xdev
At this point you need to make sure that all directories users can write to are either mounted "-nosuid" or chmod'ed so that only root can write to them. By default FreeBSD has only one you should be concerned with: /var/spool/uucppublic. You can either mount your /var filesystem "-nosuid" or just do:
 chmod o-w /var/spool/uucppublic
If you want to find all your world-writable directories, issue (find's -perm -MODE matches when every bit in MODE is set, so -0002 catches each directory with the "other write" bit regardless of its remaining bits):
 find / -perm -0002 -type d -ls
As the man page points out, having a setuid/setgid wrapper will make mounting your other filesystems nosuid useless. Find out which files are installed on your system as setuid or setgid. To do that, use find(1):
 find / -perm -2000 -ls
 find / -perm -4000 -ls
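The find commands above tell you what is setuid or setgid right now; what you want on a running system is to know what has changed since you last looked. Added example, not from the original article: record a baseline of setuid/setgid files and diff the live system against it, exercised here on a constructed directory tree rather than on /.

```shell
# list_setids ROOT
# Lists every setuid or setgid regular file under ROOT, staying on one
# filesystem (-xdev), as "mode owner group path", sorted so the output can
# be diffed.  (Paths containing whitespace show only their last word.)
list_setids() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; |
        awk '{ print $1, $3, $4, $NF }' | LC_ALL=C sort
}

# save_baseline ROOT FILE : record the current set, ideally right after install
save_baseline() { list_setids "$1" > "$2"; }

# diff_setids ROOT FILE : "+ entry" for setid files not in the baseline
# (new, or an old file whose mode/owner changed), "- entry" for baseline
# entries that are gone; prints nothing when the system matches the baseline.
diff_setids() {
    list_setids "$1" | LC_ALL=C comm -3 "$2" - |
        awk -F'\t' '{ if ($1 == "") print "+ " $2; else print "- " $1 }'
}

# make_sample_tree : constructed stand-in for a filesystem (not a real
# system), so the functions can be exercised without touching /.
# Prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/bin"
    : > "$d/bin/ping";   chmod 4755 "$d/bin/ping"   # setuid, like a real ping
    : > "$d/bin/write";  chmod 2755 "$d/bin/write"  # setgid, like a real write
    : > "$d/bin/cat";    chmod 0755 "$d/bin/cat"    # ordinary binary
    echo "$d"
}

# Worked run: baseline the sample tree, then add a hidden setuid file of the
# kind the text warns about and show that the diff reports it.
SAMPLE=$(make_sample_tree)
BASELINE=$(mktemp)
save_baseline "$SAMPLE" "$BASELINE"
: > "$SAMPLE/bin/.sh"; chmod 4755 "$SAMPLE/bin/.sh"
diff_setids "$SAMPLE" "$BASELINE"
```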
Note: This is NOT a complete secure-system audit. It is only a safety reference.

Done by obscure

© 1997 - 2013 Defcon1. Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of the content's original author.