
Unix Refresher

This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis.

I have edited and added material.

Dr. Stephen C. Hayne


Linus Torvalds

Was the chief architect behind the Linux kernel. Most of the work was done while he was still an undergraduate. He completed a master's degree in Computer Science from the University of Helsinki and now lives and works in the United States.


Unix File System Structure

Everything is treated as a file.

Tree structure: / (root) is the root of the tree.

Filename length limits depend on the file system: the original System V limit was 14 characters, and most modern file systems allow 255 bytes per path component (NAME_MAX; check with getconf NAME_MAX /).

There is no file type designation. The kernel attaches no meaning to an extension: Hacker.txt doesn't imply a file type of TXT, and an ELF binary or a shell script can carry any name. The period "." is simply part of the name.


Unix Directories

/ – root directory, contains the other subdirs
/bin, /sbin – system binaries needed to boot the system
/dev – peripheral devices: disks, tapes, CD
/etc – system configuration files, password files, network configuration information


Unix Directories

/home – user home directories
/lib – shared libraries
/mnt – temporary mount point
/proc – images of currently running processes
/tmp – temporary scratch space, writable by everyone
/usr – more system binaries, C headers, system administration binaries
/var – log files, spool space for printers


Unix Directories

“.” – means the current directory
“..” – means the directory one level up
“...” – a directory named with three dots is a legal name that should not exist on a clean system. It is a favorite place for hackers to hide their code, because it is easy to overlook next to "." and ".." in an ls -a listing; names such as ".. " (dot dot space) are used the same way.
“.name” – a dot in front of a filename denotes a hidden file that won't show up with a standard ls command. Use ls -a (or find -name '.*') to see it.
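An added example, not from the slides, that turns the two points above (an extension says nothing about a file's type; odd dot-names hide in a listing) into checks you can run. The sample files and directory names it creates are constructed for the demo; it assumes a find that supports -mindepth, which GNU and BSD find both do.

```shell
#!/bin/sh
# Added example, not from the slides. Two checks that follow from the file
# system slides: classify a file by its leading bytes instead of its name,
# and list directory entries whose names imitate "." and "..".
# Sample files and names below are constructed for the demo.

# Unix attaches no meaning to an extension, so look at the content: the
# first bytes identify an ELF binary (7f 45 4c 46) or a "#!" script.
magic_type() {
  hex=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
  case "$hex" in
    7f454c46) echo elf ;;      # 0x7f 'E' 'L' 'F'
    2321*)    echo script ;;   # "#!" shebang
    *)        echo other ;;
  esac
}

# Entries under $1 whose name is three or more dots, or a dot / dot-dot
# followed by whitespace: legal names that hide next to "." and ".." in
# an "ls -a" listing. Requires find with -mindepth (GNU and BSD have it).
find_odd_dotnames() {
  find "$1" -mindepth 1 -name '.*' 2>/dev/null |
    grep -E '/(\.{3,}|\.\.?[[:space:]]+)$'
}

demo() {
  d=$(mktemp -d)
  printf '#!/bin/sh\necho hi\n' > "$d/hacker.txt"   # a script despite .txt
  printf '\177ELF\001\001\001'  > "$d/notes.txt"    # ELF header despite .txt
  mkdir "$d/..." "$d/.. " "$d/.config"
  echo "hacker.txt: $(magic_type "$d/hacker.txt")"
  echo "notes.txt:  $(magic_type "$d/notes.txt")"
  echo "odd dot-names under $d:"
  find_odd_dotnames "$d"
  rm -rf "$d"
}

demo
```

On a real system the second function is typically pointed at / (or at /tmp, /dev and /var, where attackers like to keep things); the first is what the file(1) command does in a more general way, and is worth running over anything an incident turns up before trusting its name.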


Unix Kernel & Processes

Kernel – core OS module, controls the hardware.

Process – a running program and its memory. All running programs are processes.

Use the "ps -ef" command to examine the process list.

The kernel handles process scheduling and swapping.


More Process Information

PID – unique identifier for each process. PPID – the PID of the process that started it (the second and third columns of ps -ef).

"lsof" tells you which files a process has open, including network sockets and files that have been deleted while still open: lsof -p PID.


Unix Kernel & Processes

System processes running in the background are called daemons. The common naming convention is the name of the service followed by a "d": telnet is handled by the telnetd process.


Automatic Process Startup

All processes have to be started by the kernel or by some other process, so every process has a parent and the chain of parents ends at init.

The 'init' process (PID 1) runs the boot startup scripts that start all system processes.

Startup scripts are in /etc/init.d, /sbin/init.d, /etc/rcX.d, /sbin/rcX.d where X = 0-6 (one set per run level). A script dropped into these directories is another common way to make a backdoor come back at boot, so they belong on the audit list alongside inetd.conf.
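An added example, not from the slides, of the parent chain just described: starting from one PID it prints each ancestor up to the process the kernel started itself (parent PID 0), which is init on a normal host or the first process of a container. It reads /proc/PID/stat where Linux provides it and falls back to ps -o ppid= elsewhere; the 64-hop limit is a loop guard, not something the system imposes.

```shell
#!/bin/sh
# Added example, not from the slides: walk a process's parent chain back to
# the ancestor with ppid 0 (init, or a container's first process). Uses
# Linux /proc when present, POSIX ps otherwise.

ppid_of() {
  if [ -r "/proc/$1/stat" ]; then
    # /proc/PID/stat reads "pid (comm) state ppid ...". comm may contain
    # spaces or parentheses, so drop everything up to the last ") " first;
    # the parent pid is then the second field.
    sed 's/^.*) //' "/proc/$1/stat" | awk '{ print $2 }'
  else
    ps -o ppid= -p "$1" | tr -d ' '
  fi
}

# Print "pid ppid command" for $1 and each of its ancestors. Stops at the
# process whose parent is 0, or after 64 hops as a loop guard.
ancestry() {
  pid=$1 hops=0
  while [ "$pid" -gt 0 ] && [ "$hops" -lt 64 ]; do
    parent=$(ppid_of "$pid" || true)
    [ -n "$parent" ] || break
    comm=$(ps -o comm= -p "$pid" 2>/dev/null || echo '?')
    printf '%s %s %s\n' "$pid" "$parent" "${comm:-?}"
    pid=$parent hops=$((hops + 1))
  done
}

# Demo: the chain for this shell itself.
ancestry "$$"
```

In an investigation the interesting case is a shell or listener whose chain runs through a network daemon (a web server, telnetd, inetd) rather than through a login session: that is the spawning path of an exploit, and the chain tells you which service to look at.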


Automatic Process Startup

Run levels (System V style):
0 – halt
1 – single user mode
2 – multi-user mode, no networking
3 – multi-user mode with networking
4 – unused
5 – multi-user mode with a graphical login (Red Hat style; Debian style treats 2-5 alike)
6 – reboot
The meaning of levels 2-5 differs between Unix flavors and Linux distributions, so check /etc/inittab on the system in hand; systemd-based Linux maps these levels onto targets.


Init, inetd

Init starts processes at boot time, including network services and inetd.

Inetd listens on the ports of the services it manages and starts a process to handle each request, so those servers are not running until someone connects.

inetd.conf is a favorite target of hackers: an added entry whose server program is a shell is a backdoor that comes back with every reboot, so audit the file for entries the system did not install.


Automatic Process Startup

Inetd is the master control process for well known network services.

Config file is /etc/inetd.conf. Port numbers for the service names are looked up in /etc/services.

The comment character is #, and if it is in column 1 that line's service is NOT started.


/etc/inetd.conf format

Service name – the name of the service (resolved to a port via /etc/services)
Socket type – stream (TCP), dgram (UDP), raw, rdm (reliably delivered message)
Protocol – tcp or udp
Wait/nowait – wait means inetd hands the socket to one server and waits for it to exit before accepting the next request (usual for dgram services); nowait means inetd accepts each connection and starts a new server for it


/etc/inetd.conf format

Username – the account the server runs as. root here means a bug in that server is a root compromise, so use the least-privileged account the service can work with.
Server program – the full path of the daemon to run, or "internal" for the simple services inetd implements itself
Server program arguments – the argument list for the server, starting with its own name (argv[0]), followed by any configuration flags
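An added example, not from the slides, that parses the inetd.conf layout described on the last three slides and reports what an auditor wants to know first: which enabled services run as root, and whether any "server program" is a shell, which is what an inetd backdoor looks like. The sample configuration is constructed; the service name svc-x and the paths in it are illustrative, not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the slides: audit an inetd.conf in the format
# described above. The sample config written by demo() is constructed.

audit_inetd_conf() {
  awk '
    # "#" in column 1 disables the entry; skip it, and anything too short
    # to hold the six mandatory fields.
    /^#/ || NF < 6 { next }
    {
      svc = $1; sock = $2; proto = $3; wait = $4; user = $5; prog = $6
      flags = ""
      sub(/\..*/, "", wait)        # "nowait.100" (rate limit) -> "nowait"
      sub(/\/.*/, "", user)        # BSD "user/group" -> "user"
      if (user == "root") flags = flags " RUNS-AS-ROOT"
      if (prog ~ /\/(sh|bash|ksh|csh|tcsh|zsh)$/) flags = flags " SHELL-SERVER"
      printf "%-10s %-6s %-5s %-6s %-8s %s%s\n", svc, proto, sock, wait, user, prog, flags
    }' "$1"
}

demo() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed inetd.conf for the demo (not a real system's file)
#ftp     stream  tcp   nowait  root    /usr/sbin/in.ftpd     in.ftpd -l
telnet   stream  tcp   nowait  root    /usr/sbin/in.telnetd  in.telnetd
echo     stream  tcp   nowait  root    internal
finger   stream  tcp   nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
svc-x    stream  tcp   nowait  root    /bin/sh               sh -i
EOF
  audit_inetd_conf "$f"
  rm -f "$f"
}

demo
```

Run it as audit_inetd_conf /etc/inetd.conf on a host that still uses inetd. Every SHELL-SERVER line is a finding; every RUNS-AS-ROOT line is a question (does this daemon need root, or can it drop to nobody like fingerd here?).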


/etc/passwd, /etc/shadow

/etc/passwd is the master account file for the system: one line per account, seven colon-separated fields.

Login name – the account name
Password field – historically the one-way hash of the account password. It is hashed, not encrypted: nothing can decrypt it, which is why "cracking" means guessing candidates and hashing them for comparison. On a shadowed system this field holds only an "x".
UID – numeric identifier for the account. This is what Unix actually uses for permission checks; the login name is only used to look the UID up, so two names sharing UID 0 are both root as far as the kernel is concerned.


/etc/passwd, /etc/shadow

GID – numeric id of the account's primary group

GECOS info – free-text field, commonly used for the name of the account owner

Home directory – the user's home directory
Login shell – the program started at login; /bin/false or /sbin/nologin for accounts that should never log in interactively


/etc/passwd, /etc/shadow

/etc/passwd is world readable, and has to be: ls, ps and everything else that displays user names reads it to map UIDs to names. That is what lets Crack run on it when the hashes are stored there. All you need is some access to the system (a login, or a web or FTP server that will hand over the file) and a copy of the file; the guessing then happens offline, where no lockout policy applies.

/etc/shadow is the defense against the Crack attack.


/etc/passwd, /etc/shadow

/etc/shadow holds the password hash field (plus password-aging fields) and is readable by root only (some Linux distributions also allow a "shadow" group to read it).

An "x" is placed as a marker in the password field of /etc/passwd.

If you can read /etc/shadow through normal file access, you already have root and no need to crack passwords. The case that matters is a file-disclosure bug in a root-privileged service (a web server serving arbitrary paths, for instance) that leaks the file to someone who is not root: then the hashes leave the box and cracking is the next step, which is why a strong hash algorithm and good passwords still matter even with shadowing.
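An added example, not from the slides, that applies the /etc/passwd and /etc/shadow material above as a check on a passwd file: it flags accounts with an empty password field, accounts whose hash still sits in the world-readable file instead of /etc/shadow (Crack's target), and any second UID 0 account, since the kernel treats every UID 0 as root. The sample passwd content is constructed; the 13-character string on the "legacy" line is a placeholder standing in for a hash, not a real one.

```shell
#!/bin/sh
# Added example, not from the slides: audit a passwd file against the
# field layout described above. The sample file in demo() is constructed.
# On a real system:  audit_passwd /etc/passwd

audit_passwd() {
  awk -F: '
    NF != 7 { printf "MALFORMED      %s\n", $0; next }
    # Field 2: "x" means the hash lives in /etc/shadow; "*" or "!..." lock the
    # account. Anything else is either no password at all or a hash sitting in
    # the world-readable file, which is exactly what Crack wants.
    $2 == ""                                 { printf "EMPTY-PASSWORD %s\n", $1 }
    $2 != "" && $2 != "x" && $2 !~ /^[*!]/   { printf "HASH-IN-PASSWD %s\n", $1 }
    # Field 3: the kernel only knows UIDs, so any UID 0 account is root,
    # whatever its login name says.
    $3 == 0 && $1 != "root"                  { printf "EXTRA-UID-0    %s\n", $1 }
  ' "$1"
}

demo() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
legacy:AbCdEfGhIjKlM:1002:1002::/home/legacy:/bin/sh
broken:x:1003
EOF
  audit_passwd "$f"
  rm -f "$f"
}

demo
```

A clean system produces no output at all. Anything it prints is either a misconfiguration (HASH-IN-PASSWD, EMPTY-PASSWORD) or a possible backdoor account (EXTRA-UID-0), and pairs naturally with diffing the file against a known-good copy.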


Linux Password Cracking

Ophcrack – the tool shown on the slide. It is a rainbow-table cracker aimed mainly at Windows LM/NTLM hashes; for the salted crypt hashes found in /etc/shadow, John the Ripper is the usual choice.


System Logs

/etc/syslog.conf says where each class of message (facility.priority) goes. The destination can be a local file or a remote log host (written as @host); the remote copy is the one that survives an intruder who gets root and cleans up.

Syslogd is the syslog daemon (rsyslog and syslog-ng are its modern replacements and keep the same idea). Typical log files: /var/log/syslog, /var/log/secure, /var/adm/messages, /var/adm/syslog.dated/current/kern.log.

Login accounting: utmp (who is logged in now), wtmp (login and logout history), lastlog (last login per user). Older Unix keeps them as /etc/utmp, /etc/wtmp and /etc/lastlog; Linux uses /var/run/utmp, /var/log/wtmp and /var/log/lastlog. They are binary records, read with who, last and lastlog rather than an editor.
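An added example, not from the slides, that reads a syslog.conf in the classic "selector action" layout described above and says where each selector goes, ending with whether any destination is a remote host. That last line is the finding: a box whose logs are only local keeps no record an intruder with root cannot rewrite. The sample configuration and the host name loghost.example.com are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: classify the destinations in a
# syslog.conf (facility.priority selector, then action). The sample config
# written by demo() is constructed. On a real system:
#   audit_syslog_conf /etc/syslog.conf   (or /etc/rsyslog.conf)

audit_syslog_conf() {
  awk '
    /^[[:space:]]*#/ || NF < 2 { next }    # comments, blank or incomplete lines
    {
      selector = $1; action = $2
      kind = "user-tty"                     # a bare name is a user to write to
      if      (action ~ /^@/)     kind = "remote-host"   # @host or @@host (rsyslog TCP)
      else if (action ~ /^-?\//)  kind = "local-file"    # leading "-" = no fsync (Linux)
      else if (action ~ /^\|/)    kind = "pipe"
      else if (action == "*")     kind = "all-users"
      if (kind == "remote-host") remote++
      printf "%-32s %-12s %s\n", selector, kind, action
    }
    END { printf "remote logging: %s\n", remote ? "yes" : "NO" }
  ' "$1"
}

demo() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed syslog.conf for the demo
*.info;mail.none;authpriv.none   /var/log/messages
authpriv.*                       /var/log/secure
kern.*                           -/var/log/kern.log
*.emerg                          *
auth.*                           @loghost.example.com
EOF
  audit_syslog_conf "$f"
  rm -f "$f"
}

demo
```

The same idea applies to the login records: a remote syslog line for auth and authpriv is what lets you reconstruct logins after wtmp on the compromised host has been edited.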