• 0900-1030 - class
• 1030-1050 - break
• 1050-1200/1215 - class
• 1200-1330 - Lunch
• 1330-1500 - class
• 1500-1520 - break
• 1520-1715 - class
• 1715-1900 - Bootcamp

• color coding scheme
  • Red - external
  • Yellow - DMZ
  • Green - internal
• left interface usually external interface

• LAN - Local Area Network
• MAN - Metropolitan Area Network
• WAN - Wide area network
• Internet
• PAN - Personal Area Network

• Physical
  • Bus - older
  • Ring - older
  • Star - most popular
• Logical
  • Ethernet
  • Token Ring

• Baseband shared media network.
• CSMA/CD - carrier sense, multiple access with collision detection
• the most common layer 2 protocol
• A Chunk of data transmitted over the wire is called a frame
• Uses 1500 byte frame size
• GigE networks utilize Jumbo Frames. Large numbers of small frames will cause problems on GigE.

• Communications is token based
• Not common with client computing
• Large mainframes where each system needs to communicat in a predictable manner still use this technology

• Older protocol
• Encapsulates common protocols
• Like combining Ethernet and IP
• expensive to set up, not seen on LANs
• efficient for video streaming
• commonly used for establishing high speed backbones over significant distances

• Dedicated lines
  • T1 or T3
  • E1 or E3
• Frame Relay
• MPLS - IPv6, VoIP, IP Video – considered a replacement for Frame Relay and ATM
• ISDN - any ISDN could possibly call any other ISDN providing a backdoor attack
• DSL
  • Distance limitations
• Cable Modems
• WAN

• Category 1 and 2
• Cat 3 10Mb
• Cat 4 16Mb
• Cat 5,5e 100Mb-1Gb
• Cat 6
• Network Taps
• Vampire Taps

• +TX to +RX
• -TX to -RX

• Hub
• Bridge
• Switch - can be flooded and turned into a hub. Newer devices not susceptible.
  • ettercap
  • dsniff
• Router - Drops traffic if it does not know where to send it.

• block-all-icmp cannot (should not) be done on IPv6
• ping
  • ECHO REQ →
  • ECHO REP ←
  • sending an inbound ECHO REP can let a hacker map networks blocking ECHO REQ, because the router sends host unreachable. If the machine exists, the reply will just be dropped, indicating the existence of a machine.

• can be used to switch an attacking machine to a virtual “jail”.

• Publish separate mail, Web and DNS servers to the Internet
• Provide appropriate access from the internal network to the Internet
• Protect the internal network from external attaccks
• Provide defense-in-depth
• Protect all aspects of the system

• Public - Internet
• Semi-public(DMZ) - Web, Mail, DNS servers
• Private - Internal Systems
• Locate firewalls:
  • Between the Internet and the other networks
  • Between the semi-public and private network
  • Between sections of varying trust levels

• Three basic purposes
  • to standardizw the format of communication
  • to specify the order or timing of communication
  • to allow all parties to determine the meaning of a communication
• Protocol Stacks - The layered protocols involved in communication

• International Standards Organization (ISO) Open Systems Interconnect (OSI)
• Application - Layer 7
• Presentation - Layer 6
• Session - Layer 5
• Transport - Layer 4
• Network - Layer 3
• Data - Layer 2
• Physical - Layer 1

• Encapsulation passes information to each layer
• Each layer adds header information
• The previous layer's headers are the current layers data

• Version field tells IPv4 or IPv6
• Protocol can be a user defined number by a hacker
• TTL Time to Live, router hops counts
  • Decremented each time and is discarded once the count reaches 0
  • Can tell how far away in router hops.
  • TTL can tell if a packet has been spoofed. If you expect a close route and receive a high count, something is wrong or intercepted (man in the middle).
• Fragment Offset
  • 1500 bytes is generally the MTU. Anything longer will need to be put back together once received.
  • crafting the offset value can cause bytes to overlap and change the value.
• IP addresses
• Identity Match - commercial SSN finder

• network and Host portions

• Class A address - 1-127
  • N.H.H.H
  • 255.0.0.0
  • /8
• Class B Address - 128-191
  • /16
• Class C Address - 192-223
  • N.N.N.H
  • 255.255.255.0
  • /24

• CIDR provides a shorthand like /16
• 172.20.0.0/16
• the 16 is how many bits are allocated to the network address

• all 1's for the host portion
• older networking hardware will interpret all zeros as broadcast
• 172.20.15.0/24 broadcast is 172.20.15.255
• Limited Broadcast - 255.255.255.255 limited to local network
• smurf attack based on Windows 95 stack vulnerability from broadcast flood

• 10.0.0.0
• 172.16.0.0
• 192.168.0.0

• using NAT on wireless does not buy you anything because a sniffer can read the internal IP's

• Mac address
• IP address

• Hacker in the '90's would respond to arp requests and be man in the middle.

• Static host tables

• Gethostbyname
• Gethostbyaddr

• Attacks
  • Cashe poisioning
  • Denial of service
  • Footprinting - information leakage
  • Registration spoofing
• Defenses
  • Keep DNS software up-to-date
  • Distribute aurhoritative DNS servers
  • Limit zone transfers (Never allow this)
  • Register with reputable registrars

• split dns
  • external
    • only authoritative for your domain name
    • randomize query id's
    • only recursive for your internal dns server
    • don't allow zone transfers
  • internal
    • always does recursion on external

• 128 bits

• IPv4
  • 32 bits, 4.2 billion addresses
  • no authentication
  • Encryption provided by applications
  • Best effort transport
• IPv6
  • 128 bits, 240 undecillion addresses
  • Provides authentication of endpoinots
  • Support for encryption in protocol
  • Quality of Service (QoS) features provided in the protocol

• divided in three portions
• Network prefix (48 bits)
• Subnet ID (32 bits)
• Interface ID (64 bits)

• connectionless communications

• (Multimedia/VoIP) streaming
• multicasting is required
  • transmission is expected to occur on a reliable network.
• TCP is fundamentally incapable of multicasting
• DNS
• Common protocols:

• Offers flow control to handle network congestion
• Allows for transmission of larger amount of data per packet
• Guaranteed delivery of transmitted dtat is more important than speed
• offers better

• bounce attack can allow access to FTP through firewall

• google “FTP Bounce attack”

• SYN, SYN/ACK, ACK

• session hijacking can be accomplished by sending a duplicate frame number which will cause the receiver to discard the old frame
• hunt 1.5 is a tool to hijack telnet or tcp sessions

• Mask
  • SYN 02
  • SYN/ACK 12
  • ACK 10

• an attacker could open a session then disconnect leaving an outbound port open
• graceful close is 4-way
• Abrupt closure RST/ACK in either direction

• Because closure occurs based upon a single packet, be sure to validate the packet was not spoofed
  • Check Sequence/Acknowledgment numbers

• two purposes
  • report errors
  • provide network information

• ICMP Payload usually contains the header of the packet that failed
• Payload can contain anything
• tools that cross firewall
  • icmptunnel
  • httptunnel
  • smtptunnel
  • loki is an old tool that used the icmp tunnel

• be most concerned about icmp being used as covert data channel

• Unix traceroute uses UDP packets
• Windows tracert uses ICMP

• airpcap wireless
• ettercap dcap for wired networks

• The technique of sniffing traffic on a switched segment has been discussed for some time. …dsniff

• -s entire packet
• -vv
• -nn

• some extra fields
  • Flag
  • Sequence numbers

• Safety trumps security
• oftcrack
• backtrack

router example - put in

• no ip source routing
• no ip directed broadcast

• application flaws should be known to the user for them to make the decision on how to proceed.
• the informed user is a safe user

• Data
• Application
• Host
• internal network
• perimeter
• Physical security

• Risk = threat x vulnerabilities

• Confidentiality
  • Pharmaceuticals
  • soft drink manufacturers
• Integrity
• Availability

• Primary Threats:
  • Malware
  • Insider
  • Natural disasters
  • Terrorism

• known
• unknown - “zero day”
• unpatched systems
• mis-configured systems

• inserts itself in existing code

• similar to com infectors

• a 1×1 document that points to a remote site which records a log entry indicating the document has been opened.
• cnn.com use techniques like this all the time.

• Attack systems through known vulnerabilities
• scan for more systems to attack
• used to build botnets

• search for lrk4 lrk5 lrk6 to find these rootkits

• backdoor access
• leaking of data

• Activity monitoring
• malware scanners
• File and resource integrity checking
• Stripping e-mail attachments - can cause business practice problems
• Remember defense-in-depth
• Patch all systems
• turn off unused services

• paper on problems with voting machines

• Protect people who are trying to do the right thing

• if an organization does not have this is will cost money maybe in fines

• Presumption of privacy
• physical search
• Trust for all connections initid inside the organization
  • no egress filtering

• A high level policy should not address specific technologies

• make sure there is a way to enforce the policy. For instance each user should be responsible for activities from an account.

• SMART

• consistent with law, regulations?

• Maximum tolerable downtime MTD

* several machines may be part of a single system, such as an Oracle system

• it is the data owners job to determine if the data is sensitive.

• Identity
• Authentication
• Authorization
• Accountability

• Angels and Demons ←-movie

• Least Privilege
• Need to Know
• Separation of Duties
• Rotation of Duties

• Discretionary
• Mandatory
• Role-based
• Ruleset-based
• List-based
• Token-based

• best stored as irreversible hashes

• crack for unix systems used the dictionary to create hashes and compared to the password file

• Quality of algorithm
• etc…

• Dictionary attack
• Hybrid attack
• Brute force
• Precomputation brute force (Rainbow attack)

• ntds.dit

• ophcrack website has pre-made tables

• check the passwords!

• Preparation..2-181
• Identification..2-183
• Containment..2-188
• Eradication..2-190
• Recovery..2-192
• Lessons Learned..2-194

• Criminal Law
• Civil Law
• Others
  • GLBA, SOX, HIPAA, PCI

• Computer Fraud and Abuse Act

• Computer Security Act of 1987
• US Privacy Act of 1974
• ECPS 1986
• HIPAA

• base business decisions on logs will show the logs are used for important purposes.
• 18 month retention allows 6 months to do a 1 year log review.

• md5sum

• Search Warrant, comply immediately
• supeana contact local authority first

• POST Actions sends form data in http headers
• GET action post form dta appended with URL

• 99% of problems are input validation problems
• accunetics (commercial), paros (free)

• basic mode uses base64 encoding
• digest used encryption

http://www.giac.org/proctor/kryterion.php

• Reconnaissance (r utilities, rlogin, rshell)
• TCP/IP sequence number prediction attack

• Finger gives information about users and accounts

• SYN Floods B

• IP spoofing attack

• The Attacker, pretending to be B, uses the predictable response to open a connection

• Attacker sends expected ACK wut fake SRC IP Address to establish a connection

• Sends rshell packet '“echo ++”>/.rhosts' to open the victim to accept any login
• Then, Attacker uses '# rlogin -l root' to takover “A”

• disable finger

• tripwire
• aide

• Logic Bombs
• Trojan Horses
• Trap Doors
  • Embed malware in something that looks like a music file.

• Smurf
• SYN flood
• DDoS Attacks

• stealing hard drives

• poorly coded applications
• extra code placed in buffers can be used to execute attack code
• The Shellcoder's Handbook 2nd or 3rd edition

• buffer, heap, stack
• “Smashing the Stack” paper on topic

• bombard with passwords

• vendor can have access to machine

• rootkit.com

• Protecting systems from attempts to exploit vulnerabilities

• protects unwanted services
• logs

• Attacks at the application layer may sneak through
• Dial-up, VPN extranet can bypass.

• firewall protect in one direction only
• Ingress
• Egress

• what happens if the state table fills up
  • DoS or Stateless

• wireless allows anyone to sniff addresses behind NAT

• Old document on firewall configuration

http://www.security.vt.edu/lockitdown/Firewall_Ports_and_Protocols_Summary.doc

• 80, 1494 are only needed now for Citrix server

• system that has no legitimate purpose for someone to connect.

• Provides insight

• Way too time consuming

• nc -l -p 80 -n -o hexcapture.txt >port80-listener.txt

• simulate network

• Steve Gibbson - Shields up

• P2P
• bounce a scan off an internal machine

• ids.cirt.vt.edu

• allows crafting packets with illegal flag settings

• nmap -A -T4 testip

• system fingerprinting based on responses to various requests

• only scan systems you own
• the difference between a hacker and a vulnerability scan is permission

• scan when you can respond

• Freeware scanner.
• grand daddy of all scanners

• Windows

• Linux

• identify phone modems and see who answers to find an entry point

• Core Impact
• metasploit auto pwn

• sec 503 Sans intrusion detection

• true positives, False Positive
• True Negative, False Negative

• passive sensor, a sniffer

• to attack a signature, alter the signature

• requires an understanding of what “normal” is

• things like it's not possible to have SYN and FIN set at the same time

• Early were local only with no way to collect logs.

• Tripwire

• logcheck

• Zone Alarm is Randy's Favorite

• Host based Intrusion Prevention System

• to test, use hping
• Port Sentry

• network-tools.com/analyze
• FastDial add on for Firefox

http://www.security.vt.edu/playitsafe/riskassessmentresources.html

• Nexpose commercial vulnerability scanner
• Hawki asset manager

• ip2location.com
• dnsstuff.com

• means hidden writing
• plaintext is a message in its original form
• Ciphertext is a message in its encrypted form
• David kann, “Codebreaker”

• never believe in a secret pro proprietary cryptographic algorithm

• large key lengths do not ensure security

• symmetric crypto system uses the same key to encrypt and decrypt

• substitution
• Permutation
• Hybrid

• Usenet uses ROT-13

• ECB
• CBC
• CFB
• OFB

• could be used for VoIP

• Secret Key
  • Symmetric
  • Single or 1-key encryption
• Public Key
  • Asymetric
  • Dual or Two key encryption
• Hash
  • One-way transformation
  • No key encryption

• AKA “Secret Key” Encryption
• DES
• Triple-DES
• RC4
• IDEA

• “Public-Key” Encryption
• RSA
• EI Gamal
• ECC

• Agree on a large prime number, n
• generator number, g
• …
• algorithms like this are not unbreakable, just not in a reasonable amount of time

• No Key
• Primary Use: Message integrity
• “weaknesses in oracle password algorithm”
• a weakness involves multiple strings resolving to the same hash.
  • marchany, marchan, marcha all could give the same hash. This is bad

• hides message in another, like a message in a picture

• need Host to carry the message, an image or sound file

• Injection..4-47
  • antiword - retrieves deleted text in a Word document
  • hydan
• Substitution..4-49
• Generate New File..4-46
  • spammimic.com

• xrite.com Online color Challenge

• Tractable problems
• Intractable problems, cannot be solved in a reasonable time..4-58
  • factory primes
  • solving the discrete logarithm problem (El Garmal)..4-61
  • Computing Elliptic curves (ECC)..4-63
    • low power consumption would be useful on cell phones, pda's

• began in 1975 (same time Randy started at Tech)
• O'Riely “Cracking DES”

• Advanced Encryption Standard
• round is the number of iterations within the algorithm

• DVD encryption secrecy resulted in a crackable system
• seed numbers make an algorithm secure

• center part of SSL
• cracked system have been insecure keys or small key length

• speed. DES is about 100 times faster

• PDA's smart phones, appliances, smart cards

• important when evaluating vendor encryption
• bigger may not be better
• compare sysmetric systems with symetric systems

• known plaintext attack
• chosen plaintext attack
• Adaptive chosen plaintext attack
• Ciphertext only Attack
• Chosen ciphertext attack
• Chosen key attack

• pairs of messages might share the same hash

• Data in Transit - VPN's
• data at rest - PGP
• Key Management - PKI

• private network

• data encrypted at on end, cyphertext is transmitted
• endpoints are the weakness

• must trust the other end

• IP Security Standard for VPN's
• the term gets blurred with a Windows term

• authentication header (AH)
  • ICV computation , AH includes every field that does not change from source to destination
• Encapsulation Security Payload (ESP)
  • encrypts the entire message including the header

• tunnel mode (site to site VPN's)
  • entire ip packet
• transport mode (client side)

• requirements for procurement..4-113 *

• ssh
• L2TP
• SLIP
• PPP
• SOCKS

• Phil Zimmerman
• entire disk vs file-by-file

• data encrypted to be transmitted

• repository of digital certificates that is vetted by some personal identification.
• root CA
• Intermediate CA
• Issuing CA
• implementation
  • Microsoft Certificate Services
  • Entrust Authority
  • Verizon / Cybertrust UniCert PKI
  • OpenSSL

1. Client Web Request
2. Server Responds
3. Client validates certificate & Crypto ( this is the step the client can cause failure by accepting the cert)
4. Client encrypts the session dey
5. Session key exchange
6. Server decrypts the session key
7. Encrypted messages are exchanged

• Microsoft BitLocker..4-148

• Certificate Authorities
  • expense
  • certification of the CA

• www.pki.vt.edu

• PDA's
• Mobile Phones
• Laptops
• Pagers
• HVAC Control Units
• traffic signals
• power meters

• Healthcare
• Financial
• Academia
• Factroies/Industrial
• Retail
• Wireless Internet Service Providers

• 4-16 byte pin
• default 0000 or 9999

• hackfromacave.com - John Paul's security tools

• hcitool bluez-hcidump
• merlin and frontline are commercial sniffers

• non-advertise mode
• change pin
• Josh Write utube - Eavesdropping on Bluetooth headsets
  • carwhisperer
• bluesnipper
• gumstick computer

• HVAC
• product tracking
• medical device monitoring
• Industrial sensors
• Home automation

• 10-75 meters
• 868 MHz, 915 MHz, 2.4 GHz
• low power consumption, goal of 10 year service

• airsnort has been replaced by aircrack (aircrack-ng)

• wellenreiter - listens for mac address and spoofs the address for wireless access

• use strong encryption in the lowest layer protocol possible
• Design you wireless networks with caution- minimize coverage area
• Audit with a sniffer

• Use SSL/TLS
• Educate users on the danger of clicking “Yes” to digital certificate warnings ←-Joke?

• detection tools:
• kismet
  • get_essid

• Phone can be routed and transmitted over the network.
• can be any combination of analog telephone adapter, IP telephone and Computers.

• External attacks
• Internal Misuse
• Theft
• System Malfunction
• Service interruption

• Media Gateways
• Registration and location servers
• Messaging servers
• End user devices: VoIP phones, softphones

• H.323, SIP

• …
• H239

• alternate to H.323

• base protocol decision on need. reliable connection would require TCP

• CID spoofing. privacy attacks
• Phone impersonation

• Call Hijacking

• security focus article#1862 http://www.securityfocus.com/infocus/1862

• google voice

• bing bird's eye view
• pipl.com
• governmentrecords.com
• magtech software for reading and writing magnetic cards

• Intelius
• County Court House records

• google searches

• steganographic tools
  • bmp
  • gif
  • wav

• hide information inside
  • jpeg
  • png
  • bmp
  • html
  • wav
• DOD-compliant shredder
• 30 day demo
• added features cost extra

• xsteg is gui front end for stegdetect
• detects stego from the following:
  • jsteg
  • outguess
  • jphide
  • invisible secrets
  • f5

• tiddlywiki java script and css http://www.tiddlywiki.com
• articles to google:
  • How Mitnick Hacked Tsutomu Shimomura with an IP sequence attack
  • Best Practices for “Forgotten Passwords” Feature
• truecrypt
  • only one person gets rw access, all others ro
  • put hidden volume inside a visible truecrypt volume (plausible denyability)
• pgp netshare gets around the rw limitation of truecrypt
• http://security.vt.edu/findssnccn.html
• http://securiosities.org/tag/secret-question/

• Windows Mobile
  • not socket access, so no sniffers available

• xp home used to ship with a blank admin password
• sp2 started shipping with security features enabled

• same code base as vista
• Powershell
• Hyper-V

• no raw socket support, so no sniffer cannot be written for it
• therefore, no IDS would be available
• showing up in embedded systems
• Windows Mobile security Best Practices..19 *

• no domain controller

• Users are creatively careless

• wmic
• netsh

• SIDs for common accounts are well known, like Administrator and Everyone
• changing the name of these common accounts is a minimal security gain
  • it might lessen the brute force attacks
  • it could also lessen the log entries

whoami.exe /all /fo list

• master database for machines and users
• similar to nis+
• partial list of what can be stored in Active Directory..5-36 *

• 4 parts of SAT..5-37 *

• default authentication protocol
  • NTLM only used when necessary
• ticket encrypted based on the user's passphrase
  • vulnerable to brute-force cracking, last paragraph..40 *
  • http://ntsecurity.nu

• ..43 2nd paragraph http://www.microsoft.com/activedirectory

• GPO's applied at boot-up, Logon and 90-120 minute intervals

• It's a Giant Patch
• Do staged roll-outs and check for problems

• nlite helps with this

• microsoft.com/security

• http://vtnet.vt.edu

• http://www.windowsitpro.com
• for remote offices heise or disconnected remote site

http://www.h-online.com/security/Do-it-yourself-Service-Pack--/features/80682

• ntbackup.exe came from veritas

• Windows 7 will allow system state over the network

• robocopy (Vista/2008/7)
• wbadmin (2008)

• system restore snapshot times

To clean up a new system

• http://www.pcdecrapifier.com/

• by default, deny overrides allow
• inherited..5-103 *

• needs analysis

• net help share

• calculate effective permissions of user

• default is enabled

• medium is default

• ..5-130,5-132 *

• can prevent Linux boot disk access
• cipher.exe

• motherboard failure would render data inaccessible.

• …the decryption key is stored in plaintext on the drive

• keep track of the template directory with tripwire.
• CIS scoring tool..5-162,5-163

• there is no Un-Do

• activestate.com
• loopback policy processing mode

• if there is a conflict between user and computer, usually the computer wins

• gpupdate /force /sync

net.exe use \\address\IPC$ "" /user:""
* null users not used as much on later OS's

• Don't use!

• Randy does not recommend 4 or 6 on the slide

• Windows 7, AppLocker

• folders with Low MIC label assigned “low” contain low in name

• Internet Zone
• Trusted Sites Zone..5-203
• SmartScreen filter and XSS Filter

• Service Applet
• Security Template
• GPO
• SC.EXE

• Windows XP services that can be disabled http://www.digitalmediaminute.com/article/1841/windows-xp-services-that-can-be-disabled
• blackviper http://www.blackviper.com/

• restrict to campus or subnet
• don't let requests off campus or subnet

nbstat.exe -A ipaddress

• refer to table on page 5-223 *

• SMB TCP/139/445
• RPC TCP/135
• LDAP TCP/389/636/3268/3269
• Kerberos TCP/UDP/88

• Order Firewall Rules are processes..5-235,5-236 *

• never use PPTPv1 or NTML
• these could be required by embedded devices that cannot be updated

• Windows VPN Client..5-247

• the gui is almost required to get it to do anything

• very important
• makes backup easier

• Validate and sanitize all user input before letting it touch the server

• TCP port 3389

• Investigate Citrix as a cross-platform alternative

wmic.exe process list full

• netsh.exe

• whatsrunning http://www.whatsrunning.net/
• activeports

• windowsitpro.com has tutorials

• http://www.windowspowershelltraining.com/downloads/scripts.zip

• event log scanning tools
• ossec http://en.wikipedia.org/wiki/OSSEC
• Microsoft log parser http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx

• running security tools and monitoring logs will help reveal what the logs will look like with a certain attack. Signature.

• kb183097

nmap SYN: -sS, UDP: -sU, Xmas: -sX, FIN: -sF

• Free Opensource Ghost http://www.fogproject.org
• http://www.hfslip.org for slipstreaming xp, 2003
• nLite, vLite

• the most important thing to protect from a security point

• the root structure is independent of drives

• only one root denoted by /

• three basic shells
  • sh was native shell

• sh
• csh
• bash
• ksh
• tcsh
• for windows, COMMAND.COM

• pwd..6-13
• cd..6-14
• ls..6-15
• touch / clear..6-16
• cat..6-17
• mv..6-18
• cp..6-19
• mkdir..6-20
• rmdir..6-21
• rm..6-22
• su..6-23
• find..6-26
• grep..6-27
  • generic regular expression program
• man

• vms moved from DEC to windows NT (vms→wnt one letter off) (ibm→hal one letter of Arthur C. Clarke's Space Odyssey saga)

• ls -l
• - regular file
• d directory
• l link
• c
• v

• w implies delete
• x execute, or list directory

• permissions have different meaning if the target it is a file or or a folder

• chmod..6-32
• setuid..6-33
  • run program with owner's permission
  • for example passwd modifies /etc/passwd, which is not writable by users.
  • don't have shell scripts with suid set, especially if the owner is root. Aborting the shell will leave the system in root shell.
  • 4 suid, 2 sgid, 1 sticky
  • capital S means x is not set
• chmod..38 chmod nnnn <filename>
• chown/chgrp

• newgrp
• groupadd
• groupdel

• gpasswd..6-42

• id..6-44

uid=500(steve) gid=500(steve) groups=500(steve) context=user_u:system_r:unconfined_t

• Hash string stored in passwd file
• @Large book on password cracking

• AIX
  • /etc/passwd
  • /etc/security/passwd
• Free BSD
  • /etc/passwd
  • /etc/master.passwd
• HP-UX
  • /etc/passwd
  • /etc/files/auth/root
• LINUX(RedHat) & Solaris
  • /etc/passwd
  • /etc/shadow

• some flavors - adduser

• /etc/login.defs
• /etc/default/useradd

chage -l <user>

ps -aux |more

• User
• PID
• %CPU
• %mem
• vsz
• stat
• start
• time
• command

• 1st stage is MBR
• 2nd stage

• lilo
• grub

• rc files and directories
• scripts in /etc/init.d
• rc directories have links to these scripts

• solaris 10 uses smf instead of rc

• list services at each run level

• at boot time
• automatically by inetd/xinetd
• cron
• command line

• File sharing - NFS and samba
• Naming - NIS/NIS+, DNS
• RPC
• internet

• UDP port 2049

• different machines can have different users with the same UID

• uses smb to share with Windows clients

• DNS server check cache first the goes out to root servers

• used to be called Yellow Pages (yp)

• lockd
• statd
• automountd
• rsh
• rcmd and rexd

• gave a method for access control for services started with inetd

• showing use of log files for business decisions will validate confidence in logs even for legal matters.

• /var/log/wtmp
• logins and logouts
• last command pulls from here

• w, finger and who
• updated by login program

• /var/adm/sulog

• /etc/syslog.conf

• Facilities..6-123
• Levels..6-124
• Actions..6-125

• rpm -q <pkgname>
• rpm -initdb
• rpm -rebuilddb

iptables -L -n

• Boot Loader Password
• ps
• Netstat
• SELinux
• AppArmor

• AppArmor

• center for internet security cis tool http://www.cisecurity.org/
• katana http://www.hackfromacave.com
• ronin@shadowcave.org