Ethical Hacking Computer Science Innovations, LLC
Post on 25-Dec-2015

Page 1: Ethical Hacking Computer Science Innovations, LLC

Ethical Hacking

Computer Science Innovations, LLC

Page 2: Ethical Hacking Computer Science Innovations, LLC

Overview

Define Security.

Discretionary Access Control.

Trusted Computer System Evaluation Criteria (TCSEC) - Orange Book, 1984, by MITRE Corporation. Basis for all we do in Security.

Define Security, and how we measure it.

Page 3: Ethical Hacking Computer Science Innovations, LLC

Long-term goal

Given a System, X, tell me the security level. C2, B1, PL3, PL3+

What does the security level imply? It implies, what you can do with the system. Says Who? Commercial world – Underwriter? What's an Underwriter? Quantify? Insurance Companies.

Page 4: Ethical Hacking Computer Science Innovations, LLC

The Present Situation

If I am Responsible for System, X, how do I bring it into Production?

Someone must Approve. Somebody must assume risk. Who is that? Insurance company DOD Adjudicator. Someone who assumes the risk.

Page 5: Ethical Hacking Computer Science Innovations, LLC

Development up to present

If your system, and you, are well defined; if your security model is simple and based on standards; if you speak the same language as the decision maker, then it is easier to get someone to put their neck on the line. Einstein said, If I saw further than others it is because I was standing on the shoulders of Giants.

Page 6: Ethical Hacking Computer Science Innovations, LLC

Goals

Einstein said, As simple as possible, but no simpler.

If you cannot explain it simply, you do not understand it well enough.

Any fool can make things more complex it takes genius to find the simplicity.

Great science is simple.

Page 7: Ethical Hacking Computer Science Innovations, LLC

Science Being Simple

Computer Science – Simple seems to win.

P-V Semaphore --- Seven lines of code.

Google ---- Processing Paradigms....

Simplicity in processing.

Map/Reduce …. Solr...

Open Source......

Page 8: Ethical Hacking Computer Science Innovations, LLC

Definitions

Levels of Security. Lowest is D... Not even discussed. Next level up is C... C1 and C2. C1 and C2 rely on Discretionary Access Control. Next level up is B1, B2, B3, which are largely related. The B level uses Mandatory Access Control.

Page 9: Ethical Hacking Computer Science Innovations, LLC

Use of Definitions

The same definitions are used for Commercial as for Government.

In other words, there is just one Security. There is Computer Security, used in different areas. What is Discretionary Access Control?

Page 10: Ethical Hacking Computer Science Innovations, LLC

Discretionary Access Control

Concerns itself with Named Subjects accessing Named Objects.

So what is a Subject.... Someone or something wishing to access a computer object.

You accessing your email. The Subject --- You. The Object Email.

What does Concerns Itself with Mean?

Page 11: Ethical Hacking Computer Science Innovations, LLC

Subjects and Objects

Access Control... Can the subject read or write the Object? That is one thing we are concerned with.

Auditing... What did the subject do on June 30th? Who are the subjects that accessed my mail.

Assurance – How can I be guaranteed that all access to the data has access control and auditing? And... does my model work?

Page 12: Ethical Hacking Computer Science Innovations, LLC

Access Control

Access Control has some pieces.... What are the pieces? The first two are Identity Assertion and Role Gathering. Systems do this. We knew this in 1984... This is not new and pre-dates the Internet.

Page 13: Ethical Hacking Computer Science Innovations, LLC

Identity Assertion

Eminem – I am who you say I am. How do you find out your identity? Google... Username and Password. Google... Additional Security through a Token. Show Something About yourself: Biometric Devices. Prove who you are.

Page 14: Ethical Hacking Computer Science Innovations, LLC

How Do We Do Identity Assertion

Diagram: Browser <---> Web Server (www.bankofamerica.com). The server asks: Do I have a session?

Page 15: Ethical Hacking Computer Science Innovations, LLC

How Do We Assert an Identity

Username and Password

Sitekey

Identity Asserter is username and password.

Google --- username and password.

Challenge ---> send a key to cell phone

Biometrics... cheap....

Page 16: Ethical Hacking Computer Science Innovations, LLC

Identity Assertion

Identity Asserters must be pluggable. What does that mean? It means if I change the Identity Asserter, I do not need to change the software. Best Practice... Run the software with two different Identity Asserters without changing, compiling or writing Software.

Page 17: Ethical Hacking Computer Science Innovations, LLC

Role Gathering

Diagram: Browser ---> Web server. The web server asserts identity, then gathers roles.

Page 18: Ethical Hacking Computer Science Innovations, LLC

Role Gathering

Having proven who I am.... What can I do? The Roles dictate what you can do. So if my role is Administrator... I can do a lot. If my role is Guest... I can do a little. Show me what you mean. Ok. Let's do a practical Example.

Page 19: Ethical Hacking Computer Science Innovations, LLC

Where do We See Roles

Web applications.....

Web.xml

Directory ---- roles can work in the directory

Page --- useradmin ----> roles can see it are

Administrator....

Browser... look up web.xml roles..... See it.

Page 20: Ethical Hacking Computer Science Innovations, LLC

Practical Example - Roles

id

uid=1000(scott) gid=1000(scott) groups=1000(scott),27(sudo),30(dip),46(plugdev),109(lpadmin),124(sambashare),129(vboxusers)

Groups are Synonymous with Roles... Spec says.

They say what I can do. Use Plug in Devices Line Printer Administrator, Share Files...etc.

Page 21: Ethical Hacking Computer Science Innovations, LLC

What Happened?

Logged into my machine. Asserted my identity by username password. Gathered my roles. Determined what I can do. Why? It's the standard.

Page 22: Ethical Hacking Computer Science Innovations, LLC

Impromptu Lab

Go to your backtrack instance.

Username root

Password toor

id command

Page 23: Ethical Hacking Computer Science Innovations, LLC

Common Shortcomings?

Let's say you have a machine with a web server.

You have 5 people that are Web Server Administrators

What are your options? You can have a Group Account, or you can set up the machine to allow multiple people to update the Web Server.

Page 24: Ethical Hacking Computer Science Innovations, LLC

What is Wrong with a Group Account?

It violates Discretionary Access Control. Why? Named Subject, Named Object. NOT a Named Group containing many Subjects and a Named Object. Must be one to one – Person to Subject. Now Three More Topics for C2.

Page 25: Ethical Hacking Computer Science Innovations, LLC

Bringing Up A Web Server

Web Server ---- runs on port 80

Web Server ---- runs on port 8080

Ports < 1024 require Admin Privilege to Start Process.

Ports >= 1024 do not require Admin

Why do we care? Least Privilege....

Page 26: Ethical Hacking Computer Science Innovations, LLC

Have “Normal” Users Web Admin

So let's say --- Morris (Mo)... he is a web admin. Cheri is a web admin.... They are going to run as normal users... But they need to share the web server... and we do not want to violate DAC... So we need to separate them and keep Least Privilege...

Page 27: Ethical Hacking Computer Science Innovations, LLC

Separate Users

Step 1

Create a group per user

And create a shared group.

Users: Mo, Al.

webguys: the shared group.

Page 28: Ethical Hacking Computer Science Innovations, LLC

How To

root@companion:/opt# groupadd mo

root@companion:/opt# groupadd al

root@companion:/opt# groupadd webguys

root@companion:/opt# useradd mo -g mo -G webguys

root@companion:/opt# useradd al -g al -G webguys


Page 29: Ethical Hacking Computer Science Innovations, LLC

Three More Topics

Confidentiality: No one can listen in and gain information. Encryption.

Least Privilege: Very Very Important. Am I doing the action with the least amount of Authority? Don't work as Root or Admin.

Non-Repudiation: How can I not deny that I sent it?

Page 30: Ethical Hacking Computer Science Innovations, LLC

Confidentiality

https: Hyper Text Transport Protocol Secure. When you read your email are you on http or https? Log into your mail. Is it http or https? https.

Page 31: Ethical Hacking Computer Science Innovations, LLC

Least Privilege

I must work as a normal user, or I must work as an admin. Which is better? Why? Myself? Why? You don't mess up the system on purpose or by accident. Ports... https, which port is that? 443. Who do you have to be to work on 443? For ports less than 1024 you must be admin.

Page 32: Ethical Hacking Computer Science Innovations, LLC

How Do We Do Least Privilege With https?

The browser (Source) wants to communicate on 443.... Default. The system wants to use a normal user. So what happens? Your Firewall or Router maps 443 to 8443. So the Source requests 443, the System responds on 8443, and the Router maps them. Best Practice... Always map <1024 ports to >1024 to preserve Least Privilege.

Page 33: Ethical Hacking Computer Science Innovations, LLC

Outside World to Inside

Https in a browser it says communicate on 443

But we want least privilege … So how do we do that.

8443 on the local system.

We need our firewall/router administrator to set this up for us.

Page 34: Ethical Hacking Computer Science Innovations, LLC

Let's Look At This

Diagram: Browser (443) ---> Firewall (Al, Admin) ---> Web Server (8443).

Map incoming 443 to internal 8443 on a specific Server.

Page 35: Ethical Hacking Computer Science Innovations, LLC

Apache and Least Privilege

ubuntu@ip-10-204-147-104:~$ ps -ef | grep apache

root 3725 1 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start

www-data 3727 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start

www-data 3729 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start

www-data 3730 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start

ubuntu 3828 865 0 14:55 pts/0 00:00:00 grep --color=auto apache

ubuntu@ip-10-204-147-104:~$ sudo su -

root@ip-10-204-147-104:~# cd /etc/

root@ip-10-204-147-104:/etc# grep www-data passwd

www-data:x:33:33:www-data:/var/www:/bin/sh

Apache is not adhering to Least Privilege

Page 36: Ethical Hacking Computer Science Innovations, LLC

Let's Do It

Go to Amazon Web Services. Where .. Google it.

Use Scott's Account [email protected]

Password lakers

Create an Ubuntu 12.04 instance.

Page 37: Ethical Hacking Computer Science Innovations, LLC

Use Backtrack

Go to VMWare and start Backtrack. Login root / toor. Type dhclient. Type startx. Go to firefox. Login using your pem key. Then go to firefox on backtrack and do http://<amazon.machine.name>. You will get.... nothing running.

Page 38: Ethical Hacking Computer Science Innovations, LLC

What Happened

Security Group had to have ports 80 and 22 open.

You had to set permission on pem file as 400 meaning only the user can read it.

You ssh -i <pem.file> ubuntu@<amazon.host.name>

When you go to browser http://<amazon.host.name> nothing

So what are we going to do.. Apache runs.

Page 39: Ethical Hacking Computer Science Innovations, LLC

Next Step – Start Apache

Do an sudo apt-get install apache2 Take the defaults Go to the browser http://<amazon host name> you should see an “It worked!”

What port is it running as? 80

Do a ps -ef | grep apache

root@ip-10-204-147-104:/etc# ps -ef | grep apache

root 3725 1 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start

www-data 3727 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start

www-data 3729 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start

www-data 3730 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start

Page 40: Ethical Hacking Computer Science Innovations, LLC

Who is it Running As?

It was www-data. Who is www-data? Do a grep www-data /etc/passwd. What number is associated with www-data? 33, which is less than 1000, which is a root type user. Do we have least privilege? No. Why? Running as root and using port 80.
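The check the slides do by hand on Pages 35, 39 and 40 (which users a daemon runs as, and whether its port needs admin to bind), as an added example that is not from the course material. The apache2 lines are the slides' own ps -ef output; the tomcat line is constructed.

```shell
#!/bin/sh
# Added example: codify the least-privilege inspection from the slides.
# Input is the text of "ps -ef"; the apache lines come from the slides,
# the tomcat line is constructed to look like a Tomcat running as scott.
PS_SAMPLE='UID PID PPID C STIME TTY TIME CMD
root 3725 1 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 3727 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 3729 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 3730 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start
scott 10139 18578 0 14:55 pts/4 00:00:00 /usr/bin/java -Dcatalina.home=/opt/tomcat
ubuntu 3828 865 0 14:55 pts/0 00:00:00 grep --color=auto apache'

# Print the distinct users (sorted, space separated) whose command line
# contains $2, ignoring the grep that produced the listing and the header.
daemon_users() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        NR > 1 && index($0, pat) && $8 != "grep" { users[$1] = 1 }
        END { for (u in users) print u }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# True (exit 0) when binding the port needs admin, i.e. port < 1024.
privileged_port() {
    [ "$1" -lt 1024 ]
}

# Report for one daemon: who runs it, whether any process is root,
# and whether the port it listens on is a privileged one.
least_privilege_report() {
    ps_text=$1 name=$2 port=$3
    users=$(daemon_users "$ps_text" "$name")
    echo "$name runs as: $users"
    case " $users " in
        *" root "*) echo "$name: a process runs as root" ;;
        *)          echo "$name: no process runs as root" ;;
    esac
    if privileged_port "$port"; then
        echo "port $port: privileged, admin needed to bind it"
    else
        echo "port $port: unprivileged, a normal user can bind it"
    fi
}

# The two cases the slides compare: Apache on 80 and Tomcat/Solr on 8080.
# The slides' remedy for the privileged port is to map it at the firewall
# or router (443 -> 8443); on a Linux host one common form of that rule is:
#   iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
least_privilege_report "$PS_SAMPLE" apache2 80
least_privilege_report "$PS_SAMPLE" tomcat 8080
```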

Page 41: Ethical Hacking Computer Science Innovations, LLC

How For Lab

Classic wizard gives you different ones to choose from. Amazon gives you their own AMI default. Choose an instance of them.

Option to create a new key pair.

Custom TCP rule.

Allow all of 80 8080 22

Then lets launch it.

Need to take a list of it. Need to set the key to get it to log in.

Page 42: Ethical Hacking Computer Science Innovations, LLC

Unix Cheat Sheet

The command ls is the same thing as dir in windows

The command ps is process status and commonly used as ps -ef | more

Do a ps -ef | more

The command pwd is print working directory.

The command chmod is change mode.

The command chgrp is change user and group.

Page 43: Ethical Hacking Computer Science Innovations, LLC

DAC in UNIX

In Unix we get DAC out of the box. How do we do it? Named Subject.... logging in. You guys are root/toor – backtrack. How do we protect files? This is access control.

Page 44: Ethical Hacking Computer Science Innovations, LLC

Unix History

How did we get to Unix? Who created it? Brian Kernighan, Dennis Ritchie, Thompson. They worked for AT&T in New Jersey in the 70's. They had an idea. What if an operating system was created that worked on any hardware?

So they needed a hardware independent language – they called it C.

Page 45: Ethical Hacking Computer Science Innovations, LLC

Unix History Continued

AT&T gave it away for free. How many run Androids? Unix kernel. How many run iPhones? Unix. There are two flavors. System V – MIT – Linux. BSD – Berkeley – Cal Berkeley – Mac/OS. AT&T – Created this.

Page 46: Ethical Hacking Computer Science Innovations, LLC

Amazon Unix vs. Windows

Unix and Windows are both available in the Cloud.

The pricing difference is what? Windows is more expensive, differing by licensing costs. Access is a little different.

Page 47: Ethical Hacking Computer Science Innovations, LLC

Commands - Unix

Permissions wwwxxxyyy for a file or directory. Now let's define www: it has 3 digits, for RWE. So RWE is what... 7. Now www is for the user's permission, xxx is for the group's permission and yyy is for the world's permission. So if a file is 400, like a .pem file, what is that? 400 = 100 000 000, which is R------ (read only) at the owner level.

Page 48: Ethical Hacking Computer Science Innovations, LLC

More Permissions

So if I want a file to be Read and Write for the Owner (User) of the file and Read for the Group and Nothing for the world.

Let's do it together: www xxx yyy = U G O. The three digits are RWE: 110 100 000 = 6 4 0.

Page 49: Ethical Hacking Computer Science Innovations, LLC

Lab on Permissions

So..... A User may Read, Write and Execute. The Group may Read and Write. The Other may only Read. What is the pattern? Remember www xxx yyy, RWE, U G O: 111 110 100 = 7 6 4.

Page 50: Ethical Hacking Computer Science Innovations, LLC

So Back to Commands

The command ls -al gives a full listing. You can see the pattern.

So we have a couple more commands and we are done.

The command chmod 3DIGITS files changes the mode. chmod 777 allows all access.

The command chgrp user:group lets you set the owner.

Page 51: Ethical Hacking Computer Science Innovations, LLC

The World of Discretionary Access Control

Says I should have a way to protect my private files.......

Well, let's create two users, Chris and Dave. Chris should see Chris's files and Dave could see Chris's files, but only Chris can update Chris's files and only Dave can update Dave's files.

Page 52: Ethical Hacking Computer Science Innovations, LLC

Let's Do It

root@companion:/opt# groupadd class

root@companion:/opt# groupadd dave

root@companion:/opt# groupadd chris

root@companion:/opt# useradd dave -g dave -G class

root@companion:/opt# useradd chris -g chris -G class

So class is a shared group with two members, dave and chris.

So, dave has a primary group.... dave

So, chris has a primary group.... chris
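An audit of the layout built with groupadd and useradd on Pages 28 and 52 (a private primary group named after each user, plus membership in the shared group), as an added example that is not part of the slides. The passwd and group lines are constructed; chris is deliberately set up wrong so the check has something to find. Point PASSWD_DB and GROUP_DB at the contents of /etc/passwd and /etc/group to audit a real host.

```shell
#!/bin/sh
# Added example: verify the per-user private group + shared group layout.
# Constructed databases: mo/al follow the slides; dave is correct; chris has
# the shared group as primary group and is missing from the shared group's
# member list, the two mistakes the check is meant to catch.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
mo:x:1001:1001::/home/mo:/bin/sh
al:x:1002:1002::/home/al:/bin/sh
dave:x:1003:1004::/home/dave:/bin/sh
chris:x:1004:1006::/home/chris:/bin/sh'

SAMPLE_GROUP='root:x:0:
mo:x:1001:
al:x:1002:
webguys:x:1003:mo,al
dave:x:1004:
chris:x:1005:
class:x:1006:dave'

# Group name for a numeric gid (empty if no such group).
gid_to_name() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v gid="$1" '$3 == gid { print $1; exit }'
}

# Primary gid of a user from the passwd database (field 4).
primary_gid() {
    printf '%s\n' "$PASSWD_DB" | awk -F: -v u="$1" '$1 == u { print $4; exit }'
}

# Exit 0 when user $1 is listed as a supplementary member of group $2.
in_group() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Check one user against the layout. Prints findings; returns 1 on any violation.
check_user() {
    u=$1 shared=$2 rc=0
    pg=$(gid_to_name "$(primary_gid "$u")")
    if [ "$pg" != "$u" ]; then
        echo "$u: primary group is '$pg', expected private group '$u'"; rc=1
    fi
    if ! in_group "$u" "$shared"; then
        echo "$u: not a member of shared group '$shared'"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$u: ok"
    return "$rc"
}

# Run the audit over the constructed databases (report only, keep going).
PASSWD_DB=$SAMPLE_PASSWD
GROUP_DB=$SAMPLE_GROUP
for u in mo al;     do check_user "$u" webguys || :; done
for u in dave chris; do check_user "$u" class  || :; done
```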

Page 53: Ethical Hacking Computer Science Innovations, LLC

See DAC

The common area is called /opt... which is for optional software.

The command mkdir makes a directory.

root@companion:/opt# echo "hello" > chris.txt

root@companion:/opt# echo "goodbye" > dave.txt

root@companion:/opt# more chris.txt

hello

root@companion:/opt# more dave.txt

goodbye

root@companion:/opt# ls -al chris.txt dave.txt

-rw-r--r-- 1 root root 6 Jun 25 13:40 chris.txt

-rw-r--r-- 1 root root 8 Jun 25 13:40 dave.txt

Page 54: Ethical Hacking Computer Science Innovations, LLC

Chris and Dave – Private for Writing

Command chown user:group file

Command chown chris:chris chris.txt

Command chown dave:dave dave.txt

Command ls -al *.txt

root@companion:/opt# ls -al *.txt

-rw-r--r-- 1 chris chris 6 Jun 25 13:40 chris.txt

-rw-r--r-- 1 dave dave 8 Jun 25 13:40 dave.txt

root@companion:/opt# su - dave

No directory, logging in with HOME=/

$ cd /opt

Page 55: Ethical Hacking Computer Science Innovations, LLC

Lab

Create a private group for you and your partner along with a shared group.

Create a user for you and your partner with the private group as your primary group (-g) and the shared group (-G) as your supplemental group.

Add each user. Put a file in /opt for each user. Use chmod and chown to make the file globally readable but only privately writable.

Page 56: Ethical Hacking Computer Science Innovations, LLC

Bit Patterns for File Permissions

File www xxx yyy

The first w bit is 4

The next w bit is 2

The last w bit is 1

So if we have 111 what is that 7

So if we have rwe what is that 7

So if we have Read only that is 4
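The bit patterns above and the lab on Page 55 ("globally read but only private write"), turned into a check you can run over an ls -al listing. This is an added example, not from the slides; the listing lines are taken from the slides' output plus two constructed lines so that there are violations to find.

```shell
#!/bin/sh
# Added example: convert ls -l mode strings to the www xxx yyy octal pattern
# (4 = read, 2 = write, 1 = execute per triple) and flag files that are
# writable by their group or by the world, i.e. not "private write".

# One triple such as "rw-" to its digit.
triple_to_digit() {
    d=0
    case "$1" in r??)     d=$((d + 4)) ;; esac
    case "$1" in ?w?)     d=$((d + 2)) ;; esac
    case "$1" in ??[xst]) d=$((d + 1)) ;; esac   # s/t: exec plus setuid/sticky
    echo "$d"
}

# A 10-character ls mode string ("-rw-r--r--") to three octal digits ("644").
mode_to_octal() {
    u=$(triple_to_digit "$(printf %s "$1" | cut -c2-4)")
    g=$(triple_to_digit "$(printf %s "$1" | cut -c5-7)")
    o=$(triple_to_digit "$(printf %s "$1" | cut -c8-10)")
    echo "$u$g$o"
}

# Read ls -al lines on stdin; print "<octal> <owner> <name>" for every regular
# file whose group or world permission includes write.
private_write_violations() {
    while read -r mode links owner group size mon day time name; do
        case "$mode" in -*) ;; *) continue ;; esac   # regular files only
        oct=$(mode_to_octal "$mode")
        g=$(printf %s "$oct" | cut -c2)
        o=$(printf %s "$oct" | cut -c3)
        if [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
            echo "$oct $owner $name"
        fi
    done
}

# Constructed listing: chris.txt, dave.txt and the pre-chmod elijah.pem are
# the slides' own lines; notes.txt and the shared directory are made up.
SAMPLE_LS='-rw-r--r-- 1 chris chris 6 Jun 25 13:40 chris.txt
-rw-r--r-- 1 dave dave 8 Jun 25 13:40 dave.txt
-rw-rw-r-- 1 scott scott 1696 Sep 11 11:13 elijah.pem
-rw-rw-rw- 1 mo webguys 12 Jun 25 14:02 notes.txt
drwxrwxr-x 2 al webguys 4096 Jun 25 14:05 shared'

printf '%s\n' "$SAMPLE_LS" | private_write_violations
```

On a real host, `ls -al /opt | private_write_violations` lists exactly the files that break the lab's rule.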

Page 57: Ethical Hacking Computer Science Innovations, LLC

Annoying Cannot Save Backup File

When you are working as a user... you have a private home directory, where you can work.

The command useradd has a way to specify the home directory, which we did not do, so it defaulted to the root of the system which is owned by root. So you cannot write to it.

Page 58: Ethical Hacking Computer Science Innovations, LLC

To Consider

There is an appropriate tool for a job. This is not Religion. We are trying to get a job done. There are 2M LAMP developers worldwide.

Wikipedia – written in LAMP. Bugzilla, written in LAMP.

So, what Computer Scientists say is LAMP is not real computer science. I disagree.


Page 60: Ethical Hacking Computer Science Innovations, LLC

We Want To Use Least Privilege

We get our web server (Tomcat) to work as a normal user.

What does this imply?

Port # >= 1024... No privileged User.

Example of this

Page 61: Ethical Hacking Computer Science Innovations, LLC

Google Technology

Starting out... Google ingested the entire web and searches it.

But the technology that ingests the entire web is called Map/Reduce and is the open source Apache project – Hadoop.

The technology to read the entire web is called the Apache project Solr.

Page 62: Ethical Hacking Computer Science Innovations, LLC

Solr

Runs with Least Privilege.

Show me!

Ran Solr:

Accessed it through http://localhost:8080/solr

Did a ps -ef | grep tomcat.

Running as scott

Page 63: Ethical Hacking Computer Science Innovations, LLC

AWS.amazon.com/amis – these are amazon machine images.

Top Down.... A specification committee gets together... they understand the need.... they build a specification. Many are good, some are bad.

Bottom up... The specification committees do not know about this. A vendor starts it.... It gets critical mass... It becomes a defacto standard.

Page 64: Ethical Hacking Computer Science Innovations, LLC

Some Things That Came From a Specification

TCP/IP

HTML

Web Archives.

Java.

Browsers.

Page 65: Ethical Hacking Computer Science Innovations, LLC

Some Things not from a Specification (defacto)

Processors on PC

Wiki's

Spring Framework

Social Networking

RESTful

Page 66: Ethical Hacking Computer Science Innovations, LLC

Amazon - AMI

Amazon Machine Images

https://aws.amazon.com/amis

65,000 different machine images.

Ubuntu 12.04, MySQL Apache, php, postfix

Server … Elastic... Managed in a secure way.

Page 67: Ethical Hacking Computer Science Innovations, LLC

Why is this Popular

Speed, efficiency, cost

Shawn – I can bring up a production instance in less than 5 minutes.

Cost – Initial costs are nominal. I pay as I go.

Page 68: Ethical Hacking Computer Science Innovations, LLC

How Do I do This

And, can I learn from them? In other words, what are smarter people than me doing?

First go to Amazon EC2 (Elastic Compute Cloud).

The classic wizard gives you different ones to choose from. Amazon gives you their own AMI default. You can go out to the community and see the ones out there running. Choose an instance of them. It takes the image out there running and takes a copy of it. 12.04 seems to be the sweet spot: stability. The later ones are more experimental. If you're a developer or want newer things you may want the experimental ones. If you are setting up a production environment, that is not prudent.

Page 69: Ethical Hacking Computer Science Innovations, LLC

Launched an Instance

I have a security key that I use to get to the server. This is going to lead to a best practice.

scott@companion:~/Desktop$ ls -al elijah.pem

-rw-rw-r-- 1 scott scott 1696 Sep 11 11:13 elijah.pem

scott@companion:~/Desktop$ chmod 600 elijah.pem

scott@companion:~/Desktop$ ls -al elijah.pem

-rw------- 1 scott scott 1696 Sep 11 11:13 elijah.pem

scott@companion:~/Desktop$

Page 70: Ethical Hacking Computer Science Innovations, LLC

Let's Get to our Server

ssh -i elijah.pem [email protected]

So if we do not use a private key

ssh [email protected]

Permission denied (publickey)

Page 71: Ethical Hacking Computer Science Innovations, LLC

Best Practices?

No unencrypted access. Only ssh or https

443 22 80, ports that are open

DAC – Single User to account. Groups. Shared, etc.

And Private key to get into ssh.

Page 72: Ethical Hacking Computer Science Innovations, LLC

Lab

Go back to Amazon.

Create an instance.

Log on to the server.

Remember.... chmod 400 on the key

Do not lose the key.

[email protected]

Password lakers

Page 73: Ethical Hacking Computer Science Innovations, LLC

Review

Security Levels:

D everything

C1 – DAC with group level

C2 - DAC individual users and objects.

B1 - Mandatory Access Control – Wednesday It is what we need for Multi-level secure.

B2, B3, A1 is the same as B1 with more Assurance.

Page 74: Ethical Hacking Computer Science Innovations, LLC

Review - II

So, how can I prove Solr is running with Least Privilege?

Possibly – it is running on port 8080 >= 1024.

scott@companion:~$ ps -ef | grep tomcat

scott 10139 18578 0 14:55 pts/4 0

User is scott

Command grep scott /etc/passwd

Command su - scott

Page 75: Ethical Hacking Computer Science Innovations, LLC

SQL Injection and Cross-Site Scripting

You have web page..... It has a text box. Your programmer is not very sophisticated, think of a Neanderthal...

The code can be

SQL statement including <text box contents>

Javascript code can be Javascript statement including contents of <text box>

Contents make it do bad things.

Page 76: Ethical Hacking Computer Science Innovations, LLC

Confidentiality

Encrypted - Keeping data confidential.

We believe all communication links between the outside world and our systems shall be encrypted.

Command ssh

Data is considered either active or passive. Active is you are transferring it for use.

Passive is when the data is stationary, in a Relational Database Management System.

Page 77: Ethical Hacking Computer Science Innovations, LLC

Should Passivated Data Be Encrypted?

This is unsettled science.

So your homework assignment is to reference some opinions on this and state your opinion based on your analysis at 9am tomorrow morning.

Make sense? Remember, active data is encrypted. This is settled science. Passivated is not settled. Valid opinions on both sides.

Page 78: Ethical Hacking Computer Science Innovations, LLC

Fingerprinting

So, we have a file at the top level of a Web site. It is called robots.txt. It specifies where to find content and what content to avoid.

What can this tell us from a fingerprinting perspective? Tells us the stuff we wish to protect.

Page 79: Ethical Hacking Computer Science Innovations, LLC

Fingerprinting Perspective

Www.walmart.com

Www.schwans.com

Take down the robots.txt

Take down the sitemaps

Try to take down the disallows

Use wget …

For backtrack command line dhclient

Page 80: Ethical Hacking Computer Science Innovations, LLC

Lab Fingerprint Web Server

Use wget

Use wget www.walmart.com/robots.txt

Use more robots.txt

Use wget <sitemap files>

Use more <sitemap files>

Use www.schwans.file

Try to wget disallowed files.

Page 81: Ethical Hacking Computer Science Innovations, LLC

What Did We Learn?

What can we do with robots.txt from a fingerprint perspective? It is part of the directory structure.

It shows you what they do not want to share.

Why does wget not pull disallowed information? Hint: man wget. It adheres to the robots.txt protocol.

How could we get disallowed information? What type of licensing is wget? Open Source. We can get the source. Change it and go after the disallow.

Page 82: Ethical Hacking Computer Science Innovations, LLC

Web Site Fingerprinting

Best Practices:

1) Use robots.txt for things you want found by a search engine and disallow for things you do not want found.

2) Use a tool (if you are a penetration tester) to work around the disallow in robots.txt. Remember disallow is a protocol.

3) Use security in the web server to protect sensitive files.

Page 83: Ethical Hacking Computer Science Innovations, LLC

Network 101

Typically three types of networks A, B, C

Differ by.... netmask

A netmask 255.0.0.0

B netmask 255.255.0.0

C netmask 255.255.255.0

So how does this work.

Page 84: Ethical Hacking Computer Science Innovations, LLC

OSI Networking Model

Application - Applications running on top - ssh

Presentation --- Map data between representations.

Session --- Support conversation.

Transport --- Put stuff in order, end to end

Network – communicate with routing

Data Link --- communicate without routing

Physical --- Cable

Page 85: Ethical Hacking Computer Science Innovations, LLC

Data Link Layer

Data link – no routing

Scott Brian

Page 86: Ethical Hacking Computer Science Innovations, LLC

Command to See Network

Ifconfig -a

Scott

inet addr:10.10.10.234 Bcast:10.10.10.255 Mask:255.255.255.0

Brian ….. 10.10.10.231...

Netmask 255.255.255.0 What does that mean.

Page 87: Ethical Hacking Computer Science Innovations, LLC

Netmask

255.255.255.0 is a Class C network. Only route if you differ by more than the last octet. 10.10.10.234 and 10.10.10.231: No Routing necessary. They only differ where the Netmask is 0, therefore resolved at the data link layer. MAC/IP. The conversion between MAC and IP is data link.

Page 88: Ethical Hacking Computer Science Innovations, LLC

More Netmask

255.255.0.0 is a B network only route if differ by left-most two octets.

192.168.1.2

192.168.2.3

Routing? No. Why? The only values that differ are where you have a bit pattern of 1111's

255.0.0.0 is an A network

10.0.1.7 and 10.1.1.7 does it require routing. Only differs by where it is 1.

Page 89: Ethical Hacking Computer Science Innovations, LLC

Netmask Concluded

Class C network, Netmask 255.255.255.0. What is that in HEX?

– FFFF.FFFF.FFFF.0000. What is that in Binary?

– 11111111.11111111.11111111.00000000

So on a Class C network one computer is 192.168.1.10 and one is 192.168.1.12. Need Routing?

Page 90: Ethical Hacking Computer Science Innovations, LLC

Netmask Lab

Class C Network 255.255.255.0

– 192.168.1.10 and 192.168.0.11. Need routing? Yes. Differs by the third octet.

Class A Network 255.0.0.0

– 10.11.1.1 and 10.10.1.1 need routing? no.

– 11.11.1.1. and 10.10.1.2 need routing? yes

Question 192.168.1.1 for a router Cisco– who makes it. 192.168.0.1 – Dlink Netgear, who makes it?
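The routing decision from Pages 87 to 90, as an added example that is not part of the slides: AND each octet with the netmask and route only when the network parts differ. The cases are the slides' own, plus the 255.255.252.0 mask that the kitchen network's netstat output uses, where 192.168.1.x and 192.168.0.x share one subnet.

```shell
#!/bin/sh
# Added example: same-subnet test by masking each octet, the rule the slides
# state as "route when the addresses differ where the netmask has 1 bits".

# Print the network address of IP $1 under dotted-decimal netmask $2.
network_of() {
    old_ifs=$IFS
    IFS=.
    set -- $1 $2           # eight positional parameters: a1..a4 then m1..m4
    IFS=$old_ifs
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# Exit 0 (true) when a packet from $1 to $2 must go via the router under mask $3.
needs_routing() {
    [ "$(network_of "$1" "$3")" != "$(network_of "$2" "$3")" ]
}

# Worked cases: slides' examples first, then the /22 from the kitchen network.
for example in \
    "192.168.1.10 192.168.1.12 255.255.255.0" \
    "192.168.1.10 192.168.0.11 255.255.255.0" \
    "10.11.1.1 10.10.1.1 255.0.0.0" \
    "11.11.1.1 10.10.1.2 255.0.0.0" \
    "192.168.1.2 192.168.0.5 255.255.252.0" \
    "192.168.1.10 206.245.1.17 255.255.255.0"; do
    set -- $example
    if needs_routing "$1" "$2" "$3"; then
        echo "$1 -> $2 with mask $3: different networks, route via the gateway"
    else
        echo "$1 -> $2 with mask $3: same subnet, the data link layer delivers it"
    fi
done
```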

Page 91: Ethical Hacking Computer Science Innovations, LLC

A Little Further in the Network: Find the router..

– Unix

– Command netstat -rn

scott@kitchen:~$ ifconfig -a

eth0 Link encap:Ethernet HWaddr c8:0a:a9:b5:9d:db

inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.252.0

scott@kitchen:~$ netstat -rn

Kernel IP routing table

Destination Gateway Genmask Flags MSS Window irtt Iface

192.168.0.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0

169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0

0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0

Page 92: Ethical Hacking Computer Science Innovations, LLC

What About DNS?

Domain Name Service. Maps names to IP addresses.

It is given to us by DHCP. How do we find it on Unix? more /etc/resolv.conf

scott@kitchen:~$ more /etc/resolv.conf

# Generated by NetworkManager

nameserver 192.168.1.1

Page 93: Ethical Hacking Computer Science Innovations, LLC

On My Network

192.168.1.1 is the DNS Server and the Router Netmask is 255.255.252.0 It is CISCO like???? That is what we found out. To do on Windows ipconfig /all

Lab.... Tell me what you have on your Windows box?

Page 94: Ethical Hacking Computer Science Innovations, LLC

Conventions

Class C 255.255.255.0 – Generally 192.168.x.x

Class A (bigger network) 255.0.0.0 – Generally 10.x.x.x

Gateway... generally, whatever you are working with, .1. The DHCP Server is generally the Gateway.

Page 95: Ethical Hacking Computer Science Innovations, LLC

What is DHCP?

Distributed Hosts Configuration Protocol. Turn on a computer, get the IP address, DNS Server, Router, and any Routes. It broadcasts for it. In other words, it comes up and says, who is my DHCP? First one wins.

Page 96: Ethical Hacking Computer Science Innovations, LLC

What is wrong with our Network, via Conventions?

C Network, why? Netmask 255.255.255.0. The IP address starts with 10, which is an A network. Should start with ???? 192.168. The Router ends in .254; what does it typically end in?

– .1

Page 97: Ethical Hacking Computer Science Innovations, LLC

Review Fingerprinting

Why do we Fingerprint? To learn about the system. If you are an adversary, you want to find something easy. If you are a security professional, you want to see how hard your systems are.

Most common tool is nmap. Nmap can help you work around an IDS. It inspects traffic to tell you about products and ports. Nmap is a TCP/IP expert: Xmas, Stealth, etc.

Page 98: Ethical Hacking Computer Science Innovations, LLC

Network use Netmask

Typical network --- cisco …

Ip address of the router is

192.168.1.1

255.255.255.0

C

So if I talk to 192.168.1.10 to 192.168.1.21

Do I need to route?

No?

So if the address differs by the octet with a 0 in the netmask no routing.

Page 99: Ethical Hacking Computer Science Innovations, LLC

Network Route When

Addresses differ from where there is a 1.

For 255.255.255.0

If we wish to go from 192.168.1.10 to 206.245.1.17

Do we need to route? Yes

How do we find our router? Use netstat -rn

Page 100: Ethical Hacking Computer Science Innovations, LLC

Talk About Addresses

TCP/IP protocol

We agree to not route what addresses:

169.254 what you get when you do not get a dhcp address.

172.

10.

192.168

127.0.0.1 127.0.0.2

192.168.1.x CISCO

192.168.0.x DLINK

Page 101: Ethical Hacking Computer Science Innovations, LLC

Network Topology

So, I want three networks to be separate and have one external address to the internet. How do I do this?

206.1.17.9 external address, 10.10.10.254 internal

Network1 192.168.1.x 255.255.255.0 gtw 192.168.1.1, internal (10.10.10.1)

Network2 192.168.2.x 255.255.255.0 gtw 192.168.2.1, internal (10.10.10.2)

Network3 192.168.3.x 255.255.255.0 gtw 192.168.3.1, internal (10.10.10.3)

Page 102: Ethical Hacking Computer Science Innovations, LLC

What Did We Learn

1) Netmask determines your address range. Route when the difference is in the area of 1's on the netmask.

2) Router must be on the same subnet as the network it is routing.

3) How do we find the netmask? Unix: ifconfig -a; Windows: ipconfig /all

4) How do we find the router? netstat -rn

5) How do we find the DNS server? Windows: ipconfig /all; Unix: more /etc/resolv.conf
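The routing rule from the last few slides, as an added example that is not from the original deck: an address pair needs the router only when they differ in the bits where the netmask is 1, and the blocks the slides list as "we agree to not route" are checked the same way. The 172.16/12 range is the full private block behind the slide's "172." entry (an assumption stated here, not on the slide).

```shell
#!/bin/sh
# Added example (not from the slides): the "route only when the addresses
# differ where the netmask has 1 bits" rule, done with POSIX sh arithmetic.

# Convert a dotted quad such as 192.168.1.10 to one integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit status 0 when src and dst sit on different subnets under mask,
# i.e. the router is needed; 1 when they can talk directly.
needs_route() {
    src=$(ip_to_int "$1")
    dst=$(ip_to_int "$2")
    mask=$(ip_to_int "$3")
    [ $(( src & mask )) -ne $(( dst & mask )) ]
}

# The blocks the slides say we do not route: 10/8, 172.16/12, 192.168/16,
# the 169.254/16 range you get without a DHCP lease, and 127/8 loopback.
# Exit status 0 if addr falls inside one of them.
is_non_routable() {
    a=$(ip_to_int "$1")
    for block in 10.0.0.0/255.0.0.0 172.16.0.0/255.240.0.0 \
                 192.168.0.0/255.255.0.0 169.254.0.0/255.255.0.0 \
                 127.0.0.0/255.0.0.0; do
        net=$(ip_to_int "${block%/*}")
        mask=$(ip_to_int "${block#*/}")
        [ $(( a & mask )) -eq "$net" ] && return 0
    done
    return 1
}

# The two cases from the slides, same netmask 255.255.255.0.
for pair in "192.168.1.10 192.168.1.21" "192.168.1.10 206.245.1.17"; do
    set -- $pair
    if needs_route "$1" "$2" 255.255.255.0; then
        echo "$1 -> $2: route via the gateway"
    else
        echo "$1 -> $2: same subnet, no routing"
    fi
done
```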

Page 103: Ethical Hacking Computer Science Innovations, LLC

Email Tracking

Let's say I sent an email to Mo and I wanted assurance that he has read it. Email itself is a datagram.

In the email message:

<img src="www.morrisisagreatguy.com/photo.jpg">

There are tools that do this for you. Put in a link that does not require a click and have it report to a server for recording.

Page 104: Ethical Hacking Computer Science Innovations, LLC

Fingerprinting Lab

Tell me what I am running at www.scottstreit.com, by using nmap.

Tell me what hosts on your subnet are running, by using nmap.

Page 105: Ethical Hacking Computer Science Innovations, LLC

Lab

Create a private group for you and your partner along with a shared group.

Create a user for you and your partner with the private group as your primary group (-g) and the shared group (-G) as your supplemental group.

Add each user. Put a file in /opt for each user. Use chmod and chown to make the file globally readable but only privately writable.

Page 106: Ethical Hacking Computer Science Innovations, LLC

Review and Talk About Today

Discretionary Access Control

Go through nmap

DAC – Step by Step lab.

For nmap – two videos from youtube.

Page 107: Ethical Hacking Computer Science Innovations, LLC

DAC

Why do we care how this works?

Unix paradigm is everywhere

Old-timers like Scott had Unix with no commands for this, so we manually modified two files: /etc/group and /etc/passwd.

That directly affected the behavior.

Ubuntu/Debian, Fedora/RedHat... they have different commands … but they all modify /etc/group and /etc/passwd.

Page 108: Ethical Hacking Computer Science Innovations, LLC

Commands

We have useradd, groupadd, umask, chmod, chown --- five commands to do all of it.

1) Groups first. You need a private group, which means the username is the same as the group name. So you need one of these per user, plus one shared group.

root@companion:~# groupadd dhoward

root@companion:~# groupadd snash

root@companion:~# groupadd lakers

Page 109: Ethical Hacking Computer Science Innovations, LLC

What Happened Here?

We have two new Lakers as we move towards our 17th NBA Championship, Dwight Howard and Steve Nash. So if we wish to add them we need to add the private group first. Next we need a shared group... Lakers.

How do we check this

We can do a tail /etc/group

dhoward:x:1004:

snash:x:1005:

lakers:x:1006:

Page 110: Ethical Hacking Computer Science Innovations, LLC

What do We do Next

Create the users

Do useradd snash -g snash -G lakers

root@companion:~# useradd snash -g snash -G lakers

root@companion:~# useradd dhoward -g dhoward -G lakers

Page 111: Ethical Hacking Computer Science Innovations, LLC

What Happened

root@companion:~# tail /etc/group

dhoward:x:1004:

snash:x:1005:

lakers:x:1006:snash,dhoward

dhoward and snash are private groups. The group lakers has two supplemental users, snash and dhoward.

Page 112: Ethical Hacking Computer Science Innovations, LLC

What do we do Next?

Create a shared area on disk.

Go to /opt and create a directory called seventeen. In there I want to share files.

root@companion:~# mkdir /opt/seventeen

root@companion:~# cd /opt/seventeen

root@companion:/opt/seventeen# ls -al

total 8

drwxr-xr-x 2 root root 4096 Sep 11 09:31 .

drwxr-xr-x 4 root root 4096 Sep 11 09:31 ..

Page 113: Ethical Hacking Computer Science Innovations, LLC

drwxr-xr-x 2 root root 4096 Sep 11 09:31 .

What is wrong with this? The group cannot write to it. That is wrong because we want the group to share it. Why did it default to 755 for permissions?

We have rwx rwx rwx

111 101 101

This implies a umask of 22. The umask, as the name implies (mask), holds the bits that become 0's at file creation.

Page 114: Ethical Hacking Computer Science Innovations, LLC

Command umask

The command umask with no parameters gives us the mask – user mask. With a parameter, it changes it. So what umask do we want?

We want rwx rwx rwx

111 111 101

What umask? 002

root@companion:/opt/seventeen# umask

0022

root@companion:/opt/seventeen# touch z

root@companion:/opt/seventeen# ls -al z

-rw-r--r-- 1 root root 0 Sep 11 09:35 z

root@companion:/opt/seventeen# umask 002

root@companion:/opt/seventeen# touch y

root@companion:/opt/seventeen# ls -al y

-rw-rw-r-- 1 root root 0 Sep 11 09:38 y

Page 115: Ethical Hacking Computer Science Innovations, LLC

Ownership, directories and files

Rules for ownership.

I am Unix and my default behavior is:

Create a file with the user being the user creating it, the group being the user's primary group, and the permissions determined by the umask.

root@companion:/opt/seventeen# chown snash:lakers /opt/seventeen

root@companion:/opt/seventeen# su - snash

No directory, logging in with HOME=/

$ cd /opt/seventeen

$ touch t

$ umask

0002

$ ls -al t

-rw-rw-r-- 1 snash snash 0 Sep 11 09:41 t

Page 116: Ethical Hacking Computer Science Innovations, LLC

-rw-rw-r-- 1 snash snash 0 Sep 11 09:41 t

We have a problem.... really a major one: the file is owned by the primary group, not the shared group.

We cannot fully share the file between dhoward and snash, so let's revisit our rule.

Page 117: Ethical Hacking Computer Science Innovations, LLC

Rule

When a user creates a file...... the file has the owner as the user, and the group is that of the directory above if the sticky bit is set... or the primary group.... if the sticky bit is not set... So how do we set the sticky bit?

We use chmod 2775 /opt/seventeen

Page 118: Ethical Hacking Computer Science Innovations, LLC

The Sticky Bit

root@companion:/opt/seventeen# chmod 2775 /opt/seventeen

root@companion:/opt/seventeen# su - snash

No directory, logging in with HOME=/

$ cd /opt/seventeen

$ touch zzz

$ ls -al zzz

-rw-rw-r-- 1 snash lakers 0 Sep 11 09:46 zzz

Page 119: Ethical Hacking Computer Science Innovations, LLC

What Do We Have Here

Posix compliant Discretionary Access Control.

It comes... out of the box..... No add on packages, no recompiles, and it is constant protection.

We say, linux, out of the box is C2 capable.

We say it is capable, why?

Page 120: Ethical Hacking Computer Science Innovations, LLC

C2 Capable

Anyone can take a C2 system and make it D. If you have a group account and multiple people log in using the same account … you are now at D.

PL3, PL3+ … C1, C2

PL3 = C2

PL3+ = B1

Page 121: Ethical Hacking Computer Science Innovations, LLC

Passive Encryption vs. Active

Read the Orange Book; there are standards that say passivated data must be encrypted at B1...

We largely do not do this.... Is this good or bad, and why?

Page 122: Ethical Hacking Computer Science Innovations, LLC

Encrypting Passivate Data is Good

It handles the case of the disk falling into the wrong hands. One could argue for encrypting a laptop hard drive.

Tiered Security.... Encryption at the transmission level and at the storage level.

Page 123: Ethical Hacking Computer Science Innovations, LLC

Encrypting Passivated Data is Bad

1) We typically do not guard against physical access. Guns, Guards, Gates.

2) What if you lose the key?

3) None of our tools run on encrypted data.

So if you have encrypted data in a MySQL table, you have to write the encryption/decryption layer..... so the cost of software development goes up dramatically.

Page 124: Ethical Hacking Computer Science Innovations, LLC

Reasonable Compromise

The highest-risk data is encrypted, which means laptop data is encrypted. Why? No penalty. And you are much more likely to lose a laptop than to have a bad person grab control of your machine. This is where we are today.

Page 125: Ethical Hacking Computer Science Innovations, LLC

Fingerprinting

We want to see what is on our network. If you are bad.... then you are looking for easy things. We want to make sure we are not one of those easy things. So for Bad People, Fingerprinting is a way to find easy systems to crack. For Security Professionals, it is a way of hardening our systems.

Page 126: Ethical Hacking Computer Science Innovations, LLC

Best Practices

Only SSH login, and only through a private key. Open ports: 22 (private key only) and 443. This is for externally facing servers. So how do we find out?

Page 127: Ethical Hacking Computer Science Innovations, LLC

How Do We Fingerprint

Command: telnet host port. Then send it commands. Then get what's running by parsing the results of the commands.

scott@companion:~$ telnet www.scottstreit.com 80

Trying 74.103.6.161......

HEAD

<address>Apache/2.2.14 (Ubuntu) Server at localhost Port 80</address>

</body></html>

Page 128: Ethical Hacking Computer Science Innovations, LLC

Instead Of

Telnet to a port. Writing a socket-level program. Ping.

scott@companion:~$ ping www.scottstreit.com

PING www.scottstreit.com (74.103.6.161) 56(84) bytes of data.

64 bytes from pool-74-103-6-161.bltmmd.fios.verizon.net (74.103.6.161): icmp_req=1 ttl=52 time=24.7 ms

Page 129: Ethical Hacking Computer Science Innovations, LLC

We Use Nmap

What is good about Nmap? Price.... Free Runs on every system. Around a long time – stable. Defacto Standard. Does a lot of things.

Page 130: Ethical Hacking Computer Science Innovations, LLC

nmap

We can see what systems are up on a subnet. We can see what ports are open. We can see what tools are running on the open ports. We don't have to fool around with TCP/IP.
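The "only 22 and 443 open" best practice from a few slides back, checked against an nmap port table, as an added example that is not from the original deck. The scan output below is constructed to look like nmap's port listing; pipe the real output of a scan of your own server in instead.

```shell
#!/bin/sh
# Added example (not from the slides): compare an nmap port table with the
# allow list for an externally facing server (22 and 443 only).

# Constructed sample in nmap's port-table layout, not a real scan result.
SAMPLE_SCAN='PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
3306/tcp open     mysql
8080/tcp filtered http-proxy'

# Reads an nmap port table on stdin and prints "port service" for every open
# port that is not in the space-separated allow list given as $1.
unexpected_ports() {
    allowed=" $1 "
    while read -r portproto state service; do
        [ "$state" = "open" ] || continue      # skips header, filtered, closed
        port=${portproto%%/*}                  # "22/tcp" -> "22"
        case $allowed in
            *" $port "*) ;;                    # expected, e.g. 22 or 443
            *) printf '%s %s\n' "$port" "$service" ;;
        esac
    done
}

# Exit status 0 when nothing unexpected is listening, 1 otherwise.
scan_is_clean() {
    [ -z "$(unexpected_ports "$1")" ]
}

echo "$SAMPLE_SCAN" | unexpected_ports "22 443"
if echo "$SAMPLE_SCAN" | scan_is_clean "22 443"; then
    echo "only the expected ports are open"
else
    echo "unexpected ports found; fix them before this host faces the internet"
fi
```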

Page 131: Ethical Hacking Computer Science Innovations, LLC

Two Movies on nmap

Let's watch two youtube videos on nmap.

Page 132: Ethical Hacking Computer Science Innovations, LLC

Lab

Tell me what is running on my machine, www.scottstreit.com. Do it two ways. First telnet to port 80 and send HEAD: telnet www.scottstreit.com 80

– HEAD

Then do an nmap on my box. Tell me what is running. Tell me what hosts are up on our 10. subnet. Use your backtrack instance. Google it.

Page 133: Ethical Hacking Computer Science Innovations, LLC

Let's Simulate nmap

scott@companion:~$ telnet www.scottstreit.com 80

Trying 173.59.254.127...

Connected to www.scottstreit.com.

Escape character is '^]'.

head

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>501 Method Not Implemented</title>

</head><body>

<h1>Method Not Implemented</h1>

<p>head to /index.html not supported.<br />

</p>

<hr>

<address>Apache/2.2.14 (Ubuntu) Server at localhost Port 80</address>

</body></html>

Connection closed by foreign host.

scott@companion:~$