Cybersecurity Computer Science Innovations, LLC. Ethical Hacking.

Cybersecurity Computer Science Innovations, LLC

Ethical Hacking

Course Overview Course Content

Rules Address me as “Scott” Being able to do something is more important than memorizing. I will not ask you to memorize. My tests ask you to think and explain. I ask you to take a position. Your grade on a test (mid-term, final) is not the final grade. You must successfully complete all projects to pass the course. You pick your grade – I'll explain.

Goals Einstein said, As simple as possible, but no simpler. If you cannot explain it simply, you do not understand it well enough. Any fool can make things more complex it takes genius to find the simplicity. Great science is simple.

How did we get here? Turing machine. P-V semaphore. Unix. Flat files. In 1970 Dr. E. F. Codd invented the relational database: linear algebra applied to data storage. RDBMS and transactions (Bob Epstein). Databases became fault tolerant and load balanced, but they were tightly coupled. Now you are a startup and you want to do load balancing, larger than anyone ever has. What do you do?

Class Overview It is Good to be Smart, It is better to be funny. 90% of the Material, how? Projects – 2 Adjudicators Everything is negotiable This is supposed to be fun.

Overview Ethical Hacking Issues in Security Trusted Computer System Evaluation Criteria (TCSEC) - Orange Book Measure Security Implementation Assurance

5 Rules of Software Development 1. W3C specifications ahead of JSR specifications. 2. JSR ahead of de facto standards. 3. De facto standards ahead of custom development. 4. Compositional patterns to create software systems. 5. Use design patterns when creating custom code.

LAMP vs. WAR Where is LAMP (Linux, Apache, MySQL, PHP) best? 1) Your views closely model your database design. 2) Security requirements are not excessive. Where is a WAR (Java web archive) best? 1) Your views do not closely model your database design; in fact there probably is no RDBMS. Elastic. 2) Serious security requirements (underwriting).

Issues In Security Convenience Adjudication Front/End Back End IDS Network Security Database Security Insurance Companies.

The Present Situation If I am responsible for system X, how do I bring it into production? Someone must approve. Somebody must assume the risk. Who is that? An insurance company, the DoD, an adjudicator: someone who assumes the risk.

Development up to present If your system and you are well defined, if your security model is simple and based on standards, and if you speak the same language as the decision maker, it is easier to get someone to put their neck on the line. Newton said: If I have seen further than others it is because I was standing on the shoulders of giants.

Science Being Simple Computer Science – Simple seems to win. P-V Semaphore --- Seven lines of code. Google ---- Processing Paradigms.... Simplicity in processing. Map/Reduce …. Solr... Open Source......

Definitions Levels of Security The lowest is D: not even worth discussing. The next level up is C: C1 and C2, which rely on Discretionary Access Control. Above that are B1, B2 and B3, which are closely related; the B levels use Mandatory Access Control. A1 is the top.

Lab – Setup in Preparation for C2 MacOS (BSD), Linux (Ubuntu, Fedora). If you have not used a virtualized environment: a Linux host running a Windows VM is fine; a Windows host running a Linux VM is bad, very very bad. Alternative: Amazon free micro instance. Scott: start here next time, instance setup on Amazon.

Discretionary Access Control concerns itself with named subjects accessing named objects. So what is a subject? Someone or something wishing to access a computer object. You accessing your e-mail: the subject is you, the object is the e-mail. What does "concerns itself with" mean?

Subjects and Objects Access control: can the subject read or write the object? That is one thing we are concerned with. Auditing: what did the subject do on June 30th? Who are the subjects that accessed my mail? Assurance: how can I be guaranteed that all access to the data has access control and auditing? And does my model work?

Access Control Access control has some pieces. What are the pieces? The first two are Identity Assertion and Role Gathering. Systems do this. We have known this since before the Internet; it is not new.

Identity Assertion Eminem: I am who you say I am. How do you find out your identity? Google: username and password. Google: additional security through a token (a second factor). Show something about yourself: biometric devices. Prove who you are.

How Do We Do Identity Assertion (diagram) Browser → Web Server: "Do I have a session?"

How Do We Assert an Identity Username and password. SiteKey. The identity asserter is username and password. Google: username and password. Challenge: send a key to the cell phone. Biometrics are cheap.

Identity Assertion Identity Asserters must be pluggable. What does that mean? It means if I change the Identity Asserter, I do not need to change the software. Best Practice … Run the software with two different Identity Asserters without changing, compiling or writing Software.

Role Gathering (diagram) Browser → Web server: asserts identity, then gathers roles.

Role Gathering Having proven who I am.... What can I do? The Roles Dictate what you can do. So if my role is Administrator.. I can do a lot. If my role is Guest... I can do a little. Show me what you mean. Ok. Let's do a practical Example.

Where do We See Roles Web applications: web.xml. Directory: roles can be stored in the directory. Page: a security constraint on /useradmin says the roles that can see it are Administrator. Browser: look up the roles in web.xml and see it.

Practical Example - Roles id uid=1000(scott) gid=1000(scott) groups=1000(scott),27(sudo),30(dip),46(plugdev),109(lpadmin),124(sambashare),129(vboxusers) Groups are synonymous with roles; the spec says so. They say what I can do: use plug-in devices, line printer administrator, share files, etc.

What Happened? Logged into my machine. Asserted my identity by username password. Gathered my roles. Determined what I can do. Why? It's the standard.

Impromptu Lab Go to your Linux instance, any Linux instance. Run id, then sudo su -, then adduser pedro, then su - pedro, then id.

Common Shortcomings? Let's say you have a machine with a web server. You have 5 people that are Web Server Administrators What are your options? You can have a Group Account Or you can setup the machine to allow multiple people to update the Web Server.

What is Wrong with a Group Account? It violates Discretionary Access Control. Why? Named subject, named object; NOT a named group containing many subjects and a named object. It must be one to one: person to subject. Now three more topics for C2.

Bringing Up A Web Server A web server runs on port 80, or on port 8080. On Unix, ports < 1024 require admin (root) privilege to bind; ports >= 1024 do not. (On Linux the precise requirement is the CAP_NET_BIND_SERVICE capability, which setcap can grant to a single binary, but the port-1024 rule is the one to design for.) Why do we care? Least privilege.

Have "Normal" Users as Web Admins So let's say Morris (Mo) is a web admin and Cheri is a web admin. They are going to run as normal users, but they need to share the web server, and we do not want to violate DAC. So we need to separate them and keep least privilege.

Separate Users Step 1 Create a group per user and create a shared group: mo, al, and webguys as the shared group.

How To groupadd mo groupadd al groupadd webguys useradd mo -g mo -G webguys useradd al -g al -G webguys

How To mkdir /opt/share chown al:webguys /opt/share chmod 2775 /opt/share The 2 is the set-group-ID bit. It means that all files created in the directory inherit the group from the directory, not from the creating user's primary group, so anything Mo or Al drops in /opt/share belongs to webguys and is writable by the group.

Three More Topics Confidentiality: no one can listen in and gain information; encryption. Least Privilege: very, very important; am I doing the action with the least amount of authority? Don't work as root or admin. Non-Repudiation: the sender cannot later deny having sent it.

Confidentiality https: Hyper Text Transfer Protocol Secure. When you read your e-mail, are you on http or https? Log into your mail. Is it http or https? https.

Least Privilege I must work as a normal user, or I must work as an admin. Which is better? Why? Yourself? Why? You don't mess up the system on purpose or by accident. Ports: which port is https? 443. Who do you have to be to listen on 443? For ports less than 1024 you must be admin (root).

How Do We Do Least Privilege With https? The browser (source) wants to communicate on the default port, 443. The system wants to run the server as a normal user, which cannot bind 443. So what happens? Your firewall or router maps 443 to 8443: the source sends to 443, the router rewrites the destination to 8443 on the way in and rewrites the reply back to 443 on the way out. Best practice: always map to a port >= 1024 to preserve least privilege.

Outside World to Inside https in a browser means communicate on 443, but we want least privilege. So how do we do that on the local system? We need our firewall/router administrator to set this up for us.

Let's Look At This (diagram) Browser → 443 → Firewall → 8443 → Web Server. Al (admin) maps incoming 443 to internal 8443 on a specific server.

Apache and Least Privilege ps -ef | grep apache (PID, PPID and start-time columns elided) root ... /usr/sbin/apache2 -k start www-data ... /usr/sbin/apache2 -k start www-data ... /usr/sbin/apache2 -k start www-data ... /usr/sbin/apache2 -k start ubuntu ... grep --color=auto apache sudo su - cd /etc grep www-data passwd www-data:x:33:33:www-data:/var/www:/bin/sh The parent apache2 process runs as root (it is what binds port 80) and the workers run as www-data. Apache is not adhering to least privilege: part of it is still root.

Unix Cheat Sheet The command ls is the same thing as dir in Windows. The command ps is process status, commonly used as ps -ef | more. Do a ps -ef | more. The command pwd is print working directory. The command chmod is change mode. The command chown is change owner (and, written as user:group, the group too).

DAC in UNIX In Unix we get DAC out of the box. How do we do it? Named subject: logging in. Named object: how do we protect files? This is access control.

Unix History How did we get to Unix? Who created it? Ken Thompson and Dennis Ritchie, with Brian Kernighan, at AT&T Bell Labs in New Jersey in the early 70's. They had an idea: what if an operating system was created that worked on any hardware? So they needed a hardware-independent language; Ritchie called it C.

Unix History Continued AT&T licensed it to universities essentially for free, and it spread. How many run Android? A Linux kernel, which is Unix-like. How many run iPhones? Unix (BSD-derived). There are two main flavors: System V, from AT&T, and BSD, from UC Berkeley (the ancestor of Mac OS). Linux is a from-scratch Unix-like kernel rather than a descendant of either.

Commands - Unix Permissions wwwxxxyyy for a file or directory. Now let's define www: it has 3 bits for rwx (read, write, execute). So rwx is what? 7. Now www is for the user's permission, xxx is for the group's permission and yyy is for the world's permission. So if a file is 400, like a .pem file, what is that? Read only, at the owner level.

More Permissions So if I want a file to be read and write for the owner (user) of the file, read for the group, and nothing for the world. Let's do it together: www xxx yyy is U G O; the three digits (rwx = 4 2 1) are 6 4 0.

Lab on Permissions So the user may read, write and execute; the group may read and write; the other may only read. What is the pattern? Remember www xxx yyy, rwx, U G O.

So Back to Commands The command ls -al gives a full listing; you can see the pattern. So a couple more commands and we are done. The command chmod 3DIGITS file changes the mode; chmod 777 allows all access. The command chown user:group file sets the owner and the group; chgrp group file sets only the group.

The World of Discretionary Access Control says I should have a way to protect my private files. Well, let's create two users, Chris and Dave. Chris should see Chris's files and Dave could see Chris's files, but only Chris can update Chris's files and only Dave can update Dave's files.

Let's Do It groupadd class groupadd dave groupadd chris useradd dave -g dave -G class useradd chris -g chris -G class So class is a shared group with two members, dave and chris. So dave has a primary group, dave. So chris has a primary group, chris.

See DAC The common area is called /opt, which is for optional software. The command mkdir makes a directory. echo "hello" > chris.txt echo "goodbye" > dave.txt more chris.txt hello more dave.txt goodbye ls -al chris.txt dave.txt -rw-r--r-- 1 root root 6 Jun 25 13:40 chris.txt -rw-r--r-- 1 root root 8 Jun 25 13:40 dave.txt (both files are owned by root, because root created them)

Chris and Dave – Private for Writing Command: chown user:group file. chown chris:chris chris.txt chown dave:dave dave.txt ls -al *.txt -rw-r--r-- 1 chris chris 6 Jun 25 13:40 chris.txt -rw-r--r-- 1 dave dave 8 Jun 25 13:40 dave.txt su - dave No directory, logging in with HOME=/ $ cd /opt

umask The bits to clear (the opposite of the bits set) on a file when it is created. umask 0002 touch zzzz ls -al zzzz -rw-rw-r-- 1 scott scott 0 Dec 6 20:11 zzzz When I create a file with umask 0002, the only bit cleared is the 2 (write) bit for "other", so the file comes out 664.

umask (continued) umask 22 touch zzyy ls -al zzyy -rw-r--r-- 1 scott scott 0 Dec 6 20:13 zzyy umask with a value sets the umask. Setting it to 22 (022) means do not set the write bit for group and other, so new files are 644 (from the default 666) and new directories 755 (from 777).
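The www xxx yyy arithmetic, the umask, and the setgid bit on the shared directory, as one added shell example; it is not from the deck and the function names are mine. Nothing here needs root or creates users: the file and directory checks use mktemp and are cleaned up.

```shell
#!/bin/sh
# Added example (not from the slides): Unix mode arithmetic, the umask,
# and the setgid bit used on the shared directory, each verified against
# real files in a throw-away directory. Needs only a POSIX shell and coreutils.

# rwx_to_octal "rwxrw-r--" -> 764   (r=4, w=2, x=1 for each of U, G, O)
rwx_to_octal() {
    _s=$1; _out=""; _i=0
    while [ "$_i" -lt 9 ]; do
        _d=0
        [ "$(printf '%s' "$_s" | cut -c$((_i + 1)))" = r ] && _d=$((_d + 4))
        [ "$(printf '%s' "$_s" | cut -c$((_i + 2)))" = w ] && _d=$((_d + 2))
        [ "$(printf '%s' "$_s" | cut -c$((_i + 3)))" = x ] && _d=$((_d + 1))
        _out="$_out$_d"
        _i=$((_i + 3))
    done
    printf '%s\n' "$_out"
}

# octal_to_rwx 640 -> rw-r-----   (three octal digits in, nine-char pattern out)
octal_to_rwx() {
    _m=$1; _out=""; _i=1
    while [ "$_i" -le 3 ]; do
        _d=$(printf '%s' "$_m" | cut -c"$_i")
        if [ $((_d & 4)) -ne 0 ]; then _out="${_out}r"; else _out="${_out}-"; fi
        if [ $((_d & 2)) -ne 0 ]; then _out="${_out}w"; else _out="${_out}-"; fi
        if [ $((_d & 1)) -ne 0 ]; then _out="${_out}x"; else _out="${_out}-"; fi
        _i=$((_i + 1))
    done
    printf '%s\n' "$_out"
}

# apply_umask DEFAULT UMASK -> the mode a new object gets.
# Files start from 666, directories from 777; the umask digits are the bits
# to clear. apply_umask 666 022 -> 644, apply_umask 777 2 -> 775.
apply_umask() {
    _b=$1; _u=$2; _out=""; _i=1
    while [ ${#_u} -lt 3 ]; do _u="0$_u"; done   # 22 -> 022
    _u=${_u#${_u%???}}                            # 0002 -> 002 (last three digits)
    while [ "$_i" -le 3 ]; do
        _bd=$(printf '%s' "$_b" | cut -c"$_i")
        _ud=$(printf '%s' "$_u" | cut -c"$_i")
        _out="$_out$(( _bd & ~_ud & 7 ))"
        _i=$((_i + 1))
    done
    printf '%s\n' "$_out"
}

# umask_file_mode UMASK -> the first ten characters of ls -l for a file
# created under that umask, e.g. umask_file_mode 022 -> -rw-r--r--
umask_file_mode() {
    _d=$(mktemp -d) || return 1
    ( umask "$1" && : > "$_d/f" )
    _p=$(ls -l "$_d/f" | cut -c1-10)
    rm -rf "$_d"
    printf '%s\n' "$_p"
}

# setgid_dir_mode -> ls -ld string for a directory given chmod 2775, as the
# shared-directory slide does. The 's' in the group-execute slot is the setgid
# bit; files created inside inherit the directory's group rather than the
# creator's primary group. Expected: drwxrwsr-x
setgid_dir_mode() {
    _d=$(mktemp -d) || return 1
    chmod 2775 "$_d"
    _p=$(ls -ld "$_d" | cut -c1-10)
    rm -rf "$_d"
    printf '%s\n' "$_p"
}

printf 'rwxrw-r-- as octal: %s\n' "$(rwx_to_octal rwxrw-r--)"
printf '640 as pattern:     %s\n' "$(octal_to_rwx 640)"
printf '666 under umask 022: %s\n' "$(apply_umask 666 022)"
printf 'touch under umask 022: %s\n' "$(umask_file_mode 022)"
printf 'chmod 2775 directory:  %s\n' "$(setgid_dir_mode)"
```

Run it with `sh` as any user; the last two lines prove the arithmetic against what the kernel actually does, which is the check to make before trusting a umask setting in a login script.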

Lab Create a private group for you and your partner along with a shared group. Create a user for you and your partner with the private group as your primary group (-g) and the shared group (-G) as your supplemental group. Add each user. Put a file in /opt for each user. Use chmod and chown to make the file globally readable but writable only by its owner.

Annoying: Cannot Save Backup File When you are working as a user you have a private home directory where you can work. The command useradd has a way to specify the home directory (-d, with -m to create it), which we did not do, so it defaulted to the root of the filesystem, which is owned by root. So you cannot write to it.

Back to Least Privilege Access control, auditing, assurance, least privilege. We saw that Apache on Ubuntu on Amazon Web Services did not implement least privilege. Why? The answer is that LAMP (Linux, Apache, MySQL, PHP) uses a very simplistic model. This is different from enterprise software.

To Consider There is an appropriate tool for a job. This is not religion; we are trying to get a job done. There are 2M LAMP developers worldwide. Wikipedia is written in LAMP. Bugzilla is written in LAMP. So, some computer scientists say LAMP is not real computer science. I disagree.

We Want To Use Least Privilege We get our web server (Tomcat) to run as a normal user. What does this imply? Port number >= 1024, no privileged user. An example of this follows.

Google Technology Starting out, Google ingested the entire web and searched it. The processing paradigm that ingests the entire web is called Map/Reduce; its open-source implementation is the Apache project Hadoop. The technology to search the ingested content is the Apache project Solr (built on Lucene).

Solr Runs with Least Privilege. Show me! Ran Solr. Accessed it through the browser. Did a ps -ef | grep tomcat. Running as scott.

AMIs aws.amazon.com/amis: these are Amazon Machine Images. Top down: a specification committee gets together, they understand the need, they build a specification. Many are good, some are bad. Bottom up: the specification committees do not know about this. A vendor starts it, it gets critical mass, it becomes a de facto standard.

Some Things That Came From a Specification TCP/IP, HTML, Web Archives (WAR), Java, Browsers.

Some Things Not From a Specification (de facto) Processors on PCs, Wikis, Spring Framework, Social Networking, RESTful.

Amazon - AMI Amazon Machine Images: 65,000 different machine images. Ubuntu 12.04, MySQL, Apache, PHP, Postfix. Server, elastic, managed in a secure way.

Why is this Popular Speed, efficiency, cost. Shawn: I can bring up a production instance in less than 5 minutes. Cost: initial costs are nominal; I pay as I go.

How Do I do This First go to Amazon EC2 (Elastic Compute Cloud). The classic wizard gives you different AMIs to choose from. Amazon gives you their own default AMI. You can go out to the community and see the ones others have running. Choose an instance of one: it takes the image out there and launches a copy of it.

Launched an Instance I have a security key that I use to get to the server. This is going to lead to a best practice. ls -al elijah.pem -rw-rw-r-- 1 scott scott 1696 Sep 11 11:13 elijah.pem chmod 600 elijah.pem ls -al elijah.pem -rw------- 1 scott scott 1696 Sep 11 11:13 elijah.pem ssh refuses to use a private key that is readable by group or world ("permissions are too open"), which is why the chmod is required.

Let's Get to our Server ssh -i elijah.pem 234.compute-1.amazonaws.com So if we do not use the private key, ssh 1.amazonaws.com, the answer is Permission denied (publickey).

Best Practices? No unencrypted access: only ssh or https on the ports that are open. DAC: a single user per account; groups, shared and private. And a private key to get into ssh.

Lab Go back to Amazon, Create an instance. Log on to the server. Remember.... chmod 400 on the key Do not lose the key. Password redskins1992

Review Security Levels: D: everything that does not meet a higher class. C1: DAC at the group level. C2: DAC with individual users and objects, plus auditing. B1: Mandatory Access Control (Wednesday); it is what we need for multi-level secure. B2, B3 and A1 keep B1's MAC and add structure and assurance requirements on top.

Review - II So how can I prove Solr is running with least privilege? Possibly: it is running on port 8080, which is >= 1024. ps -ef | grep tomcat shows the process owned by scott (PID and time columns elided). The user is scott. Command: grep scott /etc/passwd. Command: su - scott.
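A scripted form of the two checks the deck makes by eye (ps -ef | grep apache on the Apache slide, ps -ef | grep tomcat here), added as an example and not part of the original slides. The ps and ss listings below are constructed with invented PIDs in the shape the real commands print; on a live box pipe the real output in instead. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the slides): least-privilege checks for a daemon.
# daemon_users answers "which users is this daemon running as?" and
# privileged_listeners answers "which listening sockets needed root?".
# Both read command output on stdin so they work on live or saved output.

# Constructed ps -ef output modelled on the Apache slide (PIDs invented).
PS_SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root      1021     1  0 09:55 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  1024  1021  0 09:55 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  1025  1021  0 09:55 ?        00:00:00 /usr/sbin/apache2 -k start
scott     2048     1  0 09:55 pts/4    00:00:00 /usr/bin/java -Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap start
ubuntu    3001  2999  0 09:56 pts/0    00:00:00 grep --color=auto apache2'

# daemon_users NAME < ps-ef-output -> distinct users whose command line contains
# NAME, space separated. The grep process itself is dropped: "ps -ef | grep x"
# always lists the grep too, which is easy to misread as a fourth worker.
daemon_users() {
    awk -v name="$1" '
        NR > 1 && $8 != "grep" {
            cmd = ""; for (i = 8; i <= NF; i++) cmd = cmd " " $i
            if (index(cmd, name)) seen[$1] = 1
        }
        END { for (u in seen) print u }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Constructed `ss -ltnp` output (invented PIDs). ss shows the port and the
# owning process together, which is what the port-1024 rule is about.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*        users:(("sshd",pid=640,fd=3))
LISTEN 0      511    *:80               *:*              users:(("apache2",pid=1025,fd=4),("apache2",pid=1021,fd=4))
LISTEN 0      100    *:8080             *:*              users:(("java",pid=2048,fd=44))'

# privileged_listeners < ss-ltnp-output -> "PORT PROCESS" per listener below
# 1024, i.e. every socket that needed root (or CAP_NET_BIND_SERVICE) to bind.
privileged_listeners() {
    awk 'NR > 1 {
        n = split($4, a, ":"); port = a[n] + 0
        if (port < 1024) {
            proc = $NF
            if (match(proc, /"[^"]*"/)) proc = substr(proc, RSTART + 1, RLENGTH - 2)
            print port, proc
        }
    }' | sort -n
}

printf 'apache2 runs as: %s\n' "$(printf '%s\n' "$PS_SAMPLE" | daemon_users apache2)"
printf 'tomcat runs as:  %s\n' "$(printf '%s\n' "$PS_SAMPLE" | daemon_users tomcat)"
printf 'listeners below 1024:\n%s\n' "$(printf '%s\n' "$SS_SAMPLE" | privileged_listeners)"
```

Live usage is `ps -ef | daemon_users apache2` and `ss -ltnp | privileged_listeners`. "root www-data" for Apache and "80 apache2" in the second list together are the evidence behind the Apache slide; "scott" alone and nothing below 1024 for Tomcat is the evidence this slide asks for.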

SSH groupadd jon useradd jon -g jon -d /home/jon -s /bin/bash cd / cd /home mkdir /home/jon chown jon:jon /home/jon ssh localhost password: Welcome to Ubuntu LTS (GNU/Linux generic-pae i686) Requires a password!!!!

No Password – How? $ ssh-keygen Enter file in which to save the key (/home/jon/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Your public key has been saved in /home/jon/.ssh/id_rsa.pub. ls -al .ssh -rw------- 1 jon jon 1675 Sep 11 14:18 id_rsa -rw-r--r-- 1 jon jon 395 Sep 11 14:18 id_rsa.pub -rw-r--r-- 1 jon jon 222 Sep 11 14:16 known_hosts mv id_rsa.pub authorized_keys (inside ~/.ssh) Prove it: ssh localhost

We ssh now ssh localhost Welcome to Ubuntu LTS (GNU/Linux generic-pae i686) * Documentation: Let's us in without a password!!!

Look at this a little further more id_rsa -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEA1/O96EGofjJ/fdBvF5VVIiGtnCeLgc+Ygt0XIv/N3M9lmCLN 9m6TGkJgn9AzrdVREb+R93i0D4Tvpv/kufd3LP9joAWPHIoFIEq6rRsrhj1U4qnb (rest of the key truncated on the slide) more authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDX873oQah+Mn990G8XlVUiIa2cJ4uBz5iC3Rci/83cz2WYIs32bpMaQmCf0DOt1VERv5H3eLQPhO+m/+S593cs/2OgBY8cigUgSrqtGyuGPVTiqduNzfWyx9kyLk+fXTZ0UTr745rR2BSnz2lhgLAmVyJiqIdxxX++Wqkc2Ku3uukntLCyQKO0p+6cubufLi7wdbw9FpW3tKHLFJeOWjA86F32rZTSdNmz5Cv1ieXgO92Mt81wsAQ/yHO4ZvBPHdH97r91gdu1qftEskZJumZq9gO0ElxFaX4SR+HLoZpVrjkE1kEE5xVdZHDsWB/6YWkzfBsGCsdvfhcSEEnxsL21 (truncated on the slide) The private half stays in id_rsa with mode 600; only the public half goes into authorized_keys.

SSH With Passphrase ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/jon/.ssh/id_rsa): Enter passphrase (empty for no passphrase): lakers Enter same passphrase again: lakers mv id_rsa.pub authorized_keys ssh localhost Enter passphrase for key '/home/jon/.ssh/id_rsa': Welcome to Ubuntu LTS (GNU/Linux generic-pae i686)

Lab 3 Use ssh-keygen to create a public and private key. Use this to get access to your account via ssh without a password.

Setting SSHD to Only Allow Private Key sudo su - cd /etc/ssh/ edit sshd_config change #PasswordAuthentication yes to PasswordAuthentication no Then check the file and reload: sshd -t (reports syntax errors) and service ssh restart. Keep your existing session open until a new key-based login has been confirmed, or you can lock yourself out. On Ubuntu also make sure ChallengeResponseAuthentication is no, otherwise PAM keyboard-interactive can still prompt for a password.
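The whole key-only procedure from the last few slides (ssh-keygen, authorized_keys, the sshd_config edit) as one added shell script; it is not from the deck. The sshd_config fragment and the public key it installs are constructed for the demonstration, the function names are mine, and the two demo_ functions work on temporary copies so the script can be run safely before pointing the functions at /etc/ssh/sshd_config and a real home directory.

```shell
#!/bin/sh
# Added example (not from the slides): key-only SSH login, scripted.
# install_authorized_key does the authorized_keys step with the permissions
# sshd insists on; harden_sshd_config makes the sshd_config change.

# install_authorized_key HOME PUBKEY_LINE
# ~/.ssh must be 700 and authorized_keys 600: with StrictModes (the default)
# sshd ignores the file if group or world can write to it. Appending, rather
# than the slide's mv of id_rsa.pub, keeps keys that are already there and
# is idempotent.
install_authorized_key() {
    _home=$1; _key=$2
    mkdir -p "$_home/.ssh" && chmod 700 "$_home/.ssh"
    touch "$_home/.ssh/authorized_keys" && chmod 600 "$_home/.ssh/authorized_keys"
    grep -qxF -e "$_key" "$_home/.ssh/authorized_keys" ||
        printf '%s\n' "$_key" >> "$_home/.ssh/authorized_keys"
}

# harden_sshd_config FILE: force key-only logins. sshd uses the first value it
# sees for an option, so the hardened lines go at the top of the file, which
# also keeps them out of any Match block further down. Both the password
# method and keyboard-interactive (what PAM uses to prompt for a password)
# are switched off; turning off only PasswordAuthentication is not enough
# on a PAM system.
harden_sshd_config() {
    _f=$1; _tmp="$_f.tmp.$$"
    {
        printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
            'ChallengeResponseAuthentication no' 'KbdInteractiveAuthentication no'
        # drop every earlier live or commented-out copy of those four options
        grep -Ev '^[[:space:]]*#?[[:space:]]*(PubkeyAuthentication|PasswordAuthentication|ChallengeResponseAuthentication|KbdInteractiveAuthentication)[[:space:]]' "$_f" || :
    } > "$_tmp" && mv "$_tmp" "$_f"
    # On the real file, follow with:  sshd -t && service ssh restart
}

# sshd_option FILE NAME -> the value sshd would use (first uncommented match).
sshd_option() {
    awk -v opt="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(opt) { print $2; exit }' "$1"
}

# Constructed fragment of an Ubuntu-style sshd_config (not a real file).
SSHD_SAMPLE='# Authentication:
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes'

# demo_install: install a constructed (not real) public key twice into a temp
# home; returns ".ssh perms, authorized_keys perms, line count" -> expect
# "drwx------ -rw------- 1" (the second install must not duplicate the key).
demo_install() {
    _h=$(mktemp -d) || return 1
    _k='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotRealExampleKeyNotRea jon@example'
    install_authorized_key "$_h" "$_k"
    install_authorized_key "$_h" "$_k"
    printf '%s %s %s\n' "$(ls -ld "$_h/.ssh" | cut -c1-10)" \
        "$(ls -l "$_h/.ssh/authorized_keys" | cut -c1-10)" \
        "$(wc -l < "$_h/.ssh/authorized_keys" | tr -d ' ')"
    rm -rf "$_h"
}

# demo_harden: harden a temp copy of the sample and return the
# PasswordAuthentication value sshd would now use -> expect "no".
demo_harden() {
    _f=$(mktemp) || return 1
    printf '%s\n' "$SSHD_SAMPLE" > "$_f"
    harden_sshd_config "$_f"
    sshd_option "$_f" PasswordAuthentication
    rm -f "$_f"
}

printf 'authorized_keys install: %s\n' "$(demo_install)"
printf 'PasswordAuthentication after hardening: %s\n' "$(demo_harden)"
# For real use (not run here):
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
#   install_authorized_key "$HOME" "$(cat ~/.ssh/id_ed25519.pub)"
#   harden_sshd_config /etc/ssh/sshd_config && sshd -t && service ssh restart
```

The order matters: install and test the key from a second terminal first, harden second, and only then close the original session.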

Lab 4 Allow private key only access to your account. Log out of Xwindows and see password still works. THIS ONLY IMPACTS SSH, WHICH SHOULD BE YOUR ONLY EXTERNAL ACCESS. Physical access - we do not care.

Fingerprinting So we have a file at the top level of a web site. It is called robots.txt. It specifies where to find content (Sitemap) and what content crawlers should avoid (Disallow). What can this tell us from a fingerprinting perspective? It tells us the stuff they wish to protect.

Fingerprinting Perspective Take down the robots.txt. Take down the sitemaps. Try to take down the disallows. Use wget.

Lab Fingerprint Web Server Use wget to fetch robots.txt. Use more robots.txt. Use wget to fetch the sitemap. Use more on it. Try to wget the disallowed files.

What Did We Learn? What can we do with robots.txt from a fingerprint perspective? Part of the directory structure. It shows you what they do not want to share. Why does a recursive wget not pull the disallowed content? Hint: man wget. It adheres to the robots.txt protocol. How could we get the disallowed information? What type of licensing is wget? Open source. We can get the source, change it and go after the disallows. (wget also has a switch for this: -e robots=off makes a recursive wget ignore robots.txt, and a single explicitly named URL is fetched regardless.)

Web Site Fingerprinting Best Practices: 1) Use robots.txt for things you want found by a search engine and Disallow for things you do not want found. 2) Use a tool (if you are a penetration tester) to work around the Disallow in robots.txt. Remember Disallow is a convention that polite crawlers follow, not an access control. 3) Use security in the web server to protect sensitive files.
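The robots.txt step of the lab as an added shell example, not part of the deck. The robots.txt content below is constructed and the host is example.com; robots_probe is the only function that touches the network and is not run here. Function names are mine.

```shell
#!/bin/sh
# Added example (not from the slides): read a robots.txt the way a
# fingerprinter does. robots_disallows / robots_sitemaps parse the file on
# stdin; robots_probe then asks wget about each Disallow path, because a
# Disallow is a request to crawlers, not an access control.

# Constructed robots.txt, not fetched from any real site.
ROBOTS_SAMPLE='User-agent: *
Sitemap: https://www.example.com/sitemap.xml
Disallow: /admin/      # staff only
Disallow: /backup/
disallow: /old-site/
Allow: /public/
Disallow:
User-agent: BadBot
Disallow: /'

# robots_field NAME < robots.txt -> the value of every "NAME: value" line,
# key matched case-insensitively, # comments stripped, blanks dropped,
# de-duplicated and sorted. Only the first ":" splits the line, so URLs in
# Sitemap values keep their scheme.
robots_field() {
    awk -v want="$1" '
        { sub(/#.*/, "") }
        index($0, ":") {
            key = substr($0, 1, index($0, ":") - 1)
            val = substr($0, index($0, ":") + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (tolower(key) == tolower(want) && val != "") print val
        }' | sort -u
}
robots_disallows() { robots_field Disallow; }
robots_sitemaps()  { robots_field Sitemap; }

# robots_probe BASEURL < robots.txt: try each Disallow path with wget.
# --spider only checks whether the URL is served; -e robots=off is what you
# need once you switch to a recursive (-r) fetch, where wget otherwise
# honours the file. Network access required; not run in this script.
robots_probe() {
    robots_disallows | while IFS= read -r _p; do
        if wget -q --spider -e robots=off "$1$_p"; then
            printf '%s reachable\n' "$1$_p"
        else
            printf '%s not served\n' "$1$_p"
        fi
    done
}

echo 'Disallowed paths in the sample:'
printf '%s\n' "$ROBOTS_SAMPLE" | robots_disallows
echo 'Sitemaps in the sample:'
printf '%s\n' "$ROBOTS_SAMPLE" | robots_sitemaps
# Live use:  wget -qO- https://target/robots.txt | robots_probe https://target
```

Note that the parser keeps the per-agent section structure out of it on purpose: for fingerprinting every Disallow is interesting, whichever User-agent it was written for.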

Network 101 Typically three types (classes) of networks: A, B, C. They differ by netmask: A netmask 255.0.0.0, B netmask 255.255.0.0, C netmask 255.255.255.0. So how does this work?

OSI Networking Model Application: applications running on top (ssh). Presentation: map data between representations. Session: support the conversation. Transport: put stuff in order, end to end. Network: communicate with routing. Data Link: communicate without routing. Physical: cable.

Data Link Layer (diagram) Data link: no routing. Scott and Brian on the same link.

Command to See the Network ifconfig -a Scott: inet addr, Bcast, Mask (addresses elided). Brian: likewise. Netmask: what does that mean?

Netmask Class C network (255.255.255.0). Only route if the addresses differ in more than the last octet. No routing is necessary when they differ only where the netmask is 0; the traffic is resolved at the data link layer, MAC to IP. The conversion between IP and MAC (ARP) happens at the data link layer.

More Netmask 255.255.0.0 is a B network: only route if the addresses differ in the left-most two octets. Routing? No. Why? The only values that differ are where the mask has a bit pattern of 0's. 255.0.0.0 is an A network, and it requires routing only if the addresses differ in the first octet, where the mask bits are 1.

Netmask Concluded Class C network, netmask 255.255.255.0. What is that in hex? FF.FF.FF.00. What is that in binary? 11111111.11111111.11111111.00000000. So on a class C network, one computer and another that differ only in the last octet (addresses elided on the slide): need routing? No.

Netmask Lab Class C network: two addresses that differ in the third octet (elided on the slide); need routing? Yes, they differ in the third octet. Class A network: two addresses that differ only in the last three octets; need routing? No. Two that differ in the first octet; need routing? Yes. Question: who makes routers? Cisco, D-Link, Netgear.

A Little Further in the Network Find the router. Unix: command netstat -rn. ifconfig -a eth0 Link encap:Ethernet HWaddr c8:0a:a9:b5:9d:db inet addr: ... Bcast: ... Mask: ... (addresses elided) netstat -rn Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface ... U ... eth0 ... U ... eth0 ... UG ... eth0 (the U lines are directly connected networks on eth0; the UG line is the default route via the gateway on eth0)

What About DNS? Domain Name System. Maps names to IP addresses. It is given to us by DHCP. Where does Unix find it? more /etc/resolv.conf # Generated by NetworkManager nameserver (address elided)

On My Network the DNS server and the router are the same box. The netmask is the class C one. It looks like a Cisco? That is what we found out. To do the same on Windows: ipconfig /all. Lab: tell me what you have on your Windows box.

Conventions Class C: generally 192.168.x.x. Class A (bigger network): generally 10.x.x.x. Gateway: generally whatever network you are working with, .1. The DHCP server is generally the gateway.

What is DHCP? Dynamic Host Configuration Protocol. Turn on a computer and get the IP address, DNS server, router, and any routes. The host broadcasts for it: in other words, it comes up and says "who is my DHCP server?" The first one to answer wins.

What is wrong with our Network, via Conventions? A class C netmask, yet the IP address starts with 10, which is a class A address; by convention it should start with 192.168. The router ends in .254; what does it typically end in? .1. (These are conventions only: with CIDR the netmask, not the first octet, determines the network.)

Review Fingerprinting Why do we fingerprint? To learn about the system. If you are an adversary, you want to find something easy. If you are a security professional, you want to see how hard your systems are. The most common tool is nmap. Nmap can help you work around an IDS. It probes hosts to tell you about products (versions) and open ports. Nmap is a TCP/IP expert: Xmas scans, stealth (SYN) scans, etc.

Network Use Netmask Typical network: Cisco, class C. The router's address is .1 (elided on the slide). So if I talk from one host to another on the same network, do I need to route? No. If the addresses differ only in the octet where the netmask has a 0, no routing.

Network Route When the addresses differ where the netmask has a 1. If we wish to go from one network to another (addresses elided on the slide), do we need to route? Yes. How do we find our router? Use netstat -rn.

Talk About Addresses TCP/IP protocol: we agree not to route these private addresses on the Internet: 10.x.x.x, 172.16.x.x through 172.31.x.x, and 192.168.x.x (RFC 1918). 169.254.x.x is what you get when you do not get a DHCP address (link-local). Consumer routers (Cisco/Linksys, D-Link) ship with 192.168.x.x defaults (the specific values were elided on the slide).

Network Topology So I want three networks to be separate and have one external address to the Internet. How do I do this? One external address on the firewall/NAT box, and three internal networks, each its own subnet with its own gateway address (diagram; addresses elided): internal network 1 with gateway 1, internal network 2 with gateway 2, internal network 3 with gateway 3.

What Did We Learn 1) The netmask determines your address range. Route when the difference is in the area of 1's on the netmask. 2) The router must be on the same subnet as the network it is routing. 3) How do we find the netmask? Unix: ifconfig -a. Windows: ipconfig /all. 4) How do we find the router? netstat -rn. 5) How do we find the DNS server? Windows: ipconfig /all. Unix: more /etc/resolv.conf.
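The routing decision in point 1, and the hex/binary form of the mask from the earlier netmask slides, as one added shell example; it is not from the deck. The addresses are constructed, since the slides' own addresses were lost, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the slides): the netmask arithmetic behind "route
# only when the addresses differ where the mask has a 1", plus the hex,
# binary and CIDR forms of a mask. Constructed addresses throughout.

# ip_to_int 192.168.1.10 -> 3232235786 (the 32-bit value of the address)
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235776 -> 192.168.1.0
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# needs_route A B MASK -> yes|no. The XOR shows which bits differ; masking
# with the netmask keeps only the differences in the network part. Any bit
# left set means a different network, so a router is needed.
needs_route() {
    _a=$(ip_to_int "$1"); _b=$(ip_to_int "$2"); _m=$(ip_to_int "$3")
    if [ $(( (_a ^ _b) & _m )) -eq 0 ]; then echo no; else echo yes; fi
}

# network_of IP MASK -> the network address, e.g. 10.1.2.3 255.0.0.0 -> 10.0.0.0
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# mask_to_hex 255.255.255.0 -> FF.FF.FF.00
mask_to_hex() {
    _out=""
    for _o in $(printf '%s\n' "$1" | tr '.' ' '); do
        _out="${_out:+$_out.}$(printf '%02X' "$_o")"
    done
    printf '%s\n' "$_out"
}

# mask_to_bin 255.255.255.0 -> 11111111.11111111.11111111.00000000
mask_to_bin() {
    _out=""
    for _o in $(printf '%s\n' "$1" | tr '.' ' '); do
        _b=""; _i=7
        while [ "$_i" -ge 0 ]; do
            _b="$_b$(( (_o >> _i) & 1 ))"
            _i=$((_i - 1))
        done
        _out="${_out:+$_out.}$_b"
    done
    printf '%s\n' "$_out"
}

# mask_to_prefix 255.255.255.0 -> 24 (count of 1 bits: the CIDR length)
mask_to_prefix() {
    _m=$(ip_to_int "$1"); _n=0
    while [ "$_m" -ne 0 ]; do
        _n=$(( _n + (_m & 1) )); _m=$(( _m >> 1 ))
    done
    echo "$_n"
}

printf '192.168.1.10 -> 192.168.1.200 on /%s: route? %s\n' \
    "$(mask_to_prefix 255.255.255.0)" "$(needs_route 192.168.1.10 192.168.1.200 255.255.255.0)"
printf '192.168.1.10 -> 192.168.2.10 on /24: route? %s\n' \
    "$(needs_route 192.168.1.10 192.168.2.10 255.255.255.0)"
printf '10.1.2.3 -> 10.200.2.3 on /8: route? %s (both in %s)\n' \
    "$(needs_route 10.1.2.3 10.200.2.3 255.0.0.0)" "$(network_of 10.1.2.3 255.0.0.0)"
printf '255.255.255.0 = %s = %s\n' "$(mask_to_hex 255.255.255.0)" "$(mask_to_bin 255.255.255.0)"
```

Because the test is a bit operation, it works for any mask, not only the class A/B/C ones: a /26 (255.255.255.192) splits a class C range into four networks, and needs_route gives the right answer for it without a class table.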

Tracking Let's say I sent an e-mail to Mo and I wanted assurance that he has read it. E-mail itself is a datagram; there is no receipt in the protocol. In the message, tools do this for you: put an image reference that does not require a click and that fetches from a server for recording.

Tracking This can be a servlet that returns a graphic. When the e-mail is read, the servlet is called (it has to show the graphic). While serving the graphic, it records the fact that the e-mail was read.

Fingerprinting Lab Tell me what I am running at (host elided on the slide) by using nmap. Tell me what hosts on your subnet are running, by using nmap.

Review and Talk About Today Discretionary Access Control Go through nmap DAC – Step by Step lab. For nmap – two videos from youtube.

DAC Why do we care how this works? The Unix paradigm is everywhere. Old-timers like Scott remember Unix with no user-management commands, so we manually modified two files, /etc/group and /etc/passwd, and that directly changed the behavior. Ubuntu/Debian, Fedora/RedHat... they have different commands, but they all modify /etc/group and /etc/passwd.

Commands We have useradd, groupadd, umask, chmod, chown --- five commands to do all of it. 1) Groups first. Each user needs a private group, which means the group name is the same as the username, so you need one of these per user, plus one shared group.
groupadd dhoward
groupadd snash
groupadd lakers

What Happened Here? We have two new Lakers as we move towards our 17th NBA Championship, Dwight Howard and Steve Nash. So if we wish to add them we need to add the private groups first. Next we need a shared group... lakers. How do we check this? We can do a tail /etc/group:
dhoward:x:1004:
snash:x:1005:
lakers:x:1006:

What do We do Next Create the users with useradd -g (private group) -G (shared group):
useradd snash -g snash -G lakers
useradd dhoward -g dhoward -G lakers

What Happened tail /etc/group
dhoward:x:1004:
snash:x:1005:
lakers:x:1006:snash,dhoward
dhoward and snash are private groups. The group lakers has two supplementary members, snash and dhoward.

What do we do Next? Create a shared area on disk. Go to /opt and create a directory called seventeen. In there I want to share files.
mkdir /opt/seventeen
cd /opt/seventeen
ls -al
total 8
drwxr-xr-x 2 root root 4096 Sep 11 09:31 .
drwxr-xr-x 4 root root 4096 Sep 11 09:31 ..

drwxr-xr-x 2 root root 4096 Sep 11 09:31 . What is wrong with this? The group cannot write to it. That is wrong because we want the group to share it. Why did it default to 755 for permissions? Directories start from rwx rwx rwx (777); masking off 022 leaves 755, which implies a umask of 022. Umask, as the name implies, is a mask: the bits set in it are the 0's in the permissions at file creation.
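The umask arithmetic from this slide, plus the repair for the shared directory, as an added example that is not part of the lecture. It works in a temporary directory, so it needs neither root nor a real lakers group; the chgrp step is noted but not performed.

```python
# Added example (not from the slides): show how the umask removes bits at
# creation time, and the fix for a shared group directory like /opt/seventeen.
# Works in a temporary directory, so no root and no real 'lakers' group needed.
import os
import stat
import tempfile

def mode_after_umask(default: int, umask: int) -> int:
    """The umask bits are the 0's: clear them from the default mode."""
    return default & ~umask & 0o777

def perms_string(mode: int) -> str:
    """Render the low nine bits the way 'ls -al' does, e.g. rwxr-xr-x."""
    return "".join(c if mode & (1 << (8 - i)) else "-"
                   for i, c in enumerate("rwxrwxrwx"))

def dir_perms(path: str) -> int:
    """Permission bits of a directory as the kernel stored them."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o777

def make_dir_with_umask(parent: str, name: str, umask: int) -> str:
    """mkdir under the given umask; umask is process-wide, so restore it."""
    old = os.umask(umask)
    try:
        path = os.path.join(parent, name)
        os.mkdir(path)            # the kernel applies 0o777 & ~umask
        return path
    finally:
        os.umask(old)

def make_group_shared(path: str) -> None:
    """Fix the 755 default: group gets write, and setgid keeps new files in
    the directory's group (chgrp lakers /opt/seventeen is the other step)."""
    os.chmod(path, 0o2775)

def run_demo(umask: int) -> tuple:
    """Return (permissions right after mkdir, permissions after the fix)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = make_dir_with_umask(tmp, "seventeen", umask)
        before = dir_perms(path)
        make_group_shared(path)
        return before, dir_perms(path)

if __name__ == "__main__":
    before, after = run_demo(0o022)
    print(f"umask 022 mkdir: {perms_string(before)} ({before:o})")  # rwxr-xr-x (755)
    print(f"chmod 2775:      {perms_string(after)} ({after:o})")    # rwxrwxr-x (775)
```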

What Do We Have Here POSIX-compliant Discretionary Access Control. It comes out of the box: no add-on packages, no recompiles, and it is constant protection. We say Linux, out of the box, is C2 capable. We say it is capable; why?

C2 Capable Anyone can take a C2 system and make it D. If you have a group account and multiple people log in using the same account, you are now at D. PL3, PL3+ … C1, C2. PL3 = C2. PL3+ = B1.

Passive Encryption vs. Active Read the Orange Book; there are standards that say passivated data must be encrypted (B1...). We largely do not do this. Is this good or bad, and why?

Encrypting Passivated Data is Good It handles the case of the disk falling into the wrong hands. One could argue for encrypting a laptop hard drive. Tiered security: encryption at the transmission level and at the storage level.

Encrypting Passivated Data is Bad 1) We typically do not guard against physical access: guns, guards, gates. 2) What if you lose the key? 3) None of our tools run on encrypted data. So if you have encrypted data in a MySQL table, you have to write the encryption/decryption layer, so the cost of software development goes up dramatically.

Reasonable Compromise The highest-risk data is encrypted, which means laptop data is encrypted. Why? No penalty, and you are much more likely to lose a laptop than to have a bad person grab control of your machine. This is where we are today.

Fingerprinting We want to see what is on our network. If you are bad, then you are looking for easy things. We want to make sure we are not one of those easy things. So for bad people, fingerprinting is a way to find easy systems to crack. For security professionals, it is a way to harden our systems.

Best Practices Only SSH login, and only with a private key. Open ports: 22 (private key only) and 443. This is for externally facing servers. So how do we find out?

How Do We Fingerprint Command: telnet host port. Then send it commands. Then learn what's running by parsing the results of those commands.
telnet 80
Trying
HEAD
Apache/ (Ubuntu) Server at localhost Port 80

Instead Of Telnet to a port, write a socket-level program. Ping:
ping
PING ( ) 56(84) bytes of data.
64 bytes from pool bltmmd.fios.verizon.net ( ): icmp_req=1 ttl=52 time=24.7 ms

We Use Nmap What is good about Nmap? Price: free. Runs on every system. Around a long time, so stable. De facto standard. Does a lot of things.

nmap We can see what systems are up on a subnet. We can see what ports are open. We can see what tools are running on the open ports. We don't have to fool around with TCP/IP.

Two Movies on nmap Let's watch two youtube videos on nmap.

Lab Tell me what is running on my machine. Do it two ways. First, telnet to port 80 and send HEAD. Telnet 80 www.scottstreit.com – HEAD. Then do an nmap on my box. Tell me what is running. Tell me what hosts are up on our 10. subnet. Use your BackTrack instance. Google it.

Let's Simulate nmap
telnet 80
Trying
Connected to
Escape character is '^]'.
head
501 Method Not Implemented
Method Not Implemented
head to /index.html not supported.
Apache/ (Ubuntu) Server at localhost Port 80
Connection closed by foreign host.
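The telnet-and-HEAD check from the "How Do We Fingerprint" slide and the session above, done as the socket-level program the "Instead Of" slide mentions. This is an added example, not code from the lecture; the reply parser is separate so it can be run on a saved response, and the sample reply below is constructed to mirror the slide (the Apache version is a placeholder). Use it against your own externally facing servers to see what banner they give away.

```python
# Added example (not from the slides): the telnet-and-HEAD check done as a
# socket program, with the response parser separated so it can be run on a
# saved reply. The sample reply below is constructed to mirror the slide.
import socket


def parse_http_response(raw: bytes) -> dict:
    """Return status code, reason and a lower-cased header map from a reply."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    version, code, reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers}


def server_banner(raw: bytes) -> str:
    """What the slide wants: the Server header, or a note when it is hidden."""
    return parse_http_response(raw)["headers"].get("server", "<no Server header>")


def head_request(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send HEAD (uppercase; HTTP methods are case-sensitive, which is why the
    slide's lowercase 'head' drew a 501) and return the raw reply."""
    req = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed reply in the shape of the slide's Apache output (the version
# string is a placeholder, not taken from the lecture).
SAMPLE_REPLY = (b"HTTP/1.1 501 Method Not Implemented\r\n"
                b"Date: Tue, 11 Sep 2012 09:31:00 GMT\r\n"
                b"Server: Apache/X.Y.Z (Ubuntu)\r\n"
                b"Connection: close\r\n"
                b"\r\n<html>...</html>")

if __name__ == "__main__":
    print(server_banner(SAMPLE_REPLY))   # Apache/X.Y.Z (Ubuntu)
    # Against your own host: print(server_banner(head_request("localhost")))
```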