SANS Technology Institute - Candidate for Master of Science Degree
Covering the Tracks on Mac OS X
Charlie Scott, November 2010 (GIAC GSEC Gold, GCIH Gold, GCPM)

Presentation transcript:

Slide 1: Covering the Tracks on Mac OS X
Charlie Scott, November 2010
GIAC GSEC Gold, GCIH Gold, GCPM

Slide 2: Objective
Apply "Covering the Tracks" from "Hacker Techniques, Exploits, and Incident Handling" to Mac OS X.
Demonstrate unique ways an attacker might hide files in Mac OS X.
Discuss the challenges of Mac OS X's unique log files.
Show how to identify some of the techniques in this presentation.

Slide 3: Hiding Files from the Command Line
Dot, dot-dot-space, and triple-dot names all work:
$ mkdir .tmpx
$ echo hidden data > ".. "
$ echo more hidden data > "..."

Slide 5: Hiding Files from the Finder: SetFile
Dot-dot files are hidden from the command line, but not from the Finder.
Use SetFile from the install DVD to make them invisible in the Finder.
Modify the "v" (invisible) attribute:
$ SetFile -a V ".. "

Slide 6: Hiding Files from the Finder
Dot-dot files are not hidden from the Finder!
Use SetFile from the install DVD.
Modify the "v" (invisible) attribute:
$ SetFile -a V ".. "

Slide 7: Hiding Files from the Finder: xattr
Using xattr is another option.
The com.apple.FinderInfo attribute controls Finder visibility (and other things).
Benefit of xattr: it comes standard; you don't need the developer tools.

Slide 8: Who Looks in the Trash?
The /.Trashes folder temporarily stores files deleted by users.
Interesting permission set: d-wx-wx-wt
Anyone can write to this directory. The creator of a file in this directory can modify, execute, or delete it, but not read it; nobody but root can read it.

Slide 10: Editing Log Files
The attacker is primarily concerned about:
- system.log: notices, kernel debug, login
- secure.log: authentication and authorization
You must stop and restart syslogd to modify them. OS X uses the launchctl command to stop and start services.

Slide 12: The ASL Database
Syslog also logs to the Apple System Log (ASL):
- /var/log/asl.db, a binary file, on Leopard
- /var/log/asl, a directory of binary files, on Snow Leopard
A lot of duplication exists between the .log text files and the ASL database, so an attacker needs to hit both.

Slide 13: The syslog Tool
In 10.5 the syslog tool prunes ASL database entries.
syslogd must be shut down for pruning.
Use the "-db", "-p" and "-k" switches with a key/value expression.
Prune based on service, process ID, host, time, and other keys.

Slide 14: Examples of Removing ASL Entries with syslog
Remove all sshd entries:
# syslog -db -p -k Sender sshd
Remove all authentication entries:
# syslog -db -p -k Sender com.apple.SecurityServer
Remove all sudo entries:
# syslog -db -p -k Sender sudo
Remember to restart syslogd!

Slide 15: The aslmanager Tool
In 10.6, aslmanager provides some of the syslog tool's functionality.
You can delete logs based on size or age (in days).
Not likely a useful tool for intruders.

Slide 16: Identifying: The find Command
Look for hidden files and directories, e.g.:
# find / -name "..." -print
This can be automated through cron.
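As an added example (not from the slides or the author), the script below generalizes the find check on this slide to the dot-dot-space and triple-dot names from slide 3, and adds a decoder for the com.apple.FinderInfo invisible flag from slide 7. The function names and the constructed sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original presentation. Two defender-side checks
# for the file-hiding tricks the slides describe. Function names are assumed.

# Odd file names: a name made only of dots (3 or more, e.g. "...") or with
# leading/trailing whitespace (e.g. ".. "). Prints one matching path per line;
# only the last path component is tested, so a hidden directory is reported
# once, not once per child. Plain dotfiles (".tmpx") are too common to flag.
suspicious_names() {
    find "$1" -mindepth 1 -print 2>/dev/null |
        grep -E '/(\.{3,}|[[:space:]][^/]*|[^/]*[[:space:]])$'
}

# Finder "invisible" flag. com.apple.FinderInfo is 32 bytes; the 16-bit
# finderFlags field sits at byte offsets 8-9 (big-endian) and kIsInvisible is
# 0x4000, i.e. bit 0x40 of byte 8. Argument: the hex dump as printed by
# "xattr -px com.apple.FinderInfo FILE" (space-separated byte values).
# Returns 0 when the invisible bit is set, 1 otherwise.
finderinfo_is_invisible() {
    set -- $1                 # word-split the dump into one byte per argument
    [ $# -ge 9 ] || return 1  # too short to contain finderFlags
    [ $(( 0x$9 & 0x40 )) -ne 0 ]
}

# Wrapper for macOS: asks xattr for the attribute. Returns 2 when xattr is not
# available (other platforms) so callers can tell "not applicable" from "visible".
is_finder_invisible() {
    command -v xattr >/dev/null 2>&1 || return 2
    dump=$(xattr -px com.apple.FinderInfo "$1" 2>/dev/null) || return 1
    finderinfo_is_invisible "$dump"
}

# Stand-alone demo on a constructed tree in a temporary directory.
demo() {
    tmp=$(mktemp -d) && [ -n "$tmp" ] || return 1
    mkdir "$tmp/.tmpx" "$tmp/..."
    printf 'hidden data\n' > "$tmp/.. "
    printf 'normal dotfile\n' > "$tmp/.bashrc"
    suspicious_names "$tmp"
    rm -rf "$tmp"
}
demo
```

Run as root over / from cron to cover the whole filesystem; on a Mac, call is_finder_invisible on each reported path to see whether the Finder flag was set as well.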

Slide 17: Identifying: OSSEC HIDS
Host-based intrusion detection.
Integrity checking:
- Look for changes in the System, Applications, and Developer directories.
- See if /etc/asl.conf has been modified.
Rootkit detection:
- Look for hidden files and directories.
Available at

Slide 19: Summary
Attackers have unique ways to hide files on Macs.
An attacker may find removing log files on Macs challenging, but there are ways to do it.
A well-prepared sysadmin can still detect these attempts at stealth.