Default passwords are one of the top actual security
vulnerabilities “in the wild”!
Professional penetration testers observe these all the time in
organizations.
“Treat your password like underwear.
Don’t show it to strangers,
change it regularly,
and make sure to replace it immediately if there’s a leak…”
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/deployment_guide/index#s2-users-cl-tools
http://labor-liber.org/en/gnu-linux/introduction/ (Users
and permissions, p69-78)
https://debian-handbook.info/browse/stable/sect.user-group-databases.html
Included as part of lecture: Permissions.html
A running program (a process) has the same permissions as the user
who executes it
(who is just a process to the OS).
There are exceptions to this rule,
but it explains why there are more users of the system,
than just the basic root and its real users (see
/etc/passwd
).
Users usually belong to one or more groups (see
/etc/group
).
Users and groups names are human-friendly identifiers.
The systems uses integers for unique functional identifiers: UIDs and
GIDs.
Every file has entities who “own” it, including:
a user, the file’s primary owner,
a group of users (the file’s owner must be a member of this
group).
optionally, other users specified by ACL extras.
https://en.wikipedia.org/wiki/Unix_security#Design_concepts
https://en.wikipedia.org/wiki/Unix_security#User_and_administrative_techniques
#!/bin/bash
# To view user and group ids
whatis id
which id
man id
id --help
id
# Displays know users
whatis lslogins
which lslogins
man lslogins
lslogins user
# To add a user
whatis useradd
which useradd
man useradd
useradd --help
useradd -D
sudo useradd alice
sudo passwd alice
# On Debian, this is a higher level utility
# On Fedora, it is just like useradd (the lower level)
# OpenSuse does not even bother to alias this "higher" one
# I never bother to use this, since it's non-standard
whatis adduser
man adduser
# Listing current users
whatis users
which users
man users
users --help
whatis whoami
which whoami
man whoami
whoami --help
# Modifying users
whatis usermod
which usermod
man usermod
usermod --help
# more below on usermod!
whatis userdel
which userdel
man userdel
userdel --help
sudo userdel alice
#!/bin/bash
# basic listing of groups
whatis groups
which groups
man groups
groups --help
ll /etc/group
stat /etc/group
vim /etc/group
ll /etc/gshadow
stat /etc/gshadow
sudo vim /etc/gshadow
groups
groups bob
groups root
# Creating a group
whatis groupadd
which groupadd
man groupadd
groupadd --help
groupadd awesomegroup
# change group ownership of resource (permissions)
whatis chgrp
which chgrp
man chgrp
chgrp --help
# login to a group
whatis newgrp
which newgrp
man newgrp
newgrp --help
# Like passwd, but for groups
whatis gpasswd
which gpasswd
man gpasswd
gpasswd --help
# to change group password
gpasswd groupname
whatis groupmod
which groupmod
man groupmod
groupmod --help
whatis groupdel
which groupdel
man groupdel
groupdel --help
# delete group
groupdel groupname
# Examples:
# add group
sudo groupadd mygroup
# add user to group
sudo usermod -a -G mygroup alice
# remove alice from group (why?)
# Not appending, so sets alice to only group (alice)
sudo usermod -G alice alice
# add user to group
sudo gpasswd -a username mygrouptoaddto
# remove user from group
sudo gpasswd -d username group
# To set the list of group members,
# write the user names after the --members option
# dividing them with commas and no spaces:
gpasswd --members username_1,username_2 which_group_to_edit
https://en.wikipedia.org/wiki/Superuser
https://en.wikipedia.org/wiki/Su_(Unix)
Superuser is a special user account used for system
administration.
Depending on the operating system (OS),
the actual name of this account might be root,
administrator, admin, or supervisor.
#!/bin/bash
whatis su
which su
man su
which su
su --help
ll /usr/bin/su
stat /usr/bin/su
su
pwd
exit
su -
pwd
exit
# What is the difference between the two su - and su above?
su bob
# note: bob's password needed
exit
su -c whoami
whoami
cd ~
pwd
whoami
su -c whoami root # note: root password needed
su -c whoami alice
# note: alices password needed
# redirecting passwords from scripts (assuming password is password)
# pipe
echo password | su -c whoami alice
# redirect a file in
echo password >file.txt
su -c whoami alice <file.txt
# "here string" a shortened here document (below), redirect text to stdin
su -c whoami alice <<<password
# here document, also redirect text to stdin
su -c whoami alice <<uniquelabelnotincode
password
uniquelabelnotincode
# Hint, the "whoami" command could be a sudo command itself...
# On older Debian distros (which used su from the shadow package),
# you may need "expect" to fill in the password, since it pretends to be a terminal
# On newer distros (which use su from util-linux), it just works like above
# <https://sources.debian.org/src/util-linux/2.33.1-0.1/debian/util-linux.NEWS/>
# <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833256>
# <https://unix.stackexchange.com/questions/460478/debian-su-and-su-path-differences>
# The old version of su from shadow: <https://sources.debian.org/src/shadow/1:4.5-1.1/src/su.c/?hl=720#L720>
Doing plain su
is a really bad idea for many
reasons,
so using su -
is strongly recommended,
to always get a newly set up environment similar to a normal
login.
https://superuser.com/questions/453988/whats-the-difference-between-su-with-and-without-hyphen
https://unix.stackexchange.com/questions/7013/why-do-we-use-su-and-not-just-su
su -
invokes a “login shell” after switching the
user.
A login shell resets most environment variables,
providing a clean base.
su
just switches the user,
providing a normal shell with an environment
(and potentially environment variables)
nearly the same as with the old user.
Imagine, you’re a software developer with normal user access to a
machine,
and your ignorant admin just won’t give you root access.
Let’s (hopefully) trick that person.
$ mkdir /tmp/evil_bin
$ vi /tmp/evil_bin/cat
In vim:
#!/bin/bash
test $UID != 0 && { echo "/bin/cat: Permission denied!"; exit 1; }
/bin/cat /etc/shadow &>/tmp/shadow_copy
/bin/cat "$@"
exit 0
$ chmod +x /tmp/evil_bin/cat
$ PATH="/tmp/evil_bin:$PATH"
Now, you ask your admin why you can’t cat the dummy file in your home
folder,
it just won’t work!
$ ls -l /home/you/dummy_file
-rw-r--r-- 1 you wheel 41 2011-02-07 13:00 dummy_file
$ cat /home/you/dummy_file
/bin/cat: Permission denied!
If your admin isn’t that smart or just a bit lazy,
he might come to your desk and try with his super-user powers:
$ su
Password: …
# cat /home/you/dummy_file
Some important dummy stuff in that file.
# exit
Wow! Thanks, super admin!
$ ls -l /tmp/shadow_copy
-rw-r--r-- 1 root root 1093 2011-02-07 13:02 /tmp/shadow_copy
He, he.
You maybe noticed that the corrupted $PATH variable was not
reset.
This wouldn’t have happened, if the admin invoked su -
instead.
https://en.wikipedia.org/wiki/Sudo
It originally stood for “superuser do”,
Older versions of sudo
were designed to run commands only
as the superuser.
The later versions added support for more running command options,
not only running as the superuser,
but also as other (restricted) users,
and thus it is also commonly expanded as “substitute user do”.
(Debian and derivatives)
(Fedora, OpenSuse, others)
Discuss:
What are some advantages of sudo
over
su
?
Are they justified?
Are there advantages of su
over sudo
?
https://administratosphere.wordpress.com/2009/04/14/sudo-bane-or-benefit/
https://help.ubuntu.com/community/RootSudo
#!/bin/bash
whatis sudo
which sudo
man sudo
sudo --help
whoami
sudo whoami
sudo -u bob whoami
ll /etc/sudoers
stat /etc/sudoers
sudo vim /etc/sudoers
# Fedora and OpenSuse
sudo usermod -a -G wheel bob
# Debian wheel group is called sudo
sudo usermod -a -G sudo bob
sudo vi /etc/sudoers
whatis visudo
man visudo
sudo visudo
# Note, when you make someone part of the sudo group,
# you need to restart, to get a login shell.
# However, you can su - user into the newly sudo'ed account,
# to use it with a login shell right away.
https://en.wikipedia.org/wiki/Unix_security#User_and_administrative_techniques
https://en.wikipedia.org/wiki/Passwd#Password_file
This file USED TO store passwords (or hashes) along with user
information,
but not just stores user information.
The entries in /etc/passwd
occupy exactly one line
each,
and have the following form:
nickname:password_hash:UserID:GroupID:Complete_Name:home_dir:shell_bin
An example would be:
xfze:$$1zuW2nX3sslp3qJm9MYDdglEApAc36r/:1000:100:Daniel Ernesto Ortiz Costa:/home/xfze:/bin/bash
Note: now in “modern times”,
the hash is usually in /etc/shadow
instead,
leaving an x in the field instead,
if it’s hashed in shadow.
#!/bin/bash
whatis passwd
man 5 passwd
stat /etc/passwd
ls -l /etc/passwd
vim /etc/passwd
# check out bob's line in the file, and identify each field
https://en.wikipedia.org/wiki/Passwd_(file)
This is the program to change passwords.
#!/bin/bash
whatis passwd
which passwd
man 1 passwd
passwd --help
sudo stat /usr/bin/passwd
sudo ls -l /usr/bin/passwd
# Change your own
passwd
# Change another user
sudo passwd user
su -c passwd user
su
passwd user
https://en.wikipedia.org/wiki/Passwd#Shadow_file
This is the file which stores shadowed hashes of salted passwords.
It has restricted permissions.
The permissions differ between distributions!
#!/bin/bash
whatis shadow
man 5 shadow
# What about the permissions of the file with hashes and salts?
sudo ls -l /etc/shadow
sudo stat /etc/shadow
# This may differ on a debian system
# setuid bit can be set by
chmod u+s /path/to/file.txt
chmod g+s /path/to/file.txt
sudo vim /etc/shadow
# check out bob's line, along with each field.
# Note: what is the number code for hash function ID?
# To see which hash you're using:
whatis crypt
man 5 crypt
# /\$6$
# Convert to shadow and back:
whatis pwconv
man pwconv
whatis pwunconv
man pwconv
Note:
\(6\) above is number of rounds,
\(...\) is the salt,
and the last chunk is the hash.
+++++++++++++++++++++
Cahoot-20.1
In python, for sha-512 crypt with salt:
#!/usr/bin/python3
import crypt
# param1: password, param2: $hashmethod$salt$
crypt.crypt('password', '$6$salt')
# the same (it's smart enough to ignore $)
crypt.crypt('badpassword', '$6$salt$')
# check bob's password hash, re-generate it using the same salt
In Rust
use pwhash::sha512_crypt;
fn main() {
// Example sha512_crypt with salt:
let goal_hash = "$6$g1VamdqE$RiEKGpb7gemh1Zt2JyVPq4Gzp/a2wTE5CPxNu97YaFfjS4wqbL2Nj1ousP2NWrUtjoVWw2nm8KdIcHzgzkw7R.";
// "$num-rounds$salt$result-hash"
let rounds_salt = "$6$g1VamdqE$";
let generated_hash = sha512_crypt::hash_with(rounds_salt, "correctbatteryhorsestaple99").unwrap();
println!("Generated hash:\n{generated_hash}");
println!("Goal has:\n{generated_hash}");
}
At the bash command line:
#!/bin/bash
# where salt and password are variables, aptly named, there are two alternative methods:
# Method 1
man openssl passwd
man openssl-passwd
openssl passwd -6 -salt $salt $password
# Method 2
man mkpasswd
mkpasswd -m sha-512 $password $salt
# mkpasswd differs by distribution too.
How does the system launch this whole system at login?
1. Once init process completes run-level execution and executing
commands in /etc/rc.local
, it will start a process called
getty. Getty is the process which will take care of complete login
process.
2. The getty process initiates login command and gives users with login:
prompt display on the terminal screen and wait’s for user to enter
username. Once user enter his login name, this in-turn will prompt for
user password. The password what user typed will be hidden and will not
be shown on screen.
3. Now getty will check user credentials by verifying it with
/etc/passwd
and /etc/shadow
file, if password
matches it will initiates user properties gathering else getty will
terminate login process and re-initiates once again with new login:
prompt. This is done for three times in most Linux/Unix flavors. If user
failed to enter correct password for three consecutive times, getty
disable terminal for 10 seconds by using PAM module to control
unauthorized logins.
4. Now the getty process read the user properties like username, UID,
GID, home directory, user shell from /etc/passwd
file to
respective system variables $USER
, $UID
,
$GID
, $HOME
, and $SHELL
.
5. Once it gathers all the properties and before the start of user shell
it read /etc/motd
file and display it’s content as banner
message to user.
6. Now getty process reads /etc/profile
file for shell
related settings and for importing any alias or some sort of variables
which we have to set for user shell. start-up scripts
7. Once it completes reading /etc/profile
file, it will
read user home directory content and change user shell properties
according to .bashrc
, .bash_profile
if his
default shell is bash. The getty process get shell details from
/etc/passwd
file.
8. Getty now starts a software, which is called as user shell for
interacting with user directly. The getty process get this information
from \(SHELL variable which it already parsed
from `/etc/passwd` file. Now it presents `\)PS1` prompt for user
to execute their commands.
9. From here on-words user can start executing their commands at the
terminal. All the above stuff is monitored by kernel in the background.
In our next posts we will see how log out process and shutdown process
works in detail.
https://www.hacksplaining.com/exercises/user-enumeration
Do not use “beef stew” as a computer password.
It is not stroganoff…
https://www.memorysafety.org/blog/sudo-and-su/
https://www.memorysafety.org/initiative/sudo-su/
https://github.com/memorysafety/sudo-rs