Notes from CPNT-250 course at SAIT.

The approach depends on the type of incident. Areas covered include:

linux

stat

stat - display file or file system status

$ stat favicon.ico
  File: ‘favicon.ico’
  Size: 3262            Blocks: 8          IO Block: 4096   regular file
Device: fd02h/64770d    Inode: 293912      Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/      mo)   Gid: ( 1000/      mo)
Context: unconfined_u:object_r:user_home_t:s0
Access: 2016-04-10 18:40:19.631463576 -0600
Modify: 2016-04-09 08:19:50.321826875 -0600
Change: 2016-04-09 08:19:50.321826875 -0600
 Birth: -

Filesystem Hierarchy

The FHS (Filesystem Hierarchy Standard) describes the proper organization and use of the various directories found on Linux systems.

Ownership and Permissions

Ownership refers to the user and/or group that a file or directory belongs to, whereas permissions refer to the things these (and other) users can do with or to the file or directory.

Hidden Files

Files are ‘hidden’ from normal view by beginning the filename with a dot ‘.’.

$ mkdir -p ...
$ ls -a | head -n4
./
../
.../
404.mkd

In the example above, ‘.’ refers to the current directory, ‘..’ refers to the parent directory and ‘...’ refers to an actual directory we just created. This is a sneaky way to hide a directory in plain sight.

In the next example we hide a secret in a file whose name is a single space, ‘ ’.

$ echo 'secret' > ' '
$ ls -a | head -n4
 
./
../
.../

In the next example we alias ls to print control characters raw instead of replacing them with ‘?’. Then we create a filename containing a backspace character ‘\b’: the terminal acts on the backspace, so the name ‘a\bb’ is displayed as just ‘b’.

$ alias ls='ls --show-control-chars'
$ echo 'secret' > $'a\bb'
$ ls | head -n2
404.mkd
b
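
Added example, not part of these notes: a small POSIX shell script that scans a directory for the three naming tricks above (dot-only names, whitespace-only names, names containing control characters) and prints each hit with the raw bytes escaped, so a ‘b’ that is really ‘a\bb’ cannot pass as an ordinary file. The directory tree it builds is constructed for the demo; the function and reason strings are this example's own.

```sh
#!/bin/sh
# Added example (not from the course notes): scan a directory for filenames
# that use the hiding tricks shown above: names made only of dots such as
# "...", names made only of whitespace such as " ", and names containing
# control characters such as the backspace in "a\bb". Each hit is printed
# with sed -n l, which shows control characters as escapes and ends the
# line with "$", so the real bytes of the name are visible whatever the
# terminal happens to render.

# Print a reason if the name looks hidden on purpose, nothing otherwise.
classify_name() {
    case $1 in
        *[[:cntrl:]]*) echo "control character in name" ;;
        *[!.]*)
            # contains something other than dots; is it all whitespace?
            case $1 in
                *[![:space:]]*) ;;
                *) echo "whitespace-only name" ;;
            esac ;;
        *) echo "dot-only name" ;;
    esac
}

# Walk DIR (the directory itself is skipped) and report suspicious names.
# A name containing a newline would split across two lines here; use
# find -print0 with a bash "read -d ''" loop if that matters.
find_suspicious_names() {
    find "$1" -mindepth 1 | while IFS= read -r path; do
        name=${path##*/}
        reason=$(classify_name "$name")
        if [ -n "$reason" ]; then
            printf '%s\t' "$reason"
            printf '%s\n' "$path" | sed -n l
        fi
    done
}

# Constructed sample tree: the three tricks from the notes plus a normal file.
demo_suspicious_names() {
    tmp=$(mktemp -d)
    bs=$(printf '\b')
    mkdir "$tmp/..."
    echo secret > "$tmp/ "
    echo secret > "$tmp/a${bs}b"
    echo normal > "$tmp/404.mkd"
    find_suspicious_names "$tmp"
    rm -rf "$tmp"
}

demo_suspicious_names
```

Run it against a real directory with find_suspicious_names /path; the demo only exists to show the three expected hits and that 404.mkd is left alone.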

User Accounts

Begin looking for information on user accounts in /etc/passwd. It contains a list of users and the full path to their home directory. The passwords for user accounts are generally stored in the /etc/shadow file.

username : hashed password (deprecated) : user id : group id : comment : home dir : shell

$ cat /etc/passwd | head -n1
root:x:0:0:root:/root:/bin/bash

The /etc/group file has a format similar to /etc/passwd.

group name : group password hash : group id : csv of group members

$ cat /etc/group | head -n1
root:x:0:

/etc/shadow contains the hashed user passwords. A ‘*’ or ‘!!’ in the password field means no password can be used to log in; these are normally daemon accounts, which are not user accounts and should never need to log in. If any daemon account has a real hash in its password field, it should be investigated.

$ sudo cat /etc/shadow
daemon:*:16232:0:99999:7:::
sssd:!!:16775::::::
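
Added example, not part of these notes: a POSIX shell function that audits copies of /etc/passwd and /etc/shadow for the checks described above. It reports any non-root account with UID 0, any nologin/false account whose shadow entry still carries a usable hash, and any hash sitting in the deprecated password field of /etc/passwd. The sample files and their hash strings are constructed placeholders; the function names and finding labels are this example's own.

```sh
#!/bin/sh
# Added example (not from the course notes): audit copies of /etc/passwd and
# /etc/shadow for the conditions described above. Findings, one per line:
#   uid0              an account other than root with user id 0
#   daemon-with-hash  a nologin/false account whose shadow entry has a usable hash
#   hash-in-passwd    a hash sitting in the deprecated passwd password field
# A shadow hash that is empty, "*", or starts with "!" (e.g. "!!") cannot be
# used to log in, so it is not counted as usable.

# audit_accounts PASSWD_FILE SHADOW_FILE
audit_accounts() {
    awk -F: '
        # first file (shadow): remember the hash field for each user
        NR == FNR { hash[$1] = $2; next }
        # second file (passwd): user:pw:uid:gid:comment:home:shell
        {
            user = $1; pw = $2; uid = $3; shell = $7
            h = (user in hash) ? hash[user] : ""
            usable = (h != "" && h != "*" && h !~ /^!/)
            if (uid == 0 && user != "root")
                printf "uid0\t%s\tshell=%s\n", user, shell
            if (shell ~ /(nologin|false)$/ && usable)
                printf "daemon-with-hash\t%s\tshell=%s\n", user, shell
            if (pw != "x" && pw !~ /^[*!]*$/)
                printf "hash-in-passwd\t%s\n", user
        }' "$2" "$1"
}

# Constructed sample files: the hashes are placeholders, not real digests.
demo_audit_accounts() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sssd:x:995:993:User for sssd:/:/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
mo:x:1000:1000:mo:/home/mo:/bin/bash
toor:x:0:0:toor:/root:/bin/bash
svc:$6$salt$CONSTRUCTEDHASH:1001:1001:service:/var/svc:/bin/sh
EOF
    cat > "$tmp/shadow" <<'EOF'
root:$6$salt$CONSTRUCTEDHASH:16232:0:99999:7:::
daemon:*:16232:0:99999:7:::
sssd:!!:16775::::::
backup:$6$salt$CONSTRUCTEDHASH:16775:0:99999:7:::
mo:$6$salt$CONSTRUCTEDHASH:16775:0:99999:7:::
toor:$6$salt$CONSTRUCTEDHASH:16775:0:99999:7:::
EOF
    audit_accounts "$tmp/passwd" "$tmp/shadow"
    rm -rf "$tmp"
}

demo_audit_accounts
```

On a live system run it as root (sudo audit_accounts /etc/passwd /etc/shadow) since /etc/shadow is not readable by ordinary users; on an image, point it at the mounted copies.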

Shell History

The default shell in most Linux distributions is the Bourne Again Shell (BASH). Commands typed in shell sessions will usually be stored in a file in the user's home directory called ‘.bash_history’.

Logs

Most logs are stored in clear text, with a single line per event.

/var/run/utmp: holds information about active system logons.

$ last -f /var/run/utmp
mo       pts/0        :0               Sat Apr  9 10:17   still logged in
mo       :0           :0               Sat Apr  9 10:17   still logged in
reboot   system boot  4.5.0-1.el7.elre Sat Apr  9 10:17 - 20:35 (1+10:18)

utmp begins Sat Apr  9 10:17:00 2016

/var/log/wtmp: stores logon information long term.

$ last -f /var/log/wtmp  | head -n 5
mo    pts/0        :0               Sat Apr  9 10:17   still logged in   
mo    :0           :0               Sat Apr  9 10:17   still logged in   
(unknown :0           :0               Sat Apr  9 10:17 - 10:17  (00:00)    
reboot   system boot  4.5.0-1.el7.elre Sat Apr  9 10:17 - 20:38 (1+10:21)   
mo    pts/0        :0               Sat Apr  9 10:16 - 10:16  (00:00)

lastlog is a binary log file that stores the last logon time and remote host for each user on the system.

$ lastlog | grep mo
daemon                                     **Never logged in**
mo             :0                        Sat Apr  9 10:17:23 -0600 2016

Processes

ps - report a snapshot of the current processes. ‘ps auxf’ lists every process with its owning user and draws the parent/child tree (the ‘\_’ markers), which shows which shell started what.

$ ps auxf ax | tail -n10
mo     3315  0.0  0.1  34116 14932 ?        Ss   Apr09   1:25 tmux
mo     3316  0.0  0.0 117208  5272 pts/1    Ss   Apr09   0:00  \_ -bash
mo     9533  0.5  0.2 790752 26568 pts/1    Sl+  18:13   0:54  |   \_ mplayer http://relay1.dubstep.fm
mo     9534  0.1  0.0 651204  7976 pts/1    S+   18:13   0:10  | \_ mplayer http://relay1.dubstep.fm
mo     9763  0.0  0.0 117332  5580 pts/2    Ss   18:14   0:00  \_ -bash
mo     9906  1.4  0.1 168588 22856 pts/2    S+   18:14   2:17  |   \_ vim
mo    13575  0.0  0.0 117408  5888 pts/3    Ss   19:18   0:01  \_ -bash
mo    19003  0.0  0.0 151424  4224 pts/3    R+   20:47   0:00      \_ ps auxf ax
mo    19004  0.0  0.0 107944  1844 pts/3    S+   20:47   0:00      \_ tail -n10
mo     3863  0.0  0.0 180940  4820 ?        Sl   Apr09   0:00 /usr/libexec/dconf-service

Network Connections

netstat -tulpn

$ netstat -tunlp | head -n 5
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:17600         0.0.0.0:*               LISTEN      2981/dropbox
tcp        0      0 127.0.0.1:17603         0.0.0.0:*               LISTEN      2981/dropbox
tcp        0      0 0.0.0.0:902             0.0.0.0:*               LISTEN      -

lsof - list open files

$ lsof -i:17600
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dropbox 2981 mo      97u  IPv4  32441      0t0  TCP localhost:17600 (LISTEN)
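
Added example, not part of these notes: a POSIX shell function that triages netstat -tunlp output the way you would when working through the two commands above. It drops loopback-only listeners, reports everything bound to a reachable address, and flags a ‘-’ owner (what netstat shows when it is not run as root) with the lsof -i:PORT follow-up. The netstat text it reads is constructed after the sample above, with a few extra lines (an IPv6 sshd listener and two udp sockets) added so the parser has to cope with the missing State column on udp rows.

```sh
#!/bin/sh
# Added example (not from the course notes): triage the output of
# netstat -tunlp. Loopback-only listeners are dropped; everything bound to a
# reachable address is reported, and a "-" owner (the case netstat warns
# about when not run as root) is called out so it can be rerun as root or
# checked with lsof -i:PORT. udp lines have no State column, so the owner is
# taken from the last field rather than a fixed column.

# triage_listeners < netstat_output  -> proto, address, port, owner per line
triage_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            # split "addr:port" on the last colon so IPv6 forms like :::22 work
            n = split($4, a, ":"); port = a[n]
            ip = substr($4, 1, length($4) - length(port) - 1)
            if (ip == "127.0.0.1" || ip == "::1") next
            owner = $NF
            if (owner == "-")
                owner = "unknown (rerun as root or use lsof -i:" port ")"
            printf "%s\t%s\t%s\t%s\n", $1, ip, port, owner
        }'
}

# Constructed sample modelled on the netstat output shown in the notes.
demo_triage_listeners() {
    triage_listeners <<'EOF'
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:17600         0.0.0.0:*               LISTEN      2981/dropbox
tcp        0      0 0.0.0.0:902             0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      1187/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
udp        0      0 127.0.0.1:323           0.0.0.0:*                           912/chronyd
EOF
}

demo_triage_listeners
```

On a live host pipe the real command in: sudo netstat -tunlp | triage_listeners. Running it as root is what turns the ‘-’ owners into PID/program names.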

crontab - maintains crontab files for individual users.

$ crontab -l
no crontab for mokha

windows
