12. • 1945 - ENIAC (1st* Large-Scale General Purpose Computer)
• 1964 - Multics (Multiplexed Information and Computing
Service) developed by MIT, GE and Bell Labs
• 1969 - Ken Thompson & Dennis Ritchie and others start on
what would become Unix
• 1971 - UNIX was developed for the PDP-11/20 written in
Assembly
• 1973 - UNIX was completely rewritten in C
• 1978 - BSD is Released
• 1982 - AT&T’s UNIX Support Group (USG) releases System III, the first
public release outside Bell Labs
#> history
13. • 1982 - SunOS 1.0, HP-UX, Ultrix-11
#> history
22. • Morris Worm (1988)
• targeted sendmail, finger, rsh/rexec, weak passwords
• Written by: Robert Tappan Morris @ Cornell University
#> apropos "Morris Worm"
23. /etc/passwd
<username>:<encrypted password>:<UID>:<GID>:<full name>:<home dir>:<shell>
<encrypted password> = crypt(plaintext password)
crypt() originally used DES (25 rounds, with a 12-bit salt: 0-4095)
salt selected based on the time of day
salt converted to a 2-character string and prepended to the encrypted password
Improvements:
• /etc/shadow (hashes moved out of the world-readable passwd file, readable only by root)
• crypt() -> md5crypt ($1$), sha256crypt ($5$), sha512crypt ($6$), bcrypt ($2b$); the prefix tells you which one you are looking at
#> cat /etc/passwd
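Added example, not from the slides or the speakers' tooling: a small POSIX shell audit of the passwd(5) and shadow(5) formats described above. It classifies each hash by its prefix (a 13-character value with no "$" is the legacy DES form, salt in the first two characters), flags accounts with an empty password field, extra UID-0 accounts, and hashes still living in the world-readable passwd file. The function names are mine, and the sample account data is constructed; the hash strings only have the right shape and are not real hashes. On a live host run the functions against /etc/passwd and /etc/shadow (the latter needs root).

```shell
#!/bin/sh
# Added example: audit passwd/shadow entries for the weaknesses described above.
# Sample data below is constructed; hash values are shaped like real ones but are not.

# Classify a crypt(3) hash by its prefix. Modern formats carry a "$id$" prefix;
# a 13-character value with no "$" is legacy DES crypt, whose first two
# characters are the (4096-value) salt.
hash_type() {
    case "$1" in
        '')                       echo "EMPTY (no password required)" ;;
        '!'*|'*'*)                echo "locked" ;;
        '$1$'*)                   echo "md5crypt" ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo "bcrypt" ;;
        '$5$'*)                   echo "sha256crypt" ;;
        '$6$'*)                   echo "sha512crypt" ;;
        '$y$'*|'$7$'*)            echo "yescrypt/scrypt" ;;
        *)  if [ "${#1}" -eq 13 ]; then
                echo "DES (salt=$(printf '%s' "$1" | cut -c1-2))"
            else
                echo "unknown"
            fi ;;
    esac
}

# passwd(5) on stdin: flag extra UID-0 accounts, empty password fields, and
# hashes still stored in the world-readable file instead of /etc/shadow.
audit_passwd() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$user" in ''|'#'*) continue ;; esac
        if [ "$uid" = "0" ] && [ "$user" != "root" ]; then
            echo "FINDING: $user has UID 0 (additional superuser)"
        fi
        case "$pw" in
            '')             echo "FINDING: $user has an empty password field" ;;
            x|'*'|'!'|'!!') ;;   # hash is in /etc/shadow, or account is locked
            *)              echo "FINDING: $user hash in passwd ($(hash_type "$pw"))" ;;
        esac
    done
}

# shadow(5) on stdin: flag empty, DES and md5crypt hashes.
audit_shadow() {
    while IFS=: read -r user hash rest; do
        case "$user" in ''|'#'*) continue ;; esac
        t=$(hash_type "$hash")
        case "$t" in
            EMPTY*|DES*|md5crypt) echo "FINDING: $user uses $t" ;;
            *)                    echo "ok: $user uses $t" ;;
        esac
    done
}

# Constructed sample data (not from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:Nl2l1.BqZrSsI:1001:1001:Old Account:/home/legacy:/bin/sh
toor:x:0:0:backup root:/root:/bin/bash
guest::1002:1002:Guest:/home/guest:/bin/sh'

SAMPLE_SHADOW='root:$6$saltsalt$notarealhashvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$1$abcdefgh$notarealhash:19000:0:99999:7:::
bob:ab9fZ1QqL0jKs:19000:0:99999:7:::
guest::19000:0:99999:7:::'

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

On the sample data the passwd pass reports legacy (DES hash in passwd), toor (second UID 0) and guest (empty field); the shadow pass reports alice (md5crypt), bob (DES) and guest (empty). A DES or md5crypt hash is the signal to push the host to an offline cracker first, since both are cheap to attack compared with sha512crypt or bcrypt.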
33. • Who am I? Who else is logged in? Who are superusers?
• What info do I have access to? What can I do?
• Where can I go?
#> cat enum.txt
34. uname -a - Current kernel version
env - Current environment variables
pwd - Current directory
whoami - Current user
history - Command history for the current shell session
cat ~/.bash_history - Saved bash history (other users' history files too, if readable)
sudo -l - Commands you can run via sudo
cat /etc/sudoers - Who is in the sudoers file (normally readable only by root; sudo -l works without it)
cat /etc/passwd - Additional users (look for UID 0 entries and accounts with a real login shell)
#> cat example.txt
37. Searchsploit is a command line search tool for Exploit-DB that also allows you to
take a copy of Exploit Database with you, everywhere you go.
SearchSploit gives you the power to perform detailed off-line searches through
your locally checked-out copy of the repository.
#> searchsploit -h
38. SUID (Set owner User ID upon execution) is a special type of file permission
given to a file. Normally in Linux/Unix when a program runs, it inherits the access
permissions of the user who started it. With SUID set, the program instead runs with
the effective UID of the file's owner rather than that of the user who runs it
(SGID does the same for the owning group's GID).
In simple words: a setuid-root binary runs as root for whoever executes it, so any
bug or feature in that binary that lets the caller run commands or read and write
arbitrary files is a direct path to root.
#> find / -perm /4000 -ls
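Added example, not from the slides: the find command above lists every setuid file, but on a stock host most of those are expected (passwd, sudo, su and friends). The useful question is which ones are not expected. The functions below (names and the baseline list are mine) enumerate setuid and setgid regular files under a root and print the ones absent from a known-good baseline; the sample tree is constructed in a temp dir with chmod, nothing on the host is touched. Note that "-perm /4000" on the slide means "any of these bits" and "-perm -4000" means "all of these bits", which is the same test when only one bit is given.

```shell
#!/bin/sh
# Added example: list setuid/setgid files and report those outside a baseline.
# The sample tree is built in a temp dir; on a live host:
#   find_special / | unexpected_special

# Known-good setuid/setgid binaries for this (hypothetical) build. On a real
# host, generate this from a reference install or the package manager
# (dpkg -S / rpm -qf) rather than by hand.
BASELINE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su'

# Regular files below $1 with the setuid (4000) or setgid (2000) bit set.
find_special() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Paths on stdin; print those not in BASELINE. $1 is an optional prefix to
# strip (the temp dir in this example).
unexpected_special() {
    prefix="${1:-}"
    while IFS= read -r p; do
        rel="${p#"$prefix"}"
        printf '%s\n' "$BASELINE" | grep -qxF -- "$rel" || echo "$rel"
    done
}

# Constructed sample tree: three expected setuid files, one dropped in a hidden
# /tmp directory, one setgid helper, and one ordinary binary.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/local/bin" "$root/tmp/.x"
    for f in usr/bin/passwd usr/bin/sudo usr/bin/su usr/bin/ls \
             usr/local/bin/helper tmp/.x/backdoor; do
        : > "$root/$f"
        chmod 0755 "$root/$f"
    done
    chmod u+s "$root/usr/bin/passwd" "$root/usr/bin/sudo" "$root/usr/bin/su" \
              "$root/tmp/.x/backdoor"
    chmod g+s "$root/usr/local/bin/helper"
    echo "$root"
}

ROOT=$(make_sample_tree)
echo "unexpected setuid/setgid files:"
find_special "$ROOT" | unexpected_special "$ROOT"
rm -rf "$ROOT"
```

On the sample tree only /tmp/.x/backdoor and /usr/local/bin/helper are reported. Anything setuid under /tmp, a home directory or a hidden directory deserves an immediate look; anything setuid that the package manager does not own is the next thing to check.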
44. • https://initblog.com/2019/dirty-sock/
• A privilege escalation vulnerability in default installations of Ubuntu Linux. This
was due to a bug in the ‘snapd’ API, a default service. Any local user could
exploit this vulnerability to obtain immediate root access to the system.
• Affects snapd versions < 2.37.1
#> apropos DirtySock
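Added example, not from the slides or the dirty_sock write-up: the slide gives a clean "affects versions < 2.37.1" boundary, so the first thing to check on a target is the installed snapd version. The helper below (function names and the sample "snap version" output are mine; the sample is constructed) does a numeric dotted-version comparison in awk rather than a string compare, so 2.35.5 is correctly below 2.37.1 and an Ubuntu-style suffix such as 2.35.5+18.04 still compares on its numeric parts. The same helper works for any "fixed in version X" advisory, with one caveat: distribution kernels and many distro packages backport fixes without changing the upstream version number, so for those compare against the distro's own advisory, not the upstream version.

```shell
#!/bin/sh
# Added example: is the installed snapd older than the fixed release?

# Fixed release from the slide (CVE-2019-7304 / dirty_sock).
DIRTY_SOCK_FIXED=2.37.1

# version_lt A B: exit 0 when A < B, comparing dotted components numerically.
# Non-numeric suffixes ("5+18" or "5ubuntu1") compare on their numeric prefix.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Read "snap version" output on stdin, extract the snapd line and compare.
# Returns 0 when vulnerable, 1 when patched, 2 when snapd is not listed.
check_snapd() {
    v=$(awk '$1 == "snapd" { print $2 }')
    if [ -z "$v" ]; then
        echo "snapd not found in input"
        return 2
    fi
    if version_lt "$v" "$DIRTY_SOCK_FIXED"; then
        echo "snapd $v: VULNERABLE (< $DIRTY_SOCK_FIXED)"
        return 0
    fi
    echo "snapd $v: patched (>= $DIRTY_SOCK_FIXED)"
    return 1
}

# Constructed sample of "snap version" output from an unpatched host.
SAMPLE_SNAP_VERSION='snap    2.35.5+18.04
snapd   2.35.5+18.04
series  16
ubuntu  18.04
kernel  4.15.0-43-generic'

printf '%s\n' "$SAMPLE_SNAP_VERSION" | check_snapd
```

On a live host: snap version | check_snapd. The snapd socket is at /run/snapd.socket; the version check tells you whether it is worth looking further, the write-up linked on the slide explains the rest.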
49. Contact Us!
Adam L. Compton
@tatanus
www.hillbillystorytime.com
www.youtube.com/hillbillstorytime
adam.comptom@gmail.com
adam.compton@trustedsec.com
David R. Boyd
@fir3d0g
www.twitch.tv/fir3d0g
fir3d0g
techboyd@gmail.com
david.boyd@trustedsec.com
Editor's Notes
Welcome to our talk.
Hopefully you are here for “Unix: The Other White Meat”…. If not, um…. Just stay anyway please?
So, let's get started…
1945 - ENIAC (1st* Large-Scale General Purpose Computer)
1964 - Multics (Multiplexed Information and Computing Service) developed by MIT, GE and Bell Labs
1969 - Ken Thompson & Dennis Ritchie and others start on what would become Unix
1971 - UNIX was developed for the PDP-11/20 written in Assembly
Interesting Note: The original name was proposed to be “Unics (Uniplexed Information and Computing Service)“
1973 - UNIX was completely rewritten in C
1978 - BSD is Released
1982 - AT&T’s UNIX Support Group (USG) releases System III, the first public release outside Bell Labs
SunOS 1.0 shipped, HP-UX is introduced and Ultrix-11 is introduced
1982 - SunOS 1.0 shipped, HP-UX is introduced and Ultrix-11 is introduced
1986 - AIX
1987 - IRIX
1991 - Solaris 1.0 ships and Linus Torvalds starts on Linux 0.01
1995 - Digital Unix
1999 - Tru64
2001 - Mac OS X 10.0 released
Show Family Tree
Historical issues and Vulnerabilities
Keep in mind that UNIX, like so many other early operating systems, was not designed with security in mind. It was intended to be open-ish. Sure, it eventually implemented passwords and file permissions, but they were not taken overly seriously until sometime around 2000.
Nov 2, 1988
Launched from a computer at MIT
Roughly 1 time in 7 it skipped its check for an already-running copy and re-infected the host anyway, which is why infected machines filled up with worm processes.
The worm obtains host addresses by examining the system tables /etc/hosts.equiv and /.rhosts, user files like .forward and .rhosts, dynamic routing information produced by the netstat program, and finally randomly generated host addresses on local networks.
Penetration of a remote system can be accomplished in any of three ways. The worm can take advantage of a bug in the finger server that allows it to download code in place of a finger request and trick the server into executing it. The worm can use a "trap door" in the sendmail SMTP mail service, exercising a bug in the debugging code that allows it to execute a command interpreter and download code across a mail connection. If the worm can penetrate a local account by guessing its password, it can use the rexec and rsh remote command interpreter services to attack hosts that share that account.
It would randomly fork to avoid staying on any given PID for too long, and it rewrote its argument list so it showed up in the process list as just “sh”.
If its remote connections started to fail, it deleted itself.
EXPLOITS:
rsh/rexec
RCE in fingerd (stack buffer overflow: the request line was read with gets() into a fixed-size buffer)
DEBUG feature in sendmail allowed for RCE
Weak passwords
Permission bits: owner / group / other, each with r (read), w (write), x (execute)
SETUID: chmod u+s <file> (runs with the file owner's UID)
SETGID: chmod g+s <file> (runs with the file's group; on a directory, new files inherit that group)
STICKY: chmod o+t <dir>
With the sticky bit on a directory, only a file's owner, the directory's owner, or root can rename or delete that file
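Added example, not from the talk: the three special bits applied with chmod and read back from ls -l, plus the check that follows from the sticky-bit rule above: a world-writable directory without the sticky bit lets any user delete or rename anyone else's files there, which is the setup for the classic /tmp symlink and race attacks. Function names are mine; everything happens in a temp dir and nothing on the host is modified. In the mode string a lower-case "s" or "t" means the special bit plus execute, an upper-case "S" or "T" means the special bit is set but execute is not.

```shell
#!/bin/sh
# Added example: apply the special bits and read them back, then look for
# world-writable directories that lack the sticky bit. Temp dir only.

# First ten characters of ls -l: file type plus the rwx triplets.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# chmod one special bit (u+s, g+s or o+t) and return the new mode string.
set_special() {
    chmod "$1" "$2" && mode_of "$2"
}

# World-writable directories under $1 without the sticky bit.
ww_dirs_without_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

D=$(mktemp -d)
: > "$D/prog"
chmod 0755 "$D/prog"
echo "u+s: $(set_special u+s "$D/prog")"     # -rwsr-xr-x
echo "g+s: $(set_special g+s "$D/prog")"     # -rwsr-sr-x
mkdir "$D/shared" "$D/dropbox"
chmod 0777 "$D/shared" "$D/dropbox"
echo "o+t: $(set_special o+t "$D/shared")"   # drwxrwxrwt
echo "world-writable directories without the sticky bit:"
ww_dirs_without_sticky "$D"                  # only $D/dropbox
rm -rf "$D"
```

On a live host, find / -xdev -type d -perm -0002 ! -perm -1000 is the check to run; /tmp, /var/tmp and /dev/shm should all come back with the sticky bit set.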
The .rhosts file is used with the r-commands (rlogin, rsh, etc.) and lets anyone log in to the system without a password as long as they claim to be coming from a listed hostname with a listed username; the pair is trusted as presented, not authenticated.
The file /etc/hosts.equiv contains at least one entry that allows unauthenticated remote access from certain systems based only on the IP address or hostname.
rexec 512/tcp
rlogin 513/tcp
rsh 514/tcp
~/.rhosts
<host> <user>
+ + (any user from any host)
/etc/hosts.equiv
<host> <user>
+ + (any user from any host)
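Added example, not from the talk: a grader for .rhosts and /etc/hosts.equiv entries in the "host [user]" format shown above. "+" is a wildcard in either field, a leading "-" is a deny entry, and "@name" is an NIS netgroup. In hosts.equiv a user field lets that remote user log in as any local non-root account; in ~/.rhosts it grants access to the owning account only. Function names and the sample file are mine; the sample is constructed.

```shell
#!/bin/sh
# Added example: grade the entries of a .rhosts or /etc/hosts.equiv file.
# Input on stdin; "+ +" is the entry the Morris worm and every pentester since
# has been happy to find.
audit_rhosts() {
    while read -r host user rest; do
        case "$host" in ''|'#'*) continue ;; esac
        case "$host/$user" in
            -*/*)  echo "info: deny entry ($host $user)" ;;
            +/+)   echo "CRITICAL: any user from any host ($host $user)" ;;
            +/*)   echo "HIGH: any host, user '${user:-<same name>}' ($host $user)" ;;
            */+)   echo "HIGH: any user from $host ($host $user)" ;;
            @*/*)  echo "MEDIUM: netgroup $host trusted ($host $user)" ;;
            *)     echo "LOW: host $host, user '${user:-<same name>}' ($host $user)" ;;
        esac
    done
}

# Where these files live on a host (root needed to see other users' homes).
find_rhosts_files() {
    find "$1" -xdev \( -name .rhosts -o -path '*/etc/hosts.equiv' \) -print 2>/dev/null
}

# Constructed sample, not from a real host.
SAMPLE_RHOSTS='# constructed sample
+ +
+ backup
10.0.0.5 +
10.0.0.7 alice
-badhost.example.com
@trusted-hosts'

printf '%s\n' "$SAMPLE_RHOSTS" | audit_rhosts
```

Usage on a live host: find_rhosts_files / | while read -r f; do echo "== $f"; audit_rhosts < "$f"; done. Remember that even a LOW entry is only as strong as the attacker's ability to spoof or compromise the named host, since nothing in the protocol authenticates it.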
rpcinfo -p <ip>
rusers -l <ip>
rpcinfo
rsysinfo
rusers
rsh
showmount -e <ip>
nfs
no_root_squash (remote root is not mapped to nobody: root on a client is root on the export)
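Added example, not from the talk: showmount -e only shows the export list, so the options check below runs on the server side against exports(5)-format text (or on a copy you pulled back). It flags exports mountable by everyone (an empty or "*" client), no_root_squash, and insecure (clients may connect from non-privileged ports, so any local user on a client can forge a mount). It also handles the exports(5) quirk where "/path (opts)", with a space before the parenthesis, applies the options to every client. Function names and the sample file are mine; the sample is constructed.

```shell
#!/bin/sh
# Added example: flag dangerous NFS export entries. Input on stdin.
audit_exports() {
    set -f   # client fields contain "*": stop the shell from glob-expanding them
    while read -r path clients; do
        case "$path" in ''|'#'*) continue ;; esac
        for c in $clients; do
            host="${c%%\(*}"
            opts=""
            case "$c" in *\(*\)) opts="${c#*\(}"; opts="${opts%\)}" ;; esac
            findings=""
            case "$host" in ''|'*') findings="$findings world-mountable" ;; esac
            case ",$opts," in
                *,no_root_squash,*) findings="$findings no_root_squash(remote-root-keeps-uid-0)" ;;
            esac
            case ",$opts," in
                *,insecure,*) findings="$findings insecure(any-source-port)" ;;
            esac
            if [ -n "$findings" ]; then
                echo "FINDING: $path client=${host:-*} opts=[$opts]:$findings"
            else
                echo "ok: $path client=${host:-*} opts=[$opts]"
            fi
        done
    done
    set +f
}

# Constructed sample /etc/exports, not from a real host. Note the space before
# "(ro,insecure)" on the /srv/pub line: that exports it to the world.
SAMPLE_EXPORTS='# constructed sample /etc/exports
/home        10.0.0.0/24(rw,sync,root_squash)
/srv/backup  *(rw,no_root_squash)
/srv/pub     (ro,insecure)
/opt/tools   client1.example.com(ro) 10.0.0.9(rw,no_root_squash)'

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

Why no_root_squash matters for this talk: with it set, root on a client can write a setuid-root binary onto the export, and anyone on the server who can reach that path gets a root shell from it, which is exactly what the setuid enumeration earlier in the deck would turn up.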
So I need some audience participation here. During these demos you'll hear me say, "so we got a shell". As pentesters, we love doing a shell dance. So when you hear that, I need y'all to holler "turtle power!"
We recently discovered cleartext passwords in bash history on a gig
LinEnum.sh - Scripted Local Linux Enumeration & Privilege Escalation Checks
LinuxPrivChecker - This script is intended to be executed locally on a Linux box to enumerate basic system info and search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text passwords and applicable exploits
UnixPrivescCheck – From PentestMonkey, Shell script to check for simple privilege escalation vectors on Unix systems
What is SetUid
So here we find files with the SETUID flag enabled
Kernel exploits
"A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system." (RH)