Rose & Marinaldo

Rose

Welcome back to Linux Command Line Hackery series, I hope you've enjoyed this series so far and would have learned something (at least a bit). Today we're going to get into user management, that is we are going to learn commands that will help us add and remove users and groups. So bring it on...

Before we get into adding new users to our system lets first talk about a command that will be useful if you are a non-root user.

Command: sudo
Syntax: sudo [options] command
Description: sudo allows a permitted user to execute a command as a superuser or another user.

Since the commands to follow need root privileges, if you are not root then don't forget to prefix these commands with sudo command. And yes you'll need to enter the root password in order to execute any command with sudo as root.

Command: useradd
Syntax: useradd [options] username
Description: this command is used for creating new user but is kinda old school.
Lets try to add a new user to our box.
[Note: I'm performing these commands as root user, you'll need root privileges to add a new user to your box. If you aren't root then you can try these commands by prefixing the sudo command at the very beginning of these command like this sudo useradd joe. You'll be prompted for your root password, enter it and you're good to go]

useradd joe

To verify that this command has really added a user to our box we can look at three files that store a users data on a Linux box, which are:

/etc/passwd -> this file stores information about a user separated by colons in this manner, first is login name, then in past there used to be an encrypted password hash at the second place however since the password hashes were moved to shadow file now it has a cross (x) there, then there is user id, after it is the user's group id, following it is a comment field, then the next field contains users home directory, and at last is the login shell of the user.

/etc/group -> this file stores information about groups, that is id of the group and to which group an user belongs.

/etc/shadow -> this file stores the encrypted password of users.

Using our command line techniques we learned so far lets check out these files and verify if our user has been created:

cat /etc/passwd /etc/group /etc/shadow | grep joe

In the above screenshot you can notice an ! in the /etc/shadow, this means the password of this user has not been set yet. That means we have to set the password of user joe manually, lets do just that.

Command: passwd
Syntax: passwd [options] [username]
Description: this command is used to change the password of user accounts.
Note that this command needs root privileges. So if you are not root then prefix this command with sudo.

passwd joe

After typing this command, you'll be prompted password and then for verifying your password. The password won't show up on the terminal.
Now joe's account is up and running with a password.

The useradd command is a old school command, lets create a new user with a different command which is kinda interactive.

Command: adduser
Syntax: adduser [options] user
Description: adduser command adds a user to the system. It is more friendly front-end to the useradd command.

So lets create a new user with adduser.

adduser jane

as seen in the image it prompts for password, full name and many other things and thus is easy to use.

OK now we know how to create a user its time to create a group which is very easy.

Command: addgroup
Syntax: addgroup [options] groupname
Description: This command is used to create a new group or add an existing user to an existing group.

We create a new group like this

addgroup grownups

So now we have a group called grownups, you can verify it by looking at /etc/group file.
Since joe is not a grownup user yet but jane is we'll add jane to grownups group like this:

addgroup jane grownups

Now jane is the member of grownups.

Its time to learn how to remove a user from our system and how to remove a group from the system, lets get straight to that.

Command: deluser
Syntax: deluser [options] username
Description: remove a user from system.

Lets remove joe from our system

deluser joe

Yes its as easy as that. But remember by default deluser will remove the user without removing the home directory or any other files owned by the user. Removing the home directory can be achieved by using the --remove-home option.

deluser jane --remove-home

Also the --remove-all-files option removes all the files from the system owned by the user (better watch-out). And to create a backup of all the files before deleting use the --backup option.

We don't need grownups group so lets remove it.

Command: delgroup
Syntax: delgroup [options] groupname
Description: remove a group from the system.

To remove grownups group just type:

delgroup grownups

That's it for today hope you got something in your head.

Related news

Rose

From time to time, I get disappointed how much effort and money is put into securing computers, networks, mobile phones, ... and yet in 2016 here we are, where not much has changed on the defensive side. There are many things I personally blame for this situation, and one of them is the security tips.

The goal of these security tips is that if the average user follows these easy to remember rules, their computer will be safe. Unfortunately, by the time people integrate these rules into their daily life, these rules either become outdated, or these rules were so oversimplified that it was never true in the first place. Some of these security tips might sound ridiculous to people in InfoSec nowadays, but this is exactly what people still remember because we told them so for years.

PDF is safe to open

This is an oldie. I think this started at the time of macro viruses. Still, people think opening a PDF from an untrusted source is safer than opening a Word file. For details why this is not true, check: https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-497/Adobe-Acrobat-Reader.html

On an unrelated note, people still believe PDF is integrity protected because the content cannot be changed (compared to a Word document).

Image stolen from Kaspersky

Java is secure

One of the best ones. Oracle started marketing Java as a safe language, where buffer overflows, format strings and pointer-based vulnerabilities are gone. Unfortunately, they forgot to tell the world that instead of "unsafe programs developed by others" they installed their unsafe program on 3 billion devices.

Stay away from rogue websites and you will be safe

This is a very common belief I hear from average people. "I only visit some trusted news sites and social media, I never visit those shady sites." I have some bad news. At the time of malvertising and infected websites, you don't have to visit those shady sites anymore to get infected.

Don't use open WiFi

I have a very long explanation of why this makes no sense, see here. Actually, the whole recommendation makes no sense as people will connect to public WiFis, no matter what we (InfoSec) recommend.

The password policy nightmare

Actually, this topic has been covered by myself in two blog posts, see here and here. Long story short: use a password manager and 2-factor authentication wherever possible. Let the password manager choose the password for you. And last but not least, corporate password policy sux.

Sites with a padlock are safe

We tell people for years that the communication with HTTPS sites are safe, and you can be sure it is HTTPS by finding a randomly changing padlock icon somewhere next to the URL. What people hear is that sites with padlocks are safe. Whatever that means. The same goes for WiFi - a network with a padlock is safe.

Use Linux, it is free from malware

For years people told to Windows users that only if they would use Linux they won't have so much malware. Thanks to Android, now everyone in the world can enjoy malware on his/her Linux machine.

OSX is free from malware

It is true that there is significantly less malware on OSX than on Windows, but this is an "economical" question rather than a "security" one. The more people use OSX, the better target it will become. Some people even believe they are safe from phishing because they are using a Mac!

Updated AV + firewall makes me 100% safe

There is no such thing as 100% safe, and unfortunately, nowadays most malware is written for PROFIT, which means it can bypass these basic protections for days (or weeks, months, years). The more proactive protection is built into the product, the better!

How to backup data

Although this is one of the most important security tips which is not followed by people, my problem here is not the backup data advise, but how we as a community failed to provide easy to use ways to do that. Now that crypto-ransomware is a real threat to every Windows (and some OSX) users, even those people who have backups on their NAS can find their backups lost. The only hope is that at least OSX has Time Machine which is not targeted yet, and the only backup solution which really works.

The worst part is that we even created NAS devices which can be infected via worms ...

Disconnect your computer from the Internet when not used

There is no need to comment on this. Whoever recommends things like that, clearly has a problem.

Use (free) VPN to protect your anonimity

First of all. There is no such thing as free service. If it is free, you are the service. On another hand, a non-free VPN can introduce new vulnerablities, and they won't protect your anonymity. It replaces one ISP with another (your VPN provider). Even TOR cannot guarantee anonymity by itself, and VPNs are much worse.

The corporate "security tips" myth

"Luckily" these toxic security tips have infected the enterprise environment as well, not just the home users.

Use robots.txt to hide secret information on public websites

It is 2016 and somehow web developers still believe in this nonsense. And this is why this is usually the first to check on a website for penetration testers or attackers.

My password policy is safer than ever

As previously discussed, passwords are bad. Very bad. And they will stick with us for decades ...

Use WAF, IDS, IPS, Nextgen APT detection hibber-gibber and you will be safe

Companies should invest more in people and less into magic blinking devices.

Instead of shipping computers with bloatware, ship computers with exploit protection software

Teach people how to use a password safe

Teach people how to use 2FA

Teach people how to use common-sense

Conclusion

Computer security is complex, hard and the risks change every year. Is this our fault? Probably. But these kinds of security tips won't help us save the world.

More information

Rose

In the Hacking Windows 95, part 1 blog post, we covered that through a nasty bug affecting Windows 95/98/ME, the share password can be guessed in no time. In this article, I'm going to try to use this vulnerability to achieve remote code execution (with the help of publicly available tools only).

The first thing we can do when we have read access to the Windows directory through the share, is to locate all the *.pwl files on the c:\windows directory, copy them to your machine where Cain is installed, switch to Cracker tab, pwl files, load the pwl file, add username based on the filename, and try to crack it. If you can't crack it you might still try to add a .pwl file where you already know the password in the remote windows directory. Although this is a fun post-exploitation task, but still, no remote code execution. These passwords are useless without physical access.

One might think that after having a share password and user password, it is easy to achieve remote code execution. The problem is:

there is no "at" command (available since Windows 95 plus!)
there is no admin share
there is no RPC
there is no named pipes
there is no remote registry
there is no remote service management

If you think about security best practices, disabling unnecessary services is always the first task you should do. Because Windows 95 lacks all of these services, it is pretty much secure!

During my quest for a tool to hack Windows 95, I came across some pretty cool stuff:

Internet periscope

Winfingerprint

LanSpy

But the best of the best is Fluxay, which has been written by chinese hackers. It is the metasploit from the year 2000. A screenshot is worth more than a 1000 words. 4 screenshot > 4 thousand words :)

It is pretty hard to find the installer, but it is still out there!

But at the end, no remote code execution for me.

My idea here was that if I can find a file which executes regularly (on a scheduled basis), I can change that executable to my backdoor and I'm done. Although there is no scheduler in the default Windows 95, I gave it a try.

Let's fire up taskman.exe to get an idea what processes are running:

Looks like we need a more powerful tool here, namely Process Explorer. Let's try to download this from oldapps.com:

LOL, IE3 hangs, can't render the page. Copying files to the Win95 VM is not that simple, because there are no shared folders in Win95 VM. And you can't use pendrives either, Win95 can't handle USB (at least the retail version). After downloading the application with a newer browser from oldapps, let's start Process Explorer on the test Windows 95.

Don't try to download the Winsocks 2 patch from the official MS site, it is not there anymore, but you can download it from other sites.

Now let's look at the processes running:

After staring it for minutes, turned out it is constant, no new processes appeared.
Looking at the next screenshot, one can notice this OS was not running a lot of background processes ...

My current Win7 has 1181 threads and 84 processes running, no wonder it is slow as hell :)

We have at least the following options:

You are lucky and not the plain Windows 95 is installed, but Windows 95 Plus! The main difference here is that Windows 95 Plus! has built-in scheduler, especially the "at" command. Just overwrite a file which is scheduled to execution, and wait. Mission accomplished!
Ping of death - you can crash the machine (no BSOD, just crash) with long (over 65535 bytes) ICMP ping commands, and wait for someone to reboot it. Just don't forget to put your backdoor on the share and add it to autoexec.bat before crashing it.
If your target is a plain Windows 95, I believe you are out of luck. No at command, no named pipes, no admin share, nothing. Meybe you can try to fuzz port 137 138 139, and write an exploit for those. Might be even Ping of Death is exploitable?

Let's do the first option, and hack Windows 95 plus!

Look at the cool features we have by installing Win95 Plus!

Cool new boot splash screen!

But our main interest is the new, scheduled tasks!

Now we can replace diskalm.exe with our backdoor executable, and wait maximum one hour to be scheduled.

Instead of a boring text based tutorial, I created a YouTube video for you. Based on the feedbacks on my previous tutorialz, it turned out I'm way too old, and can't do interesting tutorials. That's why I analyzed the cool skiddie videoz, and found that I have to do the followings so my vidz won't suck anymore:

use cool black windows theme
put meaningless performance monitor gadgets on the sidebar
use a cool background, something related with hacking and skullz
do as many opsec fails as possible
instead of captions, use notepad with spelling errorz
there is only one rule of metal: Play it fuckin' loud!!!!

Rose & Marinaldo

domingo, 28 de janeiro de 2024

Linux Command Line Hackery Series - Part 6