CPU - Linux Attack Plan
Pre – Competition
-Download and transfer images to all computers.
-Have unique ID and password to extract images ready
-Make sure all computers are up to date
-Make sure there is enough storage space in hard drive
Competition
-Give the VM a RAM boost (2-4 GB)
-Enter Unique ID
-Read Readme File
-Make note of the scored/forensics questions (answer these as soon as you find the answer)
Remember not to delete/remove any user account, file, or script as they can be the answer to your questions
Write down every change you make that gives you points. This is just in case you need to restart your image.
DO NOT disable CyberPatriot Scoring Engine
User Accounts
-Create/change passwords for all accounts (Root,Admins,Standard)
-Make sure all user accounts are in their respective groups
-Disable all user accounts not authorized
-Disable Guest Account if not stated in readme file
*******
Useful commands/config files
Change Passwords – sudo passwd "username"
Disable/Lock Accounts – sudo usermod -L "username" ; sudo passwd -l "username"
/etc/passwd - contains the list of usernames, user IDs, group IDs, home directories and login shells
/etc/shadow - contains the list of usernames and their password hashes
/etc/group - contains the list of groups
Format: groupname:x:groupid:username,username
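Added example (not part of the original checklist): a few shell functions that read the /etc/passwd and /etc/group formats described above and flag what the user-account steps are looking for: accounts that can still log in, any extra UID 0 account besides root, interactive users not on the readme's list, and the members of a group. The sample file contents and the authorized-user list are constructed for the example; on a real image feed the functions the real files (cat /etc/passwd | unauthorized_users "alice bob").

```shell
#!/bin/sh
# Constructed sample of /etc/passwd (example content, not taken from a real image)
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backdoor:x:0:0::/root:/bin/bash
mallory:x:1002:1002::/home/mallory:/bin/sh'

# Constructed sample of /etc/group in the groupname:x:groupid:user,user format
SAMPLE_GROUP='sudo:x:27:alice,backdoor
adm:x:4:alice
users:x:100:'

# Users the (constructed) readme authorises; root is checked separately
AUTHORIZED="alice bob"

# Print every account on stdin whose login shell is not nologin/false, i.e. can log in
login_users() {
  awk -F: 'NF >= 7 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Print any account with UID 0 that is not named root (a second root-equivalent login)
extra_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print interactive accounts with UID >= 1000 (normal users on Ubuntu) that are not in
# the space-separated allow list passed as $1
unauthorized_users() {
  awk -F: -v auth="$1" '
    BEGIN { n = split(auth, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $3 >= 1000 && $3 < 65534 && $7 !~ /(nologin|false)$/ && !($1 in ok) { print $1 }
  '
}

# Print the members of group $1, one per line, from /etc/group text on stdin
group_members() {
  awk -F: -v g="$1" '
    $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }
  '
}
```

Run the same checks against /etc/shadow as well: an account whose hash field is empty has no password at all, and a locked account shows a "!" in front of its hash.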
*******
Background Tasks
Because we cannot pre-stage anything for Linux, all downloads will have to be done in real time.
While reading the readme file or securing your user accounts do the following:
-Update/Upgrade OS
-Download, install and run any software (antivirus, network scanners, etc).
********
Useful Commands
Update Repositories – sudo apt-get update
Download & Install Updates – sudo apt-get upgrade
DO NOT run the following command: sudo apt-get dist-upgrade
This will update your OS from 14.04 to 16.04 and will break your scoring engine.
********
Quick and Easy Tasks
-Bring up firewall
-Enable Automatic Updates
-Disable automatic login (found in System Settings in UI)
Checking & Disabling Services
-Make sure to run only the services stated in the readme file.
-Services previously seen in CP:
SSH, Telnet, Apache, FTP, Mysql, Filezilla, Samba
-Configuration files for most of these services are found in /etc/
*********
Useful Commands
ps aux – lists every running process together with the command/file that started it
top – terminal-based task/activity monitor.
htop – interactive terminal-based task/activity monitor. (must install: sudo apt-get install htop)
rcconf – interactive terminal-based manager that shows startup services. Can be used to disable startup services. (must install: sudo apt-get install rcconf)
*********
Local Security Policies
-Account Policies
-Password Policies
-Lockout Policies
Use similar settings to those of Windows:
Password Policies: Min age, Max age, Complexity, Length
Lockout Policies: Account Lockout Threshold, Account Lockout time/counter
Most security policies can be found in /etc/pam.d/
Files to look at:
common-password
common-auth
login.defs – can be found in /etc/
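Added example (not from the original checklist): a small audit of the two files named above, so you can see where the password-age and complexity settings actually live before editing them. The /etc/login.defs and common-password contents are constructed to look like an unhardened Ubuntu image, and the target values (max age 90, min age 7, warn age 14) are this example's own assumptions, not numbers from the checklist; use whatever the readme or your Windows settings call for.

```shell
#!/bin/sh
# Constructed sample of /etc/login.defs from an unhardened image (example content)
SAMPLE_LOGIN_DEFS='PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UID_MIN         1000'

# Constructed sample of /etc/pam.d/common-password with no strength module loaded
SAMPLE_COMMON_PASSWORD='password  [success=1 default=ignore]  pam_unix.so obscure sha512
password  requisite                   pam_deny.so
password  required                    pam_permit.so'

# Print the value of setting $1 from login.defs text on stdin; prints nothing when the
# line is missing or commented out (a leading # makes $1 not match)
login_defs_value() {
  awk -v key="$1" '$1 == key { print $2; exit }'
}

# Compare the three ageing settings in login.defs text $1 with the example targets and
# print one line per setting that misses its target (nothing printed means all pass)
check_password_aging() {
  defs=$1
  for spec in "PASS_MAX_DAYS 90 max" "PASS_MIN_DAYS 7 min" "PASS_WARN_AGE 14 min"; do
    set -- $spec   # $1 = key, $2 = target, $3 = which direction counts as passing
    cur=$(printf '%s' "$defs" | login_defs_value "$1")
    case $3 in
      max) [ -n "$cur" ] && [ "$cur" -le "$2" ] || echo "$1 ${cur:-unset} should be <= $2" ;;
      min) [ -n "$cur" ] && [ "$cur" -ge "$2" ] || echo "$1 ${cur:-unset} should be >= $2" ;;
    esac
  done
}

# Succeeds if common-password text on stdin loads a password-strength module
# (pam_pwquality or the older pam_cracklib), which is where minlen and complexity go
has_strength_module() {
  grep -Eq '^password[[:space:]].*pam_(pwquality|cracklib)\.so'
}
```

On a real image: check_password_aging "$(cat /etc/login.defs)" and cat /etc/pam.d/common-password | has_strength_module || echo "no complexity module". Note that changing login.defs only affects accounts created afterwards; existing accounts need chage.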
*****
Useful links – Remember: A google search can take you a long way.
******
Firewall and Ports
-Quick scan of open ports (this will often show if there are any services you may have missed)
-Double Check and see if firewall is on
-Block any ports used by services other than those stated in the Readme & used by the Scoring Engine
******
Useful tools for port scanning:
Nmap – run with: nmap localhost or nmap 127.0.0.1
This will show you any services that are currently listening on a port
Netstat – run with: netstat -plnt or netstat -punta
This is a more detailed report similar to nmap, including the PID/program behind each port.
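Added example (not part of the original checklist): a filter that turns netstat -plnt output into a short list of ports that are not on your allow list, which is the "services you may have missed" step in one command. The netstat output below is constructed for the example; on a real image run sudo netstat -plnt | unexpected_ports "22 80" with the ports the readme and scoring engine require (sudo is needed for netstat to show the program name of other users' processes).

```shell
#!/bin/sh
# Constructed sample of "netstat -plnt" output (not captured from a real image)
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1023/mysqld
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1100/inetd
tcp6       0      0 :::80                   :::*                    LISTEN      1300/apache2'

# Print "port program" for every LISTEN line on stdin. The port is whatever follows the
# last colon of the local address, which also handles IPv6 forms such as :::80.
listening_ports() {
  awk '$6 == "LISTEN" { n = split($4, a, ":"); print a[n], $7 }'
}

# Print the listening ports whose number is not in the space-separated allow list $1.
# Reads netstat output on stdin; each line of output is a service to investigate.
unexpected_ports() {
  listening_ports | awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($1 in ok) { print }
  '
}
```

The filter only looks at TCP LISTEN lines; netstat -punta also prints UDP sockets, which have no State column, so check those by eye. A port bound to 127.0.0.1 (like 3306 above) is not reachable from the network but still belongs to a service you should know about.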
******
Remove Malicious/Unwanted software
-Check all packages/software installed and remove any software that may seem fishy
-Common software often found in images:
John the Ripper, telnet, netcat
tcpdump, aircrack, bind9
reaver, ophcrack
******
Useful Command
dpkg – lists all installed packages
Run as: dpkg --get-selections
******
MISC. Items
-Search user directories for "non-work related" media files
-Check that user account directories are not shared publicly (permissions 777)
Use command: chmod 700 /home/*
This will make user account directories private
-Check crontab/cronjob to see if any scripts are running in background
-Update any programs that should be on the OS
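Added example (not from the original checklist): a check for the home-directory permissions item above that lists which directories under /home are readable, writable or executable by "other", then applies the checklist's chmod 700 and reports what changed. It builds a throwaway stand-in for /home with mktemp so it runs without touching a real image; on the image itself call world_accessible_homes /home and lock_down_homes /home.

```shell
#!/bin/sh
# Constructed stand-in for /home (three example users with different permissions)
HOME_BASE="$(mktemp -d)"
mkdir "$HOME_BASE/alice" "$HOME_BASE/bob" "$HOME_BASE/carol"
chmod 700 "$HOME_BASE/alice"   # already private
chmod 755 "$HOME_BASE/bob"     # readable by everyone (the usual Ubuntu default)
chmod 777 "$HOME_BASE/carol"   # world-writable, the case the checklist calls out

# Print "name rwx" for each directory directly under $1 whose "other" bits grant
# anything; the bits are read from positions 8-10 of the ls -ld mode string
world_accessible_homes() {
  for d in "$1"/*/; do
    d=${d%/}
    other=$(ls -ld "$d" | cut -c8-10)
    [ "$other" = "---" ] || echo "${d##*/} $other"
  done
}

# Apply chmod 700 to every directory under $1 and print one line per directory
# whose mode actually changed, so the change can go in your notes
lock_down_homes() {
  for d in "$1"/*/; do
    d=${d%/}
    before=$(ls -ld "$d" | cut -c2-10)
    chmod 700 "$d"
    after=$(ls -ld "$d" | cut -c2-10)
    [ "$before" = "$after" ] || echo "${d##*/} $before -> $after"
  done
}
```

Write the "before -> after" lines into your change log: if the image has to be restarted, that is the list you replay.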
What to do if you are stuck?
-GOOGLE! Search things such as: linux hardening checklists, how to secure linux, etc
-Take a break! Competition can be stressful.
-Ask your team for help.
-Remember, the team is only as good as how well we have documented our notes and how well we communicate between each other.
-Do not be afraid to ask questions.