Outline for January 13, 2003
Reading: Text, §23.1-23.2
Discussion Problem
What is suspicious about the following "ls" output?
host % ls -sail /var/mail
271873 1 drwxrwxrwt 3 root 512 Feb 21 12:26 ./
3776 1 drwxrwxr-x 20 root 512 Aug 19 1996 ../
275649 1 drwxrwxr-x 2 root 512 Sep 11 12:43 :saved/
272086 0 -rw-rw---- 1 ann 0 Feb 21 12:36 ann
272088 1 lrwxrwxrwx 1 bob 32 Feb 21 10:23 bob -> /etc/passwd
272087 4 -rw-rw---- 1 bob 3515 Feb 21 12:23 cheryl
Outline for the Day
- System Analysis
  - Learn everything you can about the system
  - Learn everything you can about operational procedures
  - Compare to other systems
- Hypothesis Generation
  - Study the system, look for inconsistencies in interfaces
  - Compare to other systems' flaws
  - Compare to vulnerabilities models
- Hypothesis testing
  - Look at system code, see if it would work (live experiment may be unneeded)
  - If live experiment needed, observe usual protocols
- Generalization
  - See if other programs, interfaces, or subjects/objects suffer from the same problem
  - See if this suggests a more generic type of flaw
- Peeling the Onion
  - You know very little (not even phone numbers or IP addresses)
  - You know the phone number/IP address of system, but nothing else
  - You have an unprivileged (guest) account on the system.
  - You have an account with limited privileges.
- Example Penetration Studies
  - Michigan Terminal System
  - Burroughs System
  - Attacking the Organization Directly