Unix Security
Please note the knowledge domains and topics outlined here are for guidance only and subject to change.
Demonstrates the ability to exploit weak sudo configuration
Understands the difference between sudo and su
Understands the purpose of using sudo rather than logging in as root
Understands backported patches, and the effect they have on scanning tools
Understands OS lifecycle management
Can identify Unix hosts on a target network
Understands mail relaying
Awareness of recent sendmail vulnerabilities and ability to exploit them if possible
Can demonstrate how trust relationships can lead to the compromise of a server, allow a user to escalate privileges and/or gain further access to a host, e.g. through the use, creation or modification of ~/.ssh/authorized_keys files
Understands SSH and its associated security attributes, including the different versions of the protocol, version fingerprinting and how the service can be used to provide a number of remote access services
Understands that SSH can be used for port forwarding and file transfer
Understands the Berkeley r-services and their associated security attributes and can demonstrate how trust relationships can:
• Lead to the compromise of a server
• Allow a user to escalate privileges and/or gain further access to a host, e.g. through the use, creation or modification of .rhosts and/or /etc/hosts.equiv files
Understands how NFS exports can be restricted at both a host and file level
Understands the concepts of root squashing, nosuid and noexec options
Can demonstrate how a poorly configured NFS service can lead to the compromise of a server, allow a user to escalate privileges and/or gain further access to a host, e.g. through the creation of SUID-root files, the modification of files and file system permissions, and UID/GID manipulation
Understands NFS and its associated security attributes and can demonstrate how exports can be identified
Understands and can exploit TFTP within a Cisco environment
Understands TFTP and can demonstrate how a poorly configured TFTP server can be exploited, e.g. the downloading of arbitrary files and the uploading and over-writing of files
Understands the security implications of anonymous FTP access
Understands FTP and can demonstrate how a poorly configured FTP server can be exploited, e.g. the downloading of arbitrary files, the uploading and over-writing of files, and the modification of file system permissions
Understands that SSH can be used for port forwarding and file transfer
Understands and can perform common post exploitation activities, including:
• Obtaining password hashes, both from the local SAM and cached credentials
• Obtaining locally stored clear-text passwords
• Cracking password hashes
• Obtaining patch levels
• Deriving a list of missing security patches
• Reverting to a previous state
• Lateral and horizontal movement
Understands and can demonstrate local privilege escalation techniques, e.g. through the manipulation of insecure file system permissions
Understands and can demonstrate the local exploitation of Solaris and Linux operating system vulnerabilities
Can demonstrate the recovery of password hashes when given physical access to a UNIX host
Understands and can demonstrate off-line password cracking using dictionary and brute-force attacks
Understands UNIX password hashing algorithms and their associated security attributes
Understands users, groups and password policies, including complexity requirements and lock-out
Understands how passwords are stored and protected and can demonstrate how they can be recovered
Understands how to avoid causing a denial of service by locking out accounts
Understands the format of the passwd, shadow, group and gshadow files
Can enumerate RPC services and identify those with known security vulnerabilities
Is aware of legacy user enumeration techniques such as rusers and rwho
Can demonstrate and explain the enumeration of data from a variety of common network services on various platforms including:
• Filesystems or resources shared remotely, such as NFS and SMB
• SMTP
• SSH
• Telnet
• SNMP and RID cycling