SANS Technology Institute - Candidate for Master of Science Degree
Covering the Tracks on Mac OS X
Charlie Scott
November 2010
GIAC GSEC Gold, GCIH Gold, GCPM
Objective
• Apply "Covering the Tracks" from "Hacker Techniques, Exploits, and Incident Handling" to Mac OS X.
• Demonstrate unique ways an attacker might hide files in Mac OS X.
• Discuss the challenges of Mac OS X's unique log files.
• Show how to identify some of the techniques in this presentation.
Hiding Files from the Command Line
• Dot, dot-dot-space, and triple-dot names all work: a plain ls skips anything that starts with a dot, and even ls -a prints ".. " so that it looks like the parent directory entry:
$ mkdir .tmpx
$ echo hidden data > ".. "
$ echo more hidden data > "..."
Hiding Files from the Finder: SetFile
• A dot-prefixed name is skipped by a plain ls and by the Finder's default view. The Finder's own invisible attribute goes further: it hides a file under any name, dotted or not.
• Use SetFile, which comes with the Xcode developer tools (an optional install from the OS install DVD), to set it.
• Modify the "V" (invisible) attribute; an uppercase letter sets the attribute and a lowercase one clears it:
$ SetFile -a V ".. "
Hiding Files from the Finder: xattr
• Using xattr is another option.
• The com.apple.FinderInfo extended attribute is the on-disk home of the Finder flags SetFile edits (the invisible bit among them), alongside the type/creator codes and other Finder metadata, so writing the right bytes to it has the same effect as SetFile -a V.
• Benefit of xattr: it comes standard, so you don't need the developer tools.
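The following is an added example, not code from the original slides, showing what those "right bytes" are: it builds a com.apple.FinderInfo value with the Finder's invisible bit set, inspects one, and (on Mac OS X only) writes it with the stock xattr tool. It assumes the classic 32-byte FinderInfo layout, with the Finder flags as a big-endian 16-bit word at byte offset 8 and kIsInvisible = 0x4000 in that word; the file name ".. " used as the default target comes from the earlier slide.

```python
"""Craft and inspect the com.apple.FinderInfo invisible flag (added example)."""
import struct
import subprocess
import sys
from typing import Optional

FINDER_INFO_LEN = 32
FLAGS_OFFSET = 8            # fdFlags / frFlags: big-endian uint16 (assumed classic layout)
K_IS_INVISIBLE = 0x4000     # the Finder "invisible" bit, what SetFile -a V sets
XATTR_NAME = "com.apple.FinderInfo"


def finder_flags(blob: bytes) -> int:
    """Return the 16-bit Finder flags word from a FinderInfo blob."""
    if len(blob) != FINDER_INFO_LEN:
        raise ValueError(f"FinderInfo must be {FINDER_INFO_LEN} bytes, got {len(blob)}")
    return struct.unpack_from(">H", blob, FLAGS_OFFSET)[0]


def is_finder_invisible(blob: bytes) -> bool:
    """True if the invisible bit is set, i.e. the Finder will not list the item."""
    return bool(finder_flags(blob) & K_IS_INVISIBLE)


def with_invisible(blob: Optional[bytes] = None, invisible: bool = True) -> bytes:
    """Return a FinderInfo blob with the invisible bit set (or cleared).

    An existing blob is preserved apart from that one bit, so type/creator
    codes and the Finder window position survive.  With no existing
    attribute an all-zero blob is used.
    """
    if blob is None:
        blob = bytes(FINDER_INFO_LEN)
    flags = finder_flags(blob)
    flags = flags | K_IS_INVISIBLE if invisible else flags & ~K_IS_INVISIBLE
    return blob[:FLAGS_OFFSET] + struct.pack(">H", flags) + blob[FLAGS_OFFSET + 2:]


def xattr_hex(blob: bytes) -> str:
    """Contiguous hex string in the form 'xattr -wx' accepts."""
    return "".join(f"{b:02X}" for b in blob)


def read_finder_info(path: str) -> Optional[bytes]:
    """Current FinderInfo of a file via 'xattr -px', or None if it has none (Mac OS X only)."""
    proc = subprocess.run(["xattr", "-px", XATTR_NAME, path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return bytes.fromhex("".join(proc.stdout.split()))


def set_finder_invisible(path: str, invisible: bool = True) -> bytes:
    """Set or clear the invisible bit on a file using only the stock xattr tool."""
    if sys.platform != "darwin":
        raise OSError("com.apple.FinderInfo is only honoured on Mac OS X")
    blob = with_invisible(read_finder_info(path), invisible)
    subprocess.run(["xattr", "-wx", XATTR_NAME, xattr_hex(blob), path], check=True)
    return blob


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else ".. "
    if sys.platform == "darwin":
        print(f"{target!r} invisible: {is_finder_invisible(set_finder_invisible(target))}")
    else:
        # Off a Mac, just show the value you would pass to: xattr -wx com.apple.FinderInfo <hex> <file>
        print(xattr_hex(with_invisible()))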
Who Looks in the Trash?
• The /.Trashes folder on a volume temporarily stores files users delete from it.
• Interesting permission set: d-wx-wx-wt (mode 1333).
• Anyone can create files in it and traverse it, but nobody except root can list it: a casual ls there shows nothing.
• The sticky bit means only a file's owner (or root) can rename or delete what they put there, and the owner can still read and write their own file as long as they know its name, which makes it a convenient stash.
Editing Log Files
• Attacker primarily concerned about:
– system.log: notices, kernel debug, login
– secure.log: authentication & authorization
• syslogd keeps these files open, so stop it before editing and restart it afterwards: otherwise new messages land on top of your edits, and an editor that replaces the file leaves syslogd writing to the old, unlinked inode.
• OS X uses the launchctl command, not init scripts, to stop and start services; syslogd runs as the launchd job com.apple.syslogd.
The ASL Database
• Syslog also logs to the Apple System Log (ASL) data store:
– /var/log/asl.db, a single binary file, on Leopard (10.5)
– /var/log/asl, a directory of binary files, on Snow Leopard (10.6)
• A lot of duplication exists between the .log text files and the ASL store, so an attacker needs to hit both.
The syslog Tool
• In 10.5 the syslog tool can prune entries from the ASL database.
• syslogd must be shut down for pruning.
• Use the "-db" (work on the database), "-p" (prune matching entries) and "-k" switches with a key/value expression.
• Prune based on Sender (service), PID, Host, Time, and other ASL keys.
Examples of Removing ASL Entries with syslog
• Remove all sshd entries:
# syslog -db -p -k Sender sshd
• Remove all authentication entries:
# syslog -db -p -k Sender com.apple.SecurityServer
• Remove all sudo entries:
# syslog -db -p -k Sender sudo
• Remember to restart syslogd!
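Since the ASL store and the .log text files duplicate each other, the three pruning passes above have to be repeated on the text side. The following is an added example, not code from the original slides, that applies the same Sender-based deletion to a syslog-format text file and serves both the "Editing Log Files" slide and this one: it parses each line into the ASL-style keys (Time, Host, Sender, PID, Message), drops the lines whose key equals the value, exactly as "-k Sender sshd" does, and leaves anything it cannot parse untouched rather than mangling it. The log lines are constructed to look like a Snow Leopard secure.log; the host name "macbook", the PIDs and the user "bob" are made up.

```python
"""Prune syslog-style log text by ASL key, the text-file half of 'syslog -db -p -k' (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# BSD syslog line as syslogd writes it on 10.5/10.6:
#   "Nov 10 14:02:11 macbook sshd[4242]: Accepted password for bob from 10.0.0.5 port 51022 ssh2"
LINE_RE = re.compile(
    r"^(?P<Time>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<Host>\S+) "
    r"(?P<Sender>[^\[\]:]+?)(?:\[(?P<PID>\d+)\])?: "
    r"(?P<Message>.*)$"
)

# Constructed sample; not a real log.
SAMPLE_SECURE_LOG = """\
Nov 10 14:01:58 macbook sshd[4242]: Accepted password for bob from 10.0.0.5 port 51022 ssh2
Nov 10 14:02:03 macbook com.apple.SecurityServer[22]: Succeeded authorizing right system.login.console by client /usr/bin/sudo for authorization created by /usr/bin/sudo
Nov 10 14:02:03 macbook sudo[4251]:      bob : TTY=ttys001 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/sh
Nov 10 14:02:10 macbook loginwindow[57]: Login Window Application Started
Nov 10 14:05:41 macbook sshd[4242]: Received disconnect from 10.0.0.5: 11: disconnected by user
"""

Record = Dict[str, Optional[str]]


def parse_line(line: str) -> Optional[Record]:
    """Turn one line into ASL-like keys (Time, Host, Sender, PID, Message), or None if it doesn't parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def prune(text: str, key: str, value: str) -> Tuple[str, List[str]]:
    """Drop every line whose ASL-style key equals value (exact match, like 'syslog -k Sender sshd').

    Returns the surviving text and the dropped lines.  Lines that do not
    parse are kept: mangling them is a louder signal than leaving one entry.
    """
    kept, dropped = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec.get(key) == value:
            dropped.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + ("\n" if kept else ""), dropped


def senders(text: str) -> Dict[str, int]:
    """Count parsed lines per Sender; the quick way to see what a pruning pass would touch."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[rec["Sender"]] = counts.get(rec["Sender"], 0) + 1
    return counts


if __name__ == "__main__":
    # The same three passes as the syslog commands on the slide, applied to the text file.
    text = SAMPLE_SECURE_LOG
    print("before:", senders(text))
    for sender in ("sshd", "com.apple.SecurityServer", "sudo"):
        text, gone = prune(text, "Sender", sender)
        print(f"removed {len(gone)} {sender} line(s)")
    print("after:", senders(text))
    print(text, end="")
```

As the slides say, run this kind of edit only with syslogd stopped via launchctl, write the result back over the original file, and restart syslogd; the ASL store still needs its own "syslog -db -p" pass, because this only touches the text copy.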
The aslmanager Tool
• In 10.6, aslmanager takes over part of what the syslog tool did on 10.5.
• It expires ASL data files by total size or age (in days), using the limits set in /etc/asl.conf.
• Not likely a useful tool for intruders: it cannot pick entries by sender, process or host, only discard whole files that are old or over the size limit.
Identifying: The Find Command
• Look for hidden files and directories.
• E.g.:
# find / -name "..." -print
• Can be automated through "cron"
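One find pattern catches one name. The following is an added example, not code from the original slides, that generalises the sweep to every name trick discussed earlier (runs of three or more dots, dot-dot plus whitespace, leading or trailing whitespace) and, on Mac OS X, also reads the com.apple.FinderInfo invisible bit through the stock xattr tool, which find cannot see. It assumes the Finder flags sit at byte offset 8 of the 32-byte FinderInfo value with the invisible bit at 0x4000; off a Mac the xattr check is simply skipped and only the name rules run.

```python
"""Sweep a directory tree for hidden-name tricks and Finder-invisible items (added example)."""
import os
import re
import subprocess
import sys
from typing import Iterator, List, Tuple

K_IS_INVISIBLE = 0x4000   # Finder flags word at byte 8 of the 32-byte FinderInfo blob (assumed layout)

# Name shapes that hide from a plain ls or masquerade as "." / "..":
SUSPICIOUS_NAME_RULES = [
    ("only dots (3 or more)", re.compile(r"^\.{3,}$")),
    ("dot-dot plus whitespace", re.compile(r"^\.\.\s+$")),
    ("trailing whitespace", re.compile(r"\s$")),
    ("leading whitespace", re.compile(r"^\s")),
]


def classify_name(name: str) -> List[str]:
    """Return the rule labels a single file or directory name trips (empty if it looks normal)."""
    return [label for label, rx in SUSPICIOUS_NAME_RULES if rx.search(name)]


def finder_invisible(path: str) -> bool:
    """True if the item carries com.apple.FinderInfo with the invisible bit set (Mac OS X only)."""
    if sys.platform != "darwin":
        return False
    proc = subprocess.run(["xattr", "-px", "com.apple.FinderInfo", path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return False                      # no such attribute on this item
    blob = bytes.fromhex("".join(proc.stdout.split()))
    return len(blob) >= 10 and (int.from_bytes(blob[8:10], "big") & K_IS_INVISIBLE) != 0


def sweep(root: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (path, reasons) for every entry under root that trips a rule; symlinks are not followed."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            reasons = classify_name(name)
            if finder_invisible(path):
                reasons.append("Finder invisible flag")
            if reasons:
                yield path, reasons


def report(root: str) -> List[Tuple[str, List[str]]]:
    """Collect sweep() findings sorted by path so repeated runs (e.g. from cron) diff cleanly."""
    return sorted(sweep(root))


if __name__ == "__main__":
    for path, reasons in report(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{path!r}: {', '.join(reasons)}")
```

Ordinary dot-prefixed names such as .tmpx are deliberately not flagged, since they are everywhere on a Mac; keep the previous run's output and diff against it from the cron job instead, so only new hits need a look.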
Identifying: OSSEC HIDS
• Host Based Intrusion Detection
• Integrity checking:
– Look for changes in system, Applications, and Developer directories.
– See if /etc/asl.conf has been modified.
• Rootkit detection:
– Look for hidden files and directories.
• Available at www.ossec.net
Summary
• Attackers have unique ways to hide files on Macs.
• An attacker may find removing log files on Macs challenging, but there are ways to do it.
• A well-prepared sysadmin can still detect these attempts at stealth.