Covering the Tracks on Mac OS X

Presentation Transcript


  1. Covering the Tracks on Mac OS X
  • Charlie Scott, November 2010
  • GIAC GSEC Gold, GCIH Gold, GCPM
  • SANS Technology Institute - Candidate for Master of Science Degree

  2. Objective
  • Apply "Covering the Tracks" from "Hacker Techniques, Exploits, and Incident Handling" to Mac OS X.
  • Demonstrate unique ways an attacker might hide files in Mac OS X.
  • Discuss the challenges of Mac OS X's unique log files.
  • Show how to identify some of the techniques in this presentation.

  3. Hiding Files from the Command Line
  • Dot, dot-dot-space, and triple-dot names all work:
    $ mkdir .tmpx
    $ echo hidden data > ".. "
    $ echo more hidden data > "..."

  4. Hiding Files from the Finder: SetFile
  • Dot-dot files are hidden from the command line, but not from the Finder.
  • Use SetFile, shipped with the Developer Tools on the install DVD, to make the file invisible to the Finder.
  • Set the "V" (invisible) attribute; uppercase V sets the flag, lowercase v clears it:
    $ SetFile -a V ".. "

  5. Hiding Files from the Finder: xattr
  • Using xattr is another option.
  • The com.apple.FinderInfo extended attribute holds the Finder flags, including the invisible bit (along with other things, such as the type and creator codes).
  • Benefit of xattr: it comes standard, so you don't need the dev tools.
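As an added example, not from the slides: POSIX shell helpers that build and decode the com.apple.FinderInfo blob the xattr route manipulates, so the invisible bit can be set from a script and, on the defender's side, audited. The field layout and the kIsInvisible value (0x4000 in the fdFlags word) come from Apple's Finder.h. The blob is handled as the 64-character hex string that "xattr -px" prints and "xattr -wx" accepts; that these switches are available is an assumption (they are on 10.6). hide_from_finder and find_finder_invisible are hypothetical helper names for this example and only do anything on OS X; the two blob functions run on any Unix.

```shell
#!/bin/sh
# Added example (not from the slides): build and decode the com.apple.FinderInfo
# blob that controls Finder visibility. Layout of the 32-byte FinderInfo for a
# file (Apple's Finder.h):
#   bytes 0-3 fdType, 4-7 fdCreator, 8-9 fdFlags (big-endian), 10-13 fdLocation,
#   14-15 fdFldr, 16-31 extended info.  kIsInvisible is bit 0x4000 of fdFlags.
# The blob is passed around as the 64-character hex string that "xattr -px"
# prints and "xattr -wx" accepts (assumed available, as on 10.6).

# Return a FinderInfo hex blob with kIsInvisible set, preserving every other
# field of the existing blob in $1 (empty = no FinderInfo yet, all zeros).
finderinfo_set_invisible() {
    blob=${1:-$(printf '%064x' 0)}
    prefix=$(printf '%s' "$blob" | cut -c1-16)   # fdType + fdCreator
    flags=$(printf '%s' "$blob" | cut -c17-20)   # fdFlags
    rest=$(printf '%s' "$blob" | cut -c21-64)    # everything after fdFlags
    printf '%s%04x%s' "$prefix" $(( 0x$flags | 0x4000 )) "$rest"
}

# Return 0 (true) if the blob in $1 has kIsInvisible set, 1 otherwise.
finderinfo_is_invisible() {
    [ ${#1} -eq 64 ] || return 1
    flags=$(printf '%s' "$1" | cut -c17-20)
    [ $(( 0x$flags & 0x4000 )) -ne 0 ]
}

# OS X only: mark file $1 invisible to the Finder through xattr, keeping any
# type/creator codes the file already carries. No dev tools required.
hide_from_finder() {
    cur=$(xattr -px com.apple.FinderInfo "$1" 2>/dev/null | tr -d ' \n')
    xattr -wx com.apple.FinderInfo "$(finderinfo_set_invisible "$cur")" "$1"
}

# Defender's check (OS X only): list files under $1 whose FinderInfo has the
# invisible bit set, regardless of whether SetFile or xattr put it there.
find_finder_invisible() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        blob=$(xattr -px com.apple.FinderInfo "$f" 2>/dev/null | tr -d ' \n')
        finderinfo_is_invisible "$blob" && printf '%s\n' "$f"
    done
}

# Demo on a constructed blob (runs anywhere; no xattr needed).
demo=$(finderinfo_set_invisible "")
printf 'blob: %s\n' "$demo"
finderinfo_is_invisible "$demo" && echo "kIsInvisible is set"
```

On a live system, `hide_from_finder ".. "` is the xattr equivalent of the SetFile command on the previous slide, and `find_finder_invisible /Users` is the corresponding sweep for an administrator; the decode function is what makes the sweep independent of which tool set the flag.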

  6. Who Looks in the Trash?
  • The /.Trashes folder temporarily stores files deleted by users on that volume.
  • Interesting permission set: d-wx-wx-wt (mode 1333).
  • Anyone can create files in this directory.
  • The directory has no read bit, so nobody but root can list its contents; the sticky bit means only a file's owner (or root) can rename or delete it, while anyone who knows a file's exact name can still reach it, subject to the file's own permissions.

  7. Editing Log Files
  • The attacker is primarily concerned about:
    • system.log: notices, kernel debug, login
    • secure.log: authentication & authorization
  • You must stop syslogd before modifying them and restart it afterwards.
  • OS X uses launchctl, rather than init scripts, to stop and start services such as syslogd.

  8. The ASL Database
  • Syslog also logs to the Apple System Log (ASL) database:
    • /var/log/asl.db, a single binary file, on Leopard (10.5)
    • /var/log/asl/, a directory of binary files, on Snow Leopard (10.6)
  • A lot of duplication exists between the .log text files and the ASL database, so an attacker needs to hit both.

  9. The syslog Tool
  • In 10.5 the syslog tool can prune ASL database entries.
  • syslogd must be shut down for pruning.
  • Use the "-db", "-p" and "-k" switches with a key/value expression.
  • Prune based on service (Sender), process ID, host, time, and other keys.

  10. Examples of Removing ASL Entries with syslog
  • Remove all sshd entries:
    # syslog -db -p -k Sender sshd
  • Remove all authentication entries:
    # syslog -db -p -k Sender com.apple.SecurityServer
  • Remove all sudo entries:
    # syslog -db -p -k Sender sudo
  • Remember to restart syslogd!

  11. The aslmanager Tool
  • In 10.6, aslmanager provides some of the syslog tool's functionality.
  • It can delete logs based on size or age (in days).
  • Not likely a useful tool for intruders, since it only rotates whole logs by size or age rather than selecting individual entries.

  12. Identifying: The find Command
  • Look for hidden files and directories.
  • E.g.:
    # find / -name "..." -print
  • Can be automated through cron.
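An added example, not from the slides, that generalizes the one-liner above: the slide's find only catches a name that is exactly three dots, whereas the sweep below also flags names made of three or more dots and names that end in a space (which is how ".. " from slide 3 hides). It uses only POSIX find and grep, so it can be dropped into cron on OS X or any other Unix; the function names and the scratch-directory fixture are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the slides): sweep a tree for the name-based hiding
# tricks from slide 3. The slide's `find / -name "..."` only matches an exact
# triple dot; this also flags basenames of three or more dots (e.g. "....") and
# basenames ending in a space, such as ".. ". POSIX find and grep only, so it
# runs from cron on OS X or any other Unix.

# Print every path under $1 whose basename is all dots (3 or more) or ends in a space.
find_hidden_names() {
    find "$1" -print 2>/dev/null | grep -E '/(\.{3,}|[^/]* +)$'
}

# Number of such paths under $1 (handy for alert thresholds in a cron job).
count_hidden_names() {
    find_hidden_names "$1" | wc -l | tr -d ' '
}

# Demo on a constructed scratch tree (not real data): recreate slide 3's names
# next to an ordinary dotfile directory and a legitimate file, then sweep.
scratch=$(mktemp -d)
mkdir "$scratch/.tmpx"
echo "hidden data" > "$scratch/.. "
echo "more hidden data" > "$scratch/..."
echo "nothing to see" > "$scratch/report.txt"
find_hidden_names "$scratch"   # flags ".. " and "...", not .tmpx or report.txt
rm -rf "$scratch"
```

Ordinary dotfiles such as .tmpx are deliberately not reported, since they are everywhere on a Unix system; the sweep targets the names that exist only to look like directory entries or to be mistyped. A cron entry would call `find_hidden_names /` and mail the output.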

  13. Identifying: OSSEC HIDS
  • Host-based intrusion detection system, available at www.ossec.net
  • Integrity checking: look for changes in the System, Applications, and Developer directories, and see if /etc/asl.conf has been modified.
  • Rootkit detection: look for hidden files and directories.

  14. Summary
  • Attackers have unique ways to hide files on Macs.
  • An attacker may find removing log entries on Macs challenging, but there are ways to do it.
  • A well-prepared sysadmin can still detect these attempts at stealth.
