1 00:00:01,270 --> 00:00:07,520 Welcome to part three of this module.
2 00:00:07,640 --> 00:00:16,100 Today we're going to be taking a look at unix-privesc-check, which is short for Unix privilege escalation
3 00:00:16,100 --> 00:00:17,390 checker.
4 00:00:17,390 --> 00:00:22,430 This is a small and simple tool, so I'm going to launch it right away so I can run it while I speak about
5 00:00:22,430 --> 00:00:30,910 it. The checker can be launched from either the terminal window or simply by going to Applications, Vulnerability
6 00:00:30,910 --> 00:00:35,350 Analysis, and then clicking on the icon which looks like a little monkey.
7 00:00:41,460 --> 00:00:44,340 Once it comes up,
8 00:00:44,840 --> 00:00:51,340 we'll get this page essentially asking us if we want to run in standard mode or detailed mode. Detailed
9 00:00:51,350 --> 00:00:53,930 mode is extremely slow,
10 00:00:54,110 --> 00:01:03,470 so I'll be showing it off in standard mode for time considerations. So to launch the tool, we're just going
11 00:01:03,470 --> 00:01:12,390 to type unix-privesc-check and then we're going to specify standard.
12 00:01:12,470 --> 00:01:16,670 We could put in detailed, as I said, but standard for this demonstration.
13 00:01:19,230 --> 00:01:25,270 OK, now that the audit is up and running, I'll try to explain what this tool is.
14 00:01:26,040 --> 00:01:31,020 unix-privesc-check is a script that runs on Unix systems.
15 00:01:31,020 --> 00:01:39,530 It's been tested on Solaris 9, HP-UX 11, various flavors of Linux, FreeBSD
16 00:01:39,690 --> 00:01:42,130 6.2, et cetera.
17 00:01:42,420 --> 00:01:49,980 It tries to find misconfigurations that could allow local unprivileged users to escalate privileges
18 00:01:50,550 --> 00:01:56,870 to other users or access local applications such as databases.
19 00:01:56,950 --> 00:02:05,410 It is written as a single shell script so it can be easily uploaded and run, as opposed to being untarred,
20 00:02:05,620 --> 00:02:08,450 compiled and installed.
21 00:02:08,680 --> 00:02:15,150 It can run either as a normal user or as the root user, though obviously it does a better job when running
22 00:02:15,150 --> 00:02:24,510 as root because it can read more files. The tool comes prepackaged with Kali 2.0 and can also be downloaded
23 00:02:24,510 --> 00:02:26,850 from pentestmonkey.net.
24 00:02:30,050 --> 00:02:37,340 So at this point you might be wondering, what is the point of this tool in Kali? It's intended to be
25 00:02:37,340 --> 00:02:45,290 run by security auditors and penetration testers against systems they have been engaged to assess, and
26 00:02:45,290 --> 00:02:51,570 also by system administrators who want to check for obvious misconfigurations.
27 00:02:51,740 --> 00:03:00,500 It can even be run as a cron job so you can check regularly for misconfigurations that might be introduced.
28 00:03:00,850 --> 00:03:06,460 There are a lot of possibilities for escalation that are just too hard to audit
29 00:03:06,460 --> 00:03:14,410 using a script. This script is intended to be a shortcut, not a replacement for a proper auditing procedure.
30 00:03:14,410 --> 00:03:18,090 Of course, that's just the official description.
31 00:03:18,100 --> 00:03:22,210 The real point of this script is that it is very lightweight.
32 00:03:22,390 --> 00:03:27,780 You don't have to compile it or even upload it in a compressed form.
33 00:03:27,790 --> 00:03:33,250 Imagine for a moment that you have remote access to a system but that access is limited.
34 00:03:33,250 --> 00:03:39,410 You want to escalate your privileges, so you upload and run this simple little script.
35 00:03:39,550 --> 00:03:47,080 It won't find every possibility that a trained penetration tester might through a long, careful examination
36 00:03:47,080 --> 00:03:52,640 of the system, but it might come back with something that you can quickly use.
37 00:03:52,660 --> 00:04:00,070 Time is a consideration during any pen test, as many tools and scans require a certain number of minutes
38 00:04:00,070 --> 00:04:02,950 or even hours to run properly.
39 00:04:02,950 --> 00:04:08,200 And if you're working for a demanding employer, you may be on a timetable.
40 00:04:08,260 --> 00:04:16,000 The script is also popular with black hats who are less skilled and just want to find the easiest ways
41 00:04:16,000 --> 00:04:18,970 into a system without much fuss.
42 00:04:18,970 --> 00:04:22,870 What this tool lacks in artistry it makes up for in convenience.
43 00:04:25,810 --> 00:04:30,790 Really, the main thing this tool is looking at are weak file permissions.
44 00:04:30,790 --> 00:04:37,120 Note that whenever it checks file permissions, it also checks the permissions on the parent directories.
45 00:04:37,660 --> 00:04:46,360 When it finds a group-readable file or directory, it flags an issue if that group has more than one non-root
46 00:04:46,360 --> 00:04:48,760 member.
47 00:04:48,760 --> 00:04:54,760 So what are some examples of things it can find that you actually want to find?
48 00:04:54,760 --> 00:05:02,320 Well, let's say the home directory is writable. If you can write to someone's home directory,
49 00:05:02,330 --> 00:05:12,980 you can add a .rhosts file or a .ssh authorized_keys file and thereby log in right away, or
50 00:05:13,310 --> 00:05:20,990 alter one of the login scripts, such as the bash profiles, and have them create a SUID shell
51 00:05:20,990 --> 00:05:22,540 whenever they log in.
52 00:05:22,550 --> 00:05:30,370 There are lots of problems with home directories that are writable. The script flags a warning if
53 00:05:30,460 --> 00:05:36,550 any home directories are writable by anyone other than the owner or root user.
54 00:05:36,550 --> 00:05:43,710 Another example is a readable /etc/shadow, although it is not so common these days.
55 00:05:43,720 --> 00:05:50,390 This could allow you to read password hashes, crack them, then log in as other users.
56 00:05:50,500 --> 00:05:55,870 The script checks if the shadow file is readable by non-root users.
57 00:05:59,770 --> 00:06:06,970 It'll look for weak permissions on cron jobs as well. Cron jobs are normally listed in the /etc/crontab
58 00:06:06,970 --> 00:06:14,350 and /var/spool/cron/crontabs directories. Cron jobs can be run by any user.
59 00:06:14,350 --> 00:06:22,480 This script checks if cron jobs run programs that can be modified by users other than root and the
60 00:06:22,480 --> 00:06:23,350 user
61 00:06:23,350 --> 00:06:33,810 the job runs as. It also looks at startup configuration files: programs that are run as root are listed
62 00:06:33,810 --> 00:06:35,580 in lots of files.
63 00:06:35,580 --> 00:06:42,660 If any of these files are writable by non-root users, this script will flag a warning. By the same token,
64 00:06:43,170 --> 00:06:46,170 the tool checks for readable device files.
65 00:06:46,230 --> 00:06:53,820 In other words, it checks device files corresponding to currently mounted file systems and makes sure
66 00:06:53,880 --> 00:06:55,440 that they aren't readable.
67 00:06:55,440 --> 00:07:03,530 It doesn't happen very often, but it never hurts to check. Another thing the tool checks for is readable
68 00:07:03,530 --> 00:07:09,520 files in home directories, and there can be a lot of interesting things in home directories.
69 00:07:09,530 --> 00:07:20,600 But this script checks for files that contain passwords, such as .netrc or .my.cnf, as
70 00:07:20,600 --> 00:07:31,350 well as ACLs like .rhosts and .ssh, if readable, and these can provide a way to access local
71 00:07:31,350 --> 00:07:37,330 applications or other local accounts.
72 00:07:37,350 --> 00:07:44,040 Finally, it checks to see if running processes correspond to writable programs.
73 00:07:44,040 --> 00:07:50,850 The script does a ps listing, attempting to determine the full path of each program, and runs a check
74 00:07:50,940 --> 00:07:53,880 if it can be modified by anyone other than the user
75 00:07:54,540 --> 00:08:03,010 it's running as. The script also performs a couple of other checks related to privilege escalation
76 00:08:03,460 --> 00:08:07,740 but not related to file permissions.
77 00:08:08,180 --> 00:08:11,330 It checks sudo configuration first.
78 00:08:11,630 --> 00:08:20,720 Sudo is one of the most obvious ways to escalate privileges if it is enabled. Sometimes only certain
79 00:08:20,720 --> 00:08:23,450 commands can be run, sometimes
80 00:08:23,450 --> 00:08:29,050 any commands can be run. If /etc/sudoers is readable,
81 00:08:29,110 --> 00:08:36,480 the script checks if it's being used, lists which users can use sudo, and which ones can use it without
82 00:08:36,540 --> 00:08:39,830 a password.
83 00:08:39,850 --> 00:08:44,080 Last but not least, it checks for accounts with no passwords.
84 00:08:44,080 --> 00:08:51,050 If /etc/shadow is readable, the script lists any accounts without passwords that it finds.
85 00:08:51,050 --> 00:08:56,220 I've never once seen this work, but in theory you might get lucky.
86 00:08:56,320 --> 00:08:59,050 So how useful is unix-privesc-check
87 00:08:59,050 --> 00:09:01,570 in practice?
88 00:09:01,570 --> 00:09:07,930 Well, it depends largely on the base operating system and the amount of configuration an administrator
89 00:09:07,930 --> 00:09:13,780 has done. More configuration equals more chance of mistakes.
90 00:09:13,780 --> 00:09:21,790 If you run it against a fairly modern operating system, such as, let's say, Linux or Solaris 10, that hasn't
91 00:09:21,790 --> 00:09:23,410 had much configuration done,
92 00:09:23,410 --> 00:09:30,670 you're probably not going to find very much. The operating systems have fairly secure file permissions
93 00:09:30,670 --> 00:09:32,490 by default.
94 00:09:32,530 --> 00:09:39,760 However, if you run it against something like Solaris 8, or against a system that has been running for
95 00:09:39,760 --> 00:09:46,420 a couple of years and has a lot of configuration done, or is running a lot of third-party applications
96 00:09:47,380 --> 00:09:55,220 that maybe aren't updated very frequently, then you'll probably strike gold quite a bit.
97 00:09:55,240 --> 00:10:02,530 That being said, there are a lot of standard things that would normally be checked for during any real
98 00:10:02,530 --> 00:10:06,050 audit that this tool simply doesn't look for.
99 00:10:06,070 --> 00:10:12,750 Like I said, it is meant to be a lightweight and simple method.
100 00:10:12,790 --> 00:10:18,520 This is a quick and dirty way to check a target for simple ways to escalate privileges.
101 00:10:18,520 --> 00:10:25,720 As such, I really don't recommend this tool for a professional pentester who is interested in doing
102 00:10:25,720 --> 00:10:33,420 a thorough job. As a black hat tool, though, it has its uses, particularly for those less skilled.
103 00:10:33,520 --> 00:10:37,120 However, it's really no replacement for a proper audit.
104 00:10:39,800 --> 00:10:44,370 So anyway, as you can see, the program is still running.
105 00:10:44,510 --> 00:10:51,490 I'm going to make a quick cut to the end of this process for time consideration,
106 00:10:54,070 --> 00:11:00,490 and we'll look at the final results real quick when it's done. So here we see that the tool has finished
107 00:11:00,490 --> 00:11:00,850 running,
108 00:11:04,810 --> 00:11:08,590 and as we scroll up we can see all of the various things that it checked,
109 00:11:16,280 --> 00:11:17,320 and that's really about it.
110 00:11:17,320 --> 00:11:18,710 It's very straightforward,
111 00:11:18,710 --> 00:11:19,430 as I said.
112 00:11:27,160 --> 00:11:36,010 So I hope this video was of use to you and you understand the purpose of unix-privesc-check.
113 00:11:36,010 --> 00:11:44,200 Like most of the tools in this module, it really is just a straightforward "run it" type of program. As
114 00:11:44,200 --> 00:11:44,660 always,
115 00:11:44,680 --> 00:11:50,560 never run such a script against any system that you do not personally own or have written permission
116 00:11:50,560 --> 00:11:52,160 to pen test.
117 00:11:52,600 --> 00:11:58,360 If you find this tool useful, and it is pretty nice, I encourage you to check online at pentestmonkey.net
118 00:11:58,390 --> 00:12:02,430 for all the latest updates.
119 00:12:02,500 --> 00:12:02,920 Thank you.