FreeBSD uses the package manager pkg, which fills the role apt fills on Debian-based Linux

Example usage commands

sudo pkg update

sudo pkg install (package name)

sudo pkg delete (package name)

Monitoring Services

Services and other scripts run at system startup are located in the directories

/etc/rc.d/   (base system)

/usr/local/etc/rc.d/   (installed packages, and anything dropped in by hand)

These scripts are run by rc(8) as root during boot. They are ordinary userland shell scripts, not kernel code, but because they execute as root before anyone logs in, a script planted in one of these directories is a common persistence mechanism.

Each script is a POSIX-compliant /bin/sh script with no file extension. A well-formed one sources /etc/rc.subr, names itself with a "# PROVIDE:" line, and ends with run_rc_command so that it only starts when (service name)_enable="YES" is set in rc.conf:

#!/bin/sh
(my_example_service code)

Use the service command to view services and their status

List all enabled services

service -e

List all installed service scripts, enabled or not

service -l

Check for any malicious or unneeded services. Before deleting a script, find out whether a package owns it (pkg which (file path) names the owning package and reports nothing for a file that was added by hand), disable it, and only then remove the file from /etc/rc.d or /usr/local/etc/rc.d if it does not belong there.

Start, stop, and restart services

service (service name) start

service (service name) stop

service (service name) restart

Enable and disable services (these set or clear (service name)_enable in /etc/rc.conf through sysrc)

service (service name) enable

service (service name) disable

Reload a service (this applies configuration file changes without a full restart)

service (service name) reload

Not all services support reload. If a service does not, restart it instead to apply configuration file changes.

View the status of a service

service -v (service name) status

When the service is running, its process ID is shown

The directory the service script lives in is shown

This command's output is not very descriptive. Use ps on the PID it prints to see the real command line, user and start time, and read the service's script in its rc.d directory to see what it actually runs.
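The following is an added example, not part of the original notes: a small audit of a startup-script directory, the kind of check to run over /usr/local/etc/rc.d when hunting for planted services. rc(8) executes every script in the local_startup directories; a well-formed script sources /etc/rc.subr, declares an rcvar and hands control to run_rc_command, so it runs only when its name_enable="YES" is set in rc.conf. A script that skips that framework runs whatever it contains at every boot regardless of rc.conf, which is what a dropped-in persistence script looks like. The script names and contents in the demo directory are constructed for the example.

```shell
# Added example (not from the original notes): flag rc.d-style scripts that do
# not use the rc.subr framework and therefore run unconditionally at boot.

audit_rcd_dir() {
    # audit_rcd_dir <dir> -> one line per script: OK, NOFRAMEWORK or NOTEXEC, plus its PROVIDE name
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        provide=$(sed -n 's/^# PROVIDE:[[:space:]]*//p' "$f" | head -n 1)
        if ! grep -q '^\. /etc/rc.subr' "$f" || ! grep -q 'run_rc_command' "$f"; then
            status=NOFRAMEWORK      # runs its contents regardless of any _enable variable
        elif [ ! -x "$f" ]; then
            status=NOTEXEC          # rc(8) skips non-executable scripts; harmless but worth a look
        else
            status=OK
        fi
        printf '%s %s provide=%s\n' "$status" "$(basename "$f")" "${provide:-none}"
    done
}

audit_rcd_findings() {
    # audit_rcd_findings <dir> -> number of scripts that are not OK (0 means the directory is clean)
    audit_rcd_dir "$1" | grep -vc '^OK ' || true
}

make_demo_rcd() {
    # Builds a throw-away directory with constructed data: one well-formed rc.d
    # script and one that simply launches a hidden binary at boot.
    d=$(mktemp -d)
    cat > "$d/demo_service" <<'EOF'
#!/bin/sh
# PROVIDE: demo_service
# REQUIRE: LOGIN
. /etc/rc.subr
name="demo_service"
rcvar="${name}_enable"
command="/usr/local/sbin/demo_service"
load_rc_config $name
run_rc_command "$1"
EOF
    cat > "$d/update_check" <<'EOF'
#!/bin/sh
/tmp/.cache/run &
EOF
    chmod 755 "$d"/*
    echo "$d"
}

demo_dir=$(make_demo_rcd)
audit_rcd_dir "$demo_dir"       # one OK line for demo_service, one NOFRAMEWORK line for update_check
rm -rf "$demo_dir"
```

On a real host run audit_rcd_dir /usr/local/etc/rc.d and then check any flagged file with pkg which to see whether a package installed it; a NOFRAMEWORK script that no package owns should be disabled and preserved for the incident record before it is removed.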

Checking Network Connections

The sockstat command lists open sockets (network and local) on FreeBSD

List all open sockets

sockstat

List only listening sockets

sockstat -l

List TCP or UDP sockets

sockstat -P udp

sockstat -P tcp

sockstat -P tcp,udp

sockstat -P tcp -p 80,443

-p filters by port number (comma-separated, no spaces)

List Unix domain sockets

sockstat -u
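Added example, not from the original notes: reduce saved sockstat -l output to one line per listening TCP/UDP socket and flag anything whose port is not on a list of expected services. It assumes the column layout sockstat prints (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS, with the local address written as host:port) and takes the allow-list as an argument; the captured output below is constructed, not from a real host.

```shell
# Added example (not from the original notes): summarise listening sockets from a
# saved `sockstat -l` run and report the ones that are not expected.

listening_ports() {
    # listening_ports <file with sockstat -l output> -> unique "proto port command pid user" lines
    awk 'NR > 1 && $5 ~ /^(tcp|udp)/ {
            n = split($6, a, ":"); port = a[n]      # port is whatever follows the last colon
            print $5, port, $2, $3, $1
        }' "$1" | sort -u
}

unexpected_listeners() {
    # unexpected_listeners <file> <comma-separated allowed ports> -> listeners on ports not in the list
    listening_ports "$1" | awk -v allow=",$2," 'index(allow, "," $2 ",") == 0'
}

make_demo_sockstat() {
    # Constructed sockstat -l output for the demo (not captured from a real system).
    f=$(mktemp)
    cat > "$f" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp6   *:22                  *:*
root     sshd       812   5  tcp4   *:22                  *:*
www      nginx      1044  6  tcp4   *:80                  *:*
www      nginx      1044  7  tcp4   *:443                 *:*
root     syslogd    455   7  udp6   *:514                 *:*
root     syslogd    455   8  udp4   *:514                 *:*
nobody   python3.11 2210  3  tcp4   *:8081                *:*
EOF
    echo "$f"
}

demo=$(make_demo_sockstat)
unexpected_listeners "$demo" 22,80,443,514    # prints the python3.11 listener on 8081
rm -f "$demo"
```

On a live host feed it the real output (sockstat -l > /tmp/sockstat.txt, then unexpected_listeners /tmp/sockstat.txt 22,80,443) and chase every reported PID with ps; a wildcard local address (*:port) means the socket is reachable on every interface, not just loopback.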

Changing File Flags

FreeBSD has no chattr; the equivalent for setting file flags is chflags. The "system" flags below (schg, sappnd, sunlnk) can only be set by root, and once the kernel securelevel is 1 or higher the immutable and append-only ones cannot be cleared at all, not even by root, until the system is rebooted at a lower securelevel.

Examples

Set the system immutable flag (the file cannot be modified, renamed or deleted)

sudo chflags schg (filepath)

Remove the flag: sudo chflags noschg (filepath)

Set the system append-only flag (data can only be appended; useful for log files)

sudo chflags sappnd (filepath)

Remove the flag: sudo chflags nosappnd (filepath)

Set the system undeletable flag (the file cannot be unlinked)

sudo chflags sunlnk (filepath)

Remove the flag: sudo chflags nosunlnk (filepath)

To view which flags are set on a file, run ls -lo (filepath)

The user-level versions of these flags (uchg, uappnd, uunlnk) can be cleared by the file's owner at any securelevel, so they do not stop an attacker who already has the owner's privileges.
System Configuration Files

FreeBSD's main system configuration file is /etc/rc.conf

Variables can be changed by either editing this file or using the sysrc command, which edits rc.conf for you and keeps its syntax valid

To check the value of a variable in rc.conf, run sysrc (variable name)

To set a variable's value, run sudo sysrc (variable name)=(new value)

To append a value to a variable, run sudo sysrc (variable name)+=(value to append)

To remove a value from a variable, run sudo sysrc (variable name)-=(value to remove)

Note that rc.conf should not be made immutable (schg), as sysrc, and therefore service enable/disable, will then be unable to update variable values

Limit rc.conf visibility and write access to the root user. The commands below keep the file readable by the sudoers group (wheel on a stock FreeBSD install); use root:wheel with mode 600 instead if nobody but root needs to read it. Only root may write it either way.

sudo chown root:(sudoers group) /etc/rc.conf

sudo chmod 640 /etc/rc.conf
The Kernel Securelevel

The FreeBSD kernel has five security levels, -1 through 3

The level is configured at boot through two rc.conf variables: if kern_securelevel_enable is set to "YES", the kernel is raised to the level given in kern_securelevel during startup

Otherwise, if kern_securelevel_enable is set to "NO" (the default), nothing raises the level and the kernel stays at level -1

The current level is not an rc.conf variable; it is the sysctl kern.securelevel (read it with sysctl kern.securelevel)

Level -1: permanently insecure mode

Always run the system in level 0 mode

Default value upon installation

Level 0: insecure mode

Immutable and append-only flags may be turned off (by root)

Level 1: secure mode

The system immutable and system append-only flags may not be turned off; kernel modules may not be loaded or unloaded; the disks backing mounted file systems, /dev/mem and /dev/kmem may not be opened for writing

Not even the root user can remove the system immutable and system append-only flags at this level or above

Level 2: highly secure mode. Same as level 1, plus no disk may be opened for writing except through mount(2), mounted or not, and the clock may not be moved by more than one second

Level 3: network secure mode. Same as level 2, plus IP packet filter rules (ipfw, pf, ipfilter) cannot be changed

Any super-user process can raise the security level, but no process can lower it; only a reboot with a lower kern_securelevel brings it back down

To raise the level on the running system immediately, run sudo sysctl kern.securelevel=(new level)

To make the level persistent across reboots, run sudo sysrc kern_securelevel_enable=YES and sudo sysrc kern_securelevel=(new level)

If /etc/rc.conf has been made immutable, these sysrc commands, like any other sysrc change, will fail until the flag is cleared, which at securelevel 1 or higher means a reboot
Linux Persistent Iptables Service

NOTE: Using systemd

1. Creating the Restore Script

Make a directory to store the rules file and the restore script

sudo mkdir /etc/iptables-persistent/

Put your iptables rules file (the output of iptables-save) in the created directory
Splunk Forwarder (splunk.sh)

All changes pertain to the splunk.sh script (competition-resources/Splunk/splunk.sh)

Change INDEXER to the IP address of the Splunk instance (receiver)

Change PASS to a different password

Remove the else branch from the "if ! restart_splunk" block (lines 126-128)

Post script execution

Manually add source(s) to monitor:

Select a file (or entire directory) to monitor

Talk to a captain to obtain the index to use (most likely either "linux" or "windows")

Change directory into $SPLUNK_HOME/bin ($SPLUNK_HOME is most likely /opt/splunkforwarder)

Run a command like sudo ./splunk add monitor /path/to/thing/to/monitor -index <name of index>

In the case where the chosen source is already being monitored (and you need to change something about how it is being monitored, e.g. changing the index):

Change directory into $SPLUNK_HOME/bin

Run the command sudo ./splunk remove monitor /path/to/thing/to/monitor

Follow the previous set of steps to re-add the source as a monitor

These commands edit the file at the path $SPLUNK_HOME/etc/apps/search/local/inputs.conf. You can edit that file directly instead, but manual changes only take effect after the Splunk daemon is restarted: sudo $SPLUNK_HOME/bin/splunk restart
Linux CCDC Basic Checklist

1. Network Scanning & Enumeration

Nmap Scanning

Scan all TCP ports:

nmap -p- <IP ADDRESS>

Ping sweep for active hosts (host discovery only, no port scan):

nmap -sn 10.10.10.0-10
nmap -sn 10.10.10.0/24

Scan for service versions and OS detection, saving output to a file (-sS and -O need root):

sudo nmap -sS -sV -O <IP ADDRESS> -oN nmap.txt

2. User & Password Management

Reset Passwords

(expects ./users to be a copy of /etc/passwd trimmed down to only the accounts whose password you want to reset; every account left in the file, service accounts included, gets the new password)

Without saving passwords:

for user in $(awk -F: '{print $1}' ./users); do echo "$user:"'m0Nk3y!m0Nk3y!' | sudo chpasswd; done

With saving passwords to a file (the file holds cleartext credentials: create it under umask 077 or chmod 600 it immediately, and move it off the host when you are done):

for user in $(awk -F: '{print $1}' ./users); do echo "$user:"'m0Nk3y!m0Nk3y!' | tee -a ./new_passwords | sudo chpasswd; done

The password is single-quoted because in an interactive bash the ! inside double quotes triggers history expansion and silently changes what gets set. One shared password for every account also means one leak compromises all of them; prefer a distinct password per account.

List every user's crontab (save this output too; cron entries are a favourite persistence spot):

for user in $(cut -f1 -d: /etc/passwd); do echo "user: $user"; sudo crontab -u "$user" -l 2>/dev/null && echo ""; done
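Added example, not from the original checklist: reset every interactive account to its own random password instead of one shared value. It reads a passwd-format file (a copy of /etc/passwd, or the trimmed ./users file the checklist describes), keeps accounts with a UID at or above a threshold (1000 is an assumption; adjust it for the box) and a real login shell, and writes user:password lines to a mode-600 file that can be piped straight into chpasswd. The passwd content used for the demo is constructed.

```shell
# Added example (not from the original checklist): per-account random passwords,
# written to a credential file that only the generating user can read.

gen_creds() {
    # gen_creds <passwd-format file> <output file> [uid_min] -> prints the number of accounts written
    src="$1"; out="$2"; uid_min="${3:-1000}"       # uid_min=1000 is an assumption
    umask 077                                        # credential file is created 0600
    : > "$out"
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ "$uid" -ge "$uid_min" ] || continue        # skip root and system accounts
        case "$shell" in */nologin|*/false|"") continue ;; esac   # skip accounts that cannot log in
        pass=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 20)
        printf '%s:%s\n' "$user" "$pass" >> "$out"
    done < "$src"
    wc -l < "$out" | tr -d ' '
}

apply_creds() {
    # apply_creds <credential file>: feed it to chpasswd (needs root). Not run by the demo.
    sudo chpasswd < "$1"
}

make_demo_passwd() {
    # Constructed passwd-format sample for the demo (not a real /etc/passwd).
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:1001:1001::/var/backups:/usr/sbin/nologin
bob:x:1002:1002:Bob:/home/bob:/bin/zsh
EOF
    echo "$f"
}

demo_passwd=$(make_demo_passwd)
demo_out=$(mktemp)
gen_creds "$demo_passwd" "$demo_out"    # prints 2 (alice and bob); root, daemon and svc_backup are skipped
rm -f "$demo_passwd" "$demo_out"
```

After apply_creds, hand the credential file to the captain and delete it from the host; if a scored service account must keep a known password, take it out of the input file before running gen_creds.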

6. Security Hardening & Permissions

Remove SUID Binaries

Find all SUID and SGID binaries (a setgid shell or editor is as useful to an attacker as a setuid one):

find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null

Find world-writable files (the original check, find / -type f -perm -0400, matches any file whose owner can read it, which is nearly every file, so it tells you nothing):

find / -xdev -type f -perm -0002 -ls 2>/dev/null

Remove SUID/SGID permissions:

chmod a-s <file path>

Add SUID permissions:

chmod u+s <file path>

Do not strip the bit from everything: sudo, su, passwd and a few others need it to work. Compare against a known-good system or the package's file list and remove it only from binaries that should not have it.
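Added example, not part of the original checklist: take a snapshot of the setuid/setgid binaries at the start, then diff later runs against that baseline so a newly planted or newly privileged binary stands out instead of getting lost in the normal list. The demo tree is constructed in a temporary directory; on a real host run suid_snapshot on / (the -xdev keeps find on one filesystem, so run it once per mounted filesystem you care about). stat -c is the GNU coreutils form, which is an assumption about the Linux hosts in play.

```shell
# Added example (not from the original checklist): baseline and diff of
# setuid/setgid regular files.

suid_snapshot() {
    # suid_snapshot <root dir> -> sorted "mode owner path" lines for every setuid or setgid regular file
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %n' {} + 2>/dev/null | LC_ALL=C sort
}

suid_diff() {
    # suid_diff <baseline file> <root dir> -> entries present now that were not in the baseline
    # (a changed mode or owner shows up as a new line too, since the whole line is compared)
    suid_snapshot "$2" | LC_ALL=C comm -13 "$1" -
}

make_demo_tree() {
    # Constructed demo tree: one legitimate-looking setuid binary and one normal binary.
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/tmp"
    printf '#!/bin/sh\n' > "$d/bin/passwd"; chmod 4755 "$d/bin/passwd"
    printf '#!/bin/sh\n' > "$d/bin/ls";     chmod 0755 "$d/bin/ls"
    echo "$d"
}

demo=$(make_demo_tree)
baseline=$(mktemp)
suid_snapshot "$demo" > "$baseline"               # baseline holds only bin/passwd
printf '#!/bin/sh\n' > "$demo/tmp/.x"; chmod 4755 "$demo/tmp/.x"   # simulate a planted setuid file
suid_diff "$baseline" "$demo"                      # prints the tmp/.x entry
rm -rf "$demo" "$baseline"
```

Keep the baseline file off the host (or under a mode the attacker cannot reach) and rerun suid_diff on a schedule; an empty result is the answer you want.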

Secure /etc/sudoers

Ensure it is owned by root and writable by nobody (sudo refuses to run at all if the file is group- or world-writable, so a sloppy chmod here locks everyone out of sudo):

chown root:root /etc/sudoers
chmod 0440 /etc/sudoers

Review the contents with visudo -c (syntax check) and look for NOPASSWD entries, unexpected users or groups, and drop-in files under /etc/sudoers.d/, which are read just like the main file.

7. Incident Response & Documentation

Kill Active Sessions

Kill by TTY (as printed by w or who, e.g. pts/2):

pkill -9 -t <TTY>

Find your own TTY first so you do not kill your own session:

tty

Kill by username:

pkill -9 -u <username>

Kill by PID:

kill -9 <PID>

Kill by process name:

pkill <process name>

Before killing, record what you are killing (the ps -ef line, and the process's executable and working directory under /proc/<PID>/), since that evidence disappears with the process.

Backups

Take a backup of the /etc/ directory or any other mission critical data, and copy it somewhere the attacker cannot reach (another box, or media you control):

tar -czvf etc-backup.tar.gz /etc/

Extract with -p later so the original permissions are restored.

Documentation

Record findings for incident response

Save nmap scans & security incidents

Maintain logs for injects & investigations

Cisco Firepower Firewall

Note: The web interface and command line interface may be split across two different machines. Make sure that passwords are reset on both the web and command line interface.

Reset Passwords on the Web Interface

Log in to the web interface as a user with administrator access.

Navigate to System > Users, and click the edit icon (a pencil) for each user.

Enter the new password in the Password and Confirm Password fields.

Click Save. If prompted to restart the device, then restart.

Verify that the passwords were changed for all users by logging in as each one.

Reset Passwords on the Command Line Interface

Log in to the administrator account over SSH or with the console.

If you do not immediately get a Linux shell, enter the command expert to access the Linux shell.

At the shell prompt, enter sudo passwd (the name of the user) for each user to change their password.

Enter the command exit to leave the shell/interface.

Verify that the passwords were changed for all users.
Keycloak (kc.sh) bootstrap commands

# start production server (needs TLS certs; admin/admin is a placeholder, change it before the server is reachable)
bin/kc.sh start --bootstrap-admin-username admin --bootstrap-admin-password admin

# start development server
bin/kc.sh start-dev --bootstrap-admin-client-id tmpadm --bootstrap-admin-client-secret secret

# create temporary admin user (done without the server running)
bin/kc.sh bootstrap-admin user # --username tmpadm --password:env PASS_VAR (optional)

# create temporary service account
bin/kc.sh bootstrap-admin service # --client-id tmpclient --client-secret:env SECRET_VAR (optional)

# The :env forms read the secret from an environment variable; a secret given directly on the
# command line is visible to every local user in the process list and lands in the shell history.
MySQL Config File

When installed, the mysql service will automatically start and run upon system startup on port 3306. The config file is stored in /etc/mysql/mysql.conf.d/mysqld.cnf.

MariaDB Config File

When installed, the mariadb service (still answered by the name mysql on most distributions) will automatically start and run upon system startup on port 3306. The config files are stored in /etc/mysql/my.cnf and /etc/mysql/mariadb.conf.d/50-server.cnf (this file contains MariaDB server-specific settings).

Securing the Services and Databases

The config file:

Ensure that these fields are set properly in the [mysqld] section (the same keys under [client] or [mysql] configure the client, not the server)

user (should be mysql)

Ensure that the user mysql does not have sudo privileges, i.e., is not in any sudoers group, and has no login shell

Do not set the user to root!

port (3306 by default if no value is present)

bind-address (127.0.0.1 if only applications on the same machine need the database; an empty or 0.0.0.0 value listens on every interface)

Disable local-infile

Include the line local-infile = 0 anywhere underneath [mysqld] in the config file

local-infile permits LOAD DATA LOCAL INFILE, which lets anyone with SQL access read files from the connecting client's filesystem into a table; since most connections here are local, that means files on the database host itself. MariaDB enables it by default, so an absent line is not safe.

After making changes to the config file, restart mysql with sudo systemctl restart mysql
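Added example, not from the original notes: a checker for the settings the section above asks for (user=mysql, bind-address kept local, local-infile disabled, port as expected), so the config review is repeatable rather than eyeballed. Only keys inside the [mysqld] section count; both the local-infile and local_infile spellings are accepted, and a bare key with no value is treated as enabled, which is how the server reads it. The two config files used in the demo are constructed; point check_mysqld_cnf at the real file named in the notes.

```shell
# Added example (not from the original notes): audit a mysqld/mariadb config file
# for the hardening settings described above.

mysqld_option() {
    # mysqld_option <file> <key> -> value of <key> inside [mysqld] (last one wins); empty if unset.
    # Keys are normalised so local_infile and local-infile are the same key.
    awk -v key="$2" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[mysqld\]/); next }
        insec && $0 !~ /^[[:space:]]*[#;]/ {
            line = $0; sub(/[[:space:]]*[#;].*$/, "", line)      # drop inline comments
            n = split(line, kv, "=")
            k = kv[1]; gsub(/[[:space:]]/, "", k); gsub(/_/, "-", k)
            if (k == key) {
                v = (n > 1) ? kv[2] : "1"                        # bare flag means enabled
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                val = v; seen = 1
            }
        }
        END { if (seen) print val }' "$1"
}

check_mysqld_cnf() {
    # check_mysqld_cnf <file> -> one finding per line; prints nothing when the file passes
    f="$1"
    u=$(mysqld_option "$f" user)
    [ "$u" = "mysql" ] || echo "user is '${u:-unset}', expected mysql"
    b=$(mysqld_option "$f" bind-address)
    case "$b" in
        127.0.0.1|localhost|::1) ;;
        "")               echo "bind-address unset: server listens on every interface" ;;
        0.0.0.0|"::"|"*") echo "bind-address $b exposes the server on every interface" ;;
        *)                echo "bind-address $b: confirm remote clients really need it" ;;
    esac
    li=$(mysqld_option "$f" local-infile)
    case "$li" in
        0|OFF|off|FALSE|false) ;;
        *) echo "local-infile is '${li:-unset}': add local-infile = 0 under [mysqld]" ;;
    esac
    p=$(mysqld_option "$f" port)
    [ -z "$p" ] || [ "$p" = "3306" ] || echo "port is $p (non-default): make sure the scorer and firewall expect it"
}

make_demo_cnf() {
    # make_demo_cnf good|bad -> path of a constructed config file for the demo
    f=$(mktemp)
    if [ "$1" = good ]; then
        cat > "$f" <<'EOF'
[client]
port = 3306
[mysqld]
user            = mysql
bind-address    = 127.0.0.1
port            = 3306
local-infile    = 0   # disabled per the hardening notes
EOF
    else
        cat > "$f" <<'EOF'
[mysqld]
user = root
bind-address = 0.0.0.0
local_infile
EOF
    fi
    echo "$f"
}

good=$(make_demo_cnf good); bad=$(make_demo_cnf bad)
check_mysqld_cnf "$good"      # prints nothing
check_mysqld_cnf "$bad"       # prints three findings: user, bind-address, local-infile
rm -f "$good" "$bad"
```

Keep in mind that a setting in any file pulled in through !includedir (for example another file under mysql.conf.d) can override what you checked, so run the checker over every included file, not just the one the notes name.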

The service files:

MariaDB and MySQL's service files are stored in /lib/systemd/system/ and/or /etc/systemd/system/ (mysql.service or mariadb.service, plus any override under a matching .d directory)

Things to look out for:

User and Group should be set to mysql

If they are set to anything else (such as root), the database process runs with those privileges, and every file-reading or file-writing feature of the server (LOAD DATA, SELECT ... INTO OUTFILE, plugins) becomes a privilege-escalation path for anyone with SQL access

To check which user mysql is running as, use the command ps aux | grep mysql

Good idea to back up the service files as well in case of deletion/alteration

Passwords:

By default, the root account in MySQL has no password (on Debian/Ubuntu it authenticates through the auth_socket or unix_socket plugin instead, so only the OS root user can use it). To change root's password, open a session with sudo mysql -u root

Run USE mysql;

If you're on MySQL, run ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '(new_password)'; (on MySQL 8, prefer caching_sha2_password unless an old client needs the legacy plugin)

If you're on MariaDB, run ALTER USER 'root'@'localhost' IDENTIFIED BY '(new_password)';

Run FLUSH PRIVILEGES;

Auditing Users:

In an open MySQL session, run SELECT User, Host FROM mysql.user; to view all users and their host values

The Host value limits where a user may connect from: localhost, an IP address or hostname, or a pattern (% matches anything, 192.168.1.% matches a subnet). A host value of localhost restricts connections to the local machine.

A host value of % allows the user to connect from any host. Ensure that root and other system users have a host value of localhost. Ideally, no user should have a host value of %.

To change a user's host value, run RENAME USER '(username)'@'(old_host)' TO '(username)'@'(new_host)'; then run FLUSH PRIVILEGES; to apply the changes.

Removing unwanted users:

Run DROP USER '(username)'@'(host)'; (if the @'(host)' part is left off, MySQL assumes '%', so a 'user'@'localhost' account would be left in place)

Backing up the databases:

While the MySQL service is running, run sudo mysqldump --all-databases --routines --events -u root -p > (path to a backup .sql file), then chmod 600 the dump: it contains every password hash and all of the data

Create a copy of the config file: sudo cp (path to config file) (path to backup config file)

Also back up the systemd service files for mysql should those files be altered or deleted

Restoring the databases:

sudo cp (path to backup config file) (path to config file)

sudo systemctl stop mysql

sudo rm -rf /var/lib/mysql/*   (this destroys the current data directory; only do it when you intend to rebuild everything from the dump)

sudo mysqld --initialize --user=mysql   (MySQL only; it writes a temporary root password to the error log, which you will need below. --initialize-insecure creates root with no password instead. On MariaDB run sudo mariadb-install-db --user=mysql, or mysql_install_db on older versions)

sudo chown -R mysql: /var/lib/mysql

sudo systemctl start mysql

sudo mysql -u root -p < (path to backup .sql file)   (the dump recreates the users and password hashes from the time of the backup, so set root's password again afterwards if the backup predates your change)
MariaDB and MySQL Hardening

Log in to the mysql/mariadb console with sudo mysql -u root -p

Root's password may be blank if it is not provided during the competition (press Enter at the prompt, or drop the -p)

If you cannot log in, ensure the mysql service has properly started without logging errors (broken config file, networking error, etc.)

In MySQL, run USE mysql;

Change the root user's password

If you're on MySQL, run ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '(new_password)';

If you're on MariaDB, run ALTER USER 'root'@'localhost' IDENTIFIED BY '(new_password)';

(an empty string between the quotes sets no password at all, which undoes the point of this step)

Run FLUSH PRIVILEGES;

Verify/edit the appropriate config file

MySQL: /etc/mysql/mysql.conf.d/mysqld.cnf

MariaDB: /etc/mysql/my.cnf and /etc/mysql/mariadb.conf.d/50-server.cnf

Verify that user is set to mysql

Verify that the port is set correctly (3306 by default)

Verify that the bind-address is set correctly (127.0.0.1 unless remote clients are scored)

Add the line local-infile = 0 somewhere underneath the [mysqld] section

Save changes and restart mysql with sudo systemctl restart mysql

Audit users

Log in to the mysql/mariadb console

Run SELECT User, Host FROM mysql.user; to view all users and their host values

Make sure host values are either a specific IP address or hostname, or localhost. No user should have a host value of %.

To change a user's host value, run RENAME USER '(username)'@'(current_host)' TO '(username)'@'(new_host)'; then run FLUSH PRIVILEGES; to apply the changes.

Remove unneeded users with DROP USER '(username)'@'(host)';

Create backups

While the MySQL service is running, run sudo mysqldump --all-databases --routines -u root -p > (path to backup .sql file) and chmod 600 the result

Create a copy of the config file: sudo cp (path to config file) (path to backup config file)

Create backups of the mysql service files used by systemctl

/lib/systemd/system/ and/or /etc/systemd/system/

PostgreSQL Hardening

PostgreSQL has no "root" account: the database superuser is postgres, and the OS user postgres gets in through peer authentication. Log in to the PostgreSQL console with sudo -u postgres psql

The postgres role's password may be blank (unset) if it is not provided during the competition; that is fine for local peer logins, but it means any host rule in pg_hba.conf that lets postgres in by password is unusable, and one that uses trust is wide open

If you cannot log in, ensure the PostgreSQL service has properly started without logging errors (broken config file, networking error, etc.)

Change the superuser's password

In psql, run ALTER USER postgres WITH PASSWORD '(new password)';

Alternatively, use ***

Verify/edit the config files in /etc/postgresql/(version number)/main

pg_hba.conf

Client authentication config file

Each line is TYPE DATABASE USER ADDRESS METHOD (local lines have no ADDRESS). It controls which hosts can connect to the PostgreSQL server, how clients are authenticated, which users they can log in as, and which databases they can access. Rules are matched top to bottom and the first match wins, so an early permissive line overrides everything after it.

Remove all suspicious entries from the file: anything with method trust, anything with an address of 0.0.0.0/0 or ::/0, and anything that lets all users into all databases from a non-local address

Check for out-of-place users and hosts

postgresql.conf

Main config file for PostgreSQL

Important fields

listen_addresses: which IPs to listen on (localhost unless remote clients are scored; '*' listens on every interface)

port: 5432 unless the scoring engine expects something else

password_encryption: should be scram-sha-256; md5 is the legacy setting

Audit users

Log in to the PostgreSQL console

Run \duS+ to view all roles, system ones included, with their attributes (look for unexpected Superuser, Create role or Create DB attributes)

Remove unneeded users with DROP USER (username); (the role must not own objects or hold grants; run REASSIGN OWNED BY (username) TO postgres; and DROP OWNED BY (username); first if it does)

Create backups

While the PostgreSQL service is running, run sudo -u postgres pg_dumpall > postgresql_dump and chmod 600 the dump, since it contains the role password hashes

Create a copy of the config files: sudo cp -r /etc/postgresql/(version number)/main /path/to/backup/directory

Also back up the systemd service files for postgresql should those files be altered or deleted

Located in /lib/systemd/system/ and/or /etc/systemd/system/

PostgreSQL

Config Files

When installed, the postgresql service will automatically start and run upon system startup on port 5432. The config files are stored in /etc/postgresql/(version number)/main.

Important config files are

pg_hba.conf

Client authentication config file

Each line is TYPE DATABASE USER ADDRESS METHOD (local lines have no ADDRESS). It controls which hosts can connect to the PostgreSQL server, how clients are authenticated, which users they can log in as, and which databases they can access. The first matching rule wins.

Remove all suspicious entries from the file (trust methods, 0.0.0.0/0 or ::/0 addresses, all-users-all-databases rules from remote addresses)

Check for out-of-place users and hosts

postgresql.conf

Main config file for PostgreSQL

Important fields

listen_addresses: which IPs to listen on

port: 5432 by default

password_encryption: should be scram-sha-256

Check for unexpected files in /etc/postgresql/(version number)/main/conf.d: anything there is included after postgresql.conf and can override it, and an include or include_dir line in postgresql.conf can pull in files from elsewhere too

After updating config files, restart the service using sudo systemctl restart postgresql
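Added example, not from the original notes, covering the pg_hba.conf review described in both the PostgreSQL Hardening section and the Config Files section above: it prints the entries those sections tell you to remove. Each non-comment line is TYPE DATABASE USER [ADDRESS] METHOD; local lines carry no ADDRESS. Flagged are trust (no authentication at all), password (cleartext on the wire), md5 (legacy, weaker than scram-sha-256), and host rules open to every source address (0.0.0.0/0, ::/0, or the keyword all). The sample file is constructed; the database and role names in it are made up.

```shell
# Added example (not from the original notes): report the pg_hba.conf rules a
# hardening pass should remove or tighten.

audit_pg_hba() {
    # audit_pg_hba <file> -> one "LINE<n>: <reason> :: <rule>" line per finding
    awk '
        /^[[:space:]]*(#|$)/ { next }                     # skip comments and blank lines
        {
            type = $1; db = $2; usr = $3
            if (type == "local") { addr = "-"; method = $4 }   # local rules have no address column
            else                 { addr = $4; method = $5 }
            reason = ""
            if (method == "trust")         reason = "trust lets anyone matching the rule in with no credentials"
            else if (method == "password") reason = "password sends cleartext; use scram-sha-256"
            else if (method == "md5")      reason = "md5 is legacy; use scram-sha-256"
            if (type != "local" && (addr == "0.0.0.0/0" || addr == "::/0" || addr == "all"))
                reason = reason (reason == "" ? "" : "; ") "rule is open to every source address"
            if (reason != "") printf "LINE%d: %s :: %s\n", NR, reason, $0
        }' "$1"
}

audit_pg_hba_count() {
    # audit_pg_hba_count <file> -> number of findings (0 means the file passed)
    audit_pg_hba "$1" | wc -l | tr -d ' '
}

make_demo_pg_hba() {
    # Constructed pg_hba.conf for the demo; "scoring" and "scorebot" are made-up names.
    f=$(mktemp)
    cat > "$f" <<'EOF'
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       postgres                  peer
local   all       all                       scram-sha-256
host    all       all       127.0.0.1/32    scram-sha-256
host    all       all       ::1/128         scram-sha-256
host    scoring   scorebot  10.10.10.5/32   scram-sha-256
host    all       all       0.0.0.0/0       trust
hostssl app       app       192.168.1.0/24  md5
EOF
    echo "$f"
}

demo=$(make_demo_pg_hba)
audit_pg_hba "$demo"      # reports line 7 (trust, open to the world) and line 8 (md5)
rm -f "$demo"
```

Run it against /etc/postgresql/(version number)/main/pg_hba.conf after every edit; because the first matching rule wins, also confirm that no permissive line sits above the restrictive ones, which this line-by-line check does not catch on its own. Reload with sudo systemctl reload postgresql once the file is clean.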

The service files:

PostgreSQL's service files are stored in /lib/systemd/system/ and/or /etc/systemd/system/

Good idea to back up the service files as well in case of deletion/alteration

Passwords:

By default, the postgres superuser has no password (there is no root account in PostgreSQL; local logins use peer authentication as the OS user postgres). To set one, open a session with sudo -u postgres psql and run ALTER USER postgres WITH PASSWORD '(new password)';

Auditing Users:

In an open PostgreSQL session, run \duS+ to view all roles and their attributes

Add new users with the command CREATE USER (username); (add WITH PASSWORD '(password)' if the role must log in over the network; roles are NOSUPERUSER by default)

Removing unwanted users:

Run DROP USER (username);

Backing up the databases:

While the PostgreSQL service is running, run sudo -u postgres pg_dumpall > postgresql_dump and chmod 600 the file, since it contains role password hashes

Create a copy of the config files: sudo cp -r /etc/postgresql/(version number)/main /path/to/backup/directory

Also back up the systemd service files for postgresql should those files be altered or deleted
Salt (commands run on the salt-master)

# ping minions
sudo salt '*' test.ping

# list version
sudo salt -v '*' test.version

# install a package
sudo salt -v '*linux*' pkg.install vim

# apply /srv/salt/test.sls
sudo salt -v '*linux*' state.apply test

# run commands (can use pipes, command substitution, etc.)
sudo salt '*linux*' cmd.run 'uptime'

# execute other code
sudo salt '*' cmd.exec_code perl 'print("hello")'
sudo salt '*' cmd.exec_code ruby 'puts "cheese"' args='["arg1", "arg2"]' env='{"FOO": "bar"}'

Copying Files

# put files into /srv/salt to reference them as salt://
sudo salt '*linux*' cp.get_file salt://files/reset_passwords.pl /tmp/reset_passwords.pl

sudo salt '*linux*' cp.get_dir salt://files /tmp/files
sudo salt '*win*' cp.get_dir salt://files C:/ # forward slash, not backslash

sudo salt-cp '*linux*' src dest # slower

# push files from a minion to the master; they land in /var/cache/salt/master/minions/<minion-id>/files
sudo salt '*linux*' cp.push /var/www/html/index.html
sudo salt '*linux*' cp.push_dir /var/www/html

User Administration

# user management
sudo salt 't*' user.add jp2

# get logged-in users
sudo salt '*' ps.get_users

# add/remove user to group
sudo salt '*' group.adduser group user
sudo salt '*' group.deluser group user

# delete group
sudo salt '*' group.delete group

# get all group info
sudo salt '*' group.getent

# set group members (replaces the existing member list)
sudo salt '*' group.members group 'user1,user2,user3'

# set password: generate a hash on the minion, then set that hash
sudo salt '*' shadow.gen_password 'password'
sudo salt '*' shadow.set_password someuser 'hash'

System Info

# get disk partitions
sudo salt '*' ps.disk_partitions

# get running processes
sudo salt '*' ps.status running
sudo salt '*' ps.top
sudo salt 'linux*' ps.psaux '.*'
sudo salt '*' ps.get_pid_list

Services & More

# crontabs!!! (list/add/remove)
sudo salt '*' cron.ls user
sudo salt '*' cron.set_job root '*' '*' '*' '*' '*' cmd
sudo salt '*' cron.set_special root @hourly 'echo foobar'

# install wordpress
sudo salt '*' wordpress.install /var/www/html apache dwallace password123 dwallace@example.com "Daniel's Awesome Blog" https://blog.dwallace.com

# mysql
sudo salt '*' mysql.db_create 'dbname'
sudo salt '*' mysql.db_remove 'dbname'
sudo salt '*' mysql.query 'dbname' 'DELETE from users where id = 4 limit 1'

# services
sudo salt '*' service.get_all
sudo salt '*' service.restart service
sudo salt '*' service.start service
sudo salt '*' service.stop service