Linux (part 4) chmod, manipulation and packages

Video Activity

This module covers file permissions and commands such as chmod, which is used to change file permissions. It is important not to give sensitive files too many permissions. The module also teaches about data manipulation and how to install packages.


Time
14 hours 26 minutes
Difficulty
Advanced

Video Transcription
00:04
So let's see what else? What else? There's file permissions. We saw those when we did ls dash l earlier. We saw our file permissions Night vision we had read, write, execute,
00:18
read,
00:19
write, execute, read, write, execute. Three sets of permissions to read, write and execute. Makes sense, right? We can read the file. We can write to the file. We can execute the file.
00:30
Probably executing this text file called My file won't make anything particularly interesting happen.
00:37
But reading and writing it might be interesting. What if it's stored passwords for some program? Having read access to it would be
00:45
something that would be definitely cool. What if it was, say, source code for a Web server and we wanted to deface someone's website? Having write access would be very, very interesting. What if it was a password decrypter, so it was used by a program to take a password hash and
01:03
make sure whether it was right on
01:07
my throat, a secret key at the end, or give you access to
01:11
like, uh,
01:11
a key to open up additional functionality that you should have to pay for. Being able to execute it when you shouldn't would be something we'd want to do. So having extra permissions that you shouldn't on files is
01:26
a valid way of getting access to a system or more access than you have, as in local privilege escalation. It happens.
01:34
Certainly people develop programs and give too much permissions. I've been guilty of that. I've certainly set things to
01:41
full access for everybody when I shouldn't have, because it's easier than coming up with what should be the right permissions
01:49
and I'd certainly rather spend my time actually developing stuff than developing it securely. That's generally the problem with security.
01:56
You don't get medals for making things secure. You get medals for writing cool stuff,
02:02
so
02:04
little stop it there. But so we've got read, write, execute, in three sets. So the first one, the one on the left, is the owner.
02:12
The owner is root.
02:14
The second set is the group, so anyone else who was in the root group besides root would have read and execute permissions on this directory, whereas the root
02:25
user itself has read, write and execute permissions,
02:30
and then the third set is everybody else or the world
02:34
so everybody can read and execute. So on my file. It looks like we have read, write permissions for root,
02:40
just read permissions for the group and just read permissions for the world.
02:46
So what if we want to change those? We can change permissions on files that we own or, for root, we can change permissions on anything. Don't go crazy on changing permissions. I think it was gonna actually probably one of my first security classes were supposed to
03:04
make a secure system or we're basically doing attack and defend in the class. And I had a Linux system. It's like, Oh, all this like take away the file permissions from like everything. So if somebody gets on it they can't use it. Well, unfortunately, neither could, like, the
03:19
programs that are on here and, like, have to read files like their configurations, while the
03:23
operating system itself suddenly had problems functioning. So probably stick to your own files, just to
03:31
keep from having to wipe this thing out and start over.
03:35
But as root, we can change any file permissions that we want. So how we do that is with chmod. We have a few different ways of using chmod.
03:44
So what we can do is we can use what I usually do. It is like this. Give it numbers.
03:51
So there is a chart in your slides of you. Look at the slides for this section. I don't have them up right now,
03:57
but if you look at the slides, there is a table that shows the integer values for chmod. So it goes all the way from 0 to 7. 7 is full permission. Zero is no permissions
04:09
and execute only is one, write only is two, write and execute is three, thinking of it in terms of binary. And again, that's in the slide as well. This is the binary representation,
04:20
and read only is four, read and execute is five. Read and write is six and again seven is full
04:29
because you don't remember those again. It's in the slide, but
04:31
honestly, I google it all the time. I mean, seven and
04:35
zero are obviously easy to remember some of the ones in the middle who probably forgets him.
04:41
So no problem there. So what we can do is say, I want
04:45
how about I do like 750 So one digit for each.
04:51
So we've got owner, group and everyone, so owner should have full permissions to read, write and execute. What did we say? Five was read and execute,
05:03
so the group should have read and execute permissions and zero is nothing.
05:09
So everyone should have no permissions.
05:14
Do our ls dash l again.
05:16
Looks like exactly what happened. So we have read, write, execute,
05:21
read and execute
05:24
nothing.
05:25
We can change those and you can use different values.
05:29
There are other ways of doing it, like we could do
05:34
chmod
05:35
plus x would add execute permissions for everybody.
05:45
Now I have execute permissions for everybody.
05:47
I find the judge it waves that uses what? There are certainly other ways to do it. So when the main point is, if you have sensitive files, we want to make sure that we don't give them too many permission
06:00
that So let's see what else? How about data manipulation? That's something that we'd certainly need to know.
06:08
I'm gonna use nano and open up my file
06:13
and it was going to create something here. It's illegal to text that feels put in. How about some conferences? Who doesn't love security conferences? How about, well, the first one I ever went to and the first one I ever spoke at, ShmooCon,
06:28
and that is typically in like February or January, and I don't know how to spell February, so January is
06:35
and let's see Black Hat, that's always a big one
06:39
spell Black Hat,
06:42
and that's typically in July or August. Realizes your spell. Let's see, I went to this one in Norway once called Hat Con. That was really fun, and that was in April. Always like to go to interesting places. BruCON's a good one, too, and Belgium
06:59
just fine. Only invite your complete list, obviously, just us two You that air popping into my mind
07:04
And let's see, how about one more?
07:10
Always not do desk. Khan will need that one later. How about Hacker Halted? I'll do this. One word will screw up my chart otherwise, and that's typically and I think you two were.
07:25
I've just got a set of
07:27
conferences on when they're typically held.
07:30
We'll save that, so do Control X, and this time Y
07:35
for yes, for saving
07:39
first, I can cat out that file.
07:42
And what if we want to do some data manipulation? What if I only want to see the conference names. What if I
07:48
I need to throw out all of the months? Do I have to edit it and line by line? Get rid of it. I mean, with this man and that wouldn't be that big of a deal, But it certainly could be if it was a really long file. Luckily, no. We have other options. We can cat out my file,
08:07
have it into grep, so that
08:09
shift, and then
08:11
bar is
08:13
a pipe. So that's gonna take the output of cat my file and then pipe it as input into whatever my next command is
08:22
and then pipe it into grep
08:24
and it doesn't like that
08:26
and why it doesn't like that it should. But what I can also do is I can actually grep
08:35
Oh, uh, I just figured out what I did wrong.
08:37
So I'm gonna grep. What did I do wrong? I didn't tell it what I wanted to grep for.
08:43
So no matter how long you use Linux you'll keep making mistakes, particularly in videos.
08:48
So he's off. The only mistake I makes and we'll be good. So grep is going to look for a specific pattern, and it wants an actual pattern for me to look for. I didn't give it any pattern. Joyner's didn't know what to do. Give me usage information.
09:05
So if I grep for,
09:07
say what I want is the b
09:11
will grep everything that has a b in it, so Black Hat and BruCON. And I mentioned I could also do
09:20
if I wanted to grab just the first part of the line, there are a few different ways to do this. I like cut
09:26
close. They cut with the delimiter. Dash d is space and dash f for the field
09:33
and I want field one
09:35
that'll grab just the first field.
09:39
I can also like, string more of these together so I could do cat my file, grep for b,
09:46
pipe that so another pipe
09:48
into cut, the delimiter
09:50
space, field is two.
09:54
And that'll get just the months for those two that start with b's or have a b in them.
10:00
And of course, we can also put it into a file, in my file 2.
10:07
That'll take the results and put them in a file. And in some cases you might have a glowing lists that
10:15
have more than one of the same thing. So say if I did
10:20
not the case here particularly. I'm working with IP addresses and I only want, like, unique entries. This comes up
10:26
so I put in, like ShmooCon again
10:31
January
10:39
on and if I did
10:43
is my courage.
10:46
So there's two Januarys in here. So if I piped it again and did sort dash u
10:54
now we see that there's
10:56
only 1 January
11:01
that took only unique entries there. So that's a little something extra that
11:07
be nice, because I only want one. Don't want overlaps.
11:11
There are certainly other ways to manipulate data. There's
11:16
sed and awk and
11:18
lots of different other ones that you've been used
11:20
can I found I could do pretty much everything I want to do with
11:26
cut and grep.
11:28
But
11:28
perhaps I'm just simple about what I want to do. So you certainly look at other manipulators, like sed,
11:37
Oh, look,
11:39
there's other ones as well for what you want to do. So whatever works for you. But generally I find that the best way to learn how to use Linux or anything, for that matter, is do this. Use it, and every time you come up against something you don't know how to do, instead of switching back to Windows or your Mac,
11:54
you can figure it out. Go on Google. Um,
11:58
stackoverflow.com, you know, has answers to everything, so
12:03
it's worth checking out.
12:05
So if you are miscellaneous things with Linux and Bond So how about installing packages?
12:13
How we do that on this particular flavor of Linux? There are other versions that use, like rpm instead of the apt-get. But on this one, if we wanted to install a package that wasn't installed on here,
12:24
but it had
12:26
an entry in the repositories
12:28
you do apt-get
12:33
install. And then, for instance, Armitage
12:37
Stoller our message.
12:41
I'm not gonna use Armitage in this class, but Armitage is basically a front end for Metasploit and it is
12:48
good for using with team, sir.
12:52
Something you might want to check out. And we're not gonna use it in this particular class. But it is an interesting tool that you like,
12:58
find worth spending your time on.
13:01
If we do, let's see what else. How about services? So currently we don't have anything listening on any ports anywhere. If I do a netstat
13:13
a n g p.
13:16
It says we were
13:20
at some point talking to
13:22
probably this Web servers or the repositories for
13:28
Kali to get Armitage. But we don't have any listening port right now. So if you're not familiar with the port, it's not
13:37
the Ethernet port on the back of the computer, though I did once have a manager at work who thought so
13:41
when I had a job. But these are just going to be network sockets. So there are 65,535 TCP and 5535 UDP. So you can imagine
13:56
how that would be rather cumbersome on the back who slapped up.
14:01
But again, these are just going to be networked socket. So we open up a socket that we could listen on for incoming data or call out to another socket.
14:09
We'll see that
14:11
a lot in this class. So no worries there. But currently there's nothing listening, but,
14:18
well, something we might wanna have listening. How about a Web server? What if we wanted to share of Web pages? Well,
14:24
Luckily, Kali comes with a Web server installed. You won't have to worry about setting one up.
14:28
What we would do is service
14:31
apache2
14:33
start.