# Linux Security Fundamentals

## Users and Groups
- in Linux, every user is assigned a unique user ID (UID)
- the user ID and other account information are stored in the `/etc/passwd` file
- you can find a user's ID with the `id` command or by reading the `/etc/passwd` file
- each line describes one user, in the following ':'-delimited format:
- `username:password:userid:groupid:User Info:home folder:default shell`

In [1]:
! cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/u

In [3]:
! cat /etc/passwd | grep kali

kali:x:1000:1000:kali,,,:/home/kali:/usr/bin/zsh


In [2]:
! id

uid=1000(kali) gid=1000(kali) groups=1000(kali),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),105(netdev),117(wireshark),120(bluetooth),133(scanner),140(kaboxer)


## Add Users and Switch between Users

- you can add users by directly editing the `/etc/passwd` file
    - not recommended: one can easily mess up the format of the password file and the system may become unbootable
    - always back up the `/etc/passwd` file if you want to edit it directly
- use the `adduser` command instead
    - a friendlier front end to low-level tools like `useradd`
- requires root/admin privilege
- open a Terminal and add a new user called `bob`

```bash
sudo adduser bob
```

- provide some password and other option information
- check to make sure `bob` is added

In [4]:
! man adduser

ADDUSER(8)                  System Manager's Manual                 ADDUSER(8)

NAME
       adduser, addgroup - add or manipulate users or groups

SYNOPSIS
       adduser [--add-extra-groups] [--allow-all-names] [--allow-bad-names]
               [--comment comment] [--conf file] [--debug] [--disabled-login]
               [--disabled-password] [--firstgid id] [--firstuid id]
               [--gid id] [--home dir] [--ingroup group] [--lastgid id]
               [--lastuid id] [--no-create-home] [--shell shell] [--quiet]
               [--uid id] [--verbose] [--stdoutmsglevel prio]
               [--stderrmsglevel prio] [--logmsgle

In [5]:
! ls /home

bob  kali


In [11]:
! finger bob

Login: bob            			Name: 
Directory: /home/bob                	Shell: /bin/bash
Never logged in.
No mail.
No Plan.


## Delete Users

- run `deluser` with sudo
- take caution when deleting anything on Linux as it can't be undone

In [6]:
! man deluser

DELUSER(8)                  System Manager's Manual                 DELUSER(8)

NAME
       deluser, delgroup - remove a user or group from the system

SYNOPSIS
       deluser [--backup] [--backup-suffix str] [--backup-to dir]
               [--conf file] [--debug] [--remove-all-files] [--remove-home]
               [--quiet] [--verbose] [--stdoutmsglevel prio]
               [--stderrmsglevel prio] [--logmsglevel prio] user

       deluser [--system] [--backup] [--backup-suffix str] [--backup-to dir]
               [--conf file] [--debug] [--remove-all-files] [--remove-home]
               [--quiet] [--verbose] [--stdoutmsglevel prio]

In [8]:
! echo kali | sudo -S deluser --remove-home bob

[sudo] password for kali: info: Looking for files to backup/remove ...
info: Removing files ...
info: Removing crontab ...
info: Removing user `bob' ...


In [9]:
! man sudo

SUDO(8)                     System Manager's Manual                    SUDO(8)

NAME
       sudo, sudoedit — execute a command as another user

SYNOPSIS
       sudo -h | -K | -k | -V
       sudo -v [-ABkNnS] [-g group] [-h host] [-p prompt] [-u user]
       sudo -l [-ABkNnS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
            [command [arg ...]]
       sudo [-ABbEHnPS] [-C num] [-D directory] [-g group] [-h host]
            [-p prompt] [-R directory] [-r role] [-t type] [-T timeout]


In [12]:
! ls /home

bob  kali


## Group Management

- a group represents a set of users
- a user can belong to multiple groups
- allows permissions to be granted per group, to all users in that group
- a user's primary group is listed in `/etc/passwd`
- detailed group information is stored in the `/etc/group` file
    - each line in the file represents a group
    - each line has 4 sections separated by ':'
    - `group_name:password:group_id:group_list`
- you can see the contents of the `/etc/group` file or use the `groups <username>` command

In [14]:
! cat /etc/passwd | grep bob

bob:x:1001:1001:,,,:/home/bob:/bin/bash


In [15]:
! cat /etc/passwd | grep kali

kali:x:1000:1000:kali,,,:/home/kali:/usr/bin/zsh


In [16]:
! grep kali  /etc/group

adm:x:4:kali
dialout:x:20:kali
cdrom:x:24:kali
floppy:x:25:kali
sudo:x:27:kali
audio:x:29:pulse,kali
dip:x:30:kali
video:x:44:kali
plugdev:x:46:kali
users:x:100:kali,bob
netdev:x:105:kali
wireshark:x:117:kali
bluetooth:x:120:kali
scanner:x:133:saned,kali
kali-trusted:x:139:
kali:x:1000:
kaboxer:x:140:kali


In [17]:
! groups

kali adm dialout cdrom floppy sudo audio dip video plugdev users netdev wireshark bluetooth scanner kaboxer


In [18]:
! groups bob

bob : bob users


In [19]:
# print user's group id
! id -g bob

1001


In [20]:
# print user's group names
! id -Gn bob

bob users


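The `/etc/passwd` and `/etc/group` formats described above, resolved the way `id -Gn` does (primary group from the passwd gid, then every group whose member list names the user). This is an added example, not code from the notebook; the passwd and group lines are constructed from the outputs shown above.

```python
# Added example: resolve a user's group list from /etc/passwd and /etc/group.
# Sample lines constructed from this notebook's outputs (not read from disk).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kali:x:1000:1000:kali,,,:/home/kali:/usr/bin/zsh
bob:x:1001:1001:,,,:/home/bob:/bin/bash
"""

GROUP = """\
sudo:x:27:kali
users:x:100:kali,bob
kali:x:1000:
bob:x:1001:
hackers:x:1002:bob
"""


def parse_passwd(text):
    """Map username -> dict of the seven ':'-delimited passwd fields."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:                 # a malformed line breaks logins
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        users[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                       "gecos": gecos, "home": home, "shell": shell}
    return users


def parse_group(text):
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def user_groups(username, passwd_text=PASSWD, group_text=GROUP):
    """Group names for a user, primary group first, like `id -Gn <user>`."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    gid = users[username]["gid"]
    primary = next(n for n, (g, _) in groups.items() if g == gid)
    supplementary = [n for n, (_, members) in groups.items()
                     if username in members and n != primary]
    return [primary] + supplementary


def is_login_shell(username, passwd_text=PASSWD):
    """False for service accounts whose shell is nologin (no interactive login)."""
    return not parse_passwd(passwd_text)[username]["shell"].endswith("nologin")
```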
## Add New Group

- use the `groupadd` or `addgroup` command
- let's add a group called `hackers` and add `bob` to the group
- use the `usermod` command to modify a user's info or add the user to a group

```bash
usermod -a -G <groupname> <username>
```

In [21]:
! echo kali | sudo -S groupadd hackers

[sudo] password for kali: 

In [22]:
! grep hackers /etc/group

hackers:x:1002:


In [23]:
! echo kali | sudo -S usermod -aG hackers bob

[sudo] password for kali: 

In [24]:
! id -Gn bob

bob users hackers


## Traditional Permission and Access Control on Linux
- default permission system in Linux is user-group-other:read-write-execute
- you can change the permission using `chmod` command
- `ls -l` command displays the permission of each file and folder
- 3 types of Access Controls on Files and Folders
    - Read
    - Write
    - Execute

### Types of Access on Files

#### read (r)
- user can view/read the contents of the file

#### write (w)
- user can change the contents of the file

#### execute (x)
- user can execute/run the file if it is a program/script

### Types of access on directories

#### read (r)
- user can list the contents of the directory (e.g., using `ls`)

#### write (w)
- user can create files and sub-directories inside the directory

#### execute (x)

- user can enter into the directory (e.g., using `cd`)

- the `ls -al <folder>` command displays details of each file and folder in the given folder
- it provides a space-separated list of information for each file and folder
- [LS details and contents](https://www.ibm.com/docs/en/i/7.1?topic=directories-ls)

```text
file_type rwx(owner) rwx(group) rwx(other) link_count owner_name group_owner file_size last_modified_timestamp path_name
```

In [25]:
! ls -al

total 2524
drwxr-xr-x 11 kali kali   4096 Jan 17 14:08 .
drwxr-xr-x  3 kali kali   4096 Jan 17 12:07 ..
drwxr-xr-x  8 kali kali   4096 Jan 17 12:07 .git
-rw-r--r--  1 kali kali    381 Jan 17 12:07 .gitignore
drwxr-xr-x  2 kali kali   4096 Jan 17 13:47 .ipynb_checkpoints
-rw-r--r--  1 kali kali   4535 Jan 17 13:00 00-TableOfContents.ipynb
-rw-r--r--  1 kali kali  35107 Jan 17 12:07 BufferOverflowBasics.ipynb
-rw-r--r--  1 kali kali  29856 Jan 17 12:07 BufferOverflowProtections.ipynb
-rw-r--r--  1 kali kali  25444 Jan 17 12:07 C-Arrays.ipynb
-rw-r--r--  1 kali kali   7763 Jan 17 12:07 C-Strings.ipynb
-rw-r--r--  1 kali kali  48332 Jan 17 12:07 CS1-Review.ipynb
-rw-r--r--  1 kali kali  25731 Jan 17 12:07 CTF.ipynb
-rw-r--r--  1 kali kali  49945 Jan 17 12:07 DetectingMemoryCorruptionErrors.ipynb
-rw-r--r--  1 kali kali 229579 Jan 17 12:07 ELF-ReverseEngineeing.ipynb
-rw-r--r--  1 kali kali    678 Jan 17 12:59 EnvVarSetUID.ipynb
-rw-r--r--  1 kali kali  25745 Jan 17 12:07 ExploitCode-UsingB



## File Access Control List (ACL)

- fine-grained access control lists
- help assign permissions to individual users/groups beyond owner, group and other
- coexist with the traditional permission model
- use the `setfacl` and `getfacl` commands to set and get a file's access control list

```bash
setfacl -m {u|g}:<name>:{r,w,x} <file|directory>   # add or modify an entry
setfacl -x {u|g}:<name> <file|directory>           # remove an entry
```
- may have to install if not available by default

```bash
sudo apt install acl
```

In [1]:
! sudo apt install acl

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  acl
0 upgraded, 1 newly installed, 0 to remove and 30 not upgraded.
Need to get 37.8 kB of archives.
After this operation, 197 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal/main amd64 acl amd64 2.2.53-6 [37.8 kB]
Fetched 37.8 kB in 0s (107 kB/s)

Selecting previously unselected package acl.
(Reading database ... 70786 files and directories currently installed.)
Preparing to unpack .../acl_2.2.53-6_amd64.deb ...
Unpacking acl (2.2.53-6) ...
Setting up acl (2.2.5

In [2]:
! man setfacl

SETFACL(1)                   Access Control Lists                   SETFACL(1)

NAME
       setfacl - set file access control lists

SYNOPSIS
       setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ...

       setfacl --restore={file|-}

DESCRIPTION
       This utility sets Access Control Lists (ACLs) of files and directories.
       On the command line, a sequence of commands is followed by  a  sequence
       of  files  (which  in  turn can be followed by another sequence of com‐
       mands, ...).

       The -m and -x options expect an ACL on the command line.  Multiple  ACL
       entries  are separated by comma characters (`,'). The -M and -X options
       read an ACL from a file or from standard input. The ACL entry format is
       described in Section ACL ENTRIES.

       The  --set and --set-file options set the ACL of a file or a directory.
       The previous ACL is replaced.  ACL entries for this operation must  in‐
       clude permissions.

       The  -

In [27]:
! echo "Hello" > example.txt

In [28]:
! cat example.txt

Hello


In [31]:
! getfacl example.txt

# file: example.txt
# owner: kali
# group: kali
user::rw-
group::r--
other::r--



In [34]:
! setfacl -m u:bob:rw- example.txt

In [35]:
! getfacl example.txt

# file: example.txt
# owner: kali
# group: kali
user::rw-
user:bob:rw-
group::r--
mask::rw-
other::r--



In [37]:
# note the + after permission
# indicates that ACLs are defined
! ls -al example.txt

-rw-rw-r--+ 1 kali kali 6 Jan 17 16:08 example.txt

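The access decision behind both the traditional owner/group/other bits and the ACL above, as an added example (not code from the notebook): it parses `getfacl` output and answers "may this user do this?", applying the `mask::` entry to named users and groups. The ACL texts are copied from the outputs shown in this notebook; the usernames and group sets passed in are constructed.

```python
# Added example: evaluate getfacl output for a given user, POSIX-ACL style.
ACL_EXAMPLE = """\
# file: example.txt
# owner: kali
# group: kali
user::rw-
user:bob:rw-
group::r--
mask::rw-
other::r--
"""

# /etc/shadow as shown by getfacl above: no named entries and no mask, so the
# check reduces to the classic owner/group/other bits.
SHADOW_ACL = """\
# file: etc/shadow
# owner: root
# group: shadow
user::rw-
group::r--
other::---
"""


def parse_getfacl(text):
    """Return (owner, group, entries); entries maps (tag, qualifier) to a
    set of permission letters, e.g. ('user', 'bob') -> {'r', 'w'}."""
    owner = group = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):               # header: file / owner / group
            key, _, value = line[1:].strip().partition(": ")
            if key == "owner":
                owner = value
            elif key == "group":
                group = value
            continue
        line = line.split("#", 1)[0].strip()   # drop "#effective:..." notes
        tag, qualifier, perms = line.split(":")
        entries[(tag, qualifier)] = {p for p in perms if p in "rwx"}
    if owner is None or group is None or ("other", "") not in entries:
        raise ValueError("incomplete getfacl output")
    return owner, group, entries


def can(acl_text, user, user_groups, want):
    """The first matching class decides: owner entry, then a named user
    entry, then any matching group entry (owning group or named group), then
    other. Everything except the owner entry is ANDed with the mask, so a
    mask of r-- silences the 'w' in user:bob:rw-."""
    owner, group, entries = parse_getfacl(acl_text)
    mask = entries.get(("mask", ""))
    want = set(want)

    def grants(perms, apply_mask=True):
        if apply_mask and mask is not None:
            perms = perms & mask
        return want <= perms

    if user == owner:
        return grants(entries[("user", "")], apply_mask=False)
    if ("user", user) in entries:
        return grants(entries[("user", user)])
    group_entries = [perms for (tag, q), perms in entries.items()
                     if tag == "group" and (q or group) in user_groups]
    if group_entries:
        return any(grants(perms) for perms in group_entries)
    return grants(entries[("other", "")])
```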

## Running Command With Privilege

### sudo
- super-user do
- run a command as the superuser (or as another user)
- the user must be authorized in `/etc/sudoers`, either directly or through membership in a group that file grants (the `sudo` group on Kali/Debian)

In [39]:
! echo kali | sudo -S cat /etc/sudoers

[sudo] password for kali: #
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# This fixes CVE-2005-4890 and possibly breaks some versions of kdesu
# (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532)
Defaults	use_pty

# This preserves proxy settings from user environments of root
# equivalent users (group sudo)
#Defaults:%sudo env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"

# This allows running arbitrary commands, but so does ALL, and it means
# different sudoers have their choice of editor respected.
#Defaults:%sudo env_keep += "EDITOR"

# Completely harmless preservation of a user preference.
#Defaults:%sudo env_keep += "GREP_COLOR"

# While you shouldn't 

In [41]:
! groups kali

kali : kali adm dialout cdrom floppy sudo audio dip video plugdev users netdev wireshark bluetooth scanner kaboxer


In [42]:
! grep kali /etc/group 

adm:x:4:kali
dialout:x:20:kali
cdrom:x:24:kali
floppy:x:25:kali
sudo:x:27:kali
audio:x:29:pulse,kali
dip:x:30:kali
video:x:44:kali
plugdev:x:46:kali
users:x:100:kali,bob
netdev:x:105:kali
wireshark:x:117:kali
bluetooth:x:120:kali
scanner:x:133:saned,kali
kali-trusted:x:139:
kali:x:1000:
kaboxer:x:140:kali


## Adding User to sudo group
- use `usermod` command

In [43]:
! echo kali | sudo -S usermod -aG sudo bob

[sudo] password for kali: 

In [45]:
! groups bob

bob : bob sudo users hackers


## Removing User from group

```bash
gpasswd --delete user group
deluser user group
```

In [46]:
! gpasswd

Usage: gpasswd [option] GROUP

Options:
  -a, --add USER                add USER to GROUP
  -d, --delete USER             remove USER from GROUP
  -h, --help                    display this help message and exit
  -Q, --root CHROOT_DIR         directory to chroot into
  -r, --remove-password         remove the GROUP's password
  -R, --restrict                restrict access to GROUP to its members
  -M, --members USER,...        set the list of members of GROUP
  -A, --administrators ADMIN,...
                                set the list of administrators for GROUP
Except for the -A and -M options, the options cannot be combined.


In [48]:
! echo kali | sudo -S gpasswd -d bob sudo

[sudo] password for kali: Removing user bob from group sudo


In [49]:
! groups bob

bob : bob users hackers


## Root Login

- newer Kali releases and Ubuntu 20.04 and later don't allow root login
    - why is it a good idea?
- it is not recommended to run commands from a root shell
    - use sudo to run individual commands instead
    
### Switch to root shell

```bash
sudo -s
sudo bash
sudo su
```

### Running commands as another user

- default is `root`; but can run command as another user

```bash
sudo -u <another_user> <command>
```

In [50]:
! echo kali | sudo -S -u bob id

[sudo] password for kali: uid=1001(bob) gid=1001(bob) groups=1001(bob),100(users),1002(hackers)


## Linux/POSIX Capabilities

- divide the root privilege into smaller privilege units called **capabilities**
- capabilities are assigned to executables (file capabilities) or to processes, so that a spawned process gets only the specific privileged operations it needs rather than all of root's power

- example capabilities:

### CAP_CHOWN
- Make arbitrary changes to file UIDs and GIDs

### CAP_DAC_OVERRIDE
- Bypass file read/write/execute permission checks

### CAP_DAC_READ_SEARCH
- Bypass the file read permission checks

### CAP_NET_RAW
- use RAW and PACKET sockets

- https://manpages.ubuntu.com/manpages/noble/en/man7/capabilities.7.html

```bash
# flags: e = effective, p = permitted, i = inheritable (e.g. CAP_DAC_READ_SEARCH=ep)
sudo setcap CAP_NAME=<flags> <file_name>
```

! man capabilities

In [57]:
# copy bash program into the current directory
! cp /bin/bash mybash

In [58]:
! getfacl mybash

# file: mybash
# owner: kali
# group: kali
user::rwx
group::r-x
other::r-x



In [59]:
! getcap mybash

In [60]:
! ls mybash -al

-rwxr-xr-x 1 kali kali 1277936 Jan 17 17:13 mybash


In [67]:
# permission is denied to read /etc/shadow file
! cat < /etc/shadow

zsh:1: permission denied: /etc/shadow


In [63]:
! getfacl /etc/shadow

getfacl: Removing leading '/' from absolute path names
# file: etc/shadow
# owner: root
# group: shadow
user::rw-
group::r--
other::---



In [64]:
# let's set the capability to bypass the file read permission check
! echo kali | sudo -S setcap CAP_DAC_READ_SEARCH=ep mybash

[sudo] password for kali: 

In [65]:
! getcap mybash

mybash cap_dac_read_search=ep


- run `mybash` from a Terminal after setting CAP_DAC_READ_SEARCH: the new shell can now read `/etc/shadow` even though its permission bits deny it

```bash
(base) ┌──(kali㉿kali)-[~/projects/SoftwareSecurity]
└─$ ./mybash         
┌──(kali㉿kali)-[~/projects/SoftwareSecurity]
└─$ cat < /etc/shadow
root:!:19662:0:99999:7:::
daemon:*:19662:0:99999:7:::
bin:*:19662:0:99999:7:::
sys:*:19662:0:99999:7:::
sync:*:19662:0:99999:7:::
games:*:19662:0:99999:7:::
man:*:19662:0:99999:7:::
lp:*:19662:0:99999:7:::
mail:*:19662:0:99999:7:::
news:*:19662:0:99999:7:::
uucp:*:19662:0:99999:7:::
proxy:*:19662:0:99999:7:::
www-data:*:19662:0:99999:7:::
backup:*:19662:0:99999:7:::
list:*:19662:0:99999:7:::
irc:*:19662:0:99999:7:::
_apt:*:19662:0:99999:7:::
nobody:*:19662:0:99999:7:::
systemd-network:!*:19662::::::
_galera:!:19662::::::
mysql:!:19662::::::
tss:!:19662::::::
strongswan:!:19662::::::
systemd-timesync:!*:19662::::::
redsocks:!:19662::::::
rwhod:!:19662::::::
_gophish:!:19662::::::
iodine:!:19662::::::
messagebus:!:19662::::::
miredo:!:19662::::::
redis:!:19662::::::
usbmux:!:19662::::::
mosquitto:!:19662::::::
tcpdump:!:19662::::::
sshd:!:19662::::::
_rpc:!:19662::::::
dnsmasq:!:19662::::::
statd:!:19662::::::
avahi:!:19662::::::
stunnel4:!*:19662::::::
Debian-snmp:!:19662::::::
_gvm:!:19662::::::
speech-dispatcher:!:19662::::::
sslh:!:19662::::::
postgres:!:19662::::::
pulse:!:19662::::::
inetsim:!:19662::::::
lightdm:!:19662::::::
geoclue:!:19662::::::
saned:!:19662::::::
polkitd:!*:19662::::::
rtkit:!:19662::::::
colord:!:19662::::::
nm-openvpn:!:19662::::::
nm-openconnect:!:19662::::::
kali:$y$j9T$K/agt9PK0eYweoRVbd9yK0$6BUblkWhNb00ZJWw7nYm0fZL1bpF.1BAs5h0CRF4xj2:19662:0:99999:7:::
bob:$y$j9T$KoIINXes24L0Z2qTeAdEX0$aNnlXFBUXuSZrsiCKPFPCxMIz/KNoz0gIzFnOppN2F1:19739:0:99999:7:::
```
    
### Case Study 1 - Wireshark

- Wireshark is a sniffing tool that needs root privilege to capture packets
- the GUI is not privileged
- the backend sniffing part uses the privileged `dumpcap` helper

In [66]:
! getcap /usr/bin/dumpcap

/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip


### Case Study 2 - ping
- the **ping** program uses raw sockets
- so it is given the CAP_NET_RAW capability

In [68]:
! getcap /usr/bin/ping

/usr/bin/ping cap_net_raw=ep

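Both case studies are least privilege working as intended; the `mybash` experiment above is the opposite. The following added example (not code from the notebook) parses `getcap` output, in both the newer `path cap=ep` and the older `path = cap+ep` form, and flags file capabilities that amount to root. The sample lines are constructed from the outputs shown above, and the set of "root-equivalent" capabilities is this example's own judgement based on capabilities(7).

```python
# Added example: audit `getcap -r /` style output for root-equivalent caps.
# Constructed sample lines (from this notebook's outputs, not read from disk).
GETCAP_OUTPUT = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip
/home/kali/projects/SoftwareSecurity/mybash cap_dac_read_search=ep
"""

# Capabilities that let a process read or modify arbitrary files or otherwise
# reach full root (see capabilities(7)); a binary carrying one of these
# deserves the same scrutiny as a setuid-root binary. Assumed list.
ROOT_EQUIVALENT = {
    "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner",
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace",
    "cap_sys_module", "cap_sys_rawio", "cap_setfcap",
}


def parse_getcap_line(line):
    """'/path capA,capB=eip' or '/path = capA,capB+eip'
    -> (path, {capA, capB}, {'e', 'i', 'p'}). Paths with spaces not handled."""
    path, _, rest = line.strip().rpartition(" ")
    if path.endswith(" ="):                    # older libcap output format
        path = path[:-2]
    sep = "=" if "=" in rest else "+"
    if sep not in rest:
        raise ValueError(f"unrecognised getcap line: {line!r}")
    caps, flags = rest.split(sep, 1)
    return path, {c.strip().lower() for c in caps.split(",")}, set(flags)


def audit(getcap_text):
    """Return [(path, sorted root-equivalent caps, flags)] worth reviewing.
    The 'e' flag matters: the capability is active as soon as the program
    starts, without any capability-aware code in the binary."""
    findings = []
    for line in getcap_text.splitlines():
        if not line.strip():
            continue
        path, caps, flags = parse_getcap_line(line)
        risky = caps & ROOT_EQUIVALENT
        if risky:
            findings.append((path, sorted(risky), "".join(sorted(flags))))
    return findings
```

`ping` and `dumpcap` are not reported: CAP_NET_RAW and CAP_NET_ADMIN are narrow enough that the binaries stay well short of root.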

## Authentication Methods

- **authentication** is a way to verify a user's identity
- multifactor authentication combines two or more of the factors below
- typical authentication methods:
1. based on something **you know**: password
2. based on something **you have**: ID card
3. based on something **you are**: fingerprint


## Login Shell/Terminal

- after the user logs in, the shell program listed for that user is executed as the login shell
- the last field in the `/etc/passwd` file holds the path of the shell program to execute
- `x` in the second column means the password is stored somewhere else
    - a password hash can still be stored in this field, but normally is not
- passwords are salted and hashed, and stored in the `/etc/shadow` file
- https://www.cyberciti.biz/faq/understanding-etcshadow-file/
- similar to the passwd file, the shadow file is ':'-delimited with the following structure (yescrypt `$y$` entries carry an extra parameter field, `j9T` below, between the algorithm ID and the salt):

```text
kali:$y$j9T$K/agt9PK0eYweoRVbd9yK0$6BUblkWhNb00ZJWw7nYm0fZL1bpF.1BAs5h0CRF4xj2:19662:0:99999:7:::
username:$Algorithm_ID$Salt$Hashed_Password:last_changed:minimum_days_before_next_pw_change:maximum_days:Warn:Inactive:Expire
```


In [70]:
! cat /etc/passwd

root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
_galera:x:100:65534::/nonexistent:/usr/sbin/nologin
mysql:x:101:106:MySQL Server,,,:/

In [72]:
! echo kali | sudo -S su bin

[sudo] password for kali: This account is currently not available.


In [73]:
! echo kali | sudo -S cat /etc/shadow

[sudo] password for kali: root:!:19662:0:99999:7:::
daemon:*:19662:0:99999:7:::
bin:*:19662:0:99999:7:::
sys:*:19662:0:99999:7:::
sync:*:19662:0:99999:7:::
games:*:19662:0:99999:7:::
man:*:19662:0:99999:7:::
lp:*:19662:0:99999:7:::
mail:*:19662:0:99999:7:::
news:*:19662:0:99999:7:::
uucp:*:19662:0:99999:7:::
proxy:*:19662:0:99999:7:::
www-data:*:19662:0:99999:7:::
backup:*:19662:0:99999:7:::
list:*:19662:0:99999:7:::
irc:*:19662:0:99999:7:::
_apt:*:19662:0:99999:7:::
nobody:*:19662:0:99999:7:::
systemd-network:!*:19662::::::
_galera:!:19662::::::
mysql:!:19662::::::
tss:!:19662::::::
strongswan:!:19662::::::
systemd-timesync:!*:19662::::::
redsocks:!:19662::::::
rwhod:!:19662::::::
_gophish:!:19662::::::
iodine:!:19662::::::
messagebus:!:19662::::::
miredo:!:19662::::::
redis:!:19662::::::
usbmux:!:19662::::::
mosquitto:!:19662::::::
tcpdump:!:19662::::::
sshd:!:19662::::::
_rpc:!:19662::::::
dnsmasq:!:19662::::::
statd:!:19662::::::
avahi:!:19662::::::
stunnel4:!*:19662::::::
Debian-s

## Purpose of Salt

- defeats precomputed dictionary and rainbow-table attacks: a table of hashes would have to be rebuilt for every salt value
- makes identical passwords hash to different values; the password can't be looked up from the hash alone
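The two points above, shown in code as an added example (not from the notebook): a lookup table built once from an unsalted hash recovers a weak password instantly, the same table is useless against a salted hash, and two accounts with the same password no longer share a stored value. PBKDF2-HMAC-SHA256 stands in for the yescrypt hashes of `/etc/shadow`, since Python has no yescrypt built in; the wordlist is constructed.

```python
# Added example: why a per-user salt defeats precomputed tables.
import hashlib
import os

# Constructed wordlist; a real one would be far larger.
WORDLIST = ["123456", "password", "kali", "letmein", "qwerty"]


def unsalted_hash(password):
    """What a naive system stores: depends only on the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt, rounds=20_000):
    """Salted, iterated hash in the spirit of the $y$/$6$ shadow entries
    (PBKDF2-HMAC-SHA256 here). The salt is stored next to the hash, as in
    '$6$<salt>$<hash>', so it is not secret; it only has to be unique."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


# A table computed once, before the attacker has ever seen a shadow file.
PRECOMPUTED = {unsalted_hash(w): w for w in WORDLIST}


def lookup(stored_hash):
    """Recover a password by table lookup; None if the table has no entry."""
    return PRECOMPUTED.get(stored_hash)


def two_users_same_password(password):
    """(unsalted hashes equal?, salted hashes equal?) for two accounts that
    chose the same password but, as /etc/shadow does, got different salts."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    return (unsalted_hash(password) == unsalted_hash(password),
            salted_hash(password, salt_a) == salted_hash(password, salt_b))


def guesses_needed(n_accounts, wordlist_size, salted):
    """Hash computations to try a whole wordlist against n accounts: with a
    salt the work is redone per account instead of once for everyone."""
    return wordlist_size * (n_accounts if salted else 1)
```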

## Locking Account

- put a value that no password can hash to (such as `!` or `*`) in the password field

```text
root:!:19662:0:99999:7:::
```
- the root account is locked!
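A parser for the shadow structure described in the Login Shell section and a check for the locked accounts just shown, as one added example (not code from the notebook). The sample lines are taken from the shadow output printed earlier in this notebook; the algorithm-ID table lists the crypt(3) identifiers for md5crypt, sha256crypt, sha512crypt and yescrypt.

```python
# Added example: parse /etc/shadow lines and report each account's status.
from datetime import date, timedelta

# Sample lines copied from this notebook's shadow output (constructed input).
SHADOW_SAMPLE = """\
root:!:19662:0:99999:7:::
daemon:*:19662:0:99999:7:::
kali:$y$j9T$K/agt9PK0eYweoRVbd9yK0$6BUblkWhNb00ZJWw7nYm0fZL1bpF.1BAs5h0CRF4xj2:19662:0:99999:7:::
"""

FIELDS = ["name", "password", "last_changed", "min_days", "max_days",
          "warn_days", "inactive_days", "expire", "reserved"]

# crypt(3) hash identifiers found in the password field
ALGORITHMS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def parse_shadow(text):
    """Map account name -> dict of the nine ':'-separated shadow fields."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != len(FIELDS):
            raise ValueError(f"malformed shadow line: {line!r}")
        entry = dict(zip(FIELDS, fields))
        entries[entry["name"]] = entry
    return entries


def hash_info(password_field):
    """Split '$id$[params$]salt$hash' into (algorithm, salt, hash), or None
    if the field is not a crypt-style hash."""
    parts = password_field.split("$")
    if len(parts) < 4 or parts[0] != "":
        return None
    return ALGORITHMS.get(parts[1], "unknown"), parts[-2], parts[-1]


def account_status(entry):
    """'!' or '*' (or '!' prefixed to a real hash by `passwd -l`) can never
    match a password, so the account is locked. An empty field means no
    password is required at all, the finding an auditor most wants to see."""
    pw = entry["password"]
    if pw == "":
        return "NO PASSWORD"
    if pw[0] in "!*":
        return "locked"
    info = hash_info(pw)
    return f"active ({info[0]})" if info else "locked (unmatchable value)"


def last_changed_date(days_since_epoch):
    """Shadow stores dates as days since 1970-01-01."""
    return date(1970, 1, 1) + timedelta(days=int(days_since_epoch))


def password_expires(entry):
    """Date by which the password must be changed, or None when max_days is
    the 'never' sentinel 99999 (or empty)."""
    if not entry["max_days"] or int(entry["max_days"]) >= 99999:
        return None
    return last_changed_date(entry["last_changed"]) + timedelta(days=int(entry["max_days"]))
```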