
As discussed in the previous section, most of the system logs are text files. Two exceptions to this norm are the btmp and wtmp binary files which store failed logins and login session information, respectively. Earlier in this book, when we were talking about live response, we introduced the last and lastb commands which display information from wtmp and btmp, respectively.

Like all good Linux utilities, these two commands support a number of command line options. The command last -Faiwx will produce a full listing (-F), append (-a) the IP address for remote logins (-i), use the wide format (-w), and include extra information (-x), such as when a user changed the run level. Running this command will provide information contained within the current wtmp file only. What if you want to view older information, perhaps because the current file is only a couple days old? For this and other reasons, last allows you to specify a file using the -f option.

The results of running last against the current and most recent archive wtmp are shown in Figure 6.24. This is a good example of why you should look at the archived wtmp (and btmp) files as well. The current wtmp file contains only three days of information, but the archive file has an additional month of data.

FIGURE 6.24

Running the last command on the current and most recent archive wtmp files.

Not surprisingly, we can create a script that will import the logins and failed login attempts into our database. Because these files tend to be smaller than some other logs and they can contain valuable information, the script presented here loads not only the current files but also any archives. A few new techniques can be found in the script that follows.

#!/bin/bash
#
# get-logins.sh
#
# Simple script to get all successful and unsuccessful
# login attempts and optionally store them in a database.
#
# by Dr. Phil Polstra (@ppolstra) as developed for
# PentesterAcademy.com.

usage () {
  echo "usage: $0 <mount point of root> [database name]"
  echo "Simple script to get logs of successful "
  echo "and unsuccessful logins."
  exit 1
}

# at least the mount point of the subject root filesystem is required
if [ $# -lt 1 ] ; then
  usage
fi

# (the listing is truncated here; the only surviving line of the remainder
#  is this fragment of the database table definition)
#   stop datetime,

This script starts out in the usual way and is quite simple right up until the line for logfile in $1/var/log/wtmp*. This is our first new item. The bash shell supports a number of variations of a for loop. Readers familiar with C and similar programming languages have seen for loops that are typically used to iterate over a list where the number of iterations is known beforehand and an integer is incremented (or decremented) with each step in the loop. Bash supports those types of loops and also allows a loop to be created that iterates over files that match a pattern.

We have seen awk, including the use of positional parameters such as $0 and $1, in previous scripts. The substr function is new, however. The format for substr is substr(<some string>, <starting index>, <max length>). For example, substr("Hello there", 1, 4) would return "Hell". Notice that indexes are 1-based, not 0-based as in many other languages and programs. Once you understand how substr works, it isn't difficult to see that this somewhat long awk command is printing six fields of output from last separated by semicolons. In order, these fields are: to whom or what this entry refers, the terminal or event for this entry, start time, stop time, elapsed time, and IP address.

There is still a small problem with the formatted output from last. Namely, there is likely a bunch of whitespace in each entry before the semicolons. This is where sed, the stream editor, comes in. One of the most popular commands in sed is the substitution command, which has the general format s/<search pattern>/<replacement pattern>/<options>. While "/" is the traditional separator used, the user may use a different character ("#" is a common choice) if desired. The translation of sed 's/[[:space:]]*;/;/g' is: search for zero or more whitespace characters before a semicolon, if you find them substitute just a semicolon, and do this globally (g option), which in this context means do not stop with the first match on each line. The second sed command, sed 's/[[:space:]]+\n/\n/', removes whitespace from the end of each line (the IP field). The code for processing btmp (failed logins) parallels the wtmp code.

The database code is similar to what we have used before. Once again, the only small complication is formatting the date and time information output by last and lastb into a MySQL datetime object. Some of the output from running this script against the PFE subject system is shown in Figure 6.25. Note that last and lastb generate an empty line and a message stating when the log file was created. This results in bogus entries in your database. My philosophy is that it is better to ignore these entries than to add considerable complication to the script to prevent their creation.
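The pipeline the preceding paragraphs describe, as an added example that is not the book's get-logins.sh: a shell function that reformats last -Faiwx / lastb -Faiwx lines into the six semicolon-separated fields with start and stop already in MySQL datetime form, and that drops the blank line and the "wtmp begins" trailer which would otherwise become the bogus rows mentioned above. It anchors on the full timestamps that -F prints rather than on fixed substr() offsets (an assumption about util-linux output layout, which also makes "system boot" and "still logged in" rows parse), and the demo input line is constructed, not captured from a real system.

```shell
#!/bin/bash
# Added example, not the book's get-logins.sh: turn `last -Faiwx`/`lastb -Faiwx`
# output into the six fields the text describes (who;tty-or-event;start;stop;
# elapsed;ip) with MySQL DATETIME stamps.  It anchors on the "Mon Mar  9 21:33:55
# 2015" timestamps -F prints rather than fixed substr() offsets, so the
# "system boot" and "still logged in" rows parse too.
format_last() {
  awk '
  function mysql_dt(s,  p) {            # "Mon Mar  9 21:33:55 2015" -> "2015-03-09 21:33:55"
    split(s, p, " ")
    return sprintf("%04d-%02d-%02d %s", p[5], MON[p[2]], p[3], p[4])
  }
  BEGIN {
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
    for (i = 1; i <= 12; i++) MON[m[i]] = i
    DT = "[A-Z][a-z][a-z] [A-Z][a-z][a-z] +[0-9]+ [0-9:]+ [0-9][0-9][0-9][0-9]"
  }
  # the "wtmp begins ..." trailer and blank lines would become bogus rows: drop them
  /^[wb]tmp begins / { next }
  !match($0, DT)      { next }
  {
    who   = $1
    tty   = substr($0, length(who) + 1, RSTART - length(who) - 1)
    start = mysql_dt(substr($0, RSTART, RLENGTH))
    rest  = substr($0, RSTART + RLENGTH)
    sub(/^ +/, "", rest); sub(/^- +/, "", rest)   # " - " precedes a stop time
    if (match(rest, DT)) {                        # normal logout
      stop = mysql_dt(substr(rest, RSTART, RLENGTH))
      rest = substr(rest, RSTART + RLENGTH)
    } else {                                      # "still logged in", "down", "crash"
      stop = rest; sub(/ *\(.*$/, "", stop); sub(/  +.*$/, "", stop)
      rest = substr(rest, length(stop) + 1)
    }
    elapsed = ""
    if (match(rest, /\([^)]*\)/)) {               # "(00:14)" -> "00:14"
      elapsed = substr(rest, RSTART + 1, RLENGTH - 2)
      rest = substr(rest, RSTART + RLENGTH)
    }
    sub(/^ +/, "", tty); sub(/ +$/, "", tty)
    sub(/^ +/, "", rest); sub(/ +$/, "", rest)    # whatever is left is the IP/host
    print who ";" tty ";" start ";" stop ";" elapsed ";" rest
  }'
}
# Walk the current file and every archive, as the book does; $1 is the subject root mount point.
collect_logins() {
  for f in "$1"/var/log/wtmp*; do last  -Faiwx -f "$f"; done | format_last
  for f in "$1"/var/log/btmp*; do lastb -Faiwx -f "$f"; done | format_last
}
demo() { printf '%s\n' 'john     pts/0        Mon Mar  9 21:30:12 2015 - Mon Mar  9 21:45:00 2015  (00:14)     192.168.56.1' | format_last; }  # constructed line
```

The trailing-whitespace trim is done inside awk because sed's default basic regular expressions treat + as a literal character and never see the line's newline in the pattern space, so s/[[:space:]]*$// is the sed form that actually strips it.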

FIGURE 6.25

Output from running logins and failed login attempts script. Note that there are a couple of empty entries and erroneous lines that follow.

The query select * from logins order by start; will list login sessions and select * from login_fails order by start; will display failed login attempts. Some of the results from these queries are shown in Figure 6.26. In the figure it can be seen that the attacker failed to log in remotely from IP address 192.168.56.1 as lightdm on 2015-03-09 21:33:55. Around that same time the john, johnn, and lightdm accounts had successful logins from the same IP address. The attacker appears to be testing some newly created accounts.

FIGURE 6.26

Login sessions and failed login attempts.
