SANS Digital Forensics and Incident Response Blog

Finding out about other users on a Linux system

These commands are used to find out about other users on a *NIX host. When testing the security of a system covertly (such as during a penetration test) they tell you whether a system administrator is logged in and active, so that you can stop running commands while that person is watching. Bear in mind that the commands themselves leave traces: shell history, and the audit log on hosts where auditing is enabled. The same commands are equally useful to digital forensics investigators and incident response personnel, who use the same data to establish who was on a host and when.

w

The 'w' command displays every user logged into the host, where each session came from, how long it has been idle and the command it is currently running. The idle time is what tells you whether a user is 'idle' or actively using (and possibly monitoring) the system.

who

The 'who' command lists which users are logged into the host together with the source of each session and how they are accessing the host. It shows whether a user is logged into a local tty (more on this later) or is connecting over a remote network connection, in which case the originating hostname or address is displayed.

finger <user_name>

The 'finger' command is rarely used these days (but does come up from time to time on legacy and poorly configured systems). It provides copious information about the user being "fingered", including the home directory and login shell, the last login, and the last time that user read their mail.

last -1 <user_name>

The 'last' command displays the logins and logouts recorded in the wtmp log (normally /var/log/wtmp), most recent first, together with the tty and, for remote sessions, the originating host. Run with no options it prints the entire recorded history; the '-1' option (equivalent to '-n 1') limits the output to the most recent entry, that is, the "last" user to have logged on.

When a <user_name> is supplied, only that user's logins are shown (all of them, unless '-n' limits the count). This is used when profiling a system administrator to discover the usual times that person is logged into and monitoring the system. Note that 'last' only reports what wtmp contains: the file is rotated, and it can be truncated or edited by anyone who can write to it.
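As an added example (not code from the original post), the following POSIX shell script applies the 'w' and 'last' sections above: it parses 'w' output to list the users who are not idle (the ones who may be watching) and tallies the login hours that 'last' records for a user to find when an administrator is usually around. The sample 'w' and 'last' output is constructed for the example, and the idle-time formats assumed are the ones printed by procps 'w'.

```shell
#!/bin/sh
# Added example, not code from the original post. It parses the output of
# 'w' and 'last' to answer the two questions the sections above raise:
# is an administrator active right now, and at what hours does that
# administrator usually log in? The sample output below is constructed for
# the example; on a real host pipe in 'w -h' and 'last <user>' instead.

# Constructed 'w -h' output (USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT).
W_SAMPLE='root     pts/0    10.0.0.5    09:12    0.00s  0.10s  0.01s w
alice    pts/1    10.0.0.22   08:40   35:12   0.20s  0.05s -bash
bob      tty1     -           07:55    2days  0.01s  0.01s -bash'

# Constructed 'last root' output (wtmp entries, newest first).
LAST_SAMPLE='root     pts/0    10.0.0.5    Thu Mar 11 09:08   still logged in
root     tty1                 Wed Mar 10 09:30 - 12:01  (02:31)
root     pts/1    10.0.0.5    Tue Mar  9 14:20 - 14:45  (00:24)
root     pts/0    10.0.0.5    Tue Mar  9 09:05 - 10:02  (00:56)
root     pts/0    10.0.0.5    Mon Mar  8 09:12 - 11:30  (02:18)

wtmp begins Mon Mar  1 00:00:01 2010'

# Convert the IDLE column of 'w' to whole minutes. procps prints seconds as
# "0.00s", minutes as "mm:ss", hours as "hh:mmm" and longer spans as "Ndays".
idle_minutes() {
  awk -v s="$1" 'BEGIN {
    if (s ~ /days?$/)  { sub(/days?$/, "", s); print s * 1440 }
    else if (s ~ /m$/) { sub(/m$/, "", s); split(s, t, ":"); print t[1] * 60 + t[2] }
    else if (s ~ /s$/) { sub(/s$/, "", s); print int(s / 60) }
    else               { split(s, t, ":"); print t[1] + 0 }
  }'
}

# Print the users whose session has been idle for less than MAX minutes,
# i.e. the people who may be watching the system right now.
# usage: w -h | active_users MAX_IDLE_MINUTES
active_users() {
  max="$1"
  while read -r user tty from login idle rest; do
    [ -n "$user" ] || continue
    if [ "$(idle_minutes "$idle")" -lt "$max" ]; then
      printf '%s\n' "$user"
    fi
  done
  return 0
}

# Histogram of login hours from 'last' output, most frequent hour first.
# The login time is the first hh:mm token on each line, which survives the
# blank FROM column that local ttys produce.
# usage: last <user> | login_hours
login_hours() {
  awk '
    NF == 0 || $1 == "reboot" || $1 == "wtmp" { next }
    {
      for (i = 2; i <= NF; i++)
        if ($i ~ /^[0-9][0-9]:[0-9][0-9]$/) { hour[substr($i, 1, 2)]++; break }
    }
    END { for (h in hour) printf "%s %d\n", h, hour[h] }
  ' | sort -k2,2nr -k1,1
}

printf 'Active (idle < 5 min):\n'
printf '%s\n' "$W_SAMPLE" | active_users 5
printf 'Login hours for root:\n'
printf '%s\n' "$LAST_SAMPLE" | login_hours
```

On the constructed data only root is under the five-minute idle threshold, and root's logins cluster in the 09:00 hour, which is exactly the profile the 'last' section describes. If 'w' on the target has been run with '-f' the FROM column disappears and the 'read' field list needs adjusting accordingly.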

whoami

This command prints the effective username of the current shell or terminal session, which is worth checking after 'su' or 'sudo' has changed the identity you are running as.

passwd <user_name>

The 'passwd' command changes your own password when run with no options, or that of another user when <user_name> is supplied and you have the privilege to do so (normally root only).

kill PID

This command sends a signal to the process whose PID (process ID) is given as an option; with no signal specified it sends TERM, which asks the process to exit. The 'ps' command (detailed later in the paper) is used to find the PID of a process.

This command can be used to stop a monitoring or other security process when testing a system. The 'root' user can signal any process, but an unprivileged user can only signal processes running under their own user ID (group membership does not grant this), so an ordinary user cannot stop a root-owned daemon.

du <filename>

The 'du' command displays the disk usage (that is, the space consumed on the drive) of the files and directories listed as the <filename> command option, recursing into directories; 'du -sh <directory>' gives a single human-readable total.

df

The 'df' command displays the amount of free and used disk space on the system, reported separately for each mounted filesystem of the host.

Craig Wright is a Director with Information Defense in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC and completed the GSE as well. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial law and ecommerce law, a Masters degree in mathematical statistics from Newcastle, as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Sturt University, where he lectures subjects in a Masters degree in digital forensics. He is writing his second doctorate, a PhD on the quantification of information system risk at CSU.

5 Comments

Posted March 15, 2010 at 12:45 PM

proneer

Generally, the finger command is frequently used with the "-lmsp" option: # finger -lmsp

Posted March 15, 2010 at 4:11 PM

gleeda

The kill command by default sends the TERM signal, which may or may not be caught by the process (depending on whether it has a signal handler set up for this signal). You should send the SIGKILL signal, which cannot be caught, if you want to make sure to kill the process:
$ kill -9 [PID]
You can also kill process(es) by process name like so:
$ killall -9 [processname]
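
To make the point of the 'kill' section and the comment above concrete, here is an added example (not the post's or the commenter's code) that starts a stand-in monitoring process which traps TERM, sends it TERM and then KILL, and reports which one actually stopped it. The stand-in process, its PID variable and the result strings are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or the comment above.
# It demonstrates the TERM versus KILL difference with a stand-in "monitor":
# a background shell loop that installs a TERM handler. The loop is
# constructed for the example; it is not a real monitoring daemon.

# Start the stand-in monitor in the background and remember its PID.
start_stubborn_process() {
  sh -c 'trap "echo caught TERM, still running >&2" TERM
         while :; do sleep 1; done' &
  STUBBORN_PID=$!
}

# kill -0 sends no signal; it only reports whether PID exists and may be signalled.
still_alive() {
  kill -0 "$1" 2>/dev/null
}

# Send TERM, then KILL, and report what each one achieved.
# Prints "survived dead": TERM was caught by the handler, KILL could not be.
term_then_kill() {
  start_stubborn_process
  sleep 1                                  # give the trap time to be installed
  kill -TERM "$STUBBORN_PID"
  sleep 1                                  # let the handler run
  if still_alive "$STUBBORN_PID"; then after_term=survived; else after_term=dead; fi
  kill -KILL "$STUBBORN_PID"
  wait "$STUBBORN_PID" 2>/dev/null || true # reap the child so kill -0 stops seeing it
  if still_alive "$STUBBORN_PID"; then after_kill=survived; else after_kill=dead; fi
  echo "$after_term $after_kill"
}

term_then_kill
```

The 'wait' after KILL matters: until the parent reaps the child, the killed process lingers as a zombie and 'kill -0' still reports it as present, which is a common reason a "check that it died" step gives a false negative. A real daemon that re-execs itself or is restarted by a supervisor will reappear even after KILL, so check for the process again a few seconds later.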

Posted March 15, 2010 at 4:47 PM

gleeda

Sorry, I didn't denote root, but you get the idea ;-)

Posted March 15, 2010 at 6:45 PM

wat

WAT? BOY MEETS UNIX, BOY MEETS WORLD!
Finding out about other users in the box?
How 'bout
for n in $(cut -d: -f6 /etc/passwd); do ls -al $(find "$n"/.ssh*/* 2>/dev/null) "$n"/.*hist*; done
?
... much more useful, no?
I'm amazed this kind of noobie shit flies on a SANS blog, but it makes sense when you see the "profile" of who wrote it. Prolly did some SANS courses and he's finding out the wonders of unix!
ROFL.
Also, doing those commands in a box with auditing is not really covert at all... for the same information u might as well just strings the wtmp and utmp files...

Posted March 15, 2010 at 6:47 PM

wat

Also, a more useful thing to "find out about other users in the box" is prolly poking about in their home directory... but I guess this author hasn't learned about umask yet.
ROFL.
This reminds me of those "HOW TO HACK UNIX" TXT files from the 80's.