These commands are used to find out about other users on a *NIX host. When testing the security of a system covertly (such as when engaged in a penetration test) it is best to stop running commands when the system administrator is watching. These commands may also be useful for digital forensics investigators and incident response personnel.
w
The "?w'" command displays any user logged into the host and their activity. This is used to determine if a user is "?idle'" or if they are actively monitoring the system.
who
The "?who'" command is used to find both which users are logged into the host as well as to display their source address and how they are accessing the host. The command will display if a user is logged into a local tty (more on this later) or is connecting over a remote network connection.
finger <user_name>
The "?finger'" command is rarely used these days (but does come up from time to time on legacy and poorly configured systems). The command provides copious amounts of data about the user who is being "fingered". This information includes the last time that user read their mail and any log in details.
last -1 <user_name>
The "?last'" command can be used to display the "last" user to have logged on and off the host and their location (remote or local tty). The command will display a log of all recorded logins and log-offs if no options are used.
When the <user_name> option is provided, this will display all of the user's log-ins to the system. This is used when profiling a system administrator to discover the usual times that person will be logged into and monitoring a system.
whoami
This command displays the username that is currently logged into the shell or terminal session.
passwd <user_name>
The "?passwd'" command is used to change your password (not options) or that of another user (if you have permissions to do this).
kill PID
This command "kills" any processes with the PID (process ID) given as an option. The "?ps'" command (detailed later in the paper) is used to find the PID of a process.
This command can be used to stop a monitoring or other security process when testing a system. The ?root' user can stop any process, but other users on a host can only stop their own (or their groups) processes by default.
du <filename>
The "?du'" command displays the disk usage (that is the space used on the drive) associated with the files and directories listed in the <filename> command option.
df
The "?df'" command is used to display the amount of free and used disk space on the system. This command displays this information for each mounted volume of the host.
Craig Wright is a Director with Information Defense in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC and completed the GSE as well. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial lawand ecommerce law, A Masters Degree in mathematical statistics from Newcastle as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Stuart University where he lectures subjects in a Masters degree in digital forensics. He is writing his second doctorate, a PhD on the quantification of information system risk at CSU.
.jpg "1245x705_FREE_DFIR-Summit_(1).jpg")
