🐧Linux Attacks
Linux Vulnerabilities
GNU/Linux is a free and open source operating system, combination of the Linux kernel and the GNU toolkit software collection, developed by Richard Stallman.
Linux kernel is the core of the O.S.
Linux distributions are variants of the same O.S.
Typically deployed as a server O.S.
Linux server services and protocols can provide with an access vector that an attacker can use
SSH (Secure Shell)
TCP 22
Cryptographic remote access protocol, used for operating network services securely over an unsecured network. Secure successor of telnet
FTP (File Transfer Protocol)
TCP 21
Communication protocol used for file sharing between a server and a client, over TCP
TCP 445
Open source implementation of the SMB
protocol. Enabled Unix machines to communicate with Windows machines in a network
Linux Exploitation
Apache - ShellShock
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka ShellShock.
Bash
shell since v.1.3The
Bash
mistakenly exectutes trailing commands after a series of charactersApache web servers that run CGI or
.sh
scripts are also vulnerable
🗒️ Bash - *Nix shell part of the GNU project and default shell for most Linux distros.
🗒️ CGI (Commond Gateway Interface) - Apache executes arbitrary commands on the Linux system and the output displayed on the web server.
ShellShock Exploitation
Locate a script or input vector (legitimate Apache CGI scripts) to communicate with Bash
Input special characters within the HTTP headers (e.g.
user-agent
)When CGI is executed, the web server will run it with Bash in a new process
The exploitation can be done manually and automatically.
🔬 Check the Bash - ShellShock Lab here
FTP
🗒️ FTP (File Transfer Protocol) - facilitate file sharing between a server and clients. Used for transfering files to and from a web server (e.g.
CPanel or FTP credentials).
Port:
21
(TCP) - defaultUser Authentication -
username
&password
anonymous access may be configured on FTP - no credentials needed
FTP Exploitation
Credentials can be brute-forced on the FTP server
Exploit inherent vulnerability within FTP service
🔬 Check the FTP Brute force Lab here
SSH
🗒️ SSH (Secure Shell) - cryptographic remote administration protocol, tipically used for servers remote access
Port:
22
(TCP) - defaultSSH Authentication:
User Authentication -
username
&password
Key
based, 2 key pairs (public and private keys) - no username and password
SSH Exploitation
Credentials can be brute-forced on the SSH
With SSH legitimate credentials the attacker gain access to a full shell, with the utilized user account's privileges
🔬 Check the SSH Brute force Lab here
SAMBA
🗒️ SAMBA - network file sharing protocol, for file and peripherals sharing on a LAN. It is the Linux implementation of SMB
Port:
445
(TCP)Not pre-packed, not a common running service
User Authentication -
username
&password
SAMBA Exploitation
Credentials can be brute-forced
Use SMBMap or
smbclient
to retrieve information
🔬 Check the SAMBA Brute force Lab here
Linux Privilege Escalation
Linux Kernel Exploits
❗ Targeting Kernel can cause system crashes, data loss, kernel panics etc ❗
Linux kernel vulnerabilities can be targetted to execute arbitrary code and obtain privileged system shell.
Kernel version and distribution is important
The Linux Privilege Exploitation process consists of:
Identify kernel vulnerabilities (
Linux Exploit Suggester
)Download, compile, transfer kernel exploits onto the target system
Linux-Exploit-Suggester - a tool designed to assist in detecting security deficiencies for given Linux kernel/Linux-based machine.
Assessing kernel exposure on publicly known exploits
Verifying state of kernel hardening security measures
Very useful to get Kernel version, possible Exploits with detailed information on the CVEs
Misconfigured Cron Jobs
🗒️ Cron - a time-based daemon/service, scheduler of applications, scripts and commands. It executed non-interactive jobs.
Tasks scheduled in
cron
are called cron jobse.g.
backups, o.s. upgrades, patches, scripts, commands etc
Default cron table/configuration file is
/etc/crontab
Cron Jobs can be run as any user
Cron Jobs Privesc
The attacker will target
root
's privileged Cron JobsFind and identify cron jobs scheduled by the
root
user or the files processed by te cron job.
🔬 Check the Cron Jobs Lab here
SUID Binaries
🗒️ SUID (Set owner User ID) - is a type of special access permission given to a file. A file with SUID always executes as its the owner, regardless of the user passing the command.
Allows unprivileged users to run scripts or binaries with
root
permissions, and it's limited to the execution of that specific binary.This is not privilege escalation, but can be used to obtain an elevated session
e.g.
thesudo
binary
The exploitation of SUID binaries to get privesc depends on:
the owner of the SUID file -
e.g.
look forroot
user's SUID binariesaccess permissions -
x
executable permissions are required to execute the SUID binary
🔬 Check the SUID Lab here
Linux Credential Dumping
All the Linux accounts' information is stored in the passwd
file stored in /etc/
directory.
Linux has multi-user support, this can increase the overall risk of a server.
Passwords cannot be viewed because they are encrypted and stored in the shadow
file in the /etc/
directory.
📌 Only
root
account can accessshadow
file
The hashed password have a prefix $id
value that indicates the type of hashing algorithm that is being used, e.g.
:
🔬 Check the Dumping Linux Hashes Lab here
Last updated