Linux Attacks
Linux is a free and open source operating system: a combination of the Linux kernel and the GNU toolkit software collection developed by Richard Stallman.
The Linux kernel is the core of the O.S.
Linux distributions are variants of the same O.S.
Typically deployed as a server O.S.
Linux server services and protocols can provide an access vector that an attacker can use:

| Service | Port | Description |
|---|---|---|
| Apache | TCP 80/443 | Open source cross-platform web server |
| SSH | TCP 22 | Cryptographic remote access protocol, used for operating network services securely over an unsecured network. Secure successor of telnet |
| FTP | TCP 21 | Communication protocol used for file sharing between a server and a client, over TCP |
| Samba | TCP 445 | Open source implementation of the SMB protocol. Enables Unix machines to communicate with Windows machines in a network |
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka ShellShock.
Affects the Bash shell since v.1.3
Bash mistakenly executes trailing commands after a series of characters
Apache web servers that run CGI or .sh scripts are also vulnerable
🗒️ CGI (Common Gateway Interface) - Apache executes arbitrary commands on the Linux system and the output is displayed on the web server.
Locate a script or input vector (legitimate Apache CGI scripts) to communicate with Bash
Input special characters within the HTTP headers (e.g. User-Agent)
When the CGI is executed, the web server will run it with Bash in a new process
The exploitation can be done manually and automatically.
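As an added defender-side example (not from the original notes), the following Python scans header values from constructed web-server log lines for the Bash function-definition prefix that ShellShock-vulnerable Bash parses out of the environment. The "client header-name: value" log layout is an assumption; adapt the parsing to the real log format.

```python
import re

# ShellShock probes place a Bash function definition "() {" in a header value
# that a CGI script exports into the environment (User-Agent, Referer, ...).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample log lines (assumed layout: "client header-name: value").
SAMPLE_LOG = """\
10.0.0.5 User-Agent: Mozilla/5.0 (X11; Linux x86_64)
10.0.0.9 User-Agent: () { :; }; echo probe
10.0.0.9 Referer: () { ignored; }; echo vulnerable
10.0.0.7 Cookie: session=abc123
"""


def parse_line(line):
    """Split one constructed log line into (client_ip, header_name, header_value)."""
    client, rest = line.split(" ", 1)
    name, value = rest.split(":", 1)
    return client, name.strip(), value.strip()


def find_shellshock_probes(log_text):
    """Return (client_ip, header_name) for every header value carrying the
    function-definition prefix, i.e. a request worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, name, value = parse_line(line)
        if SHELLSHOCK_RE.search(value):
            hits.append((client, name))
    return hits


if __name__ == "__main__":
    for client, header in find_shellshock_probes(SAMPLE_LOG):
        print(f"ShellShock-style payload from {client} in {header} header")
```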
FTP:
Port: 21 (TCP) - default
User authentication - username & password
Anonymous access may be configured on FTP - no credentials needed
Credentials can be brute-forced on the FTP server
Exploit inherent vulnerabilities within the FTP service
SSH:
Port: 22 (TCP) - default
SSH authentication:
User authentication - username & password
Key based, 2 keys (a public and a private key pair) - no username and password
Credentials can be brute-forced on the SSH server
With legitimate SSH credentials the attacker gains access to a full shell, with the privileges of the user account that was used
Samba (SMB):
Port: 445 (TCP)
Not pre-packaged, not a commonly running service
User authentication - username & password
Credentials can be brute-forced
Use SMBMap or smbclient to retrieve information
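An added example, not part of the original notes: the credential brute-forcing described for SSH above leaves a trail of failed logins in the sshd log, so this Python counts failures per source IP in constructed auth.log lines, flags sources above a threshold, and reports a later successful login from a flagged source. The log lines are constructed samples in OpenSSH's usual syslog format.

```python
import re
from collections import Counter

# Constructed sshd log lines (syslog layout written by OpenSSH on most distros).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 web01 sshd[2310]: Failed password for root from 198.51.100.23 port 51234 ssh2
Mar  3 10:01:14 web01 sshd[2310]: Failed password for root from 198.51.100.23 port 51236 ssh2
Mar  3 10:01:15 web01 sshd[2312]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2
Mar  3 10:01:16 web01 sshd[2314]: Failed password for invalid user test from 198.51.100.23 port 51241 ssh2
Mar  3 10:01:19 web01 sshd[2316]: Accepted publickey for deploy from 203.0.113.8 port 40022 ssh2
Mar  3 10:02:01 web01 sshd[2318]: Failed password for alice from 203.0.113.8 port 40030 ssh2
Mar  3 10:02:40 web01 sshd[2320]: Accepted password for root from 198.51.100.23 port 51250 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")


def analyse_auth_log(text, threshold=3):
    """Count failed sshd logins per source IP; a source reaching `threshold`
    failures is flagged, and a later 'Accepted' line from a flagged source is
    reported separately because that is what a successful brute force looks like."""
    failures = Counter()
    usernames = {}                 # source IP -> set of usernames tried
    flagged, success_after_flag = [], []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames.setdefault(ip, set()).add(user)
            if failures[ip] == threshold:
                flagged.append(ip)
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(2) in flagged:
            success_after_flag.append((m.group(1), m.group(2)))
    return {"failures": dict(failures), "usernames": usernames,
            "flagged": flagged, "success_after_flag": success_after_flag}


if __name__ == "__main__":
    report = analyse_auth_log(SAMPLE_AUTH_LOG)
    for ip in report["flagged"]:
        print(f"{ip}: {report['failures'][ip]} failures, users {sorted(report['usernames'][ip])}")
    for user, ip in report["success_after_flag"]:
        print(f"ALERT: successful login as {user} from flagged source {ip}")
```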
❗ Targeting the kernel can cause system crashes, data loss, kernel panics etc ❗
Linux kernel vulnerabilities can be targeted to execute arbitrary code and obtain a privileged system shell.
Kernel version and distribution are important
The Linux privilege exploitation process consists of:
Identify kernel vulnerabilities (Linux Exploit Suggester)
Download, compile and transfer kernel exploits onto the target system
Linux Exploit Suggester:
Assessing kernel exposure to publicly known exploits
Verifying the state of kernel hardening security measures
Very useful to get the kernel version and possible exploits, with detailed information on the CVEs
🗒️ Cron - a time-based daemon/service that schedules applications, scripts and commands. It executes non-interactive jobs.
Tasks scheduled in cron are called cron jobs, e.g. backups, O.S. upgrades, patches, scripts, commands etc
The default cron table/configuration file is /etc/crontab
Cron jobs can be run as any user
The attacker will target root's privileged cron jobs
Find and identify cron jobs scheduled by the root user, or the files processed by the cron job.
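An added hardening check, not from the original notes: the root cron jobs described above are only a problem when the script they run can be modified by someone else, so this Python parses a constructed /etc/crontab in the system-crontab layout (time fields, user, command) and reports root jobs whose script is group- or world-writable. The crontab content and the sandbox directory it is checked against are constructed for the example.

```python
import os
import stat
import tempfile

# Constructed system crontab (five time fields, user, command); assumption.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
17 *  * * *  root      cd / && run-parts --report /etc/cron.hourly
*/5 * * * *  root      /opt/backup/backup.sh
0 3   * * *  www-data  /opt/www/cleanup.sh
"""


def parse_system_crontab(text):
    """Yield (user, command) per job line, skipping comments and VAR=value lines."""
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
            continue
        yield fields[5], fields[6]


def writable_by_others(path):
    """True if group or world can write the file (hijackable if root runs it)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_root_cron_jobs(crontab_text, root_dir):
    """Return scripts of root jobs that non-root users can modify; root_dir is
    prepended to each path so the check runs against a sandbox tree."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        script = command.split()[0]            # program the job invokes
        if user != "root" or not os.path.isfile(root_dir + script):
            continue
        if writable_by_others(root_dir + script):
            findings.append(script)
    return findings


def demo():
    """Sandbox tree in which root's backup.sh has been left world-writable."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(tmp + "/opt/backup")
        script = tmp + "/opt/backup/backup.sh"
        with open(script, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(script, 0o777)
        return audit_root_cron_jobs(SAMPLE_CRONTAB, tmp)
```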
SUID:
Allows unprivileged users to run scripts or binaries with root permissions, and it's limited to the execution of that specific binary.
This is not privilege escalation, but can be used to obtain an elevated session, e.g. the sudo binary
The exploitation of SUID binaries to get privesc depends on:
the owner of the SUID file - e.g. look for the root user's SUID binaries
access permissions - x (executable) permissions are required to execute the SUID binary
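An added audit example, not from the original notes: the two conditions listed above (owner and executable permission) are exactly what an administrator should enumerate, so this Python walks a directory tree and returns every regular file with the SUID bit set together with its owner uid and whether others may execute it. The sandbox directory in demo() is constructed for the example.

```python
import os
import stat
import tempfile


def find_suid_files(top):
    """Walk `top` and return (path, owner_uid, executable_by_others) for every
    regular file with the SUID bit set. Symlinks are not followed."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(top):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue            # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            others_can_exec = bool(st.st_mode & stat.S_IXOTH)
            results.append((path, st.st_uid, others_can_exec))
    return results


def root_owned_suid(top):
    """SUID files owned by root (uid 0) that any user may execute: the set the
    notes say an attacker looks for, hence the set an admin should review."""
    return [p for p, uid, x in find_suid_files(top) if uid == 0 and x]


def demo():
    """Constructed sandbox with one SUID script and one plain executable."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("suid-tool", 0o4755), ("plain-tool", 0o755)):
            path = os.path.join(tmp, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, mode)
        return [os.path.basename(p) for p, _uid, _x in find_suid_files(tmp)]


if __name__ == "__main__":
    print(demo())   # the constructed sandbox yields ['suid-tool']
```

The sandbox files are owned by the running user, so root_owned_suid() only reports hits when pointed at a real tree such as /usr/bin.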
All the Linux accounts' information is stored in the passwd file in the /etc/ directory.
Linux has multi-user support; this can increase the overall risk of a server.
Passwords cannot be viewed in clear text because they are stored hashed in the shadow file in the /etc/ directory.
📌 Only the root account can access the shadow file
The hashed password has a $id prefix value that indicates the type of hashing algorithm being used, e.g.:
$1 - MD5 (easy to crack)
$2 - Blowfish (easy to crack)
$5 - SHA-256 (difficult to crack)
$6 - SHA-512 (difficult to crack)
$y - yescrypt
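An added example, not from the original notes: a small classifier that reads shadow-style lines, identifies the hashing scheme from the $id prefix table above, and lists accounts that need remediation (empty passwords or schemes the table rates easy to crack). The shadow lines are constructed with placeholder hashes; the "legacy crypt" label for entries with no $ prefix is an assumption.

```python
# Constructed /etc/shadow-style lines with placeholder hashes (not real credentials).
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::
legacy:$1$abcdefgh$PLACEHOLDERHASH:19000:0:99999:7:::
svc:$y$j9T$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
guest::19700:0:99999:7:::
lockeduser:!:19700:0:99999:7:::
"""

# $id prefix -> (algorithm, crack-difficulty rating as given in the table above).
# Variants such as $2b fall back to the single-character entry "2".
HASH_IDS = {"1": ("MD5", "easy"), "2": ("Blowfish", "easy"),
            "5": ("SHA-256", "hard"), "6": ("SHA-512", "hard"),
            "y": ("yescrypt", "hard")}


def classify_shadow_entry(line):
    """Return (user, status, algorithm, rating) for one shadow line; status is
    'hashed', 'locked' (field starts with * or !) or 'empty' (no password)."""
    fields = line.split(":")
    user, pw = fields[0], fields[1]
    if pw == "":
        return user, "empty", None, None
    if pw.startswith(("*", "!")):
        return user, "locked", None, None
    if not pw.startswith("$"):
        return user, "hashed", "legacy crypt", "easy"   # no $id prefix (assumption)
    hid = pw.split("$")[1]
    algo, rating = HASH_IDS.get(hid, HASH_IDS.get(hid[:1], ("unknown", "unknown")))
    return user, "hashed", algo, rating


def weak_accounts(shadow_text):
    """Accounts to remediate: empty passwords or hashes rated easy to crack."""
    out = []
    for line in shadow_text.splitlines():
        if line.count(":") < 2:
            continue                      # not a shadow entry
        user, status, algo, rating = classify_shadow_entry(line)
        if status == "empty" or rating == "easy":
            out.append((user, "empty" if status == "empty" else algo))
    return out
```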
🗒️ Bash - *Nix shell, part of the GNU project and the default shell for most Linux distros.
🗒️ FTP (File Transfer Protocol) - facilitates file sharing between a server and clients. Used for transferring files to and from a web server (e.g. cPanel or FTP credentials).
🗒️ SSH (Secure Shell) - cryptographic remote administration protocol, typically used for remote access to servers
🗒️ Samba - network file sharing protocol, for file and peripheral sharing on a LAN. It is the Linux implementation of SMB
🗒️ Linux Exploit Suggester - a tool designed to assist in detecting security deficiencies for a given Linux kernel/Linux-based machine.
🗒️ SUID (Set owner User ID) - a type of special access permission given to a file. A file with SUID always executes as its owner, regardless of the user running the command.