Exploit Linux

Abstract

Linux is one of the best known and most widely used operating systems. Many people walk around with the misconception that Linux is secure by default. It ships with many security mechanisms, but Linux machines can still be compromised. In this article I will take the opportunity to discuss the major techniques used to exploit a Linux infrastructure and to give you the safeguards you need to defend against Linux attacks.

In this article we are going to cover the following topics:

  • Linux overview and Linux commands
  • Linux streams and redirection
  • Linux file system hierarchy
  • Users and groups
  • Permissions
  • chmod, chown and chroot commands
  • Cron jobs and crontabs
  • Linux attack vectors
  • Linux enumeration
  • Linux privilege escalation
  • Linux kernel exploitation
  • Linux hardening

Linux Overview

The main goal of an operating system is to manage computer hardware and software resources and to provide common services for computer programs. Linux is a Unix-like operating system (a clone, not Unix itself) developed by Linus Torvalds in 1991, so do not confuse Linux with Unix. It is licensed under the GNU General Public License (GPL). To issue commands you need a shell, a command-line interface that interprets and executes the commands you enter. Some of the best known shells are the Bourne again shell (bash), the C shell (csh) and the Korn shell (ksh). If you are using Linux and want to see which shells are installed, type: cat /etc/shells

The following are some vital linux commands:

  • ls : list the content of the directory
  • find : locate files
  • cd : enter a directory
  • cp : copy
  • mv : move
  • mkdir : make a directory
  • rmdir : remove a directory
  • rm : remove files

To learn more about a command, use the famous man command: man <command>

Linux Streams and redirection

When you interact with a Linux environment it provides input/output redirection capabilities to ease your work. Every process has three standard streams that you can manipulate:

  • Standard input (stdin)
  • Standard output (stdout)
  • Standard error (stderr)

The three major streams are represented in the following graph:

[figure: the stdin, stdout and stderr streams]

Another capability is redirection, which sends these streams to or from files and other commands. To redirect output to a file you can use the following symbols:

“>” : overwrite the file

“>>” : append the output to the file

The following figure lists some more redirection symbols:

[figure: table of redirection symbols]
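The streams and operators described above, as an added example that is not part of the original article: a POSIX shell script whose helper functions separate stdout from stderr, show why the order of two redirections matters, and contrast "&gt;" with "&gt;&gt;". The function names (noisy, stdout_only and so on) are made up for this demonstration.

```sh
#!/bin/sh
# Added example (not from the original article): stdin, stdout and stderr
# under the redirection operators discussed above. All commands are POSIX sh.

# A command that writes one line to stdout (file descriptor 1) and one line
# to stderr (file descriptor 2), so the two streams can be told apart.
noisy() {
    echo "result: ok"
    echo "warning: something" >&2
}

# Keep only stdout: stderr is thrown away.
stdout_only() {
    noisy 2>/dev/null
}

# Keep only stderr by swapping the two streams. Redirections apply left to
# right: 3>&1 saves stdout, 1>&2 sends normal output to stderr, 2>&3 sends
# errors to the saved stdout, 3>&- closes the helper descriptor again.
stderr_only() {
    noisy 3>&1 1>&2 2>&3 3>&-
}

# Merge both streams into stdout with 2>&1.
both_streams() {
    noisy 2>&1
}

# Order matters:  cmd >file 2>&1  puts both streams in the file, while
# cmd 2>&1 >file  first points stderr at the *current* stdout (the terminal)
# and only then moves stdout to the file. Returns the line count of the file.
lines_captured() {
    tmp=$(mktemp)
    if [ "$1" = "correct" ]; then
        noisy >"$tmp" 2>&1
    else
        noisy 2>&1 >"$tmp"
    fi
    wc -l <"$tmp" | tr -d ' '
    rm -f "$tmp"
}

# '>' truncates the file, '>>' appends to it. Returns the final line count.
append_vs_overwrite() {
    tmp=$(mktemp)
    echo "first"  >"$tmp"    # file now has 1 line
    echo "second" >>"$tmp"   # appended: 2 lines
    echo "third"  >"$tmp"    # overwritten: 1 line again
    wc -l <"$tmp" | tr -d ' '
    rm -f "$tmp"
}

# stdin: a filter that counts the words it receives on its standard input,
# so it can be fed through a pipe or with '<' from a file.
count_words_from_stdin() {
    tr -s ' ' '\n' | grep -c .
}

# Usage when run directly:
#   stdout_only                                   -> result: ok
#   stderr_only 2>/dev/null                       -> warning: something
#   lines_captured correct                        -> 2
#   append_vs_overwrite                           -> 1
#   echo "one two three" | count_words_from_stdin -> 3
```

The lines_captured function is the one worth remembering: with the wrong order the warning line never reaches the file, which is exactly how error messages get lost from log files written by cron jobs and init scripts.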

 

 

Linux File system Hierarchy

Linux directories and files follow a fixed hierarchy, and in Linux everything is a file. Yes, you heard me: everything is a file, even directories and devices. The hierarchical layout of Linux is the following:

Where:

/root : All the files and directories start from this directory
/home : Contains personal files of all users
/bin : Contains all the binaries (executables)
/sbin : Like /bin , but it contains the system binaries
/lib : Contains required library files
/usr : Contains binaries used by a normal user
/opt : Contains optional add-on applications
/etc : Contains all the required configuration files for the programs
/dev : Contains device files
/media : Contains files of temporary removable devices
/mnt : Contains mount point for filesystems
/boot : Contains boot loader files
/tmp : Contains temporary files
/var : Contains variable files, such as logs
/proc : Contains information about the system processes


Users and groups

Users and groups are vital in Linux because it is a multitasking, multi-user system. To manage users and groups you can use a set of Linux commands including:

useradd : to add a new user
passwd : to change a user's password
userdel : to delete a user; add the ‘-r’ option to also delete the files of the user you are deleting

To check the Linux groups, type cat /etc/group (we are using cat as a display command)


To create a group you can use groupadd (newgrp only switches your current group; it does not create one):

groupadd <Group-Name-Here>

Permissions

To protect users and groups, Linux uses permissions. The three main permissions used in Linux are:

Read, represented by the letter (r)
Write, represented by the letter (w)
Execute, represented by the letter (x)

To view the permissions of a file, use the ls command with the -l option: ls -l <file>


Where the mode field shown by ls -l is laid out as follows:

[figure: layout of the permission mode field]

chmod, chown and chroot commands:

To change the permissions of a file you can use the chmod command in the following format:

chmod <Permission Letters> <File/Directory>

Or you can use the octal representation instead of the permission letters:

[figure: table of octal permission values]

  • chown is used to change the owner of a file
  • chroot is a technique used to separate a non-root process and its children from the rest of the system
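To see how the mode string from ls -l, the octal notation and the symbolic chmod notation fit together, here is an added shell example that is not from the original article. It decodes a string such as rwxr-x--- into 0750 (including the setuid, setgid and sticky bits) and applies chmod in both notations to a temporary file, reading the result back from ls -l; all function names are made up for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original article): decoding the permission
# string printed by `ls -l` into its octal form, and showing that symbolic and
# octal chmod arguments are two notations for the same mode. POSIX sh only.

# Value of one rwx triplet, e.g. "r-x" -> 5. The letters s and t (setuid,
# setgid, sticky) imply that the execute bit is also set.
triplet_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
}

# Convert the 9-character string (characters 2-10 of an ls -l line) such as
# rwxr-x--- into a 4-digit octal mode such as 0750. The leading digit carries
# setuid (4), setgid (2) and sticky (1); an upper-case S or T means the special
# bit is set without the matching execute bit.
mode_to_octal() {
    m=$1
    special=0
    case "$m" in ??[sS]??????) special=$((special + 4)) ;; esac   # setuid
    case "$m" in ?????[sS]???) special=$((special + 2)) ;; esac   # setgid
    case "$m" in ????????[tT]) special=$((special + 1)) ;; esac   # sticky
    u=$(triplet_value "$(printf '%s' "$m" | cut -c1-3)")
    g=$(triplet_value "$(printf '%s' "$m" | cut -c4-6)")
    o=$(triplet_value "$(printf '%s' "$m" | cut -c7-9)")
    printf '%s%s%s%s\n' "$special" "$u" "$g" "$o"
}

# Read the permission string of a path from ls -l (skip the type character).
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Apply chmod in both notations to a throwaway file and report the octal mode
# observed after each step, e.g. "0600 0740 0750".
chmod_demo() {
    tmp=$(mktemp)
    chmod 600 "$tmp"          # octal:    owner read/write only
    a=$(mode_to_octal "$(perm_string "$tmp")")
    chmod u+x,g+r "$tmp"      # symbolic: add execute for owner, read for group
    b=$(mode_to_octal "$(perm_string "$tmp")")
    chmod 750 "$tmp"          # octal:    rwxr-x---
    c=$(mode_to_octal "$(perm_string "$tmp")")
    rm -f "$tmp"
    echo "$a $b $c"
}

# Usage when run directly:
#   mode_to_octal rwsr-xr-x   -> 4755   (a setuid binary)
#   chmod_demo                -> 0600 0740 0750
```

The leading digit is the one that matters for the SUID abuse technique discussed later in the article: a 4 there means the file runs with its owner's identity no matter who executes it.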

Cronjobs and Crontabs:

Automation and scheduling are very important aspects of system administration, especially on Linux. Automating tasks makes the job of system administrators much easier. Linux provides scheduling capabilities to run commands or scripts at a specific time; we call it cron (from chronos, Greek for time). To schedule a task you need to follow this format, with the five time fields in this order:

<Minutes> <Hour> <Day of the Month> <Month> <Day of the week> <Command>

[figure: example of a cron job]

To check the Crontab (The file that contains information about the cronjobs) just type cat /etc/crontab


Linux attack vectors

After acquiring a fair understanding of the Linux OS environment and commands, it is time to discuss Linux threats. To attack a Linux infrastructure, attackers use many attack vectors. Generally, attack vectors can be categorized into three main types:

  • Network threats
  • Host threats
  • Application threats

We are going to discuss Linux threats in detail in the following sections, but before attacking a Linux machine a phase of enumeration is needed, as in any methodical attack.

OS Detection with Nmap


To detect whether a host is running Linux you can use the famous network scanner Nmap with OS detection enabled. Just type: nmap -O <target>

Linux enumeration

To enumerate a Linux Machine you can use a wide range of open source tools. One of the best tools is LinEnum.

You can download it from here: https://github.com/rebootuser/LinEnum

General usage: ./LinEnum.sh -k keyword -r report -e /tmp/ -t

OPTIONS:

-k Enter keyword
-e Enter export location
-t Include thorough (lengthy) tests
-r Enter report name
-h Displays this help text
Running with no options = limited scans/no output file

-e Requires the user enters an output location i.e. /tmp/export. If this location does not exist, it will be created.
-r Requires the user to enter a report name. The report (.txt file) will be saved to the current working directory.
-t Performs thorough (slow) tests. Without this switch default ‘quick’ scans are performed.
-k An optional switch for which the user can search for a single keyword within many files (documented below).

This tool helps you find information about the Linux host, including:

  • System Information:
    • Hostname
    • Networking details:
      • Current IP
      • Default route details
      • DNS server information
  • User Information:
    • Current user details
    • Last logged on users
    • Shows users logged onto the host
    • List all users including uid/gid information
    • List root accounts
    • Extracts password policies and hash storage method information
    • Checks umask value
    • Checks if password hashes are stored in /etc/passwd
    • Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc.
    • Attempt to read restricted files i.e. /etc/shadow
    • List current users history files (i.e .bash_history, .nano_history etc.)
    • Basic SSH checks

Linux Privilege escalation

By definition: “A privilege escalation attack is a type of intrusion that takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications.” (Source: techtarget.com)

The escalation can be vertical or horizontal: if we move from one account to another with the same privileges it is horizontal, otherwise it is vertical escalation. There are many privilege escalation techniques used in the wild, including:

  • Linux service exploitation: done by finding a bug in Linux services or their configuration
  • Wildcards: wildcards can be used to inject arbitrary commands. For more information read “Back To The Future: Unix Wildcards Gone Wild”: https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
  • SUID abuse: in this technique the attackers use a legitimate setuid tool that runs with root privileges, like nmap, to run malicious commands on the system
  • Linux kernel exploitation: this technique is highly dangerous; if attackers exploit the Linux kernel they are able to take full control of the system

To check your system for privilege escalation weaknesses you can use
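As an added example for the cron and SUID-abuse points above (not from the original article, and not any of the tools it mentions), the following POSIX shell script audits a directory tree for two of the weaknesses a defender checks first: setuid binaries, and system crontab jobs whose program file is writable by group or others. Every path in it is a constructed demo path built in a temporary directory; on a live host you would point find_suid at / and writable_cron_commands at /etc/crontab.

```sh
#!/bin/sh
# Added example, not from the original article: a small audit for two of the
# privilege-escalation weaknesses listed above, run against a throwaway
# directory tree so it can be tried safely. Every path below is constructed
# for the demo.

# Build a fake root containing a setuid binary, a normal binary, and a system
# crontab with one job whose script is world-writable and one whose is not.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/opt" "$root/etc"
    printf '#!/bin/sh\necho hi\n'     >"$root/usr/bin/suidtool"; chmod 4755 "$root/usr/bin/suidtool"
    printf '#!/bin/sh\necho hi\n'     >"$root/usr/bin/normal";   chmod 0755 "$root/usr/bin/normal"
    printf '#!/bin/sh\necho backup\n' >"$root/opt/backup.sh";    chmod 0777 "$root/opt/backup.sh"  # world-writable
    printf '#!/bin/sh\necho clean\n'  >"$root/opt/clean.sh";     chmod 0755 "$root/opt/clean.sh"
    # System crontab layout: minute hour day-of-month month day-of-week user command
    cat >"$root/etc/crontab" <<EOF
# m h dom mon dow user command
0 2 * * * root $root/opt/backup.sh
*/5 * * * * root $root/opt/clean.sh
EOF
    echo "$root"
}

# Files with the setuid bit (4000) under a tree. Each one runs as its owner
# regardless of who executes it, so every entry deserves a second look.
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Is a path writable by group or others? Read the 9-character ls -l mode
# string and look at the group-write (5th) and other-write (8th) characters.
writable_by_others() {
    case "$(ls -ld "$1" | cut -c2-10)" in
        ????w????|???????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Parse a system crontab: skip comments and blank lines, then split each job
# into its five schedule fields, the user, and the command. Report every
# command whose program file is writable by group or others: whoever can edit
# that file gets code run as the cron user (often root) on the schedule.
writable_cron_commands() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r minute hour dom month dow user cmd; do
        prog=${cmd%% *}                 # first word of the command part
        [ -f "$prog" ] || continue      # not present in the demo tree: skip
        if writable_by_others "$prog"; then
            echo "$prog"
        fi
    done
}

# Usage when run directly:
#   root=$(make_demo_tree)
#   find_suid "$root"                          -> $root/usr/bin/suidtool
#   writable_cron_commands "$root/etc/crontab" -> $root/opt/backup.sh
#   rm -rf "$root"
```

The crontab parser relies on the field order given in the cron section (minute first, day of week fifth, then the user on a system crontab); a user crontab edited with crontab -e has no user field, so the read line would need one variable fewer there.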

 

 

 
