linux-security
All things linux security!
Tools
• LinEnum, privilege escalation checks on Linux: github.com/rebootuser/LinEnum
• LinPEAS, an amazing privilege escalation script: github.com/carlospolop/PEASS-ng/tree/master/linPEAS#linpeas---linux-privilege-escalation-awesome-script
System Structure
• /bin -> essential user command binaries
• /etc -> configuration files for the system
- /etc/pam.d/ -> pluggable authentication modules, responsible for checking local account authentication
- /etc/security -> configuration for many of the modules installed with pam
- /etc/security/limits.conf -> resource limits for specific users or groups
- /etc/host.conf -> resolver configuration file, see man host.conf
- /etc/sudoers -> shows who can run what through sudo. edit with visudo
• /sbin -> essential system binaries
• /usr -> read-only user application support data & binaries
- /usr/bin -> most user commands and whatnot
- /usr/include -> standard header files, e.g., what's needed to compile C
- /usr/lib -> object files, binaries and libraries for programs and packages
- /usr/local -> locally installed software, contains bin, lib, man, sbin, share
- /usr/share -> architecture-independent data shared across all architectures
• /var -> variable data files
- /var/cache -> application cache data
- /var/lib -> state data modified as programs run
- /var/log -> logs
- /var/opt -> variable data for installed packages
- /var/spool -> data waiting to be processed, e.g., /var/spool/mail
- /var/tmp -> temporary files preserved between reboots
• /dev -> device files
- /dev/null -> discards everything written to it
• /home -> user home directories
• /lib -> libraries and kernel modules
• /mnt -> mount point for temporarily mounted file systems
• /opt -> optional software applications
• /proc -> process and kernel info files
• /root -> home dir for the root user!
• /boot -> everything needed for boot
Important things to check
• who / w -> see who is currently logged in
• last -> recent logins
• ps aux / top -> see what processes are currently running
• netstat -tuln / ss -tuln -> see listening sockets
• /etc/passwd -> check for unfamiliar user accounts
• /etc/shadow -> look for users with no passwords or weak passwords
- look for users with UID of 0 other than root (the UID is in /etc/passwd)
- to disable an account, put a ! in front of their hash as such:
username:!$6$hashvalue:...
• /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS) -> authentication logs
• check crontab at /etc/crontab
• look at services in /etc/systemd and /etc/init.d
• check out /etc/rc.local and /etc/inittab
• nmap scan on myself: nmap -p- -sV --open -v 127.0.0.1
• look at permissions for like, the fucking cronjob items lmao. /var/spool/cron
• look at vim history (~/.viminfo)
• look at sudoers
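To make the /etc/passwd, /etc/shadow and cron-permission checks above repeatable, here is an added example script (not part of the original notes). Every helper takes the file or directory to inspect as an argument, so it runs against the constructed sample data embedded below and, with sudo, against the real /etc files; the account names, hashes and cron entries are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): small audit helpers for the
# /etc/passwd, /etc/shadow and cron checks above. Every function takes the
# file or directory to inspect, so it can run against the constructed sample
# data below or against the real /etc files (with sudo).

# Accounts with UID 0 (field 3 of passwd) that are not root: any of these
# is effectively a second root account.
find_uid0_users() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shadow password field (field 2) is empty: depending on the
# PAM configuration these may log in with no password at all.
find_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts already locked: the password field begins with "!" or "*".
find_locked_accounts() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# Show what a shadow line looks like once the "!" prefix from the notes is
# applied. This only prints the result; to lock a real account use
# `passwd -l USER` (or `usermod -L USER`), which applies the same prefix.
locked_form() {
    printf '%s\n' "$1" | awk -F: 'BEGIN { OFS = ":" } { if ($2 !~ /^!/) $2 = "!" $2; print }'
}

# Cron files under the given directories that are group- or world-writable.
# Anyone who can write such a file can schedule commands as its owner.
find_writable_cron() {
    find "$@" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# --- constructed sample data (not from a real host) -----------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:0:0::/root:/bin/bash
EOF

cat > "$demo_dir/shadow" <<'EOF'
root:$6$examplesalt$examplehash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:!$6$examplesalt$examplehash:19000:0:99999:7:::
EOF

mkdir -p "$demo_dir/cron.d" "$demo_dir/spool_cron"
printf '0 2 * * * root /usr/local/bin/backup\n' > "$demo_dir/cron.d/backup"
printf '*/5 * * * * /home/alice/bin/sync.sh\n' > "$demo_dir/spool_cron/alice"
chmod 644 "$demo_dir/cron.d/backup"
chmod 666 "$demo_dir/spool_cron/alice"   # the misconfiguration we want to catch

printf 'UID 0 accounts other than root:\n'; find_uid0_users "$demo_dir/passwd"
printf 'Accounts with an empty password field:\n'; find_empty_passwords "$demo_dir/shadow"
printf 'Locked accounts:\n'; find_locked_accounts "$demo_dir/shadow"
printf 'Locked form of a shadow line:\n'; locked_form 'alice:$6$examplesalt$examplehash:19000:0:99999:7:::'
printf 'Group/world-writable cron files:\n'; find_writable_cron "$demo_dir/cron.d" "$demo_dir/spool_cron"
```

On a live box, point the helpers at /etc/passwd, /etc/shadow, /etc/cron.d and /var/spool/cron instead of the demo directory; the shadow and spool checks need root.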
Analyzing sus things
• identify sus processes with top/htop
• use ps aux to list all running processes. look for sus things!
• look at netstat -tulnp or ss -tulnp to see active network connections - look for unfamiliar IP addresses or unexpected outbound connections.
- also, look at lsof -i :port to find which processes are using network connections. might need sudo.
• check ps aux | grep [PID]
• once we have a process, use lsof -p [PID] to see which files the process is accessing, or strace -p [PID] to trace system calls made by it
• to analyze a suspicious binary, use GDB, strings, file (to determine filetype)
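The listener and process checks above can be turned into a small triage script; the one below is an added example, not part of the original notes. The ss output it parses is constructed rather than captured from a real host, and the baseline list of expected listener names is an assumption you replace with your own.

```shell
#!/bin/sh
# Added example (not from the original notes): triage helpers for the
# "sus process" workflow above. The ss output below is constructed; on a
# live system feed flag_listeners the output of `ss -tulnp` (run with sudo
# so the Process column is filled in for every socket).

# Constructed sample of `ss -tulnp` output.
ss_sample='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=890,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0      5      0.0.0.0:4444        0.0.0.0:*         users:(("nc",pid=4242,fd=3))
tcp   LISTEN 0      511    [::]:80             [::]:*            users:(("nginx",pid=1200,fd=6))'

# Baseline: process names you expect to be listening on this host
# (assumed for the example; replace with your own list).
expected_listeners='sshd nginx cupsd systemd-resolve'

# Print "proto local-address process pid scope" for every socket whose
# owning process is not in expected_listeners. scope says whether it binds
# all interfaces (reachable from the network) or only localhost.
flag_listeners() {
    printf '%s\n' "$1" | awk -v ok="$expected_listeners" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        NR == 1 { next }                              # column header
        {
            proc = "?"; pid = "?"
            # users:(("name",pid=NNN,fd=N)) -> pull out name and pid
            if (match($0, "\"[^\"]+\",pid=[0-9]+")) {
                s = substr($0, RSTART, RLENGTH)
                split(s, parts, ",")
                proc = parts[1]; gsub("\"", "", proc)
                pid = parts[2]; sub("pid=", "", pid)
            }
            scope = ($5 ~ /^(0\.0\.0\.0|\[::\]|\*):/) ? "all-interfaces" : "local-only"
            if (!(proc in allowed)) print $1, $5, proc, pid, scope
        }'
}

# Once a PID is flagged, gather the basics from /proc before reaching for
# lsof/strace: the binary on disk, working directory and command line.
# A "(deleted)" suffix on exe means the binary was removed after launch,
# which deserves a closer look. Needs Linux with /proc mounted.
proc_summary() {
    pid=$1
    [ -d "/proc/$pid" ] || { printf 'no /proc entry for pid %s\n' "$pid"; return 1; }
    printf 'exe:  %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null || echo unreadable)"
    printf 'cwd:  %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo unreadable)"
    printf 'cmd:  %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    printf 'next: lsof -p %s ; strace -p %s\n' "$pid" "$pid"
}

printf 'Unexpected listeners:\n'
flag_listeners "$ss_sample"
printf '\nSummary of this shell (pid %s):\n' "$$"
proc_summary "$$" || true
```

With the sample data only the nc listener on 0.0.0.0:4444 is reported; on a real host run `flag_listeners "$(sudo ss -tulnp)"` and then `proc_summary PID` for anything flagged.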