For the past few days I've been thinking about whether to share the scripts I've put together. Being a guy who is fascinated with Offensive Security, I felt that sharing everything that I worked hard on was like giving away my ammunition.
However, I strongly feel that sharing my knowledge and my tricks has more benefits for the Info Sec Community and myself.
I also realized the constraints of blogging and of relying only on screenshots without being able to show proofs of concept via videos. So I decided to go ahead and create a YouTube Channel where I will upload the videos.
Where possible at the bottom of each article I will attach a video demo.
These are my Advanced Persistent Threat (APT) tricks that I put together in order to achieve some level of persistence. These methods are not 100% undetectable, but they may preserve a backdoor into the system.
First and foremost I need to make sure that the system in question has all the requirements installed in order to execute all my scripts. The requirements differ from system to system, but I am keeping things broad to target the common Linux distros.
With an if-else statement I am checking if the system is using apt or yum.
Advanced Package Tool, also known as APT, works with libraries to handle the installation and removal of packages.
Yellowdog Updater also known as YUM is a command line package manager utility for Linux operating systems commonly found on CentOS/RHEL distributions.
Where needed, I installed cron, net-tools, and systemd.
Users that set up and maintain software use Cron to schedule jobs that are running periodically at fixed intervals.
Cron and Crontab
The tool is called cron, and crontab is the binary that will print the jobs that cron is executing.
The Net-tools package is made up of programs which form the base of Linux networking.
Systemd is a Linux service manager that includes features like on-demand starting of daemons, mount and automount point maintenance, and processes tracking.
I like to encode my scripts, so below is a version of the initial script that has undergone simple Base64 encoding and a file format change.
In case you are wondering why I'm using the .JPG format, it is just something I prefer. I want to camouflage myself as much as possible in the event "someone" finds my files. Using jpg, gif or other unsuspicious formats, file names and output folders might trick the "person" into believing it is not something malicious.
This is the main script that does most of the work.
To briefly explain what is happening in this script: it is purposely made to be executed on a system where I would be root. I have created different scripts for systems where I have limited access but still want some form of persistence; I will get into that further along.
It clones the SSH port: apart from the default one, whether it is 22 or the admin has changed it to 2222, my new port will be 28822.
I am using authorized_keys and placing my own key into the .ssh folder (/root/.ssh/); this key is crafted to look like it was generated by the server itself to blend in. I am also adding a new user called "system" with admin privileges, and this user will be placed right underneath the root user. By default new users are written at the bottom of the passwd and shadow files, but I think that by moving it to the top it would be harder to spot.
This script will be put into /etc/syslogservice.
The script is also making sure that my new ssh backdoor port will be allowed in the system via ufw and iptables, also adding a new entry in .bashrc.
.bashrc initializes an interactive shell session. Any command that is put in this file is executed whenever a new terminal session is opened.
I am making use of grep, sed, and echo with the other variables in my script to help me along the way in injecting code in places where I want it to be (e.g. changing PermitRootLogin from no to yes in sshd_config).
Again, as with the previous script, this one will undergo encoding.
The command chown root:root changes the user and group of the specified file or directory to user root and group root.
More important is chattr: this is the command in the GNU system that allows a user to set certain attributes of a file.
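Seen from the defending side, the changes described above leave checkable traces. The sketch below is an added example, not code from this post: it flags a login-capable regular account listed above the system accounts in a passwd file, and an sshd_config that opens an unexpected port or permits root login. The sample file contents, the function names and the expected port set are assumptions made for the demonstration.

```python
# Constructed sample data; the "system" account and port 28822 are the
# values named in the article, everything else is made up for the demo.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
system:x:1001:1001::/home/system:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SSHD_CONFIG = """\
Port 22
Port 28822
PermitRootLogin yes
PasswordAuthentication no
"""
NOLOGIN = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")


def misplaced_accounts(passwd_text, uid_min=1000):
    """Login-capable accounts with UID >= uid_min listed above a system account."""
    rows = [l.split(":") for l in passwd_text.splitlines() if l.count(":") == 6]
    last_system = max((i for i, r in enumerate(rows) if int(r[2]) < uid_min), default=-1)
    return [r[0] for i, r in enumerate(rows)
            if i < last_system and int(r[2]) >= uid_min and r[6] not in NOLOGIN]


def sshd_findings(config_text, expected_ports=frozenset({22})):
    """Flag extra listening ports and PermitRootLogin yes in the global section."""
    ports, root_login = [], None
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].lower()
        if key == "match":          # per-match overrides are out of scope here
            break
        if key == "port":
            ports.append(int(value))
        elif key == "permitrootlogin" and root_login is None:
            root_login = value      # sshd keeps the first value it reads
    findings = [f"unexpected sshd port {p}" for p in ports if p not in expected_ports]
    if root_login == "yes":
        findings.append("PermitRootLogin yes")
    return findings


if __name__ == "__main__":
    print(misplaced_accounts(SAMPLE_PASSWD), sshd_findings(SAMPLE_SSHD_CONFIG))
```

On a real host the inputs would be the contents of /etc/passwd and the sshd configuration file, with expected_ports set to the ports the administrators actually configured.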
I am doing this because I don't want my file being edited or removed from the system. As you can see even with administrative privileges I cannot change, remove or edit the file.
It means execute syslogservice at 10 minutes past every hour.
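An immutable file that is also the target of a scheduled job is a combination worth reviewing during an audit. The following is an added example, not code from this post: it reads lsattr output and crontab text, expands the schedule fields, and reports jobs whose command names a file carrying the immutable attribute. The sample lsattr and crontab lines and the function names are constructed for the demonstration.

```python
import re

# Constructed sample input; only the path /etc/syslogservice and the
# "10 minutes past every hour" schedule are taken from the article.
SAMPLE_LSATTR = """\
--------------e------- /etc/hostname
----i---------e------- /etc/syslogservice
--------------e------- /etc/crontab
"""
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
10 * * * * root /etc/syslogservice
"""


def immutable_paths(lsattr_text):
    """Paths whose lsattr flag column contains 'i' (the immutable attribute)."""
    found = set()
    for line in lsattr_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and re.fullmatch(r"[A-Za-z-]+", parts[0]) and "i" in parts[0]:
            found.add(parts[1].strip())
    return found


def expand(field, lo, hi):
    """Expand one cron field (*, */n, a-b, a-b/n, a,b) into a sorted list."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = map(int, rng.split("-"))
        else:
            start = end = int(rng)
        values.update(range(start, end + 1, int(step or 1)))
    return sorted(values)


def cron_jobs_on_immutable(crontab_text, lsattr_text):
    """(path, minutes, runs per scheduled day) for jobs naming an immutable file."""
    locked, hits = immutable_paths(lsattr_text), []
    for line in crontab_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not re.match(r"[\d*]", fields[0]):
            continue                  # comments, VAR=value lines, @reboot shortcuts
        minutes, hours = expand(fields[0], 0, 59), expand(fields[1], 0, 23)
        hits += [(tok, minutes, len(minutes) * len(hours)) for tok in fields[5:] if tok in locked]
    return hits
```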
Encoding the cron script below.
The next thing I want to do is also beneficial to the "system that has been compromised". What...? Putting my whitehat on...
I would not like other hackers to "compromise" the same systems that "I did". So I am going to harden the system by installing fail2ban to block other ssh attempts. I would have a look in the system to get a feel of what it is being used for, update all the packages, check the system for weak passwords, and basically any way of someone else getting in. (Being selfish, am I?)
Fail2ban is a framework that prevents intrusion; it protects systems from brute force attacks.
Using a simple if / else statement I am installing fail2ban and creating the jail file for the ssh protocol.
I can also configure Fail2Ban to monitor Apache or Nginx logs. There are many 'jail' templates that I could include in my script, but for the purpose of this demo I am only creating a jail for the ssh protocol. Below are other jails and what they are used for.
[apache-noscript] jail is used to ban clients that are looking for scripts on the webpage to execute and exploit.
The [apache-overflows] jail is used to restrict access to clients who are trying to request suspicious URLs. These can often be signs of attempts from attackers that are trying to exploit your webserver by triggering buffer overflows.
Another additional jail is apache-badbots, which is used to stop known malicious bots.
Lastly, if you are running apache with php, you may need to enable the [php-url-fopen] jail; this blocks attempts to use specific php behavior for malicious purposes. You are most likely going to need to change the logpath directory to point to the correct access log location, e.g. in Ubuntu the location is /var/log/apache2/access.log.
Encoding the fail2ban script:
In this script I have also added a fail2ban service. This is just a timer that makes sure that fail2ban is always running.
Systemd services are unit files whose names end in .service. These timers can be used as an alternative to cron.
Encoding fail2ban service:
I also need a service for syslogservice:
Explaining the parameters in this service file.
Description= This is just a description for the service
Requires=network configuration dependency
After=This means that the service must be started after the network is ready.
Example: If my program expected the MySQL server to be running, I would add:
WorkingDirectory=The folder in which the script or binary is located.
ExecStart=here is the absolute path for the program I want to start.
SuccessExitStatus=143; this exit code means that the program received a SIGTERM signal to instruct it to exit, but it did not handle the signal properly.
TimeoutStopSec= Configures the time to wait for each ExecStop= command.
By default, systemd doesn't restart the service if the program exits. This is usually not what I want for a service that must be always running, so I'm instructing it to always restart on exit.
I could also use on-failure to only restart if the exit status is not 0.
By default, systemd attempts a restart after 100ms. I can specify the number of seconds to wait before attempting a restart.
It is useful to note: by default, when I configure Restart=always, systemd will give up restarting my service (forever) if it fails to start it in 5 attempts within 10 seconds. The settings that are responsible for this are StartLimitBurst=5 and StartLimitIntervalSec=10.
The RestartSec parameter will also have an impact, for example if it is set to restart within 3 seconds then I cannot reach 5 failed tries within 10 seconds, right? right. The easiest fix will be to set StartLimitIntervalSec=0, this means that systemd will attempt to start the service forever. As an alternative, by leaving the default settings, I can tell systemd to restart the service if the start limit is reached by using StartLimitAction=reboot.
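The interaction between RestartSec and the start limit described above can be checked mechanically when reviewing unit files. The following is an added example, not code from this post: it parses a .service file, works out whether the start limit can ever trigger, and flags units that restart forever or run a binary outside the usual system directories. The sample unit, the trusted directory list and the function names are assumptions; the timing model assumes the service fails immediately and that time values are plain seconds.

```python
# Constructed unit file for the demo; the directive names are the ones the
# article lists and /etc/syslogservice is the path it mentions.
SAMPLE_UNIT = """\
[Unit]
After=network.target
StartLimitIntervalSec=0

[Service]
ExecStart=/etc/syslogservice
Restart=always
RestartSec=3
"""
TRUSTED = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/")


def parse_unit(text):
    """Return {section: {key: last value}}; enough for single-valued directives."""
    unit, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = unit.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return unit


def start_limit_reachable(restart_sec, burst=5, interval=10.0):
    """True if an instantly failing service can make start burst+1 inside one window."""
    if interval == 0:                       # 0 switches rate limiting off
        return False
    return burst * restart_sec <= interval  # start number burst+1 happens at this time


def audit_unit(text):
    """Findings for a .service file; time values are assumed to be plain seconds."""
    unit = parse_unit(text)
    svc, meta, findings = unit.get("Service", {}), unit.get("Unit", {}), []
    exe = svc.get("ExecStart", "").lstrip("-@+!:").split(" ")[0]
    if exe and not exe.startswith(TRUSTED):
        findings.append(f"ExecStart outside trusted dirs: {exe}")
    if svc.get("Restart") == "always" and not start_limit_reachable(
            float(svc.get("RestartSec", 0.1)),
            int(meta.get("StartLimitBurst", 5)),
            float(meta.get("StartLimitIntervalSec", 10))):
        findings.append("Restart=always and the start limit can never trigger")
    return findings
```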
Using tar and assuming these files are within a folder I can pack them all into 1 single file.
tar czvf unix.jpg *
I like keeping persistence through light scripts and not rootkits, which are potentially detected by AVs or by other scanners because they infect a lot of /bin files. See my previous post at have-i-been-hacked, where I talk about rkhunter and chkrootkit.
This blog post is informative for both communities, Offensive and Defensive as it shows a tiny glimpse into the world of hide and seek.
Room for improvement? Sure there is! This is just a warm-up!
The idea is to blend in the system as much as possible, stay hidden and quiet for as long as possible.
To do: inject a sneaky web shell in the web server that would get me a simple shell.
Have you got suggestions for improvement? Get in touch!
In a future post I will go into detail about hiding the output from netstat, and further hiding our files and tracks within the system.
Thank you for reading my article. Until next time!