482 lines (418 loc) · 28.8 KB

PrivescPostExLin.md

File metadata and controls

482 lines (418 loc) · 28.8 KB

Linux Privilege Escalation & Post-Exploitation

Table of Contents

  • 101
  • Discovery
    • Articles/Blogposts/Writeups
    • Account Discovery
    • Browser Bookmark Discovery
    • File and Directory Discovery
    • Network Service Scanning
    • Network Sniffing
    • Password Policy Discovery
    • Permission Groups Discovery
    • Process Discovery
      • Articles/Blogposts/Writeups
      • Tools
        • pspy
          • pspy is a command line tool designed to snoop on processes without the need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. The tool gathers the info from procfs scans. Inotify watchers placed on selected parts of the file system trigger these scans to catch short-lived processes.
    • Remote System Discovery
      • nullinux
        • nullinux is an internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB. If no username and password are provided, nullinux will attempt to connect to the target using an SMB null session. Unlike many of the enumeration tools out there already, nullinux can enumerate multiple targets at once and, when finished, creates a users.txt file of all users found on the host(s). This file is formatted for direct implementation and further exploitation. This program assumes Python 2.7 and the smbclient package are installed on the machine. Run the setup.sh script to check if these packages are installed.
    • Software Discovery
    • System Information Discovery
    • System Network Configuration Discovery
    • System Network Connections Discovery
    • System Owner/User Discovery
  • Execution
  • Persistence
    • Account Manipulation
      • Additional Azure Service Principal Credentials
      • Exchange Email Delegate Permissions
      • Add Office 365 Global Administrator Role
      • SSH Authorized Keys
    • BITS Jobs
    • Boot or Logon Autostart Execution
      • Registry Run Keys / Startup Folder
      • Authentication Package
      • Time Providers
      • Winlogon Helper DLL
      • Security Support Provider
      • Kernel Modules and Extensions
      • Re-opened Applications
      • LSASS Driver
      • Shortcut Modification
      • Port Monitors
      • Plist Modification
    • Boot or Logon Initialization Scripts
      • Logon Script (Windows)
      • Logon Script (Mac)
      • Network Logon Script
      • Rc.common
      • Startup Items
      • Browser Extensions
    • Browser Extensions
    • Compromise Client Software Binary
      • Tools
    • Create Account
      • Local Account
      • Domain Account
      • Cloud Account
    • Create or Modify System Process
      • Launch Agent
      • Systemd Service
      • Windows Service
      • Launch Daemon
    • Event Triggered Execution
      • Change Default File Association
      • Screensaver
      • Windows Management Instrumentation Event Subscription
      • .bash_profile and .bashrc
      • Trap
      • LC_LOAD_DYLIB Addition
      • Netsh Helper DLL
      • Accessibility Features
      • AppCert DLLs
      • AppInit DLLs
      • Application Shimming
      • Image File Execution Options Injection
      • PowerShell Profile
      • Emond
      • Component Object Model Hijacking
    • External Remote Services
    • Hijack Execution Flow
      • Services File Permissions Weakness
      • Executable Installer File Permissions Weakness
      • Services Registry Permissions Weakness
      • Path Interception by Unquoted Path
      • Path Interception by PATH Environment Variable
      • Path Interception by Search Order Hijacking
      • DLL Search Order Hijacking
      • DLL Side-Loading
      • LD_PRELOAD
      • Dylib Hijacking
      • COR_PROFILER
      • Implant Container Image
    • Implant Container Image
    • Office Application Startup
      • Add-ins
      • Office Template Macros
      • Outlook Forms
      • Outlook Rules
      • Outlook Home Page
      • Office Test
    • Pre-OS Boot
      • System Firmware
      • Component Firmware
      • Bootkit
    • Scheduled Task/Job
      • At (Windows)
      • Scheduled Task
      • At (Linux)
      • Launchd
      • Cron
    • Server Software Component
      • SQL Stored Procedures
      • Transport Agent
      • Web Shell
    • Traffic Signaling
      • Port Knocking
    • Valid Accounts
      • Default Accounts
      • Domain Accounts
      • Local Accounts
      • Cloud Accounts
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
    • Bash History
      • Articles/Blogposts
      • Tools
    • Brute Force
      • Articles/Blogposts
      • Tools
    • Credential Dumping
      • Articles/Blogposts
        • Where 2 Worlds Collide: Bringing Mimikatz et al to UNIX - Tim(-Wadha) Brown
          • What this talk is about: why a domain-joined UNIX box matters to Enterprise Admins; how AD-based trust relationships on UNIX boxes are abused; how UNIX admins can help mitigate the worst side effects.
        • linikatz
          • This repository contains all of the scripts and source code for "Where 2 Worlds Collide: Bringing Mimikatz et al to UNIX". In addition to the main linikatz.sh script, this also includes auditd policies, John the Ripper rules, Metasploit post-exploitation modules and fuzzers. More will follow in due course.
        • Kerberos Credential Thiever (GNU/Linux) - Ronan Loftus, Arne Zismer
          • Kerberos is an authentication protocol that aims to reduce the amount of sensitive data that needs to be sent across a network with many network resources that require authentication. This reduces the risk of having authentication data stolen by an attacker. Network Attached Storage devices, big data processing applications like Hadoop, databases and web servers commonly run on GNU/Linux machines that are integrated in a Kerberos system. Due to the sensitivity of the data these services deal with, their security is of great importance. A lot of research has been done on sniffing and replaying Kerberos credentials from the network. However, little work has been done on stealing credentials from Kerberos clients on GNU/Linux. We therefore investigate the feasibility of extracting and reusing Kerberos credentials from GNU/Linux machines. In this research we show that all the credentials can be extracted, independently of how they are stored on the client. We also show how these credentials can be reused to impersonate the compromised client. In order to improve the security of Kerberos, we also propose mitigations to these attacks.
        • Exfiltrating credentials via PAM backdoors & DNS requests - x-c3ll
      • Tools
        • linikatz
        • mimipenguin
          • A tool to dump the login password from the current Linux user
        • 3snake
          • Targeting rooted servers, reads memory from sshd and sudo system calls that handle password-based authentication. Doesn't write any memory to the traced processes. Spawns a new process for every sshd and sudo command that is run. Listens for the proc event using netlink sockets to get candidate processes to trace. When it receives an sshd or sudo process, ptrace is attached and read and write system calls are traced, extracting strings related to password-based authentication.
        • Tickey
          • Tool to extract Kerberos tickets from Linux kernel keys. (Accompanying paper linked from the project.)
        • Impost3r
          • Impost3r is a tool, written in C, that aims to steal many kinds of Linux passwords (including ssh, su, sudo)
    • Credentials from Web Browsers
      • Articles/Blogposts
      • Tools
    • Credentials in Files
      • Articles/Blogposts
      • Tools
        • KeyTabExtract
          • KeyTabExtract is a little utility to help extract valuable information from 502 type .keytab files, which may be used to authenticate Linux boxes to Kerberos. The script will extract information such as the realm, Service Principal, Encryption Type and NTLM Hash.
        • swap_digger
          • swap_digger is a bash script used to automate Linux swap analysis for post-exploitation or forensics purposes. It automates swap extraction and searches for Linux user credentials, web form credentials, web form emails, HTTP basic authentication, WiFi SSIDs and keys, etc.
    • Exploitation for Credential Access
      • Articles/Blogposts
      • Tools
    • Input Capture
      • Articles/Blogposts
      • Tools
        • SudoHulk
          • This tool changes the sudo command by hooking the execve syscall using ptrace; tested under bash and zsh
    • Network Sniffing
      • Articles/Blogposts
      • Tools
    • Private Keys
      • Articles/Blogposts
      • Tools
    • Steal Web Session Cookie
      • Articles/Blogposts
      • Tools
    • Two-Factor Authentication Interception
      • Articles/Blogposts
      • Tools
  • Lateral Movement
  • Collection
    • Audio Capture
    • Automated Collection
    • Clipboard Data
    • Data from Information Repositories
    • Data from Local System
      • Tools
        • swap_digger
          • swap_digger is a bash script used to automate Linux swap analysis for post-exploitation or forensics purposes. It automates swap extraction and searches for Linux user credentials, web form credentials, web form emails, HTTP basic authentication, WiFi SSIDs and keys, etc.
    • Data from Network Shared Drive
    • Data from Removable Media
    • Data Staged
    • Input Capture
    • Screen Capture

Linux Code Injection

  • 101
  • Articles/Blogposts/Writeups
  • Talks & Presentations
  • Tools
    • Jugaad - Thread Injection Kit
      • Jugaad is an attempt to create a CreateRemoteThread() equivalent for *nix platforms. The current version supports only the Linux operating system. For details on the methodology behind Jugaad and how things work under the hood, visit http://null.co.in/section/projects for a detailed paper.
    • linux-injector
      • Utility for injecting executable code into a running process on x86/x64 Linux. It uses ptrace() to attach to a process, then mmap()s memory regions for the injected code, a new stack, and space for trampoline shellcode. Finally, the trampoline in the target process is used to create a new thread and execute the chosen shellcode, so the main thread is allowed to continue. This project borrows from a number of other projects and research; see its References section.
    • linux-inject
      • Tool for injecting a shared object into a Linux process
    • injectso64
      • This is the x86-64 rewrite of Shaun Clowes' i386/SPARC injectso which he presented at Blackhat Europe 2001.
  • Techniques