MITRE ATT&CK - Resource Development - Building Custom Tools

 MITRE ATT&CK - Resource Development - Building Custom Tools

1. Local Enumeration - Architecture

The difference between reconnaissance and enumeration stands in the former being the act of scouting or exploring with the aim of gaining information. On the other hand, enumeration is the second phase centered around the obtainment of information missed during the first phase. E.g. The versions of services or operating systems scanned on the target's machine. 

The architecture of the Linux operating system contains the following components: the Kernel, System Library, Hardware layer, System, and Shell utility. In terms of security, valuable information is contained within these components. Nonetheless, specific versions of the components are vulnerable to adversary threats. 

Enumerating the architecture is crucial in gaining information and using it to determine the machine environment.

Create a bash script using gedit in order to enumerate the architecture of the local machine by using the following command:

# sudo gedit arch-enum

#!/bin/bash <determines it is a bash (Bourne Again Shell) script
uname -a <unix name all: prints name, version, and other details regarding the current machine and OS
arch <print the computer architecture>
getconf LONG_BIT <examines to see if the OS kernel is 32 bit or 64 bit)
lsb_release -a <obtains specific information specific to the local Linux dist>
env <current environment>

Make the bash script executable:
# sudo chmod +x arch-enum


2. Local Enumeration - Running Processes

Linux systems provide a variety of system services (processes). Each service is assigned a unique PID (process identification number). The system reuses old PIDs for new processes if no possible combinations are left. A process may be initiated as a foreground or background process. By default, all commands running in the shell will start as foreground processes. Init is a daemon process, which begins when a computer boots. Init is the parent of all other running processes be that directly or indirectly. As such, it is typically assigned “pid=1“. 

Use the following command to create a bash script using gedit, which will be used to enumerate and monitor local running processes:
# sudo gedit proc-enum
#!/bin/bash
sudo netstat -antup
top

Commands used for local process enumeration in the bash file are:

• netstat -antup (network statistics) command is used to display detailed information on the network status of the local machine.

• top command is used to list all active processes and threads currently managed by the Linux Kernel.

Make the bash script executable in order to use it with the following command:

# sudo chmod +x proc-enum
Run the bash script and analyze the displayed output:
# ./proc-enum


3. Local Enumeration - Weak File Permissions

Files with weak permissions allow privilege escalation on the system. This occurs due to permissions on the files being overly lenient. Low level users may gain root access to the system if they have writing permission on a file owned by the root or a group with sudo privileges.

Create a bash script named file-enum in /home/admin using nano to enumerate weak file permissions in the local machine:

# sudo nano file-enum

Add the commands shown below to the script:

#!/bin/bash whoami pwd id finger find / ‑perm /6000

Commands used for local weak file enumeration in the bash file are:

• whoami - displays the username of the current user.

• id - displays the UID and all groups associated with a user.

• pwd - displays the current path.

• finger - provides details on all the users currently logged in.

• find / -perm /6000 - lists out all the SUID and SGID files.

Make the bash script executable by using the following command:

sudo chmod +x file‑enum

Run the bash script and analyze the displayed output:

./file‑enum


4. Resolving Hostname to IP with Python

The following steps focus on building custom tools using Python. Python is a valuable exploit development tool used to discover, explore, and exploit a wide range of vulnerabilities. Python scripts are agile and easy to write. As such, swift iteration is present when designing and testing exploit code due to Python using its own interpreter

Create a Python script to resolve the Hostname to IP by using the Socket library containing the functions below:

• import socket - a Python library used to connect two nodes on a network with the aim of fostering communication.

• hostname - is a unique identifier (parameter) for the target's machine.

• ipAddress - is a unique identifier (parameter) for the target's machine IP. When given a hostname, the gethostbyname() function returns the IP address of the host.

• print() - used to display the operation.

Use gedit to create a file for the Python script:

sudo gedit host‑ip.py


Write the code as shown below:

import socket hostname = input("Domain: ") ipAddress = socket.gethostbyname(hostname) print("IP address of the hostname {} is: {}".format(hostname, ipAddress))

Afterwards, run the python script and resolve the host www.lab.com using the following command:

python3 host‑ip.py






Comments

Post a Comment

Popular posts from this blog

Install Gophish and Start Your Phishing Campaign

Image
Install Gophish on Kali Linux and Start Your Phishing Campaign  Installing go programming language # source ~/.bashrc # sudo apt install -y golang # sudo vim helloworld.go  # go run helloworld.go # sudo vim ~/.bashrc Add the following paths to the end of the file export GOPATH=/root/go-workspace export GOROOT=/usr/local/go PATH=$PATH:$GOROOT/bin/:$GOPATH/bin Installing gophish using pre-built binaries Download the  gophish installer  and extract the contents of the zip file # unzip gophish-v0.11.0-linux-64bit.zip -d /home/kali/Downloads/gophish Give Gophish necessary permissions Give the gophish the necessary permissions to run without permission restrictions: # sudo chmod +x gophish Running gophish # ./gophish Logging into gophish  Go to the admin server at https://127.0.0.0:3333. Setting up gophish sending profile New Sending Profile Note : Create an application-specific password on Gmail. First, enable 2-step verification: Send Test Email Received the test em...
Read more

[LINUX] - SECURING LINUX SYSTEMS

Image
TOPIC A: IMPLEMENT CYBERSECURITY BEST PRACTICES A chroot jail is a technique of controlling what a process a user can access on a file system by changing the root directory of that process's environment: Encryption is a cryptographic technique that converts data from plaintext into coded, or ciphertext, form. Decryption is the companion technique that converts ciphertext back to plaintext: LUKS: Linux Unified Key Setup is a platform-independent FDE solution that is commonly that is commonly used to encrypt storage devices in a Linux environment. The cryptsetup command is used as a front-end to LUKS and dm-crypt SYNTAX The syntax of the cryptsetup command is cryptsetup [options] {actions} [action arguments]  Hashing is a process or function that transforms plaintext input into an indecipherable fixed-length output and ensures this process cannot be feasibly reversed. The resulting output of the hashing process is called a hash, hash value, or message digest. TOPIC B: IMPLEMENT IAM M...
Read more

Hướng dẫn cách đọc và hiểu thông số firewall - tường lửa

Image
  Hướng dẫn cách hiểu thông số firewall - tường lửa 17/01/2021 09:00 Chắc hẳn trong chúng ta khi tìm hiểu các mẫu mã và thông số firewalls (tường lửa) để mua cho công ty, ai cũng thấy bối rối khi đọc các thông số kỹ thuật. Vậy làm cách nào để có thể hiểu được các thông số cơ bản của firewalls? Firewall Throughput Thông thường, chỉ số này được ghi là Mbps (megabits per second) hoặc Gbps (gigabits per second). Đây chính là lượng traffic có thể đi qua tường lửa tài một thời điểm. Thông số này có vẻ quan trọng, nhưng thực ra nó...không có ý nghĩa gì lắm. Thực ra con số này chỉ là con số thô, chỉ đo lượng traffic đi qua firewall mà không tính đến việc quét virus, lọc nội dung (content filtering), ngăn chặn xâm nhập (intrusion prevention), kiểm tra thất thoát dữ liệu và các bước tương tự. Con số còn có thể thay đổi theo giao thức (protocol) và kích cỡ gói tin (packet). Thông số Throughput thậm chí quan trọng hơn cho việc chia lớp mạng nội bộ (network segmentation). Khi tường lửa được sử ...
Read more