Linux Host & Network Information Gathering


For this portion of my notes I will focus on collecting information useful to someone attempting to leverage a breached system to further their attack. Here I will talk about some of the tools and resources native to a Linux system that help scope out a scene, and mention some tactics an attacker may use when sniffing or scanning an area with minimal detection.


Linux Host Information Gathering


Ifconfig output


Ifconfig is a tool that details how network interfaces are being used. Its output can give the attacker more context on how long this system has been running, and on how much this system interacts with other networks. Such context is useful when one needs to keep their traffic production within normal levels, thereby minimizing their presence. Another useful detail is how stable the network connections are, which tells one how careful they must be to appear stable when performing any scanning. Below I expand on some of the output from ifconfig:


eth0: name of the interface

Link encap: link encapsulation type; in this case it refers to Ethernet

HWaddr: MAC address of the system; the first fields (the vendor prefix) can help infer the type of hardware via lookup

inet addr: IP address of the system and its type (192.168.x.x infers that this uses DHCP)

Bcast: broadcast IP that communicates to all IP addresses on the subnet (255 is the maximum for an IPv4 octet)

Mask: infers the size of the subnetwork

inet6 addr: IPv6 address of the system

MTU: maximum transmission unit of this interface

RX packets: received packets

errors: errors that occurred on the connection

dropped: packets dropped on the connection

TX packets: transmitted packets
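As an added example (not part of the original notes), this Python snippet parses the classic net-tools ifconfig fields listed above from a constructed sample and turns them into the two things the notes care about: the subnet size implied by Mask, and how stable the link is (error and drop rates), which is the baseline a defender can snapshot and compare against later. The interface values in the sample are made up.

```python
import re
# Constructed classic net-tools ifconfig output (not captured from a real host).
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 08:00:27:4e:66:a1
          inet addr:192.168.56.101  Bcast:192.168.56.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe4e:66a1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:48213 errors:0 dropped:12 overruns:0 frame:0
          TX packets:31977 errors:3 dropped:0 overruns:0 carrier:0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          RX packets:1200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1200 errors:0 dropped:0 overruns:0 carrier:0
"""

FIELDS = {
    "hwaddr": re.compile(r"HWaddr\s+([0-9a-fA-F:]{17})"),
    "inet": re.compile(r"inet addr:(\S+)"),
    "inet6": re.compile(r"inet6 addr:\s*(\S+)"),
    "mask": re.compile(r"Mask:(\S+)"),
    "mtu": re.compile(r"MTU:(\d+)"),
}
COUNTERS = re.compile(r"(RX|TX) packets:(\d+) errors:(\d+) dropped:(\d+)")

def parse_ifconfig(text):
    """Return {iface: fields} for each interface block in ifconfig output."""
    ifaces = {}
    for block in re.split(r"\n(?=\S)", text.strip()):
        info = {}
        for key, rx in FIELDS.items():
            m = rx.search(block)
            info[key] = m.group(1) if m else None
        info["mtu"] = int(info["mtu"]) if info["mtu"] else None
        # The vendor prefix (OUI) is the first three octets of the MAC address.
        info["oui"] = info["hwaddr"][:8].upper() if info["hwaddr"] else None
        for direction, pk, er, dr in COUNTERS.findall(block):
            info[direction.lower()] = {"packets": int(pk), "errors": int(er), "dropped": int(dr)}
        ifaces[block.split()[0]] = info
    return ifaces

def subnet_hosts(mask):
    """Usable host addresses implied by a dotted-decimal netmask (the size of the subnetwork)."""
    prefix = sum(bin(int(octet)).count("1") for octet in mask.split("."))
    return 2 ** (32 - prefix) - 2

def link_health(info):
    """Fraction of packets errored or dropped per direction: the stability baseline to stay under."""
    return {d: (info[d]["errors"] + info[d]["dropped"]) / max(info[d]["packets"], 1) for d in ("rx", "tx")}
```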


Netstat -g output


-g: this flag details multicast group memberships

lo: refers to our loopback interface, which carries only traffic directed to the host system itself

224.0.0.251: a reserved IPv4 multicast IP address

eth0: refers to the Ethernet interface


Netstat -r output



Destination: the networks involved in the routing scheme

Default: the default IP route (default gateway)

Genmask: the size of the subnet for a given route

Iface: the network interface the route uses



Netstat -i output


This table describes details of a system’s interfaces.


Iface: interface name

MTU: Maximum transmission unit

RX-OK: packets received without error

TX-OK: packets transmitted without error


Netstat -s output (IP)


Many of these details are self-explanatory, but here are some I expanded on for further understanding:


Forwarded: whether or not the system sends packets on behalf of others, similar to a router.

Incoming packets discarded: counts bad input; generating such input is a trait an attacker would want to avoid, as it is detectable.


Netstat -d output (ICMP)


The Internet Control Message Protocol is a protocol within the IP suite that manages error messages and management inquiries within a network. For instance, it is used to inform a system that a host within the network is unreachable when pinging. The following output lists the ICMP activity observed at this system, such as messages received, input/output failures, and echo requests. Commands like ping may trigger an IDS, as this system is seen not to be pinged often.


Netstat -s output (TCP)


Active connections refers to TCP connections that have been sending data over the network, while passive refers to open TCP connections that have not. The number of segments sent and received suggests a system that does not interact with the network much, within a TCP context.


Netstat -s output (UDP)


This output details the number of packets sent and received, and the behavior seen from these packets, such as any errors. This is useful for an attacker to understand how to leverage UDP communication under what appears to be normal behavior.
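The ICMP, TCP and UDP counters above are most useful when compared over time. As an added example that is not from the original notes, this Python snippet parses two constructed netstat -s snapshots and flags counters whose growth between them exceeds a threshold, which is how a defender would notice the ping sweep or connect() scan that the notes say an IDS might catch. The threshold values are assumptions, not measured baselines.

```python
import re

# Two constructed netstat -s snapshots, a few minutes apart, built from one template
# (not captured from a real host); the braces are filled with the counter values.
TEMPLATE = """\
Icmp:
    {0} ICMP messages received
    ICMP input histogram:
        echo requests: {1}
Tcp:
    {2} active connection openings
    {3} passive connection openings
Udp:
    {4} packets to unknown port received
"""
BEFORE = TEMPLATE.format(18, 6, 310, 12, 3)
AFTER = TEMPLATE.format(280, 260, 315, 140, 410)

SECTION = re.compile(r"^(\w+):\s*$")
# Either "18 ICMP messages received" or a histogram line such as "echo requests: 6".
COUNTER = re.compile(r"^\s+(?:(\d+) (.+?)|(.+?): (\d+))\s*$")

def parse_netstat_s(text):
    """Return {section: {counter name: value}} from netstat -s output."""
    stats, section = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = stats[m.group(1)] = {}
            continue
        m = COUNTER.match(line)
        if m and section is not None:
            n1, name1, name2, n2 = m.groups()
            section[name1 or name2] = int(n1 or n2)
    return stats

# Constructed per-interval limits; derive real ones from the host's quiet-time baseline.
THRESHOLDS = {
    ("Icmp", "echo requests"): 50,                    # ping sweep
    ("Tcp", "passive connection openings"): 100,      # connect() scan reaching open ports
    ("Udp", "packets to unknown port received"): 50,  # UDP port scan
}

def flag_spikes(before_text, after_text):
    """Counters whose growth between the two snapshots exceeds their threshold."""
    before, after = parse_netstat_s(before_text), parse_netstat_s(after_text)
    def delta(sec, name):
        return after.get(sec, {}).get(name, 0) - before.get(sec, {}).get(name, 0)
    return {k: delta(*k) for k, limit in THRESHOLDS.items() if delta(*k) > limit}
```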


Arp output


This details the Address Resolution Protocol (ARP) table: essentially, the information that maps IP addresses to their corresponding MAC addresses. It may give context on the machines involved, via a MAC address lookup, once one has been breached.


Nsswitch.conf information


A file that details the name-service databases this host system knows of, and where it looks them up.


Resolv.conf information (DNS)


Details the DNS servers this system recognizes.


Nmap localhost output


Using nmap against one's own host allows some interaction with its own interfaces, perhaps revealing information on this host that netstat otherwise did not. This does not send packets outside the host. Here we have three open ports; Tor, of course, is a protocol not typical within a work environment.


Linux Network Information Gathering


Nmap options to discover other hosts and scan the interfaces of a target

Nmap can be a great tool for an attacker attempting to scope out the next host when one wants to pivot. Here is a list of options an attacker may use to discover other hosts as well as scan their ports; some may strategically allow them to scope out these details with minimal notice. For instance, when one scans a host with a TCP SYN or connect() scan, the environment may either drop the packets or start the 3-way handshake.


Other configurations for scanning


The -sV flag allows the attacker to probe what kind of service is running on a port. For instance, it could reveal the version of SSH the system is running. The attacker would count themselves lucky if they found it running SSH version 1, now known to be vulnerable to man-in-the-middle attacks.


p0f example output


Passive OS fingerprinting (p0f) is a form of scanning that does minimal work compared to its nmap counterpart. It listens to any traffic with the purpose of identifying other hosts, and does all this without emitting any traffic of its own.


Tcpdump output


Tcpdump is a packet sniffer that presents packet details in readable form to the user. Some of the highlighted details show information an attacker may find useful through this tool, such as the domain this ACK message is involved with. Additionally, the window size of this packet may infer the OS that typically uses that size.
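To make the p0f and tcpdump points concrete, here is an added Python example (not from the original notes) that parses constructed tcpdump lines, does p0f-style passive fingerprinting from the window size of each host's first SYN, and lists sources whose SYNs touched many distinct ports, the footprint a defender looks for when the SYN/connect() scans described above hit the network. The window-size-to-OS table is illustrative, not an authoritative p0f signature set.

```python
import re
from collections import defaultdict
# Constructed tcpdump lines in its default one-line TCP format (not a real capture).
SAMPLE_TCPDUMP = """\
12:01:03.412345 IP 192.168.56.1.51234 > 192.168.56.101.22: Flags [S], seq 1000, win 65535, options [mss 1460,nop,wscale 8], length 0
12:01:03.412900 IP 192.168.56.101.22 > 192.168.56.1.51234: Flags [S.], seq 2000, ack 1001, win 29200, options [mss 1460], length 0
12:01:03.413100 IP 192.168.56.1.51234 > 192.168.56.101.22: Flags [.], ack 2001, win 2053, length 0
12:01:05.000000 IP 192.168.56.7.40000 > 192.168.56.101.21: Flags [S], seq 1, win 1024, options [mss 1460], length 0
12:01:05.000100 IP 192.168.56.7.40000 > 192.168.56.101.23: Flags [S], seq 1, win 1024, options [mss 1460], length 0
12:01:05.000200 IP 192.168.56.7.40000 > 192.168.56.101.25: Flags [S], seq 1, win 1024, options [mss 1460], length 0
12:01:05.000300 IP 192.168.56.7.40000 > 192.168.56.101.80: Flags [S], seq 1, win 1024, options [mss 1460], length 0
"""

LINE = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]+)\],.*?\bwin (\d+)")

# Illustrative initial-SYN window sizes in the p0f style; constructed, not an authoritative table.
SYN_WINDOW_OS = {65535: "Windows/BSD-like", 29200: "Linux 3.x+", 14600: "Linux 2.6", 5840: "Linux 2.4/2.6"}

def split_endpoint(endpoint):
    """'host.port' -> (host, port); the port follows the last dot, so names with dots are fine."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)

def parse_tcpdump(text):
    """Extract source, destination, TCP flags and window size from each tcpdump line."""
    pkts = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            src, dst, flags, win = m.groups()
            pkts.append({"src": split_endpoint(src), "dst": split_endpoint(dst), "flags": flags, "win": int(win)})
    return pkts

def guess_os(pkts):
    """Passive fingerprint: map each host's first bare SYN window size to an OS family."""
    seen = {}
    for p in pkts:
        host = p["src"][0]
        if p["flags"] == "S" and host not in seen:
            seen[host] = SYN_WINDOW_OS.get(p["win"], "unknown (win %d)" % p["win"])
    return seen

def syn_scanners(pkts, min_ports=3):
    """Sources whose bare SYNs hit many distinct ports: the footprint of a SYN or connect() port scan."""
    ports = defaultdict(set)
    for p in pkts:
        if p["flags"] == "S":
            ports[p["src"][0]].add(p["dst"][1])
    return {host: sorted(ps) for host, ps in ports.items() if len(ps) >= min_ports}
```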


Tshark output


Tshark is the command-line version of Wireshark. It is similar to tcpdump but with more capabilities in how data can be read.

