NetWitness: Finding the Crown Jewels of Linux /etc/passwd and /etc/shadow

Executive Summary

• This Packet Parser enables threat hunting, malicious actor and misconfiguration detection
• This Packet Parser detects when /etc/passwd and /etc/shadow are sent through clear text protocols.

Introduction

Responding to alerts and threat hunting is core for any analyst.  There are numerous tools out there to detect anomalies, password spraying, and others are primarily focused on windows-based attacks.  However, what if an attacker gets onto one of your Linux devices?  Does your team have nearly as much monitoring for your Linux servers as your Windows hosts?  We created a packet parser to help detect malicious actors transferring /etc/passwd and /etc/shadow files in cleartext through our customers networks. This parser’s goal is to help threat hunt and detect misconfigurations and enumerations performed by the malicious actors.

Attack Details

If an attacker gets onto one of your Linux servers – what are some of the first things they are going to do?  Enumerate, enumerate, enumerate!  They will likely run an assortment of the following commands to find out basic information about the host and identify any low-hanging fruit:

• id
• who
• w
• uname -a
• last
• ps -ef
• history
• cat /etc/passwd
• cat /etc/shadow
• cat /etc/sudoers
• ….to infinity and beyond.

Of course, we can create a correlation rule looking for the rapid/semi-rapid succession of these commands on one host (and we have) but, lets cover another avenue: monitoring for /etc/shadow and /etc/passwd traversing the network.

So, just what are these files and why are they so important? The ‘passwd’ file will contain a list of usernames, UID (user id), GID (Group ID), full name of user, user’s home directory, and login shell. The ‘shadow’ file contains the golden egg: passwords (hopefully salted), when it was changed, minimum days required between password changes, maximum days a password is valid, how many days left till the password expires, how many days the account has been inactive and when an account was disabled.

Will these files ever be accessed as part of normal business procedures? Absolutely! Linux admins and system processes will be interacting with these files frequently for updating, adding and deleting entries.  However, if we ever see these files being transferred outbound, that is no longer a normal business procedure, but is instead the indication something malicious is afoot.

This is where packet parsing knowledge can save the day. Packet parsing often leaves out some pieces of information, simply because capturing all relevant data in a packet would be unsustainably intensive and difficult to store at a reasonable volume. However, it’s possible to address certain gaps in default parsing by specially crafted parsers looking for certain attributes in network traffic.

To address this specific technique, we developed a custom packet parser to detect these files being transferred over the network. Below we’ll break it down for you:

Example

Passwd Entry

root:x:0:0:root:/root:/bin/bash

Shadow Entry

root:$6$Q9TU2oS4$asdKKLRfldsajfkLAsdjlkfjlkuk453jklj89sDvj38kdfgKDflgjk/7KvInwPcr32uIVrgj.QUGerT0qFvn0f/EQ9/:17984:0:99999:7:::

Parser

local LinuxLFIDetection = nw.createParser("LinuxLFIDetection", "LinuxLFIDetection")

LinuxLFIDetection:setKeys({
nwlanguagekey.create("mss.con.apprule", nwtypes.Text),
})
function LinuxLFIDetection:passwdTokenFIND(token, first, last)
payload = nw.getPayload(last + 1, last + 160)
passwdDetect = payload:find("x:0",1,4)
shadowDetect = payload:find(":::",40,160)

if passwdDetect then
local firstFind = payload:find("/bin/bash",1,32)
local secondFind = payload:find("/bin/sh",1,32)
if firstFind then 
nw.createMeta(self.keys["mss.con.apprule"], "potential_etc_passwd_exfil")
end
if secondFind then 
nw.createMeta(self.keys["mss.con.apprule"], "potential_etc_passwd_exfil")
end
end
if shadowDetect then
nw.createMeta(self.keys["mss.con.apprule"], "potential_etc_shadow_exfil")
end
end

LinuxLFIDetection:setCallbacks({
["root:"] = LinuxLFIDetection.passwdTokenFIND
})

We start off by looking for the common denominator in both files (root:). If we find this value, we start to evaluate if this is a passwd or shadow file and apply the meta to the session for detection. We have created a flow chart to better depict how this parser functions:

False Positives Observed

Backup traffic is the main culprit for false positives. However, this also reveals a bad security practice as backups should be encrypted in transit, this packet parser will detect the transfer if it is in plaintext.

Customizations

If you are looking for a custom shell, change the shell being searched for from /bin/bash to another shell.

if passwdDetect then
local firstFind = payload:find("/bin/bash",1,32)

This does use our own custom metakey within NetWitness, mss.con.apprule. If you plan to use it, you will need to index it properly or you will not see the output. You can change it or create your own meta key tuned to your environment.

LinuxLFIDetection:setKeys({
nwlanguagekey.create("mss.con.apprule", nwtypes.Text),
})
…
if passwdDetect then
local firstFind = payload:find("/bin/bash",1,32)
local secondFind = payload:find("/bin/sh",1,32)
if firstFind then 
nw.createMeta(self.keys["mss.con.apprule"], "potential_etc_passwd_exfil")
…etc.

Raw Traffic Example Detection

GET /../../../../../../../../../../../etc/passwd HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Host: FakeWebsite.com
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: en-US,*

HTTP/1.1 200 OK
Date: Mon, 2 Mar 2020 17:41:55 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Wed, 12 Mar 2014 16:27:23 GMT
ETag: "37-4f46b4fb850c0"
Accept-Ranges: bytes
Content-Length: 55
X-XSS-Protection: 1; mode=block
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

root:x:0:1:::
bin:x:2:2:::
sys:x:3:3:::
ftp:x:108:1:::

Conclusion

Packet parsing is enormously powerful within NetWitness, opening new avenues of detection you might not have ever considered, and it can help catch “under the radar” attacks that default parsing may capture in the raw data, but not identify in indexed meta. Please let us know if you have any feedback on the parser or how it worked out for you team!