Videoserver (Scenario 1)

[Figure: AECID-Testbed-Videoserver.png]

Attacker Steps:

  1. Attacker scans the company's DNS server with dns-brute (T1590, T1591)

  2. Attacker scans the host with nmap (T1595), also with -O (T1592)

  3. Attacker scans the host with nikto (T1595)

  4. Attacker uses gobuster to crawl the webserver (T1594)

  5. Attacker penetrates zoneminder (T1190, T1059)

  6. Attacker creates a stable reverse shell (T1574, T1104) and attaches it to a running process (T1055, https://github.com/W3ndige/linux-process-injection) [NO PROCESS ATTACH]

  7. Attacker uploads linpeas (T1105) and executes it (T1087, T1083, T1201, T1069, T1057, T1518, T1082, T1614, T1016, T1049, T1033, T1007, T1615)

  8. Attacker finds a privilege escalation

    1. Polkit exploit (T1068, T1546, T1574)

    2. Sudo weakness (T1548)

    3. Misconfigured systemd unit (T1547)

    4. Logrotten (T1546)

    5. Misconfigured cron job (T1053)

    6. Finds ssh key for the root user (T1078)

  9. Attacker gains root

  10. Attacker adds a backdoor

    1. Attacker adds a new ssh key to authorized_keys (T1098)

    2. Attacker creates a new account (T1136)

    3. Attacker modifies pam (T1556)

  1. Attacker uses split to proxy a command (T1218)

  2. Attacker reads /etc/shadow (T1555)

  3. Attacker runs nmap (T1046) [MOVE TO ANOTHER SCENARIO]

  4. Attacker runs lspci and lsusb (T1120) [lsusb is not installed]

  5. Attacker runs ntpdate or date (T1124) [ntpdate is not installed]

  6. Attacker checks VirtualBox files (T1497)
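As an added defender-side illustration (not part of the AECID testbed scenario or its tooling), the following script shows how the backdoor steps above (new ssh key in authorized_keys, T1098, and new local account, T1136) surface in auth.log-style lines and how a simple detector flags them. The log lines, host name, fingerprints and the baseline of known key fingerprints are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample auth.log lines (not captured from the testbed); host name,
# addresses and key fingerprints are placeholders.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 videoserver sshd[2210]: Accepted publickey for admin from 10.0.0.20 port 50122 ssh2: ED25519 SHA256:KNOWNKEYAAAA
Mar  3 10:07:45 videoserver useradd[2388]: new user: name=svc-backup, UID=1002, GID=1002, home=/home/svc-backup, shell=/bin/bash
Mar  3 10:09:03 videoserver sshd[2401]: Accepted publickey for root from 10.0.0.99 port 40311 ssh2: RSA SHA256:UNKNOWNKEYBBBB
Mar  3 10:12:30 videoserver sshd[2450]: Failed password for invalid user test from 10.0.0.99 port 40320 ssh2
"""

# Assumed baseline of key fingerprints that are expected to log in; in practice
# this is built from the authorized_keys files at deployment time.
KNOWN_FINGERPRINTS = {"SHA256:KNOWNKEYAAAA"}

# sshd logs the fingerprint of the key that was accepted; a key outside the
# baseline points at an authorized_keys modification (T1098).
ACCEPTED_KEY = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<src>\S+) "
    r"port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)")
# useradd logs every new local account (T1136).
NEW_USER = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")


@dataclass(frozen=True)
class Finding:
    technique: str
    detail: str


def detect_persistence(log_text: str, known_fps=KNOWN_FINGERPRINTS) -> list:
    """Return one Finding per log line that matches a backdoor indicator."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED_KEY.search(line)
        if m and m.group("fp") not in known_fps:
            findings.append(Finding("T1098", f"login as {m.group('user')} from "
                                             f"{m.group('src')} with unknown key {m.group('fp')}"))
            continue
        m = NEW_USER.search(line)
        if m:
            findings.append(Finding("T1136", f"new local account {m.group('name')} "
                                             f"(UID {m.group('uid')})"))
    return findings


if __name__ == "__main__":
    for finding in detect_persistence(SAMPLE_AUTH_LOG):
        print(finding.technique, finding.detail)
```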