Videoserver (Scenario1)

[Figure: AttackBed-Videoserver.png]

Attacker Steps:

  1. Attacker scans the company's DNS server with dns-brute (T1590, T1591)

  2. Attacker scans the host with nmap (T1595), also with -O for OS detection (T1592)

  3. Attacker scans the host with nikto (T1595)

  4. Attacker uses gobuster to crawl the webserver (T1594)

  5. Attacker penetrates ZoneMinder (T1190, T1059)

  6. Attacker creates a stable reverse shell (T1574, T1104) and attaches it to a running process (T1055, https://github.com/W3ndige/linux-process-injection) [NO PROCESS ATTACHED]

  7. Attacker uploads linpeas (T1105) and executes it (T1087, T1083, T1201, T1069, T1057, T1518, T1082, T1614, T1016, T1049, T1033, T1007, T1615)

  8. Attacker finds a privilege escalation path:

    1. Polkit exploit (T1068, T1546, T1574)

    2. Sudo weakness (T1548)

    3. Misconfigured systemd unit (T1547)

    4. Logrotten (T1546)

    5. Misconfigured cron job (T1053)

    6. Finds an ssh key for the root user (T1078)

  9. Attacker gains root

  10. Attacker adds a backdoor:

    1. Attacker adds a new ssh key to authorized_keys (T1098)

    2. Attacker creates a new account (T1136)

    3. Attacker modifies PAM (T1556)

  1. Attacker uses split to proxy a command (T1218)

  2. Attacker reads from /etc/shadow (T1555)

  3. Attacker runs nmap (T1046) [MOVE TO ANOTHER SCENARIO]

  4. Attacker runs lspci and lsusb (T1120) [lsusb isn't installed]

  5. Attacker runs ntpdate or date (T1124) [ntpdate isn't installed]

  6. Attacker checks for VirtualBox files (T1497)
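The three backdoors in step 10 (T1098, T1136, T1556) are the artifacts a detection built against this scenario should catch. The following is an added example, not part of the AttackBed documentation: it correlates constructed auth.log and auditd lines from the videoserver host and maps successful writes to authorized_keys and /etc/pam.d, plus useradd events, to those technique IDs. The audit keys and log lines are assumptions for illustration; the real host would need matching auditd watch rules.

```python
import re

# Constructed sample lines, assumed to come from auth.log and auditd on the
# videoserver host. The audit keys (authorized_keys_mod, pam_mod) are assumed
# to be set by watch rules on ~/.ssh/authorized_keys and /etc/pam.d.
SAMPLE_LOG = """\
Mar  3 10:01:12 videoserver sshd[1402]: Accepted publickey for www-data from 10.0.0.5 port 51022 ssh2
type=SYSCALL msg=audit(1709460101.123:900): arch=c000003e syscall=257 success=yes exit=3 uid=0 key="authorized_keys_mod"
type=PATH msg=audit(1709460101.123:900): item=1 name="/root/.ssh/authorized_keys" nametype=NORMAL
Mar  3 10:02:40 videoserver useradd[1455]: new user: name=svc_backup, UID=1001, GID=1001, home=/home/svc_backup, shell=/bin/bash
type=SYSCALL msg=audit(1709460202.456:911): arch=c000003e syscall=257 success=no exit=-13 uid=33 key="pam_mod"
type=PATH msg=audit(1709460202.456:911): item=0 name="/etc/pam.d/common-auth" nametype=NORMAL
type=SYSCALL msg=audit(1709460250.789:920): arch=c000003e syscall=257 success=yes exit=4 uid=0 key="pam_mod"
type=PATH msg=audit(1709460250.789:920): item=1 name="/etc/pam.d/common-auth" nametype=CREATE
Mar  3 10:03:01 videoserver CRON[1490]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Paths whose successful modification maps to a step-10 technique.
WATCHED_PATHS = [
    ("T1098", re.compile(r"/\.ssh/authorized_keys$")),
    ("T1556", re.compile(r"^/etc/pam\.d/")),
]
USERADD = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
AUDIT = re.compile(r"type=(\w+) msg=audit\(([^)]+)\): (.*)")

def group_audit_events(lines):
    """Group auditd records by event id so SYSCALL and PATH records correlate."""
    events = {}
    for line in lines:
        m = AUDIT.match(line)
        if m:
            events.setdefault(m.group(2), []).append((m.group(1), m.group(3)))
    return events

def detect(log_text):
    """Return sorted (technique, detail) pairs for the step-10 persistence actions."""
    lines = log_text.splitlines()
    hits = set()
    for line in lines:  # T1136 is visible directly in auth.log
        m = USERADD.search(line)
        if m:
            hits.add(("T1136", m.group(1)))
    for records in group_audit_events(lines).values():
        ok = any(t == "SYSCALL" and "success=yes" in body for t, body in records)
        if not ok:  # a denied open() (e.g. as www-data before root) is not persistence
            continue
        for t, body in records:
            pm = re.search(r'name="([^"]+)"', body) if t == "PATH" else None
            for tid, pat in WATCHED_PATHS:
                if pm and pat.search(pm.group(1)):
                    hits.add((tid, pm.group(1)))
    return sorted(hits)
```

Running detect(SAMPLE_LOG) flags the key drop, the new account and the PAM change, while the failed write in event 911 and the sshd/cron noise are ignored.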