Don’t bash your head over unsecured credentials

Issue 8 2021 News, Access Control & Identity Management

While working on servers, you or your team will likely spend a decent amount of time on the command line. During this time, it is more than likely that, amongst other available shells, you will be using the bash shell, which is the default shell in most Linux distributions.

Server administrators are likely to perform the same commands repeatedly, so it makes sense that all executed commands are stored. This allows the administrators to quickly execute a previous command without having to repeatedly type it out.

This, however, also makes it extremely easy for adversaries to search the bash command history on compromised systems for insecurely stored credentials.

An attacker eye view on bash shell misuse

Bash keeps track of the commands that users type on the command-line with the ‘history’ utility. Once a user logs out, the history is flushed to the user’s bash history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. The amount can be increased or decreased depending on your environment variables.

Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials.

Below is a simple one-line command which will return the bash history for every user on a particular Linux server. Once an attacker has a presence on the server and executes a command like the one below, they will be able to see the history of all commands executed through bash. With a slight modification to the command below, they may decide to pipe the response into a simple .txt file for offline consumption and analysis.

find /home -name .bash_history -print -exec cat {} 2>/dev/null \;

While the above command will list the history for all users under the home directory, it is also possible to get more specific with the query so that it will return commands that contain certain key words like ‘Summer2021’, this being a possible indicator of a weak password stored insecurely.

Below is an example of how an attacker would search the bash history of the current user to identify if any passwords have been configured insecurely and therefore, ended up in the bash history.

cat ~/.bash_history | grep "Summer2021"

This is a common technique within the MITRE ATT&CK; Framework:

If the adversary is lucky, they will see usernames and passwords in clear text. Armed with the usernames and passwords, they can then continue their advance through your environment either via lateral movement or privilege escalation. Below is an example of what an attacker might find in your bash history.

• echo 'root:RedactedPassword*' |chpasswd

• useradd -c Joe Blogs joeb ; echo joeb:RedactedPassword |chpasswd

Here, you can see the Bash HISTCONTROL and HISTIGNORE variables to control how commands are added to history.

‘HISTCONTROL can be used to exclude lines starting with a space and prevent duplicates from being placed in history. While HISTIGNORE can be used to exclude repeated commands, commands that start with spaces and commands that match on password irrespective of the case of the word password (*[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]*).’ – Rob Kielty.

HISTIGNORE=”&:[ \t]*:*[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]*”

How to use bash history for incident response

It is worth noting that it is a good idea to hunt proactively across your Linux estate for insecure and weak passwords contained within the bash history file. If you are able to surface these issues at the earliest opportunity, it will strengthen your security posture and hamper the adversary.

In addition, the bash history is an incredibly useful tool during incident response engagements. For instance, if you are performing an investigation on a Linux server, the commands executed by the adversary will be stored in the bash history. Assuming that they haven’t used another shell or cleared the bash history. From this, you can then see the commands and map out the attack made. With this knowledge, analysts can then put in place actions to mitigate the attack or prevent a similar attack from occurring again.

If you found this blog useful, you may also find the analysis of other vulnerabilities that often get overlooked, such as Security 101: Compromised AWS S3 Buckets and Security 101: What are LOLBins and How Can They be Used Maliciously valuable.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Real-world ransomware
Ransomware hit 51% of South African organisations surveyed for Sophos’ Annual ‘State of Ransomware 2022’; and 49% of South African organisations that had data encrypted in a ransomware attack paid the ransom.

New renewable energy partnership
SolarWorld Africa partners with Meyer Burger to bring solar technology to South Africa and sub-Saharan Africa. The partnership will see both leading businesses serve the African renewable energy sector.

inq. expands in SA with acquisition of Syrex
Inq., a Convergence Partner’s company, is set to acquire Syrex, a provider of hyper-converged cloud technology solutions in South Africa to provide innovative and reliable solutions to the South African market.

Check Point and DCC partner for SA and SADC channel
Check Point Software Technologies has appointed Drive Control Corporation (DCC) as its official distributor for South Africa and the SADC region. The appointment will see DCC distributing Check Point’s ...

Product launches, demos and competitions at Securex 2022
Specialised Exhibitions News
The first Securex South Africa expo since 2019 is coming up and exhibitors are pulling out all the stops to wow visitors.

Facilities Management seminar theatre
Free-to-attend Facilities Management Expo 2022 seminar theatre, sponsored by Broll, will focus on today’s industry-critical topics.

From the editor's desk: Signs of life?
Technews Publishing News
Welcome to the latest issue of Hi-Tech Security Solution. The big news in this issue is the Securex Preview which, although smaller than in the past, is still a great (late) start to the year as it means ...

ZKTeco Experience Centre
ZKTeco News Access Control & Identity Management
ZKTeco South Africa has opened the doors to its innovative and interactive space, the ZKTeco Experience Centre in Centurion, Pretoria and welcomes visitors to partake in the ‘Powered by ZKTeco’ experience.

Technoswitch appointed as FST distributor
Technoswitch Fire Detection & Suppression News Fire & Safety
Technoswitch’s appointment as a distributor for the Fire & Security Techniques (FST) range of fire suppression solutions forms part of the company’s strategic plan to expand its range of suppression solutions.

Self-learning AI for existing CCTV systems
Iris AI Editor's Choice CCTV, Surveillance & Remote Monitoring News
Snap Guard is a cloud application that integrates into a property owner’s live CCTV feed, working with existing hardware and software, adding an additional layer of security.