Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

Don’t bash your head over unsecured credentials

Issue 8 2021 News & Events, Access Control & Identity Management

Aaron Hambleton, security monitoring and incident response lead and Eleanor Barlow, content manager, SecurityHQ.

While working on servers, you or your team will likely spend a decent amount of time on the command line. During this time, it is more than likely that, amongst other available shells, you will be using the bash shell, which is the default shell in most Linux distributions.

Server administrators are likely to perform the same commands repeatedly, so it makes sense that all executed commands are stored. This allows the administrators to quickly execute a previous command without having to repeatedly type it out.

This, however, also makes it extremely easy for adversaries to search the bash command history on compromised systems for insecurely stored credentials.

An attacker eye view on bash shell misuse

Bash keeps track of the commands that users type on the command-line with the ‘history’ utility. Once a user logs out, the history is flushed to the user’s bash history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. The amount can be increased or decreased depending on your environment variables.

Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials.

Below is a simple one-line command which will return the bash history for every user on a particular Linux server. Once an attacker has a presence on the server and executes a command like the one below, they will be able to see the history of all commands executed through bash. With a slight modification to the command below, they may decide to pipe the response into a simple .txt file for offline consumption and analysis.

find /home -name .bash_history -print -exec cat {} 2>/dev/null \;

While the above command will list the history for all users under the home directory, it is also possible to get more specific with the query so that it will return commands that contain certain key words like ‘Summer2021’, this being a possible indicator of a weak password stored insecurely.

Below is an example of how an attacker would search the bash history of the current user to identify if any passwords have been configured insecurely and therefore, ended up in the bash history.

cat ~/.bash_history | grep "Summer2021"

This is a common technique within the MITRE ATT&CK; Framework: https://attack.mitre.org/techniques/T1552/003/

If the adversary is lucky, they will see usernames and passwords in clear text. Armed with the usernames and passwords, they can then continue their advance through your environment either via lateral movement or privilege escalation. Below is an example of what an attacker might find in your bash history.

• echo 'root:RedactedPassword*' |chpasswd

• useradd -c Joe Blogs joeb ; echo joeb:RedactedPassword |chpasswd

Here, you can see the Bash HISTCONTROL and HISTIGNORE variables to control how commands are added to history.

‘HISTCONTROL can be used to exclude lines starting with a space and prevent duplicates from being placed in history. While HISTIGNORE can be used to exclude repeated commands, commands that start with spaces and commands that match on password irrespective of the case of the word password (*[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]*).’ – Rob Kielty.

HISTIGNORE=”&:[ \t]*:*[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]*”

How to use bash history for incident response

It is worth noting that it is a good idea to hunt proactively across your Linux estate for insecure and weak passwords contained within the bash history file. If you are able to surface these issues at the earliest opportunity, it will strengthen your security posture and hamper the adversary.

In addition, the bash history is an incredibly useful tool during incident response engagements. For instance, if you are performing an investigation on a Linux server, the commands executed by the adversary will be stored in the bash history. Assuming that they haven’t used another shell or cleared the bash history. From this, you can then see the commands and map out the attack made. With this knowledge, analysts can then put in place actions to mitigate the attack or prevent a similar attack from occurring again.

If you found this blog useful, you may also find the analysis of other vulnerabilities that often get overlooked, such as Security 101: Compromised AWS S3 Buckets and Security 101: What are LOLBins and How Can They be Used Maliciously valuable.


Credit(s)

Tel: +27 21 427 6691
Email: [email protected]
www: www.paxton-access.com/za
Articles: More information and articles about Paxton



Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

From prevention to protection
Securex South Africa News & Events Fire & Safety
The Western Cape’s varied landscapes and rapid urban development present a range of fire safety challenges, from densely populated city centres to remote industrial sites, and from heritage buildings to new high-rise developments.

Read more...
Workflow and asset management solutions
Asset Management News & Events
Zamatrack’s innovative workflow and asset management solutions feature the Worxit platform. This all-in-one solution allows businesses to streamline operations with real-time tracking, GPS data, and custom reports.

Read more...
SAQCC Gas awareness
Associations News & Events
SAQCC Gas will raise awareness within the gas industry by emphasising the importance of using registered gas practitioners and getting a Certificate of Compliance (CoC) for all your gas systems.

Read more...
Why Securex matters more than ever
Securex South Africa News & Events Fire & Safety Facilities & Building Management
Visitors will observe the application of integrated security solutions, including AI-enhanced surveillance, cloud-based access control, cybersecurity tools, and perimeter protection within residential, commercial, logistics, and industrial environments

Read more...
Fire Ops SA Partners with Matrix
News & Events Fire & Safety Residential Estate (Industry)
Fire Ops SA, a South African private fire and rescue service, has announced its partnership with Matrix Vehicle Tracking to launch FireStop, providing Matrix and Beame clients with direct access to a dedicated professional private fire service.

Read more...
SABRIC Annual Crime Statistics 2024
News & Events Security Services & Risk Management Residential Estate (Industry)
SABRIC has released its Annual Crime Statistics for 2024, reflecting a significant decline in financial crime losses, but also warning of the growing threat posed by artificial intelligence (AI) in fraud schemes.

Read more...
Adding AI analytics to security monitoring
SEON South Africa News & Events Perimeter Security, Alarms & Intruder Detection Residential Estate (Industry) AI & Data Analytics
SEON has announced its latest integration with Refraime, an AI-powered video analytics platform designed to elevate CCTV surveillance through real-time object detection and intelligent alerting.

Read more...
Advances in electric fence management
Nemtek Electric Fencing Products News & Events Perimeter Security, Alarms & Intruder Detection
Nemtek will demonstrate its newly enhanced FG7C+ Fence Controller, now featuring an advanced software upgrade that connects all Nemtek devices, aggregating data to a single point for efficient electric fence alarm monitoring and control.

Read more...
Fire safety in focus
Securex South Africa Fire & Safety News & Events
Firexpo Cape Town visitors will not only compare technologies side-by-side, but also connect with suppliers and experts who understand both the region’s regulatory framework and its unique environmental risks.

Read more...
Blue Security ranked best reaction team in KZN
News & Events Commercial (Industry)
Blue Security has been ranked the Best Reaction Team in KwaZulu-Natal following its outstanding performance at the SAIDSA Reaction Man Competition 2025, which took place on 25 September at the Ballito Defensive Sport Shooting Club.

Read more...











SMART Security Business Directory


While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.

Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.