Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

Don’t bash your head over unsecured credentials

Issue 8 2021 News & Events, Access Control & Identity Management

Aaron Hambleton, security monitoring and incident response lead and Eleanor Barlow, content manager, SecurityHQ.

While working on servers, you or your team will likely spend a decent amount of time on the command line. During this time, it is more than likely that, amongst other available shells, you will be using the bash shell, which is the default shell in most Linux distributions.

Server administrators are likely to perform the same commands repeatedly, so it makes sense that all executed commands are stored. This allows the administrators to quickly execute a previous command without having to repeatedly type it out.

This, however, also makes it extremely easy for adversaries to search the bash command history on compromised systems for insecurely stored credentials.

An attacker eye view on bash shell misuse

Bash keeps track of the commands that users type on the command-line with the ‘history’ utility. Once a user logs out, the history is flushed to the user’s bash history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. The amount can be increased or decreased depending on your environment variables.

Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials.

Below is a simple one-line command which will return the bash history for every user on a particular Linux server. Once an attacker has a presence on the server and executes a command like the one below, they will be able to see the history of all commands executed through bash. With a slight modification to the command below, they may decide to pipe the response into a simple .txt file for offline consumption and analysis.

find /home -name .bash_history -print -exec cat {} 2>/dev/null \;

While the above command will list the history for all users under the home directory, it is also possible to get more specific with the query so that it will return commands that contain certain key words like ‘Summer2021’, this being a possible indicator of a weak password stored insecurely.

Below is an example of how an attacker would search the bash history of the current user to identify if any passwords have been configured insecurely and therefore, ended up in the bash history.

cat ~/.bash_history | grep "Summer2021"

This is a common technique within the MITRE ATT&CK; Framework: https://attack.mitre.org/techniques/T1552/003/

If the adversary is lucky, they will see usernames and passwords in clear text. Armed with the usernames and passwords, they can then continue their advance through your environment either via lateral movement or privilege escalation. Below is an example of what an attacker might find in your bash history.

• echo 'root:RedactedPassword*' |chpasswd

• useradd -c Joe Blogs joeb ; echo joeb:RedactedPassword |chpasswd

Here, you can see the Bash HISTCONTROL and HISTIGNORE variables to control how commands are added to history.

‘HISTCONTROL can be used to exclude lines starting with a space and prevent duplicates from being placed in history. While HISTIGNORE can be used to exclude repeated commands, commands that start with spaces and commands that match on password irrespective of the case of the word password (*[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]*).’ – Rob Kielty.

HISTIGNORE=”&:[ \t]*:*[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]*”

How to use bash history for incident response

It is worth noting that it is a good idea to hunt proactively across your Linux estate for insecure and weak passwords contained within the bash history file. If you are able to surface these issues at the earliest opportunity, it will strengthen your security posture and hamper the adversary.

In addition, the bash history is an incredibly useful tool during incident response engagements. For instance, if you are performing an investigation on a Linux server, the commands executed by the adversary will be stored in the bash history. Assuming that they haven’t used another shell or cleared the bash history. From this, you can then see the commands and map out the attack made. With this knowledge, analysts can then put in place actions to mitigate the attack or prevent a similar attack from occurring again.

If you found this blog useful, you may also find the analysis of other vulnerabilities that often get overlooked, such as Security 101: Compromised AWS S3 Buckets and Security 101: What are LOLBins and How Can They be Used Maliciously valuable.


Credit(s)

Tel: +27 21 427 6691
Email: [email protected]
www: www.paxton-access.com/za
Articles: More information and articles about Paxton



Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

Fire Ops SA Partners with Matrix
News & Events Fire & Safety Residential Estate (Industry)
Fire Ops SA, a South African private fire and rescue service, has announced its partnership with Matrix Vehicle Tracking to launch FireStop, providing Matrix and Beame clients with direct access to a dedicated professional private fire service.

Read more...
SABRIC Annual Crime Statistics 2024
News & Events Security Services & Risk Management Residential Estate (Industry)
SABRIC has released its Annual Crime Statistics for 2024, reflecting a significant decline in financial crime losses, but also warning of the growing threat posed by artificial intelligence (AI) in fraud schemes.

Read more...
Adding AI analytics to security monitoring
SEON South Africa News & Events Perimeter Security, Alarms & Intruder Detection Residential Estate (Industry) AI & Data Analytics
SEON has announced its latest integration with Refraime, an AI-powered video analytics platform designed to elevate CCTV surveillance through real-time object detection and intelligent alerting.

Read more...
Blue Security ranked best reaction team in KZN
News & Events Commercial (Industry)
Blue Security has been ranked the Best Reaction Team in KwaZulu-Natal following its outstanding performance at the SAIDSA Reaction Man Competition 2025, which took place on 25 September at the Ballito Defensive Sport Shooting Club.

Read more...
Sophos launches advisory services to deliver proactive cybersecurity resilience
Information Security News & Events
Sophos has launched a suite of penetration testing and application security services, designed to identify gaps in organisations’ security programs, which is informed by Sophos X-Ops Threat Intelligence and delivered by world-class experts.

Read more...
Why Securex matters more than ever
Securex South Africa News & Events Fire & Safety Facilities & Building Management
Visitors will observe the application of integrated security solutions, including AI-enhanced surveillance, cloud-based access control, cybersecurity tools, and perimeter protection within residential, commercial, logistics, and industrial environments

Read more...
SA’s private security industry receives multi-million USD investment
News & Events Security Services & Risk Management
South Africa's private security sector has attracted significant international attention, with the world’s largest tactical flashlight manufacturer, Nextorch, announcing a major investment in its local operations, Nextorch Africa.

Read more...
Kaspersky highlights biometric and signature risks
Information Security News & Events
AI has elevated phishing into a highly personalised threat. Large language models enable attackers to craft convincing emails, messages and websites that mimic legitimate sources, eliminating grammatical errors that once exposed scams.

Read more...
Keenfinity launches Radionix as new intrusion brand
Perimeter Security, Alarms & Intruder Detection News & Events
Keenfinity Group’s Intrusion & Access Business Unit has launched Radionix as its new brand for intrusion alarm systems, unlocking new potential and growth opportunities.

Read more...
From the editor's desk: Can it be October already?
Technews Publishing News & Events
Welcome to the final SMART Handbook of the year. In this issue, we focus on residential estate security, from the fence to the gate and beyond. We also review our Durban SMART Estate Security Conference, ...

Read more...











SMART Security Business Directory


While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.

Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.