GETTING BASH HISTORIES

Earlier in this book we discussed how to get users’ bash histories from their history files. We can also get the bash history information from the bash process memory itself. As discussed previously, a sophisticated attacker might delete the history files and/or set the history size to zero. The history size is determined by the HISTSIZE environment variable, which is normally set in the .bashrc file (default value is 1000). Even if the history is not being saved to disk, it is still present in memory.

The Volatility command for retrieving bash histories from bash process memory is linux_bash. Partial results from running this command against the PFE subject system, with suspicious activity highlighted, are shown in Figure 8.12 and Figure 8.13. Many other actions by the attacker were found that are not displayed in the figures.
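To make concrete why the history survives in memory even when no history file exists, the following added example (not code from the book or from the Volatility project) reproduces, in simplified form, the approach linux_bash takes: bash keeps each history entry as a small struct holding a pointer to the command line and a pointer to a "#<epoch>" timestamp string, so a carver can first locate the timestamp strings and then look for struct-shaped pointer triples that reference them. The memory region, its base address, and the command lines are all constructed here; a real plugin would read the bash heap from the memory image using Volatility's address space and vtypes instead.

```python
import re
import struct
from datetime import datetime, timezone

# Constructed scenario: a contiguous chunk of a bash process's heap, assumed to be
# mapped at BASE. A real plugin reads the mapping from the memory image instead.
BASE = 0x555556000000
HIST_ENTRY = struct.Struct("<QQQ")   # 64-bit bash: char *line; char *timestamp; histdata_t data;
TS_RE = re.compile(rb"#(\d{10})\x00")  # bash records "#<epoch>" beside each history line

# Constructed history, not evidence from the PFE system.
SAMPLE_COMMANDS = [
    (b"export HISTSIZE=0", 1404420000),
    (b"cat /etc/passwd", 1404420035),
    (b"mv /home/johnn /home/.johnn", 1404420071),
]


def _append(blob, data, align=8):
    """Pad the region to `align` bytes, append `data`, return its virtual address."""
    while len(blob) % align:
        blob.append(0)
    addr = BASE + len(blob)
    blob += data
    return addr


def build_sample_region():
    """Lay out strings and _hist_entry structs roughly the way bash's allocator might."""
    blob = bytearray()
    _append(blob, b"unrelated heap contents\x00")
    refs = []
    for cmd, epoch in SAMPLE_COMMANDS:
        line_addr = _append(blob, cmd + b"\x00")
        ts_addr = _append(blob, b"#%d\x00" % epoch)
        refs.append((line_addr, ts_addr))
    # Decoy pointer triple: struct-shaped, but its second field is not a timestamp.
    _append(blob, HIST_ENTRY.pack(BASE, BASE + 8, 0))
    for line_addr, ts_addr in refs:
        _append(blob, HIST_ENTRY.pack(line_addr, ts_addr, 0))
    return bytes(blob)


def read_cstring(region, addr, max_len=4096):
    """Return the printable NUL-terminated ASCII string at `addr`, or None."""
    off = addr - BASE
    if not 0 <= off < len(region):
        return None
    end = region.find(b"\x00", off, off + max_len)
    if end <= off:
        return None
    s = region[off:end]
    if any(c < 0x20 or c > 0x7E for c in s):
        return None
    return s.decode("ascii")


def carve_history(region):
    """Recover (epoch, command) pairs: find the timestamp strings first, then find
    pointer triples whose timestamp pointer lands exactly on one of them."""
    ts_by_addr = {BASE + m.start(): int(m.group(1)) for m in TS_RE.finditer(region)}
    found = []
    for off in range(0, len(region) - HIST_ENTRY.size + 1, 8):
        line_ptr, ts_ptr, _data = HIST_ENTRY.unpack_from(region, off)
        if ts_ptr not in ts_by_addr:
            continue
        line = read_cstring(region, line_ptr)
        if line is not None:
            found.append((ts_by_addr[ts_ptr], line))
    found.sort()
    return found


def format_history(entries):
    """Render the carved entries as a timestamped listing, one line per command."""
    return [
        f"{datetime.fromtimestamp(epoch, timezone.utc):%Y-%m-%d %H:%M:%S} UTC  {cmd}"
        for epoch, cmd in entries
    ]


if __name__ == "__main__":
    for line in format_history(carve_history(build_sample_region())):
        print(line)
```

The decoy triple is rejected because its second field does not point at a timestamp string, which is the same property that keeps the real plugin from reporting arbitrary pointer-looking data. Note that the carved list includes the `export HISTSIZE=0` line itself: disabling on-disk history does nothing to the entries bash has already placed in its heap.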

FIGURE 8.12

Partial results from running linux_bash against the PFE subject system. The highlighted portion shows where an attacker attempted to modify the /etc/password file after moving the bogus johnn user’s home directory.

FIGURE 8.13

Partial results from running linux_bash against the PFE subject system. The highlighted portion shows where an attacker moved a home directory for a newly created user and set passwords for system accounts.

Just as we have a command for retrieving the environment for any process, linux_psenv, there is a Volatility command that returns the environment for any running bash shell. This command is called linux_bash_env. Partial results from running this command are shown in Figure 8.14. From the USER variable in each of the bash shells shown in the figure, we can see that one shell is run by the john user and the other is run by root. It is likely that the john user started the second shell with sudo -s.

FIGURE 8.14

Partial output from running the Volatility linux_bash_env command against the PFE subject system.

When a command is run for the first time in a bash shell, bash must search through the user’s path (stored in the PATH environment variable). Because this is a time-consuming process, bash stores frequently run commands in a hash table so that it does not have to search the path for the program each time. This hash table can be viewed, modified, and even cleared using the hash command. Volatility provides the command linux_bash_hash for viewing this bash hash table for each bash shell in memory. The results of running this command against the PFE subject system are shown in Figure 8.15.
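The hash table is worth more than a glance because it records the full path bash resolved for each command, so a binary that was executed from an unusual location shows up here even if the file has since been removed. The added example below (not from the book or from Volatility) parses a constructed block of text in the column layout of linux_bash_hash output, assumed to be Pid, Name, Hits, Command and Full Path, and flags entries that resolved outside the usual system binary directories, pass through a hidden directory, or were hashed under a name that differs from the binary's own. The process ids, paths and hit counts are all made up; the trusted-directory list is an assumption to adjust per distribution.

```python
import re

# Constructed sample in the (assumed) column layout of linux_bash_hash output.
# None of these rows come from the PFE subject system.
SAMPLE_OUTPUT = """\
Pid      Name                 Hits Command              Full Path
-------- -------------------- ---- -------------------- ---------
    2045 bash                    3 ls                   /bin/ls
    2045 bash                    1 netstat              /bin/netstat
    2045 bash                    7 ps                   /tmp/.cache/ps
    2890 bash                    2 vi                   /usr/bin/vi
    2890 bash                    1 nc                   /home/john/.local/bin/nc
"""

# Assumed set of directories from which system commands are normally run.
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                "/usr/local/bin/", "/usr/local/sbin/")

# One data row: pid, process name, hit count, command word, resolved full path.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_bash_hash(text):
    """Turn the plugin's text output into a list of dicts, skipping the header."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header line, separator line, or blank
        pid, name, hits, command, path = m.groups()
        rows.append({"pid": int(pid), "name": name, "hits": int(hits),
                     "command": command, "path": path})
    return rows


def suspicious_entries(rows, trusted=TRUSTED_DIRS):
    """Return (pid, command, path, reasons) for rows an analyst should look at."""
    flagged = []
    for r in rows:
        reasons = []
        if not r["path"].startswith(trusted):
            reasons.append("resolved outside trusted bin directories")
        if any(seg.startswith(".") for seg in r["path"].split("/")[1:]):
            reasons.append("path contains a hidden directory component")
        if r["path"].rsplit("/", 1)[-1] != r["command"]:
            reasons.append("hashed command name differs from binary name")
        if reasons:
            flagged.append((r["pid"], r["command"], r["path"], reasons))
    return flagged


if __name__ == "__main__":
    for pid, command, path, reasons in suspicious_entries(parse_bash_hash(SAMPLE_OUTPUT)):
        print(f"pid {pid}: {command} -> {path}: {'; '.join(reasons)}")
```

In the constructed sample the `ps` that resolved to `/tmp/.cache/ps` is the kind of entry this check exists for: a shell that later ran `hash -r` or simply exited would leave no trace of it in any history file, but a shell that is still running keeps the resolved path in its hash table, which is exactly what linux_bash_hash pulls out of memory.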

FIGURE 8.15

Results from running the Volatility linux_bash_hash command against the PFE subject system.
