This webcast was originally published on April 21st, 2023.
In this video, John Strand walks through the essential Linux commands for an initial forensic look at a system you suspect is compromised. He shows how to use lsof to list open files and Internet connections, how to tie a connection back to a process ID and list that process's open files, and then explores the /proc file system, reading the running executable's image from /proc/<pid>/exe and pulling its printable strings as a preliminary malware analysis.
- Linux systems are not immune to malware, contrary to a common belief.
- lsof (list open files) is an essential Linux forensics tool: it lists open files and Internet connections and ties each connection to a process ID.
- The /proc file system exposes per-process information, including the process's executable image, for live analysis without touching the disk copy.
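The three-step triage the summary describes (network connections, then the owning process, then its executable image) as an added shell example that is not from the webcast. Because lsof may not be installed, the lsof output is a constructed sample in the format `lsof -i -P` prints (PID 106, the user name and the addresses are illustrative), and the per-process step reads /proc directly, which is exactly where lsof -p gets its data. Adding -n to lsof also suppresses hostname lookups, which avoids tipping off an attacker-controlled DNS server during triage.

```shell
#!/bin/sh
# Added example, not code from the webcast. Reproduces the lsof -i -P ->
# lsof -p <pid> -> /proc/<pid>/exe triage using a constructed lsof sample
# and the live /proc tree, so it runs offline and without lsof installed.

# Constructed sample of `lsof -i -P -n` output; the PID, user and
# addresses are made up for illustration.
LSOF_SAMPLE='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     612 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
nc       106 adhd    3u  IPv4  23456      0t0  TCP 10.0.0.5:44122->203.0.113.7:443 (ESTABLISHED)'

# Step 1: pull the PIDs that own ESTABLISHED TCP connections out of lsof
# output. On a live box:  lsof -i -P -n | established_pids
established_pids() {
    awk 'NR > 1 && /ESTABLISHED/ { print $2 }' | sort -u
}

# Path of the executable behind a PID (what lsof -p reports as "txt").
proc_exe() {
    readlink "/proc/$1/exe"
}

# Step 2: what lsof -p <pid> would show, read straight from /proc:
# executable, working directory, root (a non-/ root means chroot), and
# which file descriptors are sockets. Returns 1 if the PID does not exist.
proc_triage() {
    pid=$1
    [ -d "/proc/$pid" ] || return 1
    printf 'exe:  %s\n' "$(proc_exe "$pid")"
    printf 'cwd:  %s\n' "$(readlink "/proc/$pid/cwd")"
    printf 'root: %s\n' "$(readlink "/proc/$pid/root")"
    for fd in "/proc/$pid/fd"/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            socket:*) printf 'fd %s -> %s\n' "${fd##*/}" "$target" ;;
        esac
    done
}

# Step 3: printable strings from the executable image as the kernel sees
# it (/proc/<pid>/exe), which survives the on-disk binary being deleted.
# strings(1) may be absent on a minimal box, so this uses tr/grep and
# keeps runs of 4 or more printable characters, like strings' default.
proc_strings() {
    tr -c '[:print:]' '\n' < "/proc/$1/exe" | grep -E '^.{4,}$'
}

# Demo against our own shell process: sh triage.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$LSOF_SAMPLE" | established_pids
    proc_triage "$$"
    proc_strings "$$" | head -n 5
fi
```

On a real incident the PID comes from step 1 rather than `$$`; compare the exe path with the cwd, and check whether `/proc/<pid>/exe` reports `(deleted)`, a common sign that the dropped binary was removed after launch.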
Voiceover
Looking to stake a claim on some security wisdom in a hurry? Well, you're in luck, keyboard cowboy. It's time for another Black Hills Information Security nugget. Saddle up for your first three Linux IR commands, brought to you by Black Hills Information Security.
Now here's John Strand.
John Strand
Hello and welcome to another video from myself, John Strand. We're going to be talking a little bit about Linux forensics. Specifically, we're going to be focusing on the first three Linux commands that you should be running if you think that your Linux computer system is compromised.
Now, some of you will say, "Well, there's no malware on Linux, because Linux is immune to viruses." You're wrong. Not true. We actually have malware that we've created.
I'm going to share my screen really quickly. I've got some malware on this little Linux computer system. It's just a very, very, very simple netcat-based backdoor that I've created using a backpipe and mknod and FIFO device files.
Just the simple things in life that people love and care about quite deeply. I'm going to go through what I do as soon as I think a Linux computer system has been compromised: my opening gambit, kind of my opening chess moves that I would focus on.
So let’s go ahead and let’s get started. The first thing that I like to do is I like to focus on what are the open Internet connections on this particular computer system.
I could run netstat, just run netstat like a lot of people do. If I could type. Still can't. I just can't type, people.
I just run netstat like that, and netstat gives me some connections. But netstat, while it's okay-ish, we can actually do something even cooler, because lots of people have heard of netstat.
That's not even one of my commands, because I don't really count it. I'm going to do lsof. The reason why I'm going to do lsof is that lsof stands for "list open files." Everything on a Linux computer system is a file.
Just tap your heels together and keep telling yourself that. It's going to make your life a lot easier. Everything on a Linux computer system is a file. And if I have the tool that gives me the capability to list open files, that is a very powerful tool, which lsof does.
I can even go further, though. I can restrict the open files that it gives me to the files that are associated with open Internet connections with -i, and -P says don't tell me what the port number is, just give me the raw number.
Nothing bigger than that. So we're going to do lsof -i -P. Now I have the same thing that you see up above, but I've got one crucial piece of information that is awesome, and we can dig deeper.
I've got the process ID. So always start with network connections whenever you're dealing with malware. Granted, there's a far less than 1% chance that you have malware that may not show up.
You may be dealing with a rootkit, you may be dealing with some intermittent malware that's using something like DNS, but when you're starting, you have to start somewhere. Network connections are a good, quick, easy, dirty way to start looking at network communications.
Now that I have the process ID for this process that has an open network connection, I can drill in on that process ID. So I'm going to zoom in on process ID 106.
lsof is now going to show me all of the open files associated with this process ID. It's going to tell me what the current working directory is.
It's executing out of /home/adhd. What it considers to be the root-level directory is the top-level directory on the system, so it's not chrooted. What is the executable?
It's netcat, OpenBSD netcat. What are the different shared object libraries that this particular executable is using? Is it using a pseudo-teletype terminal? Yes, it is, as a matter of fact.
And the open TCP connection. So now we have two commands, both of which were lsof: lsof -i -P shows me the open inet connections, and lsof -p, the process ID.
But we can do something even cooler. We can play with the proc file system on a Linux computer system. Once I have that process ID, I cd into /proc, and then I put in the process ID, which is 106.
This is going to give me a directory that has all the memory attributes associated with that executable. There's a lot of cool things. In fact, the proc file system doesn't really exist on the hard drive.
It only exists when the system is running, and each process ID gets its own directory in /proc. In this particular directory, I'm interested in the exe.
So now I'm going to do strings against the memory of the executable in memory. Let's see what comes up. I'm going to pipe it through less really quick, like so. We can now see all the printable strings from that malware that I'm running on my Linux computer system.
Once again, I'm going to see shared object libraries. I'm going to see that it has network connection socket capability. I'm going to get errors that are in memory. If an error were to occur, it would print these.
But as I go further, I can eventually see what the name of the executable is, in this situation OpenBSD netcat, and it gives me usage information.
This can be incredibly powerful when you're trying to do a quick reverse engineering of malware on a Linux computer system. Go from the network connections all the way down to the point where you can get memory information and printable strings out of memory on your Linux computer systems.
Thank you so much. Hope to see you in another video. Please don't forget to like and subscribe. Thank you.
Voiceover
If you stuck around this long, like and subscribe to get more Black Hills infosec nuggets, and check out these other videos while you're at it. See you on the range, keyboard cowboy.