Network Attacks: Entrenchment & Exfiltration

SSH, Telnet, Exfiltration, and Whoami?

For many cybersecurity professionals, simply compromising a network may only be the first step in an attack. It may require a great technical effort to gain undetected access to a network, but entrenchment involves gaining an advantageous position after gaining network access. This means gaining root access if not yet accomplished, creating administrator accounts to access in the future, creating backdoors to access the network in the future, cracking passwords required to access devices in the network, and even sending out copied data from the network back to the attacker (exfiltration).Let’s say an attacker has gained undetected access to a building’s network via SSH. After scanning for open SSH ports on the network and cracking the SSH password, an attacker would need to get entrenched to gather any useful information. Assuming the attacker is working from a shell, entering the “whoami” command into the command console will reveal the status of the account the attacker has accessed the network with. This is typically known ahead of time in SSH as login may require username and password credentials. If the attacker’s account does not have admin access they could modify their account’s permissions or create a new admin account.Once the attacker has compromised the network and acquired root access, the attacker needs to create a backdoor in order to access the network or device again in the future. This can be done in a myriad of ways. The simplest way to do this is to enable a remote access service or protocol. Services like SSH and Telnet provide a reliable way to access the network remotely, but this approach may be very visible or obvious to the organization. Rootkits provide a more covert yet more technical solution to creating a backdoor, and specialized backdoor programs can be covert and easy to install.Finally, the attacker searches the network for valuable information to copy for exfiltration. Depending on the context of the attack, this may be login credentials, sensitive data, organizational information, or anything worth copying and keeping. The data is copied from the network and sent to a remote host for storage or monitoring. A lot of organizations store their password data in encrypted hashes, and an attacker may need to decrypt or crack these hashes in order to retrieve passwords. Either way, solving hashes is no simple task. Some attackers only retrieve raw hash data for decryption or run the hash data through well-known programs like ophcrack. The attacker can then use these passwords to create new points of access or acquire additional data for exfiltration.[clear]