Capabilities are a system in Linux for dividing up the privileges associated with root. Instead of running a command with sudo, which gives it full control over your system, capabilities let you grant more limited access, such as capturing packets or configuring network interfaces.
Here we are interested in the following capabilities [1]:
CAP_NET_ADMIN
Perform various network-related operations:
* interface configuration;
* administration of IP firewall, masquerading, and accounting;
* modify routing tables;
* bind to any address for transparent proxying;
* set type-of-service (TOS);
* clear driver statistics;
* set promiscuous mode;
* enabling multicasting;
* use setsockopt(2) to set the following socket options: SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.
CAP_NET_BIND_SERVICE
Bind a socket to Internet domain privileged ports (port numbers less than 1024).
CAP_NET_RAW
* Use RAW and PACKET sockets;
* bind to any address for transparent proxying.
Running a shell with the ambient capabilities [1] listed above will allow you to run any commands you need for network hacking without sudo and without giving excessive permissions.
Run this command to create a shell with networking admin capabilities [2]:
sudo setpriv --inh-caps "+net_admin,+net_raw,+net_bind_service" --ambient-caps "+net_admin,+net_raw,+net_bind_service" --reuid $USER --regid $USER --init-groups --reset-env $SHELL
Run this command to check that the capabilities were set correctly:
/usr/sbin/capsh --print
# Current: cap_net_bind_service,cap_net_admin,cap_net_raw=eip
# Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
# Ambient set =cap_net_bind_service,cap_net_admin,cap_net_raw
# Current IAB: ^cap_net_bind_service,^cap_net_admin,^cap_net_raw
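A stricter way to check the resulting sets than eyeballing the capsh output, as an added example that is not part of the original post: it reads the CapAmb and CapEff hex masks from /proc/self/status and reports anything missing or extra relative to the three capabilities the setpriv command above grants. The expected mask 0x3400 and the bit-to-name table are assumptions taken from the bit positions in linux/capability.h.

```shell
#!/bin/sh
# Added example (not from the original post): audit a shell's capability sets
# by decoding the CapAmb/CapEff hex masks in /proc/self/status and comparing
# them with the three capabilities setpriv grants (bits per linux/capability.h).

EXPECTED_MASK=$(( (1 << 10) | (1 << 12) | (1 << 13) ))   # = 0x3400

# Map a bit index to its name; only a few are spelled out here, the rest
# print as cap_<n> so unexpected bits are still visible in the report.
cap_name() {
  case "$1" in
    10) echo cap_net_bind_service ;;
    12) echo cap_net_admin ;;
    13) echo cap_net_raw ;;
    21) echo cap_sys_admin ;;
    *)  echo "cap_$1" ;;
  esac
}

# Decode a hex mask (the format used in /proc/<pid>/status) into
# space-separated capability names, lowest bit first.
decode_mask() {
  v=$(( 0x$1 )); i=0; out=""
  while [ "$i" -lt 64 ]; do
    [ $(( (v >> i) & 1 )) -eq 1 ] && out="$out $(cap_name "$i")"
    i=$(( i + 1 ))
  done
  printf '%s\n' "${out# }"
}

# Compare a mask with EXPECTED_MASK: print "ok", or the missing and
# extra capabilities, and return 1 on any difference.
audit_mask() {
  v=$(( 0x$1 )); rc=0
  missing=$(( EXPECTED_MASK & ~v )); extra=$(( v & ~EXPECTED_MASK ))
  [ "$missing" -ne 0 ] && { echo "missing: $(decode_mask "$(printf '%x' "$missing")")"; rc=1; }
  [ "$extra" -ne 0 ] && { echo "extra:   $(decode_mask "$(printf '%x' "$extra")")"; rc=1; }
  [ "$rc" -eq 0 ] && echo ok
  return "$rc"
}

# Read one set (CapAmb, CapEff, CapPrm, ...) of the current process.
read_cap_set() { awk -v k="$1:" '$1 == k { print $2 }' /proc/self/status; }

# Run inside the setpriv shell: both lines should report "ok".
if [ -r /proc/self/status ]; then
  echo "ambient:   $(audit_mask "$(read_cap_set CapAmb)")"
  echo "effective: $(audit_mask "$(read_cap_set CapEff)")"
fi
```

The "extra" branch is the one worth watching: a shell whose effective set lists anything beyond the three capabilities did not get the sets the setpriv command was meant to give it.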
Now you can use this shell to execute any commands that require network admin privileges (e.g. wireshark, ifconfig, bettercap) in a more-or-less normal environment without root access.
If you don’t want to enter that long command every time, you can create an alias by adding the following line to your ~/.bashrc or ~/.bash_profile:
alias netadminsh='sudo setpriv --inh-caps "+net_admin,+net_raw,+net_bind_service" --ambient-caps "+net_admin,+net_raw,+net_bind_service" --reuid $USER --regid $USER --init-groups --reset-env $SHELL'
[1] Ambient capabilities are only available with Linux kernel 4.3 and above. On older kernels, capabilities can be given to a command by setting the permitted and effective bits, but they will not be automatically enabled for child processes, so you won’t be able to create a “privileged shell”. Using capsh to run commands is one option for older kernels. Another is simply to use sudo.
[2] Another similar command is:
sudo capsh --caps="${capabilities}+i" -- -c "capsh --user=${calling_user} --addamb='${capabilities}' --"
It achieves roughly the same result, but doesn’t set up the user environment as nicely.