GithubHelp home page GithubHelp logo

tadryanom / esonhugh_sshd-backdoor Goto Github PK

View Code? Open in Web Editor NEW

This project forked from esonhugh/sshd_backdoor

0.0 0.0 0.0 80 KB

/root/.ssh/authorized_keys evil file watchdog with ebpf tracepoint hook.

Home Page: https://www.youtube.com/watch?v=2BUbPzwaGdk

C 47.73% Go 40.07% Makefile 12.20%

esonhugh_sshd-backdoor's Introduction

sshd_backdoor

This Project is based on BlackHat USA 2021 and Defcon 29.

About Using ebpf technique, hijacking the process during sshd service getting the ~/.ssh/authorized_keys to authorize user logging and injecting our public key make our login successful.

Demo

SSHD backdoor Demo

Main Process in ebpf program

  1. Hook OpenAt syscall enter: check if the sshd process call this, log the pid of sshd.

  2. Hook OpenAt Syscall exit: check the pid logged. logging the fd of pid, map pid->fd.

  3. Hook Read Syscall enter: check the pid logged. logging the user_space_char_buffer of pid.

  4. Hook Read Syscall exit: check the pid logged. find the buffer and change the buffer into our Key. Then delete pid in map to avoid blocking administrators' keys be read.

Usage

$ make help

|=======================================================================================================
|usage:
|       build:  build full sshd_backdoor cli tool. But full sshd_backdoor is just supoorted the demo only
|       generate: Generate the ebpf prog in kernel with clang.
|                         if you need you can set the CFLAGS to append
|       test_ebpf: if you editing the ebpf-c c files and header files
|                          to test the ebpf can be compiled and pass ebpf verifier when load
|       tool_unload: bpftool unload progs.
|       tool_load: bpftool load  progs.
|       bpftrace_keylogging: logging sshd keys.Also it can catch the passwords when logging
|

By the way

sshd keylogging

make bpftrace_keylogging

which logging all message in sshd process. Of Course the key log.

reference

https://github.com/pathtofile/bad-bpf/blob/main/src/sudoadd.bpf.c

https://www.youtube.com/watch?v=5zixNDolLrg

etc.

esonhugh_sshd-backdoor's People

Contributors

esonhugh avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.