Puppy Linux Discussion Forum
ssh backdoor extension
rufwoof

Joined: 24 Feb 2014
Posts: 2636

PostPosted: Fri 09 Nov 2018, 11:32    Post subject:  ssh backdoor extension  

I run an open ssh server so others can log in and run/do things. Rather than using restricted shell, which has known weaknesses, I created my own restricted shell, something along the lines of the following (note that this is ksh and BSD script lingo). My actual script is much more extensive, for instance a BBS look and feel (tput/dialog based) that supports creating threads/posting messages, text to voice, selected share price lookups, moon phase, screensaver, local weather report ... etc. The bottom line however is that anyone ssh'ing in is restricted to certain commands/activities.
Code:
#!/bin/ksh

# create a userid and set this script as its default shell

typeset -a commands
commands[0]="whoami"
commands[1]="pwd"
commands[2]="ls"
commands[3]="clear"
commands[4]=""              # just enter pressed

export TERM=pccon0

trycmd()
{
  ln="$1"

  # Provide an option to exit the shell
  if [[ "$ln" == "exit" ]] || [[ "$ln" == "q" ]]
  then
    exit
  fi

  if [[ "$ln" == "help" ]]
  then
    echo "Type exit or q or quit or bye or logout ... to quit (ssh disconnect)."
    echo "Commands you can use: "
    echo "  help"
    echo "${commands[@]}" | tr ' ' '\n' | awk '{print "  " $0}'
    return
  fi

  # Only run the line when it matches an allowed command exactly
  for cmd in "${commands[@]}"
  do
    if [[ "$cmd" == "$ln" ]]
    then
      $ln
      return
    fi
  done

  # If we get to here (not return'd) then no command was found.
  # "$ln" is quoted, so shell syntax typed by the user is printed, not run.
  nf=`echo "$ln" | cut -d' ' -f1`
  echo "$nf :not found"
}

# read -r keeps backslashes typed by the user literal
while echo -n "> " && read -r ln
do
  trycmd "$ln"
done

I do however also have a back door, where a certain command acts as a userid, and when entered even though the return is a standard 'invalid command' type response, that is actually the password prompt. Entering the valid password drops me into a standard shell (normal permissions). So the standard ssh access is hidden, requiring both a userid and password, but where the prompting of entry of those is also obscure.

Mindful that a brute force attack could still try all userid and password combinations, I've extended the code to include a timing element as well. Enter a userid and type the password too soon ... or too late and that's invalid. You have to get each of userid, timing (within a certain range) and password all correct.

The high level pseudo code is simple:

read command
if it is the secret command (userid), still show the normal invalid command response
if an entry is made before the secret start time period then ignore it
if an entry is made during the secret time period then, if it's the valid 'password', invoke a standard shell
if an entry is made after the end of the secret time period then ignore it

Likely any brute force attack is more inclined to be automated, not pausing between trying a userid and password. And even if the brute force attempts are adjusted to include timings between userid and password then not only does that make attempts individually slower, but also adds in another whole layer of combinations to try.

_________________
( ͡° ͜ʖ ͡°) :wq
s243a

Joined: 02 Sep 2014
Posts: 1278

PostPosted: Fri 09 Nov 2018, 12:46    Post subject:  

I like it :)
rufwoof

Joined: 24 Feb 2014
Posts: 2636

PostPosted: Fri 09 Nov 2018, 18:24    Post subject:  

This is an example code snippet for the script that should be stored as x only for others, read/write only by root as it contains a plain text password. In this case the restricted shell account prompts xxx : not found or not permitted when an invalid command xxx is entered, so the first part of the script fakes that when it is detected/run - in this case with the command (userid) of 'letmein'. A fake $ prompt is also shown. The start time is noted (STIME) and the time of the next thing entered is also noted, i.e. the valid password ... in this case a password of SeCr3t. The difference in start and end times is calculated and tested to ensure the difference wasn't less than 15 seconds or greater than 20 seconds.

So in this case the userid 'letmein' and password 'SeCr3t' both have to be correct, and not only that, the password has to be entered 15 to 20 seconds after running the letmein command (userid), otherwise the attempt fails.

With such timing measures also being applied as part of validation, even relatively weak userid/passwords are much stronger.

Code:
#!/bin/ksh

# Fake the restricted shell's "not found" reply and its prompt
echo "letmein : not found or not permitted"
echo -n "$ "
STIME=`date '+%s'`
read -r ans                      # -r keeps backslashes literal
ETIME=`date '+%s'`
TDIFF=$((ETIME-STIME))
# Outside the 15 to 20 second window: same reply as any other bad command
if [ ${TDIFF} -lt 15 -o ${TDIFF} -gt 20 ]
then
    echo "$ans : not found or not permitted"
    exit 1
fi
# Inside the window and the password matches: drop into a normal shell
if [[ "$ans" == "SeCr3t" ]]
then
    /bin/ksh
    exit 0
fi
echo "$ans : not found or not permitted"
exit 1

Usage-wise, generally it's good to set a secret time range sufficiently far out to give you time to type in the password + time to spare. Type the letmein command (or whatever) but don't press enter, instead look at the seconds hand and prepare a mental note of when the valid time range will come into effect if you press enter at a certain second. So if the second hand is approaching 15 you know that in the above 15 to 20 second set case that the password should be entered when the second hand is at 30 to 35. Then on the second hand reaching 15 press enter to submit the letmein command, type the SeCr3t password but don't press enter ... until the second hand is between 30 to 35.

_________________
( ͡° ͜ʖ ͡°) :wq
catsezmoo

Joined: 09 Feb 2014
Posts: 26

PostPosted: Mon 12 Nov 2018, 22:03    Post subject:  

security via obscurity works great ...until it doesn't
s243a

Joined: 02 Sep 2014
Posts: 1278

PostPosted: Mon 12 Nov 2018, 23:30    Post subject:  

catsezmoo wrote:
security via obscurity works great ...until it doesn't


Hmmm... What if I try to inject a command into the echo statement by using backticks? I wonder if the command needs to be sanitized before printing.
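The three checks from rufwoof's two posts (command word, answer, and the 15 to 20 second window) split into testable functions, together with a check of s243a's backtick question, as an added example that is not rufwoof's script; the function names, the variable names and the use of a POSIX sh with date +%s are my assumptions:

```shell
#!/bin/sh
# Added example (not the thread's script): the timed three-factor check as
# functions that can be tested without a terminal. Names are assumptions.

WINDOW_MIN=15            # seconds, the window used in the thread
WINDOW_MAX=20
SECRET_CMD="letmein"
SECRET_ANS="SeCr3t"      # plaintext as in the thread; file must be root-only

# not_found WORD: the restricted shell's reply. WORD is expanded inside
# quotes, so backticks or $(...) typed by the user are printed, never run.
not_found() {
  printf '%s : not found or not permitted\n' "$1"
}

# in_window START END: true when END-START lies within [WINDOW_MIN, WINDOW_MAX]
in_window() {
  _d=$(( $2 - $1 ))
  [ "$_d" -ge "$WINDOW_MIN" ] && [ "$_d" -le "$WINDOW_MAX" ]
}

# check_attempt CMD ANS START END: true only when all three factors match.
# Every failure path gives the caller the same answer, so a wrong answer and
# a wrong timing are not distinguishable from outside.
check_attempt() {
  [ "$1" = "$SECRET_CMD" ] || return 1
  in_window "$3" "$4" || return 1
  [ "$2" = "$SECRET_ANS" ]
}

# timed_login: the interactive flow from the thread, not run at load time.
timed_login() {
  read -r cmd || return 1
  not_found "$cmd"                      # fake the normal reply either way
  [ "$cmd" = "$SECRET_CMD" ] || return 1
  printf '$ '
  start=$(date +%s)
  read -r ans || return 1
  end=$(date +%s)
  if check_attempt "$cmd" "$ans" "$start" "$end"; then
    exec /bin/ksh
  fi
  not_found "$ans"
  return 1
}
```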