ssh backdoor extension

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

ssh backdoor extension

#1 Post by rufwoof »

I run an open ssh server so others can log in and run/do things. Rather than using restricted shell, which has known weaknesses, I created my own restricted shell, something along the lines of the following (note that this is ksh and BSD script lingo). My actual script is much more extensive, for instance a BBS look and feel (tput/dialog based) that supports creating threads/posting messages, text to voice, selected share price lookups, moon phase, screensaver, local weather report ...etc. The bottom line however is that anyone ssh'ing in is restricted to certain commands/activities.

Code:

#!/bin/ksh

# create a userid and set this script as its default shell

typeset -a commands
commands[0]="whoami"
commands[1]="pwd"
commands[2]="ls"
commands[3]="clear"
commands[4]=""              # just enter pressed

export TERM=pccon0

trycmd()
{
  # Provide an option to exit the shell (every word the help text below lists)
  case "$ln" in
    exit|q|quit|bye|logout) exit ;;
  esac

  if [[ "$ln" == "help" ]]
  then
    echo "Type exit or q or quit or bye or logout ... to quit (ssh disconnect)."
    echo "Commands you can use: "
    echo "  help"
    echo "${commands[@]}" | tr ' ' '\n' | awk '{print "  " $0}'
    return
  fi

  # Only an exact match with a listed word is run, so a line with arguments
  # or extra words falls through to "not found"
  for cmd in "${commands[@]}"
  do
    if [[ "$cmd" == "$ln" ]]
    then
      $ln
      return
    fi
  done

  # If we get to here (no return) then no command was found
  nf=`echo "$ln" | cut -d' ' -f1`
  echo "$nf :not found"
}

# -r keeps backslashes in the typed line literal
while echo -n "> " && read -r ln
do
  trycmd "$ln"
done

I do however also have a back door, where a certain command acts as a userid, and when it is entered, even though the response is a standard 'invalid command' type response, that is actually the password prompt. Entering the valid password drops me into a standard shell (normal permissions). So the standard ssh access is hidden, requiring both a userid and password, but where the prompting for entry of those is also obscure.

Mindful that a brute force attack could still try all userid and password combinations, I've extended the code to include a timing element as well. Enter a userid and type the password too soon ... or too late and that's invalid. You have to get each of userid, timing (within a certain range) and password all correct.

The high level pseudo code is simple:

read command
if it is the secret command (userid), still show the normal invalid command response
if an entry is made before the secret start time period then ignore it
if an entry is made during the secret time period then, if it is the valid 'password', invoke a standard shell
if an entry is made after the end of the secret time period then ignore it

Likely any brute force attack is more inclined to be automated, not pausing between trying a userid and password. And even if the brute force attempts are adjusted to include timings between userid and password then not only does that make attempts individually slower, but also adds in another whole layer of combinations to try.
( ͡° ͜ʖ ͡°) :wq
Fatdog multi-session usb: http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256
echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh (https://hashbang.sh)

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#2 Post by s243a »

I like it :).

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#3 Post by rufwoof »

This is an example code snippet for the script, which should be stored as x only for others, read/write only by root, as it contains a plain text password. In this case the restricted shell account prompts "xxx : not found or not permitted" when an invalid command xxx is entered, so the first part of the script fakes that when it is detected/run, in this case with the command (userid) of 'letmein'. A fake $ prompt is also shown. The start time is noted (STIME) and the time of the next thing entered is also noted, i.e. the valid password ... in this case a password of SeCr3t. The difference between start and end times is calculated and tested to ensure the difference wasn't less than 15 seconds or greater than 20 seconds.

So in this case the userid 'letmein' and password 'SeCr3t' both have to be correct, and not only that, the password has to be entered 15 to 20 seconds after running the letmein command (userid), otherwise the attempt fails.

With such timing measures also being applied as part of validation, even relatively weak userid/passwords are much stronger.

Code:

#!/bin/ksh

# Fake the restricted shell's reply for the 'letmein' command (the userid)
echo "letmein : not found or not permitted"
# Fake a normal $ prompt; this is really the hidden password prompt
echo -n "$ "
STIME=`date '+%s'`
read -r ans
ETIME=`date '+%s'`
TDIFF=$((ETIME-STIME))
# The answer only counts if it arrived 15 to 20 seconds after the prompt
if [[ ${TDIFF} -lt 15 || ${TDIFF} -gt 20 ]]
then
    echo "$ans : not found or not permitted"
    exit 1
fi
if [[ "$ans" == "SeCr3t" ]]
then
    /bin/ksh
    exit 0
fi
echo "$ans : not found or not permitted"
exit 1

Usage-wise, it's generally good to set a secret time range far enough out to give you time to type in the password, plus time to spare. Type the letmein command (or whatever) but don't press enter; instead look at the seconds hand and make a mental note of when the valid time range will come into effect if you press enter at a certain second. So if the second hand is approaching 15, you know that in the above 15 to 20 second case the password should be entered when the second hand is at 30 to 35. Then, as the second hand reaches 15, press enter to submit the letmein command, type the SeCr3t password but don't press enter ... until the second hand is between 30 and 35.

catsezmoo
Posts: 26
Joined: Sun 09 Feb 2014, 04:59

#4 Post by catsezmoo »

security via obscurity works great ...until it doesn't

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#5 Post by s243a »

catsezmoo wrote: security via obscurity works great ...until it doesn't

Hmmm... What if I try to inject a command into the echo statement by using backticks? I wonder if the command needs to be sanitized before printing.
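As an added example (not rufwoof's script), the allow-list dispatch from post #1 and the 15 to 20 second answer window from post #3 written as small POSIX sh functions that ksh runs unchanged, with the unknown-command reply isolated so the backtick question in post #5 can be checked directly. ALLOWED, WIN_LO, WIN_HI and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not rufwoof's script: the allow-list dispatch (post #1) and
# the 15..20 second answer window (post #3) as small, testable functions.
# ALLOWED, WIN_LO, WIN_HI and the function names are this example's own.

ALLOWED="whoami pwd ls clear"   # exact command words the user may run
WIN_LO=15                        # earliest valid answer, seconds after the prompt
WIN_HI=20                        # latest valid answer

# in_window START END: true when END-START is inside [WIN_LO, WIN_HI].
# START and END are epoch seconds, e.g. from date '+%s' as in post #3.
in_window() {
    elapsed=$(( $2 - $1 ))
    [ "$elapsed" -ge "$WIN_LO" ] && [ "$elapsed" -le "$WIN_HI" ]
}

# allowed_cmd LINE: true only when the whole line equals one listed word,
# so "ls -la" or "ls;id" never matches and is never run.
allowed_cmd() {
    for c in $ALLOWED; do
        [ "$1" = "$c" ] && return 0
    done
    return 1
}

# reply LINE: the canned text for an unknown line. A double-quoted expansion
# is not re-parsed by the shell, so backticks or $(...) in LINE are printed
# literally, not executed (the question raised in post #5).
reply() {
    printf '%s : not found or not permitted\n' "$1"
}

# handle LINE: run an allow-listed word, ignore an empty line, else reply.
handle() {
    if [ -z "$1" ]; then return 0; fi
    if allowed_cmd "$1"; then
        "$1"
    else
        reply "$1"
    fi
}

# Interactive loop, started only when stdin is a terminal so the functions
# above can also be sourced and checked without a user present.
if [ -t 0 ]; then
    while printf '> ' && IFS= read -r ln; do     # -r keeps backslashes literal
        case "$ln" in exit|q|quit|bye|logout) exit 0 ;; esac
        handle "$ln"
    done
fi
```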
