Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/Esonhugh/sshd_backdoor

/root/.ssh/authorized_keys evil file watchdog with ebpf tracepoint hook.
https://github.com/Esonhugh/sshd_backdoor

backdoor ebpf offensive-security

Last synced: 3 months ago
JSON representation

/root/.ssh/authorized_keys evil file watchdog with ebpf tracepoint hook.

Host: GitHub
URL: https://github.com/Esonhugh/sshd_backdoor
Owner: Esonhugh
Created: 2023-01-11T09:42:53.000Z (almost 2 years ago)
Default Branch: Skyworship
Last Pushed: 2023-02-05T04:22:03.000Z (over 1 year ago)
Last Synced: 2024-04-24T13:41:07.600Z (6 months ago)
Topics: backdoor, ebpf, offensive-security
Language: C
Homepage: https://www.youtube.com/watch?v=2BUbPzwaGdk
Size: 82 KB
Stars: 313
Watchers: 4
Forks: 36
Open Issues: 1
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - Esonhugh/sshd_backdoor - /root/.ssh/authorized_keys evil file watchdog with ebpf tracepoint hook. (C)

README

        ## sshd_backdoor

This Project is based on BlackHat USA 2021 and Defcon 29.

About Using ebpf technique, hijacking the process during sshd service getting the ~/.ssh/authorized_keys to authorize user logging and injecting our public key make our login successful.

### Demo

[![SSHD backdoor Demo](https://res.cloudinary.com/marcomontalbano/image/upload/v1674832434/video_to_markdown/images/youtube--2BUbPzwaGdk-c05b58ac6eb4c4700831b2b3070cd403.jpg)](https://youtu.be/2BUbPzwaGdk "SSHD backdoor Demo")

### Main Process in ebpf program

1. Hook OpenAt syscall enter: 

    check if the sshd process call this, log the pid of sshd.

2. Hook OpenAt Syscall exit:

    check the pid logged. logging the fd of pid, map pid->fd.

3. Hook Read Syscall enter:

    check the pid logged. logging the user_space_char_buffer of pid.

4. Hook Read Syscall exit:

    check the pid logged. find the buffer and change the buffer into our Key. Then delete pid in map to avoid blocking administrators' keys be read.

### Usage

```

$ make help

|=======================================================================================================

|usage:

|       build:  build full sshd_backdoor cli tool. But full sshd_backdoor is just supoorted the demo only

|       generate: Generate the ebpf prog in kernel with clang.

|                         if you need you can set the CFLAGS to append

|       test_ebpf: if you editing the ebpf-c c files and header files

|                          to test the ebpf can be compiled and pass ebpf verifier when load

|       tool_unload: bpftool unload progs.

|       tool_load: bpftool load  progs.

|       bpftrace_keylogging: logging sshd keys.Also it can catch the passwords when logging

|

```

## By the way

### sshd keylogging

```

make bpftrace_keylogging

```

which logging all message in sshd process. Of Course the key log.

## troubleshooting

Common Issue: https://github.com/Esonhugh/sshd_backdoor/issues/6

## reference

https://github.com/pathtofile/bad-bpf/blob/main/src/sudoadd.bpf.c

https://www.youtube.com/watch?v=5zixNDolLrg

etc.